General settings
You can configure slow HTTP protection and set the minimum TLS version the WAF accepts.
Slow HTTP protection settings
Slow HTTP attacks are denial-of-service (DoS) attacks in which the attacker sends an HTTP request to a web server in small pieces, slowly, one at a time, so that the request never completes (for example, the header block never ends with its terminating blank line). While a request is incomplete or its transfer rate is very low, the server keeps a connection slot and the resources behind it busy waiting for the rest of the data. Once enough such connections exhaust the server's concurrent connection pool, legitimate clients can no longer connect.
Slow HTTP protection defends against these attacks by enforcing a time-out on receiving the request headers: a connection that hasn't delivered its complete header block within the limit is closed, which frees the slot.
- Soft limit: Minimum time, in seconds, allowed to receive the request headers. The time-out starts at this value and can only grow from it.
- Hard limit: Maximum time, in seconds, allowed to receive the request headers. The time-out is never extended beyond this value, however much data arrives.
- Extension rate: Amount of data, in bytes, that extends the time-out set by the soft limit. Each time this many more bytes of header data have arrived, one second is added to the time-out, up to the hard limit. A slow but genuine client that keeps sending data therefore earns more time, while a connection that trickles a few bytes at a time does not.
- Skipped networks/hosts: Networks or hosts that Slow HTTP protection shouldn't apply to.
Restriction
Sophos Firewall only implements the protection for IP host types IP and Network. Don't specify an IP range or IP list.
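As an added example (not Sophos' code and not the WAF's implementation), the Python below models the header time-out exactly as the settings above describe it, so you can see how the soft limit, hard limit and extension rate interact for a trickling attacker versus a slow but genuine client, and includes a probe that sends request headers one line at a time to a host you are authorised to test, to confirm that the WAF really closes the connection. The setting values (10 s, 40 s, 500 bytes), the scenarios and the X-Pad headers are assumptions for illustration.

```python
"""Added example, not Sophos' code: model the slow-HTTP header time-out the
settings above describe and probe a deployed WAF for it."""
import socket
import time


def header_deadline(soft, hard, extension_rate, chunks):
    """Replay header data against the rule the settings describe.

    soft, hard      time-out bounds in seconds
    extension_rate  bytes of header data that earn one extra second
                    (0 disables extension, so the soft limit is the deadline)
    chunks          [(arrival_time_seconds, nbytes), ...] in order, measured
                    from the moment the connection was accepted

    Returns (accepted, missed_deadline): accepted is True when every chunk
    arrived before the running deadline; otherwise missed_deadline is the
    deadline in seconds at which the WAF would close the connection.
    """
    deadline = float(soft)
    received = 0
    for arrival, nbytes in chunks:
        if arrival > deadline:
            return False, deadline
        received += nbytes
        if extension_rate > 0:
            # One extra second per extension_rate bytes, capped by the hard limit.
            deadline = min(float(soft) + received // extension_rate, float(hard))
    return True, None


def probe_slow_headers(host, port=80, interval=5.0, max_wait=120.0, path="/"):
    """Open one connection and send a header line every `interval` seconds
    without ever sending the blank line that ends the header block.

    Returns (seconds_open, first_response_line) once the server closes the
    connection or answers (Apache-based servers typically send 408 Request
    Timeout first), or (None, None) if it is still open after max_wait.
    Only run this against hosts you are authorised to test.
    """
    start = time.monotonic()
    sock = socket.create_connection((host, port), timeout=5.0)
    try:
        sock.sendall(f"GET {path} HTTP/1.1\r\nHost: {host}\r\n".encode())
        n = 0
        while time.monotonic() - start < max_wait:
            time.sleep(interval)
            # X-Pad-* is a made-up header; it only keeps the request incomplete.
            sock.sendall(f"X-Pad-{n}: {'a' * 20}\r\n".encode())
            n += 1
            sock.settimeout(0.2)
            try:
                data = sock.recv(4096)
            except socket.timeout:
                continue  # nothing from the server yet; keep trickling
            # b"" means the server closed the connection; anything else is a reply.
            first_line = data.split(b"\r\n", 1)[0].decode(errors="replace")
            return time.monotonic() - start, first_line or None
    except (ConnectionResetError, BrokenPipeError):
        return time.monotonic() - start, None
    finally:
        sock.close()
    return None, None


if __name__ == "__main__":
    # Assumed settings: soft limit 10 s, hard limit 40 s, extension rate 500 bytes.
    soft, hard, rate = 10, 40, 500
    scenarios = {
        # Slowloris-style: a 30-byte header line every 5 s, never finishing.
        "trickle": [(t, 30) for t in range(0, 60, 5)],
        # Slow but genuine: a large cookie header arrives in bursts.
        "slow client": [(0, 600), (10, 2000), (14, 20000), (39, 10)],
        # A burst up front never buys more than the hard limit.
        "burst then stall": [(0, 100_000), (41, 1)],
    }
    for name, chunks in scenarios.items():
        accepted, missed = header_deadline(soft, hard, rate, chunks)
        print(f"{name:18} accepted={accepted} missed_deadline={missed}")
    # Against a real host: print(probe_slow_headers("waf.example.com"))
```

With the assumed settings, the trickling connection is dropped at the 10 s soft limit because 30 bytes every 5 s never reaches the 500-byte extension rate, the bursty client is allowed to finish at 39 s because its data has extended the deadline to the 40 s hard limit, and a large burst followed by silence is still cut off at 40 s. Run the probe with the interval set just above and just below what the extension rate allows to confirm the deployed WAF behaves the same way.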
TLS version settings
Select the minimum TLS version that clients are allowed to use when connecting to the WAF. Handshakes that offer only older versions are refused.
Note
Check your browser's TLS support before selecting a version. If you select TLS version 1.2, clients such as Microsoft Internet Explorer 8 or earlier and those running on Windows XP won't be able to connect to the WAF.
Select one of the following versions:
- TLS v1 or later: Includes every TLS version (TLS 1.0, 1.1, 1.2 and 1.3) but not SSLv3. Use this only for legacy clients: TLS 1.0 and 1.1 are deprecated (RFC 8996).
- TLS v1.1 or later: Includes TLS 1.1 and every later version, that is, all protocols except SSLv3 and TLSv1.
- TLS v1.2 (wide compatibility): Includes only the TLSv1.2 protocol, together with cipher suites that aren't recommended but that some legacy clients still need.
- TLS v1.2 (strict): Includes only the TLSv1.2 protocol, restricted to the recommended cipher suites.
- TLS v1.3: Includes only the TLSv1.3 protocol and its cipher suites.
- Custom TLS: Manually enter the following details using the OpenSSL syntax:
  - Protocols: Enter the protocols to enable, using the mod_ssl SSLProtocol syntax (keywords such as all, TLSv1.2 and TLSv1.3, each prefixed with + to enable or - to disable).
  - Cipher suite: Enter the cipher list for the TLS 1.2 and earlier protocols you enabled, in OpenSSL cipher-list syntax (the mod_ssl SSLCipherSuite directive). Don't enter the TLS v1.3 cipher suites here: OpenSSL configures those separately and won't select them from this list.
  - TLS v1.3 cipher suite only: If you enabled the TLS v1.3 protocol, enter only the TLS v1.3 cipher suites here (their names begin with TLS_).
For the syntax of all three fields, see the SSLProtocol and SSLCipherSuite directives in the Apache mod_ssl documentation.
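Added example (not Sophos' code and not the WAF's own validation): the Python below checks the three Custom TLS fields the way OpenSSL will interpret them, resolving the Protocols string with the mod_ssl +/- rules, asking the local OpenSSL which cipher names the Cipher suite string actually selects, and rejecting TLS 1.3 names in the wrong field. It also includes a probe that pins a client to one TLS version at a time, which is the check to run after changing the minimum version setting above. The field values and host name are assumptions for illustration; the TLS 1.3 suite names are the five defined in RFC 8446.

```python
"""Added example, not Sophos' code: validate the three Custom TLS fields the
way OpenSSL reads them, then probe a WAF for the TLS versions it accepts."""
import socket
import ssl

# Keywords mod_ssl's SSLProtocol directive understands. "all" expands to every
# version the build supports (SSLv3 only in builds that still include it).
SSL_PROTOCOLS = ("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")

# The TLS 1.3 cipher suites defined in RFC 8446: the only names that belong in
# the "TLS v1.3 cipher suite only" field.
TLS13_SUITES = {
    "TLS_AES_256_GCM_SHA384", "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_AES_128_GCM_SHA256", "TLS_AES_128_CCM_SHA256", "TLS_AES_128_CCM_8_SHA256",
}


def parse_protocols(field):
    """Resolve an SSLProtocol-style string such as "-all +TLSv1.2 +TLSv1.3" to
    the set of enabled versions: "+" adds, "-" removes, a bare keyword replaces
    whatever was set before (as mod_ssl does)."""
    enabled = set()
    for token in field.split():
        op, name = (token[0], token[1:]) if token[0] in "+-" else ("=", token)
        if name.lower() == "all":
            names = set(SSL_PROTOCOLS)
        elif name in SSL_PROTOCOLS:
            names = {name}
        else:
            raise ValueError(f"unknown protocol keyword {token!r}")
        if op == "+":
            enabled |= names
        elif op == "-":
            enabled -= names
        else:
            enabled = names
    return enabled


def check_custom_tls(protocols, cipher_suite, tls13_suite):
    """Check the three Custom TLS fields together. Returns a dict with 'ok',
    'protocols' (enabled versions), 'tls12_ciphers' (the names OpenSSL resolved
    the cipher string to), 'problems' (why ok is False) and 'warnings'."""
    problems, warnings, enabled, tls12 = [], [], set(), []
    try:
        enabled = parse_protocols(protocols)
    except ValueError as exc:
        problems.append(str(exc))

    # Field 2 is OpenSSL cipher-list syntax (SSLCipherSuite). TLS 1.3 suites are
    # configured separately in OpenSSL, so their names select nothing here.
    for token in filter(None, cipher_suite.split(":")):
        if token.lstrip("!+-") in TLS13_SUITES:
            problems.append(f"{token} is a TLS 1.3 suite; put it in the TLS v1.3 field")
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_suite)
        # get_ciphers() also lists the always-on TLS 1.3 suites; keep the rest.
        resolved = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
        tls12 = [c["name"] for c in resolved]
        for c in resolved:  # "recommended" here means forward-secret and AEAD
            if not (c["aead"] and "dhe" in c["kea"]):
                warnings.append(f"{c['name']} is not a forward-secret AEAD suite")
    except ssl.SSLError as exc:
        problems.append(f"OpenSSL rejected the cipher string: {exc}")
    if not tls12 and enabled - {"TLSv1.3"}:
        problems.append("no cipher suite matched for the pre-1.3 protocols enabled")

    # Field 3 takes only RFC 8446 names, colon separated.
    tls13 = list(filter(None, tls13_suite.split(":")))
    problems += [f"{n} is not a TLS 1.3 cipher suite" for n in tls13 if n not in TLS13_SUITES]
    if tls13 and "TLSv1.3" not in enabled:
        warnings.append("TLS 1.3 suites given but TLSv1.3 is not enabled")
    return {"ok": not problems, "protocols": enabled, "tls12_ciphers": tls12,
            "problems": problems, "warnings": warnings}


def probe_tls_versions(host, port=443):
    """One handshake per TLS version with the client pinned to exactly that
    version. "refused" means the server (the WAF's minimum-version setting or
    cipher list) turned it away; "error" means the local OpenSSL can't offer it
    or the network failed. Only probe hosts you are authorised to test."""
    results = {}
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # version only
        if version < ssl.TLSVersion.TLSv1_2:
            # OpenSSL 3 refuses TLS 1.0/1.1 at security level >= 1; lower it for
            # the probe so that a refusal really comes from the server.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        try:
            ctx.minimum_version = ctx.maximum_version = version
            with socket.create_connection((host, port), timeout=5) as raw, \
                    ctx.wrap_socket(raw, server_hostname=host) as tls:
                results[version.name] = f"accepted: {tls.version()} {tls.cipher()[0]}"
        except ssl.SSLError as exc:
            results[version.name] = f"refused: {exc.reason}"
        except (ValueError, OSError) as exc:
            results[version.name] = f"error: {exc}"
    return results


if __name__ == "__main__":
    # Assumed field values for a TLS 1.2/1.3-only site (not a Sophos default).
    print(check_custom_tls(
        "-all +TLSv1.2 +TLSv1.3",
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
        "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305",
        "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256",
    ))
    # Against a real host: print(probe_tls_versions("waf.example.com"))
```

The cipher check uses the local OpenSSL as the oracle: set_ciphers() fails with "No cipher can be selected" when the string matches nothing, and get_ciphers() shows exactly which names it expanded to, so a typo or a TLS 1.3 name in the wrong field is caught before the setting is saved rather than when clients start failing. Run probe_tls_versions() after changing the minimum version to confirm that the versions below it are refused and the ones above are accepted with the cipher you expect.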