Security & isolation

BOA's foundational threat model: multiple Octopus tenants share one host but cannot affect each other or escape their boundaries. This area is the operator reference for every layer that enforces that model — the trust hierarchy, the per-tenant restricted shell, the network edge (SYNPROXY → CSF/LFD → Nginx), per-binary AppArmor confinement, SSH/SFTP hardening, password policy, the default /admin* and mailing restrictions, and the backend Drush extension deny-filter.

The defence is layered. A request crosses, in order: kernel SYNPROXY → CSF/LFD → the Nginx Abuse Guard → PHP-FPM (function-restricted, AppArmor-confined) → Drupal. Each layer filters more, so by the time traffic reaches application code it has already survived several independent gates.

Pages in this topic

Adjacent operating topics

  • Abuse Guard (nginx IDS) — the deep scan_nginx scoring, ban pipeline and request guards that CSF and the security model reference.
  • Nginx internals — the vhost generator and the config-template maps that emit the /admin* block, AI policy and realip.
  • Migration & cloning — the xmass/xoct flow that the migration-proxy trust on the CSF page supports.
  • Troubleshooting — blocked-IP recovery and SSH host-key-changed recovery.