Hi,
we have a Web Application Firewall (WAF) that allows us to block by URL, common threats etc etc
We are hosting LS ourselves so was wondering what URL's we need to provide for public access.
For instance, we don't want to provide access externally to the /admin folder as we manage that internally.
We can provide access to /LS root folder but was wondering what other folders within this we would require as we would need to specify them.

regards,
Louis

What version of LS is used?
What WAF is used? Depending on the rules, you will see certain hits by LimeSurvey caused by JS libraries.

I would be surprised if someone will provide you a list with URLS, which are needed.
That can change within an update.

It's a Sophos SG330 using WAF. LS is 3.4 CE.
Straight away I can see I wouldn't want:

/admin
/installer

to be accessible to the internet. I know that LS will have it's own security but it's certainly enhanced if /admin isn't accessible full stop.
So I'm wondering exactly what folders do need to be exposed and what don't for LS to function?

louism wrote: It's a Sophos SG330 using WAF. LS is 3.4 CE.

SG330 is quite an investment. If I remember correct, the WAF is based on a reverse proxy.
Which adds another layer of potential issues with LimeSurvey.

[quote="louism" post=184702So I'm wondering exactly what folders do need to be exposed and what don't for LS to function?[/quote]
I understand, but my WAF is based on rules and not blocking any generic path by defintion. My tools need to be accessed via Web tool

For your case (only submitting surveys via WAN, everthing else via LAN/DMZ) you can start here:
manual.limesurvey.org/Directory_structure

You will need to run tests after every update, if you block too tight.

/ and tmp/ and upload/ (in some situation) only i think …

But depend on : the url params used …