UTM 9 reverse proxy configuration

I want to use the UTM 9 virtual webserver protection reverse proxy to protect my Nextcloud installation.

I have Nextcloud with Collabora running in Docker, and I can't get Collabora working. I imported the Let's Encrypt certificates to the UTM, so SSL is not a problem. Has someone an idea on how to modify the reverse proxy on the UTM to get it working with Collabora?

  • In reply to Stefan Fröchtenicht:

    Hi Stefan,

    Hmm, interesting. Everything looks OK. What you could double-check, in the reverseproxy.conf file, is the specific vhost and whether it contains the line: WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus

    The virtual server of my customer also has RewriteHTML and RewriteCookies enabled, but I'm not sure if that makes any difference.
    Also, the init script logs to reverseproxy.log: when you grep for "AllowEncodedSlashes" you should at least see something like "AllowEncodedSlashes found - fixing" or "AllowEncodedSlashes not found - skipping". If not, it looks like the hook is not being triggered... somehow.

    KR,
    Onno.

  • In reply to Onno vdL:

    Sorry, but is

    ${CHROOT}/usr/apache/conf/reverseproxy.conf

    correct?

    This file doesn't exist...

    In the logs I get a "not found" and then a "found - Fixing".

    So it should work...

  • In reply to Onno vdL:

    Your patch resolved the AH00026 error for me. Thanks. I had to change the argument after AllowEncodedSlashes from On to NoDecode to resolve a follow-up issue with ID 973338, but otherwise fine.

    The GUI from Collabora Online (CODE) now loads but the document is still not parsed.

    In the reverseproxy.log there are two similar lines with status code 500:

    2019:09:11-16:44:44 fw-2 httpd: id="0299" srcip="my.client.ip" localip="my.server.ip" size="620" user="-" host="my.client.ip" method="GET" statuscode="500" reason="-" extra="-" exceptions="-" time="14333" url="/lool/https:/my.NC.FQDN/nextcloud/index.php/apps/richdocuments/wopi/files/222626_oczvwerl8jzj?access_token=VD0rd2gwyuliLG0bTGgORabtIWhOZaom&access_token_ttl=0&permission=edit/ws" server="my.CODE.FQDN" port="443" query="?WOPISrc=https%3A%2F%2Fmy.NC.FQDN%2Fnextcloud%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F222626_oczvwerl8jzj&compat=/ws" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="vkcUi9RgZ7CKJvxYw1oscg==" websocket_version="13" uid="XXkIXMCoAv4AAEl0RvsAAAB2"


    No other errors in the log. Looks like WAF is not playing nice with WebSockets :-(

    https://ideas.sophos.com/forums/17359-sg-utm/suggestions/4849021-websocket-support-for-waf points to several issues and mixed results with the new feature in UTM 9.6

    Suggestions welcome.
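As an added example (not code from this thread or from Sophos), the following POSIX shell script does the triage the post above did by hand: it parses reverseproxy.log entries into their key="value" fields and lists every request that carried a Sec-WebSocket-Key (websocket_key other than "-") but was not answered with 101 Switching Protocols. It assumes the entry format shown in the quoted log line (the field names statuscode, url and websocket_key are taken from it) and assumes that a completed upgrade would be logged with statuscode="101"; the sample log it builds is constructed, with the access token and identifiers replaced by placeholders.

```shell
#!/bin/sh
# Added example, not from the thread or from Sophos: triage reverseproxy.log
# for WebSocket upgrade requests that the reverse proxy did not complete.
# Assumptions: every entry is a run of key="value" pairs like the line quoted
# in the thread (field names statuscode, url, websocket_key are taken from
# it), and a successful upgrade would be logged with statuscode="101".

# Write a constructed sample log to the file named in $1: one failed upgrade
# modelled on the quoted entry (token and ids replaced by placeholders) and
# one ordinary page request that succeeded.
make_sample_log() {
    cat > "$1" <<'EOF'
2019:09:11-16:44:44 fw-2 httpd: id="0299" srcip="my.client.ip" localip="my.server.ip" size="620" user="-" host="my.client.ip" method="GET" statuscode="500" reason="-" extra="-" exceptions="-" time="14333" url="/lool/https:/my.NC.FQDN/nextcloud/index.php/apps/richdocuments/wopi/files/DOCID?access_token=TOKEN_PLACEHOLDER&access_token_ttl=0&permission=edit/ws" server="my.CODE.FQDN" port="443" query="?WOPISrc=https%3A%2F%2Fmy.NC.FQDN%2Fnextcloud%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2FDOCID&compat=/ws" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="WSKEY_PLACEHOLDER==" websocket_version="13" uid="UID_PLACEHOLDER_1"
2019:09:11-16:44:45 fw-2 httpd: id="0299" srcip="my.client.ip" localip="my.server.ip" size="1200" user="-" host="my.client.ip" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="120" url="/loleaflet/dist/loleaflet.html" server="my.CODE.FQDN" port="443" query="-" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="UID_PLACEHOLDER_2"
EOF
}

# For each entry that carries a Sec-WebSocket-Key (websocket_key != "-") but
# was not answered with 101 Switching Protocols, print "statuscode url".
ws_failures() {
    awk '
    {
        split("", kv)                  # reset the per-line field table
        line = $0
        # walk the line, peeling off one key="value" pair at a time
        while (match(line, /[a-z_-]+="[^"]*"/)) {
            pair = substr(line, RSTART, RLENGTH)
            eq   = index(pair, "=")
            key  = substr(pair, 1, eq - 1)
            val  = substr(pair, eq + 2, length(pair) - eq - 2)
            kv[key] = val
            line = substr(line, RSTART + RLENGTH)
        }
        if (kv["websocket_key"] != "-" && kv["websocket_key"] != "" &&
            kv["statuscode"] != "101")
            print kv["statuscode"], kv["url"]
    }' "$1"
}

# Stand-alone run: build the sample log in a temp file and report on it.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    make_sample_log "$tmp"
    ws_failures "$tmp"
    rm -f "$tmp"
fi
```

Run it with `sh triage.sh --demo` to see the one failed upgrade from the sample; point `ws_failures` at a real reverseproxy.log to get the same list for your own traffic. The failed entries show which vhost and URL prefix the WAF is answering with an error instead of upgrading, which is the information to bring to the support thread linked above.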

  • In reply to Onno vdL:

    Onno vdL

    Because I can't ask my customers to call me every time they make a change in the GUI so I can update the reverseproxy.conf, and I wanted to create a way for my customers to "add" it themselves, I've updated the script which (re)starts the reverseproxy service:

    === START PATCH
    <M> fw:/var/mdw/scripts # diff -Nura reverseproxy.orig reverseproxy
    --- reverseproxy    2018-07-06 11:38:01.464266168 +0200
    +++ reverseproxy.new    2018-07-06 13:47:37.722784507 +0200
    @@ -35,7 +35,20 @@
         ${APACHE2CTL_LOG}
     }
     
    +apache_allowslashes() {
    +    grep -q 'PATH "/AllowEncodedSlashes/"' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    +    MYRESULT=$?
    +
    +    if [ ${MYRESULT} -eq 0 ]; then
    +        echo "AllowEncodedSlashes found - fixing" | log
    +        sed -i 's|WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus|AllowEncodedSlashes On|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    +    else
    +        echo "AllowEncodedSlashes not found - skipping" | log
    +    fi
    +}
    +
     apache_conftest() {
    +    apache_allowslashes
         chroot ${CHROOT} ${APACHE2CTL} configtest 2>&1 | log
         if [ $? -ne 0 ]; then
             return 1
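    Review bot: the "found - fixing" message in apache_allowslashes is logged on the strength of the grep alone, while the sed on the next line only rewrites the exact text `WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus`; if the generated vhost line carries any other option or spacing, the grep matches, the sed changes nothing and the log still claims success. Log "fixing" only after confirming the result, e.g. with a second `grep -q 'AllowEncodedSlashes On'` on the file. On the replacement itself, `AllowEncodedSlashes On` makes httpd decode %2F before the path is matched; a later reply in this thread reports needing `NoDecode` (encoded slashes accepted but left encoded) to clear a follow-up issue, so that is the safer default for the sed. Note also that the marker line is consumed by the substitution, so a later run of apache_conftest logs "not found - skipping" even though the fix is in place, which matches what one reply observed. Minor: the diff headers name reverseproxy and reverseproxy.new while the command line compares reverseproxy.orig with reverseproxy.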

    === END PATCH

    I know this is a pretty old thread, so apologies in advance. How does one best use the provided script? I can see it makes a small change to the /var/mdw/scripts/reverseproxy file. I could make this change manually (since it's quite nicely written out what's added), but I'm a little bit unsure about making changes to the Sophos UTM files like that.