NextCloud-Webdav über WAF und ReverseProxy

Hallo werte Forengemeinde,

 

wir haben möchten gerne die Nexcloud WebDav funktion mit Sophos WAF und ReverseProxy nutzen.

Test 1 ohne ReverseProxy:
Anmeldung an NC via WebDav funktioniert!
[code]
2019:08:05-10:23:35 FW-1 httpd: id="0299" srcip="46.x.x.x" localip="10.y.y.y" size="241" user="-" host="46.x.x.x" method="PROPFIND" statuscode="404" reason="-" extra="-" exceptions="-" time="60967" url="/remote.php/dav/files/A0yyyy/AutoRun.inf" server="cloud.web.net:8090" port="8090" query="" referer="-" cookie="__Host-nc_sameSiteCookiestrict=true; __Host-nc_sameSiteCookielax=true; cookie_test=test; oct306o4re1g=9b495ms7csanc9h32osmr6m6te; oc_sessionPassphrase=CuJLshuLO5vX6WH9C4FKdwNR7Bh2vYhYAv0%2BDOGcMiq8K684sRaX7kI4RS8CKslkZZ8TMFbx8E9uvkShpqX091G9%2BEtcYf4WPiR571uqjkEbgc6Xrd1Egqvnmh6CmMSy" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XUfnhwr6@wEAACPRWDEAAAAK"
[/code]


Test 2 mit ReverseProxy:
Anmeldung an NC via WebDav funktioniert NICHT!
[code]
2019:08:05-10:29:36 FW-1 httpd: id="0299" srcip="46.x.x.x" localip="10.y.y.y" size="247" user="-" host="46.x.x.x" method="PROPFIND" statuscode="405" reason="-" extra="-" exceptions="SkipURLHardening" time="657" url="/_soeshaymadadmkv_form" server="cloud.web.net:8090" port="8090" query="?L3JlbW90ZS5waHAvZGF2L2ZpbGVz" referer="-" cookie="__Host-nc_sameSiteCookiestrict=true; __Host-nc_sameSiteCookielax=true" set-cookie="soeshaymadadmkv_cookie=;Max-Age=0;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/;httponly;secure" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XUfo8Ar6@wEAACclhNgAAAAG"
[/code]

Ein Firewall Profile ist erst mal nicht hinterlegt.
Reverse Profil sieht wie folgt aus:

Hat evtl. noch jemand eine Idee wie der Zugriff über ReverseProxy ohne Probleme funktionieren könnte?
Besten Dank im Voraus

VG TBC

  • Hallo TBC,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. Sad)

    It looks like both accesses above were through WAF.  The successful one appears in the log, so it's not "ohne ReverseProxy" - did you mean without authentication?

    The second one appears to fail because the cookie has expired.  That doesn't make sense to me, but what if you disable 'Cookie signing' in the Virtual Server?

    MfG - Bob (Bitte auf Deutsch weiterhin.)

  • In reply to BAlfson:

    Hello Bob,

    yes both are over WAF but the first one is without ReverseProxy Authentication.

    Here are the hole coniguration without ReverseProxy Authentication what are running now:

    and here with Authentication but not running currently:


    and the Auth Profile

    Where can you see that the cookies have expired? Cookie Singing is already off because i don't use the Firewall-Profile.

    Thanks for helping Bob and best regards

    TBC

  • In reply to RemoHehlert:

    cookie="__Host-nc_sameSiteCookiestrict=true; __Host-nc_sameSiteCookielax=true" set-cookie="soeshaymadadmkv_cookie=;Max-Age=0;expires=Thu, 01 Jan 1970 00:00:00 GMT

    Maybe your authentication form uses a cookie to track the Sitzungsdauer???

    MfG - Bob (Bitte auf Deutsch weiterhin.)

  • In reply to BAlfson:

    Hello Bob,
    your are right but i have no idear why. I have checked several constallations but nothing works to use Nexcloud / Webdav with WAF Authentication.
    If i use WAF/Authenication and the Web Interface of Nextcloud, that one works fine.
    Do you have other Idear?

    Thanks

    TBC