
Nextcloud WebDAV via WAF and Reverse Proxy

Hello dear forum community,

We would like to use the Nextcloud WebDAV function with Sophos WAF and ReverseProxy.

Test 1 without ReverseProxy:
Login to NC via WebDAV works!
[code]
2019:08:05-10:23:35 FW-1 httpd: id="0299" srcip="46.x.x.x" localip="10.y.y.y" size="241" user="-" host="46.x.x.x" method="PROPFIND" statuscode="404" reason="-" extra="-" exceptions="-" time="60967" url="/remote.php/dav/files/A0yyyy/AutoRun.inf" server="cloud.web.net:8090" port="8090" query="" referer="-" cookie="__Host-nc_sameSiteCookiestrict=true; __Host-nc_sameSiteCookielax=true; cookie_test=test; oct306o4re1g=9b495ms7csanc9h32osmr6m6te; oc_sessionPassphrase=CuJLshuLO5vX6WH9C4FKdwNR7Bh2vYhYAv0%2BDOGcMiq8K684sRaX7kI4RS8CKslkZZ8TMFbx8E9uvkShpqX091G9%2BEtcYf4WPiR571uqjkEbgc6Xrd1Egqvnmh6CmMSy" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XUfnhwr6@wEAACPRWDEAAAAK"
[/code]


Test 2 with ReverseProxy:
Login to NC via WebDAV does NOT work!
[code]
2019:08:05-10:29:36 FW-1 httpd: id="0299" srcip="46.x.x.x" localip="10.y.y.y" size="247" user="-" host="46.x.x.x" method="PROPFIND" statuscode="405" reason="-" extra="-" exceptions="SkipURLHardening" time="657" url="/_soeshaymadadmkv_form" server="cloud.web.net:8090" port="8090" query="?L3JlbW90ZS5waHAvZGF2L2ZpbGVz" referer="-" cookie="__Host-nc_sameSiteCookiestrict=true; __Host-nc_sameSiteCookielax=true" set-cookie="soeshaymadadmkv_cookie=;Max-Age=0;expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/;httponly;secure" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="XUfo8Ar6@wEAACclhNgAAAAG"
[/code]

No firewall profile is configured for now.
The reverse profile looks as follows:

Does anyone perhaps have an idea how access via the ReverseProxy could work without problems?
Many thanks in advance

Best regards, TBC
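To compare the two records field by field, the following added example (not part of the original post and not Sophos code) parses the key="value" pairs of the httpd log and Base64-decodes the query value seen in Test 2. The log lines are abridged copies of the two records above, and the `/_..._form` URL pattern is an assumption derived from that single record.

```python
import base64
import re

# Abridged copies of the two httpd records from the post (cookie and
# websocket fields dropped); the remaining fields are as logged.
TEST1 = ('2019:08:05-10:23:35 FW-1 httpd: id="0299" method="PROPFIND" '
         'statuscode="404" exceptions="-" '
         'url="/remote.php/dav/files/A0yyyy/AutoRun.inf" query=""')
TEST2 = ('2019:08:05-10:29:36 FW-1 httpd: id="0299" method="PROPFIND" '
         'statuscode="405" exceptions="SkipURLHardening" '
         'url="/_soeshaymadadmkv_form" query="?L3JlbW90ZS5waHAvZGF2L2ZpbGVz" '
         'set-cookie="soeshaymadadmkv_cookie=;Max-Age=0;'
         'expires=Thu, 01 Jan 1970 00:00:00 GMT;path=/;httponly;secure"')

FIELD = re.compile(r'([\w-]+)="([^"]*)"')
FORM_URL = re.compile(r'^/_\w+_form$')  # assumption: shape of the URL in Test 2


def parse(line):
    """Split one httpd record into a dict of its key="value" fields."""
    return dict(FIELD.findall(line))


def decode_query(query):
    """Return the Base64-decoded query string, or None if empty or not Base64."""
    raw = query.lstrip('?')
    try:
        data = base64.b64decode(raw + '=' * (-len(raw) % 4), validate=True)
        return data.decode('utf-8') or None
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None


def summarize(line):
    """Reduce a record to the fields relevant to the WebDAV login problem."""
    f = parse(line)
    return {
        'method': f.get('method'),
        'status': int(f['statuscode']),
        'auth_form': bool(FORM_URL.match(f.get('url', ''))),
        'original_path': decode_query(f.get('query', '')),
        'cookie_cleared': 'Max-Age=0' in f.get('set-cookie', ''),
    }


if __name__ == '__main__':
    for name, line in (('Test 1', TEST1), ('Test 2', TEST2)):
        print(name, summarize(line))
```

For the Test 2 record the decoded query is `/remote.php/dav/files`: the PROPFIND was logged against the form URL with status 405 and a cleared cookie, while in Test 1 it was logged against the Nextcloud path itself.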



  • Hallo TBC,

    (Sorry, my German-speaking brain isn't creating thoughts at the moment. [:(])

    It looks like both accesses above were through WAF.  The successful one appears in the log, so it's not "ohne ReverseProxy" - did you mean without authentication?

    The second one appears to fail because the cookie has expired.  That doesn't make sense to me, but what if you disable 'Cookie signing' in the Virtual Server?

    Best regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello Bob,

    Yes, both are over WAF, but the first one is without ReverseProxy Authentication.

    Here is the whole configuration without ReverseProxy Authentication, which is running now:

    and here with Authentication, but not running currently:


    and the Auth Profile

    Where can you see that the cookies have expired? Cookie signing is already off because I don't use the Firewall-Profile.

    Thanks for helping Bob and best regards

    TBC

  • cookie="__Host-nc_sameSiteCookiestrict=true; __Host-nc_sameSiteCookielax=true" set-cookie="soeshaymadadmkv_cookie=;Max-Age=0;expires=Thu, 01 Jan 1970 00:00:00 GMT

    Maybe your authentication form uses a cookie to track the Sitzungsdauer???

    Best regards - Bob (Please continue in German.)

     
  • Hello Bob,
    You are right, but I have no idea why. I have checked several constellations, but nothing works to use Nextcloud / WebDAV with WAF Authentication.
    If I use WAF/Authentication and the web interface of Nextcloud, that one works fine.
    Do you have another idea?

    Thanks

    TBC