
Web Application Firewall / Reverse Proxy support multiple domain or wildcard domain

Hi,

 

Our company is using Sophos UTM as a Reverse Proxy, and I want to achieve this goal:

     virtual Server (Port 80)            real Server

     subdomain1.ourcompany.com  ----->   Server 1
     www.ourcompany.com         ----->   Server 2
     *.ourcompany.com           ----->   Server 3
     *.*.com                    ----->   Server 4

 

Is it possible? If yes, how do I set this up?

 

thanks

  • Hi,

    yes, this is possible.

    You have to configure one virtual webserver for each real webserver.

    If you configure wildcards in the domain name, the WAF will always route the traffic to the virtual webserver with the most specific domain name.


    Note: for the last setup, you have to set '*.com' as Domain name ('*.*.com' won't be accepted).

     

    Best,
     Sabine
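The "most specific domain name wins" routing described in this reply, modelled as an added Python example that is not Sophos code: the table is the OP's four rows with '*.com' standing in for the rejected '*.*.com', and the acceptance rule (only the first label may be '*') and the wildcard semantics (a leading '*' covers one or more labels) are assumptions drawn from this thread.

```python
import re
from typing import Optional

# Constructed routing table modelled on the OP's four rows; '*.com' stands in for
# the rejected '*.*.com'. Server names are placeholders, not real hosts.
VIRTUAL_SERVERS = [
    ("subdomain1.ourcompany.com", "Server 1"),
    ("www.ourcompany.com", "Server 2"),
    ("*.ourcompany.com", "Server 3"),
    ("*.com", "Server 4"),
]

# One DNS label: letters, digits, inner hyphens, at most 63 characters.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

def pattern_error(pattern: str) -> Optional[str]:
    """Assumed acceptance rule: an FQDN, or '*' as the first label only. None when valid."""
    labels = pattern.strip().lower().split(".")
    if len(labels) < 2:
        return "need at least two labels"
    if labels[0] != "*" and not _LABEL.match(labels[0]):
        return "bad first label"
    if not all(_LABEL.match(l) for l in labels[1:]):
        return "only the first label may be '*' ('*.*.com' is rejected)"
    return None

def host_from_header(value: str) -> str:
    """Normalise a client-supplied Host header: drop :port and trailing dot, reject junk."""
    host = value.strip().split(":", 1)[0].rstrip(".").lower()
    if not host or not all(_LABEL.match(l) for l in host.split(".")):
        raise ValueError(f"malformed Host header {value!r}")
    return host

def matches(pattern: str, host: str) -> bool:
    """A leading '*' matches one or more labels, so '*.com' also covers a.b.com."""
    p, h = pattern.lower().split("."), host.split(".")
    if p[0] == "*":
        return len(h) > len(p) - 1 and h[-(len(p) - 1):] == p[1:]
    return p == h

def route(host_header: str, table=VIRTUAL_SERVERS) -> Optional[str]:
    """Real server of the most specific matching virtual server, or None if nothing matches."""
    host = host_from_header(host_header)
    # Rank: exact name beats wildcard, then more labels beat fewer (entries the WAF
    # would reject are skipped because they could never be configured).
    hits = [(p.split(".")[0] != "*", p.count("."), target)
            for p, target in table
            if pattern_error(p) is None and matches(p, host)]
    return max(hits)[2] if hits else None
```

Because the Host header is attacker-controlled, the example normalises and validates it before matching rather than trusting it as a routing key.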

  • Hi Evianne,

    This thread is old but it exactly reflects my issue. Unless I am doing something wrong, what you suggest does not work (for me, at least).

    My setup is simpler than that of the OP. I have two real servers and two domain FQDNs (www.domain1.com, www.domain2.com) that point to the same public IP where the UTM is listening. I have two virtual servers defined (one for each domain) pointing to the corresponding backend real server.

    If I use port 80 for both virtual servers the first one is addressable but the second one is not (actually traffic is sent to the first one where the requested URLs do not exist so I get a not found reply). If I use a different port, say 81, then this second domain works fine too and I am able to fully navigate through it. Put back port 80 in this other domain just to start getting not found errors again.

    So it looks like the WAF does not work in the depicted scenario.

    Regards.

  • Based on documentation, this should work.  (IP address conflict resolved by wildcard WAF site).

    DNS www1.example.com on IP Address x.x.x.x with WAF #1 configured with certificate *.example.com and listening for www1.example.com:80

    DNS www2.example.com on IP Address x.x.x.x with WAF #2 configured with certificate *.example.com and listening for *.example.com

     

    I do not believe this configuration will work (IP Address conflict without use of a wildcard-default web site)

    DNS www1.example.com on IP Address x.x.x.x with WAF #1 configured with certificate *.example.com and listening for www1.example.com:80

    DNS www2.example.com on IP Address x.x.x.x with WAF #2 configured with certificate *.example.com and listening for www2.example.com:80

     

    And I also do not believe that this configuration will work (IP Address conflict with two different certificates)

    DNS www1.example.com on IP Address x.x.x.x with WAF #1 configured with certificate www1.example.com and listening for www1.example.com:80

    DNS www2.example.com on IP Address x.x.x.x with WAF #2 configured with certificate www2.example.com and listening for www2.example.com:80

     

  • I agree that this *should* work but it doesn't. An important thing to mention: there are no certificates involved here (it is not https but simple http):

     

    DNS www.example1.com on IP Address x.x.x.x with WAF virtual server #1 configured and listening for www.example1.com:80 over WAN interface (public IP the same x.x.x.x as before)

    DNS www.example2.com on IP Address x.x.x.x with WAF virtual server #2 configured and listening for www.example2.com:80 over WAN interface (public IP the same x.x.x.x as before)

     

    Notice that the domains are different (they are NOT even two subdomains of the same domain). The only common thing is the port used: 80

     

  • I suspect that without certificates, it is not certain to work.  Have you asked support?

  • Not so far. Anyway Sabine (Evianne in this thread) belongs to the Sophos Staff so, somehow, they should be advised now. In fact this thread is marked as solved while this is clearly not solved as it does not work.

     

    I agree with you that without certs this is not working but I do not have certs to check at the moment. Apart from this I cannot see the point of needing certificates for this to work. Being http it is a matter of vhosting/reverse proxying like any Apache is able to do. No certificates should be needed.

     

    If one needs certificates for this to work then WAF is mostly useless because not everyone can afford to have a public IP to match their internal real servers.

  • Hola, Miguel, and welcome to the UTM Community!

    This should work.  The only thing I can think of would be contravening #3 in Rulz.  If that's not the case, then please tell us what Sophos Support has to say about this.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA