Multiple domain forwarding 1 Public IP

Hi Rafal Niznik 

Yes, this can be easily done using WAF in Sophos XG. But make sure you select Pass host header in your WAF Business Application rule.

Please refer to this KBA Sophos XG Firewall: WAF configuration guide and in case if you need there's a Sophos XG Firewall: WAF Troubleshooting guide as well.

Hi,

Can you please give me an example how to configure this business rule (WAF) for the mentioned scenario?

environment:

1 Public IP
2 different domains (each domain A record points to public IP)
2 different web servers (no vhosts)

Goal:

Domain A hits public IP of (XG Firewall) and forwards to server 1
Domain B hits public IP of (XG Firewall) and forwards to server 2

The KBA https://community.sophos.com/kb/en-us/126470 only describes how to publish one webserver. But here we have two (or more) webservers behind one public IP and multiple DNS-Names.

As far as i understand, the option "Pass host header" just passes the host header to the webserver, so it can route to a configured vhost. In the described environment we have to seperate webservers without vhosts. The option "pass host header" has no effect here?

Thank you!

RasalGhul,

follow the KB above. You need to create 2 different WAF rule, where in each one you define the domain name for server 1 and in the second rule, the domain name for server 2.

Regards

RasalGhul,

follow the KB above. You need to create 2 different WAF rule, where in each one you define the domain name for server 1 and in the second rule, the domain name for server 2.

Regards

Thank you for clarify this. It works with different WAF rules for each server/domain!

I had trouble with my browser cache so things were not running as they should.

I have another question/issue regarding this topic.

Beside the two WAF rules i need a DNAT rule for port 443. The WAF rules have a higher priority, so the DNAT rule will be last one to be processed ("fallback").

For example i have following domains (all same public IP), rules and servers

- prio1 > domain: waf1.domain.com > rule: waf1 443 rule > server-waf1

- prio2 > domain: waf2.domain.com > rule: waf2 443 rule > server-waf2

- prio3 > domain: dnat1.domain.com / dnat2.domain.com > rule: dnat 443 > server-fallback

The problem is, the two "dnat1/2" subdomains will be processed by rule "waf2 443" and it returns an 403 http error. This error shows up is in the log "/log/reverseproxy.log": 

[Thu Feb 27 15:51:35.073229 2020] [url_hardening:error] [pid 47656:tid 140695402669824] [client xxx.xxx.xxx.xxx:58401] Hostname in HTTP request (dnat2.domain.com) does not match the server name (waf2.domain.com), referer: https://dnat2.domain.com/

[Thu Feb 27 15:51:35.073091 2020] timestamp="1582815095" srcip="xxx.xxx.xxx.xxx" localip="192.168.0.2" user="-" host="xxx.xxx.xxx.xxx" method="GET" statuscode="403" reason="-" extra="-" exceptions="-" duration="250" url="/favicon.ico" server="dnat.domain.com" referer="https://dnat.domain.com/" cookie="-" set-cookie="-" recvbytes="494" sentbytes="429" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.116 Safari/537.36" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="2"

Why is rule "waf2 443" processed at all, the server name does not match?

Thank you