
WAF Rule - Nginx site can't be accessed (SFOS 18.0.0 GA-Build354)

Hi,

I'm using a home licence (XG 18.0.0 GA-Build354) on my own hardware and I'm trying to configure a simple web server to be externally available via a WAF rule.

 

Setup:

Example:

WAN - 11.22.33.44 (www.my-site.uk)

LAN - 10.1.1.50 (caton-edge)

 

The setup for the most part is simple, I have a host within my LAN that's running Nginx within a container.

The host that is running Nginx has been configured as a web service within Sophos:

 

 

I can access  the Nginx page internally on port 80 (http://10.1.1.50) without issue.

My WAF rule looks like so:

 

For the WAF rule I have HTTPS certs from Lets Encrypt that I would like to use.

So the cert is the cert generated by the certbot.

 

Issue:

Once the WAF rule is running, I'm unable to access the site via its configured (external) DNS name e.g. 11.22.33.44 (https:/.../www.my-site.uk) from either the WAN or LAN interface.

The response received is that the connection is refused:

 

Troubleshooting:

After reading around on the Sophos site I see that the Web Portal runs on port 443 (although internal only), but to ensure that there is no port conflict I have disabled this via:

Administration > Device Access > User Portal (uncheck WAN)

And I have changed the port number of the User portal to something other than 443.

To ensure the above is effective, I have rebooted the device as a belt and braces approach.

With the above in place, I still get the same (no) response.

 

What I have found to work, is changing the HTTPS port in the WAF rule, so that the external port is e.g. 445

When accessing https://www.my-site.uk:445 the site loads as expected - the same is also true when configuring the WAF rule as HTTP rather than HTTPS

 

However, when returning back to the default of 443, the same connection refused error is presented.

I have looked through both the Web server protection logs and IPS logs, and nothing is logged upon failure, only when the above steps are taken to change the port number are records logged (also tail -f /log/reverseproxy.log on the advanced shell).


Thanks in advance, any help will be appreciated.

 



  • I have disabled the web user portal completely, so I'm not sure why port 443 is being used.

    A netstat on the firewall CLI shows that Apache is listening but I'd believe that to be expected?


    The /log/reverseproxy.log mentioned doesn't provide much detail:

    SFVH_SO01_SFOS 18.0.0 GA-Build354# tail -f /log/reverseproxy.log
    AH00112: Warning: DocumentRoot [/sdisk/waffiles/0e8433f9a404f1f3ba601c14b026d321] does not exist
    [Wed Apr 15 21:22:21.857062 2020] [mpm_worker:notice] [pid 5182:tid 140121896452544] AH00295: caught SIGTERM, shutting down
    AH00112: Warning: DocumentRoot [/sdisk/waffiles/0e8433f9a404f1f3ba601c14b026d321] does not exist
    [Wed Apr 15 21:22:24.000822 2020] [security2:notice] [pid 22252:tid 139773011489216] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
    [Wed Apr 15 21:22:24.000910 2020] [security2:notice] [pid 22252:tid 139773011489216] ModSecurity: APR compiled version="1.5.2"; loaded version="1.5.2"
    [Wed Apr 15 21:22:24.000917 2020] [security2:notice] [pid 22252:tid 139773011489216] ModSecurity: PCRE compiled version="8.43 "; loaded version="8.43 2019-02-23"
    [Wed Apr 15 21:22:24.000922 2020] [security2:notice] [pid 22252:tid 139773011489216] ModSecurity: LIBXML compiled version="2.9.9"
    [Wed Apr 15 21:22:24.000926 2020] [security2:notice] [pid 22252:tid 139773011489216] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
    [Wed Apr 15 21:22:25.003002 2020] [mpm_worker:notice] [pid 22255:tid 139773011489216] AH00292: Apache/2.4.25 (Unix) OpenSSL/1.0.2r-fips configured -- resuming normal operations
    [Wed Apr 15 21:22:25.003117 2020] [core:notice] [pid 22255:tid 139773011489216] AH00094: Command line: '/usr/apache/bin/httpd -E /log/reverseproxy.log'

  • After doing some further testing, I have setup a packet capture on my webserver:

     

    The external interface/WAF is listening on port 443,

    my internal server is listening on port 80.

     

    The traffic that is being received on the external interface is being passed to my webserver on port 443 (it's listening on 80)

    On my Sophos, the webserver is configured to listen on port 80:

     

    Is there a means of further investigating / troubleshooting this?
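As an added diagnostic example (not code from the original thread), the script below automates the check done by hand in the capture above: it parses tcpdump-style SYN lines taken on the backend web server and counts connections arriving on ports the server does not actually listen on. The capture lines, the firewall's LAN address 10.1.1.1 and the server address 10.1.1.50 are constructed to match the thread's example; a non-empty result is the signature of traffic being forwarded without the expected 443 -> 80 port translation.

```python
import re
from collections import Counter

# Constructed sample of tcpdump-style lines as they might appear in a capture
# taken on the backend web server (10.1.1.50). Source 10.1.1.1 is assumed to be
# the firewall's LAN interface; these are not real captured packets.
SAMPLE_CAPTURE = """\
21:22:31.101 IP 10.1.1.1.51234 > 10.1.1.50.443: Flags [S], seq 1, win 64240
21:22:31.102 IP 10.1.1.50.443 > 10.1.1.1.51234: Flags [R.], seq 0, ack 2, win 0
21:22:33.500 IP 10.1.1.1.51240 > 10.1.1.50.80: Flags [S], seq 1, win 64240
21:22:33.501 IP 10.1.1.50.80 > 10.1.1.1.51240: Flags [S.], seq 7, ack 2, win 65160
21:22:35.900 IP 10.1.1.1.51250 > 10.1.1.50.443: Flags [S], seq 1, win 64240
"""

# Matches "IP <src>.<sport> > <dst>.<dport>: Flags [<flags>]" in tcpdump output.
SYN_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]+)\]"
)


def inbound_syns(capture, server_ip):
    """Yield (src, dport) for every pure SYN (no ACK) addressed to server_ip."""
    for line in capture.splitlines():
        m = SYN_RE.search(line)
        if m and m["dst"] == server_ip and m["flags"] == "S":
            yield m["src"], int(m["dport"])


def port_mismatches(capture, server_ip, listening_ports):
    """Count inbound SYNs per destination port that the server does not serve.

    The backend answers such SYNs with RST, which the client sees as
    'connection refused'. A non-empty result points at the forwarding path
    (e.g. a NAT rule keeping the original port) rather than at the web server.
    """
    counts = Counter()
    for _src, dport in inbound_syns(capture, server_ip):
        if dport not in listening_ports:
            counts[dport] += 1
    return dict(counts)


if __name__ == "__main__":
    # The WAF is expected to translate 443 -> 80, so only port 80 should appear.
    for port, n in port_mismatches(SAMPLE_CAPTURE, "10.1.1.50", {80}).items():
        print(f"{n} SYN(s) arrived on port {port}, which the backend does not serve")
```

Feed it `tcpdump -nn -i <iface> 'tcp[tcpflags] & tcp-syn != 0'` output from the real server to reproduce the check on live traffic.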

  • In the NAT rules, I see this auto generated rule which looks to be the culprit?

  • Disabling this NAT rule seems to have fixed the issue.

    I can now browse to my https://www.my-site.uk and access the site!

     

    Very strange, considering the NAT rule wasn't something of my own

  • Hi  

    That is a loopback rule created when the DNAT configuration is there. It used to allow LAN users to use public IP of the DNAT to access the server. We are glad that the issue got resolved.

    Regards,

    Keyur
    Community Support Engineer | Sophos Support
    Sophos Support VideosKnowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link

  • Thanks for your reply,

     

    "It used to allow LAN users to use public IP of the DNAT to access the server"

    But I can't access the service (from LAN) when enabled, and I can access it when it is disabled?

    so it would seem to me that the rule defeats the point?

     

    The NAT rule shows that the destination is my webserver, and that the translated port is the original port used in the request.

    For my WAF service I'm performing a PAT 443 -> 80, so I don't see how the NAT rule would help in this case?

  • The description for this NAT rule, is:

    "Loopback rule for NAT rule with ID #7 and rule name DNAT to caton-edge_1586710100575."

     

    But there is no NAT rule with ID #7, perhaps this rule is missing and why it's not working?

  • Hi  

    Is there any firewall rule or NAT/DNAT rule for caton-edge in the configuration?

    Regards,

    Keyur
    Community Support Engineer | Sophos Support