This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF Rule - Nginx site can't be accessed (SFOS 18.0.0 GA-Build354)

Hi,

I'm using a home licence (XG 18.0.0 GA-Build354) on my own hardware and I'm trying to configure a simple web server to be externally available via a WAF rule.

Setup:

Example:

WAN - 11.22.33.44 (www.my-site.uk)

LAN - 10.1.1.50 (caton-edge)

The setup for the most part is simple, I have a host within my LAN that's running Nginx within a container.

The host that is running Nginx has been configured as a web service within Sophos:

I can access the Nginx page internally on port 80 (http://10.1.1.50) without issue.

My WAF rule looks like so:

For the WAF rule I have HTTPS certs from Lets Encrypt that I would like to use.

So the cert is the cert generated by the certbot.

Issue:

Once the WAF rule is running, I'm unable to access the site via it's configured (external) DNS name e.g. 11.22.33.44 (https:/.../www.my-site.uk) from either the WAN or LAN interface,

The response received is that the connection is refused:

Troubleshooting:

After reading around on the Sophos site I see that the Web Portal runs on port 443 (although internal only), but to ensure that there is no port conflict I have disabled this via:

Administration > Device Access > User Portal (uncheck WAN)

And I have changed the port number of the User portal to something other than 443.

To ensure the above is effective, I have rebooted the device as a belt and braces approach.

With the above in place, I still get the same (no) response.

What I have found to work, is changing the HTTPS port in the WAF rule, so that the external port is e.g. 445

When accessing https://www.my-site.uk:445 the site loads as expected - the same is also true when configuring the WAF rule as HTTP rather than HTTPS

However, when returning back to the default of 443, the same connection refused error is presented.

I have looked through both the Web server protection logs and IPS logs, and nothing is logged upon failure, only when the above steps are taken to change the port number are records logged (also tail -f /log/reverseproxy.log on the advanced shell).

Thanks in advance, any help will be appreciated.

This thread was automatically locked due to age.

Parents

0 Keyur over 4 years ago

Hi Chris Martin2

You can try packet capture utility to check the traffic and change the user portal port to other than 443 and enable user portal access.

https://community.sophos.com/kb/en-us/124574 - WAF troubleshooting

https://community.sophos.com/kb/en-us/126470- WAF configuration

https://community.sophos.com/kb/en-us/123189 - Packet capture

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 Chris Martin2 over 4 years ago in reply to Keyur

I have disabled the web user portal completely, so I'm not sure why port 443 is being used,

A netstat on the firewall CLI shows that Apache is listening but I'd believe that to be expected?

The /log/reverseproxy.log mentioned doesn't provide much detail:

SFVH_SO01_SFOS 18.0.0 GA-Build354# tail -f /log/reverseproxy.log
AH00112: Warning: DocumentRoot [/sdisk/waffiles/0e8433f9a404f1f3ba601c14b026d321] does not exist
[Wed Apr 15 21:22:21.857062 2020] [mpm_worker:notice] [pid 5182:tid 140121896452544] AH00295: caught SIGTERM, shutting down
AH00112: Warning: DocumentRoot [/sdisk/waffiles/0e8433f9a404f1f3ba601c14b026d321] does not exist
[Wed Apr 15 21:22:24.000822 2020] [security2:notice] [pid 22252:tid 139773011489216] ModSecurity for Apache/2.9.3 (http://www.modsecurity.org/) configured.
[Wed Apr 15 21:22:24.000910 2020] [security2:notice] [pid 22252:tid 139773011489216] ModSecurity: APR compiled version="1.5.2"; loaded version="1.5.2"
[Wed Apr 15 21:22:24.000917 2020] [security2:notice] [pid 22252:tid 139773011489216] ModSecurity: PCRE compiled version="8.43 "; loaded version="8.43 2019-02-23"
[Wed Apr 15 21:22:24.000922 2020] [security2:notice] [pid 22252:tid 139773011489216] ModSecurity: LIBXML compiled version="2.9.9"
[Wed Apr 15 21:22:24.000926 2020] [security2:notice] [pid 22252:tid 139773011489216] ModSecurity: Status engine is currently disabled, enable it by set SecStatusEngine to On.
[Wed Apr 15 21:22:25.003002 2020] [mpm_worker:notice] [pid 22255:tid 139773011489216] AH00292: Apache/2.4.25 (Unix) OpenSSL/1.0.2r-fips configured -- resuming normal operations
[Wed Apr 15 21:22:25.003117 2020] [core:notice] [pid 22255:tid 139773011489216] AH00094: Command line: '/usr/apache/bin/httpd -E /log/reverseproxy.log'
Cancel
Vote Up 0 Vote Down

Cancel
0 Chris Martin2 over 4 years ago in reply to Chris Martin2

After doing some further testing, I have setup a packet capture on my webserver:

The external interface/WAF is listening on port 443,

my internal server is listening on port 80.

The traffic that is being received on the external interface is being passed to my webserver on port 443 (it's listening on 80)

On my Sophos, the webserver is configured to listen on port 80:

Is there a means of further investigating / troubleshooting this?
Cancel
Vote Up 0 Vote Down

Cancel
0 Chris Martin2 over 4 years ago in reply to Chris Martin2

In the NAT rules, I see this auto generated rule which looks to be the culprit?
Cancel
Vote Up 0 Vote Down

Cancel
+1 Chris Martin2 over 4 years ago in reply to Chris Martin2

Disabling this NAT rule seems to have fixed the issue.

I can now browse to my https://www.my-site.uk and access the site!

Very strange, considering the NAT rule wasn't something of my own
Cancel
Vote Up 0 Vote Down

Cancel
0 Keyur over 4 years ago in reply to Chris Martin2

Hi Chris Martin2

That is a loopback rule created when the DNAT configuration is there. It used to allow LAN users to use public IP of the DNAT to access the server. We glad that issue gets resolved.

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 Chris Martin2 over 4 years ago in reply to Keyur

Thanks for your reply,

"It used to allow LAN users to use public IP of the DNAT to access the server"

But I can't access the service (from LAN) when enabled, and I can access it when it is disabled?

so it would seem to me that the rule defeats the point?

The NAT rule shows that the destination is my webserver, and that the port used, is the translated port is the original port used in the request.

For my WAF service I'm performing a PAT 443 -> 80, so I don't see how the NAT rule would help in this case?
Cancel
Vote Up 0 Vote Down

Cancel
0 Chris Martin2 over 4 years ago in reply to Chris Martin2

The description for this NAT rule, is:

"Loopback rule for NAT rule with ID #7 and rule name DNAT to caton-edge_1586710100575."

But there is no NAT rule with ID #7, perhaps this rule is missing and why it's not working?
Cancel
Vote Up 0 Vote Down

Cancel
0 Keyur over 4 years ago in reply to Chris Martin2

Hi Chris Martin2

Is there any rule for Caton-edge firewall rule or NAT/DNAT rule in the configuration?

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Keyur over 4 years ago in reply to Chris Martin2

Hi Chris Martin2

Is there any rule for Caton-edge firewall rule or NAT/DNAT rule in the configuration?

Regards,

Keyur
Community Support Engineer | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data