HTTPS WAF redirect loop

Set up: Client <---> Sophos HTTPS WAF (Ports 80 & 443) <---> HTTP Wordpress Server (Port 80)

The reverse proxy seems to keep redirecting me to HTTPS on port 443 despite the request being for HTTPS on port 443.

~$ wget http://blog.mysite.com/ -O /dev/null
--2021-10-20 15:31:39--  http://blog.mysite.com/
Resolving blog.mysite.com (blog.mysite.com)... 123.123.123.123
Connecting to blog.mysite.com (blog.mysite.com)|123.123.123.123|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://blog.mysite.com:443/ [following]
--2021-10-20 15:31:39--  https://blog.mysite.com/
Connecting to blog.mysite.com (blog.mysite.com)|123.123.123.123|:443... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://blog.mysite.com:443/ [following]
--2021-10-20 15:31:39--  https://blog.mysite.com/
Reusing existing connection to blog.mysite.com:443.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://blog.mysite.com:443/ [following]
--2021-10-20 15:31:39--  https://blog.mysite.com/
Reusing existing connection to blog.mysite.com:443.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://blog.mysite.com:443/ [following]

The WAF behaves the same when the initial request is for HTTPS on port 443.

I looked at the reverse proxy config file at /cfs/waf/reverseproxy.conf and there are no redirect directives under the HTTPS (port 443) VirtualHost, so I'm confused as to how I end up in a redirect loop.

I set up a packet capture on the HTTP server and noticed that none of these requests are hitting the web server, just a ping-pong between the client and HTTPS WAF reverse proxy.

/log/reverseproxy.log:

[Wed Oct 20 15:46:42.791833 2021] timestamp="1634759202" srcip="172.16.2.212" localip="123.123.123.123" user="-" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" duration="1269" url="/" server="blog.mysite.com" referer="-" cookie="-" set-cookie="-" recvbytes="1161" sentbytes="4990" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="30"
[Wed Oct 20 15:46:42.844237 2021] timestamp="1634759202" srcip="169.254.234.5" localip="123.123.123.123" user="-" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" duration="248" url="/" server="blog.mysite.com" referer="-" cookie="-" set-cookie="-" recvbytes="624" sentbytes="488" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="30"
[Wed Oct 20 15:46:42.843673 2021] timestamp="1634759202" srcip="172.16.2.212" localip="123.123.123.123" user="-" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" duration="1374" url="/" server="blog.mysite.com" referer="-" cookie="-" set-cookie="-" recvbytes="1161" sentbytes="4990" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="30"
[Wed Oct 20 15:46:42.876101 2021] timestamp="1634759202" srcip="169.254.234.5" localip="123.123.123.123" user="-" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" duration="413" url="/" server="blog.mysite.com" referer="-" cookie="-" set-cookie="-" recvbytes="624" sentbytes="488" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="30"
[Wed Oct 20 15:46:42.875577 2021] timestamp="1634759202" srcip="172.16.2.212" localip="123.123.123.123" user="-" method="GET" statuscode="301" reason="-" extra="-" exceptions="-" duration="1300" url="/" server="blog.mysite.com" referer="-" cookie="-" set-cookie="-" recvbytes="1161" sentbytes="4990" protocol="HTTP/1.1" ctype="text/html" uagent="Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) Gecko/20100101 Firefox/94.0" querystring="" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" ruleid="30"

Also I'm not sure why some requests are coming from a self-assigned IP, as highlighted above.
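
An added example, not part of the original post and not Sophos tooling: a small Python parser for the key="value" layout of the reverseproxy.log lines above that counts repeated redirects per server and URL and lists link-local source addresses. The sample lines, the threshold and the time window are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: same key="value" layout as the reverseproxy.log lines in
# the post, with most fields trimmed; the last line is an invented non-redirect.
SAMPLE = """\
[Wed Oct 20 15:46:42.791833 2021] timestamp="1634759202" srcip="172.16.2.212" statuscode="301" url="/" server="blog.mysite.com" set-cookie="-"
[Wed Oct 20 15:46:42.844237 2021] timestamp="1634759202" srcip="169.254.234.5" statuscode="301" url="/" server="blog.mysite.com" set-cookie="-"
[Wed Oct 20 15:46:42.843673 2021] timestamp="1634759202" srcip="172.16.2.212" statuscode="301" url="/" server="blog.mysite.com" set-cookie="-"
[Wed Oct 20 15:46:42.876101 2021] timestamp="1634759202" srcip="169.254.234.5" statuscode="301" url="/" server="blog.mysite.com" set-cookie="-"
[Wed Oct 20 15:46:50.000000 2021] timestamp="1634759210" srcip="172.16.2.212" statuscode="200" url="/about" server="blog.mysite.com" set-cookie="-"
""".splitlines()

FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')
REDIRECTS = {"301", "302", "307", "308"}

def parse_line(line):
    """Turn one log line into a dict of its key="value" fields."""
    return dict(FIELD_RE.findall(line))

def find_redirect_loops(lines, threshold=3, window=5):
    """Map (server, url) -> most redirects seen within `window` seconds."""
    stamps = defaultdict(list)
    for rec in map(parse_line, lines):
        if rec.get("statuscode") in REDIRECTS and "timestamp" in rec:
            stamps[(rec.get("server"), rec.get("url"))].append(int(rec["timestamp"]))
    loops = {}
    for key, times in stamps.items():
        times.sort()
        start = best = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            loops[key] = best
    return loops

def link_local_sources(lines):
    """Return srcip values that fall in 169.254.0.0/16 or fe80::/10."""
    found = set()
    for rec in map(parse_line, lines):
        try:
            if ipaddress.ip_address(rec.get("srcip", "")).is_link_local:
                found.add(rec["srcip"])
        except ValueError:
            pass  # srcip missing or logged as "-"
    return found

if __name__ == "__main__":
    print(find_redirect_loops(SAMPLE), link_local_sources(SAMPLE))
```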