
XG Reverse Proxy fails

Hello experts

I am struggling to get a Docker container of vaultwarden up and running in my internal network. Since vaultwarden has limited support for HTTPS, I tried to use XG as a reverse proxy, but I cannot connect. I assume it is irrelevant for the setup whether the protected server is a container or something else. It would be great if you could give me a hint on how I can find out what I have done wrong.
I can connect via HTTP to the container (protected server - I call it real server here) directly.
In XG, I created a web server like this:
My firewall rule looks like this. I have tested with different gateways (Port 1.*), but none of them worked. As I wrote above, this setup is in my internal network, and I have no access from the internet, which would be the WAN port.
The only XG test option I found was the policy test, and that looks good to me - at least it is green, even though I do not know what 'Not decrypted' means.
For any suggestions on how to find out what is missing, I am very thankful.
Thank you
Patric


  • Hello!

    What error are you getting while connecting to Vaultwarden proxied through the Firewall?

    Is it a 403 error? 404?

    Is DNS working as expected? (Is the domain resolving, at the client, to the same IPv4 address as "Port1.150" of the Firewall?)

    Can you send a screenshot of the Log Viewer at the "Web server protection" section?

    I assume, it is irrelevant for the setup whether the protected server is a container or something else.

    Indeed, it's irrelevant for this issue.

    Also, it's "better" to use the standard HTTPS port with WAF (TCP/443), for sanity reasons.

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Thank you Prism,

    I only saw your response now because I did not receive any notification.

    I have not managed to display the HTTP error code (neither in Safari nor in Chrome). In Chrome I get ERR_CONNECTION_CLOSED, and the internet says it is 444. In Safari, on the other hand, the description is rather that a secure connection could not be established.

    My MacBook client can resolve the address and domain, but in XG under Diagnostics -> Name lookup I cannot resolve the IP address. I was told that this is not an issue, as the reverse proxy just forwards what is received. I created the relevant DNS entry in XG under Network -> DNS and was surprised that XG itself does not seem to check that. Besides the locally maintained DNS entries, I have only set DNS 1 to my DSL router.

    When I open the log and try to access the domain, no log entries show up.

    regards

  • When I open the log and try to access the domain, no log entries show up.

    This really looks like a DNS issue.

    Just to be sure WAF is running as expected, can you access "https://firewallip:1443" and check whether it shows a "403 Forbidden" error?

    From your images it should be "10.10.150.1:1443".

    Also check whether something appears in the Log Viewer after this; if it does, then it's DNS.

    EDIT: I've used the Sophos Firewall WAF with Vaultwarden for ~8 months (hosted in a Docker container). Back then it worked as expected (including the WebSockets notifications).



  • Hi Prism

    I have now configured XG as the DNS server and also defined a DNS request route to the XG.

    I also moved the reverse proxy to the same VLAN in which my client is (Port 1.110).

    When using firewall:1443 (now 10.10.110.1:1443), I still get HTTP 444 and no logs are written.

    As I understand it, this error code does not send anything back in order to prevent attacks.

    Do I somehow need to initially switch on the reverse proxy functionality?

    Why have you stopped using this setup?

  • Do I somehow need to initially switch on the reverse proxy functionality?

    Can you check in the Web Admin, under "System services" then "Services", whether the "WAF" service is running? If not, start it.

    Also, do you have any NAT rule in place which could be using the same TCP port? NAT rules take priority over WAF policies.

    If there are no logs available then the client didn't reach the WAF at all.

    Why have you stopped using this setup?

    The WAF available with the Firewall doesn't have the "necessary" capabilities for me to use it as a reverse proxy, such as HTTP header modification (adding or removing), TLS 1.3 or HTTP/2.

    But the actual reason why I stopped using it is the performance of my XG 115w. Adding, removing or even modifying a single WAF policy takes minutes.


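The checks suggested in the replies above (does the name resolve on the client to the firewall IP, does a connection to firewall:1443 reach the WAF and get a 403, or is it closed before any response, or refused because nothing listens / a NAT rule grabbed the port) can be scripted from the client so the outcome is classified instead of guessed from a browser error page. The following is an added example, not code from the thread, from Sophos or from vaultwarden. The IP 10.10.110.1 and port 1443 are the values mentioned in the thread; the hostname `vault.example.internal` and the tiny localhost listeners used to demonstrate the three outcomes offline are assumptions constructed for this example.

```python
"""Client-side probe for a WAF / reverse-proxy listener (added example).

Distinguishes, the way the thread does, between:
  * the name not resolving to the firewall IP on this client,
  * a TCP connection that is refused (nothing listening, or a NAT rule
    taking the port before the WAF policy),
  * a connection closed before any HTTP response (Chrome's
    ERR_CONNECTION_CLOSED), and
  * an HTTP answer, where a 403 from the WAF means the request got there.
"""
import socket
import ssl
import sys
import threading


def resolve_matches(hostname, expected_ip):
    """Return (sorted IPv4 answers on this client, expected_ip among them)."""
    try:
        infos = socket.getaddrinfo(hostname, None, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return [], False
    ips = sorted({info[4][0] for info in infos})
    return ips, expected_ip in ips


def classify_response(data):
    """Classify the raw bytes received after a request was sent."""
    if not data:
        return ("closed", None)            # peer closed without sending a byte
    status = data.split(b"\r\n", 1)[0].split(b" ")
    if len(status) >= 2 and status[0].startswith(b"HTTP/") and status[1].isdigit():
        return ("http", int(status[1]))
    return ("not_http", None)              # something answered, but not HTTP


def probe(host, port, server_name=None, use_tls=True, timeout=3.0):
    """Connect, optionally TLS-wrap, send a minimal GET and classify the outcome.

    Returns (stage, detail): ("refused", None), ("timeout", None),
    ("closed_during_tls", exception name), ("closed", None),
    ("http", status code) or ("not_http", None).
    """
    server_name = server_name or host
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", None)
    except (socket.timeout, TimeoutError):
        return ("timeout", None)
    try:
        if use_tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE   # reachability check only, no cert validation
            try:
                sock = ctx.wrap_socket(sock, server_hostname=server_name)
            except OSError as exc:            # ssl.SSLEOFError, ConnectionResetError, ...
                return ("closed_during_tls", type(exc).__name__)
        request = f"GET / HTTP/1.1\r\nHost: {server_name}\r\nConnection: close\r\n\r\n".encode()
        data = b""
        try:
            sock.sendall(request)
            while len(data) < 4096:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
        except (socket.timeout, TimeoutError):
            return ("timeout", None) if not data else classify_response(data)
        except OSError:                       # reset / broken pipe after the request
            return ("closed", None) if not data else classify_response(data)
        return classify_response(data)
    finally:
        sock.close()


def serve_once(behaviour):
    """Constructed one-shot localhost listener to demonstrate `probe` offline.

    "close":     accept, then close without sending anything (the 444-style case)
    "forbidden": read the request, answer a plain-HTTP 403 (sample WAF-like reply)
    Returns the listening port; the accept runs in a background thread.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        with conn:
            if behaviour == "forbidden":
                conn.recv(4096)
                conn.sendall(b"HTTP/1.1 403 Forbidden\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def free_closed_port():
    """Pick a localhost port nothing listens on, to show the 'refused' outcome."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    if len(sys.argv) == 4:   # e.g. python probe.py 10.10.110.1 1443 vault.example.internal
        ip, port, name = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        print("dns:", resolve_matches(name, ip))
        print("waf:", probe(ip, port, server_name=name))
    else:                    # offline demonstration against the constructed listeners
        print(probe("127.0.0.1", serve_once("forbidden"), use_tls=False))  # ("http", 403)
        print(probe("127.0.0.1", serve_once("close")))                     # stage "closed_during_tls"
        print(probe("127.0.0.1", free_closed_port()))                      # ("refused", None)
```

Run it from the client that cannot connect, against the IP the WAF listens on: a `refused` result means nothing is accepting the TCP port (WAF service stopped, or a NAT rule with priority over the WAF policy), `closed_during_tls` or `closed` means something accepted the connection but dropped it before answering, and `("http", 403)` means the WAF itself answered and the remaining problem is the name or the WAF policy, which is where the Log Viewer entries should then appear.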
