This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

utm 9 reverse proxy configuration

i want to use the utm 9 virtual webserver protection reverse proxy to protect my nextcloud installation.

I have nextcloud with collabora running in docker, and I cant get collabora working. I imported the letsencrypt certificates to the utm, wo the ssl is not a problem. Hase someone an idea on hwo to modify the reverse proxy on the utm to get it working with collabora?



This thread was automatically locked due to age.
Parents
  • I have the same problem with my installation. Reverse Proxy for login in and file exchange works fine, but i can not open or edit files with collabora. Every time i try to open a file i get a white screen but the document is not opened.

    I think ssl is also on my side not a problem. But i think the utm has a problem with the different names - cloud.... for my nextcloud installation and office.... for the collabora installation. Do you think this is possible?

    Here are some logfile entrys:

    2017:06:25-22:47:07 remote httpd[31268]: [core:notice] [pid 31268:tid 3995577200] [client 91.17.50.163:59112] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../7_ocukbswiqfwn, returning 404


    2017:06:25-22:47:07 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="373" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="1568" url="/lool/cloud.server.com/.../7_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVAhS6wUYAEAAHokKKgAAACm"


    2017:06:25-22:47:08 remote httpd[31268]: [core:notice] [pid 31268:tid 3978791792] [client 91.17.50.163:59113] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../7_ocukbswiqfwn, returning 404


    2017:06:25-22:47:08 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="373" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="1620" url="/lool/cloud.server.com/.../7_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVAhTKwUYAEAAHokKKkAAACo"

     

    Best regards

    André

  • It seems,clear that it is objecting to the url because it contains %2f.

    I think if you check adjacent log entries for one starting

    "[Modsecurity:", that it will contain a sction of the form [id 123456]    Put that number into the rigid filter exception list.  Or turn off rigid filtering completely (which weakens security more.)

  • Hi Douglas,

    i have been looking in the log with activated firewall profile. I found the 3 following ids and made exclusions - 950120, 960032, 981203. I was getting a warning...

    "The list of skipped filter rules contains the following required infrastructure rules: 981203. Disabling a required infrastructure rule can lead to attacks not being blocked by the Web Application Firewall."

    ...and saved the settings.

    But opening a document with collabora is also not working, see logs down below:

    2017:06:26-22:36:56 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="1523" user="-" host="91.17.50.163" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" time="242458" url="/loleaflet/4f4593a/loleaflet.html" server="office.server.com" port="443" query="?WOPISrc=https%3A%2F%2Fcloud.server.com%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F262_ocukbswiqfwn&title=About.odt&lang=de-DE&closebutton=1&revisionhistory=1" referer="-" cookie="-" set-cookie="-" uid="WVFwaKwUYAEAAGXQps4AAAAH"


    2017:06:26-22:36:56 remote httpd[26064]: [core:notice] [pid 26064:tid 4062718832] [client 91.17.50.163:52232] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../262_ocukbswiqfwn, returning 404


    2017:06:26-22:36:56 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="375" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="3543" url="/lool/cloud.server.com/.../262_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVFwaKwUYAEAAGXQps8AAAAI"


    2017:06:26-22:36:57 remote httpd[26064]: [core:notice] [pid 26064:tid 4054326128] [client 91.17.50.163:52233] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../262_ocukbswiqfwn, returning 404


    2017:06:26-22:36:57 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="375" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="2975" url="/lool/cloud.server.com/.../262_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVFwaawUYAEAAGXQptAAAAAJ"

    Is it possible that the utm has a problem with the redirection and the 2 different domain names? office.server.com + cloud.server.com

    Any other idea?

    Regards

    André

  • Yes, it seems plausible that a url-within-a-url could cause UTM WAF to get confused.   Suggest you open a case with Sophos Support, if you have not done so already, as it is the only way to get bugs documented and fixed.

  • yes. seem to be a bug. i opend a support ticket and refered to this thread.

    Case 8145469

     

  • André and Stefan, what happens if you select 'Pass host header' in the Virtual Server?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    in my configuration the option "Pass host header" has always been checked. Last time i tested is more than 8 weeks ago and my VM with nextcloud is not running at the moment. I think the certificates are already expired.

    Regards André

  • Andre Winkler said:

    Hey Bob,

    in my configuration the option "Pass host header" has always been checked. Last time i tested is more than 8 weeks ago and my VM with nextcloud is not running at the moment. I think the certificates are already expired.

    Regards André

     

     

    Same here. But i tested with this option and wihout. no change. but without this option i don't see the taskbar from Collabora. So the option should be checked. that is important.

  • Hi,

    In case you're talking about the error "AH00026: found %2f (encoded '/') in ... returning 404": That's because Apache by default won't allow this. The solution is to add "AllowEncodedSlashes On" within the vhost config of reverseproxy.conf ; However, this can only done manually. But as soon as you make a change in the GUI, it's overwritten.

    Sophos had this feature implemented (according to support) in NUTM-2373, but the removed it again because it was leading to "other issues". The manual change was provided as workaround.

    Because I can't ask my customers to call me everytime they make a change in the GUI so I can update the reverseproxy.conf, and I wanted to create a way so my customers can "add" it them self, I've updated the script which (re)starts the reverseproxy service:

    === START PATCH
    <M> fw:/var/mdw/scripts # diff -Nura reverseproxy.orig reverseproxy
    --- reverseproxy    2018-07-06 11:38:01.464266168 +0200
    +++ reverseproxy.new    2018-07-06 13:47:37.722784507 +0200
    @@ -35,7 +35,20 @@
         ${APACHE2CTL_LOG}
     }
     
    +apache_allowslashes() {
    +    grep -q 'PATH "/AllowEncodedSlashes/"' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    +    MYRESULT=$?
    +
    +    if [ ${MYRESULT} -eq 0 ]; then
    +        echo "AllowEncodedSlashes found - fixing" | log
    +        sed -i 's|WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus|AllowEncodedSlashes On|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    +    else
    +        echo "AllowEncodedSlashes not found - skipping" | log
    +    fi
    +}
    +
     apache_conftest() {
    +    apache_allowslashes
         chroot ${CHROOT} ${APACHE2CTL} configtest 2>&1 | log
         if [ $? -ne 0 ]; then
             return 1

    === END PATCH

    This way, the only thing my customer has to do when I wants 'AllowEncodedSlashes On' enabled for a virtual server, is create an exception under "Webserver Protection" > Firewall Policies > [Exceptions]. The param of the exception needs to be excluding anti-virus for the path /AllowEncodedSlashes/

    That's all! Works like a charm. Only thing to keep in mind is when you update the appliance, you need to check if the start script has been changed and if so, re-apply the patch. And I added the hook right before the actual config test, so when (in any strange way) my hook renders the config invalid, it keeps working because the reload/restart won't be executed.

    I hope this is of some help to anyone.

    Cheers,
    Onno.

  • Hoi Onno and welcome to the UTM Community!

    Thanks for joining us - it's very rare that a first post here is a solution to a problem.

    The OP was running in Docker.  Is your solution one that will allow WAF to work well with apps in Docker?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi there,

     

    no. Doesn't work. or i did something wrong.

    Here are some screenshots:

     

  • Hi Stefan,

    The image of the Exception is not legible.  Instead of the screencap of the code, please copy and paste the text.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply Children
No Data