I want to use the UTM 9 Virtual Webserver Protection reverse proxy to protect my Nextcloud installation.
I have Nextcloud with Collabora running in Docker, and I can't get Collabora working. I imported the Let's Encrypt certificates to the UTM, so SSL is not a problem. Does someone have an idea on how to modify the reverse proxy on the UTM to get it working with Collabora?
I have the same problem with my installation. The reverse proxy for logging in and file exchange works fine, but I cannot open or edit files with Collabora. Every time I try to open a file I get a white screen, but the document is not opened.
I think SSL is also not a problem on my side. But I think the UTM has a problem with the different names - cloud.... for my Nextcloud installation and office.... for the Collabora installation. Do you think this is possible?
Here are some log file entries:
2017:06:25-22:47:07 remote httpd[31268]: [core:notice] [pid 31268:tid 3995577200] [client 91.17.50.163:59112] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../7_ocukbswiqfwn, returning 404
2017:06:25-22:47:07 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="373" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="1568" url="/lool/cloud.server.com/.../7_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVAhS6wUYAEAAHokKKgAAACm"
2017:06:25-22:47:08 remote httpd[31268]: [core:notice] [pid 31268:tid 3978791792] [client 91.17.50.163:59113] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../7_ocukbswiqfwn, returning 404
2017:06:25-22:47:08 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="373" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="1620" url="/lool/cloud.server.com/.../7_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVAhTKwUYAEAAHokKKkAAACo"
Best regards
André
It seems clear that it is objecting to the URL because it contains %2f.
I think if you check adjacent log entries for one starting
"[Modsecurity:", it will contain a section of the form [id 123456]. Put that number into the rigid filter exception list. Or turn off rigid filtering completely (which weakens security more).
Hi Douglas,
I have been looking in the log with the activated firewall profile. I found the following 3 IDs and made exclusions - 950120, 960032, 981203. I was getting a warning...
"The list of skipped filter rules contains the following required infrastructure rules: 981203. Disabling a required infrastructure rule can lead to attacks not being blocked by the Web Application Firewall."
...and saved the settings.
But opening a document with Collabora is still not working, see the logs below:
2017:06:26-22:36:56 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="1523" user="-" host="91.17.50.163" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" time="242458" url="/loleaflet/4f4593a/loleaflet.html" server="office.server.com" port="443" query="?WOPISrc=https%3A%2F%2Fcloud.server.com%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F262_ocukbswiqfwn&title=About.odt&lang=de-DE&closebutton=1&revisionhistory=1" referer="-" cookie="-" set-cookie="-" uid="WVFwaKwUYAEAAGXQps4AAAAH"
2017:06:26-22:36:56 remote httpd[26064]: [core:notice] [pid 26064:tid 4062718832] [client 91.17.50.163:52232] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../262_ocukbswiqfwn, returning 404
2017:06:26-22:36:56 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="375" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="3543" url="/lool/cloud.server.com/.../262_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVFwaKwUYAEAAGXQps8AAAAI"
2017:06:26-22:36:57 remote httpd[26064]: [core:notice] [pid 26064:tid 4054326128] [client 91.17.50.163:52233] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../262_ocukbswiqfwn, returning 404
2017:06:26-22:36:57 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="375" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="2975" url="/lool/cloud.server.com/.../262_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVFwaawUYAEAAGXQptAAAAAJ"
Is it possible that the UTM has a problem with the redirection and the 2 different domain names? office.server.com + cloud.server.com
Any other idea?
Regards
Yes, it seems plausible that a URL-within-a-URL could cause the UTM WAF to get confused. I suggest you open a case with Sophos Support, if you have not done so already, as it is the only way to get bugs documented and fixed.
Yes, it seems to be a bug. I opened a support ticket and referred to this thread.
Case 8145469
André and Stefan, what happens if you select 'Pass host header' in the Virtual Server?
Cheers - Bob
Hey Bob,
In my configuration the option "Pass host header" has always been checked. The last time I tested was more than 8 weeks ago, and my VM with Nextcloud is not running at the moment. I think the certificates have already expired.
Regards André
Andre Winkler said: Hey Bob, in my configuration the option "Pass host header" has always been checked. The last time I tested was more than 8 weeks ago, and my VM with Nextcloud is not running at the moment. I think the certificates have already expired. Regards André
Same here. But I tested with this option and without; no change. But without this option I don't see the taskbar from Collabora. So the option should be checked; that is important.
Hi,

In case you're talking about the error "AH00026: found %2f (encoded '/') in ... returning 404": that's because Apache by default won't allow this. The solution is to add "AllowEncodedSlashes On" within the vhost config of reverseproxy.conf; however, this can only be done manually, and as soon as you make a change in the GUI, it's overwritten. Sophos had this feature implemented (according to support) in NUTM-2373, but they removed it again because it was leading to "other issues". The manual change was provided as a workaround.

Because I can't ask my customers to call me every time they make a change in the GUI so I can update the reverseproxy.conf, and I wanted to create a way so my customers can "add" it themselves, I've updated the script which (re)starts the reverseproxy service:

=== START PATCH
<M> fw:/var/mdw/scripts # diff -Nura reverseproxy.orig reverseproxy--- reverseproxy 2018-07-06 11:38:01.464266168 +0200+++ reverseproxy.new 2018-07-06 13:47:37.722784507 +0200@@ -35,7 +35,20 @@ ${APACHE2CTL_LOG} } +apache_allowslashes() {+ grep -q 'PATH "/AllowEncodedSlashes/"' ${CHROOT}/usr/apache/conf/reverseproxy.conf+ MYRESULT=$?++ if [ ${MYRESULT} -eq 0 ]; then+ echo "AllowEncodedSlashes found - fixing" | log+ sed -i 's|WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus|AllowEncodedSlashes On|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf+ else+ echo "AllowEncodedSlashes not found - skipping" | log+ fi+}+ apache_conftest() {+ apache_allowslashes chroot ${CHROOT} ${APACHE2CTL} configtest 2>&1 | log if [ $? -ne 0 ]; then return 1
=== END PATCH

This way, the only thing my customer has to do when he wants 'AllowEncodedSlashes On' enabled for a virtual server is create an exception under "Webserver Protection" > Firewall Policies > [Exceptions]. The parameter of the exception needs to be: excluding anti-virus for the path /AllowEncodedSlashes/. That's all! Works like a charm.
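Review bot: the `MYRESULT` test in `apache_allowslashes` only proves that the marker `PATH "/AllowEncodedSlashes/"` exists; the `sed` on the next line is stricter (it needs the exact text `WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus`), so if the UTM ever emits that exception line with a different flag order or an extra skip flag, the function logs "found - fixing" while rewriting nothing, and the placeholder exception stays in the generated config. Check the outcome of the rewrite rather than the grep, e.g. re-run `grep -q 'PATH "/AllowEncodedSlashes/"'` after the `sed` and log a failure if the marker is still present. Also worth a comment in the function: the replacement lands wherever the UTM emits that `WAFExceptions` line, and `AllowEncodedSlashes` is only valid in server config and virtual host context, so if the line sits inside a `<Location>` or `<Directory>` block the `configtest` called right after will fail; that is the safety net described in the post, but the log message should say "rewritten, verifying with configtest" rather than "fixing" so the operator knows why a reload was refused.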
The only thing to keep in mind is that when you update the appliance, you need to check if the start script has been changed and, if so, re-apply the patch. And I added the hook right before the actual config test, so when (in any strange way) my hook renders the config invalid, it keeps working because the reload/restart won't be executed.

I hope this is of some help to anyone.

Cheers,
Onno.
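The two things the thread turns on are (a) that the UTM's request log shows only an ordinary 404 while the real reason, the encoded slash, appears in a separate Apache core:notice, and (b) that Apache's AllowEncodedSlashes setting decides what happens to %2F in the path but never looks at the query string, which is why the loleaflet POST with WOPISrc=...%2F... returned 200 while the /lool/... GET was rejected. The following script is an added example, not code from the thread, from Sophos or from the Collabora project: it parses a constructed sample log modelled on the lines quoted above (example.com hosts, a documentation IP and placeholder uids), correlates the AH00026 notices with their 404 entries, and models the Off / On / NoDecode behaviour of AllowEncodedSlashes on a reconstructed request path. The Apache model is deliberately simplified (it ignores backslashes and the exact decode order) and the sample request target is an assumption about what Collabora sends, not a capture.

```python
import re
from urllib.parse import unquote

# Constructed sample log, modelled on the UTM "httpd" lines quoted in this
# thread (placeholder hosts, client address and uids; NOT the original lines).
# Line 1: the POST carrying %2F only inside the query string (WOPISrc) -> 200.
# Line 2: the Apache core notice for a %2F in the *path* of the next request.
# Line 3: the matching request-log entry; note that UTM logs the decoded url.
SAMPLE_LOG = """\
2017:06:26-22:36:56 remote httpd: id="0299" srcip="198.51.100.10" localip="172.20.96.1" size="1523" user="-" host="198.51.100.10" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" time="242458" url="/loleaflet/4f4593a/loleaflet.html" server="office.example.com" port="443" query="?WOPISrc=https%3A%2F%2Fcloud.example.com%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F262_abc" referer="-" cookie="-" set-cookie="-" uid="AAA"
2017:06:26-22:36:56 remote httpd[26064]: [core:notice] [pid 26064:tid 1] [client 198.51.100.10:52232] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.example.com/apps/richdocuments/wopi/files/262_abc, returning 404
2017:06:26-22:36:56 remote httpd: id="0299" srcip="198.51.100.10" localip="172.20.96.1" size="375" user="-" host="198.51.100.10" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="3543" url="/lool/cloud.example.com/apps/richdocuments/wopi/files/262_abc" server="office.example.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="BBB"
"""

KV_RE = re.compile(r'([\w-]+)="([^"]*)"')
NOTICE_RE = re.compile(
    r"\[client (?P<client>[^:\]]+):(?P<port>\d+)\] AH00026: .*?"
    r"\(decoded='(?P<decoded>.*?), returning 404"
)


def find_encoded_slash_rejections(log_text):
    """Correlate AH00026 core notices with the 404 request-log entries.

    The request-log line alone looks like an ordinary 404 (its url field is
    already decoded), so the core:notice is the only evidence that the WAF's
    Apache rejected the request because of an encoded slash.
    """
    notices, requests = [], []
    for line in log_text.splitlines():
        m = NOTICE_RE.search(line)
        if m:
            notices.append(m.groupdict())
        elif 'id="0299"' in line:
            requests.append(dict(KV_RE.findall(line)))
    hits = []
    for n in notices:
        for r in requests:
            if (r.get("srcip") == n["client"] and r.get("statuscode") == "404"
                    and r.get("url") == n["decoded"]):
                hits.append({"client": n["client"], "path": n["decoded"],
                             "server": r.get("server"), "uid": r.get("uid")})
    return hits


def encoded_slash_decision(request_target, setting="Off"):
    """Simplified model of Apache's AllowEncodedSlashes handling.

    Only the path is inspected; %2F inside the query string never triggers
    AH00026 (which is why the loleaflet POST with WOPISrc=...%2F... got 200).
      Off      -> 404 if the path contains %2F / %2f
      On       -> accepted, %2F decoded to '/'
      NoDecode -> accepted, %2F kept literally (other escapes decoded)
    """
    path, _, _query = request_target.partition("?")
    has_encoded_slash = re.search(r"%2f", path, re.IGNORECASE) is not None
    if setting == "Off":
        if has_encoded_slash:
            return {"status": 404, "path": None}
        return {"status": 200, "path": unquote(path)}
    if setting == "On":
        return {"status": 200, "path": unquote(path)}
    if setting == "NoDecode":
        parts = re.split(r"%2f", path, flags=re.IGNORECASE)
        return {"status": 200, "path": "%2F".join(unquote(p) for p in parts)}
    raise ValueError("unknown AllowEncodedSlashes setting: %r" % setting)


if __name__ == "__main__":
    for hit in find_encoded_slash_rejections(SAMPLE_LOG):
        print("rejected for encoded slash:", hit)
    # Constructed request target (an assumption about the Collabora URL shape,
    # not a capture): the WOPI source embedded in the path with encoded slashes.
    target = "/lool/cloud.example.com%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F262_abc"
    for setting in ("Off", "On", "NoDecode"):
        print(setting, encoded_slash_decision(target, setting))
```

The practical point of the model: with "On", the backend and any path-based WAF rule or exception see the decoded path with real slashes, which changes what path matching operates on; "NoDecode" lets the request through while keeping %2F literal, so the backend decides what the segment means. Which of the two the UTM's Apache build accepts is something to verify with its configtest, not assume.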
Hoi Onno and welcome to the UTM Community!
Thanks for joining us - it's very rare that a first post here is a solution to a problem.
The OP was running in Docker. Is your solution one that will allow WAF to work well with apps in Docker?
Hi there,
No, it doesn't work. Or I did something wrong.
Here are some screenshots:
Hi Stefan,
The image of the Exception is not legible. Instead of the screencap of the code, please copy and paste the text.