utm 9 reverse proxy configuration

I have the same problem with my installation. Reverse Proxy for login in and file exchange works fine, but i can not open or edit files with collabora. Every time i try to open a file i get a white screen but the document is not opened.

I think ssl is also on my side not a problem. But i think the utm has a problem with the different names - cloud.... for my nextcloud installation and office.... for the collabora installation. Do you think this is possible?

Here are some logfile entrys:

2017:06:25-22:47:07 remote httpd[31268]: [core:notice] [pid 31268:tid 3995577200] [client 91.17.50.163:59112] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../7_ocukbswiqfwn, returning 404

2017:06:25-22:47:07 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="373" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="1568" url="/lool/cloud.server.com/.../7_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVAhS6wUYAEAAHokKKgAAACm"

2017:06:25-22:47:08 remote httpd[31268]: [core:notice] [pid 31268:tid 3978791792] [client 91.17.50.163:59113] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../7_ocukbswiqfwn, returning 404

2017:06:25-22:47:08 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="373" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="1620" url="/lool/cloud.server.com/.../7_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVAhTKwUYAEAAHokKKkAAACo"

Best regards

André

It seems,clear that it is objecting to the url because it contains %2f.

I think if you check adjacent log entries for one starting

"[Modsecurity:", that it will contain a sction of the form [id 123456]    Put that number into the rigid filter exception list.  Or turn off rigid filtering completely (which weakens security more.)

Hi Douglas,

i have been looking in the log with activated firewall profile. I found the 3 following ids and made exclusions - 950120, 960032, 981203. I was getting a warning...

"The list of skipped filter rules contains the following required infrastructure rules: 981203. Disabling a required infrastructure rule can lead to attacks not being blocked by the Web Application Firewall."

...and saved the settings.

But opening a document with collabora is also not working, see logs down below:

2017:06:26-22:36:56 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="1523" user="-" host="91.17.50.163" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" time="242458" url="/loleaflet/4f4593a/loleaflet.html" server="office.server.com" port="443" query="?WOPISrc=https%3A%2F%2Fcloud.server.com%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F262_ocukbswiqfwn&title=About.odt&lang=de-DE&closebutton=1&revisionhistory=1" referer="-" cookie="-" set-cookie="-" uid="WVFwaKwUYAEAAGXQps4AAAAH"

2017:06:26-22:36:56 remote httpd[26064]: [core:notice] [pid 26064:tid 4062718832] [client 91.17.50.163:52232] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../262_ocukbswiqfwn, returning 404

2017:06:26-22:36:56 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="375" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="3543" url="/lool/cloud.server.com/.../262_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVFwaKwUYAEAAGXQps8AAAAI"

2017:06:26-22:36:57 remote httpd[26064]: [core:notice] [pid 26064:tid 4054326128] [client 91.17.50.163:52233] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../262_ocukbswiqfwn, returning 404

2017:06:26-22:36:57 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="375" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="2975" url="/lool/cloud.server.com/.../262_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVFwaawUYAEAAGXQptAAAAAJ"

Is it possible that the utm has a problem with the redirection and the 2 different domain names? office.server.com + cloud.server.com

Any other idea?

Regards

André

Yes, it seems plausible that a url-within-a-url could cause UTM WAF to get confused.   Suggest you open a case with Sophos Support, if you have not done so already, as it is the only way to get bugs documented and fixed.

yes. seem to be a bug. i opend a support ticket and refered to this thread.

Case 8145469

André and Stefan, what happens if you select 'Pass host header' in the Virtual Server?

Cheers - Bob

Hey Bob,

in my configuration the option "Pass host header" has always been checked. Last time i tested is more than 8 weeks ago and my VM with nextcloud is not running at the moment. I think the certificates are already expired.

Regards André

Andre Winkler said:

Hey Bob,

in my configuration the option "Pass host header" has always been checked. Last time i tested is more than 8 weeks ago and my VM with nextcloud is not running at the moment. I think the certificates are already expired.

Regards André

 

Same here. But i tested with this option and wihout. no change. but without this option i don't see the taskbar from Collabora. So the option should be checked. that is important.

Hi,

In case you're talking about the error "AH00026: found %2f (encoded '/') in ... returning 404": That's because Apache by default won't allow this. The solution is to add "AllowEncodedSlashes On" within the vhost config of reverseproxy.conf ; However, this can only done manually. But as soon as you make a change in the GUI, it's overwritten.

Sophos had this feature implemented (according to support) in NUTM-2373, but the removed it again because it was leading to "other issues". The manual change was provided as workaround.

Because I can't ask my customers to call me everytime they make a change in the GUI so I can update the reverseproxy.conf, and I wanted to create a way so my customers can "add" it them self, I've updated the script which (re)starts the reverseproxy service:

=== START PATCH
<M> fw:/var/mdw/scripts # diff -Nura reverseproxy.orig reverseproxy
--- reverseproxy    2018-07-06 11:38:01.464266168 +0200
+++ reverseproxy.new    2018-07-06 13:47:37.722784507 +0200
@@ -35,7 +35,20 @@
     ${APACHE2CTL_LOG}
 }
 
+apache_allowslashes() {
+    grep -q 'PATH "/AllowEncodedSlashes/"' ${CHROOT}/usr/apache/conf/reverseproxy.conf
+    MYRESULT=$?
+
+    if [ ${MYRESULT} -eq 0 ]; then
+        echo "AllowEncodedSlashes found - fixing" | log
+        sed -i 's|WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus|AllowEncodedSlashes On|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf
+    else
+        echo "AllowEncodedSlashes not found - skipping" | log
+    fi
+}
+
 apache_conftest() {
+    apache_allowslashes
     chroot ${CHROOT} ${APACHE2CTL} configtest 2>&1 | log
     if [ $? -ne 0 ]; then
         return 1

=== END PATCH

This way, the only thing my customer has to do when I wants 'AllowEncodedSlashes On' enabled for a virtual server, is create an exception under "Webserver Protection" > Firewall Policies > [Exceptions]. The param of the exception needs to be excluding anti-virus for the path /AllowEncodedSlashes/

That's all! Works like a charm. Only thing to keep in mind is when you update the appliance, you need to check if the start script has been changed and if so, re-apply the patch. And I added the hook right before the actual config test, so when (in any strange way) my hook renders the config invalid, it keeps working because the reload/restart won't be executed.

I hope this is of some help to anyone.

Cheers,
Onno.

Hoi Onno and welcome to the UTM Community!

Thanks for joining us - it's very rare that a first post here is a solution to a problem.

The OP was running in Docker.  Is your solution one that will allow WAF to work well with apps in Docker?

Cheers - Bob

Hi there,

no. Doesn't work. or i did something wrong.

Here are some screenshots:

Hi Stefan,

The image of the Exception is not legible.  Instead of the screencap of the code, please copy and paste the text.

Cheers - Bob

Hi Stefan,

The image of the Exception is not legible.  Instead of the screencap of the code, please copy and paste the text.

Cheers - Bob