
UTM 9 reverse proxy configuration

I want to use the UTM 9 Webserver Protection reverse proxy (virtual webserver) to protect my Nextcloud installation.

I have Nextcloud with Collabora running in Docker, and I can't get Collabora working. I imported the Let's Encrypt certificates into the UTM, so SSL is not the problem. Does someone have an idea of how to modify the reverse proxy on the UTM to get it working with Collabora?



  • I have the same problem with my installation. The reverse proxy works fine for logging in and file exchange, but I cannot open or edit files with Collabora. Every time I try to open a file I get a white screen, but the document is not opened.

    I think SSL is not the problem on my side either. But I think the UTM has a problem with the different names: cloud.... for my Nextcloud installation and office.... for the Collabora installation. Do you think this is possible?

    Here are some log file entries:

    2017:06:25-22:47:07 remote httpd[31268]: [core:notice] [pid 31268:tid 3995577200] [client 91.17.50.163:59112] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../7_ocukbswiqfwn, returning 404


    2017:06:25-22:47:07 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="373" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="1568" url="/lool/cloud.server.com/.../7_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVAhS6wUYAEAAHokKKgAAACm"


    2017:06:25-22:47:08 remote httpd[31268]: [core:notice] [pid 31268:tid 3978791792] [client 91.17.50.163:59113] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../7_ocukbswiqfwn, returning 404


    2017:06:25-22:47:08 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="373" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="1620" url="/lool/cloud.server.com/.../7_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVAhTKwUYAEAAHokKKkAAACo"

     

    Best regards

    André

  • It seems clear that it is objecting to the URL because it contains %2f.

    I think if you check adjacent log entries for one starting

    "[Modsecurity:", it will contain a section of the form [id 123456]. Put that number into the rigid filter exception list. Or turn off rigid filtering completely (which weakens security more).

  • Yes, it seems to be a bug. I opened a support ticket and referred to this thread.

    Case 8145469

     

  • André and Stefan, what happens if you select 'Pass host header' in the Virtual Server?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob,

    In my configuration the option "Pass host header" has always been checked. The last time I tested was more than 8 weeks ago, and my VM with Nextcloud is not running at the moment. I think the certificates have already expired.

    Regards André

  • Andre Winkler said:

    Hey Bob,

    In my configuration the option "Pass host header" has always been checked. The last time I tested was more than 8 weeks ago, and my VM with Nextcloud is not running at the moment. I think the certificates have already expired.

    Regards André

    Same here. I tested with this option and without; no change. But without this option I don't see the toolbar from Collabora, so the option should be checked. That is important.

  • Hi,

    In case you're talking about the error "AH00026: found %2f (encoded '/') in ... returning 404": that's because Apache by default won't allow this. The solution is to add "AllowEncodedSlashes On" within the vhost config in reverseproxy.conf; however, this can only be done manually, and as soon as you make a change in the GUI, it's overwritten.

    Sophos had this feature implemented (according to support) in NUTM-2373, but they removed it again because it was leading to "other issues". The manual change was provided as a workaround.

    Because I can't ask my customers to call me every time they make a change in the GUI so I can update reverseproxy.conf, and I wanted to create a way for my customers to "add" it themselves, I've updated the script which (re)starts the reverseproxy service:

    === START PATCH
    <M> fw:/var/mdw/scripts # diff -Nura reverseproxy.orig reverseproxy
    --- reverseproxy    2018-07-06 11:38:01.464266168 +0200
    +++ reverseproxy.new    2018-07-06 13:47:37.722784507 +0200
    @@ -35,7 +35,20 @@
         ${APACHE2CTL_LOG}
     }
     
    +apache_allowslashes() {
    +    grep -q 'PATH "/AllowEncodedSlashes/"' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    +    MYRESULT=$?
    +
    +    if [ ${MYRESULT} -eq 0 ]; then
    +        echo "AllowEncodedSlashes found - fixing" | log
    +        sed -i 's|WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus|AllowEncodedSlashes On|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    +    else
    +        echo "AllowEncodedSlashes not found - skipping" | log
    +    fi
    +}
    +
     apache_conftest() {
    +    apache_allowslashes
         chroot ${CHROOT} ${APACHE2CTL} configtest 2>&1 | log
         if [ $? -ne 0 ]; then
             return 1
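    Review bot: the grep and the sed in apache_allowslashes match different things, so the "found - fixing" log line can be wrong. grep only needs `PATH "/AllowEncodedSlashes/"` anywhere in reverseproxy.conf, but the sed requires the full `WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus`; an exception line with a different or additional Skip option, or different spacing, is logged as fixed yet left untouched, and nothing re-checks the file afterwards. Suggest anchoring the sed on the marker path only, e.g. `s|WAFExceptions PATH "/AllowEncodedSlashes/".*|AllowEncodedSlashes On|`, and grepping for the marker again after the sed so the log states whether the substitution actually happened (returning non-zero from apache_conftest in that case would also stop the restart, matching the fail-safe intent described below the patch).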

    === END PATCH

    This way, the only thing my customer has to do when he wants 'AllowEncodedSlashes On' enabled for a virtual server is to create an exception under "Webserver Protection" > Firewall Policies > [Exceptions]. The exception needs to skip anti-virus for the path /AllowEncodedSlashes/.

    That's all! Works like a charm. The only thing to keep in mind is that when you update the appliance, you need to check whether the start script has been changed and, if so, re-apply the patch. And I added the hook right before the actual config test, so if (in some strange way) my hook renders the config invalid, it keeps working because the reload/restart won't be executed.

    I hope this is of some help to anyone.

    Cheers,
    Onno.
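A stand-alone version of the hook from the post above, added here as an example and not code from the thread or from Sophos. It runs the same grep/sed idea against a constructed reverseproxy.conf fragment so it can be tried offline: the marker path /AllowEncodedSlashes/ and the WAFExceptions line follow the thread, while the host names, backend addresses and file contents are made up for the demo. Two things differ from the posted patch on purpose: the sed anchors on the marker path only (so it still matches if the generated exception line carries other Skip options), and the file is re-checked after the substitution so the log line reports what actually happened. One caveat for anyone applying this: Apache also accepts `AllowEncodedSlashes NoDecode`, which lets `%2F` through without turning it into a real path separator and is the tighter setting where the UTM's Apache build supports it; the example keeps `On` to match the thread.

```sh
#!/bin/sh
# Added example, not code from the thread or from Sophos: a stand-alone
# version of the AllowEncodedSlashes hook, exercised on a constructed
# reverseproxy.conf fragment. The marker path /AllowEncodedSlashes/ and the
# WAFExceptions line follow the thread; host names and backend addresses
# below are made up for the demo.

# Write a constructed two-vhost config to FILE. Only the office vhost
# carries the marker exception created in the UTM GUI.
make_sample_conf() {
    cat > "$1" <<'EOF'
<VirtualHost 172.20.96.1:443>
    ServerName office.server.com
    WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus
    ProxyPass / http://172.20.96.10:9980/
</VirtualHost>
<VirtualHost 172.20.96.1:443>
    ServerName cloud.server.com
    ProxyPass / http://172.20.96.11:80/
</VirtualHost>
EOF
}

# Replace the marker exception with "AllowEncodedSlashes On" in place, so
# the directive lands inside the same vhost. The sed anchors on the marker
# path only, so the line is rewritten whatever Skip* options follow it, and
# the file is re-checked afterwards. Returns 1 if the marker survived.
allow_encoded_slashes_fix() {
    conf="$1"
    if ! grep -q 'PATH "/AllowEncodedSlashes/"' "$conf"; then
        echo "AllowEncodedSlashes not found - skipping"
        return 0
    fi
    sed 's|^\([[:space:]]*\)WAFExceptions PATH "/AllowEncodedSlashes/".*$|\1AllowEncodedSlashes On|' \
        "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    if grep -q 'PATH "/AllowEncodedSlashes/"' "$conf"; then
        echo "AllowEncodedSlashes marker still present - sed did not match"
        return 1
    fi
    echo "AllowEncodedSlashes found - fixing"
    return 0
}

# Number of vhosts now carrying the directive (used to verify the rewrite).
count_directive() {
    grep -c '^[[:space:]]*AllowEncodedSlashes On' "$1"
}

# Demo run on a temporary file.
tmp=$(mktemp)
make_sample_conf "$tmp"
allow_encoded_slashes_fix "$tmp"
cat "$tmp"
rm -f "$tmp"
```

On a UTM the function would be called with the real path used by the start script and the echo lines piped into its `log` helper; the sample config and temporary file exist only so the rewrite and its check can be seen without touching an appliance.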

  • Hoi Onno and welcome to the UTM Community!

    Thanks for joining us - it's very rare that a first post here is a solution to a problem.

    The OP was running in Docker.  Is your solution one that will allow WAF to work well with apps in Docker?

    Cheers - Bob

     
  • Hi there,

    No, it doesn't work. Or I did something wrong.

    Here are some screenshots:

  • Hi Stefan,

    The image of the Exception is not legible.  Instead of the screencap of the code, please copy and paste the text.

    Cheers - Bob

     
  • Hi Stefan,

    Hmm, interesting. Everything looks OK. What you could double-check in the reverseproxy.conf file is the specific vhost and whether it contains the line: WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus

    The virtual server of my customer also has RewriteHTML and RewriteCookies enabled, but I'm not sure if that makes any difference.
    Also, the init script logs to reverseproxy.log: when you grep for "AllowEncodedSlashes" you should at least see something like "AllowEncodedSlashes found - fixing" or "AllowEncodedSlashes not found - skipping". If not, it looks like the hook is not being triggered... somehow.

    KR,
    Onno.

  • Sorry, but is

    ${CHROOT}/usr/apache/conf/reverseproxy.conf

    correct?

    This file doesn't exist...

    In the logs I get a "not found" and then a "found - fixing".

    So it should work...
