utm 9 reverse proxy configuration

I want to use the UTM 9 Virtual Webserver Protection reverse proxy to protect my Nextcloud installation.

I have Nextcloud with Collabora running in Docker, and I can't get Collabora working. I imported the Let's Encrypt certificates to the UTM, so the SSL is not a problem. Has someone an idea on how to modify the reverse proxy on the UTM to get it working with Collabora?



  • I have the same problem with my installation. The reverse proxy for logging in and file exchange works fine, but I cannot open or edit files with Collabora. Every time I try to open a file I get a white screen, but the document is not opened.

    I think SSL is also not a problem on my side. But I think the UTM has a problem with the different names: cloud.... for my Nextcloud installation and office.... for the Collabora installation. Do you think this is possible?

    Here are some logfile entries:

    2017:06:25-22:47:07 remote httpd[31268]: [core:notice] [pid 31268:tid 3995577200] [client 91.17.50.163:59112] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../7_ocukbswiqfwn, returning 404

    2017:06:25-22:47:07 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="373" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="1568" url="/lool/cloud.server.com/.../7_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVAhS6wUYAEAAHokKKgAAACm"

    2017:06:25-22:47:08 remote httpd[31268]: [core:notice] [pid 31268:tid 3978791792] [client 91.17.50.163:59113] AH00026: found %2f (encoded '/') in URI (decoded='/lool/cloud.server.com/.../7_ocukbswiqfwn, returning 404

    2017:06:25-22:47:08 remote httpd: id="0299" srcip="91.17.50.163" localip="172.20.96.1" size="373" user="-" host="91.17.50.163" method="GET" statuscode="404" reason="-" extra="-" exceptions="-" time="1620" url="/lool/cloud.server.com/.../7_ocukbswiqfwn server="office.server.com" port="443" query="" referer="-" cookie="-" set-cookie="-" uid="WVAhTKwUYAEAAHokKKkAAACo"

    Best regards

    André

  • It seems clear that it is objecting to the URL because it contains %2f.

    I think if you check adjacent log entries for one starting "[Modsecurity:", it will contain a section of the form [id 123456]. Put that number into the rigid filter exception list, or turn off rigid filtering completely (which weakens security more).

  • Andre Winkler said:

    Hey Bob,

    In my configuration the option "Pass host header" has always been checked. The last time I tested was more than 8 weeks ago, and my VM with Nextcloud is not running at the moment. I think the certificates have already expired.

    Regards André

     

     

    Same here. But I tested with this option and without; no change. But without this option I don't see the taskbar from Collabora. So the option should be checked; that is important.

  • Hi,

    In case you're talking about the error "AH00026: found %2f (encoded '/') in ... returning 404": that's because Apache by default won't allow this. The solution is to add "AllowEncodedSlashes On" within the vhost config of reverseproxy.conf; however, this can only be done manually, and as soon as you make a change in the GUI, it's overwritten.

    Sophos had this feature implemented (according to support) in NUTM-2373, but they removed it again because it was leading to "other issues". The manual change was provided as a workaround.

    Because I can't ask my customers to call me every time they make a change in the GUI so I can update the reverseproxy.conf, and I wanted to create a way for my customers to "add" it themselves, I've updated the script which (re)starts the reverseproxy service:

    === START PATCH
    <M> fw:/var/mdw/scripts # diff -Nura reverseproxy.orig reverseproxy
    --- reverseproxy    2018-07-06 11:38:01.464266168 +0200
    +++ reverseproxy.new    2018-07-06 13:47:37.722784507 +0200
    @@ -35,7 +35,20 @@
         ${APACHE2CTL_LOG}
     }
     
    +apache_allowslashes() {
    +    grep -q 'PATH "/AllowEncodedSlashes/"' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    +    MYRESULT=$?
    +
    +    if [ ${MYRESULT} -eq 0 ]; then
    +        echo "AllowEncodedSlashes found - fixing" | log
    +        sed -i 's|WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus|AllowEncodedSlashes On|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    +    else
    +        echo "AllowEncodedSlashes not found - skipping" | log
    +    fi
    +}
    +
     apache_conftest() {
    +    apache_allowslashes
         chroot ${CHROOT} ${APACHE2CTL} configtest 2>&1 | log
         if [ $? -ne 0 ]; then
             return 1

    === END PATCH

    This way, the only thing my customer has to do when they want 'AllowEncodedSlashes On' enabled for a virtual server is create an exception under "Webserver Protection" > Firewall Policies > [Exceptions]. The parameter of the exception needs to be skipping anti-virus for the path /AllowEncodedSlashes/.

    That's all! Works like a charm. The only thing to keep in mind is that when you update the appliance, you need to check if the start script has been changed and, if so, re-apply the patch. And I added the hook right before the actual config test, so if (in any strange way) my hook renders the config invalid, it keeps working because the reload/restart won't be executed.

    I hope this is of some help to anyone.

    Cheers,
    Onno.

  • Hoi Onno and welcome to the UTM Community!

    Thanks for joining us - it's very rare that a first post here is a solution to a problem.

    The OP was running in Docker.  Is your solution one that will allow WAF to work well with apps in Docker?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi there,

    No. Doesn't work. Or I did something wrong.

    Here are some screenshots:

     

  • Hi Stefan,

    The image of the Exception is not legible.  Instead of the screencap of the code, please copy and paste the text.

    Cheers - Bob

     
  • Hi Stefan,

    Hmm interesting. Everything looks OK. What you could double check, in the reverseproxy.conf file, is the specific vhost and if it contains the line: WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus

    The virtual server of my customer has also enabled the RewriteHTML and RewriteCookies, but I'm not sure if that makes any difference.
    Also, the init script logs to reverseproxy.log: when you grep for "AllowEncodedSlashes" you should at least see something like "AllowEncodedSlashes found - fixing" or "AllowEncodedSlashes not found - skipping". If not, it looks like the hook is not being triggered somehow.

    KR,
    Onno.

  • Sorry, but is

    ${CHROOT}/usr/apache/conf/reverseproxy.conf

    correct?

    This file doesn't exist...

    In the logs I get a "not found" then a "found - Fixing".

    So it should work...

  • Your patch resolved the AH00026 error for me. Tx. I had to change the argument after AllowEncodedSlashes from On to NoDecode to resolve a follow-up issue with ID 973338, but otherwise fine.

    The GUI from Collabora Online (CODE) now loads but the document is still not parsed.

    In the reverseproxy.log there are two similar lines with statuscode 500:

    2019:09:11-16:44:44 fw-2 httpd: id="0299" srcip="my.client.ip" localip="my.server.ip" size="620" user="-" host="my.client.ip" method="GET" statuscode="500" reason="-" extra="-" exceptions="-" time="14333" url="/lool/https:/my.NC.FQDN/nextcloud/index.php/apps/richdocuments/wopi/files/222626_oczvwerl8jzj?access_token=VD0rd2gwyuliLG0bTGgORabtIWhOZaom&access_token_ttl=0&permission=edit/ws" server="my.CODE.FQDN" port="443" query="?WOPISrc=https%3A%2F%2Fmy.NC.FQDN%2Fnextcloud%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F222626_oczvwerl8jzj&compat=/ws" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="vkcUi9RgZ7CKJvxYw1oscg==" websocket_version="13" uid="XXkIXMCoAv4AAEl0RvsAAAB2"

     

    No other errors in the log. Looks like WAF is not playing nice with WebSockets :-(

    https://ideas.sophos.com/forums/17359-sg-utm/suggestions/4849021-websocket-support-for-waf points to several issues and mixed results with the new feature in UTM 9.6

    Suggestions welcome.

  • Onno vdL said:

    Because I can't ask my customers to call me everytime they make a change in the GUI so I can update the reverseproxy.conf, and I wanted to create a way so my customers can "add" it them self, I've updated the script which (re)starts the reverseproxy service:

    === START PATCH
    <M> fw:/var/mdw/scripts # diff -Nura reverseproxy.orig reverseproxy
    --- reverseproxy    2018-07-06 11:38:01.464266168 +0200
    +++ reverseproxy.new    2018-07-06 13:47:37.722784507 +0200
    @@ -35,7 +35,20 @@
         ${APACHE2CTL_LOG}
     }
     
    +apache_allowslashes() {
    +    grep -q 'PATH "/AllowEncodedSlashes/"' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    +    MYRESULT=$?
    +
    +    if [ ${MYRESULT} -eq 0 ]; then
    +        echo "AllowEncodedSlashes found - fixing" | log
    +        sed -i 's|WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus|AllowEncodedSlashes On|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    +    else
    +        echo "AllowEncodedSlashes not found - skipping" | log
    +    fi
    +}
    +
     apache_conftest() {
    +    apache_allowslashes
         chroot ${CHROOT} ${APACHE2CTL} configtest 2>&1 | log
         if [ $? -ne 0 ]; then
             return 1
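    Review bot: the directive this hook emits is `AllowEncodedSlashes On`, which makes Apache decode %2F into a real slash before the request is matched against Location blocks and proxied, so an encoded slash supplied by the client can change which path the proxy thinks it is serving. A later reply in this thread changed the argument to `NoDecode`, which still lifts the AH00026 404 but forwards the slash undecoded to the backend; that is the narrower setting and should be the default in the sed replacement, with `On` reserved for a backend that is known to need decoded paths.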

    === END PATCH

    I know this is a pretty old thread, so apologies in advance. How does one best use the provided script? I can see it makes a small change to the /var/mdw/scripts/reverseproxy file. I could make this change manually (since it's quite nicely written out what's added), but I'm a little bit unsure about making changes to the Sophos UTM files like that.

  • Here is a summary and extension of Onno vdL's patch, for a better understanding. It allows configuring not only AllowEncodedSlashes On but also ProxyPass nocanon, to proxy services like GitLab through the Sophos UTM.

    Edit reverseproxy script:

    fw:/var/mdw/scripts # diff -Nura reverseproxy.orig reverseproxy
    --- reverseproxy.orig 2020-04-28 20:28:39.536059392 +0200
    +++ reverseproxy 2020-04-28 15:39:37.171411346 +0200
    @@ -35,7 +35,34 @@
    ${APACHE2CTL_LOG}
    }

    +apache_allowslashes() {
    + grep -q 'PATH "/AllowEncodedSlashes/"' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    + MYRESULT=$?
    +
    + if [ ${MYRESULT} -eq 0 ]; then
    + echo "AllowEncodedSlashes found - fixing" | log
    + sed -i 's|WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus|AllowEncodedSlashes On|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    + else
    + echo "AllowEncodedSlashes not found - skipping" | log
    + fi
    +}
    +
    +apache_nocanon() {
    + grep -q '/ProxyPassNocanon/' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    + MYRESULT=$?
    +
    + if [ ${MYRESULT} -eq 0 ]; then
    + echo "ProxyPassNocanon found - fixing" | log
    + sed -i 's|/ProxyPassNocanon/" lbmethod|/" nocanon lbmethod|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    + sed -i 's|/ProxyPassNocanon/|/|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    + else
    + echo "ProxyPassNocanon not found - skipping" | log
    + fi
    +}
    +
    apache_conftest() {
    + apache_allowslashes
    + apache_nocanon
    chroot ${CHROOT} ${APACHE2CTL} configtest 2>&1 | log
    if [ $? -ne 0 ]; then
    return 1
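    Review bot: apache_nocanon can strip the marker without ever adding `nocanon`. The first sed only matches `/ProxyPassNocanon/" lbmethod`, a ProxyPass line where the marker is directly followed by `" lbmethod`; the second sed then rewrites every remaining `/ProxyPassNocanon/` to `/` unconditionally. If the generated ProxyPass line has any other shape, the hook logs "ProxyPassNocanon found - fixing", the marker vanishes from the Location and path entries, and the site path route goes live as a plain `/` route without nocanon, which is the silent failure the marker approach is meant to prevent. Check that the first sed produced a line containing `nocanon` before running the second, return 1 otherwise, and call the hook as `apache_nocanon || return 1` in apache_conftest so configtest and the reload are skipped. Worth stating in the post as well: `nocanon` tells mod_proxy to hand the URL path to the backend without canonicalising it, so the proxied service (GitLab in this case) becomes solely responsible for handling `..` segments and encoded characters in that path.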

    Add Firewall Profile Exception for virtual webserver:

    Edit default Site Path Routing entry for virtual webserver:
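As an added example (not the script posted by Onno vdL, not the extension above, and not Sophos code), here is the hook logic of both patches in one POSIX shell script with the checks a practitioner would want: it only reports a fix after confirming the marker line was actually rewritten, it emits AllowEncodedSlashes NoDecode as the later reply ended up using, and it refuses to strip the ProxyPassNocanon marker unless the nocanon flag was really attached to a ProxyPass line. The marker strings, directive names and the `lbmethod` fragment are those quoted in the two patches; the `log` helper and the sample reverseproxy.conf (vhost layout, balancer names, the git.example.com host) are constructed assumptions, since the real file is generated by the UTM and not shown in the thread.

```shell
#!/bin/sh
# Added example, not code from this thread or from Sophos: marker-rewrite hooks
# for the UTM's generated reverseproxy.conf, with verification. A WAF exception
# for the path /AllowEncodedSlashes/ and a site path route /ProxyPassNocanon/
# created in WebAdmin leave marker strings in the config (strings as quoted in
# the posted patches); each hook turns its marker into the Apache directive the
# GUI cannot express and only reports success once the rewrite is complete.

# Stand-in for the init script's log helper (assumption; the real one is not shown).
log() { cat >&2; }

# rewrite_marker CONF NAME PATTERN REPLACEMENT
#   PATTERN/REPLACEMENT are sed BRE fragments using '|' as the delimiter.
#   Returns 0 when the marker was absent or has been fully rewritten,
#   1 when the marker is still present after the rewrite.
rewrite_marker() {
    conf="$1" name="$2" pat="$3" rep="$4"
    if ! grep -q -- "$pat" "$conf"; then
        echo "$name not found - skipping" | log
        return 0
    fi
    sed "s|$pat|$rep|g" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    if grep -q -- "$pat" "$conf"; then
        echo "$name found but NOT fully fixed - check reverseproxy.conf" | log
        return 1
    fi
    echo "$name found - fixed" | log
    return 0
}

# AllowEncodedSlashes NoDecode (the argument a later reply ended up using)
# accepts %2F but forwards it undecoded, so it never becomes a path
# separator on the proxy itself.
apache_allowslashes() {
    rewrite_marker "$1" "AllowEncodedSlashes" \
        'WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus' \
        'AllowEncodedSlashes NoDecode'
}

# Attach "nocanon" to the ProxyPass line carrying the marker, then strip the
# marker from the other lines (Location etc.). Refuse if there is no ProxyPass
# line to attach it to, so the route never goes live without the flag.
apache_nocanon() {
    conf="$1"
    if ! grep -q '/ProxyPassNocanon/' "$conf"; then
        echo "ProxyPassNocanon not found - skipping" | log
        return 0
    fi
    if ! grep -q '/ProxyPassNocanon/" lbmethod' "$conf"; then
        echo "ProxyPassNocanon marker present but no matching ProxyPass line - leaving config untouched" | log
        return 1
    fi
    rewrite_marker "$conf" "ProxyPassNocanon" \
        '/ProxyPassNocanon/" lbmethod' '/" nocanon lbmethod' || return 1
    rewrite_marker "$conf" "ProxyPassNocanon marker" '/ProxyPassNocanon/' '/'
}

# demo: runs both hooks over a constructed reverseproxy.conf (vhost layout and
# balancer names are invented) and prints the rewritten directive lines.
demo() {
    tmp="$(mktemp)"
    cat > "$tmp" <<'EOF'
<VirtualHost 172.20.96.1:443>
    ServerName office.server.com
    WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus
    ProxyPass "/" "balancer://ref_office/" lbmethod=byrequests
</VirtualHost>
<VirtualHost 172.20.96.1:443>
    ServerName git.example.com
    <Location /ProxyPassNocanon/>
    </Location>
    ProxyPass "/ProxyPassNocanon/" "balancer://ref_git/ProxyPassNocanon/" lbmethod=byrequests
</VirtualHost>
EOF
    apache_allowslashes "$tmp" && apache_nocanon "$tmp" \
        && grep -E 'AllowEncodedSlashes|nocanon|Location' "$tmp"
    rm -f "$tmp"
}

demo
```

On a UTM the two hooks would be called from apache_conftest as `apache_allowslashes || return 1` and `apache_nocanon || return 1`, so an unverified rewrite stops the configtest and the reload instead of going live. The nocanon caveat stands either way: with that flag mod_proxy forwards the path uncanonicalised, so the proxied service (GitLab in the extension's case) must cope with `..` segments and encoded characters on its own.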
