UTM 9 reverse proxy configuration

I want to use the UTM 9 virtual webserver protection reverse proxy to protect my Nextcloud installation.

I have Nextcloud with Collabora running in Docker, and I can't get Collabora working. I imported the Let's Encrypt certificates to the UTM, so SSL is not a problem. Does someone have an idea on how to modify the reverse proxy on the UTM to get it working with Collabora?

  • Andre Winkler said:

    Hey Bob,

    In my configuration the option "Pass host header" has always been checked. The last time I tested was more than 8 weeks ago, and my VM with Nextcloud is not running at the moment. I think the certificates have already expired.

    Regards André

    Same here. But I tested with this option and without: no change. But without this option I don't see the taskbar from Collabora. So the option should be checked; that is important.

  • Hi,

    In case you're talking about the error "AH00026: found %2f (encoded '/') in ... returning 404": that's because Apache by default won't allow this. The solution is to add "AllowEncodedSlashes On" within the vhost config of reverseproxy.conf; however, this can only be done manually, and as soon as you make a change in the GUI, it's overwritten.

    Sophos had this feature implemented (according to support) in NUTM-2373, but they removed it again because it was leading to "other issues". The manual change was provided as a workaround.

    Because I can't ask my customers to call me every time they make a change in the GUI so I can update the reverseproxy.conf, and I wanted to create a way for my customers to "add" it themselves, I've updated the script which (re)starts the reverseproxy service:

    === START PATCH
    <M> fw:/var/mdw/scripts # diff -Nura reverseproxy.orig reverseproxy
    --- reverseproxy    2018-07-06 11:38:01.464266168 +0200
    +++ reverseproxy.new    2018-07-06 13:47:37.722784507 +0200
    @@ -35,7 +35,20 @@
         ${APACHE2CTL_LOG}
     }
     
    +apache_allowslashes() {
    +    grep -q 'PATH "/AllowEncodedSlashes/"' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    +    MYRESULT=$?
    +
    +    if [ ${MYRESULT} -eq 0 ]; then
    +        echo "AllowEncodedSlashes found - fixing" | log
    +        sed -i 's|WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus|AllowEncodedSlashes On|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    +    else
    +        echo "AllowEncodedSlashes not found - skipping" | log
    +    fi
    +}
    +
     apache_conftest() {
    +    apache_allowslashes
         chroot ${CHROOT} ${APACHE2CTL} configtest 2>&1 | log
         if [ $? -ne 0 ]; then
             return 1
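    Review bot: the guard and the rewrite in apache_allowslashes test different things. `grep -q 'PATH "/AllowEncodedSlashes/"'` matches any exception line containing that path, but the `sed` only replaces the exact string `WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus`; if the generated exception carries any other skip option or a different order, the hook logs "found - fixing", leaves the config untouched, and the following configtest passes with AllowEncodedSlashes still at its default. Suggest having grep and sed use the same full-line pattern, or re-grepping for `AllowEncodedSlashes On` after the sed and logging a failure when it is absent. Two smaller points: `MYRESULT=$?` plus the test collapses to `if grep -q ...; then`, and the `---`/`+++` headers name `reverseproxy` and `reverseproxy.new` while the command line diffs `reverseproxy.orig` against `reverseproxy`, so anyone applying this with patch(1) should check which file it targets.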

    === END PATCH

    This way, the only thing my customer has to do when they want 'AllowEncodedSlashes On' enabled for a virtual server is create an exception under "Webserver Protection" > Firewall Policies > [Exceptions]. The exception needs to skip anti-virus for the path /AllowEncodedSlashes/.

    That's all! Works like a charm. The only thing to keep in mind is that when you update the appliance, you need to check if the start script has been changed and, if so, re-apply the patch. And I added the hook right before the actual config test, so if (in some strange way) my hook renders the config invalid, it keeps working because the reload/restart won't be executed.

    I hope this is of some help to anyone.

    Cheers,
    Onno.
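
To make the AH00026 behaviour discussed in this post concrete, here is an added example (not from the thread, Sophos or Collabora) that models Apache's three AllowEncodedSlashes settings on a constructed Collabora-style WOPI path; the hostname, the file id and the `backend_can_recover_wopisrc` check are assumptions for illustration. It goes one step beyond the post by also showing NoDecode, which keeps the embedded URL's %2F intact where On decodes it:

```python
import re
from urllib.parse import unquote

# Constructed WOPI-style request path, modelled on the kind of URL Collabora (CODE)
# sends through the reverse proxy: the Nextcloud document URL is embedded in the
# path with its slashes percent-encoded. Hostname and file id are placeholders.
WOPI_PATH = ("/lool/https%3A%2F%2Fnc.example.test%2Findex.php%2Fapps"
             "%2Frichdocuments%2Fwopi%2Ffiles%2F42/ws")

# Percent-escapes other than %2F (slash) and %5C (backslash), and the two slash escapes.
_NON_SLASH_ESCAPE = re.compile(r"%(?!2[fF]|5[cC])[0-9A-Fa-f]{2}")
_ENCODED_SLASH = re.compile(r"%(2[fF]|5[cC])")


def allow_encoded_slashes(path: str, mode: str):
    """Model how Apache's AllowEncodedSlashes directive treats a request path.

    Returns (status, path_after_unescaping); the second element is the path
    Apache continues with (and hands to ProxyPass):
      Off      -> 404 as soon as %2F or %5C appears in the path (AH00026)
      On       -> every escape is decoded, so %2F silently becomes "/"
      NoDecode -> the request is accepted and %2F / %5C stay encoded
    """
    mode = mode.lower()
    if mode == "off":
        if _ENCODED_SLASH.search(path):
            return 404, None
        return 200, unquote(path)
    if mode == "on":
        return 200, unquote(path)
    if mode == "nodecode":
        return 200, _NON_SLASH_ESCAPE.sub(lambda m: unquote(m.group(0)), path)
    raise ValueError(f"unknown AllowEncodedSlashes value: {mode!r}")


def backend_can_recover_wopisrc(path: str) -> bool:
    """Assumed backend check: the document URL between "/lool/" and "/ws" must
    still be a single path segment, i.e. contain no literal "/"."""
    inner = path[len("/lool/"):-len("/ws")]
    return "/" not in inner


if __name__ == "__main__":
    for mode in ("Off", "On", "NoDecode"):
        status, seen = allow_encoded_slashes(WOPI_PATH, mode)
        intact = seen is not None and backend_can_recover_wopisrc(seen)
        print(f"{mode:9}-> {status} intact={intact} {seen!r}")
```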

  • Hoi Onno and welcome to the UTM Community!

    Thanks for joining us - it's very rare that a first post here is a solution to a problem.

    The OP was running in Docker. Is your solution one that will allow WAF to work well with apps in Docker?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi there,


    No. Doesn't work. Or I did something wrong.

    Here are some screenshots:

  • Hi Stefan,

    The image of the Exception is not legible. Instead of the screencap of the code, please copy and paste the text.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Stefan,

    Hmm, interesting. Everything looks OK. What you could double-check, in the reverseproxy.conf file, is the specific vhost and whether it contains the line: WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus

    The virtual server of my customer also has RewriteHTML and RewriteCookies enabled, but I'm not sure if that makes any difference.
    Also, the init script logs to reverseproxy.log: when you grep for "AllowEncodedSlashes" you should at least see something like "AllowEncodedSlashes found - fixing" or "AllowEncodedSlashes not found - skipping". If not, it looks like the hook is not being triggered... somehow...

    KR,
    Onno.

  • Sorry, but is

    ${CHROOT}/usr/apache/conf/reverseproxy.conf

    correct?

    This file doesn't exist...

    In the logs I get a "not found" then a "found - Fixing".

    So it should work...

    Your patch resolved the AH00026 error for me. Tx. I had to change the argument after AllowEncodedSlashes from On to NoDecode to resolve a follow-up issue with ID 973338, but otherwise fine.

    The GUI from Collabora Online (CODE) now loads but the document is still not parsed.

    In the reverseproxy.log there are two similar lines with statuscode 500:

    2019:09:11-16:44:44 fw-2 httpd: id="0299" srcip="my.client.ip" localip="my.server.ip" size="620" user="-" host="my.client.ip" method="GET" statuscode="500" reason="-" extra="-" exceptions="-" time="14333" url="/lool/https:/my.NC.FQDN/nextcloud/index.php/apps/richdocuments/wopi/files/222626_oczvwerl8jzj?access_token=VD0rd2gwyuliLG0bTGgORabtIWhOZaom&access_token_ttl=0&permission=edit/ws" server="my.CODE.FQDN" port="443" query="?WOPISrc=https%3A%2F%2Fmy.NC.FQDN%2Fnextcloud%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F222626_oczvwerl8jzj&compat=/ws" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="vkcUi9RgZ7CKJvxYw1oscg==" websocket_version="13" uid="XXkIXMCoAv4AAEl0RvsAAAB2"


    No other errors in the log. Looks like WAF is not playing nice with WebSockets :-(

    https://ideas.sophos.com/forums/17359-sg-utm/suggestions/4849021-websocket-support-for-waf points to several issues and mixed results with the new feature in UTM 9.6.

    Suggestions welcome.
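
As an added example (not part of the post above), a small triage script for the key="value" layout of reverseproxy.log shown in that post: it picks out WebSocket handshakes that ended in a 5xx and tallies status codes per virtual server. The sample lines, hostnames, keys and uids are constructed placeholders, and the reading of websocket_key as the client's Sec-WebSocket-Key is inferred from the posted log line.

```python
import re
from collections import defaultdict

# Constructed sample of the UTM reverseproxy.log key="value" layout, abridged to
# the fields used here; addresses, hostnames, keys and uids are placeholders.
SAMPLE_LOG = """\
2019:09:11-16:44:40 fw-2 httpd: id="0299" srcip="198.51.100.10" method="GET" statuscode="200" time="812" url="/nextcloud/index.php/apps/richdocuments/" server="nc.example.test" port="443" query="" websocket_key="-" websocket_version="-" uid="UID-PLACEHOLDER-1"
2019:09:11-16:44:44 fw-2 httpd: id="0299" srcip="198.51.100.10" method="GET" statuscode="500" time="14333" url="/lool/https:/nc.example.test/index.php/apps/richdocuments/wopi/files/42/ws" server="code.example.test" port="443" query="?WOPISrc=https%3A%2F%2Fnc.example.test%2Findex.php%2Fapps%2Frichdocuments%2Fwopi%2Ffiles%2F42&compat=/ws" websocket_key="KEY-PLACEHOLDER==" websocket_version="13" uid="UID-PLACEHOLDER-2"
2019:09:11-16:44:46 fw-2 httpd: id="0299" srcip="198.51.100.10" method="GET" statuscode="500" time="120" url="/nextcloud/status.php" server="nc.example.test" port="443" query="" websocket_key="-" websocket_version="-" uid="UID-PLACEHOLDER-3"
"""

_PREFIX = re.compile(r"^(\S+) (\S+) httpd: ")
_KV = re.compile(r'(\w[\w-]*)="([^"]*)"')


def parse_line(line: str):
    """Split one reverseproxy.log line into a dict; None if it is not an httpd line."""
    m = _PREFIX.match(line)
    if not m:
        return None
    rec = {"timestamp": m.group(1), "device": m.group(2)}
    rec.update(_KV.findall(line))
    return rec


def is_websocket_handshake(rec: dict) -> bool:
    """Assumed from the posted log: websocket_key holds the client's
    Sec-WebSocket-Key and is "-" when the request was not an upgrade."""
    return rec.get("websocket_key", "-") != "-"


def triage(log_text: str):
    """WebSocket handshakes that ended in a 5xx: the pattern from the thread's log."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        code = rec.get("statuscode", "") if rec else ""
        if rec and is_websocket_handshake(rec) and code.isdigit() and int(code) >= 500:
            findings.append({k: rec.get(k, "-") for k in
                             ("timestamp", "uid", "server", "statuscode", "url")})
    return findings


def status_by_server(log_text: str):
    """Count status codes per virtual server to see which vhost is failing."""
    counts = defaultdict(lambda: defaultdict(int))
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        counts[rec.get("server", "-")][rec.get("statuscode", "-")] += 1
    return {server: dict(codes) for server, codes in counts.items()}
```

Feed the contents of the real reverseproxy.log to `triage()` and `status_by_server()`; a plain 500 on a non-WebSocket request (third sample line) is counted but not flagged, which separates backend errors from failed upgrades at the WAF.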

  • Onno vdL said:

    Because I can't ask my customers to call me every time they make a change in the GUI so I can update the reverseproxy.conf, and I wanted to create a way for my customers to "add" it themselves, I've updated the script which (re)starts the reverseproxy service:

    === START PATCH
    <M> fw:/var/mdw/scripts # diff -Nura reverseproxy.orig reverseproxy
    --- reverseproxy    2018-07-06 11:38:01.464266168 +0200
    +++ reverseproxy.new    2018-07-06 13:47:37.722784507 +0200
    @@ -35,7 +35,20 @@
         ${APACHE2CTL_LOG}
     }
     
    +apache_allowslashes() {
    +    grep -q 'PATH "/AllowEncodedSlashes/"' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    +    MYRESULT=$?
    +
    +    if [ ${MYRESULT} -eq 0 ]; then
    +        echo "AllowEncodedSlashes found - fixing" | log
    +        sed -i 's|WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus|AllowEncodedSlashes On|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    +    else
    +        echo "AllowEncodedSlashes not found - skipping" | log
    +    fi
    +}
    +
     apache_conftest() {
    +    apache_allowslashes
         chroot ${CHROOT} ${APACHE2CTL} configtest 2>&1 | log
         if [ $? -ne 0 ]; then
             return 1

    === END PATCH

    I know this is a pretty old thread, so apologies in advance. How does one best use the provided script? I can see it makes a small change to the /var/mdw/scripts/reverseproxy file. I could make this change manually (since it's quite nicely written out what's added), but I'm a little bit unsure about making changes to the Sophos UTM files like that.

  • Here is a summary and extension for a better understanding of Onno vdL's patch. It enables not only configuring AllowEncodedSlashes On, but also ProxyPass nocanon, to proxy services like GitLab through the Sophos UTM.

    Edit reverseproxy script:

    fw:/var/mdw/scripts # diff -Nura reverseproxy.orig reverseproxy
    --- reverseproxy.orig 2020-04-28 20:28:39.536059392 +0200
    +++ reverseproxy 2020-04-28 15:39:37.171411346 +0200
    @@ -35,7 +35,34 @@
    ${APACHE2CTL_LOG}
    }

    +apache_allowslashes() {
    + grep -q 'PATH "/AllowEncodedSlashes/"' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    + MYRESULT=$?
    +
    + if [ ${MYRESULT} -eq 0 ]; then
    + echo "AllowEncodedSlashes found - fixing" | log
    + sed -i 's|WAFExceptions PATH "/AllowEncodedSlashes/" SkipAntiVirus|AllowEncodedSlashes On|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    + else
    + echo "AllowEncodedSlashes not found - skipping" | log
    + fi
    +}
    +
    +apache_nocanon() {
    + grep -q '/ProxyPassNocanon/' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    + MYRESULT=$?
    +
    + if [ ${MYRESULT} -eq 0 ]; then
    + echo "ProxyPassNocanon found - fixing" | log
    + sed -i 's|/ProxyPassNocanon/" lbmethod|/" nocanon lbmethod|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    + sed -i 's|/ProxyPassNocanon/|/|g' ${CHROOT}/usr/apache/conf/reverseproxy.conf
    + else
    + echo "ProxyPassNocanon not found - skipping" | log
    + fi
    +}
    +
    apache_conftest() {
    + apache_allowslashes
    + apache_nocanon
    chroot ${CHROOT} ${APACHE2CTL} configtest 2>&1 | log
    if [ $? -ne 0 ]; then
    return 1
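    Review bot: the second sed in apache_nocanon, `s|/ProxyPassNocanon/|/|g`, rewrites every occurrence of the marker path in reverseproxy.conf, not just the ProxyPass line the first sed already handled. Any other directive generated from that path, including a WAFExceptions line if the firewall profile exception from the next step is scoped to /ProxyPassNocanon/, ends up with PATH "/" and therefore applies to the whole virtual server. Suggest limiting the second sed to the directives that are meant to carry the marker (for example anchoring on `ProxyPassReverse "/ProxyPassNocanon/"`) and grepping the result for a widened exception before configtest runs. It would also help readers if the post stated what `nocanon` does: per Apache's mod_proxy documentation the URL path is passed raw to the backend, which removes the proxy's normal canonicalization protection, so GitLab has to handle encoded paths itself. Same style nit as in the original hook: `MYRESULT=$?` followed by `if [ ${MYRESULT} -eq 0 ]` can be `if grep -q ...; then`.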

    Add Firewall Profile Exception for virtual webserver:

    Edit default Site Path Routing entry for virtual webserver: