
Jitsi Meet with WAF

Hello,

Has anyone ever got a Jitsi Meet server running behind a Sophos via the WAF?

Of course I could forward the ports directly, but then Exchange and the other services would no longer be reachable through the HTTPS WAF.

Does anyone perhaps have a tip for me?

Regards, Frank

  • Hi,

    Thank you for reaching out to the Community! 

    Check out the following troubleshooting document for WAF and see if that helps you identify the issue. 

    Thanks,

    Harsh Patel (H_Patel)

    Community Support Engineer | Sophos Technical Support

  • Hi H_Patel,

    The WAF works with 3 web servers behind the Sophos SG.

    But I can't reach the Jitsi Meet server behind the Sophos SG via the WAF.

    If I disable the WAF and do some NAT with ports 80, 443 and 10000 it works, but not with the WAF.

    I need to get this working.

    With the WAF I get this error:

    Proxy Error

    The proxy server received an invalid response from an upstream server.
    The proxy server could not handle the request GET /.

    Reason: Error reading from remote server

    Regards,

    Frank

  • Hello Frank,

    Welcome to the Community!

    (Sorry, my German-speaking brain isn't creating thoughts at the moment.)

    Please show about 50 related lines from the Web Application Firewall log.

    Kind regards - Bob (Please continue in German.)

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob,

    This is what I get in the log.

    2020:10:25-16:34:33 gateway httpd[32399]: [proxy_http:error] [pid 32399:tid 3951938416] (70014)End of file found: [client 109.42.3.49:1313] AH01102: error reading status line from remote server JITSI_Internal_IP:443
    2020:10:25-16:34:33 gateway httpd[32399]: [proxy:error] [pid 32399:tid 3951938416] [client 109.42.3.49:1313] AH00898: Error reading from remote server returned by /
    2020:10:25-16:34:33 gateway httpd: id="0299" srcip="109.42.3.49" localip="WAN_IP" size="379" user="-" host="109.42.3.49" method="GET" statuscode="502" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken, SkipCookieSigning, SkipThreatsFilter" time="13423" url="/" server="meet.myhost.net" port="443" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X5WbCTLoppOChxHZZUspMwAAAKs"
    2020:10:25-16:34:35 gateway httpd[32399]: [proxy_http:error] [pid 32399:tid 3951938416] (70014)End of file found: [client 109.42.3.49:1313] AH01102: error reading status line from remote server JITSI_Internal_IP:443, referer: https://meet.myhost.net/
    2020:10:25-16:34:35 gateway httpd: id="0299" srcip="109.42.3.49" localip="WAN_IP" size="0" user="-" host="109.42.3.49" method="GET" statuscode="200" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken, SkipCookieSigning, SkipThreatsFilter" time="12671" url="/favicon.ico" server="meet.myhost.net" port="80" query="" referer="https://meet.myhost.net/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X5WbCzLoppOChxHZZUspNAAAAKs"
    2020:10:25-16:34:35 gateway httpd[32399]: [proxy_http:error] [pid 32399:tid 4061043568] (70014)End of file found: [client 109.42.3.49:10196] AH01102: error reading status line from remote server JITSI_Internal_IP:443, referer: https://meet.myhost.net/
    2020:10:25-16:34:35 gateway httpd[32399]: [proxy:error] [pid 32399:tid 4061043568] [client 109.42.3.49:10196] AH00898: Error reading from remote server returned by /favicon.ico, referer: https://meet.myhost.net/
    2020:10:25-16:34:35 gateway httpd: id="0299" srcip="109.42.3.49" localip="WAN_IP" size="401" user="-" host="109.42.3.49" method="GET" statuscode="502" reason="-" extra="-" exceptions="SkipBlacklistDNSRBL, SkipBlacklistGeoIP, SkipAntiVirus, SkipTFT, SkipURLHardening, SkipFormHardening, SkipFormHardeningMissingToken, SkipCookieSigning, SkipThreatsFilter" time="12732" url="/favicon.ico" server="meet.myhost.net" port="443" query="" referer="https://meet.myhost.net/" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X5WbCzLoppOChxHZZUspNQAAAJ4"
    2020:10:25-16:34:37 gateway httpd: id="0299" srcip="109.42.3.49" localip="WAN_IP" size="29" user="-" host="109.42.3.49" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" time="5060770" url="/Microsoft-Server-ActiveSync" server="mail.freaky-media.net" port="443" query="?Cmd=Ping&User=frank&DeviceId=SEC1037E3C4CCECF&DeviceType=SamsungDevice" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X5WbCDLoppOChxHZZUspMQAAALw"
    

  • You're right, that's not much more info than what you already said, Frank. Let's look at pictures of the Edits of the Virtual Server with 'Advanced' open and of the Firewall Profile.

    Kind regards - Bob (Please continue in German.)

  • Hi Bob,

    So here are some pics from the backend.

    Firewall profile all disabled, so no scan or check is done.

    I had this done with the other ports, 4443 - 

    By NAT, port 10000 is redirected to Jitsi Meet.

    Maybe this helps ..

    If you need any other information, get in touch.

    Best regards,

    Frank

  • The only thing I can see to try, Frank, is 'HTML umschreiben' (Rewrite HTML). If that doesn't work, then I would say that you've proven that Jitsi is not compatible with WAF.

    Kind regards - Bob (Please continue in German.)

  • Hi Bob,

    This is what I fear - every option I try ends in an error.

    Hope someone else has found a solution.

  • You'll have to have a DNAT rule for 10000/UDP from external to your Jitsi server. WAF with 80/TCP and 443/TCP should work at least for non-restricted clients.

    Is Jitsi configured to know internal/external address? Read https://jitsi.github.io/handbook/docs/devops-guide/devops-guide-quickstart#setup-and-configure-your-firewall

    The following extra lines need to be added to the file /etc/jitsi/videobridge/sip-communicator.properties:

    org.ice4j.ice.harvest.NAT_HARVESTER_LOCAL_ADDRESS=<Local.IP.Address>
    org.ice4j.ice.harvest.NAT_HARVESTER_PUBLIC_ADDRESS=<Public.IP.Address>
    

    And comment the existing org.ice4j.ice.harvest.STUN_MAPPING_HARVESTER_ADDRESSES.

    Be aware that Jitsi clients will try to fall back to 443/TCP if 10000/UDP is blocked. Here comes the problem: Jitsi's 443/TCP connection is _NO_ HTTP, so the Sophos WAF can't handle it. That said, external connections will only work with 10000/UDP opened.

    Another point is Sophos' flood protection. Watch your logs and be sure to increase the values there if the protection fires.
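    The log excerpt posted earlier in the thread and the explanation above (the proxy gets EOF instead of an HTTP status line from the backend, so the WAF answers 502) can be triaged mechanically. The following is an added example, not code from the thread or from Sophos: a small parser for the UTM WAF httpd access lines (id="0299" key="value" format) and the Apache proxy_http AH01102 error lines, run over constructed sample lines with placeholder IPs and hostnames.

```python
import re
from collections import Counter

# Constructed sample lines in the Sophos UTM WAF log format from the thread.
# IPs (RFC 5737 ranges) and hostnames are placeholders, not real systems.
SAMPLE_LOG = """\
2020:10:25-16:34:33 gateway httpd[32399]: [proxy_http:error] [pid 32399:tid 3951938416] (70014)End of file found: [client 198.51.100.7:1313] AH01102: error reading status line from remote server 10.0.0.20:443
2020:10:25-16:34:33 gateway httpd: id="0299" srcip="198.51.100.7" localip="203.0.113.1" size="379" user="-" host="198.51.100.7" method="GET" statuscode="502" reason="-" extra="-" exceptions="SkipAntiVirus, SkipTFT" time="13423" url="/" server="meet.example.net" port="443" query="" referer="-" uid="A1"
2020:10:25-16:34:35 gateway httpd: id="0299" srcip="198.51.100.7" localip="203.0.113.1" size="0" user="-" host="198.51.100.7" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="12671" url="/favicon.ico" server="meet.example.net" port="80" query="" referer="-" uid="A2"
2020:10:25-16:34:37 gateway httpd: id="0299" srcip="198.51.100.7" localip="203.0.113.1" size="29" user="-" host="198.51.100.7" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" time="5060770" url="/Microsoft-Server-ActiveSync" server="mail.example.net" port="443" query="" referer="-" uid="A3"
"""

# key="value" pairs as written by the UTM httpd access log (keys may contain '-')
KV_RE = re.compile(r'(\w[\w-]*)="([^"]*)"')
# Apache proxy_http error: backend closed the connection before sending a status line
UPSTREAM_RE = re.compile(r'AH01102: error reading status line from remote server (\S+?):(\d+)')


def parse_access_line(line):
    """Return the fields of an id="0299" WAF access line as a dict, or None."""
    if ' httpd: id="0299"' not in line:
        return None
    return dict(KV_RE.findall(line))


def triage(log_text):
    """Count responses per (virtual server, port, status) and count the
    backend:port pairs from which the proxy never received an HTTP status line."""
    eof_upstreams = Counter()
    status_by_vhost = Counter()
    for line in log_text.splitlines():
        m = UPSTREAM_RE.search(line)
        if m:
            eof_upstreams[f"{m.group(1)}:{m.group(2)}"] += 1
            continue
        rec = parse_access_line(line)
        if rec:
            status_by_vhost[(rec["server"], rec["port"], rec["statuscode"])] += 1
    return {"eof_upstreams": dict(eof_upstreams),
            "status_by_vhost": dict(status_by_vhost)}


def backends_without_status_line(summary):
    """Backends that only ever returned EOF: the pattern seen when the backend
    port does not speak HTTP to the WAF (Jitsi's 443 fallback in this thread)."""
    return sorted(summary["eof_upstreams"])


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for key, count in sorted(result["status_by_vhost"].items()):
        print(key, count)
    print("backends with no HTTP status line:", backends_without_status_line(result))
```

    A 502 for the Jitsi virtual server paired with AH01102 for the same backend, while other virtual servers on the same WAF return 200, isolates the fault to that one backend rather than to the WAF itself.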

  • I'm running Jitsi behind the UTM WAF without issue. I use the docker-compose version.

    Wildcard cert, HTTPS & redirect. Had no issues.