
HTTP 405 Error: Signal with GIPHY

Hi,

For a few days now, the messenger Signal has supported GIF pictures by GIPHY. But when the messenger tries to load those pictures from a LAN behind a UTM with active Web Protection, it fails. If I open the site via the web browser on the same mobile phone, it works.

Here are the logs:

Request from Signal messenger
2016:11:02-20:47:03 jasnet httpproxy[2175]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.1.2" dstip="" user="" group="" ad_domain="" statuscode="405" cached="0" profile="REF_HttProContaLanNetwo3 (Mobile Devices Transparent)" filteraction="REF_HttCffAndroDevic (Android Devices)" size="0" request="0xe172ea00" url="https://api.giphy.com/" referer="" error="" authtime="0" dnstime="0" cattime="212" avscantime="0" fullreqtime="230075" device="0" auth="0" ua="okhttp/2.2.0" exceptions="" category="179" reputation="trusted" categoryname="Media Sharing"

Request from web browser
2016:11:02-20:49:01 jasnet httpproxy[2175]: id="0001" severity="info" sys="SecureWeb" sub="http" name="http access" action="pass" method="CONNECT" srcip="192.168.1.2" dstip="151.101.13.127" user="" group="" ad_domain="" statuscode="200" cached="0" profile="REF_HttProContaLanNetwo3 (Mobile Devices Transparent)" filteraction="REF_HttCffAndroDevic (Android Devices)" size="3559002" request="0xd239200" url="https://api.giphy.com/" referer="" error="" authtime="0" dnstime="22680" cattime="259" avscantime="0" fullreqtime="9566099" device="0" auth="0" ua="" exceptions="" category="179" reputation="trusted" categoryname="Media Sharing"
 

The log for the Signal request says HTTP 405 error - Method Not Allowed. I think Signal works with a POST request to hide the source IP address, and this is the problem.

Do you agree? Any idea how to get this to work?

Thank you!

Jas Man



  • I think you nailed it.  The only option is to skip the proxy for that FQDN.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Bob,

    I'm not sure how to do this. I added the URL api.giphy.com to the "Transparent Skip List" as a DNS host:

     

    But it's still blocked. Same log entries as before. What did I do wrong? Is there another option to skip a URL?

     

    Jas

     

    EDIT: Oh, I forgot to write that the web filter profile for my mobile phone works in transparent mode.

  • Is 'Allow HTTP/S traffic for listed hosts/nets' selected under that?  If so, then you will want to watch the Web Filtering and Firewall Live Logs when you test.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • No, it's not.

    I've enabled it for a test. But according to the web filter log, the target is still blocked by the web proxy. This means in my opinion that this exception is not working. Either it is not working because it works only with local addresses, or I did something wrong.

  • Please post a picture of your Exception and a representative log line from Web Filtering.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Object

     

    Exceptions

    Logs

    2016:11:04-22:36:28 jasnet httpproxy[32406]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.1.2" dstip="" user="" group="" ad_domain="" statuscode="405" cached="0" profile="REF_HttProContaLanNetwo3 (Mobile Devices Transparent)" filteraction="REF_HttCffAndroDevic (Android Devices)" size="0" request="0xdc91c000" url="https://api.giphy.com/" referer="" error="" authtime="0" dnstime="0" cattime="33358" avscantime="0" fullreqtime="378431" device="0" auth="0" ua="okhttp/2.2.0" exceptions="" category="179" reputation="trusted" categoryname="Media Sharing"

    2016:11:04-22:36:28 jasnet httpproxy[32406]: id="0002" severity="info" sys="SecureWeb" sub="http" name="web request blocked" action="block" method="CONNECT" srcip="192.168.1.2" dstip="" user="" group="" ad_domain="" statuscode="405" cached="0" profile="REF_HttProContaLanNetwo3 (Mobile Devices Transparent)" filteraction="REF_HttCffAndroDevic (Android Devices)" size="0" request="0xdc91c600" url="https://api.giphy.com/" referer="" error="" authtime="0" dnstime="0" cattime="252" avscantime="0" fullreqtime="220352" device="0" auth="0" ua="okhttp/2.2.0" exceptions="" category="179" reputation="trusted" categoryname="Media Sharing"
     
    Thank you for your help!
  • So, the problem here is statuscode="405" - "method not allowed."  The device is sending an incorrect request that is blocked by the Proxy, but why is the Proxy handling this request if the IP is in the Skiplist?

    The most likely explanation is that the phone is configured to use the Proxy explicitly, and that's the first thing to rule out.

    It's possible that the IP address changes too rapidly.  It's difficult to say because the UTM has obviously cached the IP (dnstime="0").  I queried api.giphy.com and got 151.101.49.127 - not the same IP as the one in your picture.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I agree, the problem is the method by which the Signal client requests the URL (POST and not GET). I tried to install tcpdump on my phone to capture the request, but I had some problems getting this to work. I will try to capture the traffic on my wifi router now. However, a proxy is not configured on my phone.

    In my opinion the web proxy blocks the request before it resolves the DNS name, because the field dstip="" in the logs is empty. That would also explain why the DNS time is zero.

     

    EDIT: I've just tested the exception under "Transparent Mode Skiplist" with another site which is blocked by the web filter profile, and it works. As soon as I add the site to the "Transparent Mode Skiplist" the site is accessible. So the proxy blocks the URL request by Signal before it checks the skiplist.

  • I managed to capture the traffic and I saw that the client requests giphy-proxy-production.whispersystems.org and not api.giphy.com. I changed the exception to this new URL and now it's working.

    Still one question: why do I see the URL api.giphy.com in the logs, and not the one which Signal is calling?
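
An added example, not part of the original thread: a small Python parser for the key="value" httpproxy log format quoted above, which diffs the blocked Signal entry against the passed browser entry and lists the fields the posters reason from (statuscode, dstip, dnstime, ua). The two sample lines are abridged copies of the ones in the first post; the function names are illustrative.

```python
import re

# Sophos UTM httpproxy entries: syslog prefix, then key="value" pairs.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')
# Per-request noise that differs on every line and says nothing about policy.
NOISE = {"request", "cattime", "fullreqtime", "authtime", "avscantime"}

def parse_entry(line):
    """Return the key="value" fields of one httpproxy line as a dict."""
    return dict(FIELD_RE.findall(line))

def diff_entries(blocked, passed):
    """Map each field that differs to its (blocked, passed) value pair."""
    keys = (blocked.keys() | passed.keys()) - NOISE
    return {k: (blocked.get(k), passed.get(k))
            for k in sorted(keys) if blocked.get(k) != passed.get(k)}

def observations(entry):
    """Neutral facts about one entry that the thread reasons from."""
    notes = []
    if entry.get("action") == "block" and entry.get("statuscode") == "405":
        notes.append("blocked with 405")
    if not entry.get("dstip"):
        notes.append("dstip empty")
    if entry.get("dnstime") == "0":
        notes.append("dnstime is 0")
    if entry.get("ua"):
        notes.append("client ua: " + entry["ua"])
    return notes

# Abridged copies of the two log lines quoted in the first post.
SIGNAL_LINE = ('2016:11:02-20:47:03 jasnet httpproxy[2175]: id="0002" '
    'name="web request blocked" action="block" method="CONNECT" '
    'srcip="192.168.1.2" dstip="" statuscode="405" size="0" '
    'request="0xe172ea00" url="https://api.giphy.com/" dnstime="0" '
    'cattime="212" fullreqtime="230075" ua="okhttp/2.2.0"')
BROWSER_LINE = ('2016:11:02-20:49:01 jasnet httpproxy[2175]: id="0001" '
    'name="http access" action="pass" method="CONNECT" '
    'srcip="192.168.1.2" dstip="151.101.13.127" statuscode="200" '
    'size="3559002" request="0xd239200" url="https://api.giphy.com/" '
    'dnstime="22680" cattime="259" fullreqtime="9566099" ua=""')

if __name__ == "__main__":
    sig, web = parse_entry(SIGNAL_LINE), parse_entry(BROWSER_LINE)
    for field, (b, p) in diff_entries(sig, web).items():
        print(f"{field:10} blocked={b!r:24} passed={p!r}")
    print(observations(sig))
```

Both entries carry the same url and srcip, so the diff narrows the comparison to the client (ua) and to how far the proxy got with each request (dstip, dnstime, statuscode).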