Problems getting WAF to work with virtual hosts

I have an Apache web server in my DMZ that uses numerous virtual hosts to serve up different websites.

For many years I have simply used a DNAT rule for my web server, which has been working fine.
I decided to try using the WAF instead, but have run into problems.

The WAF configuration I set up is pretty basic.

To start with, I disabled the existing DNAT rule.

I defined a Real Webserver that points to my actual webserver.
Plaintext (HTTP) - WebServer - 80

The Virtual Webserver
External Address - Plaintext (HTTP) - 80 - domain1.com & domain2.com - Real Webserver - Basic protection

When I try to access either of the 2 domains the webserver serves up the document root index.html file, which indicates that it is not passing the correct information to the server, so I cannot get to any of the actual websites (defined as virtual hosts in the httpd-vhosts.conf file).

There are no errors in the log file. In fact, I see a status code of 200, which indicates success.

2022:05:14-02:20:56 firewall httpd: id="0299" srcip="1.145.6.84" 
localip="180.200.xxx.xxx" size="1106" user="-" host="1.145.6.84" 
method="GET" statuscode="200" reason="-" extra="-" exceptions="-" 
time="2904" url="/" server="domain1.com" port="80" query="" 
referer="-" cookie="-" set-cookie="-" websocket_scheme="-" 
websocket_protocol="-" websocket_key="-" websocket_version="-" 
uid="Yn6FaDfh6itcQLjSPvhVtgAAAAQ"

I am obviously missing something here, but I have no idea what.

How do I use the WAF with virtual hosts?
Fixed the code block
[edited by: BigO at 5:02 PM (GMT -7) on 13 May 2022]
  • Seems you use SNI to split the internal servers?

    You should see more details within the httpd logfile.

    You can try to activate "pass host headers" or give every vhost its own IP.

    ... or create a vServer for every vhost at the firewall.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Thanks for the response, but I am a bit at a loss as to how to implement any of your suggestions.

    use SNI to split the internal servers

    Where/how would I do that?

    you should see more details within the httpd - logfile

    What should I be looking for in this logfile?
    I cannot see anything that looks like an error, or something that looks out of place.

    You can try to activate "pass host headers"

    That gave some strange results...

    One of the websites loaded, but all of the others got a 403 (forbidden) error.

    2022:05:14-12:17:17 firewall httpd[32534]: [url_hardening:error] [pid 32534:tid 4003281776] [client 1.145.62.60:3505] 
    Hostname in HTTP request (domain.com) does not match the server name (domain.com.au)

    It looks like the wrong hostname is being passed to the webserver.

    or give every vhost it's own IP

    I did consider this, but really this is not a viable option.
    To do this I would have to completely reconfigure my webserver, which I would prefer not to do.

    As mentioned, I was looking at using the WAF as possibly a more secure alternative to just using a DNAT rule.
    (which as mentioned, has worked for many years).

    I thought that should be pretty straightforward, but it appears that this is not the case.

    Surely I am not the only person that uses name-based virtual hosts in an Apache webserver configuration.
    This is a very common method for having a multi-host environment.

    Was I foolish to think that there would be a straightforward method for configuring the UTM to use a WAF for this scenario?

  • I think the options with WAF are more complex than simple DNAT.

    With DNAT, all the requests for all servers are sent to the same real server. This server takes the server name from the URL and presents the associated vServer.

    With WAF, the user connects to the WAF using the external server name. WAF creates a new connection to the vServer (using the one name defined in the "real-Server" configuration).

    ... so maybe one possibility is to create a single "real web server" for WAF with the correct internal name for every vHost. Then you need a WAF rule for every vHost.
    ... but if WAF is simply using the destination IP, then your Apache can't select the correct vHost. (I didn't test this myself.)

    I make the decision which vServer should be used at the WAF and use different TCP ports for each vServer.


    Dirk


  • Thanks for the reply Dirk.

    With WAF, the user connect to the WAF using the external server name. WAF creates a new connection to the vServer (using the one name defines in "real-Server" configuration).

    There is no option when creating a Real Webserver to define the website, but...
    If for example, you create 3 Real Webservers and 3 Virtual Webservers, one for each website, with all of the Real Webservers pointing to the same Apache server (the name you give them is irrelevant), you can then point each virtual server to a different Real Webserver. You must also select "Pass host header" in Advanced for each Virtual Webserver.

    This seems illogical to me, as all of the virtual webservers ultimately point to the same Apache server, but it seems to work.
    Well, at least in regard to passing the correct header information to the Apache server.

    I make the decision which vServer should be used at the WAF and use different TCP ports for each vServer

    Can you elaborate on that a bit more?


  • I make the decision which vServer should be used at the WAF and use different TCP ports for each vServer

    Can you elaborate on that a bit more?

    I connect

    domain1.com = WAF-Server1:80  with vhost:81

    domain2.com = WAF-Server2:80  with vhost:82


    Dirk


  • Thanks again for your assistance with this issue Dirk