WAF - [form_hardening:error]

Hello panicos ,

Thanks for reaching out to Sophos Community.

Could you try to create a new exception for form hardening that applies to the URL identified in the reverseproxy.log. Then enable exception "Never change HTML during URL Hardening or Form Hardening“ 

Regards,

hi,

Thank you, i added in the exception as follows (hope i did it correct):

Now i see the following logs (no hardening errors apparently):

2023:10:02-16:00:44 robfw1 httpd[6018]: [url_hardening:error] [pid 6018:tid 4102015808] [client 83.97.73.87:34984] Hostname in HTTP request (188.27.163.161) does not match the server name (REF_RevFroNextCloudExter_redirect_ssl)
2023:10:02-16:00:44 robfw1 httpd: id="0299" srcip="83.97.73.87" localip="188.27.163.161" size="199" user="-" host="83.97.73.87" method="POST" statuscode="403" reason="-" extra="-" exceptions="-" time="204" url="/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php" server="188.27.163.161:80" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZRq-_Kq5SfZRxGuT36o8XgAAAAM"
2023:10:02-16:01:01 robfw1 httpd: id="0299" srcip="5.15.85.54" localip="188.27.163.161" size="5944" user="-" host="5.15.85.54" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="71496" url="/index.php/login" server="cloud-jder.ddns.net" port="443" query="" referer="-" cookie="__Host-nc_sameSiteCookielax=true; HASH___Host-nc_sameSiteCookielax=3147B5FAD3ADF92A442C45B52D459FAE7106CFF8; __Host-nc_sameSiteCookiestrict=true; HASH___Host-nc_sameSiteCookiestrict=FFC39A0BA50A010033525A9232A588F0EE6D7617; oc_sessionPassphrase=As0q8lA25xeBr2j1tfEXHk8jOVITua8LZ%2FxBpnI45xAKbMnKoPU5SnYO8Mcu9EGmKYqKPE0j%2FnJlXX69bo27CFMTNwxJWBeLqsaX1TkE7eyBRlcgL2S9z2P4UCcDodcC; HASH_oc_sessionPassphrase=D4D5D9FA467532AA8EEAE5CFBD599B15AF54AA82; ocsdvx0o4czd=qtdug3si1988q6q8q0d339teq5; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; HASH_ocsdvx0o4czd=728E17D4FC81F9D8F8AC565F0877FC6ED12EFE51; ocqqq4bnplq7=ed65d4c3jfgboa58svqbgce3nv; HASH_ocqqq4bnplq7=2255CB6956FD42201C949CBAD068EC2EEDD29505" set-cookie="ocqqq4bnplq7=ed65d4c3jfgboa58svqbgce3nv;
2023:10:02-16:01:01 robfw1 httpd: path=/; secure; HttpOnly; SameSite=Lax" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZRq_Daq5SfZRxGuT36o8XwAAAAQ"
2023:10:02-16:01:01 robfw1 httpd: id="0299" srcip="5.15.85.54" localip="188.27.163.161" size="203" user="-" host="5.15.85.54" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="15695" url="/index.php/apps/unsplash/api/login.css" server="cloud-jder.ddns.net" port="443" query="" referer="-" cookie="__Host-nc_sameSiteCookielax=true; HASH___Host-nc_sameSiteCookielax=3147B5FAD3ADF92A442C45B52D459FAE7106CFF8; __Host-nc_sameSiteCookiestrict=true; HASH___Host-nc_sameSiteCookiestrict=FFC39A0BA50A010033525A9232A588F0EE6D7617; oc_sessionPassphrase=As0q8lA25xeBr2j1tfEXHk8jOVITua8LZ%2FxBpnI45xAKbMnKoPU5SnYO8Mcu9EGmKYqKPE0j%2FnJlXX69bo27CFMTNwxJWBeLqsaX1TkE7eyBRlcgL2S9z2P4UCcDodcC; HASH_oc_sessionPassphrase=D4D5D9FA467532AA8EEAE5CFBD599B15AF54AA82; ocsdvx0o4czd=qtdug3si1988q6q8q0d339teq5; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; HASH_ocsdvx0o4czd=728E17D4FC81F9D8F8AC565F0877FC6ED12EFE51; ocqqq4bnplq7=ed65d4c3jfgboa58svqbgce3nv; HASH_ocqqq4bnplq7=2255CB6956FD42201C949CBAD068EC2EEDD29505" set-cookie="-" websocket_scheme=
2023:10:02-16:01:01 robfw1 httpd: "-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZRq_Daq5SfZRxGuT36o8YAAAAAQ"
2023:10:02-16:03:15 robfw1 httpd: id="0299" srcip="5.15.85.54" localip="188.27.163.161" size="5941" user="-" host="5.15.85.54" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="70037" url="/index.php/login" server="cloud-jder.ddns.net" port="443" query="" referer="-" cookie="__Host-nc_sameSiteCookielax=true; HASH___Host-nc_sameSiteCookielax=3147B5FAD3ADF92A442C45B52D459FAE7106CFF8; __Host-nc_sameSiteCookiestrict=true; HASH___Host-nc_sameSiteCookiestrict=FFC39A0BA50A010033525A9232A588F0EE6D7617; oc_sessionPassphrase=As0q8lA25xeBr2j1tfEXHk8jOVITua8LZ%2FxBpnI45xAKbMnKoPU5SnYO8Mcu9EGmKYqKPE0j%2FnJlXX69bo27CFMTNwxJWBeLqsaX1TkE7eyBRlcgL2S9z2P4UCcDodcC; HASH_oc_sessionPassphrase=D4D5D9FA467532AA8EEAE5CFBD599B15AF54AA82; ocsdvx0o4czd=qtdug3si1988q6q8q0d339teq5; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; HASH_ocsdvx0o4czd=728E17D4FC81F9D8F8AC565F0877FC6ED12EFE51; ocqqq4bnplq7=ed65d4c3jfgboa58svqbgce3nv; HASH_ocqqq4bnplq7=2255CB6956FD42201C949CBAD068EC2EEDD29505" set-cookie="ocqqq4bnplq7=ed65d4c3jfgboa58svqbgce3nv;
2023:10:02-16:03:15 robfw1 httpd: path=/; secure; HttpOnly; SameSite=Lax" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZRq_kqq5SfZRxGuT36o8YQAAAAA"
2023:10:02-16:03:15 robfw1 httpd: id="0299" srcip="5.15.85.54" localip="188.27.163.161" size="203" user="-" host="5.15.85.54" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="21442" url="/index.php/apps/unsplash/api/login.css" server="cloud-jder.ddns.net" port="443" query="" referer="-" cookie="__Host-nc_sameSiteCookielax=true; HASH___Host-nc_sameSiteCookielax=3147B5FAD3ADF92A442C45B52D459FAE7106CFF8; __Host-nc_sameSiteCookiestrict=true; HASH___Host-nc_sameSiteCookiestrict=FFC39A0BA50A010033525A9232A588F0EE6D7617; oc_sessionPassphrase=As0q8lA25xeBr2j1tfEXHk8jOVITua8LZ%2FxBpnI45xAKbMnKoPU5SnYO8Mcu9EGmKYqKPE0j%2FnJlXX69bo27CFMTNwxJWBeLqsaX1TkE7eyBRlcgL2S9z2P4UCcDodcC; HASH_oc_sessionPassphrase=D4D5D9FA467532AA8EEAE5CFBD599B15AF54AA82; ocsdvx0o4czd=qtdug3si1988q6q8q0d339teq5; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; HASH_ocsdvx0o4czd=728E17D4FC81F9D8F8AC565F0877FC6ED12EFE51; ocqqq4bnplq7=ed65d4c3jfgboa58svqbgce3nv; HASH_ocqqq4bnplq7=2255CB6956FD42201C949CBAD068EC2EEDD29505" set-cookie="-" websocket_scheme=
2023:10:02-16:03:15 robfw1 httpd: "-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZRq_k6q5SfZRxGuT36o8YgAAAAA"

However, the behavior is the same. nothing changed - still not working, with the same problem.

Hello,

Thanks for sharing these details. Wanted to confirm if this previously worked before? If yes, are there any change on firewall side or server side prior the issue? Also, does this Next Cloud Extern virtual web server maps to an internal server? Could you provide high level traffic flow for this access? Thanks

Regards,

Hi,

Yes, this setup is old and has been running succesfully for the last 3-4 years. I have done no change on the firewall nor the Nextcloud server. The issue just appeared without explination. The firewall upgraded to 9.716-2 a while ago (one month aprox i think), but i cannot say that the problem appeared after the upgrade, because i have not checked in that moment. Anyway i upgrade the Sophos reguralry, each time there is an update, so i ve been doing it for years now, without any problem. I was just memntioning about the upgrade, as being the only recent change on this entire setup, not necesarly that it has an importance.

The nextcloud server is installed as a snap and has been working in the same manner as i said, for years now. When this problem appeared i deployed another new from scratch Nextcloud server (normal ubuntu installation this time, not snap), as a test and the problem is exactly the same. So which ever Nextcloud deployment i try (old snap or new install deployment), the problem is exactly the same.

High level of traffic flow: cloud-jder.ddns.net points to the Sophos WAN interface. Also i am using Sophos with Let's encrypt, to have a certificate for this domain (yes, i did renew the certificate as a test and still no change). When it receives traffic for this domain, it redirects it to the internal server Nextcloud, based on the WAF configuration that i made (type encrypted HTTPS & redirect). The Nextcloud has nothing special configured on it (no certifications, domains, etc).

That's it, a basic setup i would say.

Latest logs that i can see from my attempts:

2023:10:04-16:17:49 robfw1 httpd: =Lax" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZR1l_bC9kYVMhh3VRgiRYwAAAC8"
2023:10:04-16:17:49 robfw1 httpd: id="0299" srcip="5.15.79.18" localip="188.27.163.161" size="1174" user="-" host="5.15.79.18" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="2013" url="/core/css/guest.css.map" server="cloud-jder.ddns.net" port="443" query="" referer="-" cookie="ocsdvx0o4czd=i2467r21avpb3epgn3qdmvvv1t; oc_sessionPassphrase=7urdPTA5WAG%2B1f9j3HR7FA32hV%2B7MYWxbwFr6c6%2FOgl0QN9%2BaxPGmdiwELjjukd1uUOvvvGDsip7bLzBLNhFqytIqngoQNm8fdh3w%2B%2F9kn1an%2FkVqNA3IOwApmHFp9xJ; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZR1l_bC9kYVMhh3VRgiRagAAACY"
2023:10:04-16:17:49 robfw1 httpd: id="0299" srcip="5.15.79.18" localip="188.27.163.161" size="4912" user="-" host="5.15.79.18" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="12749" url="/core/css/server.css.map" server="cloud-jder.ddns.net" port="443" query="" referer="-" cookie="ocsdvx0o4czd=i2467r21avpb3epgn3qdmvvv1t; oc_sessionPassphrase=7urdPTA5WAG%2B1f9j3HR7FA32hV%2B7MYWxbwFr6c6%2FOgl0QN9%2BaxPGmdiwELjjukd1uUOvvvGDsip7bLzBLNhFqytIqngoQNm8fdh3w%2B%2F9kn1an%2FkVqNA3IOwApmHFp9xJ; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZR1l_bC9kYVMhh3VRgiRaQAAAC8"
2023:10:04-16:17:53 robfw1 httpd: id="0299" srcip="5.15.79.18" localip="188.27.163.161" size="0" user="-" host="5.15.79.18" method="GET" statuscode="302" reason="-" extra="-" exceptions="-" time="39050" url="/" server="cloud-jder.ddns.net" port="443" query="" referer="-" cookie="ocsdvx0o4czd=i2467r21avpb3epgn3qdmvvv1t; oc_sessionPassphrase=7urdPTA5WAG%2B1f9j3HR7FA32hV%2B7MYWxbwFr6c6%2FOgl0QN9%2BaxPGmdiwELjjukd1uUOvvvGDsip7bLzBLNhFqytIqngoQNm8fdh3w%2B%2F9kn1an%2FkVqNA3IOwApmHFp9xJ; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZR1mAbC9kYVMhh3VRgiRawAAAB8"
2023:10:04-16:17:53 robfw1 httpd: id="0299" srcip="5.15.79.18" localip="188.27.163.161" size="6013" user="-" host="5.15.79.18" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="35918" url="/index.php/login" server="cloud-jder.ddns.net" port="443" query="" referer="-" cookie="ocsdvx0o4czd=i2467r21avpb3epgn3qdmvvv1t; oc_sessionPassphrase=7urdPTA5WAG%2B1f9j3HR7FA32hV%2B7MYWxbwFr6c6%2FOgl0QN9%2BaxPGmdiwELjjukd1uUOvvvGDsip7bLzBLNhFqytIqngoQNm8fdh3w%2B%2F9kn1an%2FkVqNA3IOwApmHFp9xJ; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true" set-cookie="ocsdvx0o4czd=i2467r21avpb3epgn3qdmvvv1t; path=/; HttpOnly; SameSite=Lax" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZR1mAbC9kYVMhh3VRgiRbAAAAB8"
2023:10:04-16:17:56 robfw1 httpd: id="0299" srcip="5.15.79.18" localip="188.27.163.161" size="1174" user="-" host="5.15.79.18" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1796" url="/core/css/guest.css.map" server="cloud-jder.ddns.net" port="443" query="" referer="-" cookie="ocsdvx0o4czd=i2467r21avpb3epgn3qdmvvv1t; oc_sessionPassphrase=7urdPTA5WAG%2B1f9j3HR7FA32hV%2B7MYWxbwFr6c6%2FOgl0QN9%2BaxPGmdiwELjjukd1uUOvvvGDsip7bLzBLNhFqytIqngoQNm8fdh3w%2B%2F9kn1an%2FkVqNA3IOwApmHFp9xJ; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZR1mBLC9kYVMhh3VRgiRbgAAACY"
2023:10:04-16:17:56 robfw1 httpd: id="0299" srcip="5.15.79.18" localip="188.27.163.161" size="4912" user="-" host="5.15.79.18" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="3349" url="/core/css/server.css.map" server="cloud-jder.ddns.net" port="443" query="" referer="-" cookie="ocsdvx0o4czd=i2467r21avpb3epgn3qdmvvv1t; oc_sessionPassphrase=7urdPTA5WAG%2B1f9j3HR7FA32hV%2B7MYWxbwFr6c6%2FOgl0QN9%2BaxPGmdiwELjjukd1uUOvvvGDsip7bLzBLNhFqytIqngoQNm8fdh3w%2B%2F9kn1an%2FkVqNA3IOwApmHFp9xJ; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZR1mBLC9kYVMhh3VRgiRbQAAAC8"
2023:10:04-16:20:23 robfw1 httpd: id="0299" srcip="5.15.85.54" localip="188.27.163.161" size="6013" user="-" host="5.15.85.54" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="40979" url="/index.php/login" server="cloud-jder.ddns.net" port="443" query="" referer="-" cookie="__Host-nc_sameSiteCookielax=true; HASH___Host-nc_sameSiteCookielax=3147B5FAD3ADF92A442C45B52D459FAE7106CFF8; __Host-nc_sameSiteCookiestrict=true; HASH___Host-nc_sameSiteCookiestrict=FFC39A0BA50A010033525A9232A588F0EE6D7617; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true; oc_sessionPassphrase=tK4NHmDimHPnlzaB2jc2bUci50T8R%2BolcqjZXHgerCf4z31sCungYC3cSSqj7lWvEDvF9PzgQJO9crlu8G2nkVcv%2FkVjXBbbnGraMLjDEMUt%2FeJkDNlpZ%2BQi7yG0VNFO; ocsdvx0o4czd=itdu54j3acth7tbd09bgfu5lhb" set-cookie="ocsdvx0o4czd=12m9070oeoue7s1c51td03ig83; path=/; HttpOnly; SameSite=Lax, ocsdvx0o4czd=12m9070oeoue7s1c51td03ig83; path=/; HttpOnly; SameSite=Lax, ocsdvx0o4czd=12m9070oeoue7s1c51td03ig83; path=/; HttpOnly; SameSite=Lax, ocsdvx0o4czd=12m9070oeoue7s1c51td03ig83; path=/
2023:10:04-16:20:23 robfw1 httpd: ; HttpOnly; SameSite=Lax" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZR1ml7C9kYVMhh3VRgiRbwAAADA"
2023:10:04-16:27:40 robfw1 httpd: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="53" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="165" url="/lb-status" server="localhost:4080" port="80" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZR1oTLC9kYVMhh3VRgiRcAAAAAE"
2023:10:04-16:29:07 robfw1 httpd: id="0299" srcip="5.14.145.87" localip="188.27.163.161" size="4727" user="-" host="5.14.145.87" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="35724" url="/index.php/login" server="cloud-jder.ddns.net" port="443" query="" referer="-" cookie="oc_sessionPassphrase=CwWqmBs0TdcmFVjC0QvbL%2BLCw6oz07RGlwKfvaD6Ny5ZUvoN6rdyIZVo1iEXRYCKKL%2FyKjKaG6wB8zosZVDcGZsNvTDL4AuqYnz3aM%2Fb7xf2fLeLiZYeYPv1OscP8aT2; ocsdvx0o4czd=vma0n6l4lsi5k2d20aevh553cp; HASH___Host-nc_sameSiteCookielax=3147B5FAD3ADF92A442C45B52D459FAE7106CFF8; HASH___Host-nc_sameSiteCookiestrict=FFC39A0BA50A010033525A9232A588F0EE6D7617; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; HASH_nc_sameSiteCookielax=ED1D589C8364C1A2FEEC5F6379D33D0B3ED00A13; HASH_nc_sameSiteCookiestrict=BCABC1DB122EDF2C4B9BC8C27DE8888D28D1C432; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true" set-cookie="ocsdvx0o4czd=vma0n6l4lsi5k2d20aevh553cp; path=/; HttpOnly; SameSite=Lax" websocket_scheme="-" websocket_protocol="-" websocket_
2023:10:04-16:29:07 robfw1 httpd: key="-" websocket_version="-" uid="ZR1oo7C9kYVMhh3VRgiRcQAAAC0"
2023:10:04-16:29:07 robfw1 httpd: id="0299" srcip="5.14.145.87" localip="188.27.163.161" size="1395" user="-" host="5.14.145.87" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="14942" url="/index.php/core/js/oc.js" server="cloud-jder.ddns.net" port="443" query="?v=52e1fa2b" referer="-" cookie="ocsdvx0o4czd=vma0n6l4lsi5k2d20aevh553cp; oc_sessionPassphrase=CwWqmBs0TdcmFVjC0QvbL%2BLCw6oz07RGlwKfvaD6Ny5ZUvoN6rdyIZVo1iEXRYCKKL%2FyKjKaG6wB8zosZVDcGZsNvTDL4AuqYnz3aM%2Fb7xf2fLeLiZYeYPv1OscP8aT2; HASH___Host-nc_sameSiteCookielax=3147B5FAD3ADF92A442C45B52D459FAE7106CFF8; HASH___Host-nc_sameSiteCookiestrict=FFC39A0BA50A010033525A9232A588F0EE6D7617; __Host-nc_sameSiteCookielax=true; __Host-nc_sameSiteCookiestrict=true; HASH_nc_sameSiteCookielax=ED1D589C8364C1A2FEEC5F6379D33D0B3ED00A13; HASH_nc_sameSiteCookiestrict=BCABC1DB122EDF2C4B9BC8C27DE8888D28D1C432; nc_sameSiteCookielax=true; nc_sameSiteCookiestrict=true" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="ZR1oo7C9kYVMhh3V
2023:10:04-16:29:07 robfw1 httpd: RgiRcgAAAC0"

I for one cannot see a problem through these lines. I tried from different browsers and i rebooted the Sophos several times. 

Really don't know where to look more.

Thanks

I managed to find the problem:

I had that one ticked and disabling it restores the functionality. Does this mean the current version changed the functionality somehow of this feature, because i used it ticked before ?

Different topic: now that i made it working i tried to apply the form and URL hardening but it is impossible. I made many exceptions based on the logs of the WAF and i can't make it work properly. either there are some icons that don't load, or features or submenu pages entirely. I played with a lot of exceptions, with wildcards, shorter, longer, etc. Only using /* makes it work , but that is basically disabling the hardening at all (or enabling a hardening which does nothing). 

thx

I managed to find the problem:

I had that one ticked and disabling it restores the functionality. Does this mean the current version changed the functionality somehow of this feature, because i used it ticked before ?

Different topic: now that i made it working i tried to apply the form and URL hardening but it is impossible. I made many exceptions based on the logs of the WAF and i can't make it work properly. either there are some icons that don't load, or features or submenu pages entirely. I played with a lot of exceptions, with wildcards, shorter, longer, etc. Only using /* makes it work , but that is basically disabling the hardening at all (or enabling a hardening which does nothing). 

thx