
Android - WAF HTTPS too many redirects

I just set up WAF on one domain so far. I created an HTTPS Real and Virtual server. It seems to be working OK with Firefox and IE on PCs, but when I try to access the site with an Android, I keep getting the following error:

Connection Problem
The page contains too many server redirects.


It works fine when I disable WAF and use DNAT.

Any suggestions?


  • Hi, what do the WAF logs show?

    You might try adding a '/' to the end of the urls, either in the browser or in the WAF.

    Barry
  • The log has repeated entries like below:

    ...
    2013:07:02-04:38:29 sophos reverseproxy: [Tue Jul 02 04:38:29.966987 2013] [cookie:warn] [pid 9294:tid 3989465968] [client 6x.xx.***.x6:24968] Dropping cookie '.APFW' from request due to missing/invalid signature
     
    2013:07:02-04:38:29 sophos reverseproxy: srcip="6x.xx.***.x6" localip="5x.***.xx.x3" size="114" user="-" host="6x.xx.***.x6" method="GET" statuscode="302" reason="-" extra="-" time="6390" url="/APFW/default.aspx" server="my.site.com" referer="-" cookie="AlarmsDue=false; ActLogin=username; ASP.NET_SessionId=5tjorxhdvfsgq1hxetcnnbqx; IsPendingWorkflowActionDialogOpen=false" set-cookie="AlarmsDue=false; path=/, HASH_AlarmsDue=100DC71D07382DBE0BCAF52C0FAEA069A3C4FF1D; path=/"
     
    2013:07:02-04:38:30 sophos reverseproxy: [Tue Jul 02 04:38:30.162907 2013] [cookie:warn] [pid 9294:tid 3989465968] [client 6x.xx.***.x6:24968] Dropping cookie '.APFW' from request due to missing/invalid signature
     
    2013:07:02-04:38:30 sophos reverseproxy: srcip="6x.xx.***.x6" localip="5x.***.xx.x3" size="119" user="-" host="6x.xx.***.x6" method="GET" statuscode="302" reason="-" extra="-" time="481836" url="/APFW/M" server="my.site.com" referer="-" cookie="ASP.NET_SessionId=5tjorxhdvfsgq1hxetcnnbqx; IsPendingWorkflowActionDialogOpen=false; AlarmsDue=false; ActLogin=username" set-cookie="-"
     
    2013:07:02-04:38:30 sophos reverseproxy: [Tue Jul 02 04:38:30.832060 2013] [cookie:warn] [pid 9294:tid 3989465968] [client 6x.xx.***.x6:24968] Dropping cookie '.APFW' from request due to missing/invalid signature
     
    2013:07:02-04:38:30 sophos reverseproxy: srcip="6x.xx.***.x6" localip="5x.***.xx.x3" size="149" user="-" host="6x.xx.***.x6" method="GET" statuscode="302" reason="-" extra="-" time="4215" url="/APFW/M/Home" server="my.site.com" referer="-" cookie="ASP.NET_SessionId=5tjorxhdvfsgq1hxetcnnbqx; IsPendingWorkflowActionDialogOpen=false; AlarmsDue=false; ActLogin=username" set-cookie="-"
     
    2013:07:02-04:38:31 sophos reverseproxy: [Tue Jul 02 04:38:31.046603 2013] [cookie:warn] [pid 9294:tid 3989465968] [client 6x.xx.***.x6:24968] Dropping cookie '.APFW' from request due to missing/invalid signature
     
    2013:07:02-04:38:31 sophos reverseproxy: srcip="6x.xx.***.x6" localip="5x.***.xx.x3" size="114" user="-" host="6x.xx.***.x6" method="GET" statuscode="302" reason="-" extra="-" time="6815" url="/APFW/default.aspx" server="my.site.com" referer="-" cookie="ASP.NET_SessionId=5tjorxhdvfsgq1hxetcnnbqx; IsPendingWorkflowActionDialogOpen=false; AlarmsDue=false; ActLogin=username" set-cookie="AlarmsDue=false; path=/, HASH_AlarmsDue=100DC71D07382DBE0BCAF52C0FAEA069A3C4FF1D; path=/" 
    ...

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------
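The log excerpt above has a clear shape: every "Dropping cookie '.APFW' ... missing/invalid signature" warning is followed by a 302 from the backend, and the redirect targets cycle (default.aspx, M, M/Home, back to default.aspx) because the application never sees the cookie it needs. The following script is an added example (not a Sophos tool, and not code from anyone in this thread) that parses lines in this reverseproxy format and flags, per client IP, dropped-cookie counts and redirect cycles. The sample lines are copied from the thread, with its masked IPs; the loop threshold `max_redirects` is an assumption chosen for the demo.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: the four warning/access pairs quoted in the thread.
SAMPLE_LOG = """\
2013:07:02-04:38:29 sophos reverseproxy: [Tue Jul 02 04:38:29.966987 2013] [cookie:warn] [pid 9294:tid 3989465968] [client 6x.xx.***.x6:24968] Dropping cookie '.APFW' from request due to missing/invalid signature
2013:07:02-04:38:29 sophos reverseproxy: srcip="6x.xx.***.x6" localip="5x.***.xx.x3" size="114" user="-" host="6x.xx.***.x6" method="GET" statuscode="302" reason="-" extra="-" time="6390" url="/APFW/default.aspx" server="my.site.com" referer="-" cookie="AlarmsDue=false; ActLogin=username" set-cookie="AlarmsDue=false; path=/, HASH_AlarmsDue=100DC71D07382DBE0BCAF52C0FAEA069A3C4FF1D; path=/"
2013:07:02-04:38:30 sophos reverseproxy: [Tue Jul 02 04:38:30.162907 2013] [cookie:warn] [pid 9294:tid 3989465968] [client 6x.xx.***.x6:24968] Dropping cookie '.APFW' from request due to missing/invalid signature
2013:07:02-04:38:30 sophos reverseproxy: srcip="6x.xx.***.x6" localip="5x.***.xx.x3" size="119" user="-" host="6x.xx.***.x6" method="GET" statuscode="302" reason="-" extra="-" time="481836" url="/APFW/M" server="my.site.com" referer="-" cookie="AlarmsDue=false; ActLogin=username" set-cookie="-"
2013:07:02-04:38:30 sophos reverseproxy: [Tue Jul 02 04:38:30.832060 2013] [cookie:warn] [pid 9294:tid 3989465968] [client 6x.xx.***.x6:24968] Dropping cookie '.APFW' from request due to missing/invalid signature
2013:07:02-04:38:30 sophos reverseproxy: srcip="6x.xx.***.x6" localip="5x.***.xx.x3" size="149" user="-" host="6x.xx.***.x6" method="GET" statuscode="302" reason="-" extra="-" time="4215" url="/APFW/M/Home" server="my.site.com" referer="-" cookie="AlarmsDue=false; ActLogin=username" set-cookie="-"
2013:07:02-04:38:31 sophos reverseproxy: [Tue Jul 02 04:38:31.046603 2013] [cookie:warn] [pid 9294:tid 3989465968] [client 6x.xx.***.x6:24968] Dropping cookie '.APFW' from request due to missing/invalid signature
2013:07:02-04:38:31 sophos reverseproxy: srcip="6x.xx.***.x6" localip="5x.***.xx.x3" size="114" user="-" host="6x.xx.***.x6" method="GET" statuscode="302" reason="-" extra="-" time="6815" url="/APFW/default.aspx" server="my.site.com" referer="-" cookie="AlarmsDue=false; ActLogin=username" set-cookie="AlarmsDue=false; path=/, HASH_AlarmsDue=100DC71D07382DBE0BCAF52C0FAEA069A3C4FF1D; path=/"
"""

# Access lines are key="value" pairs (keys may contain '-', e.g. set-cookie).
ACCESS_RE = re.compile(r'([\w-]+)="([^"]*)"')
# Cookie-signing warnings carry the client IP and the dropped cookie name.
DROP_RE = re.compile(
    r"\[client ([^\]:]+):\d+\] Dropping cookie '([^']+)' from request "
    r"due to missing/invalid signature"
)


def parse_line(line):
    """Return ("drop", client_ip, cookie_name), ("access", fields) or None."""
    m = DROP_RE.search(line)
    if m:
        return ("drop", m.group(1), m.group(2))
    if "reverseproxy:" in line and 'srcip="' in line:
        return ("access", dict(ACCESS_RE.findall(line)))
    return None


def analyze(log_text, max_redirects=3):
    """Per client IP: dropped-cookie counts, the sequence of URLs that were answered
    with a 3xx, and whether that sequence revisits a URL (a redirect cycle)."""
    clients = defaultdict(lambda: {"dropped": Counter(), "redirects": [], "loop": False})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec[0] == "drop":
            clients[rec[1]]["dropped"][rec[2]] += 1
        else:
            f = rec[1]
            if f.get("statuscode", "").startswith("3"):
                clients[f["srcip"]]["redirects"].append(f["url"])
    for info in clients.values():
        urls = info["redirects"]
        # More than max_redirects hops AND a repeated target: the client is cycling,
        # which is what the browser eventually reports as "too many redirects".
        info["loop"] = len(urls) > max_redirects and len(set(urls)) < len(urls)
    return dict(clients)


def looping_clients(log_text):
    """IPs that are stuck in a redirect cycle while having cookies dropped."""
    return [ip for ip, info in analyze(log_text).items()
            if info["loop"] and info["dropped"]]


if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, dict(info["dropped"]), info["redirects"], "loop" if info["loop"] else "")
```

Correlating the two line types this way separates a genuine cookie-signing incompatibility (every request from a client loses the same cookie and cycles) from isolated drops, which can just be a stale cookie from before the WAF was put in front of the site.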

  • Unchecking Cookie signing in Firewall Profiles -> Advanced Protection seems to fix it.
     
    Since that worked, I thought I would create an exception instead of editing the Advanced Protection profile, but it does not work.
     
    Shouldn't creating an exception and ticking Cookie Signing under Skip these checks accomplish the same thing as unticking Cookie signing under the Advanced Protection profile?


  • "You might try adding a '/' to the end of the urls, either in the browser or in the WAF."

    Didn't seem to do anything. Also, the domain names in WAF are automatically populated with no way that I see to edit them by adding a '/' at the end.


  • OK. I'm sure the Cookie Signing is somehow incompatible with your webserver (maybe you can find a setting on the webserver that would work better).

    I don't know why the exceptions aren't working.

    Barry
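To make the incompatibility Barry refers to concrete: the log's set-cookie field shows the WAF emitting a companion HASH_<name> cookie for each application cookie it passes through, and the warning shows it dropping any request cookie whose companion is missing or does not verify. The model below is an added example, not Sophos's implementation and not code from this thread: it signs cookies with an HMAC (HMAC-SHA1 is an assumption, chosen only because the thread's HASH_ values are 40 hex characters) and filters request cookies the same way a signing WAF does. A cookie the proxy never saw in a Set-Cookie (the '.APFW' cookie here, which the constructed scenario assumes was set client-side or while the site was still reached via DNAT) has no valid companion and is dropped, so the backend never sees it and keeps redirecting; `skip_signing` models the "Skip these checks" exception.

```python
import hashlib
import hmac

# Constructed key: a real WAF keeps this secret on the appliance.
PROXY_KEY = b"constructed-demo-key"


def sign(name, value, key=PROXY_KEY):
    """Signature over name=value. Algorithm is an assumption for the demo."""
    return hmac.new(key, f"{name}={value}".encode(), hashlib.sha1).hexdigest().upper()


def rewrite_set_cookies(set_cookies, key=PROXY_KEY):
    """Response path: add a HASH_<name> companion for each application cookie,
    matching the shape 'AlarmsDue=false; path=/, HASH_AlarmsDue=...; path=/'."""
    out = []
    for name, value in set_cookies:
        out.append((name, value))
        out.append(("HASH_" + name, sign(name, value, key)))
    return out


def parse_cookie_header(header):
    """Minimal Cookie header parser: 'a=1; b=2' -> {'a': '1', 'b': '2'}."""
    jar = {}
    for part in header.split(";"):
        part = part.strip()
        if "=" in part:
            n, v = part.split("=", 1)
            jar[n] = v
    return jar


def filter_request_cookies(cookie_header, key=PROXY_KEY, skip_signing=False):
    """Request path: forward a cookie only when its HASH_ companion verifies.
    Returns (cookies forwarded to the backend, names dropped with a warning)."""
    jar = parse_cookie_header(cookie_header)
    forwarded, dropped = {}, []
    for name, value in jar.items():
        if name.startswith("HASH_"):
            continue  # companions are consumed by the proxy, never forwarded
        if skip_signing:  # the exception: pass everything through unchecked
            forwarded[name] = value
            continue
        expected = sign(name, value, key)
        presented = jar.get("HASH_" + name, "")
        if hmac.compare_digest(expected, presented):
            forwarded[name] = value
        else:
            dropped.append(name)  # "Dropping cookie '<name>' ... missing/invalid signature"
    return forwarded, dropped


if __name__ == "__main__":
    # Backend sets AlarmsDue; the proxy signs it on the way out.
    browser_jar = rewrite_set_cookies([("AlarmsDue", "false")])
    # Constructed: '.APFW' exists in the browser but was never signed by the proxy.
    header = "; ".join(f"{n}={v}" for n, v in browser_jar) + "; .APFW=abc"
    print(filter_request_cookies(header))                    # .APFW dropped
    print(filter_request_cookies(header, skip_signing=True))  # everything forwarded
```

The same filter also rejects a cookie whose value was changed on the client after signing, which is the protection the feature exists for; the trade-off is that any cookie that legitimately originates outside the proxy's view of Set-Cookie is dropped too, which is why the fix in this thread is to exempt the site from signing rather than to change the application.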
  • After more testing, I find that the Cookie Signing exception does work. However, the Form Hardening exception does not. The only way I can disable/turn off form hardening is to uncheck it in the Firewall Profile that is being used.

    Same results after a fresh Sophos install. Seems to be a legitimate bug.
