We have recently installed a UTM after migrating from TMG. We have an issue with the WAF in that a certain page on our site is causing an issue for some of our customers.
Customers have services installed on their servers that make a call to a page on our server by performing an HTTP POST.
The customers are using the following PHP:
function http_post($server, $port, $url, $vars) {
    // sends an email explaining whether APC was successful or not; the subject will be "APC Debug" but you can change this to whatever you want
    // note: $your_email and $msg are not defined inside this function
    mail($your_email, "http_post", $msg);

    // get urlencoded version of $vars array
    $urlencoded = "";
    foreach ($vars as $Index => $Value) // get all variables to be used in query
        $urlencoded .= urlencode($Index) . "=" . urlencode($Value) . "&";
    $urlencoded = substr($urlencoded, 0, -1); // returns portion of string, everything but last character

    $headers = "POST $url HTTP/1.0\r\n" // headers to be sent to the server
        . "Content-Type: application/x-www-form-urlencoded\r\n"
        . "Content-Length: " . strlen($urlencoded) . "\r\n\r\n"; // length of the string

    $fp = fsockopen($server, $port, $errno, $errstr, 10); // returns file pointer
    if (!$fp) return "ERROR: fsockopen failed.\r\nError no: $errno - $errstr"; // if cannot open socket then return error message

    fputs($fp, $headers); // writes to file pointer
    fputs($fp, $urlencoded);

    $ret = "";
    while (!feof($fp)) $ret .= fgets($fp, 1024); // while it's not the end of the file it will loop
    fclose($fp); // closes the connection
    return $ret; // raw response (status line, headers and body) as a string
}
They are receiving a response of 301 redirect, and the Sophos returns a page to them with an HTML link. As the page is being called in a service, they are unable to click it.
In the WAF logs I can see:-
2015:06:20-13:56:09 sophos-1 reverseproxy: [Sat Jun 20 13:56:09.417691 2015] [proxy:warn] [pid 4619:tid 4113103728] [client 217.***.***.70:34357] AH01092: no HTTP 0.9 request (with no host line) on incoming request and preserve host set forcing hostname to be mysite.com for uri /test.dll/apc/apc
2015:06:20-13:56:09 sophos-1 reverseproxy: id="0299" srcip="217.***.***.70" localip="62.***.***.97" size="163" user="-" host="217.***.***.70" method="POST" statuscode="301" reason="-" extra="-" exceptions="-" time="15541" url="/test.dll/apc/apc" server="mysite.com" referer="-" cookie="-" set-cookie="-"
I have the WAF set in monitoring mode with its own profile being used for the site in question but they are still receiving the message.
Is there an option to exclude this check from happening?
Thanks Andy
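The AH01092 warning quoted in the post says the request arrived with no Host line, and the posted http_post() sends an HTTP/1.0 request without a Host header. The following is an added example, not part of the original post or of any Sophos tooling: it scans reverseproxy log text for clients whose Host-less requests were answered with a 301. The sample lines are constructed in the format of the two entries above, with documentation-range addresses, and matching warning to access line by identical timestamp, client IP and URI is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample lines in the format of the two log entries quoted above
# (addresses are documentation-range placeholders, not values from the post).
SAMPLE_LOG = '''\
2015:06:20-13:56:09 sophos-1 reverseproxy: [Sat Jun 20 13:56:09.417691 2015] [proxy:warn] [pid 4619:tid 4113103728] [client 203.0.113.70:34357] AH01092: no HTTP 0.9 request (with no host line) on incoming request and preserve host set forcing hostname to be mysite.com for uri /test.dll/apc/apc
2015:06:20-13:56:09 sophos-1 reverseproxy: id="0299" srcip="203.0.113.70" localip="198.51.100.97" size="163" user="-" host="203.0.113.70" method="POST" statuscode="301" reason="-" extra="-" exceptions="-" time="15541" url="/test.dll/apc/apc" server="mysite.com" referer="-" cookie="-" set-cookie="-"
2015:06:20-13:57:30 sophos-1 reverseproxy: id="0299" srcip="203.0.113.88" localip="198.51.100.97" size="5120" user="-" host="203.0.113.88" method="POST" statuscode="200" reason="-" extra="-" exceptions="-" time="20110" url="/test.dll/apc/apc" server="mysite.com" referer="-" cookie="-" set-cookie="-"
'''

PREFIX = re.compile(r'^(\S+) \S+ reverseproxy: (.*)$')
WARN = re.compile(r'\[client ([^\]:]+):\d+\] AH01092: .* for uri (\S+)')
# key="value" pairs; curly quotes are tolerated because pasted logs often carry them
FIELD = re.compile(r'(\w[\w-]*)=["“]([^"”]*)["”]')

def hostless_redirects(log_text):
    """Return {(client_ip, uri): count} for requests that triggered AH01092
    (no Host line) and were answered with a 301 in the same second."""
    warned = set()   # (timestamp, ip, uri) taken from AH01092 warnings
    access = []      # (timestamp, ip, uri, status) taken from access lines
    for line in log_text.splitlines():
        m = PREFIX.match(line)
        if not m:
            continue
        ts, body = m.groups()
        w = WARN.search(body)
        if w:
            warned.add((ts, w.group(1), w.group(2)))
            continue
        f = dict(FIELD.findall(body))
        if {'srcip', 'url', 'statuscode'} <= f.keys():
            access.append((ts, f['srcip'], f['url'], f['statuscode']))
    hits = defaultdict(int)
    # Assumption: warning and access line for one request share timestamp, IP and URI
    for ts, ip, uri, status in access:
        if status == '301' and (ts, ip, uri) in warned:
            hits[(ip, uri)] += 1
    return dict(hits)

if __name__ == '__main__':
    for (ip, uri), n in hostless_redirects(SAMPLE_LOG).items():
        print(f'{ip} POSTed {uri} without a Host header and got 301 x{n}')
```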