Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 7 replies
  • Subscribers 2 subscribers
  • Views 22188 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Problem publishing internal http Server with https

para el mundo
Hi Forum

I`m new to Sophos UTM and want to publish a internal Ticket Port to our external customers.

The problem is: The internal Server is http only and we want to secure the external traffic with https.

So I created a Real Webserver say:

ticket.int.local, plain http, Port 8080

Next I created a Firewall-Profile, with all Checks disabeld (to start testing)

At last I created the Virtual Webserver:
ticket.external.de, https, Port 443

After this I browse to the https://ticket.external.de.
The Login-Page is loading, and I could login to the server.
After the login, all links in the ticket portal won`t work.

If we check the links, their all point to the internal servername http://ticket.int.local:8080 instead of https://ticket.external.de

If I activated "Pass host header" in the virtual web server, all links change to:
external.de (but not to https://ticket.external.de)


What ist the correct way to make this work?


Here`s the vendors solution to this problem: 
"Behind Proxy

RestAPI can be hidden behind proxy server.



Apache configuration

Apache server has to have enabled proxy and headers modules. You can enable them using command a2enmod

a2enmod proxy

a2enmod headers

Apache configuration (version at least 2.2.4)



ProxyPass        /proxy  http://restapi:8888/restapi

ProxyPassReverse /proxy  http://restapi:8888/restapi



RequestHeader append x-forwarded-path "proxy"

RequestHeader append x-forwarded-scheme "https" #optional, only for https-request to /proxy

Header edit Set-Cookie "^(.*; Path=)(.*)" $1/proxy



Note that, apart from headers which are set by the proxy module (httpd.apache.org/.../mod_proxy.html.

x-forwarded-path - path which is mapped to remote server.

x-forwarded-scheme - scheme used by caller in communication with proxy server (http, https) (since 6.7.3)

Consider the following scenario:

client -> https[:P]roxy server -> http:cmas server

x-forwarded-scheme "https" - will inform restapi that the client uses https scheme (note, communication between proxy and restapi is done in http!) thus the generated document will have links with https at the beginning.

If you use the same scheme to communication client -> proxy and proxy -> restapi, x-forwarded-scheme is redundant.

Both above headers are needed to contruct correct links in the generated documents."


This thread was automatically locked due to age.
Parents
  • 0
    Please click on [Go Advanced] below and attach a picture of the HTTPS Virtual Server open in Edit.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 0
    Please click on [Go Advanced] below and attach a picture of the HTTPS Virtual Server open in Edit.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
No Data
Unfiltered HTML