This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

WAF. The web application firewall has blocked access to /folder. No signature found.

jlbrown over 9 years ago

Running 9.400-9

Have set up a virtual server, for a web server for https.

I can get to my landing page OK, when I click on a link to go to a deeper level, I get:

The web application firewall has blocked access to /folder for the following reason: No signature found.

WAF log:

2016:04:08-16:10:40 astaro1-2 reverseproxy: [Fri Apr 08 16:10:40.000689 2016] [core:notice] [pid 6068:tid 4148152000] AH00094: Command line: '/usr/apache/bin/httpd'

2016:04:08-16:10:40 astaro1-2 reverseproxy: [Fri Apr 08 16:10:40.000750 2016] [mpm_worker:warn] [pid 6068:tid 4148152000] AH00291: long lost child came home! (pid 4347)

2016:04:08-16:10:40 astaro1-2 reverseproxy: [Fri Apr 08 16:10:40.000789 2016] [mpm_worker:warn] [pid 6068:tid 4148152000] AH00291: long lost child came home! (pid 4348)

2016:04:08-16:10:40 astaro1-2 reverseproxy: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="109" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1777" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"

2016:04:08-16:10:40 astaro1-2 reverseproxy: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="109" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="940" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"

2016:04:08-16:11:23 astaro1-2 reverseproxy: [Fri Apr 08 16:11:23.281035 2016] [url_hardening:error] [pid 6112:tid 4122884976] [client 1.152.96.56:11171] No signature found, URI: internal.bordo.com.au/folder

2016:04:08-16:11:23 astaro1-2 reverseproxy: [Fri Apr 08 16:11:23.285167 2016] [cookie:error] [pid 6112:tid 4122884976] [client 1.152.96.56:11171] No signature found, cookie: __utma

2016:04:08-16:11:23 astaro1-2 reverseproxy: [Fri Apr 08 16:11:23.285199 2016] [cookie:warn] [pid 6112:tid 4122884976] [client 1.152.96.56:11171] Dropping cookie '__utma' from request due to missing/invalid signature

2016:04:08-16:11:23 astaro1-2 reverseproxy: [Fri Apr 08 16:11:23.285230 2016] [cookie:error] [pid 6112:tid 4122884976] [client 1.152.96.56:11171] No signature found, cookie: __utmz

2016:04:08-16:11:23 astaro1-2 reverseproxy: [Fri Apr 08 16:11:23.285241 2016] [cookie:warn] [pid 6112:tid 4122884976] [client 1.152.96.56:11171] Dropping cookie '__utmz' from request due to missing/invalid signature

2016:04:08-16:11:23 astaro1-2 reverseproxy: id="0299" srcip="1.152.96.56" localip="203.206.204.254" size="209" user="-" host="1.152.96.56" method="GET" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="488705" url="/folder" server="internal.bordo.com.au" referer="-" cookie="-" set-cookie="-"

Settings:

I created the certificate in WebServer Protection/Certificate Management.

Any suggestions?

Thanks,

James.

This thread was automatically locked due to age.

0 BAlfson over 9 years ago

James, have you tried an Exception for URL Hardening for "/folder"?

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
- 0 jlbrown over 9 years ago in reply to BAlfson
  
  Thanks Bob, thank worked.
  
  After putting in the Exception for 'Static URL hardening' for /folder, I could get to:
  
  mydomain/folder/index.php
  
  But it would not show the login fields on that page. Going back to the Virtual Webserver settings and turning on 'Skip Form hardening' and the username/password field appeared.
  
  So good that it works, but bad that I've had to forgo these protections.
  
  Suppose this is just the way it has to be?
  - 0 Evianne over 9 years ago in reply to jlbrown
    
    Hi,
    
    in Static URL hardening you configure so called entry URLs. You have defined '/' as entry URL. Therefore, every link you can reach from '/' is signed.
    
    But if you make a separate request to '/folder/index.php', this URL has no signature and is therefore blocked. That's how Static URL hardening works.
    
    If you want to reach '/folder/index.php' without going through a link on '/', then either you have to configure '/folder/index.php' as entry URL or you have to configure an exception for it.
    
    Sabine
  - 0 BAlfson over 9 years ago in reply to jlbrown
    
    I believe that your web programmer would need to make some coding changes - I don't think you can "harden" a form in Webserver Protection unless the form is done differently than it is now.
    
    Cheers - Bob
    
    PS When I first posted this, I saw your last comment, Sabine - thanks! Is there a document that describes for our clients' web programmers what they need to adjust in various cases where we have to make an exception or disable a protection altogether?
    
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    
    MediaSoft, Inc. USA
  - 0 jlbrown over 9 years ago in reply to BAlfson
    
    BAlfson said:
    
    PS When I first posted this, I saw your last comment, Sabine - thanks! Is there a document that describes for our clients' web programmers what they need to adjust in various cases where we have to make an exception or disable a protection altogether?
    
    Yes, some information to give to our web programmer would be very helpful. The more exceptions you have to create, the less useful the WAF becomes.
0 Evianne over 9 years ago

Hi,

could you please also post a screenshot of your 'Advanced Protection' firewall profile?

Sabine
- 0 jlbrown over 9 years ago in reply to Evianne
  
  Evianne, do you mean Web Application Firewall/Firewall Profiles?
  
  James.
  - 0 Evianne over 9 years ago in reply to jlbrown
    
    Yes, this one.
    
    Sabine
  - 0 jlbrown over 9 years ago in reply to Evianne