
WAF. The web application firewall has blocked access to /folder. No signature found.

Running 9.400-9

Have set up a virtual server, for a web server for https.

I can get to my landing page OK. When I click on a link to go to a deeper level, I get:

The web application firewall has blocked access to /folder for the following reason: No signature found.

WAF log:

2016:04:08-16:10:40 astaro1-2 reverseproxy: [Fri Apr 08 16:10:40.000689 2016] [core:notice] [pid 6068:tid 4148152000] AH00094: Command line: '/usr/apache/bin/httpd'
2016:04:08-16:10:40 astaro1-2 reverseproxy: [Fri Apr 08 16:10:40.000750 2016] [mpm_worker:warn] [pid 6068:tid 4148152000] AH00291: long lost child came home! (pid 4347)
2016:04:08-16:10:40 astaro1-2 reverseproxy: [Fri Apr 08 16:10:40.000789 2016] [mpm_worker:warn] [pid 6068:tid 4148152000] AH00291: long lost child came home! (pid 4348)
2016:04:08-16:10:40 astaro1-2 reverseproxy: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="109" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="1777" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
2016:04:08-16:10:40 astaro1-2 reverseproxy: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="109" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="940" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
2016:04:08-16:11:23 astaro1-2 reverseproxy: [Fri Apr 08 16:11:23.281035 2016] [url_hardening:error] [pid 6112:tid 4122884976] [client 1.152.96.56:11171] No signature found, URI: internal.bordo.com.au/folder
2016:04:08-16:11:23 astaro1-2 reverseproxy: [Fri Apr 08 16:11:23.285167 2016] [cookie:error] [pid 6112:tid 4122884976] [client 1.152.96.56:11171] No signature found, cookie: __utma
2016:04:08-16:11:23 astaro1-2 reverseproxy: [Fri Apr 08 16:11:23.285199 2016] [cookie:warn] [pid 6112:tid 4122884976] [client 1.152.96.56:11171] Dropping cookie '__utma' from request due to missing/invalid signature
2016:04:08-16:11:23 astaro1-2 reverseproxy: [Fri Apr 08 16:11:23.285230 2016] [cookie:error] [pid 6112:tid 4122884976] [client 1.152.96.56:11171] No signature found, cookie: __utmz
2016:04:08-16:11:23 astaro1-2 reverseproxy: [Fri Apr 08 16:11:23.285241 2016] [cookie:warn] [pid 6112:tid 4122884976] [client 1.152.96.56:11171] Dropping cookie '__utmz' from request due to missing/invalid signature
2016:04:08-16:11:23 astaro1-2 reverseproxy: id="0299" srcip="1.152.96.56" localip="203.206.204.254" size="209" user="-" host="1.152.96.56" method="GET" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="488705" url="/folder" server="internal.bordo.com.au" referer="-" cookie="-" set-cookie="-"
Settings:
I created the certificate in WebServer Protection/Certificate Management.
Any suggestions?
Thanks,
James.
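As an added example for triaging logs like the ones above (this is not part of the original post and not a Sophos tool), the script below parses both line shapes the UTM reverse proxy writes, the Apache-style `[module:level]` messages and the `key="value"` access records, and lists every request the WAF answered with 403 together with the protection that blocked it. The sample lines are constructed with documentation hostnames and addresses; the field names are the ones visible in the log above.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of the UTM "reverseproxy" log quoted above;
# hostnames and addresses are documentation placeholders, not taken from a live system.
SAMPLE_LOG = """\
2016:04:08-16:11:23 utm1 reverseproxy: [Fri Apr 08 16:11:23.281035 2016] [url_hardening:error] [pid 6112:tid 4122884976] [client 192.0.2.10:11171] No signature found, URI: www.example.com/folder
2016:04:08-16:11:23 utm1 reverseproxy: [Fri Apr 08 16:11:23.285199 2016] [cookie:warn] [pid 6112:tid 4122884976] [client 192.0.2.10:11171] Dropping cookie '__utma' from request due to missing/invalid signature
2016:04:08-16:11:23 utm1 reverseproxy: id="0299" srcip="192.0.2.10" localip="198.51.100.1" size="209" user="-" host="192.0.2.10" method="GET" statuscode="403" reason="url hardening" extra="No signature found" exceptions="-" time="488705" url="/folder" server="www.example.com" referer="-" cookie="-" set-cookie="-"
2016:04:08-16:11:40 utm1 reverseproxy: id="0299" srcip="127.0.0.1" localip="127.0.0.1" size="109" user="-" host="127.0.0.1" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" time="940" url="/lb-status" server="localhost" referer="-" cookie="-" set-cookie="-"
2016:04:08-16:12:05 utm1 reverseproxy: id="0299" srcip="192.0.2.10" localip="198.51.100.1" size="0" user="-" host="192.0.2.10" method="POST" statuscode="403" reason="form hardening" extra="No signature found" exceptions="-" time="1200" url="/folder/index.php" server="www.example.com" referer="-" cookie="-" set-cookie="-"
"""

# Common prefix: "<date-time> <hostname> reverseproxy: <rest>"
PREFIX_RE = re.compile(
    r'^(?P<ts>\d{4}:\d{2}:\d{2}-\d{2}:\d{2}:\d{2}) (?P<hostname>\S+) reverseproxy: (?P<rest>.*)$'
)
# Access records are key="value" pairs; values may contain spaces but not double quotes.
KV_RE = re.compile(r'(?P<key>[\w-]+)="(?P<value>[^"]*)"')
# Module messages use the Apache error-log layout: [time] [module:level] [pid ...] [client ...] message
MODULE_RE = re.compile(
    r'^\[(?P<when>[^\]]+)\] \[(?P<module>[^:\]]+):(?P<level>[^\]]+)\] '
    r'(?:\[pid [^\]]+\] )?(?:\[client (?P<client>[^\]]+)\] )?(?P<message>.*)$'
)


def parse_line(line):
    """Return a dict describing one log line, or None if it is not a reverseproxy line."""
    m = PREFIX_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    record = {"ts": m.group("ts"), "hostname": m.group("hostname")}
    if rest.startswith("["):
        mm = MODULE_RE.match(rest)
        if not mm:
            return None
        record.update(kind="module", **mm.groupdict())
    else:
        record["kind"] = "access"
        record.update({k: v for k, v in KV_RE.findall(rest)})
    return record


def blocked_requests(log_text):
    """Access records the WAF answered with 403, each carrying the reason that blocked it."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["kind"] == "access" and rec.get("statuscode") == "403":
            out.append(rec)
    return out


def block_summary(log_text):
    """Count blocks per (server, url, reason): this is the candidate list for entry URLs or exceptions."""
    return Counter((r["server"], r["url"], r["reason"]) for r in blocked_requests(log_text))


if __name__ == "__main__":
    for (server, url, reason), n in block_summary(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {server}{url}  blocked by: {reason}")
```

Run it over a saved copy of the reverse proxy log and the summary tells you which paths are being hit without a signature and by which feature (URL hardening versus form hardening), so an exception can be scoped to exactly those paths rather than to the whole site.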


  • James, have you tried an Exception for URL Hardening for "/folder"?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob, that worked.

    After putting in the Exception for 'Static URL hardening' for /folder, I could get to:

    mydomain/folder/index.php

    But it would not show the login fields on that page. Going back to the Virtual Webserver settings and turning on 'Skip Form hardening', the username/password fields appeared.

    So good that it works, but bad that I've had to forgo these protections.

    Suppose this is just the way it has to be?

  • Hi,

    in Static URL hardening you configure so-called entry URLs. You have defined '/' as entry URL. Therefore, every link you can reach from '/' is signed.

    But if you make a separate request to '/folder/index.php', this URL has no signature and is therefore blocked. That's how Static URL hardening works.

    If you want to reach '/folder/index.php' without going through a link on '/', then either you have to configure '/folder/index.php' as entry URL or you have to configure an exception for it.


    Sabine
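To make the mechanism Sabine describes concrete, here is an added example of a simplified signing model (written for this thread, not Sophos code, and not the UTM's actual internals): pages served from an entry URL get their local links rewritten to carry an HMAC over the path, and each incoming request is allowed if its path is an entry URL, matches an exception, or carries a valid signature; otherwise it is refused with "No signature found". The secret, the `sig` parameter name and the truncated HMAC-SHA256 are assumptions for the demo.

```python
import fnmatch
import hashlib
import hmac
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumptions for this demo, not the UTM's real internals: a per-site secret, a signature
# carried in a query parameter named "sig", and a 128-bit truncated HMAC-SHA256 over the path.
SECRET = b"constructed-demo-secret-change-me"
SIG_PARAM = "sig"
ENTRY_URLS = {"/"}          # the single entry URL James had configured
EXCEPTIONS = set()          # shell-style path patterns allowed without a signature


def sign_path(path, secret=SECRET):
    """Signature for one path; the query string is deliberately not covered in this model."""
    return hmac.new(secret, path.encode(), hashlib.sha256).hexdigest()[:32]


def sign_links(html, secret=SECRET):
    """Rewrite every local href="/..." in a page served from an entry URL to carry a signature."""
    def repl(m):
        parts = urlsplit(m.group(1))
        query = parse_qsl(parts.query, keep_blank_values=True)
        query.append((SIG_PARAM, sign_path(parts.path, secret)))
        signed = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(query), parts.fragment))
        return 'href="%s"' % signed
    return re.sub(r'href="(/[^"]*)"', repl, html)


def extract_links(html):
    """All href targets in a page, in document order."""
    return re.findall(r'href="([^"]+)"', html)


def check_request(url, entry_urls=None, exceptions=None, secret=SECRET):
    """Decide as the WAF would: (allowed, reason). Order: entry URL, exception, then signature."""
    entry_urls = ENTRY_URLS if entry_urls is None else entry_urls
    exceptions = EXCEPTIONS if exceptions is None else exceptions
    parts = urlsplit(url)
    if parts.path in entry_urls:
        return True, "entry URL"
    if any(fnmatch.fnmatch(parts.path, pat) for pat in exceptions):
        return True, "exception"
    sig = dict(parse_qsl(parts.query, keep_blank_values=True)).get(SIG_PARAM)
    if sig is None:
        return False, "No signature found"
    if hmac.compare_digest(sig, sign_path(parts.path, secret)):
        return True, "valid signature"
    return False, "invalid signature"


if __name__ == "__main__":
    landing = '<a href="/folder/index.php">Login</a>'   # constructed landing page served at "/"
    link = extract_links(sign_links(landing))[0]
    print("followed from '/':", check_request(link))
    print("typed directly:   ", check_request("/folder/index.php"))
    print("with exception:   ", check_request("/folder/index.php", exceptions={"/folder/*"}))
    print("as entry URL:     ", check_request("/folder/index.php", entry_urls={"/", "/folder/index.php"}))
```

The two fixes Sabine lists map onto the two early returns in `check_request`: adding '/folder/index.php' as an entry URL lets the bare request in and signs the links on that page, while an exception for '/folder/*' lets anything under that path in unsigned. The narrower of the two that still works is the one to prefer, since every exception removes the check for that path entirely.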

  • I believe that your web programmer would need to make some coding changes - I don't think you can "harden" a form in Webserver Protection unless the form is done differently than it is now.

    Cheers - Bob

    PS When I first posted this, I saw your last comment, Sabine - thanks! Is there a document that describes for our clients' web programmers what they need to adjust in various cases where we have to make an exception or disable a protection altogether?

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • BAlfson said:

    PS When I first posted this, I saw your last comment, Sabine - thanks! Is there a document that describes for our clients' web programmers what they need to adjust in various cases where we have to make an exception or disable a protection altogether?

    Yes, some information to give to our web programmer would be very helpful. The more exceptions you have to create, the less useful the WAF becomes.
