iOS app not working through router's Web Application Firewall (WAF) - 401 status
I've been putting my servers behind a Web Application Firewall (WAF) in our Sophos UTM.
It works fine when we connect to the Security Spy using a web browser, but the iOS app gives "Connection Failed. The server that responded is not SecuritySpy." which is true.
Log line in the WAF is:
2020:12:18-11:49:44 astaro1-2 httpd: id="0299" srcip="8.39.202.35" localip="139.130.139.174" size="17" user="-" host="8.39.202.35" method="GET" statuscode="401" reason="-" extra="-" exceptions="-" time="3417632" url="/++systemInfo" server="cameras.bordo.com.au:9001" port="9001" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X9v8pf3nfQ3Z7S0zzSlUTAAAAB0"
Is there a way we can stop this check to make it work through the WAF?
Any other suggestions?
Thanks,
James.
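An added example, not part of the original post and not Sophos or SecuritySpy code: a small Python parser for the key="value" layout of the WAF log line quoted above, which groups failed responses by status, method, URL, logged reason and user so that a request like the 401 on /++systemInfo stands out. The sample lines, node name, host name and addresses are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample lines in the same key="value" layout as the log line in the post
# (documentation addresses and an example host name, not values from the post).
SAMPLE_LOG = '''\
2020:12:18-11:49:40 waf-1 httpd: id="0299" srcip="192.0.2.10" localip="203.0.113.5" size="5120" user="-" host="192.0.2.10" method="GET" statuscode="200" reason="-" extra="-" exceptions="-" url="/" server="cameras.example.com:9001" port="9001" query=""
2020:12:18-11:49:44 waf-1 httpd: id="0299" srcip="192.0.2.10" localip="203.0.113.5" size="17" user="-" host="192.0.2.10" method="GET" statuscode="401" reason="-" extra="-" exceptions="-" url="/++systemInfo" server="cameras.example.com:9001" port="9001" query=""
2020:12:18-11:49:45 waf-1 httpd: id="0299" srcip="192.0.2.10" localip="203.0.113.5" size="17" user="-" host="192.0.2.10" method="GET" statuscode="401" reason="-" extra="-" exceptions="-" url="/++systemInfo" server="cameras.example.com:9001" port="9001" query=""
2020:12:18-11:50:02 waf-1 sshd: unrelated line without httpd fields
'''

# Field names may contain hyphens (set-cookie); values may be empty (query="").
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_waf_line(line):
    """Return the key="value" fields of one httpd log line as a dict, else None."""
    head, sep, body = line.partition(" httpd: ")
    if not sep:
        return None  # not a reverse-proxy httpd line
    fields = dict(FIELD_RE.findall(body))
    fields["timestamp"] = head.split(" ", 1)[0]
    return fields


def failed_requests(log_text):
    """Count responses with status >= 400, keyed by the fields useful for triage."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_waf_line(line)
        if not f or not f.get("statuscode", "").isdigit():
            continue
        if int(f["statuscode"]) >= 400:
            key = (f["statuscode"], f.get("method"), f.get("url"),
                   f.get("reason"), f.get("user"))
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in failed_requests(SAMPLE_LOG).most_common():
        print(n, *key)
```
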
Comments
Turned on "Disable compression support" and "Rewrite HTML" as well and that didn't work either.
Many thanks, James.
There are not many options available, just check boxes for:
Disable compression support
Rewrite HTML
Pass host header
From the help page:
Disable compression support (optional): By default, this checkbox is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, in case of websites being displayed incorrectly or when users experience content-encoding errors accessing your webservers, it can be necessary to disable compression support. When the checkbox is enabled, the WAF will request uncompressed data from the real webservers of this virtual webserver and will send it on uncompressed to the client, independent of the HTTP request's encoding parameter.
Rewrite HTML (optional): Select this option to have Sophos UTM rewrite links of the returned webpages in order for the links to stay valid. Example: One of your real webserver instances has the hostname yourcompany.local but the virtual webserver's hostname on Sophos UTM is yourcompany.com. Thus, absolute links like <a href="http://yourcompany.local/"> will be broken if the link is not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. However, you do not need to enable this option if either yourcompany.com is configured on your webserver or if internal links on your webpages are always realized as relative links. It is recommended to use the option with Microsoft's Outlook Web Access and/or Sharepoint Portal Server.
Note – It is likely that some links cannot be rewritten correctly and are therefore rendered invalid. Ask your website author(s) to format links consistently.
Apart from URL rewriting, the HTML rewriting feature also fixes malformed HTML, for example:
<title> tags are moved in DOM tree from node html > title to correct html > head > title
Quotes around HTML attribute values are fixed (e.g., name="value becomes name="value")
Note – HTML rewriting affects all files with a HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the HTML rewriting feature.
Cross Reference – Please see the libxml documentation for further information (http://xmlsoft.org/html/libxml-HTMLparser.html).
Rewrite cookie (optional, only visible if Rewrite HTML is enabled): Select this option to have Sophos UTM rewrite cookies of the returned webpages.
Note – If Rewrite HTML is disabled the Rewrite cookie option will be also disabled.
Pass host header (optional): When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the webserver. Whether passing the host header is necessary in your environment however depends on the configuration of your webserver.