iOS app not working through router's Web Application Firewall (WAF) - 401 status

jlbrown · December 2020

I've been putting my servers behind a Web Application Firewall (WAF) in our Sophos UTM.

It works fine when we connect to the Security Spy using a web browser, but the iOS app gives "Connection Failed. The server that responded is not SecuritySpy." which is true.

Log line in the WAF is:

18-11:49:44 astaro1-2 httpd: id="0299" srcip="8.39.202.35" localip="139.130.139.174" size="17" user="-" host="8.39.202.35" method="GET" statuscode="401" reason="-" extra="-" exceptions="-" time="3417632" url="/++systemInfo" server="cameras.bordo.com.au:9001" port="9001" query="" referer="-" cookie="-" set-cookie="-" websocket_scheme="-" websocket_protocol="-" websocket_key="-" websocket_version="-" uid="X9v8pf3nfQ3Z7S0zzSlUTAAAAB0"
2020:12:

Is there a way we can stop this check to make it work through the WAF?

Any other suggestions?

Thanks,

James.

Ben · December 2020

The problem is that SecuritySpy passes a custom HTTP header to the app to identify itself. This is apparently not getting passed through by your proxy. Normally there would be a configuration option in the proxy to pass all HTTP headers, and this typically solves this problem - does your Sophos device have such an option?

jlbrown · December 2020

Thanks Ben. Had a look in Sophos's WAF. There is an option "Pass Host Header" which sounds like what you suggested. Turned it on, but no change. :-(

Turned on "Disable compression support" and "Rewrite HTML" as well and that didn't work either.

Ben · December 2020

The "Host" header is not the one that SS uses - it's a custom header (which is allowed by the HTTP spec, but stripped out by some proxies unfortunately). Sorry I'm not sure what else to suggest here. This has come up a few times previously, so we'll take a look at workarounds for a future update, but this won't be soon.

jlbrown · January 2021

Great, thanks Ben. Let me know if you need a beta tester!

jlbrown · May 2021

Hi Ben. Any idea when you think you'll be able to get round to looking at this?

Many thanks, James.

Ben · May 2021

Hi James, an alternative method using the "Server" HTTP header has been added to macOS SecuritySpy to get round this, but this functionality has not be added to iOS SecuritySpy yet. In our research, it seems that the Server header is more likely to be passed through proxies as-is. However we haven't specifically tested this for the Sophos - do you have any information about this from the available options presented in the proxy config or the Sophos documentation? I couldn't find it myself in the documentation.

jlbrown · May 2021

Hi Ben, thanks for replying.

There are not many options available, just check boxes for:

Disable compression support
Rewrite HTML
Pass host header

From the help page:
Disable compression support (optional): By default, this checkbox is disabled and the content is sent compressed when the client requests compressed data. Compression increases transmission speed and reduces page load time. However, in case of websites being displayed incorrectly or when users experience content-encoding errors accessing your webservers, it can be necessary to disable compression support. When the checkbox is enabled, the WAF will request uncompressed data from the real webservers of this virtual webserver and will send it on uncompressed to the client, independent of the HTTP request's encoding parameter.

Rewrite HTML (optional): Select this option to have Sophos UTM rewrite links of the returned webpages in order for the links to stay valid. Example: One of your real webserver instances has the hostname yourcompany.local but the virtual webserver's hostname on Sophos UTM is yourcompany.com. Thus, absolute links like <a href="http://yourcompany.local/"> will be broken if the link is not rewritten to <a href="http://yourcompany.com/"> before delivery to the client. However, you do not need to enable this option if either yourcompany.com is configured on your webserver or if internal links on your webpages are always realized as relative links. It is recommended to use the option with Microsoft's Outlook Web Access and/or Sharepoint Portal Server.

Note – It is likely that some links cannot be rewritten correctly and are therefore rendered invalid. Ask your website author(s) to format links consistently.

Apart from URL rewriting, the HTML rewriting feature also fixes malformed HTML, for example:

tags are moved in DOM tree from node html > title to correct html > head > title
Quotes around HTML attribute values are fixed (e.g., name="value becomes name="value")
Note – HTML rewriting affects all files with a HTTP content type of text/* or *xml*, where * is a wildcard. Make sure that other file types, e.g. binary files, have the correct HTTP content type, otherwise they may get corrupted by the HTML rewriting feature.

Cross Reference – Please see the libxml documentation for further information (http://xmlsoft.org/html/libxml-HTMLparser.html).

Rewrite cookie (optional, only visible if Rewrite HTML is enabled): Select this option to have Sophos UTM rewrite cookies of the returned webpages.

Note – If Rewrite HTML is disabled the Rewrite cookie option will be also disabled.

Pass host header (optional): When you select this option, the host header as requested by the client will be preserved and forwarded along with the web request to the webserver. Whether passing the host header is necessary in your environment however depends on the configuration of your webserver.

Ben · May 2021

No information about the Server header then. And it seems like the proxy potentially does quite a lot of editing to the data as it passes through. So it may simply be the case that this just won't work for SecuritySpy.

jlbrown · June 2021

Hi Ben, thanks for replying. I can test using the 'Server' HTTP Header when the new version of the iOS app is released. Any idea when that will happen?

iOS app not working through router's Web Application Firewall (WAF) - 401 status

Comments