
Confused over web server protection policies / reverse proxying

Hello there

I'm new to Sophos XG, but fairly good with most firewalls so I hope this isn't a stupid question...

I have created two allowed client list groups (under Hosts and Services):

an FQDN one called "allowed FQDN hosts", set up with FQDN hosts,

and a similar IP one, "Allowed IP hosts", with a single IP host.

I want to protect an internal Synology NAS with its HTTPS admin page running on 5001. That is already set up correctly as a "web server" in Sophos, with port 5001 and HTTPS selected.

When I create a firewall rule using "Business application rule", I have set the hosted server fine, with the correct domain on a valid LE cert in the domains area. I then also select the protected server. All good so far. If I leave the rule as it is, it does work: externally I can point a browser at my external FQDN on 5001 and reach the NAS.

But how do I restrict the allowed (external) IPs to my lists "allowed FQDN hosts" and "allowed IP hosts"? In the Access permission area I don't see these groups; it's like I have to create new ones specifically for this rule?

As a test:
If I create a simple DNAT rule, I can see these groups, but then it won't be doing anything other than port forwarding, i.e. without the web server protection that the "Business application rule" creates?

Or am I missing something?

Also

On other firewalls, I normally set up reverse proxying for running multiple websites behind a single IP. The firewall then parses the URL and redirects the inbound request to the correct internal server. I can't see a way to do this with Sophos?
Specifically, I am running a Docker app with a web interface on the same NAS, which is listening on HTTP on port 8080.

Not only could I have the other firewall parse the web request to the right web server, but it would also effectively proxy HTTPS inbound and then forward the requests on to the HTTP Docker app.

Thus, externally:

https://host.domain.com:5001 would reach https://nas.internaldomain.com:5001

and

https://host.domain.com:443 would reach http://dockerapp.internaldomain.com:8080

Can I achieve something similar with Sophos?

Hope that all makes sense?
