Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 27 subscribers
  • Views 1711 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

ShadowsocksR outgoing traffic failed for destination port 80 and 443

Kenny Yu

A quick primer for those who have not heard, ShadowsocksR (or SSR) is a set of protocol obfuscation + encryption tool that masks your traffic as regular traffic, turning them to what looks like regular TLS handshakes or auth_chain requests under the view of DPI engines.

I have a Sophos XG deployed in my network in transparent mode. I have clients in the local network connecting to external SSR servers. For destination servers that run on non HTTP/HTTPS ports, the clients would connect absolutely fine. But for servers which listens on port 443 or port 80, the connection will be broken. To be precise, such connections are still established, but the actual data is not returned. I am guessing Sophos XG has performed some man-in-middle modifications to the packets that are destined for port 80 and 443, and the SSR encryption becomes non-decryptable by this change.

In an attept to rectify this issue, I have tried the following:

  • disabling add_via_header in http_proxy settings
  • enabling relay_invalid_http_traffic in proxy_settings
  • add the destination server IP in the Web Exceptions list
  • disabling Web policy in firewall altogether
  • temporarily uses an "allow all" firewall rule from LAN to WAN
  • disabling microapp-discovery and application_clasification

But it would still fail. HTTP/HTTPS scanning/decryption and application control are already disabled by default. The current workaround is to relay such traffic via a node in the DMZ or public cloud, which is a bit counterproductive.

I am wondering if there is anything else I could try that might work without having to relay the traffic? Many thanks in advance.



This thread was automatically locked due to age.
Parents
  • 0

    Hi  

    I found that ShadowsocksR working is based on SOCKS (socks5 proxy mostly) and currently SOCK proxy is FR with XG.

    https://ideas.sophos.com/forums/330219-xg-firewall/suggestions/18677026-socks-proxy

    However with system IP based plain rule ( policy set to none and no scanning ) it should work for 80 and 443 based connection as well.

    In your case it is not working as per the description, If you doubt on firewall proxy then you may check the proxy debug logs to verify if still with plain rule any traffic getting submitted to firewall HTTPproxy.

    HTTP Proxy service you may start in debug with below command and check the log fine mentioned below:

    1)#service awarrenhttp:debug -ds nosync

    To verify service in debug or not:

    2)# service -S | grep awarren
    awarrenhttp RUNNING,DEBUG

    To revert the debug use command 1 and after reverting the same,check status via command no. 2.

    Web proxy log file: awarrenhttp.log , awarrenhttp_access.log

    Logfile guide: https://community.sophos.com/kb/en-us/132211

    Find log file : https://community.sophos.com/kb/en-us/123185

  • 0 in reply to Vishal_R

    Hello Vishal,

    The SSR client frontend does run a socks5 proxy implementation that listens to traffic at port 1080. Traffic streams hitting that proxy will be processed by the actual stateless SSR engine at the backend, which is not related to socks5. The engine's block diagram looks something like this:

    +-----------------------------------------------------------------------------+
|                +--------------------------------------------------------+   |
|                |               +------------------------------------+   |   |
|                |               |            +-------------------+   |   |   |
|  obfuscator    |   encryptor   |  protocol  |     user data     |   |   |   |
|   |            |       |       |      |     +-------------------+   |   |   |
|   |            |       |       +------+-----------------------------+   |   |
|   |            +-------+--------------+---------------------------------+   |
+---+--------------------+--------------+-------------------------------------+
    |                    |              |                                            
    +-- server_encode    +-- encrypt    +-- server_pre_encrypt       <<<=== user data
    |                    |              |                                            
    +-- server_decode    +-- decrypt    +-- server_post_decrypt      ===>>> user data

     

    Clients behind my Sophos XG has no problem using a socks5 proxy in the public internet listening at port 80/443. But SSR clients behind the Sophos XG cannot talk to an external SSR server correctly when they are listening at port 80/443. This only affect streams passing through the Sophos XG. When the clients are directly connected to the router, SSR works.

    I've tried enabling the debug mode of as you've suggested, but there's an error... am I missing something here?

    Sophos Firmware Version SFOS 17.5.9 MR-9

    console> service awarrenhttp:debug -ds nosync
    % Error: Unknown Parameter 'service'

    Thank you!

  • 0 in reply to Kenny Yu

    Hi  

    You have tried debug command from console and not from shell.

    From last reply KBA : 123185

    Section : Connecting to the advanced shell

    1. To connect using SSH, you may use any SSH client to connect to port 22 of the SFOS device.
    2. Select option 5 Device Management.
    3. Select option 3 Advanced Shell.
Reply
  • 0 in reply to Kenny Yu

    Hi  

    You have tried debug command from console and not from shell.

    From last reply KBA : 123185

    Section : Connecting to the advanced shell

    1. To connect using SSH, you may use any SSH client to connect to port 22 of the SFOS device.
    2. Select option 5 Device Management.
    3. Select option 3 Advanced Shell.
Children
No Data