Having Problems with WAF with Nextcloud behind it. Error: "413 Request Entity too large"

Hi,

 

I am using a Nextcloud behind an XG with WAF enabled. This worked until version 18 of XG. Now I am getting "413 Request Entity too large" errors as soon as I enable "Common threat filter", Antivirus or Cookie Signing in the Protection Policy.

The WebServerProtection logs in XG are showing the requests as allowed, but with HTTP status code 413. In the logs of the server, there's nothing found.

Could someone advise me how to fix this?

 

P.S. After some research, I've read in the Nextcloud forums that if an NGINX reverse proxy is used, the configuration key "client_max_body_size" has to be set to a higher value.



This thread was automatically locked due to age.
  • Having just updated to v18 from 17.5.9 we're having the exact same issue with Nextcloud behind the WAF. Our instance is probably a bit of a special case because it gets daily uploads of multiple files in excess of 40GB each, so "upping the value a little bit" doesn't help, and erring on the side of caution and setting the value equivalent to 100GB doesn't work because the integer is too big.

    This all worked fine without any database tinkering in v17 so it certainly appears to be a v18 bug rather than an issue with Nextcloud or our WAF policies. For now we've had to cripple our WAF policy but I'm subscribing to this thread in the hope of a proper fix as opposed to a nasty workaround. Cheers.

  • Hi All,

    After following up with our Development team (NC-55441), they have informed me that:

    • The Nextcloud server uses WebDAV for file upload, which is not fully supported by WAF at this time.

    Apologies for the inconvenience caused.

    Regards,


    Florentino
    Director, Global Community & Digital Support

  • Hi,

     

    Is there a fix scheduled for this issue? If so, when could we expect the fix to be released?

     

    Regards,

    Dwayne Parker

    _______________________________________________

    Sophos XG User

  • Hello,  

    Could you please clarify the support for WebDAV by the WAF component of the XG?

    Specifically:

    Does Sophos XG 17.5 support WebDAV behind the WAF component?

    Does Sophos XG 18 support WebDAV behind the WAF component?

    If not, is there a plan to support WebDAV in the WAF within the next 6 months?

    Can you recommend an approach to protecting a WebDAV server with the XG firewall if the WAF component is not designed to do this?

     

    Thank you for any suggestions and answers you can offer.

  • I don't know if WebDAV is *supported* in 17.5 (as in they will provide support if you have issues) but it definitely *works* in 17.5.

    In 18 it's completely broken unless you disable the Common Threat Filters category entirely, which largely cripples the WAF protection.

  • Does Sophos XG 17.5 support WebDAV behind the WAF component?

    SH> No, WAF does not support WebDAV

    Does Sophos XG 18 support WebDAV behind the WAF component?

    SH> No, WAF does not support WebDAV

    If not, is there a plan to support WebDAV in the WAF within the next 6 months?

    SH> No, there is no plan to support WebDAV

  • Hi Stuart,

    We also have many customers who rely on WebDAV, just for clouds and collaboration platforms. In general, WAF of XG firewall is still very much in its infancy. Here XG makes us look old as a partner. To execute any database commands that are overwritten after a config update and bring the system to a halt again is nonsense. We even lost customers to Fortinet, because a functioning WAF simply had priority. I respect your release cycles and know that other features have priority. Nevertheless there should be more possibilities to override the internal WAF settings. There should be some kind of expert mode where new internal settings can be enabled, but the admin will be warned that this could compromise the security of the system.

    Best regards

    Intrusus
    Sophos Certified Engineer | Sophos Certified Technician

    private lab:
    XG firewall with SFOS 18.0.3 MR-3
    Intercept X Advanced (for Server) with EDR EAP latest

  • Hi. I'm supposed to ask Dwayne Parker if he got this working. I want to use Nextcloud behind WAF, so that I'm protected. But no idea how to do this. I no longer see him in name completion. Any other people in this thread using Nextcloud behind WAF? I can set up Nextcloud in docker containers.
