Separate real and virtual servers for both HTTP and HTTPS?

I've read the manual and searched the forum but I'm still confused.

I have a web server, email server and an FTP server all on the same box behind Sophos. I have static public IPs and some websites have their own static IP while others share IPs. All websites use both HTTP and HTTPS.

Do I need to set up two (HTTP and HTTPS) virtual and real servers for each public IP address? I'm not understanding the mapping.

On my old router, I just created services for each website and forwarded the needed ports to the corresponding private IP's of each website.


  • Two different issues.  Webserver Protection is a reverse proxy.  Port forwarding is called "DNAT" in the UTM and is accomplished in 'Network Protection >> NAT'.

    Yes, if you use the reverse proxy, you have to define separate Virtual Servers for each.  If you want, you can have the proxy handle the HTTPS conversation and use a single port-80 Real Server for your server.  That probably will require changes on the web server.

    Cheers - Bob
     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Two different issues.  Webserver Protection is a reverse proxy.  Port forwarding is called "DNAT" in the UTM and is accomplished in 'Network Protection >> NAT'.


    I could have sworn I read somewhere on the forum that setting up "DNATing" was not necessary if using WebServer Protection. Is that false?

    --------------------------------------------------------------------
    Sophos UTM 9.714-4 - Home User
    Currently testing VM on i3-9100 @ 3.60 GHz
    16 GB RAM
    Dell Optiplex XE
    Intel Core 2 Duo CPU E8600 @ 3.33GHz
    8GB RAM
    --------------------------------------------------------------------

  • I could have sworn I read somewhere on the forum that setting up "DNATing" was not necessary if using WebServer Protection. Is that false?


    Hi,
    You probably still need DNAT for the FTP server, and you need to use the SMTP proxy or DNAT for the mail server.

    Barry

  • Yes, if you use the reverse proxy, you have to define separate Virtual Servers for each.

    So if I have 5 static public IPs and 8 websites sharing those IPs and each website uses both port 80 and 443, I will have to create 5 Virtual and 5 Real servers if I don't want to mess with HTTPS conversion? Or are only 2 Virtual and 2 Real servers (1 for HTTP and 1 for HTTPS) needed since all websites are hosted on the same physical machine?

    Hi,
    You probably still need DNAT for the FTP server, and you need to use the SMTP proxy or DNAT for the mail server.

    So basically the Webserver Protection is for ports 80, 443 and can be used in place of setting up DNATing and any other servers that use different ports (i.e., mail and FTP server) need DNATing? Is that correct?

    Thanks guys. I really appreciate you sharing your expertise and time.


  • You need a separate Virtual server for each of the 8 public IPs.  Depending on your SSL certs, you will need only as many Virtual servers as you need different certs if your web servers can identify FQDNs instead of IPs.  If you only have five servers and the right ones can separate traffic based on FQDN instead of IPs, then you may be able to use fewer Virtual servers.

    Cheers - Bob
     
  • Thanks Bob.

    So far, I have one website up and working. I noticed that all entries in the Apache access log are now from IP 192.168.0.1 regardless of the users' public IP. Presumably because of the proxy.

    Is there a way to pass the users' public IP so the Apache logs can once again be used for statistical information?


  • Is there a way to pass the users' public IP so the Apache logs can once again be used for statistical information?


    Hi,
    The WAF sets the HTTP_X_FORWARDED_FOR http header; you can log that in Apache with mod_rpaf in Apache 2.2 or mod_realip in Apache 2.4.

    Barry
  • Thanks Barry.
     
    I tried the following in Apache, but it's still not logging the public IPs.
     
    ...
    LogFormat "%V %{HTTP_X_FORWARDED_FOR}i %l %u %t \"%r\" %>s %O \"%{Referer}i\" \"%{User-agent}i\"" combinedtrueout_host_xforwarded

    CustomLog "C:/WampDeveloper/Logs/Websites/www.mysite.com/http.accesslog.txt" combinedtrueout_host_xforwarded
    ...
     
    UPDATE: If I replace %{HTTP_X_FORWARDED_FOR}i with %{X-Forwarded-For}i, Apache logs the public IPs.
     
    UPDATE: The issue below was resolved by unticking Enable HTML rewriting in the Virtual Webserver.
     
    On one of my websites, there is an email form. When using DNAT instead of WAF, the form works correctly as indicated in the image below:

     
    When I disable DNAT and use WAF, the form still works but the wrong notification message displays:

     
    Why does the proxy cause this issue to happen? The form does not rely on IP addresses. The form uses the following jQuery/AJAX to replace the original SEND message:
     

     
    /*    Contact Form
    /* ---------------------------------------------------------------------- */

    // Needed variables
    var $contactform = $('#contactform'),
        $success     = 'Your message has been sent. Thank you!',
        response;

    $contactform.submit(function(){
        $.ajax({
            type: "POST",
            url: "php/contact.php",
            data: $(this).serialize(),
            success: function(msg)
            {
                if(msg == 'SEND'){
                    // the HTML wrapped around the message did not survive the forum formatting
                    response = '' + $success + '';
                }
                else{
                    response = '' + msg + '';
                }
                // Hide any previous response text
                $(".error,.success").remove();
                // Show response message
                $contactform.prepend(response);
            }
        });
        return false;
    });

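Added example, not from this thread or from Sophos: the trust rule an Apache 2.4 mod_remoteip-style setup applies before the header Barry mentions is allowed to replace the peer address in the log. It assumes the WAF is the 192.168.0.1 hop seen in the post's access log and that it appends the client to X-Forwarded-For; the sample requests are constructed.

```python
import ipaddress

# Constructed for this example: the UTM's internal address that Apache saw in
# the thread's access log. Only this hop may assert X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.0.1/32")]

def _is_trusted(ip, trusted):
    return any(ip in net for net in trusted)

def resolve_client_ip(peer_ip, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address to log for one request.
    peer_ip is the TCP peer Apache accepted from, xff_header the raw
    X-Forwarded-For value (may be None). The header is honoured only when
    the peer is a trusted proxy; the chain is then walked right to left and
    the first hop that is not a trusted proxy is the client. Otherwise the
    peer address is kept, so a client reaching Apache directly (the DNAT
    path in the thread) cannot forge its own log entry.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted(peer, trusted):
        return str(peer)
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    while hops:
        try:
            hop = ipaddress.ip_address(hops.pop())
        except ValueError:
            return str(peer)  # malformed header: refuse to guess
        if not _is_trusted(hop, trusted):
            return str(hop)
    return str(peer)  # header empty or made only of trusted hops

# Constructed sample requests: (peer address, X-Forwarded-For header).
SAMPLE_REQUESTS = [
    ("192.168.0.1", "203.0.113.7"),                # via the WAF
    ("192.168.0.1", "198.51.100.9, 192.168.0.1"),  # WAF appended itself
    ("203.0.113.7", "10.0.0.1"),                   # DNAT path: header is client input
    ("192.168.0.1", None),                         # header missing
]

def resolved_clients(requests=SAMPLE_REQUESTS):
    """Client IP that would appear in the access log for each sample request."""
    return [resolve_client_ip(peer, xff) for peer, xff in requests]

if __name__ == "__main__":
    for (peer, xff), client in zip(SAMPLE_REQUESTS, resolved_clients()):
        print(f"peer={peer:<12} xff={xff!s:<28} -> logged client {client}")
```

Logging %{X-Forwarded-For}i verbatim, as in the post, records whatever the peer sent; the third sample shows why that matters once a server is also reachable through DNAT.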
