I suggest you ...

websocket support for WAF

We are hosting a SignalR hub (http://signalr.net/) behind a Sophos UTM 320. We use the Web Server Protection feature extensively in our environment, and as such have opted to use the same for this.
SignalR will always try to use Web Sockets (http://en.wikipedia.org/wiki/WebSocket), a new HTML5 API, and fall back to other technologies where this isn't possible.
Since we've been hosting the hub via the reverse proxy, none of our clients are able to connect via Web Sockets, so having support for websockets in WAF would be super cool.

724 votes
    mark shared this idea

    21 comments

      • Simon commented

        Jürgen, thanks for the repost. I also find it hard to believe that an internet protocol documented with an RFC is still not being supported. It's not like there is a lot of work to do as you mentioned. It's just configuration settings.

      • Jürgen Steinblock commented

        612 votes and still nothing new with UTM 9.4, very sad.

        It's not a big feature that needs to be programmed first. It's just an additional config value that has to be written to the config (maybe configurable with a checkbox in the virtual webserver setting).

        Since the link Simon provided is dead, here is how you can enable websocket support (until reboot).

        1. Load the apache module
        echo 'LoadModule proxy_wstunnel_module /usr/apache/modules/mod_proxy_wstunnel.so' >> /var/storage/chroot-reverseproxy/usr/apache/conf/modules.conf

        2. Edit the reverse proxy file and add this inside the correct <VirtualHost 1.2.3.4:443> section. This example works for Mattermost. I figured out the ws location via the Chrome dev console (CTRL + SHIFT + I) / Console.

        <Location "/api/v3">
        ProxyPass "wss://mattermost.local.domain/api/v3"
        </Location>

        3. Restart WAF

        /var/mdw/scripts/reverseproxy restart

      • Dennis commented

        I can only add to this: I need Websocket Support in WAF as well.
        In nginx I can do this:

        location /websocket1 {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_pass http://127.0.0.1:80;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        }

      • traxxus commented

        I don't know why Sophos is not going to implement this... Lack of knowledge?

      • Adrian Green commented

        Please listen Sophos! Websocket is NOT just some transient experiment that you can safely ignore. It is being used in production everywhere. Your devices stand in the way of my business moving forward. I cannot use apps services that depend on it. No more subscriptions for you.

      • Anonymous commented

        Any update on this? The WAF is really convenient to use for https/authentication to backend admin apps but some of our apps use websockets now.

      • Anonymous commented

        Yep, we too will not be renewing our licenses and selling our hardware once our licenses expire. We are done with Sophos as well.

      • Anonymous commented

        Sophos has acquired cyberoam and websocket in cyberoam is as well not working. Support is turning a deaf ear and is terming it as a feature request with no ETA. Feel cheated as have bought the WAF subscription and now it's useless. Sophos, please care about the customers or else at least publish the list of bugs for a subscription so that people are aware of the bugs before they buy.

      • Anonymous commented

        Bad move not listening to your users Sophos. We are dropping UTM9 for this exact reason.

        I shouldn't have to hack conf files to get this to work.

      • Terence commented

        This is a basic requirement for modern web applications, WebSockets have been around for years and years now. Heck, this "feature" request has been open for 2 years.

      • Wiggerl commented

        Is there any new information? I've problems with websocket errors in combination with HTML5-VPN-UserPortal and WAF.

      • Anonymous commented

        We also have the requirement for allowing Web Sockets through WAF. We are hosting a nodeJS application which also uses Web Sockets, and falling down to an alternative connection takes too much time. Is there any solution on the way?

      • Simon commented

        So UTM 9.3 now has apache 2.4.10 which includes the mod_proxy_wstunnel module. How about giving us a way to enable it!
