Suggest, discuss, and vote on new ideas for SG UTM. The ultimate network security package.


websocket support for WAF

We are hosting a SignalR hub behind a Sophos UTM 320. We use the Web Server Protection feature extensively in our environment, and as such have opted to use the same for this.
SignalR will always try to use Web Sockets, a new HTML5 API, and fall back to other technologies where this isn't possible to be used.
Since we've been hosting the hub via the reverse proxy, none of our clients are able to connect via Web Sockets, so having support for websockets in WAF would be super cool.

319 votes

    mark shared this idea


      • Simon commented

        Does anyone from Sophos actually look at this?

        Some acknowledgement would be nice. Or are we wasting our time giving you ideas!?

      • Gerald Beuchelt commented

        Mattermost requires websockets as well. The lack of support makes the Web Server protection mostly useless in 2017.

      • Marcel du Preez commented

        Our firewall partner logged this request at our behest.

        I'm still running the above environment in production, and for more than 3 years after I've made this suggestion, it hasn't been implemented.

        As a result, I'm replacing my Sophos devices with another vendor, who does support this feature.

      • Russell Born commented

        Atlassian released Confluence 6.0 in November 2016. The biggest new feature is collaborative editing which requires websockets. All browsers already support websockets and now one more application requires it. This is ridiculous that the Sophos UTM STILL does not support it.

      • Dougga commented

        Sophos... it appears you are showing yourselves to be a 2nd tier technology company which renders your products unacceptable for anyone interacting with "first tier" technology. The comment stream all but proves this.
        Please assign this as a Priority 0 development initiative, despite it being a trivial change.

        Please get this to the test team ASAP.

      • Simon commented

        Jürgen, thanks for the repost. I also find it hard to believe that an internet protocol documented with an RFC is still not being supported. It's not like there is a lot of work to do as you mentioned. It's just configuration settings.

      • Jürgen Steinblock commented

        612 votes and still nothing new with UTM 9.4, very sad.

        It's not a big feature that needs to be programmed first. It's just an additional config value that has to be written to the config (maybe configurable with a checkbox in the virtual webserver setting).

        Since the link Simon provided is dead, here is how you can enable websocket support (until reboot).

        1. Load the apache module
        echo 'LoadModule proxy_wstunnel_module /usr/apache/modules/' >> /var/storage/chroot-reverseproxy/usr/apache/conf/modules.conf

        2. Edit the reverse proxy file and add this inside the correct <VirtualHost> section. This example works for mattermost. I figured out the ws location via chrome dev console (CTRL + SHIFT + I) / Console

        <Location "/api/v3">
            ProxyPass "wss://mattermost.local.domain/api/v3"
        </Location>

        3. Restart WAF

        /var/mdw/scripts/reverseproxy restart

      • Dennis commented

        I can only add to this: I need Websocket Support in WAF as well.
        In nginx I can do this:

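        location /websocket1 {
            # Pass the original host and client address details to the backend
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # The WebSocket upgrade needs HTTP/1.1 and the hop-by-hop
            # Upgrade/Connection headers forwarded explicitly
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }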
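
A check for the behaviour discussed in the comments above, as an added example that is not part of the thread or any Sophos code: it validates the server's reply to a WebSocket opening handshake (RFC 6455), which is what fails when a reverse proxy does not forward the Upgrade and Connection headers. The key is the RFC 6455 sample value, and both responses and all function names are constructed for illustration.

```python
import base64
import hashlib

# Fixed GUID defined by RFC 6455 for computing Sec-WebSocket-Accept
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"

def accept_key(client_key):
    """Sec-WebSocket-Accept value the server must return for client_key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def build_request(host, path, client_key):
    """Opening handshake a client sends; the proxy must pass Upgrade/Connection."""
    return (
        f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
        "Upgrade: websocket\r\nConnection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {client_key}\r\nSec-WebSocket-Version: 13\r\n\r\n"
    ).encode("ascii")

def check_handshake(client_key, raw_response):
    """Return a list of problems; an empty list means the upgrade succeeded."""
    head = raw_response.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    problems = []
    if status != 101:
        problems.append(f"status {status}, expected 101 Switching Protocols")
    if headers.get("upgrade", "").lower() != "websocket":
        problems.append("Upgrade: websocket header missing")
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        problems.append("Connection header lacks the upgrade token")
    if headers.get("sec-websocket-accept") != accept_key(client_key):
        problems.append("Sec-WebSocket-Accept does not match the key sent")
    return problems

# Constructed sample data: RFC 6455 example key, made-up responses.
KEY = "dGhlIHNhbXBsZSBub25jZQ=="
GOOD = (b"HTTP/1.1 101 Switching Protocols\r\nUpgrade: websocket\r\n"
        b"Connection: Upgrade\r\n"
        b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n\r\n")
STRIPPED = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"

if __name__ == "__main__":
    print(check_handshake(KEY, GOOD))      # upgrade passed through the proxy
    print(check_handshake(KEY, STRIPPED))  # upgrade headers did not reach the backend
```
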


      • traxxus commented

        I don't know why Sophos is not going to implement this... Lack of knowledge?

      • Adrian Green commented

        Please listen Sophos! Websocket is NOT just some transient experiment that you can safely ignore. It is being used in production everywhere. Your devices stand in the way of my business moving forward. I cannot use apps services that depend on it. No more subscriptions for you.

      • Anonymous commented

        Any update on this? The WAF is really convenient to use for https/authentication to backend admin apps but some of our apps use websockets now.

      • Anonymous commented

        Yep, we too will not be renewing our licenses and selling our hardware once our licenses expire. We are done with Sophos as well.
