Sophos XG Reverse Proxy

I have HASS running on a Docker VM.
I have a reverse web proxy configured on my Sophos XG firewall.

I am able to connect to it perfectly from almost everywhere.
Work, Home, Mobile, etc…

However, there is one location that ALSO has a Sophos XG firewall that can NOT log into my HASS. I get the login screen and then I get the “unable to connect” screen.

I have tried multiple browsers, usernames, and computers from that location and they all fail to connect.
I also tried turning off all of the HTTP scanning and Intrusion prevention policies on the firewall at both ends and it still fails.

I did test temporarily setting up a port forward to 8123 on my home firewall and I am able to log into that from the other firewall location.

So it seems like there is an authentication issue when trying to log in from a site with a Sophos XG firewall to HASS that is sitting behind a Sophos XG reverse proxy.

Any help would be appreciated.

This is resolved.

Some amount of clearing FW policies, clearing auth tokens, updating both firmware and HASS image on docker and then waiting 5 days fixed the issue.

@MrKuenning do you still use this setup? Can you provide the settings on the XG side as I’m struggling a bit with the waf config

I have HASS running on ESXi as HASSOS.

In Sophos:

Under Web Server I have an entry with:
Name: HASS
Host: HASS (VM) ← filled in under Hosts and Services
Type: Plaintext
Port: 8123
Keep alive: Yes
Disable backend: Off
Timeout: 300

Under Rules and Policies:
Rule called: HASS WAF
To make it a web server rule, set the action to: Protect with web server protection
Hosted Address: Port2 (WAN)
Listening Port: 80
Domains: home.mydomain.com, hass.mydomain.com
Web server: HASS

Separately I also have NAT rules to allow me to connect to port 8123 directly.
Either work for me at the moment.

So I can access it via:

home.mydomain.com
hass.mydomain.com
mydomain.com:8123
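With the WAF rule above, Home Assistant sits behind a proxy, and HASS itself has to be told to trust that proxy; recent releases reject proxied requests (HTTP 400) when the `http:` integration is not configured for a reverse proxy. The following `configuration.yaml` fragment is an added example and not from this thread or the Sophos documentation; the firewall's LAN-side address 192.0.2.1 is an assumption and must be replaced with the address HASS sees as the source of proxied connections.

```yaml
# configuration.yaml - http: section for Home Assistant behind a reverse proxy.
# Added example, not from the thread. 192.0.2.1 is an assumed LAN address for the
# Sophos XG internal interface that the WAF uses to reach the HASS backend.
http:
  # Read the client address from X-Forwarded-For, so the authentication log and
  # ip_ban record the real remote address rather than the firewall's.
  use_x_forwarded_for: true
  # Only accept that header from the proxy itself; trusting a wider range (or
  # 0.0.0.0/0) lets any client spoof its source address to the ban logic.
  trusted_proxies:
    - 192.0.2.1        # assumed: Sophos XG LAN-side address
  # Temporarily ban an address after repeated failed logins.
  ip_ban_enabled: true
  login_attempts_threshold: 5
```

Two things to check against the setup in this post. The separate NAT rule that forwards port 8123 bypasses the WAF entirely, so connections through it are not covered by `trusted_proxies` and are not inspected by the web server protection policy. And the WAF rule listens on port 80 against a plaintext backend, so HASS credentials and the long-lived auth token cross the internet unencrypted on that path unless the rule is moved to port 443 with a certificate.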

OK, I have mostly the same config. Really interested in your WAF protection policy setting and if you’ve found a way to only allow the mobile clients and block browser access - user agent perhaps.

I have not tried to block browser access, as I use my phone and laptop remotely.