
reverse proxy and SSL certificate check


This topic is 2079 days old. Please don't post here. Open a new topic instead.


Because I have only 1 external IP address in the office here, I have set up a reverse proxy on my Sophos UTM 9 firewall, they call it WAF or Web Application Firewall. In this setup, you define a number of "real" web servers with their internal IP addresses, you also define a number of "virtual" web servers by DNS name, type ( http or https ) and port ( 80, 443, or whatever you would like). This works great if you want to host different web servers on different internal machines. BTW they are all VMs.

I also configured this for FileMaker Server, so everything https related is nicely routed to the fms machine. That also works great, apart from 1 small thing. The client complains about the certificate.

There is nothing wrong with the certificate, as this works fine when I connect to the server internally ( using the same DNS name of course ). Everything nicely green. It only goes wrong when contacting it externally.

FileMaker shows an error dialog that it cannot verify the identity of the server. See screen 1. When I click on "View Certificate" it shows perfectly fine certificates, as shown in screen 2, 3 and 4.

There must be something wrong with the way the firewall is implementing the reverse proxy. I think I configured it correctly: I am passing the host headers, and the virtual filemaker site is correctly associated with the wildcard certificate, just like the regular virtual apache web site that I am running as well and which gives no problems whatsoever. Someone at the Sophos forum indicated that perhaps the firewall is inserting some certificate information that is not making FileMaker itself happy.

It appears to me that FileMaker is using 2 technologies here, one that is a custom FileMaker certificate client, which is detecting something it doesn't like, and the "View Certificate" dialog is almost certainly using standard system software ( webkit? ) and decides everything is fine. They are not agreeing with each other, that is for sure.

Are there any IT people on this forum who have set up something like this? Any help is very much appreciated.

screen 1.png

screen 2.png

screen 3.png

screen 4.png

Edited by Peter Wagemans

If this is for FileMaker Pro traffic, it needs to communicate on port 5003, not 443. Is your WAF doing any kind of https intercept, where you configure SSL there instead of the web server? That is not compatible with FM Pro traffic, as the SSL certificate must be configured on the FM server, and the same port (5003) is used for all traffic, regardless of whether SSL is enabled or not. Perhaps if the exact same certificate is used at BOTH points, it may work.


Thanks Mike,

So are you saying that the SSL certificate verification is happening over port 5003, while the "view certificate" button uses port 443?

> Is your WAF doing any kind of https intercept, where you configure SSL there instead of the web server?

Yes for the intercept part, yes for the configuring part, but no for the "instead". It is also configured on the FMS web server. I am using the exact same certificate on both the FileMaker Server and the reverse proxy.

For the 5003 part I use simple NAT port forwarding, it has always worked fine and will probably continue to do so. I have a little trouble believing that the SSL verification is happening over port 5003. Port 5003 is not proxied, there is no interception anywhere.

Important to know here is that from the private network, everything works correctly.

This is a firewall issue I am trying to solve. I know how to configure FileMaker Server. I just have trouble configuring this freaking firewall, maybe I have to try another distribution like pfsense.


Hello,

Have you made a custom DNS record on the Internet?

Your domain clarify.net is registered online, so you have to make a CNAME record that points to your local server.

Tom


Hi Tom,

All DNS setup has been correctly done. Or I wouldn’t even be able to reach the server using fms.clarify.net, and make the screen shots.

But... I have currently disabled the server, so if you try that address you will not get a response anymore. Maybe that explains your reaction.


Indeed. I reinstalled the server to find the reason for the problem, and did not configure it yet. So the other test files are hidden now because they require a password. Thanks for mentioning it. There are no Pentagon secrets on this server, luckily. 🙂

You should now only see the HTML Snippet Library, which is a public freeware project I did years ago with Andries Heylen, and a PluginManager test file, that should be rather well protected.

As for the problem itself, I discovered using the SSL Labs site https://www.ssllabs.com/ssltest/ that there is a problem with the intermediate certificate.

And that explains the trouble I am having. The Sophos UTM firewall is only proxying the clarify.net certificate. But not the intermediate one, because there is not even a way to configure that. I'll take this up with Sophos, at least I know now where the problem originates.


Thanks for the explanation, and I didn't try to open any file ;)

I mentioned it only to help.

I'm following your problem, let us know.

Right now I can't see anything without filling in a user and password (sorry for my English).

Tom


No problem, Tom. I saw from your screen shot you are French speaking. I also speak French but most of the time I do not know what I am saying. 🙂

I found the solution to the problem.

Using https://www.markbrilman.nl/2012/07/creating-a-pfx-file-with-chain/  as documentation I created a pfx file that contains the main AND the intermediate certificate. I first removed the old wildcard crt file from the firewall, then imported the pfx file, and assigned it to the virtual servers that run over https.

They now return a green A sign on SSL Labs and... the FileMaker client problem disappeared!!

Thanks everyone for helping me understand and solve this.
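The two findings above, that SSL Labs flagged a missing intermediate certificate and that importing a PFX carrying the leaf AND the intermediate fixed it, can be reproduced locally with openssl. The script below is an added example, not code from this thread, from Sophos or from FileMaker. It assumes a POSIX shell with openssl on the PATH, and it uses a constructed hostname (fms.example.test) and demo CA names in place of the real clarify.net wildcard certificate. It builds a throwaway root -> intermediate -> leaf chain, shows that a client trusting only the root cannot verify the bare leaf (what the proxy was sending) but can verify leaf + intermediate (what a correct server sends), and then packs key, leaf and intermediate into one PFX the way the fix describes.

```shell
#!/bin/sh
# Added example, not from the original thread: demonstrates why a server that sends only
# the leaf certificate fails chain verification, and how a PFX with the intermediate fixes it.
# HOST and the "Demo ..." CA names are constructed for this demo.
set -e

HOST="fms.example.test"      # hypothetical server name, stands in for the thread's fms.clarify.net
WORK="$(mktemp -d)"          # scratch directory for keys and certificates

gen_chain() {
  # Extensions for the two CA certificates (root and intermediate).
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
  # Extensions for the server (leaf) certificate.
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$HOST" > "$WORK/leaf.ext"

  # Root CA: CSR, then self-signed with CA extensions.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 -sha256 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.crt" 2>/dev/null

  # Intermediate CA, signed by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/int.csr" -CA "$WORK/root.crt" -CAkey "$WORK/root.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/ca.ext" -out "$WORK/int.crt" 2>/dev/null

  # Leaf (server) certificate, signed by the intermediate, as a public CA would issue it.
  openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$HOST" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/int.crt" -CAkey "$WORK/int.key" \
    -CAcreateserial -days 30 -sha256 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Verify the leaf the way a client that trusts only the root does.
# "$1" = with_intermediate supplies int.crt as an untrusted chain certificate (what a correctly
# configured server sends); anything else verifies the bare leaf (what the misconfigured proxy
# in the thread was sending). Returns 0 only if a chain up to the root can be built.
verify_leaf() {
  if [ "$1" = "with_intermediate" ]; then
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/int.crt" "$WORK/leaf.crt" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1
  fi
}

# Bundle private key + leaf + intermediate into one PFX; -certfile is what carries the chain.
build_pfx() {
  openssl pkcs12 -export -inkey "$WORK/leaf.key" -in "$WORK/leaf.crt" \
    -certfile "$WORK/int.crt" -passout pass:demo -out "$WORK/chain.pfx"
}

# Count the certificates inside the PFX: 2 means leaf and intermediate both made it in.
pfx_cert_count() {
  openssl pkcs12 -in "$WORK/chain.pfx" -passin pass:demo -nokeys -nodes 2>/dev/null \
    | grep -c 'BEGIN CERTIFICATE'
}

gen_chain
build_pfx
if verify_leaf without_intermediate; then
  echo "bare leaf: verifies (unexpected)"
else
  echo "bare leaf: no issuer found, this is what the proxy was serving"
fi
verify_leaf with_intermediate && echo "leaf + intermediate: OK"
echo "certificates in chain.pfx: $(pfx_cert_count)"
```

Against a live server, `openssl s_client -connect fms.example.test:443 -servername fms.example.test -showcerts` lists every certificate the proxy actually sends; a correct configuration shows the leaf followed by the intermediate and ends with `Verify return code: 0 (ok)` when the root is in the local store. A server that sends only the leaf can still look green in clients that happen to have the intermediate cached or that fetch it through the certificate's AIA URL, which is the likely reason the "View Certificate" dialog and the FileMaker client disagreed: one tolerated the missing intermediate, the other validated strictly against what the server sent.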

