Site Path Routing
On the Web Application Firewall > Site Path Routing tab you can define to which real webservers incoming requests are forwarded. You can for example define that all URLs with a specific path, e.g., /products/, are sent to a specific webserver. On the other hand you can allow more than one webserver for a specific request and add rules for how to distribute the requests among the servers. You can for example define that each session is bound to one webserver throughout its lifetime (sticky session). This may for example be necessary if you host an online shop and want to make sure that users stick to one server during their shopping session. You can also configure to send all requests to one webserver and use the others only as a backup.
For each virtual webserver, one default site path route (with path /) is created automatically. Sophos UTM automatically applies the site path routes in the most reasonable way: starting with the strictest, i.e., longest paths and ending with the default path route which is only used if no other more specific site path route matches the incoming request. The order of the site path route list is not relevant. If no route matches an incoming request, e.g., because the default route was deleted, the request will be denied.
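The route selection described above, as an added Python example (not Sophos UTM code): routes are literal path prefixes, the enabled route with the longest matching path wins regardless of list order, the automatically created default route / catches everything else, and None (deny) is returned when nothing matches, e.g. after the default route was deleted. The prefix comparison, the skipping of disabled routes, and the path normalization before matching are assumptions, since the page does not state how UTM compares paths internally; the route table is constructed sample data.

```python
import posixpath
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class SitePathRoute:
    name: str
    path: str                  # literal path prefix, no regex or wildcards (as the page states)
    real_webservers: List[str]
    enabled: bool = True       # new routes start disabled and must be toggled on


def normalize_path(raw_path: str) -> str:
    """Canonicalize a request path before matching (assumption: the page does not
    document UTM's own normalization, this is illustrative). Drops the query string
    and collapses '//' and '..' segments so the prefix a request is matched on is
    the prefix the backend will actually see."""
    path = raw_path.split("?", 1)[0]
    had_trailing_slash = path.endswith("/")
    path = posixpath.normpath("/" + path.lstrip("/"))
    if had_trailing_slash and not path.endswith("/"):
        path += "/"            # normpath strips it; keep '/products/' distinct from '/products'
    return path


def select_route(routes: List[SitePathRoute], raw_path: str) -> Optional[SitePathRoute]:
    """Pick the enabled route with the longest path that prefixes the request.
    The order of `routes` is irrelevant; None means the request is denied."""
    path = normalize_path(raw_path)
    best: Optional[SitePathRoute] = None
    for route in routes:
        if not route.enabled or not path.startswith(route.path):
            continue
        if best is None or len(route.path) > len(best.path):
            best = route
    return best


# Constructed sample configuration: the automatic default route plus specific ones
SAMPLE_ROUTES = [
    SitePathRoute("default", "/", ["web-1"]),
    SitePathRoute("products", "/products/", ["shop-1", "shop-2"]),
    SitePathRoute("product-images", "/products/images/", ["static-1"]),
    SitePathRoute("admin", "/admin/", ["admin-1"], enabled=False),  # created but never toggled on
]


if __name__ == "__main__":
    for req in ["/products/images/logo.png", "/products/list?id=7", "/about",
                "/admin/", "/products/../admin/"]:
        hit = select_route(SAMPLE_ROUTES, req)
        print(f"{req:32} -> {hit.name if hit else 'DENIED (no route)'}")
```

Deleting the default route is the one way to make the last branch fire: with it present, a path like /about still lands on web-1, and a disabled route is simply invisible to the matcher.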
Note – The Site Path Routing tab can only be accessed after at least one virtual webserver has been created.
To create a site path route, proceed as follows:
- Click the New Site Path Route button.
The Add Site Path Route dialog box opens.
- Specify the following settings:
Name: Enter a descriptive name for the site path route.
Virtual webserver: Select the original target host of the incoming traffic.
Path: Enter the path for which you want to create the site path route, e.g., /products/. Regular expressions or wildcards are not supported.
Reverse authentication: Select the authentication profile with the users or groups that should have access to this site path route. When no profile is selected, no authentication is required.
Caution – Using a reverse authentication profile on a Virtual Webserver running in plain text mode will expose user credentials. Continuing will cause the Web Application Firewall to send user credentials in an unsafe manner.
Caution – An authentication profile with frontend mode Form can only be deployed once on any one virtual webserver.
Real Webservers: Select the checkboxes in front of the real webservers which are to be used for the specified path. The order of the selected webservers is only relevant for the Enable hot-standby mode option. With the sort icons you can change the order.
Access control: If selected, you can allow or block specific client networks for the Virtual webserver. Clients only get access when their IPs are listed in the Allowed networks list. IPs in the Denied networks list will be blocked. If both lists are empty no one will be able to connect to the Virtual webserver. If you want to block only specific networks, allow Any and select or add Denied networks. If you want to allow specific networks only, you need to select or add Allowed networks and leave Denied networks empty.
Allowed networks: Select or add the allowed networks that should be able to connect to the Virtual webserver.
Denied networks: Select or add the networks that should be blocked from connecting to the Virtual webserver.
Comment (optional): Add a description or other information.
- Optionally, make the following advanced settings:
Enable sticky session cookie: Select this option to ensure that each session will be bound to one real webserver. If enabled, a cookie is passed to the user's browser, which causes Sophos UTM to route all requests from this browser to the same real webserver. If the server is not available, the cookie will be updated, and the session will switch to another webserver.
Enable hot-standby mode: Select this option if you want to send all requests to the first selected real webserver, and use the other webservers only as a backup. The backup servers are only used in case the main server fails. As soon as the main server is back working, the sessions will switch back—unless you selected the Enable sticky session cookie option.
Enable WebSocket passthrough: Select this option if you want to allow WebSocket communication. That way WebSocket traffic is not controlled by the WAF at all and any other option you may have enabled in the WAF will not apply to WebSocket traffic.
- Click Save.
- Enable the site path route.
The new site path route is disabled by default (toggle switch is gray). Click the toggle switch to enable the site path route.
The site path route is now enabled (toggle switch is green).
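The access control rules from the Specify the following settings step and the sticky session / hot-standby behaviour from the advanced settings, as one added Python example (not Sophos UTM code). Denied networks win over Allowed networks, two empty lists deny everyone, and Any in the allowed list combined with a denied list blocks only those networks. In hot-standby mode the first selected server that is up receives the request and sessions move back to it once it returns, unless the sticky cookie binds them elsewhere; a cookie pointing at a server that is down is reissued for the replacement. The "Any" marker, the round-robin fallback when neither option is set, and the sample networks and server names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Set

ANY = "Any"  # constructed stand-in for the UTM "Any" network object


def _in_networks(client_ip: str, networks: List[str]) -> bool:
    """True if client_ip lies in any listed network, or the list contains Any."""
    ip = ipaddress.ip_address(client_ip)
    for net in networks:
        if net == ANY or ip in ipaddress.ip_network(net, strict=False):
            return True
    return False


def access_allowed(client_ip: str, allowed: List[str], denied: List[str]) -> bool:
    """Access control as the page describes it: a denied match blocks, otherwise the
    client must appear in Allowed networks; with both lists empty nobody connects."""
    if _in_networks(client_ip, denied):
        return False
    return _in_networks(client_ip, allowed)


@dataclass
class SitePathRoute:
    name: str
    real_webservers: List[str]          # in the order selected in the dialog
    sticky_session: bool = False
    hot_standby: bool = False
    access_control: bool = False
    allowed_networks: List[str] = field(default_factory=list)
    denied_networks: List[str] = field(default_factory=list)


@dataclass
class Decision:
    status: str                         # "forwarded" or "denied"
    server: Optional[str] = None
    set_cookie: Optional[str] = None    # sticky cookie value to (re)issue, if any


def handle_request(route: SitePathRoute, client_ip: str, available: Set[str],
                   cookie_server: Optional[str] = None, counter: int = 0) -> Decision:
    """Apply access control, then pick the real webserver for this request.
    `available` is the set of real webservers currently reachable, `cookie_server`
    the server named in the client's sticky cookie (if it sent one)."""
    if route.access_control and not access_allowed(
            client_ip, route.allowed_networks, route.denied_networks):
        return Decision("denied")
    up = [s for s in route.real_webservers if s in available]
    if not up:
        return Decision("denied")       # assumption: no reachable backend, request fails
    if route.sticky_session and cookie_server in up:
        return Decision("forwarded", cookie_server)   # bound session stays put
    if route.hot_standby:
        server = up[0]                  # first selected server that is up; rest are backup
    else:
        server = up[counter % len(up)]  # assumption: page does not define distribution
    cookie = server if route.sticky_session else None   # (re)issued whenever the server changes
    return Decision("forwarded", server, cookie)


# Constructed sample route: Any allowed, one internal range denied, hot-standby on
SHOP = SitePathRoute("shop", ["shop-1", "shop-2", "shop-3"], sticky_session=True,
                     hot_standby=True, access_control=True,
                     allowed_networks=[ANY], denied_networks=["10.0.0.0/8"])


if __name__ == "__main__":
    print(handle_request(SHOP, "10.1.2.3", {"shop-1", "shop-2"}))
    print(handle_request(SHOP, "203.0.113.7", {"shop-1", "shop-2"}))
    print(handle_request(SHOP, "203.0.113.7", {"shop-2"}, cookie_server="shop-1"))
    print(handle_request(SHOP, "203.0.113.7", {"shop-1", "shop-2"}, cookie_server="shop-2"))
```

The last two calls show the interaction the page calls out: after shop-1 fails the session is re-bound to shop-2, and when shop-1 returns the sticky cookie keeps that session on shop-2 even though hot-standby would otherwise send it back.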
To either edit or delete a site path route, click the corresponding buttons.