
Using Sophos UTM's Request Redirection Feature in v9.5

by

Etienne Liebetrau


One key feature that was missing from the Sophos UTM SG platform prior to version 9.5 was the ability to use Sophos UTM itself to perform request redirects. We published an article on how to work around this issue here. Thankfully, Request Redirection functionality is now built into the Sophos UTM SG platform!

There are two common reasons to use Request Redirection.

  1. Temporarily show a maintenance page for a website that is being worked on or updated.
  2. Redirect all users for all requests from http:// to https://

The method for performing the redirect is the same in both situations; however, the response codes are different. This article takes you through configuring Sophos UTM's Request Redirection feature to perform both of these common use cases.

Redirect to a Maintenance Page

Let's first use Sophos UTM's Request Redirection feature to temporarily show a maintenance page.

  1. In Sophos UTM, go to Webserver Protection | Web Application Firewall | Request Redirection and click + New Request Redirection.
  2. Set the following values:
    • Name: Maintenance-Page
    • Source - Virtual Server: Select the appropriate virtual server.
    • Source - Path: / (unless you have a very specific path you want to redirect)
    • Target - Host: externalhost.domain
    • Target - Path: /MaintenancePage.htm
    • Target - Protocol: Plaintext (HTTP)
    • Target - Port: 80
    • Target - Response code: Found (302)
  3. Click Save.
  4. Turn on the new Request Redirection rule with the toggle switch.

Sophos UTM Request Redirect to Maintenance Page

Any request to the virtual server (because we specified path = /) will now get redirected to http://externalhost.domain/MaintenancePage.htm (or your specified maintenance page). When the Sophos UTM performs the redirect, it will also send the response code 302 to the client browser.

Status code "302 Found" is a temporary redirect and should be used if the target resource resides temporarily at a different URI.

From an HTTP header perspective, this looks like:

Client request:

    GET /index.html HTTP/1.1
    Host: www.example.com

Server response:

    HTTP/1.1 302 Found
    Location: http://www.iana.org/domains/example/

The 302 response is not cacheable. The browser will therefore always try the original URL before going to the redirected one. This is perfect for a maintenance page.

Redirect HTTP requests to HTTPS

Now let's use Sophos UTM's Request Redirection feature to permanently redirect all HTTP requests to HTTPS.

  1. In Sophos UTM, go to Webserver Protection | Web Application Firewall | Request Redirection and click + New Request Redirection.
  2. Set the following values:
    • Name: HTTPS-Redirect
    • Source - Virtual Server: Select the appropriate HTTP virtual server.
    • Source - Path: / (unless you have a very specific path you want to redirect)
    • Target - Host: typically the same as the virtual server
    • Target - Path: /
    • Target - Protocol: Encrypted (HTTPS)
    • Target - Port: 443
    • Target - Response code: Moved Permanently (301)
  3. Click Save.
  4. Turn on the new Request Redirection rule with the toggle switch.

Sophos UTM Request Redirect - HTTP to HTTPS

Any request to the virtual server (because we specified path = /) will now be redirected to https://host.domain/. When the Sophos UTM performs the redirect, it will also send the response code 301 to the client browser.

Client request:

    GET /index.php HTTP/1.1
    Host: www.example.org

Server response:

    HTTP/1.1 301 Moved Permanently
    Location: http://www.example.org/index.asp

Status code "301 Moved Permanently" should be used when the target resource has been assigned a new permanent URI. A 301 response is cacheable, so the client can use the new URL for future requests to the original URL. You can see that a 301 is far more suitable for this than a 302 would be.

The Request Redirection rules view allows you to see which rules are created, which targets they specify, as well as the response codes being used.

Sophos UTM Request Redirect Rules

Other Response Code Options

Beyond the traditional 301 and 302 options discussed above, you can also use the following status codes:

  • See Other (303): The request should be redirected to another URL (GET method).
  • Temporary Redirect (307): The request should be repeated with another URL. Future requests should still use the original URL. This status code is similar to 302 (Found), except that it does not allow changing the request method from POST to GET.
  • Permanent Redirect (308): The request and all future requests should be repeated using another URL. This status code is similar to 301 (Moved Permanently), except that it does not allow changing the request method from POST to GET.

For more information, check out this excellent article on choosing the right HTTP Status Code.
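A check you can run after enabling a rule, added here as an example (it is not Sophos or Fastvue code): it compares the status code and Location header a virtual server returns with what the rule was meant to do, using the code semantics listed above. The function names and the sample responses are constructed for illustration.

```python
import http.client
from urllib.parse import urlsplit

# Codes the rule offers, per the article: code -> (permanent, client may turn POST into GET)
REDIRECT_CODES = {301: (True, True), 302: (False, True), 303: (False, True),
                  307: (False, False), 308: (True, False)}


def audit_redirect(status, location, expected_host, permanent,
                   require_https=False, preserve_method=False):
    """Compare one redirect response with the rule's intent; return a list of findings."""
    if status not in REDIRECT_CODES:
        return [f"status {status} is not one of the redirect codes"]
    findings = []
    is_permanent, method_may_change = REDIRECT_CODES[status]
    if is_permanent != permanent:
        findings.append(f"{status} is {'permanent' if is_permanent else 'temporary'}")
    if preserve_method and method_may_change:
        findings.append(f"{status} allows POST to become GET; use 307 or 308")
    target = urlsplit(location or "")
    if require_https and target.scheme != "https":
        findings.append(f"Location scheme is {target.scheme!r}, not 'https'")
    if (target.hostname or "") != expected_host.lower():
        findings.append(f"Location host is {target.hostname!r}, expected {expected_host!r}")
    return findings


def probe(host, path="/", port=80, timeout=5):
    """Send one plaintext GET without following redirects; return (status, Location)."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        response = conn.getresponse()
        return response.status, response.getheader("Location")
    finally:
        conn.close()


if __name__ == "__main__":
    # Constructed responses (not captured from a UTM); use probe("your.host") for a live check.
    samples = [
        ("https rule, correct", 301, "https://www.example.org/", "www.example.org", True, True),
        ("https rule, stays on http", 301, "http://www.example.org/", "www.example.org", True, True),
        ("maintenance rule sent as 301", 301, "http://externalhost.domain/MaintenancePage.htm",
         "externalhost.domain", False, False),
    ]
    for name, status, location, host, permanent, https in samples:
        print(name, "->", audit_redirect(status, location, host, permanent, https) or "ok")
```

An empty list means the response matches the rule's intent; a maintenance rule answered with a 301 is worth catching because clients may keep using the cached target after the rule is switched off.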

Conclusion

The Request Redirection feature of the Sophos UTM SG platform allows you to redirect clients at the perimeter (virtual server) rather than allowing them through onto the real web server and then redirecting from there.

In an example such as the HTTP to HTTPS redirect, it is the difference between having to keep HTTP configured on the real server and being able to close that attack surface altogether.

It is not only a convenience feature that has been added, but a good security feature. You can harden the security of your web application further by using more advanced path-specific redirects, and excluding certain clients from accessing parts of your application.
