One key feature that was missing from the Sophos UTM SG platform prior to version 9.5 was the ability to use Sophos UTM itself to perform request redirects. We published an article on how to work around this issue here. Thankfully, Request Redirection functionality is now built into the Sophos UTM SG platform!
There are two common reasons to use Request Redirection.
The method for performing the redirect in both situations is the same, however, the response codes are different. This article takes you through configuring Sophos UTM's Request Redirection feature to perform both of these common use cases.
Let's first use Sophos UTM's Request Redirection feature to temporarily show a maintenance page.
Any request to the virtual server (because we specified path = /) will now get redirected to http://externalhost.domain/maintenancepage.htm (or your specified maintenance page). When the Sophos UTM performs the redirect, it will also send the response code 302 to the client browser.
Status code "302 Found" is a temporary redirect and should be used if the target resource resides temporarily at a different URI.
From an HTTP header perspective, this looks like:
Client request: GET /index.html HTTP/1.1 Host: www.example.com
Server response: HTTP/1.1 302 Found Location: http://www.iana.org/domains/example/
The 302 response is not cacheable. The browser will therefore always try the original URL before going to the redirected one. This is perfect for a maintenance page.
Now let's use Sophos UTM's Request Redirection feature to permanently redirect all HTTP requests to HTTPS.
Any request to the virtual server (because we specified path = /) will now be redirected to https://host.domain/. When the Sophos UTM performs the redirect, it will also send the response code 301 to the client browser.
Client request: GET /index.php HTTP/1.1 Host: www.example.org
Server response: HTTP/1.1 301 Moved Permanently Location: http://www.example.org/index.asp
Status Code "301 MOVED PERMANENTLY" should be used when the target resource has been assigned a new permanent URI. A 301 response is cacheable, so the client can use the new URL for future requests to the original URL. You can see that a 301 is far more suitable for this than a 302 would be.
The Request Redirection rules view allows you to see which rules are created, which targets they specify, as well as the response codes being used.
Beyond the traditional 301 and 302 options discussed above, you can also use the following status codes:
For more information, check out this excellent article on choosing the right HTTP Status Code.
The Request Redirection feature of the Sophos UTM SG platform allows you to redirect clients at the perimeter (virtual server) rather than allowing them through onto the real web server and then redirecting from there.
In an example such as the HTTP to HTTPS redirect, it is the difference between having the real server requiring HTTP configured, or being able to close that attack surface altogether.
It is not only a convenience feature that has been added, but a good security feature. You can harden the security of your web application further by using more advanced path-specific redirects, and excluding certain clients from accessing parts of your application.
Download the free 30 day trial, or schedule a demo and we'll show you how it works!
How To Remove False Positives in Sophos UTM's Web Application Firewall
How To Publish Websites with Sophos UTM Web Server Protection