External HTTPS requests don't work - "HTTP: Non-ASCII bytes detected in HTTP request"

Messages: 9
Karma: 0
I am currently running the latest version of KWF 6.4.2 build 3672.

I have a traffic policy that allows HTTP and HTTPS requests to come in from the Internet and then forward to my web server inside of my network.

The HTTP requests are working fine, however, the HTTPS requests do not work.

I get this error message in the security log:
HTTP: Non-ASCII bytes detected in HTTP request: client: x.x.x.x, server: x.x.x.x

I searched the forums for this problem and see that other users have had this issue years ago, although not quite the same scenario. It has been suggested that I set "DetectMaliciousHeaders" to 0 in the winroute.cfg file, but when I tried that, the HTTPS requests just hang and take forever; however, I don't see the error in the security log anymore.

The weird thing is that this has worked before and suddenly stopped working without making any modifications.

Also, I have a rule that directs requests from my local network to the web server so that my local computers can access the internal web server, and they can get the HTTPS version without any problem, even though it's still passing through KWF, so it would appear that it only happens from outside of the network.

I tried this from multiple browsers and other people, so I know it's not a browser/client issue.

What I would like to know is how can I disable this behavior of KWF? How can I make it work? I really need people to be able to access my web server, and I would like to keep my server behind the firewall.

I would REALLY appreciate it if anybody can help.

[Updated on: Thu, 17 April 2008 00:52]

Pavel Dobry (Kerio)

Messages: 5245
Karma: 251
First of all, do not use HTTP protocol inspector for HTTPS connections. It simply can't work. Make sure that protocol inspector in mapping traffic rule is set to "Default". Otherwise create two separate rules for HTTP and HTTPS and set protocol inspector to "None" in HTTPS rule.

"DetectMaliciousHeaders" option in the configuration should be enabled as it protects your applications and clients in local network.
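Why an HTTP inspector cannot parse HTTPS, as an added example that is not part of the original posts and not Kerio's code: a TLS connection opens with a binary record header, which an ASCII-only HTTP header parser rejects from the first byte. The sample byte strings are constructed, and the checks are an illustrative assumption, not the firewall's actual inspector logic.

```python
import struct

# Constructed samples (not captured traffic).
HTTP_SAMPLE = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
# TLS record header (type 0x16 handshake, version 3.1, length 0x0200),
# then the start of a ClientHello and filler standing in for random bytes.
TLS_SAMPLE = bytes.fromhex("16 03 01 02 00 01 00 01 fc 03 03") + bytes(range(0x80, 0xA0))

TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, app data
MAX_TLS_RECORD = 16384 + 2048         # upper bound on a TLS 1.2 ciphertext record


def looks_like_tls_record(data):
    """True if data starts with a plausible TLS record header."""
    if len(data) < 5:
        return False
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    return (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
            and 0 < length <= MAX_TLS_RECORD)


def non_ascii_offsets(data, limit=5):
    """Offsets of bytes an ASCII-only HTTP header parser would reject."""
    allowed_ctl = {0x09, 0x0A, 0x0D}  # tab, LF, CR
    bad = [i for i, b in enumerate(data)
           if not (0x20 <= b < 0x7F or b in allowed_ctl)]
    return bad[:limit]


def classify(data):
    """Label the first bytes of a connection as 'tls', 'http' or 'unknown'."""
    if looks_like_tls_record(data):
        return "tls"
    request_line = data.split(b"\r\n", 1)[0]
    if not non_ascii_offsets(data) and b" HTTP/1." in request_line:
        return "http"
    return "unknown"


if __name__ == "__main__":
    for name, sample in (("http", HTTP_SAMPLE), ("tls", TLS_SAMPLE)):
        print(name, classify(sample), non_ascii_offsets(sample))
```
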

Messages: 9
Karma: 0
Thank you for the reply.

I am not using the HTTP protocol inspector for HTTPS connections.

Also, I changed the mapping for incoming HTTPS requests from my web server to point to the KWF server, which will display the SSL-VPN page. Strangely enough, I was then able to access the HTTPS content.

I then thought that it might be a problem with my web server. I noticed that there were several updates recently installed from Windows Update, and I then removed all of the recent updates and rebooted my web server.

Afterwards, I pointed all incoming HTTPS traffic back to the web server, and now it works again!

So it looks like it's not a direct fault of KWF (although the error message can be a little unclear). However, it is still a bit strange that accessing HTTPS from the local network works fine, but externally it did not.

I do have it working now, and DetectMaliciousHeaders is enabled as well.

Later on in the day, I will install the Windows Updates on my web server one-by-one to see if I can narrow down which one affected it.


Messages: 9
Karma: 0
Here's a follow-up to my response.

I did start messing with the KWF Traffic Policy again, and was able to reproduce this issue again, so I don't think it is related to the updates that I ran on the web server.

Originally, I had HTTP and HTTPS services in one rule. I then separated it into two separate rules.

I also had it set up so that the Source for the rules was set to the Internet Network Adapter, but changed it to Any.

It seems to be working again, but this problem is a little annoying.