Recently we were presented with an issue one of our customers was experiencing when downloading intranet reports via a VPN tunnel between Mumbai and the UK. The report generally takes a few minutes to generate and was previously working as expected; however, since migrating to a Sophos XG UTM on the Mumbai side of the VPN tunnel, the webpage would return fairly quickly with an HTTP 504 Gateway Timeout error.
Running a Wireshark capture or using the inspector within Google Chrome to analyse the HTTP headers revealed that the 504 timeout was occurring after exactly 60 seconds, and the header was prefixed with ‘HTTP/1.1 Sophos Proxy’. This led us to look at the Sophos XG UTM and its inbuilt web protection, which proxies web traffic when in bridge mode.
There are articles available on how to adjust the HTTP proxy timeout for the earlier versions of Sophos UTM [such as this one], but nothing that covers the relatively new XG series – and the existing command will not work. This is something that even the vendor support was unable to provide a solution to. We discovered the relevant command and are pleased to share the following instructions on how to adjust the HTTP proxy timeout on XG series UTMs.
Changing the HTTP Proxy timeout on the Sophos XG
- Ensure that your XG UTM is running SFOS 16.01.2 or a later version
- SSH to the XG UTM
- Select option [5. Device Management] and then [3. Advanced Shell]
- Run the command [cish]
- Run the command [set http_proxy response_timeout 180]
- Run the command [exit]
- Run the command [service awarrenhttp:restart -ds nosync] to restart the HTTP proxy service
Please note when this is applied it will terminate any existing HTTP(S) connections!
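The diagnosis described above (504s arriving after exactly 60 seconds and carrying the proxy's name) can be repeated from a HAR file exported from the Chrome inspector, both before and after changing the timeout. The script below is an added example, not part of the original procedure or any Sophos tooling; the function name `find_proxy_timeouts`, the sample URL, the `Via` header used to carry the marker and the sample timings are all constructed assumptions.

```python
import json
from collections import Counter

# Constructed HAR 1.2 fragment (not from a real capture). Where the proxy marker
# appears in the response is an assumption; the function searches several fields.
def _entry(ms, status, header_value):
    return {"time": ms, "request": {"url": "http://intranet.example/report"},
            "response": {"status": status, "statusText": "", "httpVersion": "HTTP/1.1",
                         "headers": [{"name": "Via", "value": header_value}]}}

SAMPLE_HAR = json.dumps({"log": {"entries": [
    _entry(60012.4, 504, "HTTP/1.1 Sophos Proxy"),
    _entry(60003.1, 504, "HTTP/1.1 Sophos Proxy"),
    _entry(59998.7, 504, "HTTP/1.1 Sophos Proxy"),
    _entry(45200.0, 200, ""),                # report that finished in time
    _entry(12300.0, 504, "origin-gateway"),  # 504 not generated by the proxy
]}})


def find_proxy_timeouts(har_text, marker="Sophos Proxy", tolerance_s=0.25):
    """Return 504 responses in a HAR export and the timeout they cluster on."""
    hits = []
    for entry in json.loads(har_text)["log"]["entries"]:
        resp = entry["response"]
        if resp.get("status") != 504:
            continue
        fields = [resp.get("statusText", ""), resp.get("httpVersion", "")]
        fields += [h.get("value", "") for h in resp.get("headers", [])]
        hits.append({
            "url": entry["request"]["url"],
            "seconds": entry["time"] / 1000.0,  # HAR "time" is in milliseconds
            "from_proxy": any(marker.lower() in f.lower() for f in fields),
        })
    # A fixed timer shows up as proxy-generated 504s landing on the same whole second.
    buckets = Counter(
        round(h["seconds"]) for h in hits
        if h["from_proxy"] and abs(h["seconds"] - round(h["seconds"])) <= tolerance_s
    )
    suspected = None
    if buckets:
        value, count = buckets.most_common(1)[0]
        suspected = value if count >= 2 else None
    return {"hits": hits, "suspected_timeout_s": suspected}


if __name__ == "__main__":
    result = find_proxy_timeouts(SAMPLE_HAR)
    for hit in result["hits"]:
        print(f'{hit["seconds"]:7.2f}s from_proxy={hit["from_proxy"]} {hit["url"]}')
    print("suspected proxy timeout (s):", result["suspected_timeout_s"])
```

After raising the timeout to 180 seconds, a fresh export should no longer show proxy-generated 504s clustered at 60 seconds.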