Hello,
I'm trying out OPNWAF because it interests me.
My test setup is really simple: I'm reverse proxying the web interface of my Pihole.
WAN ---> IPv4 pihole.external.example.com ---> DEC740 Port 443 ---> OPNWAF + ACME ---> raspi03.internal.example.com with self signed HTTPS cert
I have configured everything as described in the documentation.
The result looks very strange. At first I thought it was the SSL termination, which is why I set up a self-signed HTTPS cert so the Apache proxy can proxy to port 443 instead of 80, but the website of the Pihole still looks kinda mangled.
I also tried with and without mod_security enabled, but that didn't change anything.
Since I have only used nginx as a reverse proxy before, the result surprised me. Is this to be expected, or is my test scenario just a bad choice? In the end I want to use it as the reverse proxy for internal services like checkmk, otobo or nextcloud.
Thanks for any input. :)
root@opn02:~ # cat /usr/local/etc/apache24/Includes/acme.conf
# Let's encrypt renewal
MDCertificateAgreement accepted
MDNotifyCmd /usr/local/sbin/configctl apache reload
MDContactEmail admin@example.com
/usr/local/etc/apache24/Includes/gateway_vhosts.conf
root@opn02:~ # cat /usr/local/etc/apache24/Includes/gateway_vhosts.conf
Listen 443
<Proxy balancer://ff9fefd4-3a8c-489d-bfb4-3dafb1485380>
BalancerMember https://raspi03.internal.example.com/admin
</Proxy>
MDomain pihole.external.example.com
<VirtualHost *:443>
ServerName pihole.external.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLEngine on
Protocols h2 http/1.1 acme-tls/1
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS modern configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1 -TLSv1.2
SSLHonorCipherOrder off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
<Location "/">
ProxyPreserveHost Off
ProxyPass "balancer://ff9fefd4-3a8c-489d-bfb4-3dafb1485380/"
ProxyPassReverse "balancer://ff9fefd4-3a8c-489d-bfb4-3dafb1485380/"
</Location>
Header always merge Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# Add security and privacy related headers
Header set Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;"
Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin"
Header set X-Frame-Options: "deny"
SetEnv modHeadersAvailable true
</VirtualHost>
In most cases I would expect that the browser is unable to fetch "something", like a JavaScript file. Certainly when all WAF features are disabled for the vhost (as no content modification should be happening then). Some (older) applications also don't like headers being modified, by the way, in which case you could try to disable "header security".
Can you check the network traffic and the console in your browser?
Best regards,
Ad
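An added check (not part of this thread, and not OPNWAF's own code) that evaluates the Content-Security-Policy set by the vhost above the way a browser does, so you can see which resources of an older admin UI it would refuse to load before looking in the browser console. The header set, the page origin and the resource list are constructed to mirror the quoted config, not captured from a real Pihole.

```python
# Added example: evaluate the proxy's 'header security' CSP against a few
# page resources. Headers and resources are constructed, not captured.
from urllib.parse import urlsplit

# Mirrors the Header set line in gateway_vhosts.conf (constructed).
PROXY_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; upgrade-insecure-requests;",
}

def parse_csp(value):
    """Return {directive: [source expressions]} from a CSP header value."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def allows(policy, directive, resource, page_origin):
    """True if `resource` (absolute URL, or 'inline') passes `directive`.
    Fetch directives without an explicit entry fall back to default-src."""
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:            # no applicable directive: nothing restricted
        return True
    if "'none'" in sources:
        return False
    if resource == "inline":       # inline <script>/<style> need 'unsafe-inline'
        return "'unsafe-inline'" in sources
    u = urlsplit(resource)
    origin = f"{u.scheme}://{u.netloc}"
    if "'self'" in sources and origin == page_origin:
        return True
    return any(s.rstrip("/") == origin for s in sources)

def blocked_resources(headers, page_origin, resources):
    """(directive, resource) pairs the proxy-added CSP would refuse to load."""
    policy = parse_csp(headers.get("Content-Security-Policy", ""))
    return [(d, r) for d, r in resources if not allows(policy, d, r, page_origin)]

# Constructed resource list typical of an older admin UI behind the proxy.
PAGE = "https://pihole.external.example.com"
RESOURCES = [
    ("script-src", "inline"),
    ("style-src", "inline"),
    ("style-src", PAGE + "/admin/style/pi-hole.css"),
    ("script-src", "https://cdn.example.org/jquery.min.js"),
]

if __name__ == "__main__":
    for directive, resource in blocked_resources(PROXY_HEADERS, PAGE, RESOURCES):
        print(f"blocked by {directive}: {resource}")
```

With the quoted policy, both inline blocks and the third-party script are refused while the stylesheet served from the proxy's own origin loads, which is the kind of partial breakage that makes a page look mangled.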
You were totally right about header security.
I've missed that, disabling it makes everything look normal.
Thanks so much and have a great weekend :)
Hehe, it's funny, as I had similar issues while developing this and using it on an older application internally. Good to hear this fixed your issue.
Have a great weekend too!