OPNsense Forum

English Forums => General Discussion => Topic started by: Wuensch-AG-Adm on August 14, 2024, 08:01:08 PM

Title: OPNWAF with Nextcloud, wildcard Letsencrypt only A rating in ssl labs
Post by: Wuensch-AG-Adm on August 14, 2024, 08:01:08 PM
Dear community,

I've set up a web application firewall with OPNWAF (Business) and ACME Letsencrypt. It works well, but I cannot obtain the A+ on SSL Labs because there's an invalid HSTS policy.
I don't want to deploy the certificates on every Nextcloud and we are using the service ACME Client on the OPNsense firewall with a wildcard. Is there a possibility to set up Nextcloud and OPNWAF to act as reverse proxy to solve this problem? I would like SSL Labs to check the HSTS from the OPNWAF and not from the Nextcloud, to keep the easy aspect of the self-signed certificates on every system.
Is there any other possibility with OPNsense?
I've no clue anymore.

Thanks in advance for your help.

Regards,

Joel T.
Title: Re: OPNWAF with Nextcloud, wildcard Letsencrypt only A rating in ssl labs
Post by: Monviech (Cedrik) on August 14, 2024, 08:28:58 PM
The HSTS and other security headers are a contract between the web application itself, and the browser accessing it.

Manipulating these headers with a reverse proxy should be avoided whenever possible.

The webserver that serves the Nextcloud has to add these headers. These headers should pass the reverse proxy unaltered.
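To make the "invalid HSTS policy" finding concrete, here is an added example (not code from the thread, OPNsense or OPNWAF) that checks a set of HTTP response headers the way a browser is required to read them under RFC 6797: `Strict-Transport-Security` is parsed directive by directive, `max-age` is mandatory, a directive may not repeat, and when a response carries several HSTS header fields (for instance one from the backend webserver and one added by a reverse proxy) only the first one is processed. The header samples and the 180-day `MIN_MAX_AGE` threshold are constructed for the example; the threshold is an assumption, not SSL Labs' published rule.

```python
"""Validate the Strict-Transport-Security (HSTS) header fields of a response.

Parsing follows RFC 6797 section 6.1 (directive syntax, max-age required,
no repeated directive) and section 8.1 (only the first HSTS header field
in a response is processed by the user agent).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple, Dict, Any

# Assumed threshold for a "long enough" max-age (180 days). This is a value
# chosen for the example, not a rule taken from any scanner.
MIN_MAX_AGE = 15552000

# RFC 7230 token characters; used for directive names and unquoted values.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_DIRECTIVE = re.compile(rf'^\s*({_TOKEN})\s*(?:=\s*(?:"([^"]*)"|({_TOKEN})))?\s*$')


@dataclass
class HstsResult:
    valid: bool
    max_age: Optional[int] = None
    include_subdomains: bool = False
    preload: bool = False
    problems: List[str] = field(default_factory=list)


def parse_hsts(value: str) -> HstsResult:
    """Parse one HSTS header field value; unknown directives are ignored."""
    res = HstsResult(valid=True)
    seen = set()
    for raw in value.split(';'):
        if not raw.strip():
            continue
        m = _DIRECTIVE.match(raw)
        if not m:
            res.problems.append(f'malformed directive: {raw.strip()!r}')
            res.valid = False
            continue
        name = m.group(1).lower()
        val = m.group(2) if m.group(2) is not None else m.group(3)
        if name in seen:  # RFC 6797 6.1: a directive must not appear twice
            res.problems.append(f'duplicate directive: {name}')
            res.valid = False
            continue
        seen.add(name)
        if name == 'max-age':
            if val is None or not val.isdigit():
                res.problems.append('max-age must be a non-negative integer')
                res.valid = False
            else:
                res.max_age = int(val)
        elif name == 'includesubdomains':
            res.include_subdomains = True
        elif name == 'preload':
            res.preload = True
    if 'max-age' not in seen:
        res.problems.append('max-age directive missing')
        res.valid = False
    return res


def evaluate(headers: List[Tuple[str, str]], min_max_age: int = MIN_MAX_AGE) -> Dict[str, Any]:
    """Judge a full response header list; flags duplicated HSTS fields and short max-age."""
    sts = [v for (n, v) in headers if n.lower() == 'strict-transport-security']
    if not sts:
        return {'ok': False, 'max_age': None, 'problems': ['no Strict-Transport-Security header']}
    res = parse_hsts(sts[0])  # RFC 6797 8.1: only the first field counts
    problems = list(res.problems)
    if len(sts) > 1:
        problems.append(f'{len(sts)} Strict-Transport-Security fields in one response '
                        '(e.g. backend and proxy both adding one); only the first is honoured')
    if res.valid and res.max_age < min_max_age:
        problems.append(f'max-age {res.max_age} is below the assumed threshold {min_max_age}')
    ok = res.valid and len(sts) == 1 and res.max_age >= min_max_age
    return {'ok': ok, 'max_age': res.max_age, 'include_subdomains': res.include_subdomains,
            'preload': res.preload, 'problems': problems}


# Constructed sample responses (header name, value) for the example.
SAMPLES = {
    'backend_only': [('Content-Type', 'text/html'),
                     ('Strict-Transport-Security', 'max-age=31536000; includeSubDomains; preload')],
    'proxy_and_backend': [('Strict-Transport-Security', 'max-age=31536000; includeSubDomains'),
                          ('Strict-Transport-Security', 'max-age=15768000')],
    'short': [('Strict-Transport-Security', 'max-age=300')],
    'no_max_age': [('Strict-Transport-Security', 'includeSubDomains')],
    'missing': [('Content-Type', 'text/html')],
}

if __name__ == '__main__':
    for name, hdrs in SAMPLES.items():
        print(name, evaluate(hdrs))
```

Run it as a script to see each constructed case judged; the `proxy_and_backend` case is the situation the reply above warns about, where the proxy's own header competes with the one the Nextcloud webserver sends, and the `missing` case is what a proxy that strips backend headers would produce.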
Title: Re: OPNWAF with Nextcloud, wildcard Letsencrypt only A rating in ssl labs
Post by: Wuensch-AG-Adm on August 15, 2024, 08:43:13 AM
I understand this point. Is there a possibility to distribute / deploy the wildcard Letsencrypt certificate from the OPNsense to the diverse systems in the DMZ, to simplify the process and not have every system requesting a renewal every time?

Thank you ahead.

Regards,

Joel T.