I tried using Naxsi to detect and block these kinds of attacks. However, I need to connect a VPN to OPNsense and set OPNsense as a proxy to achieve this objective.
This should not be correct, as an attacker will not connect to the VPN and set a proxy. Is there any solution that lets users visit the website while these XSS and SQL injection attacks are blocked at the OPNsense level before they reach the website?