Hi everyone,
I'm relatively new to OPNsense.
I'm in the process of getting a new virtual environment based on Proxmox set up. I ordered the business license so I have access to OPNWAF.
Downloaded the plugin and didn't receive any errors during installation.
If I try to enable the module without any further config within web protection or gateways nothing happens.
I see a short progress bar and nothing's working.
System log file only gives "Notice root /usr/local/etc/rc.d/apache24: WARNING: failed to start apache24". I could not find any other related log files on the system.
Can anyone give me a hint where to start looking?
Did you configure virtual servers etc. to actually set up services protected by the WAF?
It's all quite extensively documented here: https://docs.opnsense.org/vendor/deciso/opnwaf.html
I followed the documentation and set up all parts.
As the service didn't start I tried to remove all parts from "Gateways", disabled "Web Protection", and just left the bare service enabled.
Still running into the same problem.
I know that it runs just fine and quite some business customers use it with complex configurations.
Not starting means there is a port overlap most likely.
Give this output from the command line:
# sockstat -l
If you see any other services using 80 or 443 you know what to stop.
After handling that, OPNWAF needs at least one virtual server defined to start.
Ok, I removed the module and reinstalled everything; even though I am sure I've done the same as before, it's working now.
I had already moved the Admin GUI to port 444 before this.
I am running into a proxy error now: "The proxy server could not handle the request. Reason: Error during SSL Handshake with remote server"
I already set up Let's Encrypt before with a wildcard certificate. I am using this certificate for the Web GUI.
I set the virtual server to use the same certificate and left all other ACME options unticked (as they have already been set up before).
Changing to the OPNsense self-signed certificate works fine (apart from the wrong certificate).
Am I doing anything wrong here?
Just for the context:
I'm trying to provide access to servers in the DMZ for users logged in via WireGuard.
The virtual server is listening on an internal IP address so I won't be able to use LE to autogenerate new certificates for this virtual server.
The web error log entries are as follows:
2025-09-04T09:51:53 Informational httpd [proxy_http:error] [pid 69219:tid 66041327699968] [client 10.99.255.2:55615] AH01097: pass request body failed to 10.100.20.23:443 (10.100.20.23) from 10.99.255.2 ()
2025-09-04T09:51:53 Informational httpd [proxy:error] [pid 69219:tid 66041327699968] [client 10.99.255.2:55615] AH00898: Error during SSL Handshake with remote server returned by /
2025-09-04T09:51:53 Informational httpd [proxy:error] [pid 69219:tid 66041327699968] (20014)Internal error (specific information not available): [client 10.99.255.2:55615] AH01084: pass request body failed to 10.100.20.23:443 (10.100.20.23)
Alright,
I followed the suggestion in https://forum.opnsense.org/index.php?topic=34923.msg196467#msg196467 and deactivated "SSLProxyCheckPeerName".
Seems to be working now :)
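For anyone landing here with the same AH00898 message: the option toggled in the post above is the Apache mod_ssl directive SSLProxyCheckPeerName. The block below is an added plain Apache httpd illustration, not the thread's own configuration and not what OPNWAF generates; the hostnames, the backend IP taken from the log lines, and the CA file path are assumptions.

```apache
# Added example (not OPNWAF's generated config): two ways the reverse proxy in
# this thread can get past "Error during SSL Handshake with remote server".
# Use ONE of the two VirtualHost blocks; they are alternatives, not a pair.

# --- Variant 1: peer-name check switched off (what the last post did) ---
# The backend is addressed by its IP, which the names in its certificate are
# unlikely to cover, so the hostname check fails and the handshake is aborted.
# Turning the check off lets the proxy connect, but the backend certificate's
# name is no longer verified; only the Apache -> backend hop is affected.
<VirtualHost *:443>
    ServerName           dmz-app.example.internal
    SSLEngine            on
    SSLProxyEngine       on
    SSLProxyCheckPeerName off
    ProxyPass            "/" "https://10.100.20.23/"
    ProxyPassReverse     "/" "https://10.100.20.23/"
</VirtualHost>

# --- Variant 2: keep the check and make it pass ---
# Address the backend by the name that appears in its certificate (resolved
# via internal DNS or /etc/hosts to 10.100.20.23) and trust the CA that issued
# that certificate, so the proxy verifies both the chain and the name.
<VirtualHost *:443>
    ServerName               dmz-app.example.internal
    SSLEngine                on
    SSLProxyEngine           on
    SSLProxyVerify           require
    SSLProxyCheckPeerName    on
    SSLProxyCACertificateFile "/usr/local/etc/ssl/dmz-backend-ca.pem"  # assumed path
    ProxyPass                "/" "https://backend.dmz.example.internal/"
    ProxyPassReverse         "/" "https://backend.dmz.example.internal/"
</VirtualHost>
```

In OPNWAF these directives are set through the virtual server / gateway options rather than by editing httpd.conf, but the effect on the backend TLS connection is the same.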