Hi all,
I am running the HAProxy plugin as reverse-proxy for providing my self-hosted services that need to be public (behind a bunch of blocklists including geoblocking).
If I understand correctly, HAProxy runs directly on the OPNsense system, and not somehow as a container or VM. I was wondering if an attacker could exploit a vulnerability in HAProxy and with that gain access to OPNsense itself, the core of my home network? Would I gain anything in terms of security when putting HAProxy in an LXC or VM on Proxmox (different hardware than my bare metal OPNsense box), living in its separate DMZ VLAN?
How do you all run HAProxy? As OPNsense plugin or standalone? If standalone, do you edit the config files directly, or is there something similar to the OPNsense webUI that facilitates changes in the config?
Sorry if this has been asked before, I did search but maybe not with the best keywords.
Cheers and thanks in advance,
Untoasted
I consider haproxy battle-tested and secure, with a lot of resources behind it as in people developing, using, reporting defects, etc. A lot more than more recent thingies like caddy and the like. I see haproxy as similar in security to nginx.
That said, mostly as a placebo maybe, I am using crowdsec on haproxy to permaban those scanner types.
As for being a plugin it has pros and cons. You get a nice UI but not every functionality is exposed by it. For the basic reverse proxy it is excellent; maybe webadmin can help if using it on a separate VM or LXC. I haven't looked. So if you need/want to do config changes it is easier and more flexible without the plugin. See for instance https://github.com/opnsense/plugins/issues/4923
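For the standalone case discussed in this thread, the following is an added example of a minimal hand-written HAProxy configuration; it is not the OP's setup, not the reply author's config, and not what the OPNsense plugin generates. It shows the two things that matter for the "what if HAProxy itself is exploited" question: the process drops to an unprivileged user inside a chroot, and source-IP blocking happens at the TCP layer before any HTTP parsing. All paths, users, hostnames and addresses are assumed placeholders.

```haproxy
global
    # Drop privileges: the worker runs as an unprivileged user inside an
    # (assumed) empty directory, so a compromised HAProxy process cannot read
    # the host filesystem or the firewall's own config. Not a full sandbox;
    # a VM/LXC in a DMZ VLAN adds network-level separation on top of this.
    chroot /var/haproxy
    user haproxy
    group haproxy
    daemon
    # Log over UDP to a local syslog listener; /dev/log is not reachable
    # from inside the chroot unless it is bind-mounted there.
    log 127.0.0.1:514 local0
    # Runtime admin socket, file-mode restricted and never bound to a network port
    stats socket /var/run/haproxy.sock mode 600 level admin

defaults
    mode http
    log global
    option httplog
    timeout connect 5s
    timeout client 30s
    timeout server 30s

frontend public_https
    bind :443 ssl crt /etc/haproxy/certs/ alpn h2,http/1.1
    # Reject blocklisted sources (one IP/CIDR per line, assumed file path)
    # at connection time, before TLS/HTTP processing touches the request.
    tcp-request connection reject if { src -f /etc/haproxy/blocklist.txt }
    # Only route a known hostname; everything else is denied rather than
    # falling through to a default backend.
    acl host_app req.hdr(host) -i app.example.com
    http-request deny if !host_app
    use_backend app if host_app

backend app
    # The published service lives in the DMZ VLAN (assumed address),
    # never on the firewall host itself.
    server app1 10.20.0.10:8080 check
```

Validate edits with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; the `tcp-request connection reject` line is also where a crowdsec-maintained list can be plugged in instead of a static file.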