OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: andre4 on June 24, 2018, 02:01:51 pm

Title: access specific service behind firewall based on specific URL-path
Post by: andre4 on June 24, 2018, 02:01:51 pm
Hi everyone, I am a happy new owner of an OPNsense firewall and am trying
to access a service behind my firewall from the internet via a URL like this one:
<dynDNSURL>:<portExt>/<mypath1..n>

Based upon the provided <mypath1..n> a corresponding internal server and internal port should be selected.

So from my understanding there is a need for a port mapping, as I want to use this for different kinds of services which are externally hidden behind a URL path.

Example 1: mydns.de:443/hiddensshforServer1 should map to the Server1 SSH daemon on port 22.
Example 2: mydns.de:443/hiddenXXXforServer3 should map to the Server3 XXX daemon on port yyy.

PS: So I am trying to make this work for many different services, not only HTTP-based ones.

I would like OPNsense to only answer requests to these services when a specific path is provided by the requester.

I would really appreciate any hint in the right direction as to which service and features to use, if this is possible at all.

Best Andre
Title: Re: access specific service behind firewall based on specific URL-path
Post by: fabian on June 24, 2018, 05:49:36 pm
So you are looking for an HTTP proxy supporting the CONNECT method. Squid may be able to do that, but I am not sure. In general it does not sound very standards-compliant, because CONNECT requests would look like documented here:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/CONNECT
Title: Re: access specific service behind firewall based on specific URL-path
Post by: andre4 on June 24, 2018, 06:58:03 pm
Hello Fabian, thanks for your suggestion and quick reply.

In the case of the HTTP proxy and the CONNECT request: would all communication afterwards also be forwarded transparently by the HTTP proxy to the client, which is my intention, or is this non-standard? And if it depends, on what? As this is only for my own purposes on infrastructure I own, I would not care about the potential man in the middle on my side created by the transparent HTTP proxy....

I am just looking into the HTTP request redirect feature of HAProxy. However, I have no clue whether this would work with something not pointing to an HTTP service... or work at all.

PS: To explain my intention. Even though security by obscurity is for sure not the best, I am trying, with that hidden access path, to add an additional layer of security for some services exposed to the internet, beside the two factors which I will deploy for sure...

Best Andre
Title: Re: access specific service behind firewall based on specific URL-path
Post by: fabian on June 24, 2018, 07:04:01 pm
It is not a transparent proxy - it would be a standard proxy. After the proxy answers with an OK, you will get a normal TCP connection to the backend server, which can be any protocol (the proxy will pass through everything in both directions).
Title: Re: access specific service behind firewall based on specific URL-path
Post by: andre4 on June 24, 2018, 11:03:35 pm
Thank you Fabian, that sounds like exactly what I am trying to build. I had a quick look at the Squid project pages. Squid seems to be able to handle CONNECT. However, they state that it should be used "carefully". Hence they have disabled CONNECT by default, but it can be enabled.

Given my idea of reducing the public attack surface by hiding responses behind specific URLs, I wonder what you think about this? Is this a valuable idea to enhance security in combination with typical 2FA? Or do you think it is more of an additional potential security hole?

Another benefit from my point of view is more flexibility in the management of incoming ports, e.g. I could use 443 as the single port exposed to the internet for several types of connection to my internal site, as the target service is encoded in the URL path.

PS: Is it possible to configure the Squid inside OPNsense to first use the built-in 2FA for an incoming CONNECT request and then open the CONNECT session? Or would I have to build something around it? I understood so far that I can combine the 2FA with every service of OPNsense..

Kind regards

Andre 
Title: Re: access specific service behind firewall based on specific URL-path
Post by: fabian on June 25, 2018, 05:51:29 pm
CONNECT without carefully designed ACLs is dangerous in the sense that your proxy may be abused for illegal traffic. If you do everything correctly, I don't know of any issues with the protocol itself. Keep in mind that you should allow only [HTTP verb CONNECT, your host, single port], or you will open a security hole into your network or may be abused by a botnet for distributing malicious traffic. In theory you could do the same with SOCKS, or hide your servers using the TOR plugin (you can require a key for a hidden service).
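To make the "[HTTP verb CONNECT, your host, single port]" rule from the reply above concrete, here is an added squid.conf fragment (example only, not from the thread or from OPNsense's generated configuration) that authenticates the client and then permits CONNECT solely to Server1's SSH port; note that CONNECT addresses a host:port, not a URL path. The internal address 192.168.1.10, the listening port, the auth helper path and the password file are placeholders.

```squid
# Added example: restrictive CONNECT tunnelling for a single internal service.
# Listener on the externally exposed port. A TLS front-end (https_port with a
# certificate) is assumed to be configured separately and is not shown here.
http_port 443

# Require proxy authentication before anything else is evaluated.
# Helper program and password file paths are placeholders.
auth_param basic program /usr/local/libexec/squid/basic_ncsa_auth /usr/local/etc/squid/passwd
auth_param basic realm hidden-services
auth_param basic credentialsttl 2 hours
acl authenticated proxy_auth REQUIRED

# The only tunnel target that should ever be reachable: Server1, port 22.
# 192.168.1.10 is a placeholder for the real internal address.
acl CONNECT method CONNECT
acl server1 dst 192.168.1.10
acl ssh_port port 22

# Squid applies the first matching http_access line, so order matters:
# 1. unauthenticated clients are refused (and challenged for credentials),
# 2. authenticated clients may tunnel to Server1:22 only,
# 3. everything else (other hosts, other ports, plain GET/POST) is denied,
#    which keeps the proxy from being usable as an open relay.
http_access deny !authenticated
http_access allow CONNECT server1 ssh_port
http_access deny all
```

A client then opens the tunnel with `CONNECT 192.168.1.10:22 HTTP/1.1` after supplying credentials; any CONNECT to another host or port, and any non-CONNECT request, receives a 403 from Squid.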