Web Proxy Filtering and Caching / Migration from PFSense to OPNSense - HA Proxy - Transparent Proxy
« on: January 25, 2021, 12:21:17 pm »
Hi guys.
I'm in the process of migrating from PFSense to OPNSense.
On my PFSense installation I have a reverse proxy (made with HA Proxy) that redirects several web servers I have on my network to the respective domains.
Now I've moved these configurations across and it's working, even with SSL, but some websites use a user login and registration (Discourse platform), and since the website is behind the new HA Proxy I always get a CSRF error. I guess it's due to the fact that HAProxy is using its own address to connect to the service and not keeping the one of the client from the WAN.
On PFSense, under the HA Proxy config, there is this tick box that was making everything work:
https://imgur.com/a/ty3nJrH
PFSense called it "Transparent ClientIP", but I can't manage to find a way to replicate the same behaviour on OPNSense.
Practically, every Discourse host now opens correctly and works with no issue, even SSL is working perfectly, but every login or logout operation doesn't work due to the CSRF error, which I don't know how to solve.
The X-Forwarded-For option has already been turned on, and in the firewall I've created a rule for ports 80 and 443 to pass to "This Firewall".
Currently the setup is the following, to give you guys an idea:
domain1.com -> WAN-IP -> HAProxy -> LocalServer (10.0.1.50)
domain2.com -> WAN-IP -> HAProxy -> LocalServer (10.0.1.51)
and so on.
I did this using a shared frontend (sorry, still used to the old naming of PFSense) where the applied rules redirect the traffic to the correct local server.
This frontend uses the X-Forwarded-For option and the SSL offload, so I can reach the correct local server with the correct assigned certificate, with no flags from the browser or anything.
The issue is that the websites, as I said before, all report the CSRF error when I try to log in or register (they are Discourse installations), and looking in the HTTP header, the IP reported to the web server is indeed the local IP and not the origin IP from the outside world.
The same config on the local web server was working like a charm on PFSense, so the web server itself doesn't present an issue here; the problem is probably in HA Proxy on OPNsense, which might work slightly differently, and I'm missing something.
Can anyone give me a hint on what I'm missing here?
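
In the setup described above the web server always sees the proxy as the TCP peer, so the client address has to come from X-Forwarded-For, and that header is only trustworthy when the connection itself came from the proxy. The sketch below is an added example, not part of the original post and not Discourse or HAProxy code; the proxy address 10.0.1.1 and the function names are assumptions.

```python
import ipaddress

# Assumption: the firewall running HAProxy reaches the web servers from this
# LAN address (constructed; the post only gives the servers, 10.0.1.50/51).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.1.1/32")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(peer, xff, trusted=TRUSTED_PROXIES):
    """Return the client address a backend behind the proxy should record.

    peer: source address of the TCP connection as seen by the web server.
    xff:  raw X-Forwarded-For header value, or None if the header is absent.
    """
    peer_addr = ipaddress.ip_address(peer)
    # A header that did not arrive through our own proxy is client-controlled
    # and is ignored; the TCP peer is the only address we can vouch for.
    if not xff or not _is_trusted(peer_addr, trusted):
        return str(peer_addr)
    # Proxies append to the header, so walk it from the right and stop at the
    # first hop that is not one of our proxies. Entries further left may have
    # been supplied by the client itself.
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: nothing to its left can be trusted either.
            break
        if not _is_trusted(addr, trusted):
            return str(addr)
    return str(peer_addr)
```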