Messages - nfa04

#1
I own a small homelab which has a dedicated OPNsense firewall. The servers of the homelab are the only devices on this network. I have been running Suricata IDS + IPS on my LAN interface for some time now. As I host a website (encrypted), I thought about adding some additional protection in the form of a WAF. Therefore I installed the nginx plugin, set it up to terminate SSL and activated the WAF. It's working perfectly, but I wonder what the implications for Suricata might be.

Here are some of my assumptions and questions:
A) If I pass the data to my backend server unencrypted, this allows Suricata running on LAN to scan the actual payload, therefore making it more effective.
B) The source of all requests now appears to be the firewall itself, as it's running the reverse proxy. Does this make Suricata less effective? Does this mean it could start blocking my reverse proxy? If yes, is there a way around it? Does it make a difference, as listening on LAN is behind NAT anyway?
C) I don't see a way to configure nginx as a transparent proxy using the official plugin. Is this correct? I could use X-Forwarded-For, but this apparently doesn't work with IPS, am I right? Or does it?
D) In case of a detected intrusion, will only the current connection be dropped or everything from that IP (potentially the reverse proxy)?
E) Is there another way I could make WAF + TLS offloading + Suricata IPS work?

Up until now I had a pretty rough time figuring this out. I hope someone is going to be able to help with that.

Cheers!
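The attribution gap raised in B) and D), as an added example that is not part of the original post: once nginx on the firewall terminates TLS, every backend connection Suricata sees on LAN originates from the proxy, so alerts (and any IP-based drop) point at the proxy rather than the real client. This script joins Suricata EVE alerts to the proxy's own nginx access log by time to recover candidate client addresses; the proxy address, the nginx log_format and all log lines are constructed assumptions, while the EVE field names are Suricata's.

```python
import json
from datetime import datetime, timedelta

# Assumed LAN address of the OPNsense box running the nginx plugin: with TLS terminated
# there, every backend connection Suricata sees on LAN carries this source address.
PROXY_IP = "192.168.1.1"

# Constructed Suricata EVE JSON lines (Suricata's field names, made-up values).
EVE_LINES = [
    '{"timestamp":"2024-05-01T12:00:01.250000+0000","event_type":"alert",'
    '"src_ip":"192.168.1.1","dest_ip":"192.168.1.20","dest_port":8080,'
    '"alert":{"signature":"CONSTRUCTED web attack rule","severity":1}}',
    '{"timestamp":"2024-05-01T12:00:05.000000+0000","event_type":"flow",'
    '"src_ip":"192.168.1.1","dest_ip":"192.168.1.20","dest_port":8080}',
]

# Constructed nginx access log for an assumed log_format '$time_iso8601|$remote_addr|"$request"';
# on the proxy itself $remote_addr is the real Internet client, not a forwarded header.
ACCESS_LINES = [
    '2024-05-01T12:00:01+00:00|203.0.113.7|"GET /login HTTP/1.1"',
    '2024-05-01T12:00:05+00:00|198.51.100.9|"GET / HTTP/1.1"',
]

def parse_eve(lines):
    """Keep only alert events and parse the EVE timestamp (offset written as +0000)."""
    alerts = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("event_type") == "alert":
            ev["ts"] = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%f%z")
            alerts.append(ev)
    return alerts

def parse_access(lines):
    """Parse the constructed pipe-separated format into (ts, client, request)."""
    out = []
    for line in lines:
        ts, client, request = line.split("|", 2)
        out.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S%z"), client, request.strip('"')))
    return out

def attribute(alerts, requests, window=timedelta(seconds=2)):
    """Join proxy-sourced alerts to access-log clients seen within `window`; others keep src_ip."""
    result = []
    for a in alerts:
        # Several clients may share the window: report all candidates, never a single guess.
        near = {c for ts, c, _ in requests if abs(ts - a["ts"]) <= window}
        clients = sorted(near) if a["src_ip"] == PROXY_IP else [a["src_ip"]]
        result.append((a["alert"]["signature"], clients))
    return result
```

The same join works against a backend server's log if that server records the X-Forwarded-For header nginx adds, which is the only place the original client survives once the proxy has re-originated the connection.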