Messages

Hello, thank you for the suggestions.

After increasing the regex limits, I was able to identify additional rules that were blocking the attachment upload.

However, I then reached a point where processing these rules caused the CPU usage to spike to 100% continuously — even though the attachments themselves were only a few KB in size.

At the moment, I have disabled all 941XXX and 942XXX rules. When these OWASP rules are skipped, the issue no longer occurs and attachments work as expected. From a security perspective, I cannot fully assess the impact of this change. However, we do have additional security measures in place, which likely helps keep the overall risk manageable.

Best regards

Hello everyone,

we are currently migrating from Sophos UTM9 to OPNsense Business Edition and are using the OPNWAF plugin.

The goal is to publish Outlook Web Application (Exchange Server SE) exclusively via reverse proxy/WAF. In general, access to OWA is already working stable.


Problem:

Uploading or attaching files in emails does not work. The upload area just shows a loading spinner which never completes.

No visible rule in the security log that is blocking the upload (at least not identifiable to me)

If Web Protection is disabled → uploads work immediately
If Web Protection is set to "Detect Only" → uploads still do not work ???
If Web Protection is enabled and all triggered rules are excluded/disabled, it also works



I have already disabled or excluded several triggered rules, including:

941100, 920451, 941160, 920640, 920450, 920420, 920180, 920440, 920650,
941180, 920480, 920340, 954130, 920171, 920540, 949059, 949159, 921130, 934100


Has anyone successfully run OWA behind OPNWAF?

If yes, which rules had to be disabled to make file uploads work?


Thanks in advance for any hints.

Best regards

Thanks for the fast reply!
OK, That makes sense. I'll go ahead and try using the regular ACME plugin together with OPNWAF as you suggested.

Thanks again!

Hy everyone,

I'm not sure if this is the right place for feature requests, but I'd like to ask for DNS-01 validation support in the ACME functionality of the OPNWAF Plugin in the Business Edition.

Right now, I can only find HTTP-01 validation in the Business ACME integration. Maybe I overlooked something, but DNS-01 support doesn't seem to be available.

Since the ACME plugin in the Community Edition already supports DNS-01, it would be extremely helpful to have the same capability in the Business Edition. Especially for environments where HTTP validation isn't possible (internal services, restricted firewalls, wildcard certificates, etc.).

Thanks, and apologies if this post should be placed elsewhere!