General Discussion / Info Request: WAF/Publishing Web Sites & Web Sockets
« on: September 26, 2018, 05:51:17 pm »
All,
About five years ago, I used pfSense but left it to go to Sophos UTM primarily because of ease of configuration for the Sophos Web Application Firewall (WAF). I am currently running into one problem and one major inconvenience that I would like to address. I "think" OPNsense may be a solution and am requesting validation assistance before I jump totally onboard.
The problem is that Sophos UTM WAF cannot handle web sockets. The only workaround is to use NAT to forward a specific port. This does not work at my work locations where I am limited to ports 80/443.
The inconvenience is that managing LetsEncrypt certificates is still a somewhat manual process. I prefer a solution that handles the renewals in an automatic manner.
My representative givens are:
- Home Network
- Network Geometry - Internal <=> FW <=> External
- Reverse proxy on FW
- LetsEncrypt on FW
- Internal web servers:
  - http://sabnzbd.example.com:9000
  - https://sickrage.example.com:9100
  - https://guac.example.com (websockets)
  - https://proxmox1.example.com:8006 (websockets)
- Separate DNS internal and external
- Access above web servers using the following names both internally and externally on TCP/443:
  - https://sabnzbd.example.com
  - https://sickrage.example.com
  - https://guacamole.example.com with upgrade to websockets
  - https://proxmox1.example.com with upgrade to websockets
- Configure LetsEncrypt for each of these web servers via web user interface
- Have LetsEncrypt automatically update certificates prior to their expiration
There are additional functional requirements regarding custom firewall rules and port forwarding that I know OPNsense can perform based upon my previous experience with pfSense. I have purposely excluded these to focus on the issues that are not as clear to me from my current investigation.
My questions are:
- Can my functional requirements be met with OPNsense?
- If so, what are the recommended modules (i.e. I assume haproxy for the reverse proxy, ...)?
- Are there any howtos or guides for this type of configuration?
- Are there any warnings or gotchas that I should be aware of?
Thanks in advance for your assistance!
LBE
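For reference, the layout described in the post (TLS terminated on the firewall with a LetsEncrypt certificate, host-based routing to internal servers, WebSocket upgrade passed through to Guacamole and Proxmox, ACME HTTP-01 challenges answered on port 80) corresponds to an haproxy.cfg along the following lines. This is an added illustration, not the poster's configuration and not what the OPNsense HAProxy plugin emits verbatim; the backend IP addresses, the certificate directory, the internal CA file and the ACME responder port are constructed placeholders.

```haproxy
defaults
    mode http
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  50s
    timeout server  50s
    # After a 101 Switching Protocols, HAProxy treats the connection as a
    # tunnel; WebSocket sessions to Guacamole/Proxmox live under this timeout.
    timeout tunnel  1h

frontend http_in
    bind :80
    # ACME HTTP-01 challenges must stay on plain HTTP; everything else is redirected.
    acl acme path_beg /.well-known/acme-challenge/
    use_backend be_acme if acme
    http-request redirect scheme https code 301 unless acme

frontend https_in
    # Placeholder: directory holding the LetsEncrypt-issued PEM files (cert + key)
    bind :443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    # Route strictly on the requested hostname; unknown names are refused.
    acl host_sab  req.hdr(host) -i sabnzbd.example.com
    acl host_sick req.hdr(host) -i sickrage.example.com
    acl host_guac req.hdr(host) -i guacamole.example.com
    acl host_pve  req.hdr(host) -i proxmox1.example.com
    use_backend be_sabnzbd  if host_sab
    use_backend be_sickrage if host_sick
    use_backend be_guac     if host_guac
    use_backend be_proxmox  if host_pve
    default_backend be_deny

backend be_acme
    server acme 127.0.0.1:8000          # placeholder: local ACME client responder

backend be_sabnzbd
    server sab  10.0.0.10:9000 check    # plain HTTP upstream

# Upstreams that already speak HTTPS: re-encrypt and verify against the
# internal CA rather than disabling verification (placeholder CA path).
backend be_sickrage
    server sick 10.0.0.11:9100 ssl verify required ca-file /usr/local/etc/haproxy/internal-ca.pem check

backend be_guac
    server guac 10.0.0.12:443  ssl verify required ca-file /usr/local/etc/haproxy/internal-ca.pem check

backend be_proxmox
    server pve  10.0.0.13:8006 ssl verify required ca-file /usr/local/etc/haproxy/internal-ca.pem check

backend be_deny
    http-request deny
```

No special WebSocket rule is needed: in HTTP mode HAProxy forwards the Upgrade handshake unchanged and switches to tunnelling once the backend answers 101, so the only knob that matters is `timeout tunnel`.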