General Discussion / Re: Someone could help please with the OPNWAF-Plugin
« on: April 26, 2024, 02:45:21 pm »
In the discussion in the Caddy server thread we found out together with the maintainer that since Caddy 1.5.1 there is the advanced "hidden" parameter TLS Server Name, which is documented as:
Quote
If the SAN (Subject Alternative Name) of the offered trusted CA certificate or self-signed certificate doesn’t match with the IP address or hostname of the Upstream Domain, enter it here. This will change the SNI (Server Name Identification) of Caddy to the TLS Server Name. IP address e.g. 192.168.1.1 or hostname e.g. localhost or opnsense.local are all valid choices. Only if the SAN and SNI match, the TLS connection will work, otherwise an error is logged that can be used to troubleshoot.
Luckily I set up similar Apache proxies (and later Nginx proxies) "ages" ago as well, so I remembered that there is a similar ProxyPreserveHost parameter available.
After checking the default behavior of TLSStrictSNI, which is On and can be set to Off here in Advanced Options, I additionally searched for the ProxyPreserveHost parameter, which is Off by default, and as checked in the config it is also explicitly set to Off.
After setting it manually to On and reloading the Web Access service it was running as expected, with the TLS background service check showing the correct TLS name in the certificate.
It would be nice to have the LogLevel option basically set in the general settings, but it would also be a good idea to let it be set per vhost sometime in the future, to avoid useless logging for heavily used Web Access proxies if only one backend has to be debugged.
Here is one example vhost generated by the Web Access GUI:
/usr/local/etc/apache24/Includes/gateway_vhosts.conf:
Code:
<VirtualHost *:443>
ServerName host.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
SSLProxyEngine On
SSLProxyCheckPeerName Off
SSLEngine on
Protocols h2 http/1.1
SSLCertificateFile /var/etc/apache_b465c420-6703-481e-acab-6a91a06e08bf.pem
SSLCertificateKeyFile /var/etc/apache_b465c420-6703-481e-acab-6a91a06e08bf.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
<Location "/">
ProxyPreserveHost Off
ProxyPass "balancer://64e6acb1-3b46-4006-9a46-a5e582df6f24/"
ProxyPassReverse "balancer://64e6acb1-3b46-4006-9a46-a5e582df6f24/"
</Location>
Header always merge Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
# Add security and privacy related headers
Header set Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;"
Header always edit Set-Cookie (.*) "$1; HttpOnly; Secure"
Header set X-Content-Type-Options "nosniff"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin"
Header set X-Frame-Options: "deny"
SetEnv modHeadersAvailable true
</VirtualHost>
<Proxy balancer://555f9699-86b5-4214-a027-437004b5f9d7>
BalancerMember https://10.30.2.167
</Proxy>
It would be nice to get the 5 failure points fixed/implemented and maybe also the additional 3 points sometime in the future when possible.
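As an added example (my own code, not part of the post or of the OPNsense Web Access plugin), here is a small Python audit of the pasted vhost that flags the proxy settings discussed above: SSLProxyCheckPeerName Off, ProxyPreserveHost Off, a ProxyPass balancer name with no matching <Proxy> block in the excerpt, and a Header directive whose name carries a stray colon. The sample config is a trimmed copy of the posted vhost; the check names and messages are my own.

```python
import re

# Constructed sample: the directives from the posted vhost that the checks below look at.
SAMPLE_VHOST = """\
<VirtualHost *:443>
ServerName host.example.com
SSLProxyEngine On
SSLProxyCheckPeerName Off
<Location "/">
ProxyPreserveHost Off
ProxyPass "balancer://64e6acb1-3b46-4006-9a46-a5e582df6f24/"
ProxyPassReverse "balancer://64e6acb1-3b46-4006-9a46-a5e582df6f24/"
</Location>
Header set X-Frame-Options: "deny"
</VirtualHost>
<Proxy balancer://555f9699-86b5-4214-a027-437004b5f9d7>
BalancerMember https://10.30.2.167
</Proxy>
"""

BALANCER_RE = re.compile(r"balancer://([0-9a-f-]+)")

def parse_directives(text):
    """Yield (keyword, argument string) for each non-comment line; section tags are kept as keywords."""
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            key, _, args = line.partition(" ")
            yield key, args.strip()

def audit_vhost(text):
    """Return the review findings for a reverse-proxy vhost as a list of strings."""
    findings, used, defined, value = [], set(), set(), {}
    for key, args in parse_directives(text):
        k = key.lower()
        if k in ("proxypass", "proxypassreverse"):
            used.update(BALANCER_RE.findall(args))          # balancers referenced
        elif k == "<proxy":
            defined.update(BALANCER_RE.findall(args))       # balancers defined
        elif k == "header":
            tokens = args.split()                           # [condition] action name value
            name = tokens[2] if tokens[0] in ("always", "onsuccess") else tokens[1]
            if name.endswith(":"):
                findings.append(f"Header name {name!r} has a stray colon, so the intended header is not set")
        else:
            value[k] = args.lower()                         # last occurrence wins
    if value.get("sslproxyengine") == "on":
        if value.get("sslproxycheckpeername", "on") == "off":   # Apache default is On
            findings.append("SSLProxyCheckPeerName Off: the upstream certificate name is not verified against the target host")
        if value.get("proxypreservehost", "off") == "off":      # Apache default is Off
            findings.append("ProxyPreserveHost Off: the backend gets the ProxyPass target name, not the client's Host header")
    for name in sorted(used - defined):
        findings.append(f"balancer://{name} is used by ProxyPass but no <Proxy balancer://{name}> block defines it")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_vhost(SAMPLE_VHOST)))
```

Running it against the sample lists all four points; applying the corrections (ProxyPreserveHost On, SSLProxyCheckPeerName On, consistent balancer name, header name without the colon) yields an empty list.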