Reverse proxy and opnsense issues from local network

Started by Xumepoc, May 19, 2023, 02:06:49 PM

Hi,
First, if this topic is already covered, excuse me. I did a search but found nothing exactly the same as my issue (most are due to IPS restrictions).

My setup

I have an OPNsense router with 4 ports, one for WAN and three for LAN connections. I have a second machine with nginx acting as reverse proxy and web server with Let's Encrypt certbot. The third machine is a Proxmox server with some VMs. The second machine, the third machine and some of the VMs have their own web addresses with URL hostnames: web.myhost.com, vm.myhost.com, etc.

Accessing all of these machines works just fine from outside the network. But if I try to access any of the machines in the network from within, using the URL hostnames (web.myhost.com for example), I get "A potential DNS Rebind attack has been detected." and the OPNsense web page.

If I activate the 1:1 option in the firewall, I can access the machines from within, but they now lose access to outside the network (I can't update them for example). I can still access them from outside of the network.

Is this a reverse proxy configuration issue or opnsense configuration issue?


Hi, I just searched for "DNS rebind attack" and found this issue marked as solved https://forum.opnsense.org/index.php?topic=14088.0.

Unfortunately I had already read and tested that implementation, but it did not fix the issue. When I added the alternate hostnames of the machines in the network, I exposed the OPNsense login page to the outside when trying to access the machines using the URL hostnames (web.myhost.com for example).

I have the same issue as well. Using caddy instead of nginx. Were you able to solve it? If so, how?

January 29, 2024, 08:55:58 AM #4 Last Edit: January 29, 2024, 08:58:12 AM by Monviech
If you use a reverse proxy as an additional VM behind the OPNsense, you need to use Reflection and Hairpin NAT to get it to work from inside your network, because when you open your external IP address from inside your network, the OPNsense thinks it has to answer it.

https://docs.opnsense.org/manual/how-tos/nat_reflection.html

As an alternative, if you use Caddy, you can also run it directly on the OPNsense (look at my signature). With that, you don't need any complicated NAT rules for things to just work. (I explained why here, when somebody asked about that for HAProxy and NAT: https://forum.opnsense.org/index.php?topic=38239)

Hardware:
DEC740