OPNWAF beginners problems

Started by TalkingSense, September 03, 2025, 03:41:40 PM

Hi everyone,

I'm relatively new to OPNsense.
I'm in the process of getting a new virtual environment based on Proxmox set up. I ordered the business license so I have access to OPNWAF.
Downloaded the plugin and didn't receive any errors during installation.
If I try to enable the module without any further config within web protection or gateways nothing happens.
I see a short progress bar and nothing's working.
System log file only gives "Notice   root   /usr/local/etc/rc.d/apache24: WARNING: failed to start apache24". I could not find any other related log files on the system.

Can anyone give me a hint where to start looking?

Did you configure virtual servers etc. to actually set up services protected by the WAF?

It's all quite extensively documented here: https://docs.opnsense.org/vendor/deciso/opnwaf.html
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I followed the documentation and set up all parts.
As the service didn't start I tried to remove all parts from "Gateways", disabled "Web Protection", and just left the bare service enabled.
Still running into the same problem.

I know that it runs just fine and quite some business customers use it with complex configurations.

Not starting means there is a port overlap most likely.

Give this output from the command line:

# sockstat -l

If you see any other services using 80 or 443 you know what to stop.

After handling that, OPNWAF needs at least one virtual server defined to start.
Hardware:
DEC740
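To make the port-overlap check above repeatable, here is a small added example (not from any poster and not part of OPNWAF) that parses `sockstat -l` output and reports every TCP listener on the ports the WAF needs. The sample output is constructed for the demo in FreeBSD's column layout; the `lighttpd` lines model the OPNsense web GUI still bound to 80/443, which is the typical collision before the GUI is moved to another port.

```shell
#!/bin/sh
# Added example: parse `sockstat -l` output and flag listeners on the WAF's ports.
# SAMPLE_SOCKSTAT is constructed for this example (FreeBSD column layout); on a real
# box you would feed it "$(sockstat -l)". The lighttpd lines model the OPNsense
# web GUI still bound to 80/443 before it is moved to another port.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     lighttpd   1234  4  tcp4   *:443                 *:*
root     lighttpd   1234  5  tcp4   *:80                  *:*
root     lighttpd   1234  6  tcp6   *:443                 *:*
root     sshd       800   3  tcp4   *:22                  *:*
unbound  unbound    900   5  udp4   127.0.0.1:53          *:*'

# port_conflicts SOCKSTAT_OUTPUT PORT...
# Prints "COMMAND PID PROTO LOCAL_ADDRESS" for every TCP listener bound to one of
# the given ports. Any listener on the port is reported, even if it is bound to a
# single address rather than "*": a conservative check that errs towards reporting.
port_conflicts() {
    _out=$1
    shift
    _ports=" $* "    # " 80 443 " so that index() matches whole port numbers only
    printf '%s\n' "$_out" | awk -v ports="$_ports" '
        NR == 1 { next }            # header line
        $5 !~ /^tcp/ { next }       # UDP sockets cannot collide with an HTTP listener
        {
            # $6 is LOCAL ADDRESS; the port follows the last colon, which also
            # works for IPv6 literals such as 2001:db8::1:443
            n = split($6, a, ":")
            if (index(ports, " " a[n] " ") > 0)
                print $2, $3, $5, $6
        }'
}

# conflict_count SOCKSTAT_OUTPUT PORT...  -> number of conflicting listeners
conflict_count() {
    port_conflicts "$@" | wc -l | tr -d ' '
}

# Demo against the constructed sample: expect the three lighttpd sockets, not sshd.
port_conflicts "$SAMPLE_SOCKSTAT" 80 443
echo "conflicts: $(conflict_count "$SAMPLE_SOCKSTAT" 80 443)"
```

On the firewall itself, `port_conflicts "$(sockstat -l)" 80 443` gives the list to act on; `sockstat -l -p 80,443` does the same filtering natively if you only want a quick look. A non-empty result means something else owns the WAF's ports and has to be moved or stopped before apache24 can bind.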

September 04, 2025, 09:02:00 AM #4 Last Edit: September 04, 2025, 09:54:19 AM by TalkingSense
Ok, removed the module and reinstalled everything - even though I am sure I've done the same as before it's working now.
I moved the Admin GUI to port 444 already before.

I am running into a proxy error now: "The proxy server could not handle the request. Reason: Error during SSL Handshake with remote server"
I already set up Let's Encrypt before with a wildcard certificate. I am using this certificate for the Web GUI.
I set the virtual server to use the same certificate and left all other ACME options unticked (as they have already been set up before).

Changing to the OPNsense self-signed certificate works fine (apart from the wrong certificate).
Am I doing anything wrong here?

Just for the context:
I'm trying to provide access to servers in the DMZ for users logged in via WireGuard.
The virtual server is listening on an internal IP address so I won't be able to use LE to autogenerate new certificates for this virtual server.

The web error log file entries are as follows:
2025-09-04T09:51:53   Informational   httpd   [proxy_http:error] [pid 69219:tid 66041327699968] [client 10.99.255.2:55615] AH01097: pass request body failed to 10.100.20.23:443 (10.100.20.23) from 10.99.255.2 ()   
2025-09-04T09:51:53   Informational   httpd   [proxy:error] [pid 69219:tid 66041327699968] [client 10.99.255.2:55615] AH00898: Error during SSL Handshake with remote server returned by /   
2025-09-04T09:51:53   Informational   httpd   [proxy:error] [pid 69219:tid 66041327699968] (20014)Internal error (specific information not available): [client 10.99.255.2:55615] AH01084: pass request body failed to 10.100.20.23:443 (10.100.20.23)

Alright,
I followed the suggestion in https://forum.opnsense.org/index.php?topic=34923.msg196467#msg196467 and deactivated "SSLProxyCheckPeerName".
Seems to be working now :)
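For anyone landing here with the same AH00898 error: SSLProxyCheckPeerName makes mod_ssl compare the host part of the proxied URL against the CN and subjectAltName entries of the certificate the backend presents, and a wildcard entry covers exactly one left-most label. In this thread the backend is reached as 10.100.20.23:443 (the AH01084 line), so the name being compared is an IP literal, which no DNS name can satisfy. The following is an added example, not code from any poster or from OPNWAF, that models that comparison in plain sh; the SAN lists it is called with are constructed for the demo.

```shell
#!/bin/sh
# Added example: a simplified model of the host-name check that
# SSLProxyCheckPeerName performs on the backend certificate. The SAN lists
# passed in below are constructed for the demo, not taken from a real backend.

# is_ipv4 NAME -> 0 if NAME is a dotted IPv4 literal
is_ipv4() {
    case $1 in
        *[!0-9.]*) return 1 ;;    # anything besides digits and dots
        *) return 0 ;;
    esac
}

# lower STRING -> STRING in lower case (DNS names compare case-insensitively)
lower() {
    printf '%s' "$1" | tr 'A-Z' 'a-z'
}

# san_matches NAME SAN...
# Returns 0 when NAME is covered by one of the SAN entries:
#   DNS:host.example   exact, case-insensitive comparison
#   DNS:*.example      one left-most label only (foo.example, but not a.foo.example
#                      and not the bare "example"); never matches an IP literal
#   IP:10.0.0.1        exact match of an IP literal
san_matches() {
    _name=$(lower "$1")
    shift
    for _san in "$@"; do
        _type=${_san%%:*}
        _value=$(lower "${_san#*:}")
        case $_type in
            IP)
                [ "$_name" = "$_value" ] && return 0
                ;;
            DNS)
                case $_value in
                    \*.*)
                        _suffix=${_value#\*.}
                        case $_name in
                            *.*)
                                _rest=${_name#*.}   # strip exactly one label
                                if [ "$_rest" = "$_suffix" ] && ! is_ipv4 "$_name"; then
                                    return 0
                                fi
                                ;;
                        esac
                        ;;
                    *)
                        [ "$_name" = "$_value" ] && return 0
                        ;;
                esac
                ;;
        esac
    done
    return 1
}

# peer_name_check TARGET_HOST SAN... -> prints "ok" or "mismatch", i.e. whether a
# peer-name check against the host part of the ProxyPass URL would pass.
peer_name_check() {
    if san_matches "$@"; then echo ok; else echo mismatch; fi
}

# The thread's backend is reached as 10.100.20.23:443, so the compared name is the
# IP literal. A certificate listing only DNS names, wildcard or not, cannot match:
peer_name_check 10.100.20.23 'DNS:*.example.internal' 'DNS:example.internal'   # mismatch
# Proxying to a name the certificate actually lists keeps the check enabled:
peer_name_check app.example.internal 'DNS:*.example.internal'                  # ok
# Or the backend certificate carries the address it is reached by:
peer_name_check 10.100.20.23 'IP:10.100.20.23'                                 # ok
```

Turning SSLProxyCheckPeerName off makes the error go away because the WAF stops tying the backend certificate to the host it connected to; whether the chain is verified at all is a separate setting (SSLProxyVerify). The two alternatives in the demo keep the check on: point the virtual server at a DNS name the backend certificate lists (resolving to the DMZ address), or issue the backend certificate with the IP it is reached by in its SAN. Either way the hop from the WAF into the DMZ stays authenticated by name, which matters most when the clients are remote WireGuard users who only ever see the front certificate.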