HAproxy: OPNsense plugin or isolated standalone

Started by Untoasted9563, February 02, 2026, 10:38:33 PM

Hi all,

I am running the HAProxy plugin as reverse-proxy for providing my self-hosted services that need to be public (behind a bunch of blocklists including geoblocking).

If I understand correctly, HAProxy runs directly on the OPNsense system, and not somehow as a container or VM. I was wondering if an attacker could exploit a vulnerability of HAproxy and with that gain access to OPNsense itself, the core of my home network? Would I gain anything in terms of security when putting HAproxy in an LXC or VM on proxmox (different hardware than my bare metal OPNsense box), living in its separate DMZ vlan?

How do you all run HAproxy? As OPNsense plugin or standalone? If standalone, do you edit the config files directly, or is there something similar to the OPNsense webUI that facilitates changes in the config?

Sorry if this has been asked before, I did search but maybe not with the best keywords.

Cheers and thanks in advance,
Untoasted

I consider haproxy battle-tested and secure, with a lot of resources behind it as in people developing, using, reporting defects, etc. A lot more than more recent thingies like caddy and such likes. I see haproxy similar in security as nginx.
That said, mostly for placebo maybe, I am using crowdsec on haproxy to permaban those scanner types.
As for being a plugin it has pros and cons. You get a nice UI but not every functionality is exposed by it. For the basic reverse proxy it is excellent; maybe webadmin can help if using it on a separate VM or LXC. I haven't looked. So if you need/want to do config changes it is easier and more flexible without the plugin. See for instance https://github.com/opnsense/plugins/issues/4923

I also prefer to have a single chokepoint for public inbound access. I run Caddy and HAproxy depending on the requirements.
Paired with block lists I feel safe enough to sleep well.

This of course calls for a couple of procedural/administrative measures to be in place:

- update regularly and timely
- follow common security information sources like mailing lists (of the upstream projects e.g. Caddy/HAproxy), this forum, or more general cve.org.
  (although I would argue that globally the CVE process is broken)
- in case of any published exploit have or acquire the expertise to assess if it applies to you at all

Seriously, running HAproxy on a separate machine with OPNsense passing the traffic won't buy you much. The machine/container will be compromised, it's well inside (behind OPNsense) your network, upstream services published to the Internet by definition trust this proxy ...

All the traffic is TLS encrypted, anyway. So OPNsense in front of that hypothetical separate proxy cannot inspect the traffic.

All in all: Do put your eggs in one basket and watch that bloody basket!

That's the job of a firewall in my opinion.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)