Topic: OPNWAF with Nextcloud, wildcard Letsencrypt only A rating in ssl labs (Read 224 times)
Wuensch-AG-Adm
Newbie
Posts: 12
Karma: 0
OPNWAF with Nextcloud, wildcard Letsencrypt only A rating in ssl labs
« on: August 14, 2024, 08:01:08 pm »
Dear community,
I've set up a web application firewall with OPNWAF (Business) and ACME Letsencrypt. It works well, but I cannot obtain the A+ rating on SSL Labs because there's an invalid HSTS policy.
I don't want to deploy the certificates on every Nextcloud, and we are using the ACME Client service on the OPNsense firewall with a wildcard. Is there a possibility to set up Nextcloud and OPNWAF acting as reverse proxy to solve this problem? I would like SSL Labs to check the HSTS from the OPNWAF and not from the Nextcloud, to keep the simplicity of the self-signed certificate on every system.
Is there any other possibility with OPNsense?
I've no clue anymore.
Thanks in advance for your help.
Regards,
Joel T.
Monviech
Hero Member
Posts: 1365
Karma: 160
Re: OPNWAF with Nextcloud, wildcard Letsencrypt only A rating in ssl labs
« Reply #1 on: August 14, 2024, 08:28:58 pm »
The HSTS and other security headers are a contract between the web application itself and the browser accessing it.
Manipulating these headers with a reverse proxy should be avoided whenever possible.
The webserver that serves the Nextcloud has to add these headers. These headers should pass the reverse proxy unaltered.
Hardware: DEC740
Wuensch-AG-Adm
Newbie
Posts: 12
Karma: 0
Re: OPNWAF with Nextcloud, wildcard Letsencrypt only A rating in ssl labs
« Reply #2 on: August 15, 2024, 08:43:13 am »
I understand this point. Is there a possibility to distribute / deploy the wildcard Letsencrypt certificate from the OPNsense to the various systems in the DMZ, to simplify the process and not have every system requesting a renewal every time?
Thank you in advance.
Regards,
Joel T.