HAproxy: OPNsense plugin or isolated standalone

[Untoasted9563]

Hi all,

I am running the HAProxy plugin as reverse-proxy for providing my self-hosted services that need to be public (behind a bunch of blocklists including geoblocking).

If I understand correctly, HAProxy runs directly on the OPNsense system, and not somehow as a container or VM. I was wondering, if an attacker could exploit a vulnerability of HAproxy and with that gain access to OPNsense itself, the core of my home network? Would I gain anything in terms of security when putting HAproxy in an LXC or VM on proxmox (different hardware than my bare metal OPNsense box), living in its separate DMZ vlan.

How do you all run HAproxy? As OPNsense plugin or standalone? If standalone, do you edit the config files directly, or is there something similar to the OPNsense webUI that facilitates changes in the config?

Sorry if this has been asked before, I did search but maybe not with the best keywords.

Cheers and thanks in advance,
Untoasted