[TUTORIAL] Nginx as simple reverse proxy with web application firewall and SSL

[akong77]

In the Opnsense/nginx log.The remote IP is show real IP.So I need change apache or nginx web server.Right?

[Fright]

if you set "Real IP Source" to none in GUI.
and enable logging of x-real-ip and x-forwarded-for headers on apache:
x-real-ip should show real client IP and
x-forwarded-for should show something like "clientIP,+opnsenseIP"

[akong77]

Thanks.I found log format problem.I fix it.It's all ok.Thank you very much.

[vikozo]

Hello @Rene_

Thanks for this nice tutorial!
i did try to config the HAProxy  but it is not running
https://forum.opnsense.org/index.php?topic=19897.0

would nginx reverse Proxy be the alternative to use?

have a nice day
vinc

[spetrillo]

Anyone got an example of the firewall rules needed for this?

[RamSense]

@spetrillo

For websites behind nginx go to: firewall - rule - wan - add a rule:
protocol IPv4 TCP/UDP - destination <this firewall> - port 443 (https) - description < something you like>
+
protocol IPv4 TCP/UDP - destination <this firewall> - port 80 (http) - description < something you like>

that should put the traffic to your opnsense nginx

[spetrillo]

@spetrillo

For websites behind nginx go to: firewall - rule - wan - add a rule:
protocol IPv4 TCP/UDP - destination <this firewall> - port 443 (https) - description < something you like>
+
protocol IPv4 TCP/UDP - destination <this firewall> - port 80 (http) - description < something you like>

that should put the traffic to your opnsense nginx

Is this good to go?

[RamSense]

That looks correct.

[ddywz]

Thanks for the tutorial.  I have followed it and done everything correctly but the service won't start on nginx.  Something is not right on it.  When I try to enable nginx under general settings and try to start the service it won't start.  If I disable nginx on general settings the service starts (at least the green arrow) shows up but it cannot be stopped with the square icon.  I have to go on dashboard and then stop it from there. 

Not sure why it is doing this.  Do you need to reboot after you set this up?

Thanks,

[toomanylogins]

Can you explain the last line ?

Be sure to have correct firewall rules (from wan to this device, port 80 & 443)

What is this device ? I seem to get stuck here every time

Thanks

[toomanylogins]

I have also got mine working but I dont understand why the destination is any and not wan address on this rule.
I would have thought it should be wan to wan address, source any destination this firewall port https.  To my thinking the destination is the wan address which is the external ip ?
Please excuse if I have this all wrong.
Thanks

[Fright]

@toomanylogins
clarify the question please

[toomanylogins]

Hopefully this is a better explanation. I am confused by the log file. If I want to let email port 25 from my internal network 10.10.10.19 (orange) I have to create a rule as follows. See image of log file before the rule below where outbound email blocked


NIC Orange
Direction IN
Source 10.10.10.19 Port any ie my server
Destination Any ie outside world
Dest Port 25

To my way of thinking if I want to let email OUT of my system I'm confused why you have to create a rule where the direction is IN.  I cant be the only one confused by this.
Thanks
Paul

[Fright]

sorry, I still don't quite understand your configuration (use nginx to stream smtp traffic?)
in general, before a packet can leave the OPN, it must reach OPN. this requires an allowing incoming rule

[dati]

Nice Tutorial!
But for general Testing in a Homelab it is a bit too complicated to set up. If you want to quickly add another Service for testing, you have to set up 4 different entrys in 4 submenus.
I think I have to take a look at HAProxy;)