Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Web Proxy Filtering and Caching
(Moderator:
fabian
) »
opnsense Nginx, website on synology webstation
« previous
next »
Print
Pages: [
1
]
2
3
...
5
Author
Topic: opnsense Nginx, website on synology webstation (Read 24464 times)
RamSense
Hero Member
Posts: 595
Karma: 10
opnsense Nginx, website on synology webstation
«
on:
December 23, 2020, 08:51:55 am »
Nginx website protection opnsense
Hi all, I am recently running opnsense and I love all that it does. It works like a charm, but now I want to make my website protected behind nginx plugin with WAF.
I changed the default port of OPNsense to 444, so now port conflicts
My setup is now ISP – Opnsense – access point – Synology webstation.
I have on my opnsense – firewall – NAT - a port forward for 80 and 443 to the IP of the Synology webstation 198.168.1.133
Synology runs the webstation with an Lets encrypt certificate for the webserver, and the site runs correctly with https. Port 80 is for lets encrypt to renew certificates and 443 for the ssl for instance I think.
Now I want to remove the port forward and have the website behind / through the nginx plugin with waf. This is what I have done, but it does not work. What have I done wrong? What steps do I have to add / change?
Your help is very much appreciated!
1. I have configured the upstream server. Description “webserver”, ip 198.168.1.133, port 80, priority 1, maximum connections 2500, max fails 10 and time out 60
2. I have configured the upstream. Description “backend”, server I selected the above “webserver”, load balancing “weighted round robin”, enable tls: selected/checked, tls supported tls v1.2 and v1.3, tls session reuse: selected/checked, tls trusted certificate: none selected
3. I have downloaded the NAXSI WAF rules
4. I added a new location HTTPS: description “webserver_root”, URL pattern / , match type “ none”, url rewriting “ nothing selected”, enable security rules: selected/checked, then 3 blank, custom security policy: I have selected all the options. Upstream servers “backend”, patch prefix empty, cache directory “ empty”, Force HTTPS: selected/checked, enable HTTP/2 preloading: selected/checked.
5. I added HTTP server: http listen port: 80, https listen port: 443, domain “mywebserverdomain.com”, locations “webserver root”, url rewriting “ nothing selected”, file system root: empty, TLS sertificate “none”, client CA certificate “none”, access log “default”, enable Lets Encrypt plugin support: selected/checked, Charset utf-8, HTTPS only: selected/checked, IP ACL “none”, advanced ACL_authentication backend “local database”, security header “none”, limit request “ nothing selected”
(Do I need to install the lets encrypt plugin in opnsense? And how to configure that? I have not done so because the certificates are on the sinology. )
6. I made a port forward rule: NAT – portfoward: interface WAN, tcp/ip version: IPv4, protocal TCP/UDP, destination “ wan address”, destination port range from HTTPS to HTTPS, redirect target ip “ 192.168.1.1” (opnsense ip), redirect target port HTTPS, description “port forward to nginx proxy”. (p.s. I have deleted the earlier made port forward rules 80 and 443 to the ip of the synology web station.)
7. Nginx global settings, enable nginx selected/checked
The result is that my website does not load on LAN devices, and it does not load from external devices.
What have I done wrong / forgot / have to change?!
Thank you very much in advance for your help!!
Regards
Ramon
«
Last Edit: December 23, 2020, 08:53:29 am by RamSense
»
Logged
fabian
Moderator
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: opnsense Nginx, website on synology webstation
«
Reply #1 on:
December 23, 2020, 05:28:54 pm »
Port forward is definitly wrong -> Firewall rule on WAN and all the other interfaces where you would like to access nginx on the required tcp ports (I guess TCP/80 and TCP/443).
The next thing is you do not have configured a Certificate so the HTTP-Server cannot run in HTTPS mode. Without opening the TLS connection on OPNsense in the nginx plugin, you will not be able to access the data so the WAF will not work. If you want to pass through the connection to your NAS you can still do that using a stream server but I would recommend to have the LE-Certificate and Key on OPNsense so nginx can look into the connection and can handle it as it should (as an HTTP aware server).
It is possible to have LE outside of OPNsense but then you have to update it from time to time.
Logged
RamSense
Hero Member
Posts: 595
Karma: 10
Re: opnsense Nginx, website on synology webstation
«
Reply #2 on:
December 23, 2020, 05:52:08 pm »
Thank you Fabian for your reply.
So in the firewall I should delete the portforward, go to firewall rule- wan - and add a rule for ports HTTPS and HTTP, and to what destination do I point? the wan address?
And I have to export the lets encrypt certificate from synology and import it in opnsense. ok.
And every time the free certificated is being updated I have to change it in opnsens? Is there not an automation way like synology updates it with lets encrypt? Sorry if this sounds like easy questions. Opnsense is very new for me
thanks again,
Ramon
Logged
fabian
Moderator
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: opnsense Nginx, website on synology webstation
«
Reply #3 on:
December 23, 2020, 08:00:05 pm »
For the firewall I would recommend to use 'this firewall' as destination.
If you install the acme plugin, you can issue the certificates directly on OPNsense. The nginx plugin has an advanced option in the http server to forward the challenge to the acme plugin.
Logged
RamSense
Hero Member
Posts: 595
Karma: 10
Re: opnsense Nginx, website on synology webstation
«
Reply #4 on:
December 24, 2020, 09:04:12 am »
Thanks Fabian!
The firewall rule was the key. Got nginx running... somewhat.
Now I have to figure out how to get it working with proper ssl certificate and HTTPS.
i will do a web search/google into ACME plugin..
do you know of some sort of a guide for nginx https and acme?
Thanks again for pointing me into the right direction!
Logged
fabian
Moderator
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: opnsense Nginx, website on synology webstation
«
Reply #5 on:
December 24, 2020, 11:16:15 pm »
If you install the acme plugin, you can enable the checkbox for lets encrypt in nginx and reconfigure nginx. Then the HTTP-01 type challenge works immediately if you configure it. If you have it, you should get a certificate, which can be used by nginx.
Logged
RamSense
Hero Member
Posts: 595
Karma: 10
Re: opnsense Nginx, website on synology webstation
«
Reply #6 on:
December 25, 2020, 01:50:57 pm »
Dear Fabian, First Merry Christmas!
I have nginx running with the " manual mode". The lets encrypt certificate imported at opnsense and used them in nginx. The website is running, so thank you for your help with that. With this manual mode I have to manually import the certificate every time there is a renewal. I understand that.
Now if I go for the automation option with ACME. Do I understand it correctly that ACME will make and renew the lets encrypt certificate automatically and I use then in nginx proxy. And does the synology webstation also maintain its lets encrypt certificate like currently in the manual version I am using now, or is that not correct? and has synology webstation in this ACME solution no longer a certificate on the synology itself?
Kind regards
Ramon
Logged
fabian
Moderator
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: opnsense Nginx, website on synology webstation
«
Reply #7 on:
December 26, 2020, 08:50:57 am »
If you enable the automatic certificate creation on OPNsense, you cannot use the HTTP-01 challenge type on your NAS. That is all. If you use the DNS challenge on your NAS, both will work. The good thing is that you do not really need a public trusted certificate there because nginx will replace it by Let's Encrypt so you have a publicly trusted certificate there and you can use your internal CA on your home which needs to be trusted by OPNsense.
Logged
RamSense
Hero Member
Posts: 595
Karma: 10
Re: opnsense Nginx, website on synology webstation
«
Reply #8 on:
December 26, 2020, 09:53:11 am »
Thanks again for your help!
That sounds logic. I am going to experiment further with this. It feels great to have this working. Could not have done it without you! Loving OPNsense more and more everyday.
Best regards
Ramon
Logged
RamSense
Hero Member
Posts: 595
Karma: 10
Re: opnsense Nginx, website on synology webstation
«
Reply #9 on:
December 27, 2020, 10:08:26 pm »
Hi Fabian,
I have one strange thing left. When I use my ISP ip on an external device, it shows up my webserver website, while using the mydomain.com show the correct website, I do not want to have my ISP ip to load a website.
do you know how to prevent this?
best regards
Ramon
Logged
fabian
Moderator
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: opnsense Nginx, website on synology webstation
«
Reply #10 on:
December 27, 2020, 10:17:43 pm »
This is how nginx works, It will choose the first server if there is no default if none of them is matching. I do not know a way to turn off this behaviour entirely.
Logged
RamSense
Hero Member
Posts: 595
Karma: 10
Re: opnsense Nginx, website on synology webstation
«
Reply #11 on:
December 28, 2020, 08:27:26 am »
Thanks for the explanation. Maybe I can change the behavior by pointing the isp ip in nginx to another (empty) webpage on the synology? should have a self signed certificate I presume?
thnx again for helping with my learning curve in OPNSense
Logged
fabian
Moderator
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: opnsense Nginx, website on synology webstation
«
Reply #12 on:
December 28, 2020, 06:24:23 pm »
If you do not point nginx to anything, it will serve the content fom the default directory which should be empty. No need to involve a 3rd party application.
Logged
RamSense
Hero Member
Posts: 595
Karma: 10
Re: opnsense Nginx, website on synology webstation
«
Reply #13 on:
December 28, 2020, 09:06:23 pm »
thnx again for your help and fast reply.
regards
Ramon
Logged
printablething
Newbie
Posts: 1
Karma: 0
January 2022 Calendar Printable
Re: opnsense Nginx, website on synology webstation
«
Reply #14 on:
January 08, 2021, 10:50:06 am »
Thank you for sharing such information, but my browser block that proxies.
Logged
January 2022 Calendar Printable
,
february 2022 calendar printable
,
march 2022 calendar printable
Print
Pages: [
1
]
2
3
...
5
« previous
next »
OPNsense Forum
»
English Forums
»
Web Proxy Filtering and Caching
(Moderator:
fabian
) »
opnsense Nginx, website on synology webstation