Topic: IDS + Haproxy + SSL decrypt (Read 5467 times)
klamath | January 25, 2021, 04:49:22 pm
Howdy,
I just got finished up with converting the majority of my port forwards to haproxy terminated endpoints. The SSL termination + re-encryption is taking place on my opnsense firewall. I have IDS monitoring my external WAN connections. I was wondering if there is anything else I need to get set up to have IDS inspect the "in the clear" data while it is traversing the firewall?
Thanks
Fright | Reply #1 | January 26, 2021, 08:46:04 am
Hi
I do not think that scheme allows Suricata to be used for analyzing HTTPS traffic. The decrypted traffic must somehow arrive on the interface Suricata is listening on for it to parse.
For IDS mode, this method might work:
https://laskowski-tech.com/2020/03/29/opnsense-and-ssl-decryption-using-sslsplit/
For the IPS mode, I think you will need a chain of servers with intermediate servers between which unencrypted traffic will pass.
The Nginx plugin uses the naxsi WAF for web-traffic inspection (thanks @fabian for adding such a great feature).
klamath | Reply #2 | January 26, 2021, 08:40:13 pm
This is disappointing. I get the issues with inspection around SSL and decrypting the traffic. Are there any plans to get a system in place to make SSL inspection on opnsense work in the future? The more I'm digging into it, IDS/IPS is a non-starter on opnsense in the current state without fronting a CA cert or using unencrypted traffic on the backend.
Fright | Reply #3 | January 27, 2021, 08:01:44 am
May I ask why you prefer IDS over WAF for HTTPS-inspection?
There are clear limitations when running a reverse-proxy and IDS on the same host, related to the layers at which the IDS and proxy are running. As a result, when IDS sees incoming web traffic, it is not yet decrypted, and when it sees outgoing traffic, it is already encrypted, and additional steps are required for the IDS to receive traffic suitable for analysis (and even more so for IPS).
WAF, on the other hand, was originally designed to analyze web-traffic on a reverse proxy.
I don't know about plans to integrate modsecurity and HAProxy, but OPN already has an excellent bundle of nginx + naxsi, and looking at the activity on github some updates can be expected.
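A check for the blind spot described in the reply above, as an added example that is not part of the original thread: it summarises, per interface, which application protocols Suricata actually parsed according to its EVE JSON log. The log lines are constructed, and the interface names `em0` (WAN) and `lo0` (a cleartext proxy-to-backend hop) are placeholders.

```python
import json
from collections import defaultdict

# Constructed Suricata EVE JSON lines (not captured from a real sensor).
# "em0" and "lo0" are placeholder interface names, see the lead-in.
SAMPLE_EVE = """\
{"event_type":"tls","in_iface":"em0","dest_port":443,"tls":{"sni":"mail.example.test"}}
{"event_type":"tls","in_iface":"em0","dest_port":443,"tls":{"sni":"www.example.test"}}
{"event_type":"dns","in_iface":"em0","dest_port":53}
{"event_type":"http","in_iface":"lo0","dest_port":8080,"http":{"hostname":"mail.example.test","url":"/owa/"}}
{"event_type":"tls","in_iface":"em0","dest_po
"""


def visibility_by_interface(eve_lines):
    """Count parsed TLS and HTTP transactions per capture interface."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in eve_lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # truncated line, e.g. cut off by log rotation
        if not isinstance(event, dict):
            continue
        etype = event.get("event_type")
        if etype not in ("tls", "http"):
            continue  # only the two protocols relevant to this check
        seen[event.get("in_iface", "unknown")][etype] += 1
    return {iface: dict(protos) for iface, protos in seen.items()}


def blind_interfaces(summary):
    """Interfaces where only TLS handshakes were parsed and no HTTP at all.

    HTTP-payload rules cannot match on these interfaces; Suricata only
    sees handshake metadata such as the SNI.
    """
    return sorted(i for i, p in summary.items() if "tls" in p and "http" not in p)


if __name__ == "__main__":
    summary = visibility_by_interface(SAMPLE_EVE.splitlines())
    print(summary)
    print("TLS-only interfaces:", blind_interfaces(summary))
```

On a real sensor, feed the function the lines of the EVE log instead of `SAMPLE_EVE`; an interface that only ever reports `tls` is one where web-application signatures have nothing to inspect.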
klamath | Reply #4 | January 27, 2021, 09:57:17 pm
To be honest I have more experience with HAproxy so I used what I know. I took the plunge today and set up nginx and am running into nothing but problems with an Exchange server. I have read a bunch of tickets around the issue and cannot find a place in the GUI to input such variables. I am hoping these options are there and I don't have to hand-jam them into a config.
Thanks,
Tim
https://forum.opnsense.org/index.php?topic=16595.0
https://forum.opnsense.org/index.php?topic=12939.0
https://stackoverflow.com/questions/14839712/nginx-reverse-proxy-passthrough-basic-authenication
Fright | Reply #5 | January 28, 2021, 07:22:28 am
Can you start a new topic in "Web Proxy Filtering and Caching" with more details?
klamath | Reply #6 | January 28, 2021, 04:16:05 pm
Understood and created.
https://forum.opnsense.org/index.php?topic=21154.0