Web Application Firewall in OPNsense

Started by ddywz, February 08, 2021, 04:32:58 AM

Hello, this is my first post here. I decided to try out OPNsense and set up new hardware, a Qotom-Q575G6-S05, with
OPNsense 21.1-amd64
FreeBSD 12.1-RELEASE-p12-HBSD
OpenSSL 1.1.1i 8 Dec 2020

Hardware is Intel(R) Core(TM) i7-7500U CPU @ 2.70GHz (4 cores) and 16GB RAM

The basic installation went fine and the main rules are in place. All is working fine so far. Today is my third day of running it.

I was using Sophos UTM before and thought I would try OPNsense, and while doing so I have the following question:

I have about 4 web servers that need external access from the internet via HTTPS. In Sophos I was using the WAF feature (Web Application Firewall), where I would create a "Real" web server (you basically define the real HTTP or HTTPS path of the internal server) and link it with an external one created in the Sophos UTM, where I would upload the certificate, so the mapping is done via SNI and no ports were opened in the firewall to allow HTTPS traffic. This also helped with the fact that I can use the same port 443 for all server connections coming from the single WAN address.

How would I accomplish this in OPNsense? Can this be done in the web proxy section? I also saw a plugin called "Nginx HTTP server and reverse proxy". Would this help with the issue I'm having?

Thanks in advance.

Hello,
You need to use HAProxy.
There is a plugin for that.

nginx and HAProxy will both be able to do that.
There is even an acme-client-plugin which will take care of your TLS encryption by installing and renewing Let's Encrypt certs
"The S in IoT stands for Security!" :)
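What the replies above describe, written out as a raw haproxy.cfg so the moving parts are visible. This is an added example, not the configuration the OPNsense HAProxy plugin generates (the plugin builds the file from its GUI objects such as Real Servers, Backend Pools, Rules/Conditions and a Public Service). The hostnames, the internal addresses and the certificate directory are assumptions; the internal CA file for the HTTPS-speaking backend is hypothetical too.

```haproxy
# Added example (not plugin-generated): four HTTPS sites behind one WAN address
# on a single port 443, selected by the name the client sends in the TLS
# handshake. Hostnames, addresses and paths are assumptions.
global
    log /var/run/log local0
    ssl-default-bind-options ssl-min-ver TLSv1.2

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# One public listener. HAProxy terminates TLS here and picks the certificate
# by SNI from the PEM files in the directory (one file per site: leaf cert,
# intermediates, private key).
frontend https_in
    bind :443 ssl crt /usr/local/etc/haproxy/certs/ alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https

    # The Host header must agree with the SNI that chose the certificate;
    # otherwise a client could reach site B under site A's certificate.
    http-request set-var(txn.host) req.hdr(host),field(1,:),lower
    http-request deny unless { ssl_fc_sni,lower,strcmp(txn.host) eq 0 }

    # Route on the SNI value (case-insensitive match).
    acl host_www   ssl_fc_sni -i www.example.com
    acl host_mail  ssl_fc_sni -i mail.example.com
    acl host_cloud ssl_fc_sni -i cloud.example.com
    acl host_git   ssl_fc_sni -i git.example.com

    use_backend be_www   if host_www
    use_backend be_mail  if host_mail
    use_backend be_cloud if host_cloud
    use_backend be_git   if host_git
    # No SNI or an unknown name (IP-literal scanners, for example): refuse.
    default_backend be_reject

# An internal server that itself speaks HTTPS: verify its certificate against
# your own internal CA rather than trusting the LAN blindly.
backend be_www
    server www1 192.0.2.11:443 ssl verify required ca-file /usr/local/etc/haproxy/internal-ca.pem

# Internal servers that speak plain HTTP behind the proxy.
backend be_mail
    server mail1 192.0.2.12:80
backend be_cloud
    server cloud1 192.0.2.13:80
backend be_git
    server git1 192.0.2.14:80

backend be_reject
    http-request deny
```

Because HAProxy terminates TLS, the certificate choice is made by the directory lookup and the backend choice by the `ssl_fc_sni` ACLs; the firewall itself only needs a single pass rule for 443 to the proxy, as with the Sophos setup. The `strcmp` check is the piece people usually forget: the SNI picks the certificate, but applications act on the Host header, and the two are set independently by the client.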

Thank you guys. Found it, installed the plugin and am trying to configure it. I actually have three certificates that I have purchased and that are valid until the end of 2022, so I was going to import them in the "Trust" menu. Is there a rule on how to import them? There are only two fields:
1. X509 PEM cert
2. private key

I have

1. .crt file
2. ca-bundle file
3. privkey.pem file

Should I combine the .crt and ca-bundle into one PEM file and enter it in the cert field? Is there a particular order for this? I could not find any details in the docs for this.

Thanks!
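The question the thread ends on, the order of the .crt, ca-bundle and private key pieces, has a fixed answer in TLS: the server's own (leaf) certificate comes first, followed by each certificate that signed the one before it; the root is optional and usually left out, and HAProxy additionally wants the private key appended in the same file. The script below is an added example, not from the thread or from OPNsense: it generates a throwaway three-level PKI (constructed data; only the file names server.crt, ca-bundle.pem and privkey.pem mirror the poster's), assembles the bundles in the right and in the wrong order, and shows the openssl checks that tell the two apart.

```sh
#!/bin/sh
# Added example, not from the thread: assemble server.crt + ca-bundle + privkey.pem
# into the PEM layouts a TLS terminator expects, and check the result with openssl.
# The whole PKI below is a throwaway one generated on the spot (constructed data);
# only the file names mirror the poster's.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Minimal req config so the example does not depend on the system openssl.cnf.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# Constructed test PKI: root CA -> intermediate CA -> server leaf.
gen_test_pki() {
  openssl req -config req.cnf -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example Root CA" -addext "basicConstraints=critical,CA:TRUE" \
    -keyout root.key -out root.pem 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  openssl req -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=Example Intermediate CA" -keyout ca.key -out ca.csr 2>/dev/null
  openssl x509 -req -in ca.csr -CA root.pem -CAkey root.key -CAcreateserial \
    -days 30 -extfile ca.ext -out ca-bundle.pem 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.com\n' > leaf.ext
  openssl req -config req.cnf -newkey rsa:2048 -nodes \
    -subj "/CN=www.example.com" -keyout privkey.pem -out server.csr 2>/dev/null
  openssl x509 -req -in server.csr -CA ca-bundle.pem -CAkey ca.key -CAcreateserial \
    -days 30 -extfile leaf.ext -out server.crt 2>/dev/null
}

# Order matters in a PEM chain: the server's own (leaf) certificate first,
# then the intermediate(s) that signed it. The root is not needed.
build_fullchain() {        # $1 leaf, $2 ca-bundle, $3 output
  cat "$1" "$2" > "$3"
}

# HAProxy wants one PEM per site: leaf, intermediates, then the private key.
build_haproxy_pem() {      # $1 leaf, $2 ca-bundle, $3 key, $4 output
  cat "$1" "$2" "$3" > "$4"
}

# Subject of the FIRST certificate in a PEM file. A TLS client takes that one
# as the server certificate, so in a correct bundle it must be the leaf.
first_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Does leaf -> intermediate(s) -> root validate?
chain_ok() {               # $1 leaf, $2 ca-bundle, $3 root
  openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
}

# Does the private key in a combined PEM belong to its first certificate?
key_matches_cert() {       # $1 combined pem
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout 2>/dev/null)" ]
}

gen_test_pki
build_fullchain   server.crt ca-bundle.pem fullchain.pem            # leaf, then chain
build_haproxy_pem server.crt ca-bundle.pem privkey.pem site.pem     # leaf, chain, key
cat ca-bundle.pem server.crt > wrong-order.pem                      # the mistake to avoid

echo "fullchain.pem presents:   $(first_subject fullchain.pem)"     # CN=www.example.com
echo "wrong-order.pem presents: $(first_subject wrong-order.pem)"   # CN=Example Intermediate CA
if chain_ok server.crt ca-bundle.pem root.pem; then echo "chain verifies"; else echo "chain BROKEN"; fi
if key_matches_cert site.pem; then echo "key matches leaf"; else echo "key MISMATCH"; fi
```

With a purchased certificate, `server.crt` is the file the CA issued for the name and `ca-bundle` is its intermediate(s); `openssl verify -CAfile <system root store> -untrusted ca-bundle server.crt` is the same check as `chain_ok` above. Whether the OPNsense Trust screen wants the chain appended to the certificate field or the intermediates imported separately as authorities is something to confirm against the OPNsense documentation for the installed version; the ordering rule itself (leaf first, then each issuing certificate, root optional, key last for HAProxy) is fixed by TLS and is what HAProxy and every client expect.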