Author Topic: Multiple webservers and services behind OPNWaf? (Read 100 times)

jackbrenn · « **on:** December 01, 2024, 10:29:20 pm »

Hi,

At the moment, I have around 8 web servers behind HAProxy, with rules and conditions sending packets where they need to go.

I have TLS on both HAProxy and the destination servers.

Example:

https://domain.io > webserver0:443
https://service1.domain.io > webserver1:443
https://service2.domain.io > webserver2:443
https://service3.domain.io > webserver3:443
https://service4.domain.io > webserver4:443
https://service4.domain.io > webserver5:443

If you visit https://service1.domain.io then HAProxy routes you to Webserver1 and so on. This works extremely well.

So to add WAF I've been looking at the OPNWaf plugin. Does does the OPNWaf support a configuration like this?

I've been reading the documentation, but it seems it might only support multiple webservers if they all have different locations /service1, /service2 and so on. Rather than routing based on hostname alone?

https://docs.opnsense.org/vendor/deciso/opnwaf.html

Monviech (Cedrik) · « **Reply #1 on:** December 02, 2024, 06:10:48 am »

It essentially does SNI bases reverse proxying.

So if you have

app1.example.com -> 192.168.1.1:80 (webserver1)
app2.example.com -> 192.168.1.2:80 (webserver2)

It can do that. But it can also send multple apps to the same webserver via host header (SNI) passthrough.

If you have any issues configuring it tell me, Im maintaining it right now.

jackbrenn · « **Reply #2 on:** December 02, 2024, 12:48:39 pm »

Very interesting, and thanks for the reply.

I'll get it installed and have a look at it within a few days. SNI would work extremely well for me.

Author Topic: Multiple webservers and services behind OPNWaf? (Read 100 times)

jackbrenn

Multiple webservers and services behind OPNWaf?

Monviech (Cedrik)

Re: Multiple webservers and services behind OPNWaf?

jackbrenn

Re: Multiple webservers and services behind OPNWaf?