Multiple webservers and services behind OPNWaf?

Started by jackbrenn, December 01, 2024, 10:29:20 PM

Hi,

At the moment, I have around 8 web servers behind HAProxy, with rules and conditions sending packets where they need to go.

I have TLS on both HAProxy and the destination servers.

Example:

https://domain.io > webserver0:443
https://service1.domain.io > webserver1:443
https://service2.domain.io > webserver2:443
https://service3.domain.io > webserver3:443
https://service4.domain.io > webserver4:443
https://service4.domain.io > webserver5:443

If you visit https://service1.domain.io then HAProxy routes you to Webserver1 and so on. This works extremely well.

So to add WAF I've been looking at the OPNWaf plugin. Does the OPNWaf support a configuration like this?

I've been reading the documentation, but it seems it might only support multiple webservers if they all have different locations /service1, /service2 and so on. Rather than routing based on hostname alone?

https://docs.opnsense.org/vendor/deciso/opnwaf.html

December 02, 2024, 06:10:48 AM #1 Last Edit: December 02, 2024, 06:12:40 AM by Monviech (Cedrik)
It essentially does SNI-based reverse proxying.

So if you have

app1.example.com -> 192.168.1.1:80 (webserver1)
app2.example.com -> 192.168.1.2:80 (webserver2)

It can do that. But it can also send multiple apps to the same webserver via host header (SNI) passthrough.

If you have any issues configuring it, tell me; I'm maintaining it right now.
Hardware:
DEC740

Very interesting, and thanks for the reply.

I'll get it installed and have a look at it within a few days. SNI would work extremely well for me.

I've had a look at the software.

I must admit I'm a little confused. Maybe I have to configure it from the command line?

As an example.
I configure a single website.

Virtual Server
Enabled: Yes
ServerName: mydomain.com
Port: 443

Locations
Enabled: Yes
Virtual Server: mydomain.com:443
Type: Proxy Pass
Path: /
Remote Destination: https://192.168.1.5

Outcome: Works great!

I add another website

Virtual Server
Enabled: Yes
ServerName: coolsite.com
Port: 443

Locations
Enabled: Yes
Virtual Server: coolsite.com:443
Type: Proxy Pass
Path: /
Remote Destination: https://192.168.1.6

This doesn't seem to work?

Initially I got an error that only a single Location can have the "/" path specified. However, now I can add new Locations with the "/", but they are only visible in the config file. They are not visible in the GUI. It also breaks the configuration.

I have no doubt I've misunderstood something, but I'm just throwing this out here in case it's easy to understand what I'm doing wrong.