WAF + IPS + TLS offloading implications

Started by nfa04, June 06, 2025, 02:17:41 PM

I own a small homelab which has a dedicated OPNsense firewall. The servers of the homelab are the only devices on this network. I have been running Suricata IDS + IPS on my LAN interface for some time now. As I host a website (encrypted) I thought about adding some additional protection in the form of a WAF. Therefore I installed the nginx plugin and set it up to terminate SSL and activated the WAF. It's working perfectly, but I wonder what the implications for Suricata might be.

Here are some of my assumptions and questions:
A) If I pass the data to my backend server unencrypted this allows Suricata running on LAN to scan the actual payload, therefore making it more effective.
B) The source of all requests now appears to be the firewall itself, as it's running the reverse proxy. Does this make Suricata less effective? Does this mean it could start blocking my reverse proxy? If yes, is there a way around it? Does it make a difference as listening on LAN is behind NAT anyway?
C) I don't see a way to configure nginx as a transparent proxy using the official plugin. Is this correct? I could use X-Forwarded-For, but this apparently doesn't work with IPS, am I right? Or does it?
D) In case of a detected intrusion, will only the current connection be dropped or everything from that IP (potentially the reverse proxy)?
E) Is there another way I could make WAF + TLS offloading + Suricata IPS work?

Up until now I had a pretty rough time figuring this out. I hope someone is going to be able to help with that.

Cheers!

#1, Today at 04:16:29 PM (Last Edit: Today at 04:18:08 PM by jonny5)
Quote from: nfa04 on June 06, 2025, 02:17:41 PM
A) If I pass the data to my backend server unencrypted this allows Suricata running on LAN to scan the actual payload, therefore making it more effective.
Yes, otherwise Suricata won't be able to inspect the encrypted traffic, which would minimize the effectiveness of inspection.
Quote from: nfa04 on June 06, 2025, 02:17:41 PM
B) The source of all requests now appears to be the firewall itself, as it's running the reverse proxy. Does this make Suricata less effective? Does this mean it could start blocking my reverse proxy? If yes, is there a way around it? Does it make a difference as listening on LAN is behind NAT anyway?
XFF is how you 'know who requested the traffic'. You will need to make sure that the reverse proxy you set up in OPNsense is adding the XFF header and that you can inspect/account for that data. That said, make sure you set up nginx/your web host to handle the redirects correctly - I had to learn about extra conf options for nginx to operate correctly behind Traefik, as I'd have really odd port issues otherwise.
Quote from: nfa04 on June 06, 2025, 02:17:41 PM
C) I don't see a way to configure nginx as a transparent proxy using the official plugin. Is this correct? I could use X-Forwarded-For, but this apparently doesn't work with IPS, am I right? Or does it?
It does, but... only if you set it up correctly. You can have the XFF value replace the 'source' via Suricata settings, and for you, that sounds like what you will want to do - this "SHOULD" tell the IPS to block the XFF address, not itself. For me, I have an external system parsing a specific set of 'xffeve.json' events that does replace the 'source' IP with the 'XFF' IP, and so that system (CrowdSec) will add the XFF/source to the firewall and block it. I do not know if the IPS (using Suricata's built-in blocker) will handle this variation correctly - I do not use IPS, I just do reactive IDS (add to firewall).
Quote from: nfa04 on June 06, 2025, 02:17:41 PM
D) In case of a detected intrusion, will only the current connection be dropped or everything from that IP (potentially the reverse proxy)?
Again, using XFF correctly you can mitigate this.
Quote from: nfa04 on June 06, 2025, 02:17:41 PM
E) Is there another way I could make WAF + TLS offloading + Suricata IPS work?
IMHO it is a bit more useful to have Suricata in IDS mode, customize the 'custom.yaml' for Suricata so it outputs an eve event log with the source IP replaced with the XFF IP, name it something like xffeve.json and have CrowdSec parse that log. CrowdSec will add the IP to your firewall in very short time, and you can set up CrowdSec Multi-Server (one Multi-Server instance is free) and protect quite a group of things, so long as you are able to connect all the agents (parsers/blockers/AppSec) back to your LAPI. Yes, I am suggesting a whole new plugin (a native OPNsense one) to solve the issue - but as far as terminating TLS/SSL goes, you must use an actual reverse proxy, and that means XFF is now in the picture. There is no 'transparent reverse proxy' here; that would only happen if you are not terminating TLS/SSL and are doing pass-through (which you can do in some reverse proxies... but you have to have a good reason to do this - and that would leave the traffic encrypted, which you do not want...)
Custom: ASRock 970 Extreme3 R2.0 / AMD FX-8320E / 32 GB DDR3 1866 / X520 & I350 / 500GB SATA