WAF for SSL Traffic

Started by runo10, August 25, 2025, 11:36:10 PM

Hello,
I want to buy OPNsense Business for my Proxmox server. I will use it between the internet and the virtual servers on Proxmox. Can I use the WAF for SSL traffic without a Root CA certificate? Self-signed certificates aren't trusted by browsers, so I can't use them. Is there any other solution on OPNsense?

You mean implementing a WAF for inbound public services? That's what is commonly called a WAF. That case is easy: terminate SSL with your official public certificates on OPNsense, then proxy to your web application servers.

But the WAF is only available in the business edition.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Yes, I will buy the business edition for the WAF. I mean there will be VDSs which belong to customers, who can use their own custom certificates, which we don't have. Can OPNsense issue SSL certificates automatically for websites inside VDSs that we don't have any info about?

The WAF component in OPNsense can issue certificates automatically via Let's Encrypt using the HTTP or TLS-ALPN challenge.

After the TLS termination, it can be sent further upstream either via HTTP or HTTPS.

I assume the customers with the random certificates are upstream?
Hardware:
DEC740

There will be some FQDN for the application which must point to the IP address of OPNsense, not the customer web server, because WAF == proxy. With the connection terminating on OPNsense you should be able to generate a certificate with Let's Encrypt and the HTTP challenge method.

You will not be able to do anything transparent and inspect traffic. If the customer certificate on the application server must be used, that means no inspection, no WAF.
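The requirement stated above (the FQDN must resolve to OPNsense, because the CA fetches the challenge from whatever host the name points at) can be shown with the HTTP-01 exchange from RFC 8555. The following is an added example written for this thread, not code from OPNsense or from any participant: it computes the key authorization the ACME client on the proxy must serve under /.well-known/acme-challenge/ and simulates the CA's validation against a constructed DNS map. The addresses, the account key coordinates and the token are all constructed placeholders.

```python
import base64
import hashlib
import json

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Addresses from the RFC 5737 documentation range; constructed for this example.
PROXY_IP = "203.0.113.10"     # OPNsense WAN address where the proxy terminates TLS
CUSTOMER_IP = "203.0.113.20"  # a customer VPS reachable directly, bypassing OPNsense


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JWK use it."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the required JWK members, sorted, without whitespace."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: token || '.' || base64url(thumbprint(account key))."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def challenge_responses(token: str, account_jwk: dict) -> dict:
    """What the ACME client on the proxy must serve on port 80 for the FQDN."""
    return {CHALLENGE_PREFIX + token: key_authorization(token, account_jwk)}


def ca_validate(fqdn: str, token: str, account_jwk: dict, dns: dict, http_servers: dict) -> bool:
    """Simulate the CA's HTTP-01 validation.

    The CA resolves the FQDN, fetches http://<fqdn>/.well-known/acme-challenge/<token>
    from whatever host the name resolves to, and compares the body with the key
    authorization. If the name points at the customer VPS instead of OPNsense, the
    host holding the account key never answers and validation fails.
    """
    ip = dns.get(fqdn)
    if ip is None:
        return False
    body = http_servers.get(ip, {}).get(CHALLENGE_PREFIX + token)
    return body is not None and body == key_authorization(token, account_jwk)


# Constructed account key: placeholder coordinates, not a usable P-256 point.
ACCOUNT_JWK = {"kty": "EC", "crv": "P-256", "x": b64url(b"\x01" * 32), "y": b64url(b"\x02" * 32)}
TOKEN = "constructed-token-Dt3juxGJ-PCt92wr-oA"  # constructed; real tokens are CA-issued random strings

# Constructed view of the internet: who answers on port 80 for which address.
HTTP_SERVERS = {
    PROXY_IP: challenge_responses(TOKEN, ACCOUNT_JWK),   # OPNsense answers the challenge
    CUSTOMER_IP: {"/": "customer site, no ACME client for this account"},
}
DNS_VIA_PROXY = {"shop.example.com": PROXY_IP}   # FQDN points at OPNsense: works
DNS_DIRECT = {"shop.example.com": CUSTOMER_IP}   # FQDN points at the VPS: fails

if __name__ == "__main__":
    print("FQDN -> OPNsense:", ca_validate("shop.example.com", TOKEN, ACCOUNT_JWK, DNS_VIA_PROXY, HTTP_SERVERS))
    print("FQDN -> customer VPS:", ca_validate("shop.example.com", TOKEN, ACCOUNT_JWK, DNS_DIRECT, HTTP_SERVERS))
```

The same dependency holds for the TLS-ALPN-01 challenge mentioned earlier in the thread: there the CA connects to port 443 of whatever address the name resolves to, so again the name has to lead to the host that terminates TLS.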

OPNsense doesn't need to use the customers' certificates. But the VDSs have different IPs. OPNsense will be a bridge, not a proxy; will that make a difference? Can OPNsense terminate different IPs for different domains and use auto-issued certificates?

You cannot use the WAF with a bridge, AFAIK. The WAF is part of the proxy. If you proxy transparently you will, to my knowledge, not be able to inspect. You need to decrypt and re-encrypt. I might be mistaken, but the certificates will be a challenge.

Actually it must be possible, but probably there is no configuration for that and I will not be able to configure this. When I talk to Gemini, it says to route public IPs to the private IPs of the VPSs as a reverse proxy. Not a domain-based but an IP-based proxy.

An IP-based proxy is perfectly possible, yes. But the proxy will still have to terminate SSL and present a valid cert to the client browser, or the client will reject the connection. Or you proxy TCP, but then you cannot run a WAF because the connection is SSL encrypted.

If you want to inspect content you have to decrypt. For decryption to work without client browsers complaining you must have a valid certificate. Certificates for HTTPS are based on domain names, not IP addresses.

You did not tell the entire user story of your planned setup. You just asked about WAF. So I'm telling you that you must decrypt to run that.

Gateway -> Opnsense server -> Proxmox Server(VDSs)

multiple ips -> Opnsense -> VDSs

Gemini suggests 1:1 NAT routing for the WAF and multiple IPs. But I need to assign MAC addresses manually.

Do whatever you want if you trust the bullshit generation machine. I am not wasting my time with so called AI.

Dude, why did you get angry? I just asked for solutions. Its suggestion looks logical to me, but if it's wrong please correct me. Here is the complete explanation:

Quote:
Map Public IPs to OPNsense: Your internet provider or data center will route your entire block of public IPs to your OPNsense WAN interface. In OPNsense, you'll configure these as Virtual IPs (Interfaces > Virtual IPs). This tells OPNsense that it is responsible for handling all of those IPs.

Assign Private IPs to VDSs: Inside your Proxmox server, you'll need to configure each VDS to have a static private IP address (e.g., 10.0.0.1, 10.0.0.2, etc.). This is a crucial step to ensure the IP-based routing works correctly, as the VDS's private IP won't change.

Configure 1:1 NAT: This is the most important part. You'll set up 1:1 NAT (Network Address Translation) rules in OPNsense (Firewall > NAT > 1:1). Each rule will create a permanent, one-to-one mapping between a public IP and a private VDS IP. For example:

Public IP 203.0.113.10 is mapped to private IP 10.0.0.1.

Public IP 203.0.113.11 is mapped to private IP 10.0.0.2.

Manage SSL and WAF: With the traffic routed correctly, you can now manage SSL certificates and WAF rules for each VDS in the reverse proxy settings. OPNsense's ACME client will automatically issue and renew certificates for each domain, and the WAF will inspect traffic for each VDS separately.

August 27, 2025, 06:11:05 PM #12 Last Edit: August 27, 2025, 06:14:58 PM by Patrick M. Hausen
If you use 1:1 NAT you have already bypassed any proxy you might configure later. That's just basic networking. So again: no WAF with NAT.

I am not angry at you, sorry. So-called AI is bad. Period. I'm dying on that hill and I categorically refuse to use that stuff.

As this example neatly shows - you can use NAT or proxy but not both.

You CAN try to build a transparent bridge proxy, but you will have to tackle the certificate issues. You must present a proper cert to the customer's customers' web browsers. I do not have experience with any such setup because I prefer proper layer 3 separation and routing or proxying over "transparent" trickery. The latter is always less reliable and harder to debug.

Thanks a lot; then it's better to go with bridge mode and L3-L4 security.