Info Request: WAF/Publishing Web Sites & Web Sockets

[learnedbyerror]

All,

About five years ago, I used pfSense but left it to go to Sophos UTM primarily because of ease of configuration for the Sophos Web Application Firewall (WAF).  I am currently running into one problem and one major inconvenience that I would like to address.  I "think" OPNsense may be a solution and am requesting validation assistance before I jump totally onboard.

The problem is that Sophos UTM WAF cannot handle web sockets.  The only work around is to use NAT to forward a specific port.  This does not work at my work locations where I am limited to ports 80/443.

The inconvenience is that managing LetsEncrypt certificates is still a somewhat manual process.  I prefer a solution that handles the renewals in an automatic manner.

My representative givens are:

• Home Network
• Network Geometry - Internal <=> FW <=> External
• Reverse proxy on FW
• LetsEncrypt on FW
• Internal web servers:


• http://sabnzbd.example.com:9000
• https://sickrage.example.com:9100
• https://guac.example.com (websockets)
• https://proxmox1.example.com:8006 (websockets)
• Separate DNS internal and external

Functionality Requirements:

• Access above web servers using the following names both internally and externally on TCP/443:


• https://sabnzbd.example.com
• https://sickrage.example.com
• https://guacamole.example.com with upgrade to websockets
• https://proxmox1.example.com with upgrade to websockets
• Configure LetsEncrypt for each of these web servers via web user interface
• Have LetsEncrypt automatically update certificates prior to their expiration

There are additional functional requirements regarding custom firewall rules and port forwarding that I know OPNsense can perform based upon my previous experience with pfSense.  I have purposely excluding these to focus on the issues that are not as clear to me from my current investigation?

My questions are:

• Can my functional requirements be met with OPNsense?
• If so, what are the recommended modules (i.e. I assume haproxy for the for the reverse proxy, ...)?
• Are there any howtos or guides for this type of configuration?
• Are there any warnings or gotchas that I should be aware of?

Thanks in advance for your assistance!

LBE

[fabian]

If so, what are the recommended modules (i.e. I assume haproxy for the for the reverse proxy, ...)?

nginx plugin 1.1 (not yet released) - it supports websockets (just a checkbox) and WAF (note that it this may be hard to configure), haproxy would be just a reverse proxy

Are there any howtos or guides for this type of configuration?

https://docs.opnsense.org/manual/how-tos/nginx.html (basic help for 1.0)

Are there any warnings or gotchas that I should be aware of?

nginx has bot protection which is currently always running and manages a firewall alias you can use and if you enable the WAF without adding MainRule(s), it currently blocks everything - will be fixes at some time in the future (awaiting upstream patch which is already available).

[learnedbyerror]

Thanks for your response!  I will research and test this weekend.