Core: Reverse proxy feature

Created on 19 Apr 2016 · 15 Comments · Source: opnsense/core

OPNsense could have a reverse proxy feature in addition to NAT port forwarding. This would

  • work on a given port and interface
  • use a http/https URL as a target
  • offer SSL encryption by use of a certificate from OPNsense's list
  • use any configurable hostname
  • add proper headers so the internal server can figure out the hostname for redirects etc

This would allow us to have a http service inside the network, proxied to the outer world, with an SSL certificate and hostname defined on the firewall but not on the inside network.

All 15 comments

@datenimperator @fraenki is working on a haproxy package implementation, some more information about his progress can be found in his initial pull request https://github.com/opnsense/plugins/pull/10
I'm not sure this covers all your needs, but it might be interesting to look at.

@fraenki assigned just for feedback tracking purposes :)

Would it be possible to add Nginx to the system? I use it today on a separate VM and it does reverse proxying very nice!

@enoch85 I think we can add the port, but it's highly unlikely that there will be a GUI any time soon. Just let us know if the port is enough for you.

@enoch85 If you want to configure the reverse proxy with the OPNsense GUI, I'd recommend installing the HAProxy plugin in OPNsense.

@AdSchellevis Sorry, what do you mean by port? Could I install Nginx in FreeBSD and configure it from there and then set a separate interface or something? It would be great to be able to run Nginx directly from OPNsense on bare metal.

@enoch85 ports is the system we use to build packages from, so if the port is available and we build a package for it, you can install it on the console with something like:

    pkg install nginx

but from there, you have to configure the rest manually. If that works for you, just let me know.
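
Added example (not part of the thread and not OPNsense project code): a sketch of what the manual configuration mentioned above could look like for the setup requested in the issue, namely one port on one interface, a plain-HTTP internal target, TLS terminated on the firewall, a chosen hostname, and forwarding headers. All addresses, hostnames and certificate paths are placeholders.

```nginx
# Goes inside the http { } block of nginx.conf
# (/usr/local/etc/nginx/nginx.conf for the FreeBSD package).
# Placeholder values: 203.0.113.1 (firewall address), 192.0.2.10:8080
# (internal server), app.example.com, and both certificate paths.

server {
    # Port and interface: bind to one address, not every interface.
    listen 203.0.113.1:443 ssl;

    # Hostname clients use; the internal server does not need to know it.
    server_name app.example.com;

    # Certificate and key live on the firewall only. Keep the key file
    # readable by root alone.
    ssl_certificate     /usr/local/etc/nginx/ssl/app.example.com.crt;
    ssl_certificate_key /usr/local/etc/nginx/ssl/app.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Plain-HTTP target inside the network.
        proxy_pass http://192.0.2.10:8080;

        # Headers the internal server needs to build correct redirects.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Overwrite rather than append: as the outermost proxy, discard
        # any X-Forwarded-For value the client sent, so the backend's
        # logs and access rules cannot be fed a forged address.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Real-IP         $remote_addr;

        # Rewrite http:// redirects issued by the backend to https://.
        proxy_redirect http://$host/ https://$host/;
    }
}
```

Running `nginx -t` checks the file for syntax errors before the service is reloaded.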

@AdSchellevis Sure, that would be great! Something to start with anyway, and later on you could implement a GUI ;)

@enoch85 I've added it to the build list (https://github.com/opnsense/tools/commit/42cca748f6a09dc717b75d6f70411d3704634354) it should be available in the next release.

@datenimperator Hey Christian, did HAProxy plugin solve your question or are there open points?

Cheers,
Franco

How do I install that haproxy plugin?
Does it do transparent proxying?
I've downloaded 16.7 and there is no mention of plugins anywhere in the GUI...

@rduffner Under System: Firmware: Updates there is a Plugins tab. It may require checking for updates in order for "os-haproxy" to show up.

Ah, there it is - thanks.
The search function in the top right seems to only work for stuff that is already installed...

After installing 16.7 I've had a first look at HAProxy. The amount of settings necessary to establish a simple web proxy seems overwhelming. I'll give it a try once I have some time to play with it, but this isn't something I'd recommend to anybody without a decent knowledge of network infrastructure.

Maybe there will be some easier solution?

nothing to do here from core perspective
