Website protection with OPNsense

Installing OPNsense

In the old days, installing an open-source firewall was a tricky task, but today it can be done with a few clicks (or keystrokes). In this article, I’ll not describe the detailed OPNsense installation process, but you can watch this video that was extracted from my OPNsense course available in Udemy. The video is in the Portuguese language, but with the CC Youtube translation feature, you may be able to follow it without problems (if you don’t are a Portuguese speaker, of course) :-)

OPNsense installation video (Portuguese)

Plugin installation

To install the plugin, follow these simple steps:

  1. Access your OPNsense firewall web GUI: (https://<YOUR_IP>)
os-nginx plugin installtion

Initial configuration

Before the configuration, we need to understand some terms:

  • Upstream Server: The real webserver that will host the web page/application;
  • Upstream: The backend where will be configured the server(s);
  • Location: The URL pattern that should have an Upstream configured;
  • HTTP Server: The frontend that should have one or more Locations configured;

1. Upstream Server

click on add button
Upstream Server: Example configuration

2. Upstream

click on the add button
Select the Upstream Server configured in the previous step

3. Download the NAXSI (WAF) rules

About NAXSI: (extracted from:

Click on Download button to fetch the NAXSI rules
You must accept the NAXSI repository licence to Download the rules
After download process, the rules will be shown

4. Location

Create a new Location:

Location Submenu
Click on add button
  • Description: Fill with something that makes sense to you;
  • URL pattern: To match with your webserver root fill with “/”. To match with another path change it to something like “/anotherpath/”;
  • Enable Security Rules: This option enables WAF protection. Combined with the Custom Security Policy you will be able to protect your website from the specified policies (group of rules);
  • Learning mode: In this mode, the plugin will not block the requests that match with the selected policies, will only log the requests. It’s a good idea to adjust your own whitelist rule before starting to block requests.

5. HTTP Server

Finally, create your website frontend:

Click on the add button
  • Server Name: the FQDN name of your website;
  • Locations: the Location created in the previous step;
  • TLS Certificate / CA Certificate/ Enable Let’s Encrypt Plugin: If you want (you should) enable HTTPS (TLS) in your website, these options need to be configured with your TLS and CA certificate. If you already have a valid one, you can install and configure the Let’s Encrypt Plugin that will create those for you at no cost.
HTTP Server configured

6. OPNsense configuration adjusts

We’ll need to adjust some WebGUI configurations to enable our Nginx service without port conflict problems.

Change the WebGUI HTTPS port and disable the HTTP Redirect rule (port 80)
Check Enable and click on the Apply button
After applied the configuration, the service will become up and running


I tried to cover in this article the basic configuration of this great plugin to the excellent OPNsense security platform to provide some website protection. It’s possible to get advanced protection with this plugin, but it will demand many others articles to explore all possibilities.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Julio Cesar Camargo (JCC)

Julio Cesar Camargo (JCC)

Cyber security professional / open source and aviation enthusiast. CTO@Cloudfence —