Website protection with OPNsense

With the nginx plugin, OPNsense becomes a strong, full-featured Web Application Firewall (WAF).

With the addition of the Nginx plugin, the OPNsense security platform can help you protect your network and your web servers.

Installing OPNsense

In the old days, installing an open-source firewall was a very tricky task, but today it can be done with a few clicks (or keystrokes). In this article I will not describe the detailed OPNsense installation process, but you can watch this video, which was extracted from my OPNsense course available on Udemy. The video is in Portuguese, but with YouTube's translated captions feature you may be able to follow it without problems (if you are not a Portuguese speaker, of course) :-)

From my Udemy OPNsense course: check it out here!

OPNsense installation video (Portuguese)

Depending on the platform on which you are installing OPNsense, the steps may vary; follow the official installation guide.

Plugin installation

To install the plugin, follow these simple steps:

1. Access your OPNsense firewall web GUI (https://<YOUR_IP>).

2. Go to the menu System: Firmware: Plugins.

3. Find the os-nginx plugin and click the install option [+].

os-nginx plugin installation

Initial configuration

Before the configuration, we need to understand some terms:

  • Upstream Server: the real web server that hosts the web page/application;
  • Upstream: the backend group in which one or more Upstream Servers are configured (nginx distributes requests between them);
  • Location: the URL pattern that is mapped to an Upstream;
  • HTTP Server: the frontend (virtual host) that has one or more Locations configured.

The configuration starts with the Upstream Server. To make the initial configuration, go to the Services: Nginx: Configuration menu:

1. Upstream Server

Click on the add button.

Upstream Server: example configuration

The server parameters depend on your web server/application and network environment. For better protection, it is recommended that you set limits for Maximum Connections, Maximum Failures and Fail Timeout: the connection limit keeps the backend from being overwhelmed through the proxy, and the failure limit together with its timeout temporarily takes a server that stops answering out of rotation.

2. Upstream

Click on the add button.

Select the Upstream Server configured in the previous step.

In the above example we are not using TLS in the backend, so traffic between OPNsense and the web server travels in clear text; that is acceptable only when both sit on a trusted network segment.

The configured Upstream will then appear in the Upstream list.

3. Download the NAXSI (WAF) rules

About NAXSI (extracted from https://github.com/nbs-system/naxsi):

NAXSI means Nginx Anti XSS & SQL Injection.

Technically, it is a third party nginx module, available as a package for many UNIX-like platforms. This module, by default, reads a small subset of simple (and readable) rules containing 99% of known patterns involved in website vulnerabilities. For example, <, | or drop are not supposed to be part of a URI.

Before proceeding with the configuration, we need to download the NAXSI rules, which will be enabled in our Location configuration later.

Go to the submenu:

Click on the Download button to fetch the NAXSI rules.

You must accept the NAXSI repository licence to download the rules.

After the download, the rules will be shown.

4. Location

Create a new Location: go to the Location submenu and click on the add button.

  • Description: fill in something that makes sense to you;
  • URL pattern: to match your web server root, fill in "/"; to match another path, change it to something like "/anotherpath/";
  • Enable Security Rules: this option enables the WAF protection. Combined with a Custom Security Policy (a group of rules with the score thresholds at which a request is blocked), it lets you protect your website against the selected classes of attack;
  • Learning mode: in this mode the plugin does not block the requests that match the selected policies, it only logs them. Run in learning mode first and build your own whitelist from the logged false positives before you start blocking requests, otherwise legitimate traffic (form fields containing quotes, commas or parentheses, for example) will be denied.

5. HTTP Server

Finally, create your website frontend:

Click on the add button.

  • Server Name: the FQDN of your website;
  • Locations: the Location created in the previous step;
  • TLS Certificate / CA Certificate / Enable Let's Encrypt Plugin: if you want to enable HTTPS (TLS) on your website (and you should), configure these options with your TLS certificate and CA certificate if you already have a valid one, or install and configure the Let's Encrypt plugin, which will create them for you at no cost.
HTTP Server configured
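As an added illustration (not the file the OPNsense plugin generates, and not part of the original post), this is the nginx configuration that the objects built in steps 1 to 5 correspond to: the Upstream Servers with their limits, the Upstream, the Location with the NAXSI policy of step 4, and the HTTP Server with TLS. It also shows the whitelist you would write after running in learning mode, derived from a constructed NAXSI_FMT log entry. Hostnames, addresses (192.0.2.x and 203.0.113.x are documentation ranges), certificate and include paths are assumptions; rule id 1013 and its scores are taken from naxsi_core.rules, so check the copy you downloaded in step 3.

```nginx
# Added illustration, not the file the OPNsense plugin generates. Addresses,
# hostnames, certificate and include paths are assumptions for the example;
# rule id 1013 comes from naxsi_core.rules (check your downloaded copy).
events { worker_connections 1024; }

http {
    # Step 3: the downloaded NAXSI rule set (MainRule directives) is loaded
    # once at http level; policies and whitelists are set per Location.
    include /usr/local/etc/nginx/naxsi_core.rules;

    # Steps 1 and 2: two Upstream Servers grouped in one Upstream, no TLS
    # towards the backend. The limits are the ones the text recommends:
    # at most 200 concurrent proxied connections per server, and after 3
    # failed attempts within 30 s a server is skipped for the next 30 s.
    upstream backend_www {
        server 192.0.2.10:8080 max_conns=200 max_fails=3 fail_timeout=30s;
        server 192.0.2.11:8080 max_conns=200 max_fails=3 fail_timeout=30s backup;
    }

    # Step 5: the HTTP Server (frontend). Ports 80 and 443 are exactly the
    # ones the OPNsense web GUI uses by default, which is why step 6 exists.
    server {
        listen 80;
        server_name www.example.com;
        return 301 https://$host$request_uri;   # plain HTTP only redirects
    }

    server {
        listen 443 ssl;
        server_name www.example.com;

        ssl_certificate     /usr/local/etc/nginx/www.example.com.crt;
        ssl_certificate_key /usr/local/etc/nginx/www.example.com.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Step 4: the Location "/" mapped to the Upstream, WAF enabled.
        location / {
            SecRulesEnabled;               # "Enable Security Rules"
            # LearningMode;                # "Learning mode": log what would be
                                           # blocked, but let it through
            DeniedUrl "/RequestDenied";

            # The "Custom Security Policy": every MainRule that matches adds
            # its score to a counter, and the request is denied once a
            # counter reaches its threshold.
            CheckRule "$SQL >= 8" BLOCK;
            CheckRule "$RFI >= 8" BLOCK;
            CheckRule "$TRAVERSAL >= 4" BLOCK;
            CheckRule "$EVADE >= 4" BLOCK;
            CheckRule "$XSS >= 8" BLOCK;

            # Whitelist derived from a learning-mode entry in the nginx error
            # log (constructed for this example). A legitimate search for
            # "o'neil" tripped rule 1013 (simple quote, scores $SQL:4,$XSS:8)
            # in the query argument "q", and $XSS reached the threshold:
            #   NAXSI_FMT: ip=203.0.113.10&server=www.example.com&uri=/search
            #   &learning=1&vers=1.3&total_processed=12&total_blocked=3&block=1
            #   &cscore0=$SQL&score0=4&cscore1=$XSS&score1=8
            #   &zone0=ARGS&id0=1013&var0=q
            # The whitelist disables only that rule, only in that variable;
            # every other parameter and zone is still checked.
            BasicRule wl:1013 "mz:$ARGS_VAR:q";

            proxy_pass http://backend_www;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Blocked requests are redirected here internally and answered with 403.
        location /RequestDenied {
            internal;
            return 403;
        }
    }
}
```

On the firewall the plugin writes and reloads nginx itself, so do not edit the generated file by hand; to see what your GUI objects became, read the generated configuration under /usr/local/etc/nginx (the usual location on OPNsense/FreeBSD, assumed here). To verify the WAF from outside, send a request containing a forbidden character, for example a single quote in a query string: in learning mode you get the normal page plus a NAXSI_FMT line in the nginx error log, in blocking mode a 403. Whitelist as narrowly as the log entry allows (one rule id, one zone, one variable), never with a bare `wl:0` for a whole Location.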

6. OPNsense configuration adjustments

To enable our nginx service without port conflicts, we need to adjust some web GUI settings: by default the OPNsense web GUI listens on port 443 and redirects port 80 to it, the same ports nginx needs for the website.

!! Make sure that you can reach OPNsense from your LAN interface, or add the required firewall rules, before changing the following settings, otherwise you may lock yourself out of the web GUI !!

Go to the System: Settings: Administration menu

Change the web GUI HTTPS port and disable the HTTP redirect rule (port 80).

Go back to the Services: Nginx: Configuration menu and enable the service:

Check Enable and click on the Apply button.

After the configuration is applied, the service will be up and running.

The final step is to create the required firewall rules to allow HTTP/HTTPS traffic on the desired network interface (probably the WAN). Allow only ports 80 and 443 towards the firewall's own address, and make sure the upstream web server is not itself reachable from the WAN; otherwise the WAF can simply be bypassed.

Conclusion

In this article I tried to cover the basic configuration of this great plugin for the awesome OPNsense security platform, to provide some website protection. It is possible to get much more advanced protection with this plugin, but exploring all the possibilities would take many other articles.

Thanks to the OPNsense team and community!
