WAF for HAProxy (Reverse Proxy)
-
Hello everyone,
We have a reverse proxy with HAProxy on pfSense and it works great. To be honest, we are very satisfied with pfSense. However, there is no "WAF" for our reverse proxy. Is there any way for us to mitigate threats such as the OWASP Top 10 on HAProxy with pfSense?
We have some web services that are public-facing and want to protect them as much as possible. They already are behind Cloudflare proxy.
Thanks!
-
@skalyx said in WAF for HAProxy (Reverse Proxy):
However, there is no "WAF" for our reverse proxy.
Hi,
I'm sorry, but I think you are confusing the concepts of NGFW and WAF in this case... firewall and web firewall...
pfSense, even if you use the proxy option, will not give you a WAF.
Please install a WAF behind the web server system, be it VPS, shared hosting, whatever:
- best and simple for you is a paid plan with CF (CloudFlare with WAF)
- or install a free ComodoWAF
- or Atomic OSSEC
- or this https://github.com/SpiderLabs/ModSecurity
-
@DaddyGo
Thanks a lot for your response. I am not really confusing both, but I am not a subject matter expert for sure!!! Actually, I am looking to secure my pfSense without adding too much overhead and investment, but Cloudflare's WAF seems to be a good solution to be honest... Is there nothing else we can do?
Thanks!
-
@skalyx said in WAF for HAProxy (Reverse Proxy):
Is there nothing else we can do?
Nothing to do about it on the pfSense side; it is not recommended to install anything on a front-line protection device that has not been released by the manufacturer.
I can help if you have questions about WAF. In short, we use Atomic products on our high-traffic sites and CWAF for lower loads.
(The high-load sites are also behind the CF pay plan, so double WAF.) I suppose a CWAF would be enough for you at first?
https://waf.comodo.com/
It uses ModSec stuff and it's easy to use, it works well. I mostly use it on Ubuntu Focal Fossa; it works from the CLI too, and if you don't like that you can use Webmin under a graphical interface.
a little taste: (15TB NextCloud server on Ubuntu 20.04-03, Apache + PHP-fpm, PostgreSQL + ComodoWAF + ClamAV)
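As an added illustration of the ModSecurity-based approach discussed in this thread (ModSecurity itself and the CWAF built on top of it), and not code from any post, from Comodo or from the ModSecurity project, here is a minimal mod_security2 configuration for Apache on Ubuntu. The CRS include paths, the audit-log path and the local rule id are assumptions for a typical Debian/Ubuntu package layout and should be adjusted to the actual install.

```apache
# Added example, not from the thread. Minimal ModSecurity 2.x (mod_security2) setup
# for Apache on Ubuntu; paths below are assumed from the modsecurity-crs package layout.
<IfModule security2_module>
    # Start in DetectionOnly: rules are evaluated and logged but nothing is blocked.
    # Review the audit log for a few days, tune false positives, then switch to "On".
    SecRuleEngine DetectionOnly

    # Inspect request bodies (POST forms, JSON), not only the URL and headers.
    SecRequestBodyAccess On

    # Log only transactions that matched a rule or ended in a 4xx/5xx (except 404).
    SecAuditEngine RelevantOnly
    SecAuditLogRelevantStatus "^(?:5|4(?!04))"
    SecAuditLog /var/log/apache2/modsec_audit.log

    # What a rule does when it matches and does not say otherwise.
    SecDefaultAction "phase:2,log,deny,status:403"

    # OWASP Core Rule Set: generic coverage of the OWASP Top 10 request patterns.
    # Assumed locations from the Ubuntu modsecurity-crs package.
    IncludeOptional /etc/modsecurity/crs/crs-setup.conf
    IncludeOptional /usr/share/modsecurity-crs/rules/*.conf

    # One local rule on top of the CRS, in the id range reserved for local rules:
    # deny any request whose query/body argument contains a script tag.
    SecRule ARGS "@rx <script" \
        "id:100001,phase:2,t:none,t:lowercase,t:urlDecodeUni,\
        deny,status:403,log,msg:'Local rule: script tag in request argument'"
</IfModule>
```

The two settings worth checking before going live are SecRuleEngine (DetectionOnly vs On) and the audit log: a WAF that blocks from day one without a tuning period usually ends up disabled after the first false positive on a legitimate form. Since the sites in this thread already sit behind Cloudflare's proxy, the origin web server should also be reachable only from Cloudflare's published IP ranges; otherwise a request sent straight to the origin skips whatever WAF is in front of it.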
-
@daddygo
I really appreciate the great answer. I see! I think I should go with both, but budget is something I am considering. I really lack time these days for my very small company and I am trying to keep costs as low as possible. However, I will really look at CWAF. It seems really promising! Thanks again.