Need help setting up apache/modsecurity reverse proxy - 403 forbidden?
-
Hello all,
I have installed the Apache with mod_security-dev package on my pfSense machine, and I'm trying to set it up as a reverse proxy to protect a web server. However, I could not find any documentation on how to set it up. I spent hours trying various settings, but so far I've only been able to get it to return "403 forbidden".
Here's the setup I had BEFORE I installed the apache reverse proxy (which worked fine):
The web server is connected to the LAN, with IP address 192.168.0.9. I want the web server to use the same public IP address as the pfSense machine, so I disabled webConfigurator on port 80. Then, I added a port forwarding rule to forward inbound port 80 on the WAN IP to 192.168.0.9, and a corresponding firewall rule was automatically added allowing traffic to 192.168.0.9 on port 80. In my DNS, I added a subdomain webserver.domain.com pointing to my pfSense WAN IP, and I was able to access http://webserver.domain.com as expected.
Here's what I've tried doing to set up the reverse proxy:
Presumably I don't need the port forwarding rule anymore, since the pfSense machine will be serving the website to visitors, so I removed the port forward rule and the firewall rule. Then, I added a new firewall rule allowing traffic to my WAN IP on port 80.
Here are my apache reverse proxy settings:
Daemon options tab:
Global site E-mail administrator: default email address
Server hostname: pfSense default hostname
Default Bind to IP Address: WAN address
Default Bind to port: 80
All other boxes are empty.
Backends/Balancers
I have a single entry with the following settings:
Enable: checked
Balancer name: webserver
Description: none
Protocol: HTTP
Internal servers:
FDQN or IP Port Route ID Weight Ping
192.168.0.9 80 1 1
(I really had no idea what to put in the internal servers section so I wouldn't be surprised if it's wrong)
Locations tab:
I have one entry with the following settings:
Identifier: webserver
gzip: yes
Site path: /
Balancer: webserver
LB Method: byrequests
Backend path: /
ModSecurity: base
Manipulations: blank
Balancer options: blank
Virtual Hosts tab:
I have one entry with the following settings:
Enable: checked
Protocol: HTTP
Server name: webserver.domain.com
Inbound Interface: WAN address
Port: 80
Email address: blank
Description: blank
Location: webserver
But like I said, I keep getting 403 forbidden when I try to visit the site. What am I doing wrong? I feel like I'm pretty close, but some minor setting is preventing it from working.
This is the error that shows up in the apache error log:
Client address: [my-ip] client denied by server configuration: /usr/pbi/proxy_mod_security-amd64/www/apache22
-
Hi, I have the same issue.