How to add username/password for fort forwadring in pfsense

caigeliu

You're right. We want an auth before a person reach our website inside LAN, because we have no confidence that our website inside LAN is solid enough to protect any attacks worldwide.

reverse proxy by nginx in Linux should work, but we need to set a separate host for. If HAproxy in pfSense can work, it should be good. Not sure how to find a simple way to configure it.

Crunk_Bass

I only configured HAProxy once so unfortunately I can not give you a very detailed guide with explanations.
Also english is no my native language so I struggle a bit when writing but I'll try my best.
You can find a lot of how-tos online.

THIS IS ONLY FOR TESTING. PLEASE DO YOUR OWN RESEARCH FOR USING IN A PRODUCTIVE ENVIRONMENT.

First you need to install the package (obviously), then go to HAProxy settings and enable it.
Set the internal stats port (I used 2200).
Under Global Advanced pass thru put

userlist SoftwareUsers
user user1 insecure-password randompassword

Next create a backend.
Enter a Name and add a server to the list.
Give it a recognizable name like nameofyourcustomsoftware, put in the address and port and check the Encrypt(SSL) box.

Under Loadbalancing options select none
Health cheking -> none (you don't need it because there is only one backend and no option for a failover)

Now create a frontend.
Listen address -> LAN address (for testing)
Port -> your decision
Type -> ssl / https

Access Control lists:
UserAuthOkay Custom acl: http_auth(SoftwareUsers)

Actions:
http-request auth !UserAuthOkay
realm: realm UserAuthOkay

Derelict

That would just be running another web server application in front.

What OP wants is a VPN.

keyser

In my experience the feature OP is asking for is a really good and very usable idea. Remember that the world is full of old insecure enterprise software that no one knows how to maintain.

I have used the Authentication feature in Microsofts long dead TMG Firewall for that feature for many years. It allowed you to setup a reverse https proxy where you had to complete form based user authentication to the proxy before the backend site was fetched/accessed.

Unfortunately TMG is dead now, and we started to use VPN because I at the time could not find a solution for HAproxy on pfSense.
VPN is Very cumbersome and annoying to say the least - so I would love if we could get the suggested HAproxy solution to work :-) I’m not able to test right now as it will be a couple of weeks before I’m back @ pfSsense maintenance

Pretty good idea in my opinion.

Crunk_Bass

@keyser I got this HAProxy authentication thing working at home.
The only thing that is different is I am using http for communication between proxy and server on the internal network.
Just play with it for a few hours. It is not that complicated.
If you get stuck maybe I can help you with your configuration.

keyser

@Crunk_Bass Thank you so much for that confirmation. I’ll give it a go when I get back. If I can make it work, I think it merrits a little tutorial writeup so others can take advantage of the feature.

keyser

Even though I’m not home right now, the feedback from @Crunk_Bass has provided enough info to confirm that HAproxy now does support user authentication, and it is fairly simple to setup. I found this guide which I think will easily be adopted to pfSense:

https://blog.taragana.com/guide-haproxy-http-basic-authentication-for-specific-sites-ssl-termination-15813

Really cool HAproxy has this feature now. I don’t think it was the case about 8 years ago when I was looking for a TMG replacement - at least I was unable to google my way to the solution if it did exist.

Excellent discovery :-)

johnpoz

@keyser said in How to add username/password for fort forwadring in pfsense:

VPN is Very cumbersome and annoying to say the least

Huh?? The corp world, every user every single day uses vpn... We have 1 customer that has 300+ users vpn'd in every single day.. That is just slow day - if its a snow day or something and more users working at home there are 500+ users vpn'd in.. To access corp resources.

To say its cumbersome is just nonsense plain and simple... Its a click, and auth.. Can it be annoying when you have to put in your pin number to your ticks card in twice in less than 10 seconds sure ;) But this is how security works..

Now they don't have 300+ users coming in via pfsense vpn... But you could ;)

While such a thing is possible with haproxy, its not by any means the best solution to secure access to your apps.

keyser

@johnpoz I’m not arguing that VPN is not widely used or not the best solution. I’m just arguing that in lots af scenarios it’s a hazzle and annoying.
Most users don’t understand what VPN does to their networking connection/stack, some don’t get how and when to use i properly. We have lots of users without fixed devices, so they can only use it intermittenly.
On top of that there’s the whole distribution/installation/management of VPN clients on different clients... just sayin

For webservices access a HTTPS authenticating Proxy has similar security as a VPN client. If you need the two factor auth, you can require a client certificate in HAproxy as well (that does open up the can of management and trouble again though :-) )

tinju

@keyser said in How to add username/password for fort forwadring in pfsense:

Even though I’m not home right now, the feedback from @Crunk_Bass has provided enough info to confirm that HAproxy now does support user authentication, and it is fairly simple to setup. I found this guide which I think will easily be adopted to pfSense:

https://blog.taragana.com/guide-haproxy-http-basic-authentication-for-specific-sites-ssl-termination-15813

Really cool HAproxy has this feature now. I don’t think it was the case about 8 years ago when I was looking for a TMG replacement - at least I was unable to google my way to the solution if it did exist.

Excellent discovery :-)

Interesting that the question in this topic came to my mind yesterday. However there is Kemp and the ESP feature that is actually the same as you described with TMG. There is also a free version just check the limitations.
The reason why one would like the authentication done by Pfsense and not at the service is that the service behind Pfsense is not known by bots. Thus you will not have 5000 css attempts a day on your WordPress site. And no webshell installed now and then. VPN is different. You mostly need software to access it. Its better in many cases but if you would like to give a Link and a Password to a friend. VPN is not the best match.
I try to setup this and let you know. There is already haproxy, LetsEncrypt and some backend servers for my domain. A password for some backend servers would be awesome.

caigeliu

Thanks for all posts. I have tried HAProxy in pfSense, but it make our OpenVPN unable to access the same webpages in LAN. I stopped trying HAProxy, I don't know what I am wrong (I have read many online instructions.).

I don't know how to enable nginx in pfsense. Because there is no nginx in package manager of pfSense, but nginx is in pfsense.

I setup a separate host with nginx inside our LAN, and use port forwarding from outside via pfSense to the nginx after authentication, then forward to our service in LAN. It works.

It is good if we can combine the nginx host into pfSense.

johnpoz

huh? I use ha proxy and share the port... Are you trying to use 443 with openvpn and on haproxy? If so then you have to tell openvpn to share port.

But yeah if your going to require a auth on the port your trying to do openvpn on - you could have issues for sure.

Derelict

I port forward to HAproxy listening on a Localhost VIP and use split DNS to access inside HAproxy sites from inside/VPNs. (Outside connections get forwarded to the Localhost VIP, inside connections connect straight to the localhost VIP)

pwood999

I also think VPN is the way to go (OpenVPN would be my choice), especially if you already have VPN for other staff. Simply configure overrides to restrict your development LAN from general users, and then create Clients for Win, Mac & Linux. Basic users can simply install the clients, wheres more knowledgeable peeps can use the raw config files or package.

I have done exactly this for various customer lab setups that required different access groups for various servers.