Netgate Discussion Forum

    Block Incoming Requests that point to IP vs. URL

    • jsylvia007

      Howdy all!

      Is it possible to block incoming requests to the WAN IP address on a specific port, but allow requests that come in via URL?

      Example:

      Request from WAN comes into 123.45.67.89 to port 80. Block this request.

      Request from WAN comes into example.com to port 80. Allow the request.

      Thanks!

      • keyser (Rebel Alliance)

        Yes, but it will require you to use a reverse HTTP/HTTPS proxy service such as HAProxy. HAProxy exists as a package for pfSense, so it’s fairly easy to set up.
        Basically what you do is:
        1: Install HAProxy as a package, set it up to listen on the loopback adapter.
        2: Create the backend Webservice link to the real webserver in your network.
        3: Set up a frontend webservice that allows ONLY requests for the URLs you want to pass. It will deny everything else.
        4: Create a NAT pass rule from WAN to the Loopback adaptor IP on port 80.

        The beauty is this can also be made to work with HTTPS as you can install the certificate on HAProxy and that will then terminate and decrypt the session and look at the URL.

        Love the no fuss of using the official appliances :-)

        1 Reply Last reply Reply Quote 0
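The four steps in the reply above, written out as a plain haproxy.cfg (an added example, not part of the original post and not the configuration the pfSense package generates from its GUI). The names `www_http`, `www_https`, `web_internal` and `web1`, the backend address 192.0.2.10 and the certificate path are assumptions for illustration.

```haproxy
# Added example: all names, addresses and paths below are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend www_http
    # Step 1: listen on the loopback address. The WAN NAT rule from
    # step 4 forwards port 80 to this socket.
    bind 127.0.0.1:80

    # Step 3: allow only requests whose Host header names the site.
    # hdr(host) compares the whole header value, so the form with an
    # explicit port is listed as well. -i makes the match case-insensitive.
    acl host_ok hdr(host) -i example.com example.com:80

    # A request aimed at the bare WAN address arrives with
    # "Host: 123.45.67.89" (or no Host header), fails the ACL and
    # is answered with 403 instead of reaching the web server.
    http-request deny unless host_ok

    default_backend web_internal

frontend www_https
    # HTTPS variant: TLS is terminated here with the site certificate
    # so that the Host header can be inspected after decryption.
    bind 127.0.0.1:443 ssl crt /path/to/example.com.pem
    acl host_ok hdr(host) -i example.com example.com:443
    http-request deny unless host_ok
    default_backend web_internal

backend web_internal
    # Step 2: the real web server inside the network.
    # 192.0.2.10 is a documentation address, replace with the LAN IP.
    server web1 192.0.2.10:80 check
```

The Host header is supplied by the client, so this keeps out scanners that probe the bare IP address but does not act as authentication for anyone who knows the hostname. The file can be syntax-checked with `haproxy -c -f haproxy.cfg` before it is loaded.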
        • jsylvia007

          Thanks for the tips! This doesn't look too difficult. I may give it a try. I'm not sure how this is going to work with LetsEncrypt certificates (my webserver gets its own). Something else to look into, but this appears to allow what I'm looking for!

          Thanks!
