Block Incoming Requests that point to IP vs. URL



  • Howdy all!

    Is it possible to block incoming requests to the WAN IP address on a specific port, but allow requests that come in via URL?

    Example:

    Request from WAN comes into 123.45.67.89 to port 80. Block this request.

    Request from WAN comes into example.com to port 80. Allow the request.

    Thanks!



  • Yes, but it will require you to use a reverse HTTP/HTTPS proxy service such as HAProxy. HAProxy exists as a package for pfSense, so it’s fairly easy to set up.
    Basically what you do is:
    1: Install HAProxy as a package, set it up to listen on the loopback adapter.
    2: Create the backend webservice link to the real webserver in your network.
    3: Set up a frontend webservice that allows ONLY requests for the URLs you want to pass. It will deny everything else.
    4: Create a NAT pass rule from WAN to the loopback adapter IP on port 80.

    The beauty is this can also be made to work with HTTPS as you can install the certificate on HAproxy and that will then terminate and decrypt the session and look at the URL.
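The steps above, written out as the equivalent hand-edited HAProxy configuration (an added example, not part of the thread or of the pfSense HAProxy package; the package GUI generates the same kind of frontend/backend/ACL definitions). The hostnames example.com and www.example.com come from the question; the backend address 192.168.1.10 is a constructed placeholder for the real web server.

```haproxy
# Frontend that pfSense's NAT rule points at: WAN:80 -> 127.0.0.1:80.
# Only requests whose Host header names one of the allowed sites reach
# the backend; everything else (bare-IP requests, missing Host header,
# unknown names) is refused.
frontend http_in
    bind 127.0.0.1:80
    mode http
    option httplog

    # Host header with any ":port" suffix stripped, compared case-insensitively.
    acl allowed_host req.hdr(host),field(1,:) -m str -i example.com www.example.com

    # Refuse with 403 unless the Host matched. "tcp-request connection reject"
    # could be used instead to drop the connection without a response.
    http-request deny deny_status 403 unless allowed_host

    default_backend web

backend web
    mode http
    # Constructed address of the internal web server (assumption).
    server web1 192.168.1.10:80 check
```

Two points to keep in mind when deploying this. First, it filters on what the client claims in the Host header: a scanner that connects to 123.45.67.89 and sends `Host: example.com` will still get through, so this keeps casual IP-based probing off the web server but is not an access control. Second, for HTTPS the Host header is inside the encrypted session, so HAProxy must either terminate TLS (the certificate lives on HAProxy, as the reply says) or run the frontend in `mode tcp` with a `tcp-request inspect-delay` and an `req.ssl_sni` ACL, which filters on the TLS server name without decrypting and lets the web server keep its own certificate.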



  • Thanks for the tips! This doesn't look too difficult. I may give it a try. I'm not sure how this is going to work with LetsEncrypt certificates (my webserver gets its own). Something else to look into, but this appears to allow what I'm looking for!

    Thanks!