Netgate Discussion Forum

WAF for HAProxy (Reverse Proxy)

Firewalling
5 Posts 2 Posters 8.3k Views
  • S
    skalyx
    last edited by Dec 15, 2021, 10:54 AM

    Hello everyone,

    We have a reverse proxy with HAProxy on pfSense and it works great. To be honest, we are very satisfied with pfSense. However, there is no "WAF" for our reverse proxy. Is there any way for us to mitigate threats such as OWASP top 10 on HAProxy with pfSense?

    We have some web services that are public-facing and want to protect them as much as possible. They already are behind Cloudflare proxy.

    Thanks!

    • D
      DaddyGo @skalyx
      last edited by Dec 15, 2021, 10:03 PM

      @skalyx said in WAF for HAProxy (Reverse Proxy):

      However, there is no "WAF" for our reverse proxy.

      Hi,

      😉 I'm sorry, but I think you are confusing the concepts of NGFW and WAF in this case,.... firewall and web firewall...

      pfSense, even if you use the proxy option, will not give you WAF..

      pls. install a WAF, behind the web server system, be it VPS? shared hosting, whatever

      • best and simple for you is a paid plan with CF (CloudFlare with WAF)
      • or install a free ComodoWAF
      • or Atomic OSSEC
      • or this https://github.com/SpiderLabs/ModSecurity

      Cats bury it so they can't see it!
      (You know what I mean if you have a cat)

      • S
        skalyx @DaddyGo
        last edited by Dec 15, 2021, 11:17 PM

        @DaddyGo
        Thanks a lot for your response. I am not really confusing both, but I am not a subject matter expert for sure!!!

        Actually, I am looking to secure my pfSense without adding too much overhead and investment, but Cloudflare's WAF seems to be a good solution to be honest... Is there nothing else we can do?

        Thanks!

        • D
          DaddyGo @skalyx
          last edited by DaddyGo Dec 16, 2021, 9:45 AM Dec 16, 2021, 9:41 AM

          @skalyx said in WAF for HAProxy (Reverse Proxy):

          Is there nothing else we can do?

          😉 On the pfSense question, there is nothing to do; it is not recommended to install anything on a front-line protection device that has not been released by the manufacturer.

          I can help, if you have questions about WAF, in short, we use Atomic products on our high-traffic sites and CWAF for lower loads.
          (the high load sites are also behind the CF pay plan, so double WAF)

          I suppose a CWAF would be enough for you at first?
          https://waf.comodo.com/

          It uses ModSec stuff and it's easy to use and works well. I mostly use it on Ubuntu Focal Fossa; it works from the CLI too, and if you don't like that you can go to Webmin for a graphical interface.

          a little taste: (15TB NextCloud server on Ubuntu 20.04-03, Apache + PHP-fpm, PostgreSQL + ComodoWAF + ClamAV)


          Cats bury it so they can't see it!
          (You know what I mean if you have a cat)

          • S
            skalyx @DaddyGo
            last edited by Dec 17, 2021, 5:44 PM

            @daddygo
            I really appreciate the great answer. I see! I think I should go with both, but budget is something I am considering. I am really short on time these days for my very small company and I am trying to keep costs as low as possible. However, I will really look at CWAF. It seems really promising!

            Thanks again.

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.