Need help setting up apache/modsecurity reverse proxy - 403 forbidden?



  • Hello all,

    I have installed the Apache with mod_security-dev package on my pfsense machine, and I'm trying to set it up as a reverse proxy to protect a web server. However, I could not find any documentation on how to set it up. I spent hours trying various settings, but so far I've only been able to get it to return "403 forbidden".

    Here's the setup I had BEFORE I installed the apache reverse proxy (which worked fine):

    The web server is connected to the LAN, with IP address 192.168.0.9. I want the web server to use the same public IP address as the pfSense machine, so I disabled webConfigurator on port 80. Then, I added a port forwarding rule to forward inbound port 80 on the WAN IP to 192.168.0.9, and a corresponding firewall rule was automatically added allowing traffic to 192.168.0.9 on port 80. In my DNS, I added a subdomain webserver.domain.com pointing to my pfSense WAN IP, and I was able to access http://webserver.domain.com as expected.

    Here's what I've tried doing to set up the reverse proxy:
    Presumably I don't need the port forwarding rule anymore, since the pfSense machine will be serving the website to visitors, so I removed the port forward rule and the firewall rule. Then, I added a new firewall rule allowing traffic to my WAN IP on port 80.

    Here are my apache reverse proxy settings:
    Daemon options tab:
    Global site E-mail administrator: default email address
    Server hostname: pfSense default hostname
    Default Bind to IP Address: WAN address
    Default Bind to port: 80
    All other boxes are empty.
    Backends/Balancers
    I have a single entry with the following settings:
    Enable: checked
    Balancer name: webserver
    Description: none
    Protocol: HTTP
    Internal servers:
    FQDN or IP        Port      Route ID      Weight      Ping
    192.168.0.9        80          1                    1
    (I really had no idea what to put in the internal servers section so I wouldn't be surprised if it's wrong)
    Locations tab:
    I have one entry with the following settings:
    Identifier: webserver
    gzip: yes
    Site path: /
    Balancer: webserver
    LB Method: byrequests
    Backend path: /
    ModSecurity: base
    Manipulations: blank
    Balancer options: blank
    Virtual Hosts tab:
    I have one entry with the following settings:
    Enable: checked
    Protocol: HTTP
    Server name: webserver.domain.com
    Inbound Interface: WAN address
    Port: 80
    Email address: blank
    Description: blank
    Location: webserver

    But like I said, I keep getting 403 forbidden when I try to visit the site. What am I doing wrong? I feel like I'm pretty close, but some minor setting is preventing it from working.

    This is the error that shows up in the apache error log:

    Client address: [my-ip] client denied by server configuration: /usr/pbi/proxy_mod_security-amd64/www/apache22
    


  • Hi, I have the same issue.