Netgate Discussion Forum

    Need help setting up apache/modsecurity reverse proxy - 403 forbidden?

    pfSense Packages
    • tlng55

      Hello all,

      I have installed the Apache with mod_security-dev package on my pfSense machine, and I'm trying to set it up as a reverse proxy to protect a web server. However, I could not find any documentation on how to set it up. I spent hours trying various settings, but so far I've only been able to get it to return "403 forbidden".

      Here's the setup I had BEFORE I installed the apache reverse proxy (which worked fine):

      The web server is connected to the LAN, with IP address 192.168.0.9. I want the web server to use the same public IP address as the pfSense machine, so I disabled webConfigurator on port 80. Then, I added a port forwarding rule to forward inbound port 80 on the WAN IP to 192.168.0.9, and a corresponding firewall rule was automatically added allowing traffic to 192.168.0.9 on port 80. In my DNS, I added a subdomain webserver.domain.com pointing to my pfSense WAN IP, and I was able to access http://webserver.domain.com as expected.

      Here's what I've tried doing to set up the reverse proxy:
      Presumably I don't need the port forwarding rule anymore, since the pfSense machine will be serving the website to visitors, so I removed the port forward rule and the firewall rule. Then, I added a new firewall rule allowing traffic to my WAN IP on port 80.

      Here are my apache reverse proxy settings:
      Daemon options tab:
      Global site E-mail administrator: default email address
      Server hostname: pfSense default hostname
      Default Bind to IP Address: WAN address
      Default Bind to port: 80
      All other boxes are empty.
      Backends/Balancers
      I have a single entry with the following settings:
      Enable: checked
      Balancer name: webserver
      Description: none
      Protocol: HTTP
      Internal servers:
      FQDN or IP        Port      Route ID      Weight      Ping
      192.168.0.9        80          1                    1
      (I really had no idea what to put in the internal servers section so I wouldn't be surprised if it's wrong)
      Locations tab:
      I have one entry with the following settings:
      Identifier: webserver
      gzip: yes
      Site path: /
      Balancer: webserver
      LB Method: byrequests
      Backend path: /
      ModSecurity: base
      Manipulations: blank
      Balancer options: blank
      Virtual Hosts tab:
      I have one entry with the following settings:
      Enable: checked
      Protocol: HTTP
      Server name: webserver.domain.com
      Inbound Interface: WAN address
      Port: 80
      Email address: blank
      Description: blank
      Location: webserver

      But like I said, I keep getting 403 forbidden when I try to visit the site. What am I doing wrong? I feel like I'm pretty close, but some minor setting is preventing it from working.

      This is the error that shows up in the apache error log:

      Client address: [my-ip] client denied by server configuration: /usr/pbi/proxy_mod_security-amd64/www/apache22
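
For reference, the settings listed in the post correspond roughly to the hand-written Apache 2.2 configuration below; this is an added example, not the configuration the pfSense package generates and not part of the original post. The logged path in the error line is a filesystem directory, which is what Apache 2.2 reports when a request is mapped to a local directory rather than handed to mod_proxy. Assumptions: the proxy and mod_security2 modules are already loaded, and `*` stands in for the WAN address.

```apache
# Added example, hand-written for Apache 2.2; not output of the pfSense package.
# Assumes mod_proxy, mod_proxy_http, mod_proxy_balancer and mod_security2 are loaded.

# The post binds to the WAN address on port 80; "*" stands in for that address.
Listen 80
NameVirtualHost *:80

# Reverse proxy only: never act as an open forward proxy.
ProxyRequests Off

# "Backends/Balancers" entry: balancer "webserver" with one internal server.
<Proxy balancer://webserver>
    BalancerMember http://192.168.0.9:80 route=1
    ProxySet lbmethod=byrequests
    # Apache 2.2 access control for proxied requests. A denial at this level is
    # logged with a "proxy:" target, not with a filesystem path.
    Order allow,deny
    Allow from all
</Proxy>

<VirtualHost *:80>
    # "Virtual Hosts" entry. With name-based virtual hosts, a request whose Host
    # header matches no ServerName is served by the first vhost defined for that
    # address, so check which vhost actually receives the request.
    ServerName webserver.domain.com

    # "Locations" entry: site path / mapped to backend path / on the balancer.
    ProxyPass        / balancer://webserver/
    ProxyPassReverse / http://192.168.0.9/

    # "ModSecurity: base". DetectionOnly logs rule matches without blocking, which
    # separates a rule-engine 403 ("ModSecurity: Access denied with code 403")
    # from an access-control 403 ("client denied by server configuration").
    <IfModule security2_module>
        SecRuleEngine DetectionOnly
    </IfModule>
</VirtualHost>
```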
      
      • cmenghi

        Hi, I have the same issue.

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.