opnsense / plugins

OPNsense plugin collection
https://opnsense.org/
BSD 2-Clause "Simplified" License

Add additional Crowdsec bouncers (Caddy, nginx, HaProxy) #4294

Open JonathanCrouse opened 1 month ago

JonathanCrouse commented 1 month ago


Is your feature request related to a problem? Please describe.
OPNsense currently only supports the crowdsec-firewall-bouncer remediation component (bouncer). This works great for blocking direct traffic to the firewall but does not allow Layer 7 blocking. For example, I use Cloudflare proxy and my WAN only accepts inbound from the Cloudflare IP ranges (https://www.cloudflare.com/ips/). That's all the firewall sees, so it can't block by the proxy protocol or x-forwarded-for header that caddy, nginx, and haproxy would see.

Describe the solution you'd like
I would like to see these additional bouncers added as installation candidates in OPNsense.

Describe alternatives you've considered
I have considered moving nginx off of my OPNsense box and running it in linux just to have this functionality but would ideally like to keep it where it's at.

I could also set up Crowdsec and the Bouncers on each one of my services but would prefer to have it right on the reverse proxy.

I have also looked into using the Crowdsec Blocklist Mirror bouncer, but nginx does not allow the use of a file location in the IP ACL section and I would need to manually change the formatting to meet nginx requirements.

Additional context
Crowdsec resources for the mentioned bouncers:
Caddy Bouncer - https://app.crowdsec.net/hub/author/hslatman/remediation-components/caddy-crowdsec-bouncer
nginx Bouncer - https://docs.crowdsec.net/u/bouncers/nginx
Haproxy Bouncer - https://docs.crowdsec.net/u/bouncers/haproxy
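The gap this request describes, shown as runnable code (an added example written for this page, not code from the OPNsense plugins repository or from any CrowdSec bouncer): a Layer 3/4 firewall bouncer can only judge the TCP peer, which behind Cloudflare is always a proxy address, while a Layer 7 bouncer recovers the real client from X-Forwarded-For and judges that. The example also shows the defender-side rule that makes this safe: the header is honoured only when the peer is a trusted proxy, walking the hop list from the right and skipping trusted hops, so a directly connected client cannot spoof its way past a decision. The last function renders a plain IP/CIDR list, as served by a blocklist mirror, into nginx `deny` directives, which is the manual reformatting step mentioned above. The proxy ranges, decisions and addresses are all constructed sample data; the real Cloudflare ranges must come from the URL in the issue.

```python
"""Added example: L3/L4 view vs L7 view of a client behind a reverse proxy.

Not part of the OPNsense issue or any CrowdSec project code. All ranges,
addresses and decisions here are constructed sample data.
"""
import ipaddress
from typing import Iterable, Optional

# Constructed stand-in for the published trusted proxy ranges (the real
# Cloudflare list is at https://www.cloudflare.com/ips/ and is not this).
TRUSTED_PROXY_CIDRS = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8:100::/48"),
]

# Constructed sample of active decisions: single IPs and ranges.
SAMPLE_DECISIONS = [
    "203.0.113.7",
    "203.0.113.128/25",
    "2001:db8:bad::/48",
]


def _parse_networks(entries: Iterable[str]):
    """Parse IPs/CIDRs into network objects; a bare IP becomes a /32 or /128."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]


def _is_trusted_proxy(addr, trusted) -> bool:
    # `in` returns False across address families, so mixed lists are safe.
    return any(addr in net for net in trusted)


def resolve_client_ip(peer_ip: str, xff: Optional[str],
                      trusted=TRUSTED_PROXY_CIDRS) -> str:
    """Return the address a decision should be evaluated against.

    If the TCP peer is not a trusted proxy, X-Forwarded-For is under the
    client's control and is ignored: the peer is the client. If the peer is
    trusted, walk the header from the right (most recently appended hop)
    and return the first hop that is not itself a trusted proxy. A malformed
    header or a chain made only of trusted hops falls back to the peer.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _is_trusted_proxy(peer, trusted) or not xff:
        return str(peer)
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: trust none of it
        if not _is_trusted_proxy(addr, trusted):
            return str(addr)
    return str(peer)


def is_blocked(client_ip: str, decisions=SAMPLE_DECISIONS) -> bool:
    """True if the address matches any active decision (single IP or range)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in _parse_networks(decisions))


def firewall_view_vs_l7_view(peer_ip: str, xff: Optional[str]):
    """(what a firewall bouncer can decide, what an L7 bouncer decides)."""
    return is_blocked(peer_ip), is_blocked(resolve_client_ip(peer_ip, xff))


def to_nginx_deny(entries: Iterable[str]) -> str:
    """Render a plain IP/CIDR list as nginx ngx_http_access_module `deny` lines.

    Single addresses are emitted without a /32 or /128 suffix; the output is
    meant to be written to a file that an nginx config then `include`s.
    """
    lines = []
    for net in _parse_networks(entries):
        if net.num_addresses == 1:
            lines.append(f"deny {net.network_address};")
        else:
            lines.append(f"deny {net.with_prefixlen};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Real client 203.0.113.200 (inside a decided range) arriving via a
    # trusted proxy: the firewall sees only the proxy and passes it, the
    # L7 bouncer attributes the request to the client and blocks it.
    print(firewall_view_vs_l7_view("198.51.100.10", "203.0.113.200"))
    # Directly connected peer trying to spoof the header: header ignored.
    print(resolve_client_ip("203.0.113.7", "192.0.2.1"))
    print(to_nginx_deny(SAMPLE_DECISIONS), end="")
```

The right-to-left walk is what makes the header usable at all: anything left of the first trusted hop was written by whoever connected to that hop, so only the hop the trusted proxy itself appended is evidence of the client's address.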

Monviech commented 1 month ago

Just to spin the issue further, shouldn't the most front end reverse proxy be responsible to block the bad actors?

In this case, Cloudflare should sanitize the traffic before they send it to you?

E.g., Cloudflare crowdsec bouncer?

https://docs.crowdsec.net/u/bouncers/cloudflare/