The goal of this tutorial is to access an internal web server via the reverse proxy.

Last adaptation to the version: 14.1.1 (11.2025)

New: This article refers to a Beta version.

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g. https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: Applications > Reverse-Proxy

  • With v12.7.0, nginx can be selected as the reverse proxy engine.
  • Changing the engine will most likely require adjusting the configuration, as each engine supports different features.
  • Unsupported settings are marked after the changeover.


Intended use

A reverse proxy controls access from the Internet to "internal" web servers. Unlike a plain port forwarding, the reverse proxy can apply dedicated filter rules (ACL sets) to the requests, and with only one public IP address several internal web servers can be addressed, selected by the requested domain name. TLS from the Internet is terminated on the UTM, so the certificate for the public name lives on the appliance rather than on every internal server.

Another highlight is load balancing: servers can be combined into groups, and requests are distributed among the members of a group using the selected algorithm (e.g. round-robin).


Requirements

The following values are assumed for the example configuration:

  • Web server with the private IP: 10.1.0.150
  • Domain: www.ttt-point.de


Preparations

  • Attention:
    If the web server is also to be accessed via https, the port of the user interface must be changed first.

    In the factory setting, port 443 (https) is already occupied by the user web interface of the UTM and must therefore be moved to another port.
    The setting is found in the menu Network > Appliance Settings, area Appliance Settings, section Webserver.
    • If necessary, packet filter rules that allow access to the user web interface must be adjusted to the new port.
    • Save

  • Certificate
    • For https, the reverse proxy needs a certificate with which it accepts the encrypted connection from the client.
    • The certificate is taken from Authentication > Certificates.
    • If a locally self-created certificate is used, external users must confirm a certificate warning when they open the site for the first time.
    • It is better to import a publicly issued, purchased certificate or to create an ACME certificate.
    • Important: the name of the certificate must match the external domain.
      In this example, a wildcard certificate *.ttt-point.de is used. A wildcard covers exactly one label: www.ttt-point.de is covered, ttt-point.de itself and a.b.ttt-point.de are not.

  • Packet filter rule

    For the reverse proxy to be reachable, the following packet filter rule must be in place. This can be checked under Firewall > Port filter. If it is not present, Add rule creates it.

    #  Source    Destination         Service  NAT  Logging  Action  Active
       internet  external-interface  https         3/Min    Accept  On

    If http is also to be accepted (mode HTTP + HTTPS), a corresponding packet filter rule must also be created for the http service.

  • Using multiple IP addresses differently

    New as of 05.2025:
    If several public IP addresses are available, the ports of the different IP addresses can be used differently (e.g. one address for the reverse proxy and another for VPN).
    This can be helpful, as connections to certain ports are sometimes blocked from abroad, whereas connections to port 443 are usually allowed.
    For this, the reverse proxy rule must explicitly use the "external interface" of the specific IP as its destination. For the other use, the traffic is redirected with DestNAT: it arrives on port 443 but is redirected to another port (e.g. 1194 for OpenVPN) by a packet filter rule.

    #  Source    Destination             Service      NAT                                                             Logging  Action  Active
       internet  external-interface-ip3  openvpn-tcp  DN (network object: external-interface-ip1, service: https)    3/Min    Accept  On
       internet  external-interface-ip2  https                                                                        3/Min    Accept  On
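Once the certificate and the packet filter rule are in place, it is worth checking from the outside what the reverse proxy actually presents. The following Python script is an added example and is not part of the wiki page or of the appliance: it connects to the UTM's public address with the external domain as SNI, reports whether the certificate chain validates against the system trust store (a locally self-created certificate produces the browser warning mentioned above) and checks whether the certificate's names cover the domain using the wildcard rule browsers apply. The public IP 203.0.113.1 is a constructed placeholder; the domain and port are those of the example setup.

```python
"""Added example: check what the reverse proxy presents on its public side.

Not appliance code; PUBLIC_IP is a constructed placeholder."""
import socket
import ssl

PUBLIC_IP = "203.0.113.1"        # constructed: the UTM's external interface address
DOMAIN = "www.ttt-point.de"      # external domain name from the page's example
PORT = 443                       # SSL proxy port as configured in the wizard


def cert_covers(hostname, names):
    """Hostname matching as browsers do it (RFC 6125): a wildcard label matches
    exactly one DNS label, so '*.ttt-point.de' covers 'www.ttt-point.de' but
    neither 'ttt-point.de' nor 'a.b.ttt-point.de'."""
    host = hostname.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            suffix = name[1:]                       # ".ttt-point.de"
            if host.endswith(suffix):
                prefix = host[: -len(suffix)]       # what the '*' would stand for
                if prefix and "." not in prefix:
                    return True
        elif name == host:
            return True
    return False


def public_cert_names(host, port, sni):
    """DNS names in the certificate offered for `sni`, or None when the chain
    does not validate against the system trust store (self-created certificate:
    external users will get the browser warning the page mentions)."""
    ctx = ssl.create_default_context()      # TLS 1.2+ and the system CA bundle
    ctx.check_hostname = False              # a name mismatch is diagnosed by cert_covers() instead
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=sni) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def check_public_side(host, port, sni):
    """Human-readable findings; an empty list means nothing to complain about."""
    findings = []
    names = public_cert_names(host, port, sni)
    if names is None:
        findings.append("certificate chain is not publicly trusted (self-created certificate?)")
    elif not cert_covers(sni, names):
        findings.append(f"certificate names {names} do not cover {sni}")
    return findings


if __name__ == "__main__":
    for line in check_public_side(PUBLIC_IP, PORT, DOMAIN) or ["OK"]:
        print(line)
```

Run it from a host outside the UTM's own network; if it reports a name mismatch although a wildcard certificate is installed, the external domain is most likely the bare apex or has more than one label below the wildcard.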

Setup wizard

Under Application > Reverse-Proxy, the wizard is opened with the button Reverse-Proxy assistant in the header.

Step 1 - Internal

Target server: www.ttt-point.de
    If the host has already been created as a network object, it can be selected directly in the drop-down menu.
Add network object
    If no network object has been created yet, one can be created with this button.
Port: 443
    The web server is to be reached via an encrypted connection.
Use SSL: On
    Determines whether TLS is used for the connection to the server.

[ - ] Advanced settings

These TLS settings apply to the connection between this appliance and the (local) server.
For TLS settings between the clients and this appliance, the settings in Authentication > Encryption, area Reverse-Proxy, apply.

Use default TLS settings: Yes
    Allows connections with TLS 1.2 or 1.3 only.
Minimal TLS version: Use default value
    The outdated TLS versions 1.1 and 1.0 can be selected here.
Cipher suite: Use default value
    To set an OpenSSL security level directly, the notation @SECLEVEL=N can be appended to the cipher string, where N is the selected level from 0 to 5.
    • Security level 0 also admits servers that only offer outdated and insecure algorithms. This is strongly discouraged; instead the server should be updated.
    • A specific cipher or DEFAULT must still be given in front of @SECLEVEL.
    • Examples:
      • DEFAULT@SECLEVEL=0
      • ECDHE-RSA-AES256-SHA@SECLEVEL=0
Next

Step 2 - External

External domain name: www.ttt-point.de
    The name under which the server behind the UTM is addressed from outside.
    • The public IP address that the client calls from the Internet can also be entered here. However, it is then not possible to distinguish further individual servers by additional subdomains.
    • This configures the external access so that the reverse proxy responds to requests for this name.
Next

Step 3 - External (Global)

Mode: HTTP + HTTPS
    Mode to be used
Proxy port: 80
    Port for the proxy of the corresponding server
SSL proxy port: 443
    Port for the SSL proxy of the corresponding server
SSL certificate: *.ttt-point.de
    The certificate prepared in the step Preparations is selected here.
Next

Step 4 - Authentication

Forward authentication: Provide login data
    The proxy itself does not authenticate the client; it sends the configured login data to the server.
    The string can include URL escapes (e.g. %20 for spaces).
    This also means that a literal % must be written as %%.
No authentication!
Forward access data (client)
    Forwards the client's authentication headers to the remote station: login data the UTM receives from the client is sent on to the server. No authentication on the proxy is required for this option.
Forward access data (client & proxy)
    Both proxy and WWW authorisation headers received from the client are forwarded unchanged to the remote peer.
Login name
Password
    Only for Provide login data
Finish

Server groups and Sites

New as of: 14.1.1

Add server group

Arranging servers in server groups makes it possible to map different relationships in the reverse proxy:
    • 1:1 - one domain/IP : one server
    • 1:N - one domain/IP : multiple servers (load balancing)
    • N:1 - multiple domains/IPs : one server
    • N:M - multiple domains/IPs : multiple servers (load balancing)
  • A port forwarding only allows a 1:1 relationship; the connection is forwarded to exactly one server.
  • Add server group: adds a new server group.
    The wizard creates a server group automatically.

General
    Name
        Name of the server group (not editable)
    Use SSL: No
        Determines whether TLS is used for the connections to the servers of this group

Authentication
  • With the nginx engine, authentication is configured centrally for the entire group.
    With the squid engine, it is configured individually for each server.
  • Forward authentication: Provide login data
        The proxy itself does not authenticate the client; it sends the configured login data to the server.
        The string can include URL escapes (e.g. %20 for spaces).
        This also means that a literal % must be written as %%.
    Forward access data (client)
        Forwards the client's authentication headers to the remote station: login data the UTM receives from the client is sent on to the server. No authentication on the proxy is required for this option.
    Forward access data (client & proxy)
        Both proxy and WWW authorisation headers received from the client are forwarded unchanged to the remote peer.
    Login name:
        Only for Provide login data
    Password:
        Only for Provide login data
    Forward connection-oriented Microsoft authentication: off
        New as of v12.7.1
        Enables support for NTLM, Negotiate and Kerberos
Server
    Add server
        A new server can be added with this button.
    Search field for the servers
    Network: www.ttt-point.de
        Name of the network object
    IP address: 10.1.0.150
        IP address of the web server
    Port: 443
        Port via which the server is addressed
    TLS: Default @SECLEVEL=4
        TLS settings for this server
    Delete
        Removes the server from the server group
    Edit
        Opens the server entry of the server group for editing

Add server
    General
        Network: Name
            Network object of the server; the button opens the dialogue for adding a network object
        Port: 80
            Port via which the server is to be addressed

    Advanced settings

    These TLS settings apply to the connection between this appliance and the (local) server.
    For TLS settings between the clients and this appliance, the settings in Authentication > Encryption, area Reverse-Proxy, apply.

    Use default TLS settings: Yes
        Allows connections with TLS 1.2 or 1.3 only.
    Minimal TLS version: Use default value
        The outdated TLS versions 1.1 and 1.0 can be selected here.
    Cipher suite: Use default value
        To set an OpenSSL security level directly, the notation @SECLEVEL=N can be appended to the cipher string, where N is the selected level from 0 to 5.
        • Security level 0 also admits servers that only offer outdated and insecure algorithms. This is strongly discouraged; instead the server should be updated.
        • A specific cipher or DEFAULT must still be given in front of @SECLEVEL.
        • Examples:
          • DEFAULT@SECLEVEL=0
          • ECDHE-RSA-AES256-SHA@SECLEVEL=0
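Before pasting a cipher string with @SECLEVEL into the Cipher suite field (here or in step 1 of the wizard), it helps to see what the string actually resolves to, and to find out whether the internal server really needs security level 0 or should rather be updated, as the note above recommends. The following Python script is an added example, not part of the wiki page or of the appliance: it resolves a cipher string with the OpenSSL that Python links against (so the list is this machine's view and may differ slightly from the UTM's build), lists which suites only become reachable by dropping to SECLEVEL=0, and probes which TLS versions the backend completes a handshake with. The backend address 10.1.0.150:443 is the one from the example setup.

```python
"""Added example: resolve an OpenSSL cipher string such as 'DEFAULT@SECLEVEL=0' the way the
engine will, and probe which TLS versions the internal server still offers.

Not appliance code; the resolved list reflects the local OpenSSL build."""
import socket
import ssl

BACKEND = ("10.1.0.150", 443)   # web server from the page's example setup


def resolve_ciphers(cipher_string):
    """Suite names that `cipher_string` enables; OpenSSL honours a trailing '@SECLEVEL=N'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)          # raises ssl.SSLError on an unparsable string
    return sorted(c["name"] for c in ctx.get_ciphers())


def removed_by_level(base, level):
    """Suites that `base` enables at security level 0 but not at `level`: what a client
    loses when the level is raised, or gains (unsafely) when it is lowered."""
    low = set(resolve_ciphers(f"{base}@SECLEVEL=0"))
    high = set(resolve_ciphers(f"{base}@SECLEVEL={level}"))
    return sorted(low - high)


def offered_versions(host, port):
    """TLS versions the server completes a handshake with. The probing client is put at
    security level 0 so that it is able to offer TLS 1.0/1.1 at all; the answer tells
    you whether the server needs updating, not that you should lower the level."""
    offered = []
    for version in (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1,
                    ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_3):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE     # we probe protocol support, not trust
        ctx.set_ciphers("DEFAULT@SECLEVEL=0")
        try:
            ctx.minimum_version = ctx.maximum_version = version   # ValueError if the build lacks it
            with socket.create_connection((host, port), timeout=5) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    offered.append(version.name)
        except (ValueError, OSError):       # ssl.SSLError is an OSError
            pass
    return offered


if __name__ == "__main__":
    print("suites at DEFAULT@SECLEVEL=2:", len(resolve_ciphers("DEFAULT@SECLEVEL=2")))
    print("only reachable with SECLEVEL=0:", removed_by_level("DEFAULT", 2))
    print("backend offers:", offered_versions(*BACKEND))
```

If the backend only shows up for TLSv1 or TLSv1_1, the right fix is on the server; ECDHE-RSA-AES256-SHA@SECLEVEL=0 should be a temporary measure documented as such.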

Sites

New as of v14.1.1
Once a server group exists, a site can be added with the button Add site.

Invalid configurations are marked with a warning symbol. Hovering over the warning shows a short description of the problem.
All sites must have an active dstdom*-ACL (dstdomain or dstdom_regex), otherwise they are ignored.

Add site
    Domain name: www.ttt-point.de
        The name under which the server behind the UTM is addressed from outside.
    Server group: servergroup-www.ttt-point.de
        The associated server group is selected here.
    Client bandwidth: 0 kbit/s
        Maximum bandwidth that should be available to a client.
    Load distribution: round-robin
        round-robin: the connections are handed to the servers of the group in turn.
        userhash: a user's connections (hash on the user name) are always routed to the same server.
        sourcehash: connections from the same source IP address are always routed to the same server.
    Redirect HTTP: No
        Only with mode HTTP + HTTPS. When activated, HTTP requests are redirected to the HTTPS port.
    Websockets: off
        Activates WebSocket connections for the site.
    Site-specific proxy port: On, 80 (default: off)
        Enables a specific port for HTTP connections of this site.
    Site-specific SSL proxy port: On, 8443 (default: off)
        Enables a specific port for HTTPS connections of this site.
    Site-specific SSL certificate: off
        A site-specific server certificate can be selected.
    ACL sets: TTT-Point Login, allow
        Selection of an ACL set to be added.
    Add
        Adds the selected ACL set.
    Sites need at least one ACL set that contains a dstdomain or dstdom_regex ACL.
    This ACL set must be assigned to the site with the action allow and have the status On.
    Pos.
        The order of the ACL sets can be changed by drag and drop.
        • The allowed ACL sets should generally come before the forbidden ones.
    ACL set: aclset-www.ttt-point.de
        Name
    Action
        Whether requests matching the ACL set are allowed or denied
    Status: On
        Activation or deactivation of the ACL set for this site
    Delete
        Removes the ACL set from the site

Combination example
By combining different ACL sets with corresponding actions, it is possible, for example, to ensure that the login page of a server can only be reached from a specific (e.g. your own) public IP address: an allow set matching the login path and the trusted source IP is placed first, followed by a deny set matching the login path for every other source, followed by the general allow set for the domain.

ACL Sets

Access rights are assigned via ACLs, which are grouped into ACL sets.

ACLs
    Assigned ACLs are displayed as labels on each ACL set, e.g. "dstdomain: anyideas.de  urlpath_regex: \/owa" or "dstdomain: anyideas.de  dstdomain: ttt-point.de  proto: HTTPS".
    • Several ACLs of different types within a set are combined with a logical AND.
    • Several ACLs of the same type within a set are combined with a logical OR.
    In the second example both anyideas.de and ttt-point.de are accepted, but in both cases only if the request arrives via https.
    A regex that ignores upper and lower case is shown with the parameter -i, e.g. "dstdom_regex: -i ttt-point\.de\/HOME" (new as of v14.1.0).
Edit
    Opens the dialog for editing the ACL set
Delete
    Removes the ACL set
Add ACL set
    Opens the dialog for adding an ACL set

ACL types (dialog Add ACL)
    dstdom_regex
        Regex on the target domain. Example: ttt-point\.(de|com)$
        A regex matches anywhere in the name, so anchor it (as with $ here); an unanchored pattern would also match a name such as ttt-point.de.example.net.
    dstdomain
        Domain or IP of the destination server. Example: www.ttt-point.de or an IP address
    proto
        Protocol. Example: http, https
    req_header
        Filter on a header of the client request; the header name and a regex matching its value must be given. Example: Accept-Language en-US
    src
        Source IP of the client. Example: 203.0.103.203 or 203.0.103.203/32
    srcdom_regex
        Only for the squid engine. Regex on the source domain, which is determined by a reverse lookup of the client's IP address. Example: anyideas
    srcdomain
        Only for the squid engine. Domain of the sender. Example: anyideas.de or *.anyideas.de
    time
        Period during which the site may be accessed. Example: M T W H F 9:00-17:00
        S - Sunday, M - Monday, T - Tuesday, W - Wednesday, H - Thursday, F - Friday, A - Saturday, D - all weekdays
    urlpath_regex
        Regex matching the URL path behind the target domain. Example: \/owa matches ttt-point.de/owa
    Note upper and lower case: Yes
        New as of v14.1.0. Configures whether regex arguments are matched case-sensitively.
    Save and close dialog
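The AND/OR semantics of an ACL set, the ordered evaluation of a site's ACL sets and the case-sensitivity switch are easiest to understand by running them. The following Python evaluator is an added example, not code from the wiki page or from the appliance: it models the rules exactly as the page states them (AND across ACL types, OR among ACLs of the same type, dstdomain/dstdom_regex required for a usable site) and plays through the combination example above, a login page reachable only from the operator's own network. Two things are assumptions, not statements of the page: that the first enabled ACL set in Pos. order decides, and that nothing matching means deny; both are consistent with the advice to put allow sets before deny sets, but confirm them against the appliance before relying on them. The trusted network 203.0.113.0/24 and the test addresses are constructed.

```python
"""Added example: evaluate a site's ACL sets the way the page describes them.

Within one ACL set, ACLs of different types are ANDed and ACLs of the same type are ORed.
The site's ACL sets are walked in Pos. order; first enabled match wins and an unmatched
request is denied (both are assumptions, not appliance behaviour documented on the page)."""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime

# Day letters from the page's time ACL legend, mapped to datetime.weekday() (Mon=0 .. Sun=6)
DAYS = {"S": 6, "M": 0, "T": 1, "W": 2, "H": 3, "F": 4, "A": 5}


@dataclass
class Request:
    dstdomain: str
    proto: str
    urlpath: str
    src: str
    headers: dict = field(default_factory=dict)
    when: datetime = field(default_factory=datetime.now)


def time_matches(spec, when):
    """'M T W H F 9:00-17:00': day letters (D = all weekdays, assumed Mon-Fri) and a clock range.
    `when` may be a datetime or an ISO 8601 string."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    *days, clock = spec.split()
    allowed = set()
    for d in days:
        allowed.update(range(5) if d == "D" else [DAYS[d]])
    (sh, sm), (eh, em) = (map(int, t.split(":")) for t in clock.split("-"))
    minute = when.hour * 60 + when.minute
    return when.weekday() in allowed and sh * 60 + sm <= minute < eh * 60 + em


def acl_matches(acl_type, arg, req, case_sensitive=True):
    """One ACL against one request; the regex types honour the case-sensitivity switch."""
    flags = 0 if case_sensitive else re.IGNORECASE
    if acl_type == "dstdomain":
        return req.dstdomain.lower() == arg.lower()      # DNS names are case-insensitive anyway
    if acl_type == "dstdom_regex":
        return re.search(arg, req.dstdomain, flags) is not None
    if acl_type == "proto":
        return req.proto.lower() == arg.lower()
    if acl_type == "urlpath_regex":
        return re.search(arg, req.urlpath, flags) is not None
    if acl_type == "src":
        return ipaddress.ip_address(req.src) in ipaddress.ip_network(arg, strict=False)
    if acl_type == "req_header":
        name, pattern = arg.split(None, 1)
        value = req.headers.get(name)
        return value is not None and re.search(pattern, value, flags) is not None
    if acl_type == "time":
        return time_matches(arg, req.when)
    raise ValueError(f"unsupported ACL type {acl_type!r}")


def aclset_matches(acls, req, case_sensitive=True):
    """AND across ACL types, OR among ACLs of the same type."""
    by_type = {}
    for acl_type, arg in acls:
        by_type.setdefault(acl_type, []).append(arg)
    return all(any(acl_matches(t, a, req, case_sensitive) for a in args)
               for t, args in by_type.items())


def site_decision(site_acls, req, case_sensitive=True):
    """site_acls: [(acls, action, enabled), ...] in Pos. order; first enabled match wins."""
    for acls, action, enabled in site_acls:
        if enabled and aclset_matches(acls, req, case_sensitive):
            return action
    return "deny"                                          # assumed implicit deny


def site_is_usable(site_acls):
    """The page's rule: an enabled allow set containing a dstdomain or dstdom_regex ACL is required."""
    return any(enabled and action == "allow"
               and any(t in ("dstdomain", "dstdom_regex") for t, _ in acls)
               for acls, action, enabled in site_acls)


# Constructed: the combination example, login page reachable only from the operator's own network
OWN_NET = "203.0.113.0/24"
LOGIN_SITE = [
    ([("dstdomain", "www.ttt-point.de"), ("urlpath_regex", r"^/login"), ("src", OWN_NET)], "allow", True),
    ([("dstdomain", "www.ttt-point.de"), ("urlpath_regex", r"^/login")], "deny", True),
    ([("dstdomain", "www.ttt-point.de"), ("proto", "https")], "allow", True),
]

if __name__ == "__main__":
    for src, path in (("203.0.113.10", "/login"), ("198.51.100.5", "/login"), ("198.51.100.5", "/owa")):
        print(src, path, site_decision(LOGIN_SITE, Request("www.ttt-point.de", "https", path, src)))
```

Note what the case-sensitivity switch does to the combination example: with "Note upper and lower case: Yes", a request for /LOGIN from an untrusted address slips past the deny set (the pattern ^/login does not match) and is accepted by the general allow set; with the switch off it is denied as intended. Whether the backend treats /LOGIN and /login as the same resource is a property of that server, so path-based ACLs should be written case-insensitively or anchored on what the server actually serves.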

Options

Engine: nginx
    New as of v12.7.0. Selection of the engine to be used: nginx (recommended) or squid (deprecated).
    • A change of engine will most likely require adjusting the configuration, as each engine supports different features. After the changeover, unsupported settings are marked.
    • An engine change is only carried out on Save.
Mode: HTTP + HTTPS
    Mode to be used
Proxy port: 80
    Port for the proxy of the corresponding server
SSL proxy port: 8443
    Port for the SSL proxy of the corresponding server
SSL certificate: *.ttt-point.de
    Certificate for the corresponding server. Only certificates with a private key part can be selected.
Websocket timeout: 60
    New as of v12.7.0. Defines the timeout for websocket connections.
Activate certificate-based authentication
    SSL-CA: CA ttt-point.de (updated)
        The CA against which the clients' personal certificates are verified for certificate-based authentication.
    • Can be activated for non-public (web) servers; clients without a certificate issued by this CA are then not let through to the server.

  • Import of personal certificates

    New in the wiki

    For the function Activate certificate-based authentication to work, the personal (client) certificate must be available in the browser that is used. The figures below show the import into the Windows certificate store (used by browsers that rely on it), into Firefox, and via a browser's own settings dialogue.

  • Windows certificate import wizard
    Fig.1
    Open the folder with the certificate file and double-click the file.
    Fig.2
    In the certificate import wizard, select the "Current User" option and confirm with "Next".
    Fig.3
    The certificate file to be imported is shown in the "File name" field. Click "Next" to continue.
    Fig.4
    The "Password" field expects the password that was assigned when the certificate file was downloaded. It is advisable to tick "Mark this key as exportable" and "Include all extended properties" in case the personal certificate is to be exported from the browser later. Then click "Next".
    Fig.5
    In the next step of the wizard, select the option "Automatically select the certificate store ..." and confirm with "Next".
    Fig.6
    The wizard shows a summary of the settings made. "Finish" imports the personal certificate.
    Fig.7
    The import was successful.


  • Firefox
    Firefox can also be configured to use the Windows certificate store, and the setting can be distributed via GPO. Note that the preference named on the page, security.enterprise_roots.enabled = true, only imports root CAs from the Windows store; for personal (client) certificates from the Windows store the relevant preference is security.osclientcerts.autoload = true. Without one of these, the certificate is imported into Firefox's own store as follows.
    Fig.1
    Select "Settings" from the application menu.
    Fig.2
    Select the "Privacy & Security" category on the left-hand side of the window. In the right-hand area, go to "Certificates" and click "View Certificates ...".
    Fig.3
    In the certificate manager, switch to the "Your Certificates" tab. The list is still empty, as no personal certificate has been imported yet. Click "Import".
    Fig.4
    Select the certificate file and click "Open" to start the import.
    Fig.5
    The "Password" field expects the password that was assigned when the certificate file was downloaded.
    Fig.6
    The imported personal certificate is now listed on the tab. Click "OK" to close the certificate manager.


  • Import via the browser's settings dialogue
    Fig.1
    Select "Settings" from the application menu.
    Fig.2
    Select the "Privacy and security" category on the left-hand side of the window.
    Fig.3
    Scroll down to the "Advanced" section and select "Manage certificates".
    Fig.4
    Click "Import".
    Fig.5
    Select the certificate file and click "Open" to start the import.
    Fig.6
    The "Password" field expects the password that was assigned when the certificate file was downloaded. Confirm with "OK".
    Fig.7
    The certificate is now listed and the import is complete.