When integrating OPNsense with a unified internal domain through an Apache reverse proxy, you might encounter this error when accessing the web GUI:
The HTTP_REFERER "https://opnsense.demo.com/" does not match the predefined settings.
You can disable this check if needed under System: Settings: Administration.
🧩 Root Cause
This happens due to OPNsense’s built-in CSRF (Cross-Site Request Forgery) protection.
The firewall validates the HTTP_REFERER header to ensure that login requests originate from a trusted hostname.
When accessed via a reverse proxy (e.g., https://opnsense.demo.com/), the backend might see a different hostname (like 10.0.0.1), causing the check to fail.
✅ Solution 1: Disable the Check (Quick Fix)
- Log in directly using the internal IP (e.g., https://10.0.0.1/)
- Go to System → Settings → Administration
- Check “Disable HTTP_REFERER check”
- Save and try again via proxy
⚠️ Not recommended for production — use only in isolated LAN environments.
✅ Solution 2 (Recommended): Adjust Hostname Settings
To keep security intact while allowing proxy access:
- Go to System → Settings → General
  - Hostname: opnsense
  - Domain: demo.com
- Go to System → Settings → Administration
  - Add opnsense.demo.com under “Alternate hostnames”
- Save changes and re-login
Now OPNsense recognizes opnsense.demo.com as a valid origin, and the referer validation will succeed.
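The following is an added example, not OPNsense's own code: a simplified Python model of the referer check described above, showing why the proxied hostname fails before Solution 2 and passes after it, while look-alike hosts still fail. The function names, the "firewall.localdomain" starting values and the sample Referer strings are constructed for illustration.

```python
from urllib.parse import urlsplit


def referer_host(referer):
    """Extract the lowercase host from a Referer value (no port, no userinfo)."""
    try:
        return urlsplit(referer or "").hostname
    except ValueError:  # malformed value, e.g. unbalanced IPv6 brackets
        return None


def referer_allowed(referer, hostname, domain, alt_hostnames=(), local_ips=()):
    """Simplified model: the Referer host must exactly equal a trusted name."""
    host = referer_host(referer)
    if host is None:
        return False  # model choice: nothing parseable to match
    trusted = {hostname, f"{hostname}.{domain}", *alt_hostnames, *local_ips}
    return host in {name.lower() for name in trusted}


# Constructed "before" settings: names that do not match the proxy domain.
BEFORE = dict(hostname="firewall", domain="localdomain", local_ips=("10.0.0.1",))
# Settings after Solution 2 from this page.
AFTER = dict(hostname="opnsense", domain="demo.com",
             alt_hostnames=("opnsense.demo.com",), local_ips=("10.0.0.1",))

# Constructed Referer values.
SAMPLES = [
    "https://opnsense.demo.com/",              # via the reverse proxy
    "https://OPNsense.Demo.com:443/ui/",       # same host, other case and port
    "https://10.0.0.1/",                       # direct access by internal IP
    "https://opnsense.demo.com.example.net/",  # look-alike suffix, must fail
    "https://opnsense.demo.com@example.net/",  # userinfo trick, host is example.net
]


def run_samples():
    """Map each sample Referer to (allowed_before, allowed_after)."""
    return {r: (referer_allowed(r, **BEFORE), referer_allowed(r, **AFTER))
            for r in SAMPLES}


if __name__ == "__main__":
    for ref, (before, after) in run_samples().items():
        print(f"{ref:45} before={before!s:5} after={after}")
```

The match is on the exact parsed host, not a substring, which is why adding the alternate hostname does not also admit the two look-alike values.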
🧱 Apache Reverse Proxy Example
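# Requires mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_wstunnel and mod_headers
<VirtualHost *:443>
    ServerName opnsense.demo.com

    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/opnsense.demo.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/opnsense.demo.com/privkey.pem

    # Pass the original Host header (opnsense.demo.com) through to OPNsense
    ProxyPreserveHost On

    # Backend TLS: these settings turn off verification of the backend certificate,
    # so the path between the proxy and 10.0.0.1 must be a trusted network
    SSLProxyEngine on
    SSLProxyVerify none
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off

    # ProxyPass rules are matched in order and the first match wins,
    # so the more specific /ws rule must come before /
    ProxyPass /ws wss://10.0.0.1/ws
    ProxyPassReverse /ws wss://10.0.0.1/ws
    ProxyPass / https://10.0.0.1/
    ProxyPassReverse / https://10.0.0.1/

    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-For %{REMOTE_ADDR}s
    RequestHeader set X-Forwarded-Host %{HTTP_HOST}s

    ErrorLog ${APACHE_LOG_DIR}/opnsense_error.log
    CustomLog ${APACHE_LOG_DIR}/opnsense_access.log combined
</VirtualHost>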
🔐 Security Recommendations
- Limit GUI access by IP range
- Enable 2FA / TOTP for admin users
- Use a valid SSL certificate (e.g., via ACME auto-renewal)
- Ensure WebSocket (/ws) forwarding works correctly
📘 Conclusion
This Referer validation issue is common when placing OPNsense behind a reverse proxy.
By properly configuring the hostname and alternate hostnames fields in OPNsense, you can safely and conveniently access your firewall via a custom domain — without disabling security checks.