OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: anomaly0617 on December 23, 2019, 01:41:09 am

Title: [Solved] NGINX Reverse Proxy advice
Post by: anomaly0617 on December 23, 2019, 01:41:09 am
Hi there,

In the past, I have done this with pfS and the Squid Reverse Proxy tool. But it's been a few years.

I've got OPNsense 19.7-amd64 up and running at a location. I'd like to set up a number of web servers on the LAN side and have NGINX reverse proxy the traffic in to them based on the headers.

I'm not looking to load balance at this point, just setting it so that:

http://sitea.com proxies in to http://192.168.xxx.yyy:80
http://siteb.com:8091 proxies in to http://192.168.xxx.zzz:8091
http://sitec.com proxies in to http://192.168.xxx.aaa:80
https://sited.com proxies in to https://192.168.xxx.bbb:443
https://sitee.com proxies in to https://192.168.xxx.ccc:443

So, I'm starting with one server, siteb.com above. I followed this tutorial (https://docs.opnsense.org/manual/reverse_proxy.html), but I doubt I did it correctly. So here's what I've got....

Services: NGINX: Configuration: General
-- Enable nginx: Checked

Services: NGINX: Configuration: Upstream Server (1 Entry)
-- Description: Server1
-- Server: 192.168.xxx.zzz
-- Port: 8091
-- Server Priority: 1

Services: NGINX: Configuration: Upstream (1 Entry)
-- Description: com_siteb
-- Server Entries: Server1
-- Load Balancing Algo: Weighted Round Robin
-- Enable TLS: Checked
-- TLS: Servername override: [Blank]
-- TLS: Supported Versions: [Nothing Selected]
-- TLS: Session Reuse: [Not Checked]
-- TLS: Trusted Certificate: [Nothing Selected]

Services: NGINX: Configuration: HTTP(S): Location (1 Entry)
--Description: com_siteb
--URL Pattern: ^http://siteb.com
--Match Type: Case Insensitive Match ("~*")
--URL Rewriting: [Nothing Selected]
--Enable Security Rules: [Not Checked]
--Learning Mode: [Checked]
--Block XSS Score: [Blank]
--Block SQL Injection Score: [Blank]
--Custom Security Policy: [Nothing Selected]
--Upstream Servers: com_siteb
--Path Prefix: [Blank]
--Cache: Directory: [none]
--File System Room: [Blank]
--Index File: [Blank]
--Automatic Index: [Not Checked]
--Basic Authentication: [Blank]
--Basic Credentials List: [None]
--Enable Advanced ACLs: [Unchecked]
--IP ACL: [None]
--Force HTTPS: [Unchecked]
--Enable HTTP/2 Preloading: [Unchecked]
--Pass Request To Local PHP Interpreter / Threat Upstream As FastCGI: [Unchecked]
--(PHP) Router Script: [Blank]

Services: NGINX: Configuration: HTTP(S): URL Rewriting (1 Entry)
--Short description (to display): root
--Original URL Pattern (Regex): /
--New URL Pattern: $1
--Flag: Redirect

Services: NGINX: Logs: HTTP Access Logs: com_siteb
--Time: 22/Dec/2019:18:32:25 -0500
--IP: [Redacted, but it's mine]
--Username: -
--Status: 404
--Size: 5431
--Referer: http://siteb.com/
--User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.88 Safari/537.36
--Forwarded For: -
--Requested Line: GET /favicon.ico HTTP/1.1

Services: NGINX: Logs: HTTP Error Logs: com_siteb
--Date: 2019/12/22
--Time: 18:32:24
--Severity: error
--Number: 35259#100189
--Message: *1 "/usr/local/etc/nginx/html/index.html" is not found (2: No such file or directory), client: [Redacted], server: com_siteb, request: "GET / HTTP/1.1", host: "siteb.com"
Title: Re: NGINX Reverse Proxy advice
Post by: fabian on December 23, 2019, 06:32:27 am
The rewrite rule needs to go; in the location, match on / and leave the match type empty, since the vhosts with their server names are mapped via different HTTP servers.
Title: Re: NGINX Reverse Proxy advice
Post by: anomaly0617 on December 23, 2019, 04:50:08 pm
From Google Translate, since I'm terrible at German :) :

Quote
The rewrite rule belongs off and leave the location on / match and match type empty, since the VHosts are mapped with the server names via different HTTP servers.

Ok, with this advice I got one server proxy working. I'll attempt more later today. Here's what I did to make it work...

Services: NGINX: Configuration: General
-- Enable nginx: Checked

Services: NGINX: Configuration: Upstream Server (1 Entry)
-- Description: Server1
-- Server: 192.168.xxx.zzz
-- Port: 8091 (later moved to 80, after I got it working)
-- Server Priority: 1

Services: NGINX: Configuration: Upstream (1 Entry)
-- Description: com_siteb
-- Server Entries: Server1
-- Load Balancing Algo: Weighted Round Robin
-- Enable TLS: Unchecked
-- TLS: Servername override: [Blank]
-- TLS: Supported Versions: [Nothing Selected]
-- TLS: Session Reuse: [Checked] (I think by default)
-- TLS: Trusted Certificate: [Nothing Selected]

Services: NGINX: Configuration: HTTP(S): Location (1 Entry)
-- Description: com_siteb
-- URL Pattern: /
-- Match Type: None
-- URL Rewriting: [Nothing Selected]
-- Enable Security Rules: [Not Checked]
-- Learning Mode: [Not Checked]
-- Block XSS Score: [Blank]
-- Block SQL Injection Score: [Blank]
-- Custom Security Policy: [Nothing Selected]
-- Upstream Servers: com_siteb
-- Path Prefix: [Blank]
-- Cache: Directory: [none]
-- File System Room: [Blank]
-- Index File: [Blank]
-- Automatic Index: [Not Checked]
-- Basic Authentication: [Blank]
-- Basic Credentials List: [None]
-- Enable Advanced ACLs: [Unchecked]
-- IP ACL: [None]
-- Force HTTPS: [Unchecked]
-- Enable HTTP/2 Preloading: [Unchecked]
-- Pass Request To Local PHP Interpreter / Threat Upstream As FastCGI: [Unchecked]
-- (PHP) Router Script: [Blank]

Services: NGINX: Configuration: HTTP(S): HTTP Server (1 Entry)
-- HTTP Listen Port: 8091 (Later changed to 80)
-- HTTPS Listen Port: [Blank]
-- Server Name: 192.168.xxx.zzz
-- Locations: com_siteb
-- URL Rewriting: Nothing Selected
[Everything else left to defaults]


This section was completely deleted
Services: NGINX: Configuration: HTTP(S): URL Rewriting (1 Entry)
-- Short description (to display): root
-- Original URL Pattern (Regex): /
-- New URL Pattern: $1
-- Flag: Redirect


After a restart of NGINX, it routes! Thanks, Fabian!
Title: Re: [Solved] NGINX Reverse Proxy advice
Post by: fabian on December 23, 2019, 05:07:40 pm
For the other websites it will likely be the same configuration, so you can clone the existing resources and rename them / change hosts and ports.
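
The layout described in the replies above (one HTTP server per hostname, each with a plain `/` location pointing at its own upstream), written out by hand as plain nginx configuration. This is an added illustration, not the file the OPNsense plugin generates and not part of the original posts. The 192.0.2.x addresses are constructed placeholders, and the catch-all server and forwarded headers are assumptions about what such a proxy usually needs.

```nginx
# Constructed example; belongs inside the http { } context.
# 192.0.2.0/24 is the documentation address range, used here as a placeholder.

upstream com_sitea { server 192.0.2.10:80; }
upstream com_siteb { server 192.0.2.20:8091; }

# Catch-all: a request whose Host header matches no configured site
# (or that arrives by bare IP) is dropped instead of falling through
# to whichever server block happens to be defined first.
server {
    listen 80   default_server;
    listen 8091 default_server;
    server_name _;
    return 444;   # nginx-specific: close the connection without a response
}

# The virtual host is selected by server_name (the Host header),
# never by the location pattern.
server {
    listen 80;
    server_name sitea.com;

    # location is matched against the URI path only ("/", "/favicon.ico"),
    # so a pattern such as ^http://siteb.com can never match here.
    location / {
        proxy_pass http://com_sitea;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 8091;
    server_name siteb.com;

    location / {
        # http:// means plain HTTP to the backend, as in the working
        # configuration where the upstream's TLS option is unchecked.
        proxy_pass http://com_siteb;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```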