Topics

Just a heads up to my fellow HAProxy users.
HAProxy has a vulnerability that is quite nasty, see the following github link for mitigation until a fixed version is available:

https://github.com/haproxy/haproxy/commit/3b69886f7dcc3cfb3d166309018e6cfec9ce2c95

[dahs]

Saw this error when I logged into OPNsense today:

Code Select Expand


[28-Jun-2021 22:47:18 Europe/Stockholm] PHP Warning:  unlink(/tmp/mongodb_dahsboard60da35511c350.json): No such file or directory in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 97
[28-Jun-2021 22:47:18 Europe/Stockholm] PHP Warning:  unlink(/tmp/mongodb_dahsboard60da35511c350_result.json): No such file or directory in /usr/local/opnsense/mvc/app/controllers/OPNsense/Sensei/Api/WidgetController.php on line 98

If you look at the filename it's looking for a file called dahsboard.

So for some weird reason Sensei does not accept 127.0.0.1 to be used for DNS lookups under Reporting & Data

[Daily]

So, I run the scheduled reports once a week and for the last ten weeks the connections count always been capped at 10k.

Code Select Expand

Connections 10,000

Another smaller issue is that even though I run weekly reports the subject is:

"Sensei Daily Report for .."

Imo it would make more sense to just rename the subject to "Sensei Report for " unless you run a check that the Day of Week setting is set to every day.

Happy holidays  :)

Never mind, this was related to a power outage. Delete it please.

Ok, I was just too eager. A couple of minutes after posting this the reports started showing up. I guess it did not have enough data to display straight after an elasticsearch setup.




So seeing the discussions regarding offloading elasticsearch I figured it would be the right way to go.

However, after configuring Sensei to use external Elasticsearch everything looked fine in the setup wizard, but once I wanted to check reports I just get An error occured while report is being loaded! I'm using passwordless elasticsearch version 7.9.2.

Clicking on view error message:

Code Select Expand

{
  "error": {
    "root_cause": [
      {
        "type": "index_not_found_exception",
        "reason": "no such index [conn_all]",
        "resource.type": "index_or_alias",
        "resource.id": "conn_all",
        "index_uuid": "_na_",
        "index": "conn_all"
      }
    ],
    "type": "index_not_found_exception",
    "reason": "no such index [conn_all]",
    "resource.type": "index_or_alias",
    "resource.id": "conn_all",
    "index_uuid": "_na_",
    "index": "conn_all"
  },
  "status": 404
}

So I'm testing out running Authelia behind HAProxy in OPNsense and since a new commit to the Lua scripts it's finally possible to run without luasockets.

I'm trying to deploy this in the OPNsense webui as much as possible, incl. loading the Lua scripts. The reasoning for that is that any changes to the scripts will get synced to the standby CARP host.

However, I'm having some troubles when a Lua script tries to load another Lua script like this:

Code Select Expand

local http = require("haproxy-lua-http")

If I add the haproxy-lua-http script directly in OPNsense HAProxy Lua Scripts it will get a random generated name and the first script fails the code above with a Lua runtime error.

The solution is to put the script as /usr/local/share/lua/5.3/haproxy-lua-http.lua but then it will not get synced to standby host.

Is there any obvious solution that I'm missing?