OPNsense Forum
English Forums => Web Proxy Filtering and Caching => Topic started by: Junktroep on January 20, 2023, 03:29:35 pm
-
I have a reverse nginx proxy running on an Ubuntu box.
Running non-standard SSL ports, an example of my config:
server {
    listen 9090 default_server ssl http2;
    server_name blabla;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block";
    ssl_certificate /etc/letsencrypt/live/blabla/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blabla/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/blabla/chain.pem;
    include snippets/ssl.conf;
    # 497: a plain HTTP request arrived on the HTTPS port; redirect it to HTTPS
    error_page 497 https://$host:9090$request_uri;
    access_log /var/log/nginx/blabla.access.log apm;
    error_log /var/log/nginx/blabla.error.log warn;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
}
I wanted to move this functionality to OPNsense, and it works nicely with the nginx plugin.
One thing I can't get to work is the HTTP to HTTPS redirect.
In the example above I get this going with: error_page 497 https://$host:9090$request_uri;
This redirects HTTP requests to HTTPS.
But I can't find this in the error pages overview in OPNsense, and I have no idea how, or even if, this can be done.
Any tip or help is appreciated. Thanks.
-
"HTTPS Only" checkbox in Server config or "Force HTTPS" checkbox in Location config do the same with the
    if ($scheme != "https") {
        return 302 https://$host$request_uri;
    }
-
This checkbox does nothing for my config, even after a reboot.
In the OPNsense reverse proxy server settings I have only specified an HTTPS port, just like in my example config.
It doesn't seem to like binding the same port to HTTPS and HTTP.
I still get: The plain HTTP request was sent to HTTPS port, error 400,
when connecting on http://mydomain.com:myport
-
Yep, you need to bind HTTP also for this.
The 497 error_page is not in the GUI yet,
so you need to use a server hook for this imho (https://forum.opnsense.org/index.php?topic=31234.0).
There it will be possible to add a directive missing in the GUI.
-
The hook pointed me in the right direction.
Creating the <uid>_post directory with a 497_error_page.conf in it, containing
    error_page 497 https://$host:9090$request_uri;
makes HTTP requests to the HTTPS port redirect successfully.
PS: adding the error_page 497 to the nginx.conf also makes it work.
But I guess this will not survive any modifications done in the GUI.
I hope this customization survives firmware upgrades.
Since this is a pretty nice way to redirect HTTP to HTTPS, I hope this will soon be added as default in the GUI.
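
Added example, not part of the thread and not OPNsense or nginx project code: a check that can be rerun after GUI changes or firmware upgrades to confirm the 497 hook is still in effect. It classifies the reply a TLS port gives to a plain-HTTP request, telling the default 400 apart from a redirect to https on the same host and port. The function names and the sample host mydomain.com with port 9090 are assumptions.

```python
import socket
from urllib.parse import urlsplit

def parse_response(raw: bytes):
    """Return (status_code, headers) parsed from a raw HTTP/1.x response."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers

def classify(raw: bytes, host: str, port: int) -> str:
    """Classify the reply the TLS port gave to a plain-HTTP request."""
    if not raw:
        return "no-response"
    try:
        status, headers = parse_response(raw)
    except (IndexError, ValueError):
        return "unparseable"
    if status == 400:
        return "error-400"  # 497 without an error_page reaches the client as 400
    if status not in (301, 302, 307, 308):
        return f"unexpected-{status}"
    try:
        loc = urlsplit(headers.get("location", ""))
        same = loc.hostname == host.lower() and (loc.port or 443) == port
    except ValueError:  # malformed port in Location
        return "redirect-wrong-target"
    return "redirect-ok" if loc.scheme == "https" and same else "redirect-wrong-target"

def probe(host: str, port: int, path: str = "/", timeout: float = 5.0) -> str:
    """Send one plain-HTTP request to the TLS port and classify the reply."""
    req = f"GET {path} HTTP/1.1\r\nHost: {host}:{port}\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(req.encode("ascii"))
        chunks = []
        while data := sock.recv(4096):
            chunks.append(data)
    return classify(b"".join(chunks), host, port)

# Constructed sample replies, not captured from a real server.
SAMPLE_400 = (b"HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n\r\n"
              b"<html>The plain HTTP request was sent to HTTPS port</html>")
SAMPLE_302 = (b"HTTP/1.1 302 Moved Temporarily\r\nServer: nginx\r\n"
              b"Location: https://mydomain.com:9090/login?x=1\r\n\r\n")

if __name__ == "__main__":
    print(classify(SAMPLE_400, "mydomain.com", 9090))  # constructed input
    print(classify(SAMPLE_302, "mydomain.com", 9090))  # constructed input
```

Against a live proxy, call probe() with the real hostname and port; any result other than "redirect-ok" means the hook file is no longer being included.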