OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: Tubs on September 27, 2020, 03:27:15 AM

Title: nginx default_server
Post by: Tubs on September 27, 2020, 03:27:15 AM
Hello,

is there a possibility to specify the "default_server" in the nginx module?

I use more than one http(s) server in direction WAN as well as multiple servers as upload servers. Routing is done by domain name and by parameter "servername". All works fine. But if someone accesses my server by IP address I would like to point to a specific upload server. In nginx config I would realise this by the parameter "default_server". Currently any upload server is called, but always the same.

Is it possible to specify the default server?
What is the current logic by which the upload server is selected in case of access by IP?
Title: Re: nginx default_server
Post by: fabian on September 27, 2020, 11:11:35 PM
As far as I know, it chooses the first server that is in your generated config. That order likely matches your config.xml file. There is no control in the UI.
Title: Re: nginx default_server
Post by: Fright on September 28, 2020, 12:16:50 PM
Quote: But if someone accesses my server by IP address
you can also add server with your ip in server_name
Title: Re: nginx default_server
Post by: Tubs on October 04, 2020, 07:55:09 AM
Quote from: fabian on September 27, 2020, 11:11:35 PM
As far as I know, it chooses the first server that is in your generated config. That order likely matches your config.xml file. There is no control in the UI.

This could be. At least the server shown by access via IP is the first one that is listed on the configuration page of nginx plugin.

An easy way in the nginx plugin to change the order without deleting and re-creating everything would be great and would solve the issue.
Title: Re: nginx default_server
Post by: Tubs on October 04, 2020, 07:56:50 AM
Quote from: Fright on September 28, 2020, 12:16:50 PM
Quote: But if someone accesses my server by IP address
you can also add server with your ip in server_name

Thank you. I did not know this.
But unfortunately in my case difficult due to dynamic IP on my home set-up.
Title: Re: nginx default_server
Post by: fabian on October 04, 2020, 11:28:12 AM
You can use dynamic dns providers if you like to make it easier to call it anyway.
Title: Re: nginx default_server
Post by: Fright on October 04, 2020, 04:43:31 PM
Quote: difficult due to dynamic IP on my home set-up
strange that someone is knocking on the dynamic IP )
also you can try to use regexp in server_name directive to catch requests with ip in HOST.
but i think that GUI will not allow you to insert regex for "any ip" (like "^(?:[0-9]{1,3}\.){3}[0-9]{1,3}$")
you can try to use regex for "any" (like "^(.+)$"). in both cases there will be problems with the names of the log-files (need to do something with log-files names in http.conf template)
or
you can look at using $http_host variable with rewrite directive (just guessing. haven't tried any of this)
Title: Re: nginx default_server
Post by: Tubs on October 05, 2020, 01:51:16 PM
Quote from: fabian on October 04, 2020, 11:28:12 AM
You can use dynamic dns providers if you like to make it easier to call it anyway.

Maybe I was misleading you.

All is fine when using host name even with dynamic address. I am not intending to call my server by IP.

But if someone does call my server by IP, the response should be a specific server and not the one that currently is shown.

Title: Re: nginx default_server
Post by: Ichotolot85 on December 30, 2020, 06:01:12 PM
Hello all, this text is translated with DeepL, I am not very good at writing English.

Are you any further along with this problem?
I have the exact same problem as Tubs. All unspecified requests are directed to a "default_server", for me nas.domain.
Example:
fhem.domain -> server available -> correct forwarding.
nas.domain -> server available -> correct forwarding
vpn.domain -> service available (1194) -> forwarding at 443 goes to nas.domain
public IP -> forwarded to nas.domain (but it has no NGINX entry)
opnsense.domain -> forwarded to nas.domain

I have tried many things but cannot stop this forwarding. What I noticed is that it has an * entry in the data traffic statistics under server zones.

Is this possibly a bug?
Title: Re: nginx default_server
Post by: Fright on December 30, 2020, 08:31:00 PM
no. not a bug. it's how nginx works
just add new "server" with IP in name field
https://forum.opnsense.org/index.php?topic=20329.0
Title: Re: nginx default_server
Post by: Ichotolot85 on December 31, 2020, 04:05:05 PM
Thanks for the information and the link, hope it helps me.
Title: Re: nginx default_server
Post by: bimbar on January 03, 2022, 06:32:37 PM
The default_server option has been implemented in 21.7.7.
Title: Re: nginx default_server
Post by: 8191 on January 04, 2022, 09:05:15 PM
Quote from: bimbar on January 03, 2022, 06:32:37 PM
The default_server option has been implemented in 21.7.7.
Unfortunately only for http - for https it's still missing. See https://github.com/opnsense/plugins/issues/2741
Title: Re: nginx default_server
Post by: Fright on January 05, 2022, 04:11:12 PM
@8191
Hi! I see that the PR has already been merged. Is it just me, or has the "proxy_protocol" now been forgotten?  ;)
Title: Re: nginx default_server
Post by: bimbar on January 05, 2022, 04:42:30 PM
Does that even make sense for https? I intentionally only implemented it for http.
Title: Re: nginx default_server
Post by: Fright on January 05, 2022, 06:08:20 PM
sorry, why not?
of course it should be possible to enable proxy_protocol separately for http/https and this is not a part of a "default_server" quick fix
Title: Re: nginx default_server
Post by: 8191 on January 05, 2022, 07:46:23 PM
Quote from: bimbar on January 05, 2022, 04:42:30 PM
Does that even make sense for https? I intentionally only implemented it for http.
You mean because it will most likely be a certificate mismatch to the hostname in all cases? One could use wildcard certificates to overcome this.
Title: Re: nginx default_server
Post by: fabian on January 05, 2022, 11:16:23 PM
Quote from: 8191 on January 05, 2022, 07:46:23 PM
You mean because it will most likely be a certificate mismatch to the hostname in all cases? One could use wildcard certificates to overcome this.
Actually, you can use other matches than hostnames in SAN. For example IP addresses, however I think this is quite uncommon and not in use by public CAs.
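
The catch-all behaviour discussed in this thread, for both http and https, written out as a hand-made nginx configuration. This is an added example, not part of any post and not output of the OPNsense plugin; the hostname, backend address and certificate paths are placeholders.

```nginx
# Added example: hand-written nginx config, not generated by the OPNsense plugin.
# nas.example.org, 192.0.2.10 and the certificate paths are placeholders.

# Without a default_server flag, nginx sends requests that match no
# server_name (bare IP, unknown Host header) to the first server block
# defined for that listen address:port. Declaring the default explicitly
# removes the dependency on configuration order.

# HTTP catch-all: nothing is proxied for unmatched Host headers.
server {
    listen 80 default_server;
    server_name _;              # placeholder name; selection happens via default_server
    return 444;                 # nginx-specific: close the connection, send no response
}

# HTTPS catch-all: abort the TLS handshake when the SNI name matches no
# server block, so no certificate has to be presented for IP-only access
# and no hostname mismatch warning is produced.
# ssl_reject_handshake requires nginx 1.19.4 or newer.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# A named virtual host, reachable only with the matching Host header / SNI.
server {
    listen 80;
    listen 443 ssl;
    server_name nas.example.org;

    ssl_certificate     /usr/local/etc/nginx/certs/nas.example.org.crt;   # placeholder path
    ssl_certificate_key /usr/local/etc/nginx/certs/nas.example.org.key;   # placeholder path

    location / {
        proxy_pass http://192.0.2.10:8080;   # placeholder backend
        proxy_set_header Host $host;
    }
}
```

To answer unmatched requests with one particular site instead of dropping them, put the `default_server` flag on that site's `listen` lines and leave out the two catch-all blocks; only one server per address:port pair may carry the flag.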