OPNsense Forum

English Forums => Tutorials and FAQs => Topic started by: abuabdullah on July 08, 2023, 08:41:16 pm

Title: NGINX with NextCloud and HTTP2
Post by: abuabdullah on July 08, 2023, 08:41:16 pm
Hi,

Long-time reader and first-time poster. I have been using OPNsense for some time and I always used HAProxy to set up access. It's worked well, but me being me, I like to change things up and I am partial to Nginx.

I set up Nginx in the normal way (following the tutorial here: https://forum.opnsense.org/index.php?topic=19305.0) and got communication working. For some reason, if I use Firefox to access NextCloud it works fine. If I use iOS or OS X Safari or even curl, it gives me an HTTP/2 error:
Code:
curl: (92) HTTP/2 stream 1 was not closed cleanly: PROTOCOL_ERROR (err 1)
I read online somewhere about a similar scenario with AWS LB and Nginx. Basically the LB was downgrading the original HTTP/2 request so Nginx would send out an upgrade response. AWS would forward the upgrade response back to the client, which would just drop the connection because it's already using HTTP/2.

Just to sanity check the services of Apache and Nextcloud, I switched back from Nginx to HAProxy and it basically immediately started working again. I am not able to find any HTTP/2 settings in the Nginx GUI and I'm not sure what I can do. It may well be the functionality is missing from the GUI.

-------------------------------------------- Update from within the new post --------------------------

I was drafting the above post to ask for help but I saw this comment posted 7 years ago (https://trac.nginx.org/nginx/ticket/923):
Quote
There are no plans to implement HTTP/2 support in the proxy module in the foreseeable future, see detailed answer here. If you want to use nginx to balance multiple servers, consider using the stream module to do this.

So still going to post this in case someone is trying to figure this out. If you aren't able to hit your HTTP/2 services from Safari but can with Firefox, this might be why. Nginx allows you to use streams, which has some host header inspection options, but I've spent a whole day on this and I am ready to give up. I can't find the relevant options in the GUI and I don't want to start modifying configs now. Maybe someone else will have more luck?

I need to route multiple mixed services, so either I have to disable HTTP/2 (a quick Google search doesn't really come up with much; most people are trying to enable HTTP/2 on Nextcloud) or just go back to HAProxy. Kind of a shame; I wanted to use the basic WAF rules, which will have to be done on an individual service level now.
Title: Re: NGINX with NextCloud and HTTP2
Post by: sorano on July 09, 2023, 02:02:24 pm
Why not just combine HAProxy + NAXSI like this: https://www.haproxy.com/blog/high-performance-waf-platform-with-naxsi-and-haproxy ?

At least it gets the job done for me!
Title: Re: NGINX with NextCloud and HTTP2
Post by: abuabdullah on July 12, 2023, 10:25:55 am
Ooh, this looks good, I'll try it out, thanks. It does look a bit complicated; I'm guessing I need to make manual changes to the config on OPNsense? I'm trying to keep everything firewall side just because it will be easier to manage.
Title: Re: NGINX with NextCloud and HTTP2
Post by: sorano on July 12, 2023, 02:18:33 pm
You're welcome.

Yeah, unfortunately it is more complex, but in return it's also more flexible and a good compromise to utilize the Naxsi ruleset while still keeping the functionality of HAProxy.

Not really sure what you mean with "make manual changes to the config on opnsense" but I configured it all in the webui.