OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: Theoneyouknow on May 02, 2025, 05:29:05 PM

Title: [SOLVED] Nextcloud + OPNsense NGINX Plugin – WebDAV Methods Blocked (405)
Post by: Theoneyouknow on May 02, 2025, 05:29:05 PM
Hello everyone,

I am quite new to OPNsense, but I think I have slowly understood most of it...except for one topic that has been on my mind for 2 days: Nextcloud with the nginx plugin and naxsi.

Edited from here on for better readability, and added error/solution parts

I set up a VIP and use it as the listener IP for nginx HTTP servers - in this case for domains I want to serve via a webserver in my DMZ.
This worked fine at first glance, but while testing my Nextcloud I had a few problems coming up:

My problems in particular were:
1. bot protection locking out mobile devices because of the "okhttp" client, which gets blocked
2. Nextcloud is reachable - but all DAV-specific requests like PROPFIND/SEARCH and so on are getting blocked (don't know by what exactly, because logfiles sadly did not tell me anything), so Nextcloud was not working properly (method not allowed errors)
  - seems nginx only accepts "basic" HTTP methods but not WebDAV-specific ones
3. WAF rules (in config file = BasicRule*) are always included in each location, even if I did not enable them in the location settings
    - Enabling WAF and setting learning mode still blocked all DAV-specific things

Here are my solutions to get my Nextcloud working, but with less security than before because of the settings I changed.
So nothing one should blindly follow!
1. Bot detection
  - go to services | nginx | configuration | global http settings
  - delete "okhttp" from "bot user agents"
  - this got my mobile DAV clients working to the point where the DAV-specific things now got blocked (aka "method not allowed" errors)
2. DAV/WAF/nginx stuff (here as one point, because it only worked in combination and I still have no clue what exactly happened here)
  - contains changes in nginx files via shell!
  - always make a file backup before ;)
  - modify nginx template -> locations.conf
  - /usr/local/opnsense/service/templates/OPNsense/Nginx/locations.conf
    - I copied the whole thing and wrapped an if around it so these changes only affect my Nextcloud location later (jinja2 templating)
    - change "BasicRule" to comment (this disables the forced WAF rules for this location)
    - tell nginx to allow all methods I need

          limit_except GET POST {  # plus anything you need in addition
              allow all;
          }

    - now we have to tell OPNsense to reload the template, so this is used if we change something via GUI, otherwise the old template will still be used
    - configctl template reload OPNsense/Nginx
    - service nginx restart

This did the trick for me and only affects my nextcloud location.
The changed locations.conf is managed via ansible in my case so that I'm able to quickly fix my stuff if an update breaks this.

Maybe this will help someone with similar problems :D


Cheers
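
A check one could run after a template change or an update, as an added example that is not part of the original post: it parses rendered nginx configuration text and reports, per location, how many BasicRule lines are still active and which methods limit_except names, so a location that lost its WAF rules unintentionally stands out. The sample configuration, the location names and the function names are constructed for illustration; the file OPNsense actually renders will look different.

```python
import re

# Constructed sample of rendered nginx config (illustrative, not real OPNsense output).
SAMPLE_CONF = """
server {
    location /nextcloud {
        #BasicRule wl:1000 "mz:$URL_X:^/remote.php";
        limit_except GET POST {
            allow all;
        }
    }
    location /wiki {
        SecRulesEnabled;
        BasicRule wl:1310 "mz:BODY";
    }
    location /status {
        proxy_pass http://192.0.2.12;
    }
}
"""

def audit_locations(conf_text):
    """Return {location: {"basic_rules": n, "limit_except": [methods] or None}}."""
    report, stack, depth = {}, [], 0
    for raw in conf_text.splitlines():
        # Drop comments so "#BasicRule" counts as inactive (a '#' inside a
        # quoted string would be cut too; acceptable for this simple audit).
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{", line)
        if m:
            stack.append((m.group(1), depth))
            report[m.group(1)] = {"basic_rules": 0, "limit_except": None}
        if stack:
            entry = report[stack[-1][0]]
            if line.startswith("BasicRule"):
                entry["basic_rules"] += 1
            m = re.match(r"limit_except\s+([A-Z\s]+)\{", line)
            if m:
                entry["limit_except"] = m.group(1).split()
        depth += line.count("{") - line.count("}")
        if stack and depth <= stack[-1][1]:
            stack.pop()  # closing brace of the current location block
    return report

def unexpected_overrides(report, expected_exempt):
    """Locations without active BasicRule lines that were not meant to be exempt."""
    return sorted(loc for loc, e in report.items()
                  if e["basic_rules"] == 0 and loc not in expected_exempt)

if __name__ == "__main__":
    print(unexpected_overrides(audit_locations(SAMPLE_CONF), {"/nextcloud"}))
```
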