OPNsense Forum

Archive => 20.7 Legacy Series => Topic started by: Zofoor on January 08, 2021, 02:35:53 pm

Title: [FIXED] Web-gui not accessible after last upgrade
Post by: Zofoor on January 08, 2021, 02:35:53 pm
Hi all!
Today I updated the system as usual from the web-gui.
The firewall was updated not so long ago, so I think it was just a minor upgrade.

After some time I found that I was not able to access the web-gui. So, I rebooted it using ssh.

This didn't fix the issue. The system is running 20.7.7_1.

I tried /usr/local/etc/rc.restart_webgui and checked that lighttpd is running:
Code:
root@OPNsense:~ # ps aux | grep light
root    88505   0.0  0.2   18224  7472  -  S    14:19     0:00.10 /usr/local/sbin/lighttpd -f /var/etc/lighty-webConfigurator.conf
Looking at lighttpd logs (nothing important as those logs are very old):
Code:
Sep 24 16:10:38 OPNsense lighttpd[97861]: (gw_backend.c.315) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-1  0 /tmp/php-fastcgi.socket
Sep 24 16:10:39 OPNsense lighttpd[97861]: (gw_backend.c.236) establishing connection failed: Connection refused socket: unix:/tmp/php-fastcgi.socket-1
Sep 24 16:10:41 OPNsense lighttpd[97861]: (gw_backend.c.315) gw-server re-enabled: unix:/tmp/php-fastcgi.socket-1

And php-fpm:
Code:
root@OPNsense:~ # tail /var/log/php-fpm.log
[10-Dec-2020 17:45:46] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

[10-Dec-2020 17:45:47] NOTICE: fpm is running, pid 26438
[10-Dec-2020 17:45:47] NOTICE: ready to handle connections
[08-Jan-2021 13:46:13] NOTICE: Finishing ...
[08-Jan-2021 13:46:13] NOTICE: exiting, bye-bye!
[08-Jan-2021 14:00:33] NOTICE: configuration file /usr/local/etc/php-fpm.conf test is successful

[08-Jan-2021 14:00:33] NOTICE: fpm is running, pid 23207
[08-Jan-2021 14:00:33] NOTICE: ready to handle connections

Checking file permissions:
Code:
root@OPNsense:~ # ls -la /tmp/php-fastcgi.socket-*
srwxr-xr-x  1 root  wheel  0 Jan  8 14:19 /tmp/php-fastcgi.socket-0
srwxr-xr-x  1 root  wheel  0 Jan  8 14:19 /tmp/php-fastcgi.socket-1


Any idea?


Edit: this is the firewall log obtained from the shell (while accessing the web-gui from a client). It does not seem that there is any rule blocking it:
Code:
00:00:00.282300 rule 72/0(match): pass in on igb0: (tos 0x0, ttl 128, id 25963, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.91.130.10041 > 192.168.91.1.443: Flags [S], cksum 0x536c (correct), seq 2836207325, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.000071 rule 72/0(match): pass in on igb0: (tos 0x0, ttl 128, id 25964, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.91.130.10042 > 192.168.91.1.443: Flags [S], cksum 0x70be (correct), seq 2228559298, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.404254 rule 72/0(match): pass in on igb0: (tos 0x0, ttl 128, id 25974, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.91.130.10043 > 192.168.91.1.443: Flags [S], cksum 0xd4c3 (correct), seq 614537712, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.005782 rule 72/0(match): pass in on igb0: (tos 0x0, ttl 128, id 25980, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.91.130.10044 > 192.168.91.1.443: Flags [S], cksum 0x67d1 (correct), seq 2702838376, win 64240, options [mss 1460,nop,wscale 8,nop,nop,sackOK], length 0
 00:00:00.585299 rule 73/0(match): pass out on igb2: (tos 0x0, ttl 127, id 16841, offset 0, flags [DF], proto TCP (6), length 52)

Log while accessing the web-gui from the router itself:
Code:
192.168.91.1.51915 > 192.168.91.1.443: Flags [S], cksum 0x3782 (incorrect -> 0xcef2), seq 1690452735, win 65228, options [mss 16344,nop,wscale 7,sackOK,TS val 2548563096 ecr 0], length 0
 00:00:00.000141 rule 68/0(match): pass in on lo0: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60, bad cksum ff28 (->292)!)

EDIT 2:
I have changed the port assigned to the web-gui in /conf/config.xml, thinking that perhaps a firewall rule could block it, but that didn't help in any way.
Code:
<webgui>
  <protocol>https</protocol>
  <ssl-certref>5cf0d67021325</ssl-certref>
  <port>4433</port>
  <ssl-ciphers/>
  <interfaces>lan,opt3,opt4,opt5,opt6,opt1</interfaces>
  <compression/>
  <nodnsrebindcheck>1</nodnsrebindcheck>
</webgui>

But after this change, accessing from the shell of the firewall the output changed from "connection timeout" to
Code:
root@OPNsense:~ # wget https://192.168.91.1:4433
--2021-01-08 15:48:26--  https://192.168.91.1:4433/
Connecting to 192.168.91.1:4433... connected.
OpenSSL: error:14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
Unable to establish SSL connection.

So, I tried to disable https and the output changed again:
Code:
root@OPNsense:~ # wget http://192.168.91.1:4433
--2021-01-08 15:52:27--  http://192.168.91.1:4433/
Connecting to 192.168.91.1:4433... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2952 (2.9K) [text/html]
Saving to: 'index.html'

index.html                                                                      100%[====================================================================================================================================================================================================>]   2.88K  --.-KB/s    in 0s

2021-01-08 15:52:27 (125 MB/s) - 'index.html' saved [2952/2952]

The web-gui is still not accessible from clients, but this anyway seems to be an improvement towards fixing this issue.

EDIT 3:
I tried unplugging the two WAN cables, and in this way the web interface was accessible again. So it seems like there were some fw rules that were not applied. Applying the update of the firewall also reloaded the rules, and so I got cut off from the web-gui.
I still need to investigate it better, but at least now I can access the web-gui and better investigate the issue.
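
Added example (not part of the original post and not OPNsense code): a small parser for pflog output in the format quoted above, tallying which rule and action matched traffic to the web-gui address and port. The sample lines are constructed, and the `block` entry with rule 9 is invented for illustration.

```python
import re
from collections import Counter

# Constructed sample in the format of the pflog output quoted in the post;
# the final "block" entry (rule 9) is invented to show a dropped SYN.
SAMPLE = """\
00:00:00.282300 rule 72/0(match): pass in on igb0: (tos 0x0, ttl 128, id 25963, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.91.130.10041 > 192.168.91.1.443: Flags [S], cksum 0x536c (correct), seq 2836207325, win 64240, length 0
 00:00:00.585299 rule 73/0(match): pass out on igb2: (tos 0x0, ttl 127, id 16841, offset 0, flags [DF], proto TCP (6), length 52)
 00:00:00.000141 rule 9/0(match): block in on igb0: (tos 0x0, ttl 128, id 25990, offset 0, flags [DF], proto TCP (6), length 52)
    192.168.91.130.10050 > 192.168.91.1.443: Flags [S], cksum 0x1111 (correct), seq 1, win 64240, length 0
"""

HEADER = re.compile(r"rule (\d+)/\d+\(match\): (pass|block) (in|out) on (\w+):")
PACKET = re.compile(
    r"^\s*(\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): Flags \[([^\]]*)\]"
)

def parse(text):
    """Pair each rule header line with the packet line that follows it."""
    entries, pending = [], None
    for line in text.splitlines():
        h = HEADER.search(line)
        if h:
            # A header with no packet line after it (truncated capture)
            # is simply replaced by the next header.
            pending = {"rule": int(h[1]), "action": h[2],
                       "dir": h[3], "iface": h[4]}
            continue
        p = PACKET.match(line)
        if p and pending:  # packet lines without a header are skipped
            entries.append({**pending, "src": p[1], "dst": p[3],
                            "dport": int(p[4]), "flags": p[5]})
        pending = None
    return entries

def summarize(entries, dst, dport):
    """Count (action, rule, interface) for packets sent to dst:dport."""
    return Counter((e["action"], e["rule"], e["iface"])
                   for e in entries
                   if e["dst"] == dst and e["dport"] == dport)

if __name__ == "__main__":
    for key, count in summarize(parse(SAMPLE), "192.168.91.1", 443).items():
        print(key, count)
```

pflog only records packets that matched a rule with logging enabled, so the absence of `block` entries in this tally does not by itself show that nothing is being dropped.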
Title: Re: [FIXED] Web-gui not accessible after last upgrade
Post by: Stitch10925 on February 16, 2021, 11:26:02 pm
Any update on this by any chance?
Title: Re: [FIXED] Web-gui not accessible after last upgrade
Post by: Zofoor on February 17, 2021, 10:44:18 am
Quote from: Stitch10925 on February 16, 2021, 11:26:02 pm
Any update on this by any chance?

Honestly, for now I am running the interface as http on another port because I haven't had the time to investigate this further. I have also upgraded the system to release 21.1.
Title: Re: [FIXED] Web-gui not accessible after last upgrade
Post by: Stitch10925 on February 17, 2021, 10:00:27 pm
And in 21.1 you still have the same issue?

I updated to 21.1 recently and since then the UI is not working anymore. So I should pull the WAN cable and then I should have access to the UI again?

That is kind of odd. WAN should be blocked, but not LAN.
Title: Re: [FIXED] Web-gui not accessible after last upgrade
Post by: madcatZsSg on April 23, 2022, 11:50:20 am
In my experience, I have tried to SSH into my router (I guess too many times) which resulted in my web UI not loading for me any longer. So I set a static IP that wasn't currently assigned to anything and I was able to load back into the web UI. Before I switched IPs I was able to log in to the UI on my Proxmox VMs, which meant the UI was still reachable (if you can still ping the IP in CMD or Mac/Linux Terminal you should be good to follow the same instruction).