OPNsense Forum
English Forums => Web Proxy Filtering and Caching => Topic started by: Craash on February 23, 2021, 04:57:26 am
-
I've moved from pfSense to OPNsense and so far have had pretty good luck. On pfSense I had used haproxy to do the below and it worked well. I've tried to use NGINX now and I'm having issues with 404s.
UPDATE - It just hit me I don't have a "in URL" or "In Path" like I did in haproxy. Is that the issue?
NGINX config in OPNsense
Site 1 - Nextcloud on dedicated server - works
Site 2 - Blue Iris on dedicated server - works
Site 3 - static HTML behind NGINX on "vm-Web" - works
Sites 4-6 - WordPress sites behind NGINX on "vm-Web" - these result in immediate 404s.
If I change one of the WordPress sites to the static HTML site in OPNsense it then works.
Wordpress Server Block in next post.
-
WordPress sites 1-4, all 404s.
server {
    listen 80;
    ## Your website name goes here.
    server_name www.fauxsite.com;
    ## Your only path reference.
    root /var/www/fauxsite.com;
    ## This should be in your http block and if it is, it's not needed here.
    index index.php;
    location = /favicon.ico {
        log_not_found off;
        access_log off;
    }
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location / {
        # This is cool because no php is touched for static content.
        # include the "?$args" part so non-default permalinks doesn't break when using query string
        #try_files $uri $uri/ /index.php?$args;
        try_files $uri $uri/ /index.php?q=$uri&$args;
    }
    location ~ \.php$ {
        #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
        include fastcgi_params;
        fastcgi_intercept_errors on;
        fastcgi_pass php;
        #The following parameter can be also included in fastcgi_params file
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
    location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
        expires max;
        log_not_found off;
    }
}
-
Static HTML Site which works:
server {
    listen 80;
    root /var/www/fauxsite2.com;
    index index.php index.html index.htm index.nginx-debian.html;
    server_name fauxsite2.com www.fauxsite2.com;
    access_log /var/log/nginx/access.fauxsite2.log;
    error_log /var/log/nginx/error.fauxsite2.log;
    location / {
        try_files $uri $uri/ =404;
    }
    location ~ \.php$ {
        include snippets/fastcgi-php.conf;
        fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }
    location ~ /\.ht {
        deny all;
    }
    location = /favicon.ico { log_not_found off; access_log off; }
    location = /robots.txt { log_not_found off; access_log off; allow all; }
    location ~* \.(css|gif|ico|jpeg|jpg|js|png)$ {
        expires max;
        log_not_found off;
    }
}
-
hi
fastcgi_pass php;
but there is no 'php' upstream
-
I'm sorry, could I ask you to expand on this? Am I missing that, or is it a capability that doesn't exist?
hi
fastcgi_pass php;
but there is no 'php' upstream
-
sorry
you have
fastcgi_pass php;
directive in the "404" servers' php location blocks, like on the nginx help page:
https://www.nginx.com/resources/wiki/start/topics/recipes/wordpress/
but they use an upstream for this:
upstream php {
    server unix:/tmp/php-cgi.socket;
    server 127.0.0.1:9000;
}
for the fastcgi_pass directive you can use an upstream name, a FastCGI server address or a UNIX-domain socket path (like you do on the other server).
AFAIK when configured via the GUI, OPN nginx sets fastcgi_pass to 'unix:/var/run/php-www.socket;'
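To make the point concrete, here is an added example (not the poster's config, and not OPNsense's generated config) of the WordPress server block on the backend web server with the "php" upstream actually defined. It assumes the PHP-FPM socket path is the one the working static-site block on that same server already uses (/var/run/php/php7.2-fpm.sock); the site names are the thread's placeholders. It also adds a `try_files $uri =404;` guard in the PHP location, which is standard nginx + PHP-FPM hardening alongside the cgi.fix_pathinfo=0 note in the original block.

```nginx
# Added example: backend WordPress vhost with a real "php" upstream.
# Socket path is assumed from the working static-site block on this host.
upstream php {
    server unix:/var/run/php/php7.2-fpm.sock;
}

server {
    listen 80;
    server_name www.fauxsite.com fauxsite.com;
    root /var/www/fauxsite.com;
    index index.php;

    location / {
        # Static files first, then hand pretty permalinks to WordPress.
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        # Only pass PHP files that really exist on disk to PHP-FPM; with
        # cgi.fix_pathinfo=0 this closes the "/uploads/x.jpg/y.php" PATH_INFO trick.
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_intercept_errors on;
        fastcgi_pass php;   # the upstream name defined above
        # Equivalent direct form, no upstream block needed:
        # fastcgi_pass unix:/var/run/php/php7.2-fpm.sock;
    }

    location ~ /\.ht {
        deny all;
    }
}
```

After editing, `nginx -t` on the backend reports an unknown upstream name immediately, which is the quickest way to catch a `fastcgi_pass` that points at an upstream that was never declared.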
-
I think I'm following. So it is all in my server block, and not in OPNsense then?
I know in HAProxy I could run all the sites on port 80/443. It seems here I need to put them on different ports?
I REALLY appreciate the help.
sorry
you have
fastcgi_pass php;
directive in the "404" servers' php location blocks, like on the nginx help page:
https://www.nginx.com/resources/wiki/start/topics/recipes/wordpress/
but they use an upstream for this:
upstream php {
    server unix:/tmp/php-cgi.socket;
    server 127.0.0.1:9000;
}
for the fastcgi_pass directive you can use an upstream name, a FastCGI server address or a UNIX-domain socket path (like you do on the other server).
AFAIK when configured via the GUI, OPN nginx sets fastcgi_pass to 'unix:/var/run/php-www.socket;'
-
in HAProxy I could run all the sites on port 80/443. It seems here I need to put them on different ports?
no no. you still can use one port for multiple sites.
I am just pointing out the error in the fastcgi_pass directive - you directed it to a non-existent upstream and this
and of course it's worth looking into the logs when something goes wrong:
Services: Nginx: Logs - HTTP Error logs
-
I'm sorry for being so dense . . . I had hoped NGINX would make things less complicated than HAProxy, but I can't seem to get my head around it. I added the upstream PHP server part in the block. I didn't remove anything. I haven't done anything in the OPNsense GUI. What am I missing now?
Did I mention I really, really appreciate your support?
Logs: *1 kevent() reported that connect() failed (61: Connection refused) while connecting to upstream, client: 172.20.0.1, server: fauxsite.com, request: "GET / HTTP/2.0", upstream: "http://172.20.0.105:80/", host: "www.fauxsite.com"
in HAProxy I could run all the sites on port 80/443. It seems here I need to put them on different ports?
no no. you still can use one port for multiple sites.
I am just pointing out the error in the fastcgi_pass directive - you directed it to a non-existent upstream and this
and of course it's worth looking into the logs when something goes wrong:
Services: Nginx: Logs - HTTP Error logs
-
hm. now I'm confused
I don't understand where "upstream: "http://172.20.0.105:80/"" comes from. I don't see it in your config
I expected to see "no such file" or FastCGI errors
can you attach full nginx.conf file?
-
That is the internal IP address of the web server.
nginx.conf:
user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    client_max_body_size 20M;
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascrip>

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen localhost:110;
#        protocol pop3;
#        proxy on;
#    }
#
#    server {
#        listen localhost:143;
#        protocol imap;
#        proxy on;
#    }
#}
-
sorry
the file does not look like an OPN nginx.conf file at all :o
and it is actually empty (just an http section)
maybe I didn't understand the question at all?
-
Ah, I pulled it from the webserver.
Where should I pull from?
-
I have the feeling that we are confusing each other )
can we start from the beginning?
what scheme? what should the OPNsense nginx do, where are the WordPress files located?
(do you want to place WordPress php scripts on the OPN box? or just proxy requests to some internal site with WordPress scripts?)
Where should I pull from?
from that nginx where the "Connection refused) while connecting to upstream" errors appear )
-
I'm a pro at confusion. :)
The error shows in the log of OPNsense. I should have mentioned that when I first used the server blocks, which worked on pfSense, I was getting a too many redirects error.
My hope is to use NGINX on OPNsense to forward to a NGINX instance on a different machine. OPNsense NGINX has Let's Encrypt SSL certificates and the separate servers are listening on port 80. This different machine houses 1 static HTML site and 4 WordPress sites.
I'm hairpinning the traffic at this point, as opposed to split DNS, because it is much easier from a zone management aspect with Unbound and I don't have to maintain SSL certs on the inside of my network - OPNsense does it all. My pfSense box used HAProxy and split DNS and it all worked. I have 3 servers with one site - these are forwarded correctly, with SSL, from OPNsense. It is just the WordPress sites.
LAN 172.20.0.0/24
OPNsense 172.20.0.254
Web Server 172.20.0.105.
Test client machine 172.20.0.1
-
so it seems clearer :)
so it's like
Public Net -> OPN with nginx -> Nginx (with WordPress)?
in this case you don't need all this fastcgi stuff on the OPN nginx: just servers, locations and an upstream to proxy requests
(and naxsi to protect WordPress).
in this case the error
Logs: *1 kevent() reported that connect() failed (61: Connection refused) while connecting to upstream, client: 172.20.0.1, server: fauxsite.com, request: "GET / HTTP/2.0", upstream: "http://172.20.0.105:80/", host: "www.fauxsite.com"
means exactly what is written imho. the internal nginx refuses the connection from OPN. and if the config in https://forum.opnsense.org/index.php?topic=21687.msg102244#msg102244 is the actual 172.20.0.105 nginx config, then it should not respond to requests. there are no servers in the config.
When I first used the server blocks, which worked on pfSense, I was getting a too many redirects error.
it might be due to http-https redirects. hard to tell without configs and errors
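As an added illustration of the "just servers, locations and an upstream" setup described in this reply, below is a hand-written nginx equivalent of the Upstream, HTTP Server and Location objects the OPNsense Nginx GUI creates for a plain reverse proxy. This is not the plugin's generated configuration and not the poster's config; the backend address is the web server from the thread, the upstream name `wordpress_backend` is chosen here, and the certificate paths are placeholders. The `X-Forwarded-Proto` header is included because it is the usual ingredient in the redirect loop mentioned above: TLS terminates on OPNsense, the backend only ever sees plain HTTP, and a WordPress site whose URL is configured as https:// will keep redirecting to https unless it is told (via this header, honored in wp-config.php) that the client connection was already HTTPS.

```nginx
# Added example: OPNsense-side reverse proxy for one WordPress site.
# Backend is the thread's internal web server; cert paths are placeholders.
upstream wordpress_backend {
    server 172.20.0.105:80;
}

# Plain-HTTP listener only redirects to HTTPS; no content is served here.
server {
    listen 80;
    server_name www.fauxsite.com fauxsite.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name www.fauxsite.com fauxsite.com;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder (Let's Encrypt on OPNsense)
    ssl_certificate_key /path/to/privkey.pem;     # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://wordpress_backend;

        # Host selects the right vhost on the backend (it serves several sites
        # on one port); the X-Forwarded-* headers let WordPress build correct
        # https:// URLs and log the real client address instead of the proxy's.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host  $host;
    }
}
```

Two things follow from this layout. The "Connection refused" line in the OPNsense log is produced before any of the backend's server blocks matter: nothing on 172.20.0.105 accepted the TCP connection on port 80 at all, so the backend's listener (and any host firewall there) is the first thing to check. And the backend server blocks must not contain their own http-to-https redirect, since from their point of view every request from OPNsense is plain HTTP and such a redirect would loop forever.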
-
Yes. Public Net -> OPN with nginx -> Nginx (with WordPress) (although a static website too, which works)
Still confused. I haven't done anything to Nginx outside of OPNsense's GUI. I think the fastcgi you are talking about is on the Ubuntu Nginx.
-