OPNsense Forum

English Forums => Web Proxy Filtering and Caching => Topic started by: cookiemonster on July 28, 2022, 06:05:37 pm

Title: Where to place nginx customisations
Post by: cookiemonster on July 28, 2022, 06:05:37 pm
Hi.
I'm trying to replicate a working setup from a standalone nginx installation into the OPN nginx plugin.
So far I can see traffic hitting nginx but I can't get the service to work. It's most likely that I need to add customisation to the configuration at least whilst diagnosing.
Setup is:
OPNsense 22.1.10-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1q 5 Jul 2022
os-nginx (installed)   1.28_1

My config:
cat /usr/local/etc/nginx/nginx.conf
Code:
load_module /usr/local/libexec/nginx/ngx_stream_module.so;
load_module /usr/local/libexec/nginx/ngx_http_naxsi_module.so;
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;
load_module /usr/local/libexec/nginx/ngx_http_js_module.so;

user www staff;
worker_processes 1;

error_log  /var/log/nginx/error.log;

events {
    worker_connections  1024;
}

http {
include       mime.types;



log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';
log_format  main_ext  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" '
                      '"$host" sn="$server_name" '
                      'rt=$request_time '
                      'ua="$upstream_addr" us="$upstream_status" '
                      'ut="$upstream_response_time" ul="$upstream_response_length" '
                      'cs=$upstream_cache_status';
log_format  handshake   '"$http_user_agent" "$ssl_ciphers" "$ssl_curves"';
log_format  anonymized  ':: - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

#tcp_nopush     on;
# https intercept detection
js_import /usr/local/opnsense/scripts/nginx/ngx_functions.js;
js_set $tls_intercepted ngx_functions.check_intercept;

# 200M should be big enough for file servers etc.
client_max_body_size 200M;
brotli_static on;
brotli on;
gzip_static on;
gzip on;
server_tokens off;
sendfile Off;
default_type  application/octet-stream;
keepalive_timeout 60;

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# TODO add when core is ready for allowing nginx to serve the web interface
# include nginx_web.conf;




# UPSTREAM SERVERS


include opnsense_http_vhost_plugins/*.conf;

}
stream {
    # LOG FORMATS
    log_format main '$remote_addr [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time';
    log_format anonymized ':: [$time_local] '
                     '$protocol $status $bytes_sent $bytes_received '
                     '$session_time';

    # UPSTREAM SERVERS
    upstream upstream15ad4a8a20f14c19a47af261eaa5249e {
        server 192.168.5.1:53 weight=5;
    }
    upstream upstream7f19e5deb72b4c318458205c45343b52 {
        server 192.168.5.1:8053 weight=5;
    }

    # upstream maps


    include opnsense_stream_vhost_plugins/*.conf;

    # servers
    server {

        listen 127.0.0.1:8054 proxy_protocol;

        access_log  /var/log/nginx/stream_7e5528ea-bfe6-46f5-be19-3e967da85398.access.log main;
        error_log  /var/log/nginx/stream_7e5528ea-bfe6-46f5-be19-3e967da85398.error.log info;


        include 7e5528ea-bfe6-46f5-be19-3e967da85398_pre/*.conf;

        proxy_ssl off;
        proxy_pass upstream15ad4a8a20f14c19a47af261eaa5249e;
        proxy_protocol on;

        include 7e5528ea-bfe6-46f5-be19-3e967da85398_post/*.conf;

    }
}
# mail {
# }

I want to include, for instance, an njs module in my upstream "upstream15ad4a8a20f14c19a47af261eaa5249e".
Similarly, a logging customisation for my stream block.

Where do I need to place them please?

p.s. the README in the opnsense_stream_vhost_plugins directory has this
"Place server {} in this directory - they are not affected by the enable / disable flag"
but I fail to understand if that's my hint.
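
Added example, not part of the original post and not OPNsense plugin code: a small Python helper that lists each `include` directive in a configuration together with the block context it sits in, which determines what kind of directives a drop-in file pulled in at that point may contain. `SAMPLE_CONF` is a constructed, abridged copy of the configuration posted above, and `include_contexts` is a hypothetical helper name.

```python
import re

# Constructed, abridged copy of the structure of the nginx.conf posted above.
SAMPLE_CONF = r"""
http {
    include       mime.types;
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }
    # include nginx_web.conf;
    include opnsense_http_vhost_plugins/*.conf;
}
stream {
    upstream upstream15ad4a8a20f14c19a47af261eaa5249e {
        server 192.168.5.1:53 weight=5;
    }
    include opnsense_stream_vhost_plugins/*.conf;
    server {
        listen 127.0.0.1:8054 proxy_protocol;
        include 7e5528ea-bfe6-46f5-be19-3e967da85398_pre/*.conf;
        proxy_pass upstream15ad4a8a20f14c19a47af261eaa5249e;
        include 7e5528ea-bfe6-46f5-be19-3e967da85398_post/*.conf;
    }
}
"""

# Tokens: quoted strings, comments, the three structural characters, bare words.
TOKEN = re.compile(r"""'[^']*'|"[^"]*"|#[^\n]*|[{};]|[^\s{};'"#]+""")


def include_contexts(conf_text):
    """Return [(include_pattern, context_path)] for every active include."""
    stack, words, found = [], [], []
    for tok in TOKEN.findall(conf_text):
        if tok.startswith("#"):
            continue  # commented-out directives are not active
        if tok in ("{", "}", ";"):
            if tok == "{":
                stack.append(words[0] if words else "?")  # block name
            elif tok == "}":
                stack.pop()
            elif len(words) >= 2 and words[0] == "include":
                found.append((words[1], " > ".join(stack) or "main"))
            words = []
        else:
            words.append(tok)
    return found
```

A drop-in file is parsed in the context of the `include` line that pulls it in, so every directive in it has to be valid for that context.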
Title: Re: Where to place nginx customisations
Post by: cookiemonster on July 29, 2022, 02:36:59 pm
I forgot to add, I am not using nginx as a reverse proxy, only as a webserver behind HAProxy as reverse proxy.
Title: Re: Where to place nginx customisations
Post by: cookiemonster on August 01, 2022, 11:43:31 pm
Anyone?
Title: Re: Where to place nginx customisations
Post by: franco on August 02, 2022, 12:10:43 pm
Might be better to ask @fabianfrz and @kulikov-a directly via support issue: https://github.com/opnsense/plugins/issues/new?assignees=&labels=&template=question.md&title=


Cheers,
Franco
Title: Re: Where to place nginx customisations
Post by: cookiemonster on August 02, 2022, 02:32:33 pm
OK, will do, thanks Franco.