OPNsense Forum

English Forums => Development and Code Review => Topic started by: fabian on June 10, 2018, 12:35:30 pm

Title: nginx plugin
Post by: fabian on June 10, 2018, 12:35:30 pm
I am working on an nginx plugin and made a developer preview (may still contain bugs):
Source: https://github.com/opnsense/plugins/pull/696

Package: pkg add https://files.fabian-franz.eu/os-nginx-devel-0.2.txz
Please do not use it for production systems because it may contain unknown bugs.
Title: Re: nginx plugin
Post by: erickengelke on June 30, 2018, 03:34:45 pm
I can try this on my dev system...

Erick
Title: Re: nginx plugin
Post by: fabian on June 30, 2018, 05:28:47 pm
Do you know how to create your own build? The linked one is a bit older, and the current one needs a custom patch for core:
https://github.com/opnsense/core/pull/2480
Title: Re: nginx plugin
Post by: erickengelke on July 01, 2018, 07:24:10 pm
Oh, I do not know how ... yet.

I tried it on the dev build. Once I moved the default httpdlite to 8080, nginx worked on 80 on the NAT side.

My goal is to set up an internal cloud, and have NGINX/OPNsense be the router/firewall/virtual hosting place. So HTTPS traffic would be decrypted at the OPNsense, which would be my single certificate holder.

Title: Re: nginx plugin
Post by: fabian on July 01, 2018, 07:46:03 pm
With the new build, you don't need to move the web interface, because it will disable the local web server and handle it by itself; the advantage is that the same port can be used. You can clone the plugins repository and run make package inside the www/nginx directory, which will build the pkg, or use make install.
Title: Re: nginx plugin
Post by: fabian on July 01, 2018, 07:50:13 pm
For core you need the following patches:
If you install it as a pkg, you can also use this code: https://github.com/opnsense/core/pull/2480/commits
opnsense-patch -a fabianfrz 505a8780eae55aa552b680cf6aced44b0e5f7f55 b8d8bfeba1b65b4a3da262af32cb1f750948a51f
Title: Re: nginx plugin
Post by: erickengelke on July 01, 2018, 08:35:56 pm
Thanks
Title: Re: nginx plugin
Post by: opnonce on September 20, 2018, 04:34:28 am
First let me say thanks for this plugin; it will prove very useful if all the features planned for it get worked out.

However, I am coming up to a bit of a brick wall in using the GUI, because it seems the logic for passing to an upstream server is broken.

Basically what I am trying to do is expose a guacamole server to OPNsense, which then acts as an nginx reverse proxy which holds all the Let's Encrypt certs and renewal.

I already did this configuration by hand using a dockerized nginx container, which then had traditional NAT mapped to it via the previous routers. It worked fairly well on some dumb routers, but for some reason with OPNsense it interrupted the connection every 30 seconds or so, breaking the guacamole sessions.

So when I found nginx could be run on the OPNsense box itself I was like "Yeah, that'll do fine", because the guacamole server is exposed to the LAN anyway, just on an HTTP alt port 8080.

So the problem I have with the plugin, though, is the rewrite rules seem to be applied only to the OPNsense HTTP server section and not to the proxy settings as well. Because the destination URL has to be http://10.1.8.12:8080/guacamole, I should be able to append the /guacamole part somewhere to the proxy URI.

This is how it worked when I did it by hand.
Code: [Select]
location / {
    root   /usr/share/nginx/html;
    return 301 https://$host/rs;
}

location /rs/ {
    # guacamole lives under /guacamole/ on the backend container
    proxy_pass  http://172.17.0.7:8080/guacamole/;
    proxy_buffering off;
    # HTTP/1.1 plus Upgrade/Connection headers so WebSocket sessions pass through
    proxy_http_version 1.1;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    access_log off;
}
But this is how the GUI sort of mangles it:
Code: [Select]
# UPSTREAM SERVERS
upstream upstream70b4351bbf6548ba827f620ee5b55029 {
    server 10.1.8.12:8080 weight=1 max_conns=100 max_fails=10 fail_timeout=5;
}

....
Code: [Select]
    # apache htpasswd and htaccess
    location ~ /\.ht {
        return 403;
    }
    # those files may expose file system stuff
    location ~ \.DS_Store$ {
        return 403;
    }
    rewrite / /guacamole redirect;

    location ~* $host/guacamole {
        DeniedUrl "/waf_denied.html";
        if ($scheme != "https") {
            return 302 https://$host$request_uri;
        }
        autoindex off;
        proxy_set_header Host $host;
        proxy_pass http://upstream70b4351bbf6548ba827f620ee5b55029;
    }
So I realise that this is a beta plugin at best, and you do say not to use it for production, but obviously this way of parsing the conf file is a deal breaker for redirects like mine. I suspect I will have to just go back to making a manual config file and leaving the GUI blank, in case it overwrites my changes.

Unless there is another way I am missing, of course?
Title: Re: nginx plugin
Post by: fabian on September 20, 2018, 07:02:17 am
Websocket support will be in 1.1 (https://github.com/opnsense/plugins/pull/828)

For the location block: it looks very strange to me to include the hostname. Why?
Title: Re: nginx plugin
Post by: opnonce on September 20, 2018, 11:18:20 am
Quote
Websocket support will be in 1.1 (https://github.com/opnsense/plugins/pull/828)

Oh that is cool. Great!

Quote
For the location block: it looks very strange to me to include the hostname. Why?

I think it was more convention than anything else. I took the same sort of rules I used for nginx in the standalone instance, and one of the cool things is nginx (like apache) can have multiple 'identities' in different config files, which can be very handy. So if you are coming in as say mail.host.domain you get the webmail forwarding, if you come in as dashboard.host.domain you get another service. All the $host does is make sure that the URLs stay consistent, I think.

I assume you knew this because you can allow multiple entries to be created, though I am still unclear how they are all supposed to work together with the same nginx.conf file. Or maybe I am just misunderstanding how it is all parsed; it was very late last night when I started looking into it, going off into the weeds.

Either way, it looks like it is shaping up nicely, and I don't mind playing around with it on a non-production install and ironing out other edge cases.

Thanks.
Title: Re: nginx plugin
Post by: fabian on September 20, 2018, 04:57:14 pm
Quote
I think it was more convention than anything else. I took the same sort of rules I used for nginx in the standalone instance, and one of the cool things is nginx (like apache) can have multiple 'identities' in different config files, which can be very handy. So if you are coming in as say mail.host.domain you get the webmail forwarding, if you come in as dashboard.host.domain you get another service. All the $host does is make sure that the URLs stay consistent, I think.
No, your URL for
Code: [Select]
location ~* $host/guacamole
would be: https://mail.host.domain/mail.host.domain/guacamole, which is very uncommon and stupid.

Quote
I assume you knew this because you can allow multiple entries to be created, though I am still unclear how they are all supposed to work together with the same nginx.conf file. Or maybe I am just misunderstanding how it is all parsed; it was very late last night when I started looking into it, going off into the weeds.

You probably want a "/guacamole" or "/" location to forward to the upstream, which it will reach with the same URL (without pre- or postfix).

Quote
Either way, it looks like it is shaping up nicely, and I don't mind playing around with it on a non-production install and ironing out other edge cases.

If you find a normal case, it would probably be good for everyone to know about it.
Title: Re: nginx plugin
Post by: ccesario on September 22, 2018, 04:32:43 am
Hi folks,

We are testing nginx with the WAF enabled, according to https://wiki.opnsense.org/manual/how-tos/nginx.html, but when we enable the WAF we get the denied page for location /; even in learning mode we get the denied page.

This is the part of config ...

Code: [Select]
location / {
    SecRulesEnabled;
    LibInjectionXss;
    CheckRule "$LIBINJECTION_XSS >= 8" BLOCK;
    LibInjectionSql;
    CheckRule "$LIBINJECTION_SQL >= 8" BLOCK;
    DeniedUrl "/waf_denied.html";
    autoindex off;
    proxy_set_header Host $host;
    proxy_pass http://upstream16d9678a48cf438b8f71617150c53c4c;
}


Does someone have an idea about it?

Regards

Carlos
Title: Re: nginx plugin
Post by: fabian on September 22, 2018, 08:00:43 am
It may be because of a naxsi bug which I have reported and is already fixed upstream but needs to get included in FreeBSD.

It blocks everything if there is no main rule present. Because of this, I've talked to the developers to get a patch, and now it is documented that you can use this to prevent it from blocking everything: https://github.com/opnsense/plugins/blob/master/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/ruleset.conf#L1

For some reason the naxsi patch has not reached us yet. A workaround is to just create some main rules. The project has some good ones:
https://github.com/nbs-system/naxsi/blob/master/naxsi_config/naxsi_core.rules
Title: Re: nginx plugin
Post by: ccesario on September 24, 2018, 02:44:45 pm
Hello @Fabian,

Thank you for your clarification.
Well, if I understood, as a workaround I need main rules. https://github.com/nbs-system/naxsi/blob/master/naxsi_config/naxsi_core.rules
But how can I add this using the GUI? Or do I need to put it into a specific directory?

Regards
Carlos
Title: Re: nginx plugin
Post by: fabian on September 24, 2018, 05:32:42 pm
Configure a naxsi rule, add it to a policy and add the policy to a location and it should be there.
Title: Re: nginx plugin
Post by: ccesario on September 24, 2018, 11:29:38 pm
Thanks @Fabian, I will test it.

Currently we are facing a problem with HTTP servers.
When we add a second HTTP server the service does not start.

This is the code generated:


Code: [Select]
load_module /usr/local/libexec/nginx/ngx_stream_module.so;
load_module /usr/local/libexec/nginx/ngx_http_naxsi_module.so;
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;

user www staff;
worker_processes  1;

error_log  /var/log/nginx/error.log;

events {
    worker_connections  1024;
}

http {
include       mime.types;

MainRule wl:19;


log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';
log_format  anonymized  ':: - $remote_user [$time_local] "$request" '
                  '$status $body_bytes_sent "$http_referer" '
                  '"$http_user_agent" "$http_x_forwarded_for"';

#tcp_nopush     on;

# 200M should be big enough for file servers etc.
client_max_body_size 200M;
brotli_static on;
brotli on;
gzip_static on;
gzip on;
server_tokens off;
sendfile Off;
default_type  application/octet-stream;
keepalive_timeout 60;

# TODO add when core is ready for allowing nginx to serve the web interface
# include nginx_web.conf;

# UPSTREAM SERVERS
upstream upstream16d9678a48cf438b8f71617150c53c4c {
server 10.15.0.9:80 weight=1 max_conns=500 max_fails=10 fail_timeout=10;

}

server {
    listen  [::]:80 ipv6only=off;
    # proxy headers for backend server
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    server_name  server1.com;
    charset utf-8;
    access_log  /var/log/nginx/server1.com.access.log main;
    error_log  /var/log/nginx/server1.com.error.log;
    #include tls.conf;
    error_page 404 /opnsense_error_404.html;
    error_page 500 501 502 503 504 /opnsense_server_error.html;
    # location to ban the host permanently
    set $naxsi_extensive_log 0;
    location @permanentban {
        access_log /var/log/nginx/permanentban.access.log main;
        internal;
        add_header Content-Type text/plain;
        add_header Charset utf-8;
        return 403 "You got banned permanently from this server.";
    }
    error_page 418 = @permanentban;
    location /opnsense_server_error.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location /opnsense_error_404.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;
    }
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/etc/acme-client/challenges;
    }
    # block based on User Agents - stuff I have found over the years in my server log
    if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu) {
      return 418;
    }
    if ($http_user_agent ~ "Indy\sLibrary|Morfeus Fucking Scanner")
    {
      return 418;
    }

    location = /opnsense-report-csp-violation {
      include       fastcgi_params;
      fastcgi_param QUERY_STRING $query_string;
      fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/csp_report.php;
      fastcgi_param TLS-Cipher $ssl_cipher;
      fastcgi_param TLS-Protocol $ssl_protocol;
      fastcgi_param TLS-SNI-Host $ssl_server_name;
      fastcgi_param SERVER-UUID "63cc87ec-228d-4bbd-a695-37118e761e8a";
      fastcgi_intercept_errors on;
      fastcgi_pass  unix:/var/run/php-webgui.socket;
    }
    location /opnsense-auth-request {
      internal;
      fastcgi_pass  unix:/var/run/php-webgui.socket;
      fastcgi_index index.php;
      fastcgi_param TLS-Cipher $ssl_cipher;
      fastcgi_param TLS-Protocol $ssl_protocol;
      fastcgi_param TLS-SNI-Host $ssl_server_name;
      fastcgi_param Original-URI $request_uri;
      fastcgi_param Original-HOST $host;
      fastcgi_param SERVER-UUID "63cc87ec-228d-4bbd-a695-37118e761e8a";
      fastcgi_param SCRIPT_FILENAME  /usr/local/opnsense/scripts/nginx/ngx_auth.php;
      fastcgi_intercept_errors on;
      include        fastcgi_params;
    }


}

server {
    listen  [::]:80 ipv6only=off;
    # proxy headers for backend server
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    server_name  server2.com;
    charset utf-8;
    access_log  /var/log/nginx/server2.com.access.log main;
    error_log  /var/log/nginx/server2.com.error.log;
    #include tls.conf;
    error_page 404 /opnsense_error_404.html;
    error_page 500 501 502 503 504 /opnsense_server_error.html;
    # location to ban the host permanently
    set $naxsi_extensive_log 0;
    location @permanentban {
        access_log /var/log/nginx/permanentban.access.log main;
        internal;
        add_header Content-Type text/plain;
        add_header Charset utf-8;
        return 403 "You got banned permanently from this server.";
    }
    error_page 418 = @permanentban;
    location /opnsense_server_error.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location /opnsense_error_404.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;
    }
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/etc/acme-client/challenges;
    }
    # block based on User Agents - stuff I have found over the years in my server log
    if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu) {
      return 418;
    }
    if ($http_user_agent ~ "Indy\sLibrary|Morfeus Fucking Scanner")
    {
      return 418;
    }

    location = /opnsense-report-csp-violation {
      include       fastcgi_params;
      fastcgi_param QUERY_STRING $query_string;
      fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/csp_report.php;
      fastcgi_param TLS-Cipher $ssl_cipher;
      fastcgi_param TLS-Protocol $ssl_protocol;
      fastcgi_param TLS-SNI-Host $ssl_server_name;
      fastcgi_param SERVER-UUID "1eb8f7b2-f81d-4f31-bbeb-173c9678bfa7";
      fastcgi_intercept_errors on;
      fastcgi_pass  unix:/var/run/php-webgui.socket;
    }
    location /opnsense-auth-request {
      internal;
      fastcgi_pass  unix:/var/run/php-webgui.socket;
      fastcgi_index index.php;
      fastcgi_param TLS-Cipher $ssl_cipher;
      fastcgi_param TLS-Protocol $ssl_protocol;
      fastcgi_param TLS-SNI-Host $ssl_server_name;
      fastcgi_param Original-URI $request_uri;
      fastcgi_param Original-HOST $host;
      fastcgi_param SERVER-UUID "1eb8f7b2-f81d-4f31-bbeb-173c9678bfa7";
      fastcgi_param SCRIPT_FILENAME  /usr/local/opnsense/scripts/nginx/ngx_auth.php;
      fastcgi_intercept_errors on;
      include        fastcgi_params;
    }


}
# mail {
# }


The error generated is:

2018/09/24 18:23:03 [emerg] 65933#100194: duplicate listen options for [::]:80 in /usr/local/etc/nginx/nginx.conf:149
2018/09/24 18:23:03 [emerg] 66135#100194: duplicate listen options for [::]:80 in /usr/local/etc/nginx/nginx.conf:149


My comments:
 - Is it needed to duplicate the locations related to the OPNsense GUI?
 - I just fixed the service by replacing
       this line
                listen  [::]:80 ipv6only=off;
       with this
                listen  80 ipv6only=off;


Could you help us with it?

Regards
Carlos



This reference helped me with it: https://serverfault.com/questions/638367/do-you-need-separate-ipv4-and-ipv6-listen-directives-in-nginx
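As an added example (not code from this thread or from the plugin), here is a small Python lint that applies the rule behind the "duplicate listen options" error above: nginx binds one socket per address:port, so socket-level listen parameters such as ipv6only may appear in only one listen directive for that address, while a second server may still listen on it without options. The two sample configs are constructed to mirror the generated file from the post.

```python
import re

# Socket-level "listen" parameters. nginx binds each address:port once, so it
# accepts these in only ONE listen directive for that address; a second
# directive carrying any of them fails with "duplicate listen options for ...".
# Flags such as ssl, http2, default_server and proxy_protocol are not socket
# options and may be repeated freely. (Set taken from the nginx listen docs.)
SOCKET_OPTIONS = frozenset((
    "bind", "backlog", "rcvbuf", "sndbuf", "accept_filter", "deferred",
    "ipv6only", "reuseport", "so_keepalive", "fastopen", "setfib",
))

_COMMENT = re.compile(r"#[^\n]*")
_LISTEN = re.compile(r"(?<![\w$])listen\s+([^;{}]+);")


def normalize_address(addr):
    """Map the address spellings nginx accepts onto one key per socket."""
    if addr.isdigit():                     # "80" means every IPv4 address, port 80
        return "*:" + addr
    if addr.startswith("0.0.0.0:"):
        return "*:" + addr.split(":", 1)[1]
    return addr                            # "[::]:80", "*:80", "10.0.0.1:80", "unix:/..."


def find_duplicate_listen_options(conf_text):
    """Return (address, [socket options]) for every listen directive that sets
    socket-level options on an address:port that already received them."""
    text = _COMMENT.sub("", conf_text)
    seen_with_options = set()
    findings = []
    for match in _LISTEN.finditer(text):
        tokens = match.group(1).split()
        address = normalize_address(tokens[0])
        names = [tok.split("=", 1)[0] for tok in tokens[1:]]
        socket_opts = [n for n in names if n in SOCKET_OPTIONS]
        if not socket_opts:
            continue                       # ssl/http2-only listens never collide
        if address in seen_with_options:
            findings.append((address, socket_opts))
        else:
            seen_with_options.add(address)
    return findings


# Constructed sample (not the poster's file): two generated server blocks that
# both carry ipv6only=off, the shape that produced the emerg above.
BROKEN = """
http {
    server {
        listen  [::]:80 ipv6only=off;
        server_name  server1.example;
    }
    server {
        listen  [::]:80 ipv6only=off;
        server_name  server2.example;
    }
}
"""

# Same two servers; the socket option is stated once and the second server
# simply joins the socket that is already bound.
FIXED = """
http {
    server {
        listen  [::]:80 ipv6only=off;
        server_name  server1.example;
    }
    server {
        listen  [::]:80;
        server_name  server2.example;
    }
}
"""

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, find_duplicate_listen_options(conf))
```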
Title: Re: nginx plugin
Post by: ccesario on September 25, 2018, 03:47:41 am
@Fabian, I solved it, and I created a proposed patch in https://github.com/opnsense/plugins/pull/868

With this, all server directives work.

Best regards

Carlos
Title: Re: nginx plugin
Post by: ccesario on September 25, 2018, 01:57:52 pm
Hi @Fabian...

Currently we are trying proxy_pass to an internal server with a different path,

like:

Code: [Select]
location /name/ {
    proxy_pass http://127.0.0.1/remote/;
}

as described in the documentation:
http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_pass

But it seems the OPNsense code does not implement it, or I did not find it.

Is it possible for you to instruct us how to do it?

Best regards,
Carlos
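To make the proxy_pass rule quoted from the nginx documentation concrete, here is an added Python model (not part of the plugin or of this thread) of how nginx derives the upstream URI from a location, its proxy_pass and the request: with a URI part, the matched location prefix is replaced; without one, the request URI passes through unchanged, which is what the plugin rendered. The upstream names and paths are constructed; the regex-location restriction is the one nginx itself enforces.

```python
import re


class ProxyPassError(ValueError):
    """Raised for combinations nginx itself rejects when loading the config."""


def split_proxy_pass(proxy_pass):
    """'http://upstream_x/remote/' -> ('http://upstream_x', '/remote/');
    a proxy_pass with nothing after the host has an empty URI part."""
    m = re.match(r"^(https?://[^/\s]+)(/\S*)?$", proxy_pass)
    if not m:
        raise ProxyPassError("unsupported proxy_pass: %r" % (proxy_pass,))
    return m.group(1), m.group(2) or ""


def upstream_request_uri(matchtype, location_uri, proxy_pass, request_uri):
    """Return the URI nginx forwards to the upstream for one request.

    Rules from the proxy_pass documentation (static proxy_pass, no variables):
      * no URI part in proxy_pass  -> the request URI is passed unchanged;
      * URI part present           -> the portion of the request path that
                                      matched the location prefix is replaced
                                      by that URI part (the query string stays);
      * regex locations (~, ~*)    -> a URI part is a configuration error.
    `matchtype` uses the plugin's spelling: "" (prefix), "=", "^~", "~", "~*".
    """
    _, uri_part = split_proxy_pass(proxy_pass)
    if matchtype in ("~", "~*"):
        if uri_part:
            raise ProxyPassError('"proxy_pass" cannot have URI part in '
                                 'location given by regular expression')
        return request_uri
    if not uri_part:
        return request_uri
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location_uri):
        raise ProxyPassError("%r is not handled by location %r"
                             % (request_uri, location_uri))
    # Note the literal join: location "/name/" with proxy_pass ".../remote"
    # (no trailing slash) yields "/remotepage", exactly as nginx does.
    return uri_part + path[len(location_uri):] + sep + query


def is_rejected(matchtype, location_uri, proxy_pass):
    """True when nginx would refuse this location / proxy_pass pairing."""
    probe = "/" if matchtype in ("~", "~*") else location_uri
    try:
        upstream_request_uri(matchtype, location_uri, proxy_pass, probe)
    except ProxyPassError:
        return True
    return False


if __name__ == "__main__":
    # The documented case from the post: /name/... reaches the backend as /remote/...
    print(upstream_request_uri("", "/name/", "http://127.0.0.1/remote/", "/name/page?x=1"))
    # What the plugin renders today (no URI part): the path is passed unchanged.
    print(upstream_request_uri("", "/guacamole", "http://upstreamexample", "/guacamole/client"))
    # A "/" location with a URI part prepends the backend path.
    print(upstream_request_uri("", "/", "http://upstreamexample/guacamole/", "/client"))
```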
Title: Re: nginx plugin
Post by: ccesario on September 25, 2018, 06:20:34 pm
@Fabian, related to my last post, I have created a small patch to implement it.

If it is usable and in accordance with the code, I can send a pull request.

Best regards

Carlos

Code: [Select]
--- opnsense/service/templates/OPNsense/Nginx/location.conf.ori 2018-09-25 12:19:57.540066000 -0300
+++ opnsense/service/templates/OPNsense/Nginx/location.conf     2018-09-25 12:20:46.343048000 -0300
@@ -87,7 +87,7 @@
 {% if location.upstream is defined and (location.php_enable is not defined or location.php_enable != '1') %}
 {% set upstream = helpers.getUUID(location.upstream) %}
     proxy_set_header Host $host;
-    proxy_pass http{% if upstream.tls_enable == '1' %}s{% endif %}://upstream{{ location.upstream.replace('-','') }};
+    proxy_pass http{% if upstream.tls_enable == '1' %}s{% endif %}://upstream{{ location.upstream.replace('-','') }}{% if location.new_urlpattern != '' %}{{ location.new_urlpattern }};{% endif %}
 {%   if upstream.tls_enable == '1' %}
 {%     if upstream.tls_client_certificate is defined and upstream.tls_client_certificate != '' %}
     proxy_ssl_certificate_key /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.key;
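Review bot: the new proxy_pass line moves the terminating semicolon inside the `{% if %}`, so when `location.new_urlpattern` is set but empty the rendered directive is `proxy_pass http://upstream...` with no `;` and nginx rejects the whole file. Emit the `;` unconditionally after `{% endif %}`, and guard with `is defined and ... != ''` as the surrounding template does for `location.upstream`, since locations saved before this field existed carry no `new_urlpattern` at all.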
--- opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml.ori        2018-09-25 12:22:43.430414000 -0300
+++ opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml    2018-09-25 13:09:52.750377000 -0300
@@ -205,6 +205,9 @@
         <Required>N</Required>
         <multiple>N</multiple>
       </upstream>
+      <new_urlpattern type="TextField">
+        <Required>N</Required>
+      </new_urlpattern>
       <root type="TextField">
         <Required>N</Required>
       </root>
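Review bot: `new_urlpattern` is a plain TextField with no mask, yet the template pastes its value verbatim into the proxy_pass line of nginx.conf; a value containing whitespace, `;` or `}` ends the directive early and breaks or alters the generated server block. Constrain the field to a URI path at save time (leading `/`, no quotes, whitespace or `;`) rather than discovering the problem at reload.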
--- opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml.ori  2018-09-25 13:13:04.693659000 -0300
+++ opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml      2018-09-25 13:16:54.587260000 -0300
@@ -62,6 +62,12 @@
     <help>Select an upstream to proxy to or connect via FastCGI if chosen.</help>
   </field>
   <field>
+    <id>location.new_urlpattern</id>
+    <label>New location path</label>
+    <type>text</type>
+    <help>Select a new path for upstream to proxy.</help>
+  </field>
+  <field>
     <id>location.limit_request_connections</id>
     <label>Limit Requests</label>
     <type>select_multiple</type>
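Review bot: the help text "Select a new path for upstream to proxy." describes a select box, but the field is free text; say what the value does, e.g. "Optional path that replaces the matched location prefix in the proxy_pass URL". The label should also use the capitalisation of neighbouring labels such as "Limit Requests" shown below.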
Title: Re: nginx plugin
Post by: fabian on September 25, 2018, 06:28:25 pm
It may work with a rewrite, because this does append. You may also create a pull request if you really need it this way.
Title: Re: nginx plugin
Post by: ccesario on September 26, 2018, 02:01:54 am
Hi @Fabian,

Could you please validate the new path_prefix patch according to your suggestions on GitHub?

Code: [Select]
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
index 3cbfc2b..358875a 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
@@ -62,6 +62,12 @@
     <help>Select an upstream to proxy to or connect via FastCGI if chosen.</help>
   </field>
   <field>
+    <id>location.path_prefix</id>
+    <label>Path prefix</label>
+    <type>text</type>
+    <help>Define an optional path prefix for this location.</help>
+  </field>
+  <field>
     <id>location.limit_request_connections</id>
     <label>Limit Requests</label>
     <type>select_multiple</type>
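Review bot: the label "Path prefix" should read "Path Prefix" to match the word capitalisation of neighbouring labels such as "Limit Requests" three lines below; consider also marking the field as advanced, since a proxy path prefix is not an everyday setting.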
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index 91f1669..4a56c7d 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -205,6 +205,10 @@
         <Required>N</Required>
         <multiple>N</multiple>
       </upstream>
+      <path_prefix type="TextField">
+        <Required>N</Required>
+        <mask>/^[^" \t]+$/i</mask>
+      </path_prefix>
       <root type="TextField">
         <Required>N</Required>
       </root>
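Review bot: the mask `/^[^" \t]+$/i` rejects quotes, spaces and tabs but still accepts `;`, `{`, `}` and `#`, each of which terminates or comments out the generated proxy_pass directive when the template pastes the value verbatim. Since the field is a URI path, a tighter mask such as `/^\/[^"'\s;{}#]*$/` (leading slash required) catches bad input at save time instead of at nginx reload. The `i` flag is harmless here because the character class contains no letters.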
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 6fb180f..70fbc2f 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -87,7 +87,11 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
 {% if location.upstream is defined and (location.php_enable is not defined or location.php_enable != '1') %}
 {% set upstream = helpers.getUUID(location.upstream) %}
     proxy_set_header Host $host;
+{% if location.path_prefix is defined and location.path_prefix != '' %}
+    proxy_pass http{% if upstream.tls_enable == '1' %}s{% endif %}://upstream{{ location.upstream.replace('-','') }}{{ location.path_prefix }};
+{% else %}
     proxy_pass http{% if upstream.tls_enable == '1' %}s{% endif %}://upstream{{ location.upstream.replace('-','') }};
+{% endif %}
 {%   if upstream.tls_enable == '1' %}
 {%     if upstream.tls_client_certificate is defined and upstream.tls_client_certificate != '' %}
     proxy_ssl_certificate_key /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.key;
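Review bot: the `{% if %}/{% else %}` duplicates the whole proxy_pass line; appending the prefix inline (`...{{ location.upstream.replace('-','') }}{% if location.path_prefix is defined and location.path_prefix != '' %}{{ location.path_prefix }}{% endif %};`) leaves one line to maintain. More importantly, nginx refuses a proxy_pass with a URI part inside a regular-expression location ("proxy_pass cannot have URI part in location given by regular expression"), and `location.matchtype` in the hunk header can be `~` or `~*`, so either the template or the model validation should reject `path_prefix` for those match types or the reload will fail.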


Best regards
Carlos
Title: Re: nginx plugin
Post by: fabian on September 26, 2018, 05:59:43 pm
Except for the label in the form it looks good (I would accept it). Every word should start with a capital letter to be consistent with the rest of the UI. If you want to, you may mark it as advanced (form) to hide it in the normal view, as it is not an everyday field. The i at the end is not required but also does not hurt, because it means that the regular expression is not case sensitive (for example, matching "Test" with /[a-z]+/i and /[a-z]+/ would deliver different results, because the first one includes the "T", the second not).
Title: Re: nginx plugin
Post by: ccesario on September 27, 2018, 05:36:05 pm
Hi @Fabian, thank you for your comments!

Let me know: did OPNsense 18.7.4 not include the latest nginx commits?

Regards
Carlos
Title: Re: nginx plugin
Post by: fabian on September 27, 2018, 06:58:32 pm
Does not look like it happened. FYI: if you are on the main page of the repository, you can also choose a tag in the dropdown, which is the release. Then you can look into the plugin directory, which will show the latest commit message.
Title: Re: nginx plugin
Post by: fabian on September 27, 2018, 07:00:09 pm
I forgot: I've merged it to master, so the changes should be in devel.
Title: Re: nginx plugin
Post by: ccesario on September 27, 2018, 07:20:38 pm
Quote
I forgot: I've merged it to master, so the changes should be in devel.

Ohhh .... We are waiting for this eheheh
Title: Re: nginx plugin
Post by: franco on September 27, 2018, 08:45:24 pm
just want to drop by and say: thanks for your work, guys! 8)
Title: Re: nginx plugin
Post by: franco on September 27, 2018, 09:05:34 pm
@Carlos: regarding your latest patches question: do you use the development version or the release version? The release version wasn't updated.
Title: Re: nginx plugin
Post by: ccesario on September 28, 2018, 03:06:30 pm
Hello @Franco,
Well, my patches are sent against the master branch, but I don't know where @Fabian makes the commits :)

Regards
Carlos
Title: Re: nginx plugin
Post by: fabian on September 28, 2018, 06:32:56 pm
I usually use a feature branch in the plugins repository. There is a select box to switch between branches. The advantage when I develop this way is that you need at least one parameter less in opnsense-patch and franco can commit on this branch as well (did not ever happen yet but maybe it will some day in the future).
Title: Re: nginx plugin
Post by: juliocbc on October 06, 2018, 07:05:11 pm
Hello!

I have some trouble when trying multiple upstream servers:

Code: [Select]
nginx: [emerg] "upstream" directive is not allowed here in /usr/local/etc/nginx/nginx.conf:56
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

I made a minor change in the upstream.conf jinja template that worked for me:

https://github.com/juliocbc/plugins/commit/82a47c38254691672a002a30e997d08d1e9a9b8e
Title: Re: nginx plugin
Post by: fabian on October 06, 2018, 07:17:54 pm
Could you please open a pull request so I can merge it?
Title: Re: nginx plugin
Post by: juliocbc on October 06, 2018, 08:20:16 pm
Sure!!

https://github.com/opnsense/plugins/pull/893
Title: Re: nginx plugin
Post by: fabian on October 07, 2018, 08:41:47 am
I am waiting for the additional approval of Franco, then it will be in the next update.
Title: Re: nginx plugin
Post by: juliocbc on October 09, 2018, 01:32:43 pm
Hi Franz!

I've opened an issue: https://github.com/opnsense/plugins/issues/902

version: os-nginx-devel-1.1

If the TLS Certificate option is set in the HTTP Server, the following error occurs:

PHP Warning: Invalid argument supplied for foreach() in /usr/local/opnsense/scripts/nginx/setup.php on line 88
Title: Re: nginx plugin
Post by: mimugmail on October 09, 2018, 01:36:32 pm
Be sure Fabian is getting notified by any issue via Github :)
Title: Re: nginx plugin
Post by: juliocbc on October 09, 2018, 03:48:23 pm
I tagged his user on the post!!

Thanks!
Title: Re: nginx plugin
Post by: fabian on October 09, 2018, 07:52:20 pm
Fix is provided. Thanks for reporting.
Title: Re: nginx plugin
Post by: juliocbc on October 09, 2018, 08:39:21 pm
@Fabian

Thanks!!

Now the error doesn't occur anymore, but /usr/local/etc/nginx/nginx.conf is not being updated with the WebGUI configuration.

Is there some additional step?
Title: Re: nginx plugin
Post by: fabian on October 09, 2018, 10:49:21 pm
Did you click on the reconfigure button (the one with the two arrows), and is there no error in the configd log?
Title: Re: nginx plugin
Post by: juliocbc on October 10, 2018, 12:40:27 pm
Yes, I did it!

I didn't check configd.log (I was looking for errors in system.log; old habits from 16.x ::) )

Errors in configd.log:

Code: [Select]
Oct 10 10:37:36 OPNsense configd.py: [51c4c4a6-5895-47ff-b5de-136cd80f7624] Inline action failed with OPNsense/Nginx OPNsense/Nginx/nginx.conf 'None' has no attribute '@uuid' at Traceback (most recent call last):   File "/usr/local/opnsense/service/modules/processhandler.py", line 507, in execute     return ph_inline_actions.execute(self, inline_act_parameters)   File "/usr/local/opnsense/service/modules/ph_inline_actions.py", line 51, in execute     filenames = tmpl.generate(parameters)   File "/usr/local/opnsense/service/modules/template.py", line 332, in generate     raise render_exception Exception: OPNsense/Nginx OPNsense/Nginx/nginx.conf 'None' has no attribute '@uuid'
Title: Re: nginx plugin
Post by: fabian on October 10, 2018, 05:42:50 pm
This could be anything, but I've provided a fix for that in core, as far as I know. Did you delete anything?
Title: Re: nginx plugin
Post by: juliocbc on October 10, 2018, 06:26:37 pm
Nope...

I'll try to build the devel package again with the latest commits then...

Title: Re: nginx plugin
Post by: juliocbc on October 10, 2018, 06:46:44 pm
For os-nginx-devel, I got a fresh git clone of the plugins repo and built the package again.

I've removed the packages os-nginx-devel and nginx and reinstalled both.

Am I missing something?
Title: Re: nginx plugin
Post by: fabian on October 10, 2018, 09:40:46 pm
Are you also on OPNsense devel?
Title: Re: nginx plugin
Post by: juliocbc on October 10, 2018, 11:34:44 pm
I'm not sure...

I don't think so.. I was getting from master branch.
Title: Re: nginx plugin
Post by: fabian on October 11, 2018, 07:01:41 am
Then you can only send me your nginx section from your config.xml.
Title: Re: nginx plugin
Post by: juliocbc on October 11, 2018, 01:38:38 pm
Hello Fabian!

My config.xml.

Thanks!
Title: Re: nginx plugin
Post by: fabian on October 11, 2018, 06:21:27 pm
Hi Julio, your portal b location will probably not work because you have enabled naxsi without rules, but that should not break the OPNsense template.
Title: Re: nginx plugin
Post by: fabian on October 11, 2018, 06:33:07 pm
@julio I've imported your config and it rendered ok. You are probably missing a core patch (https://github.com/opnsense/core/commit/a7bc2188016941d301bf276d4ccd0a62a4c6e4bb)
Title: Re: nginx plugin
Post by: juliocbc on October 11, 2018, 10:27:53 pm
Thanks again Fabian!
Title: Re: nginx plugin
Post by: utahbmxer on October 11, 2018, 11:39:49 pm
Hi

Moderate to less than moderate nix skill, but I'm looking to migrate off Sophos UTM, and WAF functionality is my biggest hurdle. I have been playing around, getting familiar with your plugin (great work), and can't figure out one thing (aside from the WAF security rules bug).

How do we specify a default_server in the listen directive? I want to display a not found or some generic page if someone hits my WAF by IP, etc., instead of one of the configured virtual host names. I understand security through obscurity is not much security, but if I can not have it show my Nextcloud page when someone hits the WAF IP (without hostname in the SNI header), that would be great.

Can I specify a .conf file which gets included outside of generated nginx.conf?  (like a conf.d directory)

Thanks again for your work.
Title: Re: nginx plugin
Post by: utahbmxer on October 12, 2018, 01:56:34 am
I realized this is probably the wrong thread for this stuff, but I sort of figured out a work-around.  It seems NGINX treats the servers in order they appear in the config and configd seems to generate the file in order that they were added in the GUI.  I just created the first server as a basic HTTP Server with no Locations configured.  The other server comes after which has a location and upstreams configured.  Will continue to test with some additional servers added in.
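The ordering effect described in the post above can be checked with a small model of how nginx picks a server block. This is an added example, not code from the nginx plugin or from nginx itself; it only models exact server_name matches (nginx also supports wildcard and regex names), and the host names and labels are constructed.

```python
"""Model of how nginx chooses a server block for one listen port.

Added example: a constructed model, not code from the nginx plugin
or from nginx itself. It covers only exact server_name matches (nginx also
supports wildcard and regex names). Selection for a given listen socket:

  1. the server whose server_name matches the requested Host / SNI name
  2. otherwise the server marked default_server for that listen socket
  3. otherwise the first server block listed for that socket
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Server:
    listen: str                                      # e.g. "443"
    names: List[str] = field(default_factory=list)   # server_name values
    default: bool = False                            # listen ... default_server
    label: str = ""                                  # only used for reporting


def select_server(servers: List[Server], listen: str, host: Optional[str]) -> Optional[str]:
    """Return the label of the server block nginx would use, or None."""
    candidates = [s for s in servers if s.listen == listen]
    if not candidates:
        return None
    if host:
        wanted = host.lower().rstrip(".")
        for s in candidates:
            if wanted in (n.lower() for n in s.names):
                return s.label
    for s in candidates:
        if s.default:
            return s.label
    return candidates[0].label


# Constructed config 1: the workaround from the post above, a bare catch-all
# server created first, followed by the Nextcloud host.
CATCHALL_FIRST = [
    Server("443", [], False, "catch-all"),
    Server("443", ["cloud.example.com"], False, "nextcloud"),
]

# Constructed config 2: Nextcloud created first, catch-all added later.
# Without default_server the first block wins for unknown names, so a
# request by bare IP lands on Nextcloud.
NEXTCLOUD_FIRST = [
    Server("443", ["cloud.example.com"], False, "nextcloud"),
    Server("443", [], False, "catch-all"),
]

# Constructed config 3: same order, but the catch-all carries default_server.
NEXTCLOUD_FIRST_WITH_DEFAULT = [
    Server("443", ["cloud.example.com"], False, "nextcloud"),
    Server("443", [], True, "catch-all"),
]


if __name__ == "__main__":
    for name, cfg in [("catch-all first", CATCHALL_FIRST),
                      ("nextcloud first", NEXTCLOUD_FIRST),
                      ("nextcloud first + default_server", NEXTCLOUD_FIRST_WITH_DEFAULT)]:
        by_ip = select_server(cfg, "443", None)            # request by IP, no SNI/Host
        by_name = select_server(cfg, "443", "cloud.example.com")
        print(f"{name}: by IP -> {by_ip}, by name -> {by_name}")
```

The model makes the point of the workaround explicit: order alone protects the Nextcloud host only while the catch-all stays first, whereas marking the catch-all as default_server works regardless of position.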
Title: Re: nginx plugin
Post by: fabian on October 12, 2018, 04:57:34 pm
default is reserved for the web interface, which has an IP-based ACL
Title: Re: nginx plugin
Post by: utahbmxer on October 12, 2018, 08:25:51 pm
That makes sense.  I guess it worked for me because I changed the management port from 443 to an alternate.
Title: Re: nginx plugin
Post by: fabian on October 12, 2018, 10:48:45 pm
The web interface is currently not enabled because the core part is missing. If you want to try it on a development instance, you can install the nginx plugin, remove the comment character from the config, kill the lighttpd process of the web interface and then use "service nginx restart" to restart nginx without rendering the template again.

Some things you will see:
* You will communicate over HTTP/2 if you use HTTPS
* You can use the same port for other sites as well
Title: Re: nginx plugin
Post by: juliocbc on October 26, 2018, 03:00:18 pm
Hello Fabian,

Are there already any plans to implement some log rotation for the nginx logs?
Title: Re: nginx plugin
Post by: fabian on October 26, 2018, 03:42:30 pm
Are there already any plans to implement some log rotation for the nginx logs?
Currently not, because I am working on TCP streams load balancing in the nginx plugin. Do you need something special (cron job to rotate manually configurable or always running at a special time like midnight)?

This feature is not a lot of work to do so please create a ticket with your expectations. It can be discussed in the issue tracker.
Title: Re: nginx plugin
Post by: juliocbc on October 26, 2018, 04:35:10 pm
I'm rotating with logrotate installed for now. I was wondering if it would be a good idea to make a log rotation plugin to serve other plugins that don't use the circular log format.
Title: Re: nginx plugin
Post by: fabian on October 26, 2018, 06:29:46 pm
I can also send the logs to syslog if that's what you want.
Title: Re: nginx plugin
Post by: fabian on November 11, 2018, 09:39:47 pm
I've requested a build for logrotate: https://github.com/opnsense/tools/issues/104
Title: Re: nginx plugin
Post by: franco on November 12, 2018, 08:35:52 am
Why not use https://www.freebsd.org/cgi/man.cgi?newsyslog


Cheers,
Franco
Title: Re: nginx plugin
Post by: Oxima69 on November 12, 2018, 12:43:46 pm
Hi guys, hi @Fabian,
I am looking for a way to block or unblock IPs / IP ranges in the location block.

like
location / {
  # block one workstation
  deny    192.168.1.1;
  # allow anyone in 192.168.1.0/24
  allow   192.168.1.0/24;
  # drop rest of the world
  deny    all;
}

Is it already possible or is there another solution?

Best regards,
Andreas
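The snippet in the post above only does what is intended because of its order: nginx's access module checks allow/deny rules in sequence and the first match decides. The following added example (a constructed model, not code from the nginx plugin or from nginx) evaluates those rules the same way and shows what happens when the first two lines are swapped.

```python
"""First-match evaluation of nginx allow/deny rules (added example).

Constructed model of ngx_http_access_module semantics, not code from the
nginx plugin: rules are checked in the order written, the first rule whose
address or network matches the client decides, and a client that matches
no rule at all is allowed. That is why the order in the snippet above
matters: the single-host deny must come before the subnet allow.
"""
import ipaddress
from typing import List, Optional, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Rule = Tuple[str, str]   # ("allow" | "deny", address, CIDR or "all")


def parse_rules(rules: List[Rule]) -> List[Tuple[str, Optional[Network]]]:
    """Validate rule text; None stands for the 'all' target."""
    parsed = []
    for action, target in rules:
        if action not in ("allow", "deny"):
            raise ValueError(f"unknown action {action!r}")
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        parsed.append((action, net))
    return parsed


def is_allowed(rules: List[Rule], client_ip: str) -> bool:
    """Return True if client_ip may access the location guarded by rules."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in parse_rules(rules):
        matched = net is None or (net.version == addr.version and addr in net)
        if matched:
            return action == "allow"
    return True   # no rule matched: nginx grants access


# The location block from the post above, as rule tuples.
LOCATION_RULES: List[Rule] = [
    ("deny", "192.168.1.1"),       # block one workstation
    ("allow", "192.168.1.0/24"),   # allow anyone in 192.168.1.0/24
    ("deny", "all"),               # drop rest of the world
]

# Same rules with the first two swapped: the subnet allow now shadows the
# host deny, so the blocked workstation gets in.
SWAPPED_RULES: List[Rule] = [LOCATION_RULES[1], LOCATION_RULES[0], LOCATION_RULES[2]]


if __name__ == "__main__":
    for ip in ("192.168.1.1", "192.168.1.50", "10.0.0.5", "2001:db8::1"):
        print(f"{ip:>14}: intended={is_allowed(LOCATION_RULES, ip)} "
              f"swapped={is_allowed(SWAPPED_RULES, ip)}")
```

Note the last line of `is_allowed`: with no `deny all` at the end, any address outside the listed networks is allowed, which is the most common mistake when such a block is edited later.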
Title: Re: nginx plugin
Post by: fabian on November 12, 2018, 07:39:19 pm
There is already a pull request open waiting for approval. This is for 1.4. How long you have to wait for the feature depends on how long my pull request is stuck in the review process and when it passes it, to the next OPNsense update.
Title: Re: nginx plugin
Post by: Oxima69 on November 13, 2018, 09:03:01 am
@Fabian Great, thanks a lot. I have found it

https://github.com/opnsense/plugins/pull/930 (https://github.com/opnsense/plugins/pull/930)

Great work

regards
Andreas
Title: Re: nginx plugin
Post by: juliocbc on November 14, 2018, 05:10:22 am
I've requested a build for logrotate: https://github.com/opnsense/tools/issues/104

@Franco Your wish is our command.  ::)

https://github.com/opnsense/plugins/pull/982
Title: Re: nginx plugin
Post by: fabian on November 15, 2018, 05:50:31 pm
merged
Title: Re: nginx plugin
Post by: mrpsycho on February 03, 2019, 05:59:46 pm
how to delete all banned ip's by nginx?
Title: Re: nginx plugin
Post by: fabian on February 03, 2019, 10:51:32 pm
You can go to the banned page via the menu and unlock it again. Please note that it will unlock immediately and block again on the next violation. A button to delete all does not exist. You can script it if you want since it is fully API capable.

Is there any problem behind?
Title: Re: nginx plugin
Post by: mrpsycho on February 04, 2019, 08:33:29 pm
yep (

it is hard to write this script... and I want to ban this "banning" system... just to turn it off
Title: Re: nginx plugin
Post by: fabian on February 05, 2019, 06:59:11 am
That's easy: Just don't use the firewall alias as it does not hook into the firewall automatically.
Title: Re: nginx plugin
Post by: mrpsycho on February 06, 2019, 05:44:16 pm
ok, how to remove blocking rules?

i don't want to use it.
Title: Re: nginx plugin
Post by: fabian on February 06, 2019, 11:07:09 pm
If you mean the function in the plugin which blocks the request, there is an advanced checkbox "Disable Bot Protection"
Title: Re: nginx plugin
Post by: visualstation on February 12, 2019, 11:23:24 am
Should it be possible to add websocket support ?

The plugin is really cool, but a lot of applications are using WebSocket.
Or could it be possible to add our own configuration ?
Title: Re: nginx plugin
Post by: fabian on February 12, 2019, 06:41:25 pm
It's already there for a long time. It is a checkbox but I don't remember if I added it in the upstream or the location block.
Title: Re: nginx plugin
Post by: visualstation on February 12, 2019, 06:46:31 pm
My bad,

Yes, it's in there, but only available in "Advanced Mode" in Location definition.
Title: Re: nginx plugin
Post by: fabian on February 12, 2019, 06:54:58 pm
That's a problem of the interface of nginx: it has so many settings that many of them must be advanced to prevent flooding the common interface.
Title: Re: nginx plugin
Post by: Alphakilo on February 13, 2019, 09:24:33 pm
Hi fabian!

Thanks for the awesome plugin, love it! One less machine in the network to tend to.
I have a couple of questions / requests though:

Is it possible to define a listening interface?
In my case nginx is a reverse proxy. That's its only job. The only interface it should be accessible from is WAN.
Also I don't want it to combat the existing listeners on 80,443/tcp.

Could we get to define snippets that we can include per server?
This will help to use advanced features of nginx without further cluttering the web interface.
And also help me to limit the amount of code reuse I have to do per server :P

Can we use existing lists (pf aliases / nginx ACLs) as httpserver.trusted_proxies?
I run behind Cloudflare. And manually adding and maintaining all Cloudflare IPv4 (https://www.cloudflare.com/ips-v4) and v6 (https://www.cloudflare.com/ips-v6) ranges is a royal pain in the buttocks.

Is it possible to disable / enable httpservers?
I'm thinking the way we're able to enable / disable, say, firewall rules.

I might check if I can hack the first two together when time allows. The others are beyond my skills.

Love this solid piece of advice btw:
(https://i.imgur.com/K6qL0d2.png)

Applies to so many things.
Title: Re: nginx plugin
Post by: fabian on February 13, 2019, 10:17:48 pm
since my session got killed and I don't want to write the long text again:
(1)
no, that is hard to implement in a stable way (interface status changes, ip address changes,...)
(2)
no but maybe an include directive can be added if it causes no problem when no file matches: https://nginx.org/en/docs/ngx_core_module.html#include
(3)
maybe; since the PF aliases have been moved to MVC, it should be possible to refer to them in MVC models.
(4)
no but it would be just a boolean to add to the form and the model as well as an "if" to the template around the server block

---
for the advice: You probably know why I've written that into this help text ;)
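Point (3) above concerns the trusted_proxies list. Why that list has to be complete and exact is easier to see with the trust walk that nginx's realip module documents (set_real_ip_from, real_ip_recursive): the forwarded header is only believed when the TCP peer is itself a listed proxy, otherwise any client could spoof X-Forwarded-For and evade or trigger IP-based bans and ACLs. The example below is added here and is not the plugin's implementation; the proxy range, header values and addresses are constructed documentation prefixes, not Cloudflare's ranges.

```python
"""Client-address recovery behind trusted proxies (added example).

Constructed model, not the plugin's implementation: it follows the trust
walk nginx's realip module documents (set_real_ip_from, real_ip_recursive),
which is what a trusted_proxies list feeds. The header is only believed when
the TCP peer is itself a trusted proxy. The proxy range used below is a
constructed documentation prefix, not a Cloudflare range.
"""
import ipaddress
from typing import List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def parse_networks(entries: List[str]) -> List[Network]:
    """Turn a published list of ranges into network objects, failing loudly
    on anything that is not a valid address or CIDR (never paste unchecked
    text into a config)."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries if e.strip()]


def is_trusted(addr, trusted: List[Network]) -> bool:
    return any(addr.version == n.version and addr in n for n in trusted)


def real_client_ip(remote_addr: str, forwarded_for: str,
                   trusted_proxies: List[str], recursive: bool = True) -> str:
    """Return the address to treat as the client.

    remote_addr     - the TCP peer address nginx sees
    forwarded_for   - the X-Forwarded-For header value ("" if absent)
    trusted_proxies - addresses/CIDRs allowed to set that header
    recursive       - like real_ip_recursive: skip trusted hops from the right
    """
    remote = ipaddress.ip_address(remote_addr)
    trusted = parse_networks(trusted_proxies)
    if not forwarded_for or not is_trusted(remote, trusted):
        return str(remote)                      # peer not trusted: ignore the header
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    chosen = remote
    for hop in reversed(hops):                  # nearest proxy first
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(remote)                  # malformed header: keep the peer address
        chosen = addr
        if not recursive or not is_trusted(addr, trusted):
            break                               # first untrusted hop is the client
    return str(chosen)                          # all hops trusted: leftmost remains


# Constructed trusted proxy list (documentation prefix, stands in for a CDN range).
TRUSTED = ["203.0.113.0/24"]

if __name__ == "__main__":
    cases = [
        ("198.51.100.7", "10.0.0.1"),                       # untrusted peer spoofing XFF
        ("203.0.113.9", "198.51.100.7"),                    # proxy forwarding one client
        ("203.0.113.9", "198.51.100.7, 203.0.113.20"),      # two proxy hops
        ("203.0.113.9", "not-an-address"),                  # garbage header
    ]
    for peer, xff in cases:
        print(f"peer={peer:<14} xff={xff!r:<32} -> {real_client_ip(peer, xff, TRUSTED)}")
```

Anything that bans or allows by client address (bot protection, the ACL examples earlier in the thread) depends on this step being right: an incomplete proxy list makes every visitor look like the proxy, and an over-broad one lets clients choose their own address.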
Title: Re: nginx plugin
Post by: fabian on February 16, 2019, 11:14:21 am
@Alphakilo: See https://github.com/opnsense/plugins/pull/1198 - some are now implemented.
Title: Re: nginx plugin
Post by: Alphakilo on February 17, 2019, 04:44:19 pm
🥳 Thank you very much!
Title: Re: nginx plugin
Post by: ibanezbass on February 28, 2019, 10:52:52 pm
With the Naxsi plugin, how do I enable the core rules that are located in the /usr/local/etc/nginx folder? Also, I tried to recreate those rules, but when I attempt to create the policy, it won't let me select any operator except "=" (error: option not in list), and then I get this:
Incorrect line CheckRule $policy8f40a781e34045c193b56a9e5d37b585 = 4 (/usr/obj/usr/ports/www/nginx/work/naxsi-0.56/naxsi_src/naxsi_skeleton.c/646)... in /usr/local/etc/nginx/nginx.conf:229
Title: Re: nginx plugin
Post by: fabian on March 01, 2019, 06:58:45 am
this should be already fixed (was a bug in OPNsense core)
Title: Re: nginx plugin
Post by: ibanezbass on March 11, 2019, 09:46:45 pm
Yes, you are correct. Upgrading did fix the issue. However, I can't figure out how to use the whitelist feature via the GUI. I know that in the config file for nginx, "basic rule wl:11;" would whitelist rule 11. How do I do that via the GUI? I've tried creating a separate policy and attaching a basic rule with id 11 selecting a URL value, but nginx throws an error in the log:

2019/03/11 20:42:09 [emerg] 18627#100242: matchzone doesn't target an actual zone. in /usr/local/etc/nginx/nginx.conf:301
2019/03/11 20:42:09 [emerg] 18627#100242: Naxsi-Config : Incorrect line BasicRule id:11 (/usr/obj/usr/ports/www/nginx/work/naxsi-0.56/naxsi_src/naxsi_skeleton.c/474)... in /usr/local/etc/nginx/nginx.conf:301
Title: Re: nginx plugin
Post by: fabian on March 11, 2019, 09:50:56 pm
it should be wl:11 not id:11