Messages - opnonce

#1
Development and Code Review / Re: nginx plugin
September 20, 2018, 11:18:20 AM
Quote: Websocket support will be in 1.1 (https://github.com/opnsense/plugins/pull/828)

Oh that is cool. Great!

Quote: For the location block: it looks very strange to me to include the hostname. Why?

I think it was more convention than anything else. I took the same sort of rules I used for nginx in the standalone instance, and one of the cool things is that nginx (like apache) can have multiple 'identities' in different config files, which can be very handy. So if you are coming in as, say, mail.host.domain you get the webmail forwarding; if you come in as dashboard.host.domain you get another service. All the $host does is make sure that the URLs stay consistent, I think.

I assume you knew this because you can allow multiple entries to be created, though I am still unclear how they are all supposed to work together with the same nginx.conf file. Or maybe I am just misunderstanding how it is all parsed; it was very late last night when I started looking into it and went off into the weeds.

Either way looks like it is shaping up nicely and I don't mind playing around with it on a non-production install and ironing out other edge cases.

Thanks.
#2
Development and Code Review / Re: nginx plugin
September 20, 2018, 04:34:28 AM
First let me say thanks for this plugin; it will prove very useful if all the features planned for it get worked out.

However, I am coming up to a bit of a brick wall in using the GUI because it seems the logic for passing to an upstream server is broken.

Basically what I am trying to do is expose a guacamole server to OPNsense, which then acts as an nginx reverse proxy that holds all the Let's Encrypt certs and handles renewal.

I already did this configuration by hand using a dockerized nginx container which then had traditional NAT mapped to it via the previous routers. It worked fairly well on some dumb routers, but for some reason with OPNsense it interrupted the connection every 30 seconds or so, breaking the guacamole sessions.

So when I found nginx could be run on the OPNsense box itself I was like "Yeah, that'll do fine", because the guacamole server is exposed to the LAN anyway, just on an HTTP alt port 8080.

The problem I have with the plugin, though, is that the rewrite rules seem to be applied only to the OPNsense HTTP server section and not to the proxy settings as well. Because the destination URL has to be http://10.1.8.12:8080/guacamole I should be able to append the /guacamole part somewhere to the proxy URI.

This is how it worked when I did it by hand.


    location / {
        root   /usr/share/nginx/html;
        return 301 https://$host/rs;
    }

    location /rs/ {
        proxy_pass  http://172.17.0.7:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
    }

But this is how the GUI sort of mangles it:

    # UPSTREAM SERVERS
    upstream upstream70b4351bbf6548ba827f620ee5b55029 {
        server 10.1.8.12:8080 weight=1 max_conns=100 max_fails=10 fail_timeout=5;
    }

    ....

    # apache htpasswd and htaccess
    location ~ /\.ht {
        return 403;
    }
    # those files may expose file system stuff
    location ~ \.DS_Store$ {
        return 403;
    }
    rewrite / /guacamole redirect;

    location ~* $host/guacamole {
        DeniedUrl "/waf_denied.html";
        if ($scheme != "https") {
            return 302 https://$host$request_uri;
        }
        autoindex off;
        proxy_set_header Host $host;
        proxy_pass http://upstream70b4351bbf6548ba827f620ee5b55029;
    }

So I realise that this is a beta plugin at best, and you do say not to use it for production, but obviously this way of parsing the conf file is a deal breaker for redirects like mine. I suspect I will have to just go back to making a manual config file and leaving the GUI blank in case it overwrites my changes.

Unless there is another way I am missing, of course?
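As an added illustration (not code from the plugin or from the post above), a small Python checker for the two points at issue: it parses a config fragment, reports location patterns that contain a variable such as $host (nginx does not expand variables in location, so such a block never matches a request), and computes the URI nginx forwards for a prefix location with and without a URI part in proxy_pass. The upstream name backend and the sample snippet are constructed for the example.

```python
import re

# Constructed sample modelled on the GUI-generated block quoted in the post
GUI_SNIPPET = "location ~* $host/guacamole { proxy_set_header Host $host; proxy_pass http://backend; }"

def parse_nginx(text):
    """Parse nginx config into nested (name, args, children); children is None for a directive."""
    tokens = re.findall(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+', text)
    stack, cur = [[]], []
    for tok in tokens:
        if tok.startswith('#'):
            continue                                  # comment, skip
        if tok == '{':
            block = (cur[0], cur[1:], [])             # open a block, descend into it
            stack[-1].append(block)
            stack.append(block[2])
            cur = []
        elif tok == '}':
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
        elif tok == ';':
            stack[-1].append((cur[0], cur[1:], None))  # plain directive
            cur = []
        else:
            cur.append(tok.strip('"\''))
    if len(stack) != 1:
        raise ValueError("unclosed block: a '}' is missing")
    return stack[0]

def upstream_path(location_prefix, proxy_pass, request_uri):
    """URI nginx forwards for a prefix location: a URI part in proxy_pass
    replaces the matched prefix; without one the request URI passes unchanged."""
    rest = proxy_pass.split('://', 1)[1]
    slash = rest.find('/')
    if slash == -1:                                   # e.g. proxy_pass http://backend;
        return request_uri
    return rest[slash:] + request_uri[len(location_prefix):]

def lint(text):
    """Flag location patterns with a variable: nginx does not expand them, so the block never matches."""
    findings = []
    def walk(nodes):
        for name, args, children in nodes:
            if name == 'location' and '$' in args[-1]:
                findings.append("location %s: variables are not expanded in location patterns" % ' '.join(args))
            if children:
                walk(children)
    walk(parse_nginx(text))
    return findings
```

Running lint over the GUI block reports the $host location, while the hand-written /rs/ block maps /rs/index.html to /guacamole/index.html upstream.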
#3
Not sure what is going on here, or even why it is trying to download base-18.1.11-amd64.obsolete?

FTR this is a pre-installed APU2C4 box which came with 18.1. I am trying to change it to a production version.

*** OPNsense.buffaloeasy.com: OPNsense 18.1.13_1 (amd64/OpenSSL) ***

LAN (igb1)      -> v4: 10.1.8.253/24
WAN (igb0)      -> v4/DHCP4: 192.168.0.149/24
                    v6/DHCP6: fda9:a4e5:f466:0:20d:b9ff:fe4b:fc4c/64
WAN2 (igb2)     ->

  0) Logout                              7) Ping host
  1) Assign interfaces                   8) Shell
  2) Set interface IP address            9) pfTop
  3) Reset the root password            10) Firewall log
  4) Reset to factory defaults          11) Reload all services
  5) Power off system                   12) Upgrade from console
  6) Reboot system                      13) Restore a backup

Enter an option: 12

Fetching change log information, please wait... fetch: transfer timed out
fetch: /tmp/changelog/changelog.txz.sig appears to be truncated: 0/1332 bytes

This will automatically fetch all available updates, apply them,
and reboot if necessary.

A major firmware upgrade is available for this installation: 18.7

Make sure you have read the release notes and migration guide before
attempting this upgrade.  Around 400MB will need to be downloaded and
require 800MB of free space.  Continue with this major upgrade by
typing the major upgrade version number displayed above.

Minor updates may be available, answer 'y' to run them instead.

Proceed with this action? [18.7/y/N]: y

Updating OPNsense repository catalogue...
pkg-static: Repository OPNsense has a wrong packagesite, need to re-create database
Fetching meta.txz: . done
Fetching packagesite.txz: .......... done
Processing entries: .......... done
OPNsense repository update completed. 506 packages processed.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (34 candidates): .......... done
Processing candidates (34 candidates): . done
Checking integrity... done (0 conflicting)
Your packages are up to date.
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 3 packages:

Installed packages to be REMOVED:
php71-intl-7.1.16
icu-62.1_1,1
isc-dhcp43-client-4.3.6P1

Number of packages to be removed: 3

The operation will free 49 MiB.
[1/3] Deinstalling php71-intl-7.1.16...
[1/3] Deleting files for php71-intl-7.1.16: .......... done
[2/3] Deinstalling icu-62.1_1,1...
[2/3] Deleting files for icu-62.1_1,1: .......... done
[3/3] Deinstalling isc-dhcp43-client-4.3.6P1...
[3/3] Deleting files for isc-dhcp43-client-4.3.6P1: .......... done
The following package files will be deleted:
The cleanup will free 74 MiB
Deleting files: .......... done
All done
Starting web GUI...done.
Generating RRD graphs...done.
Fetching base-18.1.11-amd64.obsolete: .............................. failed


Any pointers? Must admit I am kinda new to OPNsense, but I have used pfSense in the past, so it is not totally foreign to me.

Thanks.