1
Development and Code Review / Re: Nginx plugin SNI Hostname Mapping
« on: January 02, 2022, 05:18:39 pm »
Thank you! All working now. Have created a pull request to change that type.
Show Posts
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
Pages: [1]
2
Development and Code Review / Nginx plugin SNI Hostname Mapping
« on: January 02, 2022, 02:01:12 pm »
Hi,
I need to write a SNI Hostname Mapping containing a regex for my nginx stream config.
But for some reason the UI does not allow to insert something thats not a hostname.
If I change this manually in /usr/local/etc/nginx/nginx.conf and restart all is ok, so it's supported by nginx.
I searched around and tried to find whats going on here
The Nginx SettingsController.php extends ApiMutableModelControllerBase but where is the assumption that hostname inside the sni_mapping_table should be a valid hostname?
https://github.com/opnsense/plugins/issues/2733
I need to write a SNI Hostname Mapping containing a regex for my nginx stream config.
Code: [Select]
# upstream maps
map $ssl_preread_server_name $hostmap810accf68e0940739a1a2e6e120da638 {
~(.*).xxx.example.com upstream648aa196e04c4ad89c034af56d947d20;
default upstream99238aa963f043548157e74820e3cb70;
}
But for some reason the UI does not allow to insert something thats not a hostname.
If I change this manually in /usr/local/etc/nginx/nginx.conf and restart all is ok, so it's supported by nginx.
I searched around and tried to find whats going on here
Code: [Select]
$nginx->serializeToConfig(); but I have no glue where the hostname validation is applied.The Nginx SettingsController.php extends ApiMutableModelControllerBase but where is the assumption that hostname inside the sni_mapping_table should be a valid hostname?
https://github.com/opnsense/plugins/issues/2733
3
General Discussion / IPSEC Unbound DNS
« on: June 09, 2019, 09:05:09 pm »
Hi,
I have setup my opnsense with ipsec and I can connect to my gateway with my android phone. Also ip adresses are accessible. For some reason there is no DNS entry on the phone. Setting it explicitly on the phone resolves the issue and everything is browsable.
There is a section below VPN -> Ipsec -> Mobile Clients -> DNS Servers where I have set the internal opnsense ip running unbound. After that I have added the virtual IP range to the Unbound Access List.
Now the dns server is written to the strongswan.conf in the attr {} plugin
But for some reason this is not set up on the device.
Manually adding rightdns = 192.168.40.1 to the generated ipsec.conf does work!
But for this option there is no ui input.
The strongswan doc says to use the attr plugin there must be a virtual ip request ... and yes i am requesting a virtual ip from 10.0.10.0/24
https://wiki.strongswan.org/projects/strongswan/wiki/Attrplugin
Any ideas?
I have setup my opnsense with ipsec and I can connect to my gateway with my android phone. Also ip adresses are accessible. For some reason there is no DNS entry on the phone. Setting it explicitly on the phone resolves the issue and everything is browsable.
There is a section below VPN -> Ipsec -> Mobile Clients -> DNS Servers where I have set the internal opnsense ip running unbound. After that I have added the virtual IP range to the Unbound Access List.
Now the dns server is written to the strongswan.conf in the attr {} plugin
Code: [Select]
Automatically generated, please do not modify
starter {
load_warning = no
}
charon {
threads = 16
ikesa_table_size = 32
ikesa_table_segments = 4
init_limit_half_open = 1000
ignore_acquire_ts = yes
syslog {
identifier = charon
daemon {
ike_name = yes
}
}
cisco_unity = yes
plugins {
attr {
subnet = 0.0.0.0/0
split-include = 0.0.0.0/0
dns = 192.168.40.1
}
xauth-pam {
pam_service = ipsec
session = no
trim_email = yes
}
}
} But for some reason this is not set up on the device.
Manually adding rightdns = 192.168.40.1 to the generated ipsec.conf does work!
But for this option there is no ui input.
The strongswan doc says to use the attr plugin there must be a virtual ip request ... and yes i am requesting a virtual ip from 10.0.10.0/24
https://wiki.strongswan.org/projects/strongswan/wiki/Attrplugin
Any ideas?
Pages: [1]