Messages - toomanylogins

#1
OPNsense 22.1.10. Nginx failed to start with this error:

invalid number of arguments in "rewrite" directive in /usr/local/etc/nginx/nginx.conf:2302

I have been testing rewrite rules and created a few, then deleted them. In nginx.conf at line 2302 there was the following:

include 2b940020-1678-409e-a6b1-1760fdd107cb_pre/*.conf;
rewrite ;
rewrite ;

So it looks like the rule is deleted but not the line "rewrite ;".

Spoke too soon. If you restart/refresh the config, the lines reappear in nginx.conf.

How do I resolve this? Delete the include line as well?
#2
General Discussion / Re: RspamD
March 23, 2022, 01:47:09 PM
Thanks

For those that also see this, please see the link below. It's not in the docs.

https://forum.opnsense.org/index.php?topic=17569.msg119574

NAT Portforward on interface LAN, source LAN net, destination LAN address, tcp, port 11334, redirect target 127.0.0.1

then ssh into the firewall and run: rspamadm configwizard

All working.
#3
General Discussion / RspamD
March 23, 2022, 11:07:55 AM
Hello,
I have followed the tutorial for setting up rspamd, redis, clamav and postfix. The email being delivered still includes spam. My question is that I have no idea if these services are working correctly. There does not appear to be anywhere to monitor incoming unsolicited email and what is being rejected. I'm asking this in order to improve the settings to further restrict the unsolicited email being received. I can't seem to find any logs anywhere to show how the incoming email is restricted.

Can somebody point me in the right direction.
Thanks.
#4
Turns out this is an issue with the upstream server, which I fixed by restoring a backup. Trouble is, I don't understand why.
#5
Web Proxy Filtering and Caching / Connection Refused
October 26, 2021, 07:36:17 PM
Evening. My setup has been faultless for 12 months but I am now getting Access denied on all my dev sites. I have OPNsense running as a VM on Proxmox and moved the guest a few days ago. Not sure if that's a coincidence. In the Nginx logs:

284 kevent() reported that connect() failed (61: Connection refused) while connecting to upstream, client: 10.10.1.3, server: www2.xxx.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://10.10.10.19:80/favicon.ico", host: "wordpress.xxx.com", referrer: "http://wordpress.xxx.com/"

I use the Let's Encrypt plugin; downstream is https, the upstream is on port 80. I can connect directly to the site on the upstream server over http if I edit my hosts file, so upstream seems to be working.

Is the problem the Nginx config or is the issue the upstream server?

Thanks
Paul

#6
Thanks for the reply. This turned out to be a WordPress issue. For anybody with the same problem, insert this code at the top of the wp-config file:

/** SSL */
define('FORCE_SSL_ADMIN', true);
// in some setups HTTP_X_FORWARDED_PROTO might contain
// a comma-separated list e.g. http,https
// so check for https existence
// (guard with isset so a request that arrives without the header does not
// raise a notice; the value is only meaningful when the reverse proxy sets it)
if (isset($_SERVER['HTTP_X_FORWARDED_PROTO'])
    && strpos($_SERVER['HTTP_X_FORWARDED_PROTO'], 'https') !== false) {
    $_SERVER['HTTPS'] = 'on';
}
#7
When using the nginx plugin for a WordPress site where the certificate is served by nginx and the Apache server running behind the proxy is using http, WordPress gives a mixed content error. There are numerous examples of this on the Internet. The answer apparently is to include
proxy_set_header X-Forwarded-Proto https;
However, I'm not sure how to incorporate this in the settings.
Any ideas?
thanks
Paul
#8
General Discussion / Postfix default rule
March 22, 2021, 05:53:10 PM
Hello,

I seem to struggle with creating rules, some sort of mental block. I previously had postfix set up on a guest and it was working okay using a NAT rule. I have just set up the postfix plug-in, and after following the instructions the last paragraph is as follows.

"In the next step, you should go to the Firewall menu. Create a new rule to pass port TCP/25 traffic from Any to This Firewall."

So a new rule on the WAN interface as follows?

Interface WAN
source any ?
source port 25
Destination This firewall?
dest port 25

In the logs I am getting incoming traffic where the dest is the WAN address, and it is blocked.

Can someone put me out of my misery.

Thanks
Paul

#9
I thought that, but read somewhere on here that if you edit the conf file it gets overwritten by the plugin. The plug-in itself does not have the option for an include file. Setting up the first server in the list using the IP address of the WAN resolves the problem; this captures all of the undefined domain requests. However, I have now caused another problem with CloudFront, which is giving 502, I suspect because the certificate which CloudFront has probably cached somewhere was attached to the first domain.
#10
It seems we need a default server for non-existent domains.

https://stackoverflow.com/questions/9824328/why-is-nginx-responding-to-any-domain-name

see

https://forum.opnsense.org/index.php?topic=20329.0

"nginx listens all addresses if the request arrives and it does not match any Server Names in the config, nginx uses the default server config. for now plugin does not support the directive for specifying the default server, so the first server is taken from the config"

I amended the first server in the list to a domain I am not using, without a location, and this serves the OPNsense 404 page.
#11
I agree. I had a look at /usr/local/etc/nginx/nginx.conf and it is correct. There is no server name defined for www2.mydomain.com only www.

In the firewall I have two rules for WAN on ports 80 and 443 for inbound, pointing to This Firewall, i.e.

IPv4 TCP/UDP    *    *    This Firewall    443 (HTTPS)    *    *

There are no other rules for ports 80 and 443.

In my plesk log the traffic for www2 is shown as coming from the firewall.

The other odd thing is that the LE cert is not defined for www2, so I get the warning in the browser; therefore nginx is not serving the SSL, which is correct. No idea how traffic is reaching this server.

Update.

The log of the first server in the list includes the requests for non-matching domains:

10.10.1.61 - - [18/Mar/2021:11:43:48 +0000] "GET /how-to-claim HTTP/2.0" 200 11687 "-" "Mozilla/5.0 (iPhone; CPU OS 13_1_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/32.1  Mobile/15E148 Safari/605.1.15" "-"

The above is in the access log for www2.domainA.com, but the request was for www2.domainb.com, which does not have an http server.

Enabled the extended log. Here is the offending line: "www2.domainb.com" sn="www2.domainA.com"

10.10.1.61 - - [18/Mar/2021:12:09:42 +0000] "GET /modules/mod_improved_ajax_login/cache/275/8fc07486905ddc143c702ba40050de24.png HTTP/2.0" 404 360 "https://www2.domainb.com/who-pays-who" "Mozilla/5.0 (iPhone; CPU OS 13_1_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) FxiOS/32.1  Mobile/15E148 Safari/605.1.15" "-" "www2.domainb.com" sn="www2.domainA.com" rt=0.551 ua="10.10.1.19:80" us="404" ut="0.550" ul="978" cs=-

Does that make sense to anyone?
Thanks
#12
I am very familiar with Nginx but not in the context of OPNsense. I have the reverse proxy working; however, it is letting traffic through and I don't understand why.

I have a single external IP address, and the production websites (prefix www) are configured for the Nginx reverse proxy pointing to the orange network, a server on 10.10.10.xx.

I have another server on my green network used for staging websites; these listen on www2. In ISP DNS, www2 and www both point to my external IP address.

If I use my phone, i.e. not via the internal network, and visit site www2, the traffic is routed via Nginx to the green network.

However, I do not have an nginx HTTP server config for www2, only www, and even so it is connected to the orange upstream network. So I do not understand how external traffic ends up going to the green network.

Does the Nginx setup ignore the prefix?

Basically I'm trying to restrict traffic for the live websites or enable staging sites for specific addresses.

If a request arrives for which there is no matching http server, what happens? I noticed that the www2 requests are in the nginx log but not in the matching www http server config log. So www2 requests are routed somewhere by default?

Apologies if this sounds really convoluted.
Thanks
Paul
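
For posts #10 to #12 above, an added example that is not from the thread or from the OPNsense nginx plugin: a small Python check over nginx extended access-log lines in the layout shown in #11, flagging requests whose Host header differs from the server_name that answered them, which is what a request that fell through to the first (default) server block looks like. The field order is assumed from the visible log line, and the sample lines are constructed using the thread's own placeholder domains.

```python
import re
from typing import Optional

# Regex for the nginx "extended" access-log layout visible in post #11:
# combined log fields, then "$host" sn="$server_name" (field names are an
# assumption read off the visible line, not the plugin's log_format definition).
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referrer>[^"]*)" "(?P<agent>[^"]*)" '
    r'"(?P<xff>[^"]*)" "(?P<host>[^"]*)" sn="(?P<sn>[^"]*)"'
)

# Constructed sample lines modelled on the post (domains are the post's placeholders).
SAMPLE_LOG = [
    '10.10.1.61 - - [18/Mar/2021:12:09:42 +0000] "GET /who-pays-who HTTP/2.0" 404 360 '
    '"-" "Mozilla/5.0" "-" "www2.domainb.com" sn="www2.domainA.com" rt=0.551 '
    'ua="10.10.1.19:80" us="404" ut="0.550" ul="978" cs=-',
    '10.10.1.61 - - [18/Mar/2021:12:10:01 +0000] "GET /how-to-claim HTTP/2.0" 200 11687 '
    '"-" "Mozilla/5.0" "-" "www2.domainA.com" sn="www2.domainA.com" rt=0.120 '
    'ua="10.10.1.19:80" us="200" ut="0.119" ul="11687" cs=-',
    'not an access-log line at all',
]


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def served_by_fallback(entry: dict) -> bool:
    """True when the Host header is not the server_name that handled the request:
    with no default_server directive available in the plugin, an unmatched name
    is answered by the first server block, and the log shows exactly this mismatch."""
    host = entry["host"].split(":")[0].lower()  # drop any :port suffix
    return host != entry["sn"].lower()


def find_fallback_requests(lines) -> list:
    """Return (host, server_name, request, status) for every fallback-served line."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is not None and served_by_fallback(entry):
            hits.append((entry["host"], entry["sn"], entry["request"], entry["status"]))
    return hits


if __name__ == "__main__":
    for host, sn, request, status in find_fallback_requests(SAMPLE_LOG):
        print(f"fallback: Host={host} answered by server_name={sn}: {request} -> {status}")
```

Run it against the access log of whichever server block is first in the generated nginx.conf; every hit is a request for a name that no server block claims.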

#13
Hopefully this is a better explanation. I am confused by the log file. If I want to allow email on port 25 from my internal network 10.10.10.19 (orange), I have to create a rule as follows. See the image of the log file before the rule below, where outbound email is blocked.

NIC Orange
Direction IN
Source 10.10.10.19 Port any ie my server
Destination Any ie outside world
Dest Port 25

To my way of thinking, if I want to let email OUT of my system, I'm confused why you have to create a rule where the direction is IN. I can't be the only one confused by this.
Thanks
Paul
#14
I have also got mine working, but I don't understand why the destination is any and not the WAN address on this rule.
I would have thought it should be WAN to WAN address, source any, destination This Firewall, port https. To my thinking the destination is the WAN address, which is the external IP?
Please excuse if I have this all wrong.
Thanks
#15
Thanks, I have more than one DNS but will look into it.
I spoke too soon. I have it working to view a site by domain name from my LAN, but it looks like external users cannot get access. I am baffled by the firewall rules. Nginx is not showing an incoming request in the access log, but I have a firewall rule on the WAN address for 80 and 443 pointing to This Firewall, which I think is correct?
Paul