Messages

1

24.1 Legacy Series / Re: Request: Please Allow Tunnel Interfaces to Be Assigned IPs or Atleast Gateways

« on: March 21, 2024, 08:28:52 pm »

I had a working setup for at least a year with a site-to-site Wireguard tunnel according to this setup: https://docs.netgate.com/pfsense/en/latest/recipes/wireguard-s2s.html

When I tried to add another Wireguard interface to my setup, I was facing this exact issue. Entering an IP and selecting a gateway for a wireguard interface was possible in an older version, and now it isn't anymore. What is the correct way of doing this now (24.1.4)?

Regards

2

Zenarmor (Sensei) / Re: Issues since Update to 1.12

« on: November 20, 2022, 06:06:04 pm »

Is there an update in this regard? I still have DNS problems with 1.12.1.

Not sure if it is related, but I’m seeing issues in resolving my local DNS domain where DNS queries are being blocked for that particular domain only. It usually starts after a couple of hours and can then only get it to work again when restarting Zenarmor. It will then work for like 12-20 hours before it fails again.
All other DNS works fine, only the domain I use for my internal hosts is affected… very strange.

This is probably related to the problems I'm having at the moment. I can't reach my self-hosted services through their domain ([service].[mydomain].com) after a while. Restarting ZenArmor helps.

3

Zenarmor (Sensei) / Re: mongodb issue

« on: August 13, 2022, 02:53:37 pm »

Code: [Select]

pkg remove php74-pecl-mongodb

I had the same issue and this solved it.
Thank you!

4

Zenarmor (Sensei) / Re: Elastic search won't start on 22.1

« on: January 28, 2022, 10:02:55 am »

Same issue here. Cannot start the Elasticsearch database.
I did upgrade to 22.1 as well as the Zenarmor packages.

5

Web Proxy Filtering and Caching / Re: HAProxy / Nextcloud / unRaid

« on: April 20, 2020, 11:21:32 pm »

Noone  ?

6

Web Proxy Filtering and Caching / HAProxy / Nextcloud / unRaid

« on: April 10, 2020, 08:17:57 pm »

Hello,

i recently switched from Sophos UTM to OPNsense and got almost everything running so far. One thing I cannot get working, is getting access to my Nextcloud Docker (running on a unRaid Server) via HAProxy. I have setup everything according to popular HowTos, but I cannot get beyond an error "503 Service Unavailable" - either via IPv4 from inside my network or URL from inside/outside my network. On my Sophos UTM setup everything worked fine with the shown nextcloud/nginx config.

I have a Bitwarden and a Plex Docker running, which are accessible from outside via HAProxy perfectly fine.

I have spend quite a lot of time now with screening threads, manuals and troubleshooting but cannot find a mistake. If you have a look at my configuration, I would be glad. Following you can find my current HAProxy and Nextcloud config. Not mentioned settings were left as default. Sensible data was replaced by *text*.

HAProxy settings:

Real server
Name: nextcloud_server
IP: *Internal server IPv4*
Port: *server port*
SSL: check
Verify SSL Certificate: check
SSL Verify CA: LE Authority X3

Backend pool
Name: nextcloud_backend
Health Checking: unchecked
Servers: nextcloud_server
Rules: redirect_ssl

Public services
Name: http_public
Listen Adresses: *public IPv6*:80
X-Forwarded-For header: checked
rules: redirect_ssl

Name: https_public
Listen Adresses: *public IPv6*:443
Enable SSL offloading: check
Certificates: *LE certificate*
X-Forwarded-For header: checked
rules: nextcloud

Conditions
Name: not-ssl
Condition type: Traffic is SSL (locally deciphered)
Negate condition: check

Name: nextcloud
Condition type: Host ends with
Host Suffix: *URL pointing to public IPv6*

Rules
Name: redirect_ssl
Test type: IF
Select conditions: not-ssl
Execute function: http-request redirect
HTTP Redirect: scheme https code 301

Name: nextcloud
Test type: IF
Select conditions: nextcloud
Execute function: Use specific Backend Pool
HTTP Redirect: nextcloud_backend

Nextcloud docker nginx config:

Code: [Select]

upstream php-handler {
server 127.0.0.1:9000;
}
server {
    listen 80;
    listen [::]:80;
    server_name *URL pointing to public IPv6*;
    return 301 https://$server_name:443$request_uri;
}
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name *URL pointing to public IPv6*;
    ssl_certificate /config/keys/cert.crt;
    ssl_certificate_key /config/keys/cert.key;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.

    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-Permitted-Cross-Domain-Policies none;
    add_header Referrer-Policy no-referrer;
    fastcgi_hide_header X-Powered-By;
    root /config/www/nextcloud/;
    # display real ip in nginx logs when connected through reverse proxy via docker network
    set_real_ip_from 172.0.0.0/8;
    real_ip_header X-Forwarded-For;
    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
    }
    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
    location / {
        rewrite ^ /index.php;
    }
    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }
    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        fastcgi_param modHeadersAvailable true;
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }
    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers
        # Before enabling Strict-Transport-Security headers please read into this
        # topic first.
        #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        add_header X-Download-Options noopen;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header Referrer-Policy no-referrer;
        access_log off;
    }
    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        access_log off;
    }
}

Nextcloud docker nextcloud config:

Code: [Select]

<?php$CONFIG = array (  'memcache.local' => '\\OC\\Memcache\\APCu',  'datadirectory' => '/data',  'instanceid' => '***',  'passwordsalt' => '***',  'secret' => '***',  'trusted_domains' =>   array (    0 => '*URL pointing to public IPv6*',    1 => '*Internal server IPv4*:*Server Port*',  ),  'trusted_proxies' =>   array (    0 => '*IPv4 OPNsense*',    1 => '*link-local IPv6 OPNsense*',  ),  'dbtype' => 'mysql',  'version' => '18.0.3.0',  'overwrite.cli.url' => 'https://*URL pointing to public IPv6*',  'overwritehost' => '*URL pointing to public IPv6*',  'overwriteprotocol' => 'https',   'dbname' => '***',  'dbhost' => '***',  'dbport' => '',  'dbtableprefix' => 'oc_',  'mysql.utf8mb4' => true,  'dbuser' => '***',  'dbpassword' => '***',  'installed' => true,  'mail_from_address' => '***',  'mail_smtpmode' => 'smtp',  'mail_sendmailmode' => 'smtp',  'mail_domain' => '***',  'mail_smtpauthtype' => 'LOGIN',  'mail_smtpauth' => 1,  'mail_smtphost' => '***',  'mail_smtpport' => '465',  'mail_smtpsecure' => 'ssl',  'mail_smtpname' => '***',  'mail_smtppassword' => '***',  'maintenance' => false,  );