OPNsense
  • Home
  • Help
  • Search
  • Login
  • Register

  • OPNsense Forum »
  • Profile of leprasmurf »
  • Show Posts »
  • Messages
  • Profile Info
    • Summary
    • Show Stats
    • Show Posts...
      • Messages
      • Topics
      • Attachments

Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

  • Messages
  • Topics
  • Attachments

Messages - leprasmurf

Pages: [1]
1
General Discussion / Re: mdns repeater in cluster ha setup
« on: May 24, 2021, 01:30:54 pm »
I've started messing with this issue on my HA config.

Experimenting with firewall rules to block the traffic from non-carp firewall interfaces, but haven't quite gotten there yet.

Either way, thank you for this information!

This is the WIP script for stopping the mdns-repeater on carp members for anyone else that comes across this thread.  Updating as I have time to test and fix.

Code: [Select]
#!/usr/bin/env bash

set -euo pipefail

if [ $( sysctl -a | awk '/net.inet.carp.allow/ {print $2}' ) -ne 1 ];
then
echo "Carp is not enabled";
exit 0;
fi

if [ ! -f /conf/config.xml ];
then
echo "Unable to find Opnsense config";
exit 1;
fi

DEMOTE=$( sysctl -a | awk '/net.inet.carp.demotion/ {print $2}' );
PREEMPT=$( sysctl -a | awk '/net.inet.carp.preempt/ {print $2}' );

if [ ${DEMOTE} -gt 0 ];
then
echo "Stopping MDNS Repeater on demoted CARP member";
service mdns-repeater stop
else
if [ ${PREEMPT} -eq 0 ];
then
echo "Stopping MDNS Repeater on non-primary CARP member";
service mdns-repeater stop
fi
fi

2
Web Proxy Filtering and Caching / Re: Nginx SSL termination lag
« on: January 27, 2021, 01:46:33 pm »
Thank you for the replies, sorry it took me so long to reply.  I've been experimenting with the settings and configuration but I've been unable to isolate the issue.

The timeout in the nginx config has been reduced to 15 seconds but resources continue to stall for up to a minute before loading.  I'm worried I might have some bad routing or something.

I'll post more as I find it.

3
Web Proxy Filtering and Caching / Nginx SSL termination lag
« on: January 05, 2021, 04:42:49 pm »
Hi all.  I've got Nginx working as an SSL terminating load balancer with the acme plugin for certificates.  I've also got the CA cert installed locally from before the acme integration was working for me.

I keep running into lag issues when accessing the web gui through nginx.  CSS and JS files either time out or finish after a long delay (60 seconds+).

Request delay (sanitized):

    GET /ui/js/bootstrap-select.min.js?v=7762533db81d1dfa HTTP/1.1
    Host: firewall.my.domain.com
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
    DNT: 1
    Accept: */*
    Sec-Fetch-Site: same-origin
    Sec-Fetch-Mode: no-cors
    Sec-Fetch-Dest: script
    Referer: https://firewall.my.domain.com/ui/acmeclient
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en-US,en;q=0.9
    Cookie: remoteClock=1612442552000; localClock=1609764275495; cookie_test=8f418ff1294353c6bea9cefbd02ee806; PHPSESSID=2fdb4670a1e4244a7506758e4a1aaa8c

Response headers:

    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 05 Jan 2021 14:33:49 GMT
    Content-Type: text/javascript
    Content-Length: 13004
    Connection: keep-alive
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Last-Modified: Thu, 22 Oct 2020 07:55:36 GMT
    ETag: "2420155145"
    Accept-Ranges: bytes
    Expires: Thu, 07 Jan 2021 16:33:49 GMT
    Cache-Control: max-age=180000

This 13kb js file took a full minute to transfer whereas the largest of the files (SourceSansPro-Regular.woff @ 119kb) took 53ms.

I'm struggling to identify the source of this bottleneck, but it makes accessing the web ui through this ssl endpoint painfully slow.

If I access the HTTP side via port 8080 everything is as responsive as expected.  Response headers (sanitized):

    GET /ui/js/bootstrap-select.min.js?v=7762533db81d1dfa HTTP/1.1
    Host: firewall.my.domain.com:8080
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36
    DNT: 1
    Accept: */*
    Referer: http://firewall.my.domain.com:8080/services_dhcp.php?if=opt2
    Accept-Encoding: gzip, deflate
    Accept-Language: en-US,en;q=0.9
    Cookie: PHPSESSID=2fdb4670a1e4244a7506758e4a1aaa8c; remoteClock=1612535979000;     localClock=1609857583008

Response header:

    HTTP/1.1 200 OK
    Vary: Accept-Encoding
    Content-Encoding: gzip
    Last-Modified: Thu, 22 Oct 2020 07:55:36 GMT
    ETag: "2420155145"
    Content-Type: text/javascript
    Accept-Ranges: bytes
    Expires: Thu, 07 Jan 2021 16:40:12 GMT
    Cache-Control: max-age=180000
    Content-Length: 13004
    Date: Tue, 05 Jan 2021 14:40:12 GMT
    Server: OPNsense

This time the asset took 38ms to download.

Any guidance or thoughts would be appreciated.

Kind regards,
Tim

Pages: [1]
OPNsense is an OSS project © Deciso B.V. 2015 - 2024 All rights reserved
  • SMF 2.0.19 | SMF © 2021, Simple Machines
    Privacy Policy     | XHTML | RSS | WAP2