Messages

1

Web Proxy Filtering and Caching / Re: How to use ssl_stapling_file in nginx?

« on: January 02, 2024, 11:48:03 am »

Thank you for your assessment.
I see from this that it should obviously not be done with a small adjustment to the configuration.
That actually sounds very advanced to me.

What should be done to warm up the servers after the nginx start?

I had originally activated the function to have maximum security.
So would you recommend deactivating ocsp must staple instead?

2

Web Proxy Filtering and Caching / Re: How to use ssl_stapling_file in nginx?

« on: December 17, 2023, 02:01:24 pm »

OK. I wasn't aware of that.

What would be needed for a functioning solution?

3

Web Proxy Filtering and Caching / Re: Optimal nginx configuration for Nextcloud

« on: December 15, 2023, 10:08:46 am »

Ok, thanks for the feedback.

With the "regular" configuration and a few adjustments, Nextcloud is running and I have not been able to detect any errors so far.
I was also able to get an A+ ranking in the Nextcloud security scan and at securityheaders.com.

I just wanted to make sure that the web server is optimally configured.

4

Web Proxy Filtering and Caching / Re: How to use ssl_stapling_file in nginx?

« on: December 15, 2023, 10:03:14 am »

I haven't got anything yet.
However, I have found these instructions here:
https://www.kuketz-blog.de/nginx-aktivierung-von-ocsp-must-staple-ohne-timeout/

But I don't know how this could be implemented in OPNsense.

5

Web Proxy Filtering and Caching / Re: Optimal nginx configuration for Nextcloud

« on: December 14, 2023, 04:07:28 pm »

suggested config is for NC on the same host with nginx (/var/www/nextcloud)

Hi,
Unfortunately, this is not practicable with the Docker installation of Nextcloud.

6

Web Proxy Filtering and Caching / How to use ssl_stapling_file in nginx?

« on: December 14, 2023, 10:58:13 am »

Hello,

I encountered this problem with my setup (OPNsense 23.7.10).

here it is described that for troubleshooting ssl_stapling_file can be used.

How can I use ssl_stapling_file?

7

Web Proxy Filtering and Caching / Optimal nginx configuration for Nextcloud

« on: December 14, 2023, 10:55:12 am »

Hello,

the official Nextcloud documentation provides extensive recommendations for the correct configuration of the upstream nginx.

Unfortunately, I find it difficult to transfer the configuration from the example to the nginx configuration of the OPNsense, as the configuration there has a completely different structure.

Can someone here help me to create the optimal configuration under OPNsense according to the Nextcloud documentation?

8

23.7 Legacy Series / Re: How to use ssl_stapling_file in nginx?

« on: September 01, 2023, 01:03:44 pm »

Does anyone have any ideas about this?

I get this error message virtually every time I first open a page in Firefox:
MOZILLA_PKIX_ERROR_REQUIRED_TLS_FEATURE_MISSING

In some cases, it then does not continue beyond this error message on subsequent page loads.

But I would not like to miss the OSCP-Stapling feature.

9

23.7 Legacy Series / How to use ssl_stapling_file in nginx?

« on: August 30, 2023, 09:37:43 am »

Hello,


I encountered this problem with my setup (OPNsense 23.7.2-amd64).


here it is described that for troubleshooting ssl_stapling_file can be used.


How can I use ssl_stapling_file?

10

23.1 Legacy Series / Re: Gui becomes unresponsive (can't reach it)

« on: January 30, 2023, 10:53:29 am »

Had the same problem after upgrading to 23.1.

In the console it said

Code: [Select]

Starting web GUI...failed.Trying to access the webgui gave me error "503 - Service unavailable".
I've also nginx on Port 80 and 443 running, and the webgui listens to 8443.
It seems that this port was already in use.

After a restart of OPNsense I can access the webgui and every service (including nginx) seems to work fine.
But the service monitor on the Dashboard says, "webgui" is not started.
And it also cannot be started when I press the arrow.
This is very strange, since I already access it via the web interface (which is not running according to the service monitor).

11

Zenarmor (Sensei) / Re: Massive problems since upgrade to version 22.10

« on: November 09, 2022, 05:08:45 pm »

Addendum:
After adjusting the mentioned optimisation, restarting OPNsense and reactivating the ZenArmor services, there now seems to be a problem with the name resolution again.
It is now no longer possible to search for firmware updates via the OPNsense interface.

No DNS servers are entered under System -> Settings -> General.
Name resolution is done exclusively via Unbound DNS.

If I enter DNS servers under System -> Settings -> General, it is also possible to search for firmware updates if ZenArmor remains activated.


After deactivating the ZenArmor packet machine and restarting OPNsense, the search for firmware updates is possible again. Also without DNS server under System -> Settings -> General. Just as it was before the update.

This time all services (incl. nginx) could be started without errors.

It seems that there are other problems with ZenArmor in connection with the update that cannot be solved simply by adjusting the optimisation 'dev.netmap.buf_num'.

12

Zenarmor (Sensei) / Re: Massive problems since upgrade to version 22.10

« on: November 09, 2022, 04:50:49 pm »

I have made the setting and will now test it for some time.
A Bug Report has been sent afterwards to the supplement.


Besides this Nginx still has problems starting.

The log says:

Code: [Select]

invalid PID number "" in "/var/run/nginx.pid".and

Code: [Select]

bind() to unix:/var/run/nginx_status.sock failed (48: Address already in use)
bind() to 0.0.0.0:443 failed (48: Address already in use)
bind() to [::]:443 failed (48: Address already in use)
bind() to 0.0.0.0:80 failed (48: Address already in use)
bind() to [::]:80 failed (48: Address already in use)

After some time and manual start-up attempts, nginx can be started and works.

This behaviour did not occur before the upgrade to the new OPNsense version.

13

Zenarmor (Sensei) / Re: Massive problems since upgrade to version 22.10

« on: November 08, 2022, 10:58:30 am »

I have now deactivated ZenArmor.

Since then, all networks can be reached again and the system can also be restarted cleanly.


Nevertheless, the logs look like a lot of errors to me.
The services cron, nginx and nut_upsmon also need a lot of time to come up.

14

Zenarmor (Sensei) / Re: Massive problems since upgrade to version 22.10

« on: November 08, 2022, 08:54:55 am »

Can only find the mail address of the sales Team here.
Last time it took a few days since i got an answer on this email.

15

Zenarmor (Sensei) / Re: Massive problems since upgrade to version 22.10

« on: November 08, 2022, 08:43:16 am »

Then you need to contact support to get it fixed asap.

Where can I reach the responsible support as quickly as possible?

Do you have a test environment or lab to do the upgrades before it goes into production??

No, we are only a small school without the necessary capacity and resources for such things.