Messages

Thanks for the input. Couple weeks back I did modify the config when bulk removing banned IPs (were bogos anyway), which is why I didn't want to go through the entire config and see whats up manually.
What ended up fixing the issue (for now) is reinstalling opnsense and re-importing the entire config (without changes). I'll monitor the webui performance but will note this as the answer to myself

Running into the same issue on

OPNsense 25.7.1_1-amd64
FreeBSD 14.3-RELEASE-p1
OpenSSL 3.0.17

Config file is 600kb with ~15k lines, most of it nginx (but not banned ips, actual config). is there any way to regenerate the config stripping out disabled/deleted stuff without having to redo the entire nginx setup?

ok, so i figured out what it was. Somehow routing to that one VM within the subnet isn't working anymore by default. Setting a static route to the VM in opnsense fixed it. Really weird.

A few more infos for somebody else troubleshooting or wanting to fix this:
Opnsense with VLAN 10.10.0.0/24, mgmt net 192.168.178.0/24 (local network of ISP router).
access to VMs within VLAN with routes set to mgmt address setup in ISP router
With these static routes, I could access the VMs by IP from mgmt-net, but nginx couldn't. Where it now needs a static route, it didn't before 22.7. Maybe this is wanted for more granular routing control.

also this was the reason why nginx reload took so long, for anybody asking.

So that seemed to have worked. Now nginx reloads quick again, but I can only access one of my two upstream servers. Both within the same subnet. If i change the IP of the faulty upstream server I can access it again. Don't know how that's possible. Haven't changed anything else.

Haven't had this problem in at least a year. Then, upgrade to 22.7 and it's back.
Restarting nginx from webui or cli will take ages (+5min).

But as soon as I restore a snapshot from 22.1 everything works just fine. Zero changes except the update.

Running opnsense in a esxi vm.

I've submitted a crash report via the webui and put the URL to this topic in the description. Don't know if it'll help

Well yeah, but in the nginx config only the basics of the basic-rule are included.
I attached a screenshot of the basic rule I created, added to a policy, and added that to a location and applied.
vs what shows in the location block

Code Select Expand

BasicRule wl:1100 "mz:RAW_BODY";
note that it's missing

Code Select Expand

X-Plex-Token=[0-9a-zA-Z]*. I'm new to naxsi, so i don't know if it's applied somewhere else, just that i can't find any other reference to the constraints I've made other than in the opnsense config

So I'm currently setting up my WAF for various web apps and the nginx WebUI gives options to add conditions like "only match this specific GET argument, but only if it matches this regex" but when generating the nginx.conf i only see the "only this specific GET argument" part and not the regex.
Example:in the webui i have a rule setup that matches a GET argument named url but only if it's value matches

Code Select Expand

X-Plex-Token=[0-9a-zA-Z]*. Now in the nginx conf it only shows

Code Select Expand

BasicRule wl:1103 "mz:$ARGS_VAR:url";.
I don't see any links to include other configs, where it could specify what exactly to match.
Anybody know what I'm missing?