Messages - dasuberadmin

#1
Ah, I see. I was used to OPNsense giving a warning when some things changed to apply the configuration, so I figured that all changes were immediate. I don't know when I last applied the changes, but when I did, things started working perfectly.

Many thanks for the assist and apologies for the stupid reason things didn't work.
#2
I have already deleted the stream servers but maybe nginx.conf is not updating?
#3
Ah yes, I see there's an error in the nginx log

It is complaining about a duplicate address and port pair. I think that has to do with the fact that I have multiple HTTP Server entries all listening on the same IP and port? Do I need to remove all but one entry and cram all my vhosts into that single HTTP server entry?
#4
Yes, Enable TLS is enabled.

See screenshot (I have removed the (sub)domain names from the screenshot but they are set)
#5
The FQDN is set correctly AFAIK. See attached config
#6
I have now enabled TLS SNI Forwarding in the advanced Location setting for the hostname that I want to map. I have also checked "Enable TLS (HTTPS)" in the Upstream for the host and set the "TLS: Client Certificate" to the ACME cert of the host I want to route. The "TLS: Servername override" is now set to the external subdomain of the upstream host.

However, when I go to the desired subdomain, the incorrect cert and incorrect host are still chosen. When I look at the HTTP Access logs I see the connection coming in for the wrong host.

Is there anything else I can try?
#7
Can you explain the difference a bit? I only switched from normal HTTP servers to SNI based routing because the normal HTTP servers did not proxy the connection correctly to the correct backend host.
#8
Hi Fright,

I indeed see the error you mention. Am I then correct in assuming I need to remove all the hosts at HTTP server and only use the Stream Servers?
#9
I am trying to get the nginx reverse proxy to work with multiple upstream servers using their own SSL cert. The issue that I'm running into is that one of the upstreams is not used, and when a client requests a specific webpage the wrong server is used.

When I look in /usr/local/etc/nginx/nginx.conf I see that the upstream servers are listed and point to the correct servers.

In HTTP(S) -> HTTP Server I have 4 servers all listening on the same IP (my OPNsense has only 1 wan ip) on port 443.

In HTTP(S) -> Location I have 3 locations matching "/" with Match Type "None" and no URL rewriting.
Security rules and Learning mode are enabled.
Custom Security Policies are enabled based on the NAXSI WAF.
Upstream servers is pointing to the correct servers.

In Data Streams -> Stream servers I have 2 entries which both listen on the WAN address on port 443 using the TLS cert that is configured by ACME and pointing to the correct Upstream Servers.
The "Route With" option is currently set to "SNI Upstream Mapping" with the correct Upstream Server and corresponding SNI Upstream Mapping.
For this it doesn't matter if I use SNI Upstream Mapping as "Route with" or "Upstream".

In Data Streams -> SNI based routing I have 2 entries.
Entry one has hostname map sub.domain.tld pointing to the correct upstream server and www.sub.domain.tld pointing to the same upstream server.
Entry two is basically the same but using a different domain and different upstream server.

In Upstream -> Upstream server I have 6 entries (3 backend servers using 443 and 80 for which I only need to configure 2 for the time being). All Upstream servers have priority 1.

In Upstream -> Upstream I have 3 entries for the 3 servers that are in the backend.

See attached nginx.conf for reference
#10
General Discussion / Cannot allow traffic from LAN
January 08, 2024, 01:36:45 PM
I have the following setup:

OPNsense WAN: 84.xx.xx.xx
OPNsense LAN: 192.168.1.1/24 (dhcp enabled)

VPS1 LAN: 192.168.1.2 (dhcp)
VPS1 WAN: 37.xx.xx.xx (static IP, not connected to same network)

When I do a curl http://37.xx.xx.xx I see in the live logs that traffic on the LAN interface of OPNsense coming from the WAN interface of the VPS is being blocked. Immediately I don't understand why that traffic is hitting the OPNsense firewall at all, since they should be separate networks, but alright...

The firewall rule that is triggered is the automatically generated default deny rule on that interface but I seem to be unable to create an exception for the traffic coming from the 37.xx.xx.xx interface.

When I go to my LAN rules I have added a rule for IPv4+6 which allows traffic from all IPs and ports to all IPs and ports, but still this default rule (which is set to "last match") is blocking the connections.

When I look online I see that people generally recommend disabling automatic rule generation during interface setup time but I don't want to have to redo all the custom rules I've set up by removing the interface and re-adding it.

Where do I go from here?

[edit]
It's DNS. It's always DNS. Even when it isn't DNS, it's still DNS.

After a week of banging my head against the wall I noticed that /etc/resolv.conf only had an entry for 192.168.1.1 which was being blocked by OPNsense. I have modified the nameserver and everything started working immediately.
#11
Hello world!

I have HAProxy running on OPNsense with 4 backend servers where the backend server is chosen based on a "Host contains" rule. When navigating to the site(s) with HTTP I just get an empty response.

I tried to get https working with the following condition and rule:

Condition:
Traffic is HTTP

Rule:
http-request redirect
HTTP redirect:
scheme https

When I enable this config all backend servers become unavailable; rebooting OPNsense doesn't change anything, and going back to the old config doesn't help either, so I have to restore OPNsense from backup.

What can I do to make the redirect work and what should I keep in mind when changing the settings?

Kind regards