Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - rudiratlos63

Pages: [1] 2

Web Proxy Filtering and Caching / Homeassistant behind nginx proxy not working

« on: February 25, 2024, 04:05:34 pm »

Hi, I try to run Homeassistant (running on port 8123) behind the nginx plugin.
in homeassistant configuration.yaml in section http: I have the entries use_x_forwarded_for: true and trusted_proxies: <lan address of opnsense>

in nginx logs http access, I get error status codes 304 400 499

according to
https://community.home-assistant.io/t/reverse-proxy-using-nginx/196954

there are headers needed like:
proxy_http_version 1.1;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

but I can not get it to run.

Is there a way to set the headers via the opnsense web gui?

German - Deutsch / Re: Einstellungen OPNsense hinter FritzBox - Zugriff von außen

« on: February 24, 2024, 02:43:53 pm »

installiere auch das crowdsec plugin.

German - Deutsch / Re: Einstellungen OPNsense hinter FritzBox - Zugriff von außen

« on: February 24, 2024, 02:23:53 pm »

Hi,
habe ähnliche konfig. FritzBox (FB) und dahinter eine esxi vm mit opnsense.
In der FB habe ich die opnsense ip als exposed host eingetragen. Die FB filtert somit nicht. das soll alles opnsense machen. dyndns macht ausschließlich opnsense. Ich habe noch in der dmz (2.eth anschluß) einen mailserver, hängen, der smtp anbietet sowie eine weboberfläche zum emial handling.
Dafür verwende ich nginx proxy. haproxy habe ich nicht installiert. nginx hört auf port 443 und leitet das zum port 80 des mailservers. das zertifikat handling macht somit ausschließlich nginx auf der opnsense mit dem acme client.
ich habe mehrere zertifakte für webmail.mydomain.xx ftp.mydomain.xx usw. nginx proxy kann dann anhand dieser domains auf die enzelnen upstream server in der dmz verzweigen.

in der firewall alias section:
definiere einen alias namen webaccess mit dem content 80 und 443
weitere aliase, je nach Bedarf e.g. für ftp ical usw.

in der firewall rules WAN section jeweils einen entry erzeugen:
protocol:IP4 Source:* Port:* Destination:WAN address Port:webaccess Gateway:* Schedule:*

NAT brauchst du für die einzelnen nginx upstream server nicht. Brauchst du nur für services die den nginx proxy nicht verwenden. e.g. ftp

Web Proxy Filtering and Caching / Re: Youtube Restricted Mode when using opnsense

« on: February 10, 2024, 02:08:40 pm »

any news or solutions for that problem?

24.1 Legacy Series / Re: acme not working anymore (since 21 Dec 2023)

« on: February 09, 2024, 06:29:06 pm »

according to this message:
https://forum.opnsense.org/index.php?topic=38694.0
I reinstalled acme. But same result. certs can not be renewed

24.1 Legacy Series / Re: acme not working anymore (since 21 Dec 2023)

« on: February 05, 2024, 05:05:38 pm »

my response for http://<internal IP of my openses>/.well-known/acme-challenge/XXXXidXXXXX
is still forbidden. Opensense Version OPNsense 24.1_1-amd64

24.1 Legacy Series / acme not working anymore (since 21 Dec 2023)

« on: February 02, 2024, 11:50:18 am »

my last automatic cert renewal was executed last December. After upgrading opensense, (couldnt remeber when), cert renewals are failing. I looks like that the lighthtpd process running on port 43580 respond with Forbidden.

1. test on opensense root cli:
# fetch http://localhost:43580
fetch: http://localhost:43580: Forbidden

2. test on desktop firefox, calling
http://<internal IP of my openses>/.well-known/acme-challenge/XXXXidXXXXX....
results in Forbidden

sockstat -4 -l
USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS
root lighttpd 94028 4 tcp4 127.0.0.1:43580 *:*

Web Proxy Filtering and Caching / Re: Youtube Restricted Mode when using opnsense

« on: November 15, 2023, 12:02:47 pm »

I have the same problem, if I'm connected to my Wlan behind opensense.
Unbound DNS: Blocklist / Force SafeSearch is OFF
Connecting to my RouterWlan (it's my guest wlan) I have no issue.

22.7 Legacy Series / Re: postfix rspamd clamav not working, test with eicar pattern

« on: December 12, 2022, 12:37:48 pm »

thank you, it's working.
I used an alternative service, which sent me an eicar email.

22.7 Legacy Series / Re: tftp not working

« on: December 10, 2022, 12:48:16 pm »

i put 0.0.0.0 into listen address instead of the internal ip fw address.

same result:
tftp> status
Connected to <myintfwip>
Mode: netascii Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> get test
Transfer timed out.

22.7 Legacy Series / Re: postfix rspamd clamav not working, test with eicar pattern

« on: December 10, 2022, 09:32:11 am »

/var/log/rspamd # cat rspamd.log | grep antivirus shows nothing
/var/log/rspamd # cat rspamd.log | grep clamav
shows this single entry:
2022-12-10 09:25:07 #5307(normal) <0c1b62>; lua; clamav.lua:131: clamav: message or mime_part is clean

but the id <0c1b62> is not the id from the message/mail with the eicar attachment <48af5d>

22.7 Legacy Series / Re: tftp not working

« on: December 10, 2022, 09:13:25 am »

thanks, I've created this directory and placed a file 'test' into it
IPaddr is the internal IP of my fw. service has started.

I logged into a rpi, which has an ip of the internal net.
follwing test:
tftp <ip_of_int_fw>
tftp> status
Connected to <ip_of_int_fw>
Mode: netascii Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> get test
Transfer timed out.
tftp> quit

in opnsense logfile:
tftpd: read(ack): Connection refused

fw rule: pls. see attachment

22.7 Legacy Series / tftp not working

« on: December 09, 2022, 12:42:44 pm »

just installed TFTP plugin on OPNsense 22.7.9_3-amd64

listen addr: 127.0.0.1
enable
and save

service is not starting

logmsg:
Notice root /usr/local/etc/rc.d/tftpd: WARNING: failed to start tftpd

22.7 Legacy Series / Re: postfix rspamd clamav not working, test with eicar pattern

« on: December 08, 2022, 04:23:30 pm »

I did the change (uncomment) in /usr/local/opnsense/service/templates/OPNsense/Rspamd/antivirus.conf
reapply rspamd config in gui

send an email with eicar attachment, rspamd logs the entry, but no entry (message or mime_part is clean) in rspam log

22.7 Legacy Series / Re: postfix rspamd clamav not working, test with eicar pattern

« on: December 08, 2022, 09:56:05 am »

just checked again, sending email with eicar attachment and observing on opnsense:

/var/log/clamav # tail -f clamd.log
...
Thu Dec 8 09:45:23 2022 -> SelfCheck: Database status OK.

no scan entry at all

eicar email is in my inbox

tail -f /var/log/rspamd/rspamd.log :

2022-12-08 10:01:46 #91594(rspamd_proxy) <39070b>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/milter.sock port 0
2022-12-08 10:01:46 #91594(rspamd_proxy) <39070b>; milter; rspamd_milter_process_command: got connection from 134.255.237.108:46794
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_worker_body_handler: accepted connection from /var/run/rspamd/normal.sock port 0, task ptr: 00000008087368A0
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_message_parse: loaded message; id: <20221208090145.E5515A07D4@mx.mycompany.com>; queue-id: <2BA002549F>; size: 1047; checksum: <b329334dcb0c7b0d8d4f1c6680c5468a>
2022-12-08 10:01:46 #92749(normal) <3f0e65>; lua; ratelimit.lua:557: skip ratelimit for whitelisted recipient
2022-12-08 10:01:46 #92749(normal) <3f0e65>; lua; spf.lua:160: use cached record for mycompany.com (0x1c03809a7b10fcaf) in LRU cache for 247 seconds
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 96; 200 required
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 87; 200 required
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
2022-12-08 10:01:46 #92749(normal) <3f0e65>; lua; greylist.lua:331: Score too low - skip greylisting
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_stat_check_autolearn: <20221208090145.E5515A07D4@mx.mycompany.com>: autolearn ham for classifier 'bayes' as message's score is negative: -0.81
2022-12-08 10:01:46 #92749(normal) <3f0e65>; lua; neural.lua:442: skip ham sample to keep spam/ham balance; probability 0.39834024896265563; 580 spam and 963 ham vectors stored
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_task_write_log: id: <20221208090145.E5515A07D4@mx.mycompany.com>, qid: <2BA002549F>, ip: 134.255.237.108, from: <postmaster@mycompany.com>, (default: F (no action): [-0.81/15.00] [DMARC_POLICY_ALLOW(-0.50){mycompany.com;none;},R_SPF_ALLOW(-0.20){+a:mx.mycompany.com:c;},MIME_GOOD(-0.10){multipart/mixed;text/plain;},MX_GOOD(-0.01){},ARC_NA(0.00){},ASN(0.00){asn:197071, ipnet:134.255.237.0/24, country:DE;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},HAS_ATTACHMENT(0.00){},MID_RHS_MATCH_FROMTLD(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},R_DKIM_NA(0.00){},TO_DN_NONE(0.00){},TO_EQ_FROM(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 1047, time: 441.904ms, dns req: 17, digest: <b329334dcb0c7b0d8d4f1c6680c5468a>, rcpts: <postmaster@mycompany.com>, mime_rcpts: <postmaster@mycompany.com>
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 172 regexps total, 78 regexps cached, 0B scanned using pcre, 710B scanned total
2022-12-08 10:01:46 #91594(rspamd_proxy) <d0edc5>; proxy; proxy_milter_finish_handler: finished milter connection

Pages: [1] 2