Messages - rudiratlos63

#1
Hi, I am trying to run Home Assistant (running on port 8123) behind the nginx plugin.
In the Home Assistant configuration.yaml, in the http: section, I have the entries use_x_forwarded_for: true and trusted_proxies: <lan address of opnsense>

In the nginx HTTP access logs I get the status codes 304, 400 and 499.

According to
https://community.home-assistant.io/t/reverse-proxy-using-nginx/196954

headers like these are needed:
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

but I cannot get it to run.

Is there a way to set the headers via the opnsense web gui?
#2
Also install the crowdsec plugin.
#3
Hi,
I have a similar config: a FritzBox (FB) and behind it an ESXi VM with OPNsense.
In the FB I entered the OPNsense IP as the exposed host. So the FB does no filtering at all; OPNsense is supposed to do all of that. DynDNS is done exclusively by OPNsense. In the DMZ (2nd Ethernet port) I also have a mail server that offers SMTP as well as a web interface for email handling.
For that I use the nginx proxy. I have not installed HAProxy. nginx listens on port 443 and forwards to port 80 of the mail server. Certificate handling is therefore done exclusively by nginx on the OPNsense with the ACME client.
I have several certificates for webmail.mydomain.xx, ftp.mydomain.xx etc. The nginx proxy can then branch to the individual upstream servers in the DMZ based on these domains.

In the firewall alias section:
define an alias named webaccess with the content 80 and 443
further aliases as needed, e.g. for ftp, ical etc.

In the firewall rules WAN section create one entry each:
protocol:IP4 Source:* Port:* Destination:WAN address Port:webaccess Gateway:* Schedule:*

You don't need NAT for the individual nginx upstream servers. You only need it for services that don't use the nginx proxy, e.g. ftp.

#4
any news or solutions for that problem?
#5
According to this message:
https://forum.opnsense.org/index.php?topic=38694.0
I reinstalled acme, but with the same result: certs cannot be renewed.
#6
My response for http://<internal IP of my opnsense>/.well-known/acme-challenge/XXXXidXXXXX
is still Forbidden. OPNsense version: OPNsense 24.1_1-amd64
#7
My last automatic cert renewal was executed last December. After upgrading OPNsense (I couldn't remember when), cert renewals are failing. It looks like the lighttpd process running on port 43580 responds with Forbidden.

1. Test on the OPNsense root CLI:
# fetch http://localhost:43580
fetch: http://localhost:43580: Forbidden

2. Test on desktop Firefox, calling
http://<internal IP of my opnsense>/.well-known/acme-challenge/XXXXidXXXXX....
results in Forbidden

sockstat -4 -l
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS     
root     lighttpd   94028 4  tcp4   127.0.0.1:43580       *:*
#8
I have the same problem if I'm connected to my WLAN behind OPNsense.
Unbound DNS: Blocklist / Force SafeSearch is OFF
Connecting to my router WLAN (it's my guest WLAN) I have no issue.
#9
Thank you, it's working.
I used an alternative service, which sent me an EICAR email.
#10
22.7 Legacy Series / Re: tftp not working
December 10, 2022, 12:48:16 PM
I put 0.0.0.0 into the listen address instead of the internal FW IP address.

Same result:
tftp> status
Connected to <myintfwip>
Mode: netascii Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> get test
Transfer timed out.
#11
/var/log/rspamd # cat rspamd.log | grep antivirus
shows nothing.
/var/log/rspamd # cat rspamd.log | grep clamav
shows this single entry:
2022-12-10 09:25:07 #5307(normal) <0c1b62>; lua; clamav.lua:131: clamav: message or mime_part is clean

But the id <0c1b62> is not the id of the message/mail with the EICAR attachment (<48af5d>).
#12
22.7 Legacy Series / Re: tftp not working
December 10, 2022, 09:13:25 AM
Thanks, I've created this directory and placed a file 'test' into it.
IPaddr is the internal IP of my FW. The service has started.

I logged into an RPi, which has an IP on the internal net.
Following test:
tftp <ip_of_int_fw>
tftp> status
Connected to <ip_of_int_fw>
Mode: netascii Verbose: off Tracing: off
Rexmt-interval: 5 seconds, Max-timeout: 25 seconds
tftp> get test
Transfer timed out.
tftp> quit

In the OPNsense logfile:
tftpd: read(ack): Connection refused

FW rule: please see attachment

#13
22.7 Legacy Series / tftp not working
December 09, 2022, 12:42:44 PM
Just installed the TFTP plugin on OPNsense 22.7.9_3-amd64

listen addr: 127.0.0.1
enable
and save

The service is not starting.

Log message:
Notice   root   /usr/local/etc/rc.d/tftpd: WARNING: failed to start tftpd
#14
I did the change (uncommented the line) in /usr/local/opnsense/service/templates/OPNsense/Rspamd/antivirus.conf
and reapplied the rspamd config in the GUI.

I sent an email with an EICAR attachment; rspamd logs the message, but there is no entry (message or mime_part is clean) in the rspamd log.

#15
Just checked again, sending an email with an EICAR attachment and observing on OPNsense:

/var/log/clamav # tail -f clamd.log
...
Thu Dec  8 09:45:23 2022 -> SelfCheck: Database status OK.

No scan entry at all.

The EICAR email is in my inbox.

tail -f /var/log/rspamd/rspamd.log:

2022-12-08 10:01:46 #91594(rspamd_proxy) <39070b>; proxy; proxy_accept_socket: accepted milter connection from /var/run/rspamd/milter.sock port 0
2022-12-08 10:01:46 #91594(rspamd_proxy) <39070b>; milter; rspamd_milter_process_command: got connection from 134.255.237.108:46794
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_worker_body_handler: accepted connection from /var/run/rspamd/normal.sock port 0, task ptr: 00000008087368A0
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_message_parse: loaded message; id: <20221208090145.E5515A07D4@mx.mycompany.com>; queue-id: <2BA002549F>; size: 1047; checksum: <b329334dcb0c7b0d8d4f1c6680c5468a>
2022-12-08 10:01:46 #92749(normal) <3f0e65>; lua; ratelimit.lua:557: skip ratelimit for whitelisted recipient
2022-12-08 10:01:46 #92749(normal) <3f0e65>; lua; spf.lua:160: use cached record for mycompany.com (0x1c03809a7b10fcaf) in LRU cache for 247 seconds
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_SPAM of classifier bayes: not enough learns 96; 200 required
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_redis_connected: skip obtaining bayes tokens for BAYES_HAM of classifier bayes: not enough learns 87; 200 required
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_stat_classifiers_process: skip statistics as SPAM class is missing
2022-12-08 10:01:46 #92749(normal) <3f0e65>; lua; greylist.lua:331: Score too low - skip greylisting
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_stat_check_autolearn: <20221208090145.E5515A07D4@mx.mycompany.com>: autolearn ham for classifier 'bayes' as message's score is negative: -0.81
2022-12-08 10:01:46 #92749(normal) <3f0e65>; lua; neural.lua:442: skip ham sample to keep spam/ham balance; probability 0.39834024896265563; 580 spam and 963 ham vectors stored
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_task_write_log: id: <20221208090145.E5515A07D4@mx.mycompany.com>, qid: <2BA002549F>, ip: 134.255.237.108, from: <postmaster@mycompany.com>, (default: F (no action): [-0.81/15.00] [DMARC_POLICY_ALLOW(-0.50){mycompany.com;none;},R_SPF_ALLOW(-0.20){+a:mx.mycompany.com:c;},MIME_GOOD(-0.10){multipart/mixed;text/plain;},MX_GOOD(-0.01){},ARC_NA(0.00){},ASN(0.00){asn:197071, ipnet:134.255.237.0/24, country:DE;},FROM_EQ_ENVFROM(0.00){},FROM_NO_DN(0.00){},HAS_ATTACHMENT(0.00){},MID_RHS_MATCH_FROMTLD(0.00){},MIME_TRACE(0.00){0:+;1:+;2:~;},RCPT_COUNT_ONE(0.00){1;},RCVD_COUNT_TWO(0.00){2;},RCVD_TLS_LAST(0.00){},R_DKIM_NA(0.00){},TO_DN_NONE(0.00){},TO_EQ_FROM(0.00){},TO_MATCH_ENVRCPT_ALL(0.00){}]), len: 1047, time: 441.904ms, dns req: 17, digest: <b329334dcb0c7b0d8d4f1c6680c5468a>, rcpts: <postmaster@mycompany.com>, mime_rcpts: <postmaster@mycompany.com>
2022-12-08 10:01:46 #92749(normal) <3f0e65>; task; rspamd_protocol_http_reply: regexp statistics: 0 pcre regexps scanned, 2 regexps matched, 172 regexps total, 78 regexps cached, 0B scanned using pcre, 710B scanned total
2022-12-08 10:01:46 #91594(rspamd_proxy) <d0edc5>; proxy; proxy_milter_finish_handler: finished milter connection
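The posts above (#11, #14 and #15) hinge on one point: a "clamav: ... is clean" line only proves a scan if its task id belongs to the message in question, so the log lines have to be correlated by task id before concluding the attachment was scanned. The script below does that correlation; it is an added example, not code from the post, rspamd or OPNsense, and the lines in SAMPLE are constructed to mirror the log format shown above (task ids, message ids and addresses are made up).

```python
import re
from collections import defaultdict

# rspamd log line layout as seen in the excerpts above:
# "<date> <time> #<pid>(<worker>) <task-id>; <module>; <message>"
LINE_RE = re.compile(r"^\S+ \S+ #\d+\(\w+\) <(?P<task>[0-9a-f]+)>; (?P<module>\w+); (?P<msg>.*)$")
MSGID_RE = re.compile(r"loaded message; id: <(?P<mid>[^>]+)>")
SYMBOL_RE = re.compile(r"\b([A-Z][A-Z0-9_]*)\(-?[\d.]+\)\{")   # e.g. HAS_ATTACHMENT(0.00){}
CLAMAV_RE = re.compile(r"clamav: (?P<verdict>.*)$")

def group_by_task(lines):
    """Correlate lines by rspamd task id: message id, symbols and clamav verdict."""
    tasks = defaultdict(lambda: {"message_id": None, "symbols": set(), "clamav": None})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # not an rspamd log line, skip it
        t, msg = tasks[m["task"]], m["msg"]
        if (mid := MSGID_RE.search(msg)):
            t["message_id"] = mid["mid"]  # rspamd_message_parse ties task id to message id
        if "rspamd_task_write_log" in msg:
            t["symbols"].update(SYMBOL_RE.findall(msg))   # symbols from the final verdict line
        if m["module"] == "lua" and (cv := CLAMAV_RE.search(msg)):
            t["clamav"] = cv["verdict"]   # antivirus verdict logged by clamav.lua
    return dict(tasks)

def antivirus_verdict(lines, message_id):
    """clamav verdict for the task that loaded message_id, or None if it was never scanned."""
    for t in group_by_task(lines).values():
        if t["message_id"] == message_id:
            return t["clamav"]
    return None

def unscanned_attachments(lines):
    """Message ids that carried HAS_ATTACHMENT but never received a clamav verdict."""
    return sorted(t["message_id"] for t in group_by_task(lines).values()
                  if t["message_id"] and "HAS_ATTACHMENT" in t["symbols"] and t["clamav"] is None)

# Constructed sample modelled on the log excerpts above (ids and addresses are made up).
SAMPLE = """\
2022-12-08 10:01:46 #92749(normal) <48af5d>; task; rspamd_message_parse: loaded message; id: <eicar-test@mx.example.invalid>; queue-id: <2BA002549F>; size: 1047; checksum: <b329334dcb0c7b0d8d4f1c6680c5468a>
2022-12-08 10:01:46 #92749(normal) <48af5d>; task; rspamd_task_write_log: id: <eicar-test@mx.example.invalid>, qid: <2BA002549F>, ip: 192.0.2.10, from: <postmaster@example.invalid>, (default: F (no action): [-0.81/15.00] [MIME_GOOD(-0.10){multipart/mixed;text/plain;},ASN(0.00){asn:64496, ipnet:192.0.2.0/24, country:ZZ;},HAS_ATTACHMENT(0.00){},RCPT_COUNT_ONE(0.00){1;}]), len: 1047, time: 441.904ms
2022-12-10 09:25:07 #5307(normal) <0c1b62>; task; rspamd_message_parse: loaded message; id: <plain-text@mx.example.invalid>; queue-id: <1F00A1B2C3>; size: 512; checksum: <0123456789abcdef0123456789abcdef>
2022-12-10 09:25:07 #5307(normal) <0c1b62>; lua; clamav.lua:131: clamav: message or mime_part is clean
""".splitlines()

if __name__ == "__main__":
    print(antivirus_verdict(SAMPLE, "eicar-test@mx.example.invalid"))   # None: never handed to clamav
    print(unscanned_attachments(SAMPLE))                                 # ['eicar-test@mx.example.invalid']
```

Run it against the real /var/log/rspamd/rspamd.log to get the list of attachment-bearing messages that produced no clamav verdict; an empty list after sending the EICAR test mail means the antivirus module is actually being called for it.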