General Discussion / nginx with multiple subdomains forwarding traffic to wrong server when using VPN
« on: September 22, 2023, 03:10:45 pm »
Hello everyone,
I am running nginx on my OPNsense as a reverse proxy for 4 different services: Vaultwarden password manager, Nextcloud, Grafana and Home Assistant. Two of those services (nextcloud and vaultwarden) should be accessible from everywhere (server bind is set to ::443, 0.0.0.0:443) and the other two (home assistant and grafana) are accessible from within LAN only (server bind is $private_ip:443).
The problem I have is that when I connect to the VPN from outside using WireGuard, I cannot use my password manager, because nginx forwards my requests for vw.subdomain.org to homeassistant.subdomain.org, including SSL errors (because the URL I used does not match homeassistant.subdomain.org, which I did not want to access).
I have set up my local dns to point to the internal IP address of the firewall running nginx for all of those services I want to proxy.
When I access vw.subdomain.org from outside the LAN without connecting to the VPN, it works — presumably because homeassistant.subdomain.org only binds to $internal_ip:443 and therefore is not reachable without the VPN?
Any help would be much appreciated!
Cheers
EDIT: After clearing my browser cache it seems to work just fine both from computers within LAN, from devices outside of LAN and from devices connected to VPN from the outside.
Please find my nginx.conf below:
I am running nginx on my OPNsense as a reverse proxy for 4 different services: Vaultwarden password manager, Nextcloud, Grafana and Home Assistant. Two of those services (nextcloud and vaultwarden) should be accessible from everywhere (server bind is set to ::443, 0.0.0.0:443) and the other two (home assistant and grafana) are accessible from within LAN only (server bind is $private_ip:443).
The problem I have is that when I connect to the VPN from outside using WireGuard, I cannot use my password manager, because nginx forwards my requests for vw.subdomain.org to homeassistant.subdomain.org, including SSL errors (because the URL I used does not match homeassistant.subdomain.org, which I did not want to access).
I have set up my local dns to point to the internal IP address of the firewall running nginx for all of those services I want to proxy.
When I access vw.subdomain.org from outside the LAN without connecting to the VPN, it works — presumably because homeassistant.subdomain.org only binds to $internal_ip:443 and therefore is not reachable without the VPN?
Any help would be much appreciated!
Cheers
EDIT: After clearing my browser cache it seems to work just fine both from computers within LAN, from devices outside of LAN and from devices connected to VPN from the outside.
Please find my nginx.conf below:
[admin@gw ~]$ cat /usr/local/etc/nginx/nginx.conf
# Dynamic modules loaded at startup. naxsi supplies the WAF directives used in
# the server blocks (LearningMode, BasicRule, DeniedUrl); the js module backs
# the $tls_intercepted variable set in the http context; the stream module
# backs the `stream {}` block at the end of the file; the mail module is loaded
# although the `mail {}` block at the end is commented out.
load_module /usr/local/libexec/nginx/ngx_stream_module.so;
load_module /usr/local/libexec/nginx/ngx_http_naxsi_module.so;
load_module /usr/local/libexec/nginx/ngx_mail_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_filter_module.so;
load_module /usr/local/libexec/nginx/ngx_http_brotli_static_module.so;
load_module /usr/local/libexec/nginx/ngx_http_js_module.so;
load_module /usr/local/libexec/nginx/ngx_http_vhost_traffic_status_module.so;
# Worker processes run as user www, group staff; a single worker is configured.
user www staff;
worker_processes 1;
# Error log goes to the local syslog socket (facility local6) at "warn" and
# above; the file-based error_log is kept around commented out.
#error_log /var/log/nginx/error.log;
error_log syslog:server=unix:/var/run/log,facility=local6,nohostname warn;
events {
# Connections per worker; with worker_processes 1 above this is also the
# overall concurrent-connection cap of this instance.
worker_connections 1024;
}
http {
include mime.types;
# Access log formats. "main" and "handshake" are referenced by the server
# blocks below; "main_ext" (adds $host, upstream and cache details) and
# "anonymized" (replaces the client address with "::") are not referenced in
# this file, so they are presumably used by included *.conf files — verify.
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
log_format main_ext '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for" '
'"$host" sn="$server_name" '
'rt=$request_time '
'ua="$upstream_addr" us="$upstream_status" '
'ut="$upstream_response_time" ul="$upstream_response_length" '
'cs=$upstream_cache_status';
# Per-handshake record of negotiated cipher/curve; written by every vhost to
# /var/log/nginx/tls_handshake.log (useful to decide which suites can be dropped).
log_format handshake '"$http_user_agent" "$ssl_ciphers" "$ssl_curves"';
log_format anonymized ':: - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
#tcp_nopush on;
# https intercept detection
# $tls_intercepted is computed by ngx_functions.check_intercept (script not
# shown here) and forwarded to the backends as X-TLS-Client-Intercepted.
js_import /usr/local/opnsense/scripts/nginx/ngx_functions.js;
js_set $tls_intercepted ngx_functions.check_intercept;
# 200M should be big enough for file servers etc.
# http-level default; the Nextcloud vhost below raises it to 5000m.
client_max_body_size 200M;
# Response compression (brotli and gzip) is enabled globally for all vhosts.
# NOTE(review): compressing responses that combine secrets with
# client-influenced content is the BREACH class of issue; the backends here are
# authenticated applications, so consider this if compression is tuned per vhost.
brotli_static on;
brotli on;
gzip_static on;
gzip on;
# Hide the nginx version from the Server header and built-in error pages.
server_tokens off;
sendfile Off;
default_type application/octet-stream;
keepalive_timeout 60;
# "Upgrade: websocket" requests get "Connection: upgrade", everything else
# "close"; consumed by the nc and vw locations for WebSocket pass-through.
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
# Map used in location.conf for proxy_ssl_name
# Not referenced in this file (location.conf is not shown here).
map $ssl_server_name $upstream_sni_name {
default $ssl_server_name;
'' $host;
}
# Included before the vhosts; may add directives that affect all of them.
include http_post/*.conf;
# TODO add when core is ready for allowing nginx to serve the web interface
# include nginx_web.conf;
# UPSTREAM SERVERS
# One single-server upstream per backend, referenced by proxy_pass in the
# server blocks (backend addresses were redacted in this post). All four are
# reached over plain http://, so nginx -> backend traffic is unencrypted on
# the internal network.
upstream upstream66159cbf933d462587a6484cc75be201 {
server $redacted_private_ip_1 weight=1;
}
upstream upstream418d35f81df645e381948db502d85fa1 {
server $redacted_private_ip_2 weight=1;
}
upstream upstream409fe77b69dd43dfb61bbb7ce0d07da7 {
server $redacted_private_ip_3 weight=1;
}
upstream upstream49cb26ee3fb64f359194182963646bb4 {
server $redacted_private_ip_4 weight=1;
}
# May define additional server blocks, which would also take part in the
# listen-address / server_name matching of the vhosts below.
include opnsense_http_vhost_plugins/*.conf;
server {
# Public vhost for Nextcloud: bound to every IPv4/IPv6 address on 80 and 443.
# NOTE(review): the homeassistant and grafana vhosts in this file listen on
# $internal_ip:443 only. nginx selects a vhost first by the address:port the
# request arrived on and only then by server_name among the vhosts bound to
# that address:port, so a request for nc.subdomain.org that reaches
# $internal_ip:443 (local DNS / VPN) is never tested against this block and is
# answered by the default vhost of that socket — the first one declared for it,
# which is the homeassistant block. This matches the symptom described in the
# post. Adding `listen $internal_ip:443 http2 ssl;` here (and in the vw vhost),
# or a catch-all `default_server` that returns 444 on every socket, would stop
# the wrong site/certificate being served — confirm against nginx's
# "How nginx processes a request" documentation before changing.
listen 80;
listen [::]:80;
listen 443 http2 ssl;
listen [::]:443 http2 ssl;
# A client-CA bundle is configured but verification is off, so no client
# certificate (mTLS) is required or checked for this vhost.
ssl_client_certificate /usr/local/etc/nginx/key/nc.subdomain.org_ca.pem;
ssl_verify_client off;
ssl_certificate_key /usr/local/etc/nginx/key/nc.subdomain.org.key;
ssl_certificate /usr/local/etc/nginx/key/nc.subdomain.org.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
# ECDHE-only list: AEAD suites (GCM / CHACHA20) first, then CBC-mode suites
# (the *-SHA384 / *-SHA256 entries without GCM). The CBC entries could be
# dropped once the handshake log shows no client still negotiates them.
ssl_ciphers ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256;
# Resumption uses the shared server-side cache only; tickets are off, so there
# is no long-lived ticket key that would weaken forward secrecy.
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
# OCSP stapling is disabled; clients fetch revocation status themselves, if at all.
ssl_stapling off;
sendfile Off;
server_name nc.subdomain.org;
# real_ip_header only takes effect together with set_real_ip_from (trusted
# proxy addresses); none is visible in this file, so $remote_addr stays the
# TCP peer address unless an included *.conf adds one — verify.
real_ip_header X-Forwarded-For;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
charset utf-8;
access_log /var/log/nginx/nc.subdomain.org.access.log main;
access_log /var/log/nginx/tls_handshake.log handshake;
error_log /var/log/nginx/nc.subdomain.org.error.log error;
# Raised from the http-level 200M for Nextcloud uploads.
client_max_body_size 5000m;
#include tls.conf;
error_page 403 /opnsense_error_403.html;
error_page 404 /opnsense_error_404.html;
error_page 405 /waf_denied.html;
error_page 500 501 502 503 504 /opnsense_server_error.html;
location = /opnsense_error_403.html {
internal;
root /usr/local/etc/nginx/views;
}
location = /opnsense_error_404.html {
internal;
root /usr/local/etc/nginx/views;
}
location = /opnsense_server_error.html {
internal;
root /usr/local/etc/nginx/views;
}
# security rules
# Server-level add_header is inherited by a location only if that location
# sets no add_header of its own; @permanentban below sets Content-Type, so
# these headers are not sent on banned responses (harmless for a text 403).
# HSTS with includeSubDomains on nc.subdomain.org covers *.nc.subdomain.org only.
add_header Referrer-Policy "no-referrer" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
# location to ban the host permanently
set $naxsi_extensive_log 0;
location @permanentban {
access_log /var/log/nginx/permanentban.access.log main;
internal;
add_header "Content-Type" "text/plain; charset=UTF-8" always;
return 403 "You got banned permanently from this server.";
}
# The `=` makes the response carry the code @permanentban returns (403).
error_page 418 = @permanentban;
location = /waf_denied.html {
root /usr/local/etc/nginx/views;
access_log /var/log/nginx/waf_denied.access.log main;
}
# ACME HTTP-01 challenges are handed to the local ACME client on 127.0.0.1:43580.
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
proxy_pass http://127.0.0.1:43580;
}
# block based on User Agents - stuff I have found over the years in my server log
# User-Agent is chosen by the client, so this is nuisance filtering rather than
# an access control. Server-context `if` blocks run in the server rewrite
# phase, before a location is chosen, so these filters and the https redirect
# below apply to every URI of this vhost (including the ACME location; the
# validator then has to follow the redirect to https).
if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|l9explore|l9tcpid|Masscan|zgrab|Ronin/2.0|Hakai/2.0) {
return 418;
}
if ($http_user_agent ~ "Indy\sLibrary|Morfeus Fucking Scanner|MSIE [0-6]\.\d+")
{
return 418;
}
if ($http_user_agent ~ ^Mozilla/[\d\.]+$)
{
return 418;
}
# CSP violation reports are handed to the OPNsense PHP backend.
location = /opnsense-report-csp-violation {
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/csp_report.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
fastcgi_param SERVER-UUID "6ce57e64-6b88-4d33-8468-e87920c2731d";
fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/php-webgui.socket;
}
# Internal auth subrequest endpoint. No auth_request directive references it in
# this vhost as shown; it is only active if an included *_pre/*_post conf adds one.
location /opnsense-auth-request {
internal;
fastcgi_pass unix:/var/run/php-webgui.socket;
fastcgi_index index.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
fastcgi_param Original-URI $request_uri;
fastcgi_param Original-HOST $host;
fastcgi_param SERVER-UUID "6ce57e64-6b88-4d33-8468-e87920c2731d";
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/ngx_auth.php;
fastcgi_intercept_errors on;
include fastcgi_params;
}
# Plain-http requests on port 80 are redirected to https (temporary redirect).
if ($scheme != "https") {
return 302 https://$host$request_uri;
}
include 6ce57e64-6b88-4d33-8468-e87920c2731d_pre/*.conf;
location / {
# naxsi LearningMode: rule hits are logged but requests are not blocked, so
# the WAF is not enforcing on this vhost (the other vhosts omit LearningMode).
LearningMode;
BasicRule wl:19;
DeniedUrl "/waf_denied.html";
client_max_body_size 5000m;
autoindex off;
http2_push_preload off;
# HTTP/1.1 plus Upgrade/Connection pass-through so WebSocket clients work.
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-TLS-Cipher $ssl_cipher;
proxy_set_header X-TLS-Protocol $ssl_protocol;
proxy_set_header X-TLS-SNI-Host $ssl_server_name;
# proxy headers for backend server
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any X-Forwarded-For the client sent; the backend
# should trust only the last (nginx-added) entry of that list.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
# Long timeouts and unbuffered streaming in both directions (large transfers).
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
proxy_ignore_client_abort off;
proxy_request_buffering off;
proxy_max_temp_file_size 4096m;
proxy_buffering off;
proxy_pass http://upstream66159cbf933d462587a6484cc75be201;
# Strip the backend's copies of these headers so the server-level add_header
# values above are the only ones the client sees.
proxy_hide_header X-Powered-By;
proxy_hide_header Referrer-Policy;
proxy_hide_header X-XSS-Protection;
proxy_hide_header X-Content-Type-Options;
proxy_hide_header Strict-Transport-Security;
include b6be1c31-178a-4c88-9823-883fa4c09b4f_post/*.conf;
}
include 6ce57e64-6b88-4d33-8468-e87920c2731d_post/*.conf;
}
server {
# LAN-only vhost for Home Assistant: bound to $internal_ip only (80 and 443).
# NOTE(review): as the first server declared for $internal_ip:443 it is also
# the default vhost of that socket. nginx narrows the candidate vhosts by the
# address:port a request arrived on before comparing server_name, and the
# public vhosts in this file are bound to the wildcard sockets only, so a
# request for nc./vw.subdomain.org that resolves to $internal_ip (local DNS /
# VPN) is answered here with this certificate — consistent with the symptom
# described in the post. Binding the public vhosts to $internal_ip:443 as
# well, or adding a `default_server` that returns 444, would avoid that.
listen $internal_ip:80;
listen $internal_ip:443 http2 ssl;
# Client-CA bundle configured but verification off: no client cert is checked.
ssl_client_certificate /usr/local/etc/nginx/key/homeassistant.subdomain.org_ca.pem;
ssl_verify_client off;
ssl_certificate_key /usr/local/etc/nginx/key/homeassistant.subdomain.org.key;
ssl_certificate /usr/local/etc/nginx/key/homeassistant.subdomain.org.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
# Same ECDHE list as the other vhosts (AEAD suites first, CBC suites last).
ssl_ciphers ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
ssl_stapling off;
sendfile Off;
server_name homeassistant.subdomain.org;
# Without a set_real_ip_from directive (none visible in this file) this has no
# effect and $remote_addr remains the TCP peer — verify included *.conf files.
real_ip_header X-Forwarded-For;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
charset utf-8;
access_log /var/log/nginx/homeassistant.subdomain.org.access.log main;
access_log /var/log/nginx/tls_handshake.log handshake;
error_log /var/log/nginx/homeassistant.subdomain.org.error.log error;
#include tls.conf;
error_page 403 /opnsense_error_403.html;
error_page 404 /opnsense_error_404.html;
error_page 405 /waf_denied.html;
error_page 500 501 502 503 504 /opnsense_server_error.html;
location = /opnsense_error_403.html {
internal;
root /usr/local/etc/nginx/views;
}
location = /opnsense_error_404.html {
internal;
root /usr/local/etc/nginx/views;
}
location = /opnsense_server_error.html {
internal;
root /usr/local/etc/nginx/views;
}
# NOTE(review): unlike the nc and vw vhosts, this block sets no
# Referrer-Policy / X-Content-Type-Options / Strict-Transport-Security headers.
# location to ban the host permanently
set $naxsi_extensive_log 0;
location @permanentban {
access_log /var/log/nginx/permanentban.access.log main;
internal;
add_header "Content-Type" "text/plain; charset=UTF-8" always;
return 403 "You got banned permanently from this server.";
}
error_page 418 = @permanentban;
location = /waf_denied.html {
root /usr/local/etc/nginx/views;
access_log /var/log/nginx/waf_denied.access.log main;
}
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
proxy_pass http://127.0.0.1:43580;
}
# block based on User Agents - stuff I have found over the years in my server log
# Client-controlled header; nuisance filtering only, not an access control.
# These server-context `if` blocks run before location matching.
if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|l9explore|l9tcpid|Masscan|zgrab|Ronin/2.0|Hakai/2.0) {
return 418;
}
if ($http_user_agent ~ "Indy\sLibrary|Morfeus Fucking Scanner|MSIE [0-6]\.\d+")
{
return 418;
}
if ($http_user_agent ~ ^Mozilla/[\d\.]+$)
{
return 418;
}
location = /opnsense-report-csp-violation {
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/csp_report.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
fastcgi_param SERVER-UUID "9380e492-4559-4bd6-8a28-f5d9e9cc04c6";
fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/php-webgui.socket;
}
# Internal auth subrequest endpoint; only active if an included *_pre/*_post
# conf adds an auth_request directive (none is visible in this vhost).
location /opnsense-auth-request {
internal;
fastcgi_pass unix:/var/run/php-webgui.socket;
fastcgi_index index.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
fastcgi_param Original-URI $request_uri;
fastcgi_param Original-HOST $host;
fastcgi_param SERVER-UUID "9380e492-4559-4bd6-8a28-f5d9e9cc04c6";
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/ngx_auth.php;
fastcgi_intercept_errors on;
include fastcgi_params;
}
if ($scheme != "https") {
return 302 https://$host$request_uri;
}
include 9380e492-4559-4bd6-8a28-f5d9e9cc04c6_pre/*.conf;
location / {
# No LearningMode here, so naxsi (if its rules are loaded by an include)
# blocks rather than only logs; blocked requests land on /waf_denied.html.
BasicRule wl:19;
DeniedUrl "/waf_denied.html";
autoindex off;
http2_push_preload off;
# NOTE(review): unlike the nc/vw vhosts there is no proxy_http_version 1.1 and
# no Upgrade/Connection pass-through, so WebSocket upgrades are not forwarded.
# Home Assistant's frontend is commonly reported to rely on a WebSocket to the
# backend — if the UI fails to load, add the three directives used in the nc
# vhost. Confirm against the backend's own docs.
proxy_set_header Host $host;
proxy_set_header X-TLS-Cipher $ssl_cipher;
proxy_set_header X-TLS-Protocol $ssl_protocol;
proxy_set_header X-TLS-SNI-Host $ssl_server_name;
# proxy headers for backend server
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any client-sent X-Forwarded-For; the backend should
# trust only the last entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
proxy_ignore_client_abort off;
proxy_request_buffering off;
proxy_max_temp_file_size 1024m;
proxy_buffering off;
proxy_pass http://upstream418d35f81df645e381948db502d85fa1;
proxy_hide_header X-Powered-By;
include 2402dfe9-c2c5-4d3c-bc0d-575d5f10e152_post/*.conf;
}
include 9380e492-4559-4bd6-8a28-f5d9e9cc04c6_post/*.conf;
}
server {
# LAN-only vhost for Grafana: bound to $internal_ip only (80 and 443). It
# shares the $internal_ip:443 socket with the homeassistant vhost, which is
# declared first and therefore acts as that socket's default vhost.
listen $internal_ip:80;
listen $internal_ip:443 http2 ssl;
# No ssl_client_certificate / ssl_verify_client lines here, unlike the other
# three vhosts (no functional difference, since verification is off there too).
ssl_certificate_key /usr/local/etc/nginx/key/grafana.subdomain.org.key;
ssl_certificate /usr/local/etc/nginx/key/grafana.subdomain.org.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
# Same ECDHE list as the other vhosts (AEAD suites first, CBC suites last).
ssl_ciphers ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
ssl_stapling off;
# Only vhost with sendfile on; it affects files nginx reads from disk itself
# (the error pages here), not proxied responses.
sendfile On;
server_name grafana.subdomain.org;
# Without set_real_ip_from (none visible in this file) this has no effect and
# $remote_addr stays the TCP peer — verify included *.conf files.
real_ip_header X-Forwarded-For;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
charset utf-8;
access_log /var/log/nginx/grafana.subdomain.org.access.log main;
access_log /var/log/nginx/tls_handshake.log handshake;
error_log /var/log/nginx/grafana.subdomain.org.error.log error;
#include tls.conf;
error_page 403 /opnsense_error_403.html;
error_page 404 /opnsense_error_404.html;
error_page 405 /waf_denied.html;
error_page 500 501 502 503 504 /opnsense_server_error.html;
location = /opnsense_error_403.html {
internal;
root /usr/local/etc/nginx/views;
}
location = /opnsense_error_404.html {
internal;
root /usr/local/etc/nginx/views;
}
location = /opnsense_server_error.html {
internal;
root /usr/local/etc/nginx/views;
}
# NOTE(review): no Referrer-Policy / X-Content-Type-Options / HSTS headers are
# set on this vhost, unlike nc and vw.
# location to ban the host permanently
set $naxsi_extensive_log 0;
location @permanentban {
access_log /var/log/nginx/permanentban.access.log main;
internal;
add_header "Content-Type" "text/plain; charset=UTF-8" always;
return 403 "You got banned permanently from this server.";
}
error_page 418 = @permanentban;
location = /waf_denied.html {
root /usr/local/etc/nginx/views;
access_log /var/log/nginx/waf_denied.access.log main;
}
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
proxy_pass http://127.0.0.1:43580;
}
# block based on User Agents - stuff I have found over the years in my server log
# Client-controlled header; nuisance filtering only, not an access control.
if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|l9explore|l9tcpid|Masscan|zgrab|Ronin/2.0|Hakai/2.0) {
return 418;
}
if ($http_user_agent ~ "Indy\sLibrary|Morfeus Fucking Scanner|MSIE [0-6]\.\d+")
{
return 418;
}
if ($http_user_agent ~ ^Mozilla/[\d\.]+$)
{
return 418;
}
location = /opnsense-report-csp-violation {
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/csp_report.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
fastcgi_param SERVER-UUID "29ddbf30-4149-4aea-92f7-bed70d8262bb";
fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/php-webgui.socket;
}
# Internal auth subrequest endpoint. This is the only vhost passing an
# AUTH_SERVER parameter, which suggests an auth-request feature is configured
# for grafana, yet no auth_request directive appears in location / below.
# NOTE(review): verify that an included *_pre/*_post conf wires it up;
# otherwise this endpoint is unused and location / is not gated by it.
location /opnsense-auth-request {
internal;
fastcgi_pass unix:/var/run/php-webgui.socket;
fastcgi_index index.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
fastcgi_param Original-URI $request_uri;
fastcgi_param Original-HOST $host;
fastcgi_param SERVER-UUID "29ddbf30-4149-4aea-92f7-bed70d8262bb";
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/ngx_auth.php;
fastcgi_param AUTH_SERVER "Local Database";
fastcgi_intercept_errors on;
include fastcgi_params;
}
if ($scheme != "https") {
return 302 https://$host$request_uri;
}
include 29ddbf30-4149-4aea-92f7-bed70d8262bb_pre/*.conf;
location / {
# naxsi enforcing (no LearningMode); blocked requests land on /waf_denied.html.
BasicRule wl:19;
DeniedUrl "/waf_denied.html";
autoindex off;
http2_push_preload off;
# No HTTP/1.1 / Upgrade / Connection pass-through here, so WebSocket upgrades
# are not forwarded to Grafana (check whether its live features need them).
proxy_set_header Host $host;
proxy_set_header X-TLS-Cipher $ssl_cipher;
proxy_set_header X-TLS-Protocol $ssl_protocol;
proxy_set_header X-TLS-SNI-Host $ssl_server_name;
# proxy headers for backend server
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any client-sent X-Forwarded-For; the backend should
# trust only the last entry.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
proxy_ignore_client_abort off;
# Unlike the other vhosts, request bodies and responses are buffered on
# nginx (temp files up to 1024m) instead of being streamed.
proxy_request_buffering on;
proxy_max_temp_file_size 1024m;
proxy_buffering on;
proxy_pass http://upstream409fe77b69dd43dfb61bbb7ce0d07da7;
proxy_hide_header X-Powered-By;
include 11d4e578-5842-43b4-9afa-53d2ed799690_post/*.conf;
}
include 29ddbf30-4149-4aea-92f7-bed70d8262bb_post/*.conf;
}
server {
# Public vhost for Vaultwarden: bound to every IPv4/IPv6 address on 80 and 443.
# NOTE(review): this block is not bound to $internal_ip:443, while the
# homeassistant and grafana vhosts are. nginx narrows candidate vhosts by the
# address:port a request arrived on before comparing server_name, so a request
# for vw.subdomain.org that reaches $internal_ip:443 (local DNS / VPN) is never
# matched against this block and is answered by the default vhost of that
# socket (the homeassistant block) with the wrong certificate — consistent
# with the symptom in the post. Adding `listen $internal_ip:443 http2 ssl;`
# here, or a `default_server` that returns 444 on every socket, would avoid
# it; confirm against nginx's "How nginx processes a request" documentation.
listen 80;
listen [::]:80;
listen 443 http2 ssl;
listen [::]:443 http2 ssl;
# Client-CA bundle configured but verification off: no client cert is checked.
ssl_client_certificate /usr/local/etc/nginx/key/vw.subdomain.org_ca.pem;
ssl_verify_client off;
ssl_certificate_key /usr/local/etc/nginx/key/vw.subdomain.org.key;
ssl_certificate /usr/local/etc/nginx/key/vw.subdomain.org.pem;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
# Same ECDHE list as the other vhosts (AEAD suites first, CBC suites last).
# For a password manager the CBC tail is worth dropping once the handshake log
# shows no client still needs it.
ssl_ciphers ECDHE-ECDSA-CAMELLIA256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CAMELLIA256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-CAMELLIA128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-CAMELLIA128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-CAMELLIA256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-CAMELLIA256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-CAMELLIA128-SHA256:ECDHE-RSA-AES128-SHA256;
# Session tickets off: resumption via the shared cache only (forward secrecy).
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
ssl_prefer_server_ciphers on;
ssl_stapling off;
sendfile Off;
server_name vw.subdomain.org;
# No effect without set_real_ip_from (none visible in this file); $remote_addr
# stays the TCP peer — verify included *.conf files.
real_ip_header X-Forwarded-For;
client_header_buffer_size 1k;
large_client_header_buffers 4 8k;
charset utf-8;
access_log /var/log/nginx/vw.subdomain.org.access.log main;
access_log /var/log/nginx/tls_handshake.log handshake;
error_log /var/log/nginx/vw.subdomain.org.error.log error;
#include tls.conf;
error_page 403 /opnsense_error_403.html;
error_page 404 /opnsense_error_404.html;
error_page 405 /waf_denied.html;
error_page 500 501 502 503 504 /opnsense_server_error.html;
location = /opnsense_error_403.html {
internal;
root /usr/local/etc/nginx/views;
}
location = /opnsense_error_404.html {
internal;
root /usr/local/etc/nginx/views;
}
location = /opnsense_server_error.html {
internal;
root /usr/local/etc/nginx/views;
}
# security rules
# Inherited by locations that set no add_header of their own (@permanentban
# does, so banned responses carry none of these). HSTS includeSubDomains on
# vw.subdomain.org covers *.vw.subdomain.org only.
add_header Referrer-Policy "no-referrer" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
# location to ban the host permanently
set $naxsi_extensive_log 0;
location @permanentban {
access_log /var/log/nginx/permanentban.access.log main;
internal;
add_header "Content-Type" "text/plain; charset=UTF-8" always;
return 403 "You got banned permanently from this server.";
}
error_page 418 = @permanentban;
location = /waf_denied.html {
root /usr/local/etc/nginx/views;
access_log /var/log/nginx/waf_denied.access.log main;
}
location ^~ /.well-known/acme-challenge/ {
default_type "text/plain";
proxy_pass http://127.0.0.1:43580;
}
# NOTE(review): this vhost has no User-Agent filter block, unlike the other
# three; not a security gap (that filter is client-controlled anyway), just an
# inconsistency worth knowing when comparing logs.
location = /opnsense-report-csp-violation {
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/csp_report.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
fastcgi_param SERVER-UUID "d05c57d3-cc5b-470f-9797-541ee625ac7f";
fastcgi_intercept_errors on;
fastcgi_pass unix:/var/run/php-webgui.socket;
}
# Internal auth subrequest endpoint; only active if an included *_pre/*_post
# conf adds an auth_request directive (none is visible in this vhost).
location /opnsense-auth-request {
internal;
fastcgi_pass unix:/var/run/php-webgui.socket;
fastcgi_index index.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
fastcgi_param Original-URI $request_uri;
fastcgi_param Original-HOST $host;
fastcgi_param SERVER-UUID "d05c57d3-cc5b-470f-9797-541ee625ac7f";
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/ngx_auth.php;
fastcgi_intercept_errors on;
include fastcgi_params;
}
# Plain-http requests are redirected to https before any location is chosen.
if ($scheme != "https") {
return 302 https://$host$request_uri;
}
include d05c57d3-cc5b-470f-9797-541ee625ac7f_pre/*.conf;
location / {
# naxsi enforcing (no LearningMode); blocked requests land on /waf_denied.html.
BasicRule wl:19;
DeniedUrl "/waf_denied.html";
autoindex off;
http2_push_preload off;
# HTTP/1.1 plus Upgrade/Connection pass-through so WebSocket clients work.
proxy_set_header Host $host;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header X-TLS-Cipher $ssl_cipher;
proxy_set_header X-TLS-Protocol $ssl_protocol;
proxy_set_header X-TLS-SNI-Host $ssl_server_name;
# proxy headers for backend server
proxy_set_header X-Real-IP $remote_addr;
# Appends $remote_addr to any client-sent X-Forwarded-For; the backend should
# trust only the last entry (relevant for Vaultwarden's login rate limiting).
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
# Long timeouts and unbuffered streaming in both directions.
proxy_read_timeout 3600s;
proxy_send_timeout 3600s;
proxy_ignore_client_abort off;
proxy_request_buffering off;
proxy_max_temp_file_size 4096m;
proxy_buffering off;
proxy_pass http://upstream49cb26ee3fb64f359194182963646bb4;
# Strip the backend's copies so the server-level add_header values are the
# only ones the client sees.
proxy_hide_header X-Powered-By;
proxy_hide_header Referrer-Policy;
proxy_hide_header X-XSS-Protection;
proxy_hide_header X-Content-Type-Options;
proxy_hide_header Strict-Transport-Security;
include 229d6355-e88d-471a-9707-06a8f395fd1a_post/*.conf;
}
include d05c57d3-cc5b-470f-9797-541ee625ac7f_post/*.conf;
}
}
stream {
# LOG FORMATS
# Stream (L4 proxy) log formats; "anonymized" replaces the client address with "::".
log_format main '$remote_addr [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time';
log_format anonymized ':: [$time_local] '
'$protocol $status $bytes_sent $bytes_received '
'$session_time';
# UPSTREAM SERVERS
# The same four backends as in the http context, redefined here because
# stream and http contexts do not share upstream definitions. No stream
# `server` block is visible in this file, so these are only used if
# opnsense_stream_vhost_plugins/*.conf defines one — anything it does define
# would be a separate, WAF-less path to these backends.
upstream upstream66159cbf933d462587a6484cc75be201 {
server $redacted_private_ip_1 weight=1;
}
upstream upstream418d35f81df645e381948db502d85fa1 {
server $redacted_private_ip_2 weight=1;
}
upstream upstream409fe77b69dd43dfb61bbb7ce0d07da7 {
server $redacted_private_ip_3 weight=1;
}
upstream upstream49cb26ee3fb64f359194182963646bb4 {
server $redacted_private_ip_4 weight=1;
}
# upstream maps
include opnsense_stream_vhost_plugins/*.conf;
}
# mail {
# }