Messages - crazywolf13

#1
Yeah, seems like this is somewhat out of my league and power, but I'm happy to provide/do any testing for this to be resolved, as this is kind of the only major pain-point I currently have in my homelab.


On a side note, on this thread, I'm also helping to troubleshoot Forward Auth in zoraxy when using authentik: https://github.com/tobychui/zoraxy/issues/895#issuecomment-3621381598

Here there is an image of zoraxy that logs far more verbose data, maybe this is in any way helpful?
#2
I can't seem to get the debug lighttpd working.

I updated the following:

/usr/local/etc/lighttpd/conf.d/debug.con
-> uncommented: debug.log-response-header         = "enable"
debug.log-request-header          = "enable"

In the file: /usr/local/etc/lighttpd/conf.d/access_log.conf
I changed syslog-level from 6 to 7
accesslog.syslog-level     = 7
I uncommented this line:
accesslog.use-syslog       = "enable"
and commented out:
accesslog.filename          = log_root + "/access.log"
After that I restarted lighttpd:
configctl webgui restart
/usr/local/etc/rc.restart_webgui

I also rebooted the node.
Though after doing all that, I could not see any additional logfiles being written to /var/log/lighttpd/ and the default one still only contains the informational data:

2025-12-09T21:56:04  Informational  lighttpd  10.10.20.9 opnsense.XXX.dev - [09/Dec/2025:21:56:04 +0100] "GET / HTTP/2.0" 400 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0"

I also checked dmesg, but that did also not contain the debug logs of lighttpd, maybe this is something trivial that I'm missing with my limited FreeBSD knowledge.

Maybe someone knows what I'm doing wrong?


I also did some further tests with curl on http2/ http1.1 if this sparks any idea for someone reading this?

Here directly via IP using http2

⚡tobia ❯❯ ./curl -vk --http2 https://10.50.20.1
Note: Using embedded CA bundle (230814 bytes)
Note: Using embedded CA bundle, for proxies (230814 bytes)
*   Trying 10.50.20.1:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust: peer verification disabled
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*   subject: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*   start date: May 12 14:22:51 2024 GMT
*   expire date: Jun 13 14:22:51 2025 GMT
*   issuer: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*   Certificate level 0: Public key type ? (4096/128 Bits/secBits), signed using sha256WithRSAEncryption
* SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
*  SSL certificate verification failed, continuing anyway!
* Established connection to 10.50.20.1 (10.50.20.1 port 443) from 192.168.1.200 port 53262
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://10.50.20.1/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: 10.50.20.1]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.17.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: 10.50.20.1
> User-Agent: curl/8.17.0
> Accept: */*
>
* Request completely sent off
< HTTP/2 200
< set-cookie: PHPSESSID=XXX; path=/; secure; HttpOnly; SameSite=Lax
< set-cookie: PHPSESSID=XXX; path=/; secure; HttpOnly
< set-cookie: cookie_test=XXX; expires=Tue, 09 Dec 2025 21:21:34 GMT; Max-Age=3600; path=/; secure; HttpOnly
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< referrer-policy: same-origin
< content-type: text/html; charset=UTF-8
< strict-transport-security: max-age=31536000
< accept-ranges: bytes
< content-length: 2789
< date: Tue, 09 Dec 2025 20:21:33 GMT
< server: OPNsense
<
<!doctype html>
<html lang="en-US" class="no-js">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

    <meta name="robots" content="noindex, nofollow" />
    <meta name="keywords" content="" />
    <meta name="description" content="" />
    <meta name="copyright" content="" />
    <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />
    <meta name="mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-capable" content="yes">

    <title>Login | OPNsense</title>

    <link href="/ui/themes/rebellion/build/css/main.css?v=190a5ea47ddfe74a" rel="stylesheet">
    <link href="/ui/themes/rebellion/build/images/favicon.png?v=190a5ea47ddfe74a" rel="shortcut icon">

    <script src="/ui/js/jquery-3.5.1.min.js"></script>

        <script src="/ui/js/theme.js?v=190a5ea47ddfe74a"></script>


            <script>
              $( document ).ready(function() {
                  $.ajaxSetup({
                  'beforeSend': function(xhr) {
                      xhr.setRequestHeader("X-CSRFToken", "Mg_cQQ_BwGrt5cZfGZCH2Q" );
                  }
                });
              });
            </script>
            </head>
  <body class="page-login">

  <div class="container">
    <main class="login-modal-container">
      <header class="login-modal-head" style="height:50px;">
        <div class="navbar-brand">
              <img src="/ui/themes/rebellion/build/images/default-logo.png?v=190a5ea47ddfe74a" height="30" alt="logo" />
            </div>
      </header>

      <div class="login-modal-content">
        <div id="inputerrors" class="text-danger">&nbsp;</div><br />

            <form class="clearfix" id="iform" name="iform" method="post" autocomplete="off"><input type="hidden" name="QdgI-W_IbDP7V2LuCt37pw" value="Mg_cQQ_BwGrt5cZfGZCH2Q" autocomplete="new-password" />

        <div class="form-group">
          <label for="usernamefld">Username:</label>
          <input id="usernamefld" type="text" name="usernamefld" class="form-control user" tabindex="1" autofocus="autofocus" autocapitalize="off" autocorrect="off" />
        </div>

        <div class="form-group">
          <label for="passwordfld">Password:</label>
          <input id="passwordfld" type="password" name="passwordfld" class="form-control pwd" tabindex="2" />
        </div>

        <button type="submit" name="login" value="1" class="btn btn-primary pull-right">Login</button>

      </form>




          </div>

      </main>
      <div class="login-foot text-center">
        <a target="_blank" href="https://opnsense.org/">OPNsense</a> (c) 2014-2025        <a target="_blank" href="https://www.deciso.com/">Deciso B.V.</a>
      </div>

    </div>

    </body>
  </html>
* Connection #0 to host 10.50.20.1:443 left intact

Here using zoraxy with http2

⚡tobia ❯❯ ./curl -vk --http2 https://opnsense.XXX.dev
Note: Using embedded CA bundle (230814 bytes)
Note: Using embedded CA bundle, for proxies (230814 bytes)
* Host opnsense.XXX.dev:443 was resolved.
* IPv6: (none)
* IPv4: 10.10.20.9
*   Trying 10.10.20.9:443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust: peer verification disabled
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / [blank] / UNDEF
* ALPN: server accepted h2
* Server certificate:
*   subject: CN=*.XXX.dev
*   start date: Nov 14 12:53:44 2025 GMT
*   expire date: Feb 12 12:53:43 2026 GMT
*   issuer: C=US; O=Let's Encrypt; CN=R12
*   Certificate level 0: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
*  SSL certificate verification failed, continuing anyway!
* Established connection to opnsense.XXX.dev (10.10.20.9 port 443) from 192.168.1.200 port 53371
* using HTTP/2
* [HTTP/2] [1] OPENED stream for https://opnsense.XXX.dev/
* [HTTP/2] [1] [:method: GET]
* [HTTP/2] [1] [:scheme: https]
* [HTTP/2] [1] [:authority: opnsense.XXX.dev]
* [HTTP/2] [1] [:path: /]
* [HTTP/2] [1] [user-agent: curl/8.17.0]
* [HTTP/2] [1] [accept: */*]
> GET / HTTP/2
> Host: opnsense.XXX.dev
> User-Agent: curl/8.17.0
> Accept: */*
>
* Request completely sent off
< HTTP/2 400
< content-type: text/html
< date: Tue, 09 Dec 2025 20:24:22 GMT
< server: OPNsense
< content-length: 162
<
<!DOCTYPE html>
<html lang="en">
 <head>
  <meta charset="UTF-8" />
  <title>400 Bad Request</title>
 </head>
 <body>
  <h1>400 Bad Request</h1>
 </body>
</html>
* Connection #0 to host opnsense.XXX.dev:443 left intact

Here directly via IP using http1.1

⚡tobia ❯❯ ./curl -vk --http1.1 https://10.50.20.1
Note: Using embedded CA bundle (230814 bytes)
Note: Using embedded CA bundle, for proxies (230814 bytes)
*   Trying 10.50.20.1:443...
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust: peer verification disabled
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / [blank] / UNDEF
* ALPN: server accepted http/1.1
* Server certificate:
*   subject: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*   start date: May 12 14:22:51 2024 GMT
*   expire date: Jun 13 14:22:51 2025 GMT
*   issuer: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*   Certificate level 0: Public key type ? (4096/128 Bits/secBits), signed using sha256WithRSAEncryption
* SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
*  SSL certificate verification failed, continuing anyway!
* Established connection to 10.50.20.1 (10.50.20.1 port 443) from 192.168.1.200 port 53497
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 10.50.20.1
> User-Agent: curl/8.17.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Set-Cookie: PHPSESSID=XXX; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: PHPSESSID=XXX; path=/; secure; HttpOnly
< Set-Cookie: cookie_test=XXX; expires=Tue, 09 Dec 2025 21:28:14 GMT; Max-Age=3600; path=/; secure; HttpOnly
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Cache-Control: no-store, no-cache, must-revalidate
< Pragma: no-cache
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Referrer-Policy: same-origin
< Content-type: text/html; charset=UTF-8
< Strict-Transport-Security: max-age=31536000
< Accept-Ranges: bytes
< Content-Length: 2789
< Date: Tue, 09 Dec 2025 20:28:14 GMT
< Server: OPNsense
<
<!doctype html>
<html lang="en-US" class="no-js">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

    <meta name="robots" content="noindex, nofollow" />
    <meta name="keywords" content="" />
    <meta name="description" content="" />
    <meta name="copyright" content="" />
    <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />
    <meta name="mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-capable" content="yes">

    <title>Login | OPNsense</title>

    <link href="/ui/themes/rebellion/build/css/main.css?v=190a5ea47ddfe74a" rel="stylesheet">
    <link href="/ui/themes/rebellion/build/images/favicon.png?v=190a5ea47ddfe74a" rel="shortcut icon">

    <script src="/ui/js/jquery-3.5.1.min.js"></script>

        <script src="/ui/js/theme.js?v=190a5ea47ddfe74a"></script>


            <script>
              $( document ).ready(function() {
                  $.ajaxSetup({
                  'beforeSend': function(xhr) {
                      xhr.setRequestHeader("X-CSRFToken", "QHvHZSgsipJdn7QCOlywiA" );
                  }
                });
              });
            </script>
            </head>
  <body class="page-login">

  <div class="container">
    <main class="login-modal-container">
      <header class="login-modal-head" style="height:50px;">
        <div class="navbar-brand">
              <img src="/ui/themes/rebellion/build/images/default-logo.png?v=190a5ea47ddfe74a" height="30" alt="logo" />
            </div>
      </header>

      <div class="login-modal-content">
        <div id="inputerrors" class="text-danger">&nbsp;</div><br />

            <form class="clearfix" id="iform" name="iform" method="post" autocomplete="off"><input type="hidden" name="H6oJ5FEb0wUfRprByrj2DQ" value="QHvHZSgsipJdn7QCOlywiA" autocomplete="new-password" />

        <div class="form-group">
          <label for="usernamefld">Username:</label>
          <input id="usernamefld" type="text" name="usernamefld" class="form-control user" tabindex="1" autofocus="autofocus" autocapitalize="off" autocorrect="off" />
        </div>

        <div class="form-group">
          <label for="passwordfld">Password:</label>
          <input id="passwordfld" type="password" name="passwordfld" class="form-control pwd" tabindex="2" />
        </div>

        <button type="submit" name="login" value="1" class="btn btn-primary pull-right">Login</button>

      </form>




          </div>

      </main>
      <div class="login-foot text-center">
        <a target="_blank" href="https://opnsense.org/">OPNsense</a> (c) 2014-2025        <a target="_blank" href="https://www.deciso.com/">Deciso B.V.</a>
      </div>

    </div>

    </body>
  </html>
* Connection #0 to host 10.50.20.1:443 left intact

Here using http1.1 and directly via IP:

⚡tobia ❯❯ ./curl -vk --http1.1 https://opnsense.XXX.dev
Note: Using embedded CA bundle (230814 bytes)
Note: Using embedded CA bundle, for proxies (230814 bytes)
* Host opnsense.XXX.dev:443 was resolved.
* IPv6: (none)
* IPv4: 10.10.20.9
*   Trying 10.10.20.9:443...
* ALPN: curl offers http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* SSL Trust: peer verification disabled
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Unknown (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256 / [blank] / UNDEF
* ALPN: server accepted http/1.1
* Server certificate:
*   subject: CN=*.XXX.dev
*   start date: Nov 14 12:53:44 2025 GMT
*   expire date: Feb 12 12:53:43 2026 GMT
*   issuer: C=US; O=Let's Encrypt; CN=R12
*   Certificate level 0: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
*   Certificate level 1: Public key type ? (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* SSL certificate OpenSSL verify result: unable to get local issuer certificate (20)
*  SSL certificate verification failed, continuing anyway!
* Established connection to opnsense.XXX.dev (10.10.20.9 port 443) from 192.168.1.200 port 53562
* using HTTP/1.x
> GET / HTTP/1.1
> Host: opnsense.XXX.dev
> User-Agent: curl/8.17.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: no-store, no-cache, must-revalidate
< Content-Length: 2789
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';
< Content-Type: text/html; charset=UTF-8
< Date: Tue, 09 Dec 2025 20:30:14 GMT
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Pragma: no-cache
< Referrer-Policy: same-origin
< Server: OPNsense
< Set-Cookie: PHPSESSID=XXX; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: PHPSESSID=XXX; path=/; secure; HttpOnly
< Set-Cookie: cookie_test=XXX; expires=Tue, 09 Dec 2025 21:30:14 GMT; Max-Age=3600; path=/; secure; HttpOnly
< Strict-Transport-Security: max-age=31536000
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Xss-Protection: 1; mode=block
<
<!doctype html>
<html lang="en-US" class="no-js">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

    <meta name="robots" content="noindex, nofollow" />
    <meta name="keywords" content="" />
    <meta name="description" content="" />
    <meta name="copyright" content="" />
    <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />
    <meta name="mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-capable" content="yes">

    <title>Login | OPNsense</title>

    <link href="/ui/themes/rebellion/build/css/main.css?v=190a5ea47ddfe74a" rel="stylesheet">
    <link href="/ui/themes/rebellion/build/images/favicon.png?v=190a5ea47ddfe74a" rel="shortcut icon">

    <script src="/ui/js/jquery-3.5.1.min.js"></script>

        <script src="/ui/js/theme.js?v=190a5ea47ddfe74a"></script>


            <script>
              $( document ).ready(function() {
                  $.ajaxSetup({
                  'beforeSend': function(xhr) {
                      xhr.setRequestHeader("X-CSRFToken", "vCn25poe5-7duF4xaGVFqg" );
                  }
                });
              });
            </script>
            </head>
  <body class="page-login">

  <div class="container">
    <main class="login-modal-container">
      <header class="login-modal-head" style="height:50px;">
        <div class="navbar-brand">
              <img src="/ui/themes/rebellion/build/images/default-logo.png?v=190a5ea47ddfe74a" height="30" alt="logo" />
            </div>
      </header>

      <div class="login-modal-content">
        <div id="inputerrors" class="text-danger">&nbsp;</div><br />

            <form class="clearfix" id="iform" name="iform" method="post" autocomplete="off"><input type="hidden" name="Y-eTdSKnnMVkTXU-RgdR8g" value="vCn25poe5-7duF4xaGVFqg" autocomplete="new-password" />

        <div class="form-group">
          <label for="usernamefld">Username:</label>
          <input id="usernamefld" type="text" name="usernamefld" class="form-control user" tabindex="1" autofocus="autofocus" autocapitalize="off" autocorrect="off" />
        </div>

        <div class="form-group">
          <label for="passwordfld">Password:</label>
          <input id="passwordfld" type="password" name="passwordfld" class="form-control pwd" tabindex="2" />
        </div>

        <button type="submit" name="login" value="1" class="btn btn-primary pull-right">Login</button>

      </form>




          </div>

      </main>
      <div class="login-foot text-center">
        <a target="_blank" href="https://opnsense.org/">OPNsense</a> (c) 2014-2025        <a target="_blank" href="https://www.deciso.com/">Deciso B.V.</a>
      </div>

    </div>

    </body>
  </html>
* Connection #0 to host opnsense.XXX.dev:443 left intact
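
The four curl runs in the post above vary two things at once: the host that was contacted and the protocol ALPN settled on. As an added example (not part of the original post), this Python script parses `curl -v` transcripts and lists host, negotiated protocol and status side by side; the embedded transcripts are shortened copies of the output above, and the function and variable names are made up for this example.

```python
import re
from dataclasses import dataclass, field

@dataclass
class CurlRun:
    host: str = ""       # name curl connected to
    peer: str = ""       # ip:port actually reached
    alpn: str = ""       # protocol the server accepted
    status: int = 0      # HTTP status of the response
    request_headers: dict = field(default_factory=dict)
    response_headers: dict = field(default_factory=dict)

CONNECTED = re.compile(r"^\* Established connection to (\S+) \((\S+) port (\d+)\)")
ALPN = re.compile(r"^\* ALPN: server accepted (\S+)")
STATUS = re.compile(r"^< HTTP/\S+ (\d{3})")
HEADER = re.compile(r"^([<>]) ([^\s:]+):\s*(.*)$")

def parse_curl_verbose(text):
    """Parse one `curl -v` transcript; header names are lower-cased."""
    run = CurlRun()
    for raw in text.splitlines():
        line = raw.strip()
        if line == "<" and run.status:
            break  # bare "<" ends the response headers; the body follows
        if m := CONNECTED.match(line):
            run.host, run.peer = m.group(1), f"{m.group(2)}:{m.group(3)}"
        elif m := ALPN.match(line):
            run.alpn = m.group(1)
        elif m := STATUS.match(line):
            run.status = int(m.group(1))
        elif m := HEADER.match(line):
            bucket = run.request_headers if m.group(1) == ">" else run.response_headers
            # A header may repeat (e.g. set-cookie), so keep every value.
            bucket.setdefault(m.group(2).lower(), []).append(m.group(3))
    return run

def failing_runs(runs):
    """(host, alpn, status) for every run answered with a 4xx/5xx."""
    return sorted((r.host, r.alpn, r.status) for r in runs if r.status >= 400)

def headers_missing(reference, other):
    """Response header names present in `reference` but absent in `other`."""
    return sorted(set(reference.response_headers) - set(other.response_headers))

# Shortened transcripts built from the curl output in the post above.
OK_HEADERS_H2 = """< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< strict-transport-security: max-age=31536000
< content-type: text/html; charset=UTF-8
< content-length: 2789
< server: OPNsense
<"""
SAMPLES = {
    "direct-h2": """* ALPN: server accepted h2
* Established connection to 10.50.20.1 (10.50.20.1 port 443) from 192.168.1.200 port 53262
> GET / HTTP/2
> Host: 10.50.20.1
>
< HTTP/2 200
""" + OK_HEADERS_H2,
    "proxy-h2": """* ALPN: server accepted h2
* Established connection to opnsense.XXX.dev (10.10.20.9 port 443) from 192.168.1.200 port 53371
> GET / HTTP/2
> Host: opnsense.XXX.dev
>
< HTTP/2 400
< content-type: text/html
< date: Tue, 09 Dec 2025 20:24:22 GMT
< server: OPNsense
< content-length: 162
<
<!DOCTYPE html>""",
    "direct-h1": """* ALPN: server accepted http/1.1
* Established connection to 10.50.20.1 (10.50.20.1 port 443) from 192.168.1.200 port 53497
> GET / HTTP/1.1
> Host: 10.50.20.1
>
< HTTP/1.1 200 OK
< Content-Length: 2789
< Server: OPNsense
<""",
    "proxy-h1": """* ALPN: server accepted http/1.1
* Established connection to opnsense.XXX.dev (10.10.20.9 port 443) from 192.168.1.200 port 53562
> GET / HTTP/1.1
> Host: opnsense.XXX.dev
>
< HTTP/1.1 200 OK
< Content-Length: 2789
< Server: OPNsense
<""",
}

if __name__ == "__main__":
    runs = {name: parse_curl_verbose(t) for name, t in SAMPLES.items()}
    for name, r in runs.items():
        print(f"{name:10} {r.host:18} {r.peer:16} {r.alpn:9} {r.status}")
    print("failing:", failing_runs(runs.values()))
    print("missing on the 400:", headers_missing(runs["direct-h2"], runs["proxy-h2"]))
```

The transcripts only show the client side of each connection; what the proxy sent to lighttpd has to come from the proxy's or lighttpd's own logs.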
#3
I see.

I'm not particularly sure if this is the correct way, but I added the following lines to the file: /usr/local/etc/lighttpd/lighttpd.conf


debug.log-request-header = "enable"
debug.log-response-header = "enable"

Then running:

/usr/local/etc/rc.restart_webgui
I could see the following when selecting Debug and Informational:

2025-12-09T15:15:36  Informational  lighttpd  10.10.20.9 opnsense.XXX.dev - [09/Dec/2025:15:15:36 +0100] "GET / HTTP/2.0" 400 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0"
2025-12-09T15:15:36  Informational  lighttpd  10.10.20.9 opnsense.XXX.dev - [09/Dec/2025:15:15:36 +0100] "GET / HTTP/2.0" 400 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0"
2025-12-09T15:15:34  Informational  lighttpd  10.10.20.9 opnsense.XXX.dev - [09/Dec/2025:15:15:34 +0100] "GET / HTTP/2.0" 400 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0"
2025-12-09T15:15:33  Informational  lighttpd  10.10.20.9 opnsense.XXX.dev - [09/Dec/2025:15:15:33 +0100] "GET / HTTP/2.0" 400 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:145.0) Gecko/20100101 Firefox/145.0"

But that does not really look like "debug" info to me, any ideas what I'm missing?
#4
Quote from: Monviech (Cedrik) on December 09, 2025, 01:02:20 PM
Shhhh use the caddy plugin on opnsense.

I think I actually was in that zoraxy thread in github.

For caddy all of that is figured out and you also have a nice GUI directly on the OPNsense.

Hi,

Thanks for the suggestion, but I'd prefer to stick with Zoraxy as it's working perfectly for my other services. Switching to Caddy just for OPNsense feels like avoiding the root cause rather than fixing it.
The issue seems to be lighttpd rejecting Zoraxy's requests with a 400 Bad Request, while direct curl access works fine?

Any ideas if my attempt for changing the lighttpd config was the correct file? Or any idea which specific headers could interfere here?

Also see this reply from the maintainer: https://github.com/tobychui/zoraxy/discussions/228#discussioncomment-12095120


According to this comment: https://github.com/opnsense/plugins/issues/4471#issuecomment-2602517275
It seems like OPNsense got a PR to disable HTTP/3, so this issue should be resolved now? Yet for zoraxy "the issue" still appears.
#5
Hi

So the issue is between Zoraxy (reverse proxy written in Go) and the OPNsense WebUI. Currently Zoraxy seems to work with most if not all sites except OPNsense.

When trying to add an HTTP Proxy for OPNsense there are a couple of options available:

- [] Allow plain HTTP access # Allow inbound connections without TLS/SSL
- [] Disable Requests Logging # Disable logging for all incoming requests for this hostname
- [] Disable Statistic Collection # Disable collecting statistics for this hostname but keep request logging
- [] Monitor Uptime # Enable active uptime monitor and auto disable upstreams that are offline
- [] Use Sticky Session # Enable stick session on load balancing
- [] Disable Chunked Transfer Encoding # Enable this option if your upstream uses a legacy HTTP server implementation (e.g. Proxmox / opencloud)
- [] Require TLS # Proxy target require HTTPS connection
- [] Skip Verification # Check this if proxy target is using self signed certificates
- [] Skip WebSocket Origin Check # Check this to allow cross-origin websocket requests

It's also possible to set/remove headers on zoraxy>client or zoraxy>origin

I've tried about every possible way and could not get it to work, I seem to be not the only one: https://github.com/tobychui/zoraxy/discussions/228


I've tried this suggestion: https://github.com/opnsense/plugins/issues/4471#issuecomment-2742109624 which did not work, and also this one: https://github.com/opnsense/plugins/issues/4471#issuecomment-2599639355 by adding the line

server.http-parseopts = ( "method-get-body" => "enable" )

to the file: /usr/local/etc/lighttpd/lighttpd.conf I hope that's the correct one? Both of these suggested fixes did not work for zoraxy, I'm still getting the Bad Request error.


Here is a curl output of the site:
❯❯ curl -v https://opnsense.XXX.dev
* Host opnsense.XXX.dev:443 was resolved.
* IPv6: (none)
* IPv4: 10.10.20.9
*   Trying 10.10.20.9:443...
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* Established connection to opnsense.XXX.dev (10.10.20.9 port 443) from XXX port 57877
* using HTTP/1.x
> GET / HTTP/1.1
> Host: opnsense.XXX.dev
> User-Agent: curl/8.16.0
> Accept: */*
>
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* Request completely sent off
< HTTP/1.1 200 OK
< Accept-Ranges: bytes
< Cache-Control: no-store, no-cache, must-revalidate
< Content-Length: 2789
< Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';
< Content-Type: text/html; charset=UTF-8
< Date: Tue, 09 Dec 2025 09:10:56 GMT
< Expires: Thu, 19 Nov 1981 08:52:00 GMT
< Pragma: no-cache
< Referrer-Policy: same-origin
< Server: OPNsense
< Set-Cookie: PHPSESSID=XXX; path=/; secure; HttpOnly; SameSite=Lax
< Set-Cookie: PHPSESSID=XXX; path=/; secure; HttpOnly
< Set-Cookie: cookie_test=XXX; expires=Tue, 09 Dec 2025 10:10:56 GMT; Max-Age=3600; path=/; secure; HttpOnly
< Strict-Transport-Security: max-age=31536000
< X-Content-Type-Options: nosniff
< X-Frame-Options: SAMEORIGIN
< X-Xss-Protection: 1; mode=block
<
<!doctype html>
<html lang="en-US" class="no-js">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

    <meta name="robots" content="noindex, nofollow" />
    <meta name="keywords" content="" />
    <meta name="description" content="" />
    <meta name="copyright" content="" />
    <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />
    <meta name="mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-capable" content="yes">

    <title>Login | OPNsense</title>

    <link href="/ui/themes/rebellion/build/css/main.css?v=190a5ea47ddfe74a" rel="stylesheet">
    <link href="/ui/themes/rebellion/build/images/favicon.png?v=190a5ea47ddfe74a" rel="shortcut icon">

    <script src="/ui/js/jquery-3.5.1.min.js"></script>

        <script src="/ui/js/theme.js?v=190a5ea47ddfe74a"></script>


            <script>
              $( document ).ready(function() {
                  $.ajaxSetup({
                  'beforeSend': function(xhr) {
                      xhr.setRequestHeader("X-CSRFToken", "lsIHDJMZv7fNwZEWS_S0Pw" );
                  }
                });
              });
            </script>
            </head>
  <body class="page-login">

  <div class="container">
    <main class="login-modal-container">
      <header class="login-modal-head" style="height:50px;">
        <div class="navbar-brand">
              <img src="/ui/themes/rebellion/build/images/default-logo.png?v=190a5ea47ddfe74a" height="30" alt="logo" />
            </div>
      </header>

      <div class="login-modal-content">
        <div id="inputerrors" class="text-danger">&nbsp;</div><br />

            <form class="clearfix" id="iform" name="iform" method="post" autocomplete="off"><input type="hidden" name="NqqKPVoCWf2rymUXMqttXQ" value="lsIHDJMZv7fNwZEWS_S0Pw" autocomplete="new-password" />

        <div class="form-group">
          <label for="usernamefld">Username:</label>
          <input id="usernamefld" type="text" name="usernamefld" class="form-control user" tabindex="1" autofocus="autofocus" autocapitalize="off" autocorrect="off" />
        </div>

        <div class="form-group">
          <label for="passwordfld">Password:</label>
          <input id="passwordfld" type="password" name="passwordfld" class="form-control pwd" tabindex="2" />
        </div>

        <button type="submit" name="login" value="1" class="btn btn-primary pull-right">Login</button>

      </form>




          </div>

      </main>
      <div class="login-foot text-center">
        <a target="_blank" href="https://opnsense.org/">OPNsense</a> (c) 2014-2025        <a target="_blank" href="https://www.deciso.com/">Deciso B.V.</a>
      </div>

    </div>

    </body>
  </html>
* Connection #0 to host opnsense.XXX.dev:443 left intact

Zoraxy does not seem to have an option to force a specific HTTP version, and as this is not necessary for any other proxy setup in my homelab (50+ http proxies) I think there should be another way?


It would be very nice if we could get to the bottom of this, thanks!


#7
Yeah you are right.

For me the issue seems resolved, hopefully it does not re-appear.

Though as others seem to have the same problem, it may be quite unfortunate for all N100 users as it's quite a common device, no?

Let me know if I can provide any details.
#8
I did a fresh install which fixed the issues.

My SSD does not have issues, at least that's what the SMART data is telling me: it's at about 3% wear and has passed the overall SMART check.

As multiple people with N100 seem to have this issue right after/during the update to 25.7.2 this does not seem like a full hardware issue to me.
#9
Warning to anyone here: using opnsense-bootstrap renders the running installation unusable and a manual reinstall is necessary:

root@OPNsense:/home/tobias # sh opnsense-bootstrap.sh.in
Must specify an OPNsense release.
root@OPNsense:/home/tobias # sh opnsense-bootstrap.sh.in -r 25.7
This utility will attempt to turn this installation into the latest
OPNsense 25.7 release.  All packages will be deleted, the base
system and kernel will be replaced, and if all went well the system
will automatically reboot.

Proceed with this action? [y/N]: y
fetch: https://github.com/opnsense/core/archive/stable/25.7.tar.gz: size of remote file is not known
/tmp/opnsense-bootstrap/core.tar.gz                     11 MB 3878 kBps    03s
pkg: 163 packages installed
beep-1.0_2: already unlocked
boost-libs-1.88.0_1: already unlocked
brotli-1.1.0,1: already unlocked
ca_root_nss-3.115: already unlocked
choparp-20150613_1: already unlocked
cpdup-1.22_1: already unlocked
cpustats-0.1: already unlocked
curl-8.14.1: already unlocked
cyrus-sasl-2.1.28_5: already unlocked
cyrus-sasl-gssapi-2.1.28: already unlocked
dhcp6c-20250513: already unlocked
dhcrelay-1.0: already unlocked
dmidecode-3.6: already unlocked
dnsmasq-2.91_1,1: already unlocked
dpinger-3.3: already unlocked
easy-rsa-3.2.3,1: already unlocked
expat-2.7.1: already unlocked
filterlog-0.7_1: already unlocked
flock-2.37.2_1: already unlocked
flowd-0.9.1_5: already unlocked
gettext-runtime-0.23.1: already unlocked
glib-2.84.1_3,2: already unlocked
gmp-6.3.0: already unlocked
hostapd-2.11_3: already unlocked
hyperscan-5.4.2: already unlocked
icu-76.1,1: already unlocked
ifinfo-13.0_1: already unlocked
iftop-1.0.p4_1: already unlocked
indexinfo-0.3.1_1: already unlocked
isc-dhcp44-server-4.4.3P1_2: already unlocked
ivykis-0.43.2: already unlocked
jansson-2.14.1: already unlocked
jq-1.8.0: already unlocked
json-c-0.18: already unlocked
kea-2.6.3_1: already unlocked
krb5-1.21.3_1: already unlocked
ldns-1.8.4: already unlocked
libargon2-20190702_1: already unlocked
libcbor-0.12.0_2: already unlocked
libedit-3.1.20250104,1: already unlocked
libevent-2.1.12: already unlocked
libffi-3.5.1: already unlocked
libfido2-1.16.0: already unlocked
libiconv-1.17_1: already unlocked
libidn2-2.3.8: already unlocked
libinotify-20240724_2: already unlocked
libltdl-2.5.4: already unlocked
liblz4-1.10.0,1: already unlocked
libmcrypt-2.5.8_4: already unlocked
libnet-1.3,1: already unlocked
libnghttp2-1.66.0: already unlocked
libpfctl-0.15: already unlocked
libpsl-0.21.5_2: already unlocked
libsodium-1.0.19: already unlocked
libucl-0.9.2_1: already unlocked
libunistring-1.3: already unlocked
libuuid-2.41.1_1: already unlocked
libxml2-2.14.5: already unlocked
libyaml-0.2.5: already unlocked
lighttpd-1.4.79: already unlocked
log4cplus-2.1.2: already unlocked
lua54-5.4.8: already unlocked
lzo2-2.10_1: already unlocked
monit-5.35.2: already unlocked
mpd5-5.9_19: already unlocked
mpdecimal-4.0.1: already unlocked
nano-8.4: already unlocked
nettle-3.10.2: already unlocked
nspr-4.37: already unlocked
ntp-4.2.8p18_4: already unlocked
oniguruma-6.9.10: already unlocked
openldap26-client-2.6.10: already unlocked
openssh-portable-10.0.p1_1,1: already unlocked
openssl-3.0.17,1: already unlocked
openvpn-2.6.14: already unlocked
opnsense-installer-25.1: already unlocked
opnsense-lang-25.1.11: already unlocked
opnsense-update-25.7: already unlocked
os-dmidecode-1.2: already unlocked
os-telegraf-1.12.12_1: already unlocked
os-theme-rebellion-1.9.3: already unlocked
os-wol-2.5_1: already unlocked
p5-Error-0.17030: already unlocked
pam_opnsense-24.1: already unlocked
pcre2-10.45_1: already unlocked
perl5-5.40.2_2: already unlocked
pftop-0.13: already unlocked
php83-8.3.23: already unlocked
php83-ctype-8.3.23: already unlocked
php83-dom-8.3.23: already unlocked
php83-filter-8.3.23: already unlocked
php83-gettext-8.3.23: already unlocked
php83-mbstring-8.3.23: already unlocked
php83-pcntl-8.3.23: already unlocked
php83-pdo-8.3.23: already unlocked
php83-pear-1.10.13: already unlocked
php83-pecl-mcrypt-1.0.7: already unlocked
php83-pecl-radius-1.4.0b1_3: already unlocked
php83-phalcon-5.9.3: already unlocked
php83-phpseclib-3.0.46: already unlocked
php83-session-8.3.23: already unlocked
php83-simplexml-8.3.23: already unlocked
php83-sockets-8.3.23: already unlocked
php83-xml-8.3.23: already unlocked
php83-zlib-8.3.23: already unlocked
pkcs11-helper-1.29.0_3: already unlocked
pkg-1.19.2_5: already unlocked
py311-Babel-2.17.0_1: already unlocked
py311-Jinja2-3.1.6: already unlocked
py311-anyio-4.9.0: already unlocked
py311-async_generator-1.10_1: already unlocked
py311-attrs-25.3.0: already unlocked
py311-bottleneck-1.3.8_1: already unlocked
py311-certifi-2025.7.14: already unlocked
py311-cffi-1.17.1: already unlocked
py311-charset-normalizer-3.4.2: already unlocked
py311-h11-0.16.0: already unlocked
py311-h2-4.1.0_1: already unlocked
py311-hpack-4.0.0_1: already unlocked
py311-hyperframe-6.0.0_1: already unlocked
py311-idna-3.10: already unlocked
py311-ldap3-2.9.1_1: already unlocked
py311-markupsafe-3.0.2: already unlocked
py311-netaddr-1.3.0: already unlocked
py311-numexpr-2.11.0: already unlocked
py311-numpy-1.26.4_6,1: already unlocked
py311-outcome-1.3.0_2: already unlocked
py311-packaging-25.0: already unlocked
py311-pyasn1-0.6.0: already unlocked
py311-pyasn1-modules-0.4.1: already unlocked
py311-pycparser-2.22: already unlocked
py311-pylsqpack-0.3.22: already unlocked
py311-pysocks-1.7.1_1: already unlocked
py311-python-dateutil-2.9.0: already unlocked
py311-pytz-2025.2_1,1: already unlocked
py311-pyyaml-6.0.1_1: already unlocked
py311-requests-2.32.4: already unlocked
py311-six-1.17.0: already unlocked
py311-sniffio-1.3.1: already unlocked
py311-socksio-1.0.0_1: already unlocked
py311-sortedcontainers-2.4.0_1: already unlocked
py311-trio-0.30.0: already unlocked
py311-truststore-0.10.1: already unlocked
py311-typing-extensions-4.14.1: already unlocked
py311-tzdata-2025.2: already unlocked
py311-ujson-5.10.0_1: already unlocked
py311-urllib3-1.26.20,1: already unlocked
py311-vici-5.9.11_1: already unlocked
python311-3.11.13: already unlocked
radvd-2.20: already unlocked
readline-8.2.13_2: already unlocked
rrdtool-1.9.0_1: already unlocked
samplicator-1.3.8.r1_1: already unlocked
strongswan-5.9.14: already unlocked
sudo-1.9.17p1: already unlocked
syslog-ng-4.8.2_3: already unlocked
tailscale-1.86.4: already unlocked
telegraf-1.35.1: already unlocked
unbound-1.23.1: already unlocked
wol-0.7.1_5: already unlocked
wpa_supplicant-2.11_5: already unlocked
zip-3.0_4: already unlocked
zstd-1.5.7: already unlocked
Checking integrity... done (0 conflicting)
Deinstallation has been requested for the following 163 packages (of 0 packages in the universe):

Installed packages to be REMOVED:
        beep: 1.0_2
        boost-libs: 1.88.0_1
        brotli: 1.1.0,1
        ca_root_nss: 3.115
        choparp: 20150613_1
        cpdup: 1.22_1
        cpustats: 0.1
        curl: 8.14.1
        cyrus-sasl: 2.1.28_5
        cyrus-sasl-gssapi: 2.1.28
        dhcp6c: 20250513
        dhcrelay: 1.0
        dmidecode: 3.6
        dnsmasq: 2.91_1,1
        dpinger: 3.3
        easy-rsa: 3.2.3,1
        expat: 2.7.1
        filterlog: 0.7_1
        flock: 2.37.2_1
        flowd: 0.9.1_5
        gettext-runtime: 0.23.1
        glib: 2.84.1_3,2
        gmp: 6.3.0
        hostapd: 2.11_3
        hyperscan: 5.4.2
        icu: 76.1,1
        ifinfo: 13.0_1
        iftop: 1.0.p4_1
        indexinfo: 0.3.1_1
        isc-dhcp44-server: 4.4.3P1_2
        ivykis: 0.43.2
        jansson: 2.14.1
        jq: 1.8.0
        json-c: 0.18
        kea: 2.6.3_1
        krb5: 1.21.3_1
        ldns: 1.8.4
        libargon2: 20190702_1
        libcbor: 0.12.0_2
        libedit: 3.1.20250104,1
        libevent: 2.1.12
        libffi: 3.5.1
        libfido2: 1.16.0
        libiconv: 1.17_1
        libidn2: 2.3.8
        libinotify: 20240724_2
        libltdl: 2.5.4
        liblz4: 1.10.0,1
        libmcrypt: 2.5.8_4
        libnet: 1.3,1
        libnghttp2: 1.66.0
        libpfctl: 0.15
        libpsl: 0.21.5_2
        libsodium: 1.0.19
        libucl: 0.9.2_1
        libunistring: 1.3
        libuuid: 2.41.1_1
        libxml2: 2.14.5
        libyaml: 0.2.5
        lighttpd: 1.4.79
        log4cplus: 2.1.2
        lua54: 5.4.8
        lzo2: 2.10_1
        monit: 5.35.2
        mpd5: 5.9_19
        mpdecimal: 4.0.1
        nano: 8.4
        nettle: 3.10.2
        nspr: 4.37
        ntp: 4.2.8p18_4
        oniguruma: 6.9.10
        openldap26-client: 2.6.10
        openssh-portable: 10.0.p1_1,1
        openssl: 3.0.17,1
        openvpn: 2.6.14
        opnsense-installer: 25.1
        opnsense-lang: 25.1.11
        opnsense-update: 25.7
        os-dmidecode: 1.2
        os-telegraf: 1.12.12_1
        os-theme-rebellion: 1.9.3
        os-wol: 2.5_1
        p5-Error: 0.17030
        pam_opnsense: 24.1
        pcre2: 10.45_1
        perl5: 5.40.2_2
        pftop: 0.13
        php83: 8.3.23
        php83-ctype: 8.3.23
        php83-dom: 8.3.23
        php83-filter: 8.3.23
        php83-gettext: 8.3.23
        php83-mbstring: 8.3.23
        php83-pcntl: 8.3.23
        php83-pdo: 8.3.23
        php83-pear: 1.10.13
        php83-pecl-mcrypt: 1.0.7
        php83-pecl-radius: 1.4.0b1_3
        php83-phalcon: 5.9.3
        php83-phpseclib: 3.0.46
        php83-session: 8.3.23
        php83-simplexml: 8.3.23
        php83-sockets: 8.3.23
        php83-xml: 8.3.23
        php83-zlib: 8.3.23
        pkcs11-helper: 1.29.0_3
        pkg: 1.19.2_5
        py311-Babel: 2.17.0_1
        py311-Jinja2: 3.1.6
        py311-anyio: 4.9.0
        py311-async_generator: 1.10_1
        py311-attrs: 25.3.0
        py311-bottleneck: 1.3.8_1
        py311-certifi: 2025.7.14
        py311-cffi: 1.17.1
        py311-charset-normalizer: 3.4.2
        py311-h11: 0.16.0
        py311-h2: 4.1.0_1
        py311-hpack: 4.0.0_1
        py311-hyperframe: 6.0.0_1
        py311-idna: 3.10
        py311-ldap3: 2.9.1_1
        py311-markupsafe: 3.0.2
        py311-netaddr: 1.3.0
        py311-numexpr: 2.11.0
        py311-numpy: 1.26.4_6,1
        py311-outcome: 1.3.0_2
        py311-packaging: 25.0
        py311-pyasn1: 0.6.0
        py311-pyasn1-modules: 0.4.1
        py311-pycparser: 2.22
        py311-pylsqpack: 0.3.22
        py311-pysocks: 1.7.1_1
        py311-python-dateutil: 2.9.0
        py311-pytz: 2025.2_1,1
        py311-pyyaml: 6.0.1_1
        py311-requests: 2.32.4
        py311-six: 1.17.0
        py311-sniffio: 1.3.1
        py311-socksio: 1.0.0_1
        py311-sortedcontainers: 2.4.0_1
        py311-trio: 0.30.0
        py311-truststore: 0.10.1
        py311-typing-extensions: 4.14.1
        py311-tzdata: 2025.2
        py311-ujson: 5.10.0_1
        py311-urllib3: 1.26.20,1
        py311-vici: 5.9.11_1
        python311: 3.11.13
        radvd: 2.20
        readline: 8.2.13_2
        rrdtool: 1.9.0_1
        samplicator: 1.3.8.r1_1
        strongswan: 5.9.14
        sudo: 1.9.17p1
        syslog-ng: 4.8.2_3
        tailscale: 1.86.4
        telegraf: 1.35.1
        unbound: 1.23.1
        wol: 0.7.1_5
        wpa_supplicant: 2.11_5
        zip: 3.0_4
        zstd: 1.5.7

Number of packages to be removed: 163

The operation will free 1 GiB.
[1/163] Deinstalling rrdtool-1.9.0_1...
[1/163] Deleting files for rrdtool-1.9.0_1:   0%
rrdtool-1.9.0_1: missing file /usr/local/bin/rrdcached
[1/163] Deleting files for rrdtool-1.9.0_1:   4%
rrdtool-1.9.0_1: missing file /usr/local/bin/rrdcreate
[1/163] Deleting files for rrdtool-1.9.0_1:   8%
rrdtool-1.9.0_1: missing file /usr/local/bin/rrdinfo
[1/163] Deleting files for rrdtool-1.9.0_1:  12%
rrdtool-1.9.0_1: missing file /usr/local/bin/rrdtool
[1/163] Deleting files for rrdtool-1.9.0_1:  16%
rrdtool-1.9.0_1: missing file /usr/local/bin/rrdupdate
[1/163] Deleting files for rrdtool-1.9.0_1:  20%
rrdtool-1.9.0_1: missing file /usr/local/etc/rc.d/rrdcached
[1/163] Deleting files for rrdtool-1.9.0_1:  25%
rrdtool-1.9.0_1: missing file /usr/local/include/rrd.h
[1/163] Deleting files for rrdtool-1.9.0_1:  29%
rrdtool-1.9.0_1: missing file /usr/local/include/rrd_client.h
[1/163] Deleting files for rrdtool-1.9.0_1:  33%
rrdtool-1.9.0_1: missing file /usr/local/include/rrd_format.h
[1/163] Deleting files for rrdtool-1.9.0_1:  37%
rrdtool-1.9.0_1: missing file /usr/local/lib/librrd.a
[1/163] Deleting files for rrdtool-1.9.0_1:  41%
rrdtool-1.9.0_1: missing file /usr/local/lib/librrd.so
[1/163] Deleting files for rrdtool-1.9.0_1:  45%
rrdtool-1.9.0_1: missing file /usr/local/lib/librrd.so.8
[1/163] Deleting files for rrdtool-1.9.0_1:  50%
rrdtool-1.9.0_1: missing file /usr/local/lib/librrd.so.8.3.0
[1/163] Deleting files for rrdtool-1.9.0_1:  54%
rrdtool-1.9.0_1: missing file /usr/local/lib/perl5/site_perl/RRDp.pm
[1/163] Deleting files for rrdtool-1.9.0_1:  58%
rrdtool-1.9.0_1: missing file /usr/local/lib/perl5/site_perl/mach/5.40/RRDs.pm
[1/163] Deleting files for rrdtool-1.9.0_1:  62%
rrdtool-1.9.0_1: missing file /usr/local/lib/perl5/site_perl/mach/5.40/auto/RRDp/.packlist
[1/163] Deleting files for rrdtool-1.9.0_1:  66%
rrdtool-1.9.0_1: missing file /usr/local/lib/perl5/site_perl/mach/5.40/auto/RRDs/.packlist
[1/163] Deleting files for rrdtool-1.9.0_1:  70%
rrdtool-1.9.0_1: missing file /usr/local/lib/perl5/site_perl/mach/5.40/auto/RRDs/RRDs.so
[1/163] Deleting files for rrdtool-1.9.0_1:  75%
rrdtool-1.9.0_1: missing file /usr/local/lib/perl5/site_perl/man/man3/RRDp.3.gz
[1/163] Deleting files for rrdtool-1.9.0_1:  79%
rrdtool-1.9.0_1: missing file /usr/local/lib/perl5/site_perl/man/man3/RRDs.3.gz
[1/163] Deleting files for rrdtool-1.9.0_1:  83%
rrdtool-1.9.0_1: missing file /usr/local/libdata/pkgconfig/librrd.pc
[1/163] Deleting files for rrdtool-1.9.0_1:  87%
rrdtool-1.9.0_1: missing file /usr/local/share/licenses/rrdtool-1.9.0_1/GPLv2
[1/163] Deleting files for rrdtool-1.9.0_1:  91%
rrdtool-1.9.0_1: missing file /usr/local/share/licenses/rrdtool-1.9.0_1/LICENSE
[1/163] Deleting files for rrdtool-1.9.0_1:  95%
rrdtool-1.9.0_1: missing file /usr/local/share/licenses/rrdtool-1.9.0_1/catalog.mk
[1/163] Deleting files for rrdtool-1.9.0_1: 100%
pkg: sqlite error while executing DELETE FROM packages WHERE id = 1508; in file pkgdb.c:2296: database disk image is malformed
root@OPNsense:/home/tobias #

I will now manually reinstall the machine via USB stick.
#10
Hi Franco,

So what are we supposed to do?

I see other people having the same issue, so there seems to be something broken.

Can we fix the db or examine this further?
#11
Seems like the db is corrupt. Can we fix it, or will this be fixed upstream?
#12
Are any more details needed?
Can I somehow correct that db, or what is the cause of this?
#14
Linking this to https://forum.opnsense.org/index.php?topic=48594 as it seems to be the same issue.
#15
Still experiencing this error with an upgrade to 25.7.2

@franco

***GOT REQUEST TO UPDATE***
Currently running OPNsense 25.7 (amd64) at Mon Aug 25 07:55:17 CEST 2025
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Updating OPNsense repository catalogue...
OPNsense repository is up to date.
All repositories are up to date.
Checking for upgrades (39 candidates): .......... done
Processing candidates (39 candidates): .......... done
The following 39 package(s) will be affected (of 0 checked):

Installed packages to be UPGRADED:
boost-libs: 1.88.0_1 -> 1.88.0_2
curl: 8.14.1 -> 8.15.0
ivykis: 0.43.2 -> 0.43.2_1
jq: 1.8.0 -> 1.8.1
krb5: 1.21.3_1 -> 1.22
libinotify: 20240724_2 -> 20240724_3
libpfctl: 0.15 -> 0.16
libucl: 0.9.2_1 -> 0.9.2_2
lighttpd: 1.4.79 -> 1.4.81
nss: 3.113.1_1 -> 3.115
opnsense: 25.7 -> 25.7.2
opnsense-lang: 25.1.11 -> 25.7.2
opnsense-update: 25.7 -> 25.7.2
os-telegraf: 1.12.12_1 -> 1.12.13
os-wol: 2.5_1 -> 2.5_3
perl5: 5.40.2_2 -> 5.40.3_2
php83: 8.3.23 -> 8.3.24
php83-ctype: 8.3.23 -> 8.3.24
php83-curl: 8.3.23 -> 8.3.24
php83-dom: 8.3.23 -> 8.3.24
php83-filter: 8.3.23 -> 8.3.24
php83-gettext: 8.3.23 -> 8.3.24
php83-ldap: 8.3.23 -> 8.3.24
php83-mbstring: 8.3.23 -> 8.3.24
php83-pcntl: 8.3.23 -> 8.3.24
php83-pdo: 8.3.23 -> 8.3.24
php83-session: 8.3.23 -> 8.3.24
php83-simplexml: 8.3.23 -> 8.3.24
php83-sockets: 8.3.23 -> 8.3.24
php83-sqlite3: 8.3.23_1 -> 8.3.24
php83-xml: 8.3.23 -> 8.3.24
php83-zlib: 8.3.23 -> 8.3.24
py311-duckdb: 1.3.1_1 -> 1.3.2
py311-jq: 1.8.0_1 -> 1.10.0
py311-numpy: 1.26.4_6,1 -> 1.26.4_7,1
python311: 3.11.13 -> 3.11.13_1
sudo: 1.9.17p1 -> 1.9.17p2
syslog-ng: 4.8.2_3 -> 4.8.2_4
telegraf: 1.35.1 -> 1.35.3_1

Number of packages to be upgraded: 39

140 MiB to be downloaded.
[1/39] Fetching lighttpd-1.4.81.pkg: .......... done
[2/39] Fetching php83-filter-8.3.24.pkg: ... done
[3/39] Fetching opnsense-update-25.7.2.pkg: ..... done
[4/39] Fetching php83-curl-8.3.24.pkg: ...... done
[5/39] Fetching boost-libs-1.88.0_2.pkg: .......... done
[6/39] Fetching py311-numpy-1.26.4_7,1.pkg: .......... done
[7/39] Fetching nss-3.115.pkg: .......... done
[8/39] Fetching php83-ldap-8.3.24.pkg: ..... done
[9/39] Fetching jq-1.8.1.pkg: .......... done
[10/39] Fetching krb5-1.22.pkg: .......... done
[11/39] Fetching php83-simplexml-8.3.24.pkg: .... done
[12/39] Fetching php83-pdo-8.3.24.pkg: ....... done
[13/39] Fetching syslog-ng-4.8.2_4.pkg: .......... done
[14/39] Fetching php83-sockets-8.3.24.pkg: ...... done
[15/39] Fetching py311-jq-1.10.0.pkg: ....... done
[16/39] Fetching php83-pcntl-8.3.24.pkg: ... done
[17/39] Fetching php83-sqlite3-8.3.24.pkg: .... done
[18/39] Fetching python311-3.11.13_1.pkg: .......... done
[19/39] Fetching libinotify-20240724_3.pkg: .... done
[20/39] Fetching ivykis-0.43.2_1.pkg: .......... done
[21/39] Fetching php83-session-8.3.24.pkg: ..... done
[22/39] Fetching php83-mbstring-8.3.24.pkg: .......... done
[23/39] Fetching php83-gettext-8.3.24.pkg: . done
[24/39] Fetching telegraf-1.35.3_1.pkg: .......... done
[25/39] Fetching php83-zlib-8.3.24.pkg: ... done
[26/39] Fetching os-wol-2.5_3.pkg: . done
[27/39] Fetching php83-ctype-8.3.24.pkg: . done
[28/39] Fetching curl-8.15.0.pkg: .......... done
[29/39] Fetching php83-8.3.24.pkg: .......... done
[30/39] Fetching os-telegraf-1.12.13.pkg: .. done
[31/39] Fetching libpfctl-0.16.pkg: .. done
[32/39] Fetching php83-xml-8.3.24.pkg: ... done
[33/39] Fetching php83-dom-8.3.24.pkg: .......... done
[34/39] Fetching libucl-0.9.2_2.pkg: .......... done
[35/39] Fetching perl5-5.40.3_2.pkg: .......... done
[36/39] Fetching opnsense-25.7.2.pkg: .......... done
[37/39] Fetching py311-duckdb-1.3.2.pkg: .......... done
[38/39] Fetching sudo-1.9.17p2.pkg: .......... done
[39/39] Fetching opnsense-lang-25.7.2.pkg: .......... done
Checking integrity... done (0 conflicting)
[1/39] Upgrading python311 from 3.11.13 to 3.11.13_1...
pkg-static: sqlite error while executing INSERT OR REPLACE INTO packages( origin, name, version, comment, desc, message, arch, maintainer, www, prefix, flatsize, automatic, licenselogic, time, manifestdigest, dep_formula, vital)VALUES( 'lang/python311', 'python311', '3.11.13_1', 'Interpreted object-oriented programming language', 'Python is an interpreted object-oriented programming language, and is
often compared to Tcl, Perl or Scheme.', '[{"message":"Note that some standard Python modules are provided as separate ports\nas they require additional dependencies. They are available as:\n\npy311-gdbm       databases/py-gdbm@py311\npy311-sqlite3    databases/py-sqlite3@py311\npy311-tkinter    x11-toolkits/py-tkinter@py311","type":"install"}]', 'FreeBSD:14:amd64', 'python@FreeBSD.org', 'https://www.python.org/', '/usr/local', 211048567, 1, 1, NOW(), '2$2$n7q3f14jmcorkwcqbzfescqd858unir8uqe7fgbc5qbpdqq4u3ccueyyeeytcup49a9efi9etmg3earnbrunefij6uzjd9bp65hxfkb', NULL, 0 ) in file pkgdb.c:1633: database disk image is malformed
Starting web GUI...done.
***DONE***