Messages - maoz

#1
Changed System > Settings > HTTPS to HTTP.
Kept the last NGINX config with the wildcard cert for the domain.
So it works this way: HTTP > OPNsense > NGINX (forced redirect to HTTPS) > proxied to HTTP OPNsense.

Weird, but it works for home only, I think, because I don't have to mess with certs in the local network (even if any domain + Cloudflare solves it).
#2
Possibly the problem is here, but a browser works with no problem directly with OPNsense, so I thought there should be no problem. To solve it I tried to use HTTP instead of HTTPS after the redirection.

root@nginx:/etc/nginx/conf.d# curl -Iv https://10.10.10.1
*   Trying 10.10.10.1:443...
* Connected to 10.10.10.1 (10.10.10.1) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
#3
Hi!
I have a basic setup:
home network as WAN 192.168.1.0, LAN 10.10.10.0.
Behind the firewall sits an NGINX reverse proxy,
and I forward 80 and 443 from WAN to NGINX.

So I want to enter OPNsense via the LAN address 10.10.10.1.

So my current scheme is:
192.168.1.101 (OPNsense WAN) -> 10.10.10.2 (NGINX reverse proxy) -> 10.10.10.1 (OPNsense LAN address)

But I ran into a problem: NGINX changes HTTP to HTTPS while reverse-proxying to OPNsense. Other services work fine, like an NGINX static web page, etc.

How do I solve it?


C:\Users\artem>curl -Lvk http://10.10.10.1
*   Trying 10.10.10.1:80...
^C
C:\Users\artem>curl -Lvk http://192.168.1.101
*   Trying 192.168.1.101:80...
* Connected to 192.168.1.101 (192.168.1.101) port 80
> GET / HTTP/1.1
> Host: 192.168.1.101
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.22.1
< Date: Sun, 20 Oct 2024 16:26:29 GMT
< Content-Length: 0
< Connection: keep-alive
< Location: https://192.168.1.101/
< Test_header: test
<
* Ignoring the response-body
* Connection #0 to host 192.168.1.101 left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://192.168.1.101/'
*   Trying 192.168.1.101:443...
* connect to 192.168.1.101 port 443 from 0.0.0.0 port 62405 failed: Connection refused
* Failed to connect to 192.168.1.101 port 443 after 2076 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to 192.168.1.101 port 443 after 2076 ms: Couldn't connect to server

C:\Users\artem>curl -Lvk http://192.168.1.101
*   Trying 192.168.1.101:80...
* Connected to 192.168.1.101 (192.168.1.101) port 80
> GET / HTTP/1.1
> Host: 192.168.1.101
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.22.1
< Date: Sun, 20 Oct 2024 16:27:46 GMT
< Content-Length: 0
< Connection: keep-alive
< Location: https://10.10.10.1/
< Test_header: test
<
* Ignoring the response-body
* Connection #0 to host 192.168.1.101 left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://10.10.10.1/'
*   Trying 10.10.10.1:443...
* connect to 10.10.10.1 port 443 from 0.0.0.0 port 62434 failed: Timed out
* Failed to connect to 10.10.10.1 port 443 after 21048 ms: Couldn't connect to server
* Closing connection
curl: (28) Failed to connect to 10.10.10.1 port 443 after 21048 ms: Couldn't connect to server


From LAN Opnsense is reachable:


root@nginx:/etc/nginx/conf.d# curl -kLv 10.10.10.1
*   Trying 10.10.10.1:80...
* Connected to 10.10.10.1 (10.10.10.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.1
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://10.10.10.1/
< Content-Length: 0
< Date: Sun, 20 Oct 2024 16:38:40 GMT
< Server: OPNsense
<
* Connection #0 to host 10.10.10.1 left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://10.10.10.1/'
*   Trying 10.10.10.1:443...
* Connected to 10.10.10.1 (10.10.10.1) port 443 (#1)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*  start date: Oct  4 15:09:55 2024 GMT
*  expire date: Nov  5 15:09:55 2025 GMT
*  issuer: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: 10.10.10.1]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55aeebbbc7f0)
> GET / HTTP/2
> Host: 10.10.10.1
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200
< set-cookie: PHPSESSID=a1c528aef7da098b20163db04128c8e7; path=/; secure; HttpOnly; SameSite=Lax
< set-cookie: PHPSESSID=a1c528aef7da098b20163db04128c8e7; path=/; secure; HttpOnly
< set-cookie: cookie_test=34e933bad01e167f8fbc1b3521de218a; expires=Sun, 20 Oct 2024 17:38:40 GMT; Max-Age=3600; path=/; secure; HttpOnly
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< referrer-policy: same-origin
< content-type: text/html; charset=UTF-8
< accept-ranges: bytes
< content-length: 2787
< date: Sun, 20 Oct 2024 16:38:40 GMT
< server: OPNsense
<
<!doctype html>
<html lang="en-US" class="no-js">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

    <meta name="robots" content="noindex, nofollow" />
    <meta name="keywords" content="" />
    <meta name="description" content="" />
    <meta name="copyright" content="" />
    <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />
    <meta name="mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-capable" content="yes">

    <title>Login | OPNsense</title>


And my NGINX config:

server {
    listen 80;
#    server_name *.test-laba.duckdns.org;

    # custom_log is the log_format defined in the second config below
    access_log /var/log/nginx/test-access-logs.log custom_log;

    location / {
        proxy_pass http://10.10.10.1:80;  # OPNsense HTTP listener (backend from the map)
#        proxy_set_header Host $host;  # commented out just to see the final address in the output
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Test_header test;  # marker to tell this block's responses apart
    }
}

Also tried a 'proper' config, but it only looped.

# Define a custom log format
log_format custom_log '"Request: $request\n Status: $status\n Request_URI: $request_uri\n Host: $host\n Client_IP: $remote_addr\n Proxy_IP(s): $proxy_add_x_forwarded_for\n Proxy_Host: $proxy_host\n"';


# HTTP server block to handle port 80 and redirect to HTTPS
server {
    listen 80;
    server_name *.test-laba.duckdns.org;


    # Redirect all HTTP requests to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

# Map to pick the backend by server name
# (targets the OPNsense HTTP listener, which answers with the 301 seen below)
map $host $backend {
    opnsense.test-laba.duckdns.org http://10.10.10.1:80;
}


# Main SSL server block for all domains
server {
    listen 443 ssl;
    server_name *.test-laba.duckdns.org;

    # SSL configuration for wildcard certificate
    ssl_certificate /etc/letsencrypt/live/test-laba.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test-laba.duckdns.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    access_log /var/log/nginx/test-access-logs.log custom_log;

    # Proxy to backend service for all subdomains
    location / {
        proxy_pass $backend;  # Location from the map
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Test_header jay;  # marker to tell this block's responses apart
    }
}
C:\Users\artem>curl -Lv http://opnsense.test-laba.duckdns.org --max-redirs 1
* Host opnsense.test-laba.duckdns.org:80 was resolved.
* IPv6: (none)
* IPv4: 192.168.1.101
*   Trying 192.168.1.101:80...
* Connected to opnsense.test-laba.duckdns.org (192.168.1.101) port 80
> GET / HTTP/1.1
> Host: opnsense.test-laba.duckdns.org
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.22.1
< Date: Sat, 19 Oct 2024 19:38:39 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
< Location: https://opnsense.test-laba.duckdns.org/
<
* Ignoring the response-body
* Connection #0 to host opnsense.test-laba.duckdns.org left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://opnsense.test-laba.duckdns.org/'
* Host opnsense.test-laba.duckdns.org:443 was resolved.
* IPv6: (none)
* IPv4: 192.168.1.101
*   Trying 192.168.1.101:443...
* Connected to opnsense.test-laba.duckdns.org (192.168.1.101) port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.x
> GET / HTTP/1.1
> Host: opnsense.test-laba.duckdns.org
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.22.1
< Date: Sat, 19 Oct 2024 19:38:40 GMT
< Content-Length: 0
< Connection: keep-alive
< Location: https://10.10.10.1/
< Test_header: jay
<
* Ignoring the response-body
* Connection #1 to host opnsense.test-laba.duckdns.org left intact
* Maximum (1) redirects followed
curl: (47) Maximum (1) redirects followed

Thanks!
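The thread shows three symptoms of one cause: nginx proxies to the OPNsense HTTP listener, OPNsense answers with a 301 to its own HTTPS address (post #3), curl then refuses the self-signed GUI certificate (post #2), and the eventual workaround (post #1) switches the GUI to plain HTTP, which puts admin logins in cleartext on the hop between nginx and OPNsense. The config below is an added example and not code from the poster or the OPNsense project; it keeps the wildcard certificate, the `custom_log` format and the 80-to-443 redirect from the thread, but proxies to the GUI over HTTPS and verifies the upstream certificate instead of disabling verification. Assumptions not in the thread: the OPNsense GUI certificate has been exported to `/etc/nginx/opnsense-gui.crt` (command in the comments), the admin clients sit in 192.168.1.0/24 or 10.10.10.0/24, and `OPNsense.localdomain` (the CN from the curl output) is the name the certificate is valid for.

```nginx
# Added example (not from the original post): terminate TLS at nginx and
# re-encrypt to the OPNsense GUI instead of proxying to its HTTP listener.
# Assumed paths/names: /etc/nginx/opnsense-gui.crt, client networks
# 192.168.1.0/24 and 10.10.10.0/24, upstream cert name OPNsense.localdomain.

# Export the self-signed GUI certificate once, on the nginx host:
#   openssl s_client -connect 10.10.10.1:443 -servername OPNsense.localdomain </dev/null 2>/dev/null \
#     | openssl x509 -out /etc/nginx/opnsense-gui.crt
# Re-export whenever the GUI certificate is regenerated or renewed.

log_format custom_log '"Request: $request\n Status: $status\n Request_URI: $request_uri\n Host: $host\n Client_IP: $remote_addr\n Proxy_IP(s): $proxy_add_x_forwarded_for\n Proxy_Host: $proxy_host\n"';

# Backend by server name; HTTPS so OPNsense never 301s the client to itself.
map $host $backend {
    opnsense.test-laba.duckdns.org https://10.10.10.1:443;
    default                        "";   # unknown names are dropped below
}

server {
    listen 80;
    server_name *.test-laba.duckdns.org;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name *.test-laba.duckdns.org;

    ssl_certificate     /etc/letsencrypt/live/test-laba.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test-laba.duckdns.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    access_log /var/log/nginx/test-access-logs.log custom_log;

    # The firewall GUI is an admin surface: although 80/443 are forwarded
    # from WAN, only the two home networks may reach this vhost.
    allow 192.168.1.0/24;
    allow 10.10.10.0/24;
    deny  all;

    location / {
        if ($backend = "") { return 444; }   # no backend mapped: close the connection

        proxy_pass $backend;
        proxy_http_version 1.1;

        # Verify the upstream certificate against the exported copy rather
        # than setting proxy_ssl_verify off.
        proxy_ssl_protocols TLSv1.2 TLSv1.3;
        proxy_ssl_verify on;
        proxy_ssl_trusted_certificate /etc/nginx/opnsense-gui.crt;
        proxy_ssl_server_name on;
        proxy_ssl_name OPNsense.localdomain;   # CN shown in the thread's curl output

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Should OPNsense still answer with its own address in Location,
        # rewrite it to the public name instead of leaking 10.10.10.1.
        proxy_redirect https://10.10.10.1/ https://$host/;
        proxy_redirect http://10.10.10.1/  https://$host/;
    }
}
```

Two things to check after loading this with `nginx -t`: `proxy_ssl_verify on` only succeeds if the upstream certificate is valid for the name given in `proxy_ssl_name`, so if verification fails, regenerate the GUI certificate in OPNsense (System > Trust) with a subject alternative name for the address nginx connects to rather than turning verification off. And because the GUI is now reached under a name that differs from the firewall's own hostname, OPNsense's Referer enforcement and alternate-hostname settings under System > Settings > Administration may need the public name added before the login form accepts the proxied request.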