Messages - caplam

#1
you didn't configure it as in the post you linked.
The check needs to be "custom", pointing to the script you placed in /usr/local/opnsense/scripts/OPNsense/Monit/
#2
I have the same caddy settings as you (your screenshot). You also need to tick "forward basic auth" in the reverse proxy handler config. No header to add in the domain or handler settings.

edit: Strange thing. I wanted to check, and when connecting from LAN I'm logged in, but in the logs I have the same error message as you.
I also have authentication disabled for local addresses.
When connecting from WAN I'm logged in without problem and no error message.
I guess there might be a problem with the app itself.

#3
I started on OPNsense a few months ago with Kea. But I quickly moved to ISC as static mappings were not really enforced and some devices couldn't get an address.
If you choose to move to dnsmasq (which I happily used years ago), do you have to use it for DNS also, or can you stay with Unbound?
#4
General Discussion / Re: unifi9 in community repo
April 17, 2025, 06:57:50 PM
For those like me migrating from a network controller on a server (unraid docker in my case) to the plugin on OPNsense, the DB version is not a concern, only the controller version.
You simply have to take a backup of the old controller, start the new one (OPNsense plugin) and select restore from a backup. Then connect with ssh to the network devices and update the inform host.
If you have other services running on ports 8080 (crowdsec in my case) and 8443 (OPNsense GUI in my case), you have to edit system.properties with the correct ports (/usr/local/share/java/unifi/data/system.properties).
#5
General Discussion / Re: need advice on Crowdsec
March 26, 2025, 06:14:38 PM
Thanks for your answer.

I use crowdsec for parsing caddy logs and it's not very convincing. I had to disable some http based scenarios.
For example, as soon as one user of Nextcloud moves files in his directory, he is banned by crowdsec.
How do you add blocklists? Is adding them from the web console enough? Nothing to do from the local GUI in OPNsense?
I tried in the web console using the OPNsense integration but it didn't seem to do anything. I also tried with the registered security engine. I can see which lists I registered to.
Nothing is visible on the local GUI in OPNsense.
#6
Hello,
I have noticed for a few weeks (not sure when it started) that I have messages in the ISC DHCP log file:
Unable to add forward map from hostname.domain.tld to 192.168.2.42: REFUSED
I have the message for all hostnames (with static or dynamic mapping).

However, when I ping or nslookup the hostname the answer is correct.
I read about blocklists which could be problematic and I disabled all blocklists.
Unbound seems to be running:
sudo ps aux|grep unbound
Password:
root     2888   0.9  1.6  194784  132924  -  S    12:12       0:00.93 /usr/local/bin/python3 /usr/local/opnsense/scripts/unbound/logger.py (python3.11)
unbound 96843   0.2  0.6  103064   52000  -  Ss   12:12       0:00.31 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
root       23   0.0  0.2   32980   18344  -  Ss   12:12       0:00.44 /usr/local/bin/python3 /usr/local/opnsense/scripts/dhcp/unbound_watcher.py --domain mydomain.tld (python3.11)
root     1014   0.0  0.0   13760    2340  -  Is   12:12       0:00.00 daemon: /usr/local/opnsense/scripts/unbound/logger.py[2888] (daemon)
fred    10073   0.0  0.0   13744    2448  0  S+   12:12       0:00.00 grep unbound

Does this inspire any comments?
#7
General Discussion / need advice on Crowdsec
March 25, 2025, 10:00:52 AM
I set up OPNsense a few months ago. My config is not finished yet and I want to make better use of crowdsec.
I installed crowdsec and registered it to the console. But until now I didn't have time to explore it.
It's working but with too many false positives. I had to remove some scenarios as I was constantly banned.
I guess there might be other methods than removing scenarios.
How do you troubleshoot false positives?
I registered on the crowdsec web console and I saw that for the free edition you can subscribe to 3 blocklists.
Which are the best to subscribe to?

here are my collections:
crowdsecurity/base-http-scenarios enabled,tainted 1.0 http common : scanners detection
crowdsecurity/caddy enabled,tainted 0.1 caddy support : parser and generic http scenarios
crowdsecurity/freebsd enabled 0.3 core freebsd support : syslog+geoip+ssh
crowdsecurity/http-cve enabled 2.9 Detect CVE exploitation in http logs
crowdsecurity/opnsense enabled 0.4 core opnsense support
crowdsecurity/opnsense-gui enabled 0.1 OPNSense web authentication support
crowdsecurity/sshd enabled 0.5 sshd support : parser and brute-force detection
firewallservices/pf enabled 0.2 Parser and scenario for Packet Filter logs

and my scenarios:
crowdsecurity/CVE-2017-9841 enabled 0.2 Detect CVE-2017-9841 exploits
crowdsecurity/CVE-2019-18935 enabled 0.2 Detect Telerik CVE-2019-18935 exploitation attempts
crowdsecurity/CVE-2022-26134 enabled 0.2 Detect CVE-2022-26134 exploits
crowdsecurity/CVE-2022-35914 enabled 0.2 Detect CVE-2022-35914 exploits
crowdsecurity/CVE-2022-37042 enabled 0.2 Detect CVE-2022-37042 exploits
crowdsecurity/CVE-2022-40684 enabled 0.3 Detect cve-2022-40684 exploitation attempts
crowdsecurity/CVE-2022-41082 enabled 0.4 Detect CVE-2022-41082 exploits
crowdsecurity/CVE-2022-41697 enabled 0.2 Detect CVE-2022-41697 enumeration
crowdsecurity/CVE-2022-42889 enabled 0.3 Detect CVE-2022-42889 exploits (Text4Shell)
crowdsecurity/CVE-2022-44877 enabled 0.3 Detect CVE-2022-44877 exploits
crowdsecurity/CVE-2022-46169 enabled 0.2 Detect CVE-2022-46169 brute forcing
crowdsecurity/CVE-2023-22515 enabled 0.1 Detect CVE-2023-22515 exploitation
crowdsecurity/CVE-2023-22518 enabled 0.2 Detect CVE-2023-22518 exploits
crowdsecurity/CVE-2023-49103 enabled 0.3 Detect owncloud CVE-2023-49103 exploitation attempts
crowdsecurity/CVE-2024-0012 enabled 0.1 Detect CVE-2024-0012 exploitation attempts
crowdsecurity/CVE-2024-38475 enabled 0.1 Detect CVE-2024-38475 exploitation attempts
crowdsecurity/CVE-2024-9474 enabled 0.1 Detect CVE-2024-9474 exploitation attempts
crowdsecurity/apache_log4j2_cve-2021-44228 enabled 0.6 Detect cve-2021-44228 exploitation attemps
crowdsecurity/f5-big-ip-cve-2020-5902 enabled 0.2 Detect cve-2020-5902 exploitation attemps
crowdsecurity/fortinet-cve-2018-13379 enabled 0.3 Detect cve-2018-13379 exploitation attemps
crowdsecurity/grafana-cve-2021-43798 enabled 0.2 Detect cve-2021-43798 exploitation attemps
crowdsecurity/http-admin-interface-probing enabled 0.4 Detect generic HTTP admin interface probing
crowdsecurity/http-backdoors-attempts enabled 0.6 Detect attempt to common backdoors
crowdsecurity/http-bad-user-agent enabled 1.2 Detect usage of bad User Agent
crowdsecurity/http-cve-2021-41773 enabled 0.3 Apache - Path Traversal (CVE-2021-41773)
crowdsecurity/http-cve-2021-42013 enabled 0.3 Apache - Path Traversal (CVE-2021-42013)
crowdsecurity/http-cve-probing enabled 0.6 Detect generic HTTP cve probing
crowdsecurity/http-open-proxy enabled 0.5 Detect scan for open proxy
crowdsecurity/http-path-traversal-probing enabled 0.4 Detect path traversal attempt
crowdsecurity/http-sqli-probing enabled 0.4 A scenario that detects SQL injection probing with minimal false positives
crowdsecurity/http-wordpress-scan enabled 0.2 Detect WordPress scan: vuln hunting
crowdsecurity/http-xss-probing enabled 0.4 A scenario that detects XSS probing with minimal false positives
crowdsecurity/jira_cve-2021-26086 enabled 0.3 Detect Atlassian Jira CVE-2021-26086 exploitation attemps
crowdsecurity/netgear_rce enabled 0.4 Detect Netgear RCE DGN1000/DGN220 exploitation attempts
crowdsecurity/opnsense-gui-bf enabled 0.3 Detect bruteforce on opnsense web interface
crowdsecurity/pulse-secure-sslvpn-cve-2019-11510 enabled 0.3 Detect cve-2019-11510 exploitation attemps
crowdsecurity/spring4shell_cve-2022-22965 enabled 0.3 Detect cve-2022-22965 probing
crowdsecurity/ssh-bf enabled 0.3 Detect ssh bruteforce
crowdsecurity/ssh-cve-2024-6387 enabled 0.2 Detect exploitation attempt of CVE-2024-6387
crowdsecurity/ssh-slow-bf enabled 0.4 Detect slow ssh bruteforce
crowdsecurity/thinkphp-cve-2018-20062 enabled 0.6 Detect ThinkPHP CVE-2018-20062 exploitation attemps
crowdsecurity/vmware-cve-2022-22954 enabled 0.3 Detect Vmware CVE-2022-22954 exploitation attempts
crowdsecurity/vmware-vcenter-vmsa-2021-0027 enabled 0.2 Detect VMSA-2021-0027 exploitation attemps
firewallservices/pf-scan-multi_ports enabled 0.5 Detect aggressive portscans (pf)
ltsich/http-w00tw00t enabled 0.2 detect w00tw00t

#8
General Discussion / Re: unifi9 in community repo
March 24, 2025, 10:05:47 AM
Hello,

I have my unifi controller running as a compose stack on an unraid server.
It uses a MongoDB 7 database. I installed the plugin and saw that it uses a MongoDB 6 database. Are you aware of a downgrade path for the Mongo database from 7 to 6?

For now I did not start the plugin as I see it uses port 8443, which is the port used for the OPNsense GUI. Is there a way to change it before enabling the plugin?

edit: it seems there is no downgrade path from 7.0 to 6.0 for the Mongo database.

Do you plan to release a plugin version with Mongo 7?
#9
done. Thank you.
#10
I managed to do it. I don't know if it's the best way but it works.
I first disabled the handler concerned => caddy generated a file without this handler.
I created a file radarr.conf under /usr/local/etc/caddy/caddy.d/
with the content of the whole previous Radarr reverse proxy "block" and added Authorization to the copy_headers directive.
Now I can log in to Authentik and be automatically logged in to Radarr.

Before that I searched for a way to add "Authorization" without having to write the whole reverse proxy block but didn't find a way to do it.

edit: I didn't try with other apps using Basic Auth but I expect they should behave the same.
So adding "Authorization" to copy_headers seems to solve the problem.
#11
Thanks for your reply.
I'm currently trying to figure out how to add a custom configuration file.
I guess I need to add it in /usr/local/etc/caddy/caddy.d/ and name it my_file.conf, but I have no clue what to put in it.
Would I need a configuration file per handler?
#12
I already saw this post and it's why I tried to add the authorization header.
I also explored the possibility of setting the authorization method to external; it works and you can define which user can access the app. But accessing Radarr with the local address leaves it open.
#13
Finally made a step forward (Radarr for now; I have to test with some other apps), but I need advice to go further.

I added to caddy config/reverse proxy/headers a header_up of type Authorization with value "Basic username:password" (username:password has to be encoded in base64).
Then in the handlers definition (advanced mode) I added the header created above to http headers.

With that config I can now log in to Radarr. The downside is of course that username and password are hardcoded in caddy and authorization no longer relies on the Authentik group. So I have to find a way to make Authentik generate the authorization header and pass it to caddy.
I'm a complete noob in this field, so any help would be greatly appreciated.
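As an added illustration (not a file from this thread, from the OPNsense caddy plugin, or from Authentik), here is a hand-written Caddyfile site block showing the hard-coded header_up approach from this post next to the copy_headers approach from post #10. The hostname, the Authentik outpost address (authentik.lan:9000), the Radarr upstream (radarr.lan:7878) and the base64 credential are placeholders.

```caddyfile
# Added example; hostnames, addresses and the credential below are assumptions.
films.domain.tld {
    # Forward every request to the Authentik outpost first (note the full
    # "/auth/caddy" URI mentioned in post #14).
    forward_auth authentik.lan:9000 {
        uri /outpost.goauthentik.io/auth/caddy

        # Post #10 approach: copy the Authorization header that the outpost
        # produces for this user, together with the usual identity headers.
        # Caddy stores no password and access still follows the Authentik
        # application/group assignment.
        copy_headers Authorization X-Authentik-Username X-Authentik-Groups X-Authentik-Email

        # Only trust forwarded-for headers from the local networks.
        trusted_proxies private_ranges
    }

    reverse_proxy radarr.lan:7878 {
        # Post #13 approach, kept here only for comparison; do not enable it.
        # A fixed Basic credential (base64 of "username:password") means every
        # visitor who passes forward_auth shares one Radarr account and the
        # secret lives in the Caddyfile.
        # header_up Authorization "Basic dXNlcm5hbWU6cGFzc3dvcmQ="
    }
}
```

The outpost only emits an Authorization header when the Authentik proxy provider for the application has HTTP-Basic Authentication enabled, and Radarr must have its authentication method set to Basic for the header to be accepted.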
#14
General Discussion / Re: sso reverse proxy
January 20, 2025, 05:37:35 PM
I made small steps.
The URI I used was wrong. It's mentioned as "/outpost.goauthentik.io/auth/caddy" but I was using "/outpost.goauthentik.io/caddy".
I forgot to check DNS challenge in the domain definition and to uncheck a DNS override in Unbound.

Now when I enter the external URL of the app I'm redirected to Authentik, which forwards me to the app but without passing the Basic Auth, so I have to log in to the app with credentials. I paid attention to the creation of the group in Authentik. I don't know where to search now.

edit: within the logs I can see that:
the Authentik logs say I'm logged in and the application is authorized.
in Radarr: "Basic was not authenticated. Failure message: Authorization header missing."

So I don't think it's in my config. Moreover, in caddy it's said that you can't add headers when using Authentik for Forward Auth.
#15
General Discussion / Re: sso reverse proxy
January 19, 2025, 06:01:59 PM
I don't really understand the way it works.
So far I configured the reverse proxy and DNS override parts to access my apps with http://films.domain.tld (it opens http://ip-of-radar:7878).

I also configured Authentik to be used to log in to Portainer (an app compatible with OAuth2) without passing through caddy.
I managed to log in to Portainer using the reverse proxy. It works, but after authenticating (login + password) in Authentik I have an error message in Portainer that states "Failure Invalid OAuth state, try again."
I then click again on login with auth and I'm logged in without entering login and password again.

But when I enable Forward Auth in the reverse proxy handler config I get a 404 error or a page with "Not found powered by Authentik".