Messages

1

Web Proxy Filtering and Caching / Re: web filtering https without mitm

« on: May 04, 2021, 01:51:42 am »

Thanks, I'm trying to move to the unbound dns via DNSBL, but the lists are not as extensive as those for the proxy.  If I wanted to block all video streaming sites, it would be a very difficult task via DNSBL.  I just can't find good lists like you can with squid. 

2

Web Proxy Filtering and Caching / web filtering https without mitm

« on: April 27, 2021, 02:06:05 am »

I want to use the web proxy filtering for ssl without doing the entire ca ssl mitm.  I don't need to inspect, cache or authenticate anything.  I just want to block people from going to youtube and social media sites.  That shouldn't require me doing anything within SSL.  However, I can't get it to work.  When I do the transparent proxy forward on the ssl port, it just breaks the internet.

help please
thanks

3

General Discussion / DHCP Registration (DNS) vs Dynamic DNS (DHCP)

« on: March 16, 2021, 01:31:37 am »

I want the client names to be automatically registered in DNS.  It seems both of these seem to do that, but what is the difference?  Are both needed?

Under DHCP, we have Dynamic DNS.
"Enter the dynamic DNS domain which will be used to register client names in the DNS server. Note: Leave blank to disable dynamic DNS"

Under DNS, we have DHCP Registration
"If this option is set, then machines that specify their hostname when requesting a DHCP lease will be registered in Unbound, so that their name can be resolved."

4

General Discussion / Unbound DNS - Register DHCP leases

« on: January 26, 2021, 06:56:18 am »

Is there any place to see the dynamic DNS added via DHCP leases in Unbound DNS?  I created a static reservation and now Unbound has both the old and new IP.  I can't see what all the dynamic entries are or how to delete one.

5

19.1 Legacy Series / Re: WAN admin - Firewall Allow but Blocked

« on: April 18, 2019, 09:15:29 pm »

I'm not sure if this is normal, but I got it to work and I'll explain. 
My WAN was set with an IP of 10.x.x.1 and my LAN 192.168.x.1.  I disabled the option that would block private or bogon networks.  I allowed any any to access 10.x.x.1 any.  I was not able to connect to the web admin unless I went to the console and did a 'service pf onestop'.

I changed the WAN IP to a internet facing ip range and put it online.  Now it works without issue and I've tightened up the source ip and destination port in the rules.  Why would it not work with a 10.x.x.x assignment?  I was accessing it from that network.  Anyway.. figured I'd post in case others had a similar issue.

6

19.1 Legacy Series / WAN admin - Firewall Allow but Blocked

« on: April 17, 2019, 05:25:34 am »

I have a situation where I need to enable web administration on the WAN.  I've done this before without issues.  Go to console, shut down packet filter, set WAN firewall to allow my source IP to destination WAN address port 443.  Restart pf.

I just installed a new install of opnsense yesterday, but I can't get this to work.  I'm able to stop pf from a remote console and then access the WAN web admin, but after adding the WAN firewall rule (even to the point of ANY ANY), when pf restarts, I'm blocked by the default fw block rule.  Any thoughts why this would happen?

I know best practice is to vpn or something and access via the lan (and I'll get to that), but I need this to work on the wan first to set everything up properly.  Also, web admin is enabled for all interfaces.

7

General Discussion / Re: Web Server Instructions / Let's Encrypt / Nginx

« on: February 23, 2019, 02:30:32 pm »

It is enabled when you enable HTTPS as well as you can configure it under security headers.

fabian, can you point me to what I need to select to disable HSTS under security headers?  I see a couple options, but they seem more like configurations for HSTS, not on enabling or disabling it.  It's not clear how to do this unless you're speaking of editing the nginx.cfg directly - thanks.

8

General Discussion / Re: Web Server Instructions / Let's Encrypt / Nginx

« on: February 22, 2019, 02:43:54 pm »

Here is the error in the log for trying to delete the IP ACL.  Running 18.7.10_4

[20-Feb-2019 17:15:58 America/New_York] PHP Fatal error:  Uncaught Error: Call to undefined method OPNsense\Nginx\Nginx::find_ip_acl_entry_uuids() in /usr/local/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php:505
Stack trace:
#0 [internal function]: OPNsense\Nginx\Api\SettingsController->delipaclAction('575a2aad-e5ff-4...')
#1 [internal function]: Phalcon\Dispatcher->callActionMethod(Object(OPNsense\Nginx\Api\SettingsController), 'delipaclAction', Array)
#2 [internal function]: Phalcon\Dispatcher->dispatch()
#3 /usr/local/opnsense/www/api.php(26): Phalcon\Mvc\Application->handle()
#4 {main}
  thrown in /usr/local/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php on line 505

9

General Discussion / Re: Web Server Instructions / Let's Encrypt / Nginx

« on: February 21, 2019, 11:46:07 pm »

It is not apparent that the little refresh icon is suppose to save the configuration.  If the button that says "Save changes" doesn't save the changes, why would a user click on a refresh icon that has no tooltip.  It would be really helpful if you made the Save changes button actually update the configuration.

Personally, I think HSTS should be off by default.  It's too easy to mess up when testing and you're unable to get yourself corrected without digging into your browser.  But if you're going to have it enabled, I think it would be very helpful to make it easy to disable.  It's clearly labeled in the System:Settings:Administration "Enable HTTP Strict Transport Security" but I can't find it in nginx.  There is a place in the Location that says "Force HTTPS" but disabling it doesn't appear to change HSTS, nor does the option in HTTP Server that says "HTTPS Only".  It makes sense that it might be in the Security Headers section, but I don't see where it's listed.  In fact, turning off the Security Policy has no effect on HSTS.  There is the option for "Strict Transport Security: Time" and "Strict Transport Security: Include Subdomains", but nothing to actually turn it off.  I guess I could set Time to 0?  I could manually edit the nginx.cfg, but I want this to be able to survive config changes via the gui and opnsense updates.

10

General Discussion / Re: Web Server Instructions / Let's Encrypt / Nginx

« on: February 21, 2019, 05:07:23 pm »

fabian, how do you turn off HSTS Strict-Transport-Security for nginx?  I've tried several things, but can't seem to find the option to disable this.

11

General Discussion / Re: Web Server Instructions / Let's Encrypt / Nginx

« on: February 20, 2019, 11:07:47 pm »

Seems you can't delete an IP ACL once it's created.  It would also be nice if the IP ACL could utilize the Firewall Alias groups.

12

General Discussion / Re: Web Server Instructions / Let's Encrypt / Nginx

« on: February 20, 2019, 09:53:21 pm »

@fabian I figured out the issue and I'd suggest some changes to the plugin.

When you're on one of the settings, such as HTTP Server, and click "Save Changes" it doesn't actually save anything.  When you restart nginx, you still have the same settings.  This can be verified by looking at the nginx.cfg.  You have to go the General Settings and click Apply before they'll actually be saved.  This is why I was ripping my hair out as it is assumed that Save Changes and a service restart should apply the new settings - it does not.  Not until you click Apply on the General Settings.  If it requires an Apply afterward, it should do the banner like on the firewall or something or prompt the user if they want to apply the settings.

13

General Discussion / Re: Web Server Instructions / Let's Encrypt / Nginx

« on: February 19, 2019, 11:48:15 pm »

I got http working using port 8888 on the "http server", but not 80.  Tried doing https on 4444, but it's not working either.  It doesn't seem to be restarting nginx properly as under Firewall Sockets, it still shows it bound to port 8888, even though I've changed it and added https.  Tried Stop / Start via the dashboard too.

14

General Discussion / Re: Web Server Instructions / Let's Encrypt / Nginx

« on: February 19, 2019, 07:49:53 pm »

The location pattern got me some logging.   Almost there I think. Working on a log error.

15

General Discussion / Re: Web Server Instructions / Let's Encrypt / Nginx

« on: February 19, 2019, 05:02:48 pm »

Still not getting this to work.  I can see the firewall is letting it through on the external port, but I see no activity in the http logs in nginx.  Here are my settings using just strait http (externally port 8888 for testing) to avoid any complication until I get it figured out.