Messages

1

General Discussion / Re: HAPROXY : Multiple Public Services on same IP, PORT but mode TCP and SSL/HTTPS

« on: March 31, 2023, 07:47:44 pm »

hi
afaik there is no complains frOm haproxy if there is multiple frontends bindings to the same sockest. but this misconfig is on admin. it "works" because of SO_REUSEPORT using.
https://github.com/haproxy/haproxy/issues/868
https://github.com/haproxy/haproxy/issues/629

2

22.7 Legacy Series / Re: NGINX ReverseProxy - ACL ignored not updating.

« on: March 30, 2023, 10:06:20 pm »

Where to look?

Services: Nginx: Banned, access logs, error logs, nginx.conf ?

3

23.1 Production Series / Re: OPNSense, nginx and Home Assistant

« on: March 30, 2023, 10:04:26 pm »

Hi
i'm not using HomeAssistant but as I understand it requires an explicitly specified port in the Host header.
(https://github.com/opnsense/plugins/issues/3317)
So far, there is no way to do this in the nginx plugin gui (will need to use hooks).
although i haven't come across such a solution with quick qoogling, i would suggest (if possible) to add an external_url option with a standard port (like https://somerandomname.duckdns.org) in the application settings and use it to configure upstream in nginx.
might work

4

23.1 Production Series / Re: BUG: NGINX doesnt start

« on: March 30, 2023, 03:37:41 pm »

I'd extend setup.php to

sounds like a plan. already running on test vm )
thanks

5

23.1 Production Series / Re: BUG: NGINX doesnt start

« on: March 30, 2023, 03:20:04 pm »

is why the virtual IP is not there

yep, this is the most interesting for now

_precmd is implemented to do config checks in rc.d files sometimes

yes. but in nginx case it may return 1 for "reload" if config broken. but not for "start"..

which command should actually fail in setup script?

https://github.com/opnsense/plugins/blob/c08a2ea1771b8243f8f28de27c3f2286b2beb4af/www/nginx/src/opnsense/scripts/nginx/setup.php#L339 

because a badly written script wil wreck it

hm. understood

/var/run/nginx_status.sock is not unlinked after an unsuccessful start attempt and it prevents next runs. looks like it fixed at
https://trac.nginx.org/nginx/changeset/7cbf6389194b9170514e514ca7ee495369c9c8ac/nginx but it doesn't seem to be backported

6

23.1 Production Series / Re: BUG: NGINX doesnt start

« on: March 30, 2023, 02:51:11 pm »

@franco
how bad is idea to exit on _setup fail at
https://github.com/opnsense/src/blob/stable/23.1/libexec/rc/rc.subr#L1110
? (this should prevent start if config broken. sounds logical?)

7

23.1 Production Series / Re: BUG: NGINX doesnt start

« on: March 30, 2023, 10:17:55 am »

since it "Can't assign requested address" and not "48: Address already in use" i think its not a bind conflict (as i said earlier).its an address absence i think. so may be interface address is not ready when nginx tries to start at boot. but you did not provide more info.
/var/run/nginx_status.sock binding error is a consequence of the first error, because nginx leaves the sockets in this case

8

23.1 Production Series / Re: Gui showing Site2Site OpenVPN is not online

« on: March 28, 2023, 10:21:17 pm »

https://forum.opnsense.org/index.php?topic=33173.0 ?

9

23.1 Production Series / Re: Surricata blocks traffic on local allowed list

« on: March 28, 2023, 10:14:44 pm »

for the ref. false-drop records fixed in https://github.com/OISF/suricata/commit/517132b6ad0347c8402b3aace885d1b734609fec
although I still think it would be great to be able to disable drop-log on the OPN

10

23.1 Production Series / Re: Unable to add static ARP entry

« on: March 28, 2023, 10:09:49 pm »

@Berzerker
sorry for delay
i see three possible ways:
(1) Try to use syshook (https://docs.opnsense.org/development/backend/autorun.html):
add 'static_arp' file to /etc/rc.d.conf with:

Code: [Select]

static_arp_pairs="gw"
static_arp_gw="xxx.xxx.xxx.x 11:22:33:44:55:66"
and (for example) 30-static_arp file (dont forget permissions) to /usr/local/etc/rc.syshook.d/start with:

Code: [Select]

#!/bin/sh

# need my ONT staic arp somehow
/etc/rc.d/static_arp start
and reboot to test
BUT i dont think it survives a link cycle. may be /usr/local/etc/rc.syshook.d/config/ will work better?

(2) just use cron to "arp -S" every X min?
(3) dhcpd trick:
try to add a static lease do DHCP [WAN] (don't need to enable DHCP server though  ) with ONT MAC and IP and enable "ARP Table Static Entry" for this entry. this should force interfaces_staticarp_configure() function to add this arp record when needed. then reboot or "configctl interface reconfigure wan" to test

11

23.1 Production Series / Re: BUG: NGINX doesnt start

« on: March 28, 2023, 09:27:48 pm »

Hi
XXX.XX.XXX.XX is not there when nginx starts?
really need to bind to exact ip and not just "80"?

12

23.1 Production Series / Re: Unable to add static ARP entry

« on: March 24, 2023, 07:00:16 am »

What's the correct way to add a permanent static ARP entry besides running "arp -s"?

static_arp_pairs ?
https://man.freebsd.org/cgi/man.cgi?rc.conf(5)

13

23.1 Production Series / Re: API for DHCP Static Mapping?

« on: March 24, 2023, 06:54:17 am »

@tessus
at the moment there is no api endpoints for dhcp leases (legacy pages are used). but it looks like there are plans for MVC migration (https://github.com/opnsense/core/issues/6380) IIUC. then api endpoints will appear

14

General Discussion / Re: DNSCrypt-Proxy return nxdomain error

« on: March 23, 2023, 07:14:56 pm »

Oh, agree, this is a problem if there is no way to disable this search list on clients. In this case, I do not see options for the case of DNSCrypt.
Speaking of API: It seems to me that for unbound API is available: https://docs.opnsense.org/development/api/core/unbound.html

15

22.7 Legacy Series / Re: Update Alias with multible Host entries

« on: March 23, 2023, 05:43:05 pm »

use browser dev-console to view api request payload when do similar update via gui?