Topics

1

21.1 Legacy Series / need help on nextcloud-fpm

« on: July 07, 2021, 09:23:29 am »

Hi together,

i wanted to have nextcloud-fpm using nginx from nginx. I installed a usual Webserver on opnsense and configured "position"




Everything seems work, except that the webpage is delivered unformatted. What did i miss?

Thx,
Ruggerio

2

21.1 Legacy Series / 21.1.7: Problem with Freeradius

« on: June 17, 2021, 08:00:15 am »

Right after the upgrade, Freeradius does not start anymore:

Error: /usr/local/etc/raddb/mods-enabled/eap[15]: Instantiation failed for module "eap"   
2021-06-17T07:58:25       Error: rlm_eap (EAP): Failed to link rlm_eap_leap: Cannot open "/usr/local/lib/freeradius-3*/rlm_eap_leap.so"   
2021-06-17T07:58:25       Info: Debugger not attached   
2021-06-17T07:44:37       Error: /usr/local/etc/raddb/mods-enabled/eap[15]: Instantiation failed for module "eap"   
2021-06-17T07:44:37       Error: rlm_eap (EAP): Failed to link rlm_eap_leap: Cannot open "/usr/local/lib/freeradius-3*/rlm_eap_leap.so"   
2021-06-17T07:44:37       Info: Debugger not attached

Roger

3

German - Deutsch / Erfahrungen mit Intel Celeron CPU's mit IPS/IDP

« on: February 15, 2021, 10:14:22 am »

Hallo zusammen,

habe ne APU4, damit geht IPS nicht wirklich. Max. 80 mbit/s. Suche nach beserer Hardware und wollte nachfragen, ob jemand Erfahrungen mit den Celeron CPU's hat:

Intel Celeron N4100
Oder der J9100

Habe in Zukunft max. 400 mbit/s Download und würde gerne IPS mitlaufen lassen, damit aber möglichst den Durchsatz erreichen.

Gruss
Roger

4

Web Proxy Filtering and Caching / Signal App only working if SNI enabled

« on: February 01, 2021, 08:40:44 am »

Hello,

I have an old tablet, which i would like to have SSL Inspection enabled. But this will not work for Signal, even if .whispersystems.org and .signal.org are inserted into no ssl bump sites.

It still reclams the certificate, e.g.:
kid1| ERROR: negotiating TLS on FD 30: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (1/-1/0)

Does anybody know, how i can handle Signal having ssl inspection enabled? Btw. the proxy is not transparent.

5

20.7 Legacy Series / Proxy and Clam

« on: January 28, 2021, 10:20:50 am »

How far does it still make sense, checking for viruses on the proxy, as lots/most/whatever webservers already use hstsc if we just use SNI? In that case, the content cannot be checked, i think.

This traffic will not be checked, isn't it?

Just for comprehension.

6

21.1 Legacy Series / Squid SSL [Solved]

« on: January 27, 2021, 11:19:17 am »

Hi,

I tried for an old tablet having Squid using SSL Bump (without transparent proxy) - default listening is on port 3129.

On the tablet i get a reduced connection. Strange. On the sense, i see also not listening anything to port 3129 (which perhaps causes this).

And even more strange, the traffic gets - as it seems - inspected, as https://-download from eicar is recognized in c-icap...

usually i expected no inspection of traffic, as it is not listening on 3129 (SNI, btw. is disabled...)

Are there perhaps changes in squid, that could cause this?

7

21.1 Legacy Series / NGINX problem with https server

« on: January 20, 2021, 11:21:44 pm »

Since the upgrade to 21.1-rc...my https-reverse-proxy does no longer start.

Logs say:
SSL_CTX_load_verify_locations("/usr/local/etc/nginx/key/trust_upstream_4fa78829-e9c2-4d1b-b07d-3223d324f828.pem") failed (SSL: error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found)

in the mentionned path, i can find a pem. This error holds nginx from start. if i remove TLS-support from the server, the services starts again.

Somebody with a good idea?

8

21.1 Legacy Series / Update to 21.1 not possible

« on: January 14, 2021, 11:05:47 am »

Hello,

RC1 is not yet advised on my box. This according to the bug mentionned in the announcment. Will there be a fix (e.g. analogue to the update to 20.7., where first another update had to be done before the update to 20.7 was possible)?

9

20.7 Legacy Series / Double NAT - Provider Modem

« on: January 14, 2021, 09:29:06 am »

Hello,

I have a DOCSIS-Cablemodem, which was in bridged mode. Unfortunately, i had lots of packet losses in the last time. So i had to switch to router mode. The opnsense (where all traffic flows on it) is in dmz (i have mail- and webserver from the outside)

Since i changed the way, i get max 100mbps passing via opnsense. Before, it was up to 700 mbps without any problem. I think now, this is a problem of natting opnsense and the modem.

Easy, i disabled natting on the sense, nothing more worked. Of course, as the sense with nat got the ip from the isp-router, without natting all clients behind the sense come now up with their own ip instead of the natted from the wan-port of the sense.

I'm a little bit out of ideas. Does anybody have a "similar" installation? How did you solve this for you?

Thanks!

10

20.7 Legacy Series / [Solved, RFC needed?] NGINX as IMAP reverse proxy

« on: October 25, 2020, 01:21:34 pm »

i got nginx at 80% as reverse proxy for dovecot running. 80% because i don't get the external ip of the client transferred to the mailserver.

if i enable proxy protocol, the connection will not be accepted. Does anybody have an idea? Eventually i was searching false, but google did not reply that much on imap on reverse proxy

all i would need is having the external ip in the logs of dovecot.

Thx,
Ruggerio

11

20.7 Legacy Series / Suricata - Engine?

« on: August 03, 2020, 04:14:29 pm »

Hi,

When testing 20.7 from iso, i always used Aho Ken Steele, no problems with memory.

Now, in 20.7 Production, memory goes up nearly 70% for suricata and the system is swapping. This was not the case before. I changed for now to "reduced memory implementation", but still lots of memory used and swap.

thx!
Ruggerio

12

20.7 Legacy Series / Postfix not logging

« on: July 31, 2020, 11:06:01 am »

Hey,

Since upgrading to 20.7, Postfix shows no more logs.

Cheers,
Roger

13

20.7 Legacy Series / Squid/C-ICAP Error

« on: April 08, 2020, 08:14:04 am »

Since the upgrade, C-ICAP shows the following error:

Wed Apr 8 08:06:51 2020, 24221/803493376, ci_simple_file_new: Can not open temporary filename in directory:/var/tmp/

Shouldn't this be /tmp?

Comment: changed this in /usr/local/etc/c-icap/c-icap.conf from /var/tmp to /tmp and now it works.

Perhaps this has something to do, that i set a separate temp-directory in settings.

14

20.7 Legacy Series / [SOLVED] Postfix not logging

« on: April 02, 2020, 02:08:20 pm »

The postfix-logs are also after a few reboots empty (in GUI and shell).

15

19.7 Legacy Series / Postfix: Mails duplicating several times

« on: December 07, 2019, 07:43:52 pm »

Since the last update of postfix, i get some (not all) Mails duplicated or even multiplicated.  Somebody else having this issue?

The message-id btw. is always the same, on each messsage.