Topics - M@rch0n

1
Web Proxy Filtering and Caching / NGINX error while reading response header from upstream
« on: March 26, 2022, 05:18:13 pm »
Hi,

After updating my OPNsense to the latest version, Nginx reports the error:

Errors*1 upstream timed out (60: Operation timed out) while reading response header from upstream

I found this help -> https://ma.ttias.be/nginx-proxy-upstream-sent-big-header-reading-response-header-upstream/#:~:text=If%20the%20HTTP%20headers%20contain,configurations%20to%20your%20location%20block..

I changed the buffer option, but other errors occur and the service does not start.

This error appears in Services > Nginx > Logs > Global Error:
proxy_busy_buffers_size" must be smaller than the size of all "proxy_buffers" minus one buffer in /usr/local/etc/nginx/nginx.conf:656

Any configuration suggestions?

Regards,
Marchon
os-nginx 1.26
OPNsense 22.1.4_1-amd64
FreeBSD 13.0-STABLE
OpenSSL 1.1.1n 15 Mar 2022
Intel(R) Core(TM) i3-2120 CPU @ 3.30GHz (2 cores, 4 threads)
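
As an added example, not from the post or from the OPNsense Nginx plugin: a small Python checker for the constraints nginx enforces between proxy_buffer_size, proxy_buffers and proxy_busy_buffers_size, the second of which is the error quoted above. The directive values it is run on are constructed, not taken from the poster's configuration.

```python
import re

_SIZE_RE = re.compile(r"^(\d+)([kKmM]?)$")


def parse_size(value: str) -> int:
    """Parse an nginx size token such as '8k', '4m' or '4096' into bytes."""
    m = _SIZE_RE.match(value.strip())
    if not m:
        raise ValueError(f"bad nginx size: {value!r}")
    num, unit = int(m.group(1)), m.group(2).lower()
    return num * {"": 1, "k": 1024, "m": 1024 * 1024}[unit]


def check_proxy_buffers(proxy_buffer_size: str, proxy_buffers: str,
                        proxy_busy_buffers_size: str) -> list:
    """Return the config-time complaints nginx raises for this trio of directives.

    Mirrors the checks in ngx_http_proxy_module's location-config merge:
      * at least 2 proxy_buffers are required
      * busy >= max(proxy_buffer_size, one proxy_buffer)
      * busy <= (count - 1) * one proxy_buffer   <- the error in the post
    An empty list means nginx would accept the combination.
    """
    count_str, size_str = proxy_buffers.split()
    count, one_buf = int(count_str), parse_size(size_str)
    head = parse_size(proxy_buffer_size)
    busy = parse_size(proxy_busy_buffers_size)
    problems = []
    if count < 2:
        problems.append("there must be at least 2 proxy_buffers")
    if busy < max(head, one_buf):
        problems.append("proxy_busy_buffers_size must be >= max(proxy_buffer_size, one proxy_buffer)")
    if busy > (count - 1) * one_buf:
        problems.append("proxy_busy_buffers_size must be smaller than all proxy_buffers minus one buffer")
    return problems


if __name__ == "__main__":
    # Constructed samples: nginx defaults, a large-header tuning raised in
    # step (OK), and a large-header tuning that only raised proxy_buffer_size
    # and proxy_busy_buffers_size (fails exactly like the posted log line).
    for trio in (("4k", "8 4k", "8k"), ("128k", "4 256k", "256k"), ("64k", "4 8k", "64k")):
        print(trio, check_proxy_buffers(*trio) or "OK")
```

Raising proxy_buffer_size for big upstream headers without also raising the per-buffer size in proxy_buffers is the combination that trips the "minus one buffer" check, so the three directives have to be adjusted together.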

2
General Discussion / Help migrating TinyDNS to Unbound DNS.
« on: October 07, 2019, 06:56:53 pm »
Hello,

I would like a tip.

I need to migrate a TinyDNS to OPNsense Unbound DNS, but currently TinyDNS has 1,600 records.

Do you know a way to do some type of export/import or will I have to do all the records manually?

Thank you.

3
General Discussion / Nginx reverse proxy webdav status code 405 Method Not Allowed.
« on: October 02, 2019, 04:38:12 pm »
Hello,

I recently migrated my LINUX with POUND to OPNsense with NGINX. I now have a problem accessing webdav with status code 405 (Method Not Allowed). With POUND I decided to add the module "xHTTP 3", to allow extensions of MS WebDAV verbs (SUBSCRIBE, UNSUBSCRIBE, NOTIFY, BPROPFIND, BPROPPATCH, POLL, BMOVE, BCOPY, BDELETE, CONNECT).

How do I do the same in Nginx on OPNsense?

4
General Discussion / Problem Nginx reverse proxy
« on: June 12, 2019, 05:06:27 pm »
Hello,

I have an OPNsense 18.7.10 running with Nginx 1.5 as a reverse proxy for 4 webservices that are on an internal server.

Internet -----> Nginx/OPNsense -----> IIS6.0

I do not know where I'm going wrong, since only one webservice is experiencing a problem. All items such as Upstream, Upstream Server, Location, and HTTP Server have been configured in the same way with the same options. In short, I got the first one working and the others are clones with only the addresses changed.

These webservices were running correctly on another Nginx Linux (CentOS 5.9).
All use the same certificate.

When I test the webservice through the browser the webservice page is displayed successfully; I see the packets entering my WAN interface and exiting the LAN interface towards the IIS server, and I also see successful access logs in Nginx.

But when the access is done by the application, I only see the packets arrive on my WAN interface; I do not see them going out through the LAN interface towards the IIS server, and I also do not see any logs in Nginx, neither access log nor error log.

I already checked and there is also no firewall block; I even did a test with "pfctl -F rules" and even then the behavior is the same.

Can anyone help me?

5
General Discussion / Captive Portal problem 802.1q
« on: March 19, 2019, 12:32:25 pm »
Hello,

I need help, I believe this is a bug!

I have a scenario where I use wpad for my LAN and I have a GUEST for my clients and I need Captive Portal to register these users.

My firewall

WAN (em0) - 200.199.199.100
LAN (em1) - 192.168.0.1/24
GUEST (vlan100_em1) - 192.168.100.1/24

It happens that when I have the Web GUI on HTTP to provide the wpad to LAN clients, the Captive Portal page does not automatically load on the 802.1q tagged interface. If I use the same configuration on the LAN, the page loads automatically and allows authentication; for the clients of the 802.1q tagged interface the page does not load automatically, and it is necessary to enter the URL address to be able to authenticate.

If I change my Web GUI settings to HTTPS, Captive Portal works fine for all interfaces, but LAN clients cannot get the wpad information because of the invalid certificate error.

I thought that disabling the redirection with "Disable web GUI redirect rule" in System > Settings > Administration would solve my problem, but it did not. When HTTP redirection is disabled, HTTP is disabled.

Anyone have any ideas for workaround?

6
General Discussion / Blacklist and Remote ACL not working
« on: March 13, 2019, 07:25:11 pm »
Hello,

I have an OPNsense 19.1.1 with Basic Proxy and no authentication.

I tried to block facebook through the conventional GUI blacklists in "Services > Web Proxy > Administration > Access Control List", but even after adding .facebook.com, ".facebook.com", facebook.com and "facebook.com" access is still allowed by the proxy. My ACL whitelist is empty.

Looking at the configuration file "/usr/local/etc/squid/squid.conf" from the CLI (bash), it was as below:
# ACL - Blacklist - User defined (blackList)
acl blackList url_regex \.facebook\.com
acl blackList url_regex  "\.facebook\.com"
acl blackList url_regex facebook\.com
acl blackList url_regex "facebook\.com"

and I see in the logs the access being allowed:
192.168.10.254 TCP_TUNNEL/200 370105 CONNECT www.facebook.com:443 - HIER_DIRECT/185.60.219.35 -

So I also added Remote ACL UT1 and selected only porn and social_network and I still see the access being allowed by the Proxy.

Access log:
1552499817.222 28   192.168.10.254 TCP_TUNNEL/200 39 CONNECT staticxx.facebook.com:443 - HIER_DIRECT/185.60.219.16 -
1552499817.222 32   192.168.10.254 TCP_TUNNEL/200 39 CONNECT staticxx.facebook.com:443 - HIER_DIRECT/185.60.219.16 -
1552498763.181 270673   192.168.10.254 TCP_TUNNEL/200 249290 CONNECT www.facebook.com:443 - HIER_DIRECT/185.60.219.35 -
1552498744.174 248720   192.168.10.254 TCP_TUNNEL/200 1740 CONNECT facebook.com:443 - HIER_DIRECT/185.60.219.35 -

I checked the /usr/local/etc/squid/acl/UT1 file; it contains 1,968,784 lines, 494 of them with facebook, and even then access is allowed.

# wc -l /usr/local/etc/squid/acl/UT1
1968784 /usr/local/etc/squid/acl/UT1

# grep facebook /usr/local/etc/squid/acl/UT1 | wc -l
494

Is there something I'm doing wrong?

Thanks

7
General Discussion / [SOLVED] Wrong disk space
« on: February 26, 2019, 03:31:25 pm »
Hello,

I have a recent OPNsense 19.1.1 with basic settings, and the following problem is occurring; I do not even know where to start verifying.

Since last Thursday I noticed high disk consumption in the GUI (98%). I verified via the CLI (ssh), and the df command also reported the same 98% usage.

Checking each directory and file, everything added up to just over 3GB. I did this check with "# du -sh" on / and I have no other mount point.

I ran fsck, and no error is encountered.
When rebooting, the system normalizes, but a few days later the problem comes back, and when it reaches 100% usage many services stop working, complaining about lack of disk space.

I looked file by file and everything together came to a little more than 3GB.

# df -h
Filesystem         Size    Used   Avail Capacity  Mounted on
/dev/gpt/rootfs     49G    44G     5G     90%    /
devfs              1.0K    1.0K      0B   100%    /dev
devfs              1.0K    1.0K      0B   100%    /var/unbound/dev
devfs              1.0K    1.0K      0B   100%    /var/dhcpd/dev

# pwd
/
root@opnsense:/ # du -sh
3.6G    .

Thanks to all

8
General Discussion / how to get a crash report?
« on: February 26, 2019, 01:27:18 pm »
Hello,

How do I retrieve a crash report sent to the dev?

My client has access to the GUI, and when they saw a crash message they chose to submit it. Now I have no idea of the problem that occurred.

how to get a crash report?

9
General Discussion / pptps: mpd.conf:38: Unknown command
« on: October 19, 2018, 05:33:20 pm »
Hello everyone,

I have a challenge that is to migrate an iptables to OPNsense.

The challenge is to have students on the internal network have bandwidth control and usage quota.

In short;
Each student is entitled to 10Mbps of internet bandwidth and has a monthly quota of 5G; when he reaches 5G of consumption within the month, his access is blocked.

The current solution has a firewall with iptables and a pptp server. All clients/students, which are internal, establish a pptp connection with this firewall, which queries the DaloRadius that does the AAA. And so it has been working for several years.

I configured OPNsense with Captive Portal, but it only controls bandwidth, which means it limits the speed.
I configured the FreeRadius plugin, but it also only controls speed. Even activating the ChilliSpot option only controls the speed (bandwidth).
I also tested the PPTP server (PPTP server based on MPD5) plugin, the connections are established and authenticated successfully using DaloRadius as a base, but OPNsense is not sending the statistics accounting to DaloRadius.

When I select the "Enable RADIUS accounting" option, the following error occurs in the log: "Oct 19 10:20:50 OPNsense pptps: mpd.conf: 38: Unknown command: 'set radius acct-update 300'".

In initial troubleshooting I have already disabled the firewall rules, and I have already done a tcpdump on the firewall and DaloRadius interfaces and I do not see the accounting packets.

Plug-in os-pptp -> PPTP server based on MPD5
Firmware OPNsense 18.7 2018-07-31
I have already upgraded to the latest release and also to the OPNsense version 19.1.b_54-amd64.

Has anyone had this problem? Or would they have another way to solve this challenge?
