Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.

Messages - marcelmah

1
22.1 Legacy Series / Re: [SOLVED] NGINX does'n start after update to 22.1.9
« on: July 12, 2022, 09:27:05 pm »
Quote from: franco on July 12, 2022, 08:35:10 pm
If you apply your nginx configuration it should work, otherwise it just keeps the old one until reboot.


Cheers,
Franco
Hi,

This is weird, I just loaded my snapshot (I run OPNsense in an ESXi VM) of my last test (faster than updating again from 22.1.8_1) and this time everything booted and started fine. I could swear I did a reboot yesterday after I discovered the problem...

2
22.1 Legacy Series / Re: [SOLVED] NGINX does'n start after update to 22.1.9
« on: July 12, 2022, 06:54:10 pm »
Quote from: franco on July 12, 2022, 03:36:53 pm
Yes so the latest version is 1.28_1 as you can see from the link:

http://mirror.ams1.nl.leaseweb.net/opnsense/FreeBSD%3A13%3Aamd64/22.1/latest/All/os-nginx-1.28_1.pkg

1.27 definitely doesn't work with the latest nginx software shipped.
Just updated again 22.1.10
NGINX won't start: os-nginx (installed)   1.28_1   908KiB   OPNsense   Nginx HTTP server and reverse proxy

same error: unknown directive "js_include" in /usr/local/etc/nginx/nginx.conf:40

3
22.1 Legacy Series / Re: [SOLVED] NGINX does'n start after update to 22.1.9
« on: July 12, 2022, 03:08:10 pm »
Quote from: franco on July 12, 2022, 03:04:10 pm
I mean the plugin os-nginx. Maybe you locked it.


Cheers,
Franco
This is now: os-nginx (installed)   1.27   902KiB   OPNsense   Nginx HTTP server and reverse proxy
You want to know what version it is when I've updated to 22.1.10 again?
If so, I think I can try again this evening.

4
22.1 Legacy Series / Re: [SOLVED] NGINX does'n start after update to 22.1.9
« on: July 12, 2022, 12:55:35 pm »
Quote from: franco on July 12, 2022, 12:54:12 pm
It looks ok to me. What version is your nginx plugin?
This is what I get (amongst the rest of the packages) when I open the update page:
nginx   1.20.2_9,2   1.22.0_6,2   upgrade   OPNsense

5
22.1 Legacy Series / Re: [SOLVED] NGINX does'n start after update to 22.1.9
« on: July 12, 2022, 12:36:38 pm »
Quote from: franco on July 12, 2022, 08:48:49 am
Which mirror are you using or are you managing a mirror yourself? It was fixed in a hotfix update.


Cheers,
Franco
Hi,

I'm coming from OPNsense 22.1.8_1-amd64 using mirror OPNsense in Amsterdam.
When I check for update I only see 22.1.10, so I skipped 22.1.9 and 22.1.9_1.
Is there a 22.1.10_1?

6
22.1 Legacy Series / Re: [SOLVED] NGINX does'n start after update to 22.1.9
« on: July 11, 2022, 06:41:22 pm »
Just updated to 22.1.10 and can't start NGINX anymore...
unknown directive "js_include" in /usr/local/etc/nginx/nginx.conf:40

Restoring to older version of NGINX does not help (opnsense-revert -r 22.1.8 nginx):
SyntaxError: Illegal export statement in ngx_functions.js:51, included in /usr/local/etc/nginx/nginx.conf:40

7
20.7 Legacy Series / Re: Crash after update to 20.7 on xen 4.11(debian)
« on: March 06, 2022, 09:09:43 am »
I added a new physical nic with 4 ports and user passthrough. This way I can also manage the VLAN natively in OPNsense.

8
21.7 Legacy Series / Re: OPNsense NGINX reverse proxy A+ status in SSL test
« on: November 30, 2021, 04:21:50 pm »
So this is merged into version 21.7.6 :)

Unfortunately I am unable to find a combination of cipher suites (with TLS 1.3) where I score 100 on every bar.
I chose this one finally: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

It has no weak ciphers (according to SSL Labs) but it's not scoring 100% because of breaking compatibility with older devices.

If someone knows a better one...

PS. you can enter this in: Services > Nginx > Configuration > HTTP(S) > HTTP Server
Edit your HTTP server, enable advanced and find the value: TLS Ciphers
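
An added example, not part of the original post and not OPNsense plugin code: a name-based audit of an OpenSSL-format cipher list, run over the list quoted above and over the three suites SSL Labs marked WEAK in the thread's opening post. The bucket names and the name-only heuristic (AEAD markers, ECDHE/DHE prefixes) are assumptions of this example.

```python
import re

# Explicit OpenSSL suite names look like ECDHE-RSA-AES128-GCM-SHA256.
SUITE_RE = re.compile(r"^[A-Z0-9]+(-[A-Z0-9]+)+$")
AEAD_MARKERS = ("GCM", "CHACHA20-POLY1305", "CCM")  # assumption: judged by name only
FS_PREFIXES = ("ECDHE-", "DHE-")

# Cipher list quoted in the post above.
POSTED_LIST = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)

# The three suites SSL Labs marked WEAK in the thread's first post,
# mapped from IANA names to the OpenSSL names used in nginx cipher lists.
FLAGGED = {
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384": "ECDHE-RSA-AES256-SHA384",
    "TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384": "ECDHE-RSA-CAMELLIA256-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": "ECDHE-RSA-AES128-SHA256",
}

def audit(cipher_list):
    """Sort each entry of a colon-separated cipher list into one bucket."""
    report = {"ok": [], "non_aead": [], "no_forward_secrecy": [], "unresolved": []}
    for token in (t.strip() for t in cipher_list.split(":")):
        if not token:
            continue
        if not SUITE_RE.match(token):
            # Keywords and operators (HIGH, !aNULL, EECDH+AESGCM) expand to
            # many suites; resolve them with `openssl ciphers -v` first.
            report["unresolved"].append(token)
        elif not any(m in token for m in AEAD_MARKERS):
            report["non_aead"].append(token)  # CBC and other non-AEAD modes
        elif not token.startswith(FS_PREFIXES):
            report["no_forward_secrecy"].append(token)
        else:
            report["ok"].append(token)
    return report

if __name__ == "__main__":
    samples = (("posted", POSTED_LIST), ("flagged", ":".join(FLAGGED.values())))
    for label, value in samples:
        for bucket, names in audit(value).items():
            print(label, bucket, names)
```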

9
21.7 Legacy Series / Re: /update_tables.py[58137] error fetching alias url https://bla.bla.com/support.tx
« on: October 21, 2021, 09:13:08 am »
The curl command went fine, no problems...

Figured it out though, it was a special char in the file, too bad OPNsense can't handle this or throw a usable error.
But the alias and the firewall rules it's used in are working fine again.

10
21.7 Legacy Series / /update_tables.py[58137] error fetching alias url https://bla.bla.com/support.tx
« on: October 18, 2021, 10:59:14 am »
Hi,

We use a URL table alias that refreshes every day to centrally manage a list of IPs that are used in firewall rules.
This worked great until now.

I keep getting this error:
2021-10-17T18:50:01   /update_tables.py[58137]   error fetching alias url https://bla.bla.com/support.txt   
2021-10-17T18:50:01   /update_tables.py[58137]   fetch alias url https://bla.bla.com/support.txt (lines: 8)

So it downloads the file as it knows it's 8 lines, but then throws an error. I can't seem to find why, is there any other log I can view to figure out why it throws an error?

11
21.7 Legacy Series / Re: OPNsense NGINX reverse proxy A+ status in SSL test
« on: October 16, 2021, 12:45:50 pm »
Ah great, now have A+!

I hope the pull request will get all four bars to 100% :)


12
21.7 Legacy Series / Re: IPv6 all static in DC
« on: October 15, 2021, 11:36:00 pm »
Hi,

I did not change my single gateway.
I changed the prefix on my WAN to 2a00:xxx:13x:0:0:0:0:5 /64
I changed my LAN to 2a00:xxx:13x:8000::5 /64

I can still ping to Google DNS from WAN but not from LAN.

13
21.7 Legacy Series / Re: OPNsense NGINX reverse proxy A+ status in SSL test
« on: October 15, 2021, 11:29:14 pm »
Hmm, so after some Googling I think I need to add a custom security header, but then I'm lost, so many options, none of them read HSTS, could you point me in the right direction?

14
21.7 Legacy Series / Re: OPNsense NGINX reverse proxy A+ status in SSL test
« on: October 15, 2021, 09:22:45 pm »
Aaah great another pull request that looks on track for merging, I subscribed to get notified, thnx!

PS. I'm aiming for an all green output of the test, I assumed only all green would provide A+, if less does, that's great, aiming for perfect :)


15
21.7 Legacy Series / OPNsense NGINX reverse proxy A+ status in SSL test
« on: October 15, 2021, 05:34:14 pm »
Hi,

I'm trying to get the highest score in the SSL test: https://www.ssllabs.com/ssltest/index.html
I have it to an A status and everything is green except this:
Cipher Suites
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 (0xc077)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK   128

I Googled for solutions, and I found multiple requests and even a pull request on GitHub but no working solution. Can this be accomplished?

https://forum.opnsense.org/index.php?topic=19230.msg88253
https://forum.opnsense.org/index.php?topic=17151.msg86631
https://github.com/opnsense/plugins/commit/a694ac4cb65481df9abf7138c0eb7693a9e36d11
https://forum.opnsense.org/index.php?topic=15701.msg71853
