2
Web Proxy Filtering and Caching / Re: Nginx Proxy - Real IP
« on: March 21, 2024, 08:26:42 pm »
yep, backend server should treat ip from XFF as a client IP )
settings depend on the server
3
23.7 Legacy Series / Re: system -> settings -> administration save fails
« on: March 21, 2024, 08:24:11 pm »
Quote
what does "not intended for server use " even mean?
https://www.ssl2buy.com/wiki/what-is-the-difference-between-client-and-server-certificates
when you hit the Save button, the GUI cert key usage extension is checked
4
Web Proxy Filtering and Caching / Re: Nginx Proxy - Real IP
« on: March 21, 2024, 08:10:59 pm »
Hi
Reverse proxy uses XFF (https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-For) header to pass this info to the backends.
traffic flow is not entirely clear in your case
5
Web Proxy Filtering and Caching / Re: Nginx proxy - grPC possible?
« on: March 21, 2024, 08:06:15 pm »
Hi
Sorry, not yet possible via GUI. I think you can try to create an "empty" (specify URL Pattern only) Location in the GUI (and then add it to the Server locations list), then add the necessary grpc_* directives to the location via _post-hook, directing grpc_pass to an existing Upstream. Not tested but should work imo.
6
24.1 Production Series / Re: Unbound ignores blocklist
« on: March 19, 2024, 02:49:52 pm »
Quote
What do they think they're getting by using a random IP
not random. it is possible to specify the desired ip address which, for example, will lead to a page explaining the reason for the blocking (and collect statistics )
7
24.1 Production Series / Re: Unbound ignores blocklist
« on: March 17, 2024, 09:08:05 pm »
tested with https://hole.cert.pl/domains/v2/domains.txt
works
8
24.1 Production Series / Re: HA Proxy - Startup Error
« on: March 17, 2024, 08:47:18 pm »
glad it worked )
The internal httpclient library needs resolvers to work.
By default, HAProxy tries to compile a "default" list of resolvers based on the resolv.conf file, which in your case did not contain addresses.
It seems that at the moment the plugin does not allow specifying resolvers for the httpclient by ID
(so you will either have to use the system ones or make a request at GitHub)
9
24.1 Production Series / Re: HA Proxy - Startup Error
« on: March 17, 2024, 08:10:44 pm »
I’ll assume that you didn’t specify the DNS server addresses at SYSTEM: SETTINGS: GENERAL ->Networking
10
24.1 Production Series / Re: HA Proxy - Startup Error
« on: March 17, 2024, 04:12:46 pm »
can you share the Config Diff?
11
24.1 Production Series / Re: HA Proxy - Startup Error
« on: March 17, 2024, 04:07:12 pm »
syncCerts.py and socketCommand.py errors are not the cause, but a consequence of HAProxy not working (and it is not possible to establish a control connection)
can you try to make some config of real/backend servers and apply it?
12
24.1 Production Series / Re: HA Proxy - Startup Error
« on: March 17, 2024, 01:07:18 pm »
Hi
can you share the config?
13
24.1 Production Series / Re: KEA dhcpv4 arp scan?
« on: March 16, 2024, 09:13:50 pm »
yes, i think there are 3 options:
-exclude ip from the scope(s)
-hope the client can handle it
-get "paid support contract" to get ping-check hook library from ISC
https://kea.readthedocs.io/en/latest/arm/hooks.html#libdhcp-ping-check-so-ping-check
14
24.1 Production Series / Re: KEA dhcpv4 arp scan?
« on: March 16, 2024, 06:25:17 pm »
Hi
I thought that the RFC involves conflict detection and DHCP DECLINE sending from the client side
Quote
KEA would ARP scan (as stated in their documentation)
could you share the link on this please?
15
23.7 Legacy Series / Re: Nginx -> HTTP server -> Real IP Source
« on: March 12, 2024, 02:41:15 pm »
I’ll answer again in this thread so as not to interfere in a new one (https://forum.opnsense.org/index.php?topic=39391.0).
-in my opinion, this is an incorrect use of de-facto standard headers (and imho there are other ways to achieve the desired result without violating the standards)
-you could use your own headers for this setup
-a request for such changes has little chance of being merged imho
-you always have the option to use a completely hand-written Location (with the desired headers) and use it with the GUI-configured server via server _post-hook