
Messages - GreenMatter

Pages: 1 ... 7 8 [9] 10 11 12
121
Web Proxy Filtering and Caching / Re: HOWTO insert custom headers - Nginx
« on: September 18, 2020, 01:26:51 am »
Quote from: Fright on September 17, 2020, 10:32:26 pm
whats in log?

As I connect to this OPNsense instance over VPN, I was afraid of this system crashing completely and losing access - half of the services were already halted. Therefore I quickly deleted that file and restarted the system. I could try to tail the log, but I wasn't sure of the outcome of the command on a 30GB file...
Anyway, are there any size limits for error logs?

122
Web Proxy Filtering and Caching / Re: HOWTO insert custom headers - Nginx
« on: September 17, 2020, 10:18:35 pm »
Thanks, ultimately I've decided to go for 2 servers with root locations... It works :-)

BTW, today when logging in to OPNsense I was welcomed with a completely full drive - usage of 108%!
and the reason was:
Code:
root@OPNsense:~ # cd / && du -ma | sort -nr | head -n 20
50463   .
32519   ./var
31071   ./var/log
30435   ./var/log/nginx
30430   ./var/log/nginx/ds1.xxxxxx.xx.error.log
 
Is it normal? Shall I simply disable Access Log Format in this particular HTTP server settings? Or can we set somewhere max. size of logs?

123
20.7 Legacy Series / Re: Call for testing: official netmap kernel
« on: September 16, 2020, 11:03:36 pm »
Quote from: andrema2 on September 16, 2020, 09:59:27 pm
Quote from: mb on September 16, 2020, 06:53:51 pm
# opnsense-update -kr 20.7.2-netmap
Just one question, maybe a silly one, is this reversible in case of problems?
And can I apply this update directly on 20.1.9 or is it better to wait for 20.7.3?

124
Web Proxy Filtering and Caching / Re: HOWTO insert custom headers - Nginx
« on: September 15, 2020, 05:21:45 pm »
I'll try to describe it to my best :-)
Onlyoffice server is available via https://onlyoffice.mydomain.com
Upstream server is configured 172.16.1.20:5443
Upstream to use TLS and LE cert.

Nextcloud server is available via http://next.mydomain.com
Upstream server is configured 172.16.1.2:80
Upstream not to use TLS

As nextcloud doesn't have SSL certificate (and onlyoffice prefers it) I need to use reverse proxy to connect them.
Under one server name I cannot(?) have 2 root locations, so nextcloud was root location and onlyoffice in subfolder/URI.
And the problem is/was that when proxying onlyoffice, its page was either not redirected at all (request went to root location) or redirected as 172.16.1.20:5443/onlyoffice (proxy hostname next.mydomain.com/onlyoffice) which doesn't exist. The request must go to the (location) root folder of the onlyoffice server. I guessed I would need to use rewrite or redirection to achieve that but I couldn't find a solution...

125
Web Proxy Filtering and Caching / Re: HOWTO insert custom headers - Nginx
« on: September 15, 2020, 04:04:03 am »
Quote from: Fright on September 14, 2020, 07:52:02 am
it looks more like a nginx question than opnsense one.
but tell more detail what the user is typing, what the request to the upstream should be (perhaps url rewrite is required).
in first and second cases you use different server names..
details of 404 errors can be viewed in the "HTTP Error Logs"
I gave up because https://stackoverflow.com/questions/36120467/nginx-not-matching-location-i-think
The problem there was the same as mine. When the location's name was /onlyoffice/ and proxy_pass or URL Path Prefix ended with "/", it resulted in the URI being added to the server name (host), which caused an error. Otherwise I ended up with the other location /.
So I simply created another server and added location onlyoffice as "/" - root block.
BTW, is there any way/fancy redirections to achieve what I wanted initially? I mean one server with root location and other, "URI" locations being opened at their respective root folders...?
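
The trailing-slash behaviour discussed in this post follows from how nginx pairs prefix locations with `proxy_pass`. The block below is an added example, not code from the thread or from the OPNsense plugin: a small Python model of those rules, run over constructed cases that reuse the upstream addresses from the posts. The function name and the three location tables are made up for the example.

```python
from urllib.parse import urlsplit


def upstream_request(locations, path):
    """Model what nginx sends upstream for a request path.

    `locations` maps prefix locations to proxy_pass values. Regex locations
    and query strings are not modelled. Returns (upstream, path),
    ("redirect", new_path) or None when nothing matches.
    """
    # A proxied location ending in "/" answers the same path without the
    # slash with a 301 to the slash-terminated form.
    if path not in locations and path + "/" in locations:
        return ("redirect", path + "/")
    hits = [loc for loc in locations if path.startswith(loc)]
    if not hits:
        return None
    loc = max(hits, key=len)              # longest matching prefix wins
    target = urlsplit(locations[loc])
    if target.path == "":
        # proxy_pass without a URI part: the request path is passed unchanged
        return (target.netloc, path)
    # proxy_pass with a URI part (even a bare "/"): the part of the path
    # that matched the location is replaced by that URI part
    return (target.netloc, target.path + path[len(loc):])


# Constructed cases using the addresses from the posts above.
NEXTCLOUD = "http://172.16.1.2:80"
NO_URI = {"/": NEXTCLOUD, "/onlyoffice": "https://172.16.1.20:5443"}
SLASHES = {"/": NEXTCLOUD, "/onlyoffice/": "https://172.16.1.20:5443/"}
MIXED = {"/": NEXTCLOUD, "/onlyoffice": "https://172.16.1.20:5443/"}

if __name__ == "__main__":
    for name, locs in (("NO_URI", NO_URI), ("SLASHES", SLASHES), ("MIXED", MIXED)):
        for p in ("/onlyoffice", "/onlyoffice/welcome/", "/index.php"):
            print(name, p, "->", upstream_request(locs, p))
```

Only the `SLASHES` table strips the `/onlyoffice/` prefix cleanly; `NO_URI` forwards the prefix to a backend that has nothing under it, and `MIXED` produces a doubled slash.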

126
Web Proxy Filtering and Caching / Re: HOWTO insert custom headers - Nginx
« on: September 13, 2020, 11:03:10 pm »

You must be right, I'm not a pro!

Anyway I have problem with URI to location matching. For example I want to open page being behind proxy https://mysubdomain.mydomain.com/onlyoffice

HTTPS server name is mysubdomain.mydomain.com
Location URL Pattern is /onlyoffice
URL Path Prefix / or empty

I can't access page, error 404.

But once I change location to root folder
HTTPS server name is onlyoffice.mydomain.com
Location URL Pattern is /
URL Path Prefix /

I'm able to access it through proxy, what am I doing wrong?

127
Web Proxy Filtering and Caching / Re: HOWTO insert custom headers - Nginx
« on: September 13, 2020, 08:55:48 pm »
Quote from: Fright on September 13, 2020, 08:14:37 pm

don't think so. ideally, there should be no "free" fields in GUI config
read "Safeguard user input"
https://docs.opnsense.org/development/guidelines/basics.html
so I highly doubt that such a request will not be declined

I have an idea about using hook and GUI, but I have a feeling that I have already tired the team with my requests and ideas)
Ok, understand it. Thus in a perfect world we should have everything in the GUI named as the headers are or, alternatively, in their description 8)

128
Web Proxy Filtering and Caching / Re: HOWTO insert custom headers - Nginx
« on: September 13, 2020, 07:33:35 pm »
Quote from: Fright on September 13, 2020, 06:27:24 pm
nope. upgrade of nginx plugin will overwrite location.conf. so it will need to be restored (but i hope that @fabian will include this hook in next version. and may be it will use same foldername syntax ))
If I'm right, there are already built-in hooks in "server's" section, so it might be the same for "location"?
But :-), wouldn't it have been better to have in the web GUI, let's say in Advanced view (server and location), an option to add headers manually, by typing them in? The same as it is in OpenVPN server configuration... If I may suggest it.

129
Web Proxy Filtering and Caching / HOWTO insert custom headers - Nginx
« on: September 13, 2020, 05:48:13 pm »

As I've almost hijacked already solved thread (https://forum.opnsense.org/index.php?topic=16595.0) I'm copying over here the last and the most fruitful :-) answer:


Quote from: Fright on September 13, 2020, 07:22:52 am
Quote
Where to find location.conf, somewhere within "/usr/local/etc/nginx"?
/usr/local/opnsense/service/templates/OPNsense/Nginx/..
Quote
Still I'm not able to locate separate config file where I could enter missing headers and include in main config..
in the end of location.conf right before last brace insert new hook.
so before:
Code:
{% endif %}{# honeypot #}


}
after:
Code:
{% endif %}{# honeypot #}
    include {{ location['@uuid'] }}_post/*.conf;
}


go to the GUI and apply nginx config (not reload, apply. so opnsense apply new location.conf)
go to the
/usr/local/etc/nginx/nginx.conf and be sure that at the end of location blocks there is a line like:
    include 248efebe-d2e2-401b-b93f-f4d9061bb18c_post/*.conf;

if so, you can create folder like "248efebe-d2e2-401b-b93f-f4d9061bb18c_post" in /usr/local/etc/nginx/,
place a file like "mylocationname.conf" with your directives and Apply nginx conf.
imo that should work, (I checked and replaced User-agent header via the hook. works:
Code:
set $new_user_agent "${http_user_agent} via nginx";
proxy_set_header User-Agent $new_user_agent;
)
at any step, something can go wrong. always make a backup




And now I have a few questions. Are all of these changes persistent across upgrades?


And in web UI, in location we can enable websocket (proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $proxy_connection;)
but if I need to have them in "overall" section as per recipe (https://www.onlyoffice.com/blog/2020/01/how-to-configure-reverse-proxy-for-nextcloud-and-onlyoffice-editors/):
Quote
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $http_host/editors;
server {
        listen 80;
        location / {
            proxy_pass_header Server;
            proxy_pass http://nextcloud/;
        }
        location /editors/ {
            proxy_pass http://onlyoffice/;
        }
}
Does it make practical difference whether they are in location section or above?
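
On the question of where `proxy_set_header` lines sit: nginx inherits them from an outer level only when the current level defines none of its own. The block below is an added example, not code from the thread or the plugin; it parses a constructed variant of the quoted recipe in which `location /editors/` carries one header of its own (as a location generated from location.conf would, going by the X-Forwarded-For remark quoted further down this page) and reports which headers each location actually sends. nginx's built-in Host and Connection defaults are not modelled.

```python
import re

# Constructed sample: the recipe quoted in the post, plus one header written
# inside location /editors/ (as a generated location block would have).
SAMPLE = """
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Forwarded-Host $http_host/editors;
server {
    listen 80;
    location / {
        proxy_pass http://nextcloud/;
    }
    location /editors/ {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://onlyoffice/;
    }
}
"""

HEADER = re.compile(r"proxy_set_header\s+(\S+)\s+(.+);$")


def effective_headers(conf):
    """Map each location to the proxy_set_header set nginx applies to it."""
    stack = [{}]      # headers written at each open nesting level
    chains = {}       # location -> header dicts from outermost to innermost
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.endswith("{"):
            stack.append({})
            if line.startswith("location"):
                chains[line[:-1].split(None, 1)[1].strip()] = list(stack)
        elif line == "}":
            stack.pop()
        elif (m := HEADER.match(line)):
            stack[-1][m.group(1)] = m.group(2)
    # Innermost level with any proxy_set_header wins; outer levels are dropped.
    return {loc: next((dict(h) for h in reversed(chain) if h), {})
            for loc, chain in chains.items()}


if __name__ == "__main__":
    for loc, headers in effective_headers(SAMPLE).items():
        print(loc, sorted(headers))
```

In the sample, `/` still receives the three top-level headers while `/editors/` sends only X-Forwarded-For, so a header needed in a location that already sets one has to be repeated inside that location.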

130
Web Proxy Filtering and Caching / Re: NGINX Custom Headers [SOLVED]
« on: September 12, 2020, 11:09:42 pm »
Quote from: Fright on September 12, 2020, 04:54:25 pm
no. proxy_redirect not used by default afaik. sorry, what are you going to do with this header?
Thanks for reply! I've been trying to follow various guides of how to setup proxy for Nextcloud

Quote
proxy_set_header X-Forwarded-For
set to $proxy_add_x_forwarded_for by location.conf
Where to find location.conf, somewhere within "/usr/local/etc/nginx"?


EDIT:
Ok, more or less I've managed to run the proxy for Nextcloud using only the GUI. Now I'm facing a problem connecting Nextcloud with Onlyoffice (requires https). There's a way to achieve that described on https://www.onlyoffice.com/blog/2020/01/how-to-configure-reverse-proxy-for-nextcloud-and-onlyoffice-editors/
Long story short, to have the following in Nginx conf:
Code:
proxy_set_header Upgrade $http_upgrade; # <- GUI websocket
proxy_set_header Connection $proxy_connection; # <- GUI websocket
proxy_set_header X-Forwarded-Host $http_host/editors; # <- not in GUI
server {
        listen 80;
        location / {
            proxy_pass_header Server;
            proxy_pass http://nextcloud/;
        }
        location /editors/ {
            proxy_pass http://onlyoffice/;
        }
}
How can I configure above? Still I'm not able to locate separate config file where I could enter missing headers and include in main config...

131
Web Proxy Filtering and Caching / Re: NGINX Custom Headers [SOLVED]
« on: September 11, 2020, 02:27:42 am »
Anybody, anything???



Could somebody please point me in the direction where I can find documentation of the built-in Nginx reverse proxy headers?
I would like to set up a proxy for Nextcloud and I need to use the following headers:
Quote
proxy_redirect http:// $scheme://; # <- I believe set already by "Use https"
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr; # <- option set in HTTP Server
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Forwarded-Proto $scheme;
GUI doesn't correspond directly to standard headers' names and without documentation it's almost mission impossible to get it set properly.
Thanks in advance!

132
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: September 10, 2020, 04:31:36 am »
Quote from: mb on September 10, 2020, 03:50:05 am

Hi GreenMatter, I do not think this will be of help, since the problem is related to the kernel.

Are you able to start a new (test?) guest and see how the new test kernel is behaving?
No, I'm off premise and connect to Opnsense over VPN. I can't afford to demolish it  :D  remotely...

133
Zenarmor (Sensei) / Re: Sensei on OPNsense - Application based filtering
« on: September 09, 2020, 09:35:40 pm »
Quote from: mb on September 05, 2020, 06:07:11 am
Hi GreenMatter,  sensei heartbeat is unrelated to this.

Netmap error messages make me think this is related to netmap.

We had seen a lot of progress on netmap side for the past month. I expect vmx support will also perform better than 20.1.x
And the same happened again (on 20.1.9 - I'm waiting for the final netmap version) within a few days of the first occurrence: lost access to all internal vlan networks.
Quote
2020-09-09T04:31:07   kernel: 667.875025 [1180] netmap_grab_packets bad pkt at 390 len 0
2020-09-09T04:31:07   kernel: 667.875016 [1180] netmap_grab_packets bad pkt at 389 len 0
2020-09-09T04:31:07   kernel: 667.875008 [1180] netmap_grab_packets bad pkt at 388 len 0
2020-09-09T04:31:07   kernel: 667.875001 [1180] netmap_grab_packets bad pkt at 387 len 0
2020-09-09T04:31:07   kernel: 667.874992 [1180] netmap_grab_packets bad pkt at 386 len 0
2020-09-09T04:31:07   kernel: 667.874306 [ 277] vmxnet3_netmap_rxsync 130 skipped! idx 46
2020-09-09T04:31:07   kernel: vmx1: watchdog timeout on queue 0
2020-09-09T04:31:02   eastpect[8308]: nm1::vmx1^: permanently promiscuous mode enabled
2020-09-09T04:31:02   eastpect[8308]: nm0::vmx1: permanently promiscuous mode enabled
What surprises me is that everything has been working fine for months, I had made no changes in the setup, no new packages were installed and all of a sudden this problem appears. I know it's netmap but could it be triggered somehow by Sensei which inspects parent interface vmx1?
Shall I reinstall Sensei, would it help?

134
20.1 Legacy Series / Re: Let’s Encrypt EAP-PEAP WiFi certificate
« on: September 09, 2020, 08:52:53 pm »
Quote from: mimugmail on September 09, 2020, 08:28:42 pm
Guests should use WPA Personal or Open plus captive portal
Regardless of guests, since users need to accept the LE (untrusted) certificate every 2 months, it is better to use an untrusted, self signed certificate with much longer validity...

135
20.1 Legacy Series / Re: Let’s Encrypt EAP-PEAP WiFi certificate
« on: September 09, 2020, 07:35:40 pm »
One more thing, OSX based computers also show the LE certificate as untrusted when it is used for Freeradius WiFi validation.


Long story short, it’s better to use tailor made, self signed certificate with validity of let’s say, 2 years? 😄
