Messages - fabian

#16
With Nextcloud you have to specify in the config that nginx is a trusted proxy, and the plugin sets the header according to the specification as a chain of the source IP address and all proxies in between. If that cannot be handled, you can use X-REAL-IP. Then you only get the next client, which may itself be a proxy.
#17
X-REAL-IP delivers the source IP address of the connection to nginx.
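
Added example, not part of the original posts: how a backend can resolve the client address from the forwarded chain described in #16 and #17 when only some hops are trusted proxies. The function names are hypothetical, the addresses are constructed from documentation ranges, and the append-to-chain behaviour is the conventional X-Forwarded-For handling, assumed here for the proxy.

```python
import ipaddress

def proxy_headers(peer_ip, incoming_xff=None):
    """Headers a reverse proxy adds (assumed conventional behaviour):
    append the address it saw to the chain; X-Real-IP is only that address."""
    chain = f"{incoming_xff}, {peer_ip}" if incoming_xff else peer_ip
    return {"X-Forwarded-For": chain, "X-Real-IP": peer_ip}

def _trusted(addr, nets):
    return any(addr in net for net in nets)

def client_ip(peer_ip, xff, trusted_proxies):
    """Walk the chain right to left, starting at the TCP peer.
    Stop at the first address that is not a trusted proxy."""
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    current = ipaddress.ip_address(peer_ip)
    # A header sent by an untrusted peer is attacker-controlled: ignore it.
    if not xff or not _trusted(current, nets):
        return str(current)
    for hop in reversed([h.strip() for h in xff.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        current = addr
        if not _trusted(current, nets):
            break  # first untrusted hop is the best-known client
    return str(current)

if __name__ == "__main__":
    # Constructed path: client -> upstream proxy -> nginx -> backend
    CLIENT, UPSTREAM, NGINX = "203.0.113.7", "198.51.100.10", "192.0.2.1"
    at_upstream = proxy_headers(CLIENT)
    at_nginx = proxy_headers(UPSTREAM, at_upstream["X-Forwarded-For"])
    print("chain     :", at_nginx["X-Forwarded-For"])
    print("X-Real-IP :", at_nginx["X-Real-IP"], "(next hop only)")
    print("both proxies trusted:",
          client_ip(NGINX, at_nginx["X-Forwarded-For"],
                    [NGINX + "/32", UPSTREAM + "/32"]))
    print("only nginx trusted  :",
          client_ip(NGINX, at_nginx["X-Forwarded-For"], [NGINX + "/32"]))
    # Client sends its own X-Forwarded-For straight to nginx
    spoofed = proxy_headers(CLIENT, "10.0.0.1")
    print("spoofed entry ignored:",
          client_ip(NGINX, spoofed["X-Forwarded-For"], [NGINX + "/32"]))
```
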
#18
DNS problem?
#19
You can use a trusted one or you can open the advanced settings.
#20
General Discussion / Re: Dropbear SSH Server
July 03, 2022, 11:24:00 AM
You are likely not scanning OPNsense but some kind of an embedded device.
#21
You can use a port forwarding rule for exclusion.
#22
Go to the user and generate a key.
#23
There is an API in the background.
#24
In the portal solution or with a few hacks not supported on OPNsense
#25
The link is not meant for the web interface but, for example, for OpenVPN.

If you have installed one of the two big proxy plugins, it may require a certificate.
#26
The hosting capability is very restricted as the nginx plugin is running on a firewall appliance. For example, you may not get a database driver you need etc.

It can serve static files or PHP files with not that many PHP extension requirements. So the best thing is to forward the connection to your apache httpd you have already prepared using the nginx reverse proxy. Usually you have to set one or two values on a page and leave the rest at the defaults.
And yes, you could also use nginx on the backend server instead of apache httpd. But that is your application server, which you are going to configure, and it does not matter from OPNsense's point of view.
If OPNsense cannot reach your apache httpd, then check the following:

* does the target host have its own firewall and is it properly configured (allows access from OPNsense to the target application) -> nftables / iptables on Linux
* does the apache httpd listen on the correct IP address and port?
#27
Sure, you can use any port, but QUIC is only used by HTTP/3 in the HTTP context, which forces encryption using QUIC, so it is HTTPS by default. Other ports for HTTPS than 443 are uncommon.
#28
QUIC is only available via HTTPS, not with HTTP, so only UDP/443.
#29
Install and configure os-ftp-proxy:

Connect to a fixed IP -> enter the FTP server, set the rest as needed.

Then create a DNAT rule on WAN to the FTP proxy and allow the connection.

That's all there is to it.
#30
not restart - that will *NOT* regenerate the config. It will do what service control is expected to do - restart only.
The reconfigure button is *ALWAYS* on the bottom of the pages or it will be done when clicking the apply button.