"Recent posts
#21
25.7, 25.10 Series / Re: Dnsmasq stops after swap_p...
Last post by hina - December 11, 2025, 06:26:17 PMSome extra data points on my current system
/usr/local/etc/dnsmasq.conf
top:
ps -faxdvvv
/usr/local/etc/dnsmasq.conf
Code Select
# DO NOT EDIT THIS FILE -- OPNsense auto-generated file
#
rebind-localhost-ok
stop-dns-rebind
port=53053
# If you want dnsmasq to listen for DHCP and DNS requests only on
# specified interfaces (and the loopback) give the name of the
# interface (eg eth0) here.
# Repeat the line for more than one interface.
interface=cc1,cc0,wg0
dhcp-fqdn
domain=redacted.dev
# This tells dnsmasq that a domain is local and it may answer queries from /etc/hosts
# or DHCP but should never forward queries on that domain to any upstream servers.
local=/redacted.dev/
dhcp-authoritative
enable-ra
# Never forward addresses in the non-routed address spaces.
bogus-priv
server=/vpn.redacted.dev/9.9.9.9
rebind-domain-ok=/vpn.redacted.dev/
# host entries flushed via dnsmasq_watcher.py [isc] and a dump of the static reservations
addn-hosts=/var/etc/dnsmasq-hosts
addn-hosts=/var/etc/dnsmasq-leases
dns-forward-max=5000
cache-size=10000
local-ttl=1
conf-dir=/usr/local/etc/dnsmasq.conf.d,*.conf
dhcp-range=tag:cc1,192.168.1.20,192.168.1.254,255.255.255.0,86400
domain=redacted.dev,cc1
dhcp-range=tag:cc1,::,::ffff:ffff:ffff:ffff,constructor:cc1,slaac,ra-names,64,86400
domain=redacted.dev,cc1
ra-param=cc1,60,1200
dhcp-host=id:01:ff:ff:ff:ff:ff:ff,ff:ff:ff:ff:ff:ff,192.168.1.10,[::10],sx3206hpp
dhcp-host=id:01:ee:ee:ee:ee:ee:ee,ee:ee:ee:ee:ee:ee,192.168.1.11,[::11],sx3008f
dhcp-option=tag:cc1,option6:23,[::]
dhcp-option=42,0.0.0.0
dhcp-option=tag:cc1,option6:23,[fc00::ffff:ffff:ffff:ffff]
dhcp-option=option6:56,[fc00::ffff:ffff:ffff:ffff]
# default dns mapped to this server (0.0.0.0)
dhcp-option=6,0.0.0.0
no-ident
top:
Code Select
last pid: 91378; load averages: 0.27, 0.25, 0.24 up 14+15:07:47 01:19:47
88 processes: 1 running, 87 sleeping
CPU: 0.6% user, 0.0% nice, 1.0% system, 0.0% interrupt, 98.4% idle
Mem: 3285M Active, 3868M Inact, 1071M Laundry, 6049M Wired, 236K Buf, 1420M Free
ARC: 2832M Total, 821M MFU, 1754M MRU, 1034K Anon, 33M Header, 222M Other
2369M Compressed, 6794M Uncompressed, 2.87:1 Ratio
Swap: 8192M Total, 1802M Used, 6389M Free, 22% Inuse
PID USERNAME THR PRI NICE SIZE RES STATE C TIME WCPU COMMAND
93702 root 13 20 -20 15G 1278M nanslp 1 26.8H 4.95% eastpect
38891 unbound 6 20 0 1400M 1136M kqread 4 0:16 0.77% unbound
41424 root 1 20 0 79M 35M nanslp 4 125:38 0.65% php
648 elasticsea 102 68 0 8027M 3253M uwait 3 186:11 0.61% java
6572 root 14 68 -20 1268M 40M uwait 2 10:44 0.45% ipdrstreamer
5523 root 3 20 0 49M 12M kqread 5 19:28 0.11% syslog-ng
28181 nobody 1 20 0 2414M 2194M select 5 2:40 0.09% dnsmasq
85048 root 1 20 0 15M 3452K CPU4 4 0:00 0.08% top
51227 root 1 20 0 13M 1324K select 3 4:26 0.06% powerd
41303 root 1 20 0 14M 2332K bpf 2 1:19 0.05% filterlog
31704 _lldpd 1 20 0 87M 1632K kqread 4 2:40 0.03% lldpd
60850 root 1 20 0 28M 14M select 0 0:19 0.01% python3.11
60766 root 1 20 0 27M 13M select 3 0:18 0.01% python3.11
39442 root 7 20 0 276M 179M kqread 2 0:31 0.01% python3.11
37372 root 4 68 0 14M 2328K uwait 3 0:14 0.01% dpinger
80470 root 4 68 0 14M 1520K uwait 4 1:38 0.01% dpinger
94062 _flowd 1 20 0 13M 1700K select 2 1:01 0.01% flowd
78208 root 1 20 0 53M 32M nanslp 1 263:22 0.01% python3.11
16355 root 1 20 0 14M 1652K select 1 0:43 0.01% rtsold
82496 root 1 20 0 20M 7992K select 4 0:00 0.01% sshd-session
49305 root 17 68 0 98M 13M sigwai 3 0:28 0.01% charon
ps -faxdvvv
Code Select
PID STAT TIME SL RE PAGEIN VSZ RSS LIM TSIZ %CPU %MEM COMMAND
0 DLs 59:45.91 1 127 0 0 2176 - 0 0.0 0.0 [kernel]
1 ILs 0:00.11 127 127 36 12324 740 - 652 0.0 0.0 - /sbin/init
88920 S< 0:33.84 0 127 23 37428 8108 - 11968 0.0 0.0 |-- /usr/local/zenarmor//bin/eastpect -D
6555 I< 0:00.00 127 127 11 37428 8344 - 11968 0.0 0.1 | |-- eastpect: Eastpect Streamer Instanc
6572 I< 10:45.19 127 127 320 1298168 41252 - 13044 0.0 0.2 | | `-- ipdrstreamer /usr/local/zenarmor/
93702 S< 1607:46.27 0 127 98930 15861768 1308484 - 11968 41.8 7.9 | `-- eastpect: Eastpect Instance 0 (east
38891 Ss 0:16.97 5 127 0 1434064 1163380 - 1028 0.0 7.0 |-- /usr/local/sbin/unbound -c /var/unbou
20345 Is 0:00.03 127 127 68 20316 5712 - 312 0.0 0.0 |-- sshd: /usr/local/sbin/sshd [listener]
82287 Is 0:00.02 127 127 0 20868 7692 - 712 0.0 0.0 | `-- sshd-session: root [priv] (sshd-ses
82496 S 0:00.03 0 127 0 20868 7992 - 712 0.0 0.0 | `-- sshd-session: root@pts/0 (sshd-se
82599 Is 0:00.00 127 127 0 14312 2596 - 120 0.0 0.0 | `-- /bin/sh /usr/local/sbin/opnsens
84876 S 0:00.02 0 127 0 14792 3424 - 324 0.0 0.0 | `-- /bin/csh
82883 R+ 0:00.00 127 0 0 14384 2764 - 24 0.0 0.0 | `-- ps -faxdvvv
28181 S 2:40.19 0 127 0 2471776 2249864 - 312 0.0 13.6 |-- /usr/local/sbin/dnsmasq -x /var/run/d
79321 S 0:01.56 1 127 92 26684 2488 - 220 0.0 0.0 |-- /usr/local/sbin/chronyd -f /usr/local
79399 I 0:00.09 127 127 0 22200 348 - 220 0.0 0.0 | `-- /usr/local/sbin/chronyd -f /usr/loc
94896 S 0:06.28 0 127 0 23852 10128 - 220 0.0 0.1 |-- /usr/local/sbin/lighttpd -f /usr/loca
95033 Is 0:00.04 127 127 0 189040 30428 - 2928 0.0 0.2 | |-- /usr/local/bin/php-cgi
96080 I 0:00.63 127 127 0 197892 37992 - 2928 0.0 0.2 | | |-- /usr/local/bin/php-cgi
96082 I 0:00.56 127 127 0 197380 37368 - 2928 0.0 0.2 | | |-- /usr/local/bin/php-cgi
96424 I 0:00.00 127 127 0 189040 30428 - 2928 0.0 0.2 | | |-- /usr/local/bin/php-cgi
96782 I 0:00.37 127 127 0 192688 37136 - 2928 0.0 0.2 | | |-- /usr/local/bin/php-cgi
97148 I 0:00.00 127 127 0 189040 30428 - 2928 0.0 0.2 | | `-- /usr/local/bin/php-cgi
95159 Is 0:00.04 127 127 0 189040 30412 - 2928 0.0 0.2 | |-- /usr/local/bin/php-cgi
96276 I 0:00.63 127 127 0 192688 37432 - 2928 0.0 0.2 | | |-- /usr/local/bin/php-cgi
96644 I 0:00.64 127 127 0 192688 37248 - 2928 0.0 0.2 | | |-- /usr/local/bin/php-cgi
96869 I 0:00.63 127 127 0 201012 37724 - 2928 0.0 0.2 | | |-- /usr/local/bin/php-cgi
97335 I 0:00.00 127 127 0 189040 30416 - 2928 0.0 0.2 | | |-- /usr/local/bin/php-cgi
97568 I 0:00.00 127 127 0 189040 30416 - 2928 0.0 0.2 | | `-- /usr/local/bin/php-cgi
95208 Is 0:00.04 127 127 0 189040 30428 - 2928 0.0 0.2 | |-- /usr/local/bin/php-cgi
30187 I 0:00.62 127 127 0 197252 37536 - 2928 0.0 0.2 | | |-- /usr/local/bin/php-cgi
60132 I 0:00.62 127 127 0 197252 37480 - 2928 0.0 0.2 | | |-- /usr/local/bin/php-cgi
96858 I 0:00.00 127 127 0 189040 30432 - 2928 0.0 0.2 | | |-- /usr/local/bin/php-cgi
97268 I 0:00.00 127 127 0 189040 30432 - 2928 0.0 0.2 | | |-- /usr/local/bin/php-cgi
97419 I 0:00.00 127 127 0 189040 30432 - 2928 0.0 0.2 | | `-- /usr/local/bin/php-cgi
95284 Is 0:00.04 127 127 0 189040 30420 - 2928 0.0 0.2 | `-- /usr/local/bin/php-cgi
24696 I 0:00.40 127 127 0 196784 37712 - 2928 0.0 0.2 | |-- /usr/local/bin/php-cgi
69250 I 0:00.59 127 127 0 196916 37620 - 2928 0.0 0.2 | |-- /usr/local/bin/php-cgi
83937 I 0:00.25 127 127 0 196916 37412 - 2928 0.0 0.2 | |-- /usr/local/bin/php-cgi
96325 I 0:00.01 127 127 0 192688 34200 - 2928 0.0 0.2 | |-- /usr/local/bin/php-cgi
97597 I 0:00.00 127 127 0 189040 30420 - 2928 0.0 0.2 | `-- /usr/local/bin/php-cgi
96675 S 0:28.55 0 127 0 15656 1892 - 220 0.0 0.0 |-- /usr/local/sbin/lighttpd -f /var/etc/
11809 Is 0:00.03 127 127 2 14076 1648 - 64 0.0 0.0 |-- dhclient: system.syslog (dhclient)
12798 Is 0:00.10 127 127 8 14076 1696 - 64 0.0 0.0 |-- dhclient: cc0 [priv] (dhclient)
15763 SCs 0:08.41 11 127 62 14080 1832 - 64 0.0 0.0 |-- dhclient: cc0 (dhclient)
31364 Is 0:00.55 54 127 1 38832 884 - 108 0.0 0.0 |-- lldpd: monitor. (lldpd)
31704 S 2:40.40 10 127 21 89008 1632 - 108 0.0 0.0 | `-- lldpd: no neighbor. (lldpd)
44021 Ss 3:32.87 2 127 0 14120 2712 - 116 0.0 0.0 |-- /usr/local/sbin/miniupnpd -f /var/etc
16651 Is 0:00.23 127 127 100 13800 1748 - 96 0.0 0.0 |-- /usr/local/sbin/dhcp6c -c /var/etc/dh
94031 Is 0:00.02 127 127 38 13748 264 - 76 0.0 0.0 |-- flowd: monitor (flowd)
94062 Ss 1:01.24 0 127 23 13748 1700 - 76 0.0 0.0 | `-- flowd: net (flowd)
1088 Ss 0:00.47 16 127 47 15340 2944 - 36 0.0 0.0 |-- /sbin/devd
16017 SCs 0:38.79 11 127 26 13924 916 - 28 0.0 0.0 |-- /usr/sbin/rtsold -aiu -p /var/run/rts
16144 Is 0:00.00 127 127 0 13924 1428 - 28 0.0 0.0 |-- rtsold: rtsold.llflags (rtsold)
16233 Is 0:00.00 127 127 0 13924 1428 - 28 0.0 0.0 |-- rtsold: rtsold.script (rtsold)
16339 Is 0:00.00 127 127 0 13924 1428 - 28 0.0 0.0 |-- rtsold: rtsold.sendmsg (rtsold)
16355 Ss 0:43.49 11 127 5 13924 1652 - 28 0.0 0.0 |-- rtsold: system.syslog (rtsold)
60251 Ss 0:03.38 1 127 0 13852 2248 - 28 0.0 0.0 |-- /usr/sbin/cron -s
77766 S 0:00.00 2 2 0 14108 2344 - 28 0.0 0.0 | `-- cron: running job (cron)
78035 Ss 0:00.00 2 2 0 14028 2224 - 24 0.0 0.0 | `-- /usr/local/bin/flock -n -E 0 -o /
78245 S 0:00.03 1 2 0 65780 36028 - 2944 0.2 0.2 | `-- /usr/local/bin/php /usr/local/o
80904 S 0:00.00 1 1 0 19876 6428 - 152 0.2 0.0 | `-- /usr/local/sbin/ntpq -c rv
64826 Is+ 0:00.00 127 127 0 13780 1272 - 20 0.0 0.0 |-- /usr/libexec/getty Pc ttyv0
64908 Is+ 0:00.00 127 127 0 13780 1268 - 20 0.0 0.0 |-- /usr/libexec/getty Pc ttyv1
64995 Is+ 0:00.00 127 127 0 13780 1268 - 20 0.0 0.0 |-- /usr/libexec/getty Pc ttyv2
65010 Is+ 0:00.00 127 127 0 13780 1268 - 20 0.0 0.0 |-- /usr/libexec/getty Pc ttyv3
65078 Is+ 0:00.00 127 127 0 13780 1268 - 20 0.0 0.0 |-- /usr/libexec/getty Pc ttyv4
65097 Is+ 0:00.00 127 127 0 13780 1268 - 20 0.0 0.0 |-- /usr/libexec/getty Pc ttyv5
65239 Is+ 0:00.00 127 127 0 13780 1268 - 20 0.0 0.0 |-- /usr/libexec/getty Pc ttyv6
65323 Is+ 0:00.00 127 127 0 13780 1272 - 20 0.0 0.0 |-- /usr/libexec/getty Pc ttyv7
37372 Is 0:14.51 127 127 0 14504 2328 - 16 0.0 0.0 |-- /usr/local/bin/dpinger -f -S -r 0 -i
80470 Is 1:37.91 127 127 0 14504 1520 - 16 0.0 0.0 |-- /usr/local/bin/dpinger -f -S -r 0 -i
5513 IW 0:00.00 127 127 0 24496 4 - 8 0.0 0.0 |-- /usr/local/sbin/syslog-ng -f /usr/loc
5523 Ss 19:28.05 1 127 211 50112 12524 - 8 0.0 0.1 | `-- /usr/local/sbin/syslog-ng -f /usr/l
60766 S 0:18.50 0 127 0 27368 13740 - 4 0.0 0.1 | |-- /usr/local/bin/python3 /usr/local
60850 S 0:18.86 0 127 0 28392 14120 - 4 0.0 0.1 | `-- /usr/local/bin/python3 /usr/local
39340 Is 0:00.00 127 127 0 13764 1960 - 8 0.0 0.0 |-- daemon: /usr/local/opnsense/scripts/u
39442 S 0:31.64 5 127 0 282372 182920 - 4 0.0 1.1 | `-- /usr/local/bin/python3 /usr/local/o
41303 Ss 1:18.80 0 127 2 14044 2332 - 8 0.0 0.0 |-- /usr/local/sbin/filterlog -i pflog0 -
41403 IWs 0:00.00 127 127 0 13764 4 - 8 0.0 0.0 |-- daemon: /usr/local/opnsense/scripts/r
41424 S 125:39.78 0 127 54 81144 35848 - 2944 0.1 0.2 | `-- /usr/local/bin/php /usr/local/opnse
49280 IWs 0:00.00 127 127 0 13764 4 - 8 0.0 0.0 |-- daemon: /usr/local/libexec/ipsec/char
49305 I 0:27.80 127 127 531 100264 13140 - 8 0.0 0.1 | `-- /usr/local/libexec/ipsec/charon --u
51227 Ss 4:26.29 0 127 0 13756 1324 - 12 0.0 0.0 |-- /usr/sbin/powerd -b hadp -a hadp -n h
68707 IWs 0:00.00 127 127 0 13764 4 - 8 0.0 0.0 |-- daemon: /usr/local/bin/samplicate[687
68788 S 0:19.82 0 127 0 13660 112 - 12 0.0 0.0 | `-- /usr/local/bin/samplicate -s 127.0.
44754 Is 0:00.34 127 127 0 40396 16488 - 4 0.0 0.1 |-- /usr/local/bin/python3 /usr/local/opn
44825 S 0:46.35 1 127 0 99512 44800 - 4 0.0 0.3 | `-- /usr/local/bin/python3 /usr/local/o
31478 I 0:00.00 127 127 0 14312 2476 - 120 0.0 0.0 | `-- /bin/sh /usr/local/opnsense/scrip
31668 I 0:00.00 127 127 0 14312 2508 - 120 0.0 0.0 | `-- /bin/sh /usr/local/opnsense/scr
32856 IC 0:00.00 127 127 0 13648 1824 - 8 0.0 0.0 | `-- sleep 41053
78208 Ss 263:23.79 0 127 49 53760 32660 - 4 0.2 0.2 |-- /usr/local/bin/python3 /usr/local/opn
80229 Ss 0:36.91 1 127 9 63136 8948 - 4 0.0 0.1 |-- /usr/local/bin/python3 /usr/local/opn
648 I 186:13.42 127 127 2075350 8219332 3328836 - 4 0.0 20.1 `-- /usr/local/openjdk17/bin/java -Des.ne
2 WL 242:10.55 127 127 0 0 96 - 0 0.0 0.0 - [clock]
3 DL 0:02.01 127 127 0 0 112 - 0 0.0 0.0 - [crypto]
4 DL 0:00.00 127 127 0 0 64 - 0 0.0 0.0 - [cam]
5 DL 0:00.00 127 127 0 0 16 - 0 0.0 0.0 - [busdma]
6 DL 2:46.17 0 127 0 0 1088 - 0 0.0 0.0 - [zfskern]
7 DL 7:31.24 0 127 0 0 16 - 0 0.0 0.0 - [pf purge]
8 DL 4:21.15 0 127 0 0 16 - 0 0.0 0.0 - [rand_harvestq]
9 DL 11:52.38 0 127 0 0 48 - 0 0.0 0.0 - [pagedaemon]
10 DL 0:00.00 127 127 0 0 16 - 0 0.0 0.0 - [audit]
11 RNL 122299:12.88 127 127 0 0 96 - 0 562.1 0.0 - [idle]
12 WL 259:18.92 127 127 0 0 624 - 0 1.4 0.0 - [intr]
13 DL 0:00.01 127 127 0 0 48 - 0 0.0 0.0 - [geom]
14 DL 0:00.00 127 127 0 0 16 - 0 0.0 0.0 - [sequencer 00]
15 DL 0:23.62 127 127 0 0 80 - 0 0.0 0.0 - [usb]
16 DL 0:16.59 1 127 0 0 16 - 0 0.0 0.0 - [acpi_thermal]
17 DL 0:01.36 127 127 0 0 16 - 0 0.0 0.0 - [vmdaemon]
18 DL 1:04.16 0 127 0 0 144 - 0 0.0 0.0 - [bufdaemon]
19 DL 0:06.17 0 127 0 0 16 - 0 0.0 0.0 - [vnlru]
20 DL 0:16.72 0 127 0 0 16 - 0 0.0 0.0 - [syncer]
32 DL 0:00.20 26 127 0 0 16 - 0 0.0 0.0 - [aiod1]
33 DL 0:00.19 27 127 0 0 16 - 0 0.0 0.0 - [aiod2]
34 DL 0:00.19 21 127 0 0 16 - 0 0.0 0.0 - [aiod3]
35 DL 0:00.19 20 127 0 0 16 - 0 0.0 0.0 - [aiod4]
65513 DL 0:10.74 11 127 0 0 96 - 0 0.0 0.0 - [ng_queue]
88414 DL 0:03.65 3 127 0 0 16 - 0 0.0 0.0 - [md43]
#22
German - Deutsch / Re: 10G Hardware Empfehlungen
Last post by Bob.Dig - December 11, 2025, 06:03:56 PM #23
General Discussion / Re: Best firewall solution for...
Last post by meyergru - December 11, 2025, 05:54:27 PMBy using a mechanism that "always" blocks known ad distributing sites, you will automatically trigger blocks on sites that rely on such ads. The only way of having the best of both worlds is to use ad-blocking mechanisms that fake the ads being displayed. Such mechanisms are available for many browsers, think of uBlock Origin.
A prominent example of a site that does not tolerate ad-blocking is Youtube.
On devices where those tools are not available, you can still use DNS-based ad blockers, e.g. by identifying your smartphones and using AdGuard DNS rules only for those devices.
A prominent example of a site that does not tolerate ad-blocking is Youtube.
On devices where those tools are not available, you can still use DNS-based ad blockers, e.g. by identifying your smartphones and using AdGuard DNS rules only for those devices.
#24
25.7, 25.10 Series / Unbound DNS, DoT - Priority Dn...
Last post by wallnas - December 11, 2025, 05:45:13 PMgood evening,
I entered 2 DNS addresses in "Unbound DNS: DNS over TLS" and I need them to be processed with priority, so elect the primary and secondary.
If the first doesn't respond because it doesn't work, pass the execution to the second: can it be done?
I entered 2 DNS addresses in "Unbound DNS: DNS over TLS" and I need them to be processed with priority, so elect the primary and secondary.
If the first doesn't respond because it doesn't work, pass the execution to the second: can it be done?
#25
General Discussion / Best firewall solution for gam...
Last post by mnhim001 - December 11, 2025, 05:42:35 PMI have 3 kids at home that are gamers and streamers. I have setup OPNsense and enabled Unbound DNS using the AdGuard List. This caused all their gaming sites to no longer work. I added a bunch of sites to the Allowlist Domains.
My question is, is this the best solution? or is there another solution? I was thinking of installing AdGuard Home plugin, but not sure if its just going to give me the same results.
What I am looking for is an ongoing Allow list that I don't have to come back up update manually.
My question is, is this the best solution? or is there another solution? I was thinking of installing AdGuard Home plugin, but not sure if its just going to give me the same results.
What I am looking for is an ongoing Allow list that I don't have to come back up update manually.
#26
General Discussion / Re: ISC DHCP seesm to keep res...
Last post by Oli_wachno - December 11, 2025, 05:27:02 PMTo add some more information:
All clients are connected to the FW via a LAG (two physical ports)
All clients are connected to the FW via a LAG (two physical ports)
#27
Q-Feeds (Threat intelligence) / Re: q-feeds feedback
Last post by dirtyfreebooter - December 11, 2025, 05:23:47 PMi would agree on 3, the new top level menu item is a bit much. annoyed that zenarmor does it, annoyed that qfeeds does it. just put your service/plugin in the services menu imo
#28
25.7, 25.10 Series / Re: os-OPNWAF / Exchange 2019 ...
Last post by Monviech (Cedrik) - December 11, 2025, 04:57:49 PMSorry to be really specific but in the first virtual host you have
"LocatioN"
and in the second virtual host you dont have any location. Can you put the same location in there?
Could you fix that and retry just to be 100% sure?
------
A tangent, I dont think the password input is relevant, I think it also work if you click the popup away without entering anything (I assume).
"LocatioN"
and in the second virtual host you dont have any location. Can you put the same location in there?
Could you fix that and retry just to be 100% sure?
------
A tangent, I dont think the password input is relevant, I think it also work if you click the popup away without entering anything (I assume).
#29
25.7, 25.10 Series / Re: os-OPNWAF / Exchange 2019 ...
Last post by humnab - December 11, 2025, 04:51:40 PMHello,
no difference, I have to enter the Password 3 time after starting Outlook before I can read the body of a Mail:
no difference, I have to enter the Password 3 time after starting Outlook before I can read the body of a Mail:
Code Select
ServerName mail.example.com
Listen 443
<VirtualHost *:443>
ServerName mail.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols http/1.1
SSLCertificateFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.pem
SSLCertificateKeyFile /var/etc/apache_2dd88e9b-e1af-45c0-bbb9-b157bf809e66.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
# Start ExchangeHttps
OutlookAnywherePassthrough On
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding
TimeOut 1800
# Change Character set to allow umlaute
AddDefaultCharset ISO-8859-1
# Redirect to owa (Outlook Web Access)
# Redirect / /owa/
# Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
<Directory /Microsoft-Server-ActiveSync>
SSLRenegBufferSize 31457280
</Directory>
<LocatioN />
SetEnv proxy-initial-not-pooled
SetEnv proxy-aside-c
ProxyPass https://10.10.10.5/ connectiontimeout=900
ProxyPassReverse https://10.10.10.5/
</Location>
# End ExchangeHttps
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
<VirtualHost *:443>
ServerName autodiscover.example.com
Options -FollowSymLinks
Options -Indexes
Options -ExecCGI
LogLevel warn
ProxyRequests Off
RequestHeader set X-Forwarded-Proto "https"
SSLProxyEngine On
SSLProxyCheckPeerName On
SSLProxyCheckPeerExpire On
SSLEngine on
Protocols http/1.1
SSLCertificateFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.pem
SSLCertificateKeyFile /var/etc/apache_d5ddeeb9-32c1-42a0-be53-f9b92602e492.key
# https://wiki.mozilla.org/Security/Server_Side_TLS
# TLS Intermediate configuration
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
SSLOptions +StrictRequire
SSLUseStapling On
# Start ExchangeHttps
OutlookAnywherePassthrough On
Header always set X-Frame-Options SAMEORIGIN
Header set Server Apache
Header unset X-AspNet-Version
Header unset X-OWA-Version
Header unset X-Powered-By
RequestHeader unset Expect early
ProxyRequests Off
ProxyPreserveHost On
ProxyVia Full
RequestHeader edit Transfer-Encoding Chunked chunked early
RequestHeader unset Accept-Encoding
TimeOut 1800
# Change Character set to allow umlaute
AddDefaultCharset ISO-8859-1
# Redirect to owa (Outlook Web Access)
# Redirect / /owa/
# Allow sending large files via attachement in Active Sync > 128KByte (new value 30MB)
<Directory /Microsoft-Server-ActiveSync>
SSLRenegBufferSize 31457280
</Directory>
# End ExchangeHttps
<Location "/__waf_errors__">
ProxyPass "!"
<RequireAny>
# error pages are allowed for all.
Require all granted
</RequireAny>
</Location>
Alias "/__waf_errors__" "/usr/local/opnsense/data/OPNWAF/errors/default"
ErrorDocument 400 /__waf_errors__/400.html
ErrorDocument 401 /__waf_errors__/401.html
ErrorDocument 403 /__waf_errors__/403.html
ErrorDocument 404 /__waf_errors__/404.html
ErrorDocument 408 /__waf_errors__/408.html
ErrorDocument 500 /__waf_errors__/500.html
ErrorDocument 502 /__waf_errors__/502.html
ErrorDocument 504 /__waf_errors__/504.html
</VirtualHost>
#30
General Discussion / Re: Some sites think I live in...
Last post by meyergru - December 11, 2025, 04:51:26 PMI did not see that one coming, nice one, Cedrik! There goes your next USA trip... ;-)
