Nginx Plugin :: Multiple locations

[ccesario]

Hi @fabian,

It seems the locations config has a BUG, but before open a ticket I would like to check it.

I was running the Nginx with a single Location, and it works as expected, now I needed add more 2 Locations, by GUI I can see the config, but nginx.conf does not have these 2 new locations.

I tried add manually these tw new locations into nginx.conf and restart it manually, and it works. It seems that exists any problem in process to generate the neginx.conf.

It its attached some screens and config to try explain better.

-------
Config generated - > https://pastebin.com/8dJVdfG5
Config working with add location manually - > https://pastebin.com/MDkhRFdf

[fabian]

Your locations are not there are three possible root causes:

* the config has not been regenerated (reload button)

* the location is not added to the HTTP server

* there is a bug in the template which prevents rendering it (try configctl template reload OPNsense/Nginx)

[ccesario]

Your locations are not there are three possible root causes:

* the config has not been regenerated (reload button)
  I apply reload button several times, other configs are applyed, but not locations

* the location is not added to the HTTP server
   If you look the images and codes, there are HTTP servers configured as first locations, and If add manually the config, and restart nginx by console, the "location" config it works.

* there is a bug in the template which prevents rendering it (try configctl template reload OPNsense/Nginx)
   Even running configctl template reload OPNsense/Nginx (result OK) the configs are not generated.

[fabian]

I just generated this host (nginx plugin v1.5):

Code: [Select]

server {
    listen  8080;
    listen  [::]:8080;
    server_name  satisfy;
    charset utf-8;
    access_log  /var/log/nginx/satisfy.access.log main;
    error_log  /var/log/nginx/satisfy.error.log;
    client_max_body_size 10m;
    client_body_buffer_size 19m;
    satisfy any;
    #include tls.conf;
    error_page 404 /opnsense_error_404.html;
    error_page 500 501 502 503 504 /opnsense_server_error.html;
    # location to ban the host permanently
    set $naxsi_extensive_log 0;
    location @permanentban {
        access_log /var/log/nginx/permanentban.access.log main;
        internal;
        add_header Content-Type text/plain;
        add_header Charset utf-8;
        return 403 "You got banned permanently from this server.";
    }
    error_page 418 = @permanentban;
    location /opnsense_server_error.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location /opnsense_error_404.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;
    }
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        root /var/etc/acme-client/challenges;
    }
    # block based on User Agents - stuff I have found over the years in my server log
    if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|ltx71|zgrab|Ronin/2.0|Hakai/2.0) {
      return 418;
    }
        if ($http_user_agent ~ "Indy\sLibrary|Morfeus Fucking Scanner|MSIE [0-6]\.\d+")
    {
      return 418;
    }
    if ($http_user_agent ~ ^Mozilla/[\d\.]+$)
    {
      return 418;
    }

    location = /opnsense-report-csp-violation {
      include       fastcgi_params;
      fastcgi_param QUERY_STRING $query_string;
      fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/scripts/nginx/csp_report.php;
      fastcgi_param TLS-Cipher $ssl_cipher;
      fastcgi_param TLS-Protocol $ssl_protocol;
      fastcgi_param TLS-SNI-Host $ssl_server_name;
      fastcgi_param SERVER-UUID "2ff8ba8c-ea0f-444d-93dc-e5487d70cbbd";
      fastcgi_intercept_errors on;
      fastcgi_pass  unix:/var/run/php-webgui.socket;
    }
    location /opnsense-auth-request {
      internal;
      fastcgi_pass  unix:/var/run/php-webgui.socket;
      fastcgi_index index.php;
      fastcgi_param TLS-Cipher $ssl_cipher;
      fastcgi_param TLS-Protocol $ssl_protocol;
      fastcgi_param TLS-SNI-Host $ssl_server_name;
      fastcgi_param Original-URI $request_uri;
      fastcgi_param Original-HOST $host;
      fastcgi_param SERVER-UUID "2ff8ba8c-ea0f-444d-93dc-e5487d70cbbd";
      fastcgi_param SCRIPT_FILENAME  /usr/local/opnsense/scripts/nginx/ngx_auth.php;
      fastcgi_intercept_errors on;
      include        fastcgi_params;
    }


location  / {
    BasicRule wl:19;
    DeniedUrl "/waf_denied.html";
    client_max_body_size 1g;
    client_body_buffer_size 20m;
    satisfy all;
    index asdf askdfals sdfew4el4;
    autoindex off;
    http2_push_preload off;

}
location  /t1 {
    BasicRule wl:19;
    DeniedUrl "/waf_denied.html";
    autoindex off;
    http2_push_preload off;
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header X-TLS-Cipher $ssl_cipher;
    proxy_set_header X-TLS-Protocol $ssl_protocol;
    proxy_set_header X-TLS-SNI-Host $ssl_server_name;
    # proxy headers for backend server
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://upstreamf59d112473994aa4a2a843ae4910cef2;
    proxy_hide_header X-Powered-By;

}
location  /t2 {
    BasicRule wl:19;
    DeniedUrl "/waf_denied.html";
    autoindex off;
    http2_push_preload off;
    proxy_set_header Host $host;
    proxy_set_header X-TLS-Cipher $ssl_cipher;
    proxy_set_header X-TLS-Protocol $ssl_protocol;
    proxy_set_header X-TLS-SNI-Host $ssl_server_name;
    # proxy headers for backend server
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://upstreamf59d112473994aa4a2a843ae4910cef2;
    proxy_hide_header X-Powered-By;

}
}So I do have both locations and it works fine.

[ccesario]

Well,
It is attached my env details.

[fabian]

I do still think you do have a misconfiguration in the http server setting "Locations".

[ccesario]

Hi @fabian, locations in http server setting is OK.

Well, after reboot appliance the config it was generated as expected.
I will investigate and try reproduce again the problem.

Thank you by great help.

Carlos

[Northguy]

Experiencing the same 'issue'. I had a location, but decided to edit and change it. applied the change, tried to restart NGINX but nothing worked. When entering the URL I ended up with a 404 error. I have the impression that the Stop - start - restart buttons do not restart NGINX.

Decided to reboot OPNsense and only after the reboot, the new location became active.

[fabian]

Do you talk about the buttons at the top right? They are not made to do this (service control only). You need to click the small reload button (orange) to reload the configuration and restart nginx.

[Northguy]

Hey Fabian,

Thanks for pointing that one out. I pressed the bigger reload button on the top (middle) multiple times. Even did a start/stop of the service. I did not even notice the small orange reload button on the bottom right  .

Tested it and works like a charm... need to keep my eyes more open next time.

Thanks!

[fabian]

It is the same in all my plugins. This way it does not need so much space than a dedicated button under the list and it looks better integrated.

The service control at the top is for example when the service crashes to restart it.