nginx reverse proxy - how to remove my ip from permanentban

[goonza]

Hi,

I am very new to opnsense ...

I have spent a crazy amount of time trying to get this plugin working.  First I realize that the plugin had issues, because navigating to the portal showed there were errors and generated a bug report.  So, I update opnsense and decided to start again. 

I had WAF enabled, initially, but my locations were not been added to the config file and there was no log file.  So, I rebooted, and the locations and log files materialized.  I have since seen (from another forum post) that what I assumed was the nginx reload button at the top was the wrong one, and that might have been why my locations were not generating.

Well my current problem was that on investigating why I am unable to make a good connection, and nothing was showing up in the logs, I realized that my attempts were all being logged to permanentban.access.log ... I also noticed the 'Banned' submenu and checked it to confirm that my IP was banned. 

I clicked the unlock button to get rid of the ban, and did 'cat /dev/null > permanentban.access.log' in case that file was consulted in banning.  But it doesn't matter what I do, all my access attempts are being blocked. 

I have even disabled WAF from the servers, but still the block remains in place ... and removing the WAF is not really being reflected in the config file.

So, my questions are:

* How do I remove a banned ip ?
* How do I ensure my changes (like disabling WAF) in the UI are reflected in the config file ?

Thank you

[goonza]

I have been testing from within the LAN on the external IP addresses.  I just tested from the dmz and can see that the firewall is blocking access. 

So, an additional confusion I have is what firewall rules I need to make the plugin work.  I assumed that having the reverse-proxy obviated the need for specific firewall or dnat settings to pass http traffic from the WAN to the LAN.  Is this assumption wrong ?

Also, it seems that accessing the external URL from inside the protected LAN is being flagged as illegal activity, hence the permanent bans.

sorry for all the questions, but there is hardly any documentation to be sure how this plugin is to be used, even from a conceptual point of view.  I would definitely like to add to the documentation, once I can figure things out.

[goonza]

I now have a good firewall rule passing traffic from my dmz, but now my dmz IP addresses get automatically banned, and nothing is reaching the http servers configured (ie, the logs for configured servers are all zero in size).

not sure what else to do ... maybe it's time to forget this and use an internal reverse proxy ... this is just way too much if a guessing game.

[fabian]

I had WAF enabled, initially, but my locations were not been added to the config file and there was no log file.  So, I rebooted, and the locations and log files materialized.  I have since seen (from another forum post) that what I assumed was the nginx reload button at the top was the wrong one, and that might have been why my locations were not generating.

The top one only restarts the service. It does not regenerate the configs. This is done by the bottom one.

I clicked the unlock button to get rid of the ban, and did 'cat /dev/null > permanentban.access.log' in case that file was consulted in banning.  But it doesn't matter what I do, all my access attempts are being blocked.

The file is used to the block of nginx to the firewall to entirely block the IP.

I have even disabled WAF from the servers, but still the block remains in place ... and removing the WAF is not really being reflected in the config file.

There is a advanced option: "Disable bot protection" which is used for banning hosts.

* How do I remove a banned ip ?

Banned menu (Main menu)

* How do I ensure my changes (like disabling WAF) in the UI are reflected in the config file ?

store and afterwards apply changes (reload button on the bottom of each page.

[fabian]

So, an additional confusion I have is what firewall rules I need to make the plugin work.  I assumed that having the reverse-proxy obviated the need for specific firewall or dnat settings to pass http traffic from the WAN to the LAN.  Is this assumption wrong ?

You only need a filter rule, no DNAT - as this is done by nginx.

Also, it seems that accessing the external URL from inside the protected LAN is being flagged as illegal activity, hence the permanent bans.

No, the bot protection looks at the user agent header. It does not match any IP addresses.

sorry for all the questions, but there is hardly any documentation to be sure how this plugin is to be used, even from a conceptual point of view.  I would definitely like to add to the documentation, once I can figure things out.

Most documentation I wrote is here:

https://docs.opnsense.org/plugins.html#web

[fabian]

I now have a good firewall rule passing traffic from my dmz, but now my dmz IP addresses get automatically banned, and nothing is reaching the http servers configured (ie, the logs for configured servers are all zero in size).

Again: If you have such hosts, disable the bot protection.

not sure what else to do ... maybe it's time to forget this and use an internal reverse proxy ... this is just way too much if a guessing game.

Or just read the config in /usr/local/etc/nginx

[goonza]

Hello Fabian, thanks a million ... your responses have cleared much of the cloud for me ...

Too busy right now to try and use the info you have provided to resolve things ... will come back to it in a couple of hours time, and will provide some feedback.

Thanks again.

[goonza]

I have now spent considerably more time on this, and I cannot remove my dmz or internal hosts from permanent bans, no matter what I try:

-- have enabled 'Disable bot protection' ... and regenerated the configs
-- removed the banned IPs in 'nginx --> banned' ... and regenerated the configs
-- reset states in 'firewall -> Diagnostics --> States Reset' ...
-- I have done the above several times ... and even rebooted several times too.

I have other troubling issues with opnsense:

-- bind is horribly broken and neither saves ACLs or zone data.  If one goes to the CLI and creates zone data, the db file gets reset to zero length anytime one saves zone info (or zone records).  Defines ACLs are also not successfully saved.
-- cannot get pfsense to allow dns traffic from my dmz (fails to default deny with autogenerated rules I am unable to edit) and any rules I define don't seem to matter

Frankly, after giving this many days, I am now considering moving on to something else.  So many things seem to be broken or not working as expected.

Thanks for all your support Fabian ...