[Solved, RFC needed?] NGINX as IMAP reverse proxy

Started by ruggerio, October 25, 2020, 01:21:34 PM

October 27, 2020, 11:06:19 AM #15 Last Edit: October 27, 2020, 11:12:16 AM by Fright
don't think so
you can look at https://forum.opnsense.org/index.php?topic=16595.msg87573#msg87573
as an example of adding a hook
in the "stream server" case it's the streams.conf template in /usr/local/opnsense/service/templates/opnsense/nginx/
at the end of the file, before the last brace, you can insert a hook for the server post-conf, like:

{%   endif%}
    include {{ server['@uuid'] }}_post/*.conf;
    }
{% endfor %}
{% endif %}
OK, gave it a try, changed the template and reloaded, added the hook according to the rtfm, with proxy_protocol = on; within it, then the following problem occurred: the entry is duplicated.

I then removed the proxy_protocol entries on the listen lines within streams.conf. Still the same. There must be an entry for this somewhere else. Do you have an idea? Is proxy_protocol written into the streams from places other than streams.conf in the template directory?

Or is there a parameter to tell nginx to accept only the last loaded parameter?

October 28, 2020, 07:02:06 AM #18 Last Edit: October 28, 2020, 07:21:37 AM by Fright
I'm a little confused.
Did you turn off PROXY in the GUI?
The proxy_protocol parameter in the listen directive is set from the GUI:
{%   if server.listen_port is defined %}
        listen  {{ server.listen_port }}{% if server.udp is defined and server.udp == '1' %} udp{% endif %}{% if tls_enabled %} ssl{% endif %}{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %};
        listen  [::]:{{ server.listen_port }}{% if server.udp is defined and server.udp == '1' %} udp{% endif %}{% if tls_enabled %} ssl{% endif %}{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %};
{%   endif %}

If you add the "proxy_protocol on;" directive via the hook you need to disable PROXY in the GUI.
Also,
you need to remove the "proxy_protocol" string from the template or (better imho) make this change:
before:
        proxy_protocol {% if server.proxy_protocol == '1' %}on{% else %}off{% endif %};
after:
{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %}
           proxy_protocol on;
{% endif %}


Hi Fright,

Confused? Right, so I was...

Those were the lines I modified (listen directive) and commented out (proxy_protocol), but still I got the message. I also thought I had forgotten to uncheck proxy_protocol. Looking at the code, it seems the directive is written in each case: if it's on in the GUI, it will be set to on, if not, it will be set to off.

It seems that I have to prepare an nginx.conf manually with those lines corrected, or set proxy_protocol=on; each time I modify it.

Thx.

October 28, 2020, 10:22:53 AM #20 Last Edit: October 28, 2020, 10:36:18 AM by ruggerio
So for the interested ones (if somebody could verify, please), a working config (mucho bricollagio):

Prerequisite: proxy protocol is not enabled in the WebGUI for streams!

1) create in streams.conf under /usr/local/opnsense/service/templates/OPNsense/Nginx the following entry:
include {{ server['@uuid'] }}_post/*.conf; right before the last } of the last %endfor, then reload the streams config in the WebGUI

2) go to /usr/local/etc/nginx/nginx.conf and copy the uuid of the stream(s) which have been newly created. The include is the last line per stream, e.g.

    server {
        listen  143;
        listen  [::]:143;

        access_log  /var/log/nginx/stream_1ef25291-7e82-4e66-a677-a4629270ff87.access.log main;
        error_log  /var/log/nginx/stream_1ef25291-7e82-4e66-a677-a4629270ff87.error.log info;

        proxy_ssl off;
        proxy_pass upstream3605708c54c0460ca656e8fbaeadabb9;
#        proxy_protocol off;
        include 1ef25291-7e82-4e66-a677-a4629270ff87_post/*.conf; ---> UUID here!

3) create manually a folder with the uuid copied from 2) under /usr/local/etc/nginx/

4) within the newly created directory from 3), create a file, e.g. proxy_protocol.conf, whose only content is proxy_protocol on;

5) within the file streams.conf (the same as from 1)), search for this line: proxy_protocol {% if server.proxy_protocol == '1' %}on{% else %}off{% endif %}; and comment it out.

6) copy this one here right below the commented line from 5):
{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %}
           proxy_protocol on;
{% endif %}


Apply the configuration in the WebGUI and reload the service. You should be done.

Thx @Fright for your help!
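Steps 2) to 4) above can be scripted. The following is an added example, not OPNsense's or the poster's own code: it reads the `include <uuid>_post/*.conf;` lines out of a rendered nginx.conf, creates the matching drop-in directories with `proxy_protocol on;`, and first refuses to do so if a listen line still carries proxy_protocol (the duplicate-directive problem seen in this thread). The config path and root directory are parameters (an assumption) so it runs here against a constructed sample in a temp dir.

```shell
#!/bin/sh
# Added example, not OPNsense's or the poster's own code: automates steps 2) to 4)
# above. Given an nginx.conf rendered by the patched streams.conf, it finds every
# "include <uuid>_post/*.conf;" line, creates <uuid>_post under the config root
# and drops a proxy_protocol.conf into it. Paths are parameters (assumption) so the
# functions can run against a constructed config in a temp dir.
set -eu

# Returns 0 if any active listen line still carries proxy_protocol, i.e. PROXY is
# still enabled in the GUI and the hook would produce the duplicate directive.
listen_has_proxy_protocol() {
    grep -Eq '^[[:space:]]*listen[[:space:]].*[[:space:]]proxy_protocol;' "$1"
}

# Create <uuid>_post/proxy_protocol.conf under $2 for each hook include in $1;
# prints the handled uuids, one per line.
make_post_hooks() {
    conf=$1; root=$2
    sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\([0-9a-f-]\{36\}\)_post\/\*\.conf;.*/\1/p' "$conf" |
    while read -r uuid; do
        mkdir -p "$root/${uuid}_post"
        printf 'proxy_protocol on;\n' > "$root/${uuid}_post/proxy_protocol.conf"
        echo "$uuid"
    done
}

# Constructed sample mirroring the nginx.conf fragment in the post above.
demo_root=$(mktemp -d)
cat > "$demo_root/nginx.conf" <<'EOF'
stream {
    server {
        listen  143;
        listen  [::]:143;
        proxy_ssl off;
        proxy_pass upstream3605708c54c0460ca656e8fbaeadabb9;
#        proxy_protocol off;
        include 1ef25291-7e82-4e66-a677-a4629270ff87_post/*.conf;
    }
}
EOF

if listen_has_proxy_protocol "$demo_root/nginx.conf"; then
    echo "PROXY still set on a listen line; disable it in the GUI first" >&2
    exit 1
else
    make_post_hooks "$demo_root/nginx.conf" "$demo_root"   # prints the uuid
fi
```

On a real box, point it at /usr/local/etc/nginx/nginx.conf and /usr/local/etc/nginx, then run nginx -t before reloading.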