NGINX Redirect

Started by Junktroep, January 20, 2023, 03:29:35 PM

I have a reverse nginx proxy running on an Ubuntu box.
It runs on non-standard SSL ports; an example of my config:

server {
    listen 9090 default_server ssl http2;
    server_name blabla;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-XSS-Protection "1; mode=block";

    ssl_certificate /etc/letsencrypt/live/blabla/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/blabla/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/blabla/chain.pem;
    include snippets/ssl.conf;
    error_page  497 https://$host:9090$request_uri;

    access_log /var/log/nginx/blabla.access.log apm;
    error_log /var/log/nginx/blabla.error.log warn;

    location / {
        proxy_pass        http://127.0.0.1:8080;
        proxy_set_header  X-Real-IP  $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_redirect off;
    }
}

I wanted to move this functionality to OPNsense, and it works nicely with the nginx plugin.

One thing I can't get to work is the HTTP to HTTPS redirect.
In the example above I get this going with: error_page  497 https://$host:9090$request_uri;
This redirects HTTP requests to HTTPS.

But I can't find this in the error pages overview in OPNsense, and I have no idea how, or even if, this can be done.

Any tip or help is appreciated. Thanks.

"HTTPS Only" checkbox in Server config or "Force HTTPS" checkbox in Location config do the same with the

    if ($scheme != "https") {
        return 302 https://$host$request_uri;
    }

This checkbox does nothing for my config, even after a reboot.
In the OPNsense reverse proxy server settings I have only specified an HTTPS port, just like in my example config.
It doesn't seem to like binding the same port to HTTPS and HTTP.

I still get: The plain HTTP request was sent to HTTPS port, error 400,
when connecting on http://mydomain.com:myport

Yep, you need to bind HTTP also for this.
The 497 error_page is not in the GUI yet,
so you need to use a server hook for this, IMHO (https://forum.opnsense.org/index.php?topic=31234.0).
There it will be possible to add a directive missing in the GUI.

The hook pointed me in the right direction.
Creating the <uid>_post directory with a 497_error_page.conf in it,
containing error_page  497 https://$host:9090$request_uri;
makes HTTP requests to the HTTPS port redirect successfully.

PS: adding the error_page 497 to the nginx.conf also makes it work.
But I guess this will not survive any modifications done in the GUI.
I hope this customization survives firmware upgrades.

Since this is a pretty nice way to redirect HTTP to HTTPS, I hope this will soon be added as default in the GUI.
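
A way to check the behaviour discussed in this thread, as an added example that is not part of any post: the function classifies the response headers returned when plain HTTP is sent to the TLS listener, telling the default 400 apart from a redirect to https on the same port. The host name, the function names and both sample responses are constructed; in practice the input would be the output of `curl -sI http://HOST:PORT/`.

```shell
#!/bin/sh
# Added example: classify the response to a plain-HTTP request that was sent
# to a TLS-only nginx listener. Input is the raw response headers on stdin,
# for instance from: curl -sI http://HOST:PORT/   (HOST and PORT are yours).

# classify_plain_http PORT
# prints: redirect-ok | redirect-wrong-target | plain-http-rejected | unexpected
classify_plain_http() {
    port=$1
    headers=$(tr -d '\r')                  # HTTP header lines end in CRLF
    code=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')
    case $code in
        400) echo plain-http-rejected; return 0 ;;  # 497 not handled: nginx answers 400
        301|302|303|307|308) ;;                     # a redirect, inspect its target
        *) echo unexpected; return 0 ;;
    esac
    # The target must be https and keep the non-standard port; otherwise the
    # client is sent to 443 or stays on plain HTTP.
    rest=${location#https://}
    result=redirect-wrong-target
    if [ "$rest" != "$location" ]; then             # the https:// prefix was present
        case ${rest%%/*} in *:"$port") result=redirect-ok ;; esac
    fi
    echo "$result"
}

# Constructed sample responses: without and with the error_page 497 directive.
sample_before() { printf 'HTTP/1.1 400 Bad Request\r\nServer: nginx\r\n\r\n'; }
sample_after() { printf 'HTTP/1.1 302 Moved Temporarily\r\nServer: nginx\r\nLocation: https://proxy.example.test:9090/app?x=1\r\n\r\n'; }

sample_before | classify_plain_http 9090
sample_after  | classify_plain_http 9090
```

Running the same check after a GUI change or firmware upgrade shows whether the hook file is still being included.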