nginx service not starting after reboot

Started by psychofaktory, December 20, 2024, 10:56:59 AM

December 20, 2024, 10:56:59 AM Last Edit: December 20, 2024, 05:06:13 PM by psychofaktory
Hi,


I have recently upgraded from OPNsense 24.7.10 to the current version 24.7.11_2.
No other changes were made to the nginx configuration.

Since a restart, the nginx service can no longer be started.

log says:
2024-12-20T10:44:37 Emergency nginx nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
2024-12-20T10:44:37 Emergency nginx nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /usr/local/etc/nginx/nginx.conf:8175
2024-12-20T10:44:36 Debug nginx NGINX setup routine started.

The nginx.conf looks like this from the mentioned line 8175 onwards:
server {

    listen 80 default_server;
    listen [::]:80 default_server;


    sendfile On;
    server_name  example.com;

    client_header_buffer_size 1k;
    large_client_header_buffers 4 8k;
    charset utf-8;
    access_log  /var/log/nginx/example.com.access.log main;
    access_log  /var/log/nginx/tls_handshake.log handshake;
    error_log  /var/log/nginx/example.com.error.log error;
    #include tls.conf;
    error_page 403 /opnsense_error_403.html;
    error_page 404 /opnsense_error_404.html;
    error_page 405 /waf_denied.html;
    error_page 500 501 502 503 504 /opnsense_server_error.html;

    location = /opnsense_error_403.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location = /opnsense_error_404.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    location = /opnsense_server_error.html {
        internal;
        root /usr/local/etc/nginx/views;
    }
    # location to ban the host permanently
    set $naxsi_extensive_log 0;
    location @permanentban {
        access_log /var/log/nginx/permanentban.access.log main;
        internal;
        add_header "Content-Type" "text/plain; charset=UTF-8" always;
        return 403 "You got banned permanently from this server.";
    }
    error_page 418 = @permanentban;
    location = /waf_denied.html {
        root /usr/local/etc/nginx/views;
        access_log /var/log/nginx/waf_denied.access.log main;
    }
    location ^~ /.well-known/acme-challenge/ {
        default_type "text/plain";
        proxy_pass http://127.0.0.1:43580;
    }
    # block based on User Agents defined in global http settings
    if ($http_user_agent ~* Python-urllib|Nmap|python-requests|libwww-perl|MJ12bot|Jorgee|fasthttp|libwww|Telesphoreo|A6-Indexer|ltx71|okhttp|ZmEu|sqlmap|LMAO/2.0|l9explore|l9tcpid|Masscan|zgrab|Ronin/2.0|Hakai/2.0|Indy\sLibrary|^Mozilla/[\d\.]+$|Morfeus\sFucking\sScanner|MSIE\s[0-6]\.\d+) {
        return 418;
    }
    location /opnsense-auth-request {
      internal;
      fastcgi_pass  unix:/var/run/php-webgui.socket;
      fastcgi_index index.php;
      fastcgi_param TLS-Cipher $ssl_cipher;
      fastcgi_param TLS-Protocol $ssl_protocol;
      fastcgi_param TLS-SNI-Host $ssl_server_name;
      fastcgi_param Original-URI $request_uri;
      fastcgi_param Original-HOST $host;
      fastcgi_param SERVER-UUID "337026df-317a-49d2-9526-172c5b38bcc4";
      fastcgi_param SCRIPT_FILENAME  /usr/local/opnsense/scripts/nginx/ngx_auth.php;
      fastcgi_param AUTH_SERVER "Local Database";
      fastcgi_intercept_errors on;
      include        fastcgi_params;
    }
    include 337026df-317a-49d2-9526-172c5b38bcc4_pre/*.conf;


location  / {
    BasicRule wl:19;
    DeniedUrl "/waf_denied.html";
    if ($scheme != "https") {
        return 302 https://$host$request_uri;
    }
    autoindex off;
    proxy_set_header Host $host;
    proxy_set_header X-TLS-Cipher $ssl_cipher;
    proxy_set_header X-TLS-Protocol $ssl_protocol;
    proxy_set_header X-TLS-SNI-Host $ssl_server_name;
    # proxy headers for backend server
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-TLS-Client-Intercepted $tls_intercepted;
    proxy_read_timeout 3600s;
    proxy_send_timeout 3600s;
    proxy_ignore_client_abort off;
    proxy_request_buffering off;
    proxy_max_temp_file_size 1024m;
    proxy_buffering off;
    proxy_pass https://upstreamb7b7de2accac4d758e74637ac2fd5380;
    proxy_ssl_server_name off;
    proxy_ssl_protocols TLSv1.2 TLSv1.3;
    proxy_ssl_session_reuse off;
    proxy_ssl_trusted_certificate /usr/local/etc/nginx/key/trust_upstream_b7b7de2a-ccac-4d75-8e74-637ac2fd5380.pem;
    proxy_ssl_verify off;
    proxy_ssl_verify_depth 1;
    proxy_store off;
    proxy_hide_header X-Powered-By;
    include 0b649b16-f937-41e3-8518-27b394057e1a_post/*.conf;
}
    include 337026df-317a-49d2-9526-172c5b38bcc4_post/*.conf;

Where is the mistake here?

There was obviously something wrong with the configuration.

Unfortunately, even after intensive searching and reconfiguring, I couldn't find out exactly where the error was.


I have now reset OPNsense to version 24.7.10 and restored a configuration from 3 days ago.

nginx could then be started again. I then carried out the update to version 24.7.11_2 again.


Now everything works again.