NGINX Naxsi and Nextcloud Webdav

[moe]

Hi,
I have made a setup with a reverse proxy based on nginx and not on ha-proxy because i would use the naxsi features.
But whats happen now is, that the bot-protection ban every smartphone client with davx running.
As seen in the davx log it uses okhttp for the sync and as far as I know nginx detect this as bot.

So is there any way to made an expection for the okhttp or better for the client-subnet?

Thanks for your answer.

kind regards

[fabian]

No, but you can disable it entirely using a checkbox (advanced settings).

[RamSense]

maybe as some workaround: give the smartphones a static ip and when away from the (local)network using vpn with static ip per smartphone opnvpn / wireguard vpn.
than in nginx - http server - advanced settings - Naxsi Trusted Source IPs -> fill the static ip addresses of the smartphones and smartphones vpn IP's

[moe]

@fabian
Im asking because I found an old Thread where you Post the Info that it would be able with OID, but I didn't understand how to solve this.
Do I need to create a local configuration on the cli? You have written there to use the plugin...
May you remember?

@Ramsense, I belive Naxsi Trusted Source would not help, because the problem exists without Naxsi enabled, it depends on the bot-protection.

Kind regards

[fabian]

This is not naxsi, but the plugin itself. Just enable the advanced options to make the setting visible.

[moe]

hi fabian,
thats what I mean:
https://forum.opnsense.org/index.php?topic=11505.msg56331#msg56331

In this thread you have descriped a way to exclude okhttp from the bot-protection. Can you give some more details?

THanks

[fabian]

The UUID is used to create a directory to create a custom configuration include. With that you can customize the generated config with the risk of breaking it. You can find it in the config.xml.

[moe]

Thanks for your answer, but its still not really clear for me, in the config.xml I found many UUIDs. Do you mean the UUID from the API?
And where do I need to create the Folder? Root/Home/nginx config folder?

Please share more details, I would think a lot people would be interessted in that funktionality.

Thanks!

[fabian]

the nginx configuration directory.

[moe]

@fabian
Thanks, but why you would not like to share more information about that?
Isn't it possible to get an config example?

[fabian]

Example include:

https://github.com/opnsense/plugins/blob/master/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf#L359

You cannot get a config example because you have to write your custom include by yourself. This is functionality is hidden and intended for people who know what they are doing - especially when they look at the generated nginx.conf.

Every typo, Syntax error or logic error can break the entire plugin as there is no validation.

[akif5561]

@fabian
Same problem here
Not many posts about the Bot Protection of the nginx Plugin.  Is it possible
to implement it to the Plugin GUI to make exclusions for User Agents instead of disabling it?
Would be a nice feature.

[Fright]

https://github.com/opnsense/plugins/pull/3678 ?

[akif5561]

Thank you @Fright !

Didn't look up the upcoming Pull requests on Github

[Layer8]

I cant contribue a solution, but I think my problem fits in here.

We are using Keepass2Android on our mobile phones. We noticed some time ago, that its not longer possible to access the keepass databate which is located on a nextcloud server, which is behind a nginx on a opnsense.

I just found out, that the problem was the Bot Protection of the nginx. I disabled it and now we can access the nextcloud server with Keepass2Android again.

The strange thing was, that it was possible to access nextcloud with the nextcloud android app and other webdav clients all the time.

Hope this info will help some people who are looking for a solution.

I am also interested in a solution to enable the Bot protection again.

Edit: Keepass2Android has thrown this error message: protocol=h2, code=403