OPNsense Forum » Archive » 23.7 Legacy Series » nginx - "Limit Networks" setting
Topic: nginx - "Limit Networks" setting (Read 638 times)
kurusii (Newbie, Posts: 1, Karma: 0)
« on: October 02, 2023, 05:26:34 am »
Hi,
I'm using Opnsense version:
OPNsense 23.7.5-amd64
FreeBSD 13.2-RELEASE-p3
OpenSSL 1.1.1w 11 Sep 2023
I use opnsense as my firewall and router between the WAN and my LAN, and have a number of (internal) VLAN interfaces also set up.
I have a server on my LAN that I've been using NAT port forwarding to expose ports 80 and 443 to the WAN interface. I wanted to use opnsense's nginx to do this instead for its WAF capabilities, so I configured it just now.
I configured my upstream server, listening ports and locations. I added the appropriate firewall rules to my WAN interface and it works right away. My question is about the option under General Settings -> GUI Settings -> Limit Networks. I see that this option puts ACLs in /usr/local/etc/nginx/nginx_web.conf to only let networks directly connected to the opnsense box connect to nginx, and in the web UI it says "Enabling this option is recommended if your nginx instance is reachable via the internet to prevent remote access to the web interface for security reasons."
Now, my opnsense box is connected to the Internet directly via the WAN interface, and I have just added firewall rules directly allowing tcp/80 and 443 to the firewall. I tried various URLs (/ui/, /api/, /index.php, /ui/index.php, etc.) from an external IP and they all give me errors as expected, but before I put this in production: is there any way that, by exposing nginx directly to the Internet, I somehow make my opnsense admin interface accessible to the Internet as well? Because I'm exposing nginx to the Internet, I found I have to disable Limit Networks in order to access the proxied host outside of my LAN.
Some more details: Under System -> Settings -> Administration, I have Listen Interfaces for the admin interface set to strictly internal (V)LAN subnets, and in the nginx configuration, I only have the one location set that I was previously NAT-port-forwarding to the WAN interface.
It looks like the only thing this Limit Networks option does is turn on some (future) local-network filters in /usr/local/etc/nginx/nginx_web.conf, which is currently commented out in the main nginx.conf with the comment
# TODO add when core is ready for allowing nginx to serve the web interface
Am I correct in that this option does nothing for the time being, and only will take effect when/if you switch to using nginx for proxying the main opnsense web UI, and it is safe to disable Limit Networks in the meantime?
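Added example, not part of the original post and not OPNsense's own code: one way to check whether a given nginx.conf actually pulls in nginx_web.conf is to list the include directives that are not commented out. The sample configuration, the include line in it and the upstream name are constructed for illustration, and matching is done on file name only, so a hit in another directory still needs a manual look.

```python
import fnmatch
import os
import re

# Constructed sample, modelled on what the post describes; not the real OPNsense file.
SAMPLE_CONF = """\
http {
    include mime.types;
    # TODO add when core is ready for allowing nginx to serve the web interface
    # include nginx_web.conf;
    server {
        listen 443 ssl;
        location / { proxy_pass http://upstream_example; }
    }
}
"""


def strip_comments(text):
    """Drop '#' comments line by line, keeping '#' that sits inside a quoted string."""
    cleaned = []
    for line in text.splitlines():
        quote, kept, i = None, [], 0
        while i < len(line):
            ch = line[i]
            if quote and ch == "\\" and i + 1 < len(line):
                kept.append(line[i:i + 2])  # escaped character inside a string
                i += 2
                continue
            if quote:
                quote = None if ch == quote else quote
            elif ch in "'\"":
                quote = ch
            elif ch == "#":
                break  # rest of the line is a comment
            kept.append(ch)
            i += 1
        cleaned.append("".join(kept))
    return "\n".join(cleaned)


def active_includes(text):
    """Arguments of every include directive that is not commented out."""
    pattern = re.compile(r"(?:^|(?<=[;{}]))\s*include\s+([^;]+?)\s*;", re.M)
    return [m.group(1).strip("'\"") for m in pattern.finditer(strip_comments(text))]


def is_included(text, target="nginx_web.conf"):
    """True if an active include names the target or a glob matching its file name."""
    name = os.path.basename(target)
    return any(fnmatch.fnmatch(name, os.path.basename(p)) for p in active_includes(text))
```

To run it against a live box, pass the contents of the main nginx.conf to `is_included()` and repeat the check after plugin updates, since the include may be enabled in a later release.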