[SOLVED] opnsense-nginx-opnsense redirection

[maoz]

Hi!
I have a basic setup:
home network as WAN 192.168.1.0 - LAN 10.10.10.0
Behind firewall sits NGINX rev proxy.
And I forward 80 and 443 from WAN to NGINX

So I want to enter Opnsense via LAN 10.10.10.1.

So my current scheme is:
192.168.1.101 (opnsense WAN)-to-10.10.10.2(NGINX REV. PROXY)-to-10.10.10.1(Opnsense LAN address)

But I faced with problems that NGINX change HTTP to HTTPS while reversing to Opnsense. Other services work fine line NGINX static web page etc.

How to solve it?

Code: [Select]

C:\Users\artem>curl -Lvk http://10.10.10.1
*   Trying 10.10.10.1:80...
^C
C:\Users\artem>curl -Lvk http://192.168.1.101
*   Trying 192.168.1.101:80...
* Connected to 192.168.1.101 (192.168.1.101) port 80
> GET / HTTP/1.1
> Host: 192.168.1.101
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.22.1
< Date: Sun, 20 Oct 2024 16:26:29 GMT
< Content-Length: 0
< Connection: keep-alive
< Location: https://192.168.1.101/
< Test_header: test
<
* Ignoring the response-body
* Connection #0 to host 192.168.1.101 left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://192.168.1.101/'
*   Trying 192.168.1.101:443...
* connect to 192.168.1.101 port 443 from 0.0.0.0 port 62405 failed: Connection refused
* Failed to connect to 192.168.1.101 port 443 after 2076 ms: Couldn't connect to server
* Closing connection
curl: (7) Failed to connect to 192.168.1.101 port 443 after 2076 ms: Couldn't connect to server

C:\Users\artem>curl -Lvk http://192.168.1.101
*   Trying 192.168.1.101:80...
* Connected to 192.168.1.101 (192.168.1.101) port 80
> GET / HTTP/1.1
> Host: 192.168.1.101
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.22.1
< Date: Sun, 20 Oct 2024 16:27:46 GMT
< Content-Length: 0
< Connection: keep-alive
< Location: https://10.10.10.1/
< Test_header: test
<
* Ignoring the response-body
* Connection #0 to host 192.168.1.101 left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://10.10.10.1/'
*   Trying 10.10.10.1:443...
* connect to 10.10.10.1 port 443 from 0.0.0.0 port 62434 failed: Timed out
* Failed to connect to 10.10.10.1 port 443 after 21048 ms: Couldn't connect to server
* Closing connection
curl: (28) Failed to connect to 10.10.10.1 port 443 after 21048 ms: Couldn't connect to server

From LAN Opnsense is reachable:

Code: [Select]

root@nginx:/etc/nginx/conf.d# curl -kLv 10.10.10.1
*   Trying 10.10.10.1:80...
* Connected to 10.10.10.1 (10.10.10.1) port 80 (#0)
> GET / HTTP/1.1
> Host: 10.10.10.1
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Location: https://10.10.10.1/
< Content-Length: 0
< Date: Sun, 20 Oct 2024 16:38:40 GMT
< Server: OPNsense
<
* Connection #0 to host 10.10.10.1 left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://10.10.10.1/'
*   Trying 10.10.10.1:443...
* Connected to 10.10.10.1 (10.10.10.1) port 443 (#1)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN: server accepted h2
* Server certificate:
*  subject: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*  start date: Oct  4 15:09:55 2024 GMT
*  expire date: Nov  5 15:09:55 2025 GMT
*  issuer: CN=OPNsense.localdomain; C=NL; ST=Zuid-Holland; L=Middelharnis; O=OPNsense self-signed web certificate
*  SSL certificate verify result: self-signed certificate (18), continuing anyway.
* using HTTP/2
* h2h3 [:method: GET]
* h2h3 [:path: /]
* h2h3 [:scheme: https]
* h2h3 [:authority: 10.10.10.1]
* h2h3 [user-agent: curl/7.88.1]
* h2h3 [accept: */*]
* Using Stream ID: 1 (easy handle 0x55aeebbbc7f0)
> GET / HTTP/2
> Host: 10.10.10.1
> user-agent: curl/7.88.1
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< HTTP/2 200
< set-cookie: PHPSESSID=a1c528aef7da098b20163db04128c8e7; path=/; secure; HttpOnly; SameSite=Lax
< set-cookie: PHPSESSID=a1c528aef7da098b20163db04128c8e7; path=/; secure; HttpOnly
< set-cookie: cookie_test=34e933bad01e167f8fbc1b3521de218a; expires=Sun, 20 Oct 2024 17:38:40 GMT; Max-Age=3600; path=/; secure; HttpOnly
< expires: Thu, 19 Nov 1981 08:52:00 GMT
< cache-control: no-store, no-cache, must-revalidate
< pragma: no-cache
< content-security-policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' 'unsafe-eval';
< x-frame-options: SAMEORIGIN
< x-content-type-options: nosniff
< x-xss-protection: 1; mode=block
< referrer-policy: same-origin
< content-type: text/html; charset=UTF-8
< accept-ranges: bytes
< content-length: 2787
< date: Sun, 20 Oct 2024 16:38:40 GMT
< server: OPNsense
<
<!doctype html>
<html lang="en-US" class="no-js">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge">

    <meta name="robots" content="noindex, nofollow" />
    <meta name="keywords" content="" />
    <meta name="description" content="" />
    <meta name="copyright" content="" />
    <meta name="viewport" content="width=device-width, initial-scale=1, minimum-scale=1" />
    <meta name="mobile-web-app-capable" content="yes">
    <meta name="apple-mobile-web-app-capable" content="yes">

    <title>Login | OPNsense</title>



And my NGINX config:

Code: [Select]

server {
    listen 80;
#    server_name *.test-laba.duckdns.org;

    access_log /var/log/nginx/test-access-logs.log custom_log;

    location / {
        proxy_pass http://10.10.10.1:80;  # Location from the map
#        proxy_set_header Host $host; - just to see a filal address at output
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Test_header test;
    }
}



Also tried a 'proper' config but only got looping.

Code: [Select]

# Define a custom log format
log_format custom_log '"Request: $request\n Status: $status\n Request_URI: $request_uri\n Host: $host\n Client_IP: $remote_addr\n Proxy_IP(s): $proxy_add_x_forwarded_for\n Proxy_Host: $proxy_host\n"';


# HTTP server block to handle port 80 and redirect to HTTPS
server {
    listen 80;
    server_name *.test-laba.duckdns.org;


    # Redirect all HTTP requests to HTTPS
    location / {
        return 301 https://$host$request_uri;
    }
}

# Map для определения backend по серверному имени
map $host $backend {
    opnsense.test-laba.duckdns.org http://10.10.10.1:80;
}


# Основной SSL серверный блок для всех доменов
server {
    listen 443 ssl;
    server_name *.test-laba.duckdns.org;

    # SSL configuration for wildcard certificate
    ssl_certificate /etc/letsencrypt/live/test-laba.duckdns.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/test-laba.duckdns.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    access_log /var/log/nginx/test-access-logs.log custom_log;

    # Proxy to backend service for all subdomains
    location / {
        proxy_pass $backend;  # Location from the map
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Test_header jay;
    }
}



Code: [Select]

C:\Users\artem>curl -Lv http://opnsense.test-laba.duckdns.org --max-redirs 1
* Host opnsense.test-laba.duckdns.org:80 was resolved.
* IPv6: (none)
* IPv4: 192.168.1.101
*   Trying 192.168.1.101:80...
* Connected to opnsense.test-laba.duckdns.org (192.168.1.101) port 80
> GET / HTTP/1.1
> Host: opnsense.test-laba.duckdns.org
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.22.1
< Date: Sat, 19 Oct 2024 19:38:39 GMT
< Content-Type: text/html
< Content-Length: 169
< Connection: keep-alive
< Location: https://opnsense.test-laba.duckdns.org/
<
* Ignoring the response-body
* Connection #0 to host opnsense.test-laba.duckdns.org left intact
* Clear auth, redirects to port from 80 to 443
* Issue another request to this URL: 'https://opnsense.test-laba.duckdns.org/'
* Host opnsense.test-laba.duckdns.org:443 was resolved.
* IPv6: (none)
* IPv4: 192.168.1.101
*   Trying 192.168.1.101:443...
* Connected to opnsense.test-laba.duckdns.org (192.168.1.101) port 443
* schannel: disabled automatic use of client certificate
* ALPN: curl offers http/1.1
* ALPN: server accepted http/1.1
* using HTTP/1.x
> GET / HTTP/1.1
> Host: opnsense.test-laba.duckdns.org
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
* schannel: remote party requests renegotiation
* schannel: renegotiating SSL/TLS connection
* schannel: SSL/TLS connection renegotiated
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.22.1
< Date: Sat, 19 Oct 2024 19:38:40 GMT
< Content-Length: 0
< Connection: keep-alive
< Location: https://10.10.10.1/
< Test_header: jay
<
* Ignoring the response-body
* Connection #1 to host opnsense.test-laba.duckdns.org left intact
* Maximum (1) redirects followed
curl: (47) Maximum (1) redirects followed


Thanks!

[maoz]

Possibly the problem is here, but a browser works with no problem directly with the Opnsense. So I thought there should be no problem. To solve it I tried to use HTTP instead of HTTPS after redirection.

Code: [Select]

root@nginx:/etc/nginx/conf.d# curl -Iv https://10.10.10.1
*   Trying 10.10.10.1:443...
* Connected to 10.10.10.1 (10.10.10.1) port 443 (#0)
* ALPN: offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self-signed certificate
* Closing connection 0
curl: (60) SSL certificate problem: self-signed certificate
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.


[maoz]

Changed System>Settings>HTTPS to HTTP.
Kept the last NGINX config with wildcard cert for the domain.
So it works that way HTTP>Opnsense>NGINX(forced redirect to HTTPS)>proxied to HTTP Opnsense

Weird, but works for home only, I think cause I don't have to mess with certs in the local network (even if any domain + cloudflare solves it).