nginx plugin

Started by fabian, June 10, 2018, 12:35:30 PM

My bad,

Yes, it's in there, but only available in "Advanced Mode" in Location definition.
Soekris net6501-70, APU 2C4, Soekris net5501-70, ...

That's a problem of the interface of nginx: it has so many settings that many of them must be advanced to prevent flooding the common interface.

February 13, 2019, 09:24:33 PM #77 Last Edit: February 13, 2019, 09:31:16 PM by Alphakilo
Hi fabian!

Thanks for the awesome plugin, love it! One less machine in the network to tend to.
I have a couple of questions / requests though:

Is it possible to define a listening interface?
In my case nginx is a reverse proxy. That's its only job. The only interface it should be accessible from is WAN.
Also I don't want it to combat the existing listeners on 80,443/tcp.

Could we get to define snippets that we can include per server?
This will help to use advanced features of nginx without further cluttering the web interface.
And also help me to limit the amount of code reuse I have to do per server :P

Can we use existing lists (pf aliases / nginx ACLs) as httpserver.trusted_proxies?
I run behind Cloudflare. And manually adding and maintaining all Cloudflare IPv4 and v6 ranges is a royal pain in the buttox.

Is it possible to disable / enable httpservers?
I'm thinking the way we're able to enable / disable, say, firewall rules.

I might check if I can hack the first two together when time allows. The others are beyond my skills.

Love this solid piece of advice btw:


Applies to so many things.

Since my session got killed and I don't want to write the long text again:
(1)
No, that is hard to implement in a stable way (interface status changes, IP address changes, ...)
(2)
No, but maybe an include directive can be added if it causes no problem when no file matches: https://nginx.org/en/docs/ngx_core_module.html#include
(3)
Maybe; since the PF aliases have been moved to MVC, it should be possible to refer to them in MVC models.
(4)
No, but it would be just a boolean to add to the form and the model, as well as an "if" in the template around the server block.

---
For the advice: You probably know why I've written that into this help text ;)


🥳 Thank you very much!

With the Naxsi plugin, how do I enable the core rules that are located in the /usr/local/etc/nginx folder? Also, I tried to recreate those rules, but when I attempt to create the policy, it won't let me select any operator except "=" (error: option not in list), and then I get this:
Incorrect line CheckRule $policy8f40a781e34045c193b56a9e5d37b585 = 4 (/usr/obj/usr/ports/www/nginx/work/naxsi-0.56/naxsi_src/naxsi_skeleton.c/646)... in /usr/local/etc/nginx/nginx.conf:229

This should already be fixed (it was a bug in OPNsense core).

Yes, you are correct. Upgrading did fix the issue. However, I can't figure out how to use the whitelist feature via the GUI. I know that in the config file for nginx, "basic rule wl:11;" would whitelist rule 11. How do I do that via the GUI? I've tried creating a separate policy and attaching a basic rule with id 11 selecting a URL value, but nginx throws an error in the log:

2019/03/11 20:42:09 [emerg] 18627#100242: matchzone doesn't target an actual zone. in /usr/local/etc/nginx/nginx.conf:301
2019/03/11 20:42:09 [emerg] 18627#100242: Naxsi-Config : Incorrect line BasicRule id:11 (/usr/obj/usr/ports/www/nginx/work/naxsi-0.56/naxsi_src/naxsi_skeleton.c/474)... in /usr/local/etc/nginx/nginx.conf:301

It should be wl:11, not id:11.