www/nginx: Feature: Inclusion of a specified config file into location/server blocks
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
- [x] I have read the contributing guidelines at https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md
- [x] I have searched the existing issues, open and closed, and I'm convinced that mine is new.
- [x] When the request is meant for an existing plugin, I've added its name to the title.
Is your feature request related to a problem? Please describe.
Right now if you want to add synchronized changes to multiple vhosts you have to add a folder on the firewall over ssh for each, symlink a config from there and then put your changes into that.
(Why?: Ex:
- Safari denies connection if a downstream server on http sends an Upgrade header which nginx carries to the https frontend so that header needs to be stripped
- Rate Limiting bots by networks/user agent across all vhosts
- Allowing to import config sets from either an admin with bans or adding https://github.com/mitchellkrogza/nginx-ultimate-bad-bot-blocker to specific hosts )
Describe the solution you'd like
Either a way to toggle a known include (opnsense-locations-post-addon.conf/-server-pre/post-addons.conf?) or an input for a file to be included in server or location block per upstream. Or possibly even both.
Describe alternatives you've considered
Currently it is doable by grepping the uuids out of the nginx config, creating a folder for each server pre and location post and symlinking a file for all of them - resulting in n*2 folders for n server entries in the nginx config directory
Examples:
A) If Safari is not compliant with HTTP it is broken and Apple needs to fix that. Handling this workaround should be done by the backend application (not requesting an upgrade to whatever - usually websocket) and/or the user agent (example: javascript should not request a websocket if the implementation is insufficient) but not by any middle box. BTW: did you forget to enable HTTP/1 upgrade (websocket) support?
B) Afaik the plugin has rate limit support
C) Actually those directories are intended to allow plugins on top of the nginx plugin. So you can build an os-nginx-ultimate-bad-bot-blocker plugin and instruct configd to create those includes for you.
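The per-UUID directory and symlink workaround described in the issue, as an added example that is not part of the original thread or the plugin's code. It assumes the generated config uses glob includes whose directory name contains the entry's UUID; the function names, the `shared.conf` link name and the sample config are constructed for illustration.

```shell
# Added example. Assumption: the generated config pulls per-entry snippets in
# with glob includes such as:  include <dir>/<uuid>_pre/*.conf;
# Directory names are read from the config itself, never hard-coded.
UUID_RE='[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}'

# Print each distinct include directory that has a UUID in its name.
list_include_dirs() {
    grep -Eo "include[[:space:]]+[^;]*${UUID_RE}[^;/]*/\*\.conf;" "$1" |
        sed -E -e 's/^include[[:space:]]+//' -e 's#/\*\.conf;$##' | sort -u
}

# nginx parses its config as root, so reject a snippet that is a symlink or
# that group/other can write (characters 6 and 9 of the ls mode string).
snippet_is_safe() {
    [ -f "$1" ] && [ ! -L "$1" ] || return 1
    case $(ls -ld "$1" | cut -c1-10) in
        ?????w*|????????w*) return 1 ;;
    esac
}

# Create every include directory and symlink the shared snippet (absolute
# path) into it. Prints how many directories were handled.
link_shared_snippet() {
    conf=$1 snippet=$2 count=0
    snippet_is_safe "$snippet" || { echo "unsafe snippet: $snippet" >&2; return 1; }
    for dir in $(list_include_dirs "$conf"); do
        mkdir -p "$dir" && ln -sf "$snippet" "$dir/shared.conf" || return 1
        count=$((count + 1))
    done
    echo "$count"
}

# Constructed sample: two server entries with three UUID includes in total.
demo() {
    root=$(mktemp -d)
    cat > "$root/nginx.conf" <<EOF
server {
    include $root/plugins/6f1c2a9e-3b47-4d1a-9c55-0a1b2c3d4e5f_pre/*.conf;
    location / { include $root/plugins/0d9e8f7a-1b2c-4d3e-8f90-a1b2c3d4e5f6_post/*.conf; }
}
server {
    include $root/plugins/7a6b5c4d-3e2f-4a1b-9c8d-7e6f5a4b3c2d_pre/*.conf;
    include mime.types;
}
EOF
    printf 'proxy_hide_header Upgrade;\n' > "$root/shared.conf"
    chmod 644 "$root/shared.conf"
    link_shared_snippet "$root/nginx.conf" "$root/shared.conf"
}
```

Calling `demo` prints the number of directories linked; on a real system, validate the result with `nginx -t` before reloading.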
This issue has been automatically timed-out (after 180 days of inactivity).
For more information about the policies for this repository, please read https://github.com/opnsense/plugins/blob/master/CONTRIBUTING.md for further details.
If someone wants to step up and work on this issue, just let us know, so we can reopen the issue and assign an owner to it.