# nginx "server" block for the OPNsense web GUI, rendered from a Jinja2
# template: "{% ... %}" / "{{ ... }}" are evaluated when the configuration is
# generated, everything else is emitted to nginx verbatim. Template inputs
# read in this block: system.webgui.{protocol,port,ssl-ciphers,compression},
# OPNsense.Nginx.webgui.limitnetworks, interfaces and virtualip.vip.
# (The "{% do %}" statements need the Jinja2 "do" extension to be enabled —
# presumably configured by the template loader; not visible here.)
server {
# Per keep-alive connection: at most 15 requests, closed after 30 s idle.
keepalive_requests 15;
keepalive_timeout 30;
# Document root for the legacy GUI; the /ui and /api locations below override it.
root /usr/local/www/;
# --- HTTPS branch: taken when system.webgui.protocol is "https" -------------
{% if system.webgui.protocol is defined and system.webgui.protocol == 'https' %}
# Plain-HTTP requests (they arrive on the port-80 listener just below) are
# answered with a 302 to the same host and URI over https; nothing else is
# served on port 80.
if ($scheme != "https") {
return 302 https://$host$request_uri;
}
listen 80 default_server; # if redirect is enabled
# TLS listener on the configured GUI port, falling back to 443 when unset.
listen {% if system.webgui.port is defined and system.webgui.port != '' %}{{ system.webgui.port }}{% else %}443{% endif %} ssl default_server;
# "http2 on;" is the nginx 1.25.1+ form of enabling HTTP/2 (replaces the
# older "listen ... http2" flag).
http2 on;
## TLS configuration
# Finite-field DH group for the DHE suites; the file name indicates the
# 4096-bit RFC 7919 group (contents not visible here).
ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
# Only secp384r1 is offered for ECDHE key exchange; X25519 and P-256 are not in
# this list, so clients that support only those cannot negotiate ECDHE here.
ssl_ecdh_curve secp384r1;
# Certificate chain and private key are read from the same PEM file.
ssl_certificate /var/etc/cert.pem;
ssl_certificate_key /var/etc/cert.pem;
# CA bundle used to validate client certificates. No "ssl_verify_client"
# directive appears in this server block, so client-certificate
# authentication is not enforced here unless it is set in an enclosing or
# included context (not visible).
ssl_client_certificate /var/etc/ca.pem;
# NOTE(review): TLSv1.1 is deprecated (RFC 8996); it is only useful for clients
# that cannot do TLS 1.2. TLS 1.3 suites are not governed by ssl_ciphers.
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
# An operator-supplied cipher list wins; otherwise the built-in default below.
{% if system.webgui['ssl-ciphers'] is defined and system.webgui['ssl-ciphers'] != '' %}
# NOTE(review): this line is the only directive in the block without a
# terminating ";" — unless the stored value carries one, the rendered
# directive runs into the next line and nginx rejects the configuration.
# Confirm against how the value is stored.
ssl_ciphers {{ system.webgui['ssl-ciphers'] }}
{% else %}
# Default list: ECDHE/DHE AES-GCM suites first, then SHA-2 and SHA-1 CBC suites,
# then non-forward-secret RSA suites (AES128-SHA etc.) and the generic
# "AES:CAMELLIA" groups. The trailing "!..." entries exclude anonymous and NULL
# suites, export grades, DES/3DES, RC4, MD5, PSK and anonymous ECDH.
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
{% endif %}
# --- plain-HTTP branch: any other protocol value ------------------------------
{% else %}
# Plain listener on the configured GUI port, falling back to 80 when unset.
listen {% if system.webgui.port is defined and system.webgui.port != '' %}{{ system.webgui.port }}{% else %}80{% endif %};
{% endif %}
# Directory listings are disabled.
autoindex off;
# gzip compression
# Serve a pre-compressed ".gz" sibling of a static file when one exists.
gzip_static on;
# On-the-fly gzip is only enabled when an operator sets a compression level.
# NOTE(review): compressing dynamically generated responses over TLS is the
# precondition for compression side channels (BREACH); it stays off unless
# system.webgui.compression is configured.
{% if system.webgui.compression is defined and system.webgui.compression != '' %}
gzip on;
gzip_comp_level {{ system.webgui.compression }};
{% else %}
gzip off;
{% endif %}
# The commented "compress.cache-dir", "server.upload-dirs",
# "server.max-request-size" and "fastcgi_read_timeout" lines below are
# leftovers from a lighttpd configuration (note the /tmp/lighttpdcompress path)
# and have no effect on nginx.
#compress.cache-dir = "/tmp/lighttpdcompress/"
# Extra MIME types to gzip (nginx compresses text/html regardless of this list).
gzip_types text/plain text/css text/xml text/javascript;
#server.upload-dirs = ( "/root/", "/tmp/", "/var/" )
# server.max-request-size = 2097152
# Adds Expires/Cache-Control (max-age of 50 hours) at server scope.
# NOTE(review): presumably PHP-generated responses are covered as well unless
# PHP emits its own caching headers — confirm on a dynamic page.
expires 50h;
# Maximum idle time with nothing being written (php downloading)
#fastcgi_read_timeout = 999
## where to send error/access-messages to
# Both logs go to local syslog (facility "daemon") and to a file under
# /var/log/nginx. The file error log runs at "debug", nginx's most verbose
# level; NOTE(review): confirm that is intended for production rather than
# left over from troubleshooting.
access_log syslog:server=127.0.0.1,facility=daemon;
access_log /var/log/nginx/webgui.access.log;
error_log syslog:server=127.0.0.1,facility=daemon;
error_log /var/log/nginx/webgui.error.log debug;
# Directory index candidates, tried in this order.
index index.php index.html index.htm default.htm;
# mimetype mapping
# A "types" block at server scope replaces (does not extend) the inherited
# mime table, so only the extensions listed here get a specific Content-Type;
# anything else falls back to nginx's default_type (not set in this block).
# NOTE(review): "audio/x-wav ogg" looks like a copy/paste slip — ogg files
# are normally served as audio/ogg.
types {
application/x-ns-proxy-autoconfig pad.dat;
application/pdf pdf;
application/pgp-signature sig;
application/futuresplash spl;
application/octet-stream class;
application/postscript ps;
application/x-bittorrent torrent;
application/x-dvi dvi;
application/x-gzip gz;
application/x-ns-proxy-autoconfig pac;
application/x-shockwave-flash swf;
application/x-tgz tar.gz tgz;
application/x-tar tar;
application/zip zip;
audio/mpeg mp3;
audio/x-mpegurl m3u;
audio/x-ms-wma wma;
audio/x-ms-wax wax;
audio/x-wav ogg;
audio/x-wav wav;
image/gif gif;
image/jpeg jpg jpeg;
image/png png;
image/svg+xml svg;
image/x-xbitmap xbm;
image/x-xpixmap xpm;
image/x-xwindowdump xwd;
text/css css;
text/html html htm;
text/javascript js;
text/plain asc;
text/plain c;
text/plain conf;
text/plain text txt;
text/xml dtd;
text/xml xml;
video/mpeg mpeg;
video/mpeg mpg;
video/quicktime mov qt;
video/x-msvideo avi;
video/x-ms-asf asf asx;
video/x-ms-wmv wmv;
application/x-bzip bz2;
application/x-bzip-compressed-tar tbz tar.bz2;
}
# Use the "Content-Type" extended attribute to obtain mime type if possible
#mimetypes.use-xattr = "enable"
## deny access the file-extensions
#
# ~ is for backupfiles from vi, emacs, joe, ...
# .inc is often used for code includes which should in general not be part
# of the document-root
# Case-insensitive regex location; matching URIs get a bare 403.
# NOTE(review): the "." in ".inc" is an unescaped regex metacharacter, so this
# also denies any URI ending in "inc" preceded by one arbitrary character
# (over-blocking, never under-blocking). "(~|\.inc)$" expresses the stated
# intent exactly.
location ~* "(~|.inc)$" {
return 403;
}
# --- optional source-address allow list ---------------------------------------
# Only rendered when OPNsense.Nginx.webgui.limitnetworks is "1". The resulting
# allow/deny directives sit at server scope, so they apply to every location
# below and are evaluated on the client address nginx sees (no real-IP /
# proxy-protocol handling is visible in this block).
{% if helpers.exists('OPNsense.Nginx.webgui.limitnetworks') and OPNsense.Nginx.webgui.limitnetworks == '1' %}
# whitelist only directly connected networks to prevent attacks over the internet to the web interface
# we cannot block everything except RFC 1918 because this does not work with IPv6
# whitelisted_networks de-duplicates CIDRs that appear on more than one entry.
{% set whitelisted_networks = [] %}
{% for interface_name in interfaces %}
{% set interface = interfaces[interface_name] %}
# IPv4: only literal dotted addresses are used (the "." test presumably skips
# symbolic values such as "dhcp" — confirm against the interface model).
# The subnet prefix is appended when present, otherwise the bare address is
# allowed (a /32 in nginx terms).
{% if interface.ipaddr is defined and interface.ipaddr != '' and '.' in interface.ipaddr %}
{% if interface.subnet is defined and interface.subnet != '' %}
{% set cidr = interface.ipaddr + '/' + interface.subnet %}
{% else %}
{% set cidr = interface.ipaddr %}
{% endif %}
{% if cidr not in whitelisted_networks %}
{% do whitelisted_networks.append(cidr) %}
allow {{ cidr }};
{% endif %}
{% endif %}
# IPv6: same logic keyed on the ":" test; a bare address becomes a /128.
{% if interface.ipaddrv6 is defined and interface.ipaddrv6 != '' and ':' in interface.ipaddrv6 %}
{% if interface.subnetv6 is defined and interface.subnetv6 != '' %}
{% set cidr = interface.ipaddrv6 + '/' + interface.subnetv6 %}
{% else %}
{% set cidr = interface.ipaddrv6 %}
{% endif %}
{% if cidr not in whitelisted_networks %}
{% do whitelisted_networks.append(cidr) %}
allow {{ cidr }};
{% endif %}
{% endif %}
{% endfor %}
# Virtual IPs of type CARP or IP alias are allowed as well; here subnet and
# subnet_bits are used unconditionally (no emptiness check as above).
{% if helpers.exists('virtualip') %}
{% for intf_item in helpers.toList('virtualip.vip') %}
{% if intf_item.mode in ['carp', 'ipalias'] %}
{% set cidr = intf_item.subnet + '/' + intf_item.subnet_bits %}
{% if cidr not in whitelisted_networks %}
allow {{ cidr }};
{% do whitelisted_networks.append(cidr) %}
{% endif %}
{% endif %}
{% endfor %}
{% endif %}
# Everything not allowed above is rejected (nginx answers 403).
deny all;
{% endif %}
# --- legacy PHP pages under /usr/local/www --------------------------------
location ~ \.php$ {
fastcgi_pass unix:/var/run/php-webgui.socket;
# The location only matches URIs that end in ".php", so the "(/.+)$" capture
# can never match here and $fastcgi_path_info stays empty; nothing in this
# block reads it.
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
# Negotiated TLS session details are exposed to PHP as custom FastCGI params
# (empty on the plain-HTTP listener).
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
# Responses with status >= 300 from PHP are handed to nginx error handling;
# no error_page is set in this block, so the effect depends on inherited config.
fastcgi_intercept_errors on;
include fastcgi_params;
}
# Phalcon ui and api routing
# Named location reached only via try_files from the /api/ location below;
# every request is dispatched to the api.php front controller.
location @apirequest {
root /usr/local/opnsense/www;
include fastcgi_params;
# NOTE(review): the leading "&" differs from @guirequest; presumably
# deliberate for api.php's query parsing — confirm before "fixing".
fastcgi_param QUERY_STRING &$query_string;
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/www/api.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
# Unlike the legacy PHP location, error responses pass through to the client.
fastcgi_intercept_errors off;
fastcgi_pass unix:/var/run/php-webgui.socket;
}
# Named location reached only via try_files from the /ui/ location below;
# every request is dispatched to the index.php front controller.
location @guirequest {
root /usr/local/opnsense/www;
include fastcgi_params;
fastcgi_param QUERY_STRING $query_string;
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/www/index.php;
fastcgi_param TLS-Cipher $ssl_cipher;
fastcgi_param TLS-Protocol $ssl_protocol;
fastcgi_param TLS-SNI-Host $ssl_server_name;
fastcgi_intercept_errors off;
fastcgi_pass unix:/var/run/php-webgui.socket;
}
# /ui/<path>: serve a static asset at /usr/local/opnsense/www/<path> when it
# exists, otherwise fall through to the GUI front controller. The "query"
# capture is effectively unused: nginx matches locations against the URI
# without its arguments, so "?" should never appear in the matched string.
location ~ ^/ui/(?<path>[^\?]+)(?<query>\?(.*))? {
root /usr/local/opnsense/www;
try_files /$path @guirequest;
}
# /api/<path>: same pattern, falling through to the API front controller.
# (No space before "{"; nginx's tokenizer ends the regex word at "{", so this
# parses, but it is inconsistent with the /ui/ location above.)
location ~ ^/api/(?<path>[^\?]+)(?<query>\?(.*))?{
root /usr/local/opnsense/www;
try_files /$path @apirequest;
}
}