[www/nginx] Add url and urltable to trusted-proxy-alias dropdown #1680

Closed


PrivatePuffin
Contributor

Quick fix adding the url and urltable alias types to the dropdown selecting trusted-proxy firewall aliases in NGINX.

As discussed here:
https://forum.opnsense.org/index.php?topic=14617.msg71645#msg71645

Signed-off-by: Kjeld Schouten-Lebbing kjeld@schouten-lebbing.nl

…pdown

Signed-off-by: Kjeld Schouten-Lebbing <kjeld@schouten-lebbing.nl>
@fabianfrz
Member

This is likely not possible because nginx cannot handle these types. The aliases of host and network are stored in the config.xml while the table types are external and need to be fetched first. The nginx template cannot fetch such tables and for that reason, it is likely not going to work - even if you can select it by the model.

@fabianfrz fabianfrz changed the title [nginx] Add url and urltable to trusted-proxy-alias dropdown [www/nginx] Add url and urltable to trusted-proxy-alias dropdown Jan 30, 2020
@PrivatePuffin
Contributor Author

PrivatePuffin commented Jan 30, 2020

It might sound harsh, but that makes it totally useless with most reverse proxy providers...
Because those often use iplists that might change.

Closing because I don't have the time to do a refactor of this.

@PrivatePuffin
Contributor Author

I don't get why it doesn't use the API to grab the alias.

Assuming my alias is named "proxy_trusted_ips", I can just grab it like this:
https://router.local/api/firewall/alias_util/list/proxy_trusted_ips

Which gives me:
{"total":21,"rowCount":9999,"current":1,"rows":[{"ip":"103.21.244.0\/22"},{"ip":"103.22.200.0\/22"},{"ip":"103.31.4.0\/22"},{"ip":"104.16.0.0\/12"},{"ip":"108.162.192.0\/18"},{"ip":"131.0.72.0\/22"},{"ip":"141.101.64.0\/18"},{"ip":"162.158.0.0\/15"},{"ip":"172.64.0.0\/13"},{"ip":"173.245.48.0\/20"},{"ip":"188.114.96.0\/20"},{"ip":"190.93.240.0\/20"},{"ip":"197.234.240.0\/22"},{"ip":"198.41.128.0\/17"},{"ip":"2400:cb00::\/32"},{"ip":"2405:8100::\/32"},{"ip":"2405:b500::\/32"},{"ip":"2606:4700::\/32"},{"ip":"2803:f800::\/32"},{"ip":"2a06:98c0::\/29"},{"ip":"2c0f:f248::\/32"}]}

Which is type independent and pretty well parseable... So why has someone somehow made a choice to grab it from config.xml in the damn first place? This seems like a very dirty hack to me.
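
Added example, not part of the thread or of the plugin's code: one way to consume the `alias_util/list` response quoted in the comment above, validating every row as a CIDR network before it is written into the nginx configuration. That the trusted-proxy list ends up as `set_real_ip_from` directives is an assumption, as are the function names; the sample response is constructed, shortened from the one above with two bad rows added.

```python
import ipaddress
import json

# Constructed sample in the shape of the alias_util/list response quoted above.
SAMPLE_RESPONSE = r'''{"total":4,"rowCount":9999,"current":1,"rows":[
 {"ip":"103.21.244.0\/22"},{"ip":"2400:cb00::\/32"},
 {"ip":"0.0.0.0\/0"},{"ip":"proxy.example.net"}]}'''


def parse_alias_rows(body):
    """Return (accepted networks, rejected raw entries) from an alias listing."""
    rows = json.loads(body).get("rows")
    if not isinstance(rows, list):
        raise ValueError("response has no 'rows' list")
    accepted, rejected = [], []
    for row in rows:
        raw = row.get("ip") if isinstance(row, dict) else None
        if not isinstance(raw, str):
            rejected.append(raw)
            continue
        try:
            # strict=True refuses entries with host bits set, e.g. 10.1.2.3/8
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError:
            rejected.append(raw)  # hostnames, garbage, truncated rows
            continue
        if net.prefixlen == 0:
            # A /0 entry would make every client a "trusted proxy"
            rejected.append(raw)
            continue
        accepted.append(net)
    return accepted, rejected


def render_realip_conf(networks):
    """Render one directive per network, de-duplicated and sorted for stable diffs."""
    ordered = sorted(set(networks),
                     key=lambda n: (n.version, n.network_address, n.prefixlen))
    # Only parsed network objects are formatted, so no raw alias text reaches the file
    return "".join(f"set_real_ip_from {n};\n" for n in ordered)


if __name__ == "__main__":
    nets, bad = parse_alias_rows(SAMPLE_RESPONSE)
    print(render_realip_conf(nets), end="")
    print("rejected:", bad)
```

Because the alias content comes from a remote list that can change, the rejected entries are worth logging on every refresh rather than dropping silently.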
