net/sslh: Initial plugin version #2729
Conversation
net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/forms/settings.xml
Outdated
Show resolved
Hide resolved
agh1467
force-pushed
the
sslh
branch
2 times, most recently
from
dd0e0da
to
435766b
Compare
net/sslh/Makefile
Outdated
| PLUGIN_VERSION= 1.21c | ||
| PLUGIN_REVISION= 1 |
There was a problem hiding this comment.
| PLUGIN_VERSION= 1.21c | |
| PLUGIN_REVISION= 1 | |
| PLUGIN_VERSION= 0.1 | |
| PLUGIN_DEVEL= yes |
We do have separate versioning for software and actual plugin since both a different entities that can receive updates independently.
There was a problem hiding this comment.
I've changed it as you've put here.
I thought about the versioning for a while with respect to dnscrypt-proxy as well. That application has phased out configuration settings, renamed settings, and introduced new settings throughout the versions. Keeping the plugin version in lock step with the application version seemed like the most practical approach since it makes it clear to the user which version of the application is either being installed, or which version the plugin is compatible with, and eliminates the need to have a separate versioning schema for the plugin. Utilizing PLUGIN_REVISION would allow a simpler incremental versioning which could reset with each major version or increment forever, and there wouldn't be any trouble with defining a versioning schema.
Is there any guidance on this? A quick search only netted me the Hello World plugin example which doesn't detail versioning. With some guidance I think I could wrap my head around when each component should be versioned and which component gets versioned under which conditions.
There was a problem hiding this comment.
The problem is you can't be there for any update of dnscrypt-proxy which will make these versions differ and having a separate versioning for both plugin and dependent software makes it easier to see what people talk about. Sometimes people forget to name the revision, too. That being said if you have more than one software dependency how would you decide which software dependency gets to be the authoritative version number? ;)
Besides, revision is used as a means to not tamper with the version number, but you can't increment it "forever" as it makes no sense for hotfixing annotation. Yes, the idea comes from FreeBSD ports where you package a software and can't control the version number, but it's still clearer than not having a revision. The difference at the end of the day is 1.1.1 vs 1.1_1.
There's no document for the versioning aspects in our case. The unwritten rules are 0.x for development, 1.x and up for releases. Usually 2.x denotes a rewrite and some maintainers prefer 1.x.y and when we make quick bugfixes / hotfixes we use the revision instead to sort of denote that the fix may or may not be handled by the maintainer. More often than not, however, hotfixes are proper versions served by maintainers (hello @fraenki 😄). Revisions are cleared when the version changes.
One more thing to keep in mind here is that the makefile denotes the versioning and upgrade behaviour. We don't have any automatic means to update a plugin if this information wasn't modified (either version or revision in case version should stay the same). A year ago we did not even have a commit hash in the packaged plugin. But more on this in another comment here.
There was a problem hiding this comment.
Thanks for the explanation on versioning. Is there a place in the OPNsense docs this info could go? I could give a shot at writing something up. Maybe in the hello world example? https://docs.opnsense.org/development/examples/helloworld.html
| // Create an array to be processed by www/status_services.php | ||
| $service = array(); | ||
| // Load the plugin configuraiton file as an array for use below. | ||
| $conf = parse_ini_file('/usr/local/opnsense/service/conf/sslh.conf', true); |
There was a problem hiding this comment.
Oh wait you mean to add a generic configuration... the question would be is this used somehwere else? That directory may not be the best place for it since no relation to configd then. Apologies for doing a linear review from file to file...
There was a problem hiding this comment.
Yup, that's exactly it. The intent here is to define pseudo-"super globals." I provide a broader explanation on the comment of the conf file itself.
An example of how this could be useful is, this file can be copied wholesale, change the file name, and only have to change this line, and the function name to adapt to a new service. I'd guess, it could be reduced further and eliminate the need for this file at all if this information can just be derived from the conf file. For simple services the three actions are probably enough.
Less changing values after copying/pasting the code to stand up a new plugin.
There was a problem hiding this comment.
Ok in any case the file needs to be moved. A more fitting location would be either /usr/local/etc/inc/plugins.inc.d/sshl/sshl.conf or /usr/local/opnsense/data/sshl/sshl.conf.
That being said we already have a plugin-bound meta information file that would be most fitting for these types of values, e.g.:
# cat /usr/local/opnsense/version/ddclient
{
"product_abi": "22.1",
"product_arch": "amd64",
"product_email": "ad@opnsense.org",
"product_flavour": "LibreSSL",
"product_hash": "be8192b82",
"product_id": "os-ddclient-devel",
"product_name": "ddclient",
"product_version": "0.1",
"product_website": "https://opnsense.org/"
}
I don't mind extending the opnsense-version utility to read manual values from it as long as we can avoid too much clutter. What I don't think is a great idea is to read this file on each file load of a model or plugin invoke, however. And I think @AdSchellevis will agree. For configuration purposes it's fine but for runtime always bouncing through the file or shell command is a performance killer.
There was a problem hiding this comment.
Since the practicality for this isn't represented in this small plugin I've decided to remove it and replace with hard coded strings.
| // and displays service state in status column. If undefined, | ||
| // the 'name' as defined above is used in is_process_running() | ||
| // which must match the process name of the service in order to be found. | ||
| 'pidfile' => $conf['plugin']['pidfile'], |
There was a problem hiding this comment.
All things considered the question is if it's worth it. The pid file is usually also defined in the rc.d file of the service that comes with the port. Softcoding it in a second place seems less favourable than hardcoding it once here.
There was a problem hiding this comment.
I happened across this by accident since I copied this file from the dnscrypt-proxy plugin which uses pid as the key name for this value.
https://github.com/opnsense/plugins/blob/master/dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc#L51
Since for dnscrypt-proxy, it happens that the service name and the process name actually match, everything works without issue. However, with sslh, the process names are one of either sslh-fork or sslh-select which doesn't match the 'name' value in the array, and thus it's not able to find the process by name. It only shows the service as stopped in the status column. So, for this case, the pidfile value is how is_process_running() is able to find the process and properly detect if it's running or not.
For this case, the pid file is a command line option/configuration option, and is explicitly defined in the configuration file. It's also defined in the conf for reference here. I also looked in the /usr/local/etc/rc.d/sslh but for sslh it didn't look like one was defined as I've seen in other services.
There was a problem hiding this comment.
It seems that is a bug worth fixing?
# git grep "'pid'"
dns/dnscrypt-proxy/src/etc/inc/plugins.inc.d/dnscryptproxy.inc: 'pid' => '/var/run/dnscrypt-proxy.pid'
net-mgmt/nrpe/src/etc/inc/plugins.inc.d/nrpe.inc: 'pid' => '/var/run/nrpe.pid'
net/ntopng/src/etc/inc/plugins.inc.d/ntopng.inc: 'pid' => '/var/run/ntopng/ntopng.pid'
Well, the 'name' value should match the process name (binary), at least that what is being used if no PID file is given. In the example you give it seems perfectly fine except for the key not being proper. Especially for plugins.inc/d content the file is always bound to be adapted by plugin maintainer.
There was a problem hiding this comment.
I'll take a look at the other plugins and submit PRs for those as well.
net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/SettingsController.php
Outdated
Show resolved
Hide resolved
net/sslh/src/opnsense/mvc/app/controllers/OPNsense/Sslh/forms/settings.xml
Outdated
Show resolved
Hide resolved
| <id>settings.listen_addresses</id> | ||
| <label>Listen Addresses</label> | ||
| <help><
|
Thanks all for the review and comments! I resolved the comments that were straight forward and changes were made. I left the others open which I thought there might be more to say. |
|
FYI, I'm planning on revisiting this soon, and re-working parts to address the topics brought up. |
* Includes setting listen addresses, and protocol targets. * Includes some other advanced settings * Service start/stop/restart control
* Documentation reports this as a "Linux only" feature, remove since there is no provision for using this on FreeBSD.
* Rename file to be correct * Add sslh pkg description * Add change log content
Updating year, and adding email address.
* Swap tabs for spaces * Set plugin version to 0.1 * Remove PLUGIN_REVISION * Set devel flag * Set maintainer email address
* Remove unecessary || exit 0's
* Set model version to 0.0.1
* Remove redundant VisibleName attribute * Re-style to be first letter caps
* Remove styling for help * Try to make due without
* pkg-descr * Minor cosmetic updates * src/etc/inc/plugins.inc.d/sslh.inc * Replace ini file usage with hard coded strings. * src/opnsense/mvc/app/controllers/OPNsense/Sslh/forms/settings.xml * Changes to help text * Remove hint for listen_addresses * src/opnsense/mvc/app/models/OPNsense/Sslh/Settings.xml * Fix typo in validation message * Add default value * src/opnsense/mvc/app/views/OPNsense/Sslh/settings.volt * Remove not so useful comment * src/opnsense/service/conf/sslh.conf * Deleted as it's not used anymore. * src/opnsense/service/templates/OPNsense/Sslh/sslh.conf.jinja * Add copyright banner * Minor style changes, and correcting formatting. * net/sslh/DEVELOPMENT.md * Minor update to developers notes.
agh1467
force-pushed
the
sslh
branch
2 times, most recently
from
ee1ae7f
to
0c6ca96
Compare
| PLUGIN_NAME= sslh | ||
| PLUGIN_VERSION= 0.1 | ||
| PLUGIN_DEVEL= yes | ||
| PLUGIN_COMMENT= sslh configuration front-end |
There was a problem hiding this comment.
most plugins are frontends. the opportunity here is to describe the software being configured in a nutshell :)
There was a problem hiding this comment.
I'll update the comment to describe the sslh service.
| */ | ||
| public function indexAction() | ||
| { | ||
| return array('status' => 'ok'); |
There was a problem hiding this comment.
can leave this in but doesn't look like functional addition. less is often more
| <listen_addresses type="CSVListField"> | ||
| <required>Y</required> | ||
| <default>localhost:443</default> | ||
| <validationmessage>Please enter at least one hostname/IP:port combination.</validationmessage> |
There was a problem hiding this comment.
validation message here but no special validation of individual values?
There was a problem hiding this comment.
localhost:443 is probably already bound to web GUI btw
There was a problem hiding this comment.
For this, I considered the options that I'm aware of and can understand, but I'm having a challenge understanding the best approach. I could use something like a regular expression, but the fact that this supports a hostname and IP address will make this complicated to do in single mask.
I thought about a custom FieldType with a new validator using the CallbackValidator, the challenges would be similar, but I could at least split each CSV and explode on the colon (only reliable for IPv4), and evaluate each half of each entry separately. I feel that's still re-inventing the wheel when there exists HostValidator, and PortField already has a validator (though hard coded in the FieldType itself).
I think an option might be to re-factor the field into an ArrayField, and specify the hostname/IP, and port separately and validate each according to each field type. However, I'd prefer not to do that as it would require building the interface(s) to support the user input. I wasn't planning on going down that route until the next version of the plugin.
I'm not strong in the validators area, and I left this alone due to the complexity of specifying a single mask to handle the entire thing. Let me know how this could be approached in a reasonable manner.
|
@agh1467 if you ping again I will merge, up to you if you want to change something now or merge first |
|
Super interested 3rd party here who runs OPNSense & REALLY wants this feature. What is the state of this? If I'm reading/understanding this correctly, this change was approved but is not in the current build & is awaiting minor comments? As an (overly) excited 3rd party, having this capability in OPNSense would be huge and I'm super thankful that it seems to be so close! I'm just making sure it's not lost just before the finish line! |
|
Merged, thanks! |
|
I know I'm a few days late to the party, but regarding the removal of transparent mode: The official docs have a section for FreeBSD here, so it's not entirely impossible. Unfortunately it involves ipfw instead of pf. Maybe it can be added on top of pf or adapted. |
|
@haarp Thanks for citing that. I'll have to see if there is an equivalent functionality, and translate it accordingly. It could be added back in then. |
|
Any news on the transparent option? It's necessary for things like fail2ban to work properly to be able to resolve the remote IP |
There was a problem hiding this comment.
You wrote that the documentation reports this as a "Linux only" feature and that there is no provision for using this on FreeBSD.
I am wondering about this, because the documentation of sslh states for the Transparent Proxy "On Linux and FreeBSD you can use the --transparent option to request transparent proxying." (Source: https://github.com/yrutschle/sslh/blob/master/doc/tproxy.md).
This is to address the discussion about a plugin for sslh and resolves #1630. This is such a plugin.