-
Notifications
You must be signed in to change notification settings - Fork 621
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
www/nginx: new features #828
Conversation
@fichtner please check the use of the alias class especially since I don not know it yet and it lacks some documentation. |
@fichtner review? |
$blacklist_element = null; | ||
foreach ($model->aliases->alias->__items as $alias) { | ||
if ((string)$alias->name == $autoblock_alias_name) { | ||
if ((string)$alias->type != 'network') { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fabianfrz you better manage the contents of the list from within your plugin, using the internal type
https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/Firewall/Alias.xml#L33
Now you have two processes managing the same table, which is likely resulting in issues somewhere along the line. Only question is if the entries should survive a reboot, in which case you need to store some data in your own model (or parse logs on clean startup)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@AdSchellevis can you explain the external field? It seems to have no validations and the current one works. I want the user to be able to delete an entry if it detected an incorrect one.
The script runs once per minute and appends new findings to the alias and updates the alias by itself when done. The log is purged automatically but the IP addresses keep being stored in the alias.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fabianfrz external means that it’s managed elsewhere (in this case in your plugin), the alias system won’t touch the contents and trusts the provider to manage it accordingly. With the current construction you created two systems, which try to update the table. The pfct in your code and the regular alias system updating the contents to its configuration at given intervals, which causes a race and can lead to removal of entries just inserted by your tool.
For better separation of concerns it’s highly advisable to keep the blacklist in your plugin or ask the alias system to sync it’s contents, my advise is to keep the blacklist in the plugin since it causes less overhead. People can always drop entries manually using the table tool, same as for ssh an web ui lockout construction.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
so external will do nothing except adding a table entry to pf.conf and make it available to the UI?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, that’s it
@AdSchellevis I changed the alias functionality and it is now completely handled by the plugin. I've also created an view and unlock page, so the user can unlock an IP address or IPv6 network again if it got banned "by accident". |
@fichtner did you forget this for 18.7.3? |
I did not forget. There was no time. |
Ok, then I may add new features until next release to this branch. |
Sure, I'll be reviewing later this week. |
now we have a simple cache for upstreams ;) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
generally: ok!
'description' => gettext('nginx Load Balancer, WAF, Reverse Proxy and Web Server'), | ||
'configd' => array( | ||
'restart' => array('nginx restart'), | ||
'start' => array('nginx start') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no stop?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The original implementation was intended to run the web interface too which obviously should not be stopped.
|
||
return array( | ||
array( | ||
'description' => gettext('nginx Load Balancer, WAF, Reverse Proxy and Web Server'), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
too long ;)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
what would you like to have as an alternative?
{ | ||
return array( | ||
array( | ||
'autocron' => array('/usr/local/opnsense/scripts/nginx/ngx_autoblock.php', '*') |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
can't we have a conditional here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
conditional for what? nginx runs always
{ | ||
static protected $internalModelClass = '\OPNsense\Nginx\Nginx'; | ||
static protected $internalModelName = 'nginx'; | ||
public function searchbanAction() |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
line spacing is whacky. I've held back a larger style update for 1.0 already to not mess with this PR. You could run and fix it yourself (requires plugin os-debug):
# cd /usr/plugins/www/nging && make style-fix
@@ -48,6 +48,7 @@ | |||
<id>httpserver.verify_client</id> | |||
<label>Verify Client Certificate</label> | |||
<type>dropdown</type> | |||
<advanced>true</advanced> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
just a note: nice! advanced is good, happy users due to simpler UI
@@ -3,6 +3,7 @@ | |||
<Nginx cssClass="fa fa-shield fa-fw"> | |||
<Configuration url="/ui/nginx" /> | |||
<Logs url="/ui/nginx/index/logs" /> | |||
<Banned url="/ui/nginx/index/ban" /> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
"Banned" feels misplaced. Logs should be visible as "Log File" and probably go last...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ban is really a ban - it is a list of banned IPs in a special alias which can be referenced by PF rules. This page does not handle log files.
<script src="/ui/js/nginx/lib/lodash.min.js"></script> | ||
<script src="/ui/js/nginx/lib/backbone-min.js"></script> | ||
<script src="/ui/js/nginx/dist/bundle.js"></script> | ||
<script src="{{ cache_safe('/ui/js/nginx/lib/lodash.min.js') }}"></script> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thanks!
@@ -0,0 +1,145 @@ | |||
#!/usr/local/bin/php |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
does this have to be prefixed "ngx_" ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
no, it does not. Is it a problem? It is just the file name of my cron job which must run as often as possible which means every minute.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it depends on whether you want csp_ ngx_ and so on to have a special meaning for different call context? I was only suggesting name simplification because "nginx" is implied by the parent directory, but I don't know enough about inner workings of nginx to know if "ngx" is something inside the process or something that you want explicitly separated for a specific reason. :)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
csp_report: API endpoint for CSP violation reports
ngx_auth: API endpoint for authentication request (checkbox advanced authentication)
ngx_autoblock: cron job which looks for bad IPs and sends them to PF
read_log: configd call to read the logs for the frontend (logs view)
setup: create files, chmod, export certs
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
the first one is generic, the 2-3 depend on how nginx or the plugin is working, 4 is generic (would probably also work for other servers), 5 is plugin code
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ok, thanks. to the original point read_log is perfectly clear so no need to change that
<?php | ||
|
||
/* | ||
* Copyright (C) 2018 Fabian Franz |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
thank you for using proper copyright layout here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
most of the time I am just copying the copyright block from my older plugins except some files which I am boilerplate using my rake task.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm trying to make all of them one PHP style when I can:
/*
* Copyright...
*
* [...]
*/
@fabianfrz I ask you to reconsider your recent comments and responses which have been growing rougher and unfriendlier. I don't like cleaning up bugs for work that you consider "done" or reworking style that does not meet project standards because you don't think it's interesting enough. If that trend continues have no reason to continue reviewing your work. |
found stuff is sent to a special log and can be parsed periodically via a Cron job to update the alias automatically.