www/nginx: new features #828
Conversation
|
@fichtner please check the use of the alias class especially since I don not know it yet and it lacks some documentation. |
fabianfrz
changed the title
fabianfrz
changed the title
fabianfrz
changed the title
|
@fichtner review? |
| $blacklist_element = null; | ||
| foreach ($model->aliases->alias->__items as $alias) { | ||
| if ((string)$alias->name == $autoblock_alias_name) { | ||
| if ((string)$alias->type != 'network') { |
There was a problem hiding this comment.
@fabianfrz you better manage the contents of the list from within your plugin, using the internal type
https://github.com/opnsense/core/blob/master/src/opnsense/mvc/app/models/OPNsense/Firewall/Alias.xml#L33
Now you have two processes managing the same table, which is likely resulting in issues somewhere along the line. Only question is if the entries should survive a reboot, in which case you need to store some data in your own model (or parse logs on clean startup)
There was a problem hiding this comment.
@AdSchellevis can you explain the external field? It seems to have no validations and the current one works. I want the user to be able to delete an entry if it detected an incorrect one.
The script runs once per minute and appends new findings to the alias and updates the alias by itself when done. The log is purged automatically but the IP addresses keep being stored in the alias.
There was a problem hiding this comment.
@fabianfrz external means that it’s managed elsewhere (in this case in your plugin), the alias system won’t touch the contents and trusts the provider to manage it accordingly. With the current construction you created two systems, which try to update the table. The pfct in your code and the regular alias system updating the contents to its configuration at given intervals, which causes a race and can lead to removal of entries just inserted by your tool.
For better separation of concerns it’s highly advisable to keep the blacklist in your plugin or ask the alias system to sync it’s contents, my advise is to keep the blacklist in the plugin since it causes less overhead. People can always drop entries manually using the table tool, same as for ssh an web ui lockout construction.
There was a problem hiding this comment.
so external will do nothing except adding a table entry to pf.conf and make it available to the UI?
|
@AdSchellevis I changed the alias functionality and it is now completely handled by the plugin. I've also created an view and unlock page, so the user can unlock an IP address or IPv6 network again if it got banned "by accident". |
|
@fichtner did you forget this for 18.7.3? |
|
I did not forget. There was no time. |
|
Ok, then I may add new features until next release to this branch. |
|
Sure, I'll be reviewing later this week. |
|
now we have a simple cache for upstreams ;) |
fabianfrz
changed the title
| 'description' => gettext('nginx Load Balancer, WAF, Reverse Proxy and Web Server'), | ||
| 'configd' => array( | ||
| 'restart' => array('nginx restart'), | ||
| 'start' => array('nginx start') |
There was a problem hiding this comment.
The original implementation was intended to run the web interface too which obviously should not be stopped.
|
|
||
| return array( | ||
| array( | ||
| 'description' => gettext('nginx Load Balancer, WAF, Reverse Proxy and Web Server'), |
There was a problem hiding this comment.
what would you like to have as an alternative?
| { | ||
| return array( | ||
| array( | ||
| 'autocron' => array('/usr/local/opnsense/scripts/nginx/ngx_autoblock.php', '*') |
There was a problem hiding this comment.
can't we have a conditional here?
There was a problem hiding this comment.
conditional for what? nginx runs always
| { | ||
| static protected $internalModelClass = '\OPNsense\Nginx\Nginx'; | ||
| static protected $internalModelName = 'nginx'; | ||
| public function searchbanAction() |
There was a problem hiding this comment.
line spacing is whacky. I've held back a larger style update for 1.0 already to not mess with this PR. You could run and fix it yourself (requires plugin os-debug):
# cd /usr/plugins/www/nging && make style-fix
| @@ -48,6 +48,7 @@ | |||
| <id>httpserver.verify_client</id> | |||
| <label>Verify Client Certificate</label> | |||
| <type>dropdown</type> | |||
| <advanced>true</advanced> | |||
There was a problem hiding this comment.
just a note: nice! advanced is good, happy users due to simpler UI
| @@ -3,6 +3,7 @@ | |||
| <Nginx cssClass="fa fa-shield fa-fw"> | |||
| <Configuration url="/ui/nginx" /> | |||
| <Logs url="/ui/nginx/index/logs" /> | |||
| <Banned url="/ui/nginx/index/ban" /> | |||
There was a problem hiding this comment.
"Banned" feels misplaced. Logs should be visible as "Log File" and probably go last...
There was a problem hiding this comment.
ban is really a ban - it is a list of banned IPs in a special alias which can be referenced by PF rules. This page does not handle log files.
| <script src="/ui/js/nginx/lib/lodash.min.js"></script> | ||
| <script src="/ui/js/nginx/lib/backbone-min.js"></script> | ||
| <script src="/ui/js/nginx/dist/bundle.js"></script> | ||
| <script src="{{ cache_safe('/ui/js/nginx/lib/lodash.min.js') }}"></script> |
| @@ -0,0 +1,145 @@ | |||
| #!/usr/local/bin/php | |||
There was a problem hiding this comment.
does this have to be prefixed "ngx_" ?
There was a problem hiding this comment.
no, it does not. Is it a problem? It is just the file name of my cron job which must run as often as possible which means every minute.
There was a problem hiding this comment.
Wouldn't it be better to rename the fourth one?
the first one is for header handling, the second and the third one nginx related and the fifth one is the standard setup routine which is called setup in any plugin.
There was a problem hiding this comment.
it depends on whether you want csp_ ngx_ and so on to have a special meaning for different call context? I was only suggesting name simplification because "nginx" is implied by the parent directory, but I don't know enough about inner workings of nginx to know if "ngx" is something inside the process or something that you want explicitly separated for a specific reason. :)
There was a problem hiding this comment.
csp_report: API endpoint for CSP violation reports
ngx_auth: API endpoint for authentication request (checkbox advanced authentication)
ngx_autoblock: cron job which looks for bad IPs and sends them to PF
read_log: configd call to read the logs for the frontend (logs view)
setup: create files, chmod, export certs
There was a problem hiding this comment.
the first one is generic, the 2-3 depend on how nginx or the plugin is working, 4 is generic (would probably also work for other servers), 5 is plugin code
There was a problem hiding this comment.
ok, thanks. to the original point read_log is perfectly clear so no need to change that
| <?php | ||
|
|
||
| /* | ||
| * Copyright (C) 2018 Fabian Franz |
There was a problem hiding this comment.
thank you for using proper copyright layout here
There was a problem hiding this comment.
most of the time I am just copying the copyright block from my older plugins except some files which I am boilerplate using my rake task.
There was a problem hiding this comment.
I'm trying to make all of them one PHP style when I can:
/*
* Copyright...
*
* [...]
*/
|
@fabianfrz I ask you to reconsider your recent comments and responses which have been growing rougher and unfriendlier. I don't like cleaning up bugs for work that you consider "done" or reworking style that does not meet project standards because you don't think it's interesting enough. If that trend continues have no reason to continue reviewing your work. |
found stuff is sent to a special log and can be parsed periodically via a Cron job to update the alias automatically.