nginx 1.35

multiple client auth CA support (opnsense#4421) HTTP/2 server checkbox (opnsense#4272) sendfile form typo (opnsense#4436)
kulikov-a · Jan 12, 2025 · 7da8880 · 7da8880
1 parent 15cec3f
commit 7da8880
Show file tree

Hide file tree

Showing 5 changed files with 34 additions and 11 deletions.
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -113,7 +113,8 @@
   <field>
     <id>httpserver.ca</id>
     <label>Client CA Certificate</label>
-    <type>dropdown</type>
+    <type>select_multiple</type>
+    <help>Trusted CA certificates</help>
   </field>
   <field>
     <id>httpserver.verify_client</id>
@@ -165,6 +166,13 @@
     <type>checkbox</type>
     <help>If the request scheme is not HTTPS, redirect to use HTTPS for this server.</help>
   </field>
+  <field>
+    <id>httpserver.http2</id>
+    <label>HTTP/2</label>
+    <type>checkbox</type>
+    <help>Enable the HTTP/2 protocol.</help>
+    <advanced>true</advanced>
+  </field>
   <field>
     <id>httpserver.tls_protocols</id>
     <label>TLS Protocols</label>

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
@@ -31,7 +31,7 @@
                 <advanced>true</advanced>
             </field>
             <field>
-                <id>nginx.http.enabled</id>
+                <id>nginx.http.sendfile</id>
                 <label>Enable sendfile</label>
                 <type>checkbox</type>
                 <help>Enable sendfile support (faster).</help>

diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.34</version>
+  <version>1.35</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -824,6 +824,7 @@
       <ca type="CertificateField">
         <Type>ca</Type>
         <Required>N</Required>
+        <multiple>Y</multiple>
       </ca>
       <verify_client type="OptionField">
         <default>Off</default>
@@ -878,6 +879,10 @@
         <default>0</default>
         <Required>Y</Required>
       </https_only>
+      <http2 type="BooleanField">
+        <default>1</default>
+        <Required>Y</Required>
+      </http2>
       <tls_protocols type="OptionField">
         <multiple>Y</multiple>
         <Sorted>Y</Sorted>

diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -120,15 +120,25 @@ function find_ca($refid)
                 $cert['prv']
             );
             if (!empty($http_server['ca'])) {
-                foreach ($http_server['ca'] as $caref) {
-                    $ca = find_ca($caref);
-                    if (isset($ca)) {
-                        export_pem_file(
-                            KEY_DIRECTORY . $hostname . '_ca.pem',
-                            $ca['crt']
-                        );
+                syslog(LOG_DEBUG, "NGINX setup: Setting up the CA certs for {$hostname}.");
+                $ca_certs = [];
+                foreach ($http_server['ca'] as $carefs) {
+                    foreach(explode(',', $carefs) as $caref) {
+                        syslog(LOG_DEBUG, "NGINX setup: Searching for {$caref} CA data");
+                        $ca = find_ca($caref);
+                        if (isset($ca)) {
+                            syslog(LOG_DEBUG, "NGINX setup: client auth CA found. Adding to the list");
+                            $ca_certs[] = base64_decode($ca['crt']);
+                        }
                     }
                 }
+                if (count($ca_certs) > 0) {
+                    export_pem_file(
+                        KEY_DIRECTORY . $hostname . '_ca.pem',
+                        '',
+                        implode("\n", $ca_certs)
+                    );
+                }
             }
         }
     }

diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -117,7 +117,7 @@ server {
 {%     for listen_address in server.listen_https_address.split(',') %}
     listen {{ listen_address }} ssl{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %}{% if server.default_server is defined and server.default_server == '1' %} default_server{% endif %};
 {%     endfor %}
-    http2 on;
+    http2 {% if server.http2|default("1") == "1" %}on{% else %}off{% endif %};
 {%     if server.tls_reject_handshake is defined and server.tls_reject_handshake == '1'%}
     ssl_reject_handshake on;
 {%     endif %}