nginx_1.35

proxy_intercept_errors support (opnsense#4224) multiple client auth CA support (opnsense#4421) HTTP/2 server checkbox (opnsense#4272) sendfile form typo (opnsense#4436) variables hashes (opnsense#4360)
kulikov-a · Jan 13, 2025 · bd5c805 · bd5c805
1 parent 15cec3f
commit bd5c805
Show file tree

Hide file tree

Showing 9 changed files with 102 additions and 14 deletions.
diff --git a/www/nginx/Makefile b/www/nginx/Makefile
@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	5
+PLUGIN_VERSION=		1.35
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	[email protected]

diff --git a/www/nginx/pkg-descr b/www/nginx/pkg-descr
@@ -10,6 +10,14 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.35
+
+* Global options sendfile directive typo fix
+* Add HTTP/2 option to GUI
+* Add multiple client authentication trusted CA support
+* Add proxy_intercept_errors directive support
+* Add Variables hashes size support
+
 1.34
 
 * Add the option to not log TLS handshakes

diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml
@@ -113,7 +113,8 @@
   <field>
     <id>httpserver.ca</id>
     <label>Client CA Certificate</label>
-    <type>dropdown</type>
+    <type>select_multiple</type>
+    <help>Trusted CA certificates</help>
   </field>
   <field>
     <id>httpserver.verify_client</id>
@@ -165,6 +166,13 @@
     <type>checkbox</type>
     <help>If the request scheme is not HTTPS, redirect to use HTTPS for this server.</help>
   </field>
+  <field>
+    <id>httpserver.http2</id>
+    <label>HTTP/2</label>
+    <type>checkbox</type>
+    <help>Enable the HTTP/2 protocol.</help>
+    <advanced>true</advanced>
+  </field>
   <field>
     <id>httpserver.tls_protocols</id>
     <label>TLS Protocols</label>
@@ -320,4 +328,11 @@
     <type>select_multiple</type>
     <help>Select custom error pages to display instead of the default builtin error pages. If at least one error page is selected here, all default error pages will be disabled.</help>
   </field>
+  <field>
+    <id>httpserver.proxy_intercept_errors</id>
+    <label>Intercept errors</label>
+    <type>checkbox</type>
+    <help>Intercept responses with codes greater than or equal to 300 and redirect to processing with custom error pages.</help>
+    <advanced>true</advanced>
+  </field>
 </form>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml
@@ -328,4 +328,12 @@
     <type>select_multiple</type>
     <help>Select custom error pages to display instead of the default builtin error pages. Selection will override error pages configured on HTTP server.</help>
   </field>
+  <field>
+    <id>location.proxy_intercept_errors</id>
+    <label>Intercept errors</label>
+    <type>dropdown</type>
+    <style>selectpicker</style>
+    <help>Intercept responses with codes greater than or equal to 300 and redirect to processing with custom error pages.</help>
+    <advanced>true</advanced>
+  </field>
 </form>
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml
@@ -31,7 +31,7 @@
                 <advanced>true</advanced>
             </field>
             <field>
-                <id>nginx.http.enabled</id>
+                <id>nginx.http.sendfile</id>
                 <label>Enable sendfile</label>
                 <type>checkbox</type>
                 <help>Enable sendfile support (faster).</help>
@@ -56,7 +56,7 @@
             </field>
             <field>
                 <id>nginx.http.server_names_hash_bucket_size</id>
-                <label>Hash Bucket Size</label>
+                <label>Server Names Hash Bucket Size</label>
                 <type>text</type>
                 <advanced>true</advanced>
             </field>
@@ -66,6 +66,18 @@
                 <type>text</type>
                 <advanced>true</advanced>
             </field>
+            <field>
+                <id>nginx.http.variables_hash_bucket_size</id>
+                <label>Variables Hash Bucket Size</label>
+                <type>text</type>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>nginx.http.variables_hash_max_size</id>
+                <label>Variables Hash Max Size</label>
+                <type>text</type>
+                <advanced>true</advanced>
+            </field>
             <field>
                 <id>nginx.http.bots_ua</id>
                 <label>Bots User Agents</label>

diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.34</version>
+  <version>1.35</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -56,6 +56,14 @@
         <Required>N</Required>
         <MinimumValue>1</MinimumValue>
       </server_names_hash_max_size>
+      <variables_hash_max_size type="IntegerField">
+        <Required>N</Required>
+        <MinimumValue>1</MinimumValue>
+      </variables_hash_max_size>
+      <variables_hash_bucket_size type="IntegerField">
+        <Required>N</Required>
+        <MinimumValue>1</MinimumValue>
+      </variables_hash_bucket_size>
       <ban_response type="OptionField">
         <multiple>N</multiple>
         <OptionValues>
@@ -554,6 +562,15 @@
         <Required>N</Required>
         <multiple>Y</multiple>
       </errorpages>
+      <proxy_intercept_errors type="OptionField">
+        <default>Inherit</default>
+        <Required>Y</Required>
+        <OptionValues>
+          <Inherit>Inherit</Inherit>
+          <on>On</on>
+          <off>Off</off>
+        </OptionValues>
+      </proxy_intercept_errors>
     </location>
 
     <custom_policy type="ArrayField">
@@ -824,6 +841,7 @@
       <ca type="CertificateField">
         <Type>ca</Type>
         <Required>N</Required>
+        <multiple>Y</multiple>
       </ca>
       <verify_client type="OptionField">
         <default>Off</default>
@@ -878,6 +896,10 @@
         <default>0</default>
         <Required>Y</Required>
       </https_only>
+      <http2 type="BooleanField">
+        <default>1</default>
+        <Required>Y</Required>
+      </http2>
       <tls_protocols type="OptionField">
         <multiple>Y</multiple>
         <Sorted>Y</Sorted>
@@ -1035,6 +1057,10 @@
         <Required>N</Required>
         <multiple>Y</multiple>
       </errorpages>
+      <proxy_intercept_errors type="BooleanField">
+        <default>0</default>
+        <Required>Y</Required>
+      </proxy_intercept_errors>
     </http_server>
 
     <stream_server type="ArrayField">

diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -120,15 +120,25 @@ function find_ca($refid)
                 $cert['prv']
             );
             if (!empty($http_server['ca'])) {
-                foreach ($http_server['ca'] as $caref) {
-                    $ca = find_ca($caref);
-                    if (isset($ca)) {
-                        export_pem_file(
-                            KEY_DIRECTORY . $hostname . '_ca.pem',
-                            $ca['crt']
-                        );
+                syslog(LOG_DEBUG, "NGINX setup: Setting up the CA certs for {$hostname}.");
+                $ca_certs = [];
+                foreach ($http_server['ca'] as $carefs) {
+                    foreach(explode(',', $carefs) as $caref) {
+                        syslog(LOG_DEBUG, "NGINX setup: Searching for {$caref} CA data");
+                        $ca = find_ca($caref);
+                        if (isset($ca)) {
+                            syslog(LOG_DEBUG, "NGINX setup: client auth CA found. Adding to the list");
+                            $ca_certs[] = base64_decode($ca['crt']);
+                        }
                     }
                 }
+                if (count($ca_certs) > 0) {
+                    export_pem_file(
+                        KEY_DIRECTORY . $hostname . '_ca.pem',
+                        '',
+                        implode("\n", $ca_certs)
+                    );
+                }
             }
         }
     }

diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/http.conf
@@ -48,6 +48,12 @@ server_names_hash_max_size {{ OPNsense.Nginx.http.server_names_hash_max_size }};
 {% if OPNsense.Nginx.http.server_names_hash_bucket_size is defined and OPNsense.Nginx.http.server_names_hash_bucket_size != '' %}
 server_names_hash_bucket_size {{ OPNsense.Nginx.http.server_names_hash_bucket_size }};
 {% endif %}
+{% if OPNsense.Nginx.http.variables_hash_max_size is defined and OPNsense.Nginx.http.variables_hash_max_size != '' %}
+variables_hash_max_size {{ OPNsense.Nginx.http.variables_hash_max_size }};
+{% endif %}
+{% if OPNsense.Nginx.http.variables_hash_bucket_size is defined and OPNsense.Nginx.http.variables_hash_bucket_size != '' %}
+variables_hash_bucket_size {{ OPNsense.Nginx.http.variables_hash_bucket_size }};
+{% endif %}
 {% if OPNsense.Nginx.http.keepalive_timeout is defined and OPNsense.Nginx.http.keepalive_timeout != '' %}
 keepalive_timeout {{ OPNsense.Nginx.http.keepalive_timeout }};
 {% endif %}
@@ -117,7 +123,7 @@ server {
 {%     for listen_address in server.listen_https_address.split(',') %}
     listen {{ listen_address }} ssl{% if server.proxy_protocol is defined and server.proxy_protocol == '1' %} proxy_protocol{% endif %}{% if server.default_server is defined and server.default_server == '1' %} default_server{% endif %};
 {%     endfor %}
-    http2 on;
+    http2 {% if server.http2|default("1") == "1" %}on{% else %}off{% endif %};
 {%     if server.tls_reject_handshake is defined and server.tls_reject_handshake == '1'%}
     ssl_reject_handshake on;
 {%     endif %}
@@ -246,6 +252,7 @@ server {
         root /usr/local/etc/nginx/views;
     }
 {% endif %}
+    proxy_intercept_errors {% if server.proxy_intercept_errors|default("0") == "1" %}on{% else %}off{% endif %};
 {% if server.security_header is defined and server.security_header != '' %}
 {% set security_rule = helpers.getUUID(server.security_header) %}
 {%   if security_rule is defined %}

diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -47,6 +47,9 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
     error_page {{ errorpage.statuscodes.replace(',', ' ') }} {% if errorpage.response is defined and errorpage.response != '' %}={{ errorpage.response }} {% endif %}{% if errorpage.redirect is defined and errorpage.redirect != '' %}{{ errorpage.redirect }}{% else %}/error_{{ errorpage_uuid.replace('-', '') }}.html{% endif %};
 {%    endfor %}
 {% endif %}
+{% if location.proxy_intercept_errors is defined and location.proxy_intercept_errors != 'Inherit' %}
+    proxy_intercept_errors {{ location.proxy_intercept_errors }};
+{% endif %}
 {% if location.force_https is defined and location.force_https == '1' %}
     if ($scheme != "https") {
         return 302 https://$host$request_uri;