You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
High availability synchronization for nginx is only synchronizing additions or when there is an addition, but not when there is a deletion.
Example
Two firewalls, fw-a and fw-b, in HA configuration using nginx as a reverse proxy. fw-a is the primary. When configuring nginx on the primary and a setting is added, the HA synchronization pushes the added config over to the secondary firewall, fw-b.
However, if that setting is removed and nothing else added, it will not push that update or removing the setting to fw-b when synchronizing again.
Example
Add a Nginx Credential "test" to fw-a, then synchronize the firewalls. The "test" user is added to fw-b. Then remove the "test" user under nginx credentials on fw-a and synchronize again, the "test" user is gone on fw-a, but still remains on fw-b. Now, on fw-a, and a new user, "test2" (different username) to nginx credentials and synchronize again, fw-b will have removed the original "test" user and have only the "test2" user.
Thus it appears to only by synchronizing sections with an addition or some data at all (i.e. not an empty section).
To Reproduce
Steps to reproduce the behavior:
Add a credential to fw-a
On fw-a (primary) click Service->Nginx
Select the https dropdown tab, and select credentials
Add a credential "test" and make up a password (it will not be used, no need to retain password)
Move to high availability status screen: Click System->High Availability->Status
Click on the "Synchronize" button under the status label (button has a cloud with an upward facing arrow on it)
Check settings on FW-B
On fw-b, click Service->Nginx
Select the https dropdown tab, and select credentials
The credential for "test" user will be present
Remove nginx credential on fw-a and perform another HA synchronization
On fw-a (primary) click Service->Nginx
Select the https dropdown tab, and select credentials
Delete the "test" user credential
Move to high availability status screen: Click System->High Availability->Status
Click on the "Synchronize" button under the status label (button has a cloud with an upward facing arrow on it)
Check fw-b nginx credentials
Refresh the fw-b nginx credential screen or follow the instructions in "Check settings on FW-B"
You will see that the "test" user is still present even though it is not on fw-a.
Add another Credential to fw-a
At this point, there are no nginx credentials on fw-a but the "test" user is still on fw-b.
On fw-a, follow the "Add credential to fw-a instructions, but change the username to "test2"
Synchronize the the HA system from fw-a again.
Check fw-b nginx credentials and you will see that "test2" has been synchronized, and the"test" user has been removed.
Expected behavior
When a change is made to the nginx configuration, addition or deletion, it should be synchronized to the backup firewall so that they are always in synchronization.
Describe alternatives you considered
None
Screenshots
Not Applicable
Relevant log files
From fw-a when credential is deleted
audit 94210 - [meta sequenceId="295"] user [email protected] changed configuration to /conf/backup/config-1737032456.5349.xml in /api/nginx/settings/delcredential/0854d875-b8db-4556-aca9-75696bc1ec11 /api/nginx/settings/delcredential/0854d875-b8db-4556-aca9-75696bc1ec11 made changes
on fw-b directly after that log
configd.py 321 - [meta sequenceId="461"] generate template container OPNsense/Nginx
audit 46588 - [meta sequenceId="532"] user [email protected] changed configuration to /conf/backup/config-1737032486.6708.xml in /api/nginx/settings/delcredential/0854d875-b8db-4556-aca9-75696bc1ec11 /api/nginx/settings/delcredential/0854d875-b8db-4556-aca9-75696bc1ec11 made changes
Additional context
Synchronization seems to be working for everything else I am using it with.
Environment
Software version used and hardware type if relevant, e.g.:
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
High availability synchronization for nginx is only synchronizing additions or when there is an addition, but not when there is a deletion.
Example
Two firewalls, fw-a and fw-b, in HA configuration using nginx as a reverse proxy. fw-a is the primary. When configuring nginx on the primary and a setting is added, the HA synchronization pushes the added config over to the secondary firewall, fw-b.
However, if that setting is removed and nothing else added, it will not push that update or removing the setting to fw-b when synchronizing again.
Example
Add a Nginx Credential "test" to fw-a, then synchronize the firewalls. The "test" user is added to fw-b. Then remove the "test" user under nginx credentials on fw-a and synchronize again, the "test" user is gone on fw-a, but still remains on fw-b. Now, on fw-a, and a new user, "test2" (different username) to nginx credentials and synchronize again, fw-b will have removed the original "test" user and have only the "test2" user.
Thus it appears to only by synchronizing sections with an addition or some data at all (i.e. not an empty section).
To Reproduce
Steps to reproduce the behavior:
Add a credential to fw-a
Check settings on FW-B
Remove nginx credential on fw-a and perform another HA synchronization
Check fw-b nginx credentials
Add another Credential to fw-a
Expected behavior
When a change is made to the nginx configuration, addition or deletion, it should be synchronized to the backup firewall so that they are always in synchronization.
Describe alternatives you considered
None
Screenshots
Not Applicable
Relevant log files
From fw-a when credential is deleted
on fw-b directly after that log
Additional context
Synchronization seems to be working for everything else I am using it with.
Environment
Software version used and hardware type if relevant, e.g.:
Both systems are:
OPNsense 24.7.11_1 (amd64)
Intel(R) Xeon(R) Platinum 8168 CPU @ 2.70GHz (48 cores, 96 threads)
FreeBSD fw-b.umbracorp.io 14.1-RELEASE-p6 FreeBSD 14.1-RELEASE-p6 stable/24.7-n267981-8375762712f SMP amd64
The text was updated successfully, but these errors were encountered: