207 lines
7.4 KiB
Plaintext
207 lines
7.4 KiB
Plaintext
server {
|
|
|
|
keepalive_requests 15;
|
|
keepalive_timeout 30;
|
|
|
|
root /usr/local/www/;
|
|
{% if system.webgui.protocol is defined and system.webgui.protocol == 'https' %}
|
|
if ($scheme != "https") {
|
|
return 302 https://$host$request_uri;
|
|
}
|
|
listen 80 default_server; # if redirect is enabled
|
|
listen {% if system.webgui.port is defined and system.webgui.port != '' %}{{ system.webgui.port }}{% else %}443{% endif %} ssl http2 default_server;
|
|
## TLS configuration
|
|
ssl_dhparam /usr/local/opnsense/data/OPNsense/Nginx/dh-parameters.4096.rfc7919;
|
|
ssl_ecdh_curve secp384r1;
|
|
ssl_certificate /var/etc/cert.pem;
|
|
ssl_certificate_key /var/etc/cert.pem;
|
|
ssl_client_certificate /var/etc/ca.pem;
|
|
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
|
|
{% if system.webgui['ssl-ciphers'] is defined and system.webgui['ssl-ciphers'] != '' %}
|
|
ssl_ciphers {{ system.webgui['ssl-ciphers'] }}
|
|
{% else %}
|
|
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
|
|
{% endif %}
|
|
{% else %}
|
|
listen {% if system.webgui.port is defined and system.webgui.port != '' %}{{ system.webgui.port }}{% else %}80{% endif %};
|
|
{% endif %}
|
|
|
|
autoindex off;
|
|
http2_push_preload on;
|
|
|
|
# gzip compression
|
|
gzip_static on;
|
|
{% if system.webgui.compression is defined and system.webgui.compression != '' %}
|
|
gzip on;
|
|
gzip_comp_level {{ system.webgui.compression }};
|
|
{% else %}
|
|
gzip off;
|
|
{% endif %}
|
|
#compress.cache-dir = "/tmp/lighttpdcompress/"
|
|
gzip_types text/plain text/css text/xml text/javascript;
|
|
|
|
#server.upload-dirs = ( "/root/", "/tmp/", "/var/" )
|
|
# server.max-request-size = 2097152
|
|
|
|
expires 50h;
|
|
|
|
# Maximum idle time with nothing being written (php downloading)
|
|
#fastcgi_read_timeout = 999
|
|
|
|
## where to send error/access-messages to
|
|
access_log syslog:server=127.0.0.1,facility=daemon;
|
|
access_log /var/log/nginx/webgui.access.log;
|
|
error_log syslog:server=127.0.0.1,facility=daemon;
|
|
error_log /var/log/nginx/webgui.error.log debug;
|
|
|
|
index index.php index.html index.htm default.htm;
|
|
|
|
# mimetype mapping
|
|
types {
|
|
application/x-ns-proxy-autoconfig pad.dat;
|
|
application/pdf pdf;
|
|
application/pgp-signature sig;
|
|
application/futuresplash spl;
|
|
application/octet-stream class;
|
|
application/postscript ps;
|
|
application/x-bittorrent torrent;
|
|
application/x-dvi dvi;
|
|
application/x-gzip gz;
|
|
application/x-ns-proxy-autoconfig pac;
|
|
application/x-shockwave-flash swf;
|
|
application/x-tgz tar.gz tgz;
|
|
application/x-tar tar;
|
|
application/zip zip;
|
|
audio/mpeg mp3;
|
|
audio/x-mpegurl m3u;
|
|
audio/x-ms-wma wma;
|
|
audio/x-ms-wax wax;
|
|
audio/x-wav ogg;
|
|
audio/x-wav wav;
|
|
image/gif gif;
|
|
image/jpeg jpg jpeg;
|
|
image/png png;
|
|
image/svg+xml svg;
|
|
image/x-xbitmap xbm;
|
|
image/x-xpixmap xpm;
|
|
image/x-xwindowdump xwd;
|
|
text/css css;
|
|
text/html html htm;
|
|
text/javascript js;
|
|
text/plain asc;
|
|
text/plain c;
|
|
text/plain conf;
|
|
text/plain text txt;
|
|
text/xml dtd;
|
|
text/xml xml;
|
|
video/mpeg mpeg;
|
|
video/mpeg mpg;
|
|
video/quicktime mov qt;
|
|
video/x-msvideo avi;
|
|
video/x-ms-asf asf asx;
|
|
video/x-ms-wmv wmv;
|
|
application/x-bzip bz2;
|
|
application/x-bzip-compressed-tar tbz tar.bz2;
|
|
}
|
|
|
|
# Use the "Content-Type" extended attribute to obtain mime type if possible
|
|
#mimetypes.use-xattr = "enable"
|
|
|
|
## deny access the file-extensions
|
|
#
|
|
# ~ is for backupfiles from vi, emacs, joe, ...
|
|
# .inc is often used for code includes which should in general not be part
|
|
# of the document-root
|
|
location ~* "(~|.inc)$" {
|
|
return 403;
|
|
}
|
|
|
|
{% if helpers.exists('OPNsense.Nginx.webgui.limitnetworks') and OPNsense.Nginx.webgui.limitnetworks == '1' %}
|
|
# whitelist only directly connected networks to prevent attacks over the internet to the web interface
|
|
# we cannot block everything except RFC 1918 because this does not work with IPv6
|
|
{% set whitelisted_networks = [] %}
|
|
{% for interface_name in interfaces %}
|
|
{% set interface = interfaces[interface_name] %}
|
|
{% if interface.ipaddr is defined and interface.ipaddr != '' and '.' in interface.ipaddr %}
|
|
{% if interface.subnet is defined and interface.subnet != '' %}
|
|
{% set cidr = interface.ipaddr + '/' + interface.subnet %}
|
|
{% else %}
|
|
{% set cidr = interface.ipaddr %}
|
|
{% endif %}
|
|
{% if cidr not in whitelisted_networks %}
|
|
{% do whitelisted_networks.append(cidr) %}
|
|
allow {{ cidr }};
|
|
{% endif %}
|
|
{% endif %}
|
|
{% if interface.ipaddrv6 is defined and interface.ipaddrv6 != '' and ':' in interface.ipaddrv6 %}
|
|
{% if interface.subnetv6 is defined and interface.subnetv6 != '' %}
|
|
{% set cidr = interface.ipaddrv6 + '/' + interface.subnetv6 %}
|
|
{% else %}
|
|
{% set cidr = interface.ipaddrv6 %}
|
|
{% endif %}
|
|
{% if cidr not in whitelisted_networks %}
|
|
{% do whitelisted_networks.append(cidr) %}
|
|
allow {{ cidr }};
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% if helpers.exists('virtualip') %}
|
|
{% for intf_item in helpers.toList('virtualip.vip') %}
|
|
{% if intf_item.mode in ['carp', 'ipalias'] %}
|
|
{% set cidr = intf_item.subnet + '/' + intf_item.subnet_bits %}
|
|
{% if cidr not in whitelisted_networks %}
|
|
allow {{ cidr }};
|
|
{% do whitelisted_networks.append(cidr) %}
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endfor %}
|
|
{% endif %}
|
|
deny all;
|
|
{% endif %}
|
|
|
|
location ~ \.php$ {
|
|
fastcgi_pass unix:/var/run/php-webgui.socket;
|
|
fastcgi_split_path_info ^(.+\.php)(/.+)$;
|
|
fastcgi_index index.php;
|
|
fastcgi_param TLS-Cipher $ssl_cipher;
|
|
fastcgi_param TLS-Protocol $ssl_protocol;
|
|
fastcgi_param TLS-SNI-Host $ssl_server_name;
|
|
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
|
|
fastcgi_intercept_errors on;
|
|
include fastcgi_params;
|
|
}
|
|
|
|
# Phalcon ui and api routing
|
|
|
|
location @apirequest {
|
|
root /usr/local/opnsense/www;
|
|
include fastcgi_params;
|
|
fastcgi_param QUERY_STRING &$query_string;
|
|
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/www/api.php;
|
|
fastcgi_param TLS-Cipher $ssl_cipher;
|
|
fastcgi_param TLS-Protocol $ssl_protocol;
|
|
fastcgi_param TLS-SNI-Host $ssl_server_name;
|
|
fastcgi_intercept_errors off;
|
|
fastcgi_pass unix:/var/run/php-webgui.socket;
|
|
}
|
|
location @guirequest {
|
|
root /usr/local/opnsense/www;
|
|
include fastcgi_params;
|
|
fastcgi_param QUERY_STRING $query_string;
|
|
fastcgi_param SCRIPT_FILENAME /usr/local/opnsense/www/index.php;
|
|
fastcgi_param TLS-Cipher $ssl_cipher;
|
|
fastcgi_param TLS-Protocol $ssl_protocol;
|
|
fastcgi_param TLS-SNI-Host $ssl_server_name;
|
|
fastcgi_intercept_errors off;
|
|
fastcgi_pass unix:/var/run/php-webgui.socket;
|
|
}
|
|
location ~ ^/ui/(?<path>[^\?]+)(?<query>\?(.*))? {
|
|
root /usr/local/opnsense/www;
|
|
try_files /$path @guirequest;
|
|
}
|
|
location ~ ^/api/(?<path>[^\?]+)(?<query>\?(.*))?{
|
|
root /usr/local/opnsense/www;
|
|
try_files /$path @apirequest;
|
|
}
|
|
}
|