need some help on nginx / bug in omv-nginx

    • OMV 4.x
    • Resolved


    • need some help on nginx

      I need some help or advice configuring nginx. I know Apache2 configs, but nginx is new to me.

      My setup:
      ISP--<dsl>--Fritzbox with ddns--switch--nas(omv) and other clients
      The Fritzbox may route IPv4 and IPv6 ports to the NAS.

      My nginx on the OMV NAS (default server) should be accessible via HTTP and HTTPS only from the internal net.
      But it should serve web pages for some external access (via name-based servers?) too.
      So we have different scenarios for different sites.
      These are the possible URLs against nginx:

      nas -> intern
      nas.local -> intern
      192.168.178.111 -> intern
      my SQL manager site -> intern
      my BitTorrent manager site -> intern
      78.1.2.3, which may be my IPv4 address -> extern error page
      my.ddns.host -> extern site
      2001:4312:...., which may be my IPv6 address -> extern error page
      even blind port access without a hostname routed by the Fritzbox -> extern error page
      the WebDAV page... -> intern & extern accessible

      I have installed the omv-nginx plugin too and am able to configure additional name-based sites prepared with Let's Encrypt.
      I think this config depends on the "default server" and I need to configure the OMV site on a name-based server.
      But there is no way to configure that. The OMV site seems to be always the default, plus the additionally configured sites in the nginx plugin.

      But I don't want to show the OMV login page on all web requests from outside that fit no name-based site... I want to send those brute-force clients to an error page.

      On Apache I would configure a default server with an error page and 2 name-based servers as nas and my.ddns.host.

      Does someone have a hint or a howto link?
      Equipment: a few Computers, lot's of waste heat, little time and a Pile of work.

      When solving problems, dig at the root instead of hacking at the leaves.

      The post was edited 1 time, last by Rd65.

    • Ok.. I found the next bug in OMV... :) exactly in omv-nginx.

      2 sites on one port without name support is not possible; they are only port driven. That's clear.

      2 sites as different virtual server names on the same port are usual... but omv-nginx complains about previously used ports if you try to save the second virtual server name. There is an extra switch in the config web UI to change from port to virtual name support... so it has no reason to complain if the server names are different... but... it complains.
      That's wrong behavior.

      Additionally I tried IP-based virtual servers (meaning eth0:1 and eth0:2 with different addresses), but in omv-nginx you can't set up IP addresses for servers... but this is not a bug, more something like a "missing feature".

      I am really wondering that nobody else complains about that. This bug means no native virtual web servers on OMV... this makes the omv-nginx plugin worthless. But please.... don't treat me again with... use Docker, use Webmin, use whatever...
    • I found a solution... the problem depends on a misconfig of the OMV web itself.
      1. We disable the omv-nginx plugin.
      2. We enable the default web page with: #nginx_ensite default
      This will catch all web requests not fitting a virtual host name.
      Its webroot is /var/www/html, so we can place an empty index.html or use the default nginx web page with a short greeting.
      If we now restart nginx with #service nginx restart, the server will fail.
      This depends on a wrong config in /etc/nginx/sites-available/openmediavault-webgui.
      This is the OMV admin web page. We will fix it.
      3. We rename server_name openmediavault-webgui; to the name of the server as defined in hostname. In my case nas.

      Source Code

      # server_name openmediavault-webgui;
      server_name nas;


      Now the server will listen on the name nas, meaning nas shows us the OMV page.
      The next part to fix is the port definition.
      The virtual server nas uses:

      Source Code

      listen [::]:80 ipv6only=off;
      listen [::]:443 ipv6only=off ssl deferred;

      This breaks the rules for virtual server definitions. We change that to:

      Source Code

      listen 80;
      listen [::]:80;
      #listen [::]:80 ipv6only=off;
      listen 443 ssl deferred;
      listen [::]:443 ssl deferred;
      #listen [::]:443 ipv6only=off ssl deferred;

      It looks like the same but is different.
      Now you can start/restart the server with a catch-all default site and a virtual server OMV page on the same IP with the name nas.
      #service nginx restart
      Now you can add more virtual websites with DDNS server names, other names and so on.
      Would the web plugin work, it would now be possible to adjust web pages with virtual names. But omv-nginx can't handle multiple sites on the same port. But now it's possible to do it by hand like this:

      Source Code

      server {
          listen 80;
          server_name my.ddns.server www.my.ddns.server;
          ...
      }

      To protect these changes against updates and wrong modifications, you can fix this by setting the immutable bit:
      #chattr +i /etc/nginx/sites-available/openmediavault-webgui
      If you want to allow changes, remove it by #chattr -i /etc/nginx/sites-available/openmediavault-webgui

      Read carefully the OMV update announcements if they fix this problem.
      Always back up old states and your changes. Maybe omv-firstaid will reset your web config.
      So double-check your web config if you save things that depend on nginx.
      Hope that will help to fix this issue for others.

      I think it is a really bad idea to run a web server with PHP7, maybe exposed via DDNS, without a catch-all site!
      This invites brute-force hackers and script kiddies.

      And if someone is able to review or fix the omv-nginx port check, please do it... now it is worth it. Maybe it's working now with these modifications, but the thrown errors look (to me) like a problem in omv-nginx too.

      A last tip: if you want to use HTTPS with the default server via DDNS, place the snakeoil cert in the default server.
      There are scripts out there reading cert info and using e-mails and hostnames as a starting point for gathering info about you.
      Use your Let's Encrypt cert only in the virtual server_name it is signed for. Someone who doesn't know your DDNS name is not able to ask the DDNS server anything.
      The post was edited 3 times, last by Rd65.
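    • The layout the post above describes, written out as one complete set of nginx server blocks, is given here as an added example; it is not configuration from the thread or from the OMV project. It puts a catch-all default_server in front of every listen address, so a bare IPv4/IPv6 address or a blind port probe gets a static error page and the Debian snakeoil certificate rather than the OMV login page, and it keeps the Let's Encrypt certificate only on the server block whose name it is signed for. The hostname nas, the DDNS name my.ddns.host, the document roots and the certificate paths (the ssl-cert package's snakeoil files and certbot's /etc/letsencrypt/live layout) are assumptions to adapt to your box.

```nginx
# Added example, not the thread's or OMV's own config.
# Assumed names/paths: nas, my.ddns.host, /var/www/*, cert locations below.

# 1. Catch-all: every request whose Host header (or SNI name) matches no
#    server_name below lands here. This is what a scanner hitting 78.1.2.3,
#    the IPv6 address or a random hostname sees.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # Self-signed cert from the Debian "ssl-cert" package: it carries no
    # real hostname or e-mail, so certificate scrapers learn nothing here.
    ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    # Separate log so the noise from the catch-all is easy to review.
    access_log /var/log/nginx/catchall.access.log;

    root /var/www/html;

    # Everything is refused with a static page; /403.html is "internal",
    # so it can only be reached via the error_page redirect, not directly.
    error_page 403 /403.html;
    location = /403.html { internal; }
    location / { return 403; }
}

# 2. OMV admin UI, reachable only under the NAS hostname (mirrors the
#    server_name / listen fix from the post; the rest of the OMV-generated
#    block stays as it is). Internal-only access is enforced with allow/deny
#    so an external request with Host: nas still gets 403.
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl deferred;
    listen [::]:443 ssl deferred;
    server_name nas nas.local;

    # Assumption: OMV's own certificate lines replace these two.
    ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    allow 192.168.178.0/24;   # assumed LAN
    allow ::1;
    allow 127.0.0.1;
    deny  all;

    # ... OMV-generated root/location/fastcgi directives follow unchanged ...
}

# 3. External site on the DDNS name: plain HTTP only redirects to HTTPS,
#    and the Let's Encrypt cert lives only in this block, so it is served
#    only to clients that already know the name (SNI).
server {
    listen 80;
    listen [::]:80;
    server_name my.ddns.host www.my.ddns.host;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name my.ddns.host www.my.ddns.host;

    ssl_certificate     /etc/letsencrypt/live/my.ddns.host/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my.ddns.host/privkey.pem;

    root /var/www/my.ddns.host;
    location / { try_files $uri $uri/ =404; }
}
```

      Two checks are worth running after nginx -t and a restart. From the LAN, curl -sS -H 'Host: nas' http://192.168.178.111/ should return the OMV page while curl -sS http://192.168.178.111/ (no matching Host) returns the 403 page; from outside, curl -kv https://78.1.2.3/ should show the snakeoil certificate and 403, and only curl -v https://my.ddns.host/ should present the Let's Encrypt chain. Note that default_server may appear on only one server block per address:port pair, and that mixing listen [::]:80 ipv6only=off with a separate listen 80 fails because the IPv6 socket already accepts IPv4 connections, which is why the post's change to separate IPv4 and IPv6 listen lines is needed before a second block on the same port will load.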

    • Rd65 wrote:

      I am really wondering that nobody else complains about that. This bug means no native virtual web servers on OMV... this makes the omv-nginx plugin worthless. But please.... don't treat me again with... use Docker, use Webmin, use whatever...
      I have used the nginx plugin for multiple, name-based virtual webservers on the same port (80) since the plugin was written (almost 6 years ago) and with the apache version before that. It works very well and is definitely possible. The port check is correct based on the abilities of the plugin. What the plugin can't do is create virtual web servers on the same port as the OMV web interface. Move the omv web interface to a different port if you need port 80 for your name-based virtual servers. That is because the plugin doesn't control the OMV config. So, no way to change the plugin to help with that.

      And I will only mention docker because I am not porting the nginx plugin to OMV 5.x... I moved my own sites to docker with an nginx proxy in front of them. Works flawlessly.

      Rd65 wrote:

      Additionally I tried IP-based virtual servers (meaning eth0:1 and eth0:2 with different addresses), but in omv-nginx you can't set up IP addresses for servers... but this is not a bug, more something like a "missing feature".
      OMV has never supported services on select NICs/virtual NICs. That would be a substantial OMV code and philosophy change.
      Image: name-based.jpg (1,079×78)
      omv 5.1.2 usul | 64 bit | 5.3 proxmox kernel | omvextrasorg 5.1.9
      omv-extras.org plugins source code and issue tracker - github

      Please read this before posting a question and this and this for docker questions.
      Please don't PM for support... Too many PMs!
    • Hm.. ok, I will try the omv-nginx plugin again with my fix to the omv-webgui site. As you told, it may work as expected. I didn't test that till now.

      Yes, Docker may be easy to handle... but I don't download and execute code that is unproven, depending on unknown people and complicated to overview. It's worthless to use Docker for things which I can manage easily natively. Lots of people may do that... but not me. This is more a philosophical thing; we will not find a common opinion about that.

      We talked about the development and design rules of OMV... unpleasant.
    • Rd65 wrote:

      Yes, Docker may be easy to handle... but I don't download and execute code that is unproven, depending on unknown people and complicated to overview. It's worthless to use Docker for things which I can manage easily natively. Lots of people may do that... but not me. This is more a philosophical thing; we will not find a common opinion about that.
      If you looked at my docker server, all of my containers are using custom written dockerfiles and the images are built on my server. The only image I download is the base Debian or Ubuntu image. If you can't trust those images or the packages that are downloaded from the Ubuntu or Debian repo, then you probably shouldn't use Ubuntu and Debian. Hell, you could even build those base images from their dockerfiles and you would be downloading NO images from unknown people. By maintaining the dockerfile, I am managing things natively. It allows me to use change control and have things documented. And if things go badly, it is very easy and fast to build the exact same setup that I created initially. Using docker for me is like automating something with a script. I spent years doing things completely manual (lots of years using Gentoo). While that is still something I do from time to time, other times I don't have enough time. I used to think I had no uses for Docker. Once I started using it at home and at work, my eyes were opened to many uses.