Need some help on nginx / bug in omv-nginx

  • I need some help or advice configuring nginx. I know Apache2 configs, but nginx is new to me.


    My setup:
    ISP--<dsl>--Fritzbox with ddns--switch--NAS (OMV) and other clients
    The Fritzbox may route IPv4 and IPv6 ports to the NAS.


    My nginx on the OMV NAS (default server) should be accessible via http and https only from the internal net,
    but it should serve web pages for some external access (via name-based servers?) too.
    So we have different scenarios for different sites.
    These are the possible URLs against nginx:


    nas -> internal
    nas.local -> internal
    192.168.178.111 -> internal
    my SQL manager site -> internal
    my BitTorrent manager site -> internal
    78.1.2.3, which may be my IPv4 address -> external error page
    my.ddns.host -> external site
    2001:4312:..., which may be my IPv6 address -> external error page
    even blind port access without a hostname, routed by the Fritzbox -> external error page
    the WebDAV page... -> internally & externally accessible


    I have installed the omv-nginx plugin too and am able to configure additional name-based sites prepared with Let's Encrypt.
    I think this config depends on the "default server", and I need to configure the OMV site on a name-based server.
    But there is no way to configure that. The OMV site seems to always be the default, plus the additionally configured sites in the nginx plugin.


    But I don't want to show the OMV login page on every web request from outside that doesn't fit a name-based server... I want to send those brute-force clients to an error page.


    On Apache I would configure a default server with an error page and two name-based servers, nas and my.ddns.host.


    Does someone have a hint or a howto link?

    Equipment: a few computers, lots of waste heat, little time and a pile of work.


    When solving problems, dig at the root instead of hacking at the leaves.

    Edited once, last by Rd65

  • OK... I found the next bug in OMV... :) more precisely, in omv-nginx.


    Two sites on one port without name support is not possible; they are only port driven. That's clear.


    Two sites as different virtual server names on the same port are usual... but omv-nginx complains about previously used ports if you try to save the second virtual server name. There is an extra switch in the config web UI to change from port to virtual name support... so it has no reason to complain if the server names are different... but... it complains.
    That's wrong behavior.


    Additionally, I tried IP-based virtual servers (meaning eth0:1 and eth0:2 with different addresses), but in omv-nginx you can't set up IP addresses for servers... but this is not a bug, more something like a "missing feature".


    I am really wondering why nobody else complains about that. This bug means no native virtual web servers on OMV... this makes the omv-nginx plugin worthless. But please... don't treat me again with... use Docker, use Webmin, use whatever...


  • I found a solution... the problem depends on a misconfig of the OMV web UI itself.
    1. We disable the omv-nginx plugin.
    2. We enable the default web page with: # nginx_ensite default
    This will catch all web requests not fitting a virtual host name.
    Its webroot is /var/www/html, so we can place an empty index.html there or use the default nginx web page with a short greeting.
    If we now restart nginx with # service nginx restart, the server will fail.
    This depends on a wrong config in /etc/nginx/sites-available/openmediavault-webgui.
    This is the OMV admin web page. We will fix it.
    3. We rename server_name openmediavault-webgui; to the name of the server as defined in hostname, in my case nas.

    Code
    # the name OMV ships with, kept here commented out for reference
    #    server_name openmediavault-webgui;
    # the machine's real hostname, so a request with Host: nas selects this block
        server_name nas;



    Now the server will listen on the name nas, meaning http://nas shows us the OMV page.
    The next part to fix is the port definition.
    The virtual server nas uses:


    Code
    # one dual-stack socket per port: ipv6only=off makes [::]:80 accept IPv4 connections as well
    listen [::]:80 ipv6only=off;
    listen [::]:443 ipv6only=off ssl deferred;

    4. This breaks the rules for virtual server definitions. We change that to:

    Code
    # separate IPv4 and IPv6 sockets per port; a second server block (the default site)
    # can then listen on the same ports without an "address already in use" failure
    listen 80;
    listen [::]:80;
    #listen [::]:80 ipv6only=off;
    listen 443 ssl deferred;
    listen [::]:443 ssl deferred;
    #listen [::]:443 ipv6only=off ssl deferred;

    It looks the same but is different.
    Now you can start/restart the server with a catch-all default site and a virtual server OMV page on the same IP with the name nas:
    # service nginx restart
    Now you can add more virtual websites with ddns server names, other names and so on.
    If the web plugin worked, it would now be possible to adjust web pages with virtual names. But omv-nginx can't handle multiple sites on the same port. Now, however, it's possible to do it by hand like this:

    Code
    server {
        # the same pair of sockets as the OMV block, so IPv6 clients land here too
        listen       80;
        listen       [::]:80;
        # this block is only selected when the Host header carries one of these names
        server_name  my.ddns.server www.my.ddns.server;
    ...
    }

    To protect these changes against updates and wrong modifications, you can set the immutable bit:
    # chattr +i /etc/nginx/sites-available/openmediavault-webgui
    If you want to allow changes again, remove it with # chattr -i /etc/nginx/sites-available/openmediavault-webgui


    Read the OMV update announcements carefully to see whether they fix this problem.
    Always back up old states and your changes. Maybe omv-firstaid will reset your web config,
    so double-check your web config if you save things that depend on nginx.
    I hope that will help others to fix this issue.


    I think it is a really bad idea to run a web server with PHP7, maybe exposed via ddns, without a catch-all site!
    This invites brute-force hackers and script kiddies.


    And if someone is able to review or fix the omv-nginx port check, please do it... now it is worth it. Maybe it's working now with these modifications, but the thrown errors look (to me) like a problem in omv-nginx too.


    A last tip: if you want to use https with the default server via ddns, place the snakeoil cert in the default server.
    There are scripts out there reading cert info and using emails and hostnames as a starting point for gathering info about you.
    Use your Let's Encrypt cert only in the virtual server_name it is signed for. Someone who doesn't know your ddns name is not able to ask the ddns server anything.


    Edited 3 times, last by Rd65
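    The complete set of server blocks that steps 1 to 4 above arrive at, written out as an added example; this is not the poster's file and not OMV's shipped configuration. It combines the catch-all default site (with the snakeoil certificate, as in the last tip above), the OMV web UI as an ordinary name-based host, and one external ddns site. The hostname nas, the address 192.168.178.111, the name my.ddns.host, the Debian ssl-cert snakeoil paths, the Let's Encrypt paths, the /var/www/... roots and the allow/deny range are assumptions taken from the thread or filled in as placeholders; OMV's own root, index and PHP/fastcgi directives are not reproduced.

```nginx
# Added example, not the poster's file. Assumed: hostname "nas", LAN
# 192.168.178.0/24, external name "my.ddns.host", Debian's ssl-cert snakeoil
# pair, Let's Encrypt under /etc/letsencrypt/live/, web roots under /var/www/.
# OMV's own root/index/PHP directives are not reproduced (see the comment in block 2).

# 1. Catch-all. default_server wins for every request that matches no other
#    server_name on these sockets: bare IPv4/IPv6, unknown names, no Host at all.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    # "" matches a request without a Host header; "_" is just a name that never collides.
    server_name _ "";

    # Self-signed cert on purpose: the Let's Encrypt cert carries my.ddns.host in
    # its SAN, and a scanner hitting the bare IP would read the name out of it.
    ssl_certificate     /etc/ssl/certs/ssl-cert-snakeoil.pem;
    ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;

    root /var/www/html;
    # Every path gets the same static page with a 403; no PHP, no login form here.
    error_page 403 /error.html;
    location = /error.html { internal; }
    location / { return 403; }
    access_log /var/log/nginx/catchall.access.log;
}

# 2. OMV web UI as an ordinary name-based host. One IPv4 and one IPv6 socket
#    per port: a dual-stack "listen [::]:80 ipv6only=off" would also claim
#    0.0.0.0:80 and collide with the catch-all's "listen 80". "deferred" is a
#    socket option and may be set by only one of the blocks sharing a port.
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl deferred;
    listen [::]:443 ssl deferred;

    # The names an internal client may use; an IP literal is a valid server_name.
    server_name nas nas.local 192.168.178.111;

    # server_name only matches the Host header, so this is what actually keeps
    # the UI internal. Add the LAN's IPv6 prefix if clients use IPv6.
    allow 192.168.178.0/24;
    allow 127.0.0.1;
    allow ::1;
    deny  all;

    # ... OMV's own root, index and fastcgi/PHP directives stay here unchanged
}

# 3. External site: only a request carrying exactly this name reaches the
#    Let's Encrypt cert and the content.
server {
    listen 80;
    listen [::]:80;
    server_name my.ddns.host www.my.ddns.host;

    # Keep the ACME challenge on plain HTTP, push everything else to HTTPS.
    # $host is safe in the redirect because this block is only selected when
    # the Host header already equals one of the server_name entries.
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name my.ddns.host www.my.ddns.host;

    ssl_certificate     /etc/letsencrypt/live/my.ddns.host/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/my.ddns.host/privkey.pem;

    root  /var/www/my.ddns.host;
    index index.html;
}
```

    Run nginx -t before the restart: nginx refuses to start with "duplicate listen options" if two server blocks that share an address:port both set socket-level options such as deferred or ipv6only, which is why deferred appears on the OMV block only. Because server_name is matched against the Host header, a scanner that has learned the name nas can still address the OMV block from outside; the allow/deny lines are what enforce the internal-only requirement, not the catch-all.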

    • Official post

    I am really wondering why nobody else complains about that. This bug means no native virtual web servers on OMV... this makes the omv-nginx plugin worthless. But please... don't treat me again with... use Docker, use Webmin, use whatever...

    I have used the nginx plugin for multiple name-based virtual web servers on the same port (80) since the plugin was written (almost 6 years ago), and with the Apache version before that. It works very well and is definitely possible. The port check is correct based on the abilities of the plugin. What the plugin can't do is create virtual web servers on the same port as the OMV web interface. Move the OMV web interface to a different port if you need port 80 for your name-based virtual servers. That is because the plugin doesn't control the OMV config. So, there is no way to change the plugin to help with that.


    And I will only mention Docker because I am not porting the nginx plugin to OMV 5.x... I moved my own sites to Docker with an nginx proxy in front of them. Works flawlessly.


    Additionally, I tried IP-based virtual servers (meaning eth0:1 and eth0:2 with different addresses), but in omv-nginx you can't set up IP addresses for servers... but this is not a bug, more something like a "missing feature".

    OMV has never supported services on selected NICs/virtual NICs. That would be a substantial OMV code and philosophy change.

  • Hm... OK, I will try the omv-nginx plugin again with my fix to the omv-webgui site. As you said, it may work as expected. I haven't tested that until now.


    Yes, Docker may be easy to handle... but I don't download and execute code that is unproven, depends on unknown people and is complicated to oversee. It's worthless to use Docker for things which I can manage easily natively. Lots of people may do that... but not me. This is more a philosophical thing; we will not find a common opinion about that.


    We talked about the development and design rules of OMV... unpleasant.


    • Official post

    Yes, Docker may be easy to handle... but I don't download and execute code that is unproven, depends on unknown people and is complicated to oversee. It's worthless to use Docker for things which I can manage easily natively. Lots of people may do that... but not me. This is more a philosophical thing; we will not find a common opinion about that.

    If you looked at my Docker server, all of my containers are using custom-written Dockerfiles and the images are built on my server. The only image I download is the base Debian or Ubuntu image. If you can't trust those images or the packages that are downloaded from the Ubuntu or Debian repo, then you probably shouldn't use Ubuntu and Debian. Hell, you could even build those base images from their Dockerfiles and you would be downloading NO images from unknown people. By maintaining the Dockerfile, I am managing things natively. It allows me to use change control and have things documented. And if things go badly, it is very easy and fast to build the exact same setup that I created initially. Using Docker for me is like automating something with a script. I spent years doing things completely manually (lots of years using Gentoo). While that is still something I do from time to time, other times I don't have enough time. I used to think I had no uses for Docker. Once I started using it at home and at work, my eyes were opened to many uses.

    omv 7.0-32 sandworm | 64 bit | 6.5 proxmox kernel

    plugins :: omvextrasorg 7.0 | kvm 7.0.9 | compose 7.0.9 | cputemp 7.0 | mergerfs 7.0.3


    omv-extras.org plugins source code and issue tracker - github


    Please try ctrl-shift-R and read this before posting a question.

    Please put your OMV system details in your signature.
    Please don't PM for support... Too many PMs!
