nginx_1.35

proxy_intercept_errors support (opnsense#4224)
multiple client auth CA support (opnsense#4421)
HTTP/2 server checkbox (opnsense#4272)
sendfile form typo (opnsense#4436)
variables  hashes (opnsense#4360)
proxy_cache_valid (opnsense#4481)

Author: kulikov-a

www/nginx/Makefile

@@ -1,6 +1,5 @@
 PLUGIN_NAME=		nginx
-PLUGIN_VERSION=		1.34
-PLUGIN_REVISION=	6
+PLUGIN_VERSION=		1.35
 PLUGIN_COMMENT=		Nginx HTTP server and reverse proxy
 PLUGIN_DEPENDS=		nginx
 PLUGIN_MAINTAINER=	[email protected]

www/nginx/pkg-descr

@@ -10,6 +10,15 @@ WWW: https://nginx.org/
 Plugin Changelog
 ================
 
+1.35
+
+* Global options sendfile directive typo fix
+* Add HTTP/2 option to GUI
+* Add multiple client authentication trusted CA support
+* Add proxy_intercept_errors directive support
+* Add Variables hashes size support
+* Add proxy_cache_valid directive support with response codes and multiple selection options
+
 1.34
 
 * Add the option to not log TLS handshakes

www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/Api/SettingsController.php

@@ -249,6 +249,32 @@ public function setresolverAction($uuid)
         return $this->setBase('resolver', 'resolver', $uuid);
     }
 
+    // proxy_cache_valid
+    public function searchproxyCacheValidAction()
+    {
+        return $this->searchBase('proxy_cache_valid', array('uuid', 'description', 'code', 'valid'));
+    }
+
+    public function getproxyCacheValidAction($uuid = null)
+    {
+        return $this->getBase('proxy_cache_valid', 'proxy_cache_valid', $uuid);
+    }
+
+    public function addproxyCacheValidAction()
+    {
+        return $this->addBase('proxy_cache_valid', 'proxy_cache_valid');
+    }
+
+    public function delproxyCacheValidAction($uuid)
+    {
+        return $this->delBase('proxy_cache_valid', $uuid);
+    }
+
+    public function setproxyCacheValidAction($uuid)
+    {
+        return $this->setBase('proxy_cache_valid', 'proxy_cache_valid', $uuid);
+    }
+
     // http server
     public function searchhttpserverAction()
     {

www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/IndexController.php

@@ -64,6 +64,7 @@ public function indexAction()
         $this->view->errorpage = $this->getForm("errorpage");
         $this->view->tls_fingerprint = $this->getForm("tls_fingerprint");
         $this->view->resolver = $this->getForm("resolver");
+        $this->view->proxy_cache_valid = $this->getForm("proxy_cache_valid");
         $this->view->syslog_target = $this->getForm("syslog_target");
         $nginx = new Nginx();
         $this->view->show_naxsi_download_button =

www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/httpserver.xml

@@ -113,7 +113,8 @@
   <field>
     <id>httpserver.ca</id>
     <label>Client CA Certificate</label>
-    <type>dropdown</type>
+    <type>select_multiple</type>
+    <help>Trusted CA certificates</help>
   </field>
   <field>
     <id>httpserver.verify_client</id>
@@ -165,6 +166,13 @@
     <type>checkbox</type>
     <help>If the request scheme is not HTTPS, redirect to use HTTPS for this server.</help>
   </field>
+  <field>
+    <id>httpserver.http2</id>
+    <label>HTTP/2</label>
+    <type>checkbox</type>
+    <help>Enable the HTTP/2 protocol.</help>
+    <advanced>true</advanced>
+  </field>
   <field>
     <id>httpserver.tls_protocols</id>
     <label>TLS Protocols</label>
@@ -320,4 +328,11 @@
     <type>select_multiple</type>
     <help>Select custom error pages to display instead of the default builtin error pages. If at least one error page is selected here, all default error pages will be disabled.</help>
   </field>
+  <field>
+    <id>httpserver.proxy_intercept_errors</id>
+    <label>Intercept errors</label>
+    <type>checkbox</type>
+    <help>Intercept responses with codes greater than or equal to 300 and redirect to processing with custom error pages.</help>
+    <advanced>true</advanced>
+  </field>
 </form>

www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/location.xml

@@ -98,11 +98,19 @@
   </field>
   <field>
     <id>location.cache_valid</id>
-    <label>Cache: Force caching time</label>
+    <label>Cache: Force basic caching time</label>
     <type>text</type>
     <advanced>true</advanced>
     <help>Force caching of 200, 301 and 302 responses according to the request methods enabled for caching. Given in minutes; leave empty to rely on request/response headers from client and upstream.</help>
   </field>
+  <field>
+    <id>location.proxy_cache_valid</id>
+    <label>Cache: Force custom caching times</label>
+    <type>select_multiple</type>
+    <style>selectpicker</style>
+    <advanced>true</advanced>
+    <help>Force caching of response codes specified at Response Code Caching page.</help>
+  </field>
   <field>
     <id>location.cache_background_update</id>
     <label>Cache: Background Update</label>
@@ -335,4 +343,12 @@
     <type>select_multiple</type>
     <help>Select custom error pages to display instead of the default builtin error pages. Selection will override error pages configured on HTTP server.</help>
   </field>
+  <field>
+    <id>location.proxy_intercept_errors</id>
+    <label>Intercept errors</label>
+    <type>dropdown</type>
+    <style>selectpicker</style>
+    <help>Intercept responses with codes greater than or equal to 300 and redirect to processing with custom error pages.</help>
+    <advanced>true</advanced>
+  </field>
 </form>

www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/proxy_cache_valid.xml

@@ -0,0 +1,22 @@
+<form>
+  <field>
+    <id>proxy_cache_valid.description</id>
+    <label>Description</label>
+    <type>text</type>
+    <help>Brief description for reference.</help>
+  </field>
+  <field>
+    <id>proxy_cache_valid.code</id>
+    <label>Code(s)</label>
+    <allownew>true</allownew>
+    <style>tokenize</style>
+    <type>select_multiple</type>
+    <help>Enter a Respone codes or use "any" to cache any responses.</help>
+  </field>
+  <field>
+    <id>proxy_cache_valid.valid</id>
+    <label>Caching Time</label>
+    <type>text</type>
+    <help>Specify caching time in minutes.</help>
+  </field>
+</form>

www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/settings.xml

@@ -31,7 +31,7 @@
                 <advanced>true</advanced>
             </field>
             <field>
-                <id>nginx.http.enabled</id>
+                <id>nginx.http.sendfile</id>
                 <label>Enable sendfile</label>
                 <type>checkbox</type>
                 <help>Enable sendfile support (faster).</help>
@@ -56,7 +56,7 @@
             </field>
             <field>
                 <id>nginx.http.server_names_hash_bucket_size</id>
-                <label>Hash Bucket Size</label>
+                <label>Server Names Hash Bucket Size</label>
                 <type>text</type>
                 <advanced>true</advanced>
             </field>
@@ -66,6 +66,18 @@
                 <type>text</type>
                 <advanced>true</advanced>
             </field>
+            <field>
+                <id>nginx.http.variables_hash_bucket_size</id>
+                <label>Variables Hash Bucket Size</label>
+                <type>text</type>
+                <advanced>true</advanced>
+            </field>
+            <field>
+                <id>nginx.http.variables_hash_max_size</id>
+                <label>Variables Hash Max Size</label>
+                <type>text</type>
+                <advanced>true</advanced>
+            </field>
             <field>
                 <id>nginx.http.bots_ua</id>
                 <label>Bots User Agents</label>

www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml

@@ -1,6 +1,6 @@
 <model>
   <mount>//OPNsense/Nginx</mount>
-  <version>1.34</version>
+  <version>1.35</version>
   <description>nginx web server, reverse proxy and waf</description>
   <items>
     <general>
@@ -56,6 +56,14 @@
         <Required>N</Required>
         <MinimumValue>1</MinimumValue>
       </server_names_hash_max_size>
+      <variables_hash_max_size type="IntegerField">
+        <Required>N</Required>
+        <MinimumValue>1</MinimumValue>
+      </variables_hash_max_size>
+      <variables_hash_bucket_size type="IntegerField">
+        <Required>N</Required>
+        <MinimumValue>1</MinimumValue>
+      </variables_hash_bucket_size>
       <ban_response type="OptionField">
         <multiple>N</multiple>
         <OptionValues>
@@ -352,6 +360,18 @@
       <cache_valid type="IntegerField">
         <Required>N</Required>
       </cache_valid>
+      <proxy_cache_valid type="ModelRelationField">
+        <Model>
+          <template>
+            <source>OPNsense.Nginx.Nginx</source>
+            <items>proxy_cache_valid</items>
+            <display>description</display>
+          </template>
+        </Model>
+        <ValidationMessage>Selected caching time settings not found</ValidationMessage>
+        <Required>N</Required>
+        <multiple>Y</multiple>
+      </proxy_cache_valid>
       <cache_background_update type="BooleanField">
         <Required>Y</Required>
         <default>0</default>
@@ -557,6 +577,15 @@
         <Required>N</Required>
         <multiple>Y</multiple>
       </errorpages>
+      <proxy_intercept_errors type="OptionField">
+        <default>Inherit</default>
+        <Required>Y</Required>
+        <OptionValues>
+          <Inherit>Inherit</Inherit>
+          <on>On</on>
+          <off>Off</off>
+        </OptionValues>
+      </proxy_intercept_errors>
     </location>
 
     <custom_policy type="ArrayField">
@@ -827,6 +856,7 @@
       <ca type="CertificateField">
         <Type>ca</Type>
         <Required>N</Required>
+        <multiple>Y</multiple>
       </ca>
       <verify_client type="OptionField">
         <default>Off</default>
@@ -881,6 +911,10 @@
         <default>0</default>
         <Required>Y</Required>
       </https_only>
+      <http2 type="BooleanField">
+        <default>1</default>
+        <Required>Y</Required>
+      </http2>
       <tls_protocols type="OptionField">
         <multiple>Y</multiple>
         <Sorted>Y</Sorted>
@@ -1038,6 +1072,10 @@
         <Required>N</Required>
         <multiple>Y</multiple>
       </errorpages>
+      <proxy_intercept_errors type="BooleanField">
+        <default>0</default>
+        <Required>Y</Required>
+      </proxy_intercept_errors>
     </http_server>
 
     <stream_server type="ArrayField">
@@ -1955,6 +1993,24 @@
       </max_size>
     </cache_path>
 
+    <proxy_cache_valid type="ArrayField">
+      <description type="TextField">
+        <Required>Y</Required>
+        <mask>/^[^" \t]+$/i</mask>
+      </description>
+      <code type="CSVListField">
+        <Required>Y</Required>
+        <default>any</default>
+        <multiple>Y</multiple>
+        <mask>/(^\d{3}(,\d{3})*$)|(^any$)/</mask>
+        <ValidationMessage>Please use three digit response code(s) or use "any" word.</ValidationMessage>
+      </code>
+      <valid type="IntegerField">
+        <MinimumValue>1</MinimumValue>
+        <Required>Y</Required>
+      </valid>
+    </proxy_cache_valid>
+
     <syslog_target type="ArrayField">
       <description type="TextField">
         <Required>Y</Required>

www/nginx/src/opnsense/mvc/app/views/OPNsense/Nginx/index.volt

@@ -193,6 +193,9 @@
             <li>
                 <a data-toggle="tab" id="subtab_item_nginx-http-cache_path" href="#subtab_nginx-http-cache_path">{{ lang._('Cache Path')}}</a>
             </li>
+            <li>
+                <a data-toggle="tab" id="subtab_item_nginx-http-proxy_cache_valid" href="#subtab_nginx-http-proxy_cache_valid">{{ lang._('Response Code Caching')}}</a>
+            </li>
             <li>
                 <a data-toggle="tab" id="subtab_item_nginx-http-errorpages" href="#subtab_nginx-http-errorpages">{{ lang._('Error Pages')}}</a>
             </li>
@@ -603,6 +606,30 @@
             </tfoot>
         </table>
     </div>
+    <div id="subtab_nginx-http-proxy_cache_valid" class="tab-pane fade">
+        <table id="grid-proxy_cache_valid" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="proxy_cache_validdlg">
+            <thead>
+                <tr>
+                    <th data-column-id="uuid" data-type="string" data-sortable="true" data-visible="false">{{ lang._('ID') }}</th>
+                    <th data-column-id="description" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Description') }}</th>
+                    <th data-column-id="code" data-type="string" data-sortable="true" data-visible="true">{{ lang._('Codes') }}</th>
+                    <th data-column-id="valid" data-type="numeric" data-sortable="true" data-visible="true">{{ lang._('Time') }}</th>
+                    <th data-column-id="commands" data-width="10em" data-formatter="commands" data-sortable="false">{{ lang._('Commands') }}</th>
+                </tr>
+            </thead>
+            <tbody>
+            </tbody>
+            <tfoot>
+            <tr>
+                <td></td>
+                <td>
+                    <button data-action="add" type="button" class="btn btn-xs btn-default"><span class="fa fa-plus"></span></button>
+                    <button type="button" class="btn btn-xs reload_btn btn-primary"><span class="fa fa-refresh reloadAct_progress"></span></button>
+                </td>
+            </tr>
+            </tfoot>
+        </table>
+    </div>
     <div id="subtab_nginx-access-request-limit" class="tab-pane fade">
         <table id="grid-limit_zone" class="table table-condensed table-hover table-striped table-responsive" data-editDialog="limit_zonedlg">
             <thead>
@@ -825,6 +852,7 @@
 {{ partial("layout_partials/base_dialog",['fields': limit_request_connection,'id':'limit_request_connectiondlg', 'label':lang._('Edit Request Connection Limit')]) }}
 {{ partial("layout_partials/base_dialog",['fields': limit_zone,'id':'limit_zonedlg', 'label':lang._('Edit Limit Zone')]) }}
 {{ partial("layout_partials/base_dialog",['fields': cache_path,'id':'cache_pathdlg', 'label':lang._('Edit Cache Path')]) }}
+{{ partial("layout_partials/base_dialog",['fields': proxy_cache_valid,'id':'proxy_cache_validdlg', 'label':lang._('Edit Response Code Caching')]) }}
 {{ partial("layout_partials/base_dialog",['fields': sni_hostname_map,'id':'sni_hostname_mapdlg', 'label':lang._('Edit SNI Hostname Mapping')]) }}
 {{ partial("layout_partials/base_dialog",['fields': ipacl,'id':'ipacl_dlg', 'label':lang._('Edit IP ACL')]) }}
 {{ partial("layout_partials/base_dialog",['fields': errorpage,'id':'errorpage_dlg', 'label':lang._('Edit Error Page')]) }}

www/nginx/src/opnsense/scripts/nginx/setup.php

@@ -120,15 +120,25 @@ function find_ca($refid)
                 $cert['prv']
             );
             if (!empty($http_server['ca'])) {
-                foreach ($http_server['ca'] as $caref) {
-                    $ca = find_ca($caref);
-                    if (isset($ca)) {
-                        export_pem_file(
-                            KEY_DIRECTORY . $hostname . '_ca.pem',
-                            $ca['crt']
-                        );
+                syslog(LOG_DEBUG, "NGINX setup: Setting up the CA certs for {$hostname}.");
+                $ca_certs = [];
+                foreach ($http_server['ca'] as $carefs) {
+                    foreach(explode(',', $carefs) as $caref) {
+                        syslog(LOG_DEBUG, "NGINX setup: Searching for {$caref} CA data");
+                        $ca = find_ca($caref);
+                        if (isset($ca)) {
+                            syslog(LOG_DEBUG, "NGINX setup: client auth CA found. Adding to the list");
+                            $ca_certs[] = base64_decode($ca['crt']);
+                        }
                     }
                 }
+                if (count($ca_certs) > 0) {
+                    export_pem_file(
+                        KEY_DIRECTORY . $hostname . '_ca.pem',
+                        '',
+                        implode("\n", $ca_certs)
+                    );
+                }
             }
         }
     }