upstream/opnsense-plugins
1
0
Fork 0
mirror of https://github.com/opnsense/plugins.git synced 2026-05-28 04:34:15 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge 56e2cabb72 into cb9a5d6d69

Browse source
This commit is contained in:
Peter Gerber 2026-05-25 09:39:50 +08:00 committed by GitHub
commit 78c6878467
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
3 changed files with 72 additions and 37 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

49
security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/HttpOpnsense.php
View file

@ -28,6 +28,8 @@
namespace OPNsense\AcmeClient\LeValidation;
require_once('util.inc');
use OPNsense\AcmeClient\LeValidationInterface;
use OPNsense\AcmeClient\LeUtils;
use OPNsense\Core\Config;
@ -77,21 +79,38 @@ class HttpOpnsense extends Base implements LeValidationInterface
$backend = new \OPNsense\Core\Backend();
$interface = (string)$this->config->http_opn_interface;
$response = json_decode($backend->configdpRun('interface address', [$interface]));
// XXX Returns both IPv4 and IPv6 now. While "[0]" and
// "[1]" should remain in this order it would make sense
// to ensure "family" matches "inet" or "inet6" and/or
// pull both addresses for missing IPv6 support depending
// on how this should work.
if (!empty($response->$interface[0]->address)) {
$iplist[] = $response->$interface[0]->address;
}
foreach ($response->$interface as $if) {
if (!empty($if->address)) {
$iplist[] = $if->address;
}
}
}
// Check if IPv6 support is enabled
if (isset($configObj->system->ipv6allow) && ($configObj->system->ipv6allow == '1')) {
$_ipv6_enabled = true;
} else {
$_ipv6_enabled = false;
// Find redirect target for IPv6
//
// Needed because redirecting to ::1 isn't allowed [1].
//
// [1]: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193568
$ipv6_redirect_addr = null;
if (is_ipv6_allowed()) {
$backend = new \OPNsense\Core\Backend();
$interface = "wan";
$response = json_decode($backend->configdpRun('interface address', [$interface]));
if (isset($response->$interface)) {
foreach ($response->$interface as $if) {
if (!empty($if->address) && $if->family == "inet6") {
$ipv6_redirect_addr = $if->address;
break;
}
}
}
if ($ipv6_redirect_addr != null) {
LeUtils::log("found IPv6 on WAN interface, will redirect traffic there ({$ipv6_redirect_addr})");
} else {
LeUtils::log("failed to find IPv6 on WAN interface ($interface), will not rewrite target address");
}
}
// Generate rules for all IP addresses
@ -105,9 +124,9 @@ class HttpOpnsense extends Base implements LeValidationInterface
$_dst = '127.0.0.1';
$_family = 'inet';
LeUtils::log("using IPv4 address: {$ip}");
} elseif (($_ipv6_enabled == true) && (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) {
} elseif (is_ipv6_allowed() && (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) {
// IPv6
$_dst = '::1';
$_dst = $ipv6_redirect_addr != null ? $ipv6_redirect_addr : $ip;
$_family = 'inet6';
LeUtils::log("using IPv6 address: {$ip}");
} else {

49
security/acme-client/src/opnsense/mvc/app/library/OPNsense/AcmeClient/LeValidation/TlsalpnAcme.php
View file

@ -28,6 +28,8 @@
namespace OPNsense\AcmeClient\LeValidation;
require_once('util.inc');
use OPNsense\AcmeClient\LeValidationInterface;
use OPNsense\AcmeClient\LeUtils;
use OPNsense\Core\Config;
@ -78,21 +80,38 @@ class TlsalpnAcme extends Base implements LeValidationInterface
$backend = new \OPNsense\Core\Backend();
$interface = (string)$this->config->tlsalpn_acme_interface;
$response = json_decode($backend->configdpRun('interface address', [$interface]));
// XXX Returns both IPv4 and IPv6 now. While "[0]" and
// "[1]" should remain in this order it would make sense
// to ensure "family" matches "inet" or "inet6" and/or
// pull both addresses for missing IPv6 support depending
// on how this should work.
if (!empty($response->$interface[0]->address)) {
$iplist[] = $response->$interface[0]->address;
}
foreach ($response->$interface as $if) {
if (!empty($if->address)) {
$iplist[] = $if->address;
}
}
}
// Check if IPv6 support is enabled
if (isset($configObj->system->ipv6allow) && ($configObj->system->ipv6allow == '1')) {
$_ipv6_enabled = true;
} else {
$_ipv6_enabled = false;
// Find redirect target for IPv6
//
// Needed because redirecting to ::1 isn't allowed [1].
//
// [1]: https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193568
$ipv6_redirect_addr = null;
if (is_ipv6_allowed()) {
$backend = new \OPNsense\Core\Backend();
$interface = "wan";
$response = json_decode($backend->configdpRun('interface address', [$interface]));
if (isset($response->$interface)) {
foreach ($response->$interface as $if) {
if (!empty($if->address) && $if->family == "inet6") {
$ipv6_redirect_addr = $if->address;
break;
}
}
}
if ($ipv6_redirect_addr != null) {
LeUtils::log("found IPv6 on WAN interface, will redirect traffic there ({$ipv6_redirect_addr})");
} else {
LeUtils::log("failed to find IPv6 on WAN interface ($interface), will not rewrite target address");
}
}
// Generate rules for all IP addresses
@ -106,9 +125,9 @@ class TlsalpnAcme extends Base implements LeValidationInterface
$_dst = '127.0.0.1';
$_family = 'inet';
LeUtils::log("using IPv4 address: {$ip}");
} elseif (($_ipv6_enabled == true) && (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) {
} elseif (is_ipv6_allowed() && (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV6))) {
// IPv6
$_dst = '::1';
$_dst = $ipv6_redirect_addr != null ? $ipv6_redirect_addr : $ip;
$_family = 'inet6';
LeUtils::log("using IPv6 address: {$ip}");
} else {

11
security/acme-client/src/opnsense/service/templates/OPNsense/AcmeClient/lighttpd-acme-challenge.conf
View file

@ -7,7 +7,7 @@
# FreeBSD!
server.event-handler = "freebsd-kqueue"
server.network-backend = "writev"
#server.use-ipv6 = "enable"
server.use-ipv6 = "{{ 'enable' if OPNsense.Interfaces.settings.disableipv6 == "0" else 'disable' }}"
# modules to load
server.modules = ( "mod_access", "mod_expire", "mod_deflate", "mod_redirect",
@ -60,13 +60,10 @@ mimetype.assign = (
url.access-deny = ( "~", ".inc" )
# bind to port
server.bind = "127.0.0.1"
server.port = {{OPNsense.AcmeClient.settings.challengePort}}
$SERVER["socket"] == "127.0.0.1:{{OPNsense.AcmeClient.settings.challengePort}}" { }
{% if helpers.exists('system.ipv6allow') and system.ipv6allow|default("0") == "1" %}
# IPv6
$SERVER["socket"] == "[::1]:{{OPNsense.AcmeClient.settings.challengePort}}" { }
$SERVER["socket"] == "0.0.0.0:{{OPNsense.AcmeClient.settings.challengePort}}" { }
{% if OPNsense.Interfaces.settings.disableipv6 == "1" %}
$SERVER["socket"] == "[::]:{{OPNsense.AcmeClient.settings.challengePort}}" { }
{% endif %}
# to help the rc.scripts