diff --git a/www/nginx/Makefile b/www/nginx/Makefile
index c4529bdc5..87191c8e4 100644
--- a/www/nginx/Makefile
+++ b/www/nginx/Makefile
@@ -1,5 +1,5 @@
PLUGIN_NAME= nginx
-PLUGIN_VERSION= 0.3
+PLUGIN_VERSION= 0.4
PLUGIN_COMMENT= Nginx HTTP server and reverse proxy
PLUGIN_DEPENDS= nginx
PLUGIN_MAINTAINER= franz.fabian.94@gmail.com
diff --git a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml
index 4b8092077..722bc6339 100644
--- a/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml
+++ b/www/nginx/src/opnsense/mvc/app/controllers/OPNsense/Nginx/forms/upstream.xml
@@ -10,4 +10,58 @@
select_multiple
+
+ upstream.tls_enable
+
+ Authenticate on the Server using a client certificate.
+ checkbox
+
+
+ upstream.tls_client_certificate
+
+ Authenticate on the Server using a client certificate.
+
+ dropdown
+
+
+ upstream.tls_name_override
+
+ Use another hostname for SNI and certificate validation.
+ text
+
+
+ upstream.tls_protocol_versions
+
+
+ select_multiple
+
+
+ upstream.tls_session_reuse
+
+ checkbox
+
+
+ upstream.tls_trusted_certificate
+
+
+ select_multiple
+
+
+ upstream.tls_verify
+
+ checkbox
+ Don't turn it off unless you really know what you are doing! Never do it because a random website tells you to do.
+
+
+ upstream.tls_verify_depth
+
+ text
+ Choose how many sub-CAs can be between the server certificate and a trusted CA. 1 means the certificate has to be signed directly by a CA.
+
+
+ upstream.store
+
+ checkbox
+ Store the response on the local storage.
+
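Review bot: The help text for upstream.tls_client_certificate at L27 repeats the tls_enable description ("Authenticate on the Server using a client certificate.") instead of describing the field itself; something like `Certificate and private key presented to the upstream server when client authentication is enabled.` would tell the user what the dropdown selects. tls_protocol_versions (L38), tls_session_reuse (L44) and tls_trusted_certificate (L49) carry no help text at all while the other new fields do, so a one-line description for each would keep the form consistent (for tls_trusted_certificate in particular, which CAs are used when nothing is selected). The XML tags are stripped in this rendering, so I am referring to the fields by their ids rather than their element names.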
diff --git a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
index cdb43e7de..8ef5a9098 100644
--- a/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
+++ b/www/nginx/src/opnsense/mvc/app/models/OPNsense/Nginx/Nginx.xml
@@ -73,6 +73,49 @@
Y
Y
+
+ Y
+ 0
+
+
+ Y
+ 0
+
+
+ cert
+ N
+
+
+ N
+
+
+ Y
+
+ TLSv1
+ TLSv1.1
+ TLSv1.2
+ TLSv1.3
+
+ N
+
+
+ Y
+ 1
+
+
+ ca
+ Y
+ N
+
+
+ Y
+ 1
+
+
+ N
+ 1
+ 1
+
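Review bot: The protocol option list at L97–L100 offers TLSv1 and TLSv1.1 next to the current versions with nothing marking them as legacy, and the template emits whatever is selected verbatim; a short hint in the field's description (or ordering the current versions first) would steer administrators toward TLSv1.2/1.3. Because the tags are stripped in this rendering I cannot tell which of the values at L80–L121 are the defaults for tls_verify and tls_protocol_versions; if tls_protocol_versions has no default, nginx's own proxy_ssl_protocols default applies, which is worth stating in the help text so the behaviour of an empty selection is documented.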
diff --git a/www/nginx/src/opnsense/scripts/nginx/setup.php b/www/nginx/src/opnsense/scripts/nginx/setup.php
index 7cb8592ae..d5ce17511 100755
--- a/www/nginx/src/opnsense/scripts/nginx/setup.php
+++ b/www/nginx/src/opnsense/scripts/nginx/setup.php
@@ -33,7 +33,7 @@ function find_ca($refid) {
}
}
-// export certificates
+// export server certificates
if (!isset($config['OPNsense']['Nginx'])) {
die("nginx is not configured");
}
@@ -78,7 +78,52 @@ foreach ($http_servers as $http_server) {
}
}
}
-// end export certificates
+// end export server certificates
+
+// begin export client and upstream trust certificates
+if (isset($nginx['upstream'])) {
+ if (is_array($nginx['upstream']) && !isset($nginx['upstream']['description'])) {
+ $upstreams = $nginx['upstream'];
+ } else {
+ $upstreams = array($nginx['upstream']);
+ }
+
+ foreach ($upstreams as $upstream) {
+ $upstream_uuid = $upstream['@attributes']['uuid'];
+ if (!empty($upstream['tls_enable']) && $upstream['tls_enable'] == '1')
+ {
+ // try to find the reference
+ if (!empty($upstream['tls_client_certificate'])) {
+ $cert = find_cert($upstream['tls_client_certificate']);
+ if (isset($cert)) {
+ $hostname = explode(',', $http_server['servername'])[0];
+ export_pem_file(
+ '/usr/local/etc/nginx/key/' . $upstream['tls_client_certificate'] . '.pem',
+ $cert['crt']
+ );
+ export_pem_file(
+ '/usr/local/etc/nginx/key/' . $upstream['tls_client_certificate'] . '.key',
+ $cert['prv']
+ );
+ }
+ }
+ if (!empty($upstream['tls_trusted_certificate'])) {
+ $cas = array();
+ foreach ($http_server['ca'] as $caref) {
+ $ca = find_ca($caref);
+ if (isset($ca)) {
+ $cas[] = $ca;
+ }
+ }
+ export_pem_file(
+ '/usr/local/etc/nginx/key/trust_upstream_' . $upstream_uuid . '.pem',
+ implode("\n", $cas)
+ );
+ }
+ }
+ }
+}
+// end export client and upstream trust certificates
// export users
$nginx = new Nginx();
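Review bot: The trust bundle written at L176–L179 is built from `$http_server['ca']`, a variable left over from the server loop that closes at L137, rather than from the upstream's own tls_trusted_certificate, so every `trust_upstream_<uuid>.pem` ends up holding the last HTTP server's CAs (or nothing) instead of the CAs the user selected; the loop should read `foreach (explode(',', $upstream['tls_trusted_certificate']) as $caref) {` — the form declares the field as select_multiple, so presumably a comma-separated list of CA refids. The `$hostname` assignment at L157 reuses the same stale `$http_server` and is never used, so it should be dropped. If find_ca() returns an array the way find_cert() evidently does (`$cert['crt']`, `$cert['prv']`), `implode("\n", $cas)` would need to pick the PEM member; find_ca is defined outside the hunk so I cannot confirm. The tls_client_certificate value is concatenated into the key-file path at L159/L163 without validation; it is a refid chosen from a dropdown so the exposure is small, but passing it through `basename()` or checking it against the refid format would keep the export robust against a hand-edited config.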
diff --git a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
index 80401f2c7..1f5a6c407 100644
--- a/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
+++ b/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/location.conf
@@ -56,7 +56,34 @@ location {{ location.matchtype }} {{ location.urlpattern }} {
{% endif %}
{% endif %}
{% if location.upstream is defined %}
- proxy_pass http://upstream{{ location.upstream.replace('-','') }};
+{% set upstream = helpers.getUUID(location.upstream) %}
+ proxy_pass http{% if upstream.tls_enable == '1' %}s{% endif %}://upstream{{ location.upstream.replace('-','') }};
+{% if upstream.tls_enable == '1' %}
+{% if upstream.tls_client_certificate is defined and upstream.tls_client_certificate != '' %}
+ proxy_ssl_certificate_key /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.key;
+ proxy_ssl_certificate /usr/local/etc/nginx/key/{{ upstream.tls_client_certificate }}.pem;
+{% endif %}
+{% if upstream.tls_name_override is defined and upstream.tls_name_override != '' %}
+ proxy_ssl_name {{ upstream.tls_name_override }};
+{% endif %}
+{% if upstream.tls_protocol_versions is defined and upstream.tls_protocol_versions != '' %}
+ proxy_ssl_protocols {{ upstream.tls_protocol_versions.replace(',', ' ') }};
+{% endif %}
+{% if upstream.tls_name_override is defined %}
+ proxy_ssl_session_reuse {% if upstream.tls_name_override != '0' %}off{% else %}on{% endif %};
+{% endif %}
+{% if upstream.tls_trusted_certificate is defined and upstream.tls_trusted_certificate != '' %}
+ proxy_ssl_trusted_certificate /usr/local/etc/nginx/key/trust_upstream_{{ location.upstream }}.pem;
+{% else %}
+ proxy_ssl_trusted_certificate /etc/ssl/cert.pem;
+{% endif %}
+{% if upstream.tls_verify_depth is defined and upstream.tls_verify_depth != '' %}
+ proxy_ssl_verify_depth {{ upstream.tls_verify_depth }};
+{% endif %}
+{% if upstream.store is defined and upstream.store != '' %}
+ proxy_store {% if upstream.store == '1' %}on{% else %}off{% endif %};
+{% endif %}
+{% endif %}
{% endif %}
}
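Review bot: The new block never emits `proxy_ssl_verify`, and nginx's default for that directive is off, so the upstream certificate is not validated and `proxy_ssl_trusted_certificate` / `proxy_ssl_verify_depth` at L213–L218 have no effect, even though the model adds a tls_verify field and the form warns users not to turn it off. The session-reuse directive at L209–L210 also tests `tls_name_override` instead of `tls_session_reuse` and maps any non-'0' value to off, which looks like a copy-paste slip from the block above it. Since `proxy_ssl_name` only affects the SNI that is sent when `proxy_ssl_server_name` is on, the name-override block presumably also needs that directive to match the form's "SNI and certificate validation" description. The rewritten lines below replace L203–L205 and L209–L211 and add the verify directive inside the tls_enable branch.
```jinja
{% if upstream.tls_enable == '1' %}
{# … unchanged: client certificate block … #}
{% if upstream.tls_name_override is defined and upstream.tls_name_override != '' %}
    proxy_ssl_name {{ upstream.tls_name_override }};
    proxy_ssl_server_name on;
{% endif %}
{# … unchanged: protocol versions block … #}
{% if upstream.tls_session_reuse is defined %}
    proxy_ssl_session_reuse {% if upstream.tls_session_reuse == '1' %}on{% else %}off{% endif %};
{% endif %}
{% if upstream.tls_verify is defined %}
    proxy_ssl_verify {% if upstream.tls_verify == '1' %}on{% else %}off{% endif %};
{% endif %}
{# … unchanged: trusted certificate, verify depth and proxy_store blocks … #}
```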