how to "legally" adapt nginx.conf?

Status
Not open for further replies.

klapperp

Cadet
Joined
May 21, 2018
Messages
4
Hi,

I am using a FreeNAS server version FreeNAS-11.1-U4 which is connected to multiple vlan interfaces:

# ifconfig -a | grep vl | grep -v inet6
vlan120: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 120 vlanpcp: 0 parent interface: lagg0
        groups: vlan
vlan89: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 89 vlanpcp: 0 parent interface: lagg0
        groups: vlan
vlan90: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 90 vlanpcp: 0 parent interface: lagg0
        groups: vlan
vlan521: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
        vlan: 521 vlanpcp: 0 parent interface: lagg0
        groups: vlan

Everything works perfectly, except for the fact that I need to restrict the web GUI to listen only on 2 VLANs on their IPv4 addresses. With the integrated FreeNAS configuration tools I can only select either all IPv4 or IPv6 addresses for the web GUI, or one IPv4 or IPv6 address, but I need two IPv4 addresses and no IPv6 address. It is very simple to achieve this by editing the file /usr/local/etc/nginx/nginx.conf as follows:

    server {
        server_name localhost;
        listen 172.x.y.z:80;
        listen 192.X.Y.Z:80;
        #listen [::]:80;

Although this works for a reboot, it does not work for an upgrade. Is there any way to make this change permanent in the configuration database?

Thanks in advance for your help!
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
Sounds like an idea for a feature request. I know some people have also asked for basic firewall functionality to do the same kind of things.
 

mpfusion

Contributor
Joined
Jan 6, 2014
Messages
198
+1

Please file a request. I wanted to report this feature for a while but intended to check out the new 11.2 GUI first. I'd rephrase it as “More fine-grained control of GUI listen interface”. Currently it's one interface or all.
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
I still think a simple implementation of pf would be great. We could have a default deny and as services are enabled, automatically add rules with descriptions, have whitelists of networks that we can "attach" to each service, block lists, etc...

I may want to use the TFTP server to PXE boot my ESXi host for auto deploy, but I want to restrict that to the auto deploy subnet/VLAN.
 

klapperp

Cadet
Joined
May 21, 2018
Messages
4
FreeBSD's PF is generally a good idea when you have a FreeNAS on the public internet, but my request to select more than one, but not all, interfaces for the web GUI is more basic, because it is made right after the installation during the basic setup on the console, and it is one of the first steps before you even decide what services will run on your FreeNAS. I think it is not a big deal to implement this, but I don't want to unofficially patch my FreeNAS to keep it consistent.

Is there a mechanism in FreeNAS to make such manual changes via console permanent, even when you update FreeNAS?
 

kdragon75

Wizard
Joined
Aug 7, 2016
Messages
2,457
Nope. The middleware will always rewrite the config file based on its config db. This needs to be implemented in the config db.
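
Because the file is regenerated from the config db, a hand-edited listen restriction can silently revert; the following check is an added example, not part of the thread and not FreeNAS code, that flags any active `listen` directive outside an allowlist. The function names are hypothetical and the addresses are constructed placeholders from the documentation ranges.

```shell
#!/bin/sh
# Added example (not from the thread): flag nginx listen directives outside an allowlist.

# Print each active listen address, one per line. Comments are dropped and a
# bare port ("listen 80;") becomes "*:80", since nginx binds it on all addresses.
listen_addrs() {
    awk '
        { sub(/#.*/, "") }
        $1 == "listen" {
            addr = $2
            sub(/;.*/, "", addr)
            if (addr ~ /^[0-9]+$/) addr = "*:" addr
            print addr
        }
    ' "$1"
}

# check_listen CONF ALLOWED... : return 0 if every listen address is in
# the allowlist; otherwise print the offenders and return 1.
check_listen() {
    conf=$1; shift
    bad=$(listen_addrs "$conf" | while read -r addr; do
        ok=0
        for allowed in "$@"; do
            if [ "$addr" = "$allowed" ]; then ok=1; fi
        done
        [ "$ok" -eq 1 ] || echo "unexpected listen: $addr"
    done)
    if [ -z "$bad" ]; then return 0; fi
    echo "$bad"
    return 1
}

# Constructed sample of a drifted config (addresses are placeholders).
sample_conf() {
    cat <<'EOF'
server {
    server_name localhost;
    listen 192.0.2.10:80;
    #listen 198.51.100.10:80;
    listen [::]:80;
    listen 80;
EOF
}

tmp=$(mktemp /tmp/nginx-check.XXXXXX); sample_conf > "$tmp"
check_listen "$tmp" 192.0.2.10:80 198.51.100.10:80 || echo "drift detected"
rm -f "$tmp"
```

Pointed at /usr/local/etc/nginx/nginx.conf with the two intended addresses, a non-zero exit after a reboot or upgrade means the web GUI is bound somewhere it should not be.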
 

klapperp

Cadet
Joined
May 21, 2018
Messages
4
So the only way to get this implemented is a feature request, right? What do I need to do to officially request a feature?

Thanks again for your help!
 

MrToddsFriends

Documentation Browser
Joined
Jan 12, 2015
Messages
1,338

klapperp

Cadet
Joined
May 21, 2018
Messages
4
Thanks a lot! My feature request has been submitted; hopefully somebody finds it worth implementing ;)
 