diff --git a/src/etc/inc/plugins.inc.d/webgui.inc b/src/etc/inc/plugins.inc.d/webgui.inc index 23b1dfbe5..624ede9d5 100644 --- a/src/etc/inc/plugins.inc.d/webgui.inc +++ b/src/etc/inc/plugins.inc.d/webgui.inc @@ -261,9 +261,12 @@ EOD; ## modules to load server.modules = ( "mod_access", "mod_expire", "mod_deflate", "mod_redirect", "mod_setenv", - "mod_cgi", "mod_fastcgi","mod_alias", "mod_rewrite", "mod_openssl" {$lighty_modules} + "mod_cgi", "mod_fastcgi", "mod_alias", "mod_rewrite", "mod_openssl" {$lighty_modules} ) +## additional optional modules to load or additional module configurations +$lighty_config .= "include \"/usr/local/etc/lighttpd_webgui/conf.d/*.conf\"\n"; + server.max-keep-alive-requests = 15 server.max-keep-alive-idle = 30 diff --git a/src/etc/lighttpd_webgui/conf.d/README b/src/etc/lighttpd_webgui/conf.d/README new file mode 100644 index 000000000..75e7dfbec --- /dev/null +++ b/src/etc/lighttpd_webgui/conf.d/README 
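Review bot: The added `$lighty_config .= "include \"…\"\n";` line sits between `)` and `server.max-keep-alive-requests = 15`, lighttpd directives that appear to be inside a PHP string (note `{$lighty_modules}` two lines up), so it would not run as PHP but be written into the generated config with `$lighty_config` interpolated in front of it. If that reading holds (the string's start and end are outside the hunk), the line should be the bare directive `include "/usr/local/etc/lighttpd_webgui/conf.d/*.conf"`. Because every matching file then becomes part of the web GUI server's configuration, the change should also ensure the directory and its files are root-owned and not writable by other users. It should also document that a drop-in with a syntax error can keep the GUI from starting.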
@@ -0,0 +1,28 @@
+This directory allows the user to enable and configure additional lighttpd modules for the OPNsense webgui, or
+specify additional configurations for modules that are enabled already in /usr/local/etc/inc/plugins.d/webgui.inc
+
+Relevant lighttpd modules available: https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs#Modules
+
+The user can create and configure their own configuration files in this directory, or copy, rename and adapt example
+configurations already included in this directory
+
+To use the functionality of this directory:
+
+- create a suitably named file with the extension .conf in this directory, either by copying and renaming an example already included,
+ or creating your own
+
+- if necessary, enable the applicable lighttpd module in that file by including:
+
+ server.modules += ( "mod_[NAME]" )
+
+ (for example: server.modules += ( "mod_extforward" )
+
+- specify the relevant configurations for the module, according to the lighttpd documentation
+
+In some cases, the order in which modules are enabled by lighttpd is important. Modules which gate requests
+(eg mod_access, mod_auth) or modify requests (eg mod_alias, mod_setenv) should be listed before modules which
+complete requests (eg mod_redirect, mod_rewrite), and which, in turn, should be listed before dynamic handlers
+(eg mod_cgi, mod_fastcgi, mod_proxy, mod_scgi, ...)
+
+To address this, you will need to ensure that the relevant configuration files appear in this directory in the
+right order. Begin the files with appropriate numbering (such as 01- and 02-) to achieve that
diff --git a/src/etc/lighttpd_webgui/conf.d/extforward.conf.example b/src/etc/lighttpd_webgui/conf.d/extforward.conf.example
new file mode 100644
index 000000000..0f21d4627
--- /dev/null
+++ b/src/etc/lighttpd_webgui/conf.d/extforward.conf.example
@@ -0,0 +1,35 @@
+#######################################################################
+##
+## This is an example configuration file for enabling and configuring
+## the mod_extforward module
+##
+## This module will extract the client's "real" IP from the relevant
+## header which is added by Squid or other proxies. It is useful for
+## logging the "real" IP of clients connecting to the OPNsense webgui
+## behind reverse proxy servers
+##
+## Options: https://redmine.lighttpd.net/projects/1/wiki/Docs_ModExtForward
+##
+
+##
+## Enable the mod_extforward module
+##
+server.modules += ( "mod_extforward" )
+
+##
+## Specify the headers to check. Default if not specified are
+## Forwarded-For and X-Forwarded-For headers
+##
+extforward.headers = ( "X-Forwarded-For", "Forwarded-For", "X-Real-IP" )
+
+##
+## Specify the trusted IPs of the reverse proxy server, comma separated
+## For example, to trust the IPs 10.0.0.1 and fd00:1234:abcd:efgh::1
+##
+extforward.forwarder = (
+ "10.0.0.1" => "trust",
+ "fd00:1234:abcd:efgh::1" => "trust"
+)
+
+##
+#######################################################################
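Review bot: The sample `extforward.headers` line accepts three headers at once. As I understand mod_extforward, it takes the first listed header that is present, so a header the proxy neither sets nor strips can arrive from the client and become the "real" IP that the GUI logs. The example should list only the header the deployed proxy overwrites, e.g. `extforward.headers = ( "X-Forwarded-For" )`, with a comment saying the proxy must replace or strip that header on every request. The sample address `fd00:1234:abcd:efgh::1` is also not a valid IPv6 literal (`g` and `h` are not hex digits), so a copied file cannot match as written; a documentation address such as `2001:db8::1` would be safer. A comment that `extforward.forwarder` should contain only the proxy's own addresses, never a catch-all, would help users who copy this file onto a firewall GUI.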