ps ax | grep -i "nginx: master"

JonathanLee

Hello fellow Netgate community members,

Can you please help?

Is this the standard output for checking on what nginix servers are running?

I was doing some testing and I just want to check. I was testing WPADs got it to work and decided to disable the WPAD server for port 80.

ref:
https://nguvu.org/pfsense/pfSense-WPAD-PAC-proxy-configuration/

Worked great however it only works with iMac products Windows 11 will not let me use it

27411  -  S     0:00.01 sh -c ps ax | grep -i "nginx: master" 2>&1
27694  -  R     0:00.00 grep -i nginx: master (sh)
61755  -  Is    0:00.00 nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-webConfigurator.conf (nginx)

JonathanLee

Is there anyway to disable the server on opt1 and just have it run on a specific interface

stephenw10

Not in the pfSense config. nginx always listens on all available interfaces.

If you're doing something custom it probably is though. But that could be lost at upgrade etc.

JonathanLee

@stephenw10 thanks for the reply. that output is normalized with opt1 lan OpenVPN is that pretty standard for what is displayed above? No custom anything I removed the custom one it did work but Microsoft does not like wpad on version 11 iMac fine all day

stephenw10

Yes.

[24.11-RELEASE][admin@5100.stevew.lan]/root: ps -auxwwd | grep nginx
root    10482   0.0  2.0 163488 83304  -  I    Thu20       1:39.92 | |-- php-fpm: pool nginx (php-fpm)
root    27994   0.0  2.1 165536 83984  -  I    Thu20       2:04.28 | |-- php-fpm: pool nginx (php-fpm)
root    47298   0.0  2.0 161440 81076  -  I    Thu20      11:27.20 | |-- php-fpm: pool nginx (php-fpm)
root    51208   0.0  2.1 169632 87592  -  I    Thu20      11:38.63 | |-- php-fpm: pool nginx (php-fpm)
root    54824   0.0  2.0 163488 82900  -  I    Thu20       1:54.40 | |-- php-fpm: pool nginx (php-fpm)
root    56575   0.0  2.0 165668 79712  -  I    Thu20       1:52.89 | |-- php-fpm: pool nginx (php-fpm)
root    97620   0.0  2.2 173860 90260  -  I    Thu20       2:01.78 | `-- php-fpm: pool nginx (php-fpm)
root    14185   0.0  0.3  31820 10256  -  Is   22Nov24     0:00.00 |-- nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-test_zone-CaptivePortal.conf (nginx)
root    14486   0.0  0.3  31820 10836  -  I    22Nov24     0:00.00 | |-- nginx: worker process (nginx)
root    14716   0.0  0.3  31820 10836  -  I    22Nov24     0:00.00 | |-- nginx: worker process (nginx)
root    15046   0.0  0.3  31820 10836  -  I    22Nov24     0:00.00 | |-- nginx: worker process (nginx)
root    15152   0.0  0.3  31820 10836  -  I    22Nov24     0:00.00 | |-- nginx: worker process (nginx)
root    15247   0.0  0.3  31820 10836  -  I    22Nov24     0:00.00 | |-- nginx: worker process (nginx)
root    15514   0.0  0.3  31820 10836  -  I    22Nov24     0:00.00 | `-- nginx: worker process (nginx)
root    43130   0.0  0.1  13040  2824  0  S+   21:46       0:00.00 |       `-- grep nginx
root    62866   0.0  0.3  31820 10360  -  Is   22Nov24     0:00.00 |-- nginx: master process /usr/local/sbin/nginx -c /var/etc/nginx-webConfigurator.conf (nginx)
root    62968   0.0  0.3  34380 13004  -  I    22Nov24     0:48.36 | |-- nginx: worker process (nginx)
root    63265   0.0  0.3  34380 13248  -  I    22Nov24     2:05.52 | `-- nginx: worker process (nginx)

JonathanLee

@stephenw10 Thanks for the reply. I also noticed that it looks like pfSense uses a linked folder for the nginx server. Is that a security thing to keep the web configurator secure while still providing an area for customization?

/usr/local/www/nginx

is auto linkied to

/usr/local/www/nginx-dist

Is this normal also?
Screenshot 2024-12-02 at 14.02.55.png

Shell Output - ls -l /usr/local/www/nginx
lrwxr-xr-x  1 root  wheel  25 Jun 27  2023 /usr/local/www/nginx -> /usr/local/www/nginx-dist


Shell Output - ls -l /usr/local/www/nginx-dist
total 19
-rw-r--r--  1 root  wheel  497 Oct 19  2022 50x.html
-rw-r--r--  1 root  wheel    0 Jun 20  2023 EXAMPLE_DIRECTORY-DONT_ADD_OR_TOUCH_ANYTHING
-rw-r--r--  1 root  wheel  615 Oct 19  2022 index.html

JonathanLee

@stephenw10 Thanks again. The reason to my endless questions is I want to know the normalized values before I go and start up a 2nd http server with nginx. This way I 100% know if something goes wrong. I got the second server to run and work yesterday, and it was https web configurator plus the http wpad and it worked perfectly, again it is not recommended to run a wpad on the physical firewall, so I disabled it. Yet, that was the first time it worked with auto proxy, everything but my Windows 11 machine worked. Windows 11 worked with the script but not the auto proxy wpad files. Again, the reason for this was for the Widows 11 system, I found that if the script is not available, it will ignore it and turn off the proxy, thus that works for my back and forth with the University. I want the wpad ability but not the http web configuration. This is a way to do both, I also thought about a pi zero just to be my wpad, but that seems to be too much for a single device just so it can auto configure. I do understand it can be done if I turn on http for the web gui, but that makes it less secure. I feel that wpad itself should be upgraded to pure https but that is a huge undertaking that has nothing to do with pfSense. Long story short the firewall protects work and school stuff, so I do not really want to leave it in experimental mode. I want it in the everything bagel mode when my wife is working from home, so it is back to no wpad again will all the changes set back. I keep wondering why vendors keep saying WPAD is a security issue but no one in Big tech has taken any steps to making something like wpad 2.0

stephenw10

Mmm, I can't really answer that TBH! Not something I've run in vanilla FreeBSD. I'm sure there are many guides for doing so out there though.

JonathanLee

its pfsense plus /usr/local/www/nginx-dist you don't have it on your 2100 23.05.01?

stephenw10

Oh I thought you meant as part of a FreeBSD install. I can get you the defaults from 24.03 or 24.11:

[24.11-RELEASE][admin@2100-2.stevew.lan]/root: ls -l /usr/local/www/nginx
lrwxr-xr-x  1 root wheel 25 Nov 23 17:00 /usr/local/www/nginx -> /usr/local/www/nginx-dist
[24.11-RELEASE][admin@2100-2.stevew.lan]/root: ls -l /usr/local/www/nginx-dist/
total 10
-rw-r--r--  1 root wheel 497 Aug 12 15:28 50x.html
-rw-r--r--  1 root wheel   0 Nov 12 07:19 EXAMPLE_DIRECTORY-DONT_ADD_OR_TOUCH_ANYTHING
-rw-r--r--  1 root wheel 615 Aug 12 15:28 index.html

Gertjan

@JonathanLee

the nginx GUI web server doesn't use "/usr/local/www/nginx-dist" or "/usr/local/www/nginx" which links to the first.

It still works, though : https://pfsense.yourlocaldoimain.tld/nginx :

These were the initial html files that come with a basic install of ngins, like apache2.
A simple html index file to demonstrate that the server works.
These files have been put out of the way 'somewhere'.

The nginx config file is here : /var/etc/nginx-webConfigurator.conf

You'll find this :

	server {
		listen 443 ssl http2;
		listen [::]:443 ssl http2;

so it's actually simple to do this :

	server {
		listen 192.168.1.1:443 ssl http2;
		listen [::]:443 ssl http2;

(maybe you should also add the IPv6 of your LAN)

to make it listening only on LAN (nad localhost) and no where else.

Do not edit this config file.
Edit the file that edits the config file : /etc/inc/system.inc, look for the function system_generate_nginx_config(), you'll get the picture