PfBlockerNG - DNSBL web server doesn't start
-
The rest of the package converted so quickly the DNSBL part must use a function that nginx doesn't have\different method. Does anyone know if it would have to be a whole rewrite to use nginx or if its not even possible to use nginx in the same way lighttpd was used?
-
With the change to NGINX from Lighttpd, it caused some issues with how HTTPS rejected domains are being logged, or not logged to be exact…
I am working with the devs on the possibility of compiling LUA in NGINX, which should allow for reporting the SNI domain name to the dnsbl.log.
Will keep you updated on my progress to get DNSBL working again in 2.3....
Thanks!
-
Thanks! I can't wait for pfblocker to work on 2.3. It's literally the only thing that stops me from upgrading!
-
With the change to NGINX from Lighttpd, it caused some issues with how HTTPS rejected domains are being logged, or not logged to be exact…
I am working with the devs on the possibility of compiling LUA in NGINX, which should allow for reporting the SNI domain name to the dnsbl.log.
Will keep you updated on my progress to get DNSBL working again in 2.3....
Thanks!
Which dev(s) are you working with?
-
@jwt:
Which dev(s) are you working with?
Renato sent me a message this morning that he was going to verify if there are any issues with adding LUA dependencies to NGINX…
-
@jwt:
Which dev(s) are you working with?
Renato sent me a message this morning that he was going to verify if there are any issues with adding LUA dependencies to NGINX…
You will know soon enough, once there is a build after this commit https://github.com/pfsense/pfsense/commit/0f75670b32b03f12362f230083e33e0b3177fc4d
-
https://github.com/pfsense/FreeBSD-ports/commit/14c8df8f024950c4d68e54ae3be8a9d8cd84da7b
-
NGINX has been updated to the latest version, however, to use the new LUA directive ssl_certificate_by_lua_block will require updating openssl to v1.0.2e or above… This looks to be the only LUA directive that can read the pre-SSL-handshake and allow logging of blocked HTTPS domains for DNSBL...
There are some complications with that, so I will wait for the devs to review and advise a path forward...
-
Devs:
Would you consider adding the python module to Unbound?
https://unbound.net/documentation/pythonmod/examples/example0.html#how-to-enable-python-moduleThis could potentially allow for DNS Filtering by ACL, and the logging of DNSBL rejected domains could be done for both http/https DNS requests without any of the SSL issues. The DNSBL web server would still be required to timeout the browser, or it could just be set to NXDOMAIN the requests and eliminate the web server completely as the logging etc is being achieved by the python script…
-
I'm unlikely to add python
