Netgate Discussion Forum

PfBlockerNG - DNSBL web server doesn't start

Category: 2.3-RC Snapshot Feedback and Issues - ARCHIVED
12 Posts 7 Posters 5.9k Views
    MikeV7896 (last edited Jan 9, 2016, 4:22 PM)

    Possible issue with the change of pfSense from lighttpd to nginx? Or is something else used as the web server?

    I ran into this both on a VM I was running temporarily, as well as the bare metal (my Celeron J1900 box) that I'm running it on now.

    The S in IOT stands for Security

      grandrivers (last edited Jan 9, 2016, 4:24 PM)

      Yes, known by the developer; he is working on it. Yes, it was switched to nginx.

      pfsense plus 25.03 super micro A1SRM-2558F
      C2558 32gig ECC  60gig SSD

        f34rinc (last edited Jan 12, 2016, 5:08 AM)

        The rest of the package converted so quickly that the DNSBL part must use a function that nginx doesn't have, or a different method. Does anyone know if it would have to be a whole rewrite to use nginx, or if it's not even possible to use nginx in the same way lighttpd was used?

          BBcan177 (Moderator) (last edited Jan 12, 2016, 4:00 PM)

          With the change to NGINX from Lighttpd, it caused some issues with how HTTPS rejected domains are being logged, or not logged to be exact…

          I am working with the devs on the possibility of compiling Lua into NGINX, which should allow for reporting the SNI domain name to the dnsbl.log.

          Will keep you updated on my progress to get DNSBL working again in 2.3....

          Thanks!

          "Experience is something you don't get until just after you need it."

          Website: http://pfBlockerNG.com
          Twitter: @BBcan177  #pfBlockerNG
          Reddit: https://www.reddit.com/r/pfBlockerNG/new/

            bluepr0 (last edited Jan 12, 2016, 9:22 PM)

            Thanks! I can't wait for pfblocker to work on 2.3. It's literally the only thing that stops me from upgrading!

              jwt (Netgate) (last edited Jan 12, 2016, 11:59 PM)

              @BBcan177:

              With the change to NGINX from Lighttpd, it caused some issues with how HTTPS rejected domains are being logged, or not logged to be exact…

              I am working with the devs on the possibility of compiling LUA in NGINX, which should allow for reporting the SNI domain name to the dnsbl.log.

              Will keep you updated on my progress to get DNSBL working again in 2.3....

              Thanks!

              Which dev(s) are you working with?

                BBcan177 (Moderator) (last edited Jan 13, 2016, 12:26 AM)

                @jwt:

                Which dev(s) are you working with?

                Renato sent me a message this morning that he was going to verify whether there are any issues with adding Lua dependencies to NGINX…


                  phil.davis (last edited Jan 13, 2016, 3:04 AM)

                  @BBcan177:

                  @jwt:

                  Which dev(s) are you working with?

                  Renato sent me a message this morning that he was going to verify if there are any issues with adding LUA dependencies to NGINX…

                  You will know soon enough, once there is a build after this commit https://github.com/pfsense/pfsense/commit/0f75670b32b03f12362f230083e33e0b3177fc4d

                  As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                  If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

                    jwt (Netgate) (last edited Jan 13, 2016, 2:37 PM)

                    https://github.com/pfsense/FreeBSD-ports/commit/14c8df8f024950c4d68e54ae3be8a9d8cd84da7b

                      BBcan177 (Moderator), Jan 14, 2016, 1:04 AM (last edited Jan 17, 2016, 4:12 PM)

                      NGINX has been updated to the latest version; however, using the new Lua directive ssl_certificate_by_lua_block will require updating OpenSSL to v1.0.2e or above… This looks to be the only Lua directive that can read the pre-SSL-handshake data and allow logging of blocked HTTPS domains for DNSBL...

                      There are some complications with that, so I will wait for the devs to review and advise a path forward...

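The pre-handshake read that BBcan177 describes above, shown as an added example that is not code from this thread, from pfBlockerNG or from pfSense: a Python parser that pulls the server_name (RFC 6066) out of a raw TLS ClientHello. That is the same datum an nginx ssl_certificate_by_lua_block hook would hand to the log, and it is the only name available when a sinkholed HTTPS connection arrives, since no certificate has been sent yet and no HTTP Host header exists. The ClientHello bytes are constructed by build_client_hello for the demonstration, not captured traffic.

```python
"""Extract the SNI host_name from a raw TLS ClientHello record.

Added example, not pfBlockerNG/pfSense code. A plain-HTTP request to the
DNSBL sinkhole names its target in the Host header; an HTTPS request only
names it in the ClientHello's server_name extension, before the handshake
completes, which is why a pre-handshake hook is needed to log it.
"""
import struct
from typing import Optional

TLS_RECORD_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
EXT_SERVER_NAME = 0x0000
SNI_HOST_NAME = 0x00


class _Reader:
    """Bounds-checked cursor over a byte string; raises ValueError on truncation."""

    def __init__(self, data: bytes) -> None:
        self.data = data
        self.pos = 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated ClientHello")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        b = self.take(3)
        return (b[0] << 16) | (b[1] << 8) | b[2]


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host_name from a TLS ClientHello, or None.

    None means the bytes are not a handshake record carrying a ClientHello
    (e.g. a plain HTTP request), or the ClientHello has no server_name
    extension (very old clients, or Encrypted Client Hello). A record that
    claims to be a ClientHello but is cut short raises ValueError.
    """
    if len(data) < 5 or data[0] != TLS_RECORD_HANDSHAKE:
        return None
    r = _Reader(data)
    r.take(1)                    # content type (already checked)
    r.take(2)                    # record-layer legacy version
    body = _Reader(r.take(r.u16()))
    if body.u8() != HANDSHAKE_CLIENT_HELLO:
        return None
    hs = _Reader(body.take(body.u24()))
    hs.take(2)                   # client_version
    hs.take(32)                  # random
    hs.take(hs.u8())             # session_id
    hs.take(hs.u16())            # cipher_suites
    hs.take(hs.u8())             # compression_methods
    if hs.pos == len(hs.data):
        return None              # no extensions block at all
    exts = _Reader(hs.take(hs.u16()))
    while exts.pos < len(exts.data):
        ext_type = exts.u16()
        ext_data = _Reader(exts.take(exts.u16()))
        if ext_type != EXT_SERVER_NAME:
            continue
        names = _Reader(ext_data.take(ext_data.u16()))
        while names.pos < len(names.data):
            name_type = names.u8()
            name = names.take(names.u16())
            if name_type == SNI_HOST_NAME:
                return name.decode("ascii")   # host_name is ASCII per RFC 6066
    return None


def build_client_hello(hostname: Optional[str]) -> bytes:
    """Build a minimal TLS 1.2 ClientHello (constructed test input, not a capture)."""
    exts = b""
    if hostname is not None:
        host = hostname.encode("ascii")
        entry = bytes([SNI_HOST_NAME]) + struct.pack("!H", len(host)) + host
        sni = struct.pack("!H", len(entry)) + entry
        exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    body = (
        b"\x03\x03"                      # client_version: TLS 1.2
        + bytes(32)                      # random (zeros: this is test data)
        + b"\x00"                        # empty session_id
        + b"\x00\x02\x13\x01"            # one cipher suite
        + b"\x01\x00"                    # compression_methods: null only
        + struct.pack("!H", len(exts)) + exts
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([TLS_RECORD_HANDSHAKE]) + b"\x03\x01" + struct.pack("!H", len(handshake)) + handshake


if __name__ == "__main__":
    print(extract_sni(build_client_hello("ads.example.com")))          # ads.example.com
    print(extract_sni(b"GET / HTTP/1.1\r\nHost: ads.example.com\r\n"))  # None: not TLS
```

The parser deliberately distinguishes "no SNI present" (None, nothing can be logged for that connection) from "record cut short" (ValueError), because a sinkhole that sees many truncated hellos is seeing scanners or broken clients rather than ordinary blocked traffic.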
                        BBcan177 (Moderator) (last edited Jan 17, 2016, 4:24 PM)

                        Devs:

                        Would you consider adding the Python module to Unbound?
                        https://unbound.net/documentation/pythonmod/examples/example0.html#how-to-enable-python-module

                        This could potentially allow for DNS filtering by ACL, and the logging of DNSBL-rejected domains could be done for both HTTP and HTTPS DNS requests without any of the SSL issues. The DNSBL web server would still be required to time out the browser, or it could just be set to NXDOMAIN the requests and eliminate the web server completely, as the logging etc. is being achieved by the Python script…

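The DNS-layer approach proposed in the post above, as an added example that is not pfBlockerNG code and was never merged into pfSense: a small Unbound Python module that answers listed names with NXDOMAIN and logs them, where HTTP and HTTPS lookups look identical and SNI never enters into it. The blocklist feed is constructed sample data. The load_blocklist, lookup and log_line functions are plain Python; the init/operate hooks follow the Unbound pythonmod API as I read its documentation (module-config "python validator iterator", python-script pointing at this file) and the names they use, such as MODULE_EVENT_NEW, RCODE_NXDOMAIN and MODULE_FINISHED, are supplied by Unbound at load time, so those hooks only run inside Unbound.

```python
"""DNSBL filtering as an Unbound Python module (added example, not pfBlockerNG code)."""
import time
from typing import Optional, Set

# Constructed sample feed: one domain per line, comments allowed, as DNSBL feeds commonly are.
SAMPLE_FEED = """\
# comment lines and blanks are ignored
ads.example.com
tracker.example.net
"""


def load_blocklist(text: str) -> Set[str]:
    """Normalise feed lines to lower-case FQDNs without a trailing dot."""
    names = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().lower().rstrip(".")
        if line:
            names.add(line)
    return names


def lookup(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklist entry covering qname (exact or parent domain), else None.

    A listed domain also covers its subdomains, which is how DNSBL feeds are
    usually read; matching is by whole labels, so 'ads.example.com' in the
    list does not match 'notads.example.com'.
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def log_line(client: str, qname: str, matched: str, now: Optional[float] = None) -> str:
    """One dnsbl-style log line: timestamp, client, queried name, matching entry, action."""
    stamp = time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(now))
    return f"{stamp},{client},{qname.rstrip('.')},{matched},NXDOMAIN"


# ---- Unbound hooks: only meaningful when this file is loaded via python-script ----
BLOCKLIST: Set[str] = set()


def init(id, cfg):
    global BLOCKLIST
    BLOCKLIST = load_blocklist(SAMPLE_FEED)   # a real module would read the feed file here
    return True


def deinit(id):
    return True


def inform_super(id, qstate, superqstate, qdata):
    return True


def operate(id, event, qstate, qdata):
    # Names such as MODULE_EVENT_NEW, RCODE_NXDOMAIN, MODULE_FINISHED, log_info
    # are injected by Unbound's python module (assumption: pythonmod API as documented).
    if event in (MODULE_EVENT_NEW, MODULE_EVENT_PASS):
        qname = qstate.qinfo.qname_str
        matched = lookup(qname, BLOCKLIST)
        if matched is not None:
            # Client address is not read from qstate in this sketch, hence "-".
            log_info("dnsbl: " + log_line("-", qname, matched))
            qstate.return_rcode = RCODE_NXDOMAIN
            qstate.ext_state[id] = MODULE_FINISHED
            return True
        qstate.ext_state[id] = MODULE_WAIT_MODULE   # hand unlisted names to validator/iterator
        return True
    if event == MODULE_EVENT_MODDONE:
        qstate.ext_state[id] = MODULE_FINISHED
        return True
    log_err("dnsbl: unexpected event")
    qstate.ext_state[id] = MODULE_ERROR
    return True
```

Because the decision is made on the query name, the sinkhole web server becomes optional: a client that receives NXDOMAIN never opens a connection, so there is nothing for nginx to log and the HTTPS/SNI problem disappears rather than being solved.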
                          jwt (Netgate) (last edited Jan 22, 2016, 5:16 AM)

                          I'm unlikely to add Python.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.