Hi there, I am pretty new to OpenWrt, and I have caused my self a bit of an issue.
I was successfully running Nginx on my device as a load balancing reverse proxy. The service behind my device (gitlab) uses a lets encrypt certificate and the router was simply passing the TLS connection to the service. However I was getting weird session issues, and I put it down to the fact that because the router could not unencrypt the traffic it was using the IP hash method for session management, and so could not tell the difference between a web request and a git push. Which ever I tried first would work.
I decided that a solution might be to install a certificate on the router and then send the traffic back out over TLS allowing the router to inspect the session in more detail.
I already had letsencrypt installed on the router but is was disabled, and the Luci UI was using a self signed certificate which fist appeared some weeks ago when I first installed nginx I believe.
I went to the letsencrypt/acme section of the Luci UI and changed the values on the page. I added 2 domain names, checked enabled at the top, I unchecked use for uhttpd and checked use for nginx. I did not add anything in the DNS API and I did not check to use the staging server. I then clicked save and apply.
I then said that it failed to apply and was rolling back and it hung there. After a refresh I am unable to access the Luci UI. I still have shell access.
Here is my current niginx config:
user root;
worker_processes 2;
#error_log logs/error.log;
#error_log logs/error.log notice;
#error_log logs/error.log info;
pid /var/run/nginx.pid;
events {
worker_connections 1024;
}
http {
server_names_hash_bucket_size 128;
include mime.types;
default_type application/octet-stream;
sendfile on;
keepalive_timeout 0;
client_body_buffer_size 10K;
client_header_buffer_size 1k;
client_max_body_size 1G;
large_client_header_buffers 2 1k;
gzip on;
gzip_http_version 1.1;
gzip_vary on;
gzip_comp_level 1;
gzip_proxied any;
gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript application/javascript image/svg+xml;
root /www;
upstream cluster {
server 10.1.0.21;
server 10.1.0.22;
server 10.1.0.23;
server 10.1.0.24;
}
server {
listen 192.168.1.1:80 default_server;
server_name _;
return 301 https://$host$request_uri;
}
server {
listen 192.168.1.1:443 ssl default_server;
server_name localhost;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:DHE+AESGCM:DHE:!RSA!aNULL:!eNULL:!LOW:!RC4:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!CAMELLIA:!SEED";
ssl_session_tickets off;
ssl_certificate /etc/nginx/nginx.cer;
ssl_certificate_key /etc/nginx/nginx.key;
location ~* .(jpg|jpeg|png|gif|ico|css|js)$ {
expires 365d;
}
include luci_uwsgi.conf;
}
include /etc/nginx/conf.d/*.conf;
}
How can I begin to unpick this, perhaps remove the cert for Luci and go back to just port 80 for now?