Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
The os-nginx plugin GUI states for upstream Keepalive:
Leave blank or set to 0 to disable.
However, the current upstream template only renders the keepalive directive when the value is greater than 0:
https://raw.githubusercontent.com/opnsense/plugins/master/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/upstream.conf
{% if upstream.keepalive is defined and upstream.keepalive|int > 0 %}
keepalive {{ upstream.keepalive }};
With nginx >= 1.29.7 this no longer disables upstream keepalive. According to nginx documentation, upstream keepalive is now enabled by default:
https://blog.nginx.org/blog/keep-alive-to-upstreams-is-now-default-in-nginx-1-29-7
But keepalive 0; is required to explicitly disable upstream keepalive.
To Reproduce
- Create an upstream in os-nginx.
- Set Keepalive to
0 or leave it blank.
- Apply the configuration.
- Check
/usr/local/etc/nginx/nginx.conf.
Actual result:
upstream upstream<uuid> {
server 10.0.0.2:443;
}
Expected behavior
Expected result when Keepalive is 0:
upstream upstream<uuid> {
keepalive 0;
server 10.0.0.2:443;
}
Impact
For IIS backends using Windows Authentication, nginx upstream keepalive can leak the authenticated backend connection context between different clients. This results in users seeing the previous user's authenticated session, even without sending credentials.
Manually adding:
to the generated upstream block fixes the issue.
Suggested fix
Render keepalive 0; when the GUI value is explicitly 0. Alternatively, change the plugin semantics to distinguish between:
- blank = nginx default / auto
- 0 = explicitly disabled
Environment
OPNsense 26.4.1 (amd64).
business edition
DEC3960
Important notices
Before you add a new report, we ask you kindly to acknowledge the following:
Describe the bug
The os-nginx plugin GUI states for upstream
Keepalive:However, the current upstream template only renders the
keepalivedirective when the value is greater than 0:https://raw.githubusercontent.com/opnsense/plugins/master/www/nginx/src/opnsense/service/templates/OPNsense/Nginx/upstream.conf
With nginx >= 1.29.7 this no longer disables upstream keepalive. According to nginx documentation, upstream keepalive is now enabled by default:
https://blog.nginx.org/blog/keep-alive-to-upstreams-is-now-default-in-nginx-1-29-7
But
keepalive 0;is required to explicitly disable upstream keepalive.To Reproduce
0or leave it blank./usr/local/etc/nginx/nginx.conf.Actual result:
Expected behavior
Expected result when Keepalive is
0:Impact
For IIS backends using Windows Authentication, nginx upstream keepalive can leak the authenticated backend connection context between different clients. This results in users seeing the previous user's authenticated session, even without sending credentials.
Manually adding:
to the generated upstream block fixes the issue.
Suggested fix
Render
keepalive 0;when the GUI value is explicitly0. Alternatively, change the plugin semantics to distinguish between:Environment
OPNsense 26.4.1 (amd64).
business edition
DEC3960