Hosting a Custom OPNsense Package Repository on RHEL/CentOS/Rocky/Fedora

This guide walks you through hosting a custom FreeBSD build repository using Nginx on any RHEL-based Linux distribution (RHEL, CentOS, Rocky, Fedora, or derivatives). The setup involves configuring Nginx, SSL/TLS, SELinux policies, and secure DNS, tailored for secure firewall hosting.


1. Environment Preparation

Start by downloading and installing your preferred RHEL-based distribution. This can be a VM, cloud instance, or even a non-standard setup — it’s up to you.


2. Install and Configure Nginx

We will use Nginx to serve our repository.

Follow the official Red Hat documentation to install and verify Nginx:

Red Hat: Setting up and Configuring Nginx

After installation, ensure Nginx is serving the default test page.


3. SSL/TLS Configuration

This site is custom-built for bsdwalon. You’ll need to issue a certificate using either Certbot or acme.sh.

SELinux Configuration:

Apply the appropriate SELinux contexts to the web root and to the certificate files (note that labels set with chcon do not survive a filesystem relabel; use semanage fcontext followed by restorecon if you need them to persist):

chcon -Rt httpd_sys_content_t /path/to/web/root
chcon -t cert_t /path/to/your/certificate/files

Enable OCSP Stapling Support:

semanage boolean -m --on httpd_graceful_shutdown

This is necessary for OCSP stapling to work: the boolean allows the Nginx process to open outbound connections to port 80, which it needs in order to fetch OCSP responses.


4. SELinux Debugging Best Practices

  • Temporarily set SELinux to permissive mode only for debugging.
  • Do not leave it in permissive mode permanently — fix issues from the audit logs and return to enforcing mode.
  • Avoid overly broad permissions. Grant only what is necessary.

Do not fall into the trap of blindly disabling SELinux. Stay disciplined. As bsdwalon teaches: fix it properly, or don’t fix it at all.


5. Network Interface Binding

For enhanced security on cloud or bare-metal VM deployments:

  1. Allocate two local addresses with distinct public IPs.
  2. Bind one local IP to your SSH daemon.
  3. Bind the other to Nginx.
  4. Configure your DNS records to point to the public IP associated with Nginx.

6. Hardened SSL Configuration

Use the Mozilla SSL Configuration Generator to generate a hardened TLS configuration for Nginx:

https://ssl-config.mozilla.org


7. DNS Security Notes

To ensure DNS privacy and integrity:

  • Use your own DNS-over-TLS or DNS-over-HTTPS resolver, or rely on systemd-resolved.
  • Important caveat: Akamai CDN (used by RHEL update servers) currently does not support DNSSEC, causing update failures if DNSSEC validation is enforced.

As a workaround:

  • Set a DNS resolver IP in your Nginx configuration (the resolver directive), since OCSP stapling needs Nginx to resolve the OCSP responder itself.
  • Disable DNSSEC checking for RHEL update repositories — they use package signing keys which should be verified instead.
  • Avoid automated updates while DNS caching is unreliable. Instead, wait until resolvectl caches a working response before performing updates.

8. Enable Directory Listings

Edit nginx.conf to allow directory autoindexing:

autoindex on;
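
Pulling the directives from sections 3, 5, 7 and 8 together, here is an added example of a complete Nginx server block for the repository; it is not from the original guide. The addresses, hostname, certificate paths and web root are placeholders, and the stapling resolver assumes the systemd-resolved stub listener on 127.0.0.53.

```nginx
# Added example, not part of the original guide. Every address, name and
# path below is a placeholder: replace them with your own values.

# Plain HTTP only redirects to HTTPS; nothing is served over port 80.
server {
    listen 203.0.113.10:80;             # the local IP bound to Nginx (section 5)
    server_name repo.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 203.0.113.10:443 ssl;        # SSH stays bound to the other address
    server_name repo.example.com;

    root /srv/repo;                     # labelled httpd_sys_content_t (section 3)

    # Certificate issued with Certbot or acme.sh; these files carry cert_t.
    ssl_certificate     /etc/letsencrypt/live/repo.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/repo.example.com/privkey.pem;

    # Protocol and cipher settings: paste the output of the Mozilla SSL
    # Configuration Generator (section 6) here rather than hand-writing them.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # OCSP stapling (section 3): Nginx fetches the response itself, which is
    # why the httpd_graceful_shutdown boolean and a resolver (section 7) are
    # needed. 127.0.0.53 is the systemd-resolved stub listener (assumption).
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/letsencrypt/live/repo.example.com/chain.pem;
    resolver 127.0.0.53 valid=300s;
    resolver_timeout 5s;

    # Directory listings so the repository tree is browsable (section 8).
    location / {
        autoindex on;
        autoindex_exact_size off;
    }
}
```

Run nginx -t after installing the file, and check the audit log for AVC denials on the first OCSP fetch before touching any SELinux booleans beyond the one from section 3.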

9. Upload Your Build Artifacts

Once your Nginx server is up and secured, upload your build artifacts. You can use FTP, SCP, or pull files from GitHub. Place your packages in the designated HTTP-serving directory.

You should now see the file listings in your browser via Nginx autoindex.


10. Repository Directory Structure

FreeBSD:14:aarch64/{Version-Major}/MINT/{version-minor}/latest

Extract your package tarball here. Then copy the corresponding sets into:

FreeBSD:14:aarch64/{Version-Major}/sets/

Final Symlink:

Link the latest MINT version to the version root:

FreeBSD:14:aarch64/{Version-Major}/latest -> MINT/{version-minor}/latest

11. Build Fingerprint

Create a plain text file in the web root using vim or nano and paste the fingerprint that was generated earlier using opnsense/tools.

This file serves as a simple authenticity reference for your custom builds.