adoucette

Members
  • Content Count: 72
  • Community Reputation: 3 Neutral
  • Rank: Advanced Member
  • Gender: Undisclosed


  1. adoucette

    [Support] Linuxserver.io - Letsencrypt (Nginx)

    Has anyone found a way (and a how-to guide!) for modsecurity, or another WAF, for hardening a Nextcloud docker install on unRAID?
  2. I'm on COX residential as well. Please refer to these posts as to how I was able to get it set up (per aptalca's excellent dockers and documentation!) and hope it helps!
  3. adoucette

    Request: Collabora Online

    That could be really helpful. I think that the Nextcloud docker for unRAID has been exceptionally popular in the forums here, and including a how-to for Collabora could be useful to a lot of people. (points two thumbs at self)
  4. adoucette

    Request: Collabora Online

    +1 on this. Have you found any working guides for integrating collabora with nextcloud on unraid?
  5. adoucette

    Minio + duplicati (Crashplan Home replacement)

    Resurrecting an old thread here. I had a morning to work on this recently and wanted to post the steps I took to get a couple Minio dockers up and running on unRAID and accessible over https from the internet to allow family members to back up to them using Duplicati.

    First, I followed the excellent video guides for setting up Nextcloud and LetsEncrypt with reverse proxy from Spaceinvader One: "How to Setup Nextcloud on unRAID for your Own Personal Cloud Storage" and then "How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX". Of course, during this setup I forwarded the ports in my router to the unRAID box. In my particular case, my internet provider, (the aptly named) COX, blocks port 80, so I had to use DNS validation for Certbot (using the DNS plugin described here) to get LetsEncrypt certificates by buying a domain name (through a registrar like namecheap), pointing it to CloudFlare's name servers, setting up all of my subdomains as CNAMEs in CloudFlare's DNS settings for my domain, and using a dynamic DNS service (dns-o-matic) to point CloudFlare to my IP.

    So, after following those two videos above, I had my own domain name, it and subdomains at CloudFlare pointing to my home cable modem's IP, my home router's external 443 port forwarded internally to a port on my unRAID box, LetsEncrypt set up for certificates, LetsEncrypt reverse proxy set up to serve me Nextcloud on a subdomain, and NextCloud (and MariaDB) running. Great.

    Now to configure a couple Minio dockers, all I had to do was:

    1) Install Minio docker (instructions above in this thread).

    2) Set the Minio docker onto the custom subnet I had defined using the video instructions referenced above, entering the key and secret key, and defining the port.

    3) Then I go into unRAID's mnt/user/appdata/letsencrypt/nginx/proxy-confs and copy the configuration file I made for nextcloud using the videos above, and save it as a new subdomain for the minio docker.

    Note: 1) the subdomain should already be defined by your DNS host (in my case, CloudFlare), 2) it should already be listed in the LetsEncrypt settings so that a certificate is generated for it, 3) it should be unique, so you could have a few different Minio servers running if you wanted (like one for each family member if you don't want them to see each other's (encrypted) files).

    What I end up with is a file named mysubdomain.mydomain.conf that looks like this:

        server {
            listen 443 ssl;
            #Set this to the subdomain you want to run this Minio app from
            server_name mysubdomain.*;
            include /config/nginx/ssl.conf;
            client_max_body_size 0;

            location / {
                include /config/nginx/proxy.conf;
                resolver 127.0.0.11 valid=30s;
                proxy_max_temp_file_size 2048m;
                #Here you set the IP to your unRAID box and to the port this Minio app is on
                proxy_pass http://192.168.100.100:9011;
            }
        }

    For some reason, I wasn't able to get it to work with "proxy_pass https://" such as works with Nextcloud, but rather had to change that to just http to get it to work for Minio. That said, I still get valid certs to Minio over https from the WAN.

    I repeated this by setting up a new subdomain and a new Minio instance for each family member I wanted to allow to back up to my server, so they wouldn't be able to see or delete files from each other's buckets (not that they would). Then I just configure Duplicati as normal to point to the Minio instance as described in previous posts above.

    Hopefully that helps someone.
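As an added example (not the poster's files and not part of this thread), the per-subdomain proxy-conf step above can be generated rather than copied by hand, with the three notes in the post turned into checks: every subdomain must appear in the SUBDOMAINS value handed to the letsencrypt container (or no certificate is issued for it), subdomains must be unique, and backend ports must not collide. The backend IP, ports, domain and the SUBDOMAINS string below are constructed values.

```python
"""Generate one nginx proxy-conf per Minio instance and validate the plan first.
Added example, not the original poster's code; all values are constructed."""
import re

# one DNS label: letters, digits, hyphens, no leading/trailing hyphen, max 63 chars
LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$")

# same shape as the server block in the post; {subdomain}, {backend_ip}, {port} are filled in
TEMPLATE = """\
server {{
    listen 443 ssl;
    # subdomain this Minio instance is served from
    server_name {subdomain}.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {{
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        proxy_max_temp_file_size 2048m;
        # backend: the unRAID host IP and the port this Minio container listens on
        proxy_pass http://{backend_ip}:{port};
    }}
}}
"""


def validate(instances, subdomains_env):
    """instances: [(subdomain, port)]; subdomains_env: the SUBDOMAINS= value given
    to the letsencrypt container. Returns a list of problems (empty = consistent)."""
    issued = {s.strip() for s in subdomains_env.split(",") if s.strip()}
    problems, seen_subs, seen_ports = [], set(), set()
    for sub, port in instances:
        if not LABEL.match(sub):
            problems.append(f"{sub}: not a valid DNS label")
        if sub not in issued:
            problems.append(f"{sub}: missing from SUBDOMAINS, no certificate will be issued")
        if sub in seen_subs:
            problems.append(f"{sub}: duplicate subdomain (each instance needs its own)")
        if port in seen_ports:
            problems.append(f"{sub}: port {port} already used by another instance")
        seen_subs.add(sub)
        seen_ports.add(port)
    return problems


def render_confs(instances, domain, backend_ip, subdomains_env):
    """Return {filename: contents}, one file per instance, named like the post's
    mysubdomain.mydomain.conf. Raises ValueError if validate() found problems."""
    problems = validate(instances, subdomains_env)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        f"{sub}.{domain}.conf": TEMPLATE.format(subdomain=sub, backend_ip=backend_ip, port=port)
        for sub, port in instances
    }


if __name__ == "__main__":
    # constructed plan: two family members, two Minio containers on different ports
    plan = [("minio-ari", 9011), ("minio-marty", 9012)]
    for name, body in render_confs(plan, "mydomain.com", "192.168.100.100",
                                   "www,nc,minio-ari,minio-marty").items():
        print(f"# {name}\n{body}")
```

Writing the returned files into the proxy-confs folder and reloading nginx is left to the caller; the point of validating first is that a subdomain missing from SUBDOMAINS fails before a server block without a matching certificate ever reaches nginx.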
  6. adoucette

    [REQUEST] Traefik reverse proxy

    Hmm. Thank you for pointing that out and then for clarifying. Will remove Traefik from my system for this reason.
  7. adoucette

    [REQUEST] Traefik reverse proxy

    Should we imply then that letsencrypt (and the other containers above mentioned like nextcloud, plex, and sickbeard) do not activate the docker socket and so do not share the risk of breakout from the containers to host root access?
  8. adoucette

    [REQUEST] Traefik reverse proxy

    If that is the case, then doesn't this apply broadly/generally to all docker containers? So the letsencrypt container would suffer same inherent possibility of rooting as traefik, and so would any other containers accessed through their reverse proxies like nextcloud or plex? So I have to think we're depending on the containers to be free of exploits. I had assumed that docker was like a sandbox in that containers could not break out of what's provided them (e.g. the app data and any other data storage paths). Is there a way to run docker more securely on unRAID?
  9. adoucette

    [REQUEST] Traefik reverse proxy

    There is a good number of users here who appear to be using traefik (or letsencrypt) docker containers as a reverse proxy to expose other docker containers to the WAN through SSL. (e.g. nextcloud, sickbeard, plex, etc) Does the linked page about dockers having access through the docker socket to the host root - and thus potential breakout of container to root access - imply that this is a security hole for these users? (I ask because I genuinely do not know.)
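The question running through the three Traefik posts above (which containers actually have the docker socket, and so host-root reach, and which merely sit behind a reverse proxy) can be answered per container from `docker inspect` rather than guessed. The following Python audit is an added example, not part of the thread; the JSON it parses is constructed to resemble `docker inspect` output for three illustrative containers, and the container names and bind paths are assumptions.

```python
"""Flag containers that can reach the Docker daemon or otherwise weaken isolation,
from `docker inspect` JSON. Added example; the sample records below are constructed."""
import json
import subprocess

DOCKER_SOCK = "/var/run/docker.sock"


def audit_container(c):
    """Return findings for one `docker inspect` record (a dict)."""
    name = c.get("Name", "?").lstrip("/")
    hc = c.get("HostConfig") or {}
    findings = []
    # host-side paths from both the legacy Binds list and the Mounts list
    sources = [b.split(":")[0] for b in hc.get("Binds") or []]
    sources += [m.get("Source", "") for m in c.get("Mounts") or []]
    if any(s == DOCKER_SOCK for s in sources):
        # a ':ro' bind does not help: a read-only mount still allows connect() on a
        # unix socket, and the daemon API behind it is what grants host root
        findings.append(f"{name}: mounts {DOCKER_SOCK} (equivalent to root on the host)")
    if hc.get("Privileged"):
        findings.append(f"{name}: runs --privileged")
    if hc.get("PidMode") == "host":
        findings.append(f"{name}: shares the host PID namespace")
    for cap in hc.get("CapAdd") or []:
        if cap.upper() in ("SYS_ADMIN", "ALL"):
            findings.append(f"{name}: adds capability {cap}")
    return findings


def audit(inspect_json):
    """Audit a whole `docker inspect` result (a JSON list of records)."""
    return [f for c in json.loads(inspect_json) for f in audit_container(c)]


# constructed sample: one proxy with the socket, two containers with only appdata binds
SAMPLE_INSPECT = json.dumps([
    {"Name": "/traefik",
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock:ro",
                              "/mnt/user/appdata/traefik:/etc/traefik"],
                    "Privileged": False},
     "Mounts": []},
    {"Name": "/letsencrypt",
     "HostConfig": {"Binds": ["/mnt/user/appdata/letsencrypt:/config"], "Privileged": False},
     "Mounts": []},
    {"Name": "/nextcloud",
     "HostConfig": {"Binds": None, "Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/mnt/user/appdata/nextcloud",
                 "Destination": "/config"}]},
])


def audit_live_host():
    """Same audit against the real daemon; needs the docker CLI and socket access."""
    ids = subprocess.run(["docker", "ps", "-q"], capture_output=True, text=True,
                         check=True).stdout.split()
    if not ids:
        return []
    out = subprocess.run(["docker", "inspect", *ids], capture_output=True, text=True,
                         check=True).stdout
    return audit(out)


if __name__ == "__main__":
    for line in audit(SAMPLE_INSPECT):
        print(line)
```

On unRAID the same information is visible per container in the Docker tab's volume mappings, but running the audit over every container at once is what answers the "does letsencrypt also have it?" question in one pass: a container that only binds its appdata share is confined to that share and to whatever its own application exposes, while one with the socket has the whole host regardless of how it is reverse-proxied.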
  10. adoucette

    [Support] Linuxserver.io - Letsencrypt (Nginx)

    The instructions for setting this up at https://blog.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/ have the following:

        ###SSL Certificates
        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    But the file in the letsencrypt docker distro at /nginx/site-confs/default has this in it:

        # all ssl related config moved to ssl.conf
        include /config/nginx/ssl.conf;

    So I went ahead and used that include statement in each of the nginx reverse proxy server blocks. Then in the above-named ssl.conf file I have:

        # session settings
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        # Diffie-Hellman parameter for DHE cipher suites
        ssl_dhparam /config/nginx/dhparams.pem;

        # ssl certs
        #ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        #ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        # the letsencrypt docker has pointers that go to the above files, which should work, but the hardcoded path is below
        ssl_certificate /config/etc/letsencrypt/live/mydomain.com/fullchain.pem;
        ssl_certificate_key /config/etc/letsencrypt/live/mydomain.com/privkey.pem;

        # protocols
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        # HSTS, remove # from the line below to enable HSTS
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

        # OCSP Stapling
        ssl_stapling on;
        ssl_stapling_verify on;

    Is this pointing to the correct cert? Or to the wrong cert (such as in the nginx base image)? Or is there some other problem I'm not seeing? Thank you for the great help @aptalca

    FWIW, I actually also get that same error at blog.linuxserver.io (but not at the base linuxserver.io page).
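Two things a reviewer would check in the ssl.conf quoted above can be done mechanically: whether the two certificate paths (the /config/keys/letsencrypt pointer and the hardcoded /config/etc/letsencrypt/live/... path) really name the same files, and whether ssl_protocols still enables TLSv1 and TLSv1.1. The following Python audit is an added example, not linuxserver.io's code and not from this thread. The directory layout it builds in a temp folder is constructed to mirror those two paths with a symlink between them; that layout is an assumption used for the demonstration, not a statement about what the container actually contains.

```python
"""Audit a flat nginx ssl.conf: flag deprecated TLS versions and verify that the
ssl_certificate / ssl_certificate_key paths resolve to files (following symlinks).
Added example; the sample config and directory layout are constructed."""
import os
import re
import tempfile

DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# tokens: double-quoted string, single-quoted string, ';' terminator, or bare word
TOKEN = re.compile(r'"([^"]*)"|\'([^\']*)\'|(;)|([^\s;"\']+)')


def parse_directives(text):
    """Minimal parser for block-free nginx config: returns [(name, [args])].
    Comments are stripped per line, so a '#' inside a quoted value is not supported."""
    no_comments = "\n".join(line.split("#", 1)[0] for line in text.splitlines())
    directives, current = [], []
    for m in TOKEN.finditer(no_comments):
        dq, sq, semi, bare = m.groups()
        if semi:
            if current:
                directives.append((current[0], current[1:]))
            current = []
        else:
            current.append(dq if dq is not None else sq if sq is not None else bare)
    return directives


def resolve(root, conf_path):
    """Map an absolute in-container path onto a local root and follow symlinks."""
    return os.path.realpath(os.path.join(root, conf_path.lstrip("/")))


def audit_ssl_conf(text, root="/"):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings, certs = [], {}
    for name, args in parse_directives(text):
        if name == "ssl_protocols":
            bad = sorted(DEPRECATED_PROTOCOLS & set(args))
            if bad:
                findings.append(f"ssl_protocols enables deprecated {', '.join(bad)}")
        elif name in ("ssl_certificate", "ssl_certificate_key") and args:
            certs[name] = args[0]  # commented-out duplicates were already dropped
    for name, path in certs.items():
        target = resolve(root, path)
        if not os.path.isfile(target):
            findings.append(f"{name} {path} does not resolve to a file (-> {target})")
    if "ssl_certificate" in certs and "ssl_certificate_key" not in certs:
        findings.append("ssl_certificate set without ssl_certificate_key")
    return findings


def same_file(root, path_a, path_b):
    """True when two configured paths resolve to one and the same file."""
    a, b = resolve(root, path_a), resolve(root, path_b)
    return os.path.isfile(a) and os.path.isfile(b) and os.path.samefile(a, b)


def build_sample_root():
    """Constructed layout (assumption): live/ holds the PEMs and keys/letsencrypt
    is a symlink to it, mirroring the two paths in the post."""
    root = tempfile.mkdtemp()
    live = os.path.join(root, "config/etc/letsencrypt/live/mydomain.com")
    os.makedirs(live)
    for fname in ("fullchain.pem", "privkey.pem"):
        with open(os.path.join(live, fname), "w") as fh:
            fh.write("PLACEHOLDER PEM, not a real certificate\n")
    keys = os.path.join(root, "config/keys")
    os.makedirs(keys)
    os.symlink("../etc/letsencrypt/live/mydomain.com", os.path.join(keys, "letsencrypt"))
    return root


# constructed ssl.conf in the shape of the one quoted in the post (cipher list shortened)
SAMPLE_CONF = """\
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_dhparam /config/nginx/dhparams.pem;
#ssl_certificate /config/keys/letsencrypt/fullchain.pem;
#ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
ssl_certificate /config/etc/letsencrypt/live/mydomain.com/fullchain.pem;
ssl_certificate_key /config/etc/letsencrypt/live/mydomain.com/privkey.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:!aNULL:!MD5';
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
ssl_stapling on;
ssl_stapling_verify on;
"""

if __name__ == "__main__":
    root = build_sample_root()
    print(audit_ssl_conf(SAMPLE_CONF, root))
    print(same_file(root, "/config/keys/letsencrypt/fullchain.pem",
                    "/config/etc/letsencrypt/live/mydomain.com/fullchain.pem"))
```

For a live check, pass a root whose config/ subdirectory is the container's /config (on unRAID that is the appdata share mapped into the letsencrypt container) and feed it the real ssl.conf; whether the keys/letsencrypt pointer exists and where it points is then read from the filesystem rather than assumed. Note that a path resolving to a file says nothing about which certificate the file holds; that is what the browser error is reporting, and it needs the certificate itself inspected.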
  11. adoucette

    [Support] Linuxserver.io - Letsencrypt (Nginx)

    I have been getting a certificate error from the letsencrypt docker. The cert appears to be self-signed, but shows as verified by linuxserver.io. I have purchased my own domain name, and it is running through cloudflare (caching off) so that I can use DNS domain validation with letsencrypt because my ISP (COX) blocks port 80 so I can't do http validation. Here's my letsencrypt output:

        -------------------------------------
        _ () | | ___ _ __ | | / __| | | / \ | | \__ \ | | | () | |_| |___/ |_| \__/
        Brought to you by linuxserver.io
        We gratefully accept donations at:
        https://www.linuxserver.io/donations/
        -------------------------------------
        GID/UID
        -------------------------------------
        User uid: 99
        User gid: 100
        -------------------------------------

        [cont-init.d] 10-adduser: exited 0.
        [cont-init.d] 20-config: executing...
        [cont-init.d] 20-config: exited 0.
        [cont-init.d] 30-keygen: executing...
        using keys found in /config/keys
        [cont-init.d] 30-keygen: exited 0.
        [cont-init.d] 50-config: executing...
        Variables set:
        PUID=99
        PGID=100
        TZ=America/New_York
        URL=mydomain.com
        SUBDOMAINS=www,ftp,nc,ari43dou,minio-ari,minio-marty,testing
        EXTRA_DOMAINS=
        ONLY_SUBDOMAINS=false
        DHLEVEL=2048
        VALIDATION=dns
        DNSPLUGIN=cloudflare
        EMAIL=myemail@email.com
        STAGING=

        Backwards compatibility check. . .
        No compatibility action needed
        2048 bit DH parameters present
        SUBDOMAINS entered, processing
        SUBDOMAINS entered, processing
        Sub-domains processed are: -d www.mydomain.com -d ftp.mydomain.com -d nc.mydomain.com -d ari43dou.mydomain.com -d minio-ari.mydomain.com -d minio-marty.mydomain.com -d testing.mydomain.com
        E-mail address entered: myemail@email.com
        dns validation via cloudflare plugin is selected
        Certificate exists; parameters unchanged; attempting renewal
        <------------------------------------------------->
        <------------------------------------------------->
        cronjob running on Sat May 19 14:04:49 EDT 2018
        Running certbot renew
        Saving debug log to /var/log/letsencrypt/letsencrypt.log

        -------------------------------------------------------------------------------
        Processing /etc/letsencrypt/renewal/mydomain.com.conf
        -------------------------------------------------------------------------------
        Cert not yet due for renewal

        -------------------------------------------------------------------------------
        The following certs are not due for renewal yet:
          /etc/letsencrypt/live/mydomain.com/fullchain.pem expires on 2018-08-17 (skipped)
        No renewals were attempted.
        No hooks were run.
        -------------------------------------------------------------------------------
        [cont-init.d] 50-config: exited 0.
        [cont-init.d] done.
        [services.d] starting services
        [services.d] done.
        Server ready

    How can I resolve this so the certs are good? Thanks, Ari
  12. adoucette

    Minio + duplicati (Crashplan Home replacement)

    Apps --> CA Settings --> Docker Hub Searching \ Enable additional search results from dockerHub? [set to Yes] --> Apply. Search again.
  13. adoucette

    Minio + duplicati (Crashplan Home replacement)

    OK, try searching community apps for "minio unraid" and then click on the "Click here to get more results from Docker Hub" link in the results page.
  14. adoucette

    Minio + duplicati (Crashplan Home replacement)

    Here's how I installed it. Hope this helps. Ari
  15. adoucette

    CrashPlan Home Ending

    OK, I found another client_max_body_size entry in appdata/letsencrypt/nginx/proxy.conf, set that to "0" and problem solved. Ari