[Request/Done] Let's Encrypt Container



Hi all. First I want to say thanks for creating this - it has made my life so much easier.

 

I have everything set up and working, I am reverse proxying various services (deluge, nzbget, sonarr, couch, etc) and I have basic auth set up for them using htpasswd. All is working fine.

 

There are currently 4 locations that I don't have auth on: /request/, /web/, /plex/ (which just proxies to /web/), and / (which displays index.html).

 

I want to use basic auth on the / location, because I want to create a list of URLs that I can easily access in index.html (instead of having to remember them all), but I only want authenticated users to see this. The problem is, when I put basic auth on the / location, it interferes with my Plex login.

 

Here are the relevant location entries:

 

location / {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
    try_files $uri $uri/ /index.html /index.php?$args =404;
}
location /web/ {
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.XXX.XXX:XXXX/web/;
}
location /plex/ {
    proxy_pass http://127.0.0.1/web/;
}

 

Whenever I go to example.mydomain.url/plex or example.mydomain.url/web it begins to load plex, but it will then pause the loading and ask me for the auth (see screenshot). If I put in the correct creds, it will continue loading. I can also click cancel (twice) and it will continue loading. But I don't want to have the auth dialog pop up at all. If I remove the basic auth from / then no auth dialog pops up.

 

The other service that I am not using with basic auth is plex requests. But it does not get affected whether or not / has auth. It will never prompt me to auth (unless I include auth in the location for /request/). Here is its entry:

 

location /request/ {
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.XXX.XXX:XXXX/request/;
}

 

The only difference that I can see between them is that Plex uses a host connection, whereas plex requests uses a bridged connection; but I'm not sure if that's relevant.

 

The workaround that I thought of is to use /home and create www/home/index.html and serve that when I type example.mydomain.url/home, but that is rather inelegant, and I would like to try to make the page appear (with auth) using just example.mydomain.url.

 

Any help is greatly appreciated!

 

Your plex proxy address is incorrect. 127.0.0.1 is inside the nginx-letsencrypt container. It needs to point to the plex container. Use http://localunraidip:32400/web

 

The /plex/ proxies to the /web/ location (just above it in my code snippet), which proxies to the plex container, so local for that entry is correct. The reason that is there is so that I can use /plex instead of /web.

 

Even if I navigate to /web (which proxies direct to the plex container), I still have the same problem - so you can pretty much ignore the /plex location entry.

Link to comment

try adding

auth_basic off;

to the subpages

ie

location /plex {
  auth_basic off;
  proxy ...
}

 

Refer to http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html for more details

 

No joy! I was really hoping that would work. I added 'auth_basic off;' to both /plex and /web and both still ask me for auth.

 

The strange thing is that plex begins to load before it asks for the auth credentials - whereas the other locations protected with auth will be white and not loaded until the credentials are entered.

Link to comment
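An added illustration of why `auth_basic off;` on /web/ alone may not stop the prompt (this is not code from the thread or from the container): nginx picks the longest matching prefix location for each request, and `auth_basic` is inherited from the enclosing server block, not from `location /`. So only requests that actually land in `location /` are challenged. The config below is constructed to mirror the thread's blocks, and the sample paths assume the Plex web app also fetches API paths outside /web/ (such as /library/...), which then match `location /`.

```python
import re

# Constructed config modelled on the thread's location blocks (not a real file).
NGINX_CONF = """
location / {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
}
location /web/ {
    auth_basic off;
    proxy_pass http://plex:32400/web/;
}
location /request/ {
    proxy_pass http://requests:3000/request/;
}
"""

def parse_locations(conf):
    """Return {prefix: {directive: value}} for plain prefix locations (no regex/nesting)."""
    locs = {}
    for m in re.finditer(r'location\s+(\S+)\s*\{(.*?)\}', conf, re.S):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.strip().rstrip(';')
            if not line:
                continue
            key, _, value = line.partition(' ')
            directives[key] = value.strip().strip('"')
        locs[m.group(1)] = directives
    return locs

def match_location(locs, path):
    """nginx prefix matching: the longest prefix that matches the path wins."""
    candidates = [prefix for prefix in locs if path.startswith(prefix)]
    return max(candidates, key=len)

def auth_required(locs, path, server_default="off"):
    """True if the matched location challenges the request. A location without its
    own auth_basic inherits the server-level setting, never a sibling location's."""
    loc = match_location(locs, path)
    return locs[loc].get("auth_basic", server_default) != "off"

LOCATIONS = parse_locations(NGINX_CONF)

if __name__ == "__main__":
    # Sample paths: the first two come from the thread, the API path is assumed Plex behaviour.
    for p in ["/", "/web/index.html", "/library/sections", "/request/"]:
        print(f"{p:20} -> location {match_location(LOCATIONS, p):10} auth={auth_required(LOCATIONS, p)}")
```

The /request/ proxy never prompts because every path it needs starts with /request/, while any Plex request outside /web/ falls through to `location /` and is challenged.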

Hi,

 

I just installed this container to use with nextcloud and it seems to be working fine.

 

The only difference I made was removing port 80 from the container settings page.

I couldn't find anything about why I would have to use this port in addition to port 443.

So what's the reason behind port 80 and should I add it back?

 

I also don't know why I have to add my email address?

I thought I would receive a message maybe from letsencrypt or something.

So what's happening when I just leave it blank?

Port 80 is optional, you don't even have to map it.

 

Email is for letsencrypt registration. You will get an email if your certs are about to expire.

Link to comment

Thank you for clarifying.

 

Yesterday I got it all working for Nextcloud. But I'm still curious about one thing.

 

When I'm trying to access Nextcloud from my external dynamic dns domain via https everything is fine.

But when I'm trying to access it locally via https://192.168.179.1:444/nextcloud my browser still tells me that it's an insecure connection.

If I accept this I get forwarded to my dynamic dns domain https://mydomain.ddns.de/nextcloud and then it is working of course.

 

So my question is if this is the normal behavior or if there should be a secure connection already when trying to access Nextcloud locally without being forwarded to the external domain.

And if I get forwarded to my external domain am I actually accessing it locally regardless?

 

Here is my config:

 

 

/mnt/user/appdata/nginx-letsencrypt/nginx/site-confs/default

 

server {

    listen 443 ssl default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name mydomain.ddns.de;

    ssl_certificate /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'xxxxx';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }
    location /nextcloud {
        include /config/nginx/proxy.conf;
        proxy_pass https://192.168.179.1:444/nextcloud;
    }
}

 

 

/mnt/user/appdata/nextcloud/www/nextcloud/config/config.php

 

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'xxxxx',
  'passwordsalt' => 'xxxxx',
  'secret' => 'xxxxx',
  'trusted_domains' => 
  array (
    0 => '192.168.179.1:444',
    1 => 'mydomain.ddns.de',
  ),
  'trusted_proxies' => 
  array (
    0 => '192.168.179.1:443',
  ),
  'overwritewebroot' => '/nextcloud',
  'overwritehost' => 'mydomain.ddns.de',
  'overwrite.cli.url' => 'https://192.168.179.1:444',
  'overwriteprotocol' => 'https',

  'dbtype' => 'mysql',
  'version' => '9.0.51.0',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.x.xxx:3306',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'xxxxxxx',
  'dbpassword' => 'xxxxxxxxxxxxxxxxxxxxxxxx',
  'logtimezone' => 'UTC',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'ldapIgnoreNamingRules' => false,
);

Link to comment

I can report a successful implementation of both dockers: NextCloud & Nginx-letsencrypt  :D (..you might remember the cumbersome start a while ago. You were helping so much but finally I gave up. I guess that the built-in DNS server of my router was the culprit). Two remaining questions:

 

Can you confirm that Nginx-letsencrypt will handle the certificates for NextCloud too so that I don't have to worry about any security and SSL related stuff moving forward?

 

Second question: have I understood correctly (..don't recall where I have read it as I was trying to read all that material around reverse proxy here  :-\) that I could use the landing page of your docker (by modifying /appdata/Nginx-letsencrypt/www/index.html) for accessing other web enabled dockers (by modifying /appdata/Nginx-letsencrypt/nginx/site-confs/default)?

 

In my case it would be cadvisor, EmbyServer, Handbrake, MakeMKV, RDP-Calibre and TVHeadend.

 

Is that really doable?

Link to comment

You likely defined self signed certs with Nextcloud and that's probably why you're getting the insecure notice when you try to open its local page directly

 

Your nextcloud config defines overwrite host so I'm guessing it forwards all incoming requests to that

 

so can I do something to get rid of the insecure notice or is this how it has to be?

I used the guide by kamhighway from here to set it all up. http://lime-technology.com/forum/index.php?topic=51466.0

 

Sorry for the noob question. Just wanting to make sure I did everything right :)

Link to comment

Use the domain name to access it, not the ip (even at home), and you won't get the insecure notice

Link to comment

So I'm stuck. I've got the container installed and reachable over my domain name and it serves up the default landing page. I've got basic authentication enabled. But how do I get it to redirect to subdomains, so that cloud.mydomain.com goes to one docker and cp.mydomain.com goes to another? Everything just goes to the same default page. Also, any help with doing this with owncloud or nextcloud would be greatly appreciated (as it's the primary point for me).

 

here's my default config

server {

    listen 443 ssl default_server;

    ssl_certificate /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'idontknowifishouldpublishthisnumber$
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
        root /config/www;
        index index.html index.htm index.php;
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
    }

    location /router {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.x.xxx:80/router;
    }

    location /cloud {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.x.xxx:8008/cloud;
    }

}

Link to comment

 

When configured properly via reverse proxy, nginx will handle the ssl cert for it through the domain name.

 

Feel free to modify the index.html

I have a very basic html site (that uses htpasswd for security) and it links to the different containers through the domain name and their url prefixes

Link to comment

@barakthecat I have both dockers configured like so: http://lime-technology.com/forum/index.php?topic=51466.0

 

So hopefully that's the way to do it, related to aptalca's reply to my previous post: "When configured properly via reverse proxy, nginx will handle the ssl cert for it through the domain name."

 

@aptalca, that sounds great. Would you mind sharing your index.html?  :D

 

Thanks a lot.

Link to comment

I don't know what the reason is, but I noticed that when I have the Nginx-letsencrypt container with Nextcloud started, my parity drive and disk 1 do not stop spinning.

I have /data from Nextcloud mapped to /mnt/user/Nextcloud on disk 1 and it seems something is happening there all the time.

Does anyone else experience this?

Link to comment

I'm using a template from here: html5up.net

 

Just download one and modify the index.html

 

The guy is super talented and these are really easy to customize

Link to comment


Does anyone else have Plex set up via reverse proxy? Can they test if adding basic auth to the / location will also prompt auth for the Plex proxy if it does NOT have basic auth?

Link to comment

Anyone have plex working under nginx reverse proxy? I can't get it to work for the life of me >:(

 

Yup! You need to make sure the location is /web/. Here is the location entry for my plex:

 

location /web/ {
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.XXX.XXX:XXXX/web/;
}

 

And if you want to use /plex, then you can refer the plex location back to nginx with the following:

 

location /plex/ {
    proxy_pass http://127.0.0.1/web/;
}

 

So then both /plex/ and /web/ will redirect to Plex.

 

When you have done this, can you do me a favour? Can you put basic auth on your root location like below and let me know if /plex/ (or /web/) then asks you for a username/pass? I'm having this issue and can't get a fix going. (For reference, the problem I have is detailed here with screenshot: https://lime-technology.com/forum/index.php?topic=43696.msg502493#msg502493)

 

location / {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
    ....... (Whatever else you have in your root)
}

Link to comment

@cglatot

 

What is "include /config/nginx/proxy.conf; " for? I don't have that file inside my nginx folder. Also, once I add the code below my nginx server stops responding.

 

location /web/ {
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.1.148:32400/web/;
}

location /plex/ {
    proxy_pass http://127.0.0.1/web/;
}

 

I'll try the basic auth once I get this sorted out.

Link to comment

Are you using nginx, or nginx-letsencrypt? If using the latter (i.e. Aptalca's entry) then it should be in the nginx folder. It contains the following:

 

client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

Link to comment

@cglatot

 

I'm using nginx-letsencrypt. I changed the file name because it was different but it still doesn't load.

 

Can you give more information? What is happening? What URL is being resolved? Do you have the reverse proxy working for other services (sonarr, CP, etc)?

Link to comment
