CHBMB Posted May 14, 2017
> 1 minute ago, phoanglong said:
> Using my domain, not direct IP

Check your ports here then.

phoanglong Posted May 14, 2017
Just a quick question though, if I connect from local machine to letsencrypt container using port 81:80 and 443:443, should I see any nginx default webpage? Or should I see nothing at all, because at the moment, Chrome, Edge and Firefox said connection refused. Many thanks

CHBMB Posted May 14, 2017
I'm not sure if the letsencrypt bit isn't working whether nginx will come up tbh.

phoanglong Posted May 14, 2017
Many thanks for your help @CHBMB, I have completely no idea what happened but it seems letsencrypt container is working.. Don't even know how, checked the log and it just worked..

planetwilson Posted July 23, 2017
> On 08/05/2017 at 5:42 PM, jfrancais said:
> So I have my image passing my web traffic appropriately to my servers. Now I'm trying to get fail2ban implemented to protect them, but I'm a bit confused how to do so. For example, my one webserver sits behind the letsencrypt proxy on https and is secured with http auth. I'd like to get fail2ban to block too many bad attempts to this server, but I'm unsure how. I nginx-http-auth in the jail fail but I get errors when enabling. And even with it on, I don't see the login fails showing up in the error logs anyways, since the auth is done on the backend server. Does the auth have to be done on the proxy? Any suggestions on how to accomplish this? I'd also like to set up fail2ban to block auth failures for my nextcloud server.
> Thanks in advance,
> Jared

Any chance you can share how you configured your nginx config with the stream module? I am looking to do something similar (VPN traffic -> OpenVPN and everything else to appropriate containers)

planetwilson Posted July 25, 2017
Okay I got mine working the way I wanted and thought I would share here just in case anyone else wanted to do the same.

Background: I want to host an OpenVPN server and a bunch of websites but all over normal TCP/443 due to restrictions in various places I travel to for work where they block usual VPN ports.

I had previously set it up like this:

    Incoming traffic -> OpenVPN -> nginx -> backend web sites

as OpenVPN can be configured to pass on requests which are not VPN traffic. This is pretty slow though and I would get really bad performance on my web sites.

Using the stream module in nginx and SNI we can configure nginx to do the inspection and determine where traffic should end up instead:

    Incoming traffic -> nginx -> backend web sites
                              -> OpenVPN

Anything not specified in the stream map section is assumed to be VPN and passed on to the OpenVPN server (sitting on port 4443 in my case).

Seems to work pretty well and my sites are now really quick and my VPN works just fine. (sample nginx config attached)

All based off a blog post here: http://blog.le-vert.net/?p=224

nginx.conf

Jessie Posted July 26, 2017
Has anyone shared letsencrypt on the same network as a small business server? The issue is that both systems need port 443. I'm thinking you might be able to config letsencrypt to redirect to the sbs server but not sure how to do it.

izarkhin Posted October 17, 2017
Hi guys,

If anyone here uses Nginx as reverse proxy for dockerized Krusader or DokuWiki, can you please share your config?

For Krusader I have the following:

    location /krusader {
        include /config/nginx/proxy.conf;
        rewrite ^/krusader$ /krusader/ redirect;
        proxy_pass http://XXX.XXX.XX.XXX:8084/;
    }

and all I get is a page with a rolling gear

For DokuWiki I have:

    location /dokuwiki/ {
        index doku.php;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Proxy "";
        include /config/nginx/proxy.conf;
        proxy_pass http://XXX.XXX.XX.XXX:8087/;
    }

I see the landing page (doku.php), but there is no CSS and none of the links work

Please help!

aptalca Posted October 17, 2017
> 5 hours ago, izarkhin said:
> Hi guys,
>
> If anyone here uses Nginx as reverse proxy for dockerized Krusader or DokuWiki, can you please share your config?
>
> For Krusader I have the following:
>
>     location /krusader {
>         include /config/nginx/proxy.conf;
>         rewrite ^/krusader$ /krusader/ redirect;
>         proxy_pass http://XXX.XXX.XX.XXX:8084/;
>     }
>
> and all I get is a page with a rolling gear
>
> For DokuWiki I have:
>
>     location /dokuwiki/ {
>         index doku.php;
>         proxy_set_header Host $host;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header Proxy "";
>         include /config/nginx/proxy.conf;
>         proxy_pass http://XXX.XXX.XX.XXX:8087/;
>     }
>
> I see the landing page (doku.php), but there is no CSS and none of the links work
>
> Please help!

Using the subfolder method with no base url often causes issues like the no css one you mentioned. I recommend setting a base url for the apps you are reverse proxying, if not then use a subdomain

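The two options from the reply above, sketched as an added example (not part of the original posts and not the container's shipped config). It assumes the app has been given /dokuwiki as its base URL for option 1; 192.0.2.10 stands in for the masked backend address, and wiki.example.com and the certificate paths are placeholders.

```nginx
# Added example. 192.0.2.10, wiki.example.com and the certificate paths are
# placeholders, not values from the thread.

# Option 1: subfolder, with the app itself configured to live under /dokuwiki.
# This location goes inside the existing HTTPS server block.
# There is no URI part after the port in proxy_pass, so nginx forwards the
# request path unchanged (/dokuwiki/lib/...) and the links the app generates
# match this location. With a trailing "/" on proxy_pass the prefix is
# stripped, the app believes it is served from "/", and the CSS and link URLs
# it emits typically fall outside /dokuwiki/ and are never proxied.
location /dokuwiki/ {
    include /config/nginx/proxy.conf;
    proxy_pass http://192.0.2.10:8087;
}

# Option 2: subdomain, for apps that have no base URL setting. The app keeps
# serving from "/", so no paths need rewriting.
server {
    listen 443 ssl;
    server_name wiki.example.com;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.0.2.10:8087;
    }
}
```

With option 2 the subdomain also has to be covered by the certificate the container requests.
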
greg2895 Posted January 17, 2018
After the last 2 updates I have not been able to get my container to run. Nothing else has changed to my knowledge besides the update. I am getting the following from my log:

    cont-init.d] 10-adduser: exited 0.
    [cont-init.d] 20-config: executing...
    [cont-init.d] 20-config: exited 0.
    [cont-init.d] 30-keygen: executing...
    using keys found in /config/keys
    [cont-init.d] 30-keygen: exited 0.
    [cont-init.d] 50-config: executing...
    2048 bit DH parameters present
    SUBDOMAINS entered, processing
    Only subdomains, no URL in cert
    Sub-domains processed are: -d xxxxxxxxx.com
    E-mail address entered: xxxxxxxxx.com
    Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
    usage:
    certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
    Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
    it will attempt to use a webserver both for obtaining and installing the
    certificate.
    certbot: error: argument --cert-path: No such file or directory
    Generating new certificate
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Plugins selected: Authenticator standalone, Installer None
    Obtaining a new certificate
    Performing the following challenges:
    Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
    Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
    IMPORTANT NOTES:
    - Your account credentials have been saved in your Certbot
    configuration directory at /etc/letsencrypt. You should make a
    secure backup of this folder now. This configuration directory will
    also contain certificates and private keys obtained by Certbot so
    making regular backups of this folder is ideal.
    ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
    [cont-finish.d] executing container finish scripts...
    [cont-finish.d] done.
    [s6-finish] syncing disks.
    [s6-finish] sending all processes the TERM signal.
    [s6-finish] sending all processes the KILL signal and exiting.

aptalca Posted January 17, 2018
> 1 hour ago, greg2895 said:
> After the last 2 updates I have not been able to get my container to run. Nothing else has changed to my knowledge besides the update. I am getting the following from my log:
>
>     cont-init.d] 10-adduser: exited 0.
>     [cont-init.d] 20-config: executing...
>     [cont-init.d] 20-config: exited 0.
>     [cont-init.d] 30-keygen: executing...
>     using keys found in /config/keys
>     [cont-init.d] 30-keygen: exited 0.
>     [cont-init.d] 50-config: executing...
>     2048 bit DH parameters present
>     SUBDOMAINS entered, processing
>     Only subdomains, no URL in cert
>     Sub-domains processed are: -d xxxxxxxxx.com
>     E-mail address entered: xxxxxxxxx.com
>     Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
>     usage:
>     certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
>     Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
>     it will attempt to use a webserver both for obtaining and installing the
>     certificate.
>     certbot: error: argument --cert-path: No such file or directory
>     Generating new certificate
>     Saving debug log to /var/log/letsencrypt/letsencrypt.log
>     Plugins selected: Authenticator standalone, Installer None
>     Obtaining a new certificate
>     Performing the following challenges:
>     Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
>     Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
>     IMPORTANT NOTES:
>     - Your account credentials have been saved in your Certbot
>     configuration directory at /etc/letsencrypt. You should make a
>     secure backup of this folder now. This configuration directory will
>     also contain certificates and private keys obtained by Certbot so
>     making regular backups of this folder is ideal.
>     ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
>     [cont-finish.d] executing container finish scripts...
>     [cont-finish.d] done.
>     [s6-finish] syncing disks.
>     [s6-finish] sending all processes the TERM signal.
>     [s6-finish] sending all processes the KILL signal and exiting.

Check the linuxserver letsencrypt thread

NoobSpy Posted January 25, 2018
Question. Is it any way possible to have Domain A and B to point to the same server with letsencrypt? For instance I want domain A to have access to nextcloud etc. But want domain B to point to only seafile for instance.

https://domainA.com/nexcloud and https://domainB.com/seafile

If you can tell me where I can read about that that would be great thx.

CHBMB Posted January 25, 2018
https://github.com/linuxserver/docker-letsencrypt#parameters

Extra_Domains is what you're referring to, and there's a complete support thread for that container on this board.

NoobSpy Posted January 25, 2018
> 6 minutes ago, CHBMB said:
> https://github.com/linuxserver/docker-letsencrypt#parameters
>
> Extra_Domains is what you're referring to, and there's a complete support thread for that container on this board.

Thx

planetwilson Posted January 26, 2018
> On 26/07/2017 at 6:05 AM, Jessie said:
> Has anyone shared letsencrypt on the same network as a small business server? The issue is that both systems need port 443. I'm thinking you might be able to config letsencrypt to redirect to the sbs server but not sure how to do it.

Yes I have done this. I have a bunch of subdomains all coming in over https and getting routed to different dockers or VMs. In addition I have an Open VPN server that is serving over 443 as many places block the standard VPN ports. So the question is how do you handle both incoming VPN traffic as well as a bunch of sub-domains? Some of the incoming traffic is for a Windows server setup and federation with ADFS so might be similar to SBS?

There are two ways this can be achieved. The first is to have OpenVPN in front of nginx and use the ability for it to pass on non-VPN traffic. I had this setup for a few months but the performance was erratic and unstable. It worked but I would get timeouts sometimes on various websites I was hosting.

The second way is to do the routing in nginx using an nginx module called stream and that is what I have settled on and it works rather well although it sounds like your situation might be a little easier and the other thread more helpful.

Attached my config....

nginx_sample.conf

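A sketch of the stream-module routing described in this post and in the July 25, 2017 post, as an added example; it is not the attached nginx_sample.conf, which is not reproduced on this page. The hostnames, the 8443 web listener and the use of 127.0.0.1 are assumptions; 4443 is the OpenVPN port mentioned in the earlier post.

```nginx
# Added example, not the poster's attached config. Requires nginx with the
# stream and stream_ssl_preread modules. Hostnames, port 8443 and the
# 127.0.0.1 addresses are assumed. stream{} sits at the top level of
# nginx.conf, next to http{}, not inside it.
stream {
    # ssl_preread reads the TLS ClientHello without terminating TLS and
    # exposes the requested SNI name. OpenVPN's TCP handshake is not a TLS
    # ClientHello, so the variable is empty and the default branch applies.
    map $ssl_preread_server_name $upstream {
        cloud.example.com   web_tls;
        wiki.example.com    web_tls;
        default             openvpn;
    }

    upstream web_tls {
        server 127.0.0.1:8443;   # the http{} server blocks listen here with ssl
    }

    upstream openvpn {
        server 127.0.0.1:4443;   # OpenVPN in TCP mode
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $upstream;
        proxy_connect_timeout 5s;
    }
}

# The http{} server blocks then stop binding 443 directly, for example:
#   server { listen 127.0.0.1:8443 ssl; server_name cloud.example.com; ... }
```

Every connection without a listed SNI name, including clients that connect by IP address, is handed to the OpenVPN port. The web server blocks now see 127.0.0.1 as the client address, so access logs and fail2ban jails need the real address passed to them some other way.
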
tcarlsson90 Posted January 27, 2018
Hello!

I'm having some trouble getting letsencrypt to work. I got so far to the Welcome page, but in the log I'm getting following error:

    e":"No such container: 5896c2bd3ac6"}

Anyone have an idea why this is?

Thanks

CHBMB Posted January 27, 2018
> 1 minute ago, tcarlsson90 said:
> Hello!
>
> I'm having some trouble getting letsencrypt to work. I got so far to the Welcome page, but in the log I'm getting following error:
>
>     e":"No such container: 5896c2bd3ac6"}
>
> Anyone have an idea why this is?
>
> Thanks

Close that browser window and open a new one. That error means there's no such container anymore, probably because of an update.

tcarlsson90 Posted January 27, 2018
> 9 minutes ago, CHBMB said:
> Close that browser window and open a new one. That error means there's no such container anymore, probably because of an update.

Thanks! Worked like a charm

vortexrap Posted January 29, 2018
In case anyone is having cert renewal issues, such as this post below:

I didn't find a resolution on the unraid forums, so here is the link and resolution from the linuxserver.io forums:

https://www.linuxserver.io/2018/01/11/psa-changes-to-our-lets-encrypt-container/

> Following a very recent announcement by the Let's Encrypt team regarding a vulnerability that has surfaced relating to the use of the TLS-SNI-01 challenge when validating certificates, we have had to make an emergency change to our image. In short, they have disabled that method of verification until they can properly mitigate the issue. This means that our Let's Encrypt container will not work as we only make use of the TLS-SNI method of certificate validation.
>
> With this in mind, we have made the decision to (hopefully) lessen the impact of this issue to our users by making a change to our image which allows certificate validation via HTTP (port 80). We're just awaiting final peer review before we push these changes through our pipeline, so in the mean time, we stress that our users try their best not to restart their Let's Encrypt container until we have pushed this change up. We will update you once the new image is available, and what you need to do to enable HTTP validation.
>
> Update: The changes to our image have now been merged. In order to get certificate validation working, you'll need to add the following environment variable to your docker create/run command:
>
>     -e HTTPVAL=true

In the unraid GUI, select 'Edit' in the Lets Encrypt container, and expand 'Advanced Settings', change HTTPVAL variable from 'false' to 'true'

CHBMB Posted January 29, 2018
> 5 minutes ago, vortexrap said:
> In case anyone is having cert renewal issues, such as this post below:
>
> I didn't find a resolution on the unraid forums, so here is the link and resolution from the linuxserver.io forums:
>
> https://www.linuxserver.io/2018/01/11/psa-changes-to-our-lets-encrypt-container/
>
> In the unraid GUI, select 'Edit' in the Lets Encrypt container, and expand 'Advanced Settings', change HTTPVAL variable from 'false' to 'true'

Mate, there's a whole support thread dedicated to our Letsencrypt container in these forums, and countless posts about this issue. No need to bump needless threads about it.

CreZo Posted February 2, 2018
I can't connect with the desktop client to my nextcloud :/. I can connect via URL in the browser but not with my nextcloud client with the same url. I get an error "...nextcloud/owncloud/status.php not found".

I followed this example: https://cyanlabs.net/tutorials/the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/

Can you help me out?

CHBMB Posted February 2, 2018
> I can't connect with the desktop client to my nextcloud . I can connect via URL in the browser but not with my nextcloud client with the same url. I get an error "...nextcloud/owncloud/status.php not found".
>
> I followed this example: https://cyanlabs.net/tutorials/the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/
>
> Can you help me out?

We don't support that tutorial, you'd have to ask the author of it for support.

There is a completely different tutorial on the linuxserver website that I can vouch for as I wrote it.

CreZo Posted February 2, 2018
Yeah I found it, thank you! I will give it a try tomorrow

dazzathewiz Posted March 6, 2018
> On 10/18/2017 at 2:50 AM, izarkhin said:
> Hi guys,
>
> If anyone here uses Nginx as reverse proxy for dockerized Krusader or DokuWiki, can you please share your config?
>
> For Krusader I have the following:
>
>     location /krusader {
>         include /config/nginx/proxy.conf;
>         rewrite ^/krusader$ /krusader/ redirect;
>         proxy_pass http://XXX.XXX.XX.XXX:8084/;
>     }
>
> and all I get is a page with a rolling gear
>
> For DokuWiki I have:
>
>     location /dokuwiki/ {
>         index doku.php;
>         proxy_set_header Host $host;
>         proxy_set_header X-Forwarded-Proto $scheme;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header Proxy "";
>         include /config/nginx/proxy.conf;
>         proxy_pass http://XXX.XXX.XX.XXX:8087/;
>     }
>
> I see the landing page (doku.php), but there is no CSS and none of the links work
>
> Please help!

So for Krusader - I got it to work (fixed the rolling gear) copying the settings under Nginx section in https://guacamole.apache.org/doc/gug/proxying-guacamole.html

(Note the docker runs guacamole)

    location /guacamole/ {
        proxy_pass http://HOSTNAME:8080/guacamole/;
        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
    }

izarkhin Posted March 8, 2018
> On 3/6/2018 at 2:01 AM, dazzathewiz said:
> So for Krusader - I got it to work (fixed the rolling gear) copying the settings under Nginx section in https://guacamole.apache.org/doc/gug/proxying-guacamole.html
>
> (Note the docker runs guacamole)
>
>     location /guacamole/ {
>         proxy_pass http://HOSTNAME:8080/guacamole/;
>         proxy_buffering off;
>         proxy_http_version 1.1;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection $http_connection;
>         access_log off;
>     }

Wow, it worked! Thank you SO MUCH!