kamhighway Posted July 4, 2016
@aptalca, Thank you for your message. You hit the nail on the head. I've got the green lock now. Thanks for your efforts on this docker.
richowen Posted July 11, 2016
Hi, loving the docker. I run a small website on it atm and was doing some speed checks and came across this https://developers.google.com/speed/pagespeed/module/ and was wondering if there was any way you could use that with the docker? Doubt it would be worth your time but might be a nice extra. Or it might be impossible, just thought I'd ask.
aptalca Posted July 11, 2016
I looked into it, and it seems you have to build nginx with support for pagespeed. I'm afraid it would be too much work to maintain it, as I would have to rebuild it every time nginx is updated. Currently, nginx is updated with a simple push to the docker hub (literally a single click).
richowen Posted July 12, 2016
Ah, thought it might be something like that, np, thanks for the reply.
Wob76 Posted July 14, 2016
Hi,

First off thanks to aptalca for the container, I installed yesterday and it's working a treat. I replaced the apache reverse proxy I was using, having it auto handle SSL is great.

I have it doing reverse proxy for a few things, I had a bit of a mission getting it to talk to binhex's rtorrentvpn docker, so thought I would add my config here to save anyone else the time doing it later.

I used aptalca's config examples as my starting point, and I also had to disable php for rutorrent (like aptalca mentioned for plexwatch). I didn't want to modify the rutorrent config, so I have this docker doing a url rewrite. I am also using a different username in rutorrent, so I added an auth setting to authenticate between this docker and rutorrent, so I only need to authenticate with this docker using its username and password.

This is the entry in the site-confs/default:

location /rutorrent {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
    proxy_set_header Authorization "Basic ####INSERT BASE64 HASH####";
    rewrite ^/rutorrent(/.*)$ $1 break;
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.0.250:9080/;
}

Oh, to generate your BASE64 hash you can use an online encoder such as https://www.base64encode.org/. So take username:password (using your username and password as defined in rutorrent) and encode it and you will get something like "dXNlcm5hbWU6cGFzc3dvcmQ=", and that line will look like:

proxy_set_header Authorization "Basic dXNlcm5hbWU6cGFzc3dvcmQ=";

Personally I would ensure the password is unique; if someone gets your hash they can decode it.

Hope that helps someone.

Wob
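The value pasted into that proxy_set_header line is the HTTP Basic credential from RFC 7617: base64 of "username:password", which is reversible, not a hash. This added example (not from Wob76's post or the docker's own scripts) builds the directive offline, so no credentials go to a web encoder, and decodes it back to show exactly what someone reading the config would recover. The function names are my own; the "username"/"password" sample is the one quoted in the post.

```python
import base64
import binascii

# Added example, not code from the post above. The Basic scheme is plain
# base64 of "user:password" (RFC 7617), so the value in the nginx config is
# an encoding, not a hash: anyone who can read the config gets the password,
# which is why the post recommends a unique password for rutorrent.


def basic_auth_header(username: str, password: str) -> str:
    """Return the full header value, e.g. 'Basic dXNlcm5hbWU6cGFzc3dvcmQ='."""
    if ":" in username:
        # RFC 7617 reserves ':' as the separator; a colon in the user-id
        # would make the pair ambiguous when it is decoded.
        raise ValueError("username may not contain ':'")
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_auth_header(value: str) -> tuple[str, str]:
    """Reverse the encoding; raises ValueError on anything malformed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except binascii.Error as exc:
        raise ValueError("credential token is not valid base64") from exc
    # Only the first ':' separates user from password; the password itself
    # may contain colons.
    user, sep, password = raw.decode("utf-8").partition(":")
    if not sep:
        raise ValueError("decoded credential lacks the ':' separator")
    return user, password


def proxy_auth_directive(username: str, password: str) -> str:
    """The exact nginx line to paste into the location block."""
    return f'proxy_set_header Authorization "{basic_auth_header(username, password)}";'


if __name__ == "__main__":
    line = proxy_auth_directive("username", "password")
    print(line)
    # Show that the value decodes straight back to the credentials.
    print(parse_basic_auth_header(line.split('"')[1]))
```

Run it with your real rutorrent username and password and paste the printed line into the location block; keep the config file readable only by the account that runs the container, since the line is equivalent to the password itself.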
Kukielka Posted July 14, 2016
Every time I start up the docker container the nginx server seems to fail. I only have a free dns from no-ip.

Using existing nginx.conf
Using existing nginx-fpm.conf
Using existing site config
Using existing landing page
Using existing jail.local
Using existing fail2ban filters
No subdomains defined
Using existing DH parameters
<------------------------------------------------->
<------------------------------------------------->
cronjob running at Thu Jul 14 08:01:32 CEST 2016
Updating certbot script. It will display help info, which you can ignore
certbot-auto [SUBCOMMAND] [options] [-d domain] [-d domain] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default, it will attempt to use a webserver both for obtaining and installing the cert.

Major SUBCOMMANDS are:
(default) run       Obtain & install a cert in your current webserver
certonly            Obtain cert, but do not install it (aka "auth")
install             Install a previously obtained cert in a server
renew               Renew previously obtained certs that are near expiry
revoke              Revoke a previously obtained certificate
register            Perform tasks related to registering with the CA
rollback            Rollback server configuration changes made during install
config_changes      Show changes made to server config during installation
plugins             Display information about installed plugins

Choice of server plugins for obtaining and installing cert:
--apache            Use the Apache plugin for authentication & installation
--standalone        Run a standalone webserver for authentication
(nginx support is experimental, buggy, and not installed by default)
--webroot           Place files in a server's webroot folder for authentication

OR use different plugins to obtain (authenticate) the cert and then install it:
--authenticator standalone --installer apache

More detailed help:
-h, --help [topic]  print this message, or detailed help on a topic; the available topics are: all, automation, paths, security, testing, or any of the subcommands or plugins (certonly, install, register, nginx, apache, standalone, webroot, etc.)

URL is ***.ddns.net
Subdomains are
deciding whether to renew the cert(s)
Preparing to generate server certificate for the first time
Temporarily stopping Nginx
* Stopping nginx nginx ...done.
Generating/Renewing certificate
Restarting web server
* Starting nginx nginx ...fail!
* Starting nginx nginx ...fail!
* Starting authentication failure monitor fail2ban ...fail!
Jul 14 08:01:41 b7459a9ee1c4 syslog-ng[171]: syslog-ng starting up; version='3.5.3'

Any solutions?
Kukielka Posted July 14, 2016
After further investigation it seems like the nginx server cannot access /config/keys. Letsencrypt seems to be the problem here...
aptalca Posted July 14, 2016
Make sure that your config folder location is defined as /mnt/cache/blah or /mnt/disk/blah and not /mnt/user/blah. If that wasn't the issue, post a screenshot of your container settings.
Kukielka Posted July 15, 2016
Doesn't storing something under /mnt/disk and not under /mnt/user break the parity?

greetings
aptalca Posted July 15, 2016
Writing to /mnt/disk does not break parity. It just specifies which disk unraid writes the information to. Doing a move operation between a user share and a disk share can create issues where data can disappear (but still not break parity).

Unraid won't let you break parity under normal circumstances. I believe that only if there's a write error to a disk, parity may get broken (or if you mount a disk in a different os or machine and write to it outside of unraid).
trope Posted July 18, 2016
So I've managed to get the container working initially, as in it generates a cert and I can reach the default nginx index page via https://my.url.com; however, when I go to add a location entry for Seafile, nginx fails to start upon restarting the container. Am I doing something wrong? The problem is that I can't seem to replicate somebody's config entirely because I have the Nginx container running on Unraid @ 192.168.1.200 and Seafile is running in a VM @ 192.168.1.201:8000.

Below is my current /config/nginx/sites-conf/default file:

server {
    listen 80;
    listen 443 ssl default_server;
    root /config/www;
    index index.html index.htm index.php;
    server_name _;
    ssl_certificate /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'xxxxxx';
    ssl_prefer_server_ciphers on;
    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    location /seafile {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.201:8000;
    }
}

Any ideas what the problem could be? It's probably something stupidly simple; however, I've been struggling to just get Seafile working all day and I think my brain is fried at this point. Thanks!
Kewjoe Posted July 26, 2016
Hi Everyone,

So I've read every single post in this thread (yay me!). The reverse proxy stuff and configurations all make sense to me. I have two other use cases that I'm wondering about.

1. Can I use the certs created by LE for my VPN Server on my router (OpenVPN)?
2. Can I use the certs created by LE for use in Emby Server? This wouldn't be a reverse proxy, it asks for a certificate in the settings, I'm hoping I can just point the setting to the cert folder, or something along those lines.

Thanks!
aptalca Posted July 26, 2016
For emby server it should be relatively easy. Since you just enter the path of the certs, you can map the location of the le certs in the emby container and point to them (I'm assuming it uses the certs in place rather than importing them). When the certs are renewed, the path should still be valid and should keep pointing to the active certs.

For openvpn, I believe you have to upload them. So you would have to upload the new certs every 60 days following renewal.

In le, you can find the certs in the following location: Configfolder/etc/letsencrypt/live/your.domain/fullchain.pem
Kewjoe Posted July 26, 2016
Got it installed and working. But can't use the path for Emby. Only the root user can get past the live directory; when I try to browse to that location from within Emby, it doesn't let me get past. Do I have to make Emby privileged? Would that be dangerous to do?

Emby is also looking for a .pfx file, instead of a .pem file.
aptalca Posted July 26, 2016
Not sure about the permissions to be honest. What happens if you directly map the folder the keys are in? So in container settings, you would map /keys to /mnt/cache/appdata/Nginx-letsencrypt/etc/letsencrypt/live/your.domain/ (fix the path for your case), so within emby you would just browse to /keys and the certs would be there.

In terms of pfx vs pem, I found this through google: http://emby.media/community/index.php?/topic/34004-server-access/
Kewjoe Posted July 26, 2016
Oh, nice link. That worked. I guess I'll just have to manually do this every 3 months. Not the end of the world. I'll have to do it for my VPN anyway, so no big loss. Thanks! This is awesome!
rdubs Posted August 1, 2016
First off, thanks for the docker! Working great. One semi issue though - where are the fail2ban config files? I see the jail.local but the other configs? I have it working with a htpasswd but it doesn't log anything. I've tried changing the log level with ssh + docker exec but it's not generating a file. There's the access log from nginx but I'd like to be able to see fail2ban's stuff directly, like banned ips. I checked iptables -L to see if I could check banned ips, but not seeing them there either. Although it is definitely working, I've tested the functionality.
aptalca Posted August 1, 2016
I did not separate out and save the fail2ban logs to the config folder. Mainly because there is a better way to check its status. Fail2ban-client is the way to go.

In the unraid console, running the following will show you the active jails:

docker exec -it Nginx-letsencrypt fail2ban-client status

And the following will show you the details of a specific jail activity, including the IPs that are currently banned:

docker exec -it Nginx-letsencrypt fail2ban-client status nginx-http-auth

The main config file for fail2ban is inside the container at /etc/fail2ban and its logs are at /var/logs
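Those two commands answer the question interactively; for a quick overview of every jail at once (or to feed a monitoring script) the text they print is easy to parse. This added example (my own, not from aptalca's post or the docker's scripts) reads the jail list from "fail2ban-client status", then pulls the counters and the "Banned IP list" line from each jail's status. The two SAMPLE_ strings are constructed to match fail2ban's status layout so the parser runs offline; the container name Nginx-letsencrypt and the jail nginx-http-auth are the ones from the post, the second jail name and the IPs are made up.

```python
import re
import subprocess

# Added example, not code from the post above. Parses the output of
# "fail2ban-client status" and "fail2ban-client status <jail>" so the
# banned IPs of every jail can be collected in one pass. The samples below
# are constructed; only the container and first jail name come from the post.

CONTAINER = "Nginx-letsencrypt"

SAMPLE_STATUS = """Status
|- Number of jail:      2
`- Jail list:   nginx-http-auth, nginx-badbots
"""

SAMPLE_JAIL_STATUS = {
    "nginx-http-auth": """Status for the jail: nginx-http-auth
|- Filter
|  |- Currently failed: 2
|  |- Total failed:     7
|  `- File list:        /var/log/nginx/error.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     3
   `- Banned IP list:   203.0.113.5 198.51.100.7
""",
    "nginx-badbots": """Status for the jail: nginx-badbots
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     0
|  `- File list:        /var/log/nginx/access.log
`- Actions
   |- Currently banned: 0
   |- Total banned:     0
   `- Banned IP list:
""",
}


def jail_names(status_text: str) -> list[str]:
    """Jail names from the 'Jail list:' line of 'fail2ban-client status'."""
    m = re.search(r"Jail list:\s*(.*)", status_text)
    if not m:
        return []
    return [j.strip() for j in m.group(1).split(",") if j.strip()]


def _int_field(text: str, label: str) -> int:
    m = re.search(rf"{re.escape(label)}:\s*(\d+)", text)
    return int(m.group(1)) if m else 0


def jail_summary(jail_text: str) -> dict:
    """Counters and banned IPs from 'fail2ban-client status <jail>'."""
    m = re.search(r"Banned IP list:[ \t]*(.*)", jail_text)  # '.' stops at end of line
    ips = m.group(1).split() if m else []
    return {
        "currently_failed": _int_field(jail_text, "Currently failed"),
        "total_failed": _int_field(jail_text, "Total failed"),
        "currently_banned": _int_field(jail_text, "Currently banned"),
        "total_banned": _int_field(jail_text, "Total banned"),
        "banned_ips": ips,
    }


def run_in_container(args: list[str]) -> str:
    """Run fail2ban-client inside the container (docker exec without -it,
    since this is not an interactive session)."""
    cmd = ["docker", "exec", CONTAINER, "fail2ban-client", *args]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def collect(run=run_in_container) -> dict[str, dict]:
    """Map each jail to its summary. 'run' is injectable so the parser can
    be exercised offline against the constructed samples."""
    return {j: jail_summary(run(["status", j])) for j in jail_names(run(["status"]))}


def sample_runner(args: list[str]) -> str:
    """Stand-in for run_in_container that serves the constructed samples."""
    if args == ["status"]:
        return SAMPLE_STATUS
    return SAMPLE_JAIL_STATUS[args[1]]


if __name__ == "__main__":
    # Swap sample_runner for run_in_container to query the live container.
    for jail, info in collect(sample_runner).items():
        print(f"{jail}: {info['currently_banned']} banned now, "
              f"{info['total_banned']} total, IPs {info['banned_ips']}")
```

Run on the unraid console with collect() (the default runner) it prints one line per jail; a banned IP that should never appear there, such as your own LAN address, is the signal to check the jail's filter or add an ignoreip entry in jail.local.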
rdubs Posted August 1, 2016
Hmm, something is odd on my end then. My etc folder only has a letsencrypt folder inside it, nothing for fail2ban. Also not in the root /etc directory with the cron data in case you meant that one.

Edit: I did get the status command working though, thanks!
aptalca Posted August 1, 2016
I meant under root /etc not the one under the config folder. If you do

docker exec -it Nginx-letsencrypt bash

to exec into the container, go into /etc/fail2ban and you'll see the rest of the files.
rdubs Posted August 3, 2016
Ah ok thanks for all your help! I really appreciate it.
korpo53 Posted August 6, 2016
This is great! It let me get rid of my nginx/LE VM I was using, and it saved me trying to learn to do it with haproxy on my pfSense router. Here's my config, which is shamelessly stolen and modified from posts here in addition to what I was already running, and which might be of some help to people trying to piece one together.

default

server {
    listen 80;
    listen 443 ssl http2;
    server_name mysecretdomain.com www.mysecretdomain.com;
    include /config/nginx/proxy.conf;
    include /config/nginx/auth.conf;
    ssl_certificate /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass http://192.168.100.50/;
        proxy_buffering off;
    }

    location /nzbget {
        proxy_pass http://192.168.100.50:6789;
    }

    location /couchpotato {
        proxy_pass http://192.168.100.50:5050/couchpotato;
    }

    location /sonarr {
        proxy_pass http://192.168.100.50:8989/sonarr;
    }

    location /plexpy {
        proxy_pass http://192.168.100.50:8181/plexpy;
    }
}

auth.conf

satisfy any;
allow 192.168.100.0/24;
deny all;
auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;

proxy.conf

client_max_body_size 0;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
benwaynet Posted August 10, 2016
I've read through all the pages of this post. I can't get the cert to generate. I'm trying to use duckdns.org for DDNS. The log shows it failed connecting to 443 on the duckdns.org domain. I of course don't own that.

URL is duckdns.org
Subdomains are xxx
deciding whether to renew the cert(s)
Preparing to generate server certificate for the first time
Temporarily stopping Nginx
* Stopping nginx nginx ...done.
Generating/Renewing certificate
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: duckdns.org
Type: connection
Detail: Failed to connect to 54.187.92.222:443 for TLS-SNI-01 challenge

I have the router forwarding 443 to 443 of the host to 443 of the container.

thanks, jb
roland Posted August 10, 2016
I am using this with duckdns.org and it works. From memory you need to put your subdomain into the domain field and leave subdomain blank (exactly because you don't own duckdns.org): xxxxx.duckdns.org

I am at work at the moment but I can check my config when I get home tonight.