EdgarWallace Posted April 6, 2016: Thanks, six. I can't reach this docker; all other dockers are fine, but this one I don't know. https://192.168.178.28 simply doesn't work.
aptalca Posted April 6, 2016: What do the logs say? If letsencrypt didn't like your url and failed, then the webserver won't come up.
EdgarWallace Posted April 7, 2016: Here is what I experienced since yesterday:
- I removed all port forward settings from my router.
- I rebooted the router as well as the unRAID server.
- I added the port forward settings into the router again and it reported "MyFritz address unknown" (this is my DNS provider).
- After a few minutes the router accepted the port forward settings and provided the address.
- I started the container ... and surprise, surprise: without modifying any settings from yesterday I saw the default landing page from Nginx (I guess that is the one I want to see, no? Please see the picture attached).

Here is the part of the log reporting success:

    - Congratulations! Your certificate and chain have been saved at /etc/letsencrypt/live/unraid.ip.myfritz.net/fullchain.pem. Your cert will expire on 2016-07-06. To obtain a new version of the certificate in the future, simply run Let's Encrypt again.
    - If you like Let's Encrypt, please consider supporting our work by:
      Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
      Donating to EFF: https://eff.org/donate-le
    Restarting web server
     * Starting authentication failure monitor fail2ban ...done.
    Apr 7 09:18:40 2ca1994f4fd8 syslog-ng[6269]: syslog-ng starting up; version='3.5.3'

I guess that I can now start with what I really want, which is the implementation of the reverse proxy for ownCloud in order to get https access to Bungy's container. Anyone who has had success with this who can give some advice on where to start?
aptalca Posted April 7, 2016 (quoting EdgarWallace's post above): Yup, that's it. I posted sample reverse proxy configs a few pages back. You can use those as a starting point.
EdgarWallace Posted April 7, 2016: Sorry for having wasted your time ... I think that was caused by the router. Anyhow, I saw your "templates", so thanks for sharing. Here is my first try:

    server {
        listen 443 ssl default_server;
        server_name _;
        ssl_certificate /config/keys/fullchain.pem;
        ssl_certificate_key /config/keys/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers '.......................';
        ssl_prefer_server_ciphers on;
        client_max_body_size 0;

        location / {
            root /config/www;
            index index.html index.htm index.php;
            try_files $uri $uri/ /index.html /index.php?$args =404;
        }

        location /owncloud/ {
            include /config/nginx/proxy.conf;
            proxy_pass http://192.168.178.28:8000/;
        }

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            # With php5-cgi alone:
            fastcgi_pass 127.0.0.1:9000;
            # With php5-fpm:
            #fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
        }
    }

I have /mnt/cache/.Docker/appdata/nginx/nginx/site-confs/default as well as /mnt/cache/.Docker/appdata/nginx/site-confs/default. I have chosen to modify the first file, which had much more content. This line caused troubles and hindered the web server from starting:

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

This is why I haven't tried to add:

    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;

I don't see any other difference between your file and the one above. ownCloud is not yet starting. I will try some more things tomorrow.

Ah, here is my /mnt/cache/.Docker/appdata/nginx/proxy.conf:

    client_max_body_size 10m;
    client_body_buffer_size 128k;

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # Advanced Proxy Config
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;

    # Basic Proxy Config
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 32 4k;
aptalca Posted April 7, 2016: You might have to remove the php redirecting, because it might cause issues with external sites that do their own php processing (I had to remove that; our plexwatch had issues). And you might have to use a url prefix for owncloud. Now that you have set up the secure web server, I recommend googling owncloud and nginx proxy and following the code to accomplish that.
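Added example of the two points aptalca raises (drop the local PHP handler, proxy under a URL prefix). This is not any poster's config and not the container's template; it assumes the thread's cert paths, its /config/nginx/proxy.conf, and an ownCloud container at http://192.168.178.28:8000 as used in the post above.

```nginx
# Added example, not the original poster's config or the container's template.
# Assumes the thread's /config/keys cert paths, its /config/nginx/proxy.conf,
# and an ownCloud container at http://192.168.178.28:8000 (the address used above).
server {
    listen 443 ssl default_server;
    server_name _;

    ssl_certificate     /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;
    ssl_dhparam         /config/nginx/dhparams.pem;
    ssl_prefer_server_ciphers on;

    # Landing page only. There is deliberately no "location ~ \.php$" block:
    # regex locations are checked after the prefix match, so with one in place
    # nginx would hand /owncloud/index.php to the local PHP handler instead of
    # proxying it. That is the conflict aptalca describes.
    location / {
        root  /config/www;
        index index.html index.htm;
        try_files $uri $uri/ =404;
    }

    # /owncloud without the slash would otherwise fall into "location /" and 404.
    location = /owncloud {
        return 301 /owncloud/;
    }

    # Prefix-based proxy. Both trailing slashes matter: nginx replaces the
    # matched /owncloud/ with the / of proxy_pass, so the backend sees
    # /index.php rather than /owncloud/index.php.
    location /owncloud/ {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.178.28:8000/;
        # proxy.conf sets client_max_body_size 10m inside this location, and a
        # location-level value overrides the server-level "client_max_body_size 0"
        # from the post above, so sync uploads are capped at 10 MB here. Raise the
        # value in proxy.conf itself; a second client_max_body_size in this block
        # would be rejected as a duplicate directive.
    }
}
```

If the landing page does need local PHP, keep the php block but declare the proxy as `location ^~ /owncloud/` so the prefix wins over the regex. ownCloud also has to be told it is served under /owncloud/ (its overwritewebroot setting), otherwise the redirects it generates drop the prefix and land on the static site.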
EdgarWallace Posted April 7, 2016: Thanks a lot, aptalca, I will follow your advice. Can you just let me know which "default" file is the correct one, as I have two of them (please see my question in the previous post)?
aptalca Posted April 8, 2016 (quoting EdgarWallace's post above): It seems you changed the folder path when you reinstalled, or installed this on top of a different nginx container. The one being used should be under /config/nginx/site-confs (replace config with your config folder location from the container settings).
rix (Author) Posted April 8, 2016: I have just taken the liberty to create a pull request that should allow me to use 4096-bit keys. I have manually replaced my dhparam file but would rather not do manual tinkering with letsencrypt. Would you be as kind as to add this option to increase the 2048 value? Thanks. (Find attached the reason for my messing with your setup: the 2048-bit key is the only thing keeping me from a 100/100/100/100 score, unnecessary though that might be.)
peter_sm Posted April 8, 2016: Do we also have a firewall in the container? https://www.digitalocean.com/community/tutorials/how-to-set-up-an-iptables-firewall-to-protect-traffic-between-your-servers
aptalca Posted April 8, 2016 (quoting rix's post above): That's on my list of things to do as well. Like you mentioned, dhparams is easy: just replace the local file yourself and you're good to go. But for certs, I'll have to make that change.
aptalca Posted April 8, 2016 (quoting peter_sm's question above): This container only allows inbound access on two ports, 80 and 443. And for those ports, you have fail2ban that bans abusers through iptables.
dAigo Posted April 10, 2016 (quoting rix's post above): I went into the docker and modified the key generation to 4096 bit (changed /defaults/letsencrypt.sh). Still "only" 100/100/90/100; I think the issue is that the keychain includes the 2048-bit keys from the LE CA itself, but I could be wrong. *EDIT: never mind, I was missing the "ssl_ecdh_curve" setting for 384-bit+. Added that and got 100/100/100/100 with 4096-bit keys.
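Added example of the TLS settings the last few posts are circling (4096-bit key and DH group, plus the ssl_ecdh_curve line dAigo found missing). It is not the container's shipped config; it assumes the thread's /config/keys and /config/nginx/dhparams.pem paths, the hostname unraid.ip.myfritz.net from the log earlier in the thread, and a dhparams.pem regenerated at 4096 bits out of band.

```nginx
# Added example, not the container's shipped site config. Assumes the thread's
# /config/keys and /config/nginx/dhparams.pem paths, the hostname from the log
# above, and a 4096-bit dhparams.pem regenerated out of band with
#   openssl dhparam -out dhparams.pem 4096
# (slow on a NAS; run it once, not on every container start).
server {
    listen 443 ssl;
    server_name unraid.ip.myfritz.net;

    ssl_certificate     /config/keys/fullchain.pem;   # 4096-bit leaf if letsencrypt.sh was patched as described
    ssl_certificate_key /config/keys/privkey.pem;
    ssl_dhparam         /config/nginx/dhparams.pem;   # 4096-bit group for the DHE suites

    # TLS 1.2 only, 256-bit AEAD suites only, server order wins.
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384';

    # The line dAigo was missing. Without it nginx uses its default curve
    # (prime256v1 / P-256 on the nginx releases of the time) for ECDHE, so the
    # key exchange is graded on a 256-bit curve no matter how large the RSA key
    # or the DH group is. P-384 lifts the key-exchange score, as reported above.
    ssl_ecdh_curve secp384r1;

    # Session cache rather than tickets: without ssl_session_ticket_key nginx
    # creates the ticket key at startup and only rotates it on restart, which
    # undermines the forward secrecy the ECDHE/DHE suites were chosen for.
    ssl_session_cache   shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS. Start with a short max-age while the setup is still being tested.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        root  /config/www;
        index index.html index.htm;
    }
}
```

After editing, `nginx -t` inside the container reports whether the directives parse before you restart; a bad ssl_ciphers string or a missing dhparams.pem shows up there rather than as a silent failure to start.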
hunter69 Posted April 12, 2016: I am having problems with the nginx container with Let's Encrypt. The problem: I set up the container to install to mnt/cache/nginx/config (that is the path I set). I set port 81 for the http port and 943 for https. When I click create it does not do anything. I have left it for at least 30 min and nothing occurred. I can install the apache container and also ownCloud with no issues. I have forwarded port 443 to my server. Any ideas why this would happen? I really appreciate you taking time to help me. Bill
aptalca Posted April 12, 2016 (quoting hunter69's post above): Did you forward outside port 443 to the container's port 943 on your router? If so, what do the logs say?
In0cenT Posted April 12, 2016: Hello aptalca, sorry for disturbing your peace again... How am I supposed to update my domains? I had these domains in my list when I created the docker: www,plexpy,headphones,sonarr,couchpotato,nzbget,cloud,request. Today I wanted to add the subdomain "esports" and I restarted the docker. After the docker restarted I got an ssl error when accessing the url esports.domain.ch. Is there anything special I have to do to add a subdomain? Here are the logs: http://pastebin.com/aTdnx3TV Another question is whether I can't have multiple config files in the site-confs folder. I'm used to having a single config file for each subdomain ("cloud.domain.ch.conf / esports.domain.ch.conf") and would load them by having it include everything in the said folder. As soon as I put a 2nd config file in the site-confs folder, I can't access either site I was able to before. Cheers for your support!
aptalca Posted April 12, 2016 (quoting In0cenT's post above): Unfortunately, letsencrypt does not handle adding or removing urls graciously (yet), so this container does not support it (in fact, if you modify the variables later on and let it renew through cron, it might break the whole thing). What you can do is delete the etc/letsencrypt folder in your config location (it contains the keys) and then restart the container with the new url settings. The old certs will simply be discarded. You will still get e-mail notifications about them expiring (you can optionally revoke them on the command line before deleting them, but it's complicated). Or, better yet, delete the whole config folder and reinstall from fresh to be sure. Keep in mind that if you do it too many times, letsencrypt may block future cert retrievals/renewals for a certain period of time (which makes testing this container a real pain from a development perspective).

The site-confs directory should handle multiple configs. The nginx.conf is set to include all configs in that folder. There must be an error in one of the configs that prevents nginx from starting. The nginx log might tell you what it is.
rix (Author) Posted April 13, 2016: Thank you very much for the last (giant & awesome) update. I am deeply satisfied looking at this:
In0cenT Posted April 13, 2016: I added multiple subdomains at one point; that probably wrecked my docker then, haha. I've reinstalled the docker and I'm struggling to get my subdomains running. I'm keeping your "default" file and I've created new SUBDOMAIN.DOMAIN.CH.conf files for each subdomain. For some reason it fails to start after just one config, which used to work fine on my old installation on a Raspberry Pi. Subdomain conf: http://pastebin.com/22JvZBW1 I'm trying to get a fresh install of koken (photography CMS). I've placed the installer file called index.php in the "/www/koken" folder. What am I missing, that my config won't work? I'm not getting any error logs at all.
aptalca Posted April 13, 2016 (quoting In0cenT's post above): Well, for one, I don't think nginx likes it if you have more than one "default" server defined for the same port. You have multiple configs with that. That's likely the issue.
In0cenT Posted April 13, 2016: Doesn't nginx also check with what url you're accessing your server? I have port 80 open for all my subdomains, but they direct to a different address internally. Have I been using nginx wrong the whole time? How will I get it running for the subdomain esports.DOMAIN.ch? Thanks for your help!
aptalca Posted April 13, 2016 (quoting In0cenT's post above): Oh no, you can do what you propose, but you have a bug in your config currently.

Let's say you set up 2 subdomains, sd1 and sd2. You create two server blocks in nginx, one for each, both listening on port 443, and they point to different root folders. When the request comes in, nginx looks at the destination address; if it's sd1.domain.url, it sends it to the first server block. But if a request comes in at port 443 and the destination address is neither sd1.domain.url nor sd2.domain.url (it could be just the ip address XXX.XXX.XXX.XXX), in that case nginx needs to decide where to send that request. The "default_server" setting, which you have in your config file in the line "listen 443 ssl default_server;", means that any request that comes in on port 443 that doesn't match any of the listed server blocks by destination address should be sent to that default block.

In your case, you have two blocks designated as default: your esports.DOMAIN.ch block contains it, and the default site config contains it. That's the reason nginx is not starting. Delete one of the two "default_server" settings, and nginx should start, considering there aren't any other issues with your config. You can just modify that line to "listen 443 ssl;".

I would recommend starting with a single very basic site config that works (like the default one I included) and start modifying it step by step with container restarts in between. That way, if nginx is no longer starting, you'll know that your last change broke something.
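Added example of the layout aptalca describes: one catch-all default_server on port 443 and one named server block per subdomain. It is not from any post in the thread. The hostnames sd1.domain.url / sd2.domain.url are the placeholders from the explanation; the cert paths and proxy.conf include are the thread's own; the ownCloud upstream 192.168.178.28:8000 and the koken document root come from earlier posts.

```nginx
# Added example, not a poster's config. Placeholders sd1.domain.url and
# sd2.domain.url are from aptalca's explanation; cert paths, proxy.conf, the
# ownCloud upstream and the koken root are taken from earlier posts.

# Exactly one default_server per listen port. A request that arrives on :443
# with an unknown SNI/Host name, or by bare IP, lands here and gets 444, which
# closes the connection without a response; scanners that hit the address
# rather than a name never see an application. A single SAN cert covering all
# the container's subdomains is enough for every block below.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;
    return 444;
}

# sd1: reverse proxy to ownCloud. Note: no default_server on this listen line.
server {
    listen 443 ssl;
    server_name sd1.domain.url;
    ssl_certificate     /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.178.28:8000/;
    }
}

# sd2: the koken installer served from its own document root with local PHP.
server {
    listen 443 ssl;
    server_name sd2.domain.url;
    ssl_certificate     /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;

    root  /config/www/koken;
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;                  # never hand a non-existent .php path to the interpreter
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;          # php-cgi listener from the thread's default config
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }
}
```

With the files split one-per-subdomain in site-confs, as In0cenT prefers, the only rule is that the `default_server` flag appears in exactly one of them per port; the name-based blocks are matched on the TLS SNI name and the Host header, so they need neither the flag nor a particular file order.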
In0cenT Posted April 14, 2016: Thanks for the detailed explanation! Works perfectly now thanks to you.
pinion Posted April 15, 2016: I feel dumb, but... I keep getting connection refused in Chrome. I would expect that even without the letsencrypt part I should be able to access the webserver internally. Externally, of course, letsencrypt gives me failed to connect. This is after a default install to my cache drive without changing any configs.
aptalca Posted April 15, 2016 (quoting pinion's post above): The webserver is probably not running. If the settings are incorrect and the certs were never retrieved, the webserver won't come up. Check the logs.