Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[Request/Done] Let's Encrypt Container

Featured Replies

For anyone who would rather stick to Apache but still use Lets Encrypt you can reverse proxy nginx to your existing Apache webserver.

 

    location / {

        proxy_pass http://myapacheip; # my existing apache container
        proxy_set_header Host $host;

        # re-write redirects to http as to https
        proxy_redirect http:// https://;
    }

 

After that you just have to edit any hardcoded urls to https.

 

Note, doesn't work if you are routing through Cloudflare, browsers will say there are too many redirects.

  • Replies 576
  • Views 112.7k
  • Created
  • Last Reply

For anyone who would rather stick to Apache but still use Lets Encrypt you can reverse proxy nginx to your existing Apache webserver.

 

    location / {

        proxy_pass http://myapacheip; # my existing apache container
        proxy_set_header Host $host;

        # re-write redirects to http as to https
        proxy_redirect http:// https://;
    }

 

After that you just have to edit any hardcoded urls to https.

 

Note, doesn't work if you are routing through Cloudflare, browsers will say there are too many redirects.

Neat. I hadn't thought of that but a great idea

Hello,

I recently build my machine for unraid and it was quite some work to set it up, but everything worked really well in the end. Unraid really is great. So now I ran into a problem with some of the other dockers interfaces. mineOS and nextcloud for example are reachable via https only, which is nice. However, I always have to confirm in my browsers that I trust the certificate. I guess I need to generate new certs for those dockers, so the browsers stop complaining ? I tried some stuff with the Nginx-letsencrypt docker, but it didnt work out for me. I'm fairly sure I did it wrong anyway

If anyone got a simple guide on how to generate or renew certs with this docker, I'd really appreciate it. I usually google my way to success, but it didnt work out this time and its frustrating. I bet its very easy once you know how to do it.

 

Note that I do not necessarily need this to work external but mainly on the intranet, for example 192.168.178.111. You get the idea. I assume its the same way for both of this though.

 

I'd be really thankful if someone could help a noob here out.

I'm on a docker learning curve.

Had issues making owncloud work with maria or MySQL. Upgraded to unraid 6.2 and everything broke.

Almost gave up on dockers, then I disabled docker in unraid, deleted the docker image file and started again.

EVERYTHING WORKED :)

What I am trying to achieve now is to get the letsencrypt docker working with nextcloud.

If I knew what I was doing, it would help.

I am not sure what the syntax of the fields should be in the unraid docker.

Basically I want letsencrypt to create an SSL certificate and point to the nextcloud instance.

I have pasted a screen shot below showing what I think should be there, except it doesn't work.

 

Can anyone give me a worked example of what I should be entering into these fields?

 

I have cloud.mydomain.com.au pointing to the unraid server.  The nextcloud is configured to port 444.

Nextcloud works if I goto the internal ip address:444

letsencrypt.JPG.6d92e58295714aef972d718e9f42579a.JPG

I'm on a docker learning curve.

Had issues making owncloud work with maria or MySQL. Upgraded to unraid 6.2 and everything broke.

Almost gave up on dockers, then I disabled docker in unraid, deleted the docker image file and started again.

EVERYTHING WORKED :)

What I am trying to achieve now is to get the letsencrypt docker working with nextcloud.

If I knew what I was doing, it would help.

I am not sure what the syntax of the fields should be in the unraid docker.

Basically I want letsencrypt to create an SSL certificate and point to the nextcloud instance.

I have pasted a screen shot below showing what I think should be there, except it doesn't work.

 

Can anyone give me a worked example of what I should be entering into these fields?

 

I have cloud.mydomain.com.au pointing to the unraid server.  The nextcloud is configured to port 444.

Nextcloud works if I goto the internal ip address:444

 

Just have mydomain.com.au no need for 444 that is a port not part of your url... 

For anyone who would rather stick to Apache but still use Lets Encrypt you can reverse proxy nginx to your existing Apache webserver.

 

Absurdly, this worked for a couple of days and now it has stopped working. Weird thing is, it still works on Android Chrome but not on Windows Chrome.

 

 

Just have mydomain.com.au no need for 444 that is a port not part of your url...

 

How does the nginx part of it know how to find the nextcloud docker?  or do you have to configure that bit in a config file?

Correct.

 

Edit:

Does anyone have Transmission working?

 

Thanks. Will check it out..

Hello, can someone please help me get this container up and running? I forwarded port 443 on my router to unRAID's IP and went with the default config first, entering my email address, [myname].mynetgear.com as URL and www as subdomain. When I looked at the logs, it said that certificates couldn't be generated because it can't reach www.[myname].mynetgear.com. Then I removed the subdomain variable from the template and tried again. Now it says "Too many certificates already issued for: mynetgear.com". What am I doing wrong?

You don't own mynetgear.com is my guess.  Is it some sort of domain name you've got with some netgear equipment?  I'm not sure how that would work so I'll leave someone else to answer that one.

You don't own mynetgear.com is my guess.  Is it some sort of domain name you've got with some netgear equipment?  I'm not sure how that would work so I'll leave someone else to answer that one.

Yes, it comes with Netgear router and is hosted by no-ip.com. I would expect it to work the same way as any other free dynamic dns service, such as duckdns. I'm NOT entering URL as mynetgear.com, I'm entering it as [myname].netgear.com, which is the domain I presumably own. Am I wrong?

Sorry missed the myname bit.  You'll definitely need something in the subdomain variable, so I'd definitely stick with that.  I've got a Asus router myself, with a similar function, so I might have a play and see what I can figure out. 

Sorry missed the myname bit.  You'll definitely need something in the subdomain variable, so I'd definitely stick with that.  I've got a Asus router myself, with a similar function, so I might have a play and see what I can figure out.

Apparently, it had something to do with the mynetgear.com domain. I registered another subdomain using some other noip.com's free domain name and it worked just fine. Problem solved, I'm up and running.

Most of the domains hosting ddns services through subdomains are whitelisted by letsencrypt (ie. duckdns and no-ip). However they may have missed the mynetgear domain and if too many people got certs for those subdomains, letsencrypt may have throttled it

Hi all,

Trying to get this going, however am running into the following problem. I have port 443 forwarded in my router. However something tells me it may not be working.

 

Any ideas?

 

 

 

*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...

*** Running /etc/my_init.d/firstrun.sh...

Using existing nginx.conf

Using existing nginx-fpm.conf

Using existing site config

Using existing landing page

Using existing jail.local

Using existing fail2ban filters

SUBDOMAINS entered, processing

Sub-domains processed are: -d www.XXXXXXXXX.duckdns.org

2048 bit DH parameters present

Generating new certificate

WARNING: The standalone specific supported challenges flag is deprecated.

 

Please use the --preferred-challenges flag instead.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Obtaining a new certificate

An unexpected error occurred:

 

The server experienced an internal error

 

Please see the logfiles in /var/log/letsencrypt for more details.

/etc/my_init.d/firstrun.sh: line 138: cd: /config/keys: No such file or directory

Error opening input file cert.pem

 

cert.pem: No such file or directory

* Starting nginx nginx

...fail!

* Starting authentication failure monitor fail2ban

ERROR No file(s) found for glob /config/log/nginx/error.log

 

ERROR Failed during configuration: Have not found any log file for nginx-http-auth jail

 

...fail!

*** Running /etc/rc.local...

*** Booting runit daemon...

*** Runit started as PID 105

Oct 31 18:16:02 3e2758b2dd51 syslog-ng[112]: syslog-ng starting up; version='3.5.3'

 

Oct 31 18:17:01 3e2758b2dd51 /USR/SBIN/CRON[124]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)

Hi all,

Trying to get this going, however am running into the following problem. I have port 443 forwarded in my router. However something tells me it may not be working.

 

Any ideas?

 

 

 

*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...

*** Running /etc/my_init.d/firstrun.sh...

Using existing nginx.conf

Using existing nginx-fpm.conf

Using existing site config

Using existing landing page

Using existing jail.local

Using existing fail2ban filters

SUBDOMAINS entered, processing

Sub-domains processed are: -d www.XXXXXXXXX.duckdns.org

2048 bit DH parameters present

Generating new certificate

WARNING: The standalone specific supported challenges flag is deprecated.

 

Please use the --preferred-challenges flag instead.

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org

Obtaining a new certificate

An unexpected error occurred:

 

The server experienced an internal error

 

Please see the logfiles in /var/log/letsencrypt for more details.

/etc/my_init.d/firstrun.sh: line 138: cd: /config/keys: No such file or directory

Error opening input file cert.pem

 

cert.pem: No such file or directory

* Starting nginx nginx

...fail!

* Starting authentication failure monitor fail2ban

ERROR No file(s) found for glob /config/log/nginx/error.log

 

ERROR Failed during configuration: Have not found any log file for nginx-http-auth jail

 

...fail!

*** Running /etc/rc.local...

*** Booting runit daemon...

*** Runit started as PID 105

Oct 31 18:16:02 3e2758b2dd51 syslog-ng[112]: syslog-ng starting up; version='3.5.3'

 

Oct 31 18:17:01 3e2758b2dd51 /USR/SBIN/CRON[124]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)

Their servers are having issues. I can't get any certs either

 

http://letsencrypt.status.io

 

EDIT: The issue seems to be fixed now. I am able to get certs again

For reference, below are my config files for reverse proxy with this container (all personal info X'ed out)

 

/config/nginx/site-confs/default

server {

listen 443 ssl default_server;


ssl_certificate /config/keys/fullchain.pem;
ssl_certificate_key /config/keys/privkey.pem;
ssl_dhparam /config/nginx/dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

client_max_body_size 0;

    location / {
root /config/www;
index index.html index.htm index.php;
        auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;
}

    location /sabnzbd {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/sabnzbd;
}

    location /cp {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/cp;
}

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/sonarr;
}

    location /plexwatch {
        auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/plexWatch;
}

    location /htpc {
        auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/htpc;
}

}

 

 

/config/nginx/nginx.conf

user nobody users;
worker_processes 4;
pid /run/nginx.pid;

events {
worker_connections 768;
# multi_accept on;
}

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

client_max_body_size 0;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# Logging Settings
##

access_log /config/log/nginx/access.log;
error_log /config/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;
gzip_disable "msie6";

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

include /etc/nginx/conf.d/*.conf;
include /config/nginx/site-confs/*;
    
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7

}

 

 

/config/nginx/proxy.conf

client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

 

All my containers are using url prefixes. At the root, I am using a basic html5 webpage (protected with htpasswd) which just links to all the proxies.

 

Note that I removed the lines for php, because it interfered with plexWatch. I guess it was routing the php scripts meant to be run in the plexWatch container to nginx's internal php. Since I didn't need any php support for my main webpage (all html5) I removed php altogether.

 

Hope this helps

 

I followed the config here.

 

The reverse proxy is working for SAB.

With Sonarr I get this on the page:

Sonarr Ver.

With CouchPotato, when I enter https://domain/cp, the URL changes to https://domain/#cp and I see nginx's default landing page.

 

Can someone help me out? Does this have something to do with URL base for Sonarr and CouchPotato?

 

I had a look in Sonarr but it said to leave that empty for reverse proxy.

 

 

 

 

 

 

For reference, below are my config files for reverse proxy with this container (all personal info X'ed out)

 

/config/nginx/site-confs/default

server {

listen 443 ssl default_server;


ssl_certificate /config/keys/fullchain.pem;
ssl_certificate_key /config/keys/privkey.pem;
ssl_dhparam /config/nginx/dhparams.pem;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

client_max_body_size 0;

    location / {
root /config/www;
index index.html index.htm index.php;
        auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;
}

    location /sabnzbd {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/sabnzbd;
}

    location /cp {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/cp;
}

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/sonarr;
}

    location /plexwatch {
        auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/plexWatch;
}

    location /htpc {
        auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/htpc;
}

}

 

 

/config/nginx/nginx.conf

user nobody users;
worker_processes 4;
pid /run/nginx.pid;

events {
worker_connections 768;
# multi_accept on;
}

http {

##
# Basic Settings
##

sendfile on;
tcp_nopush on;
tcp_nodelay on;
keepalive_timeout 65;
types_hash_max_size 2048;
# server_tokens off;

# server_names_hash_bucket_size 64;
# server_name_in_redirect off;

client_max_body_size 0;

include /etc/nginx/mime.types;
default_type application/octet-stream;

##
# Logging Settings
##

access_log /config/log/nginx/access.log;
error_log /config/log/nginx/error.log;

##
# Gzip Settings
##

gzip on;
gzip_disable "msie6";

# gzip_vary on;
# gzip_proxied any;
# gzip_comp_level 6;
# gzip_buffers 16 8k;
# gzip_http_version 1.1;
# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

include /etc/nginx/conf.d/*.conf;
include /config/nginx/site-confs/*;
    
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;
add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
add_header X-Frame-Options SAMEORIGIN;
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
ssl_stapling on; # Requires nginx >= 1.3.7
ssl_stapling_verify on; # Requires nginx => 1.3.7

}

 

 

/config/nginx/proxy.conf

client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

 

All my containers are using url prefixes. At the root, I am using a basic html5 webpage (protected with htpasswd) which just links to all the proxies.

 

Note that I removed the lines for php, because it interfered with plexWatch. I guess it was routing the php scripts meant to be run in the plexWatch container to nginx's internal php. Since I didn't need any php support for my main webpage (all html5) I removed php altogether.

 

Hope this helps

 

I followed the config here.

 

The reverse proxy is working for SAB.

With Sonarr I get this on the page:

Sonarr Ver.

With CouchPotato, when I enter https://domain/cp, the URL changes to https://domain/#cp and I see nginx's default landing page.

 

Can someone help me out? Does this have something to do with URL base for Sonarr and CouchPotato?

 

I had a look in Sonarr but it said to leave that empty for reverse proxy.

 

That config assumes that couchpotato is set to use cp as the base url and sonarr is set to use sonarr. You have to set those in each app's settings.

 

Sabnzbd is a unique case here because by default it works with sabnzbd as the base url and also without it at the same time.

Thank you! That worked this time. I thought I made the setting changes to CP and Sonarr before but must've forgotten to reboot each of them.

 

Thanks for the great work on the docker. I've been reading up on setting this up with Apache and getting SSL certificates sounded so convoluted, yours was shockingly easy for a newbie like me who know nothing!

Thank you! That worked this time. I thought I made the setting changes to CP and Sonarr before but must've forgotten to reboot each of them.

 

Thanks for the great work on the docker. I've been reading up on setting this up with Apache and getting SSL certificates sounded so convoluted, yours was shockingly easy for a newbie like me who know nothing!

No problem. That's great to hear it worked.

Testing it at work. Looks like company firewall blocks access to dynamic DNS! (I can access my domain on my phone).

 

Is there anything else I can do, or should I try a VPN?

I'm also trying to reverse proxy linuxserver.io's ruTorrent docker but it's not working. Maybe something to do with not being able to set a URL base?

 

This is the config I'm trying:

 

    location /ru {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.252:88/ru;
}

 

What actually happens when you try to visit /ru?

Archived

This topic is now archived and is closed to further replies.

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.