Shamalamadindong, posted October 21, 2016

For anyone who would rather stick to Apache but still use Let's Encrypt, you can reverse proxy nginx to your existing Apache webserver.

```nginx
location / {
    proxy_pass http://myapacheip;    # my existing apache container
    proxy_set_header Host $host;
    # re-write redirects issued by Apache from http to https
    proxy_redirect http:// https://;
}
```

After that you just have to edit any hardcoded URLs to https. Note: this doesn't work if you are routing through Cloudflare; browsers will say there are too many redirects.
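An added model of the Cloudflare caveat in the post above; this is example code written for this page, not something the poster ran, and it is not Cloudflare's or nginx's code. It assumes Cloudflare was in its Flexible SSL mode (edge to origin over plain http), which the post does not state, uses a placeholder hostname, and the `origin`, `cloudflare_edge`, `follow` and `outcome` functions are the example's own. It shows why a force-https origin loops behind a proxy that always speaks http to it, and why honouring `X-Forwarded-Proto` breaks the loop.

```python
"""Why a force-https reverse proxy loops behind Cloudflare, modelled offline.

Added example for this page, not code from the original poster, nginx or
Cloudflare. Assumptions not stated in the post: Cloudflare was in 'Flexible'
SSL mode (edge -> origin over plain http), and the origin is the nginx front
from the post, which redirects every http request it sees to https.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

MAX_REDIRECTS = 20  # roughly the browser limit behind "too many redirects"


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None


def origin(url: str, headers: Dict[str, str], trust_forwarded: bool) -> Response:
    """The origin from the post: a plain-http request gets a 301 to https.

    With trust_forwarded=True the origin decides on X-Forwarded-Proto instead
    of the scheme of the hop it sees (the fix: redirect only when the visitor
    really used http). In production, trust that header only from the
    proxy's own IP ranges, otherwise anyone can spoof it to skip the redirect.
    """
    parts = urlsplit(url)
    if trust_forwarded:
        visitor_scheme = headers.get("X-Forwarded-Proto", parts.scheme)
    else:
        visitor_scheme = parts.scheme
    if visitor_scheme == "http":
        return Response(301, urlunsplit(("https",) + parts[1:]))
    return Response(200)


def cloudflare_edge(url: str, mode: str, trust_forwarded: bool) -> Response:
    """Edge behaviour: 'flexible' always fetches the origin over http, 'full'
    reuses the visitor's scheme. Both forward the visitor's scheme in
    X-Forwarded-Proto and relay the origin's Location header unchanged."""
    parts = urlsplit(url)
    upstream_scheme = "http" if mode == "flexible" else parts.scheme
    upstream = urlunsplit((upstream_scheme,) + parts[1:])
    headers = {"X-Forwarded-Proto": parts.scheme}
    return origin(upstream, headers, trust_forwarded)


def follow(url: str, fetch: Callable[[str], Response], limit: int = MAX_REDIRECTS) -> List[str]:
    """Follow redirects like a browser and return the chain of URLs visited.
    Raises RuntimeError on a loop or once the limit is exhausted."""
    chain = [url]
    for _ in range(limit):
        resp = fetch(url)
        if resp.status not in (301, 302, 307, 308) or not resp.location:
            return chain
        url = resp.location
        if url in chain:
            raise RuntimeError("redirect loop: " + " -> ".join(chain + [url]))
        chain.append(url)
    raise RuntimeError("too many redirects")


def outcome(start: str, mode: str, trust_forwarded: bool = False) -> str:
    """'ok' when the browser reaches a 200, 'loop' when it would show
    ERR_TOO_MANY_REDIRECTS."""
    try:
        follow(start, lambda u: cloudflare_edge(u, mode, trust_forwarded))
        return "ok"
    except RuntimeError:
        return "loop"


if __name__ == "__main__":
    site = "https://cloud.example.net/"  # placeholder hostname
    for mode in ("flexible", "full"):
        for trust in (False, True):
            print(f"{mode:8} trust_forwarded={trust!s:5} -> {outcome(site, mode, trust)}")
```

Only Flexible mode with an origin that ignores `X-Forwarded-Proto` loops: the edge fetches over http, the origin answers 301 to the https URL the browser already asked for, and the browser is sent round again. Switching Cloudflare to Full (strict), or making the origin redirect on the forwarded scheme (restricted to requests from Cloudflare's address ranges), fixes it.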
aptalca, posted October 21, 2016

> For anyone who would rather stick to Apache but still use Let's Encrypt, you can reverse proxy nginx to your existing Apache webserver.

Neat. I hadn't thought of that, but a great idea.
blacky89, posted October 24, 2016

Hello, I recently built my machine for Unraid and it was quite some work to set it up, but everything worked really well in the end. Unraid really is great. So now I ran into a problem with some of the other dockers' interfaces. mineOS and Nextcloud, for example, are reachable via https only, which is nice. However, I always have to confirm in my browsers that I trust the certificate. I guess I need to generate new certs for those dockers so the browsers stop complaining? I tried some stuff with the nginx-letsencrypt docker, but it didn't work out for me. I'm fairly sure I did it wrong anyway. If anyone has a simple guide on how to generate or renew certs with this docker, I'd really appreciate it. I usually google my way to success, but it didn't work out this time and it's frustrating. I bet it's very easy once you know how to do it. Note that I do not necessarily need this to work externally, but mainly on the intranet, for example 192.168.178.111. You get the idea. I assume it's the same way for both of these though. I'd be really thankful if someone could help a noob out here.
Jessie, posted October 25, 2016

I'm on a docker learning curve. Had issues making ownCloud work with Maria or MySQL. Upgraded to Unraid 6.2 and everything broke. Almost gave up on dockers, then I disabled docker in Unraid, deleted the docker image file and started again. EVERYTHING WORKED.

What I am trying to achieve now is to get the letsencrypt docker working with Nextcloud. If I knew what I was doing, it would help. I am not sure what the syntax of the fields should be in the Unraid docker. Basically I want letsencrypt to create an SSL certificate and point to the Nextcloud instance. I have pasted a screenshot below showing what I think should be there, except it doesn't work. Can anyone give me a worked example of what I should be entering into these fields? I have cloud.mydomain.com.au pointing to the Unraid server. Nextcloud is configured to port 444. Nextcloud works if I go to the internal IP address:444.
Shamalamadindong, posted October 25, 2016

> What I am trying to achieve now is to get the letsencrypt docker working with Nextcloud.

This should help: http://lime-technology.com/forum/index.php?topic=51466.0
CHBMB, posted October 25, 2016

> I have cloud.mydomain.com.au pointing to the Unraid server. Nextcloud is configured to port 444. Nextcloud works if I go to the internal IP address:444.

Just have mydomain.com.au, no need for 444; that is a port, not part of your URL...
Shamalamadindong, posted October 25, 2016

> For anyone who would rather stick to Apache but still use Let's Encrypt, you can reverse proxy nginx to your existing Apache webserver.

Absurdly, this worked for a couple of days and now it has stopped working. Weird thing is, it still works in Android Chrome but not in Windows Chrome.
Jessie, posted October 25, 2016

> Just have mydomain.com.au, no need for 444; that is a port, not part of your URL...

How does the nginx part of it know how to find the Nextcloud docker? Or do you have to configure that bit in a config file?
Shamalamadindong, posted October 25, 2016

Correct.

Edit: Does anyone have Transmission working?
Jessie, posted October 26, 2016

Thanks. Will check it out.
izarkhin, posted October 30, 2016

Hello, can someone please help me get this container up and running? I forwarded port 443 on my router to unRAID's IP and went with the default config first, entering my email address, [myname].mynetgear.com as URL and www as subdomain. When I looked at the logs, it said that certificates couldn't be generated because it can't reach www.[myname].mynetgear.com. Then I removed the subdomain variable from the template and tried again. Now it says "Too many certificates already issued for: mynetgear.com". What am I doing wrong?
CHBMB, posted October 30, 2016

You don't own mynetgear.com is my guess. Is it some sort of domain name you've got with some Netgear equipment? I'm not sure how that would work, so I'll leave someone else to answer that one.
izarkhin, posted October 30, 2016

> You don't own mynetgear.com is my guess. Is it some sort of domain name you've got with some Netgear equipment?

Yes, it comes with the Netgear router and is hosted by no-ip.com. I would expect it to work the same way as any other free dynamic DNS service, such as DuckDNS. I'm NOT entering the URL as mynetgear.com, I'm entering it as [myname].mynetgear.com, which is the domain I presumably own. Am I wrong?
CHBMB, posted October 30, 2016

Sorry, missed the myname bit. You'll definitely need something in the subdomain variable, so I'd definitely stick with that. I've got an Asus router myself, with a similar function, so I might have a play and see what I can figure out.
izarkhin, posted October 30, 2016

> Sorry, missed the myname bit. You'll definitely need something in the subdomain variable, so I'd definitely stick with that.

Apparently it had something to do with the mynetgear.com domain. I registered another subdomain using one of noip.com's other free domain names and it worked just fine. Problem solved, I'm up and running.
aptalca, posted October 31, 2016

Most of the domains hosting DDNS services through subdomains are whitelisted by Let's Encrypt (i.e. duckdns and no-ip). However, they may have missed the mynetgear domain, and if too many people got certs for those subdomains, Let's Encrypt may have throttled it.
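An added illustration of the "whitelisting" aptalca describes above; this is example code written for this page, not Let's Encrypt's or the container's code. The mechanism it models is that Let's Encrypt keys its certificates-per-registered-domain limit on the registrable domain (eTLD+1) as defined by the Public Suffix List, so a DDNS provider listed there gives every customer their own bucket. The PSL excerpt, the issued-certificate history and the `registrable_domain`, `bucket_counts` and `would_be_rate_limited` functions are constructed for the example; duckdns.org and the no-ip names it lists are genuinely on the PSL, while mynetgear.com is assumed absent, which is what the thread's symptom suggests.

```python
"""Which name a Let's Encrypt per-registered-domain limit counts against.

Added example for this page; not Let's Encrypt's or the container's code.
The limit is keyed on the registrable domain (eTLD+1) per the Public Suffix
List (PSL). The PSL excerpt below is constructed: duckdns.org and the no-ip
names really are listed; mynetgear.com is assumed absent. The 20-per-week
figure is the limit in force in late 2016; check the current policy.
"""
from collections import Counter
from typing import Dict, Iterable, Set

CERTS_PER_REGISTERED_DOMAIN_PER_WEEK = 20  # Let's Encrypt limit, late 2016

# Constructed PSL excerpt, one rule per line as in the real file. The '*.'
# and '!' rule forms are not needed for the names in this thread.
PSL_EXCERPT = """
// ICANN section (excerpt)
com
net
org
// Private section (excerpt)
duckdns.org
ddns.net
hopto.org
no-ip.org
"""


def load_psl(text: str) -> Set[str]:
    """Parse PSL rules, dropping comments and blank lines."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.startswith("//")}


def registrable_domain(hostname: str, psl: Set[str]) -> str:
    """eTLD+1 of hostname: the longest matching public suffix plus one label.

    An unlisted TLD is treated as a public suffix, as the PSL algorithm requires.
    """
    labels = hostname.lower().rstrip(".").split(".")
    suffix_labels = 1
    for i in range(len(labels) - 1, -1, -1):       # "org", "duckdns.org", ...
        if ".".join(labels[i:]) in psl:
            suffix_labels = len(labels) - i         # longest match wins
    if suffix_labels >= len(labels):
        raise ValueError(f"{hostname} is a public suffix, not a registrable domain")
    return ".".join(labels[-(suffix_labels + 1):])


def bucket_counts(issued_names: Iterable[str], psl: Set[str]) -> Dict[str, int]:
    """How many certificates in the window fall into each registered domain."""
    return Counter(registrable_domain(n, psl) for n in issued_names)


def would_be_rate_limited(name: str, issued_names: Iterable[str], psl: Set[str]) -> bool:
    """True when a new cert for `name` would exceed the per-registered-domain limit."""
    key = registrable_domain(name, psl)
    return bucket_counts(issued_names, psl).get(key, 0) >= CERTS_PER_REGISTERED_DOMAIN_PER_WEEK


if __name__ == "__main__":
    psl = load_psl(PSL_EXCERPT)
    # Constructed history: 20 strangers got certs under each provider this week.
    issued = [f"user{i}.mynetgear.com" for i in range(20)] + \
             [f"user{i}.duckdns.org" for i in range(20)]
    for host in ("myname.mynetgear.com", "myname.duckdns.org"):
        print(host, "->", registrable_domain(host, psl),
              "limited" if would_be_rate_limited(host, issued, psl) else "ok")
```

With the same 20-cert history under each provider, the mynetgear.com name is refused because every customer shares one bucket, while the duckdns.org name is its own registered domain and starts from zero. The real PSL is large and changes; fetch the current list rather than hardcoding an excerpt outside a demo.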
Brettv, posted October 31, 2016

Hi all, trying to get this going, however I am running into the following problem. I have port 443 forwarded in my router. However, something tells me it may not be working. Any ideas?

```text
*** Running /etc/my_init.d/00_regen_ssh_host_keys.sh...
*** Running /etc/my_init.d/firstrun.sh...
Using existing nginx.conf
Using existing nginx-fpm.conf
Using existing site config
Using existing landing page
Using existing jail.local
Using existing fail2ban filters
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.XXXXXXXXX.duckdns.org
2048 bit DH parameters present
Generating new certificate
WARNING: The standalone specific supported challenges flag is deprecated. Please use the --preferred-challenges flag instead.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
An unexpected error occurred:
The server experienced an internal error
Please see the logfiles in /var/log/letsencrypt for more details.
/etc/my_init.d/firstrun.sh: line 138: cd: /config/keys: No such file or directory
Error opening input file cert.pem
cert.pem: No such file or directory
 * Starting nginx nginx ...fail!
 * Starting authentication failure monitor fail2ban
ERROR No file(s) found for glob /config/log/nginx/error.log
ERROR Failed during configuration: Have not found any log file for nginx-http-auth jail ...fail!
*** Running /etc/rc.local...
*** Booting runit daemon...
*** Runit started as PID 105
Oct 31 18:16:02 3e2758b2dd51 syslog-ng[112]: syslog-ng starting up; version='3.5.3'
Oct 31 18:17:01 3e2758b2dd51 /USR/SBIN/CRON[124]: (root) CMD ( cd / && run-parts --report /etc/cron.hourly)
```
aptalca, posted October 31, 2016

> Hi all, trying to get this going, however I am running into the following problem. I have port 443 forwarded in my router. However, something tells me it may not be working. Any ideas?

Their servers are having issues. I can't get any certs either: http://letsencrypt.status.io

EDIT: The issue seems to be fixed now. I am able to get certs again.
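An added triage helper for logs like the one Brettv posted, since the container's log buries the one line that matters under a cascade of follow-on failures; this is example code written for this page, not part of the linuxserver container or certbot. `BRETTV_LOG` reproduces the lines from his post (the hostname was already masked there); the two `CONSTRUCTED_*` strings are made up to stand in for the rate-limit and unreachable-host failures reported earlier in the thread, and the `ROOT_CAUSES` table, `FALLOUT` pattern and `triage` function are the example's own.

```python
"""Triage a failed certificate run from the letsencrypt container's startup log.

Added example for this page; not part of the linuxserver container or certbot.
BRETTV_LOG reproduces the post above; the CONSTRUCTED_* lines are made up to
cover the other failure modes mentioned in this thread. Only the first
root-cause match matters: everything after it (no /config/keys, nginx refusing
to start, fail2ban missing its log file) is fallout of not having a cert.
"""
import re
from typing import Dict, List, Tuple

# Root causes in the order they are tried: (regex, label, what to do)
ROOT_CAUSES: List[Tuple[str, str, str]] = [
    (r"Too many certificates already issued for: (\S+)",
     "rate-limited",
     "per-registered-domain limit hit; use a DDNS domain that is on the "
     "Public Suffix List or wait for the window to pass"),
    (r"The server experienced an internal error",
     "acme-server-error",
     "problem on the Let's Encrypt side; check https://letsencrypt.status.io and retry later"),
    (r"urn:acme:error:connection|could not connect|Connection refused",
     "unreachable",
     "the CA could not reach the name on port 443; check DNS, the port forward and the firewall"),
]

# Lines that only appear because no certificate was written
FALLOUT = re.compile(
    r"No such file or directory|\.\.\.fail!|No file\(s\) found for glob|Have not found any log file"
)

BRETTV_LOG = """\
*** Running /etc/my_init.d/firstrun.sh...
Sub-domains processed are: -d www.XXXXXXXXX.duckdns.org
2048 bit DH parameters present
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
An unexpected error occurred: The server experienced an internal error
Please see the logfiles in /var/log/letsencrypt for more details.
/etc/my_init.d/firstrun.sh: line 138: cd: /config/keys: No such file or directory
Error opening input file cert.pem
cert.pem: No such file or directory
 * Starting nginx nginx ...fail!
 * Starting authentication failure monitor fail2ban
ERROR No file(s) found for glob /config/log/nginx/error.log
ERROR Failed during configuration: Have not found any log file for nginx-http-auth jail ...fail!
"""

# Constructed lines in certbot's 2016 wording, not copied from any post
CONSTRUCTED_RATE_LIMIT = (
    "An unexpected error occurred:\n"
    "There were too many requests of a given type :: Error creating new cert :: "
    "Too many certificates already issued for: mynetgear.com\n"
)
CONSTRUCTED_UNREACHABLE = (
    "Failed authorization procedure. www.myname.mynetgear.com (tls-sni-01): "
    "urn:acme:error:connection :: The server could not connect to the client "
    "to verify the domain :: Timeout\n"
)


def triage(log: str) -> Dict[str, object]:
    """Return the first root cause in `log`, its evidence line and the fallout lines."""
    cause, evidence = "unknown", None
    advice = "read /var/log/letsencrypt/letsencrypt.log inside the container"
    fallout: List[str] = []
    for line in log.splitlines():
        if cause == "unknown":
            for pattern, label, hint in ROOT_CAUSES:
                if re.search(pattern, line):
                    cause, evidence, advice = label, line.strip(), hint
                    break
        elif FALLOUT.search(line):
            fallout.append(line.strip())
    return {"cause": cause, "evidence": evidence, "advice": advice, "fallout": fallout}


if __name__ == "__main__":
    for name, text in (("brettv", BRETTV_LOG),
                       ("rate-limit", CONSTRUCTED_RATE_LIMIT),
                       ("unreachable", CONSTRUCTED_UNREACHABLE)):
        r = triage(text)
        print(f"{name}: {r['cause']} ({len(r['fallout'])} fallout lines) -> {r['advice']}")
```

For Brettv's log the verdict is the ACME server error, with the missing `/config/keys`, the nginx start failure and the fail2ban errors all classified as fallout, which matches aptalca's diagnosis above. An unknown cause means the startup log was not enough and the certbot log inside the container is the next stop.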
vurt, posted November 4, 2016

> For reference, below are my config files for reverse proxy with this container (all personal info X'ed out).

/config/nginx/site-confs/default

```nginx
server {
    listen 443 ssl default_server;

    ssl_certificate /config/keys/fullchain.pem;
    ssl_certificate_key /config/keys/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    # TLSv1/TLSv1.1 and the 3DES/CAMELLIA entries in the cipher list below are
    # legacy; current practice is TLSv1.2+ with AEAD suites only
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    # landing page, protected by basic auth
    location / {
        root /config/www;
        index index.html index.htm index.php;
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
    }

    # each app is served under its own URL prefix and must be configured with
    # the same base URL; no auth_basic here, so these rely on the app's own login
    location /sabnzbd {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/sabnzbd;
    }

    location /cp {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/cp;
    }

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/sonarr;
    }

    location /plexwatch {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/plexWatch;
    }

    location /htpc {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.X.X:XXXX/htpc;
    }
}
```

/config/nginx/nginx.conf

```nginx
user nobody users;
worker_processes 4;
pid /run/nginx.pid;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    client_max_body_size 0;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##
    access_log /config/log/nginx/access.log;
    error_log /config/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    gzip_disable "msie6";
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    include /etc/nginx/conf.d/*.conf;
    include /config/nginx/site-confs/*;

    # these http-level ssl_* settings are overridden by the ones in the server block above
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # HSTS with includeSubDomains and preload commits every subdomain to https;
    # only add preload once that is true everywhere
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;

    ssl_stapling on;        # Requires nginx >= 1.3.7
    ssl_stapling_verify on; # Requires nginx >= 1.3.7
}
```

/config/nginx/proxy.conf

```nginx
client_max_body_size 10m;
client_body_buffer_size 128k;

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
```

> All my containers are using URL prefixes. At the root, I am using a basic HTML5 webpage (protected with htpasswd) which just links to all the proxies. Note that I removed the lines for PHP, because it interfered with plexWatch. I guess it was routing the PHP scripts meant to be run in the plexWatch container to nginx's internal PHP. Since I didn't need any PHP support for my main webpage (all HTML5) I removed PHP altogether. Hope this helps.

I followed the config here. The reverse proxy is working for SAB. With Sonarr I get this on the page: Sonarr Ver. With CouchPotato, when I enter https://domain/cp, the URL changes to https://domain/#cp and I see nginx's default landing page. Can someone help me out? Does this have something to do with URL base for Sonarr and CouchPotato? I had a look in Sonarr but it said to leave that empty for reverse proxy.
aptalca, posted November 4, 2016

> I followed the config here. The reverse proxy is working for SAB. With Sonarr I get this on the page: Sonarr Ver. With CouchPotato, when I enter https://domain/cp, the URL changes to https://domain/#cp and I see nginx's default landing page. Can someone help me out? Does this have something to do with URL base for Sonarr and CouchPotato? I had a look in Sonarr but it said to leave that empty for reverse proxy.

That config assumes that CouchPotato is set to use cp as the base URL and Sonarr is set to use sonarr. You have to set those in each app's settings. Sabnzbd is a unique case here because by default it works with sabnzbd as the base URL and also without it at the same time.
vurt, posted November 4, 2016

Thank you! That worked this time. I thought I made the setting changes to CP and Sonarr before but must've forgotten to reboot each of them. Thanks for the great work on the docker. I've been reading up on setting this up with Apache and getting SSL certificates sounded so convoluted; yours was shockingly easy for a newbie like me who knows nothing!
aptalca, posted November 4, 2016

> Thank you! That worked this time. I thought I made the setting changes to CP and Sonarr before but must've forgotten to reboot each of them.

No problem. That's great to hear it worked.
vurt, posted November 4, 2016

Testing it at work. Looks like the company firewall blocks access to dynamic DNS! (I can access my domain on my phone.) Is there anything else I can do, or should I try a VPN?
vurt, posted November 4, 2016

I'm also trying to reverse proxy linuxserver.io's ruTorrent docker but it's not working. Maybe something to do with not being able to set a URL base? This is the config I'm trying:

```nginx
location /ru {
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.1.252:88/ru;
}
```
Shamalamadindong, posted November 4, 2016

What actually happens when you try to visit /ru?