[Support] Linuxserver.io - Apache



At the time of writing we don't have any plans to do an apache-letsencrypt container for what it's worth.

Why?!?  :-\

 

Because we have a few other containers to worry about, I suspect that nobody really realises quite how much time it takes to maintain & support everything.  Also it would appear that most people are using nginx these days.  So if we were to do a letsencrypt container it almost certainly would be nginx based.

Link to comment

How I got LetsEncrypt (LE) Working

 

So I gave Nginx-LE docker a really good try. While I was very easily able to get all the certificates, I had too many issues with various reverse-proxy entries. I got frustrated and gave it up. I have been using Apache for a while now, and decided to give that a try.

 

From the old guides on setting up the SSL certificates, from smbdion, it seems like once they expire, I have to re-learn how to obtain them again. It's not a pretty or easy process. The promise of LE is a very appealing one.

 

One nice thing about the Nginx-LE docker, is that once it creates the certificates for you for the first time, this folder you can copy to other places. So basically you have to properly have the N-LE docker running with the certificates created.

Could you just not copy the let's encrypt folder from N-LE docker to apache with the user scripts plugin? Then use a rsync command so it only copies changes (which results in no changes if there is no change to the certificate).

Then have both N-LE and Apache running, I doubt they will take a lot of resources..

 

Link to comment

Only problem with that will be ports as far as I can tell.  nginx will need 443 to get certs (at router level) which means Apache can't have it.  Which means traffic won't hit Apache.... Kind of flawed.

 

I did wonder whether you could do something similar but just fire up nginx once every three months to renew the certs instead.  But I haven't read enough about it to know if it'll work.

 

Personally I still think the easiest option is to learn nginx....

 

Wasn't as difficult as I thought.

Link to comment

With my steps earlier, you can still renew the certificates using Apache and cron.  There is no need to run N-LE after initially creating the certificates. Even when re-installing, the apache docker will continue working.

 

My one excuse for not switching to nginx is that I have a personal web site that among many things, every 30 minutes it parses a bunch of RSS feeds and stores the data in a Maria db table (the Linuxserver docker). This is a php script that runs fine in the apache docker via cron. For some reason, the php script will not run even when it is installed as a cron job in nginx.

 

 

 

 

Sent from my iPad using Tapatalk

Link to comment

Only problem with that will be ports as far as I can tell.  nginx will need 443 to get certs (at router level) which means Apache can't have it.  Which means traffic won't hit Apache.... Kind of flawed.

 

I did wonder whether you could do something similar but just fire up nginx once every three months to renew the certs instead.  But I haven't read enough about it to know if it'll work.

 

Personally I still think the easiest option is to learn nginx....

 

Wasn't as difficult as I thought.

Yeah, did not think of that..  :-[

 

You could make it so it stops apache -> start N-LE, then wait 60 seconds -> copy the files over -> stop N-Le and start Apache again every month (or just start the script yourself when you need it).

It would work, but not so good as using N-LE, or using the way hernandito described, but a lot easier to figure out and setup ;)

Link to comment
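
The stop/start swap suggested in the post above, written out as an added example (not code from the thread or from linuxserver.io). The container names, appdata paths and the `fullchain.pem` file name are assumptions, as is the premise that the Let's Encrypt container renews on start; the script restarts Apache even when renewal fails and refuses to copy a certificate that is missing or expires within 30 days.

```shell
#!/bin/sh
# Added example: hand ports to the Let's Encrypt container, copy the renewed
# certs to Apache, then hand the ports back. All names and paths are assumed.
set -u

APACHE_CTR="${APACHE_CTR:-apache}"                           # hypothetical name
LE_CTR="${LE_CTR:-letsencrypt}"                              # hypothetical name
LE_SRC="${LE_SRC:-/mnt/user/appdata/letsencrypt/keys/}"      # assumed path
APACHE_DST="${APACHE_DST:-/mnt/user/appdata/apache/keys/}"   # assumed path
WAIT_SECS="${WAIT_SECS:-60}"                 # time given to the renewal
MIN_VALID_SECS="${MIN_VALID_SECS:-2592000}"  # 30 days

# run CMD...: execute the command, or only print it when DRY_RUN=1
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then echo "+ $*"; else "$@"; fi
}

# cert_ok FILE: true only if FILE is a non-empty, parsable certificate
# that stays valid for at least MIN_VALID_SECS from now
cert_ok() {
  [ -s "$1" ] &&
    openssl x509 -in "$1" -noout -checkend "$MIN_VALID_SECS" >/dev/null 2>&1
}

# Always give the ports back to Apache, whatever happened before
restore_apache() {
  run docker stop "$LE_CTR" || true
  run docker start "$APACHE_CTR"
}

renew_swap() {
  swap_rc=0
  run docker stop "$APACHE_CTR" || return 1
  if run docker start "$LE_CTR"; then
    run sleep "$WAIT_SECS"
    # Copy only a certificate that verifies as fresh; otherwise keep the old one
    if [ "${DRY_RUN:-0}" = "1" ] || cert_ok "${LE_SRC}fullchain.pem"; then
      run rsync -a "$LE_SRC" "$APACHE_DST" || swap_rc=1
    else
      echo "renewed certificate missing or expiring; keeping old files" >&2
      swap_rc=1
    fi
  else
    swap_rc=1
  fi
  restore_apache || swap_rc=1
  return "$swap_rc"
}

# Run only when asked, so the file can be sourced to inspect the functions
if [ "${1:-}" = "--run" ]; then renew_swap; fi
```

Run it first with `DRY_RUN=1` to see the command sequence; a non-zero exit means the old certificate is still in place and should be looked at before it expires.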

 

Also it would appear that most people are using nginx these days.  So if we were to do a letsencrypt container it almost certainly would be nginx based.

 

If that is the case might i suggest rewriting this and/or deprecating the reverse proxy Apache container, https://www.linuxserver.io/2015/11/10/overview-reverse-proxy-with-docker/

 

It is just about the first thing you run in to when you start looking at reverse proxying on Unraid.

Link to comment

 

Also it would appear that most people are using nginx these days.  So if we were to do a letsencrypt container it almost certainly would be nginx based.

 

If that is the case might i suggest rewriting this and/or deprecating the reverse proxy Apache container, https://www.linuxserver.io/2015/11/10/overview-reverse-proxy-with-docker/

 

It is just about the first thing you run in to when you start looking at reverse proxying on Unraid.

 

Bit premature.  Besides, it still has relevance for those that do run Apache.

Link to comment

I understand that however it creates pointless extra work for people wanting to run a reverse proxy and use Lets Encrypt. You either have to switch over to nginx or macgyver a solution to get Lets Encrypt working with the reverse proxy apache docker.

 

That said, the reason i wanted to try Lets Encrypt was because the StartSSL guide you wrote for the reverse proxy Apache container is giving me some problems, StartSSL doesn't pick up the right email address to validate my domain with, all it gives me as options is [email protected], [email protected] or [email protected], not my own email which is in the whois records.

Link to comment

I understand that however it creates pointless extra work for people wanting to run a reverse proxy and use Lets Encrypt. You either have to switch over to nginx or macgyver a solution to get Lets Encrypt working with the reverse proxy apache docker.

 

That said, the reason i wanted to try Lets Encrypt was because the StartSSL guide you wrote for the reverse proxy Apache container is giving me some problems, StartSSL doesn't pick up the right email address to validate my domain with, all it gives me as options is [email protected], [email protected] or [email protected], not my own email which is in the whois records.

 

Let me get this straight, you're moaning because a guide we wrote creates pointless extra work for you, because you need to look at it?  Because it appears in your search results?  This was never advertised as a LE container, you don't like it, don't use it.  You don't like nginx? Don't use it. 

 

I don't understand how a guide which clearly doesn't state it uses nginx or Let's Encrypt creates extra work.  The guide is useful for those that need some information on how to setup a reverse proxy.  Seeing as we don't actually have a Let's Encrypt container, you want us to rewrite a guide so it works for you.

 

As docker container maintainers, we support getting the container up and running, not configuring a webserver or any other app.  If you're having a problem with StartSSL then contact them,  I've used them twice to produce SSL certs myself and have not had any problems getting my domain validated.  For what it's worth it sounds like you have some sort of spam protection on your domain to prevent your email address being public.

 

Believe it or not, some people may not want to use LE, and may want to configure an Apache reverse proxy.  So I see no reason to deprecate this container.  Choice is a good thing.

 

I'm really not clear what your point is, but it sounds like you think it's our job to write a guide and/or rewrite a container because you're having issues configuring it?

Link to comment

Hold on, relax. Give me a moment to explain my train of thought.

 

Linuxserver.io - Apache reverse proxy container, there's a guide on how to set this up. However, the maintainers of said container appear to have switched over to a different container also maintained by them based on nginx.

 

Linuxserver.io - Nginx container, there is no guide on how to set this up and the container is seemingly not preconfigured to use as a reverse proxy. (i don't know anything about nginx so forgive me if its a very simple matter)

 

aptalca - Lets Encrypt container, based on nginx and based on posts in the support thread, ready to use as a reverse proxy. Maintainer has seemingly joined Linuxserver.io but the container has not been ported over yet. (correct me if i'm wrong on that bit)

 

My suggestion to rewrite the guide and/or deprecate the apache container was based on the fact that at some point novice users like myself run in to problems, we then head to the support thread for the container and here we learn the maintainers are using an alternative but there's no guide for it. You then have a third option in the lets encrypt container for which there do exist some instructions in the support thread.

 

Point is, it gets confusing on what is the best option for novice users. When you first start looking in to setting up a reverse proxy you come across your guide first and start trying that. When problems arise however support is made more difficult by the fact the maintainers are no longer using it themselves. As a novice one will naturally drift to the apparently best long term supported option which at the moment in my mind does not appear to be the Apache docker.

 

Which is why i suggested rewriting the guide to reflect that situation and/or deprecating the apache container.

 

Please understand, i have a lot of respect for the work you guys do. My suggestion was based entirely in the hopes of making things less complicated for everyone in the long run by preventing people from picking apache today so they aren't faced with a situation where the best option is to switch over and have to redo everything in the future.

 

I'm really not clear what your point is, but it sounds like you think it's our job to write a guide and/or rewrite a container because you're having issues configuring it?

 

As i hope i've made clear, my configuration problems are not why i made the suggestion.

 

Edit: apologies but now that i happen to have your attention, any plans on a Guacamole container?

Link to comment

The point is, it's not our job to support people through configuring all these apps, it's an impossible task and one that isn't up to us. What we do is create a docker container for people to use and we support getting the container up and running only.  Occasionally we write a guide, but that is above and beyond what we normally do.  If you need to learn how to use Apache or Nginx then there are many places on the web to do so.

 

Configuring webservers is not straightforward, I've worked my way through IIS, Apache & Nginx, it's a pain in the arse.

 

The fact I chose to migrate to Nginx from Apache does not affect my ability to support the Apache container, it was a personal choice because I wanted to learn how to use nginx.  In fact I still have my Apache config and container installed and can switch between the two within a couple of minutes.  I end up supporting a lot of containers I don't use myself.

 

You're defining "ready to use" as whether custom SSL certs are created for you or not, that's an incorrect assumption, although LE has made creating SSL certs much easier there are still many valid reasons for creating and using your own certs.  Some people prefer Apache, some prefer Nginx, personally after using both I have no real preference in terms of configuring, although if forced to pick, I'd probably choose Apache as I'm still more familiar with it than Nginx.  The ls.io version of Nginx is perfectly serviceable as a reverse proxy, indeed that was what I set up and what I am running.

 

You've got to bear in mind configuring and maintaining a webserver probably isn't a novice suitable task in all honesty.  It requires a fair bit of work and continued monitoring of any security issues (and I'm not necessarily talking just about the SSL certs here).

 

Part of the issue is drawing the line between what we support and what we don't.  I personally have an interest in the webservers, I like learning, configuring and using them, but that doesn't necessarily mean I want to sit down and write a guide.  I'll support and try and help where I can but seeing as your first post in this thread was telling us to deprecate the container and rewrite a guide and you've never posted asking for support in our nginx thread either forgive me for reacting to your post somewhat negatively.  Perhaps a question in either would have helped?

 

EDIT: No plans on creating a Guacamole container.  There is an official version from the application author.

Link to comment

cut

 

I've been agonizing over a response to specific parts of your reply for the last half hour but i think that is going to waste both our times. Suffice to say i did not intend my post to be received in the way it was.

 

Regarding the Startssl thing, i've been in contact with the live chat however they were unable to help me, they are pointing to my registrar which they say has to "build" my email in to the whois info even though my domains whois states my email as the administrative and technical contact and my registrar is likely to point me at their paid ssl package.

 

From the way things look right now i think i'm just going to set up a VM and get Apache and Lets Encrypt going manually.

Link to comment
Regarding the Startssl thing, i've been in contact with the live chat however they were unable to help me, they are pointing to my registrar which they say has to "build" my email in to the whois info even though my domains whois states my email as the administrative and technical contact and my registrar is likely to point me at their paid ssl package.
I guess I'm not getting the issue. If they insist on using a specific email, why don't you just create it for them? When I did my StartSSL, they would only send to a specific (currently non-existent) address, which I assumed was their way of making me prove I own the domain. I logged into my control panel, created the address they wanted, and presto, everything worked.

 

Do you not have the ability to create and destroy email addresses at will on your own domain?

Link to comment

cut

 

I've been agonizing over a response to specific parts of your reply for the last half hour but i think that is going to waste both our times. Suffice to say i did not intend my post to be received in the way it was.

 

Regarding the Startssl thing, i've been in contact with the live chat however they were unable to help me, they are pointing to my registrar which they say has to "build" my email in to the whois info even though my domains whois states my email as the administrative and technical contact and my registrar is likely to point me at their paid ssl package.

 

From the way things look right now i think i'm just going to set up a VM and get Apache and Lets Encrypt going manually.

 

Fair enough, and if that wasn't your intent then I apologise. 

 

I found that StartSSL required me to use the email address I had registered with my domain name supplier, I don't remember inputting it, but they parsed it iirc from the WHOIS record.  However as my domain name supplier has a spam guard feature, StartSSL couldn't do so, I just turned the feature off at my domain name supplier for five minutes, created my certs then turned it back on.  It seemed to make sense to verify my identity as the domain owner.

Link to comment

Yea i have been looking for something like that but i can't really find anything that looks like it. I've just emailed my registrar so i guess i will know more tomorrow.

 

To be honest, your problem isn't with Apache or Nginx but with SSL certs.

 

FWIW I did toy with the idea of writing a guide for StartSSL certs and even started it but it's too difficult to do without releasing a whole host of personal information onto the web.

 

I still can't get my head around if that's your main issue, why you don't use nginx-LE and be done with it.  Or are you already familiar with Apache?

Link to comment

Hello,

 

I seem to have a problem with the folder permissions.

I installed the docker with the config folder pointing to /mnt/user/Webserver. The Server starts fine.

The problem is that I can't modify/create/delete anything from the files and folders created by the Docker.

It always tells me that I require permissions from Tower\nobody (SMB Share).

Are the apache webserver files and folders designed to only be accessible via the root account through something like ftp/sftp?

Can I change the permissions, so I can work with said files/folder with my Unraid user account?

Link to comment

Hello,

 

I seem to have a problem with the folder permissions.

I installed the docker with the config folder pointing to /mnt/user/Webserver. The Server starts fine.

The problem is that I can't modify/create/delete anything from the files and folders created by the Docker.

It always tells me that I require permissions from Tower\nobody (SMB Share).

Are the apache webserver files and folders designed to only be accessible via the root account through something like ftp/sftp?

Can I change the permissions, so I can work with said files/folder with my Unraid user account?

 

nobody is the correct user perms for Unraid.  How are you accessing the folder/files in terms of smb users etc

Link to comment

I guess I'm not getting the issue. If they insist on using a specific email, why don't you just create it for them? When I did my StartSSL, they would only send to a specific (currently non-existent) address, which I assumed was their way of making me prove I own the domain. I logged into my control panel, created the address they wanted, and presto, everything worked.

 

Do you not have the ability to create and destroy email addresses at will on your own domain?

 

My registrar doesn't include email services, i'd have to set up my own mailserver.

 

To be honest, your problem isn't with Apache or Nginx but with SSL certs.

 

I have it working now by the way. The Lets Encrypt docker is handling ssl and i'm reverse proxying to the Apache docker through nginx.

Link to comment

I guess I'm not getting the issue. If they insist on using a specific email, why don't you just create it for them? When I did my StartSSL, they would only send to a specific (currently non-existent) address, which I assumed was their way of making me prove I own the domain. I logged into my control panel, created the address they wanted, and presto, everything worked.

 

Do you not have the ability to create and destroy email addresses at will on your own domain?

 

My registrar doesn't include email services, i'd have to set up my own mailserver.

 

 

I used my gmail address

Link to comment
