[Support] Linuxserver.io - Apache



Alright, I've gotten Let's Encrypt working in this. It's *very* crude, and this method voids your warranty from LS.io!

 

Add an environmental variable to your docker:

ADVANCED_SCRIPT = true

 

In your appdata/apache/ folder (note, the root! not the appdata/apache/apache/!) make two files:

 

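userscript.sh

# Install git, fetch the Let's Encrypt client, then request a certificate
# with the Apache plugin using the options in /config/letsencrypt.ini.
apt-get install git -y
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
/opt/letsencrypt/letsencrypt-auto --apache --config /config/letsencrypt.ini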

 

letsencrypt.ini

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Certbot with
# "--help" to learn more about the available options.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Uncomment and update to register with the specified e-mail address
email = <VALID EMAIL>

# Uncomment and update to generate certificates for the specified
# domains.
domains = <YOUR FQDN>

# Uncomment to use a text interface instead of ncurses
text = True

# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
#authenticator = webroot
#webroot-path = /config/www/

agree-tos

 

At this point go to your appdata/apache/apache/site-confs/default.conf and change the key locations:

SSLCertificateFile "/etc/letsencrypt/live/<domain>/cert.pem"
SSLCertificateKeyFile "/etc/letsencrypt/live/<domain>/privkey.pem"
SSLCertificateChainFile "/etc/letsencrypt/live/<domain>/chain.pem"

 

This doesn't have any kind of cron to auto-renew every 60 days like is recommended, and there's no checking if it already has a cert so it tries to re-issue on every reboot of the docker, but it should be a good starting point.

 

I welcome any feedback on this.
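
The post above notes that the script requests a certificate on every container start and has no renewal step. One way to guard that call, as an added example that is not part of the original post: `cert_action`, `ensure_cert` and the `LE_*` variables are names assumed here, with defaults taken from the paths in the post.

```shell
#!/bin/sh
# Added example, not part of the original post.
# The LE_* variable names are assumptions; their defaults are the paths
# used in the post.
LE_CLIENT="${LE_CLIENT:-/opt/letsencrypt/letsencrypt-auto}"
LE_CONFIG="${LE_CONFIG:-/config/letsencrypt.ini}"
LE_LIVE="${LE_LIVE:-/etc/letsencrypt/live}"
LE_RENEW_DAYS="${LE_RENEW_DAYS:-30}"

# cert_action CERT [DAYS]: print "issue", "renew" or "skip".
cert_action() {
    cert="$1"
    days="${2:-30}"
    # Missing, empty or dangling path: nothing has been issued yet.
    if [ ! -s "$cert" ]; then
        echo issue
        return 0
    fi
    # Present but not a parseable X.509 certificate: start over.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo issue
        return 0
    fi
    # -checkend N exits 0 only if the certificate is still valid
    # N seconds from now.
    if openssl x509 -in "$cert" -noout \
        -checkend "$((days * 86400))" >/dev/null 2>&1; then
        echo skip
    else
        echo renew
    fi
}

# ensure_cert DOMAIN: contact the CA only when cert_action says so.
ensure_cert() {
    domain="$1"
    action="$(cert_action "$LE_LIVE/$domain/cert.pem" "$LE_RENEW_DAYS")"
    case "$action" in
        issue) "$LE_CLIENT" --apache --config "$LE_CONFIG" ;;
        renew) "$LE_CLIENT" renew ;;
        skip)  echo "certificate for $domain is still valid; not contacting the CA" ;;
    esac
}
```

Calling `ensure_cert <domain>` from userscript.sh in place of the unconditional letsencrypt-auto line keeps container restarts from counting against the CA's rate limits.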

 

I cannot get this to work....

 

I created the letsencrypt.ini and I edited it to read:

 

# This is an example of the kind of things you can do in a configuration file.
# All flags used by the client can be configured here. Run Certbot with
# "--help" to learn more about the available options.

# Use a 4096 bit RSA key instead of 2048
rsa-key-size = 4096

# Uncomment and update to register with the specified e-mail address
email = [email protected]

# Uncomment and update to generate certificates for the specified
# domains.
domains = mypersonaldomainname.com

# Uncomment to use a text interface instead of ncurses
text = True

# Uncomment to use the standalone authenticator on port 443
# authenticator = standalone
# standalone-supported-challenges = tls-sni-01

# Uncomment to use the webroot authenticator. Replace webroot-path with the
# path to the public_html / webroot folder being served by your web server.
#authenticator = webroot
#webroot-path = /config/www/

agree-tos

 

My default.conf reads like this (edited)

 

<VirtualHost *:443>
    ServerName mypersonaldomainname.com

    SSLEngine on

    SSLCertificateFile "/etc/letsencrypt/live/mypersonaldomainname.com/cert.pem"
    SSLCertificateKeyFile "/etc/letsencrypt/live/mypersonaldomainname.com/privkey.pem"
    SSLCertificateChainFile "/etc/letsencrypt/live/mypersonaldomainname.com/chain.pem"

    DocumentRoot /config/www/

    <Directory "/config/www/">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

 

I manually ran the commands in the userscript.sh to test, and I got the following error:

 

qUjD5hG.jpg

 

After the above, I manually created the folders /etc/letsencrypt/live/mypersonaldomainname.com/ . I re-ran the "/opt/letsencrypt/letsencrypt-auto --apache --config /config/letsencrypt.ini" command again, with the same results.

 

I am wanting to migrate from smdion's Reverse Proxy Server and I am unsure about the process for the certificates. I know that the certificates I have expire after a year's time. Then I have to re-figure out or relearn how to generate them again. I cannot seem to retain that knowledge for a once-a-year task. I am hoping Let's Encrypt can automate that.

 

Many thanks,

 

H.

 

 

 

 

Link to comment

After 4 days, I resolved what my problem was with the above post. I had the Docker configured to use port 444.... and not 443. Changing the port worked. Face palm.

 

Unfortunately, implementing this will not survive a Docker re-install even with mapping the /etc/letsencrypt/live folder. I tried mapping and the keys are in some type of format that is not seen in the mapped folder.

 

Went back to the older keys that last one year.

 

Hoping the docker geniuses implement the Let's Encrypt feature soon....

Link to comment

Hey

 

Probably been asked here before, but what exactly is required to get this container up and running as a basic Apache server?

 

I've changed my unRAID webUI port to 8080, rebooted, then tried to use the LinuxServer.io repo to install Apache through the automated docker install wizard in unRAID, then tried to access the "WebUI" for the plugin, or just port 80 on my server.

 

I'm getting refused connections. Seems to be an issue with another docker plugin too (OpenVPN-AS), yet not Deluge. Odd. Only other thing running is the default PlexMediaServer LimeTech Docker

Link to comment


 

Without some idea of your port mappings, logs etc I have no idea.  The fact that you're having problems with two containers that I use myself and know are working makes me think you've configured something wrong.  Also, there's no need to change the Unraid webui port.  I just run Apache on ports 81 & 443 and get my router to forward external traffic on port 80 to port 81 on my unraid box.

Link to comment
  • 2 weeks later...

Great docker here. I was able to muddy my way through this and got most of my web apps running through this proxy now, using https!

 

Two questions come to mind, and I'm not a web guy, Apache and IIS are not my strong points in IT.

 

So....what if I want to use this proxy for something like the unraid web interface or my router, that doesn't seem to have an option to set a base url? Create a subdomain maybe?

 

Next question is I used the LetsEncrypt Docker to create my files for running HTTPS trusted. It created my cert for 90 days, will it auto generate a new one if I leave the docker running? Also since it wants HTTPS access...would I need this reverse proxy to send stuff its way, or am I just better firing up that docker when I need a new cert? Thanks

Link to comment

So....what if I want to use this proxy for something like the unraid web interface or my router, that doesn't seem to have an option to set a base url? Create a subdomain maybe?

 

Subdomains are the easiest way to do it. Otherwise you're looking at a load of redirects. As a bit of advice, don't reverse proxy your Unraid webui. That is better served by the additional security of a VPN imho. We have an OpenVPN-AS container that I use myself.

 

Next question is I used the LetsEncrypt Docker to create my files for running HTTPS trusted. It created my cert for 90 days, will it auto generate a new one if I leave the docker running? Also since it wants HTTPS access...would I need this reverse proxy to send stuff its way, or am I just better firing up that docker when I need a new cert? Thanks

 

Best firing up that docker, probably would need to stop this one though.

Link to comment

gotcha.... so one thing I would like to get running through this is my PRTG install....which looks like it needs a subdomain re-direct, but can't seem to get it working.

 

I created prtg.test.com so would I use.....

 

<VirtualHost *:443>

    ServerName prtg.test.com

    Redirect permanent / http://192.168.1.5:8081

</VirtualHost>

 

or

 

<VirtualHost prtg.test.com:443>

    ServerName prtg.test.com

    Redirect permanent / http://192.168.1.5:8081

</VirtualHost>

 

 

 

I'm not sure where in the conf file this would go as well, my suspicion is it can go either before or after the existing stuff, as this really is creating another new virtual host basically....if that makes sense.

Link to comment

Try something like this..

 

<VirtualHost *:80>
ServerName nextcloud.server.com
ServerAlias nextcloud.server.com
DocumentRoot /config/www/

Redirect permanent / https://nextcloud.server.com/

</VirtualHost>

<VirtualHost *:443>
ServerName nextcloud.server.com
ServerAdmin webmaster@localhost
DocumentRoot /config/www/

SSLCertificateFile /config/keys/2_server.com.crt
SSLCertificateKeyFile /config/keys/decryptedcertificatesigningrequest.key
SSLCertificateChainFile /config/keys/1_root_bundle.crt

SSLEngine on
SSLProxyEngine On
RewriteEngine On
ProxyPreserveHost On

SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on

ProxyRequests Off
ProxyPreserveHost Off
ProxyPass / https://192.168.0.1:444/
ProxyPassReverse / https://192.168.0.1:444/

</VirtualHost>

Link to comment
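
A small audit of the TLS and proxy directives in the virtual host suggested above, as an added example that is not part of the original reply. It flags TLSv1/TLSv1.1, 3DES, disabled back-end certificate checks and a ProxyPreserveHost that is set twice with different values; the function names `sample_vhost` and `audit_vhost` are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original reply.

# sample_vhost: the TLS and proxy directives of the *:443 virtual host
# suggested above, copied from the page.
sample_vhost() {
cat <<'EOF'
<VirtualHost *:443>
ServerName nextcloud.server.com
SSLEngine on
SSLProxyEngine On
ProxyPreserveHost On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2
SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS
SSLHonorCipherOrder on
ProxyRequests Off
ProxyPreserveHost Off
ProxyPass / https://192.168.0.1:444/
ProxyPassReverse / https://192.168.0.1:444/
</VirtualHost>
EOF
}

# audit_vhost FILE: print "LINE finding detail" for each risky directive.
audit_vhost() {
    awk '
    $1 ~ /^#/ || NF == 0 { next }
    { d = tolower($1); v = tolower($2) }
    # Directive state is tracked per virtual host.
    d ~ /^<\/virtualhost/ { pph = "" }
    d == "sslprotocol" {
        all = 0; m10 = 0; m11 = 0
        for (i = 2; i <= NF; i++) {
            p = tolower($i)
            if (p == "all" || p == "+all") all = 1
            if (p == "-tlsv1") m10 = 1
            if (p == "-tlsv1.1") m11 = 1
            if (p == "+tlsv1" || p == "tlsv1" || p == "+tlsv1.1" || p == "tlsv1.1")
                print NR, "weak-protocol", $i
        }
        # "All" switches the deprecated versions on unless they are removed.
        if (all && !m10) print NR, "weak-protocol", "TLSv1 (enabled by All)"
        if (all && !m11) print NR, "weak-protocol", "TLSv1.1 (enabled by All)"
    }
    d == "sslciphersuite" && $0 ~ /3DES/ { print NR, "weak-cipher", "3DES" }
    # With these settings the proxy accepts any certificate from the back end.
    d == "sslproxyverify" && v == "none" {
        print NR, "backend-cert-not-verified", $1, $2
    }
    d ~ /^sslproxycheckpeer(cn|name|expire)$/ && v == "off" {
        print NR, "backend-check-disabled", $1
    }
    # The same directive given twice with different values: the later one applies.
    d == "proxypreservehost" {
        if (pph != "" && pph != v)
            print NR, "conflicting-directive", $1, $2, "(earlier value: " pph ")"
        pph = v
    }
    ' "$1"
}
```

Running `sample_vhost > /tmp/vhost.conf; audit_vhost /tmp/vhost.conf` lists eight findings for the config above; a back end on an untrusted network segment is where the disabled peer checks matter most.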

Had to reinstall after upgrading to unRAID 6.2. Now it won't install. Getting the error:

 

IMAGE ID [latest]: Pulling from linuxserver/apache. 
IMAGE ID [6ffe5d2d6a97]: Already exists. 
IMAGE ID [f4e00f994fd4]: Already exists. 
IMAGE ID [e99f3d1fc87b]: Already exists. 
IMAGE ID [a3ed95caeb02]: Already exists. 
IMAGE ID [ededd75b6753]: Already exists. 
IMAGE ID [1ddde157dd31]: Already exists. 
IMAGE ID [9fdc4b327358]: Pulling fs layer. Download complete. Extracting. Pull complete. 
IMAGE ID [a836128d06ab]: Pulling fs layer. Downloading 100% of 958 B. Verifying Checksum. Download complete. Extracting. Pull complete. 
IMAGE ID [7583a35fe4e8]: Pulling fs layer. Downloading 100% of 38 MB. Verifying Checksum. Download complete. Extracting. Pull complete. 
IMAGE ID [0a85f63405f0]: Pulling fs layer. Downloading 100% of 12 KB. Verifying Checksum. Download complete. Extracting. Pull complete. 
IMAGE ID [17a5684fe02a]: Pulling fs layer. Downloading 100% of 9 MB. Verifying Checksum. Download complete. Extracting. Pull complete. 
IMAGE ID [85f36b6f9c5a]: Pulling fs layer. Downloading 100% of 11 KB. Download complete. Extracting. Pull complete. 
IMAGE ID [787c3c56ceb4]: Pulling fs layer. Download complete. Extracting. Pull complete. 
IMAGE ID [4368e45b7871]: Pulling fs layer. Downloading 100% of 266 B. Verifying Checksum. Download complete. Extracting. Pull complete. 
IMAGE ID [8e0ac95558f6]: Pulling fs layer. Downloading 100% of 12 KB. Verifying Checksum. Download complete. Extracting. Pull complete. 
IMAGE ID [2d19abe68f07]: Pulling fs layer. Download complete. Extracting. Pull complete. 
IMAGE ID [d9bfff5c16e8]: Pulling fs layer. Downloading 100% of 16 MB. Verifying Checksum. Download complete. Extracting. Pull complete. 
IMAGE ID [086aa41111d0]: Pulling fs layer. Downloading 100% of 356 B. Verifying Checksum. Download complete. Extracting. Pull complete. 
IMAGE ID [43f93ed3f0d5]: Pulling fs layer. Downloading 100% of 3 KB. Verifying Checksum. Download complete. Extracting. Pull complete. 
IMAGE ID [53451efcee68]: Pulling fs layer. Download complete. Extracting. Pull complete. 

TOTAL DATA PULLED: 63 MB

Error: layers from manifest don't match image configuration

 

I've been seeing this when trying to update my other Docker applications. How do I fix this?

Link to comment


There's an entry in the docker FAQ thread about layers from manifest don't match image configuration
Link to comment

Hey, just starting out with this docker and currently know zero about apache and setting it up, so reading as much as I can. Has the content from these links been completely removed or just relocated, as both links appear to be dead? It seems that others have found them useful.

 

Thanks,

 

Rich

 

Link to comment

A while back I had "owncloud" working. Something happened (not sure what). I uninstalled and reinstalled. Things are returning back to normal but I get this error "ownCloud will be updated to version 9.1.1". I am not sure what version I had before. What should I do to correct this issue? The only thing I could find was talking about going up too many versions but I just uninstalled and reinstalled my owncloud install. I originally got owncloud working in May 2016 if that helps.

 

Thanks

Bill 

Link to comment

Can I ask what people's use cases are for Apache as a reverse proxy?

 

I get that it allows for a more secure way to access sites externally and if you're using https it allows for a certificate for the proxy only and not per exposed address, but in quite a few forums I've read, people are also running VPNs, which to my noobie brain allows for secure access as well. So why not just use a VPN?

 

I'm enjoying the research and have so far got Apache up and running over http, with plexpy and plex requests. I just want to make sure I'm not missing something with why or how people are using this feature  :)

 

Thank you,

Rich

 

 

Link to comment


 

It's easier to use than a VPN, and it allows my family to access things, like photos etc without me having to setup a VPN to my whole network for them, I just create a new user and password and send them the details.

Link to comment


 

Thanks for the reply.

 

So am I safe in thinking then, that the primary uses for a reverse proxy in unRAID's case are secure access, ease of access and also specific access (unlike a VPN giving access to the entire network)?

 

One last question, for those of you that have set up things like CouchPotato, SickBeard/Rage and Sabnzbd with Apache, is there some kind of authentication you add on the proxy, or are you relying on the applications' inbuilt sign in pages?

Link to comment

The advantage of the reverse proxy is that you set all your authentication at that level and not within each app.  I trust Apache way more than something like sabnzbd....

 

Awesome, thank you very much. I'll start looking into authentication next then.

My first mission was just to get access working  :)

Link to comment

How I got LetsEncrypt (LE) Working

 

So I gave Nginx-LE docker a really good try. While I was very easily able to get all the certificates, I had too many issues with various reverse-proxy entries. I got frustrated and gave it up. I have been using Apache for a while now, and decided to give that a try.

 

From the old guides on setting up the SSL certificates, from smdion, it seems like once they expire, I have to re-learn how to obtain them again. It's not a pretty or easy process. The promise of LE is a very appealing one.

 

One nice thing about the Nginx-LE docker, is that once it creates the certificates for you for the first time, this folder you can copy to other places. So basically you have to properly have the N-LE docker running with the certificates created.

 

To get into the N-LE docker, I use Roland's awesome little script from here:

 

http://lime-technology.com/forum/index.php?topic=39810.msg377140#msg377140

 

Once you are inside the N-LE command line, enter the following commands:

apt-get update
apt-get install -y mc
export TERM=xterm
mc

 

This will install and run Midnight Commander. In MC, copy the entire /etc/letsencrypt folder to /config. Type exit to leave the docker command line.

 

Assuming you will install Apache in /mnt/cache/appdata/Apache, copy the letsencrypt folder from the N-LE docker into the Apache config folder. Uninstall the N-LE docker.

 

Before installing the Apache docker, you may want to opt for a clean stock /mnt/appdata/apache/apache/site-confs/default.conf file. You will encounter errors if you have already done your reverse proxy modifications to this file. It is best to install the docker to a new folder, saving your existing default.conf to a separate safe place.

 

Here is what a clean default.conf file contains:

<VirtualHost *:80>
    DocumentRoot /config/www/

    <Directory "/config/www/">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

<VirtualHost *:443>
    ServerName hernandito.com

    SSLEngine on
    SSLProtocol All -SSLv2 -SSLv3
    SSLCipherSuite AES128+EECDH:AES128+EDH
    SSLCertificateFile /config/keys/ssl.crt
    SSLCertificateKeyFile /config/keys/decrypted.ssl.key
    SSLCertificateChainFile /config/keys/sub.class1.server.ca.pem
    SSLProxyEngine On
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
    ProxyRequests off

    <Directory "/config/www/">
        Options Indexes FollowSymLinks MultiViews
        AllowOverride all
        Order allow,deny
        Allow from all
    </Directory>
</VirtualHost>

 

In the root of the Apache config folder, create a file called userscript.sh with the following code:


# Install the crontab that schedules certificate renewal.
crontab /config/crons.conf
# May or may not have HOME set, and this drops stuff into ~/.local.
export HOME="/root"
export PATH="${PATH}:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
# First start only: download certbot-auto, install its OS dependencies and
# request the certificate using the options in cli.ini.
if [ ! -f /usr/bin/certbot-auto ]; then
    cd /usr/bin/
    wget https://dl.eff.org/certbot-auto
    chmod a+x /usr/bin/certbot-auto
    apt-get update
    apt-get install -y mc
    certbot-auto --noninteractive --os-packages-only
    certbot-auto certonly --noninteractive --agree-tos
fi

 

Create a file in same folder called crons.conf with the following code:

#1 * * * * add any cron strings here
0 0 */3 * * certbot-auto renew

 

Inside the letsencrypt folder that you copied, create a file called cli.ini - but change the parameters below to reflect your email and domain names.

 

# Uncomment to use the staging/testing server - avoids rate limiting.
# server = https://acme-staging.api.letsencrypt.org/directory

# Use a 4096 bit RSA key instead of 2048.
rsa-key-size = 4096

# Set email and domains.
email = [email protected]
domains = yourdomain.com, www.yourdomain.com

# Text interface.
text = True
# No prompts.
non-interactive = True
# Suppress the Terms of Service agreement interaction.
agree-tos = True

# Use the webroot authenticator.
authenticator = webroot
webroot-path = /config/www

 

Go to create the Apache docker, but make the following changes to the setup screen. Change the ports to what you want. Add the letsencrypt folder mapping, and the ADVANCED_SCRIPT variable to true.

8uZW3G8.png

 

The first time you create the docker, it will take a long time to download all the dependencies for LE. Docker restarts should be quick. This script sets up a cron task every 3 days to check to renew the certificates that expire every 3 months. It does this automatically.

 

Check the log screen for any error message when first installing. If all goes well, then edit your /apache/site-confs/default.conf file and replace this text:

SSLCertificateFile /config/keys/ssl.crt
SSLCertificateKeyFile /config/keys/decrypted.ssl.key
SSLCertificateChainFile /config/keys/sub.class1.server.ca.pem

 

With this text (changing yourdomain.com with your actual fully registered domain):

SSLCertificateFile /etc/letsencrypt/live/yourdomain.com/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain.com/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/yourdomain.com/chain.pem

 

One by one, begin adding your reverse proxy entries and test them accordingly.

 

Now......

 

I gave it a good effort to clone the linuxserver Apache docker and make the mods to automate all this. I got very close, but no cigar. I am hoping that the big smart linuxserver brains can take a look at the code I did, and perhaps a) add it to the Apache docker (as a user enabled option), or b) create an alternate Apache docker with Let's Encrypt. I really do not have the advanced expertise to create this and reliably support it.

 

Link to Github Docker:

https://github.com/hernandito/Apache-LetsEncrypt

 

Link to XML Template file:

https://github.com/hernandito/docker-templates-tweaks/blob/master/hernandito/Apache-Letsencrypt.xml

 

I would not be surprised if I forgot a step or two above. I will try to help as much as I am capable of.

 

Thanks,

 

H.

 

 

 

Link to comment
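
Why mapping only /etc/letsencrypt/live (the earlier post) did not survive a reinstall while copying the entire /etc/letsencrypt folder (the guide above) does: the client keeps the real files under archive/ and puts only symlinks in live/. The check below is an added example, not part of the original posts; the function names and the `example.test` tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original posts. Paths are built under a
# directory the caller supplies; "example.test" is a constructed domain.

# build_sample_tree ROOT: constructed copy of the layout the Let's Encrypt
# client writes: real files in archive/, relative symlinks in live/.
build_sample_tree() {
    root="$1"
    mkdir -p "$root/archive/example.test" "$root/live/example.test"
    for n in cert privkey chain; do
        echo "constructed placeholder" > "$root/archive/example.test/${n}1.pem"
        ln -s "../../archive/example.test/${n}1.pem" \
            "$root/live/example.test/$n.pem"
    done
    chmod 644 "$root/archive/example.test/cert1.pem" \
        "$root/archive/example.test/chain1.pem"
    chmod 600 "$root/archive/example.test/privkey1.pem"
}

# check_live_dir DIR: verify the three files default.conf points at.
# Prints one line per problem and returns non-zero if any was found.
check_live_dir() {
    dir="$1"
    rc=0
    for name in cert.pem privkey.pem chain.pem; do
        f="$dir/$name"
        if [ -L "$f" ] && [ ! -e "$f" ]; then
            # Symlink whose target is outside the mapped volume.
            echo "DANGLING $name -> $(readlink "$f")"
            rc=1
        elif [ ! -e "$f" ]; then
            echo "MISSING $name"
            rc=1
        fi
    done
    # The private key must not be readable by other users.
    if [ -e "$dir/privkey.pem" ] &&
       [ -n "$(find -L "$dir/privkey.pem" -prune -perm -004 2>/dev/null)" ]; then
        echo "WORLD-READABLE privkey.pem"
        rc=1
    fi
    return "$rc"
}
```

Run `check_live_dir /etc/letsencrypt/live/yourdomain.com` inside the container after a reinstall and before pointing default.conf at the files.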
