linuxserver.io

[Support] Linuxserver.io - Nginx


Although that's a lot easier than hardening each container's webserver individually.  The idea is you do all your SSL and security on the reverse proxy, then communicate to every other app that isn't hardened.

 

I don't use nginx but Apache, it's very simple to add an app in general, once you understand how to do it, takes about five minutes.

 

Some apps require setting a webroot though.

 

Sent from my LG-H815 using Tapatalk

 

 


Although that's a lot easier than hardening each container's webserver individually.  The idea is you do all your SSL and security on the reverse proxy, then communicate to every other app that isn't hardened.

 

I don't use nginx but Apache, it's very simple to add an app in general, once you understand how to do it, takes about five minutes.

 

Some apps require setting a webroot though.

 

Sent from my LG-H815 using Tapatalk

 

Hmmm... seems simple.

 

I currently have Nginx set up like this

 

Nginx

    --> nginx  ---> site-confs ---> 'default' file

    --> www  ---> root of Wordpress install

 

So do I have to make a new site-confs file and make Nginx get it somehow...? I'm not a network guru, anybody help?

 

Let's say I have a Nextcloud docker at port 9000, IP xx.xx.xx.xx. Any examples on how to configure it?


There's a nextcloud guide on the ls.io website, for Apache but some nextcloud side changes will apply to both.

 

Sent from my LG-H815 using Tapatalk

 

 


There's a nextcloud guide on the ls.io website, for Apache but some nextcloud side changes will apply to both.

 

Sent from my LG-H815 using Tapatalk

 

Thanks... I've set up Nextcloud but now I'm stuck at the configuring it for reverse proxy. I have no idea how to point it towards the port. Maybe somebody with Nginx expertise can help me. CHBMB do you use Nginx as well? I understand if you only know Apache, just asking.

 

Currently I made a backup of my default configuration just in case I screw up everything and trash my Wordpress as well.

 

EDIT: Currently this is how I want it set up.

 

Requests from (cloud.ideaman924.com) goes to Nextcloud, requests from (ideaman924.com or www.ideaman924.com) goes to Wordpress. Wordpress bit is done, but I'm having trouble with Nextcloud.

 

I understand I need to make a new

server{}

block and mess around in there, but really, I'm about as dumb as a brick when it comes to networking stuff.


Read my first post, I don't use nginx

 

Sent from my LG-H815 using Tapatalk

 

 


Read my first post, I don't use nginx

 

Sent from my LG-H815 using Tapatalk

 

OK CHBMB. Something's wrong... I did manage to set up reverse proxy and my Nextcloud is now live in cloud.ideaman924.com . Which is great.

 

What's not so great is Chrome refusing to execute inline scripts:

 

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-hlSW1HZGmKtDyIDU+HuibO0pPuKa/wQJaUWM+5ysR38='), or a nonce ('nonce-...') is required to enable inline execution.

 

OK... Chrome... What? Funnily when I connect directly (xx.xx.xx.xx:9000), then Chrome shows a 'warning, ssl certificate invalid' error but runs the freaking inline script.

 

I did set up Cloudflare but this shouldn't be relevant because the SSL settings are flexible.

 

Any ideas?

 

EDIT: I just figured it out... lol. Turns out that you need to modify config.php in Nextcloud directory. I didn't read the tutorial properly...

 

EDIT2: Actually, that did nothing. I'm still stuck with the inline script not launching thing.


If anybody has the time, it would be nice to add Let's Encrypt support to the docker image so I can actually secure my website.

Aptalca has a docker with Let's Encrypt built in.

 

Take a look here for Nextcloud setup with Nginx: https://lime-technology.com/forum/index.php?topic=51466.0

 

Thanks but I already have it set up nice and secure with the current Nginx from Linuxserver. Don't wanna switch base just for an SSL cert.

 

Thanks for the NextCloud link, though!


I'm not sure, tbh, it's kind of been superseded by the letsencrypt version.

 

Sent from my LG-H815 using Tapatalk

 

 


Is there a way to have crontabs remain past an update at all please, like the letsencrypt container.

 

I've used this as a generic container for my web based apps, but am struggling with the cron getting wiped out.

 

Thanks in advance.

5 hours ago, local.bin said:

Is there a way to have crontabs remain past an update at all please, like the letsencrypt container.

 

I've used this as a generic container for my web based apps, but am struggling with the cron getting wiped out.

 

Thanks in advance.

I solved this for my Nextcloud docker with running a script via Community Applications Auto Update module.

Info from http://tower/Settings/Settings/caHelp#autoupdate:

 

/boot/config/plugins/ca.update.applications/scripts/starting/{nameOfContainer}

This script will be executed whenever {nameOfContainer} has been updated

 

 

This is in my Nextcloud docker auto update script in /boot/config/plugins/ca.update.applications/scripts/starting/nexctcloud

#!/bin/bash
grep -q -F 'nextcloud' /etc/crontabs/abc || echo '*/15  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1' >> /etc/crontabs/abc

 

Edited by ICDeadPpl
20 hours ago, ICDeadPpl said:

I solved this for my Nextcloud docker with running a script via Community Applications Auto Update module.

Info from http://tower/Settings/Settings/caHelp#autoupdate:

 

/boot/config/plugins/ca.update.applications/scripts/starting/{nameOfContainer}

This script will be executed whenever {nameOfContainer} has been updated

 

 

This is in my Nextcloud docker auto update script in /boot/config/plugins/ca.update.applications/scripts/starting/nexctcloud


#!/bin/bash
grep -q -F 'nextcloud' /etc/crontabs/abc || echo '*/15  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1' >> /etc/crontabs/abc

 

Thanks for the insight and option for me to try.

 

I have added similar for my case and await an update to test it.

 

I was hoping for the letsencrypt crontab functionality to be added, but hopefully this will do the job.

Is there a way to have crontabs remain past an update at all please, like the letsencrypt container.
 
I've used this as a generic container for my web based apps, but am struggling with the cron getting wiped out.
 
Thanks in advance.

I'll look into it

9 hours ago, aptalca said:


I'll look into it

 

Appreciated, thanks for taking a look.

On 3/27/2017 at 2:53 PM, ICDeadPpl said:

This is in my Nextcloud docker auto update script in /boot/config/plugins/ca.update.applications/scripts/starting/nexctcloud


#!/bin/bash
grep -q -F 'nextcloud' /etc/crontabs/abc || echo '*/15  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1' >> /etc/crontabs/abc

 

 

OK, so my script ran according to the logs but only the nextcloud one worked. My other one failed for some reason. I think it was because in the grep command I only had piwik, rather than nginx-piwik.

 

Just to clarify, your abc cron file, is that in addition to the root cron that exists in /etc/crontabs already? I presume so, so how do you get cron to see it as an additional cron?

 

I have manually added abc cron file and restarted the cron service, but abc's commands do not get listed as current crons in crontab -l

2 minutes ago, local.bin said:

 

OK, so my script ran according to the logs but only the nextcloud one worked. My other one failed for some reason. I think it was because in the grep command I only had piwik, rather than nginx-piwik.

 

Just to clarify, your abc cron file, is that in addition to the root cron that exists in /etc/crontabs already? I presume so, so how do you get cron to see it as an additional cron?

 

I have manually added abc cron file and restarted the cron service, but abc's commands do not get listed as current crons in crontab -l

 

To list the abc crontab, you have to use crontab -u abc -l

 

root@nextcloud:/$ crontab -l
*/15  *  *  *  * s6-setuidgid abc php7 -f /config/www/nextcloud/cron.php
root@nextcloud:/$ crontab -u abc -l
*/16  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1

 

12 minutes ago, ICDeadPpl said:

 

To list the abc crontab, you have to use crontab -u abc -l

 


root@nextcloud:/$ crontab -l
*/15  *  *  *  * s6-setuidgid abc php7 -f /config/www/nextcloud/cron.php
root@nextcloud:/$ crontab -u abc -l
*/16  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1

 

 

:ph34r: mmh, yes, that's what I was using too, but hadn't noticed a spurious hash in front of the command!

 

 

Quote

 


root@222cce405d7f:/$ # crontab -u abc -l
 

 

 

Sorry about that :(

Edited by local.bin
clarification


Can php soap be added to this Docker or the Apache Docker?  Thanks

On 27/03/2017 at 2:53 PM, ICDeadPpl said:

I solved this for my Nextcloud docker with running a script via Community Applications Auto Update module.

Info from http://tower/Settings/Settings/caHelp#autoupdate:

 

/boot/config/plugins/ca.update.applications/scripts/starting/{nameOfContainer}

This script will be executed whenever {nameOfContainer} has been updated

 

 

This is in my Nextcloud docker auto update script in /boot/config/plugins/ca.update.applications/scripts/starting/nexctcloud


#!/bin/bash
grep -q -F 'nextcloud' /etc/crontabs/abc || echo '*/15  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1' >> /etc/crontabs/abc

 

Could you clarify if you have anything else done to get this working, as it doesn't recreate the abc crontab file for me.

 

The command works fine in isolation and works great when I manually enter the same details in the abc crontab file myself.

 

It won't though create the file itself on container update.

 

I am trying to track down which logs I might find some information as to why at the moment.

30 minutes ago, local.bin said:

Could you clarify if you have anything else done to get this working, as it doesn't recreate the abc crontab file for me.

 

The command works fine in isolation and works great when I manually enter the same details in the abc crontab file myself.

 

It won't though create the file itself on container update.

 

I am trying to track down which logs I might find some information as to why at the moment.

 

Sorry, I missed a step or two in my explanation. Here's more detailed instructions.

I have made a script in the /config directory of my docker (host path: /mnt/cache/apps/nextcloud) called install-stuff.sh which contains this:

#!/bin/bash
grep -q -F 'nextcloud' /etc/crontabs/abc || echo '*/16  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1' >> /etc/crontabs/abc

You can add more packages and stuff in that script, if needed. Just check what package manager the docker uses, apt, apk and so on.

 

I have that script run every time the docker updates with the following in my  /boot/config/plugins/ca.update.applications/scripts/starting/nexctcloud file:

docker exec -t nextcloud /config/install-stuff.sh

Just make sure that the install-stuff.sh has execution rights:

# From unRAID shell
ls -l /mnt/cache/apps/nextcloud/install-stuff.sh 
# Result should look something like this:
-rwxrwxrwx 1 nobody users 153 Mar 19 08:48 /mnt/cache/apps/nextcloud/install-stuff.sh*
# If not, then run this:
chmod 777 /mnt/cache/apps/nextcloud/install-stuff.sh

or

# From inside the docker shell
root@nextcloud:/$ ls -l /config/install-stuff.sh
# Result should look something like this:
-rwxrwxrwx 1 abc abc 153 Mar 19 08:48 /config/install-stuff.sh
# If not, then run this:
chmod 777 /config/install-stuff.sh

Hope this helps!
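
A hardened variant of the hook described above, as an added example that is not part of the original post: it appends the cron line only when that exact line is missing, and it rejects a hook script that is group- or world-writable (mode 755 instead of 777), because `docker exec` runs the script as the container's default user (root in the shell prompts quoted in this thread). The function names and the scratch-directory demo are assumptions made for illustration.

```shell
#!/bin/bash
# Added example (not from the thread). The paths and the cron line are
# constructed sample values modelled on the ones quoted in the posts.

# Append a cron line only if that exact line is not already present.
# -x matches the whole line and -F treats it as a literal string, so an
# unrelated entry that merely contains the same word cannot suppress it.
ensure_cron_line() {
    local file="$1" line="$2"
    touch "$file" || return 1
    grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# Succeed only if the file is executable and not writable by group or other.
# Anyone who can write the hook can run commands inside the container.
is_safe_hook() {
    local perms
    [ -f "$1" ] && [ -x "$1" ] || return 1
    perms=$(ls -ld -- "$1" | cut -c1-10)
    case $perms in
        ?????w*|????????w*) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# Demo in a scratch directory so nothing on the host is touched.
demo() {
    local dir cron hook line
    dir=$(mktemp -d) || return 1
    cron=$dir/abc
    hook=$dir/install-stuff.sh
    line='*/15  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1'
    printf '#!/bin/bash\n' > "$hook"
    chmod 777 "$hook"
    is_safe_hook "$hook" && echo "777: accepted" || echo "777: rejected"
    chmod 755 "$hook"
    is_safe_hook "$hook" && echo "755: accepted" || echo "755: rejected"
    ensure_cron_line "$cron" "$line"
    ensure_cron_line "$cron" "$line"      # second call is a no-op
    echo "entries in crontab: $(wc -l < "$cron")"
    rm -rf "$dir"
}
demo
```
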

On 08/04/2017 at 11:53 AM, ICDeadPpl said:

 

Sorry, I missed a step or two in my explanation. Here's more detailed instructions.

....

Hope this helps!

 

Thanks, I had a feeling it was a little more involved :)

 

Haven't had a chance to take a look yet, but will do hopefully over the weekend.

 


I installed this docker last night and got the following errors.  It mentions www.dlink.com but I don't run dlink routers.  I do have some dlink webcams that are exposed to the intraweb via the dlink myhome software but there is no port forwarding of 443 required for that.  I'm wondering if letsencrypt is hanging onto a previous cert tied to the IP my domain has at the moment.

 

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.<mydomain>
Generating new certificate
WARNING: The standalone specific supported challenges flag is deprecated.

Please use the --preferred-challenges flag instead.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.dlink.com
tls-sni-01 challenge for <mydomain>
/usr/lib/python2.7/site-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. <mydomain> (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested aec5e3e7f34dde8c7cce57e6d1771dc1.81ab33f90fa1bed9df091e4aa8ed108d.acme.invalid from <myip>:443. Received 1 certificate(s), first certificate had names "www.dlink.com", <mydomain> (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 8fffff13a46234f55f4bdcdb7b5e7b07.19a22a976cb3972071f41176337ae159.acme.invalid from <myip>:443. Received 1 certificate(s), first certificate had names "www.dlink.com"

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: <mydomain>
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
aec5e3e7f34dde8c7cce57e6d1771dc1.81ab33f90fa1bed9df091e4aa8ed108d.acme.invalid
from <myip>:443. Received 1 certificate(s), first
certificate had names "www.dlink.com"

Domain: <mydomain>
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
8fffff13a46234f55f4bdcdb7b5e7b07.19a22a976cb3972071f41176337ae159.acme.invalid
from <myip>:443. Received 1 certificate(s), first
certificate had names "www.dlink.com"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
/var/run/s6/etc/cont-init.d/50-config: line 108: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

 


This is the thread for nginx, not letsencrypt

 

Regarding the issue, it is likely due to incorrect forwarding of your domain. Make sure the A record is correct.


Is this Nginx docker still being supported/updated? The LS hub.docker.com page shows it was last updated June 6th 2017, but the unRAID CA page shows it was last updated December 5, 2015. I already have wild card certs for my domains, so I do not need LetsEncrypt. I just need an Nginx proxy for my other dockers.

 

Thanks for ALL the great work and support from the LinuxServer.io team!

 

buzz
