[Support] Linuxserver.io - Nginx



Although that's a lot easier than hardening each container's webserver individually. The idea is you do all your SSL and security on the reverse proxy, then communicate to every other app that isn't hardened.

 

I don't use nginx but Apache, it's very simple to add an app in general, once you understand how to do it, takes about five minutes.

 

Some apps require setting a webroot though.

 

Sent from my LG-H815 using Tapatalk

 

 

Link to post

Although that's a lot easier than hardening each container's webserver individually. The idea is you do all your SSL and security on the reverse proxy, then communicate to every other app that isn't hardened.

 

I don't use nginx but Apache, it's very simple to add an app in general, once you understand how to do it, takes about five minutes.

 

Some apps require setting a webroot though.

 

Sent from my LG-H815 using Tapatalk

 

Hmmm... seems simple.

 

I currently have Nginx set up like this

 

Nginx

    --> nginx  ---> site-confs ---> 'default' file

    --> www  ---> root of Wordpress install

 

So do I have to make a new site-confs file and make Nginx get it somehow...? I'm not a network guru, anybody help?

 

Let's say I have a Nextcloud docker at port 9000, IP xx.xx.xx.xx. Any examples on how to configure it?

Link to post

There's a nextcloud guide on the ls.io website, for Apache but some nextcloud side changes will apply to both.

 

Sent from my LG-H815 using Tapatalk

 

Thanks... I've set up Nextcloud but now I'm stuck at the configuring it for reverse proxy. I have no idea how to point it towards the port. Maybe somebody with Nginx expertise can help me. CHBMB do you use Nginx as well? I understand if you only know Apache, just asking.

 

Currently I made a backup of my default configuration just in case I screw up everything and trash my Wordpress as well.

 

EDIT: Currently this is how I want it set up.

 

Requests from (cloud.ideaman924.com) go to Nextcloud, requests from (ideaman924.com or www.ideaman924.com) go to Wordpress. Wordpress bit is done, but I'm having trouble with Nextcloud.

 

I understand I need to make a new server{} block and mess around in there, but really, I'm about as dumb as a brick when it comes to networking stuff.

Link to post

Read my first post, I don't use nginx

 

Sent from my LG-H815 using Tapatalk

 

OK CHBMB. Something's wrong... I did manage to set up reverse proxy and my Nextcloud is now live in cloud.ideaman924.com. Which is great.

 

What's not so great is Chrome refusing to execute inline scripts:

 

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'unsafe-eval'". Either the 'unsafe-inline' keyword, a hash ('sha256-hlSW1HZGmKtDyIDU+HuibO0pPuKa/wQJaUWM+5ysR38='), or a nonce ('nonce-...') is required to enable inline execution.

 

OK... Chrome... What? Funnily when I connect directly (xx.xx.xx.xx:9000), then Chrome shows a 'warning, ssl certificate invalid' error but runs the freaking inline script.

 

I did set up Cloudflare but this shouldn't be relevant because the SSL settings are flexible.

 

Any ideas?

 

EDIT: I just figured it out... lol. Turns out that you need to modify config.php in Nextcloud directory. I didn't read the tutorial properly...

 

EDIT2: Actually, that did nothing. I'm still stuck with the inline script not launching thing.

Link to post

If anybody has the time, it would be nice to add Let's Encrypt support to the docker image so I can actually secure my website.

Aptalca has a docker with Let's Encrypt built in.

 

Take a look here for Nextcloud setup with Nginx: https://lime-technology.com/forum/index.php?topic=51466.0

 

Thanks but I already have it set up nice and secure with the current Nginx from Linuxserver. Don't wanna switch base just for an SSL cert.

 

Thanks for the NextCloud link, though!

Link to post
  • 2 months later...
  • 3 months later...
5 hours ago, local.bin said:

Is there a way to have crontabs remain past an update at all please, like the letsencrypt container.

 

I've used this as a generic container for my web based apps, but am struggling with the cron getting wiped out.

 

Thanks in advance.

I solved this for my Nextcloud docker with running a script via Community Applications Auto Update module.

Info from http://tower/Settings/Settings/caHelp#autoupdate:

 

/boot/config/plugins/ca.update.applications/scripts/starting/{nameOfContainer}

This script will be executed whenever {nameOfContainer} has been updated

 

 

This is in my Nextcloud docker auto update script in /boot/config/plugins/ca.update.applications/scripts/starting/nexctcloud

#!/bin/bash
grep -q -F 'nextcloud' /etc/crontabs/abc || echo '*/15  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1' >> /etc/crontabs/abc

 

Edited by ICDeadPpl
Link to post
20 hours ago, ICDeadPpl said:

I solved this for my Nextcloud docker with running a script via Community Applications Auto Update module.

Info from http://tower/Settings/Settings/caHelp#autoupdate:

 

/boot/config/plugins/ca.update.applications/scripts/starting/{nameOfContainer}

This script will be executed whenever {nameOfContainer} has been updated

 

 

This is in my Nextcloud docker auto update script in /boot/config/plugins/ca.update.applications/scripts/starting/nexctcloud


#!/bin/bash
grep -q -F 'nextcloud' /etc/crontabs/abc || echo '*/15  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1' >> /etc/crontabs/abc

 

Thanks for the insight and option for me to try.

 

I have added similar for my case and await an update to test it.

 

I was hoping for the letsencrypt crontab functionality to be added, but hopefully this will do the job.

Link to post
Is there a way to have crontabs remain past an update at all please, like the letsencrypt container.
 
I've used this as a generic container for my web based apps, but am struggling with the cron getting wiped out.
 
Thanks in advance.

I'll look into it
Link to post
On 3/27/2017 at 2:53 PM, ICDeadPpl said:

This is in my Nextcloud docker auto update script in /boot/config/plugins/ca.update.applications/scripts/starting/nexctcloud


#!/bin/bash
grep -q -F 'nextcloud' /etc/crontabs/abc || echo '*/15  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1' >> /etc/crontabs/abc

 

 

OK, so my script ran according to the logs but only the nextcloud one worked. My other one failed for some reason. I think it was because in the grep command I only had piwik, rather than nginx-piwik.

 

Just to clarify, your abc cron file, is that in addition to the root cron that exists in /etc/crontabs already? I presume so, so how do you get cron to see it as an additional cron?

 

I have manually added abc cron file and restarted the cron service, but abc's commands do not get listed as current crons in crontab -l

Link to post
2 minutes ago, local.bin said:

 

OK, so my script ran according to the logs but only the nextcloud one worked. My other one failed for some reason. I think it was because in the grep command I only had piwik, rather than nginx-piwik.

 

Just to clarify, your abc cron file, is that in addition to the root cron that exists in /etc/crontabs already? I presume so, so how do you get cron to see it as an additional cron?

 

I have manually added abc cron file and restarted the cron service, but abc's commands do not get listed as current crons in crontab -l

 

To list the abc crontab, you have to use crontab -u abc -l

 

root@nextcloud:/$ crontab -l
*/15  *  *  *  * s6-setuidgid abc php7 -f /config/www/nextcloud/cron.php
root@nextcloud:/$ crontab -u abc -l
*/16  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1

 

Link to post
12 minutes ago, ICDeadPpl said:

 

To list the abc crontab, you have to use crontab -u abc -l

 


root@nextcloud:/$ crontab -l
*/15  *  *  *  * s6-setuidgid abc php7 -f /config/www/nextcloud/cron.php
root@nextcloud:/$ crontab -u abc -l
*/16  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1

 

 

:ph34r: mmh, yes, that's what I was using too, but hadn't noticed a spurious hash in front of the command!

 

 

Quote

 


root@222cce405d7f:/$ # crontab -u abc -l
 

 

 

Sorry about that :(

Edited by local.bin
clarification
Link to post
On 27/03/2017 at 2:53 PM, ICDeadPpl said:

I solved this for my Nextcloud docker with running a script via Community Applications Auto Update module.

Info from http://tower/Settings/Settings/caHelp#autoupdate:

 

/boot/config/plugins/ca.update.applications/scripts/starting/{nameOfContainer}

This script will be executed whenever {nameOfContainer} has been updated

 

 

This is in my Nextcloud docker auto update script in /boot/config/plugins/ca.update.applications/scripts/starting/nexctcloud


#!/bin/bash
grep -q -F 'nextcloud' /etc/crontabs/abc || echo '*/15  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1' >> /etc/crontabs/abc

 

Could you clarify if you have anything else done to get this working, as it doesn't recreate the abc crontab file for me.

 

The command works fine in isolation and works great when I manually enter the same details in the abc crontab file myself.

 

It won't though create the file itself on container update.

 

I am trying to track down which logs I might find some information as to why at the moment.

Link to post
30 minutes ago, local.bin said:

Could you clarify if you have anything else done to get this working, as it doesn't recreate the abc crontab file for me.

 

The command works fine in isolation and works great when I manually enter the same details in the abc crontab file myself.

 

It won't though create the file itself on container update.

 

I am trying to track down which logs I might find some information as to why at the moment.

 

Sorry, I missed a step or two in my explanation. Here's more detailed instructions.

I have made a script in the /config directory of my docker (host path: /mnt/cache/apps/nextcloud) called install-stuff.sh which contains this:

#!/bin/bash
grep -q -F 'nextcloud' /etc/crontabs/abc || echo '*/16  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1' >> /etc/crontabs/abc

You can add more packages and stuff in that script, if needed. Just check what package manager the docker uses, apt, apk and so on.

 

I have that script run every time the docker updates with the following in my  /boot/config/plugins/ca.update.applications/scripts/starting/nexctcloud file:

docker exec -t nextcloud /config/install-stuff.sh

Just make sure that the install-stuff.sh has execution rights:

# From unRAID shell
ls -l /mnt/cache/apps/nextcloud/install-stuff.sh 
# Result should look something like this:
-rwxrwxrwx 1 nobody users 153 Mar 19 08:48 /mnt/cache/apps/nextcloud/install-stuff.sh*
# If not, then run this:
chmod 777 /mnt/cache/apps/nextcloud/install-stuff.sh

or

# From inside the docker shell
root@nextcloud:/$ ls -l /config/install-stuff.sh
# Result should look something like this:
-rwxrwxrwx 1 abc abc 153 Mar 19 08:48 /config/install-stuff.sh
# If not, then run this:
chmod 777 /config/install-stuff.sh

Hope this helps!

Link to post
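A hardened variant of the install-stuff.sh hook from the post above, as an added example that is not ICDeadPpl's script: it matches the exact cron line rather than the substring 'nextcloud' (the piwik / nginx-piwik mismatch reported earlier in the thread is the same class of problem), and it refuses to run when the script is group- or world-writable, because docker exec runs it as the container's default user (root in the prompt shown above). The function names, the CRON_FILE override and the "apply" argument are assumptions of this example.

```shell
#!/bin/bash
# Added example, not the poster's script. Paths and cron line are the ones quoted above.
CRON_FILE="${CRON_FILE:-/etc/crontabs/abc}"
CRON_LINE='*/16  *  *  *  * php -f /var/www/nextcloud/cron.php > /dev/null 2>&1'

# ensure_cron_line FILE LINE: append LINE only when that exact line is missing.
# -x matches the whole line and -F disables regex, so a comment or another job
# that merely contains "nextcloud" cannot satisfy the check and block the append.
ensure_cron_line() {
    ecl_file=$1
    ecl_line=$2
    [ -e "$ecl_file" ] || : > "$ecl_file"
    grep -qxF -- "$ecl_line" "$ecl_file" || printf '%s\n' "$ecl_line" >> "$ecl_file"
}

# is_safe_script PATH: succeed only if PATH is executable and NOT writable by
# group or others. Reads the mode string that "ls -l" prints, e.g. -rwxr-xr-x.
is_safe_script() {
    [ -f "$1" ] && [ -x "$1" ] || return 1
    iss_mode=$(ls -ld -- "$1") || return 1
    case $iss_mode in
        ?????w*|????????w*) return 1 ;;   # 6th char = group write, 9th = other write
    esac
    return 0
}

# Refuse to run a hook that other accounts could have rewritten, then install the job.
main() {
    if ! is_safe_script "$0"; then
        echo "refusing to run: $0 is group- or world-writable (chmod 755 is enough)" >&2
        return 1
    fi
    ensure_cron_line "$CRON_FILE" "$CRON_LINE"
}

# Act only when called with "apply", so sourcing the file has no side effects.
if [ "${1:-}" = "apply" ]; then
    main
fi
```

With this variant the update hook would call `docker exec -t nextcloud /config/install-stuff.sh apply`, and mode 755 on the script is sufficient for it to execute.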
On 08/04/2017 at 11:53 AM, ICDeadPpl said:

 

Sorry, I missed a step or two in my explanation. Here's more detailed instructions.

....

Hope this helps!

 

Thanks, I had a feeling it was a little more involved :)

 

Haven't had a chance to take a look yet, but will do hopefully over the weekend.

 

Link to post
  • 3 weeks later...

I installed this docker last night and got the following errors.  It mentions www.dlink.com but I don't run dlink routers.  I do have some dlink webcams that are exposed to the intraweb via the dlink myhome software but there is no port forwarding of 443 required for that.  I'm wondering if letsencrypt is hanging onto a previous cert tied to the IP my domain has at the moment.

 

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.<mydomain>
Generating new certificate
WARNING: The standalone specific supported challenges flag is deprecated.

Please use the --preferred-challenges flag instead.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.dlink.com
tls-sni-01 challenge for <mydomain>
/usr/lib/python2.7/site-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. <mydomain> (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested aec5e3e7f34dde8c7cce57e6d1771dc1.81ab33f90fa1bed9df091e4aa8ed108d.acme.invalid from <myip>:443. Received 1 certificate(s), first certificate had names "www.dlink.com", <mydomain> (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 8fffff13a46234f55f4bdcdb7b5e7b07.19a22a976cb3972071f41176337ae159.acme.invalid from <myip>:443. Received 1 certificate(s), first certificate had names "www.dlink.com"

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: <mydomain>
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
aec5e3e7f34dde8c7cce57e6d1771dc1.81ab33f90fa1bed9df091e4aa8ed108d.acme.invalid
from <myip>:443. Received 1 certificate(s), first
certificate had names "www.dlink.com"

Domain: <mydomain>
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
8fffff13a46234f55f4bdcdb7b5e7b07.19a22a976cb3972071f41176337ae159.acme.invalid
from <myip>:443. Received 1 certificate(s), first
certificate had names "www.dlink.com"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
/var/run/s6/etc/cont-init.d/50-config: line 108: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

 

Link to post
  • 1 month later...

Is this Nginx docker still being supported/updated? The LS hub.docker.com page shows it was last updated June 6th 2017, but the unRAID CA page shows it was last updated December 5, 2015. I already have wild card certs for my domains, so I do not need LetsEncrypt. I just need an Nginx proxy for my other dockers.

 

Thanks for ALL the great work and support from the LinuxServer.io team!

 

buzz

Link to post
