[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



@aptalca

 

Is curl already installed or would I have to install it manually?

Can't remember off the top of my head, but if it's not we will push an update.

 

Until then, you can install it with

apk add --update curl

if it's missing.

 

Thanks! Looks like today's update added curl. Can you also add GD? cURL and GD are the most used features and I'm surprised they were not included. In the meantime, I'll add gd manually. Thanks again!

 

Yeah, there are a whole lot of php modules out there. I personally host an html5 site and a bunch of reverse proxies so don't really use php at all.

 

If there are other modules that are commonly used and needed, let us know and we'll add them to this container.

 

I'll go ahead and add php5-gd.

 

Thanks for adding GD. Will let you know if any other modules are needed but so far webpage is working great now!

I would like to donate some money to you as a thank you for adding them so quickly and helping me out

 

PM me your Paypal address. Thanks again!!



 

No need for a PM, address is here...  ;)

 

https://www.linuxserver.io/donations/



I would like to send it to him directly. Thanks



I recently joined the linuxserver team and this container was truly a team effort (still is). Feel free to donate to the team if you like. But I don't accept donations personally. Thanks


Trying to get Deluge and Transmission working...

 

CHBMB provided me with a configuration, but it doesn't use .htpasswd, and when I tried to modify the script I got a 404.

Of course, the same setup doesn't work at all for Transmission.

 

#HTPC
server {
    listen 443 ssl;
    root /config/www;
    index index.html index.htm index.php;
    server_name htpc.*;
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers *****;  # cipher list redacted in the post
    ssl_prefer_server_ciphers on;
    client_max_body_size 0;

    #Muximux
    location / {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.1:38095;
    }

    #Sonarr
    location ^~ /tv {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.1:38082/tv;
    }

    #Couchpotato
    location ^~ /movies {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.1:38083/movies;
    }

    #Deluge
    location ^~ /deluge {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.1:38085;
        proxy_set_header X-Deluge-Base "/deluge/";
    }

    #PlexPy
    location ^~ /stats {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.1:38090/stats;
    }

}

 

Sonarr, CP, and PlexPy work fine within Muximux, and at /address on their own.

 

Any ideas?


Back to the VPN question.

 

The VPN itself works fine (using OpenVPN-AS), but there is also a web page where I can log in and get my configuration files when required.

However, when I try to log in to it at vpn.example.com I get a "502 Bad Gateway".

 

Here is the setup:

server {
    listen 443 ssl;
    root /config/www;
    index index.html index.htm index.php;
    server_name vpn.*;
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    client_max_body_size 0;

    location / {
        auth_basic off;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.80.1:9443;
    }
}

I tried with 943, same issue.

 

 

I'll post this in the OpenVPN-AS thread as well if it is determined that this isn't an NGINX issue.

 

Thanks y'all!


Security-wise I think it's a bad idea. Essentially you end up securing your VPN via an Nginx reverse proxy, which kind of removes the point of a VPN in the first place, which is to provide more security for access to certain services on your LAN than you would get from a reverse proxy.

 

Sent from my LG-H815 using Tapatalk

 

 


I'm not sure I follow.

 

I don't want VPN access through NGINX; I'm trying to get access to the OpenVPN-AS login page so that I can download the config file if I need it. If you go to the admin page you can set it up so that if you are outside your network you can only use the user login and not the admin one.



I could be wrong, but what I think the bald one was getting at was the "out of band" encryption issue. If you allow your secret key to be accessible through an externally available web page, you have just potentially weakened your VPN by allowing a hack that penetrated NGINX to also access your VPN secret key.

 

With any encryption scheme using a public / private key system, you should restrict access to the private key to the absolute minimum possible.


Just looking into this for future use. How would I handle having multiple domains pointing to the same server?

 

Ex: My current nginx setup has 4 totally different domains, all coming in on the same IP/port and then getting sorted out by nginx.

 

Is something like that possible with this container? (I'm 100% new to letsencrypt, only switching because of chrome/google no longer recognizing startssl.)



That's possible with letsencrypt, but not this container. This container only supports one domain with multiple subdomains.


Got them both working and with login requirement.

 

Thanks.

 

How did you end up getting Transmission to work? Did you modify Transmission to support a sub-directory? What did your Nginx config end up looking like? Thanks!

 

Try this:

 

location /transmission/ {
    proxy_pass_header X-Transmission-Session-Id;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://10.1.1.3:9091/transmission/web/;
}

location /rpc {
    proxy_pass http://10.1.1.3:9091/transmission/rpc;
}


Managed to get myself completely confused here trying to set up a reverse proxy.

 

I have managed to get nginx set up and running, and managed to configure the password security, but cannot for the life of me seem to set up the reverse proxy.

 

I have tried to use the examples in the default config file and also tried to copy over the ones from htpcguides, but either way I keep getting 502 bad gateway - I can't see what I am doing wrong! I have just spent 3 hours trying different options and am starting to feel like pulling my hair out!

 

I can get to the site fine using the base url which displays the index.html page.

 

Here is my config file:

 

# redirect all traffic to https
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name [removed].duckdns.org 192.168.1.28;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php5-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

    # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
    # notice this is within the same server block as the base
    # don't forget to generate the .htpasswd file as described on docker hub
    location ^~ /plexpy {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.28:8181/;
    }

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block
#server {
#    listen 443 ssl;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name cp.*;
#
#    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
#    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
#    ssl_dhparam /config/nginx/dhparams.pem;
#    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
#    ssl_prefer_server_ciphers on;
#
#    client_max_body_size 0;
#
#    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050;
#    }
#}


You generated the .htpasswd file?

 

Some apps are more difficult than others; try this for plexpy:

 

location /plexpy/ {
    proxy_pass http://192.168.1.28:8181;
    include /config/nginx/proxy.conf;
    proxy_bind $server_addr;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Ssl on;
    auth_basic "Restricted";
    auth_basic_user_file /config/.htpasswd;
}


Thanks for your help!

 

Sorry for being thick :)

 

Managed to get CouchPotato working using the default one and muximux as the homepage, but can't seem to get other apps working.

 

The apps I wanted were:

Sonarr
PlexPy
PlexRequests
NetData
Deluge

 

I've tried the PlexPy command and am getting a 404 error; I think this might be down to my plexpy settings though.



# Sonarr
# https://github.com/linuxserver/docker-sonarr
#
# Edit the settings and set
# Url Base to /sonarr

location ^~ /sonarr {
    proxy_pass http://192.168.1.28:8989/sonarr;
    include /config/nginx/proxy.conf;
}

# PlexPy
# https://github.com/linuxserver/docker-plexpy
#
# Settings => Web Interface
# Change http root to /plexpy
#

location ^~ /plexpy/ {
    proxy_pass http://192.168.1.28:8181;
    include /config/nginx/proxy.conf;
    proxy_bind $server_addr;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Ssl on;
}

# PlexRequests
# https://github.com/linuxserver/docker-plexrequests
#
# Run container with -e "URL_BASE"="/plexrequests"
# (the app's URL base must match the location path and the proxy_pass path)
#

location ^~ /requests {
    proxy_pass http://192.168.1.28:3000/requests;
    include /config/nginx/proxy.conf;
}

# Deluge
# https://github.com/linuxserver/docker-deluge
#
# No extra settings required
#

location ^~ /deluge {
    proxy_pass http://192.168.1.28:8112/;
    proxy_set_header X-Deluge-Base "/deluge/";
    include /config/nginx/proxy.conf;
}

 

Netdata I've never heard of; you'll have to figure that one out yourself, I'm afraid.

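Most of the configs in this thread gate each proxied app with auth_basic plus an .htpasswd file, but a few locations slip through: the Transmission snippet's /rpc location has no auth at all, the VPN block sets auth_basic off, and the location snippets just above carry no auth directives of their own. The check below is an added example (not code from the thread or from the linuxserver.io container): it parses the location blocks of a site config of the simple shape used here (one directive per line, locations directly under server) and lists every location that proxies upstream without a working basic-auth gate. The sample config is constructed from the thread's own snippets.

```python
# Added example (not from the thread or the linuxserver.io container): list
# the proxy_pass locations of a site config that lack a working auth_basic.
import re
# Constructed sample built from the thread's snippets: /rpc has no auth_basic
# at all, and the VPN block switches it off explicitly.
SAMPLE = """
server {
    location /transmission/ {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        proxy_pass http://10.1.1.3:9091/transmission/web/;
    }
    location /rpc {
        proxy_pass http://10.1.1.3:9091/transmission/rpc;
    }
    location / {
        auth_basic off;   # VPN login page left open on purpose
        proxy_pass http://192.168.80.1:9443;
    }
}
"""

_LOCATION = re.compile(r"^location\s+(.+?)\s*\{$")

def parse_locations(text):
    """Return [(path, {directive: value})], one entry per location block."""
    locations, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        m = _LOCATION.match(line)
        if m:
            current = (m.group(1), {})
            locations.append(current)
        elif line == "}":
            current = None  # closes the location (or the server) block
        elif current is not None and line.endswith(";"):
            name, _, value = line[:-1].partition(" ")
            current[1][name] = value.strip()
    return locations

def unauthenticated_proxies(text):
    """Paths that proxy upstream with auth_basic missing, off, or no user file."""
    flagged = []
    for path, d in parse_locations(text):
        if "proxy_pass" not in d:
            continue
        if d.get("auth_basic") in (None, "off") or "auth_basic_user_file" not in d:
            flagged.append(path)
    return flagged
```

Running `unauthenticated_proxies(SAMPLE)` on the sample reports `/rpc` and `/`; the parser tracks only one nesting level, so a location containing nested `if` blocks would need a fuller parser.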
