[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Thank you,

This community is amazing!

All up and running now :)

The last query I had was whether I could set up multiple 'htpasswd' files.

I want the server to be encrypted, but it would be good if I could allow access to plexrequests with a separate password. That way I could allow my users to make requests without giving them an overall admin logon, which could be used to change settings etc.


IIRC, Plex Requests links to a Plex username, so it's probably best just to leave that without .htpasswd.

You can set up different .htpasswd files, but you need one per "group".


You can also add multiple user/pass combos to the same htpasswd file.


I converted from aptalca's Letsencrypt container over to this one today. Thanks aptalca and the rest of LSIO for all your work on this!

A few questions:

1) In the old container, I could docker exec into it and run

nginx -t

to have it check the config. But in the new container I have to specify which config file to test:

nginx -c /config/nginx/nginx.conf -t

Is there any way to make this the default?

2) In the old container I could restart nginx with "service nginx restart". How do you restart nginx in the new container without restarting the whole container?

3) In /etc/init.d/nginx, the pid is defined as /run/nginx/nginx.pid. I think that should be /run/nginx.pid? Hmm, when I try to exec that script it says:

/sbin/openrc-run: bad interpreter: No such file or directory

Is /etc/init.d/nginx even used then?

4) Since most people are using this for a reverse proxy and not for hosting a public website, it might make sense to drop a basic robots.txt file in the default www directory to keep search engines away:

User-agent: *
Disallow: /

1) Not that I know of. The old container used a lot of symlinks, which aren't ideal. The new container defines files in place.

2) s6-svc -h /var/run/s6/services/nginx

3) Nginx is started by the s6 service manager. Check out the file /etc/services.d/nginx/run.

4) Some people host public WordPress sites. We design for the lowest common denominator, but you can always put whatever you need in the www folder, as the container doesn't touch that as long as it exists.


Hello everyone, first of all, I'd like to thank everyone for making this container. I do, however, have a problem. When I try to run it, it gives me an error in the logs.

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] still could not bind()
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)

This is going on indefinitely. I managed to set it up by killing the webgui process from the command line. I set up the network as host and forwarded the right ports, but unless I kill the webgui I can't reach the webserver. When I set the network to bridge it does not give me the errors, but I still can't reach the websites. I hope someone can help me.


Post your docker run command. You can't set the host port to 80, as that's the default port the Unraid web UI uses; instead set it to 81 and then port forward 80 on your router to 81 on your Unraid machine.

And have you made any changes to any of the files that are in your appdata folder? I'm unclear if this is a fresh pull or you're trying to run a container you've already attempted to configure further.


Wow, thanks for the fast reply. I wasn't expecting this.

The command that Unraid is running is this (after I changed the port to 81):

Command:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="host" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -e "TCP_PORT_81"="81" -e "EMAIL"="[email protected]" -e "URL"="oliverengelhardt.de" -e "SUBDOMAINS"="www," -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt
7b66d45a4077800d8590c2576907b3490a09d36ddb27bc3191233fa57ce73a7f

The command finished successfully!

It's a fresh pull. I have not yet touched anything in appdata. I made a screenshot of my config page:

[screenshot of the container config page, not included]

It still appears to try to bind to port 80 though; the log is unchanged.


OK, I have done that. It's still the same in the log. Still can't connect.

Got TeamViewer? I got a spare ten minutes...

Oh my god, I now set the network back to bridge and it works. I got no idea why, but it does. Thank you so much for your time though.

Begs the question why you set it to host? Glad you got it working. ;)

I don't really know :D

I admire the honesty of that answer... lol ;D


Just got this docker set up for my domain, real simple, thanks guys.

However, I have no experience with nginx (coming from an Apache docker). Can someone point me to a good reference for how to configure this docker to redirect, say, my requests.domain.com to my PlexRequests docker?

 

Save this as 'requests' in the same folder as 'default'.

server {
    listen         80;
    server_name    requests.server.com;
    return         301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name requests.server.com;

    root /config/www;
    index index.html index.htm index.php;

    ### SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ### Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ### SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ### Extra Settings ###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://192.168.0.1:3000/;
    }
}

Alternatively, paste this into 'default' to access plexrequests at server.com/requests (you will need to set the URLBASE to /requests):

location /requests {
    proxy_pass http://192.168.0.1:3000/requests;
    include /config/nginx/proxy.conf;
}

Obviously for both you'll need to change the IP address and/or port.

The second method works, probably because I already had the URLBASE set for PlexRequests to /requests. The first method gets me a 502 Bad Gateway. I'm guessing this is because my URLBASE is set?


Yep

 

Sent from my LG-H815 using Tapatalk

 

I've taken out my URLBASE for PlexRequests and confirmed it is now accessed via IP:3000 (no longer /requests). I've taken out any reference to mydomain.com/requests in 'default'. I've added a file named 'requests' in the same folder as 'default' containing the following:

 

server {
    listen         80;
    server_name    requests.MYDOMAIN.COM;
    return         301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name requests.MYDOMAIN.COM;

    root /config/www;
    index index.html index.htm index.php;

    ### SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ### Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ### SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ### Extra Settings ###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://10.0.10.26:3000/;
    }
}

 

 

Still getting 502 Bad Gateway. Am I missing something in my config or placing the 'requests' file in the wrong location?

 


Got some logs? Docker container and the logs from the /config/logs folder?

 

Redact your domain name.

 

Sent from my LG-H815 using Tapatalk

 

The /config/logs folder is empty. Here is the container log:

 

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/index.php/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid:    1000
User gid:    1000
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are:  -d www.MYDOMAIN -d requests.MYDOMAIN
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Wed Dec 7 19:45:01 EST 2016
Running certbot renew

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/MYDOMAIN.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/MYDOMAIN/fullchain.pem (skipped)
No renewals were attempted.
2016-12-07 19:45:02,231 fail2ban.server         [258]: INFO    Starting Fail2ban v0.9.4
2016-12-07 19:45:02,231 fail2ban.server         [258]: INFO    Starting in daemon mode
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

 

 

EDIT: Found the issue. It was the httpS under location /. Had to remove the S.

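Pulling together the two answers given earlier in the thread (one .htpasswd file per "group" of users, and a plain-HTTP proxy_pass for PlexRequests so the gateway does not 502), here is an added site file for this container; it is not from the thread or from the linuxserver.io project. The example.com hostnames, the 8080 admin backend and the .htpasswd-requests file name are assumptions; both subdomains also have to be listed in SUBDOMAINS so the certificate covers them.

```nginx
# Added example, not from the thread: two hostnames, two "groups" of users.
#   requests.example.com -> PlexRequests at 192.168.0.1:3000 (IP/port as in the thread),
#                           gated by its own password file, /config/nginx/.htpasswd-requests
#   admin.example.com    -> an admin UI at 192.168.0.1:8080 (assumed backend),
#                           gated by the container's default /config/nginx/.htpasswd
# Hostnames, the 8080 backend and the .htpasswd-requests name are placeholders.

server {
    listen 80;
    server_name requests.example.com admin.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name requests.example.com;

    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam         /config/nginx/dhparams.pem;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

    # Users in this file can reach the request UI but nothing else on the gateway.
    auth_basic           "Plex Requests";
    auth_basic_user_file /config/nginx/.htpasswd-requests;

    location / {
        include /config/nginx/proxy.conf;
        # PlexRequests listens on plain HTTP; proxying with https:// to this
        # port is what produced the 502 Bad Gateway earlier in the thread.
        proxy_pass http://192.168.0.1:3000/;
    }
}

server {
    listen 443 ssl;
    server_name admin.example.com;

    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam         /config/nginx/dhparams.pem;
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;

    # A different file, so a requests-only account is refused here.
    auth_basic           "Administration";
    auth_basic_user_file /config/nginx/.htpasswd;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.1:8080/;
    }
}
```

Each password file is created separately with htpasswd, one entry per user, so adding a requester never grants the admin hostname. After editing, `nginx -c /config/nginx/nginx.conf -t` followed by `s6-svc -h /var/run/s6/services/nginx` applies the change without restarting the container.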

Are there any guides or tutorials around on how to have Letsencrypt interact with my other dockers on unraid?

I understand the general concept behind Letsencrypt, but I'm not sure what files need to be modified, and how to modify these files.

My current setup is your standard dynamic IP address provided by my ISP. I have this tracked by duckdns so I can associate the IP with the static name. I'd like to be able to attach to all of my different dockers through https:

https://insertname.duckdns.org:2020 - Docker 1
https://insertname.duckdns.org:3030 - Docker 2
https://insertname.duckdns.org:4040 - Docker 3

A few of the dockers I run now are:

crashplan
owncloud
plex
plexpy
plexrequests
couchpotato
sonarr

Any fingers to point me in the right direction would be greatly appreciated :)

 
