[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



So my letsencrypt docker stopped working. I've blown it away and started again but it doesn't seem to write anything into the logs for me to check why it's not working. Any recent changes that would stop my old config files from working?
No

Sent from my LG-H815 using Tapatalk

Link to comment

Not sure if this is on-topic here since STAGING isn't exposed in the unraid template, but the --staging and --server parameters to certbot don't seem to work together (even when I manually edit the server URL to be the staging v2 one).  I'm working around this by removing $STGNG from the certbot line in 50-config and setting the --server URL to staging v2

 

--server value conflicts with --staging

 

Link to comment
2 hours ago, psm321 said:

Not sure if this is on-topic here since STAGING isn't exposed in the unraid template, but the --staging and --server parameters to certbot don't seem to work together (even when I manually edit the server URL to be the staging v2 one).  I'm working around this by removing $STGNG from the certbot line in 50-config and setting the --server URL to staging v2

 


--server value conflicts with --staging

 

Check again in the optional settings: 

 

https://hub.docker.com/r/linuxserver/letsencrypt/

 

If it's not in your template, you can manually add variables in unRAID.

Edited by smdion
  • Like 1
Link to comment
58 minutes ago, smdion said:

Check again in the optional settings: 

 

https://hub.docker.com/r/linuxserver/letsencrypt/

 

If it's not in your template, you can manually add variables in unRAID.

I had in fact added STAGING myself after reading the dockerhub docs (it wasn't in the template, including under additional settings).  I was reporting that that variable no longer works since --server was added to the certbot commandline inside the container a few days ago to support ACMEv2, as --staging (which STAGING sets) does not work with --server

Edited by psm321
Link to comment
1 hour ago, psm321 said:

I had in fact added STAGING myself after reading the dockerhub docs (it wasn't in the template, including under additional settings).  I was reporting that that variable no longer works since --server was added to the certbot commandline inside the container a few days ago to support ACMEv2, as --staging (which STAGING sets) does not work with --server

 

Thanks for the report, I'll look into it. 

 

Certbot documentation is pretty awful when it comes to command line options. They believe everyone should use the interactive script the first time and only automate the renewals, which makes our job very difficult since interactive stuff doesn't really work through docker

Link to comment
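
The workaround psm321 describes, as an added example that is not part of the thread or of the container's 50-config: derive a single --server URL from STAGING and never pass --staging next to it. The function names are hypothetical; the two URLs are Let's Encrypt's ACME v2 production and staging directories.

```shell
#!/bin/sh
# Added example: pick one ACME directory from STAGING instead of combining
# --staging with --server, which certbot rejects as conflicting.
ACME_PROD="https://acme-v02.api.letsencrypt.org/directory"
ACME_STAGING="https://acme-staging-v02.api.letsencrypt.org/directory"

# Print the ACME directory URL for a given STAGING value.
acme_server() {
    case "$1" in
        true|TRUE|True) printf '%s\n' "$ACME_STAGING" ;;
        *)              printf '%s\n' "$ACME_PROD" ;;
    esac
}

# Succeeds only if the argument list does not carry both flags.
certbot_flags_ok() {
    has_server=0
    has_staging=0
    for a in "$@"; do
        case "$a" in
            --server|--server=*) has_server=1 ;;
            --staging)           has_staging=1 ;;
        esac
    done
    [ "$has_server" -eq 0 ] || [ "$has_staging" -eq 0 ]
}

# usage: normalize_certbot_args STAGING arg...
# Drops any --staging and any existing --server, then appends exactly one
# --server chosen from STAGING. Prints one argument per line.
normalize_certbot_args() {
    staging=$1
    shift
    skip_next=0
    for a in "$@"; do
        if [ "$skip_next" -eq 1 ]; then
            skip_next=0
            continue
        fi
        case "$a" in
            --staging)  ;;               # dropped: conflicts with --server
            --server)   skip_next=1 ;;   # drop the flag and its value
            --server=*) ;;
            *)          printf '%s\n' "$a" ;;
        esac
    done
    printf '%s\n' --server "$(acme_server "$staging")"
}

# Constructed demonstration: example.org is a placeholder domain.
normalize_certbot_args "${STAGING:-false}" certonly --staging -d example.org
```

Certificates issued by the staging directory are not trusted by browsers, so STAGING should be unset again before the proxy is exposed.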

Been having trouble getting my reverse proxy to work. I was following this guide https://cyanlabs.net/tutorials/the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/ and I am able to get the welcome to our server page. So far I have added radarr and sonarr to the default file but all I get back is a 502 bad gateway.

 

Here is my default conf file

https://pastebin.com/pKJ1SjMp

Edited by mkono87
Link to comment
7 hours ago, mkono87 said:

Been having trouble getting my reverse proxy to work. I was following this guide https://cyanlabs.net/tutorials/the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/ and I am able to get the welcome to our server page. So far I have added radarr and sonarr to the default file but all I get back is a 502 bad gateway.

 

Here is my default conf file

https://pastebin.com/pKJ1SjMp

 

You're missing the base url. See the cp example in the config file

Link to comment

Hi guys, I have a seemingly odd problem. 

 

So, I installed the docker and went through the process following the guide (synlabs) 

 

I can't get the default homepage of nginx when on my lan. 

 

I do have it set to 81 and 443 - I did forward the ports, all I'm trying to do for now is to get ombi remotely accessible.

 

Here is my default config 

 

upstream backend {
	server 192.168.1.225:19999;
	keepalive 64;
}

server {
	listen 443 ssl default_server;
	listen 80 default_server;
	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

	location = / {
		return 301 /ombi;
	}

	location /ombi {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.225:3579/ombi;
	}

}

The remote access works, at fakesub.duckdns.org/ombi/login - However it's showing as not secure. 

 

What I had to do was set the base url inside ombi as /ombi 

 

 

 

Edited by riopgtmn
Link to comment
7 hours ago, riopgtmn said:

Hi guys, I have a seemingly odd problem. 

 

So, I installed the docker and went through the process following the guide (synlabs) 

 

I can't get the default homepage of nginx when on my lan. 

 

I do have it set to 81 and 443 - I did forward the ports, all I'm trying to do for now is to get ombi remotely accessible.

 

Here is my default config 

 


upstream backend {
	server 192.168.1.225:19999;
	keepalive 64;
}

server {
	listen 443 ssl default_server;
	listen 80 default_server;
	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

	location = / {
		return 301 /ombi;
	}

	location /ombi {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.225:3579/ombi;
	}

}

The remote access works, at fakesub.duckdns.org/ombi/login - However it's showing as not secure. 

 

What I had to do was set the base url inside ombi as /ombi 

 

 

 

 

It seems you blindly followed a guide. You have an upstream alias definition that is not used elsewhere.

You won't see the default nginx page because your homepage redirects to /ombi

You also did not set the ombi reverse proxy correctly. See chbmb's config posted a page or two back. 

 

I suggest you start over with a fresh config, make sure your cert works properly with the default homepage, and then implement the ombi reverse proxy. 

 

Or, you can contact the guide's author

Link to comment
14 hours ago, mkono87 said:

If you mean the server_name, I added my domain but it still did not work. Getting refused to connect.

 

Check the site config you posted. Read the parts with the cp example. You'll see multiple mentions of the base url. If unsure, Google will lead you to plenty of info on reverse proxy and base url.

Link to comment

Hello,

 

I am using the nginx reverse Proxy for my Nextcloud + Unifi Controller and Unifi Guest Portal.

 

It is based on the subdomain. nextcloud.* unifi.* and unifi-gastportal.*

 

The Nextcloud works fine, secure connection etc. The Nextcloud runs in Bridge Mode with Port 444 and 81. (Unraid IP 192.168.4.18)

 

On the other hand the unifi Controller. It runs in the br0 Mode, so that it gets its own IP address (192.168.4.2) (otherwise I get STUN errors).

 

But I cannot proxy_pass to the unifi Controller. It only works if I run the container in bridge mode with the unraid IP.

 

I always get

502 Bad Gateway


nginx/1.12.2

 

 

I use default config files except for ssl, but with the default one it does not work either.

 

This is what I added to the default site config: (the first works, the second does not. Looks like a network error?)

 


server {
    listen 443 ssl;

    #root /config/www;
    index index.html index.htm index.php;

    server_name nextcloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass https://192.168.4.18:4443;    
    }
}

server {
    listen 443 ssl;

    #root /config/www;
    index index.html index.htm index.php;

    server_name unifi.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass https://192.168.4.2:8443;    
    }
}

 

What am I doing wrong? Is it a bug?

 

I can reach the controller if I use the static IP instead of the subdomain.

 

from the error.log:

 

2018/03/22 04:06:11 [error] 379#379: *319 connect() failed (113: Host is unreachable) while connecting to upstream, client: 192.168.4.1, server: unifi.*, request: "GET / HTTP/1.1", upstream: "https://192.168.4.2:8443/", host: "unifi.xxxxxx"

 

Edited by KingB
Link to comment
1 hour ago, KingB said:

Hello,

 

I am using the nginx reverse Proxy for my Nextcloud + Unifi Controller and Unifi Guest Portal.

 

It is based on the subdomain. nextcloud.* unifi.* and unifi-gastportal.*

 

The Nextcloud works fine, secure connection etc. The Nextcloud runs in Bridge Mode with Port 444 and 81. (Unraid IP 192.168.4.18)

 

On the other hand the unifi Controller. It runs in the br0 Mode, so that it gets its own IP address (192.168.4.2) (otherwise I get STUN errors).

 

But I cannot proxy_pass to the unifi Controller. It only works if I run the container in bridge mode with the unraid IP.

 

I always get

502 Bad Gateway


nginx/1.12.2

 

 

I use default config files except for ssl, but with the default one it does not work either.

 

This is what I added to the default site config: (the first works, the second does not. Looks like a network error?)

 


server {
    listen 443 ssl;

    #root /config/www;
    index index.html index.htm index.php;

    server_name nextcloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass https://192.168.4.18:4443;    
    }
}

server {
    listen 443 ssl;

    #root /config/www;
    index index.html index.htm index.php;

    server_name unifi.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass https://192.168.4.2:8443;    
    }
}

 

What am I doing wrong? Is it a bug?

 

I can reach the controller if I use the static IP instead of the subdomain.

 

from the error.log:

 

2018/03/22 04:06:11 [error] 379#379: *319 connect() failed (113: Host is unreachable) while connecting to upstream, client: 192.168.4.1, server: unifi.*, request: "GET / HTTP/1.1", upstream: "https://192.168.4.2:8443/", host: "unifi.xxxxxx"

 

 

Not sure why you're getting the connection error, but to prevent the stun errors you need to map port 3478 for udp: https://github.com/linuxserver/docker-unifi

 

EDIT: I believe when a docker container has its own IP, it is sandboxed from the host for security reasons. That is why letsencrypt (running on host) cannot connect to that container but you can from another machine on the lan. I could be wrong though. 

Edited by aptalca
  • Upvote 1
Link to comment
2 hours ago, aptalca said:

 

Not sure why you're getting the connection error, but to prevent the stun errors you need to map port 3478 for udp: https://github.com/linuxserver/docker-unifi

 

EDIT: I believe when a docker container has its own IP, it is sandboxed from the host for security reasons. That is why letsencrypt (running on host) cannot connect to that container but you can from another machine on the lan. I could be wrong though. 

Exactly. Add a mapping for 3478 UDP and set the container back to bridge. That should solve both issues.

 

BTW, does the LSIO Unifi have that mapping set up in the template now? If not, it needs to be.

Link to comment

I've been running the container for a while - Thank you!

 

All of my reverse proxies are set up as destination.mydomain.com, and everything is working, except for one user who can't get access. It's telling her that the site can't be reached and/or it's taking too long. (don't have the exact message.)

 

The only thing that makes any sense to me is that she's tried logging in too many times with the wrong password and hit fail2ban. However, some quick googling seems to indicate that my jail.local config is what should be running and it shows the default "bantime = 600", so she should only be banned for 10 minutes, so the ban shouldn't be lasting for days/weeks.

 

I'm very much a fail2ban noob, so any pointers on where to look to see if she's been banned and instructions on how to unban her would be greatly appreciated.

 

If this isn't the issue (and, based on the config file, I'm not so sure it is), does anyone have any indication on why 1 user out of 8 can't get a connection established to even try to log in?

Link to comment
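
One way to answer the "has she been banned, and how do I unban her" question above, as an added example that is not from the thread or the image: parse the `fail2ban-client status <jail>` output for the banned IP list. The sample output, jail name and addresses are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example. SAMPLE_STATUS is a constructed sample of what
# `fail2ban-client status <jail>` prints; the addresses are documentation IPs.
SAMPLE_STATUS='Status for the jail: nginx-http-auth
|- Filter
|  |- Currently failed: 0
|  |- Total failed:     7
|  `- File list:        /config/log/nginx/error.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     3
   `- Banned IP list:   203.0.113.7 198.51.100.23'

# Read jail status text on stdin, print each banned IP on its own line.
banned_ips() {
    sed -n 's/.*Banned IP list:[[:space:]]*//p' |
        tr -s '[:space:]' '\n' |
        sed '/^$/d'
}

# usage: is_banned IP < status-output
# Exact, literal match so that 203.0.113 does not match 203.0.113.7.
is_banned() {
    banned_ips | grep -Fxq -- "$1"
}

# usage: jails_banning IP
# Live check (needs fail2ban-client, e.g. run inside the container):
# prints every jail that currently bans the given address.
jails_banning() {
    for jail in $(fail2ban-client status |
                  sed -n 's/.*Jail list:[[:space:]]*//p' | tr -d ','); do
        if fail2ban-client status "$jail" | is_banned "$1"; then
            printf '%s\n' "$jail"
        fi
    done
}

# To lift a ban once the jail is known:
#   fail2ban-client set <jail> unbanip <ip>

# Constructed demonstration on the sample output.
printf '%s\n' "$SAMPLE_STATUS" | banned_ips
```

If no jail lists the address, the ban theory is ruled out and the cause lies elsewhere (DNS, routing or the client's network).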

Are there by chance any hooks in the startup of the container to run a custom user script?  I need to patch the certbot rfc2136 plugin with some hacks to get it to work with my DNS provider (I don't understand my hacks well enough to actually submit upstream).  I figure I'll probably need to build my own container layer on top, but wanted to check before going ahead with that.

Link to comment

Sorry if this has been asked before but I couldn't find it in the thread.

 

Is it possible to add a second domain? 

 

I have multiple domains and am trying to use this docker as a reverse proxy to different VMs on my network. I have got this to work with the first domain, but I can't get the second domain working as I am unable to provide the certificate file in the nginx config files as letsencrypt is only getting the certificates for one domain.

 

I hope that makes sense!

Link to comment
7 hours ago, geekypenguin said:

Sorry if this has been asked before but I couldn't find it in the thread.

 

Is it possible to add a second domain? 

 

I have multiple domains and am trying to use this docker as a reverse proxy to different VMs on my network. I have got this to work with the first domain, but I can't get the second domain working as I am unable to provide the certificate file in the nginx config files as letsencrypt is only getting the certificates for one domain.

 

I hope that makes sense!

 

 

You need to add:

-e EXTRA_DOMAINS

 

Link to comment

Hi!

 

I've been trying to get this working all week and have no clue why it's not working for me. My conf file is below. When I go to https://domain.duckdns.org I get nothing. It just spins. I see the request pass through my firewall (pfsense). I'm wondering if there could be something wrong with nginx? I'm NAT'ing 81 and 443 externally. I've replaced my internal IP.

 

I see Server Ready under logs for the container. I'm wondering if nginx is dropping the requests? Can anyone help point me in the right direction for troubleshooting? I've had Apache working no problems for a couple of years. I feel like I'm missing something obvious.

 

TIA

 

upstream backend {
	server 1.1.1.1:19999;
	keepalive 64;
}

server {
	listen 443 ssl default_server;
#	listen 80 default_server;
	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

	location = / {
		return 301 /htpc;
	}
	
	location /nzbget {
		include /config/nginx/proxy.conf;
		proxy_pass http://1.1.1.1:6789/nzbget;
	}
	location /sonarr {
		include /config/nginx/proxy.conf;
		proxy_pass http://1.1.1.1:8989/sonarr;
	}
	
	location /couchpotato {
		include /config/nginx/proxy.conf;
		proxy_pass http://1.1.1.1:5050/couchpotato;
	}
	
#	location /radarr {
#		include /config/nginx/proxy.conf;
#		proxy_pass http://1.1.1.1:7878/radarr;
#	}
	
#	location /downloads {
#		include /config/nginx/proxy.conf;
#		proxy_pass  http://1.1.1.1:8112/;
#		proxy_set_header  X-Deluge-Base "/downloads/";
#	}
	
	location ~ /netdata/(?<ndpath>.*) {
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass http://backend/$ndpath$is_args$args;
		proxy_http_version 1.1;
		proxy_pass_request_headers on;
		proxy_set_header Connection "keep-alive";
		proxy_store off;
	}
}

 

 

Edited by CrashnBrn
Link to comment

Is it common to get an email from letsencrypt that my certs are about to expire?  

 

Your certificate (or certificates) for the names listed below will expire in
20 days (on 13 Apr 18 00:22 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

bacnet.duckdns.org

 

Do I need to renew my certs?  I was under the impression they would renew.

Link to comment

Ok so I managed to get letsencrypt going.  I added all my subdomains to my namecheap dns manager.  They all register with letsencrypt.  I edited my default file for nginx to have sonarr and radarr respond to /sonarr and /radarr.


But how do I manage to have them work with https://<service>.mydomain.com ?

EDIT :

I've added another server block to test out one application, but it doesn't work (calibre-web). When I try to load https://library.<retracted>.com, I get the nginx welcome page... Note: before I did that, I had a location /library going with the same info and that worked like a charm.

 

server {
        server_name library.retracted.com;
        location / {

                proxy_bind              $server_addr;
                proxy_pass              http://192.168.1.69:8083;
                proxy_set_header        Host            $http_host;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Scheme        $scheme;
                proxy_set_header        X-Script-Name   /library;        }
}

 

Edited by stefer
Link to comment
On 3/23/2018 at 9:51 PM, CrashnBrn said:

Hi!

 

I've been trying to get this working all week and have no clue why it's not working for me. My conf file is below. When I go to https://domain.duckdns.org I get nothing. It just spins. I see the request pass through my firewall (pfsense). I'm wondering if there could be something wrong with nginx? I'm NAT'ing 81 and 443 externally. I've replaced my internal IP.

 

I see Server Ready under logs for the container. I'm wondering if nginx is dropping the requests? Can anyone help point me in the right direction for troubleshooting? I've had Apache working no problems for a couple of years. I feel like I'm missing something obvious.

 

TIA

 


upstream backend {
	server 1.1.1.1:19999;
	keepalive 64;
}

server {
	listen 443 ssl default_server;
#	listen 80 default_server;
	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

	location = / {
		return 301 /htpc;
	}
	
	location /nzbget {
		include /config/nginx/proxy.conf;
		proxy_pass http://1.1.1.1:6789/nzbget;
	}
	location /sonarr {
		include /config/nginx/proxy.conf;
		proxy_pass http://1.1.1.1:8989/sonarr;
	}
	
	location /couchpotato {
		include /config/nginx/proxy.conf;
		proxy_pass http://1.1.1.1:5050/couchpotato;
	}
	
#	location /radarr {
#		include /config/nginx/proxy.conf;
#		proxy_pass http://1.1.1.1:7878/radarr;
#	}
	
#	location /downloads {
#		include /config/nginx/proxy.conf;
#		proxy_pass  http://1.1.1.1:8112/;
#		proxy_set_header  X-Deluge-Base "/downloads/";
#	}
	
	location ~ /netdata/(?<ndpath>.*) {
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass http://backend/$ndpath$is_args$args;
		proxy_http_version 1.1;
		proxy_pass_request_headers on;
		proxy_set_header Connection "keep-alive";
		proxy_store off;
	}
}

 

 

Your problem is likely nat loopback

 

Try it on your cell phone with a cell connection. If it works, it is nat loopback

Link to comment
2 hours ago, sgt_spike said:

Is it common to get an email from letsencrypt that my certs are about to expire?  

 

Your certificate (or certificates) for the names listed below will expire in
20 days (on 13 Apr 18 00:22 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

bacnet.duckdns.org

 

Do I need to renew my certs?  I was under the impression they would renew.

Your current cert is good until May 6th.

 

You likely had an older cert that was never revoked, and it is about to expire. You probably just deleted the appdata folder. Nothing to worry about. 

Link to comment
34 minutes ago, stefer said:

Ok so I managed to get letsencrypt going.  I added all my subdomains to my namecheap dns manager.  They all register with letsencrypt.  I edited my default file for nginx to have sonarr and radarr respond to /sonarr and /radarr.


But how do I manage to have them work with https://<service>.mydomain.com ?

EDIT :

I've added another server block to test out one application, but it doesn't work (calibre-web). When I try to load https://library.<retracted>.com, I get the nginx welcome page... Note: before I did that, I had a location /library going with the same info and that worked like a charm.

 


server {
        server_name library.retracted.com;
        location / {

                proxy_bind              $server_addr;
                proxy_pass              http://192.168.1.69:8083;
                proxy_set_header        Host            $http_host;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        X-Scheme        $scheme;
                proxy_set_header        X-Script-Name   /library;        }
}

 

Your server block is not listening on any port. Check the example in the default site config

Link to comment
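
A check for the mistake pointed out in the reply above, as an added example that is not from the thread or the image: list every `server { }` block in a site config that has no `listen` directive, since such a block never receives the request on 443 and the default_server answers with the welcome page instead. The sample config is constructed, the function name is hypothetical, and the brace counting assumes no literal braces inside regex locations.

```shell
#!/bin/sh
# Added example. SAMPLE_CONF is a constructed site config: the first block
# listens on 443, the second has only a server_name.
SAMPLE_CONF='server {
    listen 443 ssl default_server;
    server_name _;
    root /config/www;
}
server {
    server_name library.example.com;
    location / {
        proxy_pass http://192.168.1.69:8083;
    }
}'

# Read an nginx config on stdin; for each server block without a listen
# directive print "<start line>: <server_name>".
servers_without_listen() {
    awk '
    {
        line = $0
        sub(/#.*/, "", line)                      # ignore commented-out directives

        # A new server block opens ("server 1.2.3.4;" inside upstream has no brace).
        if (!in_server && line ~ /(^|[ \t;}])server[ \t]*[{]/) {
            in_server = 1
            sdepth = depth                        # depth to return to at block end
            has_listen = 0
            name = "(no server_name)"
            start = NR
        }

        if (in_server) {
            if (line ~ /(^|[ \t;{])listen[ \t]/) has_listen = 1
            if (match(line, /server_name[ \t]+[^;]+/)) {
                name = substr(line, RSTART, RLENGTH)
                sub(/server_name[ \t]+/, "", name)
            }
        }

        # Track nesting so location blocks do not end the server block early.
        depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)

        if (in_server && depth == sdepth) {
            if (!has_listen) print start ": " name
            in_server = 0
        }
    }'
}

# Constructed demonstration; on a real install feed it the site config file.
printf '%s\n' "$SAMPLE_CONF" | servers_without_listen
```

For HTTPS the flagged block needs `listen 443 ssl;` plus the certificate settings, which the configs earlier in this thread pull in with `include /config/nginx/ssl.conf;`.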
