[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



5 minutes ago, CHBMB said:

 

IP addresses and server name do need to be changed

 


satisfy any;
allow 192.168.0.0/24;
deny all;

This bit just means it can only be accessed by clients on the 192.168.0.0 subnet. (My LAN)

 

Yeah, I figured. I get no errors in the logs,

but I get the "Welcome to our server" message. I tried both ways.

https://unifi.myserver.us:8843/

https://unifi.myserver.us

Do you know if there is a way to run both controllers at the same time? I can't get it to recognize my backup file because of the version mismatch... and then I am lost, don't know what to do.

Link to comment
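The allow/deny snippet quoted above restricts by source address only, and `satisfy any` changes nothing on its own: it only matters once the same location also carries `auth_basic` (or another access check), at which point either a matching address or a valid password is enough. Below is an added Python model of that decision, written for this thread rather than taken from nginx or the container, that evaluates allow/deny rules in order with first match winning, as nginx does, and applies `satisfy all` versus `satisfy any`. The client addresses are constructed sample values, and the model assumes nginx sees the real client address; if traffic arrives through another proxy or NAT layer, the address matched here is that layer's, not the user's.

```python
import ipaddress
from typing import List, Optional, Tuple

# Rules copied from the snippet in the post; nginx evaluates allow/deny in order
# and the first rule that matches the client address decides.
LAN_RULES: List[Tuple[str, str]] = [
    ("allow", "192.168.0.0/24"),
    ("deny", "all"),
]


def ip_allowed(client_ip: str, rules: List[Tuple[str, str]]) -> bool:
    """Evaluate nginx-style allow/deny rules for one client address."""
    addr = ipaddress.ip_address(client_ip)
    for action, spec in rules:
        if spec == "all":
            matched = True
        else:
            net = ipaddress.ip_network(spec, strict=False)  # a bare host works as /32 or /128
            matched = addr.version == net.version and addr in net
        if matched:
            return action == "allow"
    return True  # no rule matched: nginx lets the request through


def access_decision(client_ip: str, rules: List[Tuple[str, str]],
                    satisfy: str = "all", auth_ok: Optional[bool] = None) -> bool:
    """Combine the address check with auth_basic the way nginx's `satisfy` does.

    auth_ok is None when the location has no auth_basic directive, otherwise the
    outcome of the password check. With `satisfy all` (the default) every configured
    check must pass; with `satisfy any` one passing check is enough, which is what
    lets LAN clients skip the password while everyone else must supply one.
    """
    checks = [ip_allowed(client_ip, rules)]
    if auth_ok is not None:
        checks.append(auth_ok)
    return any(checks) if satisfy == "any" else all(checks)


if __name__ == "__main__":
    # Constructed sample clients: one on the LAN, one outside (TEST-NET-3 address).
    for ip, auth in [("192.168.0.5", None), ("203.0.113.7", None), ("203.0.113.7", True)]:
        print(ip, "auth_ok=%s" % auth,
              "all:", access_decision(ip, LAN_RULES, "all", auth),
              "any:", access_decision(ip, LAN_RULES, "any", auth))
```

Note the third sample: an outside client with a valid password gets in only under `satisfy any`; under the default `satisfy all` the `deny all` rule still wins, which is the behaviour to expect if the `satisfy` line is dropped while copying the snippet.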
1 minute ago, shremi said:

 

Yeah, I figured. I get no errors in the logs,

but I get the "Welcome to our server" message. I tried both ways.

https://unifi.myserver.us:8843/

https://unifi.myserver.us

Do you know if there is a way to run both controllers at the same time? I can't get it to recognize my backup file because of the version mismatch... and then I am lost, don't know what to do.

 

Have you restarted the container? 

Link to comment
2 minutes ago, CHBMB said:

And you've saved that file as unifi in /config/nginx/site-confs/

 

Ohhhh, that might be the issue. I followed Ed's video but he never mentioned saving the files in the site folder; we used the proxy confs folder.....

How should I name the file?

Link to comment
Just now, shremi said:

 

Ohhhh, that might be the issue. I followed Ed's video but he never mentioned saving the files in the site folder; we used the proxy confs folder.....

How should I name the file?

 

4 minutes ago, CHBMB said:

And you've saved that file as unifi

 

Link to comment
16 minutes ago, ufo56 said:

After the latest update, letsencrypt now tries the challenge on the http port, not https.

 

https://pastebin.com/1PNLnSwG

 

Post your docker run command; there's nothing wrong with the container, so it's got to be something at your end. I suspect you've run into the fact that letsencrypt has changed its auth protocols. Details in the readme.

 

https://github.com/linuxserver/docker-letsencrypt#parameters

Edited by CHBMB
Link to comment

Firstly, great work on the docker; the preconfigured proxy files make NGINX so easy to set up.

I did a search but nothing came up, so I thought I'd ask the question: is there an easy way to enable ModSecurity?

There are some public dockers integrating it with nginx, and it seems to add an extra layer of protection given that it stops some attacks against the end applications being proxied.

ModSecurity protects against attacks by looking for:

  • SQL Injection
  • Ensuring the content type matches the body data.
  • Protection against malformed POST requests.
  • HTTP Protocol Protection
  • Real-time Blacklist Lookups
  • HTTP Denial of Service Protections
  • Generic Web Attack Protection
  • Error Detection and Hiding

Is there an easy way to load in the module myself? Maybe someone here has done it before?

Link to comment

I am really stumped with this whole project.  I'm new to web servers and reverse proxies and don't know much more than basic networking stuff.  But thanks to the tutorial and this forum I have Letsencrypt and nginx running with my own domain and it all works except for one big problem that I mentioned earlier in this thread - I frequently experience a 20-25 second delay before the page loads for any of my sites.  It doesn't happen all the time.  Sometimes it goes straight to the site but other times, after typing the url and hitting enter, nothing happens for 20-25 seconds and then the page loads.

 

I have talked to a couple different people (one on the Emby forums and one on the HardOCP forums) who were very nice and spent quite a bit of time trying to help me with no luck.  Since I first started experiencing this problem I have:

 

  • rebuilt my Unraid server with all new hardware except for the hard drives
  • deleted the Letsencrypt container and appdata folder and reinstalled and configured from scratch 
  • used my old Unraid hardware (Xeon E3-1230 with 32GB RAM) to replace the hardware (old Celeron with 2GB RAM) in my standalone pfSense computer and reinstalled and configured it from scratch

 

None of that changed a thing.  The couple of people that spent a good deal of time helping me each linked to different posts about nginx being very slow in Docker.  I posted one of those here and was told that someone uses nginx in Docker to run production sites, and nobody else has commented about experiencing the same thing I am.  They suggested that I try installing nginx on a separate machine as a test.  My problem is that I really don't know how to do that.  Like I said, I was very dependent on tutorials and help to get this working, and with Linuxserver bundling Letsencrypt/nginx together and Unraid's nice and easy template system it looks a lot different than a "normal" setup.

 

This is really frustrating and is killing the user experience for my family and friends trying to use Emby and Ombi as both time out a lot due to the delay and they have a hard time accessing either.  Any help or ideas would be greatly appreciated.

 

 

 

Edited by RockDawg
Link to comment
On 8/6/2018 at 10:05 AM, gridrunner said:

Finally, finished making my video on setting up a reverse proxy. Hope it helps people who haven't set it up before :)

 

 

Hello @Gridrunner.

 

I have successfully port forwarded the services, mapped the CNAMEs to the DNS record in DuckDNS and also verified that the certificates are working, as per the logs. I get the NGINX landing page for both Binhex-Sonarr and Binhex-radarr when I attempt to browse to the CNAMEs. So quite obviously DNS, CNAME and port forwarding are working. I have double-checked both config files (sonarr.subdomain.conf and radarr.subdomain.conf) and they appear to be OK. See the extract below:

 

# make sure that your dns has a cname set for sonarr and that your sonarr container is not using a base url
# to enable password access, uncomment the two auth_basic lines

server {
    listen 443 ssl;

    server_name sonarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr binhex-sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }
}
 

Please advise.

 

Enver

Link to comment
6 hours ago, CHBMB said:

Where is your appdata located on the server? Cache or array? HDD or SSD?



Sent from my Mi A1 using Tapatalk
 

 

If that question was for me, my appdata is on an SSD that is my cache drive.  I don't use the mover or anything so the only thing my cache drive does is handle the appdata for my containers.

Edited by RockDawg
Link to comment

So, I would like to get Slack notifications from fail2ban, preferably with geo lookup.

 

Tried this but to no avail. https://gist.github.com/Dman46/92178d519a7b3ea1e49cbcb7b8fda954

I get error messages about missing commands. Is anyone up and running with Slack notifications (with or without geo lookup) on the letsencrypt container who could give some direction?

 

Best regards.

Edited by M203
Spelling.
Link to comment
7 hours ago, Enver said:

Hello @Gridrunner.

 

I have successfully port forwarded the services, mapped the CNAMEs to the DNS record in DuckDNS and also verified that the certificates are working, as per the logs. I get the NGINX landing page for both Binhex-Sonarr and Binhex-radarr when I attempt to browse to the CNAMEs. So quite obviously DNS, CNAME and port forwarding are working. I have double-checked both config files (sonarr.subdomain.conf and radarr.subdomain.conf) and they appear to be OK. See the extract below:

 

# make sure that your dns has a cname set for sonarr and that your sonarr container is not using a base url
# to enable password access, uncomment the two auth_basic lines

server {
    listen 443 ssl;

    server_name sonarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr binhex-sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }
}
 

Please advise.

 

Enver


Hi @Enver

Firstly, are sonarr and radarr on a custom user-defined docker network?

I see from the above config that you have removed the hash tags before the auth_ parts to use a password.

Have you created that in the container itself by running

htpasswd -c /config/nginx/.htpasswd <yourusername>

Personally I didn't have luck using both the .htpasswd file and sonarr's own password system; it just didn't seem to work for me. Not sure why? But I am sure the devs here could shed light on why. So I only use sonarr's password in that container, without .htpasswd. I would try and get it working without the htpasswd first, then add that later when you are sure it works fine.

Link to comment
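To make the `auth_basic_user_file` step above concrete, here is an added Python example (written for this thread, not code from the page or the linuxserver project) that writes and verifies entries in the htpasswd format nginx reads. It uses the `{SSHA}` salted-SHA1 scheme that nginx's auth_basic module accepts, rather than the apr1 or bcrypt forms the stock `htpasswd` tool emits, so the whole round trip fits in the standard library; usernames, passwords and the fixed salt are constructed sample values. It also spells out the point hidden in the `htpasswd -c` command: `-c` creates (truncates) the file, so adding a second user must not use it, and the `upsert_user` helper below keeps existing users instead.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Optional

SCHEME = "{SSHA}"  # salted SHA-1, one of the schemes nginx's auth_basic_user_file accepts


def ssha_entry(username: str, password: str, salt: Optional[bytes] = None) -> str:
    """One htpasswd line: user:{SSHA}base64(sha1(password + salt) + salt)."""
    if not username or ":" in username:
        raise ValueError("username must be non-empty and must not contain ':'")
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return f"{username}:{SCHEME}{base64.b64encode(digest + salt).decode('ascii')}"


def parse_htpasswd(text: str) -> Dict[str, str]:
    """Map username -> stored hash string; blank and comment lines are ignored."""
    users: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        user, _, stored = line.partition(":")
        users[user] = stored
    return users


def verify(users: Dict[str, str], username: str, password: str) -> bool:
    """Check a credential against parsed entries; only {SSHA} entries are understood here."""
    stored = users.get(username)
    if stored is None or not stored.startswith(SCHEME):
        return False  # unknown user, or an apr1/bcrypt/crypt entry this checker does not implement
    try:
        blob = base64.b64decode(stored[len(SCHEME):], validate=True)
    except binascii.Error:
        return False  # corrupt entry: treat as a failed login rather than crashing
    digest, salt = blob[:20], blob[20:]  # SHA-1 digest is 20 bytes, the rest is the salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)  # constant-time comparison


def upsert_user(text: str, username: str, password: str,
                salt: Optional[bytes] = None) -> str:
    """Return the file contents with `username` added or replaced, keeping other users.

    This is what running `htpasswd` WITHOUT -c does; `htpasswd -c` recreates the
    file and silently drops everyone already in it.
    """
    kept = [line for line in text.splitlines()
            if line.strip() and not line.startswith(f"{username}:")]
    kept.append(ssha_entry(username, password, salt))
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Constructed sample: build a two-user file in memory, then check one login.
    contents = upsert_user("", "alice", "correct horse")
    contents = upsert_user(contents, "bob", "battery staple")
    users = parse_htpasswd(contents)
    print(contents, end="")
    print("alice ok:", verify(users, "alice", "correct horse"))
    print("alice wrong:", verify(users, "alice", "nope"))
```

To use it for real, write the returned text to `/config/nginx/.htpasswd` with permissions that only the nginx process can read, and keep the `auth_basic` lines uncommented in the site config; a single `{SSHA}` entry is enough to confirm that nginx accepts the file before layering sonarr's own login on top, which is the ordering gridrunner suggests.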
3 hours ago, RockDawg said:

 

If that question was for me, my appdata is on an SSD that is my cache drive.  I don't use the mover or anything so the only thing my cache drive does is handle the appdata for my containers.

 

Yeah, it was just a thought as the only time I saw this kind of behaviour was when some appdata was on the array and on a spinning rust cache drive, so it took some time to grab the info.

 

Checked the logs in /config/log/nginx?

Link to comment
7 hours ago, gridrunner said:

Hi @Enver

Firstly, are sonarr and radarr on a custom user-defined docker network?

I see from the above config that you have removed the hash tags before the auth_ parts to use a password.

Have you created that in the container itself by running

htpasswd -c /config/nginx/.htpasswd <yourusername>

Personally I didn't have luck using both the .htpasswd file and sonarr's own password system; it just didn't seem to work for me. Not sure why? But I am sure the devs here could shed light on why. So I only use sonarr's password in that container, without .htpasswd. I would try and get it working without the htpasswd first, then add that later when you are sure it works fine.

Hello @gridrunner

 

For simplicity's sake I have added back the hash tags for the auth and password lines. Yes, both dockers are running on the same logical network as the NGINX docker.

 

I have restarted, Letsencrypt, Sonarr and Radarr but the behaviour is the same.....

 

How do I check that DNS resolution between dockers is working? <- It's the only thing I can think of that may be contributing to the problem. I would have assumed the default behavior for unRAID was for the host to manage DNS resolution between docker containers?

 

Let me know your thoughts.

 

Thanks,

 

Enver

Edited by Enver
Link to comment
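Enver asks how to check that DNS resolution between containers is working. The `resolver 127.0.0.11` and `set $upstream_sonarr binhex-sonarr` lines in the posted config only work when the letsencrypt container and the Sonarr container share a user-defined Docker network, because Docker's embedded DNS server at that address is what turns a container name into an IP. The added Python script below (written for this thread, not part of the container image) is meant to be copied into the letsencrypt container and run with `docker exec`, which assumes a `python3` binary is present there; it resolves the name through whatever resolver the container has and then attempts a TCP connection to the upstream port, so it separates "name does not resolve" from "resolves, but nothing is listening". The container name and port default to the values from the posted config.

```python
import socket
import sys
from typing import List, Tuple

# Defaults taken from the posted sonarr.subdomain.conf: upstream container name and port.
DEFAULT_NAME = "binhex-sonarr"
DEFAULT_PORT = 8989


def resolve_upstream(name: str) -> List[str]:
    """Addresses the container's resolver returns for `name`, or [] if it does not resolve.

    Inside a container on a user-defined Docker network this goes through Docker's
    embedded DNS at 127.0.0.11, the same resolver the nginx config points at.
    """
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_upstream(name: str, port: int) -> Tuple[str, List[str]]:
    """Classify the upstream as seen from this container.

    'no-dns'   : the name does not resolve; the two containers are most likely not on
                 the same user-defined network, so nginx's resolver lookup fails too
    'dns-only' : the name resolves but nothing accepts connections on the port; the
                 app is down, on another port, or bound to a different interface
    'ok'       : resolved and reachable, so proxy_pass should work
    """
    addrs = resolve_upstream(name)
    if not addrs:
        return "no-dns", []
    if any(tcp_reachable(addr, port) for addr in addrs):
        return "ok", addrs
    return "dns-only", addrs


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_NAME
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    status, addrs = check_upstream(name, port)
    print(f"{name}:{port} -> {status} {addrs}")
    sys.exit(0 if status == "ok" else 1)
```

Assuming the script is saved as `/config/check_upstream.py` in the container's appdata and the container is named `letsencrypt` (both assumptions), `docker exec letsencrypt python3 /config/check_upstream.py binhex-sonarr 8989` prints the classification; a `no-dns` result points at the network setup rather than the nginx config, which is the case gridrunner's first question is probing for.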

Does anyone know how to set it up in one of the following ways?

a) using manual mode, so it provides the instructions to set up the DNS records to validate that way

b) https authentication, not http, as my ISP blocks port 80 but doesn't block 443

c) a DNS authentication using a plugin that would work with dynu.com (dynamic DNS provider).

 

I am using my own domain, not just using sub domains on a shared domain.

 

Cheers

 

Edit: I switched over to Cloudflare after I learned I could use the DNS management on a free account, and got this working that way. It would however still be nice to know, maybe for others, if you can do at least a and b.

Edited by GoChris
Link to comment
2 hours ago, GoChris said:

Does anyone know how to set it up in one of the following ways?

a) using manual mode, so it provides the instructions to set up the DNS records to validate that way

b) https authentication, not http, as my ISP blocks port 80 but doesn't block 443

c) a DNS authentication using a plugin that would work with dynu.com (dynamic DNS provider).

 

I am using my own domain, not just using sub domains on a shared domain.

 

Cheers

 

Edit: I switched over to Cloudflare after I learned I could use the DNS management on a free account, and got this working that way. It would however still be nice to know, maybe for others, if you can do at least a and b.

a) is not supported by this image

b) is currently not supported by letsencrypt due to the vulnerability

Link to comment
On 8/9/2018 at 1:44 PM, CHBMB said:

 

Yeah, it was just a thought as the only time I saw this kind of behaviour was when some appdata was on the array and on a spinning rust cache drive, so it took some time to grab the info.

 

Checked the logs in /config/log/nginx?

 

 

It turns out the delay issue was caused by Namecheap's nameservers.  Somebody replied to me on HardOCP that they run a forum and had all kinds of issues when using Namecheap's nameservers.  So I signed up for a free account at Cloudflare, entered their nameserver addresses in my Namecheap account, and I haven't had an issue since.

Link to comment
Just now, RockDawg said:

 

 

It turns out the delay issue was caused by Namecheap's nameservers.  Somebody replied to me on HardOCP that they run a forum and had all kinds of issues when using Namecheap's nameservers.  So I signed up for a free account at Cloudflare, entered their nameserver addresses in my Namecheap account, and I haven't had an issue since.

 

That's interesting. I use Namecheap and up until this week used their nameservers and never had an issue.  Switched to Cloudflare now, just so I can get a wildcard cert, nothing to do with performance.

Link to comment

My reverse proxies just stopped working and it appears that the LetsEncrypt container is to blame. No errors were logged, but I assume it has something to do with the tls-sni validation change. I set up a new container and it was not able to create the cert using http (port 80 is blocked by my ISP). I set up this docker long ago, before the auth/validation changes, and it appears that I will have to use the DNS validation option. I currently host domains with Google Domains and Namecheap. I would rather not switch, for simplicity and because I use their email forwarding services (and do not want any email interruptions).

Is there any way to set up validation with Google Domains or Namecheap? I couldn't find a README

Link to comment
