[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



1 hour ago, CyberMew said:

Finally got mine to work. I had a previous 443 port forward rule pointing to another computer, no wonder the connection was refused. However, for some reason one of my subdomain certs is showing up as invalid, but there are no issues for the other 4 subdomains. Does anyone have any idea why?

Not enough info to go on


@linuxserver.io Any chance you could add SSLH to this docker? I want to be able to use SSH and a website on the same port, and it would let me if that one package was installed.

Below is the package requested

https://pkgs.alpinelinux.org/package/edge/testing/x86/sslh

Below is what I'm trying to do:

https://www.ostechnix.com/sslh-share-port-https-ssh/

 

Thanks

Edited by Jerky_san

Hi,

 

Just wondering if anyone else is having an issue with Let's Encrypt that is not allowing access to the server externally?

 

I can access my dockers through the reverse proxy on my internal network however when I try to access it externally or on my phone's network I get nothing but timeout issues.

 

This used to be working I want to say just under 2 weeks ago and I haven't made any changes that I can think of that would affect it - the logs show no sign of error.

 

Any ideas of where I can start looking?

5 hours ago, rhz said:

Hi,

 

Just wondering if anyone else is having an issue with Let's Encrypt that is not allowing access to the server externally?

 

I can access my dockers through the reverse proxy on my internal network however when I try to access it externally or on my phone's network I get nothing but timeout issues.

 

This used to be working I want to say just under 2 weeks ago and I haven't made any changes that I can think of that would affect it - the logs show no sign of error.

 

Any ideas of where I can start looking?

Almost sounds like your forwarders aren't working on your router. Have you checked to make sure the ports are open internet-facing?

19 hours ago, Jerky_san said:

Almost sounds like your forwarders aren't working on your router. Have you checked to make sure the ports are open internet-facing?

I checked these today and found out that if I change the port forward to a random one (say 666), I can access it through https://server.name.com:666

 

Changing the service port back to 443 then kills it, so something, somewhere, is blocking 443, but I'm not quite sure where to start in checking what is blocking it.

4 hours ago, rhz said:

I checked these today and found out that if I change the port forward to a random one (say 666), I can access it through https://server.name.com:666

 

Changing the service port back to 443 then kills it, so something, somewhere, is blocking 443, but I'm not quite sure where to start in checking what is blocking it.

You probably need to check to make sure your ISP isn't blocking it. If it isn't, perhaps you set up a VPN on your router that took the port?


I configured the Let's Encrypt (nginx) docker with nzbget, organizr, sonarr, radarr, etc. dockers using my own domain. I can access all of those apps using https (https://nzbget.mydomain.com). 

 

But . . . I have lost access to the Unraid GUI. I get a 500 error on the GUI, and a "/etc/nginx/htpasswd" failed (13: Permission denied) error in /var/log/nginx/error.log. I am trying to enter the GUI locally using http. I can SSH into Unraid, and all the docker apps are accessible. Just not the front end.

 

Advice?

4 minutes ago, madaroda said:

I configured the Let's Encrypt (nginx) docker with nzbget, organizr, sonarr, radarr, etc. dockers using my own domain. I can access all of those apps using https (https://nzbget.mydomain.com). 

 

But . . . I have lost access to the Unraid GUI. I get a 500 error on the GUI, and a "/etc/nginx/htpasswd" failed (13: Permission denied) error in /var/log/nginx/error.log. I am trying to enter the GUI locally using http. I can SSH into Unraid, and all the docker apps are accessible. Just not the front end.

 

Advice?

Using IP or hostname to access Unraid?

6 minutes ago, CHBMB said:

Using IP or hostname to access Unraid?

Using internal IP will not work (gets the 500 error). Trying hostname (https://unraid.mydomain.com), which in DNS is a C record to mydomain.com (IP set via DDNS on router) just gives me the NGINX "Welcome to our server" page.

Edited by madaroda

Just now, madaroda said:

Using internal IP will not work (gets the 500 error). Trying hostname (https://unraid.mydomain.com), which in DNS is a C record to mydomain.com (IP set via DDNS on router) just gives me the NGINX "Welcome to our server" page.

Can you access it if you stop the LE container?

2 hours ago, CHBMB said:

Can you access it if you stop the LE container?

I figured out how to stop a container in the CLI. Stopping Letsencrypt did not fix the issue. I assumed they were related because it happened right after the LE installation. So, here I am, most likely in the wrong thread, and no solution.

Edited by madaroda

I figured out how to stop a container in the CLI. Stopping Letsencrypt did not fix the issue. I assumed they were related because it happened right after the LE installation. So, here I am, most likely in the wrong thread, and no solution.

So you made your unraid gui accessible to the internet via the LE container?

Sent from my BND-L34 using Tapatalk

On 9/17/2018 at 1:33 PM, Jerky_san said:

@linuxserver.io Any chance you could add SSLH to this docker? I want to be able to use SSH and a website on the same port, and it would let me if that one package was installed.

Below is the package requested

https://pkgs.alpinelinux.org/package/edge/testing/x86/sslh

Below is what I'm trying to do:

https://www.ostechnix.com/sslh-share-port-https-ssh/

 

Thanks

@linuxserver.io any chance you could do this?


Hey All,

 

I'm having issues using Nextcloud with the LetsEncrypt proxy.  Basically I can hit the login page of Nextcloud without issue, but when I go to log in, I keep getting "504 Gateway Time-out, nginx/1.14.0".  Any thoughts on where I should be looking?  This was working before.

 

Thanks in advance!

 

~Spritz

3 hours ago, Spritzup said:

Hey All,

 

I'm having issues using Nextcloud with the LetsEncrypt proxy.  Basically I can hit the login page of Nextcloud without issue, but when I go to log in, I keep getting "504 Gateway Time-out, nginx/1.14.0".  Any thoughts on where I should be looking?  This was working before.

 

Thanks in advance!

 

~Spritz

Are you using the proxy-conf example or did you create your own?


Hey guys, I've been using my Letsencrypt for most of my dockers under domain1.com, the dockers being ombi, organizr, chevereto, etc. I am currently trying to set up a WordPress site under my Nginx docker and put it through the Let's Encrypt docker for the reverse proxy, using a domain2.com. I'm having an issue where I try to set up the site conf "default" file to direct the root location to the nginx docker, but I don't know how to make it work. The root location is the appdata for the nginx docker; both /config and the docker-made path for the /nginx-config cause the same issue of not sending the site outside the network. WordPress does work just fine locally. Any and all help is appreciated.

 

 


1 hour ago, aptalca said:

Not willing to route everything through sslh. You can add it yourself via mapping an init file into the /etc/cont-init.d folder

Didn't think it would route through it unless you called it, but I also assumed every time I update the docker it would wipe the module and I would have to redo it again.

8 hours ago, Jerky_san said:

Didn't think it would route through it unless you called it, but I also assumed every time I update the docker it would wipe the module and I would have to redo it again.

Init file runs during container start. So you can put "apk add --no-cache sslh" in there and it will install if necessary during every container start. 
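To make the init-file approach concrete, here is an example script (added for this thread; it is not from the linuxserver.io image or from aptalca) of the kind you would bind-mount into /etc/cont-init.d. It installs the package only when its binary is absent, so running it on every container start is cheap and it repairs the install after an image update, and it makes an apk failure visible in the container log instead of continuing silently. The function names pkg_present and ensure_pkg and the [init] log prefix are my own; the shebang follows the s6-overlay convention the image's own [cont-init.d] scripts use.

```shell
#!/usr/bin/with-contenv bash
# Example /etc/cont-init.d script (written for this thread, not part of the
# linuxserver.io image). Installs an Alpine package only when it is missing,
# so it is safe to run on every container start.
#
# Assumptions: the container is Alpine-based (apk); the package name and,
# optionally, the name of the binary it provides are given as arguments.
# "sslh" is the package discussed in the thread.

# pkg_present NAME -> 0 if a binary called NAME is already on PATH
pkg_present() {
    command -v "$1" >/dev/null 2>&1
}

# ensure_pkg PKG [BIN]
# Installs PKG with apk unless BIN (default: PKG) is already present.
# Logs one line per decision and returns apk's exit status, so a failed
# install shows up in the container log instead of being ignored.
ensure_pkg() {
    pkg=$1
    bin=${2:-$1}
    if pkg_present "$bin"; then
        echo "[init] $pkg already installed, skipping"
        return 0
    fi
    echo "[init] $pkg missing, installing with apk"
    if apk add --no-cache "$pkg"; then
        echo "[init] $pkg installed"
        return 0
    fi
    echo "[init] ERROR: apk add $pkg failed" >&2
    return 1
}

# Only perform the install when s6 executes this file from cont-init.d;
# when the file is sourced elsewhere the functions stay reusable.
case $0 in
    */cont-init.d/*) ensure_pkg sslh ;;
esac
```

The package link earlier in the thread points at Alpine's edge/testing repository; if `apk add` cannot find sslh in the image's default repositories, that repository has to be made available first, which this script does not do. The script only installs the package: anything listening on 443 still has to be reconciled with nginx, which is the configuration the linked article covers.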


Hey all,

I set up docker on my ubuntu 18.04 server, using portainer. To have a reverse proxy including ssl set up, I used https://hub.docker.com/r/linuxserver/letsencrypt/. When I only had one domain set up, it was working great - the certificate and key were generated in my persisted volume. When I add more subdomains using the SUBDOMAINS env variable, it doesn't generate certificates for the new domains anymore.

 

home.mydomain.com/fullchain.pem exists in the /etc/letsencrypt/live/ directory, but the other subdomain files do not.


The log when starting up:

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \ 
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid:    911
User gid:    911
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing... 
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing... 
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing... 
Variables set:
PUID=
PGID=
TZ=Netherlands/Amsterdam
URL=mydomain.com
SUBDOMAINS=home,plex,sonarr,radarr,domoticz
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are:  -d home.mydomain.com -d plex.mydomain.com -d sonarr.mydomain.com -d radarr.mydomain.com -d domoticz.mydomain.com
E-mail address entered: [email protected]
http validation is selected
Certificate exists; parameters unchanged; attempting renewal
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Fri Sep 21 14:33:57 UTC 2018
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/home.mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/home.mydomain.com/fullchain.pem expires on 2018-12-20 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/domoticz.mydomain.com/fullchain.pem") failed (SSL: error:02FFF002:system library:func(4095):No such file or directory:fopen('/etc/letsencrypt/live/domoticz.mydomain.com/fullchain.pem', 'r') error:20FFF080:BIO routines:CRYPTO_internal:no such file)
[21-Sep-2018 14:33:59] ERROR: unable to bind listening socket for address '127.0.0.1:9000': Address in use (98)
[21-Sep-2018 14:33:59] ERROR: FPM initialization failed


This is my setup:

https://rosk.am/share/2018-09-22_14-33-20.png


Any clue how I can make all the subdomains work and make letsencrypt create the certificates for all subdomains? 

Another thing that I saw in the logs was "ERROR: FPM initialization failed". I had this one appearing as well when I had just 1 subdomain which was working. Can I safely ignore this error, or should I do anything to fix it?

 

Edited by harmjanr
Added small question.
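The log above shows the shape of the problem: certbot was asked for one certificate covering all five names (the `-d home.mydomain.com -d plex.mydomain.com ...` line, renewed from home.mydomain.com.conf), so the only lineage on disk is live/home.mydomain.com, while a site conf told nginx to load live/domoticz.mydomain.com/fullchain.pem, which does not exist. The container still reports `[cont-init.d] done.`, and the failure only appears as the nginx `[emerg]`. Below is a preflight check written as an example for this thread (not part of the linuxserver.io image) that surfaces both halves of that mismatch before nginx starts: every `ssl_certificate` path referenced by the site confs must exist, and the live certificate must list each hostname derived from URL, SUBDOMAINS and ONLY_SUBDOMAINS as a subjectAltName. The function names, the `.conf`-under-one-directory layout, and the paths in the usage comment are my assumptions; the SAN check is skipped when openssl is not installed.

```shell
#!/bin/sh
# Preflight check for the linuxserver letsencrypt container, written as an
# example for this thread (not part of the image). Catches two things the log
# above only reveals once nginx fails with [emerg] BIO_new_file(...):
#   1. a site conf whose ssl_certificate path does not exist, and
#   2. a hostname from URL/SUBDOMAINS that the live certificate does not list.
# Assumptions (not from the thread): site confs are *.conf files under CONF_DIR
# with one "ssl_certificate <path>;" directive per line.

# expected_hosts URL SUBDOMAINS ONLY_SUBDOMAINS
# Prints every hostname the container was asked to cover, one per line,
# mirroring how the log expands SUBDOMAINS into "-d sub.URL" arguments.
# A trailing comma in SUBDOMAINS is tolerated.
expected_hosts() {
    url=$1
    if [ "$3" != "true" ]; then
        echo "$url"
    fi
    echo "$2" | tr ',' '\n' | while IFS= read -r sub; do
        if [ -n "$sub" ]; then
            echo "$sub.$url"
        fi
    done
}

# missing_cert_files CONF_DIR
# Prints "<conf>: missing <path>" for every ssl_certificate or
# ssl_certificate_key directive whose file does not exist.
missing_cert_files() {
    for conf in "$1"/*.conf; do
        [ -f "$conf" ] || continue
        grep -E '^[[:space:]]*ssl_certificate(_key)?[[:space:]]' "$conf" |
            sed -E 's/^[[:space:]]*ssl_certificate(_key)?[[:space:]]+([^; ]+).*/\2/' |
            while IFS= read -r path; do
                if [ ! -f "$path" ]; then
                    echo "$conf: missing $path"
                fi
            done
    done
}

# certs_ok CONF_DIR -> 0 if every referenced certificate file exists, else 1
certs_ok() {
    missing=$(missing_cert_files "$1")
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# cert_covers_host CERT_PEM HOST
# 0 if HOST appears in the certificate's subjectAltName list, 1 if not,
# 2 if openssl is unavailable so the caller can tell "unknown" from "no".
# Dots in HOST act as regex wildcards here, which is fine for a preflight.
cert_covers_host() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl x509 -in "$1" -noout -text 2>/dev/null | grep -Eq "DNS:$2(,|\$)"
}

# preflight CONF_DIR CERT_PEM URL SUBDOMAINS ONLY_SUBDOMAINS
# Runs both checks and returns non-zero on any problem, so a wrapper can
# refuse to start nginx and the cause lands in the container log.
preflight() {
    rc=0
    certs_ok "$1" || rc=1
    for host in $(expected_hosts "$3" "$4" "$5"); do
        san=0
        cert_covers_host "$2" "$host" || san=$?
        case $san in
            0) ;;
            2) echo "warn: openssl not found, SAN check skipped" >&2; break ;;
            *) echo "$2 does not list $host as a subjectAltName" >&2; rc=1 ;;
        esac
    done
    return $rc
}

# Direct invocation (skipped when sourced without arguments). Paths below are
# an assumed layout, adjust to your own:
#   sh preflight.sh /config/nginx/site-confs /config/keys/letsencrypt/fullchain.pem \
#      mydomain.com "home,plex,sonarr,radarr,domoticz" true
if [ "$#" -eq 5 ]; then
    preflight "$@"
fi
```

Run against the setup in the post above, the first check would report the domoticz conf pointing at a non-existent lineage, and the second would tell you whether the one certificate under live/home.mydomain.com actually carries the other four names, which is the question the `Certificate exists; parameters unchanged` line leaves open.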
