aptalca Posted October 1, 2018 (edited)

> 2 hours ago, DZMM said:
> I just spotted that my /log/nginx/access.log file has hit 4GB with entries going back nearly a year. Is there a way to control the size of the log, other than deleting it (which I have)? Thanks

There is log rotation, it shouldn't have gotten that big. It rotates weekly and gzips all but the last two. Did you modify the crontab?

Edited October 1, 2018 by aptalca
DZMM Posted October 1, 2018

> 1 hour ago, aptalca said:
> There is log rotation, it shouldn't have gotten that big. It rotates weekly and gzips all but the last two. Did you modify the crontab?

I haven't changed the crontab (not sure where this setting is). I've got docker log rotation on. Does that setting control all logs, or just the main container log?
FlorinB Posted October 2, 2018 (edited)

Can anyone help me with configuring websockets (wss://) over reverse proxy? I have an EdgeRouterX and I have created the following configuration in the linuxserver/letsencrypt docker container:

```nginx
#Ubiquiti EdgeRouter-X Reverse Proxy
server {
    listen 80;
    server_name edgex.*;
    rewrite ^ https://$host$request_uri? permanent;
}

server {
    listen 443 ssl;
    server_name edgex.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_edgex 192.168.0.10;
        proxy_pass https://$upstream_edgex;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
    }
}
```

I can log in to the GUI, but I do not see any graphs, interface status or CPU/RAM usage.

This is what I see from LAN:

This is what I see over the NGINX reverse proxy:

In the source code of the page you can see that it is using websockets (wss://):

I could not find a working way to forward the wss as well, so any help would be appreciated.

Edited October 2, 2018 by FlorinB
Jessie Posted October 2, 2018

> On 9/28/2018 at 7:51 AM, Blade said:
> I use Chrome. I do not use Edge or Firefox.

So are you still having issues? I recall the same symptoms but only when using IE in Win10. As IE seems to be pretty well past its use-by date, not a big issue. I don't use Chrome, but the problem was not there when using Firefox or Edge. letsencrypt shut down correctly.
aptalca Posted October 2, 2018

> 9 minutes ago, FlorinB said:
> Can anyone help me with configuring websockets (wss://) over reverse proxy? I have an EdgeRouterX and I have created the following configuration in the linuxserver/letsencrypt docker container:
>
> ```nginx
> #Ubiquiti EdgeRouter-X Reverse Proxy
> server {
>     listen 80;
>     server_name edgex.*;
>     rewrite ^ https://$host$request_uri? permanent;
> }
>
> server {
>     listen 443 ssl;
>     server_name edgex.*;
>     include /config/nginx/ssl.conf;
>     client_max_body_size 0;
>     location / {
>         include /config/nginx/proxy.conf;
>         resolver 127.0.0.11 valid=30s;
>         set $upstream_edgex 192.168.0.10;
>         proxy_pass https://$upstream_edgex;
>         proxy_set_header Range $http_range;
>         proxy_set_header If-Range $http_if_range;
>         proxy_set_header Upgrade $http_upgrade;
>         proxy_set_header Connection "upgrade";
>         proxy_buffering off;
>     }
> }
> ```
>
> I can log in to the GUI, but I do not see any graphs, interface status or CPU/RAM usage. This is what I see from LAN: This is what I see over the NGINX reverse proxy: In the source code of the page you can see that it is using websockets (wss://): I could not find a working way to forward the wss as well, so any help would be appreciated.

Check out the preset conf for unifi. I imagine you need something similar.
Blade Posted October 2, 2018

> 13 minutes ago, Jessie said:
> So are you still having issues? I recall the same symptoms but only when using IE in Win10. As IE seems to be pretty well past its use-by date, not a big issue. I don't use Chrome, but the problem was not there when using Firefox or Edge. letsencrypt shut down correctly.

It seems to be ok the last few times I have shut it down. I am keeping an eye on it.
Gobs Posted October 2, 2018

> On 10/1/2018 at 7:18 AM, twok said:
> @Gobs please try/check the following things (helped me):
> 1. Is plex also changed to be in the proxynet network?
> 2. Is the docker container of plex really called "plex" or maybe changed?
> 3. Is your firewall configured to allow the port to be accessed from external? (check with sites like "is my port open")
> 4. Check if logged in to duckdns whether your external IP is correctly updated.

1. Yes.
2. Yes.
3. My router's settings page says no ports are restricted (should I be worried?) but Is My Port Open says it's not. Port 443 (HTTPS) seems to be the only open port, but I think that's how it should be? I don't quite understand how reverse proxy and lets encrypt work, but as I understand it requests from the outside world go myip:443 -> myserver:32400. Also Nextcloud works, so I would be surprised if that's the problem.
4. Yes it is.

Any other suggestions?
Gobs Posted October 2, 2018

> On 10/1/2018 at 2:02 PM, sgt_spike said:
> Gobs, I had the same issues setting up plex. Here's what I did: If you are using a user-defined network for LE and plex, the plex port must be mapped to the host (unraid). To do this edit the config, Docker -> click on edit. Change to Advanced mode. In the "Extra Parameters" section add this line (changing info to your info): "-p UnRaidIP:32400:32400". This should look something like -p 192.168.1.10:32400:32400. This will allow the webui to load on local. I have not been able to get plex to load via a custom web address as the proxy.config file instructions seem a bit confusing IMHO.

Should that read UnRaidIP:1443:32400? Also you said you cannot access plex from outside your local network this way? Because if that's the case I might as well just run plex in host mode and have done with it.
FlorinB Posted October 2, 2018

EdgeRouterX working GUI behind NGINX reverse proxy. In case there is anyone else interested in this, I have found the solution. Here is my config:

```nginx
#Ubiquiti EdgeRouter-X Reverse Proxy
#Source: https://community.ubnt.com/t5/EdgeRouter/Access-Edgemax-gui-via-nginx-reverse-proxy-websocket-problem/td-p/1544354
#Adapted by Florin Butoi for docker linuxserver/letsencrypt on 02 Oct 2018
server {
    listen 80;
    server_name edgex.*;
    return 301 https://$host$request_uri;
}

upstream erl {
    server 192.168.22.11:443;
    keepalive 32;
}

server {
    listen 443 ssl http2;
    server_name edgex.*;

    include /config/nginx/filterhosts.conf;
    include /config/nginx/ssl.conf;

    client_max_body_size 512m;

    location / {
        proxy_pass https://erl;
        # HTTP/1.1 plus the Upgrade/Connection headers is what lets the wss:// sessions through
        proxy_http_version 1.1;
        proxy_buffering off;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # the original post had "X-Forward-For"; the standard header name is X-Forwarded-For
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Contents of the included /config/nginx/filterhosts.conf:

```nginx
#allow from this ip
allow 212.122.123.124;
#temporary internet ip on my router
allow 178.112.221.111;
#deny all others
deny all;
```
sgt_spike Posted October 5, 2018

> On 10/2/2018 at 12:41 PM, Gobs said:
> Should that read UnRaidIP:1443:32400? Also you said you cannot access plex from outside your local network this way? Because if that's the case I might as well just run plex in host mode and have done with it.

It should read -p yourunraidip:32400:32400. I switched back to host and still cannot get plex to connect outside my network. Not even at plex.tv. All ports have been forwarded on the router. I know at one point I was able to connect outside using plex.tv but for whatever reason it went down again.
happyagnostic Posted October 5, 2018

@sgt_spike @Gobs To fix the reverse proxy issue for plex if you followed Spaceinvader One's tutorial:

1. Log into pfsense or whatever firewall. Create another Port Forwarding Rule as the tutorial showed (or duplicate one) but set the ports to 32400. Click Save / Apply.
2. In Unraid > Docker > plex > Edit, upper right corner change from Basic View to Advanced View. Find the field "Extra Parameters:" and paste the following:

   -p 1900:1900/udp -p 32400:32400/tcp -p 32400:32400/udp -p 32460:32469/tcp -p 32460:32469/udp -p 55353:5353/udp

   Click Apply.
3. Log into your Plex Server > Settings > Remote Access. Be sure to check the checkbox for "Manually specify public port" and set 32400. Click Apply.

*I had to change the mDNS ports -p 5353:5353/udp to -p 5353:55353 because there was a conflict with mDNS and it wouldn't let my docker start properly... there is probably a bug in the container.
adoucette Posted October 14, 2018

> On 8/8/2018 at 6:15 PM, Maticks said:
> Firstly great work on the docker, the preconfigured proxy files make NGINX so easy to set up. I did a search but nothing came up so I thought I'd ask the question: is there an easy way to enable ModSecurity? There are some public dockers integrating it with nginx and it seems to add an extra layer of protection given it stops some attacks for the end applications being proxied. ModSecurity protects against attacks by looking for:
> - SQL Injection
> - Ensuring the content type matches the body data
> - Protection against malformed POST requests
> - HTTP Protocol Protection
> - Real-time Blacklist Lookups
> - HTTP Denial of Service Protections
> - Generic Web Attack Protection
> - Error Detection and Hiding
>
> Is there an easy way to load in the module myself, maybe someone here has done it before?

Has anyone found a way (and a how-to guide!) for modsecurity, or another WAF, for hardening a Nextcloud docker install on unRAID?
enmesh-parisian-latest Posted October 17, 2018 (edited)

Hey, I've been trying to get letsencrypt up and running for a few weeks now with no success. I'm following spaceinvaderone's tutorial with the goal of setting up nextcloud and I'm stuck at requesting the certificate:

```text
Domain: REDACTED.duckdns.org
Type: connection
Detail: Fetching http://REDACTED.duckdns.org/.well-known/acme-challenge/REDACTED
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
```

My ports are forwarded correctly; I've double checked by accessing other containers from outside my network on port 80 & 443 and trying different ports (such as the 180 and 1443 recommended by spaceinvaderone). Letsencrypt just isn't receiving anything.

One strange problem I've had which may be related is not being able to connect to Unraid's terminal from the Unraid GUI. I get the following error:

```text
nginx upstream prematurely closed connection while reading response header from upstream
```

Any ideas?

EDIT: SOLVED! I called my ISP, they had ports 80 & 443 blocked by default. They're unblocked now and it works!

Edited October 18, 2018 by enmesh-parisian-latest SOLVED
Kezza Posted October 18, 2018

Hi, had this docker up and running for a while with no problems with Nextcloud etc. and I'm now wanting to host a WordPress site. I can navigate and have it present index.html located in the letsencrypt www folder; however, if I try to put an index.php file in the folder the browser tries to download the file instead of serving up a page. Is this expected? Do I need to configure something to have php pages? Thanks
aptalca Posted October 18, 2018

> 3 hours ago, Kezza said:
> Hi, had this docker up and running for a while with no problems with Nextcloud etc. and I'm now wanting to host a WordPress site. I can navigate and have it present index.html located in the letsencrypt www folder; however, if I try to put an index.php file in the folder the browser tries to download the file instead of serving up a page. Is this expected? Do I need to configure something to have php pages? Thanks

Php is enabled by default. Make sure your php block is still enabled in your default site config.
Kezza Posted October 19, 2018

> 20 minutes ago, aptalca said:
> Php is enabled by default. Make sure your php block is still enabled in your default site config.

Thanks! No idea why I had removed that....
destrugter Posted October 19, 2018 (edited)

I'm having the following issue when trying to renew my certificate.

```text
Attempting to renew cert (redacted.com) from /etc/letsencrypt/renewal/redacted.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/redacted.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/redacted.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
Hook command "if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem" returned error code 1
Error output from if:
cat: {privkey,fullchain}.pem: No such file or directory

1 renew failure(s), 0 parse failure(s)
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready
```

I own the domain and have a Dynamic DNS service that updates the domain to point to my IP once per day. It resolves correctly.

Edited October 19, 2018 by destrugter
aptalca Posted October 19, 2018

> 6 hours ago, destrugter said:
> I'm having the following issue when trying to renew my certificate. I own the domain and have a Dynamic DNS service that updates the domain to point to my IP once per day. It resolves correctly.

Post your container settings.
destrugter Posted October 20, 2018

> 6 hours ago, aptalca said:
> Post your container settings.
aptalca Posted October 20, 2018

> 1 hour ago, destrugter said:

Don't do host networking.
syniex Posted October 20, 2018 (edited)

Is there a way to use letsencrypt as a reverse proxy for gitlab-ce? My router doesn't allow the https (443) port to be open, so I forward it to a custom port. I added "return 301 https://$host:{PORT}$request_uri;" to the default configuration under the http server so it redirects everything to https with my custom port, but it doesn't seem to work with gitlab. When I try to use the sub-domain I get this URL: "https://git.{user}.duckdns.org/users/sign_in" without the custom port. Here is the configuration I added to support gitlab:

```nginx
server {
    listen 443 ssl;
    server_name git.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_gitlab gitlab;
        proxy_pass http://$upstream_gitlab:9080;
    }
}
```

Is there something I should change?

Edited October 20, 2018 by syniex
PaDadof2 Posted October 21, 2018

I've followed spaceinvader's tutorial on how to use letsencrypt with nginx. When I try to access mydomain.duckdns.org on my own network, I get my router's homepage; if I do it using another network, I get the page I'm expecting. I can access my dockers using their IP address, except nextcloud. Thanks in advance for the help.
YouAreTheOneNeo Posted October 25, 2018

I'm getting a 404 on the /.well-known/acme-challenge, causing cert renewal to fail, and I can't seem to find it hunting through the files and folders in the container. I have no idea where to look, and it only stopped working recently. The container is running on its own IP, 80 and 443 are forwarded from the router (I can still browse to the site as the cert is still valid, although only for another 5 or so days), and it's proxying a bunch of other containers, each with their own IP. The / location is proxied to heimdall; is that possibly why certbot is retrieving a 404 for the acme-challenge? I'll post any confs needed for info, I just don't want to spam them all unnecessarily up front. Thanks in advance.
aptalca Posted October 25, 2018

> 3 hours ago, YouAreTheOneNeo said:
> I'm getting a 404 on the /.well-known/acme-challenge, causing cert renewal to fail, and I can't seem to find it hunting through the files and folders in the container. I have no idea where to look, and it only stopped working recently. The container is running on its own IP, 80 and 443 are forwarded from the router (I can still browse to the site as the cert is still valid, although only for another 5 or so days), and it's proxying a bunch of other containers, each with their own IP. The / location is proxied to heimdall; is that possibly why certbot is retrieving a 404 for the acme-challenge? I'll post any confs needed for info, I just don't want to spam them all unnecessarily up front. Thanks in advance.

Post your container log and the container settings.
YouAreTheOneNeo Posted October 25, 2018 (edited)

> 3 hours ago, aptalca said:
> Post your container log and the container settings.

Log:

```text
-------------------------------------
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=example.com
SUBDOMAINS=www, unifi, tautulli, pihole, cp, sonarr, heimdall, plex, calibre, ombi
EXTRA_DOMAINS=vpn.example.com
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.example.com -d unifi.example.com -d tautulli.example.com -d pihole.example.com -d cp.example.com -d sonarr.example.com -d heimdall.example.com -d plex.example.com -d calibre.example.com -d ombi.example.com
EXTRA_DOMAINS entered, processing
Extra domains processed are: -d vpn.example.com
E-mail address entered: [email protected]
http validation is selected
Certificate exists; parameters unchanged; attempting renewal
<------------------------------------------------->
<------------------------------------------------->
cronjob running on Thu Oct 25 08:50:56 BST 2018
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: if ps aux | grep [n]ginx: > /dev/null; then s6-svc -d /var/run/s6/services/nginx; fi
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for calibre.example.com
http-01 challenge for cp.example.com
http-01 challenge for heimdall.example.com
http-01 challenge for ombi.example.com
http-01 challenge for pihole.example.com
http-01 challenge for plex.example.com
http-01 challenge for sonarr.example.com
http-01 challenge for tautulli.example.com
http-01 challenge for unifi.example.com
http-01 challenge for vpn.example.com
http-01 challenge for www.example.com
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Cleaning up challenges
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: Failed authorization procedure. example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [88.98.197.66]: 404. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
Hook command "if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem" returned error code 1
Error output from if:
cat: {privkey,fullchain}.pem: No such file or directory

1 renew failure(s), 0 parse failure(s)

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: example.com
Type: unauthorized
Detail: Invalid response from http://example.com/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [1.1.1.1]: 404

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready
```

and container settings:

Edited October 25, 2018 by YouAreTheOneNeo Typo
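The two failure modes in this thread (a connect timeout for enmesh-parisian-latest, a 404 at /.well-known/acme-challenge/ here) are both things the Let's Encrypt validation server sees from the outside, so the quickest way to narrow them down is to fetch the challenge URL the same way it does. The script below is an added example, not from the thread or the linuxserver image: it resolves the domain, requests the challenge path over plain HTTP on port 80 without following redirects, and classifies the answer. Note that this image runs certbot in standalone mode with nginx stopped by the pre-hook, so a 404 from a token you made up only tells you which server is reachable on port 80 at that moment; the domain and token below are constructed values.

```python
import socket
import urllib.error
import urllib.request
from typing import Optional, Tuple

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def challenge_url(domain: str, token: str) -> str:
    """URL the ACME server fetches for an http-01 challenge (always port 80)."""
    return f"http://{domain}{CHALLENGE_PREFIX}{token}"


def classify(status: Optional[int], body: str, token: str, server: str = "") -> str:
    """Map what answered on port 80 to the failure modes seen in the thread."""
    if status is None:
        return "no answer on port 80: firewall, ISP block or wrong forward"
    if status == 404:
        who = f" ({server})" if server else ""
        return f"404{who}: whatever listens on port 80 did not serve the token"
    if 300 <= status < 400:
        return f"{status} redirect: allowed, but the target must serve the token"
    # A valid answer is the key authorization "<token>.<account thumbprint>".
    if status == 200 and body.strip().startswith(token + "."):
        return "200 with token.thumbprint body: http-01 would succeed"
    if status == 200:
        return "200 but body is not the key authorization: another site answered"
    return f"unexpected status {status}"


def fetch(url: str, timeout: float = 10.0) -> Tuple[Optional[int], str, str]:
    """GET the URL without following redirects; returns (status, body, Server header)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # turns 3xx into an HTTPError we can inspect

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(256).decode("latin-1"), resp.headers.get("Server", "")
    except urllib.error.HTTPError as e:
        return e.code, e.read(256).decode("latin-1"), e.headers.get("Server", "")
    except (urllib.error.URLError, OSError):
        return None, "", ""


def check(domain: str, token: str) -> str:
    """Resolve the domain like the validator would, then report what port 80 answered."""
    try:
        ip = socket.gethostbyname(domain)
    except socket.gaierror:
        return f"{domain}: DNS lookup failed"
    status, body, server = fetch(challenge_url(domain, token))
    return f"{domain} -> {ip}: " + classify(status, body, token, server)


if __name__ == "__main__":
    # Constructed domain and token; compare the resolved IP with your public IP
    # and the one quoted in certbot's "Invalid response from ... [ip]" line.
    print(check("example.com", "constructed-test-token"))
```

If the resolved IP is not your current public address, the Dynamic DNS side is the problem rather than the container; if it is, the Server header tells you which web server is actually answering port 80 at that address.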