[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



2 hours ago, DZMM said:

I just spotted that my /log/nginx/access.log file has hit 4GB with entries going back nearly a year. Is there a way to control the size of the log, other than deleting it (which I have)?

 

Thanks

There is log rotation, it shouldn't have gotten that big. It rotates weekly and gzips all but the last two.

 

Did you modify the crontab?

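To make the rotation behaviour described in the reply concrete, here is an added example (it is not the linuxserver.io image's own logrotate file and not code from this thread): a logrotate stanza that rotates weekly and gzips everything except the two newest files, plus two small shell checks that tell you whether rotation is actually happening in a log directory. The /config/log/nginx path, the `rotate 8` retention and the /run/nginx.pid location are assumptions.

```shell
# Added example (not the linuxserver.io image's own logrotate file): a stanza that
# does what the reply describes, weekly rotation with everything gzipped except
# the two newest files, plus a check of whether rotation is actually happening.
# ASSUMPTIONS: the /config/log/nginx path, 'rotate 8' retention and /run/nginx.pid.
write_logrotate_conf() {
  cat > "$1" <<'EOF'
/config/log/nginx/*.log {
    weekly
    rotate 8
    missingok
    notifempty
    compress
    delaycompress
    sharedscripts
    postrotate
        # nginx keeps writing to the renamed file until told to reopen its logs
        [ -f /run/nginx.pid ] && kill -USR1 "$(cat /run/nginx.pid)" || true
    endscript
}
EOF
}

# Report the state of one log directory: size of the active access.log, how many
# rotated copies are still plain text and how many are gzipped. With delaycompress
# a healthy directory has access.log and access.log.1 plain and older copies .gz.
rotation_report() {
  dir=$1
  active=$(( $(wc -c < "$dir/access.log" 2>/dev/null || echo 0) + 0 ))
  plain=0; gz=0
  for f in "$dir"/access.log.[0-9]*; do
    [ -e "$f" ] || continue            # glob matched nothing
    case $f in
      *.gz) gz=$((gz + 1)) ;;
      *)    plain=$((plain + 1)) ;;
    esac
  done
  echo "active_bytes=$active plain_rotated=$plain gzipped=$gz"
}

# A multi-GB access.log with no rotated siblings means the weekly job never ran.
rotation_verdict() {
  dir=$1
  for f in "$dir"/access.log.[0-9]*; do
    [ -e "$f" ] && { echo rotating; return 0; }
  done
  echo never-rotated
}

# Demo on a constructed directory (run with --demo); real use: rotation_report /config/log/nginx
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  printf 'GET / 200\n' > "$tmp/access.log"
  : > "$tmp/access.log.1"
  : > "$tmp/access.log.2.gz"
  rotation_report "$tmp"     # active_bytes=10 plain_rotated=1 gzipped=1
  rotation_verdict "$tmp"    # rotating
  rm -rf "$tmp"
fi
```

If `rotation_verdict` says `never-rotated` on a directory that has been collecting logs for months, the cron entry that runs logrotate is the first thing to check, which is what the reply is asking about.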
1 hour ago, aptalca said:

There is log rotation, it shouldn't have gotten that big. It rotates weekly and gzips all but the last two

 

Did you modify the crontab?

I haven't changed the crontab (not sure where this setting is) - I've got docker log rotation on.  Does that setting control all logs, or just the main container log?


Can anyone help me with configuring websockets (wss://) over the reverse proxy?

I have an EdgeRouter X and have created the following configuration in the linuxserver/letsencrypt docker container:

 

#Ubiquiti EdgeRouter-X Reverse Proxy
server {
    listen 80;
    server_name edgex.*;
    rewrite ^ https://$host$request_uri? permanent;
}

server {
    listen 443 ssl;
    server_name edgex.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_edgex 192.168.0.10;
        proxy_pass https://$upstream_edgex;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
    }
}

I can log in to the GUI, but I do not see any graphs, interface status or CPU/RAM usage.

 

This is what I see from LAN:

[screenshot omitted]

 

This is what I see over NGINX reverse_proxy:

[screenshot omitted]

 

In the source code of the page you can see that it is using websockets (wss://):

[screenshot omitted]

I could not find a working way to forward the wss as well, so any help would be appreciated.

 

On ‎9‎/‎28‎/‎2018 at 7:51 AM, Blade said:

I use Chrome

I do not use Edge or Firefox

 

So are you still having issues?

I recall the same symptoms but only when using IE in Win10.

 

As IE seems to be pretty well past its use-by date, not a big issue.

 

I don't use chrome, but the problem was not there when using firefox or edge.

letsencrypt shut down correctly.

 

9 minutes ago, FlorinB said:


Check out the preset conf for unifi. I imagine you need something similar.

13 minutes ago, Jessie said:

It seems to be ok the last few times I have shut it down

I am keeping an eye on it

 

On 10/1/2018 at 7:18 AM, twok said:

@Gobs please try/ check the following things (helped me)
 

  • is plex also changed to be in the proxynet network?
  • is the docker container of plex really called "plex" or maybe changed?
  • is your firewall configured to allow the port to be accessed from external? (check with sites like "is my port open")
  • check if logged in to duckdns if your external ip is correctly upgraded

1. Yes
2. Yes
3. My router's settings page says no ports are restricted (should I be worried?) but Is My Port Open says it's not. Port 443 (HTTPS) seems to be the only open port, but I think that's how it should be? I don't quite understand how the reverse proxy and Let's Encrypt work, but as I understand it, requests from the outside world go myip:443 -> myserver:32400. Also Nextcloud works, so I would be surprised if that's the problem.
4. Yes it is.

Any other suggestions?


 

On 10/1/2018 at 2:02 PM, sgt_spike said:

Gobs, I had the same issues setting up plex. Here's what I did......

If you are using a user defined network for LE and plex, the plex port must be mapped to the host (unraid). 

   To do this edit the config, Docker->click on edit. Change to Advanced mode. In the "Extra Parameters" section add this line (changing info to your info)

       "-p UnRaidIP:32400:32400"  this should look something like -p 192.168.1.10:32400:32400 This will allow the webui to load on local.

   I have not been able to get plex to load via a custom web address as the proxy.config file instructions seem a bit confusing IMHO.

Should that read UnRaidIP:1443:32400? Also you said you cannot access plex from outside your local network this way? Because if that's the case I might as well just run plex in host mode and have done with it.


EdgeRouterX working GUI behind NGINX Reverse Proxy.

In case anyone else is interested in this, I have found the solution.

 

Here is my config:

#Ubiquiti EdgeRouter-X Reverse Proxy
#Source: https://community.ubnt.com/t5/EdgeRouter/Access-Edgemax-gui-via-nginx-reverse-proxy-websocket-problem/td-p/1544354
#Adapted by Florin Butoi for docker linuxserver/letsencrypt on 02 Oct 2018

server {
        listen 80;
        server_name edgex.*;
        return 301 https://$host$request_uri;
}

upstream erl {
        server 192.168.22.11:443;
        keepalive 32;
}

server {
        listen 443 ssl http2;
        server_name edgex.*;
        include /config/nginx/filterhosts.conf;
        include /config/nginx/ssl.conf;
        client_max_body_size 512m;

        location / {
                proxy_pass https://erl;
                proxy_http_version 1.1;
                proxy_buffering off;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                # the post had X-Forward-For here; the standard header name is X-Forwarded-For
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
}

# /config/nginx/filterhosts.conf (included above):

#allow from this ip
allow   212.122.123.124;
#temporary internet ip on my router
allow   178.112.221.111;
#deny all others
deny    all;

 

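The visible difference between the first EdgeRouter config in this thread and the working one above is the `proxy_http_version 1.1;` line: nginx talks HTTP/1.0 to upstreams by default, and the Upgrade handshake only exists in HTTP/1.1, so the two header lines alone are not enough (unless the included proxy.conf happens to supply it). As an added example that is not part of this thread or the linuxserver.io image, the shell lint below checks one nginx config file for the three pieces a WebSocket upgrade needs; it does not follow `include` lines, so run it on the file that actually carries the `location` block. The backend address 192.0.2.10 in the constructed samples is hypothetical.

```shell
# Added example, not from the thread or the linuxserver.io image: lint an nginx
# site config for the three directives a WebSocket upgrade needs to pass through
# a proxy. Only the given file is inspected; included files are not followed.
ws_lint() {
  conf=$1
  missing=""
  # Upgrade is an HTTP/1.1 mechanism; nginx proxies with HTTP/1.0 unless told otherwise
  grep -Eq '^[[:space:]]*proxy_http_version[[:space:]]+1\.1[[:space:]]*;' "$conf" \
    || missing="$missing proxy_http_version"
  # pass the client's Upgrade: websocket header on to the backend
  grep -Eq '^[[:space:]]*proxy_set_header[[:space:]]+Upgrade[[:space:]]+[$]http_upgrade[[:space:]]*;' "$conf" \
    || missing="$missing Upgrade"
  # Connection is hop-by-hop, so it has to be re-added for the backend leg ("upgrade" or "Upgrade")
  grep -Eiq '^[[:space:]]*proxy_set_header[[:space:]]+Connection[[:space:]]+"?upgrade"?[[:space:]]*;' "$conf" \
    || missing="$missing Connection"
  if [ -z "$missing" ]; then
    echo ok
    return 0
  fi
  echo "missing:$missing"
  return 1
}

# Two constructed configs (hypothetical backend 192.0.2.10): broken.conf mirrors the
# shape of the first attempt in the thread, fixed.conf the working one.
make_samples() {
  cat > "$1/broken.conf" <<'EOF'
location / {
    proxy_pass https://192.0.2.10;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_buffering off;
}
EOF
  cat > "$1/fixed.conf" <<'EOF'
location / {
    proxy_pass https://192.0.2.10;
    proxy_http_version 1.1;
    proxy_buffering off;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
}
EOF
}

# Run with --demo to see both results; real use: ws_lint /config/nginx/site-confs/edgex.conf
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  make_samples "$tmp"
  ws_lint "$tmp/broken.conf" || true   # missing: proxy_http_version
  ws_lint "$tmp/fixed.conf"            # ok
  rm -rf "$tmp"
fi
```

A non-zero exit from `ws_lint` makes it usable as a pre-reload check: keep the backend reachable only for the addresses in filterhosts.conf, as the post does, and run the lint before `nginx -s reload` so a half-edited proxy block is caught before it breaks the GUI's live graphs.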
On 10/2/2018 at 12:41 PM, Gobs said:

 

Should that read UnRaidIP:1443:32400? Also you said you cannot access plex from outside your local network this way? Because if that's the case I might as well just run plex in host mode and have done with it.

It should read -p yourunraidip:32400:32400. I switched back to host and still cannot get plex to connect outside my network. Not even at plex.tv. All ports have been forwarded on the router. I know at one point I was able to connect outside using plex.tv but for whatever reason it went down again.


@sgt_spike  @Gobs

 

To fix the reverse proxy issue for plex if you followed Spaceinvader One's tutorial:

1. Log into pfsense or whatever firewall

Create another Port Forwarding Rule as the tutorial showed (or Duplicate one) but set the ports to 32400
Click Save / Apply

 

2. In Unraid > Docker > plex > Edit
Upper right corner change from Basic View to Advanced View
Find the field, Extra Parameters:
Paste the following:
 
-p 1900:1900/udp -p 32400:32400/tcp -p 32400:32400/udp -p 32460:32469/tcp -p 32460:32469/udp -p 55353:5353/udp

Click Apply

 

3. Log into your Plex Server > Settings > Remote Access
Be sure to Check the Checkbox for Manually specify public port and set 32400
Click Apply

 

 

*I had to change the mDNS ports -p 5353:5353/udp to -p 5353:55353 because there was a conflict with mDNS and it wouldn't let my docker start properly... there is probably a bug in the container

On 8/8/2018 at 6:15 PM, Maticks said:

Firstly great work on the docker, the preconfigured proxy files make NGINX so easy to setup.

 

I did a search but nothing came up so I thought I'd ask the question: is there an easy way to enable ModSecurity?

There are some public dockers integrating it with nginx and it seems to add an extra layer of protection given it stops some attacks on the end applications being proxied.

 

ModSecurity protects against attacks by looking for:

  • SQL Injection
  • Ensuring the content type matches the body data.
  • Protection against malformed POST requests.
  • HTTP Protocol Protection
  • Real-time Blacklist Lookups
  • HTTP Denial of Service Protections
  • Generic Web Attack Protection
  • Error Detection and Hiding

 

Is there an easy way to load in the module myself, maybe someone here has done it before ?

Has anyone found a way (and a how-to guide!) for modsecurity, or another WAF, for hardening a Nextcloud docker install on unRAID?


Hey, I've been trying to get letsencrypt up and running for a few weeks now with no success. I'm following spaceinvaderone's tutorial with the goal of setting up nextcloud and I'm stuck at requesting the certificate:

Domain: REDACTED.duckdns.org (
Type: connection
Detail: Fetching
http://REDACTED.duckdns.org/.well-known/acme-challenge/REDACTED
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

My ports are forwarded correctly; I've double checked by accessing other containers from outside my network on ports 80 & 443 and trying different ports (such as the 180 and 1443 recommended by spaceinvaderone). Letsencrypt just isn't receiving anything. One strange problem I've had which may be related is not being able to connect to Unraid's terminal from the Unraid GUI. I get the following error:

nginx upstream prematurely closed connection while reading response header from upstream

Any ideas?


EDIT:  SOLVED! I called my ISP, they had ports 80 & 443 blocked by default. They're unblocked now and it works!


Hi

 

Had this docker up and running for a while with no problems with Nextcloud etc and I'm now wanting to host a WordPress site.

 

I can navigate and have it present index.html located in the letsencrypt www folder however if I try to put index.php file in the folder the browser tries to download the file instead of serving up a page. Is this expected, do I need to configure something to have php pages?

 

Thanks

 

3 hours ago, Kezza said:

PHP is enabled by default. Make sure your php block is still enabled in your default site config.


I'm having the following issue when trying to renew my certificate.

 


Attempting to renew cert (redacted.com) from /etc/letsencrypt/renewal/redacted.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/redacted.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/redacted.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
Hook command "if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem" returned error code 1
Error output from if:
cat: {privkey,fullchain}.pem: No such file or directory

1 renew failure(s), 0 parse failure(s)
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

I own the domain and have a Dynamic DNS service that updates the domain to point to my IP once per day. It resolves correctly.


Is there a way to use letsencrypt as a reverse proxy for gitlab-ce?

My router doesn't allow the https (443) port to be open, so I forward it to a custom port,

 

so I added "return 301 https://$host:{PORT}$request_uri;" to the default configuration <---- under the http server so it redirects everything to https with my custom port,

but it doesn't seem to work with gitlab.

 

When I try to use the sub-domain I get this URL: "https://git.{user}.duckdns.org/users/sign_in" without the custom port.

 

here is the configuration i added to support gitlab:

 

server {
    listen 443 ssl;

    server_name git.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_gitlab gitlab;
        proxy_pass http://$upstream_gitlab:9080;
    }
}

 

Is there something i should change?


I've followed spaceinvaders tutorial on how to use letsencrypt with nginx.  When I try to access mydomain.duckdns.org on my own network, I get my routers homepage, if I do it using another network, I get the page I'm expecting.  I can access my dockers using their ip address, except nextcloud.  Thanks in advance for the help.


I'm getting a 404 on the /.well-known/acme-challenge, causing cert renewal to fail, and i can't seem to find it hunting through the files and folders in the container.

 

I have no idea where to look, and it only stopped working recently.

 

The container is running on its own IP, 80 and 443 are forwarded from the router (I can still browse to the site as the cert is still valid, although only for another 5 or so days), and it's proxying a bunch of other containers, each with their own IP.

 

The / location is proxied to heimdall, is that possibly why certbot is retrieving a 404 for the acme-challenge?

 

I'll post any confs needed for info, I just don't want to spam them all unnecessarily up front.

 

Thanks in advance.

3 hours ago, YouAreTheOneNeo said:

Post your container log and the container settings

3 hours ago, aptalca said:

Post your container log and the container settings

Log:

 

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=example.com
SUBDOMAINS=www, unifi, tautulli, pihole, cp, sonarr, heimdall, plex, calibre, ombi
EXTRA_DOMAINS=vpn.example.com
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.example.com -d unifi.example.com -d tautulli.example.com -d pihole.example.com -d cp.example.com -d sonarr.example.com -d heimdall.example.com -d plex.example.com -d calibre.example.com -d ombi.example.com
EXTRA_DOMAINS entered, processing
Extra domains processed are: -d vpn.example.com
E-mail address entered: [email protected]
http validation is selected
Certificate exists; parameters unchanged; attempting renewal
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Thu Oct 25 08:50:56 BST 2018
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: if ps aux | grep [n]ginx: > /dev/null; then s6-svc -d /var/run/s6/services/nginx; fi
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for calibre.example.com
http-01 challenge for cp.example.com
http-01 challenge for heimdall.example.com
http-01 challenge for ombi.example.com
http-01 challenge for pihole.example.com
http-01 challenge for plex.example.com
http-01 challenge for sonarr.example.com
http-01 challenge for tautulli.example.com
http-01 challenge for unifi.example.com
http-01 challenge for vpn.example.com
http-01 challenge for www.example.com
http-01 challenge for example.com
Waiting for verification...
Cleaning up challenges
Cleaning up challenges
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: Failed authorization procedure. example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx [88.98.197.66]: 404. Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/example.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/example.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
Hook command "if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem" returned error code 1

Error output from if:

cat: {privkey,fullchain}.pem: No such file or directory

1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: example.com
Type: unauthorized
Detail: Invalid response from
http://example.com/.well-known/acme-challenge/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
[1.1.1.1]: 404

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

and container settings:

 

[screenshot of container settings omitted]

 

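Two certbot failures appear in this thread: the earlier "Timeout during connect (likely firewall problem)" post, which turned out to be the ISP blocking 80 and 443, and the 404 in the log just above. The log above also shows `Plugins selected: Authenticator standalone` and a pre-hook that stops nginx, so during renewal certbot itself listens on port 80 and the proxied `/` location to heimdall never sees the challenge; a 404 therefore means port 80 reached something that was not certbot. The IP in square brackets is the address Let's Encrypt connected to. As an added example (not from the thread or the linuxserver.io image), the script below pulls those facts out of a certbot log and compares the contacted IP with the WAN IP you expect, which separates a stale dynamic-DNS record from a port-forwarding problem. The sample log is constructed, with an RFC 5737 address and a placeholder token.

```shell
# Added example, not from the thread: triage certbot http-01 failures from a log.
#   - "Invalid response from http://host/... [ip]: status" lines are parsed, and the
#     contacted IP is compared with the WAN IP the domain should resolve to.
#   - "Timeout during connect" is the other failure seen in this thread (nothing answered).
acme_triage() {
  log=$1       # certbot / container log to scan
  wan_ip=$2    # public IP the domain should resolve to right now
  grep -o 'Invalid response from http://[^ ]* \[[^]]*]: [0-9]*' "$log" | sort -u |
  while read -r line; do
    domain=$(printf '%s\n' "$line" | sed 's|Invalid response from http://\([^/]*\)/.*|\1|')
    ip=$(printf '%s\n' "$line" | sed 's|.*\[\(.*\)].*|\1|')
    code=$(printf '%s\n' "$line" | sed 's|.*]: \([0-9]*\)$|\1|')
    if [ "$ip" != "$wan_ip" ]; then
      echo "$domain: resolved to $ip, expected $wan_ip -> DNS/dynamic-DNS record is stale"
    else
      echo "$domain: $ip answered HTTP $code on port 80 -> port 80 is reaching a host that is not certbot (check the router's port forward and any other web server on 80)"
    fi
  done
  if grep -q 'Timeout during connect' "$log"; then
    echo "timeout during connect -> port 80 is blocked or not forwarded (firewall/ISP)"
  fi
}

# Constructed log excerpt modelled on the one above (RFC 5737 address, placeholder token)
write_sample_log() {
  cat > "$1" <<'EOF'
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: if ps aux | grep [n]ginx: > /dev/null; then s6-svc -d /var/run/s6/services/nginx; fi
http-01 challenge for example.com
Attempting to renew cert (example.com) from /etc/letsencrypt/renewal/example.com.conf produced an unexpected error: Failed authorization procedure. example.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://example.com/.well-known/acme-challenge/TOKEN_PLACEHOLDER [198.51.100.7]: 404. Skipping.
EOF
}

# Run with --demo; real use: acme_triage /config/log/letsencrypt/letsencrypt.log "$(curl -s https://ifconfig.co)"
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  write_sample_log "$tmp/certbot.log"
  acme_triage "$tmp/certbot.log" 198.51.100.7   # same IP: forwarding problem
  acme_triage "$tmp/certbot.log" 203.0.113.5    # different IP: stale DNS
  rm -rf "$tmp"
fi
```

The letsencrypt.log path in the usage comment is an assumption; the log above shows it being saved under /var/log/letsencrypt inside the container. When the contacted IP matches your WAN IP and the status is 404, the usual culprits are a port-80 forward pointing at a different host or a device on the edge (a router admin page, as in the "I get my router's homepage" post above) answering before the container does.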
