[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



@aptalca

In addition to Modsecurity it would be nice to add Authelia as well; it is a two-factor authentication system that would secure anything you publish on the web.

https://www.authelia.com/

https://github.com/clems4ever/authelia

https://www.reddit.com/r/selfhosted/comments/7gv51h/simple_to_deploy_2fa_nginx_proxy/

 

Honestly I don't know how hard it would be to add Modsecurity or authelia and make it easy for the less experienced users.

 

 

8 hours ago, aptalca said:

Not sure how Duo works, but LDAP auth is already included. For RADIUS, there is no Alpine package in the repo.

Set the X-Ldap-URL to the server where you have Duo's Auth_Proxy installed and set up. You now have 2FA on all logins that are sent by the ldap-auth docker. ProxyCache/AuthCache needs to be enabled.

 

Works great.  Thanks!


Hi, I noticed this warning in the log:

 

nginx: [warn] could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_size

Are "proxy_headers_hash_max_size" and "proxy_headers_hash_bucket_size" set in the file proxy.conf?

 

Should I set both values? That seems to be the common thing to do.

 

I've seen values of "proxy_headers_hash_max_size 512" and "proxy_headers_hash_max_size 51200", same with "proxy_headers_hash_bucket_size 64" and "proxy_headers_hash_bucket_size 6400"—which should I use?

 

Thank you


I am running the nextcloud container and the letsencrypt container from linuxserver.io. I am using letsencrypt with nginx as a reverse proxy. The container provides standard configs for most docker containers such as nextcloud; the files can be found in "\appdata\letsencrypt\nginx\proxy-confs".

 

I have created my own subdomain for the office server but I can't reach it; I only land on the "Welcome to nginx" page.

 

server {
    listen 443 ssl;

    server_name office.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_OnlyOfficeDocumentServer OnlyOfficeDocumentServer;
        proxy_pass http://$upstream_OnlyOfficeDocumentServer:443;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

I have downloaded the Nextcloud plugin "ONLYOFFICE" and entered my subdomain into the field for the service address, but it always says "error on connect": bad request or timeout.

 

Can't figure out where my failure is... thanks in advance.

5 hours ago, mweis said:

I am running the nextcloud container and the letsencrypt container from linuxserver.io. I am using letsencrypt with nginx as a reverse proxy. The container provides standard configs for most docker containers such as nextcloud; the files can be found in "\appdata\letsencrypt\nginx\proxy-confs".

 

I have created my own subdomain for the office server but I can't reach it; I only land on the "Welcome to nginx" page.

 


server {
    listen 443 ssl;

    server_name office.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_OnlyOfficeDocumentServer OnlyOfficeDocumentServer;
        proxy_pass http://$upstream_OnlyOfficeDocumentServer:443;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

I have downloaded the Nextcloud plugin "ONLYOFFICE" and entered my subdomain into the field for the service address, but it always says "error on connect": bad request or timeout.

 

Can't figure out where my failure is... thanks in advance.

Use only lowercase in container names, otherwise nginx can't resolve them.

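The container-name rule in the reply above turned into a check you can run before reloading nginx. This is an added example, not part of the thread and not code from the linuxserver.io image: it scans every "set $upstream_... name;" directive in a set of proxy-conf files and reports any upstream whose container name contains uppercase letters, which is exactly what broke the OnlyOffice config posted above. The two sample conf files are constructed here in a temporary directory so the script runs offline; on the real container point the function at /config/nginx/proxy-confs/*.conf.

```shell
#!/bin/sh
# Added example (not from the thread): lint proxy-confs for upstream container
# names that contain uppercase letters, which nginx's resolver cannot look up
# through Docker's embedded DNS (the fix given in the thread: lowercase names).

# Constructed sample confs standing in for /config/nginx/proxy-confs/*.conf
SAMPLE_DIR=$(mktemp -d)

cat > "$SAMPLE_DIR/onlyoffice.subdomain.conf" <<'EOF'
location / {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_onlyoffice OnlyOfficeDocumentServer;
    proxy_pass http://$upstream_onlyoffice:80;
}
EOF

cat > "$SAMPLE_DIR/calibre.subdomain.conf" <<'EOF'
location / {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_calibre calibre-web;
    proxy_pass http://$upstream_calibre:8083;
}
EOF

# lint_upstream_names FILE...
# Prints "<file>:<line>: <name>" for every `set $upstream_* <name>;` whose
# <name> has an uppercase character; exit status 1 if any were found, else 0.
lint_upstream_names() {
    awk '
        $1 == "set" && index($2, "$upstream_") == 1 {
            name = $3
            sub(/;$/, "", name)
            if (name ~ /[A-Z]/) {
                printf "%s:%d: %s\n", FILENAME, FNR, name
                bad = 1
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$@"
}

# suggested_name NAME -> the lowercase form to use for both the container and the conf
suggested_name() {
    printf '%s\n' "$1" | tr '[:upper:]' '[:lower:]'
}

# Usage on the real container:  lint_upstream_names /config/nginx/proxy-confs/*.conf
if lint_upstream_names "$SAMPLE_DIR"/*.conf; then
    echo "all upstream names are lowercase"
else
    echo "rename the containers listed above to lowercase (e.g. $(suggested_name OnlyOfficeDocumentServer)) and update the conf to match" >&2
fi
```

The name has to change in two places, the Docker container name and the conf's set directive, and the lint only reports on the conf; after renaming, nginx -t on the container confirms the rest of the file still parses.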

I'm not sure if this is the right place, or if it's even that helpful, but the latest letsencrypt container update wrecked Unraid temporarily for me. Could be unrelated, but after the update a bunch of settings went factory and ALL containers got turned off. A reboot seemed to bring everything back up OK. I know this isn't much to go off of, but if there is somewhere you want me to look for logs, let me know.

28 minutes ago, dannyo13 said:

Could be unrelated ... I know this isn't much to go off of, but if there is somewhere you want me to look for logs, let me know.

If it happens again go to Tools - Diagnostics and post the complete diagnostics zip.

 

Your symptoms sound more like your flash dropping connection.


I just set up Letsencrypt using SpaceInvader's video and a custom domain. It is working, but I want to simplify connecting to the Calibre OPDS server.

Currently, I have to configure my ebook reader to connect to https://calibre."myserver".net/opds. nginx is configured so that https://calibre."myserver".net is essentially redirected to "server ip":8083.

 

When I try to configure the calibre nginx conf file so that calibre."myserver".net is redirected to "server ip:8083/opds", my epub program will connect and show the categories available, but nothing appears when I click them.

 

How can I configure my conf file to redirect to the port and path, so I don't have to type in the /opds when setting up a new device, and just type in calibre.myserver.net?

10 hours ago, Ayefly said:

I just set up Letsencrypt using SpaceInvader's video and a custom domain. It is working, but I want to simplify connecting to the Calibre OPDS server.

Currently, I have to configure my ebook reader to connect to https://calibre."myserver".net/opds. nginx is configured so that https://calibre."myserver".net is essentially redirected to "server ip":8083.

 

When I try to configure the calibre nginx conf file so that calibre."myserver".net is redirected to "server ip:8083/opds", my epub program will connect and show the categories available, but nothing appears when I click them.

 

How can I configure my conf file to redirect to the port and path, so I don't have to type in the /opds when setting up a new device, and just type in calibre.myserver.net?

I think you mean proxy and not redirect (they have very different meanings for webservers) 

 

If you post your config we'll take a look


After some searching, I found references that suggested the MariaDB docker, and instructions on how to configure it and set up a database via terminal:

https://technicalramblings.com/blog/how-to-set-up-a-wordpress-site-with-letsencrypt-and-mariadb-on-unraid/

It really made me sweat to do this, knowing so pathetically little about terminal commands and just blindly following instructions, then getting an error about it not being able to find/connect to the database (I used "localhost") until I just took a chance with using the VPN-assigned IP address and the port I set up as per the instructions.

I am now happy to report that I was able to install WordPress and log into its admin panel... so far so good!

2 hours ago, UntouchedWagons said:

Hi there, could you please add proxy-conf files for Ubooquity? Thanks

\appdata\letsencrypt\nginx\proxy-confs\ubooquity.subfolder.conf

location /ubooquity {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
    proxy_pass http://192.168.1.111:2202/ubooquity;
    proxy_set_header Host $host;
}

It's not using the custom network interface but that works for me

On 12/4/2018 at 10:25 PM, aptalca said:

I think you mean proxy and not redirect (they have very different meanings for webservers) 

 

If you post your config we'll take a look

# make sure that your dns has a cname set for calibre

server {
    listen 443 ssl;

    server_name calibre.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_calibre calibre-web;
        proxy_pass http://$upstream_calibre:8083;
    }
}

 

That's what I am using, and it works to access https://calibre."myserver".net/opds from the internet. Note that I have to remember to add the /opds for calibre, or /opds-comics for ubooquity, when I set them up in their apps.

 

When I change proxy_pass http://$upstream_calibre:8083 to http://$upstream_calibre:8083/opds, my epub reader will show the book categories when I connect, but not the contents of each.

13 hours ago, UntouchedWagons said:

Hi there, could you please add proxy-conf files for Ubooquity? Thanks

Here is my config:

\appdata\letsencrypt\nginx\proxy-confs\ubooquity.subfolder.conf

# ubooquity already uses the base url /ubooquity by default so you don't need to do anything extra

location /ubooquity {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
    #auth_request /auth-0;
    #error_page 401 =200 /login;

    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_ubooquity ubooquity;
    proxy_pass http://$upstream_ubooquity:2202;
}

This is using the custom network feature and domain redirect ...

 


Based on the two previous solutions, I came up with a config for a subdomain-based setup:

 

server {
    listen 443 ssl;

    server_name ubooquity.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ubooquity ubooquity;
        proxy_max_temp_file_size 2048m;
        proxy_pass http://$upstream_ubooquity:2202;
    }
}

 


I am having issues with the cert authorization failing. I believe it is due to my domain host (Google Domains) but I'm unsure.

 

Router: Google Wifi

Domain: mydomain.com

Subdomain:  server.mydomain.com (directed to my ip address)

Port Forward http:  External 80 to Internal 180

Port Forward https:  External 443 to Internal 1443

 

When I check the logs, I get a "can't connect" error that is likely due to port forwarding or dns. 

 

I do not believe it is a port forwarding error as I've changed the port forwards to (80 to 80) and (443 to 443) just to see if I can access the Unraid server from outside my network using server.mydomain.com and that works fine.  

 

When I have the ports forwarded to 180 and 1443 and go to server.mydomain.com, it automatically tries to use https.  Is it possible that Google Domains is automatically directing traffic to https and in turn not allowing my certs to be authorized?  If so, is there a way around it?

  


 

 

9 hours ago, jthacker48 said:

I am having issues with the cert authorization failing. I believe it is due to my domain host (Google Domains) but I'm unsure.

 

Router: Google Wifi

Domain: mydomain.com

Subdomain:  server.mydomain.com (directed to my ip address)

Port Forward http:  External 80 to Internal 180

Port Forward https:  External 443 to Internal 1443

 

When I check the logs, I get a "can't connect" error that is likely due to port forwarding or dns. 

 

I do not believe it is a port forwarding error as I've changed the port forwards to (80 to 80) and (443 to 443) just to see if I can access the Unraid server from outside my network using server.mydomain.com and that works fine.  

 

When I have the ports forwarded to 180 and 1443 and go to server.mydomain.com, it automatically tries to use https.  Is it possible that Google Domains is automatically directing traffic to https and in turn not allowing my certs to be authorized?  If so, is there a way around it?


 

 

Do "docker ps" and post the line containing letsencrypt

9 hours ago, aptalca said:

Do "docker ps" and post the line containing letsencrypt

Honestly, I'm having a similar issue on a fresh install using Google Domains as well. 

 

I can't get nginx to show the "welcome" page to show the container working. I've been banging my head for the past day on this. I have also tried just using 192.168.1.10:180 (local IP) to no avail here. 

root@Apollo:~# docker ps
CONTAINER ID        IMAGE                       COMMAND             CREATED             STATUS                    PORTS                                            NAMES
aed87507ede6        linuxserver/letsencrypt     "/init"             25 minutes ago      Up 2 minutes              0.0.0.0:180->80/tcp, 0.0.0.0:1443->443/tcp       letsencrypt

 

My log shows "Server ready" and that certificate exists, however nothing passes through. My port forwards are set up correctly (EdgeRouter, port 80, going to server IP > 180, port 443 going to server IP > 1443) which matches docker ps for the ports. I edited email and domain names for screenshot of container settings.

 

I have checked that my site is pointing to my correct public address by changing to other containers ports with port forward (port 80, going to server IP > 3579 (Ombi)) and a few others as well, and these were all successful. 

 

Any ideas?


10 hours ago, jeiroq said:

Honestly, I'm having a similar issue on a fresh install using Google Domains as well. 

 

I can't get nginx to show the "welcome" page to show the container working. I've been banging my head for the past day on this. I have also tried just using 192.168.1.10:180 (local IP) to no avail here. 


root@Apollo:~# docker ps
CONTAINER ID        IMAGE                       COMMAND             CREATED             STATUS                    PORTS                                            NAMES
aed87507ede6        linuxserver/letsencrypt     "/init"             25 minutes ago      Up 2 minutes              0.0.0.0:180->80/tcp, 0.0.0.0:1443->443/tcp       letsencrypt

 

My log shows "Server ready" and that certificate exists, however nothing passes through. My port forwards are set up correctly (EdgeRouter, port 80, going to server IP > 180, port 443 going to server IP > 1443) which matches docker ps for the ports. I edited email and domain names for screenshot of container settings.

 

I have checked that my site is pointing to my correct public address by changing to other containers ports with port forward (port 80, going to server IP > 3579 (Ombi)) and a few others as well, and these were all successful. 

 

Any ideas?


Post a log

9 hours ago, jthacker48 said:

Here are the docker ps results:

 


 

Here are the logs from LetsEncrypt docker:

 


Make sure that your IP is set correctly at your DNS provider and that there is a CNAME created and set up for the "server" subdomain.

 

If all looks good, you can try stopping the letsencrypt container, creating an nginx container with the exact same port mapping, and seeing if you can reach it through the domain on ports 80 and 443.

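A check for the port chain the last few posts are debugging (router forward to Unraid host port to container port), as an added example that is not part of the thread. It parses the PORTS column exactly as docker ps printed it in jeiroq's post (that string is embedded here so the check runs offline) and confirms that a router forward of external 80 to host 180 actually ends on the container's port 80, and 443 to 1443 on its 443; a mismatch at any step is one concrete way the "can't connect" error in the log arises. The probe_http function is the live half: run it from a network other than your own LAN to see whether a plain-HTTP request for the domain reaches the container at all or is answered with a redirect first; the domain name in the comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): verify the chain
#   router external port -> Unraid host port -> container port
# for the letsencrypt container offline, from a captured `docker ps` PORTS
# column, then (optionally, from outside the LAN) probe the domain on port 80.

# Sample PORTS column, copied from the docker ps output posted in the thread.
SAMPLE_PORTS='0.0.0.0:180->80/tcp, 0.0.0.0:1443->443/tcp'

# container_port PORTS HOSTPORT
# Prints the container port that HOSTPORT is published to, or nothing if
# HOSTPORT is not published at all. Works for 0.0.0.0:... and :::... entries.
container_port() {
    printf '%s\n' "$1" | tr ',' '\n' |
        sed -n "s|.*:$2->\([0-9]*\)/tcp.*|\1|p"
}

# check_chain PORTS EXTERNAL HOSTPORT CONTAINERPORT
# Returns 0 when a router forward EXTERNAL->HOSTPORT ends on CONTAINERPORT.
check_chain() {
    actual=$(container_port "$1" "$3")
    if [ "$actual" = "$4" ]; then
        echo "ok: external $2 -> host $3 -> container $4"
        return 0
    fi
    echo "MISMATCH: external $2 -> host $3 -> container '${actual:-unpublished}', expected $4" >&2
    return 1
}

# probe_http DOMAIN
# Prints "<status> <redirect-url>" for a plain-HTTP request on port 80 to the
# path prefix Let's Encrypt's HTTP-01 validation uses. A timeout or connection
# error corresponds to the "can't connect" seen in the container log; a 3xx
# with a redirect URL means the request arrived but was sent elsewhere before
# the challenge path was served. Run from outside your LAN (hairpin NAT misleads).
probe_http() {
    curl -sS -o /dev/null --max-time 10 -w '%{http_code} %{redirect_url}\n' \
        "http://$1/.well-known/acme-challenge/probe"
}

# Offline check against the captured mapping; the expected values are the
# forwards described in the thread (80 -> 180, 443 -> 1443).
check_chain "$SAMPLE_PORTS" 80 180 80
check_chain "$SAMPLE_PORTS" 443 1443 443

# On the real host use the live mapping instead:
#   check_chain "$(docker ps --filter name=letsencrypt --format '{{.Ports}}')" 80 180 80
# and, from outside the LAN:  probe_http server.example.com   (placeholder domain)
```

The offline half only proves that the Docker side of the chain is consistent with the router rule; the DNS record and the router forward itself still have to be checked separately, which is what the CNAME advice above and the plain-nginx-container test cover.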
