[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



3 hours ago, sasjafor said:

Hi, I'm trying to set up a reverse-proxy for the unraid webUI. I only want it for my local network and not expose it to the internet. The main reason is to have uniform subdomains for all services on my local network and for the annoying invalid certificate warning to go away.

 

So far, I have been quite successful, but I am struggling with php files getting buffered, which is something I don't want, as for example the docker update popup box will only display text once the update is finished.

 

Here is my config so far:


server {
    listen 443 ssl;

    server_name unraid.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        fastcgi_keep_conn on;
        fastcgi_buffering off;
        proxy_buffering off;
        gzip off;

        resolver 127.0.0.11 valid=30s;
        set $upstream_unraid $REDACTED;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass https://$upstream_unraid:4433;
    }
}

I have simply tried to adapt one of the existing templates for the unraid UI. 

All the statements related to buffering didn't change anything. I have also tried not including /config/nginx/proxy.conf and also still no change.

 

I would be glad if someone could help me figure out why php responses still are getting buffered.

Hey this is not necessarily what you're looking for, but I had a much easier time passing the Firefox container, then just accessing the Unraid UI inside the firefox container.  Much less headache IMO.

  • Like 1
37 minutes ago, Coolsaber57 said:

Hey this is not necessarily what you're looking for, but I had a much easier time passing the Firefox container, then just accessing the Unraid UI inside the firefox container.  Much less headache IMO.

Yeah, I'm just looking for local access to the unRAID webgui, so I really just want the benefit of accessing unRAID via unraid.mydomain.com and nothing else, but thank you for the hint anyway.


Ok I've run into an odd issue, trying to figure out where I am going wrong.  I'm trying to proxy the Photoshow docker container with the following config under the https://photos.mydomain.com:

 

# For Photoshow

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name photos.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_photos photoshow;
        proxy_pass http://$upstream_photos:8083;
    }

}

However, when I start up the LE container, I get an error, and the container doesn't start:

e': "No such container: 0a7b5297b0bc"

Here's my photoshow config for reference:

 

Am I missing something really obvious?

(attached screenshot of the photoshow container config: zzz.PNG)

 

Edit: just realized I should have set upstream_photos and used port 80.  Resolved my issue.

Edited by Coolsaber57
43 minutes ago, Coolsaber57 said:

Ok I've run into an odd issue, trying to figure out where I am going wrong.  I'm trying to proxy the Photoshow docker container with the following config under the https://photos.mydomain.com:

 


# For Photoshow

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name photos.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_photos photoshow;
        proxy_pass http://$upstream_photos:8083;
    }

}

However, when I start up the LE container, I get an error, and the container doesn't start:


e': "No such container: 0a7b5297b0bc"

Here's my photoshow config for reference:

 

Am I missing something really obvious?

(attached screenshot of the photoshow container config: zzz.PNG)

 

Edit: just realized I should have set upstream_photos and used port 80.  Resolved my issue.

Yup, when connecting container to container, remember to use the container port, not the host


So it seems from googling that my ISP blocks port 80. I watched spaceinvader one's video but figured I would ask here before I invest a lot of time figuring out how to set all this up... Is it as easy as just selecting a different port? I couldn't seem to find a straight answer on this. Is it more complicated to get around this? Is it possible? I was planning on using DynDns as my ISP router has that function on it.

So it seems from googling that my ISP blocks port 80. I watched spaceinvader one's video but figured I would ask here before I invest a lot of time figuring out how to set all this up... Is it as easy as just selecting a different port? I couldn't seem to find a straight answer on this. Is it more complicated to get around this? Is it possible? I was planning on using DynDns as my ISP router has that function on it.

You don't have to use port 80; you do have to use 443. I don't use port 80 whatsoever and it works fine.

Sent from my Nokia 7.1 using Tapatalk


Hi everyone, I've searched over this thread but I've not been able to find out what I'm trying to accomplish.  I had Ombi set up on a VM already before I used this docker for LE.  Does anyone know what changes I would need to make to use the ombi.subdomain.conf file when using ombi not in a container, but on another VM?  Thanks.

19 minutes ago, ijuarez said:

You don't have to use port 80; you do have to use 443. I don't use port 80 whatsoever and it works fine.

Sent from my Nokia 7.1 using Tapatalk
 

Thank you! Okay, here we go, following spaceinvader one's guide now :)

 

The router actually supports no-ip.com, unfortunately no duckdns. Hopefully that's still okay? I figured one less thing to set up if it's running on the router?

Edited by maxse
41 minutes ago, maxse said:

So it seems from googling that my ISP blocks port 80. I watched spaceinvader one's video but figured I would ask here before I invest a lot of time figuring out how to set all this up... Is it as easy as just selecting a different port? I couldn't seem to find a straight answer on this. Is it more complicated to get around this? Is it possible? I was planning on using DynDns as my ISP router has that function on it.

If you do http validation, port 80 is required on the wan. 

 

If you do dns validation, you don't need port 80


WOW, it worked guys! First time! Boom! I guess they are not blocking port 80 after all!

 

Quick question, I am only using this for ombi right now.

I selected an option in Ombi under Authorization to enable Plex OAuth.

 

Is there any other password that I need to set for security reasons? Or is that fine? When I tested it, it goes to the ombi page and says log in with Ombi or Log in with plex... Is that enough?

 

Thanks soo much!

5 hours ago, Jclendineng said:

I looked at the dockerfile but could not find an answer.  Is it possible to tweak the nginx on here to get built with openssl 1.1.1a? (pulling the dockerfile and doing a manual install in unraid) For TLS 1.3 support.  Thanks for any advice.

Not easily, nginx comes from the alpine package repo. We are currently on the latest stable, 3.8, which uses libressl, which doesn't yet support TLS 1.3. However, the edge build of nginx is using openssl 1.1.1, which supports TLS 1.3. When 3.9 stable of alpine is released, it should support TLS 1.3 with nginx.

 

Or you _could_ try and install nginx from the edge repo inside the container but we don't support it, so don't come to us if you try and have issues.

  • Upvote 1
On 12/19/2018 at 11:43 AM, Gobs said:

@happyagnostic

 

So I only just found out what was wrong - having done what you suggested (port forwarding parameters + using Plex with the custom network) I was able to reach my plex, but it still said server unreachable. This was because I use uMatrix to prevent websites from loading scripts, and it was preventing access to plex.tv, so I disabled this and everything works fine now, I'm so happy!

 

I'm still a bit confused as to how the port forwarding works. If I understand correctly, a request goes to plex.mydomain.com through port 443, which is then forwarded to port 1443 by my router, letsencrypt / nginx receives this request then forwards it to port 32400 on the plex docker? Does that sound about right?

I posted here before about getting plex to work with a reverse proxy, I now have another problem. After rebooting my server, Nextcloud still works beautifully as before, however when I try to go to https://plex.mysubdomain.url I get a 502 bad gateway error. What logs could I look at to find out what's the problem? Any help on the matter?

1 hour ago, Gobs said:

I posted here before about getting plex to work with a reverse proxy, I now have another problem. After rebooting my server, Nextcloud still works beautifully as before, however when I try to go to https://plex.mysubdomain.url I get a 502 bad gateway error. What logs could I look at to find out what's the problem? Any help on the matter?

How did you set it up? Post your proxy conf and we'll take a look

On 1/16/2019 at 4:12 PM, sasjafor said:

Hi, I'm trying to set up a reverse-proxy for the unraid webUI. I only want it for my local network and not expose it to the internet. The main reason is to have uniform subdomains for all services on my local network and for the annoying invalid certificate warning to go away.

 

So far, I have been quite successful, but I am struggling with php files getting buffered, which is something I don't want, as for example the docker update popup box will only display text once the update is finished.

 

Here is my config so far:


server {
    listen 443 ssl;

    server_name unraid.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        fastcgi_keep_conn on;
        fastcgi_buffering off;
        proxy_buffering off;
        gzip off;

        resolver 127.0.0.11 valid=30s;
        set $upstream_unraid $REDACTED;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_pass https://$upstream_unraid:4433;
    }
}

I have simply tried to adapt one of the existing templates for the unraid UI. 

All the statements related to buffering didn't change anything. I have also tried not including /config/nginx/proxy.conf and also still no change.

 

I would be glad if someone could help me figure out why php responses still are getting buffered.

It's not recommended to reverse proxy the unraid gui. Check out this post on a solution for you. https://technicalramblings.com/blog/remotely-accessing-the-unraid-gui-with-guacamole-and-vnc-web-browser/

13 minutes ago, GilbN said:

It's not recommended to reverse proxy the unraid gui. Check out this post on a solution for you. https://technicalramblings.com/blog/remotely-accessing-the-unraid-gui-with-guacamole-and-vnc-web-browser/

I don't want it for remote access though. Only to have the nice green lock for a valid SSL cert when I access unraid via the nginx reverse-proxy LOCALLY.

2 hours ago, sasjafor said:

I don't want it for remote access though. Only to have the nice green lock for a valid SSL cert when I access unraid via the nginx reverse-proxy LOCALLY.

 


Oh, then you don't need to do it that way :)

https://youtu.be/T7iR1EbWqEk?t=1005

Edited by GilbN
3 minutes ago, GilbN said:

 

Oh, then you don't need to do it that way :)

https://youtu.be/T7iR1EbWqEk?t=1005

I already know about that way. I wanna use a subdomain of a domain I own, which will only be accessible on my local network. It's actually memorable and looks a lot cleaner than the way with the unraid subdomain. I have it all working through the letsencrypt docker, except for the fact that php files are getting buffered instead of sent synchronously to the browser.

3 minutes ago, sasjafor said:

I already know about that way. I wanna use a subdomain of a domain I own, which will only be accessible on my local network. It's actually memorable and looks a lot cleaner than the way with the unraid subdomain. I have it all working through the letsencrypt docker, except for the fact that php files are getting buffered instead of sent synchronously to the browser.

proxy_buffering off;

 

edit: I see you already have that

Edited by GilbN
1 minute ago, GilbN said:

proxy_buffering off;

 

edit: I see you already have that

I thought maybe something in /config/nginx/proxy.conf conflicts with setting proxy_buffering off, but I tried without including those config lines and it is still getting buffered. I am almost getting the feeling that there is a bug in nginx which causes this problem under my specific circumstances, unless I'm just missing something.
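
For the LAN-only unraid subdomain sasjafor is after, here is an added example site conf (not from the original post and not the linuxserver template) that refuses connections from outside the private address ranges and disables response buffering on the proxy hop. The fastcgi_* lines from the posted config are left out because they only take effect in a location that uses fastcgi_pass, so they were no-ops next to proxy_pass. The host IP and the allowed ranges are placeholders to be replaced with the real LAN values.

```nginx
# unraid.subdomain.conf (added example): same proxy as in the thread, but only
# reachable from the LAN, since the container's 443 is forwarded from the WAN
# for the other subdomains and would otherwise expose the Unraid login page.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name unraid.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # Only private (RFC 1918) source addresses may reach this server block;
    # narrow these to the subnet(s) actually in use on the LAN.
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    allow 192.168.0.0/16;
    deny  all;

    location / {
        include /config/nginx/proxy.conf;

        # Unraid runs on the host, not in a container, so 127.0.0.11 cannot
        # resolve it: point at the host's LAN IP (placeholder value).
        set $upstream_unraid 192.168.1.10;

        # Pass the upstream response through as it arrives instead of
        # collecting it first, so PHP output that is flushed early is
        # delivered to the browser early as well.
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_cache off;
        gzip off;

        # Websocket/keep-alive upgrade for the live parts of the webUI.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_pass https://$upstream_unraid:4433;
    }
}
```

Before relying on the allow list, make one connection from outside and check $remote_addr in /config/log/nginx/access.log: if the router rewrites forwarded traffic to its own LAN address, every WAN client would match the allowed ranges and the deny would never apply.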


Working with nextcloud and letsencrypt. When I was using cloudflare I had to change the file cloudflare.ini in the dns-conf folder and add my email address and api key to get things working. Changed my mind and went back to just using GoDaddy as my domain name provider. Is there an .ini file for godaddy that I have to change to get things to work.  Do I need to go into the site-conf and under the lines ###SSL Certificates & change those paths ?

Edited by cdkauffmann
add more
1 hour ago, cdkauffmann said:

Working with nextcloud and letsencrypt. When I was using cloudflare I had to change the file cloudflare.ini in the dns-conf folder and add my email address and api key to get things working. Changed my mind and went back to just using GoDaddy as my domain name provider. Is there an .ini file for godaddy that I have to change to get things to work.  Do I need to go into the site-conf and under the lines ###SSL Certificates & change those paths ?

Supported dns providers are listed in the readme. Godaddy is not one of them

On 1/18/2019 at 12:40 PM, aptalca said:

How did you set it up? Post your proxy conf and we'll take a look

The plex.subdomain.conf:

# make sure that your dns has a cname set for plex, if plex is running in bridge mode, the below config should work as is, for host mode,
# replace the line "proxy_pass https://$upstream_plex:32400;" with "proxy_pass https://HOSTIP:32400;" HOSTIP being the IP address of plex
# in plex server settings, under network, fill in "Custom server access URLs" with your domain (ie. "https://plex.yourdomain.url:443")

server {
    listen 443 ssl;

    server_name plex.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    proxy_redirect off;
    proxy_buffering off;
    
    # enable for ldap auth, fill in ldap details in ldap.conf 
    #include /config/nginx/ldap.conf;


    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_plex plex;
        proxy_pass https://$upstream_plex:32400;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
        proxy_set_header X-Plex-Device $http_x_plex_device;
        proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
        proxy_set_header X-Plex-Platform $http_x_plex_platform;
        proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
        proxy_set_header X-Plex-Product $http_x_plex_product;
        proxy_set_header X-Plex-Token $http_x_plex_token;
        proxy_set_header X-Plex-Version $http_x_plex_version;
        proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
        proxy_set_header X-Plex-Provides $http_x_plex_provides;
        proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
        proxy_set_header X-Plex-Model $http_x_plex_model;
    }
}

Nginx is listening to port 180 and 1443, since ports 80 and 443 are forwarded on my router to 180 and 1443. Both nginx and plex are running on a custom network in bridge mode.

