[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



1 hour ago, Gobs said:

The plex.subdomain.conf:


# make sure that your dns has a cname set for plex, if plex is running in bridge mode, the below config should work as is, for host mode,
# replace the line "proxy_pass https://$upstream_plex:32400;" with "proxy_pass https://HOSTIP:32400;" HOSTIP being the IP address of plex
# in plex server settings, under network, fill in "Custom server access URLs" with your domain (ie. "https://plex.yourdomain.url:443")

server {
    listen 443 ssl;

    server_name plex.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    proxy_redirect off;
    proxy_buffering off;
    
    # enable for ldap auth, fill in ldap details in ldap.conf 
    #include /config/nginx/ldap.conf;


    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_plex plex;
        proxy_pass https://$upstream_plex:32400;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
        proxy_set_header X-Plex-Device $http_x_plex_device;
        proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
        proxy_set_header X-Plex-Platform $http_x_plex_platform;
        proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
        proxy_set_header X-Plex-Product $http_x_plex_product;
        proxy_set_header X-Plex-Token $http_x_plex_token;
        proxy_set_header X-Plex-Version $http_x_plex_version;
        proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
        proxy_set_header X-Plex-Provides $http_x_plex_provides;
        proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
        proxy_set_header X-Plex-Model $http_x_plex_model;
    }
}

Nginx is listening to port 180 and 1443, since ports 80 and 443 are forwarded on my router to 180 and 1443. Both nginx and plex are running on a custom network in bridge mode.

Is your Plex container name "plex"?

Link to comment
16 hours ago, aptalca said:

Is your Plex container name "plex"?

It is. Nginx log is shown below as well. In the Nginx log I saw this:

[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready
Signal handled: Terminated.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

But again, nextcloud works while plex doesn't which is weird.

Link to comment
13 minutes ago, Gobs said:

It is. Nginx log is shown below as well. In the Nginx log I saw this:


[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready
Signal handled: Terminated.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

But again, nextcloud works while plex doesn't which is weird.

Is Plex all set up and running?

 

Also, that's not the nginx log. That's part of a docker log of a container.

Link to comment
3 hours ago, aptalca said:

Is Plex all set up and running?

 

Also, that's not the nginx log. That's part of a docker log of a container.

Yes, as in if I go to http://SERVER_IP:32400/web/index.html# I am greeted with a sign in page. I sign in and then Plex looks for servers but to no avail.

Link to comment
28 minutes ago, Gobs said:

Yes, as in if I go to http://SERVER_IP:32400/web/index.html# I am greeted with a sign in page. I sign in and then Plex looks for servers but to no avail.

Well, there is your issue. Plex was never set up. You didn't claim your server. Until then it will block reverse proxy connections.

Link to comment

An issue I've had for the past 2 weeks. I've been able to open port 80 (TCP) on my router (confirmed on http://canyouseeme.org/).

I've followed SpaceInvader's instructions and created the docker, however I'm getting a 404 error:

 

Failed authorization procedure. myserver.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://myserver.duckdns.org/.well-known/acme-challenge/BPoI7fI9FIgfwZoIV_JSMFBjr1a8u1K5ATulxHV3gXQ: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

 

This seems like it's accessing a website, but returning a 404?

Link to comment
23 hours ago, aptalca said:

Well, there is your issue. Plex was never set up. You didn't claim your server. Until then it will block reverse proxy connections.

Except I can't set it up since if I go to http://SERVER_IP:32400/web/index.html# and sign in Plex cannot find any servers.

 

EDIT: I think this is an issue with Plex. The account that originally claimed the server was deleted, but it would appear that it's still in the Plex database somehow since I cannot create an account with the same email address. I assume then that Plex still considers the server to be claimed by that account, and so won't let any other account claim it.

Edited by Gobs
Link to comment
16 hours ago, Tebasaki said:

An issue I've had for the past 2 weeks. I've been able to open port 80 (TCP) on my router (confirmed on http://canyouseeme.org/).

I've followed SpaceInvader's instructions and created the docker, however I'm getting a 404 error:

 

Failed authorization procedure. myserver.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://myserver.duckdns.org/.well-known/acme-challenge/BPoI7fI9FIgfwZoIV_JSMFBjr1a8u1K5ATulxHV3gXQ: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

 

This seems like it's accessing a website, but returning a 404?

I believe your port 80 is forwarded to your unraid gui at the moment.

Link to comment

 

 

I am trying to get letsencrypt to work with sonarr and having issues. I have my own domain [domain name].me. I am running duckdns to update the ip address. When I start letsencrypt, I am receiving the below error in the log. My domain is registered with 1and1 and I updated the cname to point to the duckdns one that was created. Created the subdomain of sonarr.[domain name].me off my domain with 1and1.

 

On my router, I have port forwarded 443 to 1443 and 80 to 180, which match the settings in the docker container.  

 

Any ideas on what is going on?  Please note I am pretty new to UnRaid and dockers and have been struggling with this part of the setup.  After removing and reinstalling the dockers, I am still having the same issues.  

 

 

Error that I am receiving...

 

Failed authorization procedure. sonarr.[domain name].me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sonarr.[domain name].me/.well-known/acme-challenge/mkUMG7gEgQDiPpXRxeaGRx-u--T16bUbDGzCOdxwh94 [2607:f1c0:100f:f000::2fa]: 204

 

- The following errors were reported by the server:

Domain: sonarr.[domain name].me
Type: unauthorized
Detail: Invalid response from
http://sonarr.[domain name].me/.well-known/acme-challenge/mkUMG7gEgQDiPpXRxeaGRx-u--T16bUbDGzCOdxwh94
[2607:f1c0:100f:f000::2fa]: 204

 

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Link to comment
1 hour ago, JohnSracic said:

 

 

I am trying to get letsencrypt to work with sonarr and having issues. I have my own domain [domain name].me. I am running duckdns to update the ip address. When I start letsencrypt, I am receiving the below error in the log. My domain is registered with 1and1 and I updated the cname to point to the duckdns one that was created. Created the subdomain of sonarr.[domain name].me off my domain with 1and1.

 

On my router, I have port forwarded 443 to 1443 and 80 to 180, which match the settings in the docker container.  

 

Any ideas on what is going on?  Please note I am pretty new to UnRaid and dockers and have been struggling with this part of the setup.  After removing and reinstalling the dockers, I am still having the same issues.  

 

 

Error that I am receiving...

 

Failed authorization procedure. sonarr.[domain name].me (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://sonarr.[domain name].me/.well-known/acme-challenge/mkUMG7gEgQDiPpXRxeaGRx-u--T16bUbDGzCOdxwh94 [2607:f1c0:100f:f000::2fa]: 204

 

- The following errors were reported by the server:

Domain: sonarr.[domain name].me
Type: unauthorized
Detail: Invalid response from
http://sonarr.[domain name].me/.well-known/acme-challenge/mkUMG7gEgQDiPpXRxeaGRx-u--T16bUbDGzCOdxwh94
[2607:f1c0:100f:f000::2fa]: 204

 

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Either your ip or your port forwarding is incorrect. Letsencrypt servers get a response, but it's not from the letsencrypt container.

Link to comment
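Both certbot failures quoted above (the nginx 404 page in Tebasaki's post and the bare 204 from an IPv6 responder in JohnSracic's post) are cases of something other than the SWAG container answering the HTTP-01 probe, which is what aptalca's replies point at. As an added example that is not from the thread or the linuxserver.io project, this Python script parses a certbot "Failed authorization procedure" line and reports which address answered and what that implies; the sample lines are constructed copies of the quoted ones, with the redacted domain replaced by a made-up name.

```python
import re

# Constructed samples modelled on the two certbot failures quoted in this thread
# (the second domain is a made-up stand-in for the redacted one).
SAMPLE_404 = (
    'Failed authorization procedure. myserver.duckdns.org (http-01): '
    'urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: '
    'Invalid response from http://myserver.duckdns.org/.well-known/acme-challenge/'
    'BPoI7fI9FIgfwZoIV_JSMFBjr1a8u1K5ATulxHV3gXQ: '
    '"<html>\\r\\n<head><title>404 Not Found</title></head>\\r\\n<body bgcolor=\\"white\\">"'
)
SAMPLE_204 = (
    'Failed authorization procedure. sonarr.example.me (http-01): '
    'urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: '
    'Invalid response from http://sonarr.example.me/.well-known/acme-challenge/'
    'mkUMG7gEgQDiPpXRxeaGRx-u--T16bUbDGzCOdxwh94 [2607:f1c0:100f:f000::2fa]: 204'
)

# domain, challenge type, fetched URL, optional "[responder address]:", then either
# a bare HTTP status or a quoted response body.
LINE_RE = re.compile(
    r'Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): '
    r'(?P<error>urn:ietf:params:acme:error:\w+) :: .*?Invalid response from '
    r'(?P<url>\S+?):?\s*(?:\[(?P<addr>[^\]]+)\]:\s*)?(?:(?P<status>\d{3})|"(?P<body>.*)")'
)


def diagnose(line):
    """Parse one 'Failed authorization procedure' line into fields plus hints."""
    m = LINE_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    status = int(d['status']) if d['status'] else None
    if status is None and d['body']:  # status sits inside the HTML when a web server answered
        found = re.search(r'\b(\d{3})\b', d['body'])
        status = int(found.group(1)) if found else None
    d['status'] = status
    d['responder_ipv6'] = bool(d['addr'] and ':' in d['addr'])
    hints = []
    if d['challenge'] == 'http-01':
        if status == 404:
            hints.append('a web server answered on port 80 but has no /.well-known/acme-challenge/ '
                         'route: the port-80 forward most likely lands on another HTTP service')
        elif status == 204:
            hints.append('204 No Content is not a challenge response the container serves: '
                         'the public IP or the port-80 forward points somewhere else')
        elif status is None:
            hints.append('no HTTP status found: check that port 80 reaches the host at all')
    if d['responder_ipv6']:
        hints.append('the CA validated over IPv6 (AAAA record): make sure AAAA and any IPv6 '
                     'firewall rule point at the same host as the A record')
    d['hints'] = hints
    return d
```

Run it over the lines copied from the container's log: a responder address in brackets that is not your public IP, or a status the SWAG container would never serve, is the clue to check before touching the nginx configs.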

Hello fellow unRAID users,

 

first I'd like to thank the Linuxserver-Team for the great work with this and all the other containers.

 

I have one small question:

- Will there be added TLS 1.3 support in the future? If yes, do you have an ETA?

 

Reason behind my question: I would like to use TLS 1.3 for my services running on unRAID. I'd like to avoid creating my own letsencrypt container as I really like the easy-to-use letsencrypt container provided by the Linuxserver-Team.

 

Thank you very much in advance and kind regards,

 

bioneye

Link to comment
On 1/23/2019 at 11:52 AM, aptalca said:

Either your ip or your port forwarding is incorrect. Letsencrypt servers get a response, but it's not from the letsencrypt container.

@aptalca, first I want to say thank you for your help.  

 

As you mentioned, there was an issue with the DDNS not updating the subdomain.  Finally got that figured out.  Now I have an issue with sonarr and radarr.  When I navigate to the https://sonarr.[domainname].me, I get the login page for sonarr and radarr both, but after logging in it just spins (the 4 little dots across the screen).  If I click the WebUI from either of these dockers, it works as it should.  Any idea what would cause this? 

 

Figured it out...  since I was using the binhex version of sonarr and radarr, I changed the one line in the configs but overlooked the line for the api. All working now. 

 

Edited by JohnSracic
Link to comment
5 hours ago, bioneye said:

Hello fellow unRAID users,

 

first I'd like to thank the Linuxserver-Team for the great work with this and all the other containers.

 

I have one small question:

- Will there be added TLS 1.3 support in the future? If yes, do you have an ETA?

 

Reason behind my question: I would like to use TLS 1.3 for my services running on unRAID. I'd like to avoid creating my own letsencrypt container as I really like the easy-to-use letsencrypt container provided by the Linuxserver-Team.

 

Thank you very much in advance and kind regards,

 

bioneye

It needs a newer version of nginx that is not yet released for alpine stable. When it is released, our image will use it.

Link to comment
It's forwarded to my unraid server port 80, yes.

Might you have a way of setting up a VPN on your server, to separate the public and internal parts of your unRAID system, Tebasaki?

 

I have my unRAID webUI running at port 8008 of my VPN, so I can access it at (in my case) 10.0.195.2:8008 *only* after connecting with OpenVPN, and as far as public access goes, *only* port 80 is exposed for my static IP address which points to letsencrypt’s Nginx server.

 

That way you could safely SFTP, SSH, and do everything you need to do “under the hood”, with minimal public exposure of your unRAID server.

 

 

Link to comment

Hi there

 

I'm trying to get a wildcard cert using Cloudflare but it keeps giving this error. I’ve checked the API key, even regenerated a new one, but it just keeps giving the same error every time. Is there anything you can suggest trying? 👍

 

Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=jaxnet.uk
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=4096
VALIDATION=dns
DNSPLUGIN=cloudflare
[email protected]
STAGING=

4096 bit DH parameters present
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of domain.net will be requested
E-mail address entered: [email protected]
dns validation via cloudflare plugin is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for domain.net
Cleaning up challenges
Error determining zone_id: 0 connection failed.. Please confirm that you have supplied valid Cloudflare API credentials.

Edited by jack0w
Link to comment
1 hour ago, jack0w said:

Hi there

 

I'm trying to get a wildcard cert using Cloudflare but it keeps giving this error. I’ve checked the API key, even regenerated a new one, but it just keeps giving the same error every time. Is there anything you can suggest trying? 👍

 

Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=jaxnet.uk
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=4096
VALIDATION=dns
DNSPLUGIN=cloudflare
[email protected]
STAGING=

4096 bit DH parameters present
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of jaxnet.uk will be requested
E-mail address entered: [email protected]
dns validation via cloudflare plugin is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for jaxnet.uk
Cleaning up challenges
Error determining zone_id: 0 connection failed.. Please confirm that you have supplied valid Cloudflare API credentials.

Make sure you're using the global API key and not the other one. It's a bit confusing to get to the global API key on the Cloudflare interface.

 

Also make sure that you're copying and pasting correctly and not missing or introducing characters.

  • Like 1
Link to comment
4 hours ago, truetype said:

When I try to connect to my site via subdomain.domain.com it says that the certificate has expired since 26th january. When I restart letsencrypt it does not automatically renew. Can I run a command to force it to renew?

Check the logs under letsencrypt folder to see why the renewals failed the last 30 nights

Link to comment
4 hours ago, aptalca said:

Check the logs under letsencrypt folder to see why the renewals failed the last 30 nights

Thanks for the reply. Seems to be a failure with fullchain.pem, and also a firewall problem, but I haven't changed any firewall settings during the last 6 months...

See log here please https://pastebin.com/UnEP0a4B

 

EDIT: Maybe it has to do with the cname configuration at my domain provider? I set my domain as a cname to duckdns, that's the only change I made in the past 2 months.

Edited by truetype
Link to comment

I’m getting ready to set up a reverse proxy for my Tautulli and Ombi containers but I wanted to see where I should buy my domain first. I know it’s possible to just use DuckDNS as a solution but I wanted a cheap domain that my parents would remember. I was thinking under $5 for the year.

 

I’m going to follow spaceinvader one’s guide on YouTube so if anyone has any advice, I’d greatly appreciate that as well.

Link to comment
1 hour ago, ramblinreck47 said:

I’m getting ready to set up a reverse proxy for my Tautulli and Ombi containers but I wanted to see where I should buy my domain first. I know it’s possible to just use DuckDNS as a solution but I wanted a cheap domain that my parents would remember. I was thinking under $5 for the year.

 

I’m going to follow spaceinvader one’s guide on YouTube so if anyone has any advice, I’d greatly appreciate that as well.

Namecheap is my default go-to provider, using Cloudflare as DNS.

Link to comment
