[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



3 days ago I posted a question here about how Nginx in the letsencrypt docker can be made to do what the .htaccess files on Apache do.

My programmer is moving a database driven site of mine from Bluehost to my unRAID server, running the letsencrypt and mariadb dockers, and had this .htaccess file:

<ifmodule mod_rewrite.c>
    RewriteEngine on
    RewriteBase /
    RewriteCond %{REQUEST_URI} ^system.*
    RewriteRule ^(.*)$ /index.php/$1 [L]
    RewriteCond %{REQUEST_FILENAME} !-f
    RewriteCond %{REQUEST_FILENAME} !-d
    RewriteRule ^(.*)$ index.php?/$1 [L]
</ifmodule>

until realising that Nginx does not read/obey .htaccess (at least that's how I understood it).

I think he said that he needs to enable mod_rewrite.

Does anyone know how this can be accomplished with Nginx?
I hope to find an answer soon, as I don't want to have to pay for yet another month of Bluehost cloud hosting. 😕
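Nginx has no per-directory .htaccess; the equivalent rules live in the site's server block, which in SWAG is the file under /config/nginx/site-confs (the exact file name and the server_name/root values below are assumptions). The following is an added translation of the .htaccess above, not the poster's or linuxserver.io's own config. Note that the first Apache condition as written (`%{REQUEST_URI} ^system.*`) never matches in Apache because REQUEST_URI begins with a slash; the nginx version matches the `/system` prefix it was evidently meant to cover.

```nginx
# Added example (not from the thread or from linuxserver.io): the .htaccess
# above expressed as nginx directives inside the site's server block, e.g.
# /config/nginx/site-confs/default in SWAG. server_name and root are placeholders.
server {
    listen 443 ssl;
    server_name example.com;          # placeholder
    root /config/www/mysite;          # placeholder document root
    index index.php index.html;

    # RewriteCond %{REQUEST_URI} ^system.*  +  RewriteRule ^(.*)$ /index.php/$1 [L]
    # Requests under /system go to the front controller instead of the
    # framework's own directory being served directly.
    location ~ ^/system(/|$) {
        rewrite ^/(.*)$ /index.php/$1 last;
    }

    # RewriteCond !-f, !-d  +  RewriteRule ^(.*)$ index.php?/$1 [L]
    # Serve a real file or directory if one exists; otherwise hand the request
    # to index.php with the original path after the '?', as the .htaccess did.
    location / {
        try_files $uri $uri/ /index.php?/$request_uri;
    }

    # PHP-FPM handler (SWAG runs php-fpm on 127.0.0.1:9000).
    location ~ \.php(/|$) {
        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
        # Only execute scripts that really exist on disk, so a request whose
        # path merely ends in .php is answered with 404 instead of being
        # passed to PHP-FPM (the classic cgi.fix_pathinfo problem).
        try_files $fastcgi_script_name =404;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $fastcgi_path_info;
    }
}
```

After editing, run `nginx -t` inside the container before restarting it; a syntax error in a site-conf stops nginx entirely, which also stops certificate renewal via the http-01 challenge. Because every unknown path is routed to index.php, the application's own routing is what decides which paths are reachable, so keep that routing strict.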
 

3 hours ago, Marv said:

 

I have the same problem: I got an email that my cert is going to expire.

I didn't change anything in my docker config for over a year so I don't really know what was causing this.

 

So I tried adding a subdomain in the container settings, which triggered a cert renewal.

But I still have the problem that the renewal process is somehow not working properly.

When checking the letsencrypt logfile it didn't get changed for more than 20 days now.

This is the last entry:

 


cronjob running on Sat Jan 19 02:08:00 CET 2019
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/xxxxxxxserver.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/xxxxxxxserver.com/fullchain.pem expires on 2019-02-18 (skipped)
No renewals were attempted.
No hooks were run.

Even the manual renewal by adding a subdomain did not trigger a log entry.

What's going on here?

Are you sure you're looking in the right place?

 

That log entry is from Jan 19th

 

What does your docker log say after changing the subdomains?

8 hours ago, aptalca said:

Are you sure you're looking in the right place?

 

That log entry is from Jan 19th

 

What does your docker log say after changing the subdomains?

 

I'm looking in /config/log/letsencrypt/letsencrypt.log

 

After another try changing the subdomains the logfile got updated again.

I don't know why it wasn't working before. But it seems to be solved somehow.

<------------------------------------------------->

<------------------------------------------------->
cronjob running on Mon Feb 11 20:09:20 AEDT 2019
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/[...]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: if ps aux | grep [n]ginx: > /dev/null; then s6-svc -d /var/run/s6/services/nginx; fi
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for [...]
http-01 challenge for www.[...]
Waiting for verification...
Cleaning up challenges
Attempting to renew cert ([...]) from /etc/letsencrypt/renewal/[...].conf produced an unexpected error: Failed authorization procedure. [...] (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://[...]/.well-known/acme-challenge/[...]: Timeout during connect (likely firewall problem), www.[...] (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://[...]/.well-known/acme-challenge/T9kiSatf7ElU1UhFQHSwUAG4udfx58cCUOkRiXQ8Rac: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/[...]/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/[...]/fullchain.pem (failure)

Hi guys, my cert expired so I checked out my logs and saw failures. Sensitive details replaced with [...].

 

I manually executed the update script a couple times and got the above, same as the cron-executed ones.

 

I have been able to use this config for well over a year with no worries (and no changes on my part!), not sure what to do. I can still access my configured domain remotely on 443 like always, just now I get a cert error.

 

Any ideas? Anyone else unable to renew for the same reason? Should I just nuke the container and reinstall it? Cheers.

1 hour ago, andrew207 said:

<------------------------------------------------->

<------------------------------------------------->
cronjob running on Mon Feb 11 20:09:20 AEDT 2019
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/[...]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: if ps aux | grep [n]ginx: > /dev/null; then s6-svc -d /var/run/s6/services/nginx; fi
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for [...]
http-01 challenge for www.[...]
Waiting for verification...
Cleaning up challenges
Attempting to renew cert ([...]) from /etc/letsencrypt/renewal/[...].conf produced an unexpected error: Failed authorization procedure. [...] (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://[...]/.well-known/acme-challenge/[...]: Timeout during connect (likely firewall problem), www.[...] (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://[...]/.well-known/acme-challenge/T9kiSatf7ElU1UhFQHSwUAG4udfx58cCUOkRiXQ8Rac: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/[...]/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/[...]/fullchain.pem (failure)

Hi guys, my cert expired so I checked out my logs and saw failures. Sensitive details replaced with [...].

 

I manually executed the update script a couple times and got the above, same as the cron-executed ones.

 

I have been able to use this config for well over a year with no worries (and no changes on my part!), not sure what to do. I can still access my configured domain remotely on 443 like always, just now I get a cert error.

 

Any ideas? Anyone else unable to renew for the same reason? Should I just nuke the container and reinstall it? Cheers.

Looks like you are doing http verification. Make sure port 80 is open or switch to using DNS verification instead.
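The two log excerpts in this thread show the two outcomes `certbot renew` reports: a lineage that is "not yet due" with an expiry date, and one whose http-01 challenge failed with `urn:ietf:params:acme:error:connection` because the validation server could not reach port 80. The following added example (mine, not code from certbot, linuxserver.io or any post above) parses that output into per-certificate results and flags what an operator should act on, so the failure is noticed before the certificate actually expires rather than from the expiry e-mail. The sample log is constructed from the excerpts above with example.com/example.org in place of the redacted domains.

```python
"""Parse ``certbot renew`` output (what the SWAG/letsencrypt container's cron
job writes to letsencrypt.log) into per-certificate results a monitor can
alert on. Added example for this thread; not part of certbot or linuxserver.io."""
import re
from datetime import date

# Lines certbot prints per lineage; the live path doubles as the result key.
SKIPPED_RE = re.compile(
    r"^\s*(?P<path>/etc/letsencrypt/live/[^/\s]+/fullchain\.pem) "
    r"expires on (?P<date>\d{4}-\d{2}-\d{2}) \(skipped\)")
FAILURE_RE = re.compile(
    r"^\s*(?P<path>/etc/letsencrypt/live/[^/\s]+/fullchain\.pem) \(failure\)")
ERROR_RE = re.compile(
    r"Attempting to renew cert \((?P<name>[^)]+)\).*?produced an unexpected error: (?P<msg>.*)$")
ACME_TYPE_RE = re.compile(r"urn:ietf:params:acme:error:(?P<type>[A-Za-z]+)")

# What the most common ACME error types mean for the container operator.
HINTS = {
    "connection": "Let's Encrypt could not reach port 80 (http-01): check the "
                  "port forward and firewall, or switch to DNS validation",
    "dns": "the domain did not resolve from the outside: check the A/CNAME record",
}


def parse_renew_log(text):
    """Return {live_path: {"status", "expires", "error_type", "hint"}} for one run.

    certbot repeats the 'could not be renewed' summary, so the failure line can
    appear twice in a log; keying on the path dedupes it.
    """
    errors_by_name = {}  # lineage name -> ACME error type
    results = {}
    for line in text.splitlines():
        m = ERROR_RE.search(line)
        if m:
            t = ACME_TYPE_RE.search(m.group("msg"))
            errors_by_name[m.group("name")] = t.group("type") if t else "unknown"
            continue
        m = SKIPPED_RE.match(line)
        if m:
            results[m.group("path")] = {"status": "skipped",
                                        "expires": date.fromisoformat(m.group("date")),
                                        "error_type": None, "hint": None}
            continue
        m = FAILURE_RE.match(line)
        if m:
            path = m.group("path")
            name = path.split("/")[4]  # /etc/letsencrypt/live/<name>/fullchain.pem
            etype = errors_by_name.get(name, "unknown")
            results[path] = {"status": "failure", "expires": None, "error_type": etype,
                             "hint": HINTS.get(etype, "read the full letsencrypt.log")}
    return results


def needs_attention(results, today, warn_days=14):
    """List (path, reason) pairs to alert on; ``today`` is an ISO date string.

    A failed renewal always counts. A skipped cert that expires within
    warn_days also counts: certbot renews 30 days out, so a skipped cert that
    close to expiry means earlier runs were failing or not happening at all.
    """
    today = date.fromisoformat(today)
    alerts = []
    for path, r in results.items():
        if r["status"] == "failure":
            alerts.append((path, f"renewal failed ({r['error_type']}): {r['hint']}"))
        else:
            left = (r["expires"] - today).days
            if left <= warn_days:
                alerts.append((path, f"skipped but expires in {left} days"))
    return alerts


# Constructed sample modelled on the two log excerpts in this thread.
SAMPLE_LOG = """\
cronjob running on Mon Feb 11 20:09:20 AEDT 2019
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.com.conf
Cert not yet due for renewal
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/example.org.conf
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
http-01 challenge for example.org
Attempting to renew cert (example.org) from /etc/letsencrypt/renewal/example.org.conf produced an unexpected error: Failed authorization procedure. example.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://example.org/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/example.com/fullchain.pem expires on 2019-02-18 (skipped)
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/example.org/fullchain.pem (failure)
"""

if __name__ == "__main__":
    for path, reason in needs_attention(parse_renew_log(SAMPLE_LOG), "2019-02-11"):
        print(path, "->", reason)
```

Run against the real file (`/config/log/letsencrypt/letsencrypt.log` on the host side, as Marv notes above) from a host cron job, and the `connection` hint would have pointed straight at the closed port 80 that aptalca identifies. A cert that still shows "skipped" with a week left is the other symptom worth alerting on: it means the cron job inside the container has not been reaching certbot for a while.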


I believe the issue I am having is with letsencrypt. If I hit say my sonarr or radarr website (sonarr.domain.me, radarr.domain.me) outside of my network the page comes up as it should. If I hit the website within my network (Wi-Fi or wired connection) I receive the page cannot be displayed error. This was working but stopped after one of the docker updates. Anyone else experience this or have any ideas how to fix it?

 

If I ping the website address from a terminal window on unraid, it does return the ping correctly. I also verified that port 443 is routed to port 1443 and port 80 is routed to 180 on my router.

8 minutes ago, JohnSracic said:

If I hit say my sonarr or radarr website (sonarr.domain.me, radarr.domain.me) outside of my network the page comes up as it should. If I hit the website within my network (Wi-Fi or wired connection) I receive the page cannot be displayed error.

Typically that is a function of your router. Google nat loopback, hairpinning, or reflection combined with your router model.

15 minutes ago, jonathanm said:

Typically that is a function of your router. Google nat loopback, hairpinning, or reflection combined with your router model.

 

14 minutes ago, Taddeusz said:

You need to set up your router for hair pinning or a custom DNS entry that points your public addresses to your private IP address while inside your network.

 

Thank you both for your response. Googled what you said and it appears that my $500 router (eero) does not support this. With that being said, I have two questions.

 

1.  Why did this work at first then stop working? 

 

2.  Would you know a work around since my router does not support it? 

 

Thanks! 

8 hours ago, JohnSracic said:

 Would you know a work around since my router does not support it?

Override the DNS entry on your local machines to point the domain to the correct IP.

 

I find it difficult to believe that your router won't let you set a custom DNS entry, but if not, then you can set it in the hosts file on the local machine.

10 minutes ago, jonathanm said:

Override the DNS entry on your local machines to point the domain to the correct IP.

 

I find it difficult to believe that your router won't let you set a custom DNS entry, but if not, then you can set it in the hosts file on the local machine.

I actually just looked at this and it allows me to do a custom DNS entry, but I'm sort of confused as the network aspect of things is not my area of expertise. If I make the custom DNS change on the router, how would you do this correctly? How would I make this change? Below are screen captures of my router configuration pages for DNS.

 

The first capture is the default directed to the ISP. The second capture is if I click on custom. 

 

13 minutes ago, JohnSracic said:

I actually just looked at this and it allows me to do a custom DNS entry

Yeah, that's not the change you need to make. I took a look at eero, and apparently you are not alone in your issues. I don't see any way to do that in your router; it's going to have to be changed in your local machines' hosts file.

 

As to why it worked before and now it doesn't, I suspect the eero did an update and broke nat reflection. Some routers have the feature without it being configurable.

25 minutes ago, jonathanm said:

Yeah, that's not the change you need to make. I took a look at eero, and apparently you are not alone in your issues. I don't see any way to do that in your router; it's going to have to be changed in your local machines' hosts file.

 

As to why it worked before and now it doesn't, I suspect the eero did an update and broke nat reflection. Some routers have the feature without it being configurable.

 

I did the initial search last evening once I saw your post and saw what you did. Then looked at it this morning and saw the custom DNS and thought that may work. I'm pretty surprised that eero does not support this since the hardware is $500. From what I have read, it's been an issue for 2+ years with no timeline or word on whether they are going to include it. Would love to just throw it out and buy something different but the wife would not be happy. The more I get into network changes and the unraid dockers, it appears the eero does not have a lot of the advanced network settings.

 

Regardless, thank you for your help with this. I understand the local machine hosts file.  How would you make the change on iPhones and iPads? 

1 hour ago, JohnSracic said:

 

I did the initial search last evening once I saw your post and saw what you did. Then looked at it this morning and saw the custom DNS and thought that may work. I'm pretty surprised that eero does not support this since the hardware is $500. From what I have read, it's been an issue for 2+ years with no timeline or word on whether they are going to include it. Would love to just throw it out and buy something different but the wife would not be happy. The more I get into network changes and the unraid dockers, it appears the eero does not have a lot of the advanced network settings.

 

Regardless, thank you for your help with this. I understand the local machine hosts file.  How would you make the change on iPhones and iPads? 

Kind of an advanced trick so don't expect any further support from me, but you could potentially use a separate dns server like pi-hole where you would tell eero to use that as a custom dns. Pi-hole is more configurable.

 

It seems this guy did just that: https://discourse.pi-hole.net/t/redirect-dyndns-conditionally-no-nat-loopback-owncloud/2846


I had to restore my appdata using the backup/restore plugin and after doing so my letsencrypt container isn't working.  I'm getting the following message over and over in the log:

nginx: [emerg] PEM_read_bio_X509_AUX("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:09FFF06C:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE)

 

EDIT:  Recreating the container fixed the issue.

3 hours ago, IamSpartacus said:

I had to restore my appdata using the backup/restore plugin and after doing so my letsencrypt container isn't working.  I'm getting the following message over and over in the log:


nginx: [emerg] PEM_read_bio_X509_AUX("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:09FFF06C:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE)

 

EDIT:  Recreating the container fixed the issue.

Likely the symlinks got messed up during the restore process. How exactly did you restore?


Hello, I need your help to figure this out.

I installed the plugin following Spaceinvader One youtube video.
At first, I wanted access to my Home-Assistant (unraid Docker) from the outside. It works!!!

When I try to connect using the server IP 192.168.2.XXX:8123 (Home Assistant port) it doesn't work. (Local Network)

I tried to connect NodeRed (unraid Docker) to Home-Assistant container, same issue, no connection. (Local Network)

 

Do you have an idea what the problem is? Should I modify / add something in the nginx config file (see attached)?
For info, I created a network called Proxynet (like spaceinvader video).
 

Thanks for your help! I'm lost...
 

Max

Hi Speedmax

For local access you are not going through nginx. When you use 192.168.*.* the settings you need to look at are your docker container port mapping. Can you share the docker config?

17 minutes ago, speedmax1979 said:

I took a picture with advance view on.


It looks like you are not exposing any ports to the outside.  It works for nginx because the traffic goes through proxynet, the custom network interface.

 

In HomeAutomation, add a port mapping with the + at the bottom of the container settings. Map 8123 to 8123. You are telling docker to let requests that hit your unraid server on port 8123 through to the HomeAutomation container on port 8123.

9 minutes ago, Gog said:

It looks like you are not exposing any ports to the outside.  It works for nginx because the traffic goes through proxynet, the custom network interface.

 

In HomeAutomation, add a port mapping with the + at the bottom of the container settings. Map 8123 to 8123. You are telling docker to let requests that hit your unraid server on port 8123 through to the HomeAutomation container on port 8123.

Can you show me an example config? Not sure how to do this...

I'm pretty new with docker stuff. But.. I like this!!!
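The unRAID template does the same thing with the + button Gog describes, but the two settings involved are easier to see written out. The following is an added docker-compose rendering of that setup, not the poster's template or anything from linuxserver.io; the image name, container name, volume path and the `proxynet` network name (from the thread) are placeholders or assumptions.

```yaml
# Added example (not the poster's config or linuxserver.io's): a container
# that is both reachable by SWAG over the custom network AND reachable from
# the LAN by host IP. Image and paths are placeholders.
version: "3"
services:
  homeassistant:
    image: homeassistant/home-assistant   # placeholder; use the template's image
    container_name: HomeAutomation
    networks:
      - proxynet      # SWAG and NodeRed on this network reach it as http://HomeAutomation:8123
    ports:
      - "8123:8123"   # publishes host port 8123 -> container 8123 for LAN clients (192.168.2.x:8123)
    volumes:
      - /mnt/user/appdata/homeassistant:/config   # placeholder path

networks:
  proxynet:
    external: true    # the network created beforehand with `docker network create proxynet`
```

Two consequences worth keeping in mind. Traffic to the published port bypasses nginx, so it gets none of the TLS, access rules or fail2ban protection SWAG applies; that is fine for LAN use as long as the router does not forward 8123 from the internet. And because NodeRed is on `proxynet` too, it does not need the published port at all: it can talk to the container directly by name, which keeps that traffic off the host's interface entirely. A quick check after the change is `docker port HomeAutomation`, which lists exactly what the container publishes.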
