[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Hi All - While trying to set up Nextcloud with Letsencrypt (Spaceinvader One Method) - I get the following error from the Letsencrypt Log, and really have no idea what to do:

 

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

 

And when I access Nextcloud from WAN, I just see: "Welcome to Server"

 

Please advise :)

 

Best,

Link to comment
2 hours ago, IWasJustHere said:

Hi All - While trying to set up Nextcloud with Letsencrypt (Spaceinvader One Method) - I get the following error from the Letsencrypt Log, and really have no idea what to do:

 

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

 

And when I access Nextcloud from WAN, I just see: "Welcome to Server"

 

Please advise :)

 

Best,

That error is harmless unless you run anything Lua, which nextcloud doesn't. So you set something up wrong.

Link to comment
On 5/11/2019 at 6:02 PM, aptalca said:

That's an unrelated issue due to the alpine lua package. No fix for that yet, but it's not the cause of your proxy issue

[SOLVED] You sir - are a champion! I hired a consultant who couldn't figure it out either. Turns out, the Nextcloud conf file I didn't rename correctly! (need to learn Krusader better)

Link to comment
On 5/14/2019 at 3:08 PM, aptalca said:

Yes, edit the proxy confs to uncomment the relevant lines. Instructions in there.

 

If you're going to use http auth, first generate the .htpasswd as described in the readme

Which is the proxy conf data?

Link to comment

Hi all, I've recently started having an issue where HTTP traffic is not auto-redirected to HTTPS. I'm not sure exactly when this issue started happening, but the code I'm using to do that hasn't changed in my config, and now I'm finding that it's not working.

 

 

# REDIRECT TRAFFIC TO HTTPS
server {
	listen 80;

	server_name www.domain.com; 
	return https://www.domain.com$request_uri;
	
}

I've tried this both with and without the www. in the server_name entry. 

For aesthetic reasons I like the redirect to always be https://www.domain.com.

 

Is there some other way I should be doing this redirect?

Link to comment
3 hours ago, CorneliousJD said:

Hi all, I've recently started having an issue where HTTP traffic is not auto-redirected to HTTPS. I'm not sure exactly when this issue started happening, but the code I'm using to do that hasn't changed in my config, and now I'm finding that it's not working.

 

 


# REDIRECT TRAFFIC TO HTTPS
server {
	listen 80;

	server_name www.domain.com; 
	return https://www.domain.com$request_uri;
	
}

I've tried this both with and without the www. in the server_name entry. 

For aesthetic reasons I like the redirect to always be https://www.domain.com.

 

Is there some other way I should be doing this redirect?

Change that section back to the defaults: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/default#L5-L10

 

Right now it is only catching www.domain.com and it's redirecting it to www.domain.com on 443.

 

The defaults catch everything and redirect it to the https version of whatever's requested.

 

Then you can create a second block where it listens on 443, the server name is domain.com and redirects to www.domain.com

Edited by aptalca
Link to comment
14 minutes ago, aptalca said:

Change that section back to the defaults: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/default#L5-L10

 

Right now it is only catching www.domain.com and it's redirecting it to www.domain.com on 443.

 

The defaults catch everything and redirect it to the https version of whatever's requested

 

Thanks, I think I had messed with that because of the www aesthetic I wanted but I can certainly live without that as long as it properly works. Just updated this and it seems to, although I think the 301 redirect on my PC was working for a while and I didn't notice it until I tried from another device. Will do more in-depth testing with things set back to default.

 

Thanks!

Link to comment
7 hours ago, CorneliousJD said:

 

Thanks, I think I had messed with that because of the www aesthetic I wanted but I can certainly live without that as long as it properly works. Just updated this and it seems to, although I think the 301 redirect on my PC was working for a while and I didn't notice it until I tried from another device. Will do more in-depth testing with things set back to default.

 

Thanks!

Edited my post above to add info on how to get redirect to www working.

 

What you want to do is, only catch the naked domain and redirect it to www. You don't want ombi.domain.com to redirect to www.domain.com

Link to comment
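
The layout described in the two replies above, written out as an added example (not part of the original posts and not the project's own default file): a catch-all block on port 80 that redirects every host to its own HTTPS address, and a 443 block that matches only the naked domain and redirects it to www. `domain.com` is the placeholder used in the thread; `/config/nginx/ssl.conf`, `root /config/www` and the `index` line are taken from other confs quoted in this thread and are assumed to apply here.

```nginx
# Added example; domain.com is the thread's placeholder domain.

# 1) Plain HTTP catch-all.
#    "server_name _" matches no real host; being the only block on port 80
#    makes it the default for every Host header, so domain.com,
#    www.domain.com and ombi.domain.com are each redirected to the HTTPS
#    version of whatever was requested.
server {
    listen 80;
    listen [::]:80;
    server_name _;
    return 301 https://$host$request_uri;
}

# 2) Naked domain only, over HTTPS: redirect to www.
#    The exact server_name (no wildcard) keeps subdomains such as
#    ombi.domain.com out of this block.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name domain.com;

    # Assumption: certificate and TLS settings come from this include, as in
    # the proxy confs quoted in this thread. The certificate has to cover
    # domain.com itself, otherwise the browser shows a certificate warning
    # before it ever receives the redirect.
    include /config/nginx/ssl.conf;

    return 301 https://www.domain.com$request_uri;
}

# 3) The site itself, served only under www.domain.com.
#    Assumption: static content under /config/www, as in the conf quoted
#    later in this thread.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name www.domain.com;

    include /config/nginx/ssl.conf;

    root /config/www;
    index index.html index.htm index.php;

    location / {
        try_files $uri $uri/ =404;
    }
}
```

Browsers cache 301 responses, so a redirect that appears to work on one PC may be a cached answer; check changes with `curl -I http://domain.com/` or from a device that has not visited the site before.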
20 hours ago, aptalca said:

I.e. nextcloud.subdomain.conf

I don't see something that can help me to set password protection:

 

# make sure that your dns has a cname set for nextcloud
# assuming this container is called "letsencrypt", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
#  'trusted_proxies' => ['letsencrypt'],
#  'overwrite.cli.url' => 'https://nextcloud.your-domain.com/',
#  'overwritehost' => 'nextcloud.your-domain.com',
#  'overwriteprotocol' => 'https',
#
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
#  array (
#    0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
#    1 => 'nextcloud.your-domain.com',
#  ),

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name nextcloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
}

 

Another question:
Let's Encrypt network settings go over bridge 192.168.3.3. If I add Dokuwiki, for example, in the config with the same bridge IP 192.168.3.3, then it works (both over bridge). If I give Dokuwiki its own address like 192.168.3.4, it doesn't work. Why can't Let's Encrypt just forward the requests to another IP?

Edited by Abigel
extra question
Link to comment
2 hours ago, Abigel said:

I don't see something that can help me to set password protection:

 


# make sure that your dns has a cname set for nextcloud
# assuming this container is called "letsencrypt", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
#  'trusted_proxies' => ['letsencrypt'],
#  'overwrite.cli.url' => 'https://nextcloud.your-domain.com/',
#  'overwritehost' => 'nextcloud.your-domain.com',
#  'overwriteprotocol' => 'https',
#
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
#  array (
#    0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
#    1 => 'nextcloud.your-domain.com',
#  ),

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name nextcloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
}

 

Another question:
Let's Encrypt network settings go over bridge 192.168.3.3. If I add Dokuwiki, for example, in the config with the same bridge IP 192.168.3.3, then it works (both over bridge). If I give Dokuwiki its own address like 192.168.3.4, it doesn't work. Why can't Let's Encrypt just forward the requests to another IP?

If there is no setting for http auth, that usually means it doesn't work with it. Nextcloud has its own auth built in so likely it collides with http auth.

 

Do you mean br0? That's macvlan, not bridge, and it blocks connections between host and the containers on it. But I'm making assumptions because you are not providing enough info to understand the situation.

Link to comment

Hi, maybe someone has a hint on how to get the xteve site working behind a reverse proxy.

When I curl the site names (local 192.168...../web or my.domain/web), the result is exactly the same, so there are no differences.

The symptom when using the external domain is an endless loading spinner on the site.

Here is a response from curl, in case that could help:

 

...

<!doctype html>
<html>
  <head>
    <meta charset="utf-8">
    <!---
    <meta name="viewport" content="width=device-width, initial-scale=1.0" /> 
    -->
    <title>xTeVe</title>
    <link rel="stylesheet" href="css/screen.css" type="text/css">
    <link rel="stylesheet" href="css/base.css" type="text/css">

    <script language="javascript" type="text/javascript" src="js/base.js"></script>
    <script language="javascript" type="text/javascript" src="js/menu.js"></script>
    <script language="javascript" type="text/javascript" src="js/data.js"></script>
    <script language="javascript" type="text/javascript" src="js/log.js"></script>
    <script language="javascript" type="text/javascript" src="js/users.js"></script>
    <script language="javascript" type="text/javascript" src="js/files.js"></script>
    <script language="javascript" type="text/javascript" src="js/mapping-editor.js"></script>
  </head>

    <body onload="javascript: pageReady();">
      <div id="loading" class="block">
        <div class="loader">
          
        </div>
      </div>

............

Screenshot from spinner (site started loading but doesn't go further)

 

And here is the reverse proxy conf part (it was simpler, but I tried adding all kinds of things I read across the web).

 

server {
    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    server_name web.*;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
        auth_basic off;
        allow all; # Allow all to see content
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.2:34400;
        proxy_buffering off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        access_log off;
    }
}

 

In case someone has an idea, thanks ahead ;)

Link to comment

I can't seem to find a similar error searching through this thread. I am trying to get this docker set up as a reverse proxy, and when starting it fails like this:

 

 

Generating new certificate
An unexpected error occurred:
pkg_resources.ContextualVersionConflict: (urllib3 1.25.2 (/usr/lib/python3.6/site-packages), Requirement.parse('urllib3<1.25,>=1.20; python_version >= "3.4"'), {'botocore'})
Please see the logfile '/tmp/tmpffuut7dx' for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

Here is the output from the logfile it references:

 

2019-05-18 13:34:09,180:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 10, in <module>
    sys.exit(main())
  File "/usr/lib/python3.6/site-packages/certbot/main.py", line 1349, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/usr/lib/python3.6/site-packages/certbot/plugins/disco.py", line 209, in find_all
    plugin_ep = PluginEntryPoint(entry_point)
  File "/usr/lib/python3.6/site-packages/certbot/plugins/disco.py", line 51, in __init__
    self.plugin_cls = entry_point.load()
  File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2345, in load
    self.require(*args, **kwargs)
  File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 2368, in require
    items = working_set.resolve(reqs, env, installer, extras=self.extras)
  File "/usr/lib/python3.6/site-packages/pkg_resources/__init__.py", line 789, in resolve
    raise VersionConflict(dist, req).with_context(dependent_req)
pkg_resources.ContextualVersionConflict: (urllib3 1.25.2 (/usr/lib/python3.6/site-packages), Requirement.parse('urllib3<1.25,>=1.20; python_version >= "3.4"'), {'botocore'})
2019-05-18 13:34:09,180:ERROR:certbot.log:An unexpected error occurred:

 

I tried installing python3 with the nerdpack plugin, made no difference. Any ideas about what is going on?

Link to comment
4 minutes ago, monogoat said:

Well, all I did when adding it from CA was add in the ports, 80 and 443, the email and the domain. In the meantime I installed NginxProxyManager and it is working fine, so I'll stick with it for now.

 

Thanks

If you don't provide us with the information, we can't help. 

Link to comment
3 minutes ago, CHBMB said:

If you don't provide us with the information, we can't help. 

 

I'm sorry for any confusion, I have it working with the NginxProxyManager so I didn't want to bother using up anyone's time trying to troubleshoot this problem. Thanks for everything you guys do.

Link to comment
3 minutes ago, monogoat said:

 

I'm sorry for any confusion, I have it working with the NginxProxyManager so I didn't want to bother using up anyone's time trying to troubleshoot this problem. Thanks for everything you guys do.

Actually I'm already looking at it, I *think* it's a problem with a python package.

Link to comment
1 minute ago, monogoat said:

I can reinstall the container and provide you with any information you need to help fix, if it doesn't appear isolated to my configuration

It's OK thanks, I think I've isolated it and have submitted a PR to fix it.

Link to comment
15 hours ago, CHBMB said:

Fix has been merged, so if you try again it should work now.

I had the same error with python as monogoat, but it worked after deleting the container and then (re-)installing it after the merge. Thank you for the quick fix.

Link to comment

Reinstalled Letsencrypt and added some of the Conf files but am still getting:

 

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')

 

As I am pretty new to all this, any help would be gratefully appreciated.

Link to comment
Ignore it, discussed elsewhere in this thread and on GitHub. Harmless error if you're not using Lua and is a problem with the upstream project.

Link to comment
