[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



2 minutes ago, blaine07 said:

Anyone? Anything?

You did not post your docker run command. The issue is with the config of letsencrypt and not nextcloud. Don't run any commands to renew certificates inside the container unless told to do so.

To trigger a renewal of certificates, you can modify your config (add a subdomain), and see what the error is. And post it here along with the docker run command.

 

Link to comment
You did not post your docker run command. The issue is with the config of letsencrypt and not nextcloud. Don't run any commands to renew certificates inside the container unless told to do so.
To trigger a renewal of certificates, you can modify your config (add a subdomain), and see what the error is. And post it here along with the docker run command.
 


My apologies, I didn't know anything about a docker run command. Where do I find it, and how do I access it so I can post it? Add a subdomain on the setup page for letsencrypt in unraid?

I did post the error it gives when trying to renew; will that be a different error than when I add a subdomain?

At any rate, please provide more information with your request and I'd be happy to; obviously, had I known how, or that I was supposed to do the above, I would've. I ain't here to inconvenience anyone, but everyone starts somewhere.
Link to comment
You did not post your docker run command. The issue is with the config of letsencrypt and not nextcloud. Don't run any commands to renew certificates inside the container unless told to do so.

To trigger a renewal of certificates, you can modify your config (add a subdomain), and see what the error is. And post it here along with the docker run command.

 

 

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 15-urllib: executing...
Collecting urllib3==1.24.3
Downloading https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl (118kB)
Installing collected packages: urllib3
Found existing installation: urllib3 1.25.3
Uninstalling urllib3-1.25.3:
Successfully uninstalled urllib3-1.25.3
Successfully installed urllib3-1.24.3
[cont-init.d] 15-urllib: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Chicago
URL=blainej.net
SUBDOMAINS=cloud,blwin10,emby,office,bw
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d cloud.blaine.net -d blwin10.blaine.net -d emby.blaine.net -d office.blaine.net -d bw.blaine.net
E-mail address entered: [email protected]
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
    no field package.preload['resty.core']
    no file './resty/core.lua'
    no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
    no file '/usr/local/share/lua/5.1/resty/core.lua'
    no file '/usr/local/share/lua/5.1/resty/core/init.lua'
    no file '/usr/share/lua/5.1/resty/core.lua'
    no file '/usr/share/lua/5.1/resty/core/init.lua'
    no file '/usr/share/lua/common/resty/core.lua'
    no file '/usr/share/lua/common/resty/core/init.lua'
    no file './resty/core.so'
    no file '/usr/local/lib/lua/5.1/resty/core.so'
    no file '/usr/lib/lua/5.1/resty/core.so'
    no file '/usr/local/lib/lua/5.1/loadall.so'
    no file './resty.so'
    no file '/usr/local/lib/lua/5.1/resty.so'
    no file '/usr/lib/lua/5.1/resty.so'
    no file '/usr/local/lib/lua/5.1/loadall.so')
nginx: [warn] could not build optimal variables_hash, you should increase either variables_hash_max_size: 1024 or variables_hash_bucket_size: 64; ignoring variables_hash_bucket_size
Server ready

 

Link to comment
You did not post your docker run command. The issue is with the config of letsencrypt and not nextcloud. Don't run any commands to renew certificates inside the container unless told to do so.

To trigger a renewal of certificates, you can modify your config (add a subdomain), and see what the error is. And post it here along with the docker run command.

 

So apparently adding a dummy site to letsencrypt, restarting letsencrypt and letting it error, then removing it and restarting again finally got it to renew certs. No idea why or how that fixed it, if when it's restarted in general it is supposed to fix certs.

 

Sent from my SM-G975U using Tapatalk

 

Edit: on another note, how can I edit conf files for sites so that http forwards to the appropriate https place as well? It isn't a biggy, but currently I have to navigate to https for each of them.

 

 

 

Link to comment
1 minute ago, blaine07 said:

So apparently adding a dummy site to letsencrypt, restarting letsencrypt and letting it error, then removing it and restarting again finally got it to renew certs. No idea why or how that fixed it, if when it's restarted in general it is supposed to fix certs.

Sent from my SM-G975U using Tapatalk
 

 

You should remove the domain and email from your previous post.

 

The docker run command is in my signature and also in the docker FAQ that is pinned. Also not so hard to search for it 😉

 

As for why it didn't renew your certificate, the letsencrypt logs are needed. Not sure where they are, but probably in your appdata somewhere. But it's working now, so no point checking out.

The renew is not done on container start anymore. It's a cron job running once a day checking the certs.

Link to comment

 

 

 

 

You should remove the domain and email from your previous post.

 

The docker run command is in my signature and also in the docker FAQ that is pinned. Also not so hard to search for it

 

As for why it didn't renew your certificate, the letsencrypt logs are needed. Not sure where they are, but probably in your appdata somewhere. But it's working now, so no point checking out.

The renew is not done on container start anymore. It's a cron job running once a day checking the certs.

 

Yes sir, I had just redacted info.

Sorry on run command; not seeing signature on mobile, will have to pull up PC.

Yeah, no idea why it didn't renew either. I guess this would've been 90 days from when I set it all up and it felt the need to remind me of the initial frustrations I had LOL. I was NOT aware it didn't update them on startup any longer; great info to have! When is cron set to run; a certain time daily or?

Also, any idea on this, mate? On another note, how can I edit conf files for sites so that http forwards to the appropriate https place as well? It isn't a biggy, but currently I have to navigate to https for each of them.

 

Sent from my SM-G975U using Tapatalk

 

Edit: how rude, forgot to say THANK you man!

 

 

 

Link to comment
2 hours ago, blaine07 said:

Yes sir, I had just redacted info.

Sorry on run command; not seeing signature on mobile, will have to pull up PC.

Yeah, no idea why it didn't renew either. I guess this would've been 90 days from when I set it all up and it felt the need to remind me of the initial frustrations I had LOL. I was NOT aware it didn't update them on startup any longer; great info to have! When is cron set to run; a certain time daily or?

Also, any idea on this, mate? On another note, how can I edit conf files for sites so that http forwards to the appropriate https place as well? It isn't a biggy, but currently I have to navigate to https for each of them.

Sent from my SM-G975U using Tapatalk

Edit: how rude, forgot to say THANK you man!

 

 

 

All the conf files are in the config folder. /config/nginx/site-confs/default is the one you want to edit for https redirection. There are instructions in there.

Link to comment
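For readers looking for the redirect saarg points at: the block below is an added example, not the default file shipped in the linuxserver.io container, showing the shape of a port-80 catch-all that redirects to HTTPS, next to a 443 server block carrying HSTS. Paths follow the SWAG layout seen in this thread (/config/keys/letsencrypt/, /config/nginx/proxy.conf); the hostname and the backend address are placeholders.

```nginx
# Added example, not the default file shipped in the linuxserver.io container.
# Paths follow the layout seen in this thread (/config/keys/letsencrypt/,
# /config/nginx/proxy.conf); the hostname and backend address are placeholders.

# Plain-HTTP catch-all: answer every request on port 80 with a permanent
# redirect to the same host over HTTPS. $host keeps whichever subdomain the
# client asked for (cloud, emby, office, ...) and $request_uri keeps the path
# and query string, so deep links survive the redirect. Let's Encrypt's HTTP-01
# validation follows redirects, so a blanket redirect does not by itself break
# VALIDATION=http renewals.
server {
    listen 80 default_server;
    listen [::]:80 default_server;   # drop this line if the host has no IPv6
    server_name _;
    return 301 https://$host$request_uri;
}

# One proxied app over HTTPS. With the redirect in place, HSTS makes browsers
# go straight to HTTPS on later visits, so the plain-HTTP hop happens once.
server {
    listen 443 ssl;
    server_name cloud.example.duckdns.org;   # placeholder hostname

    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    # "always" emits the header on 4xx/5xx responses too; without it nginx
    # adds the header only to the usual success and redirect status codes.
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass https://192.0.2.10:444/;   # placeholder backend (TEST-NET-1 address)
    }
}
```

Put the file under /config/nginx/site-confs/ (or merge the port-80 server into the existing default), restart the container, then check with `curl -I http://cloud.example.duckdns.org/`: the expected answer is a 301 whose Location header points at the https:// URL with the same path.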

Hi

 

I previously had a working nextcloud instance with reverse proxy, but I kept having problems after I moved and got a new ISP router. I have made several unsuccessful attempts in the past months to get it working, so tonight I'm finally posting here and hope someone can help.

Nextcloud is set up and works just fine on the local network.

Let's Encrypt is able to get new certs and to renew old ones.

My issue lies with setting up the reverse proxy to access nextcloud with my duckdns URL. It times out whenever I try to reach the site from behind the pfsense router, the internet or behind the ISP router.

I would very much appreciate any help or suggestion. Below I posted my config.

 

My network:

The pfsense router is in the DMZ of the ISP router.

[screenshot: Network]

Here are my port forwards in both routers (first ISP router, then pfsense).

[screenshots: PortForwardISP, PortForwardPfsense]

NAT loopback is enabled in the pfsense port forwards.

Here is my letsencrypt template:

[screenshot: LE]

 

 

appdata/letsencrypt/nginx/site-confs/nextcloud

server {
    listen 443 ssl;
    server_name XXX.duckdns.org;

    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ### Note: this list still permits 3DES (DES-CBC3-SHA), CAMELLIA and non-ECDHE CBC suites
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ###ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    ### Response header sent to the browser; the proxied backend never sees it
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://19.16.17.101:444/;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}

 

appdata/nextcloud/www/nextcloud/config/config.php

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'XXX',
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'trusted_domains' =>
  array (
    0 => '19.16.17.101:444',
    1 => 'XXX.duckdns.org',
  ),
  'dbtype' => 'mysql',
  'version' => '16.0.1.1',
  'overwrite.cli.url' => 'https://XXX.duckdns.org',
  'overwritehost' => 'XXX.duckdns.org',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => '19.16.17.101:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'XXX',
  'dbpassword' => 'XXX',
  'installed' => true,
);

 

Link to comment
1 hour ago, Lynxphp said:
Hi

I previously had a working nextcloud instance with reverse proxy, but I kept having problems after I moved and got a new ISP router. I have made several unsuccessful attempts in the past months to get it working, so tonight I'm finally posting here and hope someone can help.

Nextcloud is set up and works just fine on the local network.
Let's Encrypt is able to get new certs and to renew old ones.
My issue lies with setting up the reverse proxy to access nextcloud with my duckdns URL. It times out whenever I try to reach the site from behind the pfsense router, the internet or behind the ISP router.

I would very much appreciate any help or suggestion. Below I posted my config.

My network:
The pfsense router is in the DMZ of the ISP router.
[screenshot: Network]

Here are my port forwards in both routers (first ISP router, then pfsense).
[screenshots: PortForwardISP, PortForwardPfsense]
NAT loopback is enabled in the pfsense port forwards.

Here is my letsencrypt template:
[screenshot: LE]

 

This is déjà vu; I was having issues today after setting up my first pfsense router. My question is, was this working before?

Because if it was, it could be a network issue. In my case what solved the problem was removing a setting in my WAN interface called

"block private networks and loopback addresses"

I have a double NAT situation as well. Also go to the website canyouseeme.org and check if the port is actually open.

Also, follow the instructions from @CHBMB maybe that's all you need. 

Sent from my Pixel 2 XL using Tapatalk

Link to comment
5 hours ago, CHBMB said:

@Lynxphp Use the preconfigured reverse proxy conf for Nextcloud and see if that works before you do anything else.

Thanks! I got remote access! However, still no access from the local network.

 

4 hours ago, gacpac said:

This is déjà vu; I was having issues today after setting up my first pfsense router. My question is, was this working before?

Because if it was, it could be a network issue. In my case what solved the problem was removing a setting in my WAN interface called

"block private networks and loopback addresses"

I have a double NAT situation as well. Also go to the website canyouseeme.org and check if the port is actually open.

Also, follow the instructions from @CHBMB maybe that's all you need. 

Sent from my Pixel 2 XL using Tapatalk

I only set up my pfsense router after moving (with my new ISP router that doesn't support NAT loopback). I never got local access working with this ISP router.

I tried unchecking "block private networks and loopback addresses" (both on WAN and LAN) but no change.

canyouseeme.org reports that port 443 is open, 80 is not.

I tried setting up a NAT forward rule to be able to gain local access, but no success.

[screenshots: alias, portforwardLAN]

Any suggestion?

Link to comment
8 minutes ago, Lynxphp said:

Thanks! I got remote access! However, still no access from the local network.

I only set up my pfsense router after moving (with my new ISP router that doesn't support NAT loopback). I never got local access working with this ISP router.

I tried unchecking "block private networks and loopback addresses" (both on WAN and LAN) but no change.

canyouseeme.org reports that port 443 is open, 80 is not.

I tried setting up a NAT forward rule to be able to gain local access, but no success.

[screenshots: alias, portforwardLAN]

Any suggestion?

Go to Services / DNS Resolver and add your host overrides at the bottom.

Link to comment

Why does it say I don't have permission to save anything inside the proxy-confs file in Windows SMB?

 

I can read and write everything else in appdata except for this folder. Even if I set appdata to public, I still get this message.

 

[screenshots]
Link to comment
33 minutes ago, Stubbs said:

Why does it say I don't have permission to save anything inside the proxy-confs file in Windows SMB?

 

I can read and write everything else in appdata except for this folder. Even if I set appdata to public, I still get this message.

 

[screenshots]

That is because of the permissions on the files. Do not change the permissions. Instead edit them through the command line on the server.

Link to comment
22 hours ago, CHBMB said:

Try again, I've deleted it from our repository,

Sent from my Mi A1 using Tapatalk
 

I just updated the letsencrypt container and the moment it got started, the error is still showing up in logs. The container also created another instance of quassel-web-subfolder.conf without the .sample

Link to comment
8 hours ago, saarg said:

That doesn't look correct. The domain should be your duckdns domain and host only the subdomain for nextcloud.

Thanks for your correction. I previously used mydomain.duckdns.org to reach nextcloud directly. I now made the change in the nextcloud and letsencrypt config to have nextcloud at nextcloud.mydomain.duckdns.org. I can reach nextcloud remotely, but still not locally (timeout) :(. Here is my Host override in the DNS resolver:

[screenshot: hostoverride2]
Link to comment
Thanks for your correction. I previously used mydomain.duckdns.org to reach nextcloud directly. I now made the change in the nextcloud and letsencrypt config to have nextcloud at nextcloud.mydomain.duckdns.org. I can reach nextcloud remotely, but still not locally (timeout) :(. Here is my Host override in the DNS resolver:
[screenshot: hostoverride2]

In pfsense, Firewall tab, then NAT tab: how are your port forwards set up?

Below is how my 443 is set up. I was having issues externally or internally until I got the forwarding stuff right.

[screenshot]

Sent from my SM-G975U using Tapatalk

Link to comment
Thanks for the tip @blaine07.

I have no problems reaching nextcloud externally, which leads me to think that my port forwarding rules are okay. It's only internally that the connection times out.

Here's a screen of my rules:

[screenshots: 443to1443, 80to81]

Try changing that nat proxy option to default or one of the others. May require pfsense to reboot. I'd bet still that's related to your problem as far as locally being able to access it

Sent from my SM-G975U using Tapatalk

Link to comment
