[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Yes I agree with @blaine07, he is the MVP. Thanks again for all your help @CHBMB and to everyone else that helped. Thank you so much. Now I have to fix my LAN so I can use it inside the LAN at home.
Buy him a beer or two

Sent from my SM-N960U using Tapatalk


I already posted a few days ago regarding setting up letsencrypt for nextcloud and got from no access at all to remote access only, which I am very happy about.

Remote access works perfectly with duckdns but I still can't get local access and that is what I am trying to fix.

 

I will try to summarize the relevant information here.

I run a pfsense router which is in the DMZ behind my ISP router. Both have NAT enabled.

[image: Network.PNG]

 

I have port forwarding rules set up and as remote access works, I tend to think that they are not the problem.

 

I have a host override set up in pfsense:

[image: hostoverride2.png]

Here are the results of nslookup and tracert from a computer within the same network (behind pfsense) as the unraid server on which letsencrypt and nextcloud are running:

[image: nslookup.png]

My interpretation is that the DNS override works as it is correctly resolved with the external (internet) IP. Is that correct? Or should a local DNS lookup response be the local IP address?

 

The fact that the dns seems to work leads me to believe that the problem lies with my configuration of letsencrypt (possibly nextcloud?). Here is the result of a tracert showing the connection timing out:

[image: tracert.png]

 

 

My current configuration of LE and nextcloud:

appdata/letsencrypt/nginx/site-confs/nextcloud

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name nextcloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
}

 

appdata/nextcloud/www/nextcloud/config/config.php

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'XXX',
  'passwordsalt' => 'XXX',
  'secret' => 'XXX',
  'trusted_domains' => 
  array (
    0 => '19.16.17.101:444',
    1 => 'nextcloud.XXX.duckdns.org',
  ),
  'dbtype' => 'mysql',
  'version' => '16.0.1.1',
  'overwrite.cli.url' => 'https://nextcloud.XXX.duckdns.org',
  'overwritehost' => 'nextcloud.XXX.duckdns.org',
  'overwriteprotocol' => 'https',
  'dbname' => 'nextcloud',
  'dbhost' => '19.16.17.101:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'XXX',
  'dbpassword' => 'XXX',
  'installed' => true,
);

 

I am quite a networking newbie. I have tried to read and inform myself as much as I could, but I can't seem to figure this out. Any help would be greatly appreciated.

1 hour ago, Lynxphp said:

I run a pfsense router which is in the DMZ behind my ISP router. Both have NAT enabled. [...]

From your graphic it looks like you're double natting?

 

2 hours ago, Lynxphp said:

I have a host override setup in pfsense: [...]

Did you also enable the dns resolver?


@Lynxphp you also created an alias for your nextcloud. Let's do this. Why don't you focus on getting your certificates working first, and then you play with adding aliases. Since you have no control over duckdns I'm not sure you can do nextcloud.xxx.duckdns.org

Have you checked space invader guide for nextcloud as well?

Also check this forum, that has been talked before in here.

Sent from my Pixel 2 XL using Tapatalk

27 minutes ago, gacpac said:

@Lynxphp I noticed, and please tell me if I'm wrong, you are using an IP address not reserved by IANA. Meaning you are using a public IP range for private addressing.
@CHBMB can you help here?

Sent from my Pixel 2 XL using Tapatalk
 

 

9 minutes ago, gacpac said:

@Lynxphp you also created an alias for your nextcloud. [...]
 

@gacpac Please don't ping me, this isn't my job, I help out when I can, I'm currently in bed.

 

Also, @gacpac whilst your enthusiasm is admirable, I'm not certain you understand this stuff as well as you think you do, and no disrespect, you're sometimes confusing the issue even more.

 

The issue looks to me to be that of NAT reflection/Hairpin NAT.

 

@Lynxphp Try adding this in pfsense in the custom options of DNS resolver:

server:
    local-zone: "xxx.duckdns.org" redirect
    local-data: "xxx.duckdns.org 3600 IN A 19.16.17.101"
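As an added diagnostic (example code, not from the thread or from the pfSense/unbound projects), the script below parses the three unbound lines above, predicts what a LAN client would resolve for a name under the redirect zone, and flags whether that answer is a private address or a public one that would force traffic back through the router. The zone name and the 19.16.17.101 address are the thread's own placeholders, kept here as constructed sample input.

```python
import ipaddress
import re

# Constructed sample (not from the thread): the unbound lines suggested above,
# with the placeholder zone name left exactly as the poster wrote it.
UNBOUND_SNIPPET = """
server:
local-zone: "xxx.duckdns.org" redirect
local-data: "xxx.duckdns.org 3600 IN A 19.16.17.101"
"""

ZONE_RE = re.compile(r'\s*local-zone:\s*"([^"]+)"\s+(\w+)')
DATA_RE = re.compile(r'\s*local-data:\s*"(\S+)\s+\d+\s+IN\s+A\s+(\S+)"')


def parse_unbound(snippet):
    """Collect {zone: {"type": ..., "a": ...}} from local-zone/local-data lines."""
    zones = {}
    for line in snippet.splitlines():
        zm, dm = ZONE_RE.match(line), DATA_RE.match(line)
        if zm:
            zones.setdefault(zm.group(1).lower().rstrip("."), {})["type"] = zm.group(2)
        if dm:
            zones.setdefault(dm.group(1).lower().rstrip("."), {})["a"] = dm.group(2)
    return zones


def lan_answer(name, zones):
    """A record a LAN client gets for name, or None if it falls through to public
    DNS. A 'redirect' zone answers for its apex and every name beneath it."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        zone = zones.get(".".join(labels[i:]))
        if zone and zone.get("type") == "redirect" and "a" in zone:
            return zone["a"]
    return None


def classify(addr):
    """'private' for RFC 1918/loopback/link-local space, else 'public'. A public
    LAN answer sends local clients out the WAN side and needs NAT reflection."""
    return "private" if ipaddress.ip_address(addr).is_private else "public"


def check_split_dns(name, snippet=UNBOUND_SNIPPET):
    """Return (predicted answer, verdict) for a hostname under the override."""
    answer = lan_answer(name, parse_unbound(snippet))
    if answer is None:
        return None, "no override: resolves via public DNS"
    return answer, classify(answer)
```

Run against the thread's snippet, `check_split_dns("nextcloud.xxx.duckdns.org")` returns the override address with the verdict `public`, which is exactly why the 19.16.17.x range is called out later in the thread: the override only avoids hairpin NAT when it hands LAN clients a genuinely private address.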

 

 

 


@CHBMB I know it's not your job, but I figured you probably had a better answer. I do like to help, but that's why I said correct me if I'm wrong. Also sorry if I pinged you to jump in on this, but you don't have to reply if you are busy.

Everything is cool, I really thank you for all the help you do.

Sent from my Pixel 2 XL using Tapatalk

5 hours ago, Lynxphp said:

I am quite a networking newbie.

Regardless of whether it works for you or not, it's not good to use somebody else's IP addresses in your private network. It can make for some confusing troubleshooting. The 19.16.17.X block of addresses is owned by Ford Motor Company in the USA.

 

I'd advise using blocks of addresses that are reserved for private use, the 192.168.X.X, 10.X.X.X, etc.

Regardless of whether it works for you or not, it's not good to use somebody else's IP addresses in your private network. [...]
I thought that IP looked funny ...

Sent from my SM-N960U using Tapatalk


Could somebody create an NGINX template for Linuxserver.io - ZNC? I've tried but ended up with 502 Bad Gateway :(

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name znc.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_znc znc;
        proxy_pass http://$upstream_znc:6501/;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

I added 

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

per https://wiki.znc.in/Reverse_Proxy , without it I still get 502.

 

Thanks!

Could somebody create an NGINX template for Linuxserver.io - ZNC? I've tried but ended up with 502 Bad Gateway [...]

Then it's working?

Submit a template to the repository then.

It's fine to have extra parameters in there.

Sent from my Mi A1 using Tapatalk

No unfortunately it's not working still, even with that extra parameter described in the znc wiki. I still get 502 bad gateway

I don't use ZNC, might be an idea if you can get it working conventionally using the examples there and post a working example, then we might be able to look at translating that to over docker networking.

Unless someone else has a working example?

Figuring out these things can be a time consuming problem so I'm not going to personally pick it up and run with it.

Sent from my Mi A1 using Tapatalk

3 hours ago, bamtan said:

No unfortunately it's not working still, even with that extra parameter described in the znc wiki. I still get 502 bad gateway :(

You don't need to add that line to the bottom, it's already in proxy.conf

 

Is znc on the same user defined bridge network as letsencrypt? Is the container named "znc"? Is it running? Can you reach it via http://unraidip:6501 ?

3 hours ago, CHBMB said:

Also is ZNC over https or http?

Over https

 

I changed

proxy_pass http://$upstream_znc:6501/;

to

proxy_pass https://$upstream_znc:6501/;

 

and now I'm able to see the ZNC login (without CSS, though).

 

Once I log in, I get "403 Access denied 

POST requests need to send a secret token to prevent cross-site request forgery attacks."

 

34 minutes ago, aptalca said:

Is znc on the same user defined bridge network as letsencrypt? Is the container named "znc"? Is it running? Can you reach it via http://unraidip:6501 ?

Yeah that's all good from me.

 

11 minutes ago, bamtan said:

and now I'm able to see the ZNC login (without CSS, though). [...]

 

Hey @bamtan if you get Nextcloud working within your LAN can you let us know please. I am able to connect to Nextcloud through WAN but inside the network I can. I bought a Linksys to see if I can use that router for my setup. I didn't buy it just for that but it should be a better wireless router than the one I have from my ISP. Thanks in advance.
