[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



10 hours ago, slimshizn said:

Let's Encrypt didn't give new certs, so something's up.

This is a very brief description of your problem. What is the exact error in the log?

 

If it used to work and now is suddenly broken, it might be because of an issue of your port 80 routing (at least in my experience this is very often the culprit). Do you know how to access the docker command line and run a cert renewal test? This usually gives you a more detailed error message.

16 hours ago, Seige said:

This is a very brief description of your problem. What is the exact error in the log?

 

If it used to work and now is suddenly broken, it might be because of an issue of your port 80 routing (at least in my experience this is very often the culprit). Do you know how to access the docker command line and run a cert renewal test? This usually gives you a more detailed error message.

Yes, I also checked the ports using outside tests and they are open. Turns out there was an issue with Cloudflare that night; I can access my RP now from outside my network. Inside my network is still an issue. I'm using a USG3 for my router, UPnP is on, and I'm not really sure how all of a sudden I don't have access to my RP locally. If I visit 192.168.*.* it works fine, but if I use my webpage name it will not connect and just times out.


My ISP is blocking port 80 so I can't get certificates. Is there any way around this? I've seen a little bit about the DNS challenge, but from what I gather you need to own the DNS server, which I don't, so that doesn't seem like an option unless I'm misunderstanding it. It has also been suggested that I use a different port, but from what I've read, Let's Encrypt must use port 80?

 

For my setup I used SpaceInvader's video tutorial and CyanLab's tutorial.

My ISP is blocking port 80 so I can't get certificates. Is there any way around this? I've seen a little bit about the DNS challenge, but from what I gather you need to own the DNS server, which I don't, so that doesn't seem like an option unless I'm misunderstanding it. It has also been suggested that I use a different port, but from what I've read, Let's Encrypt must use port 80?

For my setup I used SpaceInvader's video tutorial and CyanLab's tutorial.
You don't need to own your DNS server.

Use cloudflare and your own domain.



http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

This is what I get. How do I fix this? I have absolutely no idea what this means.

2 hours ago, Spoonsy1480 said:

This is what I get. How do I fix this? I have absolutely no idea what this means.

You are just the 264th person to ask that in this thread.


Okay, I've looked up hairpin NAT on the USG, looked in the config.boot file, and this is what shows up.

port-forward {
    auto-firewall disable
    hairpin-nat enable
    lan-interface eth1


Should disabling this fix my issue of not seeing server.com on my local network?

17 minutes ago, slimshizn said:

Okay, I've looked up hairpin NAT on the USG, looked in the config.boot file, and this is what shows up.
 


Should disabling this fix my issue of not seeing server.com on my local network?

You need hairpin NAT enabled. You're probably better off asking the USG support channels, unless someone here knows and can answer.

 


@Spoonsy1480
Did you understand my previous comment? It means to go the bleeep bleeep bleeep bleep read the previous posts in this bleep bleeep thread.

 

And do you really think that we are supposed to read your mind about what is not working?

Do you go to the garage and say: My car was working, now it isn't working. What is wrong?

1 minute ago, saarg said:

@Spoonsy1480
Did you understand my previous comment? It means to go the bleeep bleeep bleeep bleep read the previous posts in this bleep bleeep thread.

 

And do you really think that we are supposed to read your mind about what is not working?

Do you go to the garage and say: My car was working, now it isn't working. What is wrong?

Yes, I read your post and went back through the thread, and all I could find was that it didn't matter, as far as I could find out.

Yesterday I could go to radarr.mydomain.com,

and today I cannot access any of them. That is the only error I see.

So I am stumped.

3 minutes ago, Spoonsy1480 said:

Yes, I read your post and went back through the thread, and all I could find was that it didn't matter, as far as I could find out.

Yesterday I could go to radarr.mydomain.com,

and today I cannot access any of them. That is the only error I see.

So I am stumped.

No idea either.

9 minutes ago, Spoonsy1480 said:

Yes, I read your post and went back through the thread, and all I could find was that it didn't matter, as far as I could find out.

Yesterday I could go to radarr.mydomain.com,

and today I cannot access any of them. That is the only error I see.

So I am stumped.

That error you posted, if you'd searched this thread or the GitHub site for the container, has nothing to do with it. As for why your stuff isn't working, no idea.


Hi guys.

Thank you for the container. I've recently set this container up again. It's mostly working perfectly.

I am running two nextcloud containers - one for personal and one for work. Reverse proxy works perfectly for the home one. 

Reverse proxy for the work container doesn't seem to work for me - it just re-directs to the home container.

The home container is called "nextcloud" and mapped to nextcloud.XXX. The work container is called "nextcloud_works" and mapped to nextcloudwork.XXX.

Both being run as sub-domain reverse proxies. 

Attached are the reverse proxy configs for both. Any help would be appreciated.

Thanks

nextcloudwork.subdomain.conf nextcloud.subdomain.conf


Still looking for a working calibre subdomain config file. I have:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name calibre.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_calibre calibre;
        proxy_max_temp_file_size 2048m;
        proxy_pass http://$upstream_calibre:8083;
    }
}

with my calibre docker named 'calibre', however accessing the site gives me a bad gateway error. Any ideas?

10 hours ago, FireFtw said:

Still looking for a working calibre subdomain config file. I have:


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name calibre.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_calibre calibre;
        proxy_max_temp_file_size 2048m;
        proxy_pass http://$upstream_calibre:8083;
    }
}

with my calibre docker named 'calibre', however accessing the site gives me a bad gateway error. Any ideas?

If you are using our calibre container and have the containers on their own custom bridge, you are using the wrong port. It's either 8080 or 8081.

When using the name to resolve the container, you need to use the ports internally in the containers.

15 hours ago, storm123 said:

Hi guys.

Thank you for the container. I've recently set this container up again. It's mostly working perfectly.

I am running two nextcloud containers - one for personal and one for work. Reverse proxy works perfectly for the home one. 

Reverse proxy for the work container doesn't seem to work for me - it just re-directs to the home container.

The home container is called "nextcloud" and mapped to nextcloud.XXX. The work container is called "nextcloud_works" and mapped to nextcloudwork.XXX.

Both being run as sub-domain reverse proxies. 

Attached are the reverse proxy configs for both. Any help would be appreciated.

Thanks


Try changing the variable name to upstream_nextcloud_works
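Added example, not code from the SWAG project: a small lint for SWAG-style *.subdomain.conf files that catches the two mistakes discussed above, a copied conf whose upstream still points at the original container (the two nextcloud subdomains landing on one container) and a container reached by name with its host-side rather than internal port (the calibre case in saarg's reply). The sample confs and the calibre port map are constructed for this example.

```python
# Added example (not linuxserver/swag project code): lint SWAG-style
# *.subdomain.conf files for the two mistakes discussed above. It handles only
# the subset of nginx syntax these files use: "set $var value;" and "proxy_pass scheme://$var:port;".
import re
from collections import defaultdict

SET_RE = re.compile(r"^\s*set\s+\$(\w+)\s+([^;]+);", re.M)
PROXY_PASS_RE = re.compile(r"^\s*proxy_pass\s+\w+://\$(\w+)(?::(\d+))?", re.M)

def parse_conf(text):
    """Return ({var: value}, (var, port)) for one conf; (.., None) if no proxy_pass."""
    sets = {m.group(1): m.group(2).strip() for m in SET_RE.finditer(text)}
    pp = PROXY_PASS_RE.search(text)
    return sets, ((pp.group(1), pp.group(2) or "80") if pp else None)

def lint(confs, internal_ports=None):
    """confs: {filename: text}; internal_ports: optional {container: {ports}}.
    Returns warning strings; an empty list means nothing was flagged."""
    warnings, targets = [], defaultdict(list)  # "host:port" -> [files]
    for fname, text in confs.items():
        sets, proxy = parse_conf(text)
        if proxy is None:
            warnings.append(f"{fname}: no proxy_pass via an $upstream variable")
            continue
        var, port = proxy
        if var not in sets:
            warnings.append(f"{fname}: proxy_pass uses ${var} but never sets it")
            continue
        host = sets[var]
        targets[f"{host}:{port}"].append(fname)
        # Resolving by container name goes over the docker bridge, so the port
        # must be the one the service listens on inside the container.
        if internal_ports and host in internal_ports and port not in internal_ports[host]:
            allowed = ", ".join(sorted(internal_ports[host]))
            warnings.append(f"{fname}: {host} reached by name on port {port}; "
                            f"its internal port is {allowed}")
    for target, files in targets.items():
        if len(files) > 1:  # storm123's symptom: both subdomains hit one container
            warnings.append(f"{', '.join(sorted(files))} all proxy to {target}; "
                            "both subdomains land on the same container")
    return warnings

SAMPLE_CONFS = {  # constructed, modelled on the confs posted in this thread
    "nextcloud.subdomain.conf":
        "server_name nextcloud.*;\nset $upstream_nextcloud nextcloud;\n"
        "proxy_pass https://$upstream_nextcloud:443;",
    "nextcloudwork.subdomain.conf":  # copied from above, only server_name edited
        "server_name nextcloudwork.*;\nset $upstream_nextcloud nextcloud;\n"
        "proxy_pass https://$upstream_nextcloud:443;",
    "calibre.subdomain.conf":
        "server_name calibre.*;\nset $upstream_calibre calibre;\n"
        "proxy_pass http://$upstream_calibre:8083;",
}
# Internal ports of the calibre container as given in saarg's reply; assumption,
# verify against the image documentation for your version.
CALIBRE_PORTS = {"calibre": {"8080", "8081"}}

def demo():
    return lint(SAMPLE_CONFS, CALIBRE_PORTS)
```

Run it against the contents of /config/nginx/proxy-confs; a clean result is an empty list, and the nextcloud warning is the one to expect when a conf was copied but the `set $upstream_...` value was left unchanged.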

13 hours ago, saarg said:

If you are using our calibre container and have the containers on their own custom bridge, you are using the wrong port. It's either 8080 or 8081.

When using the name to resolve the container, you need to use the ports internally in the containers.

Yep, forgot I didn't have the bridge swapped over. The internal and external ports are both 8083 on the newest docker.


Help please - my cert won't renew. It's been so long since I've had problems with LE that I can't work out how to fix it:

 

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=MyDOMAIN.com
SUBDOMAINS=www,unifi,ha,nextcloud,office,home,heimdall
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.MyDOMAIN.com -d unifi.MyDOMAIN.com -d ha.MyDOMAIN.com -d nextcloud.MyDOMAIN.com -d office.MyDOMAIN.com -d home.MyDOMAIN.com -d heimdall.MyDOMAIN.com
E-mail address entered: [email protected]
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for MyDOMAIN.com
Waiting for verification...
Challenge failed for domain MyDOMAIN.com

http-01 challenge for MyDOMAIN.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: MyDOMAIN.com
Type: connection
Detail: Fetching
http://MyDOMAIN.com/.well-known/acme-challenge/r_lFlfJYMg2gmnwGbgo-4gqRceo17BLkfJUj8CXnK2A:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
Challenge failed for domain MyDOMAIN.com

http-01 challenge for MyDOMAIN.com
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: MyDOMAIN.com
Type: connection
Detail: Fetching
http://MyDOMAIN.com/.well-known/acme-challenge/r_lFlfJYMg2gmnwGbgo-4gqRceo17BLkfJUj8CXnK2A:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

10 hours ago, DZMM said:

Help please - my cert won't renew. It's been so long since I've had problems with LE that I can't work out how to fix it:


Port 80 is most likely blocked somewhere between your ISP and the container.
