[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



On 6/13/2019 at 2:02 PM, storm123 said:

Thanks mate.

Gave it a go.

I now get a connection but it goes to a 500 internal server error.


Any logs I can share to help track down the final step?

Post the new confs you're using and check the error log in the config folder

10 minutes ago, Spoonsy1480 said:


If I knew that I would open it :)
Maybe I will try resetting back to factory settings


Sent from my iPhone using Tapatalk

In your BT Home Hub go to settings > advanced settings > continue to advanced settings > port forwarding, and under game or application you should find an already preset HTTP server; assign it to the PC you need.

 

PS: I have v3 of the Home Hub.

Edited by Danuel
I have v6. I had to add HTTP and HTTPS, but only 80 shows closed.


Sent from my iPhone using Tapatalk
11 hours ago, storm123 said:

Hi,

Confs for letsencrypt attached.

Error log makes mention of "[error] 685#685: *996 no host in upstream ":443", client: xxx.xxx.xxx.xxx, server: nextcloudwork.*,"

Thank you for helping so far

Attachments: nextcloud.subdomain.conf, nextcloudwork.subdomain.conf

You forgot to rename the second variable name in your works one. Fix the last line for proxy_pass.


I'm having issues accessing Nextcloud from the same LAN that the server is on. I know that this is a common issue and I have read the last ~dozen or so pages of this thread prior to posting. My setup was created following the Spaceinvader One "How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX" video. Everything is working fine (certs, outside access) aside from local network access.

 

Hairpin NAT is enabled in my EdgeRouter, I have restarted the router and server, and cleared my local machine's DNS cache since enabling it. At this point, I just need to confirm if hairpin NAT is related to my issue or if something else is the case. The Ubiquiti docs for hairpin NAT are pretty hefty and I don't want to dig through them without cause.

 

When connecting, I get the following:

 

Error: 404 Not Found

Sorry, the requested URL 'https://[mydomain].duckdns.org/index.php/login' caused an error:

Not found: '/index.php/login'

 

Does this sound like a hairpin nat issue?

Edited by deepthought

Hi

 

My ISP router reset the other day and I had to set up my port forwards again. Noticed something weird: my Nextcloud works outside the network, but not inside. I have a double NAT situation and have to forward port 443 and port 80 twice. (I've been told that I can use a DMZ host to the pfSense to avoid opening ports twice, but I haven't tested it yet.)

 

To fix it, all I had to do was add a host override on my pfSense router, so it hits the internal IP instead of the public one. I guess it works, but shouldn't that work without me forcing the DNS?

 

In case you need a better understanding of what my network is. Before you say get rid of the ISP router: I can't, I share my connection.

 

   WAN                         LAN                  port forward        WAN                      LAN              port forward                                   

[(public IP) ISP router (10.0.0.1) ] ----- > TCP 80, 443 ----> [(10.0.115) Pfsense (172.16.1.2)] ----> TCP 181, 1443 ------> [unraid server (172.16.1.137)]

 

Also started getting this error, which looks like a known issue that should get addressed soon:



I am extremely confused. I have been reading through this trying to find the solution to my issue. Forgive me if I missed it, but the more I read the more confused I get. I am trying to set the reverse proxy up but run into A) port 80 is blocked and B) DNS doesn't want to work either. I followed spaceinvaderone's video on DNS and it didn't work. Cloudflare just won't work for some reason (I just finished trying to delete my account there).

 

I have No-Ip as my domain host. (I do have my own domain with the CNAME's for servers i am trying to get to work with letsencrypt) I made a support ticket and the tech said:

"Historically, customers who use LetsEncrypt will ask us to add a DNS Record to the domain for the LetsEncrypt to work. You may need to see if they require this for your scenario as well. Take a look and let us know if we can answer any questions."

 

I am confused as to what I need. Would someone help point me in the right direction please?

 

Thank you.

7 hours ago, Mindsgoneawol said:

I am extremely confused. I have been reading through this trying to find the solution to my issue. Forgive me if I missed it, but the more I read the more confused I get. I am trying to set the reverse proxy up but run into A) port 80 is blocked and B) DNS doesn't want to work either. I followed spaceinvaderone's video on DNS and it didn't work. Cloudflare just won't work for some reason (I just finished trying to delete my account there).

 

I have No-Ip as my domain host. (I do have my own domain with the CNAME's for servers i am trying to get to work with letsencrypt) I made a support ticket and the tech said:

"Historically, customers who use LetsEncrypt will ask us to add a DNS Record to the domain for the LetsEncrypt to work. You may need to see if they require this for your scenario as well. Take a look and let us know if we can answer any questions."

 

I am confused as to what I need. Would someone help point me in the right direction please?

 

Thank you.

I am having a similar issue. I don't know where my disconnect is, but I think it's with the ports not passing to the docker. I also followed SpaceInvader's tutorial. I have a domain hosted with GoDaddy and I have set up CNAMEs for Sonarr and Tautulli to test with. They are configured as subdomains that point to my duckdns.org address. I have the DuckDNS docker installed on my unRAID server and it is properly updating the IP. When I check my subdomains through https://www.whatsmydns.net/ I can see that the subdomain URLs are correctly pointing to my duckdns.org address. I have configured my UniFi USG to pass port 80 to 180 and 443 to 1443 to the IP of the unRAID server. When I check ports 80 and 443 at https://www.yougetsignal.com/tools/open-ports/ I see port 80 open but 443 is not. Not sure why... I've edited the .conf files to reflect the names of the docker containers.

 

At this point, I am just confused as to why this is not working. Here are some screenshots of my configurations:

 


 

# make sure that your dns has a cname set for sonarr and that your sonarr container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name sonarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }

    location ~ (/sonarr)?/api {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr Sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }
}

# make sure that your dns has a cname set for tautulli and that your tautulli container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name Tautulli.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_tautulli Tautulli;
        proxy_pass http://$upstream_tautulli:8181;
    }

    location ~ (/mnt/disks/PlexMediaServer/tautulli)?/api {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_tautulli Tautulli;
        proxy_pass http://$upstream_tautulli:8181;
    }
}

Any assistance or guidance would be greatly appreciated!
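An added check for the two proxy-conf mistakes that come up in this thread: a server block whose proxy_pass still references an upstream variable from the conf it was copied from (so the variable is empty at request time and nginx logs "no host in upstream ":443""), and a conf that sets the same upstream variable to both sonarr and Sonarr in different locations. This is example code written for this page, not part of SWAG or the posters' files; the conf it lints is constructed, and the container-name list passed to it is an assumption.

```python
# Lint SWAG subdomain proxy-confs for the mistakes discussed in this thread.
# Example code for this page, not part of the SWAG project.
import re

SET_RE = re.compile(r'^\s*set\s+\$(\w+)\s+(\S+?)\s*;')
PROXY_RE = re.compile(r'^\s*proxy_pass\s+https?://\$(\w+)(?::\d+)?\s*;')
SERVER_RE = re.compile(r'^\s*server\s*\{')
NAME_RE = re.compile(r'server_name\s+([^;]+);')


def split_server_blocks(conf_text):
    """Return the text of each top-level server { ... } block (brace counting)."""
    blocks, current, depth = [], [], 0
    for line in conf_text.splitlines():
        code = line.split('#', 1)[0]          # ignore comments when counting braces
        if depth == 0 and not SERVER_RE.match(code):
            continue                          # text outside any server block
        current.append(line)
        depth += code.count('{') - code.count('}')
        if depth == 0:
            blocks.append('\n'.join(current))
            current = []
    return blocks


def lint_server_block(block, containers=None):
    """Findings for one server block; `containers` (optional, assumed) is the set of
    container names / network aliases present on the docker network, matched exactly."""
    findings, sets = [], {}
    m = NAME_RE.search(block)
    label = m.group(1).strip() if m else '<no server_name>'
    for line in block.splitlines():
        s = SET_RE.match(line)
        if s:
            sets.setdefault(s.group(1), set()).add(s.group(2))
    for line in block.splitlines():
        p = PROXY_RE.match(line)
        if p and p.group(1) not in sets:
            # nginx -t only rejects a variable set nowhere; one set in another
            # conf parses fine but is empty here -> "no host in upstream".
            findings.append(f'{label}: proxy_pass uses ${p.group(1)} but this block '
                            f'never sets it; nginx will log "no host in upstream"')
    for var, values in sets.items():
        if len({v.lower() for v in values}) != len(values):
            findings.append(f'{label}: ${var} is set to {sorted(values)}, which differ '
                            f'only by case; use one spelling that matches the container')
        for v in values:
            if containers is not None and v not in containers:
                findings.append(f'{label}: ${var}={v} matches no container name or '
                                f'network alias in {sorted(containers)}')
    return findings


def lint_conf(conf_text, containers=None):
    """Lint every server block in one conf or a concatenation of several confs."""
    return [f for b in split_server_blocks(conf_text) for f in lint_server_block(b, containers)]


# Constructed sample reproducing both mistakes; not the posters' actual files.
SAMPLE_CONF = """\
server {
    server_name nextcloudwork.*;
    location / {
        set $upstream_nextcloudwork nextcloudwork;
        proxy_pass https://$upstream_nextcloud:443;   # variable name not renamed
    }
}
server {
    server_name sonarr.*;
    location / {
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }
    location ~ (/sonarr)?/api {
        set $upstream_sonarr Sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }
}
"""
```

Run `lint_conf(open('/config/nginx/proxy-confs/nextcloudwork.subdomain.conf').read())` against a real conf, or concatenate all active *.subdomain.conf files to lint them in one pass.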


Is there an error in your LE run command? If so what is it?

Sent from my SM-N960U using Tapatalk



I have the opposite to you port 80 is closed but 443 is open


Sent from my iPhone using Tapatalk

If you need help with troubleshooting, start with posting your docker log

 

Also, it's not a good idea to test a reverse proxy right off the bat.

 

Set up the container first, check the logs to make sure the certs are retrieved correctly.

 

Then test to make sure you can get to the placeholder homepage.

 

Only then should you test the reverse proxy.

 

Step by step.

 

And here's a detailed guide that covers many scenarios: https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/

On 6/17/2019 at 1:04 AM, aptalca said:

You forgot to rename the second variable name in your works one. Fix the last line for proxy pass

Thank you for all your help aptalca. I made the change and it didn't work but after some digging I found that it turns out my nextcloud_works docker was broken. I've re-built it and it's all working perfectly now.

Much appreciated.


 

 
 
 
20 hours ago, aptalca said:

If you need help with troubleshooting, start with posting your docker log

 

Also, it's not a good idea to test a reverse proxy right off the bat.

 

Set up the container first, check the logs to make sure the certs are retrieved correctly.

 

Then test to make sure you can get to the placeholder homepage.

 

Only then should you test the reverse proxy.

 

Step by step.

 

And here's a detailed guide that covers many scenarios: https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/

Weird, I wrote a reply but it didn't get posted. Here I go again then. So I am adding my docker log here for reference. I am able to see Server Ready each time the docker is started.

 

-------------------------------------


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/New_York
URL=mydomain.com
SUBDOMAINS=tautulli,sonarr,nowshowing
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d tautulli.mydomain.com -d sonarr.mydomain.com -d nowshowing.mydomain.com
E-mail address entered: [email protected]
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/tautulli.mydomain.com/fullchain.pem!
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nowshowing.mydomain.com
http-01 challenge for sonarr.mydomain.com
http-01 challenge for tautulli.mydomain.com
Waiting for verification...
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/tautulli.mydomain.com/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/tautulli.mydomain.com/privkey.pem
Your cert will expire on 2019-09-17. To obtain a new or tweaked
version of this certificate in the future, simply run certbot

again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:

no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

Hopefully, this helps to expose what I am doing incorrectly. I am going through the guide in the link posted above to see if I can glean anything that could help fix this.


I FINALLY FIGURED IT OUT!!! It was my UniFi USG that was the problem. It needed to be rebooted to pass the ports properly. Once it rebooted I was able to access Sonarr immediately using my subdomain. The only problem I have now, which is a cosmetic one but it's going to irritate my OCD, is that it only works if the Docker container name is lowercase sonarr. I like to have my dockers properly labeled, so I would like it to be Sonarr. I went into the Proxy-Conf folder and changed set $upstream_sonarr sonarr; to set $upstream_sonarr Sonarr; in both locations, then restarted LetsEncrypt after changing the container name back to Sonarr, but I get a 502 Bad Gateway when I do. Is there something I can do to fix this naming dilemma?

 

Also, does anyone have a proxy-conf file for NowShowingv2?

 

Thanks, 

Edited by Riotz
1 hour ago, Riotz said:

I FINALLY FIGURED IT OUT!!! It was my UniFi USG that was the problem. It needed to be rebooted to pass the ports properly. Once it rebooted I was able to access Sonarr immediately using my subdomain. The only problem I have now, which is a cosmetic one but it's going to irritate my OCD, is that it only works if the Docker container name is lowercase sonarr. I like to have my dockers properly labeled, so I would like it to be Sonarr. I went into the Proxy-Conf folder and changed set $upstream_sonarr sonarr; to set $upstream_sonarr Sonarr; in both locations, then restarted LetsEncrypt after changing the container name back to Sonarr, but I get a 502 Bad Gateway when I do. Is there something I can do to fix this naming dilemma?

 

Also, does anyone have a proxy-conf file for NowShowingv2?

 

Thanks, 

In your sonarr container settings, open advanced and into extra arguments enter --network-alias=sonarr

Edited by aptalca
12 hours ago, aptalca said:

In your sonarr container settings, open advanced and into extra arguments enter --network-alias=sonarr

Thank you! This worked perfectly! Now I just need to figure out how to make proxy-confs for the apps that don't have templates. Gonna try to figure this out today.


Hello, can someone help me? Let's Encrypt is not working, even though I configured everything as it should have been done.

 

https://gyazo.com/3be724840cde3467cbf1451bd5994d69 - Docker Containers

https://gyazo.com/d0a16a5c0b0560397fc05435dcf12d8f - Lets Encrypt Config

https://gyazo.com/6e3711b7907d19b2cacf68209cd8cb1a - Conf Files

https://gyazo.com/1dd6daa8bb1dd414ef366ba557b28839 - Port Forwarding

https://gyazo.com/61cf2ada525841a28063e6d399e19f91 - CNAME Records

https://gyazo.com/4c340a2ed20d568f20577af70d3e9661 - Lets Encrypt Logs

 

Edited by Guest