[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



15 minutes ago, unMaxe said:

 

Yes, I took that into account; my configuration works fine with 443. I had also referred to spaceinvader's tutorial :))

 

I only changed the port in nextcloud.conf from 443 ssl to 53444 ssl, and the router config from outside port 443 to 53444; all other config is the same. The router does not seem to be the problem, because my web request reaches the nginx proxy.

OK then, but I also think you are in the wrong config file.

My Nextcloud installation is on port 444; my config (the same as you posted above) still uses port 443.

 

Maybe change the port in the docker configuration / Unraid web GUI?

Edited by Toobie
Link to comment
4 hours ago, unMaxe said:

Hello, it works great, but now I want to configure the reverse proxy with a specific SSL port (standard SSL 443 works fine) for Nextcloud.

 

I tried to change the port in nextcloud.conf, but then I get a "403 Forbidden nginx/1.16.0" error. What am I doing wrong? Thank you very much in advance. The router is configured with this port. Standard SSL (443) works.


server {
    listen 53444 ssl;
    listen [::]:53444 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
}


 

Take a step back. What exactly are you trying to achieve?

Are you trying to be able to access nextcloud at https://yourdomain.com:53444 ?

Link to comment

 


For the standard SSL port 443 (which works):

 

port 443 (internet) => 443 to 1621 (router) => nginx (letsencrypt) "listen 443 ssl" maps to the nextcloud docker

 

 

My dream :):

 

port 51123 (internet) => 51123 to 1621 (router) => nginx (letsencrypt) "listen 51123 ssl" maps to the nextcloud docker. Compared with the working setup above, I change only the "listen 51123 ssl" line in nextcloud.subdomain.conf (letsencrypt docker).

 

 

But I tried some different settings and could now narrow the problem down a little bit. The problem is the Nextcloud "nginx" settings, not the letsencrypt docker. I tested forwarding port 51123 directly (without the reverse proxy (letsencrypt docker)) to Nextcloud => same error: "403 Forbidden nginx/1.16.0" ... so it's a config issue in the nextcloud docker, but where should I configure that? I am a little bit confused now...

 

Edit:

OK, my "noob" problem is partially solved:

setting in Nextcloud config.php under "trusted_domains":

 

  'trusted_domains' =>
  array (
    0 => 'xx.xx.xx.xx:51123',   // internal IP
    1 => 'my.domain.com:51123', // domain
    2 => 'xx.xx.xx.xx:51123',   // external IP
  ),

 

BUT it works only for the internal and external IP, not for the domain!

Edited by unMaxe
Link to comment
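As an added example that is not from the thread or from the linuxserver.io image: a complete nextcloud.subdomain.conf server block for a non-standard public port, with the proxy headers written out instead of pulled in from proxy.conf, so it is visible which Host value Nextcloud actually receives. Port 53444 and the container name nextcloud are the post's; the hostname and everything else are assumptions. The point a practitioner should check is that nginx's `$host` is the Host header with any port removed, while `$http_host` is the header exactly as the client sent it, and the trusted_domains entry in Nextcloud's config.php has to match whichever of the two is forwarded.

```nginx
# nextcloud.subdomain.conf: Nextcloud published on a non-standard HTTPS port.
# Added example; hostname, port and container name are assumptions.
server {
    listen 53444 ssl;
    listen [::]:53444 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;

        # $http_host keeps the port the client used ("cloud.example.com:53444").
        # $host would strip it to "cloud.example.com"; Nextcloud's
        # trusted_domains entry must match the value that arrives here.
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Port $server_port;   # 53444

        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
}
```

With `$http_host` forwarded as above, the matching config.php entry is `cloud.example.com:53444`. Setting `overwritehost` to that same value and `overwriteprotocol` to `https` keeps the links Nextcloud generates pointing at the public port rather than at the container's own 443, and `trusted_proxies` should list the proxy's address so the X-Forwarded-For value is honoured.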
On 8/6/2019 at 5:06 PM, aptalca said:

The only thing I can think of is that geoip v1 was recently removed as it was deprecated a while back and now the databases are no longer available.

 

If you were using geoip, that will result in a failure.

 

Geoip v2 is included in the image with an up-to-date database. You can use that instead

I'm having the same problem and wish to ensure I'm using GeoIP v2. I checked the GitHub page but couldn't make much sense of it. Can someone point me in the right direction please? Under my appdata I see a folder called geoip2. Presumably it's simply a matter of locating the appropriate conf file and referencing the right file? Correct? Sorta...? Thanks!!

Link to comment
4 hours ago, pimogo said:

I'm having the same problem and wish to ensure I'm using GeoIP v2. I checked the GitHub page but couldn't make much sense of it. Can someone point me in the right direction please? Under my appdata I see a folder called geoip2. Presumably it's simply a matter of locating the appropriate conf file and referencing the right file? Correct? Sorta...? Thanks!!

See this post: 

 

Link to comment

Trying to display an image in a directory of images using this. I have a directory of jpg files. I've got this index.php in there:

 

<?php
// Show the newest (highest-sorting) JPEG from the camera directory.
$dirname = "/camera/";
$images  = glob($dirname . "*.jpg");

// glob() returns false on error; start from an empty list in that case.
$list = is_array($images) ? $images : [];
sort($list);

if (empty($list)) {
    echo "<p>No images found.</p>";
} else {
    // The URL path /camera/... equals the filesystem path because nginx serves
    // this location with "root /". Encode the name before echoing it into HTML
    // so an odd filename cannot inject markup.
    $newest = basename(array_pop($list));
    echo '<br><img src="/camera/' . htmlspecialchars(rawurlencode($newest), ENT_QUOTES) . '"><br><br>';
}
?>

I've tested the above and it works with php called from the shell. So this folder is in the docker at /camera/

 

here's my site config:

upstream backend {
	server 192.168.69.94:19999;
	keepalive 64;
}

server {
	listen 443 ssl default_server;
	listen 80 default_server;
	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}


	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'xxx';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

	location /camera {
		root /;
		index index.php;
	}


	location = / {
		return 301 /htpc;
	}


	location /sonarr {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.69.94:8989/sonarr;
	}

	location /tautulli {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.69.94:8181/tautulli;
	}

	location /radarr {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.69.94:7878/radarr;
	}

	location /htpc {
		include /config/nginx/proxy.conf;

		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass http://192.168.69.94:8085/htpc;

	}

	
	location /downloads {
		include /config/nginx/proxy.conf;
		proxy_pass  http://192.168.69.94:8112/;
		proxy_set_header  X-Deluge-Base "/downloads/";
	}
	
	location /nextcloud {
		include /config/nginx/proxy.conf;
		proxy_pass https://192.168.69.94:1443/nextcloud;
	}
	

}

It continues to give me the following error message:

 

2019/08/08 20:34:36 [error] 368#368: *5 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 192.168.69.1, server: _, request: "GET /camera/ HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "xx.net"

 

Link to comment
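The "Primary script unknown" in the log is php-fpm saying the file nginx named does not exist. In the posted config the only PHP handler is the server-level `location ~ \.php$`, where `$document_root` is the server root /config/www, so php-fpm was asked for /config/www/camera/index.php. As an added example (not the poster's config), here is a replacement for the posted `location /camera` block with its own handler that executes exactly one script; the php-fpm address 127.0.0.1:9000 and the fastcgi_params path are taken from the posted config.

```nginx
# Added example: /camera with its own PHP handler. Drop this in place of the
# posted "location /camera { root /; index index.php; }" block.

location ^~ /camera/ {
    # ^~ : for URIs under /camera/, stop here and do not consult the
    # server-level regex locations (including the generic .php handler).
    root /;                  # /camera/ on disk is /camera/ in the URL
    index index.php;         # GET /camera/ -> internal redirect to index.php

    # Exactly one script may run here. Because this is an exact-match
    # location, the script path is spelled out and no part of it comes
    # from the request.
    location = /camera/index.php {
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME /camera/index.php;
        fastcgi_pass 127.0.0.1:9000;
    }

    # Any other *.php in this directory (a camera upload with that name,
    # for instance) is neither executed nor served.
    location ~ \.php$ {
        return 404;
    }

    # Everything else under /camera/ (the JPEGs) is served as static files.
}
```

Two things to check after the change: the prefix now requires the trailing slash, so `GET /camera` without it falls through to the server root and 404s; and the php-fpm worker inside the container must be able to read /camera, or the same error comes back as a permissions problem.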
On 8/7/2019 at 7:34 PM, pimogo said:

I'm having the same problem and wish to ensure I'm using GeoIP v2. I checked the GitHub page but couldn't make much sense of it. Can someone point me in the right direction please? Under my appdata I see a folder called geoip2. Presumably it's simply a matter of locating the appropriate conf file and referencing the right file? Correct? Sorta...? Thanks!!

I used this link to help update my geoblocksites.conf

 

https://technicalramblings.com/blog/blocking-countries-with-geolite2-using-the-letsencrypt-docker-container/

Link to comment
22 hours ago, aptalca said:

See this post: 

 

Yes, I looked at that previously but couldn't make heads or tails of it. Do I bash into the letsencrypt docker and start the install from the section "Download nginx source" on the GitHub page? And if so, do I go the dynamic or static route? Sorry for the questions, but I am genuinely trying. Thanks

Link to comment
9 hours ago, pimogo said:

Yes, I looked at that previously but couldn't make heads or tails of it. Do I bash into the letsencrypt docker and start the install from the section "Download nginx source" on the GitHub page? And if so, do I go the dynamic or static route? Sorry for the questions, but I am genuinely trying. Thanks

Everything's already installed. You just edit the nginx config to enable it however you like

Link to comment
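The "edit the nginx config to enable it" step, as an added example rather than the image's own geoip2 config: the `geoip2` and `map` directives belong in the http context (nginx.conf, or a file included from its http {} block), and the check goes into each server block you want gated. The database path is an assumption (check with `ls /config` inside the container), and the country list, hostname and upstream are illustrative.

```nginx
# geoip2 country allow-list (added example, not the image's shipped config).

# --- http-context part: nginx.conf, or a file included from http {} ---

geoip2 /config/geoip2db/GeoLite2-Country.mmdb {   # path assumed
    auto_reload 60m;                               # pick up database updates
    $geoip2_country_code country iso_code;         # e.g. "DE"; "" if unknown
}

# Default-deny: only the listed ISO 3166-1 alpha-2 codes map to "yes".
map $geoip2_country_code $allowed_country {
    default no;
    ""      yes;   # not in the database: LAN/RFC1918 and Docker-internal clients
    DE      yes;
    NL      yes;
}

# --- server-context part: one gated proxy host (hostname/upstream assumed) ---

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ombi.*;

    include /config/nginx/ssl.conf;

    # 444 closes the connection without sending any response.
    if ($allowed_country = no) {
        return 444;
    }

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ombi ombi;
        proxy_pass http://$upstream_ombi:3579;
    }
}
```

The `"" yes` line is a deliberate choice, not a requirement: it keeps LAN clients working, but it also admits any public address the database has no record for. If that is unacceptable, drop the line and allow your private ranges explicitly with nginx's `geo` module instead.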
On 8/2/2019 at 2:57 PM, aptalca said:

We can add that, too if it doesn't add too much bloat

Hello, there have been quite a few updates to the container since this post. Can you please tell me if this was enabled? If so how would one activate it.

 

Also, is there somewhere that I can check for release notes on updates to the container?

Link to comment
1 hour ago, Riotz said:

Hello, there have been quite a few updates to the container since this post. Can you please tell me if this was enabled? If so how would one activate it.

 

Also, is there somewhere that I can check for release notes on updates to the container?

GitHub readme and the docker hub pages both have changelogs

Link to comment

Hi,

 

I'm trying to enable htpasswd on letsencrypt.

So far I've created the htpasswd file and edited each conf file I'm using in...

appdata\letsencrypt\nginx\proxy-confs

These 2 lines...

        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;

removing the # in Notepad++

I have not edited any other files.

 

After restarting letsencrypt and browsing to the URL of a docker:

I am doing this either on my phone's IP (not Wi-Fi) or testing over a VPN on my PC.

For example, for both Sonarr and Radarr I get the htaccess user/password prompt.

When I enter the correct details, another prompt comes up, but the password is not accepted.

fail2ban is banning.

 

Is there anything else I need to do or missed to get this working correctly?

 

Thanks

 

Link to comment
2 hours ago, Lien1454 said:

Hi,

 

I'm trying to enable htpasswd on letsencrypt.

So far I've created the htpasswd file and edited each conf file I'm using in...

appdata\letsencrypt\nginx\proxy-confs

These 2 lines...

        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;

removing the # in Notepad++

I have not edited any other files.

 

After restarting letsencrypt and browsing to the URL of a docker:

I am doing this either on my phone's IP (not Wi-Fi) or testing over a VPN on my PC.

For example, for both Sonarr and Radarr I get the htaccess user/password prompt.

When I enter the correct details, another prompt comes up, but the password is not accepted.

fail2ban is banning.

 

Is there anything else I need to do or missed to get this working correctly?

 

Thanks

 

You likely have double auth, once through htpasswd and once through sonarr/radarr

 

Two solutions:

1) remove internal auth in sonarr/radarr and only rely on http auth, or

2) make sure the username and password are exactly the same for htpasswd and the app's internal auth

Edited by aptalca
Link to comment
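For the first of the two solutions, as an added example that is not the image's sample config: a proxy-conf in which nginx is the only place the password is checked, and the browser's credentials are not forwarded to the app at all. The container name sonarr and port 8989 are the image's defaults; the rest is assumed. Sonarr's own API clients authenticate with an X-Api-Key header rather than Basic auth, which is why /api is exempted.

```nginx
# sonarr.subdomain.conf (added example). Assumes Sonarr's internal
# authentication has been switched off, per solution 1 above.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name sonarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # Single point of authentication. fail2ban's nginx-http-auth jail watches
    # the 401s this produces, so a wrong password still costs a ban.
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;

        # An empty value removes the header: Sonarr never sees the
        # reverse-proxy credentials, so they cannot end up in its logs
        # or be re-checked by a second authenticator.
        proxy_set_header Authorization "";

        proxy_pass http://$upstream_sonarr:8989;
    }

    # API calls from Ombi/Radarr-style integrations carry X-Api-Key,
    # not a Basic-auth header, so they would fail the prompt above.
    location ~ ^/api {
        auth_basic off;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }
}
```

With the /api exemption in place the API is guarded only by Sonarr's API key, so treat that key as a credential. The double prompt in the original report is what happens when the header is forwarded unchanged: the app rejects the proxy's credentials with its own 401, the browser asks again, and the second answer fails at nginx, which is what fail2ban then acts on.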
On 5/7/2019 at 3:51 AM, Draco said:

Hi There,

 

I have done a bunch of searching here and elsewhere and can't seem to find an answer on this.

 

1. I have OpenVPN AS setup in a docker with ports 943 Web and 9443 TCP VPN port open

2. I am looking to use letsencrypt to redirect 443 for domain vpn.duckdns.org to local server 192.168.1.5:9443 for vpn connections

 

Does anyone have any idea how I would set this up in the letsencrypt docker? The reason for this is that work is blocking anything but HTTP/HTTPS, so I need to access it on one of these open ports.

 

Help would greatly be appreciated.

 

Thanks!

 

On 5/7/2019 at 5:28 AM, aptalca said:

Google nginx tcp stream proxy. It's very easy and straightforward.

 

I also would like a way to redirect OpenVPN through letsencrypt. Is it done through its own special conf file, or do we edit the nginx default conf file to do it?

 

@Draco - did you ever find an answer and get this working?

 

 

@aptalca - can you provide specific URLs with answers or configurations? I have done the generic google search for "nginx tcp stream proxy" and came up with nothing very useful.

Link to comment
6 hours ago, StanC said:

 

 

I also would like a way to redirect OpenVPN through letsencrypt. Is it done through its own special conf file, or do we edit the nginx default conf file to do it?

 

@Draco - did you ever find an answer and get this working?

 

 

@aptalca - can you provide specific URLs with answers or configurations? I have done the generic google search for "nginx tcp stream proxy" and came up with nothing very useful.

Add this to the bottom of your nginx.conf file and put in your IP and port for OpenVPN:

 

 

stream {

    log_format basic '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time';
    access_log /config/log/nginx/streamaccess.log basic;
    error_log /config/log/nginx/streamerror.log;

    server {
        listen 80;
        proxy_pass serverip:port;
    }
}

Edited by aptalca
Link to comment
1 hour ago, aptalca said:

Add this to the bottom of your nginx.conf file and put in your IP and port for OpenVPN:

 

 

stream {

    log_format basic '$remote_addr [$time_local] '
                 '$protocol $status $bytes_sent $bytes_received '
                 '$session_time';
    access_log /config/log/nginx/streamaccess.log basic;
    error_log /config/log/nginx/streamerror.log;

    server {
        listen 80;
        proxy_pass serverip:port;
    }
}

Okay added to the bottom of \appdata\letsencrypt\nginx\nginx.conf. Now I am seeing this in the log after restarting:

 

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)

 

There must be something missing because none of the reverse proxy sites are working now (nextcloud, etc). I have disabled the stream statement for now.

Edited by StanC
Update
Link to comment

Hi there!

 

I hope i'm at the right address here, no pun intended :P

I have configured the lets encrypt docker successfully and running 3 containers (heimdall, nextcloud and ombi) on the network i called "proxynet" and all of them are externally working.

The only thing I can't fully work out yet is how I can let Ombi communicate with Sonarr and Radarr, which are both on a different VLAN for VPN purposes, in conjunction with a pfSense VM in that same VLAN (this way nzbget only downloads through the VPN via pfSense).

 

I do not want to expose Sonarr and Radarr through proxy, just through the separate vlan. 

I hope i'm clear, its a bit of a somewhat complex setup 😊

 

So I hope anyone can point me in the right direction, if at all it is possible to have a proxied container on a VLAN talk to a container on a different VLAN within Unraid...

 

Link to comment
6 hours ago, StanC said:

Okay added to the bottom of \appdata\letsencrypt\nginx\nginx.conf. Now I am seeing this in the log after restarting:

 

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)

 

There must be something missing because none of the reverse proxy sites are working now (nextcloud, etc). I have disabled the stream statement for now.

You need to disable your http to https redirect in your default site config. You can't have both http and stream listening on port 80

Link to comment
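Dropping the port-80 listener is the quick fix, but it also removes the HTTP-to-HTTPS redirect and, if the container validates certificates over HTTP, the path certbot uses for that. As an added example that is not from the thread or the image, and that goes beyond the snippet above, here is the other way to satisfy Draco's original requirement (OpenVPN reachable on 443 alongside the web apps): a stream server owns the public 443 and routes on the TLS SNI name, passing ClientHellos that carry a hostname to nginx's own HTTPS server blocks (moved to a loopback port) and everything else to OpenVPN AS, whose TCP transport does not begin with a TLS record. The OpenVPN address 192.168.1.5:9443 is Draco's; the loopback ports 8443 and 8444 and the log paths are assumptions.

```nginx
# nginx.conf additions (added example, not the thread's or the image's config).
# Needs the stream, stream_ssl_preread and http_realip modules.
#
# Step 1, in the http context (default.conf and the proxy-confs): replace every
#   "listen 443 ssl;" / "listen [::]:443 ssl;" with
#   "listen 127.0.0.1:8443 ssl proxy_protocol;"
# and add to the http {} block
#   set_real_ip_from 127.0.0.1;
#   real_ip_header   proxy_protocol;
# so $remote_addr, the access log, fail2ban and geoip still see the real
# client. The port-80 redirect server stays exactly as it is.
#
# Step 2, outside the http {} block:
stream {
    log_format basic '$remote_addr [$time_local] $protocol '
                     '$status $bytes_sent $bytes_received $session_time '
                     'sni="$ssl_preread_server_name" upstream=$stream_backend';
    access_log /config/log/nginx/streamaccess.log basic;
    error_log  /config/log/nginx/streamerror.log;

    # A TLS ClientHello with any SNI name -> nginx's own HTTPS server blocks.
    # Anything else (OpenVPN's framing is not a TLS record, so ssl_preread
    # leaves the variable empty) -> the OpenVPN hop below.
    map $ssl_preread_server_name $stream_backend {
        ~.      127.0.0.1:8443;
        default 127.0.0.1:8444;
    }

    # Public 443: peek at the first bytes, then hand the connection off.
    server {
        listen 443;
        listen [::]:443;
        ssl_preread on;
        proxy_protocol on;          # carry the client address to either hop
        proxy_pass $stream_backend;
    }

    # OpenVPN does not understand the PROXY protocol header, so a second hop
    # accepts it on loopback and forwards a clean TCP stream.
    server {
        listen 127.0.0.1:8444 proxy_protocol;
        proxy_pass 192.168.1.5:9443;   # OpenVPN AS TCP port (Draco's values)
    }
}
```

Two consequences worth knowing before switching this on: the OpenVPN client profile must use TCP on port 443, and any client that opens a TLS connection to the server's bare IP without SNI (scanners, `curl https://1.2.3.4`) lands on OpenVPN rather than on a web page, which is usually what you want.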
49 minutes ago, SirCaveman said:

Hi there!

 

I hope i'm at the right address here, no pun intended :P

I have configured the lets encrypt docker successfully and running 3 containers (heimdall, nextcloud and ombi) on the network i called "proxynet" and all of them are externally working.

The only thing I can't fully work out yet is how I can let Ombi communicate with Sonarr and Radarr, which are both on a different VLAN for VPN purposes, in conjunction with a pfSense VM in that same VLAN (this way nzbget only downloads through the VPN via pfSense).

 

I do not want to expose Sonarr and Radarr through proxy, just through the separate vlan. 

I hope i'm clear, its a bit of a somewhat complex setup 😊

 

So I hope anyone can point me in the right direction, if at all it is possible to have a proxied container on a VLAN talk to a container on a different VLAN within Unraid...

 

If sonarr and radarr are on macvlan, and others are on a custom bridge, they won't be able to connect to each other. That's a docker security feature to prevent connections between the host (and the host networks) and macvlan

Link to comment
