[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



27 minutes ago, growlith said:

Were you able to get this to work with Google DNS?

I have 25 subdomains and a wildcard cert seems like it would make more sense at this point.
I get to the acme-challenge step and it says that it cannot find a text record.

 

I set up the service account, the DNS API, the managed zone. Not sure what I am missing.

Just to confirm, are you using Google Cloud DNS and not Google Domains DNS?

 

This only works with Google Cloud DNS, the paid version.

On 7/24/2019 at 2:22 AM, ebnerjoh said:

Hi,

 

was there recently a change on Let's Encrypt? Today my websites were broken because the certificate was not renewed. Last renewal was in April. In the logs I cannot find a related error; of course there are warnings, but I do not think they are responsible for the issue.

 


-------------------------------------

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=familie-ebner.at
SUBDOMAINS=cloud,tauchen,solar,ha,solar2,nr,nr2,wetter,wetter2,mqtt,
EXTRA_DOMAINS=cloud.ff-metnitz.at,slideshow.ff-metnitz.at,backup.ff-metnitz.at,
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d cloud.familie-ebner.at -d tauchen.familie-ebner.at -d solar.familie-ebner.at -d ha.familie-ebner.at -d solar2.familie-ebner.at -d nr.familie-ebner.at -d nr2.familie-ebner.at -d wetter.familie-ebner.at -d wetter2.familie-ebner.at -d mqtt.familie-ebner.at
EXTRA_DOMAINS entered, processing
Extra domains processed are: -d cloud.ff-metnitz.at -d slideshow.ff-metnitz.at -d backup.ff-metnitz.at
E-mail address entered: [email protected]
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/ha.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/mqtt.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/nr.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/nr2.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/wetter.familie-ebner.at:42
nginx: [warn] the "ssl" directive is deprecated, use the "listen ... ssl" directive instead in /config/nginx/site-confs/wetter2.familie-ebner.at:42
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:

no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
nginx: [warn] conflicting server name "wetter.familie-ebner.at" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "wetter2.familie-ebner.at" on 0.0.0.0:80, ignored
nginx: [warn] conflicting server name "wetter.familie-ebner.at" on 0.0.0.0:443, ignored
nginx: [warn] conflicting server name "wetter2.familie-ebner.at" on 0.0.0.0:443, ignored
Server ready

 

Did you find a solution for this? I just updated the container yesterday and now all my sites are down with this error.

 

EDIT: I eliminated this error by commenting out the ssl on; because apparently it's not needed with the listen 443 ssl http2;

However, in doing this, I now have a new error:

 

nginx: [emerg] the size 52428800 of shared memory zone "SSL" conflicts with already declared size 10485760 in /config/nginx/ssl.conf:3

 

I am not finding much on Google, any advice is appreciated!

 

Edited by WexfordStyle
corrected and found another error
On 12/8/2019 at 3:44 PM, WexfordStyle said:

Did you find a solution for this? I just updated the container yesterday and now all my sites are down with this error.

 


Also having this exact problem after doing my weekly updates on Sunday. Can't seem to find a solution though?


Getting "Let's Encrypt certificate expiration notice". I had thought, in the past, certs were automatically renewed? Or you could force renewal by stopping and starting LE? I can delete and start again but this just started happening in the past few weeks. All was good previously. Just wondering as in the notes above others are having some weirdness. I can submit logs if that helps?

7 minutes ago, TexasDave said:

Getting "Let's Encrypt certificate expiration notice". I had thought, in the past, certs were automatically renewed? Or you could force renewal by stopping and starting LE? I can delete and start again but this just started happening in the past few weeks. All was good previously. Just wondering as in the notes above others are having some weirdness. I can submit logs if that helps?

I would. That would help to troubleshoot.


Log from starting earlier today... deleted email and domains.


 

-------------------------------------

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=duckdns.org
SUBDOMAINS=aaa,bbb,ccc
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d aaa -d bbbb -d cccc
E-mail address entered: [email protected]
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

 

50 minutes ago, TexasDave said:

Log from starting earlier today... deleted email and domains.


Did you check whether the certificate is really expiring?

 

The certificate is renewed at night, so be sure to leave your server on or else it will not be renewed.

You can also just add a new fake subdomain to trigger a new certificate.


I used this handy site (check-your-website.server-daten.de) to check and yes, the certs were expiring.

 

In the docker I deleted one of my domains, then added it back, and now I am back on the 90 day window (cheating, I know).

 

I suspect that it relates to a restore I had to do a few months ago and it is now just manifesting itself. But now sorted...

 

Two side questions - how do you access certbot or ssl-cert from the command line in unRAID? Or how can I check cert status directly from unRAID rather than using a third-party site? Just curious. Thanks!

Load your site in the browser and check the cert in Chrome/Firefox

Sent from my Mi A1 using Tapatalk


Hello, wondering if an expert can immediately identify the problem here to save me some time messing with my app subfolder conf. 
 

I have my webapp accessible via https://mydomain.duckdns.org:444/appname/
 

This successfully brings you to the login page for this webapp. Once you submit your credentials, you get sent to:


https://mydomain.duckdns.org/appname/entrance/

 

instead of 

 

https://mydomain.duckdns.org:444/appname/entrance/

 

If you go ahead and add the port back in, then you're fine the rest of the way, but that initial login causes the port to disappear from the URL.

 

location ^~ /appname {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
    proxy_pass http://appname:80;
}

 

Any ideas what I need to add to solve this? Thanks!

1 hour ago, josh1014 said:

Hello, wondering if an expert can immediately identify the problem here to save me some time messing with my app subfolder conf.


Probably the app redirecting to the host address without the port.


Hey guys,

I'm looking to set up minio with LE, however, I don't see a minio in the config files. Could someone help me out with how to make a config file for it? I really don't have a clue how to write them or what it needs to say. Would appreciate some help with this. Thanks so much!


Hi,

I'm trying to get a conf made for traccar. I found this, but it doesn't work, so can someone point me in a direction why it fails, or perhaps share a working conf?

 

server {
    listen          IP:80;
    server_name     DOMAIN.COM;

    location / {
        proxy_pass http://127.0.0.1:8082;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /api/socket {
        proxy_pass http://localhost:8082/api/socket;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

 

5 hours ago, SDEN said:

Hi,

I'm trying to get a conf made for traccar. I found this, but it doesn't work, so can someone point me in a direction why it fails, or perhaps share a working conf?


Both localhost and 127.0.0.1 refer to locations inside the letsencrypt container. Replace that with an address letsencrypt can use to access traccar.

 

Also it's set to listen only on port 80, which is not right.

 

Don't copy paste a config from elsewhere. Take an existing proxy conf and modify accordingly. Also see the examples provided in the default site conf.

Edited by aptalca

I have this working on my unraid server with sonarr, radarr, nextcloud and plex. But I have another Ubuntu NUC server running Invoice Ninja. I have made a subdomain for it, but how do I create a .conf file for it to use outside of the docker network?

 

Thanks

Edited by Technazz
6 hours ago, Technazz said:

I have this working on my unraid server with sonarr, radarr, nextcloud and plex. But I have another Ubuntu NUC server running Invoice Ninja. I have made a subdomain for it, but how do I create a .conf file for it to use outside of the docker network?

 

Thanks

Modify an existing conf and use the IP in the proxy_pass directive.


Just had my certificates expire. Restarted the LE container several times, but it never tried to renew the cert. I also backup my appdata every night, so the container gets restarted nightly. Ended up having to run the renew command manually. 

 

I had gotten some emails saying the certificates were set to expire today, but I just assumed that was normal and that they would get renewed automatically. Guess not.

 

cronjob running on Sun Nov 17 02:08:00 CST 2019
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem expires on 2019-12-26 (skipped)
No renewals were attempted.
No hooks were run.

I found this repeated over and over in the letsencrypt logs. So it knew it was expiring, but never renewed it.

 

Is there anything glaringly obvious that would keep the LE container from renewing the certificates automatically?

Edited by drawmonster
3 hours ago, drawmonster said:

Just had my certificates expire. Restarted the LE container several times, but it never tried to renew the cert. I also backup my appdata every night, so the container gets restarted nightly. Ended up having to run the renew command manually.


Don't run commands to renew the certificate yourself.

Is your time and date in unraid correct?

You can trigger an update by simply adding a subdomain. After that, you can remove it.
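An added example, not code from the thread or from the linuxserver.io container: a small Python script that reads the certbot lines quoted above (the command-line check TexasDave asked about, and the date question in the reply) and reports, against a clock you trust, how many days each certificate has left, whether certbot's 30-day rule should have fired, and whether the container's clock disagrees with yours. The assumption that the last "cronjob running on" line is last night's run, and the sample log, are mine.

```python
import re
from datetime import datetime, timedelta

RENEW_BEFORE = timedelta(days=30)  # certbot renews once fewer than 30 days remain
NIGHTLY = timedelta(days=1)        # the container's renewal cron runs once a night

# Constructed sample: the certbot excerpt quoted in the thread, domain left as posted.
SAMPLE_LOG = """\
cronjob running on Sun Nov 17 02:08:00 CST 2019
Running certbot renew
Processing /etc/letsencrypt/renewal/mydomain.com.conf
Cert not yet due for renewal
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem expires on 2019-12-26 (skipped)
No renewals were attempted.
"""

# "Sun Nov 17 02:08:00 CST 2019": the weekday and zone name are skipped because
# strptime's %Z rejects zone names such as CST on most systems.
CRON_RE = re.compile(r"cronjob running on \w{3} (\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ (\d{4})")
EXPIRY_RE = re.compile(r"(/etc/letsencrypt/live/\S+) expires on (\d{4}-\d{2}-\d{2})")


def latest_cron_run(log):
    """Timestamp of the last 'cronjob running on' line, as the container's clock saw it."""
    runs = CRON_RE.findall(log)
    if not runs:
        raise ValueError("no 'cronjob running on' line in log")
    stamp, year = runs[-1]
    return datetime.strptime(f"{stamp} {year}", "%b %d %H:%M:%S %Y")


def cert_expiries(log):
    """Map each fullchain.pem certbot reported to the expiry date it printed."""
    return {p: datetime.strptime(d, "%Y-%m-%d") for p, d in EXPIRY_RE.findall(log)}


def renewal_report(log, now):
    """Judge the log against a clock you trust (`now`: datetime or ISO string, e.g. taken
    from the unRAID host). Assumes the last cron line is last night's run, so the
    container's clock should be within a day of `now`; a larger gap means its date is off."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    cron_time = latest_cron_run(log)
    skew = now - cron_time
    report = {"clock_skew_days": skew.days, "clock_suspect": abs(skew) > NIGHTLY, "certs": {}}
    for path, expiry in cert_expiries(log).items():
        remaining = expiry - now
        report["certs"][path] = {
            "days_left": remaining.days,
            "expired": remaining <= timedelta(0),
            "renewal_due": remaining < RENEW_BEFORE,
            # what certbot concluded, since it only knows the container's own clock
            "certbot_thought_due": expiry - cron_time < RENEW_BEFORE,
        }
    return report


if __name__ == "__main__":
    import json
    import sys
    # Pass the container's letsencrypt log as the first argument; otherwise the sample runs.
    log = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(renewal_report(log, datetime.now()), indent=2, default=str))
```

A cert that is expired or within 30 days while the report says certbot thought it was not due, together with a large clock skew, is the signature of the wrong-date problem asked about in the reply.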

