[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



43 minutes ago, EdgarWallace said:

Anyone else having an issue with the renewal of the certs? I am leaving the server switched on during the night, and having looked at the "Troubleshooting Letsencrypt Image Port Mapping and Forwarding" guide, I can access my server via a cell phone as described in the troubleshooting guide. I haven't changed my router settings either (ports 443 and 80 have been forwarded for years...). I have no idea where to look next.


Since this morning, I have a similar issue: I can't access my locally hosted websites from within my local network, but I can access them via my cell phone (on 4G).

My certs were correctly renewed, though; I followed @aptalca's guide (setting STAGING to false, then true).

Anyone else in my case?

I can post logs if wanted (but they all seem fine).

EDIT: for the setup of everything, I followed @SpaceInvaderOne's many guides.

Edited by Menthalo
Link to comment
19 minutes ago, Menthalo said:

Since this morning, I have a similar issue: I can't access my locally hosted websites from within my local network, but I can access them via my cell phone (on 4G).

My certs were correctly renewed, though; I followed @aptalca's guide (setting STAGING to false, then true).

Anyone else in my case?

I can post logs if wanted (but they all seem fine).

EDIT: for the setup of everything, I followed @SpaceInvaderOne's many guides.

If you can access via cell phone, then there is nothing wrong with letsencrypt or the ports. The issue is your router. Google "hairpin NAT" or "NAT loopback".

On 3/9/2020 at 8:42 AM, aptalca said:

You'll have to create a new server block for the subdomain. See the default proxy conf for examples. Server name is defined in there. And then, inside that new server block, you'll create a location block for whatever subfolder you want. 

Thanks @aptalca, got it working exactly how I wanted!
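A subdomain server block with a single subfolder location, as aptalca describes above, written out as an added example (it is not the thread's own config nor one of SWAG's shipped proxy confs, though it follows their layout); the container name `myapp`, port `8080` and path `/tools/` are assumed placeholders, and the two `include` files are the ones the image's sample confs reference, so check your own `/config/nginx` if yours differ.

```nginx
# Added example: myapp.<yourdomain> proxies only the /tools/ subfolder.
# Assumed file name: /config/nginx/proxy-confs/myapp.subdomain.conf
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # server_name is what selects this block for the subdomain; the wildcard
    # matches whatever base domain the certificate was issued for.
    server_name myapp.*;

    # TLS settings shared by every server block in the container
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # Only this subfolder is forwarded to the backend. Requests for anything
    # else on the subdomain stay inside nginx (normally a 404), which keeps
    # the backend's other paths off the internet.
    location /tools/ {
        include /config/nginx/proxy.conf;

        # Docker's embedded DNS, so the container name still resolves after
        # the backend container is recreated
        resolver 127.0.0.11 valid=30s;

        set $upstream_app myapp;
        set $upstream_port 8080;
        set $upstream_proto http;

        # No URI part on purpose: with variables in proxy_pass, nginx passes the
        # original request URI through unchanged, so the backend must itself
        # serve under /tools/ (its base URL setting).
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

The block is picked up on container restart; nothing else on the page's setup (ports, certificate, DNS validation) changes for it.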

On 3/10/2020 at 8:00 PM, aptalca said:

If you can access via cell phone, then there is nothing wrong with letsencrypt or the ports. The issue is your router. Google "hairpin NAT" or "NAT loopback".

Thanks @aptalca. I am using a FritzBox as router; I searched for what you suggested, added myurl.com to the DNS Rebind Protection exception field and rebooted my router. Still no luck. The question remains why the error is coming up now.

 

Edited by EdgarWallace

Hello everyone!

 

I believe this is going to be a long post, so let's get going!

I'm having issues configuring letsencrypt on my unraid server.

 

I followed the excellent video made by Spaceinvader One on the topic, and did everything he showed on the video.

 

Here's my network config:

Internet => Router (Asus RT AC66U) => LAN (Unraid, Desktop, Phones, etc)

 

I watched the video and when I checked the log, the server wasn't coming online, the error message was the one about possible firewall blocking.

After some research, it seems that my ISP blocks port 80.

 

Because of this, I purchased a domain to be able to use the DNS method.

I watched the other video on the subject (I'm not pasting the links, to keep this post as clean as possible, but I can provide the link if someone wants it) and configured everything, using duckdns and cloudflare; now the letsencrypt server shows that it is ready.

However, I still can't access my server from the internet... Tried with ubooquity and rutorrent.

It shows the error 522.

After doing some research, I tried to disable the proxy on cloudflare (the orange cloud thing), and still can't access anything...

 

Here is the port forwarding from my router:

 

 

This is my docker setup

 

 

This is my letsencrypt configuration

 

 

And here is the log

 

 

I can ping domain.duckdns.org and it shows my external IP.

I can ping ubooquity.domain.com and it also shows my external IP.

If I make a DNS lookup for my domain, it correctly shows the duckdns domain

 

 

Error 522 (cloudflare proxy on)

 

 

Cloudflare proxy off

 

 

I spent a good number of hours on this matter but couldn't figure out on my own how to solve this problem...

I'm not an expert linux user (a newbie actually), but can follow instructions or guides!

Thanks in advance for the help of this great community!

 

Edit:

If I set up an nginx docker, I can reach the "Welcome to our server" message (both on domain.duckdns.org and ubooquity.domain.com) from my LAN.

However, I can't reach the same page from the internet (phone with 4G)...

Edited by luizmont
Adding nginx information
5 hours ago, luizmont said:


If I set up an nginx docker, I can reach the "Welcome to our server" message (both on luizmont.duckdns.org and ubooquity.luizmont.com) from my LAN.

However, I can't reach the same page from the internet (phone with 4G)...

Then the problem is your port forwarding.


Having issues getting Nextcloud to work. I only care about Nextcloud, no other dockers. Any help would be amazing!

 

So I half found the issue. Not sure how to resolve though.


 

This gets the error saying it needs to be set up yet.

 

However, if I alter the URL, then it works fine. How can I have it where the URL is actually correct?

 

https://mydomainname.duckdns.org/index.php/login


Edited by scubieman
On 3/12/2020 at 6:42 PM, aptalca said:

I already followed these steps, as you can see from the screenshot where I said that I made an nginx container, with the same results....

 

Okay, some new information:

I installed and configured pfSense and made the rules to forward ports 180 and 1443.

I installed sonarr and created a cname for it (sonarr.domain.com).

As before, it works on the LAN; however, outside the LAN it doesn't connect, giving a timeout error....

 

If I use WireGuard, for example, I can use it for LAN access to my LAN and for tunnel access...

 

What might be wrong in my setup?

 

Thanks!

Edited by luizmont
2 hours ago, luizmont said:

I already followed these steps, as you can see from the screenshot where I said that I made an nginx container, with the same results....


If you read the article I linked, you'll see that there is a recommended resource with a plethora of information on just port forwarding (portforward.com). Until you can reach the nginx default page on your domain via cell connection, reverse proxy won't work for you outside of the home. And if you're using http validation, letsencrypt container won't even start nginx as it won't be able to validate the cert.

On 3/13/2020 at 12:08 PM, scubieman said:

Having issues getting Nextcloud to work. I only care about Nextcloud, no other dockers. Any help would be amazing!


Nextcloud should be available at a subdomain like https://nextcloud.yoursubdomain.duckdns.org

 

How did you try to set it up?

1 hour ago, scubieman said:

What information do you need? I followed SpaceInvader One's video. I guess I did something wrong.

How you set it up.

 

"I followed X video or guide" is not the least bit helpful.

 

Like I said, you should be accessing it at the nextcloud subdomain, not the main url. Either you're not using the right address, or you set it up very differently than we suggest.

On 3/14/2020 at 9:29 PM, aptalca said:

If you read the article I linked, you'll see that there is a recommended resource with a plethora of information on just port forwarding (portforward.com). Until you can reach the nginx default page on your domain via cell connection, reverse proxy won't work for you outside of the home. And if you're using http validation, letsencrypt container won't even start nginx as it won't be able to validate the cert.

Thanks for trying to help me!

 

So, I believe I know the basics of port forwarding, and because of that (only the basics) I don't know what might be wrong in my setup...

 

On 3/14/2020 at 9:29 PM, aptalca said:

Until you can reach the nginx default page on your domain via cell connection, reverse proxy won't work for you outside of the home.

Yeah, I understand that... And I can't access the nginx default page on my cell...

It gives the time out error.

 

On 3/14/2020 at 9:29 PM, aptalca said:

And if you're using http validation, letsencrypt container won't even start nginx as it won't be able to validate the cert.

Can you elaborate on this part?

I think nginx is starting, because I can access it from LAN.

 

 

These are my port forward rules

 

 

And my docker setup

 

 

I can provide more screenshots or logs if needed.

 

Edit: adding a diagram of my network

 

Edited by luizmont
10 hours ago, luizmont said:

Thanks for trying to help me!


In your previous post, you posted port forwarding on an Asus router, now pfSense. Are you double NATting?

6 hours ago, aptalca said:

In your previous post, you posted port forwarding on an Asus router, now pfSense. Are you double NATting?

No, as I said before, I installed pfSense instead of my Asus router, to rule out any problems related to the router.

 

23 hours ago, luizmont said:

Okay, some new information:

I installed and configured pfSense and made the rules to forward ports 180 and 1443.

I installed sonarr and created a cname for it (sonarr.*******.com).

As before, it works on the LAN; however, outside the LAN it doesn't connect, giving a timeout error....

 

Edited by luizmont
domain
2 hours ago, IKWeb said:

Would I be correct in thinking if a cert that has been issued by LetsEncrypt is due to expire if I restart the container it will be re issued with a new end date? 

Not correct. You need to let the container run and it will renew it before it expires.

It attempts to renew every night at about 2.

When is your cert expiring?

1 hour ago, luizmont said:

@aptalca I have confirmed that my ISP blocks port 80 and 443 (consumer connection).

From what I have read, the only way to use letsencrypt is with DNS challenges.

Is that correct? Can you help me to configure it? Or at least point me in the direction to do this....

 

Thank you very much!

You're already using DNS validation; that's why nginx is coming up and the reverse proxy works on your LAN. If 80/443 are blocked, you'll have to use a different port to access it.

So you'll forward 444 on the router and access https://domain.com:444

47 minutes ago, aptalca said:

You're already using DNS validation; that's why nginx is coming up and the reverse proxy works on your LAN. If 80/443 are blocked, you'll have to use a different port to access it.

So you'll forward 444 on the router and access https://domain.com:444

Awesome! It worked!!!!!

 

Let me just understand something.

It is really annoying having to type both the "https://" and the ":444"

Is there a way to do it without having to add the port and the https?

