linuxserver.io

[Support] Linuxserver.io - Letsencrypt (Nginx)


@aptalca

 

Is curl already installed or would I have to install it manually?

can't remember off the top of my head but if it's not we will push an update

 

Until then you can install with

apk add --update curl

if it's missing

 

Thanks! Looks like today's update added curl. Can you also add GD? cURL and GD are the most used features and I'm surprised they were not included. In the meantime, I'll add gd manually. Thanks again!

 

Yeah, there are a whole lot of php modules out there. I personally host an html5 site and a bunch of reverse proxies so don't really use php at all.

 

If there are other modules that are commonly used and needed, let us know and we'll add them to this container.

 

I'll go ahead and add php5-gd

 

Thanks for adding GD. Will let you know if any other modules are needed but so far webpage is working great now!

I would like to donate some money to you as a thank you for adding them so quickly and helping me out

 

PM me your Paypal address. Thanks again!!

Share this post


Link to post

No need for a PM, address is here...  ;)

 

https://www.linuxserver.io/donations/

Share this post


Link to post

I would like to send it to him directly. Thanks

Share this post


Link to post

I recently joined the linuxserver team and this container was truly a team effort (still is). Feel free to donate to the team if you like. But I don't accept donations personally. Thanks

Share this post


Link to post

Trying to get Deluge and Transmission working...

 

CHBMB provided me a configuration, but it doesn't use .htpasswd, and when I tried to modify the script it 404.

Of course, the same setup doesn't work at all for Transmission.

 

#HTPC
server {
listen 443 ssl;
root /config/www;
index index.html index.htm index.php;
server_name htpc.*;
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers 
*****
ssl_prefer_server_ciphers on;
client_max_body_size 0;

#Muximux
location / {
	auth_basic "Restricted";
	auth_basic_user_file /config/nginx/.htpasswd;
	include /config/nginx/proxy.conf;
	proxy_pass http://192.168.1.1:38095;
}

#Sonarr
location ^~ /tv {
	auth_basic "Restricted";
	auth_basic_user_file /config/nginx/.htpasswd;
	include /config/nginx/proxy.conf;
	proxy_pass http://192.168.1.1:38082/tv;
}	

#Couchpotato
location ^~ /movies {
	auth_basic "Restricted";
	auth_basic_user_file /config/nginx/.htpasswd;
	include /config/nginx/proxy.conf;
	proxy_pass http://192.168.1.1:38083/movies;
}	

#Deluge
location ^~ /deluge {
	auth_basic "Restricted";
	auth_basic_user_file /config/nginx/.htpasswd;
	include /config/nginx/proxy.conf;
	proxy_pass http://192.168.1.1:38085; 
	proxy_set_header  X-Deluge-Base "/deluge/";
}	

#PlexPy
location ^~ /stats {
	auth_basic "Restricted";
	auth_basic_user_file /config/nginx/.htpasswd;
	include /config/nginx/proxy.conf;
	proxy_pass http://192.168.1.1:38090/stats;
}	

}

 

Sonarr, CP, and PlexPy work fine within Muximux, and at /address on their own.

 

Any ideas?

Share this post


Link to post

Deux, you can use .htpasswd with it.  I do myself.

 


 

 

Share this post


Link to post

Back to the VPN question.

 

The VPN itself works fine (using OpenVPN-AS), but there is a possibility to have a webpage where I can login and get my configuration files when required.

However, when I try to log in to it at vpn.example.com I get a "502 Bad Gateway".

 

Here is the setup:

server {
listen 443 ssl;
root /config/www;
index index.html index.htm index.php;
server_name vpn.*;
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers 
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
client_max_body_size 0;

location / {
	auth_basic off;
	include /config/nginx/proxy.conf;
	proxy_pass http://192.168.80.1:9443;
}
}

I TRIED WITH 943 SAME ISSUE

 

 

I'll post this in the OpenVPN-AS thread as well if it is determined that this isn't an NGINX issue.

 

Thanks y'all!

Share this post


Link to post

Security wise I think it's a bad idea.  Essentially you end up securing your VPN via a Nginx reverse proxy which kind of removes the point of a VPN in the first place which is to provide more security to access certain services on your LAN than you would get from a reverse proxy.

 


 

 

Share this post


Link to post

I'm not sure I follow.

 

I don't want VPN access through NGINX, I'm trying to get access to the OpenVPN-AS login page so that if I need to I can download the config file if I need it. If you go to the admin page you can set it up so that if you are outside your network you can only use the user login and not the admin one.

Share this post


Link to post

I could be wrong, but what I think the bald one was getting at was the "out of band" encryption issue. If you allow your secret key to be accessible through an externally available web page, you have just potentially weakened your VPN by allowing a hack that penetrated NGINX to also access your VPN secret key.

 

With any encryption scheme using a public / private key system, you should restrict access to the private key to the absolute minimum possible.

Share this post


Link to post

That's exactly what the bald one was thinking...

 


 

 

Share this post


Link to post

I'm being stupid sorry.

 

I still don't understand.

 

You're saying that giving access to the login page is a potential security hole?

Share this post


Link to post

Yes.  You want to give access to your OpenVPN key via a reverse proxy.  The weakest link in that chain is the reverse proxy.  Get through that and potentially they have access to your VPN. 

 


 

 

Share this post


Link to post

Just looking into this for future use.  How would I handle having multiple domains pointing to the same server?

 

Ex: My current nginx setup has 4 totally different domains, all coming in on the same ip/port then gets sorted out by nginx.

 

Is something like that possible with this container? (I'm 100% new to letsencrypt, only switching because of chrome/google no longer recognizing startssl)

Share this post


Link to post

That's possible with letsencrypt, but not this container. This container only supports one domain with multiple subdomains

Share this post


Link to post

Got them both working and with login requirement.

 

Thanks.

 

How did you end up getting Transmission to work?  Did you modify Transmission to support a sub-directory?  What did your Nginx config end up looking like?  Thanks!

Share this post


Link to post

Try this:

 

location /transmission/ {
    proxy_pass_header X-Transmission-Session-Id;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://10.1.1.3:9091/transmission/web/;
}

location /rpc {
    proxy_pass http://10.1.1.3:9091/transmission/rpc;
}

Share this post


Link to post

Managed to get myself completely confused here trying to set up a reverse proxy.

 

Have managed to get nginx set up and running and managed to configure the password security, but cannot for the life of me seem to set up the reverse proxy.

 

I have tried to use the examples in the default config file and also tried to copy over the ones from htpcguides but either way keep getting 502 bad gateway - I can't see what I am doing wrong! I have just spent 3 hours trying different options and am starting to feel like pulling my hair out!

 

I can get to the site fine using the base url which displays the index.html page.

 

Here is my config file:

 

# redirect all traffic to https
server {
listen 80;
server_name _;
return 301 https://$host$request_uri;
}

# main server block
server {
listen 443 ssl default_server;

root /config/www;
index index.html index.htm index.php;

server_name [removed].duckdns.org 192.168.1.28;

ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

client_max_body_size 0;

location / {
	try_files $uri $uri/ /index.html /index.php?$args =404;
}

location ~ \.php$ {
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	# With php5-cgi alone:
	fastcgi_pass 127.0.0.1:9000;
	# With php5-fpm:
	#fastcgi_pass unix:/var/run/php5-fpm.sock;
	fastcgi_index index.php;
	include /etc/nginx/fastcgi_params;
}

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
location ^~ /plexpy {
	auth_basic "Restricted";
	auth_basic_user_file /config/nginx/.htpasswd;
	include /config/nginx/proxy.conf;
	proxy_pass http://192.168.1.28:8181/;
}

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block
#server {
#	listen 443 ssl;
#
#	root /config/www;
#	index index.html index.htm index.php;
#
#	server_name cp.*;
#
#	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
#	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
#	ssl_dhparam /config/nginx/dhparams.pem;
#	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
#	ssl_prefer_server_ciphers on;
#
#	client_max_body_size 0;
#
#	location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
#		include /config/nginx/proxy.conf;
#		proxy_pass http://192.168.1.50:5050;
#	}
#}

Share this post


Link to post

You generated the .htpasswd file?

 

Some apps are more difficult than others, try this for plexpy

 

location /plexpy/ {
	proxy_pass http://192.168.1.28:8181;
	include /config/nginx/proxy.conf;
	proxy_bind $server_addr;
	proxy_set_header X-Forwarded-Host $server_name;
	proxy_set_header X-Forwarded-Ssl on;
	auth_basic "Restricted";
	auth_basic_user_file /config/.htpasswd;
}

Share this post


Link to post
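
What path the backend receives under each proxy_pass form posted in this thread, as an added example that is not part of any post. It models nginx's documented rule for prefix locations only (no regex locations, no rewrite); the function names and sample request paths are constructed for illustration.

```python
# Added example: models nginx's documented rule for the URI that proxy_pass
# sends upstream from a prefix location. Not code from any poster.
from urllib.parse import urlsplit


def upstream_uri(location_prefix: str, proxy_pass: str, request_uri: str) -> str:
    """Return the path nginx sends to the backend for a prefix location."""
    if not request_uri.startswith(location_prefix):
        raise ValueError("request does not match this location")
    # Everything after scheme://host:port is the "URI part" of proxy_pass.
    uri_part = urlsplit(proxy_pass).path
    if uri_part == "":
        # No URI part: the client's request URI is passed through unchanged.
        return request_uri
    # URI part present: the matched prefix is replaced by that URI part.
    return uri_part + request_uri[len(location_prefix):]


# (location prefix, proxy_pass value) pairs copied from configs in this thread.
THREAD_CASES = {
    "plexpy, as first posted": ("/plexpy", "http://192.168.1.28:8181/"),
    "plexpy, suggested": ("/plexpy/", "http://192.168.1.28:8181"),
    "sonarr": ("/sonarr", "http://192.168.1.28:8989/sonarr"),
    "deluge": ("/deluge", "http://192.168.1.28:8112/"),
    "transmission": ("/transmission/", "http://10.1.1.3:9091/transmission/web/"),
}


def show(case: str, request_uri: str) -> str:
    """Apply the rule to one of the thread's location/proxy_pass pairs."""
    prefix, target = THREAD_CASES[case]
    return upstream_uri(prefix, target, request_uri)


if __name__ == "__main__":
    for case, (prefix, _) in THREAD_CASES.items():
        sample = prefix.rstrip("/") + "/home"  # constructed sample request path
        print(f"{case:24} {sample:20} -> {show(case, sample)}")
```

A trailing slash on proxy_pass counts as a URI part, so it changes what the application sees; the backend's own base-URL setting has to agree with the path that arrives.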

Thanks for your help!

 

Sorry for being thick :)

 

Managed to get CouchPotato working using the default one and muximux as the homepage but can't seem to get other apps working

 

The apps I wanted were

 

Sonarr

PlexPy

PlexRequests

NetData

Deluge

 

I've tried the PlexPy command and am getting a 404 error, I think this might be down to my plexpy settings though

Share this post


Link to post

# Sonarr
# https://github.com/linuxserver/docker-sonarr
#
# Edit the settings and set 
# Url Base to /sonarr

location ^~ /sonarr {
    proxy_pass http://192.168.1.28:8989/sonarr;
    include /config/nginx/proxy.conf;
}

 

# PlexPy
# https://github.com/linuxserver/docker-plexpy
#
# Settings => Web Interface
# Change http root to /plexpy
#

location ^~ /plexpy/ {
    proxy_pass http://192.168.1.28:8181;
    include /config/nginx/proxy.conf;
    proxy_bind $server_addr;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Ssl     on;
}

 

# PlexRequests
# https://github.com/linuxserver/docker-plexrequests
#
# Run container with -e "URL_BASE"="/plexrequests"
#

location ^~ /requests {
    proxy_pass http://192.168.1.28:3000/requests;
    include /config/nginx/proxy.conf;
}

 

# Deluge
# https://github.com/linuxserver/docker-deluge
#
# No extra settings required
#

location ^~ /deluge {
    proxy_pass http://192.168.1.28:8112/;
    proxy_set_header  X-Deluge-Base "/deluge/";
    include /config/nginx/proxy.conf;
}

 

Netdata I've never heard of, you'll have to figure that one out yourself I'm afraid.

Share this post


Link to post
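
A small audit for configs like the ones in this thread, added here and not written by any poster: it lists proxied location blocks where no basic auth is in effect, such as the VPN block with auth_basic off and location blocks posted without an auth_basic line. The sample config is constructed from blocks in the thread, and the function name is hypothetical.

```python
import re

# Constructed sample: three location blocks copied from posts in this thread.
SAMPLE = """
server {
    listen 443 ssl;
    location ^~ /tv {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        proxy_pass http://192.168.1.1:38082/tv;
    }
    location ^~ /sonarr {
        proxy_pass http://192.168.1.28:8989/sonarr;
    }
    location / {
        auth_basic off;
        proxy_pass http://192.168.80.1:9443;
    }
}
"""

# Quoted strings, structural characters, or bare words.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')


def unauthenticated_proxies(conf):
    """List (location, upstream) pairs that are proxied with no auth_basic in effect.

    Simplifications: comments are stripped naively, and an enclosing block's
    auth_basic is only inherited if it appears before the nested location.
    """
    findings, stack, words = [], [], []
    for tok in TOKEN.findall(re.sub(r"#[^\n]*", "", conf)):
        if tok == "{":
            inherited = stack[-1]["auth"] if stack else False
            stack.append({"name": " ".join(words), "auth": inherited, "proxy": None})
        elif tok == ";" and stack and len(words) > 1:
            if words[0] == "auth_basic":
                stack[-1]["auth"] = words[1].strip("\"'") != "off"
            elif words[0] == "proxy_pass":
                stack[-1]["proxy"] = words[1]
        elif tok == "}" and stack:
            block = stack.pop()
            if block["name"].startswith("location") and block["proxy"] and not block["auth"]:
                findings.append((block["name"], block["proxy"]))
        if tok in ("{", "}", ";"):
            words = []
        else:
            words.append(tok)
    return findings


if __name__ == "__main__":
    for name, upstream in unauthenticated_proxies(SAMPLE):
        print(f"no basic auth: {name} -> {upstream}")
```

A finding is not automatically a problem, since the backend may enforce its own login, but it shows which upstreams depend on that alone.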

Perhaps you could include the relevant apache and nginx sample reverse proxy configs in the documentation of each of the containers? Maybe even in the overview section of the template?

Share this post


Link to post
