linuxserver.io

[Support] Linuxserver.io - Letsencrypt (Nginx)

Perhaps you could include the relevant apache and nginx sample reverse proxy configs in the documentation of each of the containers? Maybe even in the overview section of the template?

 

Stay tuned... where'd you think I got all them from so quick...  ;)


Thank you,

This community is amazing!

All up and running now :)

The last query I had was if I could set up multiple 'htpasswd' files.

I want the server to be encrypted but it would be good if I could allow access to plexrequests with a separate password; that way I could allow my users to make requests without giving them an overall admin logon which could be used to change settings etc.


IIRC plex requests links to a plex username. So probably best just to leave that without .htpasswd.

You can set up different .htpasswd files. But you need one per "group".


You can also add multiple user pass combos to the same htpasswd file
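
Added example, not from this thread or from the linuxserver.io container itself: a small POSIX shell script that keeps one htpasswd file per "group", as the two answers above describe, and prints the nginx location blocks that use them. It assumes the /config/nginx layout and proxy.conf from this thread, that openssl is available inside the container, and the user names, passwords and backend addresses in it are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): one htpasswd file per "group" and the
# nginx location blocks that reference them.
# Assumptions: /config/nginx layout and proxy.conf as in the thread, `openssl`
# present in the container; user names, passwords and backends are constructed.
set -eu

# add_htpasswd_user FILE USER PASSWORD
# Adds USER to FILE (replacing any existing entry) with an APR1-MD5 hash, a
# format nginx's auth_basic_user_file accepts on every build. The password is
# piped over stdin rather than passed as an argument so it is not visible in
# `ps` output. Note: USER is used as a grep pattern, so keep it to [A-Za-z0-9_-].
add_htpasswd_user() {
    file=$1 user=$2 pass=$3
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -stdin) || return 1
    [ -f "$file" ] || : > "$file"
    # keep every line except this user's (grep exits 1 when nothing is left)
    grep -v "^$user:" "$file" > "$file.tmp" || true
    printf '%s:%s\n' "$user" "$hash" >> "$file.tmp"
    mv "$file.tmp" "$file"
    chmod 640 "$file"   # nginx only needs read access; keep it out of /config/www
}

# count_users FILE -> number of user entries in FILE
count_users() {
    grep -c ':' "$1"
}

# auth_location PATH REALM FILE BACKEND
# Prints a location block guarded by its own user file and proxied to BACKEND.
auth_location() {
    printf 'location %s {\n' "$1"
    printf '    auth_basic "%s";\n' "$2"
    printf '    auth_basic_user_file %s;\n' "$3"
    printf '    include /config/nginx/proxy.conf;\n'
    printf '    proxy_pass http://%s;\n' "$4"
    printf '}\n'
}

# Demo: an "admin" group for the root location and a separate "requests" group,
# written to a temporary directory so the script is safe to run anywhere.
demo() {
    dir=$(mktemp -d)
    add_htpasswd_user "$dir/.htpasswd-admin"    admin   'constructed-admin-password'
    add_htpasswd_user "$dir/.htpasswd-requests" friend1 'constructed-password-1'
    add_htpasswd_user "$dir/.htpasswd-requests" friend2 'constructed-password-2'
    echo "admin users: $(count_users "$dir/.htpasswd-admin"), request users: $(count_users "$dir/.htpasswd-requests")"
    auth_location /         "Admin"    /config/nginx/.htpasswd-admin    192.168.0.1:8080
    auth_location /requests "Requests" /config/nginx/.htpasswd-requests 192.168.0.1:3000/requests
    rm -rf "$dir"
}

if [ "${HTPASSWD_DEMO:-0}" = 1 ]; then
    demo
fi
```

Run with `HTPASSWD_DEMO=1 sh htpasswd-groups.sh` to see the two location blocks; paste them inside the `server { ... }` block in default. Each location points at its own auth_basic_user_file, so the admin credentials never have to be handed out for /requests. SHA-512 crypt entries (`openssl passwd -6`) are also accepted where the container's libc crypt() supports them, but apr1 works with every nginx build.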


I converted from aptalca's Letsencrypt container over to this one today, thanks aptalca and the rest of LSIO for all your work on this!

A few questions:

1) In the old container, I could docker exec into it and run

nginx -t

to have it check the config. But in the new container I have to specify which config file to test:

nginx -c /config/nginx/nginx.conf -t

Is there any way to make this the default?

2) In the old container I could restart nginx with "service nginx restart". How do you restart nginx in the new container, without actually restarting the whole container?

3) In /etc/init.d/nginx, the pid is defined as /run/nginx/nginx.pid. I think that should be /run/nginx.pid? Hmm, when I try to exec that script it says:

/sbin/openrc-run: bad interpreter: No such file or directory

Is /etc/init.d/nginx even used then?

4) Since most people are using this for reverse proxy and not hosting a public website, it might make sense to drop a basic robots.txt file in the default www directory to keep search engines away:

User-agent: *
Disallow: /


1) Not that I know of. Old container used a lot of symlinks, which aren't ideal. New container defines files in place.

2) s6-svc -h /var/run/s6/services/nginx

3) Nginx is started by the s6 service manager. Check out the file /etc/services.d/nginx/run

4) Some people host public WordPress sites. We design for the lowest common denominator, but you can always put whatever you need in the www folder as the container doesn't touch that as long as it exists.
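
Added example, not from the thread or from the container's own scripts: a POSIX shell helper that runs the `nginx -c /config/nginx/nginx.conf -t` check from question 1 and only then sends the `s6-svc -h` reload from answer 2, and drops the robots.txt from question 4 into /config/www if there isn't one already. The paths are the ones given in the thread; NGINX_BIN and S6SVC_BIN are my own optional overrides for where the two binaries live.

```shell
#!/bin/sh
# Added example (not from the thread): test-then-reload wrapper for nginx inside
# the letsencrypt container, plus a deny-all robots.txt for the web root.
# Assumptions: paths as given in the thread; NGINX_BIN / S6SVC_BIN are optional
# overrides (defaults are the binaries on PATH inside the container).
NGINX_CONF=${NGINX_CONF:-/config/nginx/nginx.conf}
S6_SERVICE=${S6_SERVICE:-/var/run/s6/services/nginx}
WWW_ROOT=${WWW_ROOT:-/config/www}

# nginx_test: validate the container's config. -c is required because the
# binary's compiled-in default is not /config/nginx/nginx.conf in this image.
nginx_test() {
    "${NGINX_BIN:-nginx}" -c "$NGINX_CONF" -t
}

# nginx_reload_if_valid: graceful reload (SIGHUP via s6, no container restart)
# only when the test passes. Returns 2 and leaves the running, known-good
# config untouched otherwise, so a calling script cannot assume the change
# went live.
nginx_reload_if_valid() {
    if nginx_test >/dev/null 2>&1; then
        "${S6SVC_BIN:-s6-svc}" -h "$S6_SERVICE"
    else
        echo "nginx config test failed; not reloading" >&2
        return 2
    fi
}

# write_robots [DIR]: deny-all robots.txt, never overwriting one the user placed.
# Returns 0 if a robots.txt is present afterwards (written or pre-existing).
write_robots() {
    dir=${1:-$WWW_ROOT}
    if [ ! -e "$dir/robots.txt" ]; then
        printf 'User-agent: *\nDisallow: /\n' > "$dir/robots.txt"
    fi
    [ -f "$dir/robots.txt" ]
}

# Typical use inside the container after editing a site file:
#   . ./nginx-helper.sh && write_robots && nginx_reload_if_valid
```

nginx itself refuses a reload with a broken config and keeps serving the old one, but that failure only shows up in the error log; the wrapper turns it into a non-zero exit so a cron job or deploy script stops instead of assuming the new config is live. The robots.txt only keeps well-behaved crawlers away; it is not access control, which is what auth_basic or an IP allow-list in the location block is for.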


Hello everyone, first of all, I'd like to thank everyone for making this container. I do, however, have a problem. When I try to run it, it gives me an error in the logs.

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] still could not bind()
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)

This is going on indefinitely. I managed to set it up by killing the webgui process from the command line. I set up the network as host and forwarded the right ports but unless I kill the webgui I can't reach the webserver. When I set the network to bridge it does not give me the errors but I still can't reach the websites. I hope someone can help me.


Post your docker run command. You can't set the host port to 80 as that's the default port the Unraid webui uses; instead set it to 81 and then port forward 80 on your router to 81 on your Unraid machine.

And have you made any changes to any of the files that are in your appdata folder? I'm unclear if this is a fresh pull or trying to run a container you've already attempted to configure further.


Wow, thanks for the fast reply. I wasn't expecting this.

The command that unraid is doing is this (after I now changed the port to 81):

Command:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="host" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -e "TCP_PORT_81"="81" -e "EMAIL"="o.engelhardt@gmail.com" -e "URL"="oliverengelhardt.de" -e "SUBDOMAINS"="www," -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt
7b66d45a4077800d8590c2576907b3490a09d36ddb27bc3191233fa57ce73a7f

The command finished successfully!

It's a fresh pull. I have not yet touched anything in appdata. I made a screenshot of my config page:

[screenshot of the container config page, not reproduced]

It still appears to try to bind to port 80 though. The log is unchanged.


OK, map port 443 to 443 and make sure that you've got port forwards in your router to forward 81 ==> 80 and 443 ==>443


Ok, I have done that. It's still the same in the log. Still can't connect.

 

Got teamviewer? I got a spare ten minutes...


Oh my god,  I now set the network back to bridge and it works. I got no idea why, but it does. Thank you so much for your time though.


Begs the question why you set it to host?  Glad you got it working.  ;)


I don't really know :D


I admire the honesty of that answer..... lol  ;D


Just got this docker set up for my domain, real simple, thanks guys.

However, I have no experience with nginx (coming from Apache docker). Can someone point me to a good reference for how to configure this docker to redirect, say, my requests.domain.com to my PlexRequests docker?


Save this as requests in the same folder as default.

server {
    listen         80;
    server_name    requests.server.com;
    return         301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name requests.server.com;

    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://192.168.0.1:3000/;
    }
}

Alternatively, paste this into default to access plexrequests at server.com/requests (you will need to set the URLBASE to /requests):

location /requests {
    proxy_pass http://192.168.0.1:3000/requests;
    include /config/nginx/proxy.conf;
}

Obviously for both you'll need to change the IP address +/- port.


The second method works probably because I already had the URLBASE set for PlexRequests to /requests.  The first method gets me a 502 Bad Gateway.  I'm guessing this is because my URLBASE is set?


Yep

I've taken out my URLBASE for PlexRequests and confirmed it is now accessed via IP:3000 (no longer /requests). I've taken out any reference to mydomain.com/requests in 'default.' I've added a file named 'requests' in the same folder as default containing the following:

server {
    listen         80;
    server_name    requests.MYDOMAIN.COM;
    return         301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name requests.MYDOMAIN.COM;

    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://10.0.10.26:3000/;
    }
}

Still getting 502 Bad Gateway. Am I missing something in my config or placing the 'requests' file in the wrong location?

Got some logs? Docker container and the logs from the /config/logs folder?

Redact your domain name.

/config/logs folder is empty. Here is the container log:

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/index.php/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid:    1000
User gid:    1000
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are:  -d www.MYDOMAIN -d requests.MYDOMAIN
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Wed Dec 7 19:45:01 EST 2016
Running certbot renew

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/MYDOMAIN.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/MYDOMAIN/fullchain.pem (skipped)
No renewals were attempted.
2016-12-07 19:45:02,231 fail2ban.server         [258]: INFO    Starting Fail2ban v0.9.4
2016-12-07 19:45:02,231 fail2ban.server         [258]: INFO    Starting in daemon mode
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

EDIT: Found the issue. It was the httpS under location /. Had to remove the S.
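
Added example, not part of the thread: a POSIX shell function that classifies the upstream errors nginx writes to its error log when a proxied location answers 502, including the https-to-plain-http mistake found above (nginx tries a TLS handshake with a backend that replies in cleartext, which OpenSSL reports as "wrong version number"). The lines in SAMPLE_LOG are constructed, since the poster's /config/logs folder was empty, and the addresses and host names in them are made up.

```shell
#!/bin/sh
# Added example (not from the thread): triage nginx error-log lines behind a 502
# from a reverse-proxied location. SAMPLE_LOG is constructed; the upstream
# addresses and host names in it are made up.

# upstream_of LINE -> the upstream: "..." value from an nginx error line
upstream_of() {
    printf '%s\n' "$1" | sed -n 's/.*upstream: "\([^"]*\)".*/\1/p'
}

# diagnose_upstream_errors: reads an nginx error log on stdin and prints one
# "<class>: <explanation> (upstream: <addr>)" line per upstream-related error.
# Specific patterns come first; the generic "[error] ... upstream" case is last.
diagnose_upstream_errors() {
    while IFS= read -r line; do
        case $line in
            *"SSL handshaking to upstream"*|*"wrong version number"*)
                kind="scheme-mismatch"
                why="nginx is speaking TLS to an upstream that answers plain HTTP; use proxy_pass http:// or enable TLS on the backend" ;;
            *"connect() failed (111: Connection refused)"*)
                kind="backend-down"
                why="nothing is listening at the upstream address; check the container is up and the host:port in proxy_pass" ;;
            *"could not be resolved"*|*"no resolver defined"*)
                kind="dns"
                why="upstream hostname cannot be resolved inside the container; use an IP or add a resolver directive" ;;
            *"upstream timed out"*)
                kind="timeout"
                why="upstream accepted the connection but did not answer within proxy_read_timeout" ;;
            *"[error]"*"upstream"*)
                kind="other-upstream-error"
                why="see the error text" ;;
            *) continue ;;
        esac
        printf '%s: %s (upstream: %s)\n' "$kind" "$why" "$(upstream_of "$line")"
    done
}

# Constructed sample: line 1 is what nginx logs when proxy_pass says https://
# but the backend only speaks HTTP; line 2 is a wrong port; line 3 is noise.
SAMPLE_LOG='2016/12/07 20:01:13 [error] 312#312: *5 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.0.10.5, server: requests.example.com, request: "GET / HTTP/1.1", upstream: "https://10.0.10.26:3000/", host: "requests.example.com"
2016/12/07 20:02:40 [error] 312#312: *7 connect() failed (111: Connection refused) while connecting to upstream, client: 10.0.10.5, server: requests.example.com, request: "GET / HTTP/1.1", upstream: "http://10.0.10.26:3001/", host: "requests.example.com"
2016/12/07 20:02:41 [notice] 1#1: signal 1 (SIGHUP) received, reconfiguring'

# Stand-alone run: diagnose the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | diagnose_upstream_errors
```

In the container, pipe whatever nginx error log ends up under /config/logs through `diagnose_upstream_errors` instead of the sample. The scheme-mismatch class is the one from this thread: nginx returned 502 and the fix was changing `proxy_pass https://...` to `http://`, which the error line makes obvious in seconds rather than after a round of config guessing.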


Just got home from work and was going to look at this, so glad you've sorted it.


Are there any guides or tutorials around on how to have Letsencrypt interact with my other dockers on unraid?

I understand the general concept behind Letsencrypt, but I'm not sure what files need to be modified, and how to modify these files.

My current setup is your standard dynamic IP address provided by my ISP. I have this tracked by duckdns so I can associate the IP with the static name. I'd like to be able to attach to all of my different dockers through https:

https://insertname.duckdns.org:2020 - Docker 1c
https://insertname.duckdns.org:3030 - Docker 2
https://insertname.duckdns.org:4040 - Docker 3

A few of the dockers I run now are:

crashplan
owncloud
plex
plexpy
plexrequests
couchpotato
sonarr

Any fingers to point me in the right direction would be greatly appreciated :)

 
