[Support] Linuxserver.io - Letsencrypt (Nginx)

On 4/7/2020 at 12:08 PM, drsparks68 said:

Hello all,

I am trying to configure f2b for permanent bans.

I have started the container with "--cap-add=NET_ADMIN" and have set the bantime to "-1" for each jail (as noted under "Jail Options" at https://www.fail2ban.org/wiki/index.php/MANUAL_0_8).

I am able to see IPs being detected:

2020-03-30 22:04:20,572 fail2ban.filter         [392]: INFO    [nginx-botsearch] Found 148.72.207.250 - 2020-03-30 22:04:20

2020-03-31 06:46:10,028 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 34.76.172.157 - 2020-03-31 06:46:09
2020-03-31 09:29:25,455 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 128.199.254.23 - 2020-03-31 09:29:25
2020-03-31 11:38:48,885 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 103.5.150.16 - 2020-03-31 11:38:48

 

But I'm not seeing those in the persistent DB (fail2ban.sqlite3):

[screenshot]

Curious if I'm missing something that is preventing this from working.

Thanks in advance,

D

Now it seems that Fail2Ban isn't working at all... or at least none of the default jails flagged this traffic and banned the source IP (and there were over 600 lines of it in the NGINX access.log):

[screenshot]

[screenshot]

 

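Worth keeping apart when reading a fail2ban log like the one above: a "Found" line from fail2ban.filter is only a filter match. A ban (and a row in the sqlite bans table) happens when one IP accumulates maxretry matches within findtime, and fail2ban.actions then writes a NOTICE "Ban" line. The script below is an added example, not part of this thread or of the linuxserver image; it replays such a log against those two knobs and lists IPs that crossed the threshold without a Ban line, which is where a missing NET_ADMIN capability or a broken action would show up. The four "Found" lines are the ones quoted in the post; the 198.51.100.7 entries and the Ban line are constructed, and maxretry=5 / findtime=10m are fail2ban's upstream defaults, which the container's jail.local may override (check it).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the original post): the four sparse
# nginx-botsearch matches quoted in the thread, plus one constructed IP that
# trips the jail and the NOTICE line fail2ban writes when it actually bans.
SAMPLE_LOG = """\
2020-03-30 22:04:20,572 fail2ban.filter         [392]: INFO    [nginx-botsearch] Found 148.72.207.250 - 2020-03-30 22:04:20
2020-03-31 06:46:10,028 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 34.76.172.157 - 2020-03-31 06:46:09
2020-03-31 09:29:25,455 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 128.199.254.23 - 2020-03-31 09:29:25
2020-03-31 11:38:48,885 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 103.5.150.16 - 2020-03-31 11:38:48
2020-03-31 12:00:01,000 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 198.51.100.7 - 2020-03-31 12:00:01
2020-03-31 12:00:02,000 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 198.51.100.7 - 2020-03-31 12:00:02
2020-03-31 12:00:03,000 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 198.51.100.7 - 2020-03-31 12:00:03
2020-03-31 12:00:04,000 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 198.51.100.7 - 2020-03-31 12:00:04
2020-03-31 12:00:05,000 fail2ban.filter         [386]: INFO    [nginx-botsearch] Found 198.51.100.7 - 2020-03-31 12:00:05
2020-03-31 12:00:05,100 fail2ban.actions        [386]: NOTICE  [nginx-botsearch] Ban 198.51.100.7
"""

# One fail2ban log line: timestamp, component, pid, level, [jail], event, ip.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ "
    r"fail2ban\.(?P<component>\w+)\s+\[\d+\]: (?P<level>\w+)\s+"
    r"\[(?P<jail>[^\]]+)\] (?P<event>Found|Ban|Unban) (?P<ip>\S+)"
)


def parse_events(log_text):
    """Yield (timestamp, jail, event, ip) for every Found/Ban/Unban line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["jail"], m["event"], m["ip"]


def triage(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Replay filter matches against the jail's maxretry/findtime rule and
    compare with the bans fail2ban actually logged.

    maxretry=5 and findtime=10m are fail2ban's upstream defaults; the
    container's jail.local may override them (assumption: check it).
    Returns {(jail, ip): {"matches", "reached_maxretry", "ban_logged"}}.
    """
    totals = defaultdict(int)        # all Found lines per (jail, ip)
    window = defaultdict(list)       # Found timestamps inside findtime
    reached = set()
    banned = set()
    for ts, jail, event, ip in parse_events(log_text):
        key = (jail, ip)
        if event == "Found":
            totals[key] += 1
            # slide the window: keep only matches within findtime of this one
            window[key] = [t for t in window[key] if ts - t <= findtime] + [ts]
            if len(window[key]) >= maxretry:
                reached.add(key)
        elif event == "Ban":
            banned.add(key)
    return {
        key: {
            "matches": totals[key],
            "reached_maxretry": key in reached,
            "ban_logged": key in banned,
        }
        for key in totals
    }


def missing_bans(report):
    """IPs that crossed maxretry but never got a Ban line: the jail's action
    (iptables, which needs NET_ADMIN) is the thing to check, not the filter."""
    return sorted(k for k, v in report.items()
                  if v["reached_maxretry"] and not v["ban_logged"])


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for (jail, ip), v in sorted(rep.items()):
        print(f"{jail:16} {ip:16} found={v['matches']} "
              f"reached_maxretry={v['reached_maxretry']} ban_logged={v['ban_logged']}")
    print("reached maxretry but never banned:", missing_bans(rep))
```

Run it against /config/log/fail2ban/fail2ban.log from the container. Four matches from four different IPs spread over a day never reach maxretry under the default window, so no Ban line and no sqlite row is the expected outcome; an IP that shows up under "reached maxretry but never banned" is the one to chase.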
5 hours ago, STEFAN1987 said:

Hi, can anyone help me figure out how to get past this error?

 

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=serverjohn.com
SUBDOMAINS=deluge,duplicati,grafana,jacket,lidarr,netdata,nextcloud,ombi,plex,radarr,sonarr,tautulli,unraid,www
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=4096
VALIDATION=http
DNSPLUGIN=
EMAIL=@serverjohn.com
STAGING=

DH parameters bit setting changed. Deleting old dhparams file.
Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed
Generating DH parameters, 4096 bit long safe prime, generator 2
This is going to take a long time
[openssl DH parameter generation progress output omitted]
DH parameters successfully created - 4096 bits
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d deluge.serverjohn.com -d duplicati.serverjohn.com -d grafana.serverjohn.com -d jacket.serverjohn.com -d lidarr.serverjohn.com -d netdata.serverjohn.com -d nextcloud.serverjohn.com -d ombi.serverjohn.com -d plex.serverjohn.com -d radarr.serverjohn.com -d sonarr.serverjohn.com -d tautulli.serverjohn.com -d unraid.serverjohn.com -d www.serverjohn.com
E-mail address entered: stefan@serverjohn.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for deluge.serverjohn.com
http-01 challenge for duplicati.serverjohn.com
http-01 challenge for grafana.serverjohn.com
http-01 challenge for jacket.serverjohn.com
http-01 challenge for lidarr.serverjohn.com
http-01 challenge for netdata.serverjohn.com
http-01 challenge for nextcloud.serverjohn.com
http-01 challenge for ombi.serverjohn.com
http-01 challenge for plex.serverjohn.com
http-01 challenge for radarr.serverjohn.com
http-01 challenge for serverjohn.com
http-01 challenge for sonarr.serverjohn.com
http-01 challenge for tautulli.serverjohn.com
http-01 challenge for unraid.serverjohn.com
http-01 challenge for www.serverjohn.com
Waiting for verification...
Challenge failed for domain deluge.serverjohn.com
Challenge failed for domain duplicati.serverjohn.com
Challenge failed for domain grafana.serverjohn.com
Challenge failed for domain jacket.serverjohn.com
Challenge failed for domain lidarr.serverjohn.com
Challenge failed for domain netdata.serverjohn.com
Challenge failed for domain nextcloud.serverjohn.com
Challenge failed for domain ombi.serverjohn.com
Challenge failed for domain plex.serverjohn.com
Challenge failed for domain radarr.serverjohn.com
Challenge failed for domain serverjohn.com
Challenge failed for domain sonarr.serverjohn.com
Challenge failed for domain tautulli.serverjohn.com
Challenge failed for domain unraid.serverjohn.com
Challenge failed for domain www.serverjohn.com
http-01 challenge for deluge.serverjohn.com
http-01 challenge for duplicati.serverjohn.com
http-01 challenge for grafana.serverjohn.com
http-01 challenge for jacket.serverjohn.com
http-01 challenge for lidarr.serverjohn.com
http-01 challenge for netdata.serverjohn.com
http-01 challenge for nextcloud.serverjohn.com
http-01 challenge for ombi.serverjohn.com
http-01 challenge for plex.serverjohn.com
http-01 challenge for radarr.serverjohn.com
http-01 challenge for serverjohn.com
http-01 challenge for sonarr.serverjohn.com
http-01 challenge for tautulli.serverjohn.com
http-01 challenge for unraid.serverjohn.com
http-01 challenge for www.serverjohn.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: deluge.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://deluge.serverjohn.com/.well-known/acme-challenge/8E4H5IDuYFjxlRZ7FL86Xdzaf_Vk-3Up0zTw1CyTDS8
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: duplicati.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://duplicati.serverjohn.com/.well-known/acme-challenge/lQLmdIzX8m3WM0tx24HXfVKGORWtOlBMVmB93ncP61g
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: grafana.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://grafana.serverjohn.com/.well-known/acme-challenge/CcXRaYWrjNHyPlleeYmJM1rtVNhg1czIZH6O4bQiXDg
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: jacket.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://jacket.serverjohn.com/.well-known/acme-challenge/2H2wGqtkdmkSZErQ5SUDJH3OA0K2EJUMYKKC9L45VkA
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: lidarr.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://lidarr.serverjohn.com/.well-known/acme-challenge/xBL_PgEnSbp9XrFS5mJKP3IEn2eUp96uMaXk8RnkykM
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: netdata.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://netdata.serverjohn.com/.well-known/acme-challenge/6EOzYpleuHVzQ7LrXNOMn6aN_KrOa_3butIiwsfWDd0
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: nextcloud.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://nextcloud.serverjohn.com/.well-known/acme-challenge/ik2SU9PAfQtcfvBqUByD14HQQ4skGLmB_7_MDFuY6-A
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: ombi.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://ombi.serverjohn.com/.well-known/acme-challenge/rtjrqFCDHlOXNfjmLQo1QlTERbeNTFHkLhqTlREsEA0
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: plex.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://plex.serverjohn.com/.well-known/acme-challenge/BID2vNE7WmlcDwO3JwQ0PNhhWjDWrMBUSxXhEUTD9EY
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: radarr.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://radarr.serverjohn.com/.well-known/acme-challenge/c4iFeq_CYWokLiWtGofA292kDGu5HrgyliJEBOH3V9o
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://serverjohn.com/.well-known/acme-challenge/_J2wAH3GZxcEfrC3GlE7fk1pHxXYLgDOOfNYUYpY7jg
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: sonarr.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://sonarr.serverjohn.com/.well-known/acme-challenge/v3mVCVA_UJ5avFqcpSVIGRLhzMt_uGyuhRcV2m-srkA
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: tautulli.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://tautulli.serverjohn.com/.well-known/acme-challenge/A1xvnyKmyR9_x76KwOR3zWOnE6Hhdrvevq5IK0HUMW4
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: unraid.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://unraid.serverjohn.com/.well-known/acme-challenge/UrtTqcVJ0QpFaaPTytbLU6OBRyQZ4VUFkbn2Ijlx7Pw
[2606:4700:3035::681c:1611]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Domain: www.serverjohn.com
Type: unauthorized
Detail: Invalid response from
http://www.serverjohn.com/.well-known/acme-challenge/VBomGHuZb9CQGQpDMKkYlqChznPbdsnbh4yJ0OT_b2U
[2606:4700:3037::681c:1711]: "<html>\r\n<head><title>404 Not
Found</title></head>\r\n<body>\r\n<center><h1>404 Not
Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

[screenshot: Cloudflare DNS]

Port forwarding issue
6 hours ago, casperse said:

Oh, didn't see that, thanks!

Would I still be able to use subdomains for other Dockers under this top domain?

The current version supports multiple domains like: domain1, domain2

Adding any subdomain to this in the configuration would then create certs for these subdomains under both domains, correct?

Is it problematic to also change Nextcloud to its own domain instead of using a subdomain?

(Have read many posts in this thread about Nextcloud, and that a subdomain is the way to get it working, not one about using a main domain.)

Again, thanks for your help! Much appreciated.

Sure you can. But you gotta read up and understand nginx configs. Server blocks are for matching and defining domains and subdomains, and location blocks are for URI (subfolder and rest).

17 hours ago, aptalca said:

Sure you can. But you gotta read up and understand nginx configs. Server blocks are for matching and defining domains and subdomains, and location blocks are for URI (subfolder and rest).

 

I have been reading! And thanks to you and this very long thread I am almost there.

Exercise "Setup Ombi with main domain":

0) Confirm in the log that Letsencrypt gets certificates for everything

1) Change Docker to use custom Proxynet (Networktype)
2) Use template heimdall.subfolder.conf.sample and add your docker name (in this case: ombi)

   rename it "ombi.subfolder.conf"

\rootshare\appdata\letsencrypt\nginx\proxy-confs\ombi.subfolder.conf

location / {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
    #auth_request /auth;
    #error_page 401 =200 /login;

    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_app ombi;
    set $upstream_port 443;
    set $upstream_proto https;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;

}

3) Comment out location / in:

appdata\letsencrypt\nginx\site-confs\default

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _; <--- Add my domains here?

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    client_max_body_size 0;

#    location / {
#        try_files $uri $uri/ /index.html /index.php?$args =404;
#    }
 
     location ~ \.php$ {
         fastcgi_split_path_info ^(.+\.php)(/.+)$;
         fastcgi_pass 127.0.0.1:9000;
         fastcgi_index index.php;
         include /etc/nginx/fastcgi_params;
     }


4) Port setup on Docker: it's the proxy that forwards port 443 -> the Dockers.
   And it looks like it gets the port from the Docker itself: "proxy_pass $upstream_proto://$upstream_app:$upstream_port;"
   So not sure if I need to specify the Ombi port 3579 somewhere.

   But where do I specify which main domain "1" should be used for Ombi?
   This should be in the # main server block in the default file above, right?

   server_name domain1;
   server_name domain2;

5) I also found this: "Add your domain name to the trusted domains array?" (Don't know what that's about.)

I apologize for not figuring this out myself - I have spent a lot of time on trial & error.

Most guides on Google use Linux and command lines, not these very nice configuration files.

Edited by casperse

1 hour ago, casperse said:

4) Port setup on Docker: it's the proxy that forwards port 443 -> the Dockers.
   And it looks like it gets the port from the Docker itself: "proxy_pass $upstream_proto://$upstream_app:$upstream_port;"
   So not sure if I need to specify the Ombi port 3579 somewhere.

$upstream_port is defined two lines above

5 hours ago, aptalca said:

$upstream_port is defined two lines above

Yes, it's defined in "ombi.subfolder.conf" and I left it at the default, like in the Nextcloud (subdomain) conf video setup, at the default port 443:

set $upstream_port 443; right? (I tried changing it to 3579; makes no difference.)

Just thought that I would need some configuration "link" between the two dockers and the 2 domains:

domain_1 --> ombi IP:3579

[screenshot]

(I am waiting with domain_2 until I have cracked the first main domain: domain_2 --> nextcloud IP (PHP config.php))

Getting the subdomain working was so simple; would it be better and easier to set up DNS verification instead, using a wildcard SSL certificate?

The cert is working for both main and subdomains, so I guess it doesn't really matter.

Update: I also found this guide - https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/#usingheimdallasthehomepageatdomainroot

And it's exactly like you told me, can't see any errors - but for some reason it doesn't work... must be missing something.

Edited by casperse


Anyone got Plex to work with the reverse proxy?

I tried the sample config but get a bad gateway, and my Plex account does not find the server.
Tried with both the "bridge" and the custom-made "proxynet" networks.


For the last two posters:

502 means letsencrypt can't reach the other service at the address and port defined.

FYI, 443 is not the correct port for Ombi. Also, Ombi does not use https, it's http.

35 minutes ago, aptalca said:

FYI, 443 is not the correct port for Ombi. Also, Ombi does not use https, it's http.

 

Damn, it was right in front of me! Missed that it doesn't use https! (I did try swapping ports.)

I think I understand how it works now!

So if I copy the Heimdall template to use with Nextcloud

Then how do I set the right domain to point to each?

Domain_1 --> Ombi (THIS WORKS NOW! :-)

Domain_2 --> Nextcloud

I can't see how Letsencrypt can tell which domain should point to each specific docker?

Thanks again! This is awesome!

 

2 hours ago, casperse said:

I can't see how Letsencrypt can tell which domain should point to each specific docker?

Server name directive.

 

Create a new subdomain conf for the new server name

Edited by aptalca

On 4/11/2020 at 3:19 AM, aptalca said:

Server name directive.

 

Create a new subdomain conf for the new server name

So again copying the sample from heimdall.subfolder.conf.sample and creating "nextcloud.subfolder.conf":

Quote

# In order to use this location block you need to edit the default file one folder up and comment out the / location

location / {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
    #auth_request /auth;
    #error_page 401 =200 /login;

    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_app nextcloud;
    set $upstream_port 443;
    set $upstream_proto https;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;

}

Then adding the two servers to the appdata\letsencrypt\nginx\site-confs\default conf

(Removing the two lines for the htpasswd in the example below)

#  auth_basic "Restricted";
#  auth_basic_user_file /config/nginx/.htpasswd;

 

Quote

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /config/www;
    index index.html index.htm index.php;

    server_name domain_1;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        # auth_basic "Restricted";
        # auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.6:3579;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /config/www;
    index index.html index.htm index.php;

    server_name domain_2;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        # auth_basic "Restricted";
        # auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.6:443;
    }
}

Then of course updating the Nextcloud PHP configuration to the domain and not the subdomain.

I have been reading your old posts today :-)

Did I forget something?

Would subdomains still work? bitwarden.domain_2

Or would I need to define them as servers also?

Update: Adding a domain should be like this, right?

[screenshot]

I thought I had made some A record wrong, but if I just enter one domain it works; if I add more domains I get this error:

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

On page 167 I found a note about creating this extra field for more domains?

But it talks about subdomains? Would I be able to do as shown below?

[screenshot]

Edited by casperse

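The "server name directive" answer above, as an added nginx example; this is not the container's shipped default file and not either of the posted confs. Two things the posted setup runs into: every *.subfolder.conf that defines location / is included into the single default server block, so an ombi.subfolder.conf and a nextcloud.subfolder.conf together hand nginx a duplicate location / and it refuses the config (nginx -t inside the container shows it); and Ombi listens on plain HTTP 3579 while the linuxserver Nextcloud image serves HTTPS on 443, which is why its subdomain sample uses 443/https. domain_1 and domain_2 are placeholders for the two real apex names; the containers are assumed to be named ombi and nextcloud and to sit on the same user-defined Docker network as the letsencrypt container, so Docker's embedded DNS at 127.0.0.11 resolves them.

```nginx
# Added example: one server block per public hostname, selected by server_name.
# Not the image's default file or a posted conf. domain_1 / domain_2 are
# placeholders; container names "ombi" and "nextcloud" on a shared user-defined
# Docker network are assumed.

# domain_1 -> Ombi. Ombi speaks plain HTTP on 3579.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name domain_1;

    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app ombi;
        set $upstream_port 3579;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

# domain_2 -> Nextcloud. The linuxserver Nextcloud image serves HTTPS on 443,
# so the proxy talks TLS to it, exactly as nextcloud.subdomain.conf.sample does.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name domain_2;

    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app nextcloud;
        set $upstream_port 443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

# Anything whose Host matches no server_name above (bitwarden.domain_2 before a
# bitwarden.subdomain.conf exists, a bare IP, a scanner's bogus Host header)
# lands on the block marked default_server, which in the shipped default file
# is the "server_name _;" block. Keep that block a plain landing page rather
# than letting it proxy into an application.
```

Save these as proxy-confs/ombi.subdomain.conf and proxy-confs/nextcloud.subdomain.conf (the default file already includes *.subdomain.conf at its end), delete the two *.subfolder.conf copies, and run nginx -t before reloading. Subdomains keep working only where a block names them: bitwarden.domain_2 needs its own server block (a bitwarden.subdomain.conf with server_name bitwarden.*;) and a certificate that covers it. The "trusted domains array" from the earlier question is Nextcloud's trusted_domains list in its config.php; Nextcloud refuses requests for hostnames not listed there, so domain_2 has to be added to it once it moves off the subdomain.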

@aptalca, after digging around further, I stumbled on some resources for setting up the stream module (e.g., https://www.nginx.com/blog/tcp-load-balancing-udp-load-balancing-nginx-tips-tricks/). However, I still haven't been able to get it up and running, mainly because I'm not sure what the proxy-conf file should look like for a docker needing to utilize the stream module.

I added the following to my nginx.conf (previously it was the default nginx.conf that comes with the letsencrypt docker):

http {
    # default stuff
}

stream {
    upstream stream_backend {
        # 10.20.30.222:5432 is the postgres docker address that is functioning on the local network
        server 10.20.30.222:5432;
    }
    server {
        listen 5432;
        proxy_pass stream_backend;
    }
}

I tried many variations of "postgres.subdomain.conf" files, however none of them worked. My naive thinking is that nginx would be taking traffic from 443 and the stream module would somehow map that to a local address as if the remote location was inside the local network (10.20.30.222:5432 in this case). So, I expected it to look something like the below code. Attempting to connect remotely with pgadmin4 requires a hostname and a specified port. If I pass "5432" I get "Unable to connect to server: timeout expired" and passing port "443" gives me "Unable to connect to server: received invalid response to SSL negotiation: H" (this one is probably not surprising). 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name postgres.*;

    include /config/nginx/ssl.conf;
    proxy_redirect off;
    proxy_buffering off;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        # TCP traffic should be forwarded to the "stream_backend" upstream group
        set $upstream_postgres stream_backend;
        proxy_pass http://$upstream_postgres;
    }
}

I don't understand how to tell nginx to take in an address like "postgres.mydomain.com" and resolve that as if it were localhost:5432 on my local network.

I really appreciate any guidance! I'm excited to learn how the stream module works, because I think it will open up a lot of new potential for my server. Thanks!

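A plain TCP stream configuration for this case, added here as an illustration; it is not code from the post or from the linuxserver image. It keeps the poster's upstream 10.20.30.222:5432; the listen port, the allowed client ranges and the timeout values are assumptions. What it demonstrates is that the stream module works below HTTP: there is no Host header or URL for nginx to route on, so a `.subdomain.conf` inside the http{} block cannot carry PostgreSQL traffic at all. The name postgres.mydomain.com only has to resolve to the public IP; the stream port has to be published on the container and forwarded at the router. The listener must not have `ssl` on it, because libpq opens the connection in the clear and only then asks the server to switch to TLS (the SSLRequest message), so a TLS-terminating nginx would reject the first bytes; encryption stays end-to-end between the client and PostgreSQL, with ssl enabled on the PostgreSQL side and sslmode=require in the client.

```nginx
# Added example, not from the post or the linuxserver image.
# Goes at the top level of /config/nginx/nginx.conf, next to http { ... }:
# stream { } is a sibling of http { }, never nested inside it.

stream {
    upstream postgres_backend {
        # PostgreSQL container on the LAN, as in the post
        server 10.20.30.222:5432;
    }

    server {
        # Dedicated port (assumption). It must also be published on the
        # letsencrypt container (-p 5432:5432) and forwarded by the router;
        # 443 stays with the http {} block.
        listen 5432;

        # No "ssl" on this listener: libpq negotiates TLS itself after an
        # initial cleartext SSLRequest, so nginx only relays bytes and the
        # TLS session is end-to-end between the client and PostgreSQL.

        # Limit who may reach the database port at all (assumed ranges:
        # the LAN and a VPN subnet). Every other source is refused.
        allow 192.168.0.0/24;
        allow 10.8.0.0/24;
        deny all;

        proxy_connect_timeout 5s;   # give up quickly if PostgreSQL is down
        proxy_timeout 10m;          # idle timeout for an open session
        proxy_pass postgres_backend;
    }
}
```

With this in place a client connects to postgres.mydomain.com on port 5432 exactly as it would to the database directly; the only things nginx adds are the source-address filter and the timeouts.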
On 4/11/2020 at 3:19 AM, aptalca said:

Server name directive.

Create a new subdomain conf for the new server name

Ok I have almost read through the entire thread and on page 167 I found the missing parameter to insert the extra domain names! LOL

I now have 3 domains added and getting certificates!

Domain_1 --> Nextcloud (OK)
Domain_2 --> Ombi (Not working)
sub-domain.Domain_2 (OK)
sub-domain.Domain_3 (OK)

But I still can't get the two main domains to co-exist...

I know it's how I add the two servers to the default conf?

I have created the two main domains from the Heimdall.subfolder.conf.sample and created:

"nextcloud.subfolder.conf"
"ombi.subfolder.conf"

I just need some help on how to define the servers in the appdata\letsencrypt\nginx\site-confs\defaults (conf)

My addition in yellow:

## Version 2020/03/05 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    client_max_body_size 0;

#    location / {
#        try_files $uri $uri/ /index.html /index.php?$args =404;
#    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }


}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /config/www;
    index index.html index.htm index.php;

    server_name DOMAIN_Ombi;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        # auth_basic "Restricted";
        # auth_basic_user_file /config/nginx/.htpasswd;

        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.6:3579;
    }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    root /config/www;
    index index.html index.htm index.php;

    server_name DOMAIN_Nextcloud;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        # auth_basic "Restricted";
        # auth_basic_user_file /config/nginx/.htpasswd;

        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.6:443;
    }
}

Posted (edited)
3 hours ago, casperse said:

Ok I have almost read through the entire thread and on page 167 I found the missing parameter to insert the extra domain names! LOL

I now have 3 domains added and getting certificates!

Domain_1 --> Nextcloud (OK)
Domain_2 --> Ombi (Not working)
sub-domain.Domain_2 (OK)
sub-domain.Domain_3 (OK)

But I still can't get the two main domains to co-exist...

I know it's how I add the two servers to the default conf?

I have created the two main domains from the Heimdall.subfolder.conf.sample and created:

"nextcloud.subfolder.conf"
"ombi.subfolder.conf"

I just need some help on how to define the servers in the appdata\letsencrypt\nginx\site-confs\defaults (conf)

My addition in yellow

The heimdall subfolder method is only for setting the homepage of the main domain. You don't need to do that for the homepage of a secondary domain because it is not already set up.

For ombi as the homepage of the second domain, just use the ombi subdomain conf, and edit the server name to read "seconddomain.com"

Edited by aptalca
Posted (edited)
4 hours ago, aptalca said:

The heimdall subfolder method is only for setting the homepage of the main domain. You don't need to do that for the homepage of a secondary domain because it is not already set up.

For ombi as the homepage of the second domain, just use the ombi subdomain conf, and edit the server name to read "seconddomain.com"

Perfect, that did it! So NO need to change anything in the default conf for the "# main server block"? I thought you said that was needed?

Are there any security implications? I can see that any subdomain I can think of will now always point to domain_1:

anything*.domain_1
anything*.domain_2
anything*.domain_3

all --> will point to the domain set for the "Heimdall subfolder sample", which was for domain_1 (Nextcloud)

Normally I guess you would get a "This site can't be reached"

Or is this because each domain has an A record and a CNAME *.domain1 -> A record? So Letsencrypt just forwards everything to domain_1?

I have been playing with this all day :-) hoping to remove my old Synology setup

[UPDATE]: Nextcloud works but can't connect to the iOS app. Switching Nextcloud to Domain_2 and using Domain_1 with Emby resolved that. Nextcloud wants the sample file for the subdomain, not the subfolder?

Everything seems to work!

But I am getting a lot of Unraid log errors?

I can see that the IP is from my laptop that I used to test with

Apr 12 20:52:59 SERVER nginx: 2020/04/12 20:52:59 [error] 10389#10389: *34579 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:01 SERVER nginx: 2020/04/12 20:53:01 [error] 10389#10389: *34593 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:02 SERVER nginx: 2020/04/12 20:53:02 [error] 10389#10389: *34599 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:03 SERVER nginx: 2020/04/12 20:53:03 [error] 10389#10389: *34604 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:03 SERVER nginx: 2020/04/12 20:53:03 [error] 10389#10389: *34607 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:03 SERVER nginx: 2020/04/12 20:53:03 [error] 10389#10389: *34612 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:03 SERVER nginx: 2020/04/12 20:53:03 [error] 10389#10389: *34615 recv() failed (104: Connection reset by peer) while reading upstream, client: 192.168.0.34, server: , request: "GET //wsproxy/5700/ HTTP/1.1", upstream: "http://127.0.0.1:5700/", host: "192.168.0.6"
Apr 12 20:53:04 SERVER nginx: 2020/04/12 20:53:04 [error] 10389#10389: *34618 recv() failed (104: Connection reset by peer) while reading upstre
Apr 12 21:59:13 SERVER nginx: 2020/04/12 21:59:13 [error] 10389#10389: *56034 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 127.0.0.1, server: , request: "GET /admin/api.php?version HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "127.0.0.1"
Apr 12 21:59:13 SERVER nginx: 2020/04/12 21:59:13 [error] 10389#10389: *56036 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: ::1, server: , request: "GET /admin/api.php?version HTTP/1.1", upstream: "fastcgi://unix:/var/run/php5-fpm.sock:", host: "localhost"

Edited by casperse

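A worked version of aptalca's suggestion together with the catch-all question above, added here as an illustration; it is not code from the thread or from the linuxserver image. The names seconddomain.com and firstdomain.com and the container name ombi are placeholders; port 3579 is the Ombi port from casperse's post. nginx picks a server block by matching the requested name (SNI, then Host) against each block's server_name; only when nothing matches does the default_server block on that listen port take the request. That is why every made-up subdomain currently lands on the block meant for domain_1: it is the default_server and its server_name is the catch-all `_`. Giving the main block an explicit server_name and moving default_server to a block that closes the connection makes unmatched names fail instead of reaching a service. There can be only one default_server per listen address and port, so the flag has to come off the main block when the catch-all is added (an assumption about how you would edit the file, not something the image does for you).

```nginx
# Added example, not from the thread or the linuxserver image.

# --- /config/nginx/proxy-confs/ombi.subdomain.conf (edited copy of the sample)
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Exact apex name instead of the sample's "ombi.*" (placeholder domain)
    server_name seconddomain.com;

    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app ombi;      # container name, resolved via Docker DNS
        set $upstream_port 3579;     # Ombi port from the post
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

# --- /config/nginx/site-confs/default, main block adjusted (assumption):
# the block that read "server_name _;" with default_server now names the
# first domain explicitly and no longer carries default_server.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name firstdomain.com;    # placeholder for domain_1

    root /config/www;
    index index.html index.htm index.php;
    include /config/nginx/proxy-confs/*.subfolder.conf;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    # (the "location ~ \.php$" block from the original file stays here unchanged)
}

# Catch-all for any name that matched no server_name above
# (anything.firstdomain.com, unknown.seconddomain.com, the bare IP, ...).
# 444 is nginx's "close the connection without sending a response".
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    include /config/nginx/ssl.conf;   # TLS still has to complete before the name is known
    return 444;
}
```

After `nginx -t` passes and the container is restarted, a request for a name that has no block of its own is dropped at the proxy, while firstdomain.com, seconddomain.com and each `*.subdomain.conf` keep working as before.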
Posted (edited)

Hi Guys,

Quick question. I've tried researching this question all morning but it seems like most items that touch on it just assume this is common knowledge. I'm trying to get my Cloudflare DNS A record to point to my root domain, but it doesn't let me use my DuckDNS name. It wants an external IP. The problem is my external IP is dynamic (hence why I use DuckDNS). See image below.

[screenshot]

How do I satisfy this requirement with a dynamic IP?

Thanks!

Edited by pimogo

2 hours ago, pimogo said:

Hi Guys,

Quick question. I've tried researching this question all morning but it seems like most items that touch on it just assume this is common knowledge. I'm trying to get my Cloudflare DNS A record to point to my root domain, but it doesn't let me use my DuckDNS name. It wants an external IP. The problem is my external IP is dynamic (hence why I use DuckDNS). See image below.

[screenshot]

How do I satisfy this requirement with a dynamic IP?

Thanks!

A records point to IP addresses

4 hours ago, aptalca said:

A records point to IP addresses


I can give it my external wan ip but it’ll likely change at some point. Am I stuck manually changing it everytime if I want the root to my domain resolved?

9 hours ago, pimogo said:


I can give it my external wan ip but it’ll likely change at some point. Am I stuck manually changing it everytime if I want the root to my domain resolved?

There are a multitude of options to update ip on dns. Many routers provide that feature. We also have a ddclient image that does just that

1 hour ago, aptalca said:

There are a multitude of options to update ip on dns. Many routers provide that feature. We also have a ddclient image that does just that

Thanks! Will look at ddclient! Appreciate your help.


I have been struggling with getting letsencrypt to work for a while. I've used Spaceinvader One's tutorials but I haven't been successful with either http or dns validation. I've messed with cloudflare settings and the proxy configs and it still seems that cloudflare is unable to communicate with my server. On Chrome I get Error 525 and on Firefox I get Error 521 from cloudflare.

Sometimes I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH from chrome, although I'm not able to consistently reproduce this error.

Cloudflare settings: [screenshot]

My A record IP is my weebly site

Docker settings: [screenshot]

Ports 80 and 443 are forwarded to 180 and 1443

And my deluge.subdomain.conf file (I'm using the binhex-delugevpn docker container but I've changed the title of the docker container to deluge):

# make sure that your dns has a cname set for deluge and that your deluge container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name deluge.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app deluge;
        set $upstream_port 8112;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

Also a new issue I've been having is that _acme-challenge continues to fail with the following error:

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: deluge.mydomain.com
Type: unauthorized
Detail: No TXT record found at _acme-challenge.deluge.mydomain.com

Domain: sonarr.mydomain.com
Type: unauthorized
Detail: No TXT record found at _acme-challenge.sonarr.mydomain.com

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

I've checked the cloudflare.ini file and it has the correct email and API token.

I've noticed that an _acme-challenge TXT record occasionally appears in my cloudflare dns settings but it will disappear, and the server doesn't start after it has disappeared. This has only started recently and the server has started in the past without a TXT record present in my dns settings.

Regardless of whether the server starts or not, I continue to receive 525 and 521 errors from cloudflare

I feel like there's some vital step I'm missing here but I've been unable to figure out what it is.

2 hours ago, kage1414 said:

I have been struggling with getting letsencrypt to work for a while. I've used Spaceinvader One's tutorials but I haven't been successful with either http or dns validation. I've messed with cloudflare settings and the proxy configs and it still seems that cloudflare is unable to communicate with my server. On Chrome I get Error 525 and on Firefox I get Error 521 from cloudflare.

Sometimes I get ERR_SSL_VERSION_OR_CIPHER_MISMATCH from chrome, although I'm not able to consistently reproduce this error.

Cloudflare settings: [screenshot]

My A record IP is my weebly site

Docker settings: [screenshot]

Ports 80 and 443 are forwarded to 180 and 1443

And my deluge.subdomain.conf file (I'm using the binhex-delugevpn docker container but I've changed the title of the docker container to deluge):

# make sure that your dns has a cname set for deluge and that your deluge container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name deluge.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app deluge;
        set $upstream_port 8112;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

Also a new issue I've been having is that _acme-challenge continues to fail with the following error:

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: deluge.mydomain.com
Type: unauthorized
Detail: No TXT record found at _acme-challenge.deluge.mydomain.com

Domain: sonarr.mydomain.com
Type: unauthorized
Detail: No TXT record found at _acme-challenge.sonarr.mydomain.com

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

I've checked the cloudflare.ini file and it has the correct email and API token.

I've noticed that an _acme-challenge TXT record occasionally appears in my cloudflare dns settings but it will disappear, and the server doesn't start after it has disappeared. This has only started recently and the server has started in the past without a TXT record present in my dns settings.

Regardless of whether the server starts or not, I continue to receive 525 and 521 errors from cloudflare

I feel like there's some vital step I'm missing here but I've been unable to figure out what it is.

https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/

4 hours ago, kage1414 said:

I've combed over every step in this tutorial but I'm still not having any success.

I also just received a rate limit error from LetEncrypt

Use the staging variable when testing.

Posted (edited)

Hey, since I didn't know how to install my wildcard certificate on the nextcloud image, I installed this container and it's working. 🙂

But I do not really feel comfortable with having my router port 80 open AND answering it. Is it possible to turn off answering http requests?

[screenshot]

Edited by Greyberry
