[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



8 hours ago, alturismo said:

just use the IP instead of the docker name as hostname, also the correct port, that's it.

Is this all I need to do? My Plex server is running on 192.168.0.9:32400. I have also added the custom server access URL in Plex. As far as I can tell, it's working okay now. When I first connect to https://plex.mydomain.com I get a warning that tells me that this application isn't hosted by Plex, and I need to sign in again. This is fine. When I do this, everything works. Is there anything else I need to, or should, configure before using this?

And also in the spaceinvaderone video, he adds a custom network to his proxy containers. I haven't done this with Plex as it is on another server. Plex is just running in host mode. Should I do something about that? Should I create a custom network profile on that server as well? Sorry for all the n00b questions. I am fairly new to this.


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name plex.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    proxy_redirect off;
    proxy_buffering off;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app 192.168.0.9;
        set $upstream_port 32400;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
        proxy_set_header X-Plex-Device $http_x_plex_device;
        proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
        proxy_set_header X-Plex-Platform $http_x_plex_platform;
        proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
        proxy_set_header X-Plex-Product $http_x_plex_product;
        proxy_set_header X-Plex-Token $http_x_plex_token;
        proxy_set_header X-Plex-Version $http_x_plex_version;
        proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
        proxy_set_header X-Plex-Provides $http_x_plex_provides;
        proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
        proxy_set_header X-Plex-Model $http_x_plex_model;
    }
}


I've been having an issue the last couple of weeks where LetsEncrypt stops responding around every 12-14 hours-ish. No errors in the logs, nothing looks out of place. I haven't made changes to the container in over a year with the exception of updates. A simple restart of the container and all is back to normal for another 14 hours.

 

Any tips on where to start looking?

On 6/19/2020 at 11:06 AM, SeveredDime said:

I've been having an issue the last couple of weeks where LetsEncrypt stops responding around every 12-14 hours-ish. No errors in the logs, nothing looks out of place. I haven't made changes to the container in over a year with the exception of updates. A simple restart of the container and all is back to normal for another 14 hours.

 

Any tips on where to start looking?

I'm having the same issue. I've been trying to figure it out but it's getting annoying.


Hi, I'm hoping I can get some assistance. I'm following spaceinvader's instructions on How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX. The problem I'm having is with letsencrypt. It keeps coming up with:

Performing the following challenges:
http-01 challenge for okavangonextcloud.duckdns.org
http-01 challenge for okavangoserver.duckdns.org
Waiting for verification...
Challenge failed for domain okavangonextcloud.duckdns.org
Challenge failed for domain okavangoserver.duckdns.org

 

I'm pretty sure it's something to do with my port forwarding. Problem is, I don't know what. Is there anyone here familiar with a Linksys router? I can't quite figure out how to forward port 80 to 180 and 443 to 1443. I tried a few different things but none seem to work.

5 hours ago, saarg said:

The cron job to renew the certs is run at 02:08, so check if there are any errors for certbot.

Might be that you guys have a network issue and something in the process is locked up.

o-o welp that helped.. was trying to renew my domain that is behind cloudflare so it was failing.. Danke Danke

Edited by Jerky_san
1 hour ago, DigitalDivide said:

Hi, I'm hoping I can get some assistance. I'm following spaceinvader's instructions on How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX. The problem I'm having is with letsencrypt. It keeps coming up with:

Performing the following challenges:
http-01 challenge for okavangonextcloud.duckdns.org
http-01 challenge for okavangoserver.duckdns.org
Waiting for verification...
Challenge failed for domain okavangonextcloud.duckdns.org
Challenge failed for domain okavangoserver.duckdns.org

 

I'm pretty sure it's something to do with my port forwarding. Problem is, I don't know what. Is there anyone here familiar with a Linksys router? I can't quite figure out how to forward port 80 to 180 and 443 to 1443. I tried a few different things but none seem to work.


Use 80 and 443 as external and 180 and 1443 as internal. Then use the IP of unraid. Of course you have to add two entries.

 

Is your subdomain of duckdns okavangonextcloud and okavangoserver or just okavango?


Didn't work:

Waiting for verification...
Challenge failed for domain okavangonextcloud.duckdns.org
Challenge failed for domain okavangoserver.duckdns.org
http-01 challenge for okavangonextcloud.duckdns.org
http-01 challenge for okavangoserver.duckdns.org
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: okavangonextcloud.duckdns.org
Type: connection
Detail: Fetching
http://okavangonextcloud.duckdns.org/.well-known/acme-challenge/aujXkgpsq114zWvcYW3AjEYCbqpoExXkV1GKpqFxawk:
Timeout during connect (likely firewall problem)

Domain: okavangoserver.duckdns.org
Type: connection
Detail: Fetching
http://okavangoserver.duckdns.org/.well-known/acme-challenge/7omhOmbExgOh2o8fh7snrX6uzBcILok1p-kP6AEDk_8:
Timeout during connect (likely firewall problem)

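As an added example (not from the thread, and not certbot's own code): a small Python parser for the per-domain error block certbot printed above. It pulls out each failed domain, the exact challenge URL Let's Encrypt tried to fetch, and a first-thing-to-check hint; the sample input is the posted output, and the hint text is my own heuristic keyed on the "Timeout during connect" message.

```python
import re
from typing import Dict, List

# Constructed sample: the per-domain error block certbot printed in the post above.
SAMPLE_CERTBOT_OUTPUT = """\
Domain: okavangonextcloud.duckdns.org
Type: connection
Detail: Fetching
http://okavangonextcloud.duckdns.org/.well-known/acme-challenge/aujXkgpsq114zWvcYW3AjEYCbqpoExXkV1GKpqFxawk:
Timeout during connect (likely firewall problem)

Domain: okavangoserver.duckdns.org
Type: connection
Detail: Fetching
http://okavangoserver.duckdns.org/.well-known/acme-challenge/7omhOmbExgOh2o8fh7snrX6uzBcILok1p-kP6AEDk_8:
Timeout during connect (likely firewall problem)
"""

URL_RE = re.compile(r"(https?://\S+?/\.well-known/acme-challenge/[A-Za-z0-9_-]+)")

def parse_certbot_errors(output: str) -> List[Dict[str, str]]:
    # One record per "Domain:" block; "Detail:" continuation lines are joined.
    records: List[Dict[str, str]] = []
    current = None
    for raw in output.splitlines():
        line = raw.strip()
        if not line:
            current = None  # a blank line ends the current block
        elif line.startswith("Domain:"):
            current = {"domain": line.split(":", 1)[1].strip(), "type": "", "detail": "", "url": ""}
            records.append(current)
        elif current is None:
            continue  # text outside a Domain block (e.g. the IMPORTANT NOTES header)
        elif line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Detail:"):
            current["detail"] = line.split(":", 1)[1].strip()
        elif current["detail"]:
            current["detail"] += " " + line
    for rec in records:  # pull out the exact URL Let's Encrypt tried to fetch
        m = URL_RE.search(rec["detail"])
        rec["url"] = m.group(1) if m else ""
    return records

def diagnose(rec: Dict[str, str]) -> str:
    # Heuristic mapping (my own, not certbot's) from the failure to the first thing to check.
    if rec["type"] == "connection" and "Timeout during connect" in rec["detail"]:
        return "port 80 never reached SWAG: forward external 80 to the container's HTTP port and check the firewall"
    return "unclassified failure: read the Detail text"
```

Running the parser over the sample gives two "connection" records, both mapped to the port-80 forwarding hint, which matches the advice given earlier in the thread.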
10 minutes ago, aptalca said:

Anything in the docker log?

That I see, no.. it just says "server ready" until I restart it. Ports go completely down but the docker itself is still running. Error logs do not show anything either, but it was able to renew the cert last night so it must have gone down after that happened.

1 hour ago, Jerky_san said:

That I see, no.. it just says "server ready" until I restart it. Ports go completely down but the docker itself is still running. Error logs do not show anything either, but it was able to renew the cert last night so it must have gone down after that happened.

Can you post the output of "ps -ef" from inside the container when that happens?


Am I doing this wrong, or what don't I understand here? (which is a lot)

 

I'm playing with a Gotify docker container for push notifications.

I'm playing with this letsencrypt docker for SSL certificates.

 

Is it possible/how do I use the SSL certs from the letsencrypt container in the Gotify container?

 

The Gotify config file has an area for SSL


  ssl:
    enabled: false # if https should be enabled
    redirecttohttps: true # redirect to https if site is accessed by http
    listenaddr: "" # the address to bind on, leave empty to bind on all addresses
    port: 443 # the https port
    certfile: # the cert file (leave empty when using letsencrypt)
    certkey: # the cert key (leave empty when using letsencrypt)
    letsencrypt:
      enabled: false # if the certificate should be requested from letsencrypt
      accepttos: false # if you accept the tos from letsencrypt
      cache: data/certs # the directory of the cache from letsencrypt

But this seems to require that letsencrypt is running within the same docker container?

 

I've tried just copying the files from appdata/letsencrypt to a folder in appdata/gotify but the files "weren't found", so I'm not sure where gotify was looking for them. The main config file is found in appdata/gotify/config; I tried the certs there also.

 

Gotify doesn't have a support thread here so I'll try in the letsencrypt thread, since I need letsencrypt files ;)

 

Thanks for any assistance.


Success

 

I modified all the lines from okavangonextcloud to okavangonextcloud.duckdns.org and that did the trick. Not sure if they should all be like that but it worked. I was able to log in via the internal web GUI and externally.

 

array (
    0 => '192.168.1.138:444',
    1 => 'okavangonextcloud.duckdns.org',
  ),
  'dbtype' => 'mysql',
  'version' => '19.0.0.12',
  'overwrite.cli.url' => 'https://okavangonextcloud.duckdns.org',
  'overwritehost' => 'okavangonextcloud.duckdns.org',
