[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



19 minutes ago, saarg said:

 

Why are you using the command line? sudo is not used on unraid, so if you are running anything other than unraid, please go to our forum at linuxserver.io to get help.

Hahaha, sorry, I realize now that this is the wrong forum... Yeah, I'm not using unraid. Thanks for trying to help me though!

8 hours ago, RAINMAN said:

I'm a bit confused now that I am trying to add another subdomain.

 

When I look at the certificates for all my domains they are issued to plex.mydomain.com. Even if the domain is grafana.mydomain.com it's still coming up as valid. Do I have this set up right? I would have expected it to be issued for each subdomain. (Note: I am not using the letsencrypt docker for the top level domain. That is hosted separately.)

 

Second, I was trying to add a subdomain for crashplan and it appears right, but it didn't load the actual VNC content.  It loads the title bar and the certificate is green (but issued to plex.mydomain.com).  

 

To resolve this I had to add the following 2 lines to the location / block. Maybe it will help someone if they have the same issue.

 


        location / {

                # Added block for websockets
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";

                auth_basic "Restricted";
                auth_basic_user_file /config/nginx/.htpasswd;
                include /config/nginx/proxy.conf;
                proxy_pass http://192.168.0.100:7810;
        }

 

 

Certificates can contain multiple urls. Your browser is likely showing the first one listed. If you click on the details you'll see all of them. If the address didn't match, you wouldn't get the green padlock and would get a warning instead. 
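The two proxy_set_header lines in the quoted post matter because Upgrade is a hop-by-hop header: nginx does not forward it on its own and, by default, talks HTTP/1.0 with Connection: close to the upstream, so a noVNC-style backend only ever sees a plain GET and never switches to a WebSocket. The following Python is an added example, not code from the post or from the SWAG project; it models the proxy's header handling and the backend's RFC 6455 handshake so the two outcomes can be compared. The client request and host name are constructed; the key/accept pair is the sample from RFC 6455 section 1.3.

```python
import base64
import hashlib

# Fixed GUID from RFC 6455 section 1.3; the backend proves it understood the
# upgrade by hashing the client's key together with it.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_key(client_key):
    """Sec-WebSocket-Accept = base64(SHA-1(Sec-WebSocket-Key + GUID))."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def proxy_forward(client_headers, websocket_lines_present):
    """Model the request headers nginx hands to the upstream app.

    Without the two proxy_set_header lines (websocket_lines_present=False)
    the hop-by-hop Upgrade header is dropped and Connection is "close".
    With them, the client's Upgrade value and "Connection: upgrade" go upstream.
    """
    forwarded = {k: v for k, v in client_headers.items()
                 if k.lower() not in ("upgrade", "connection")}
    if websocket_lines_present:
        forwarded["Upgrade"] = client_headers.get("Upgrade", "")
        forwarded["Connection"] = "upgrade"
    else:
        forwarded["Connection"] = "close"
    return forwarded


def upstream_response(headers):
    """Act as the proxied app (e.g. a noVNC backend): return (status, headers).

    An incomplete upgrade request is answered as plain HTTP (the page shell
    loads, the VNC stream never starts); a complete one is switched with 101.
    """
    h = {k.lower(): v for k, v in headers.items()}
    upgrade = h.get("upgrade", "").lower()
    connection = [t.strip().lower() for t in h.get("connection", "").split(",")]
    key = h.get("sec-websocket-key")
    if upgrade != "websocket" or "upgrade" not in connection or key is None:
        return 200, {"Content-Type": "text/html"}
    return 101, {"Upgrade": "websocket", "Connection": "Upgrade",
                 "Sec-WebSocket-Accept": accept_key(key)}


# Constructed client request for the crashplan subdomain mentioned in the post.
CLIENT_REQUEST = {
    "Host": "crashplan.mydomain.com",
    "Upgrade": "websocket",
    "Connection": "Upgrade",
    "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",   # RFC 6455 sample key
    "Sec-WebSocket-Version": "13",
}


def simulate(websocket_lines_present):
    """Run the client request through the modelled proxy and app; return the status."""
    return upstream_response(proxy_forward(CLIENT_REQUEST, websocket_lines_present))[0]


if __name__ == "__main__":
    print("without Upgrade/Connection lines:", simulate(False))
    print("with Upgrade/Connection lines:   ", simulate(True))
```

Running it shows status 200 (plain page, no VNC stream) without the two lines and 101 (protocol switched) with them, which is exactly the symptom described: title bar loads, content does not.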


May I ask why some sites don't show properly while they are behind reverse proxies? An easy sample is the unraid webui (just as a sample).

(attached screenshot: blob.png)

Maybe some hints on where to start to get all sites properly proxied?

It's better here to use site.domain.com instead of domain.com/site, but I still have errors like this on several proxied local sites...

and can't find a real solution.

On 12/15/2017 at 10:10 AM, local.bin said:

 

You need to go back and make the other changes I mentioned, as what you quoted was not what I posted. Changing the action will stop it trying to send the mail from localhost:

 

Edit jail.local and add the following to the nextcloud or other jail;


mta      = sendmail
action   = sendmail-whois[name=nextcloud, dest=<destination email address>]

 

 

Copy ..action.d/sendmail-whois.conf to sendmail-whois.local and then edit the last line of the action, changing the sendmail command line part;

 


Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -au<from email account name> -ap<account password> <dest>

 

Hm, when looking at what I posted I just see the same? 

 

[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /config/log/nginx/error.log
mta = sendmail
action = sendmail-whois[name=letsencrypt, dest=<[email protected]>]

 

Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -au<username> -ap<password> <dest>
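The [nginx-http-auth] jail above bans a client once its auth_basic failures in /config/log/nginx/error.log exceed maxretry within findtime. To make that logic concrete, here is an added Python example (not fail2ban's code and not from the post) that applies a regex modelled on fail2ban's nginx-http-auth filter to constructed error.log lines and reproduces the ban decision. The log lines, IP addresses and host names are all made up; the thresholds default to the common maxretry=5 / findtime=600 values, which are assumptions, not settings from the post.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Regex modelled on fail2ban's nginx-http-auth failregex (simplified, not the
# project's own file): an auth_basic failure line with the client IP captured.
FAILREGEX = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*":? (?:password mismatch|was not found in "[^"]*"), '
    r'client: (?P<host>[^,\s]+), server: \S*, request: "[^"]*", host: "[^"]*"'
)

# Constructed sample of /config/log/nginx/error.log (not a real capture).
SAMPLE_ERROR_LOG = """\
2017/12/15 10:10:01 [error] 311#311: *42 user "bob": password mismatch, client: 203.0.113.7, server: nextcloud.example.com, request: "GET / HTTP/1.1", host: "nextcloud.example.com"
2017/12/15 10:10:03 [error] 311#311: *43 user "bob": password mismatch, client: 203.0.113.7, server: nextcloud.example.com, request: "GET / HTTP/1.1", host: "nextcloud.example.com"
2017/12/15 10:10:05 [error] 311#311: *44 user "admin" was not found in "/config/nginx/.htpasswd", client: 203.0.113.7, server: nextcloud.example.com, request: "GET /login HTTP/1.1", host: "nextcloud.example.com"
2017/12/15 10:10:08 [error] 311#311: *45 user "root" was not found in "/config/nginx/.htpasswd", client: 203.0.113.7, server: nextcloud.example.com, request: "GET / HTTP/1.1", host: "nextcloud.example.com"
2017/12/15 10:10:09 [error] 311#311: *46 user "alice": password mismatch, client: 198.51.100.9, server: nextcloud.example.com, request: "GET / HTTP/1.1", host: "nextcloud.example.com"
2017/12/15 10:10:12 [error] 311#311: *47 user "bob": password mismatch, client: 203.0.113.7, server: nextcloud.example.com, request: "GET / HTTP/1.1", host: "nextcloud.example.com"
2017/12/15 10:10:15 [notice] 311#311: signal process started
"""


def parse_failures(lines):
    """Yield (timestamp, client_ip) for every line the filter matches."""
    for line in lines:
        m = FAILREGEX.match(line.strip())
        if m:
            yield datetime.strptime(m.group("ts"), "%Y/%m/%d %H:%M:%S"), m.group("host")


def compute_bans(lines, maxretry=5, findtime=600):
    """Return the set of IPs that reach maxretry failures inside a findtime window.

    Lines are assumed to be in chronological order, as in a real log file.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    banned = set()
    for ts, ip in parse_failures(lines):
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures older than findtime
        if len(q) >= maxretry:
            banned.add(ip)
    return banned


if __name__ == "__main__":
    lines = SAMPLE_ERROR_LOG.splitlines()
    print("matched failures:", len(list(parse_failures(lines))))
    print("banned:", compute_bans(lines))
```

The one-failure client 198.51.100.9 is never banned; 203.0.113.7 is banned on its fifth failure. Shrinking findtime to a few seconds shows the window at work: the same five failures spread over eleven seconds no longer trigger a ban.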

 


Every time I start the docker I get the following message in the log;

 

 

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d bacnet.duckdns.org
E-mail address entered: [email protected]
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for duckdns.org
tls-sni-01 challenge for bacnet.duckdns.org
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
Failed authorization procedure. duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, bacnet.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
- The following errors were reported by the server:

Domain: duckdns.org
Type: connection
Detail: Timeout

Domain: bacnet.duckdns.org
Type: connection
Detail: Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting. 

16 hours ago, sgt_spike said:

Every time I start the docker I get the following message in the log;

 

 

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d bacnet.duckdns.org
E-mail address entered: [email protected]
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for duckdns.org
tls-sni-01 challenge for bacnet.duckdns.org
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
Failed authorization procedure. duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout, bacnet.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
- The following errors were reported by the server:

Domain: duckdns.org
Type: connection
Detail: Timeout

Domain: bacnet.duckdns.org
Type: connection
Detail: Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting. 

 

It seems you have two issues:

 

1. Your url should be bacnet.duckdns.org not duckdns.org because you do not control duckdns.org

 

2. bacnet is not properly forwarded to your ip and/or container

32 minutes ago, aptalca said:

 

It seems you have two issues:

 

1. Your url should be bacnet.duckdns.org not duckdns.org because you do not control duckdns.org

 

2. bacnet is not properly forwarded to your ip and/or container

for the settings, duckdns.org should be the domain and bacnet should be in the subdomain?

 

to forward bacnet to unraid do I edit the duckdns docker?

Just now, sgt_spike said:

Yes it does

@sgt_spike

My duckdns docker has my subdomain listed under SUBDOMAINS (yours would be bacnet) and the token is from the duckdns webpage.

Those are the only 2 edits I have ever made to the duckdns docker.

Within the LE docker settings I have my host port set to 9443 and that forwards to 443 inside the container.

In my router, I have a port forward that forwards 443 WAN to <unRAID IP>:9443

 

So from the outside it looks like:

subdomain.duckdns.org:443 -> router forwards this to <unRAID IP>:9443 -> to inside LE docker 443

 

Hope this helps.

9 minutes ago, blurb2m said:

@sgt_spike

My duckdns docker has my subdomain listed under SUBDOMAINS (yours would be bacnet) and the token is from the duckdns webpage.

Those are the only 2 edits I have ever made to the duckdns docker.

Within the LE docker settings I have my host port set to 9443 and that forwards to 443 inside the container.

In my router, I have a port forward that forwards 443 WAN to <unRAID IP>:9443

 

So from the outside it looks like:

subdomain.duckdns.org:443 -> router forwards this to <unRAID IP>:9443 -> to inside LE docker 443

 

Hope this helps.

 

Seems like I get the same errors

 

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
No subdomains defined
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for bacnet.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. bacnet.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: bacnet.duckdns.org
Type: connection
Detail: Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

(attached screenshots: Capture.PNG, Docker Settings.PNG)


@sgt_spike Oh! Change that LE docker setting where it says "only subdomains" to "true". You only want to generate certs for bacnet.

That should definitely help; if not, you do have another issue about a missing variable.

 

Hmm, your settings look different; mine has Email, Domain Name, Subdomain(s), Only subdomains.

 

change Domain Name: "duckdns.org" (without quotes)

click the button at the bottom that says "Add another Path, Port, Variable or Device"

Config type: Variable

Name: Subdomain(s)

Key: SUBDOMAINS

Value: bacnet

Description: Subdomains you'd like the cert to cover (comma separated, no spaces) ie www,ftp,cloud,

 

This should tell LE which certs to generate and not try to generate them for the duckdns main domain since you don't own that.

7 hours ago, blurb2m said:

@sgt_spike Oh! Change that LE docker setting where it says "only subdomains" to "true". You only want to generate certs for bacnet.

That should definitely help; if not, you do have another issue about a missing variable.

 

Hmm, your settings look different; mine has Email, Domain Name, Subdomain(s), Only subdomains.

 

change Domain Name: "duckdns.org" (without quotes)

click the button at the bottom that says "Add another Path, Port, Variable or Device"

Config type: Variable

Name: Subdomain(s)

Key: SUBDOMAINS

Value: bacnet

Description: Subdomains you'd like the cert to cover (comma separated, no spaces) ie www,ftp,cloud,

 

This should tell LE which certs to generate and not try to generate them for the duckdns main domain since you don't own that.

 

Don't do that. That is incorrect

2 hours ago, sgt_spike said:

 

Don't do what?  What's incorrect?

 

No I got the same error message.  I feel like I have something missing.  I just don't know

 

Don't set only subdomains to true. Set the domain/url to bacnet.duckdns.org

 

Did you reboot the router after you set the port forward? Maybe you have to

1 hour ago, aptalca said:

 

Don't set only subdomains to true. Set the domain/url to bacnet.duckdns.org

 

Did you reboot the router after you set the port forward? Maybe you have to

 

Did as you suggested. Got the same error. I was looking around and opened the "don'teditthisfile.conf" and noticed it never updated when I changed the docker settings. I removed the docker and re-installed it.

 

Do I need to supply a pw along with the email address in order to gain access to my duckdns.org account?


I'm going nuts over here. I have had plex up and running perfectly for months. Now something has changed and I am not sure if it's a cert thing or not. Last night my friend couldn't reach my server, but I could reach it from my phone not on wifi and at my work computer. Plex also showed that it was accessible from outside my network. Now it shows that the remote connection is no longer accessible. I can access it outside my network, and when I try to connect I get a NET::ERR_CERT_COMMON_NAME_INVALID error. I'm not sure if this has to do with my reverse proxy or plex or something else. I updated and restarted my edgerouter x, I checked updates on plex and the letsencrypt docker. I checked to make sure requests were going through the firewall and they were as they always have been. I am not sure where the problem lies. Anyone else having this issue?

 

 

    #PLEX
    location /web {
        # serve the CSS code
        proxy_pass http://192.168.1.5:32400;
    }

    # Main /plex rewrite
    location /plex {
        # proxy request to plex server
        proxy_pass http://192.168.1.5:32400/web;
    }

 

This is the plex related section of my default file for nginx
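Two posts in this thread turn on the same check: the earlier question about every subdomain showing a certificate "issued to plex.mydomain.com" (a browser accepts any name in the certificate's SAN list, and simply displays the first one), and the NET::ERR_CERT_COMMON_NAME_INVALID error just above, which is what Chrome reports when the host name the browser connected to matches none of those names. The Python below is an added example, not code from either post or from the SWAG project: it reproduces the name-matching rule a browser applies (RFC 6125 style, SAN list first, wildcard limited to one label) over a constructed certificate in the dict layout Python's ssl.SSLSocket.getpeercert() returns. The certificate contents and host names are made up.

```python
# Constructed certificate in the dict shape ssl.SSLSocket.getpeercert() returns
# (assumed input layout for this example; the names themselves are made up).
PLEX_CERT = {
    "subject": ((("commonName", "plex.mydomain.com"),),),
    "subjectAltName": (("DNS", "plex.mydomain.com"),
                       ("DNS", "grafana.mydomain.com"),
                       ("DNS", "crashplan.mydomain.com")),
}


def dns_names(cert):
    """Names the certificate is valid for: the SAN list, or the CN only when
    there is no SAN at all (legacy behaviour; modern browsers ignore the CN)."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def name_matches(pattern, hostname):
    """RFC 6125-style comparison: case-insensitive exact match, or a wildcard
    that is the whole left-most label and stands for exactly one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Refuse "*.com"-style patterns and require the same number of labels.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels) or not h_labels[0]:
        return False
    return p_labels[1:] == h_labels[1:]


def cert_covers(cert, hostname):
    """True when a browser would accept this certificate for this host name."""
    return any(name_matches(n, hostname) for n in dns_names(cert))


def displayed_name(cert):
    """The first listed name, which is what the post says the browser shows."""
    return dns_names(cert)[0]


if __name__ == "__main__":
    for host in ("grafana.mydomain.com", "crashplan.mydomain.com", "plex.example.org"):
        verdict = "ok" if cert_covers(PLEX_CERT, host) else "NAME MISMATCH"
        print(f"{host:28} shown as {displayed_name(PLEX_CERT)}: {verdict}")
```

A mismatch for the name you actually typed into the browser is the situation behind NET::ERR_CERT_COMMON_NAME_INVALID; the first step is therefore to compare the host name in the address bar with the full SAN list in the certificate viewer, not just the name shown in the summary.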

12 hours ago, DZMM said:

Is anyone using Lidarr?  It works, but the icons don't display:

 


# Lidarr
	location /lidarr {
		include /config/nginx/proxy.conf;
		proxy_pass http://172.32.12.69:8686/lidarr/;
	}

 

(attached screenshot: screenshot_70.jpg)

 

This works for me. 

	# LIDARR CONTAINER
	location ^~ /lidarr {
		#auth_request /auth-admin;
		proxy_pass http://192.168.1.34:8686/lidarr;
		include /config/nginx/proxy.conf;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}


Try and remove your trailing / on the proxy_pass line

Edited by GilbN
8 hours ago, GilbN said:

 

This works for me. 


	# LIDARR CONTAINER
	location ^~ /lidarr {
		#auth_request /auth-admin;
		proxy_pass http://192.168.1.34:8686/lidarr;
		include /config/nginx/proxy.conf;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}


Try and remove your trailing / on the proxy_pass line

Thank you - that did the trick.  Out of interest, what do your extra lines do?
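The question about the extra lines is not answered in the thread, so here is the part that matters for security. proxy_set_header Host $host forwards the name the browser asked for; X-Real-IP $remote_addr and X-Forwarded-For $proxy_add_x_forwarded_for tell the backend who the real client is, because otherwise every request appears to come from the proxy's own address and the app's logs, rate limits and bans all see one IP. The catch is that these headers are just headers: a client that can reach the backend port directly (192.168.1.34:8686 in the config above is a plain LAN address) can write any value it likes into them. The Python below is an added example, not GilbN's code or anything from the SWAG project; it shows how a backend should derive the client address, trusting X-Forwarded-For only when the TCP peer is the proxy and walking the list from the right, as nginx appends its own peer at the end. The trusted-proxy CIDR and all addresses are constructed.

```python
import ipaddress


def client_ip(peer_addr, headers, trusted_proxies):
    """Derive the real client address as an app behind nginx should.

    peer_addr: the TCP peer (nginx's address when proxied, else the client).
    headers: request headers as received.
    trusted_proxies: CIDR strings for the proxies allowed to set these headers
    (an assumption of this example; pick the proxy's real address in practice).
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(addr):
        return any(ipaddress.ip_address(addr) in n for n in nets)

    if not trusted(peer_addr):
        # Direct connection, or an unknown hop: the headers may be forged, so
        # ignore them and use the address the TCP connection actually came from.
        return peer_addr

    h = {k.lower(): v for k, v in headers.items()}
    xff = [p.strip() for p in h.get("x-forwarded-for", "").split(",") if p.strip()]
    # $proxy_add_x_forwarded_for appends nginx's own peer to the right-hand end.
    # Walk from the right, skip our own proxies, and stop at the first address
    # that is not one of them; everything left of it was supplied by the client.
    for addr in reversed(xff):
        try:
            ipaddress.ip_address(addr)
        except ValueError:
            break            # malformed entry: stop trusting the header
        if not trusted(addr):
            return addr
    # Nothing usable in X-Forwarded-For: X-Real-IP was set by the trusted
    # proxy from $remote_addr, so it is acceptable; otherwise fall back to the peer.
    return h.get("x-real-ip", peer_addr)


# Constructed: the proxy lives on 192.168.1.0/24 in this example, the public
# client is 203.0.113.7 and 1.2.3.4 is a value the client forged itself.
TRUSTED = ["192.168.1.0/24"]

if __name__ == "__main__":
    via_proxy = {"X-Forwarded-For": "1.2.3.4, 203.0.113.7", "X-Real-IP": "203.0.113.7"}
    print("via nginx:      ", client_ip("192.168.1.34", via_proxy, TRUSTED))
    print("direct to port: ", client_ip("203.0.113.7", {"X-Forwarded-For": "1.2.3.4"}, TRUSTED))
```

The second call is the case to keep in mind: a request that bypasses the proxy and hits the backend port directly is attributed to its real TCP peer, not to whatever it put in X-Forwarded-For. Firewalling the backend port so only the proxy can reach it removes that path altogether.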


Letsencrypt log

 



Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.jacksparrow1234.com -d nextcloud.greygooseman.com
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for jacksparrow1234.com
tls-sni-01 challenge for www.jacksparrow1234.com
tls-sni-01 challenge for nextcloud.jacksparrow1234.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. nextcloud.jacksparrow1234.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 9111a98c620472f4c2706a71f638ddbf.3f4653460ed4c2584ab728fcde4f3ccf.acme.invalid from 452.149.238.180:443. Received 1 certificate(s), first certificate had names "mediaserver, mediaserver.local", www.jacksparrow1234.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested b032986d6daccd2444bf41b0362457e3.dad5d11f4fdac008afcf427953089bfd.acme.invalid from 452.149.238.180:443. Received 1 certificate(s), first certificate had names "mediaserver, mediaserver.local"
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: nextcloud.jacksparrow1234.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
9111a98c620472f4c2706a71f638ddbf.3f4653460ed4c2584ab728fcde4f3ccf.acme.invalid
from 452.149.238.180:443. Received 1 certificate(s), first
certificate had names "mediaserver, mediaserver.local"

Domain: www.jacksparrow1234.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
b032986d6daccd2444bf41b0362457e3.dad5d11f4fdac008afcf427953089bfd.acme.invalid
from 212.159.138.140:443. Received 1 certificate(s), first
certificate had names "mediaserver, mediaserver.local"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

