[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

9 hours ago, CHBMB said:

You've got http port defined twice, so remove one, and remove HTTPVAL = FALSE (the whole variable)

 

Hi CHBMB,

Please could you elaborate on how to remove HTTPVAL = FALSE? I think having it there may be my issue now, but can't see a way to remove that variable? I have removed my "extra" http option like you've recommended to sdoksdlkk but I can't see a way to do so for HTTPVAL?

Link to comment
 
Hi CHBMB,
Please could you elaborate on how to remove HTTPVAL = FALSE? I think having it there may be my issue now, but can't see a way to remove that variable? I have removed my "extra" http option like you've recommended to sdoksdlkk but I can't see a way to do so for HTTPVAL?
Try switching on advanced. Or go to settings docker and turn on authoring mode.

Sent from my LG-H815 using Tapatalk

Link to comment
14 hours ago, aptalca said:

 

Post your site config. Make sure the ip you defined is correct and valid (no localhost or 127.0.0.1, etc.)

upstream backend {
    server 192.168.1.47:19999;
    keepalive 64;
}

server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location = / {
        return 301 /htpc;
    }

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.47:8989;
    }
    
    location /radarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.47:7878/radarr;
    }

    location /htpc {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.47:8085/htpc;
    }

    
    location /downloads {
        include /config/nginx/proxy.conf;
        proxy_pass  http://192.168.1.47:8112/;
        proxy_set_header  X-Deluge-Base "/downloads/";
    }
    
    #PLEX
    location /web {
        # serve the CSS code
        proxy_pass http://192.168.1.47:32400;
    }

    # Main /plex rewrite
    location /plex {
        # proxy request to plex server
        proxy_pass http://192.168.1.47:32400/web;
    }

    location /nextcloud {
        include /config/nginx/proxy.conf;
        proxy_pass https://192.168.1.47:444/nextcloud;
    }
    
    location ~ /netdata/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend/$ndpath$is_args$args;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}

 

I followed this tutorial. I suspect it is a bit dated with the new images out.

 

Edited by torn8o
add link to tutorial
Link to comment
6 hours ago, torn8o said:

upstream backend {
    server 192.168.1.47:19999;
    keepalive 64;
}

server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location = / {
        return 301 /htpc;
    }

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.47:8989;
    }
    
    location /radarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.47:7878/radarr;
    }

    location /htpc {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.47:8085/htpc;
    }

    
    location /downloads {
        include /config/nginx/proxy.conf;
        proxy_pass  http://192.168.1.47:8112/;
        proxy_set_header  X-Deluge-Base "/downloads/";
    }
    
    #PLEX
    location /web {
        # serve the CSS code
        proxy_pass http://192.168.1.47:32400;
    }

    # Main /plex rewrite
    location /plex {
        # proxy request to plex server
        proxy_pass http://192.168.1.47:32400/web;
    }

    location /nextcloud {
        include /config/nginx/proxy.conf;
        proxy_pass https://192.168.1.47:444/nextcloud;
    }
    
    location ~ /netdata/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend/$ndpath$is_args$args;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}

 

I followed this tutorial. I suspect it is a bit dated with the new images out.

 

 

Hmm, not sure. It's complaining about not being able to reach a host, perhaps the netdata one. Is that container running? 

Link to comment

Hi,

 

I followed the great guide of @CHBMB at https://www.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/

 

Unfortunately I have a problem with letsencrypt.

 

I am using the file

 

server {  
    listen 443 ssl;
    server_name nextcloud.whatevermydomainis.com;

    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://my.inter.nal.ip:444/;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}

 

placed in the path /mnt/user/appdata/letsencrypt/nginx/site-confs/nextcloud

 

When I restart the letsencrypt docker I get the following error in the log: 

 

 

nginx: [emerg] the size 10485760 of shared memory zone "SSL" conflicts with already declared size 52428800 in /config/nginx/site-confs/nextcloud:20
nginx: [emerg] the size 10485760 of shared memory zone "SSL" conflicts with already declared size 52428800 in /config/nginx/site-confs/nextcloud:20
 

Unfortunately I do not have a clue how to solve this. Could someone be so kind to help me?

 

Cheers!

Link to comment
23 hours ago, CHBMB said:

Try switching on advanced. Or go to settings docker and turn on authoring mode.

Sent from my LG-H815 using Tapatalk
 

 

God damn it, I feel even more stupid than usual and that's saying something!   Thank you.

Although it didn't solve my problem, at least I've learnt something. Think my ISP must block port 80 inbound :(

Link to comment
9 minutes ago, CHBMB said:

Remove line 20 as that's what the error is telling you is causing the issue.

 

Wow, thank you so much for such a fast reply esp. on a Sunday!! I commented out 

 

ssl_session_cache shared:SSL:10m;

 

and not it does not throw the error anymore  

 

P.S. May I suggest to extend your guide in respect to this config file? You do not write that the line

 

proxy_pass https://192.168.0.1:444/;

needs to be changed to the internal IP of the unRAID server and the port of Nextcloud chosen above.

Edited by moinmoin
added PS
Link to comment

Hi, i switched also now from apache to letsencrypt, some smaller issues i dont understand.

 

server is used as reverse proxy mainly.

 

2 sites i dont get proxied like before

 

1st one is cops

 

config looks like this

 

    location ^~ /calibre {
       auth_basic off;
       allow all; # Allow all to see content 
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.2:9090/calibre;
    }

 

also tried proxy_pass http://192.168.1.2:9090 without the /calibre ... no change

 

all i get is either 404 or file not found error, nothing in the error logs, only access logs showing ...

 

11.22.33.44 - - [11/Feb/2018:11:05:22 +0100] "GET /favicon.ico HTTP/1.1" 200 430 "https://my.domain.de/calibre/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.51 Safari/537.36"
11.22.33.44 - - [11/Feb/2018:11:05:23 +0100] "GET /calibre/ HTTP/1.1" 404 200 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.51 Safari/537.36"
11.22.33.44 - - [11/Feb/2018:11:05:23 +0100] "GET /favicon.ico HTTP/1.1" 200 430 "https://my.domain.de/calibre/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.51 Safari/537.36"
11.22.33.44 - - [11/Feb/2018:11:15:16 +0100] "GET /calibre/index.php HTTP/1.1" 404 47 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.51 Safari/537.36"

 

in apache it looked like this

 

<Location /calibre>
    ProxyPass http://192.168.1.2:9090 retry=0
    # retry=0 => avoid 503's when restarting etherpad-lite
        ProxyPassReverse http://192.168.1.2:9090
        SetOutputFilter proxy-html
        ProxyHTMLURLMap http://192.168.1.2:9090
    </Location>
    RewriteRule ^/calibre$ /calibre/ [R]

 

as the 2nd site is more or less the same error ...

 

For any Tipps thanks ahead

Link to comment
9 hours ago, alturismo said:

1st one is cops

 

config looks like this

 

    location ^~ /calibre {
       auth_basic off;
       allow all; # Allow all to see content 
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.2:9090/calibre;
    }

 

i used....

 

        location ^~/books {
		proxy_pass http://192.168.0.1:82/;
		rewrite /books/?(.*) /$1 break;
		auth_basic "Restricted";
    		auth_basic_user_file /config/nginx/.htpasswd;
		include /config/nginx/proxy.conf;
	}

But I could only ever get it to work if I manually put in the trailing slash into the URL.

Link to comment
Prior to the letsencrypt change, the template below worked for small business server.
There are 2 lines added to allow emails to be sent to external devices eg phones.
 
After the letsencrypt change I changed the settings in the docker to HTTPVAL = true and redirected external port 80 to 8088 internally.
 
Certificates worked again but no more emails can be received externally to phones etc.
On the local network, sbs works normally.
 
Any ideas?
 
I wondered whether redirecting port 80 might have had an effect, but I bypassed the proxy by directing port 443 directly back to the sbs server and blocked port 80 and the emails worked normally.  So it has to be an issue with the proxy.
 
 
listen 443 ssl;
    server_name remote.mydomanename.com.au;
    root /config/www;
    index index.html index.htm index.php;
    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;
    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ###Extra Settings###
    ssl_prefer_server_ciphers on;
# cancelled the following line after upgrade to nextcloud 13
#    ssl_session_cache shared:SSL:10m;
        ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;
 client_max_body_size 0;
# the next 2 lines allowed exchange in small business server send emails externally.  The rest of this template is otherwise unchanged.
 proxy_request_buffering off;
    proxy_buffering off;
     
    location / {
        proxy_pass https://192.168.10.21:443/;
     proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}
Link to comment
3 hours ago, sdoksdlkk said:

 

Pretty sure I've done what you suggested and still not working. 

 

Is this correct?

Unraid UpdateContainer (2).png

 

You still have HTTPVAL in there. You need to remove that and add VALIDATION instead and set it to http

 

You also need to change network mode to bridge instead of host. It is now trying to bind port 80 but unraid is using it

Edited by aptalca
Link to comment
6 hours ago, Jessie said:
Prior to the letsencrypt change, the template below worked for small business server.
There are 2 lines added to allow emails to be sent to external devices eg phones.
 
After the letsencrypt change I changed the settings in the docker to HTTPVAL = true and redirected external port 80 to 8088 internally.
 
Certificates worked again but no more emails can be received externally to phones etc.
On the local network, sbs works normally.
 
Any ideas?
 
I wondered whether redirecting port 80 might have had an effect, but I bypassed the proxy by directing port 443 directly back to the sbs server and blocked port 80 and the emails worked normally.  So it has to be an issue with the proxy.
 
 
listen 443 ssl;
    server_name remote.mydomanename.com.au;
    root /config/www;
    index index.html index.htm index.php;
    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;
    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ###Extra Settings###
    ssl_prefer_server_ciphers on;
# cancelled the following line after upgrade to nextcloud 13
#    ssl_session_cache shared:SSL:10m;
        ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;
 client_max_body_size 0;
# the next 2 lines allowed exchange in small business server send emails externally.  The rest of this template is otherwise unchanged.
 proxy_request_buffering off;
    proxy_buffering off;
     
    location / {
        proxy_pass https://192.168.10.21:443/;
     proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}

 

I don't quite follow what changes you made. 

 

When you forward port 80 to your unraid server for validation, you don't need to make any changes to your nginx site config. Letsencrypt puts up its own webserver listening on port 80 during validation. Nginx doesn't need to listen on 80

Link to comment
Quote

proxy_request_buffering off;
    proxy_buffering off;

The 2 lines above made the external emails work.  (they are in the template above)

 

Prior to the HTTPVAL modification I had port 80 ported to the sbs server.

After the letsencrypt changes, I changed HTTPVAL to true and:-

In the router I pointed 443 to the unraid server.

I also pointed external port 80 to internal port 8088 in the router. 

To get the letsencrypt docker to work, I configured http as 8080 and https as 443.

I wondered if I might have to redirect 8088 back to 80 to the sbs server.  But I don't know how to do that.

 

As an experiment I bypassed the letsencrypt docker and ported 443 back to the sbs server.  Emails worked again.

I then turned off porting on port 80 to the sbs server.  The emails still worked.

 

When I switched back to the letsencrypt docker, I lost external email functionality again.  I also can't access remote.mydomain.com.au which is remote access to the sbs server.

All of this worked before the letsencrypt changes.

In the letsencrypt template 

http set at 8088

https set at 443

HTTPVAL = true

Edited by Jessie
Additional info
Link to comment
9 hours ago, CHBMB said:

 

i used....

 


        location ^~/books {
		proxy_pass http://192.168.0.1:82/;
		rewrite /books/?(.*) /$1 break;
		auth_basic "Restricted";
    		auth_basic_user_file /config/nginx/.htpasswd;
		include /config/nginx/proxy.conf;
	}

But I could only ever get it to work if I manually put in the trailing slash into the URL.

 

thank you, works as described ;)

Link to comment
7 hours ago, Jessie said:

The 2 lines above made the external emails work.  (they are in the template above)

 

Prior to the HTTPVAL modification I had port 80 ported to the sbs server.

After the letsencrypt changes, I changed HTTPVAL to true and:-

In the router I pointed 443 to the unraid server.

I also pointed external port 80 to internal port 8088 in the router. 

To get the letsencrypt docker to work, I configured http as 8080 and https as 443.

I wondered if I might have to redirect 8088 back to 80 to the sbs server.  But I don't know how to do that.

 

As an experiment I bypassed the letsencrypt docker and ported 443 back to the sbs server.  Emails worked again.

I then turned off porting on port 80 to the sbs server.  The emails still worked.

 

When I switched back to the letsencrypt docker, I lost external email functionality again.  I also can't access remote.mydomain.com.au which is remote access to the sbs server.

All of this worked before the letsencrypt changes.

In the letsencrypt template 

http set at 8088

https set at 443

HTTPVAL = true

 

So what you're saying is, if you forward the ports directly to your sbs server, it works, but if it's proxied through letsencrypt it doesn't? Then you should modify your proxy settings. 

 

If I understand correctly, before any changes, port 80 was "ported to the sbs server", I'm assuming that means forwarded to the sbs on the router, so it wasn't reverse proxied when it worked

Link to comment
1 hour ago, aptalca said:

 

1/So what you're saying is, if you forward the ports directly to your sbs server, it works, but if it's proxied through letsencrypt it doesn't? Then you should modify your proxy settings. 

 

2/If I understand correctly, before any changes, port 80 was "ported to the sbs server", I'm assuming that means forwarded to the sbs on the router, so it wasn't reverse proxied when it worked

1/ Correct. 

However prior to Letsencrypt breaking it worked perfectly using standard settings plus the 2 proxy buffering lines.

Now it doesn't and I don't know why.

 

2/ Correct.

In SBS, port 80 is used to get to http://remote.mydomain.com.  If it is closed you can still get there via https://remote.mydomain.com through port 443.

When going via http port 80, sbs redirects to https on port 443.

Now, if I try to go to https://remote.mydomain.com I get an nginx 502 bad gateway error.

I'm also running 2 nextcloud dockers through this proxy and they work fine.

 

Edited by Jessie
Link to comment

Hi

I need some help to make the LE docker image works.

I created a subdomain on duckdns.org. Dns propagation is fine (tested on https://dnschecker.org)

 

When I start the docker, everything is fine, the command finished successfully. But in logs I have these errors :

Failed authorization procedure. xxx.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xxx.duckdns.org/.well-known/acme-challenge/Ey1_KaCKpqDnA86-Q46OkTcgUyTxRTGpARr8Aj2ONAE: Timeout

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: xxx.duckdns.org
Type: connection
Detail: Fetching
http://xxx.duckdns.org/.well-known/acme-challenge/Ey1_KaCKpqDnA86-Q46OkTcgUyTxRTGpARr8Aj2ONAE:
Timeout

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided. 
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Can someone tell me what I'm doing wrong ?

 

Thanks !

 

Here are my docker configuration and my port forwarding.

LEdocker.jpg

portForwarding.jpg

Link to comment
33 minutes ago, deadnote said:

Hi

I need some help to make the LE docker image works.

I created a subdomain on duckdns.org. Dns propagation is fine (tested on https://dnschecker.org)

 

When I start the docker, everything is fine, the command finished successfully. But in logs I have these errors :


Failed authorization procedure. xxx.duckdns.org (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xxx.duckdns.org/.well-known/acme-challenge/Ey1_KaCKpqDnA86-Q46OkTcgUyTxRTGpARr8Aj2ONAE: Timeout

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: xxx.duckdns.org
Type: connection
Detail: Fetching
http://xxx.duckdns.org/.well-known/acme-challenge/Ey1_KaCKpqDnA86-Q46OkTcgUyTxRTGpARr8Aj2ONAE:
Timeout

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided. 
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Can someone tell me what I'm doing wrong ?

 

Thanks !

 

Here are my docker configuration and my port forwarding.

LEdocker.jpg

portForwarding.jpg

 

Your Wan port forward is wrong for port 80. Change it from 81 to 80.

  • Upvote 1
Link to comment

I seem to get the following problem when trying to create the letsencrypt docker. Am I missing something?

 

Unraid Docker log:

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Backwards compatibility check. . .
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d ********
E-mail address entered: ********
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
An unexpected error occurred:

ValueError: Requesting acme-v01.api.letsencrypt.org/directory: Host is unreachable
Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

var/log/letsencrypt/letsencrypt.log:

root@c919d7ca660d:/$ cat /var/log/letsencrypt/letsencrypt.log
2018-02-14 10:06:53,961:DEBUG:certbot.main:certbot version: 0.21.1
2018-02-14 10:06:53,961:DEBUG:certbot.main:Arguments: ['--renew-by-default', '--non-interactive', '--standalone', '--preferred-challenges', 'http', '--rsa-key-size', '4096', '-m', '******', '--no-eff-email', '--agree-tos', '-d', '******']
2018-02-14 10:06:53,961:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#certbot-route53:auth,PluginEntryPoint#dns-cloudflare,PluginEntryPoint#dns-cloudxns,PluginEntryPoint#dns-digitalocean,PluginEntryPoint#dns-dnsimple,PluginEntryPoint#dns-dnsmadeeasy,PluginEntryPoint#dns-google,PluginEntryPoint#dns-luadns,PluginEntryPoint#dns-nsone,PluginEntryPoint#dns-rfc2136,PluginEntryPoint#dns-route53,PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2018-02-14 10:06:53,976:DEBUG:certbot.log:Root logging level set at 20
2018-02-14 10:06:53,977:INFO:certbot.log:Saving debug log to /var/log/letsencrypt/letsencrypt.log
2018-02-14 10:06:53,977:DEBUG:certbot.plugins.selection:Requested authenticator standalone and installer None
2018-02-14 10:06:54,053:DEBUG:certbot.plugins.selection:Single candidate plugin: * standalone
Description: Spin up a temporary webserver
Interfaces: IAuthenticator, IPlugin
Entry point: standalone = certbot.plugins.standalone:Authenticator
Initialized: <certbot.plugins.standalone.Authenticator object at 0x1550cfbb8310>
Prep: True
2018-02-14 10:06:54,054:DEBUG:certbot.plugins.selection:Selected authenticator <certbot.plugins.standalone.Authenticator object at 0x1550cfbb8310> and installer None
2018-02-14 10:06:54,054:INFO:certbot.plugins.selection:Plugins selected: Authenticator standalone, Installer None
2018-02-14 10:06:55,343:DEBUG:acme.client:Sending GET request to https://acme-v01.api.letsencrypt.org/directory.
2018-02-14 10:06:55,346:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
2018-02-14 10:06:58,465:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    sys.exit(main())
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1240, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1104, in certonly
    le_client = _init_le_client(config, auth, installer)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 632, in _init_le_client
    acc, acme = _determine_account(config)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 511, in _determine_account
    config, account_storage, tos_cb=_tos_cb)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 163, in register
    acme = acme_from_config_key(config, key)
  File "/usr/lib/python2.7/site-packages/certbot/client.py", line 45, in acme_from_config_key
    return acme_client.Client(config.server, key=key, net=net)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 72, in __init__
    self.net.get(directory).json())
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 681, in get
    self._send_request('GET', url, **kwargs), content_type=content_type)
  File "/usr/lib/python2.7/site-packages/acme/client.py", line 653, in _send_request
    raise ValueError("Requesting {0}{1}:{2}".format(host, path, err_msg))
ValueError: Requesting acme-v01.api.letsencrypt.org/directory: Host is unreachable
2018-02-14 10:06:58,465:ERROR:certbot.log:An unexpected error occurred:

 

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.