[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



2 hours ago, Drider said:

Is there a guide or tutorial on setting up the \nginx\site-confs\default file?

 

I'm on unRAID 6.1.9 (I know, old), and when I configure a fresh install everything works great, meaning I can remote to my mail server 400 miles away, browse to subdomain.mydomain.com and get it to redirect me to the https://subdomain.mydomain.com default index.html.

I actually impressed myself because I got it to work through Godaddy redirecting a CNAME to my free-dns subdomain back to the dynamic IP here at home, while keeping the secure lock and correct address in the address bar.

 

Problem is, I've been hitting a severe roadblock trying to get the correct format in the default site-confs file to get to my OMBI docker container. It seems like every time I edit the default file, it borks the whole system, and no matter where I connect from I get an ERROR_CONNECTION_REFUSED. Trying to undo edits and save, or replacing the file with a backup, resolves nothing, and I end up having to uninstall/reinstall the container to get back to functional.

 

EDIT: I did try the newperms tool on my appdata folder, which actually helped to speed up my server GUI navigation, but nothing else...

 

Maybe someone can give me the quick version, but a guide or reference for editing that file would be just as appreciated.

 

My base url for ombi: /request

Ports are default at 3579 for both container and host as I can't seem to find where I can change that.

and the server's host address is 192.168.0.69

 

I know I'm close, but just can't seem to get it... It would also be nice to utilize just the sub-domain.domain address for my users navigating to the site, omitting /request.

From what I can tell in the default file example this is possible, no?

 

Bonus Round:

 

I have basic authentication turned on for myself and my users, using the built in PLEX account authentication, but what's the most secure way to implement this?

 

To quote linuxserver.io:

 

Is this something I should be interested in setting as well?  Any guides, or reference for implementation?

 

 

I appreciate the help, as i'm finally getting around to actually using the 2xE5-2670 128GB RAM beast I built a couple years back, ... (The first one at least...) 

 

Googling subdomain reverse proxy, nginx site config and htpasswd will get you tons of guides. None of those are specific to docker or unraid, they are all universal concepts to do with nginx. Some people also posted guides or their site configs on this forum. 

 

There are examples in the default site config for both subfolder and subdomain methods. Check out the example for subdomain; pay attention to the description that says "no base url" and use the same settings for ombi.

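The subdomain, "no base URL" layout the reply points at, written out as a complete site-conf. This is an added example, not code from the original posts or from the linuxserver.io image; it assumes Ombi is reachable from the letsencrypt container at 192.168.0.69:3579 (the host address and default port given in the post), that /config/nginx/ssl.conf holds the certificate and TLS settings as in the linuxserver image, and it uses requests.mydomain.com as a placeholder hostname. It also covers the two points Drider reports further down the thread: proxy_pass must use http:// for a backend that does not itself speak TLS, and basic auth in front of the app is done with an htpasswd file.

```nginx
# Added example: subdomain reverse proxy for Ombi with no base URL.
# Assumed values: 192.168.0.69:3579 (Ombi, plain HTTP), /config/nginx/ssl.conf
# (certificate and TLS settings), requests.mydomain.com (placeholder name).

# Port 80 only redirects; TLS terminates in the server block below.
server {
    listen 80;
    server_name requests.mydomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name requests.mydomain.com;

    include /config/nginx/ssl.conf;   # certificate, protocols, ciphers

    # Basic auth in front of Ombi's own login. Create the file once, inside
    # the container:  htpasswd -c /config/nginx/.htpasswd <username>
    # Keep the file outside the web root; /config/nginx is not served.
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;

    client_max_body_size 0;

    location / {
        # Ombi listens on plain HTTP. Writing https:// here makes nginx try a
        # TLS handshake with a non-TLS port and the client sees 502 Bad Gateway.
        # Because users reach Ombi at "/", its Base URL setting stays empty.
        proxy_pass http://192.168.0.69:3579;

        # Pass the original host and scheme so the app builds correct links.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Allow websocket upgrades; harmless for plain requests, needed by
        # apps that push live updates to the browser.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

After editing, run `nginx -t` inside the container before restarting it; a syntax error in this file is what produces the "connection refused" symptom described in the post, because nginx refuses to start at all rather than serving a broken site.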

Had my site working fine the other day. But now when headed to my host.domain.net (obfuscated) I'm getting '401 authorization required, nginx' outside my network. Oddly enough, when I access on my phone (on cell network) via Chrome it works, but not Firefox (401 auth), even after clearing cache. Others were able to connect as of last night, but now are getting the same 401 but on either browser.

 

Originally I thought this had something to do with installing Pi-Hole the other day and changing the DNS in my router to the docker IP (changes since reverted to try to troubleshoot this). I don't know if that would've caused an issue, but PH was working fine and I had people accessing the server remotely. I do own my own domain and the host is set up as DNS (A) and I have ports set up correctly (80->81, 443->444) in the LE docker. Using No-IP and have their DUC updating my IP every 5 min. host.domain.net works perfectly on the local network. Unraid 6.5.0 running LE + Organizr, both dockers current.

 

Edit: I thought there may have been something wrong at my host level so I tossed them a support ticket and got this:


 

It looks like host.domain.net is connecting on 80 and getting redirected to 443, but the SSL is not available there:

curl -v host.domain.net
* Rebuilt URL to: host.domain.net/
* Trying MYIP...
* Connected to host.domain.net (MYIP) port 80 (#0)
> GET / HTTP/1.1
> Host: host.domain.net
> User-Agent: curl/7.43.0
> Accept: */*
>

< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.12.2
< Date: Wed, 11 Apr 2018 19:27:13 GMT
< Content-Type: text/html
< Content-Length: 185
< Connection: keep-alive
< Location:  https://host.domain.net/
< Expires: Thu, 01 Jan 1970 00:00:01 GMT
< Cache-Control: no-cache
< Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
< X-Frame-Options: SAMEORIGIN
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< X-Robots-Tag: none
<
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.12.2</center>
</body>
</html>
* Connection #0 to host host.domain.net left intact

I checked port 443 just to be sure, and it looks like there is no SSL handshake as suspected:

openssl s_client -connect host.domain.net:443
CONNECTED(00000003)
29438:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:/BuildRoot/Library/Caches/com.apple.xbs/Sources/OpenSSL098/OpenSSL098-59.60.1/src/ssl/s23_clnt.c:593:

 

My power went out the other day, is it possible that something got messed up somehow in my config (or elsewhere) because of it? Ran a parity check and everything was fine, and it appeared that everything was working correctly after that.. but this issue has me at a loss.

 

Edit #2: So cleared all browser cache, certs, etc from Chrome and now also getting the same 401 error. Some sort of cert error? What could this possibly be? I'm not getting any errors in docker dashboard log or in Unraid log. I deleted docker image and reinstalled LE and Organizr.. to the same effect.

6 hours ago, Skrumpy said:


Could be an issue with the site config, or port forwarding. Are you sure you're not accidentally forwarding 443 to unraid gui? 

 

Post your site config and we'll take a look 

19 hours ago, Drider said:

I have some guides on https://technicalramblings.com 

 

https://technicalramblings.com/blog/how-to-setup-organizr-with-letsencrypt-on-unraid/

 

It's for Organizr but has lots of sub directory examples. 

 

If you want live support I recommend checking out the Organizr discord. https://organizr.us/discord 

We help people from scratch getting all set up with a domain and reverse proxy everything every day.

14 hours ago, GilbN said:

 

Thank you so much for your offer; it's a delightful change from the normal response I find on the infrequent posts for help I place here in the forums.

I forced my way through 16 hours of reading posts (10 invested before my original post) here in the forums, and trial and error, after the initial response to my inquiry was basically met with the same information inquired by my posting. It's always frustrating learning new things with unRAID. Spending countless hours scouring threads that are hundreds of pages long, to finally piece together an understanding of a site-conf file (and change a Cloudflare SSL setting I've still not seen mentioned), is just .... nerve-wracking.

Especially looking at it now in a completed working form, and seeing it's literally a 10-minute job. If only a quick reference of working files were stickied at the top of a thread, and not needing to be pieced together through 1800 posts.. (Many examples I found were conflicting, and it took a lot of time to find correct syntax.) ... and I know I've looked before, but am I not seeing where a Search Thread, or discussion option is?.. I don't even find it in the advanced search... Searching the entire forum for a specific item is ... futile.

Anyway, I was able to get to the point of a 502 error, and from there I backtracked to one of these posts I'd read having the same issue and resolving it (setting proxy_pass to http and not https; again, conflicting posts in this thread mostly show https).

I own a business-to-business consulting firm, and I really would love to start offering the benefits of unRAID to our clientele, but the support system is just infuriating. I just can't risk the time that could potentially be lost troubleshooting answers in the bottomless abyss of these forums.

Disclaimer to those that might think I'm being too harsh: No, I'm not a Linux expert. Yes, I know what the search button does, and I typically don't even post until I've worn the thing out. Yes, I HAVE learned many things from this forum. Yes, I understand every setup is different, and with different variables.

Though I'm not an expert in all things I.T., I have enough natural talent in the field that I mostly piece things together by deciphering working examples.

I'm sorry for the rant, I guess I'm just very analytical, and wish there was a better "learn on your own" support system for unRAID, or at least a more organized way of finding key information. Time is quite valuable.

Thanks again for your offer of assistance.

(It's late, and been a long day, I'm sure there's a few typos in this post, my apologies.)

I had working letsencrypt + nextcloud dockers with a Cloudflare wildcard DNS cert. I relocated the server to a new physical location, again with a static IP. However, the LAN IP range also changed from 192.168.1.* to 10.0.0.*. I changed the unRAID IP fine. I also changed all A records at Cloudflare for the new IP and made the necessary port forwards (443 --> 444, 80 --> 81). Restarted the docker without any error. I also made the changes in the NC config.php.

 

But still I cannot access nextcloud using https://cloud.mydomain.com. The browser says that it is an illegal certificate.

 

What am I missing? Thanks.

 

EDIT: Never mind. The port was wrong. Thanks.

 

5 hours ago, dalben said:

 

Not sure if this was missed or not.

 

 

 

This is the problem:

 

Domain: <myDomain>.com
Type: unauthorized
Detail: Invalid response from
http://<myDomain>.com/.well-known/acme-challenge/rJ8VKGkOO2WhCIj6JJkgTrQCRrLU_Lno-XuWe6pU10U
[222.164.xxx.xxx]: 404

 

When letsencrypt tries to connect to your domain at port 80, it doesn't reach the right container. Either there is a problem with the port forwarding, or there's something else that's listening on port 80. 

 

You can post your port forward and DNS settings here if you want us to take a look.

1 hour ago, aptalca said:

You can post your port forward and DNS settings here if you want us to take a look.

 

I came home to find the server had hung.  Power cycled it to get it going with no problem.  Started the letsencrypt docker so I could see the logs again and FMD letsencrypt started fine, pulled the certs and installed everything.  I just checked from my phone and the site is accessible.

 

I have no idea why it didn't work or why it works now. Nothing has changed. But I remember now why "have you tried restarting your machine" was the first question asked by support people.

 

Thanks and sorry for wasting your time

22 hours ago, dalben said:

 

Glad it's working now

2 hours ago, sgt_spike said:

Could someone point me in the right direction to setup a connection to mariadb?  I want to be able to connect to a db from a webpage and query it.

 

Do you need help with connecting to mariadb or are you looking for a web based software solution that does remote mysql queries?

1 hour ago, aptalca said:

 


connecting to mariadb

 

I have the letsencrypt docker and mariadb docker installed on unraid. I want to host a site that can query the db to show me movie titles.

 

thx

1 hour ago, sgt_spike said:


While you're setting up the site, when it asks for the database info, enter your host (unraid) IP address and the port you mapped 3306 to.


So while I was on vacation my EdgeRouter X decided to stop responding, so when I got home I had no choice but to hard reset it and reconfigure it. Most things are working in the NAS and I can confirm my DDNS is working, but all my web apps going through nginx say refuse to connect. Also noticed things like Tautulli are not sending me Pushbullet updates. Would it be a good idea to reinstall the docker and copy over the nginx default file? I'm not sure what else to do. Everything looks untouched and I made sure the port forwarding is correct in my router.

2 hours ago, mkono87 said:


 

I wouldn't touch the containers. The error was with your router, so it's something not configured correctly there I guess. 

8 hours ago, saarg said:

 


Funny thing is, I decided to set unRAID static from within settings. Before, I used my router to map static IPs to the MAC address. So I did that and got some notifications in Tautulli working again. Still no proxy working, but a step in the right direction.

 

edit: reinstalled the container, then copy and pasted the config and everything is working again


Can someone please point me in the right direction? I'm trying to set this docker up with ownCloud. I followed chmb's guide here https://blog.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy and for the most part have things going: when I launch the letsencrypt docker I get taken to "welcome to our server", but when I launch ownCloud I get 502 bad gateway. I've been at this for 22 hours; any help would be greatly appreciated.

[screenshots of the container and config settings attached]

4 hours ago, Sinister said:


1. You are proxy_passing http, not https. AND you are proxy_passing the letsencrypt container?! You need to proxy_pass the NEXTCLOUD container! proxy_pass https://192.168.1.113:8443;

 

2. Your config.php is wrong; it needs to be 'overwrite.cli.url' => 'https://YOURsubdomain.duckdns.org', NOT your local IP to Nextcloud.

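The two points in the reply above, as a worked server block for a backend that terminates TLS itself. This is an added example, not the poster's screenshots, the linked guide's config or the linuxserver.io image's own file; it assumes the Nextcloud container publishes its HTTPS port on the host at 192.168.1.113:8443 with a self-signed certificate (the address in the reply), that /config/nginx/ssl.conf holds the public certificate and TLS settings as in the linuxserver image, and it uses yoursubdomain.duckdns.org as the placeholder hostname from the reply.

```nginx
# Added example: subdomain reverse proxy in front of a Nextcloud container
# that speaks HTTPS itself. Assumed values: 192.168.1.113:8443 (Nextcloud,
# self-signed cert), /config/nginx/ssl.conf, yoursubdomain.duckdns.org.

server {
    listen 443 ssl;
    server_name yoursubdomain.duckdns.org;

    include /config/nginx/ssl.conf;   # the public Let's Encrypt certificate

    # Large uploads: lift nginx's limit and let Nextcloud's own PHP limits apply.
    client_max_body_size 0;

    location / {
        # https:// because the backend terminates TLS too; with http:// nginx
        # would send plain text to a TLS port and return 502 Bad Gateway.
        # nginx does not verify the upstream certificate unless asked to
        # (proxy_ssl_verify defaults to off), which is what lets a self-signed
        # backend work; that hop is unauthenticated, so keep it on the LAN.
        proxy_pass https://192.168.1.113:8443;

        # Hand Nextcloud the public host and scheme so the links it generates
        # point at the https address, not the container's local IP.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Stream responses straight through; file downloads stay large and slow.
        proxy_buffering off;
    }
}
```

The matching config.php change is the one the reply names, 'overwrite.cli.url' set to the public https URL; Nextcloud's 'overwriteprotocol' => 'https' setting serves the same purpose for generated links when the proxy headers alone are not picked up. Test the backend directly first with `curl -k https://192.168.1.113:8443/` from the unRAID host: if that fails, the 502 is the container or port mapping, not the site-conf.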
