[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Not sure if this belongs here, but have you guys encountered a situation where you're unable to access pages from within your LAN?

My nginx config routes all http traffic to https. When some machine in the LAN tries to access the server via mydomain.com, the protocol can be seen to change to https (meaning the server is reached), but then the request times out.

 

Everything is OK from outside the LAN and target service is reached.

Checked router config - NAT loopback is enabled.

What gives?

Link to comment


I can access pages from my LAN just fine, but I know some people can't. It may well be something your ISP has implemented and out of your control. You could test by using a VPN client outside your LAN and then accessing your site.

Link to comment

I've seen that issue with loopback. Some routers don't like to play nice, do you have any loopback options you can play with? Try disabling loopback and see what happens.
Link to comment

Interesting. Turned NAT loopback off and now mydomain.eu resolves. But - no cert is detected and browser deems the page insecure.

 

Edit: scrap that - just tried from incognito window & another device - now it routes to router configuration landing page.

Link to comment

That's loopback in action.....  try entering https://domain.com:443/

Link to comment

With loopback turned off, navigating directly to the https address does resolve the service again, but as mentioned previously, no certs are detected. And after adding the exception to enter anyway, I'm yet again greeted by the router landing page.

Link to comment

You rebooted the router?  Only other thing I can think of.

 

Might be your ISP is the issue not your router settings?

 

Didn't reboot, as toggling the loopback obviously had an effect.

Wouldn't the ISP be suspect if the service weren't accessible from the WAN side, which is not my case?

Link to comment

I dunno?  But if it's not working from changing the router setting then I can't think of anything else.

Link to comment
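The back-and-forth above comes down to one question: from inside the LAN, does the domain resolve to the router's public address (so the router has to hairpin the connection, which is what "NAT loopback" does and what lands on the router's own admin page when it goes wrong) or to the server's LAN address (a local DNS override, which needs no loopback at all)? The following diagnostic script is an added example, not code from the thread or from linuxserver.io; it assumes `dig` (bind-tools) and `openssl` are installed, and it also prints the subject of the certificate the endpoint actually serves, since a router landing page presents its own certificate rather than the Let's Encrypt one for the domain.

```shell
#!/bin/sh
# Added diagnostic for the NAT-loopback discussion above; not part of the thread.
# Assumes dig(1) (bind-tools) and openssl(1) are installed (assumption).

# is_private_ip <ipv4>: exit 0 when the address is in an RFC 1918 LAN range.
# A LAN answer means a local DNS override is in play; a public answer means
# LAN clients depend on the router hairpinning (NAT loopback) the connection.
is_private_ip() {
    case "$1" in
        10.*|192.168.*) return 0 ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
        *) return 1 ;;
    esac
}

# cert_subject <host>: subject of the leaf certificate served on <host>:443
# with SNI set. A router admin page typically presents a self-signed
# certificate carrying the router's own name, not the Let's Encrypt one for
# the domain, which is what the "page insecure" warning in the thread reflects.
cert_subject() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# diagnose <host>: print where the name resolves from this machine and what
# certificate the endpoint presents.
diagnose() {
    host="$1"
    ip=$(dig +short A "$host" | grep -E '^[0-9]+(\.[0-9]+){3}$' | head -n 1)
    if [ -z "$ip" ]; then
        echo "$host: no A record from this machine's resolver" >&2
        return 2
    fi
    if is_private_ip "$ip"; then
        echo "$host -> $ip (LAN address: local DNS override, NAT loopback not involved)"
    else
        echo "$host -> $ip (public address: this client relies on router NAT loopback)"
    fi
    echo "certificate presented: $(cert_subject "$host")"
}

case "${1:-}" in
    "") echo "usage: $0 <hostname>" >&2 ;;
    *)  diagnose "$1" ;;
esac
```

Run it as `sh lan-check.sh mydomain.com` from a LAN client. A public address plus a certificate subject that names the router instead of the domain is the loopback failure described in the thread; a public address plus the expected Let's Encrypt subject means loopback is working and the problem is elsewhere.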

OK, so I'm using the old docker by aptalca fine; I moved over to this one (no copying of files etc.)

 

and all I get is this.

 

Generating new certificate

Failed authorization procedure. remote.cyanlabs.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: SERVFAIL looking up A for remote.cyanlabs.net

 

IMPORTANT NOTES:

- If you lose your account credentials, you can recover through

e-mails sent to [email protected].

- The following errors were reported by the server:

 

Domain: remote.cyanlabs.net

Type: connection

Detail: DNS problem: SERVFAIL looking up A for remote.cyanlabs.net

 

To fix these errors, please make sure that your domain name was

entered correctly and the DNS A record(s) for that domain

contain(s) the right IP address. Additionally, please check that

your computer has a publicly routable IP address and that no

firewalls are preventing the server from communicating with the

client. If you're using the webroot plugin, you should also verify

that you are serving files from the webroot path you provided.

- Your account credentials have been saved in your Certbot

configuration directory at /etc/letsencrypt. You should make a

secure backup of this folder now. This configuration directory will

also contain certificates and private keys obtained by Certbot so

making regular backups of this folder is ideal.

/var/run/s6/etc/cont-init.d/50-config: line 105: cd: /config/keys/letsencrypt: No such file or directory

[cont-init.d] 50-config: exited 1.

[cont-finish.d] executing container finish scripts...

[cont-finish.d] done.

[s6-finish] syncing disks.

[s6-finish] sending all processes the TERM signal.

[s6-finish] sending all processes the KILL signal and exiting.

 

Now if I stop this docker and launch the old one, everything still works fine. I don't use A records though, as I use CNAMEs pointing to my own DDNS service running on a VPS.

 

 

Edit: port 80 external is forwarded to 81 internal and 443 to 443.

 

Edit 2: OK, it seems letsencrypt or docker doesn't like CNAMEs. Any way around this? I'll add an A record each time the certificate expires if required, but if there is an automated way let me know.

 

Final edit: OK, so my DDNS was being weird; switched to duckdns and all good.

Link to comment
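The certbot output quoted above says precisely what Let's Encrypt's validator saw: a SERVFAIL when it looked up the A record for the name, which in this case turned out to be the poster's own DDNS service misbehaving rather than CNAMEs as such (a CNAME is fine as long as its target ultimately resolves to an address). The script below is an added example, not code from the thread or from the container; it pulls the failing domains and reasons out of certbot's "IMPORTANT NOTES" block, and does a pre-flight resolution check against a public resolver (1.1.1.1, an assumption; any public resolver works) so that a LAN-only DNS override cannot hide a broken public record. It assumes `dig` is installed.

```shell
#!/bin/sh
# Added example for the certbot failure quoted above; not from the thread.
# Two checks: (1) pull the failing domains and reasons out of certbot's
# "IMPORTANT NOTES" block, (2) confirm the name has a public A record
# (following any CNAME) before asking for a certificate at all.
# Assumes dig(1) is installed (assumption); 1.1.1.1 is used as a public
# resolver so a LAN-only DNS override cannot mask a broken public record.

# Constructed sample modelled on the output quoted in the thread.
SAMPLE_CERTBOT_OUTPUT='IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: remote.cyanlabs.net
   Type:   connection
   Detail: DNS problem: SERVFAIL looking up A for remote.cyanlabs.net
'

# failed_domains: read certbot output on stdin, print "<domain>\t<detail>"
# for every Domain/Detail pair in the notes.
failed_domains() {
    awk '
        /^[ \t]*Domain:/ { sub(/^[ \t]*Domain:[ \t]*/, ""); d = $0 }
        /^[ \t]*Detail:/ { sub(/^[ \t]*Detail:[ \t]*/, ""); printf "%s\t%s\n", d, $0 }
    '
}

# public_a_records <host>: print the IPv4 addresses the public internet gets
# for <host>. dig +short on a CNAME prints the target first, then the A
# record(s); only the address lines are kept, so a CNAME whose target has no
# A record yields nothing, which is exactly the situation that fails validation.
public_a_records() {
    dig +short A "$1" @1.1.1.1 | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# preflight <host>: exit 0 if Let's Encrypt's HTTP or TLS validation has a
# chance of reaching the host, 1 if the name does not resolve publicly.
preflight() {
    addrs=$(public_a_records "$1")
    if [ -z "$addrs" ]; then
        echo "$1: no public A record (CNAME chain does not end in an address); certbot will fail" >&2
        return 1
    fi
    echo "$1 resolves publicly to: $addrs"
}

case "${1:-}" in
    "") printf '%s' "$SAMPLE_CERTBOT_OUTPUT" | failed_domains ;;
    *)  preflight "$1" ;;
esac
```

With no argument the script parses the constructed sample and prints one tab-separated `domain<TAB>detail` line; with a hostname it runs the pre-flight check, which is worth doing before each renewal attempt when the DNS side is a homegrown DDNS service.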

What version of nginx is included with this? Does it support stream? I'd like to use this same docker to handle non-http traffic as well; I'd like to have it handle VNC and SSH for certain domains. Is this possible?

https://pkgs.alpinelinux.org/package/v3.4/main/x86_64/nginx

 

No stream mod in this version, but the next version will include it. No eta yet (currently testing it)

Link to comment

In Aptalca's docker I was able to load simplexml_load_file() but in this version it does not appear to be enabled. I get the following error:

 

"PHP message: PHP Warning:  simplexml_load_file(): Unable to find the wrapper "https" - did you forget to enable it when you configured PHP?"

 

Can this be enabled?

Link to comment

It seems you need the php5-openssl package/module. We'll add it shortly.

Link to comment

I am trying to set up Nextcloud. I used the configuration below with minor changes to the port. When I try to access it at my subdomain, it forwards me to the default "Welcome to our server" page.

 

In the nginx error log I see a bunch of: 2017/01/16 14:58:51 [error] 329#0: *1 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 192.168.1.1, server: _, request: "GET /status.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "owncloud.mattekure.com"

 

The Nextcloud nginx documentation here https://docs.nextcloud.com/server/9/admin_manual/installation/nginx_examples.html suggests a lot of fastcgi configs in the server {} block. I didn't see these in the config below, so I haven't put any in yet.

 

 

Edit: didn't need to see the whole quoted topic.

 

Link to comment

It'd be more helpful if you posted your own config files rather than mine; I know those ones, I use them.

Link to comment

Edit, I just saw a stupid mistake, disregard for now

 

 

Sorry, I didn't change much, but here goes. I didn't make any changes to nginx.conf.

 

File "nextcloud" in nginx site-confs:

server {
        listen         80;
        server_name    owncloud.server.com;
        return         301 https://$server_name$request_uri;
}

server {
        listen 443 ssl;
        server_name owncloud.server.com;

        root /config/www;
        index index.html index.htm index.php;

        ###SSL Certificates
        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

        ###DiffieHellman key exchange ###
        ssl_dhparam /config/nginx/dhparams.pem;

        ###SSL Ciphers
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        ###Extra Settings###
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header Front-End-Https on;

        client_max_body_size 0;

        location / {
                proxy_pass https://192.168.0.1:4433/;
        }
}

 

config.php from Nextcloud:

 

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'ocoh2ii67wmp',
  'passwordsalt' => 'i+gdNt8CcyS8B+D7EKwTldfUxUDhYb',
  'secret' => 'xxxx',
  'trusted_domains' =>
  array (
    0 => '192.168.1.9:4433',
    1 => 'owncloud.mattekure.com',
  ),
  'overwrite.cli.url' => 'https://owncloud.mattekure.com',
  'overwritehost' => 'owncloud.mattekure.com',
  'overwriteprotocol' => 'https',
  'dbtype' => 'mysql',
  'version' => '9.1.0.16',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.9',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'nextcloud',
  'dbpassword' => 'xxxxxx',
  'logtimezone' => 'UTC',
  'installed' => true,
  'mail_smtpmode' => 'smtp',
  'mail_smtpsecure' => 'tls',
  'mail_from_address' => 'xxxxxx',
  'mail_domain' => 'gmail.com',
  'mail_smtpauthtype' => 'LOGIN',
  'mail_smtpauth' => 1,
  'mail_smtphost' => 'xxxx',
  'mail_smtpport' => '587',
  'mail_smtpname' => 'xxxx',
  'mail_smtppassword' => 'xxxxx',
);

 

 

Link to comment
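The error line quoted in this post carries the diagnosis in its `server: _` field: nginx handled `GET /status.php` in the catch-all default server (the one with `server_name _`, which serves the "Welcome to our server" page and hands `.php` to the local FastCGI socket, hence "Primary script unknown"), not in the Nextcloud server block. That happens whenever no `server_name` matches the Host header the browser sent, which is worth checking before touching any fastcgi settings. The script below is an added example, not code from the thread or from linuxserver.io; it lists the `server_name` values in an nginx config and reports whether a given host matches one exactly. For a live check it assumes the config can be dumped with `nginx -T` inside the container, and the container name `letsencrypt` is an assumption to adjust via `CONTAINER`.

```shell
#!/bin/sh
# Added example for the Nextcloud post above; not from the thread.
# "server: _" in the error log means the request fell to the catch-all
# default server (server_name _), which happens when no server_name matches
# the Host header. This script lists server_name values from nginx config text
# and says whether a host matches one exactly.
# Assumes: config arrives on stdin, or from `nginx -T` in the container
# (container name is an assumption; override with CONTAINER=...).

# Constructed sample: the site-conf shape from the thread plus the default
# server that produced the log line.
SAMPLE_CONF='server {
    listen 443 ssl;
    server_name owncloud.server.com;
    location / { proxy_pass https://192.168.0.1:4433/; }
}
server {
    listen 443 ssl default_server;
    server_name _;
}'

# server_names: print each server_name value from nginx config text on stdin.
server_names() {
    awk '
        $1 == "server_name" {
            sub(/^[ \t]*server_name[ \t]+/, "")
            sub(/;.*$/, "")
            n = split($0, names, /[ \t]+/)
            for (i = 1; i <= n; i++) if (names[i] != "") print names[i]
        }'
}

# host_matches <host>: exit 0 if config on stdin has a server_name equal to
# <host>. Wildcard and regex server_names are not expanded here; "_" is only
# ever the default-server placeholder, so a host that matches nothing but "_"
# is going to get the welcome page.
host_matches() {
    server_names | grep -qxF -- "$1"
}

# explain <host>: human-readable verdict for a host against config on stdin.
explain() {
    if host_matches "$1"; then
        echo "$1: matched by a server_name; nginx will use that server block"
    else
        echo "$1: no exact server_name match; request falls to the default server (server: _)"
        return 1
    fi
}

case "${1:-}" in
    "")
        for h in owncloud.server.com owncloud.mattekure.com; do
            printf '%s\n' "$SAMPLE_CONF" | explain "$h" || :
        done ;;
    *)
        docker exec "${CONTAINER:-letsencrypt}" nginx -T 2>/dev/null | explain "$1" ;;
esac
```

Run with no arguments it checks the two hostnames from this post against the constructed sample, which shows the mismatch: the site-conf names `owncloud.server.com`, while the error log shows the browser asking for `owncloud.mattekure.com`. Run as `sh which-server.sh owncloud.example` it checks the container's live config the same way.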
