Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)

Featured Replies

Hi all,

 

I have this docker setup nicely and its doing everything i want it to do, ie. reverse proxy for a few dockers over https:// and serving some game files over standard http://.

 

My question is about security and what, if anything, I need to make sure i'm doing to prevent security issues.

Seeing that this docker is on my main unRAID machine with all my personal stuff on it as well as all my media is concerning me.

 

I don't know enough about it and its keeping me up at night!

 

The server has a A+ rating on SSL Labs which I assume is a good start but after that I need some guidance/reassurance.

 

Can anyone shed some light on this for me?

 

Cheers.

  • Replies 6.2k
  • Views 1.5m
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • Confirming this worked for me too. Not sure I needed to replace both, but I did anyway and Swag and Nextcloud are both back and up and running. For noobs like me, here's what I did: 1. Stop

  • I will only post this once. Feel free to refer folks to this post.   A few points of clarification:   The last update of this image didn't break things. Letsencrypt abruptly disabl

  • BigBoyMarky
    BigBoyMarky

    I replaced both the ssl.conf and nginx.conf files with the sample ones to update them since I did not make any custom modifications to either one of those and this resolved my issue.

Posted Images

Hi all,

 

I have this docker setup nicely and its doing everything i want it to do, ie. reverse proxy for a few dockers over https:// and serving some game files over standard http://.

 

My question is about security and what, if anything, I need to make sure i'm doing to prevent security issues.

Seeing that this docker is on my main unRAID machine with all my personal stuff on it as well as all my media is concerning me.

 

I don't know enough about it and its keeping me up at night!

 

The server has a A+ rating on SSL Labs which I assume is a good start but after that I need some guidance/reassurance.

 

Can anyone shed some light on this for me?

 

Cheers.

Password protection if you haven't set it up already. See the docker hub page about htpasswd

 

Hi all,

 

I have this docker setup nicely and its doing everything i want it to do, ie. reverse proxy for a few dockers over https:// and serving some game files over standard http://.

 

My question is about security and what, if anything, I need to make sure i'm doing to prevent security issues.

Seeing that this docker is on my main unRAID machine with all my personal stuff on it as well as all my media is concerning me.

 

I don't know enough about it and its keeping me up at night!

 

The server has a A+ rating on SSL Labs which I assume is a good start but after that I need some guidance/reassurance.

 

Can anyone shed some light on this for me?

 

Cheers.

Password protection if you haven't set it up already. See the docker hub page about htpasswd

Yep I'm using htpasswd for all of the reverse proxies apart from plex requests. Anything else you can think of?

 

Sent from my SM-G930F using Tapatalk

 

 

I'm having an issue moving from the old docker to the new one. The old one, i was running a PHPBB forum using PHP5. I used the following settings in my default file:

 

location ~ \.php$   {
try_files $uri =404;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param modHeadersAvailable true;
include fastcgi_params;
}

 

my forum worked great in the old docker. When I moved to the new docker, i noticed that there is already prexisting PHP5 code in the stock default file. I commented it out and used mine. Didnt' work, there is no "php5-fpm.sock" file in /var/run.  So I tried using the existing code:

 

location ~ \.php$   {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000;
# With php5-fpm:
#fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}

 

and PHP5 is not working for me. I tried a simple php test file and it's blank. my forum doesn't work, gives an error that indicates something is wrong with PHP.

 

Any advice? Should i copy php5-fpm.sock from the old docker over the new? or will that get wiped out in a future update?

Ok, so looks like my PHP is in fact working. But i think going from 5.5.9 (old docker) to 5.6.29 (new docker) there is a particular module that seems to have been deprecated that is used by PHPBB (http://php.net/manual/en/intro.mysql.php). I think this is the root of my problems. I'll keep digging, but if anyone else has ideas, don't be shy  ;D

Ok, i tried a completely different forum software. Same one Limetech is using (SMF) and i get to the install screen and it gives me this error

 

"Critical Error!

The installer was unable to detect any database support in PHP. Please ask your host to ensure that PHP was compiled with the desired database, or that the proper extension is being loaded. "

 

Looks like the PHP installation in this docker was not configured for any particular database. Is this something I can remedy myself? or would the base image have to be changed?

I can't get this to work at all.. It keeps killing itself. The most useful thing I see in the docker log is "Detail: Failed to connect to 192.64.119.73:443 for TLS-SNI-01

challenge"

 

It's a domain I purchased tonight from namecheap. I have created "A + Dynamic DNS" record at namecheap pointing to my public ip address. My router is forwarding 80 and 443 to 88 and 443 as defined in the docker template. I'm just at a loss.. Has anyone else seen this error and knows how to fix it?

I can't get this to work at all.. It keeps killing itself. The most useful thing I see in the docker log is "Detail: Failed to connect to 192.64.119.73:443 for TLS-SNI-01

challenge"

 

It's a domain I purchased tonight from namecheap. I have created "A + Dynamic DNS" record at namecheap pointing to my public ip address. My router is forwarding 80 and 443 to 88 and 443 as defined in the docker template. I'm just at a loss.. Has anyone else seen this error and knows how to fix it?

 

2 things that come to mind as i also just bought a new namecheap domain and went through this yesterday:

 

1) You need an A + Dynamic DNS record for @ and also anything else you define. In my case that was also 'www' and 'nextcloud'

 

2) do you have dynamic dns setup? is that your correct WAN ip? I'm using Mace's DDClient docker to update namecheap with my IP address.

I can't get this to work at all.. It keeps killing itself. The most useful thing I see in the docker log is "Detail: Failed to connect to 192.64.119.73:443 for TLS-SNI-01

challenge"

 

It's a domain I purchased tonight from namecheap. I have created "A + Dynamic DNS" record at namecheap pointing to my public ip address. My router is forwarding 80 and 443 to 88 and 443 as defined in the docker template. I'm just at a loss.. Has anyone else seen this error and knows how to fix it?

 

2 things that come to mind as i also just bought a new namecheap domain and went through this yesterday:

 

1) You need an A + Dynamic DNS record for @ and also anything else you define. In my case that was also 'www' and 'nextcloud'

 

2) do you have dynamic dns setup? is that your correct WAN ip? I'm using Mace's DDClient docker to update namecheap with my IP address.

 

I've already done point 1. As for 2, I haven't set up ddclient yet. I manually entered my WAN IP at namecheap, but I have no clue where it got 192.64.119.73

I've already done point 1. As for 2, I haven't set up ddclient yet. I manually entered my WAN IP at namecheap, but I have no clue where it got 192.64.119.73

 

You should see the IP for each record in your Advanced DNS page. Do you see that IP showing up for any of the records?

regarding PHP5 and mySQL, i see in the dockerfile you have the following:

 

# install packages
RUN \
apk add --no-cache \
certbot \
curl \
fail2ban \
php5-curl \
php5-gd \
php5-mcrypt && \

 

I think php5-mysqlnd would be the module I'd need added. I was reading this guide which had a section for adding mysql for PHP5 in an nginx installation: https://www.howtoforge.com/tutorial/installing-nginx-with-php-fpm-and-mariadb-lemp-on-debian-jessie/

 

I'm missing the MySQL and MySQLi sections in my phpinfo page (see attached example from howtoforge link

php_info_mysql.png.902ced65b348601837247ba5f63338ef.png

regarding PHP5 and mySQL, i see in the dockerfile you have the following:

 

# install packages
RUN \
apk add --no-cache \
certbot \
curl \
fail2ban \
php5-curl \
php5-gd \
php5-mcrypt && \

 

I think php5-mysqlnd would be the module I'd need added. I was reading this guide which had a section for adding mysql for PHP5 in an nginx installation: https://www.howtoforge.com/tutorial/installing-nginx-with-php-fpm-and-mariadb-lemp-on-debian-jessie/

 

I'm missing the MySQL and MySQLi sections in my phpinfo page (see attached example from howtoforge link

There are a ton of php modules and we only included the most commonly used ones (so as not to bloat the image unnecessarily). We can add more modules as we get requests. I'll look into  adding a sql one before the next Friday update

There are a ton of php modules and we only included the most commonly used ones (so as not to bloat the image unnecessarily). We can add more modules as we get requests. I'll look into  adding a sql one before the next Friday update

 

Thanks!

So eventually letsencrypt started. Now I can't get it to redirect traffic to nextcloud. I have port 443 open and I've followed, to the best of my knowledge, the configuration instructions I've found, but using nextcloud.myserver.com results in connection refused. If I try nextcloud.myserver.com:7443 (the port forwarded for nextcloud), it does connect to my server so the domain is resolving to my ip

You should paste the nextcloud section in your default site-conf file.

You need to post your config files and your docker run commands for both containers otherwise we're shooting in the dark.

 

Sent from my LG-H815 using Tapatalk

 

 

You need to post your config files and your docker run commands for both containers otherwise we're shooting in the dark.

 

Sent from my LG-H815 using Tapatalk

 

Are you talking to me or Techn0mancer?

I won't say I figured it out, but I beat my head against the keyboard until it started working

I won't say I figured it out, but I beat my head against the keyboard until it started working

 

That's the way to go  ;D  try 5 different things, find out it worked and have no idea which of the 5 did it. but whatever, it's working now  ::)  the majority of what i get working is done using this method.

Hey all. This is probably stupidly simple but beginner with nginx configs, 4 hours and many many google searches later im not too much further into my problem.

 

Essentially i have stats.domain.co.uk loading up PlexPy perfectly using letsencrypt. Now trying to get requests.domain.co.uk to point to Plex Requests.

 

My default config file below. The first and second "server_name" seem to work perfectly. http traffic is denied and https gets to PlexPy perfectly, but the 3rd server_name doesnt make it to Plex Requests. Tried even using the stats.domain.co.uk with the port for Requests and that works fine so doesnt seem to be the Docker.

 

Any pointers as to what i need to change below? Just want requests.domain.co.uk to work alongside stats.domain.co.uk

 

# redirect all traffic to https
server {
listen 80;
server_name _;
return 301 https://$host$request_uri;
}

server {
listen 443 ssl;

root /config/www;
index index.html index.htm index.php;

server_name stats.*;

ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

client_max_body_size 0;

#PLEX STATS

location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
	include /config/nginx/proxy.conf;
	proxy_pass http://10.0.0.11:8181;	
}
}


server {
listen 443 ssl;

root /config/www;
index index.html index.htm index.php;

server_name requests.*;

ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

client_max_body_size 0;

#PLEX REQUESTS

location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
	include /config/nginx/proxy.conf;
	proxy_pass http://10.0.0.11:3000/request;	
}
}

Hey all. This is probably stupidly simple but beginner with nginx configs, 4 hours and many many google searches later im not too much further into my problem.

 

Essentially i have stats.domain.co.uk loading up PlexPy perfectly using letsencrypt. Now trying to get requests.domain.co.uk to point to Plex Requests.

 

My default config file below. The first and second "server_name" seem to work perfectly. http traffic is denied and https gets to PlexPy perfectly, but the 3rd server_name doesnt make it to Plex Requests. Tried even using the stats.domain.co.uk with the port for Requests and that works fine so doesnt seem to be the Docker.

 

Any pointers as to what i need to change below? Just want requests.domain.co.uk to work alongside stats.domain.co.uk

 

# redirect all traffic to https
server {
listen 80;
server_name _;
return 301 https://$host$request_uri;
}

server {
listen 443 ssl;

root /config/www;
index index.html index.htm index.php;

server_name stats.*;

ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

client_max_body_size 0;

#PLEX STATS

location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
	include /config/nginx/proxy.conf;
	proxy_pass http://10.0.0.11:8181;	
}
}


server {
listen 443 ssl;

root /config/www;
index index.html index.htm index.php;

server_name requests.*;

ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;

client_max_body_size 0;

#PLEX REQUESTS

location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
	include /config/nginx/proxy.conf;
	proxy_pass http://10.0.0.11:3000/request;	
}
}

 

Likely an issue because https://domain.com is proxied to http://ip/requests

 

It is usually a good idea to keep that base url (in this case "requests") the same between the domain address and the proxied address.

 

You can either try to remove the base url from the plex requests container so that you access it at just http://serverip:port and so the proxied address would match the domain address (no base url) or you can try "location /requests" in the config and access it at requests.domain.com/requests (not pretty).

 

You can also try adding a trailing slash at the end of the requests in your existing config. It *may* work

 

What I found works was separate config files for each subdomain.  So as well as default I got files and nextcloud in there.  Not sure looking at yours how you got it setup.

 

Also, remove the URL_BASE parameter as you don't need it and like aptalca says it's probably overcomplicating things.

 

RNWSRCr.png

 

Then place a file called requests in the same folder as default and use this as the contents.

 

server {
       listen         80;
       server_name    requests.server.com;
       return         301 https://$server_name$request_uri;
}

server {
listen 443 ssl;
server_name requests.server.com;

root /config/www/;
index index.htm index.php;

###SSL Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

###Diffie–Hellman key exchange ###
ssl_dhparam /config/nginx/dhparams.pem;

###SSL Ciphers
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

###Extra Settings###
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header Front-End-Https on;

client_max_body_size 0;

location ~ \.php$ {
	fastcgi_split_path_info ^(.+\.php)(/.+)$;
	# With php5-cgi alone:
	fastcgi_pass 127.0.0.1:9000;
	# With php5-fpm:
	#fastcgi_pass unix:/var/run/php5-fpm.sock;
	fastcgi_index index.php; 
	include /etc/nginx/fastcgi_params;
}
    	
location / {
	proxy_pass http://10.0.0.11:3000;
	include /config/nginx/proxy.conf;	
}

}

This Plugin works like a charm :), but I have one question: When I connect from my external URL to my application (like emby), the application get only the IP «172.17.0.2 » at every online user, and not the real IP. Is this normal?

 

Thanks and happy new year.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.