
[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Dear friends, I tried to set up this container for a couple of days and have arrived at a stupid position.

Using https://hme.domain.com, I can connect to my server and see the "Welcome to our server" banner. So nginx, certs, port forwarding and subdomain setup are all OK.

If I use https://hme.domain.com/sonarr, then I just get "Sonarr Ver." in the top left corner and nothing else. Similarly, https://hme.domain.com/radarr prints "Radarr Ver." in the top left corner. Obviously, these are from the very bottom of the Sonarr and Radarr pages. I think this shows that the connection from the internet is OK. But why can't I see the whole page of Sonarr and Radarr instead of just two words from the very bottom of these pages?

The only additions to /mnt/user/appdata/letsencrypt/nginx/site-confs/default are below:

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.100:8989/sonarr;
    }

    location /radarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.100:7878/radarr;
    }

Does this problem ring a bell for anybody?

Thank you for your support.

 

 

1 hour ago, sse450 said:

Dear friends, I tried to set up this container for a couple of days and have arrived at a stupid position. [...]

Did you set the base URL in the apps? e.g. /sonarr

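Why the base URL matters for that config, as an added example that is not part of the thread or of the linuxserver.io image: a few lines of Python that reproduce nginx's documented proxy_pass rule for prefix locations (with a URI part in proxy_pass, the part of the request matching the location is replaced by that URI; with only scheme://host:port the request path is forwarded unchanged) and apply it to the posted location blocks. The upstream 192.168.1.100:8989 and the /sonarr and /radarr prefixes come from the post; the request path and the /Content/styles.css asset link are constructed, the latter standing in for whatever link an app emits when it does not know it lives under /sonarr.

```python
from urllib.parse import urlsplit

def location_matches(location, request_path):
    """nginx prefix location: matches any path that begins with the prefix.
    Note that 'location /sonarr' also matches '/sonarr-old' or '/sonarrfoo'."""
    return request_path.startswith(location)

def upstream_path(location, proxy_pass, request_path):
    """Path nginx sends upstream for a prefix location.

    Rule from the nginx proxy_pass documentation: if proxy_pass carries a URI
    part, the portion of the request matching the location is replaced by that
    URI; if it has no URI part (scheme://host:port only), the request path is
    forwarded as is.
    """
    if not location_matches(location, request_path):
        raise ValueError(f"{request_path} is not under {location}")
    uri = urlsplit(proxy_pass).path
    if uri == "":
        return request_path
    return uri + request_path[len(location):]

def routed_by(locations, emitted_link):
    """Which configured location (if any) catches a link the app emits.
    None means the request falls through to the site's default handler, i.e.
    the 'Welcome to our server' page rather than the app behind the proxy."""
    best = None
    for loc in locations:
        if location_matches(loc, emitted_link) and (best is None or len(loc) > len(best)):
            best = loc  # nginx picks the longest matching prefix location
    return best

UPSTREAM = "192.168.1.100:8989"   # Sonarr, taken from the post
LOCATIONS = ["/sonarr", "/radarr"]

if __name__ == "__main__":
    req = "/sonarr/api/v3/system/status"   # constructed request path
    for loc, pp in [
        ("/sonarr", f"http://{UPSTREAM}/sonarr"),  # the thread's config
        ("/sonarr", f"http://{UPSTREAM}"),         # no URI part: passed through unchanged
        ("/sonarr", f"http://{UPSTREAM}/"),        # gotcha: yields a leading '//'
        ("/sonarr/", f"http://{UPSTREAM}/"),       # strips the prefix cleanly
    ]:
        print(f"location {loc:9} proxy_pass {pp:35} -> {upstream_path(loc, pp, req)}")
    # With the thread's config the app receives '/sonarr/...', so it must be told
    # its base URL is /sonarr. Otherwise it emits links like the assumed
    # '/Content/styles.css', which no location catches:
    print(routed_by(LOCATIONS, "/Content/styles.css"))         # None
    print(routed_by(LOCATIONS, "/sonarr/Content/styles.css"))  # /sonarr
```

With the thread's config the app receives /sonarr/..., so it has to be told that its base URL is /sonarr; a link it emits at the site root matches no location and lands on the default site, which is consistent with seeing only the footer text of the page. The third row shows the classic double-slash mistake when the location has no trailing slash but the proxy_pass URI ends in one.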

I'm trying to get this working for the first time. I have installed the docker as directed but keep getting this error repeating:

nginx: [emerg] BIO_new_file("/config/keys/fullchain.pem") failed (SSL: error:02FFF002:system library:func(4095):No such file or directory:fopen('/config/keys/fullchain.pem', 'r') error:20FFF080:BIO routines:CRYPTO_internal:no such file)

Currently I just want to get the docker working before I actually begin reverse proxying access to other containers etc.

And here are the container params (screenshot attached).
11 hours ago, tazire said:

I'm trying to get this working for the first time. I have installed the docker as directed but keep getting this error repeating: [...]

Try changing /mnt/user to /mnt/cache or /mnt/diskX

I did a search on this thread for "mqtt" and "mosquitto", but it yielded no results.

I currently use the spants/mqtt docker in conjunction with the homeassistant/home-assistant docker.

All of my remote accessing is done through this docker, linuxserver/letsencrypt.

Because of this, I've been able to greatly reduce the ports I have open on my router.

I currently have 5: the basic 80, 8080, 443, and then 32400 for Plex and 1194 for OpenVPN, as I have found no other way to get this working without doing so.

I'm using OwnTracks on an Android phone to remotely send device location via MQTT. Because of this, I need to be able to access this docker remotely.

I tried the most generic change to the default file under "site-confs":

    location /mqtt {
        proxy_pass http://192.168.1.3:1883/;
        include /config/nginx/proxy.conf;
    }

Unfortunately, this does not work.

Any experience with a similar setup that could possibly point me in the right direction, so I can try to avoid opening up more ports on my router?
2 hours ago, Living Legend said:

I did a search on this thread for "mqtt" and "mosquitto", but it yielded no results. [...]

I haven't opened up port 1883 to get OwnTracks to work. It's been a while since I set it up, but I think OwnTracks responds to 'polls' from the local instance so you don't need to open up a port.
3 hours ago, DZMM said:

I haven't opened up port 1883 to get OwnTracks to work. It's been a while since I set it up, but I think OwnTracks responds to 'polls' from the local instance so you don't need to open up a port.

Yep, I just double-checked by putting my phone on cellular and pinging Home Assistant, and my OwnTracks works with the MQTT docker by ensuring the outgoing ports are open, not the incoming ones. I have this in my appdata\MQTT\conf.d\myphone_mqtt.conf:

    connection cloudmqtt
    address mXX.cloudmqtt.com:non-ssl port
    remote_username MAIN CLOUDMQTT USERNAME
    remote_password MAIN CLOUDMQTT PASSWORD
    clientid cloudmqtt
    try_private false
    start_type automatic
    topic # in
    topic owntracks out

and I've allowed outgoing traffic on the non-SSL and websockets ports of the CloudMQTT instance in my router (routing these ports selectively over my VPN for more peace of mind). 'owntracks out' is so that CloudMQTT doesn't get flooded with my SmartThings messages, or anything else I add in the future.
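A small lint pass over a bridge configuration like the one above, as an added example (not the poster's file and not mosquitto's own code). The two configs embedded in it are constructed: the first mirrors the layout of the posted conf.d file with the placeholders filled in by made-up values (mqtt.example.net, alice and s3cret are assumptions), the second is a hardened variant that adds TLS to the remote leg (bridge_cafile, port 8883) and narrows the inbound subscription from # to owntracks/#. The checks are the ones that matter when an outbound bridge stands in for an inbound port: whether the credentials and messages to the remote broker are encrypted, and how much of the remote broker's traffic is pulled back onto the local one.

```python
from dataclasses import dataclass, field

# Constructed sample configs (not from the thread). WEAK_CONF follows the
# posted file with assumed values; HARDENED_CONF is the corrected variant.
WEAK_CONF = """\
connection cloudmqtt
address mqtt.example.net:1883
remote_username alice
remote_password s3cret
clientid cloudmqtt
try_private false
start_type automatic
topic # in
topic owntracks out
"""

HARDENED_CONF = """\
connection cloudmqtt
address mqtt.example.net:8883
bridge_cafile /etc/ssl/certs/ca-certificates.crt
remote_username alice
remote_password s3cret
remote_clientid cloudmqtt
try_private false
start_type automatic
topic owntracks/# in
topic owntracks out
"""

@dataclass
class Bridge:
    name: str
    addresses: list = field(default_factory=list)   # host[:port] entries
    options: dict = field(default_factory=dict)     # every other key/value
    topics: list = field(default_factory=list)      # (pattern, direction)

def parse_bridges(text):
    """Group mosquitto.conf directives into bridges, one per 'connection' line.
    Only whole lines starting with '#' are comments; in 'topic # in' the '#'
    is the MQTT multi-level wildcard and must be kept."""
    bridges, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        value = value.strip()
        if key == "connection":
            cur = Bridge(value)
            bridges.append(cur)
        elif cur is None:
            continue  # global option before any bridge; not our concern here
        elif key == "address":
            cur.addresses.extend(value.split())  # several hosts may be listed
        elif key == "topic":
            parts = value.split()
            # mosquitto's default direction for a bridge topic is 'out'
            cur.topics.append((parts[0], parts[1] if len(parts) > 1 else "out"))
        else:
            cur.options[key] = value
    return bridges

def lint_bridge(b):
    """Return human-readable findings for one bridge."""
    findings = []
    tls = "bridge_cafile" in b.options or "bridge_capath" in b.options
    if not tls:
        findings.append(f"{b.name}: no bridge_cafile/bridge_capath, so remote_username, "
                        f"remote_password and every message cross the network in cleartext")
    if b.options.get("bridge_insecure", "false").lower() == "true":
        findings.append(f"{b.name}: bridge_insecure true disables hostname verification")
    for pattern, direction in b.topics:
        if direction in ("in", "both") and pattern in ("#", "+/#"):
            findings.append(f"{b.name}: 'topic {pattern} {direction}' mirrors everything "
                            f"anyone publishes on the remote broker onto the local one")
    return findings

def lint(text):
    return [f for b in parse_bridges(text) for f in lint_bridge(b)]

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, lint(conf) or ["no findings"])
```

The weak config draws two findings (cleartext remote leg, wildcard inbound subscription); the hardened one draws none. Running the bridge over a VPN, as the post does, protects the path to the VPN endpoint but not the hop from there to the cloud broker, which is why the TLS check is worth keeping even then.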
I have been reading from page 46 and I could not find this HTTPVAL. I have enabled the "advanced view" and all I see at the bottom are PUID and PGID.

I have port forwards on my firewall, 80:81 and 443:442.

Here are my settings (screenshot attached).

Here is the error (screenshot attached).

It's changed again. Take a look at the GitHub readme for up to date info.

Although to be honest, looking at the info you provided, it does look like either your port forward or DNS isn't correct.

OK, just looking for a little help getting Nextcloud working as I'd like. I tried following the directions given in the earlier posts on the Nextcloud support thread, but they mostly apply if you want to use the address xxx.server.com. I am trying to get it working with server.com/nextcloud. Currently I am having a couple of issues. Firstly, I can access my Nextcloud perfectly fine from outside my network with server.com/network; however, within my network I am having issues, and I also can't get it to play nice with the Android app or the Windows app. At present, while on the network I can't connect when using the unraid GUI: it sends me to 192.168.1.18:4433, but in order to access it on my network I have to input 192.168.1.18/nextcloud. Also, if I am on my own network and I go to server.com/nextcloud, it redirects me to the correct local IP but does not seem to connect through letsencrypt, as I get the insecure notice. I'll attach my configs for reference. Just FYI, Sonarr and CouchPotato work exactly as I'd like with the setup I have.

Attachments: config.php, default.txt
tazire said:

OK, just looking for a little help getting Nextcloud working as I'd like. [...]

This is one of the reasons I don't support the subfolder method.

You probably need to look at hairpin NAT or NAT reflection on your router.
CHBMB said:

Although to be honest, looking at the info you provided, it does look like either your port forward or DNS isn't correct.

What do you mean by DNS?

This is the stateful flow from my SRX firewall (I replaced my public IP with 1.1.1.1):

Session ID: 48579, Policy name: untrust_TO_LENGINX/80, Timeout: 2, Valid
In: 66.118.142.167/43834 --> 1.1.1.1/80;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 40,
Out: 10.0.20.11/81 --> 66.118.142.167/43834;tcp, Conn Tag: 0x0, If: irb.20, Pkts: 1, Bytes: 40,
4 hours ago, pingmanping said:

I have been reading from page 46 and I could not find this HTTPVAL. [...]

Your outgoing connection to the letsencrypt server is failing

aptalca said:

Your outgoing connection to the letsencrypt server is failing

I put my letsencrypt container in my DMZ subnet. Do you think this is the problem?
I put a VM in the DMZ and I was able to browse the Internet. I disabled my pihole and letsencrypt was still failing with the same error.

I did some testing to verify the destination NAT by installing the Linuxserver.io NGINX container, and I was able to hit the page. But letsencrypt fails to work.
1 hour ago, aptalca said:

Your outgoing connection to the letsencrypt server is failing

Here is an update. I used bridge mode and everything works.

I really don't want to use my unraid IP when opening inbound ports from the Internet.

How are you deploying your letsencrypt?

My plan was to put the LE container in my DMZ and this seems to fail to work. I would like to put my pivpn, emby, nextcloud behind the letsencrypt container.
10 hours ago, pingmanping said:

Here is an update. I used bridge mode and everything works. [...]

DMZ means opening up every single port. No firewall. Don't do it.

Forward a single port (443) if you're using DNS validation, or 80 and 443 if using HTTP validation, to letsencrypt on unraid and reverse proxy everything else. Configure the built-in fail2ban for additional security, like against DDoS and brute-force attempts (recidive does wonders).
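A model of the fail2ban behaviour mentioned above, as an added example (not SWAG's jail configuration and not fail2ban's code): a sliding-window count of failing requests per client IP with fail2ban's maxretry/findtime/bantime semantics, and a recidive pass that hands a much longer ban to an IP that keeps getting banned. The log lines are constructed in nginx's default combined format using documentation-range addresses; the thresholds are values I chose in the style of fail2ban's defaults, and treating 401/403 responses from the proxy as failures is an assumption (the filters the image ships are not shown in the thread).

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# nginx "combined" access-log format: client IP, timestamp, request, status, ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def _line(ip, hms, status, ua="curl/7.64.0"):
    """Build one constructed combined-format line (sample data, not a real log)."""
    return f'{ip} - - [10/Feb/2019:{hms} +0000] "GET /sonarr/ HTTP/1.1" {status} 188 "-" "{ua}"'

# Constructed sample: 203.0.113.7 hammers the proxy in three bursts 15 minutes apart,
# 198.51.100.20 mistypes once and then logs in, 192.0.2.9 stops one short of the limit.
SAMPLE_LOG = (
    [_line("203.0.113.7", f"12:00:0{i}", 401) for i in range(1, 6)]
    + [_line("198.51.100.20", "12:00:06", 401), _line("198.51.100.20", "12:00:07", 200)]
    + [_line("192.0.2.9", f"12:01:0{i}", 403) for i in range(1, 5)]
    + [_line("203.0.113.7", f"12:15:0{i}", 401) for i in range(1, 6)]
    + [_line("203.0.113.7", f"12:30:0{i}", 401) for i in range(1, 6)]
)

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), int(m["status"])

def find_bans(lines, maxretry=5, findtime=600, bantime=600, failing=(401, 403)):
    """fail2ban-style jail: ban an IP with >= maxretry failures inside findtime seconds.
    Returns [(ip, time_of_ban)]. Requests from a currently banned IP are skipped, as
    the firewall rule fail2ban inserts would drop them before nginx saw them."""
    window = timedelta(seconds=findtime)
    recent, banned_until, bans = defaultdict(deque), {}, []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if ip in banned_until and ts < banned_until[ip]:
            continue
        if status not in failing:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:      # drop failures older than findtime
            q.popleft()
        if len(q) >= maxretry:
            bans.append((ip, ts))
            banned_until[ip] = ts + timedelta(seconds=bantime)
            q.clear()
    return bans

def recidive(bans, maxretry=3, findtime=86400, bantime=604800):
    """The recidive jail: a ban of bans. An IP banned maxretry times within findtime
    (here a day) gets a long ban (here a week). Returns [(ip, banned_at, banned_until)]."""
    window = timedelta(seconds=findtime)
    history, long_bans = defaultdict(deque), []
    for ip, ts in bans:
        q = history[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= maxretry:
            long_bans.append((ip, ts, ts + timedelta(seconds=bantime)))
            q.clear()
    return long_bans

if __name__ == "__main__":
    short = find_bans(SAMPLE_LOG)
    for ip, at in short:
        print(f"ban      {ip} at {at:%H:%M:%S}")
    for ip, at, until in recidive(short):
        print(f"recidive {ip} at {at:%Y-%m-%d %H:%M} until {until:%Y-%m-%d %H:%M}")
```

On the sample, the first jail bans 203.0.113.7 three times (a ten-minute ban each) and leaves the other two clients alone; the recidive pass then turns that repeat offender into a week-long ban. Splitting the two stages this way is what keeps the short ban cheap for a user who mistypes a password while still removing a persistent brute-forcer.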
14 hours ago, CHBMB said:

This is one of the reasons I don't support the subfolder method.

You probably need to look at hairpin NAT or NAT reflection on your router.

OK, I'm not going to lie, I don't really know much about that NAT stuff. As you can probably see from my default config, I have the method you suggest there but commented out. I did this as I was having issues getting that to work also. Should your method work fine even with the subfolder method on other containers? I'm willing to go back at it if it's just going to work as intended.

8 minutes ago, tazire said:

OK, I'm not going to lie, I don't really know much about that NAT stuff. [...]

Yeah, it works fine with other stuff as subfolders, but you'll still have the issue with hairpin NAT.
