[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)

  • Replies 6.2k
  • Views 1.5m

You say it doesn't work on WAN, have you tried using your mobile phone on mobile data?  Could be a problem with your router settings

 

And to confirm, it's working on LAN?

 

5 minutes ago, CHBMB said:

You say it doesn't work on WAN, have you tried using your mobile phone on mobile data?  Could be a problem with your router settings

 

And to confirm, it's working on LAN?

 

Yeah same error LAN or WAN. Router settings:


35 minutes ago, CHBMB said:

So it's not working on LAN either?

Correct, I cannot access using my duckdns domain on WAN or LAN. 

Correct, I cannot access using my duckdns domain on WAN or LAN. 
OK, here's the deal: the container is working perfectly, it's grabbed the certs and started nginx, but I think somewhere you've configured Nginx wrong and now it's not working. There's no easy fix for this; what I'd recommend is reinstalling the container with new appdata, then editing the nginx default file and trying to work out where you've introduced the error.

6 hours ago, Odessa said:

 

@CHBMB Thank you very much, here is my LE run command:

https://pastebin.com/sTnfSFkk

 

My LE log:

https://pastebin.com/9DawkVww

[personal info obfuscated]

 

I see the error regarding port in the log, but 443 does not show as used in my docker mappings. Note I cannot currently access the default web page from outside, I get "ERR_CONNECTION_REFUSED" in browser.

 

 

Issue 1: you are redirecting from www.yourdomain to yourdomain, however you have the option only_subdomains set to true, so your cert only covers www, but not yourdomain

 

Issue 2: are you using ldap for authorization? How is that set up? 

 

Issue 3: nginx isn't even starting for you because you have another site config enabled somewhere with a server block that contains the "default_server" directive
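Issue 1 above is a certificate coverage problem, not an nginx one: a redirect from www.yourdomain to yourdomain only works if the certificate covers the hostname the browser lands on. The following is an added example (not code from the thread or from the linuxserver image) that applies the hostname-matching rules TLS clients use to a certificate's DNS SAN list, so you can check a planned redirect before deploying it. The SAN lists and the example.com names are constructed placeholders; the one-SAN list is the shape you get from only_subdomains=true with subdomains=www.

```python
def hostname_covered(hostname: str, sans: list) -> bool:
    """True if `hostname` is matched by one of the certificate's DNS SANs.

    Implements the RFC 6125 rules browsers apply:
    - the comparison is case-insensitive,
    - a wildcard is accepted only as the entire leftmost label ("*.example.com"),
    - the wildcard matches exactly one label, so "*.example.com" covers
      "www.example.com" but neither "example.com" nor "a.b.example.com".
    """
    host = hostname.lower().rstrip(".").split(".")
    for san in sans:
        labels = san.lower().rstrip(".").split(".")
        if labels == host:
            return True
        # Wildcard: whole leftmost label, same label count, all other labels equal.
        if labels[0] == "*" and len(labels) == len(host) and labels[1:] == host[1:]:
            return True
    return False


def redirect_coverage(from_host: str, to_host: str, sans: list) -> list:
    """Return the redirect hostnames the certificate does NOT cover.

    Both ends matter: the browser first connects to `from_host` (TLS handshake #1),
    follows the 301, then connects to `to_host` (TLS handshake #2). A name missing
    from the SANs fails at whichever hop uses it.
    """
    return [h for h in (from_host, to_host) if not hostname_covered(h, sans)]


# Constructed SAN lists; example.com is a placeholder domain.
ONLY_WWW_SANS = ["www.example.com"]      # only_subdomains=true, subdomains=www
WILDCARD_ONLY_SANS = ["*.example.com"]   # a wildcard certificate without the apex name
APEX_AND_WWW_SANS = ["example.com", "www.example.com"]

if __name__ == "__main__":
    for sans in (ONLY_WWW_SANS, WILDCARD_ONLY_SANS, APEX_AND_WWW_SANS):
        missing = redirect_coverage("www.example.com", "example.com", sans)
        print(f"{sans!s:40} uncovered: {missing or 'none'}")
```

Run it and the first two SAN lists report example.com as uncovered, which is exactly the Issue 1 failure: the redirect itself is fine, but the target hostname has no valid certificate behind it.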

So I'm attempting to get this set up while still using Cloudflare as my DNS.

 

In the docker set up fields, it asks for the following (among other things):

- Subdomains: I put "wildcard" here without the quotes, since CF has all the CNAME breakouts and everything

- Validation Type: I've put "dns" without the quotes

- dns-plugin: Not sure what to put for this one?

 

Thoughts? Any help is appreciated!

5 minutes ago, Magic815 said:

So I'm attempting to get this set up while still using Cloudflare as my DNS.

 

In the docker set up fields, it asks for the following (among other things):

- Subdomains: I put "wildcard" here without the quotes, since CF has all the CNAME breakouts and everything

- Validation Type: I've put "dns" without the quotes

- dns-plugin: Not sure what to put for this one?

 

Thoughts? Any help is appreciated!

https://github.com/linuxserver/docker-letsencrypt#parameters

On 6/4/2018 at 2:36 PM, aptalca said:

 

That's just the problem. Acme challenge key is generated on the fly by letsencrypt servers. So you can't really do that with a variable. Manual validation process goes like this:

 

--snip--

 

PS. I personally don't think using cloudflare is a workaround. It delivers about 10% of the internet (cdn, proxy) and I bet it is a lot more reliable as a dns provider than any hosting company


 

Thanks for the clarification on the LE workflow. I get why it won't work; I assume my use case is not intended, since my Unraid server is not available from the WAN. Of course you can argue about the importance of SSL encryption in a LAN-only mode. The only access to the server is via VPN into the LAN and then going to unraid.domain.tld.

3 hours ago, Aluavin said:

 

Thanks for the clarification on the LE workflow. I get why it won't work; I assume my use case is not intended, since my Unraid server is not available from the WAN. Of course you can argue about the importance of SSL encryption in a LAN-only mode. The only access to the server is via VPN into the LAN and then going to unraid.domain.tld.

 

As far as validation goes, your server does not need to be reachable from the internet as long as you use dns validation. Your server (the container) will connect to the letsencrypt servers and get a key, post it on cloudflare (or another supported dns provider) and then the letsencrypt servers will connect to the dns server to check the txt record. They won't try and connect to your unraid machine. The only connection from unraid will be outgoing. 

 

My question is, what is your purpose for getting the cert? If you want to use the cert for openvpn, you can use letsencrypt to get it and manage it, and then you can mount the folder in the openvpn container and point to the cert. 

 

If you want to use it for local connections but still with third party validation, I guess you can do that as long as your dns directs local clients to the local address when they query for the domain name (pfsense will do it with dns resolver). 

Edited by aptalca
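The DNS validation flow described above is the ACME dns-01 challenge (RFC 8555, section 8.4). What ends up in the TXT record is not the token itself but a digest bound to the account key, which is why the CA never needs to reach your server: it only has to resolve one TXT record. The following is an added example, not code from the thread or from the linuxserver image, that computes the record name and value the container publishes and mirrors the check the CA performs. The account key and the token are constructed placeholders of the right shape, not real ACME material.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires for every encoded field."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the key's required members, sorted
    lexicographically and serialised with no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("ascii")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token.thumbprint: ties the challenge token to the account that ordered the cert."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_txt_value(token: str, account_jwk: dict) -> str:
    """The TXT record contents the CA looks for: base64url(SHA-256(key authorization))."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return b64url(digest)


def dns01_record_name(identifier: str) -> str:
    """Name the CA queries. A wildcard "*.example.com" is validated at the
    same _acme-challenge.example.com record as the apex name."""
    host = identifier[2:] if identifier.startswith("*.") else identifier
    return f"_acme-challenge.{host}."


def ca_side_check(expected: str, txt_answers: list) -> bool:
    """What the CA does after an outbound DNS query: accept if any TXT record in
    the answer equals the expected digest. Nothing connects to your server."""
    return any(answer.strip('"') == expected for answer in txt_answers)


# Constructed account key: placeholder values, NOT a real RSA key.
FAKE_ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": b64url(b"\x01" * 256)}
# Constructed challenge token of the shape a CA hands out per authorization.
FAKE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"

if __name__ == "__main__":
    name = dns01_record_name("*.example.com")
    value = dns01_txt_value(FAKE_TOKEN, FAKE_ACCOUNT_JWK)
    # This is the record the dns plugin creates at your DNS provider:
    print(f'{name} 60 IN TXT "{value}"')
```

Because the value changes with every order (new token) and the CA queries the authoritative nameservers, the practical check when validation fails is to query the same name the CA does, for example `dig TXT _acme-challenge.yourdomain`, and compare the answer to what the container logged.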

I'm receiving this error in the letsencrypt logfile but can't find a solution.

   

nginx: [emerg] PEM_read_bio_X509_AUX("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:09FFF06C:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE)
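The "no start line" part of that error means OpenSSL read the whole of fullchain.pem without finding a "-----BEGIN" line; the usual cause is an empty file (certbot never wrote it, or the path is a dangling symlink), less often a file that is not PEM at all or has the wrong kind of block in it. The following is an added example, not code from the thread or from the linuxserver image, that triages such a file with the standard library only and reports which of those cases applies. The sample inputs are constructed: the base64 body is a five-byte fake DER SEQUENCE, not a real certificate.

```python
import base64
import re
import sys

# One PEM armour block: BEGIN line, base64 body, END line with the same label.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def inspect_pem_chain(text: str) -> dict:
    """Triage a file nginx is about to load as ssl_certificate.

    Returns {"blocks": [...], "problems": [...]}; an empty problems list means the
    file holds at least one well-formed CERTIFICATE block and nothing else.
    """
    report = {"blocks": [], "problems": []}
    if not text.strip():
        # The classic cause of "no start line": nginx read zero bytes.
        report["problems"].append("file is empty")
        return report
    if "-----BEGIN" not in text:
        report["problems"].append("no '-----BEGIN' line: not PEM (DER, JSON, an HTML error page?)")
        return report
    for match in _PEM_BLOCK.finditer(text):
        label, body, end_label = match.groups()
        if label != end_label:
            report["problems"].append(f"BEGIN {label} is closed by END {end_label}")
        try:
            der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)
        except ValueError:
            der = b""
            report["problems"].append(f"{label} block body is not valid base64")
        else:
            # Every X.509 certificate is a DER SEQUENCE, whose first byte is tag 0x30.
            if not der or der[0] != 0x30:
                report["problems"].append(f"{label} block does not decode to an ASN.1 SEQUENCE")
        if label != "CERTIFICATE":
            # A private key or CSR pasted into the chain file also trips PEM_read_bio_X509_AUX.
            report["problems"].append(f"unexpected {label} block in a certificate chain file")
        report["blocks"].append({"label": label, "der_len": len(der)})
    if not report["blocks"]:
        report["problems"].append("BEGIN line present but no complete block (truncated file?)")
    return report


# Constructed inputs, not real certificates: "MAMCAQE=" decodes to 30 03 02 01 01.
CONSTRUCTED_CHAIN = "-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
CONSTRUCTED_KEY_IN_CHAIN = "-----BEGIN PRIVATE KEY-----\nMAMCAQE=\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    # Usage: python pemcheck.py /config/keys/letsencrypt/fullchain.pem
    path = sys.argv[1] if len(sys.argv) > 1 else "fullchain.pem"
    with open(path, "r", encoding="ascii", errors="replace") as fh:
        result = inspect_pem_chain(fh.read())
    for block in result["blocks"]:
        print(f"{block['label']}: {block['der_len']} DER bytes")
    for problem in result["problems"]:
        print("PROBLEM:", problem)
```

Point it at the path from the nginx error; if it reports an empty file, the fix is on the certbot side (look earlier in the same log for why issuance failed), not in the nginx config.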

 

17 hours ago, aptalca said:

 

Issue 1: you are redirecting from www.yourdomain to yourdomain, however you have the option only_subdomains set to true, so your cert only covers www, but not yourdomain

Issue 2: are you using ldap for authorization? How is that set up? 

Issue 3: nginx isn't even starting for you because you have another site config enabled somewhere with a server block that contains the "default_server" directive

Ok I removed the rule for #1.
#2 sorry I couldn't figure out what this means - no reference ldap in my settings

#3 - I discovered other versions of my site-conf/default file which seemed to be interfering - removed these and I can now access the nginx home page externally! I have hope that this could work.

 

Ok, so I know LE is working! But how do I access my dockers?

 

[domain].duckdns.org/ombi gives a 500 error

here's my ombi setting in site-conf/default

 

#OMBI CONTAINER
location /ombi {
    auth_request /auth-4;
    proxy_pass http://192.168.1.146:3579/ombi;
    include /config/nginx/proxy.conf;
}

TY!

Edited by Odessa

34 minutes ago, Odessa said:

Ok I removed the rule for #1.
#2 sorry I couldn't figure out what this means - no reference ldap in my settings

#3 - I discovered other versions of my site-conf/default file which seemed to be interfering - removed these and I can now access the nginx home page externally! I have hope that this could work.

 

Ok, so I know LE is working! But how do I access my dockers?

 

[domain].duckdns.org/ombi gives a 500 error

here's my ombi setting in site-conf/default

 


#OMBI CONTAINER
location /ombi {
    auth_request /auth-4;
    proxy_pass http://192.168.1.146:3579/ombi;
    include /config/nginx/proxy.conf;
}

TY!

 

What are you trying to accomplish with the auth_request line? What is /auth-4 referring to?

 

Just remove that ombi config and use the built-in one. Instructions here: https://github.com/linuxserver/docker-letsencrypt/blob/master/README.md#site-config-and-reverse-proxy

Edited by aptalca

20 minutes ago, aptalca said:

 

What are you trying to accomplish with the auth_request line? What is /auth-4 referring to?

Just remove that ombi config and use the built-in one. Instructions here: https://github.com/linuxserver/docker-letsencrypt/blob/master/README.md#site-config-and-reverse-proxy

 

Ok thank you, I found the readme file. I used the built-in config and set the ombi base URL but it still gives a 500 error:

 

location /ombi {
    return 301 $scheme://$host/ombi/;
}

location /ombi/ {
#    auth_basic "Restricted";
#    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_ombi ombi;
    proxy_pass http://$upstream_ombi:3579;
}

if ($http_referer ~* /ombi/) {
    rewrite ^/dist/(.*) $scheme://$host/ombi/dist/$1 permanent;
}

 

8 minutes ago, Odessa said:

 

Ok thank you, I found the readme file. I used the built-in config and set the ombi base URL but it still gives a 500 error:

 


location /ombi {
    return 301 $scheme://$host/ombi/;
}

location /ombi/ {
#    auth_basic "Restricted";
#    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_ombi ombi;
    proxy_pass http://$upstream_ombi:3579;
}

if ($http_referer ~* /ombi/) {
    rewrite ^/dist/(.*) $scheme://$host/ombi/dist/$1 permanent;
}

 

 

Did you put both letsencrypt and ombi on the same custom network as described in the readme? Are you using the default default site config, which has the include statement inside the server block for the proxy-confs? If you modified that part, delete the default site config and restart. After that navigate to https://yourdomain/ombi

On 6/2/2018 at 9:09 PM, aptalca said:

 

I use unifi, but only for APs. The router is pfsense

OK, thanks.

 

Looking back, the initial problems I had setting up this container look like they were because of this need to restart the USG router to get the port forwarding working again.  Also explains why it "magically" started working for me.  I imagine the router upgraded itself and rebooted.

21 hours ago, aptalca said:

Did you put both letsencrypt and ombi on the same custom network as described in the readme? 

tbh this is way over my head. How would you explain this to someone who isn't a networking expert?

 

Quote

If you are using unraid, create a custom network in command line, then go to docker service settings (under advanced) and 
set the option "Preserve user defined networks:" to "Yes". Then in each container setting, do one of the following:
  2) Unraid 6.5.1 or later - in the network type dropdown, select "Custom : [networkname]".
  You would have to do the above for the letsencrypt container as well, so they are all on the same custom network.

 

I am looking in docker advanced view, tools, network settings... I don't see any of these options.

 

thanks

 

1 hour ago, Odessa said:

tbh this is way over my head. How would you explain this to someone who isn't a networking expert?

 

 

I am looking in docker advanced view, tools, network settings... I don't see any of these options.

 

thanks

 

Creating a custom network in command line, just four lines above: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/proxy-confs/_readme#L24

 

The preserve setting is under docker settings, advanced view (see screenshot). The rest is in container settings. It says "Then in each container setting, do one of the following:" so you need to look for that option in container settings, not docker settings. 

 

I recommend reading the entire document first, before attempting changes so you understand all the steps first. 


On 6/6/2018 at 2:01 AM, aptalca said:

My question is, what is your purpose for getting the cert? If you want to use the cert for openvpn, you can use letsencrypt to get it and manage it, and then you can mount the folder in the openvpn container and point to the cert. 


 

The main purpose is that I have a clean URL while maintaining a TLS Connection so my Drives can be encrypted. I know that I could mock the URL with a custom DNS, but for now, an A-Level record to my local IP does the deal. same goes for nextcloud.domain.tld pointing to nextclouds docker IP address.

 

However, I think I have to accept that I have to use Cloudflare (or a different supported provider, preferably route53), open up my server so I can use http validation (won't do that), or obtain the cert manually. In this case, option #3 seems to be the one I have to take until I've got some spare time to evaluate moving the domain to route53; Cloudflare is too sketchy for me.

Edited by Aluavin

31 minutes ago, Aluavin said:

 

The main purpose is that I have a clean URL while maintaining a TLS Connection so my Drives can be encrypted. I know that I could mock the URL with a custom DNS, but for now, an A-Level record to my local IP does the deal. same goes for nextcloud.domain.tld pointing to nextclouds docker IP address.

 

However, I think I have to accept that I have to use Cloudflare (or a different supported provider, preferably route53), open up my server so I can use http validation (won't do that), or obtain the cert manually. In this case, option #3 seems to be the one I have to take until I've got some spare time to evaluate moving the domain to route53; Cloudflare is too sketchy for me.

 

Ok, I get it now.

 

But how is cloudflare sketchy if you're only going to use it to set the A record to a local ip that will only work inside your lan? You don't have to move your domain anywhere. You just point your nameservers on your domain host to cloudflare's nameservers.

On 6/6/2018 at 10:12 PM, aptalca said:

Creating a custom network in command line, just four lines above: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/proxy-confs/_readme#L24

The preserve setting is under docker settings, advanced view (see screenshot). The rest is in container settings. It says "Then in each container setting, do one of the following:" so you need to look for that option in container settings, not docker settings. 

I recommend reading the entire document first, before attempting changes so you understand all the steps first. 

 

OMG it worked, thank you @aptalca. I will make a donation. I must say it is extremely difficult for a docker newbie to figure out. No other docker approached this level of troubleshooting. Thanks for walking me through. I may create a user friendly guide.

Hello guys.

I'm having a little trouble right from the start. So I installed the docker, but I get an execution error(server error) when I try to start it.

When I try to change the ports I get this error message:

/usr/bin/docker: Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (562d830479261e90e8ad0a784fb2d05da0e1e122aae19e393fab7bf4d4c5bcc8): Error starting userland proxy: listen tcp 0.0.0.0:445: bind: address already in use.

The command failed.

What am I doing wrong? (I am running on Unraid 6.5.0)


Edited by Heciruam

1 hour ago, Heciruam said:

Hello guys.

I'm having a little trouble right from the start. So I installed the docker, but I get an execution error(server error) when I try to start it.

When I try to change the ports I get this error message:


/usr/bin/docker: Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (562d830479261e90e8ad0a784fb2d05da0e1e122aae19e393fab7bf4d4c5bcc8): Error starting userland proxy: listen tcp 0.0.0.0:445: bind: address already in use.

The command failed.

What am I doing wrong? (I am running on Unraid 6.5.0)


 

It says that port 445 is in use by something else. Pick a different port
