Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)

Featured Replies

6 hours ago, Glenn said:

I haven't really learned the ins and outs of the modes yet, so I just went off of what the guides i was using had. 

 

 

image.thumb.png.75e0d8f637633c137eb79b2f9e803ce0.png

image.thumb.png.1c634866cc21cbba6ffbb289eeec28b3.png

 

image.thumb.png.71f8226402fceda5ba294ff7b1f8cf30.png

sorry for the late reply, so you have 2 network cards and have them set to bond?

  • Replies 6.2k
  • Views 1.5m
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • Confirming this worked for me too. Not sure I needed to replace both, but I did anyway and Swag and Nextcloud are both back and up and running. For noobs like me, here's what I did: 1. Stop

  • I will only post this once. Feel free to refer folks to this post.   A few points of clarification:   The last update of this image didn't break things. Letsencrypt abruptly disabl

  • BigBoyMarky
    BigBoyMarky

    I replaced both the ssl.conf and nginx.conf files with the sample ones to update them since I did not make any custom modifications to either one of those and this resolved my issue.

Posted Images

Hello,

 

First of all, thank you for your work ! 

 

I have problem using your plugin. I can't get it to obtain the certificates. I have used certibot and hosted a web server before on another machine, and I didn't have any problem, so my ISP doesn't block any port.

 

This is the error that I get :

Quote

Failed authorization procedure.

 

2566335.xyz (http-01): urn:ietf:params:acme:error:connection:: The server could not connect to the client to verify the domain :: Fetching http://2566335.xyz/.well-known/acme-challenge/okr2q6AOqCJKPZWCYQfd-4r9MPKAhl9D3hmc7X5OlDk: Timeout during connect (likely firewall problem),

 

www.2566335.xyz (http-01): urn:ietf:params:acme:error:connection:: The server could not connect to the client to verify the domain :: Fetching http://www.2566335.xyz/.well-known/acme-challenge/IXluIrRlEw5xsmD7gjqaXM3iZgN8Rv7uxYF3jYHMd4o: Timeout during connect (likely firewall problem)

 

Port 80 of the container is accessible via the port 18100, port 443 is accessible via the port 18200.

I made the appropriate port forwarding in my router.

Quote

Service Name | Source Target | Port Range | Local IP | Local Port | Protocol

unRAID WebGUI | | 16500 | 192.168.1.110 | 80 | TCP

HTTP Lets Encrypt | | 80 | 192.168.1.110 | 18100 | TCP

HTTPS Lets Encrypt | | 443 | 192.168.1.110 | 18200 | TCP

 

My DNS configuration:

Quote

Name / Host / Alias | TTL | Type | Priority | Data / Value / Answer / Destination

@ | 300 | A | | 176.131.3.8

nextcloud | 300 | CNAME | | @

www | 300 | CNAME | | @

 

I don't understand why it doesn't work. As I said, I never had any problem with Let's Encrypt before.

Could you help me please?

 

Thank you

Edited by wblondel

my motherboard has two nics

 

43 minutes ago, wblondel said:

Hello,

 

First of all, thank you for your work ! 

 

I have problem using your plugin. I can't get it to obtain the certificates. I have used certibot and hosted a web server before on another machine, and I didn't have any problem, so my ISP doesn't block any port.

 

This is the error that I get :

 

Port 80 of the container is accessible via the port 18100, port 443 is accessible via the port 18200.

I made the appropriate port forwarding in my router.

 

My DNS configuration:

 

I don't understand why it doesn't work. As I said, I never had any problem with Let's Encrypt before.

Could you help me please?

 

Thank you

Try restarting your router

20 minutes ago, aptalca said:

Try restarting your router

Sometimes the simplest thing just works! Thank you aha!

my motherboard has two nics
 
Did you mean to bond them ( nic teaming)?

Not and expert at bonding but I do know the the switch has to be able to do link aggrigation other wise it's a wast of time.

Sent from my BND-L34 using Tapatalk

So I am so lost in where I am going wrong here and I hope it is something obvious that I'm just missing. Below is the log I get from the docker

 

Quote

 

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/New_York
URL=duckdns.org
SUBDOMAINS=REDACTEDDUCKDNSDOMAIN
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d REDACTEDDUCKDNSDOMAIN.duckdns.org
E-mail address entered: [email protected]
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for unraidcerberus.duckdns.org
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. REDACTEDDUCKDNSDOMAIN.duckdns.org (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://REDACTEDDUCKDNSDOMAIN.duckdns.org/.well-known/acme-challenge/iheqo0YHCuC5t0RprDd4mV7b7B6bM4ILSr-sli6t-CA: "<html>

<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: REDACTEDDUCKDNSDOMAIN.duckdns.org
Type: unauthorized
Detail: Invalid response from
http://REDACTEDDUCKDNSDOMAIN.duckdns.org/.well-known/acme-challenge/iheqo0YHCuC5t0RprDd4mV7b7B6bM4ILSr-sli6t-CA:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 


My unraid network settings:

 

download-1.thumb.png.7854fc53d45e036a9dd7e77d32ce950c.png

 

My LetsEncrypt docker settings:

 

download-2.thumb.png.562470839cdc9b68b10654240e9a5794.png

 

My port forwarding in my router:

 

download-3.thumb.png.a93c7a49377481314781b81190b1d1b5.png

 

Based on other posts here I've already checked and made sure my ISP doesn't block port 80. I also tested to make sure the port forwarding is working correctly by temporarily putting another docker on the ports I have letsencrypt set to and it was accessible externally from both, so the forwarding looks correct. My server is using duckdns to keep my IP updated. Anyone know what might be going on here or have things I can try?

1 hour ago, halorrr said:

So I am so lost in where I am going wrong here and I hope it is something obvious that I'm just missing. Below is the log I get from the docker

 


My unraid network settings:

 

download-1.thumb.png.7854fc53d45e036a9dd7e77d32ce950c.png

 

My LetsEncrypt docker settings:

 

download-2.thumb.png.562470839cdc9b68b10654240e9a5794.png

 

My port forwarding in my router:

 

download-3.thumb.png.a93c7a49377481314781b81190b1d1b5.png

 

Based on other posts here I've already checked and made sure my ISP doesn't block port 80. I also tested to make sure the port forwarding is working correctly by temporarily putting another docker on the ports I have letsencrypt set to and it was accessible externally from both, so the forwarding looks correct. My server is using duckdns to keep my IP updated. Anyone know what might be going on here or have things I can try?

Your port forwarding is incorrect. You need to forward outside port 80 to host's 180

3 hours ago, aptalca said:

Your port forwarding is incorrect. You need to forward outside port 80 to host's 180

Ahhhhh I see, I misunderstood the settings in my router and thought that was the case with how I had it set. Internal to external port forwarding is under "Virtual Servers" in my router. All working now though!

Furthering my setup, I'm trying to get my reverse proxy set up for all my services. I did transmission first, removing .sample from the config name, restarting lets encrypt and it worked beautifully. However the second one I went to do was sonarr, and after removing .sample from the sonarr.subdomain.conf.sample and restarting letencrypt, the log started spamming this error:

 

nginx: [emerg] unexpected end of file, expecting "}" in /config/nginx/proxy-confs/sonarr.subdomain.conf:36

 

Which I can't really figure out why since the character it is asking for seems to be exactly where it should be and I haven't changed any settings on it:

 

# make sure that your dns has a cname set for sonarr and that your sonarr container is not using a base url

server {
    listen 443 ssl;

    server_name sonarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    
    # enable for ldap auth, fill in ldap details in ldap.conf 
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }
    
    location ^~ /api {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
}

Anyone know what is going on here? Also is there a way within letsencrypt to auto forward http to https? So if I type in transmission.mydomain.com it goes to https://transmission.mydomain.com ?

17 minutes ago, halorrr said:

Furthering my setup, I'm trying to get my reverse proxy set up for all my services. I did transmission first, removing .sample from the config name, restarting lets encrypt and it worked beautifully. However the second one I went to do was sonarr, and after removing .sample from the sonarr.subdomain.conf.sample and restarting letencrypt, the log started spamming this error:

 


nginx: [emerg] unexpected end of file, expecting "}" in /config/nginx/proxy-confs/sonarr.subdomain.conf:36

 

Which I can't really figure out why since the character it is asking for seems to be exactly where it should be and I haven't changed any settings on it:

 


# make sure that your dns has a cname set for sonarr and that your sonarr container is not using a base url

server {
    listen 443 ssl;

    server_name sonarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    
    # enable for ldap auth, fill in ldap details in ldap.conf 
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }
    
    location ^~ /api {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
}

Anyone know what is going on here? Also is there a way within letsencrypt to auto forward http to https? So if I type in transmission.mydomain.com it goes to https://transmission.mydomain.com ?

There should be one more } at the end of this config file to close the server section.

 

14 minutes ago, dstanley said:

There should be one more } at the end of this config file to close the server section.

 

Yup, that was my mistake. It's fixed in the next update

Perfect! Thanks for all your help! Any idea on if there a way within letsencrypt to auto forward http to https? So if I type in transmission.mydomain.com it goes to https://transmission.mydomain.com?

 

EDIT: Nevermind found it in the defaut file in the site-confs folder.

Edited by halorrr

On 9/11/2018 at 1:45 AM, aptalca said:

Post what you have. Either pastebin or screenshots where necessary. 

 

And also, are you going to https://ombi.domain.com

Yes I'm going to that url (where domain is my own domain).

 

Currently I'm trying this:

server {
	listen 80;
	server_name _;
    rewrite     ^   https://$host$request_uri? permanent;
}

server {
	listen 443 ssl;

	root /config/www;
	index index.html index.htm index.php;

	# Replace domain.com with my own domain
	server_name ombi.domain.com;

	# Removed just in case this is sensitive
	ssl_certificate LOCATION_REDACTED;    
	ssl_certificate_key LOCATION_REDACTED;    
	ssl_dhparam LOCATION_REDACTED;    
	ssl_ciphers 'CIPHER_REDACTED';
	ssl_prefer_server_ciphers on;

	add_header Strict-Transport-Security "max-age=31536000";


	client_max_body_size 0;

	location / {
		auth_basic off;    
		auth_basic_user_file /config/nginx/.htpasswd;
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.55:12345;	
	}
}

 

Can we run this docker in a custom bridge mode with a fixed IP address, i.e. not host?

11 hours ago, CyberMew said:

Yes I'm going to that url (where domain is my own domain).

 

Currently I'm trying this:


server {
	listen 80;
	server_name _;
    rewrite     ^   https://$host$request_uri? permanent;
}

server {
	listen 443 ssl;

	root /config/www;
	index index.html index.htm index.php;

	# Replace domain.com with my own domain
	server_name ombi.domain.com;

	# Removed just in case this is sensitive
	ssl_certificate LOCATION_REDACTED;    
	ssl_certificate_key LOCATION_REDACTED;    
	ssl_dhparam LOCATION_REDACTED;    
	ssl_ciphers 'CIPHER_REDACTED';
	ssl_prefer_server_ciphers on;

	add_header Strict-Transport-Security "max-age=31536000";


	client_max_body_size 0;

	location / {
		auth_basic off;    
		auth_basic_user_file /config/nginx/.htpasswd;
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.55:12345;	
	}
}

 

Try removing the auth basic lines

4 hours ago, surfshack66 said:

Can we run this docker in a custom bridge mode with a fixed IP address, i.e. not host?

You're not supposed to run it in host mode. 

 

Either bridge or custom bridge. I recommend "user defined bridge" 

8 hours ago, aptalca said:

You're not supposed to run it in host mode. 

 

Either bridge or custom bridge. I recommend "user defined bridge" 

Thanks. Just wanted to double check because I didn't see it defined explicitly on https://hub.docker.com/r/linuxserver/letsencrypt/

Has anyone had any luck setting up Let's Encrypt to work with Blue Iris and Stunnel?

 

I currently have Blue Iris and Stunnel working together (meaning I can port forward my stunnel port in my router and stunnel will redirect to the Blue Iris port, thus giving https). I was hoping to setup Let's Encrypt to work with Stunnel in order to use Let's Encrypts 443 port and close the Stunnel port to the world.

 

I have Let's Encrypt successfully working with Nextcloud. The next cloud config file is "letsencrypt\nginx\site-confs\nextcloud".

 

I was thinking that all I would have to do is copy the nextcloud config and rename it as follows: "letsencrypt\nginx\site-confs\blueiris" and I changed the new blue iris config to as follows:

 

server {
	listen 443 ssl;
	server_name fake.archedraft.server.name.org;

	root /config/www;
	index index.html index.htm index.php;
	
	###SSL Certificates
	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	
	###Diffie–Hellman key exchange ###
	ssl_dhparam /config/nginx/dhparams.pem;
	
	###SSL Ciphers
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	
	###Extra Settings###
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
	add_header Front-End-Https on;

	client_max_body_size 0;
	
	location /stunnel {
		proxy_pass https://192.168.1.105:8998/stunnel/;
		include /config/nginx/proxy.conf;
	}
	
}

When I restart the Let's Encrypt Docker and attempt to connect to https://fake.archedraft.server.name.org/stunnel - I revived the following message in my browser:

404 Not Found


nginx/1.14.0

 

Any ideas on what I am screwing up?

13 hours ago, aptalca said:

Try removing the auth basic lines

Removed, restarted docker, same issue, very weird

On 8/13/2018 at 6:52 AM, CHBMB said:

Namecheaps API isn't compatible with DNS Auth, I changed my DNS provider to Cloudflare and used their DNS plugin.

Sent from my Mi A1 using Tapatalk
 

Wish i would have read this before I just switched over to them. So is that still true? There's no way to use namecheap with letsencrypt?

I was getting

Detail: DNS problem: SERVFAIL looking up A for

in my letsencrypt log....is that because of namecheap?

 

I'm in the process of moving nameservers over to cloudfare. Ugh, everything was working perfectly before too. Glutton for punishment

Edited by ffhelllskjdje

It was true a month ago.  In reality it's only a five minute job to change the DNS to cloudflare.  No massive drama

It was true a month ago.  In reality it's only a five minute job to change the DNS to cloudflare.  No massive drama
I like drama!

Sent from my BND-L34 using Tapatalk

7 hours ago, archedraft said:

Has anyone had any luck setting up Let's Encrypt to work with Blue Iris and Stunnel?

 

 

For anyone wondering the answer is yes! I had to edit my let's encrypt config and made "blueiris" a sub domain. As soon as I changed that it started working immediately. I was also able to close my stunnel port forwarding rule in my router! Let's Encrypt is pretty cool stuff. 😎

 

server {
	listen 443 ssl;

	root /config/www;
	index index.html index.htm index.php;

	server_name blueiris.random.server.name.org;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

	location / {
		include /config/nginx/proxy.conf;
		proxy_pass  https://192.168.1.100:8777;	
#		NOTE: Port 8777 is the stunnel port number and not the blue iris http port number
	}
}

 

Edited by archedraft

Finally got mine to work, I had a previous 443 port forward rule pointing to another computer, no wonder connection was refused. However for some reason one of my subdomain cert is showing up as invalid, but no issues for the other 4 subdomains. Anyone has any idea why?

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.