L0rdRaiden, posted December 2, 2018:
@aptalca In addition to Modsecurity it would be nice to add authelia as well; it is a two-factor authentication solution that would secure anything you publish on the web.
https://www.authelia.com/
https://github.com/clems4ever/authelia
https://www.reddit.com/r/selfhosted/comments/7gv51h/simple_to_deploy_2fa_nginx_proxy/
Honestly I don't know how hard it would be to add Modsecurity or authelia and make it easy for less experienced users.
smdion, posted December 2, 2018 (edited):
8 hours ago, aptalca said:
    Not sure how duo works but ldap auth is already included. For radius, there is no alpine package in the repo.
Set the X-Ldap-URL to the server where you have Duo's Auth_Proxy installed and set up. You now have 2FA on all logins that are sent by the ldap-auth docker. ProxyCache/AuthCache needs to be enabled. Works great. Thanks!
Edited December 2, 2018 by smdion
aptalca, posted December 2, 2018:
3 hours ago, L0rdRaiden said:
    is available for nginx
    https://www.nginx.com/blog/compiling-and-installing-modsecurity-for-open-source-nginx/
    https://github.com/SpiderLabs/ModSecurity-nginx
No alpine package for the module.
vurt, posted December 3, 2018:
Hi, I noticed this warning in the log:
    nginx: [warn] could not build optimal proxy_headers_hash, you should increase either proxy_headers_hash_max_size: 512 or proxy_headers_hash_bucket_size: 64; ignoring proxy_headers_hash_bucket_size
Are "proxy_headers_hash_max_size" and "proxy_headers_hash_bucket_size" set in the file proxy.conf? Should I set both values? That seems to be the common thing to do. I've seen values of "proxy_headers_hash_max_size 512" and "proxy_headers_hash_max_size 51200", same with "proxy_headers_hash_bucket_size 64" and "proxy_headers_hash_bucket_size 6400"—which should I use? Thank you
mweis, posted December 3, 2018:
I am running the nextcloud container and the letsencrypt container from linuxserver.io. I am using letsencrypt with nginx as a reverse proxy. The container provides standard configs for most docker containers such as nextcloud; the files can be found in "\appdata\letsencrypt\nginx\proxy-confs". I have created my own subdomain for the office server but I can't reach it. I only land on the page "welcome to nginx".
    server {
        listen 443 ssl;
        server_name office.*;
        include /config/nginx/ssl.conf;
        client_max_body_size 0;
        location / {
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_OnlyOfficeDocumentServer OnlyOfficeDocumentServer;
            proxy_pass http://$upstream_OnlyOfficeDocumentServer:443;
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
I have downloaded the nextcloud plugin "ONLYOFFICE" and have entered my subdomain into the field for the service address. But it always says "error on connect", bad request or timeout. Can't figure out where my failure is... thanks in advance.
aptalca, posted December 3, 2018:
5 hours ago, mweis said:
    I am running the nextcloud container and the letsencrypt container from linuxserver.io. I am using letsencrypt with nginx as a reverse proxy. The container provides standard configs for most docker containers such as nextcloud; the files can be found in "\appdata\letsencrypt\nginx\proxy-confs". I have created my own subdomain for the office server but I can't reach it. I only land on the page "welcome to nginx".
        server {
            listen 443 ssl;
            server_name office.*;
            include /config/nginx/ssl.conf;
            client_max_body_size 0;
            location / {
                include /config/nginx/proxy.conf;
                resolver 127.0.0.11 valid=30s;
                set $upstream_OnlyOfficeDocumentServer OnlyOfficeDocumentServer;
                proxy_pass http://$upstream_OnlyOfficeDocumentServer:443;
                proxy_redirect off;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-Forwarded-Host $server_name;
                proxy_set_header X-Forwarded-Proto $scheme;
            }
        }
    I have downloaded the nextcloud plugin "ONLYOFFICE" and have entered my subdomain into the field for the service address. But it always says "error on connect", bad request or timeout. Can't figure out where my failure is... thanks in advance.
Use only lowercase in container names, otherwise nginx can't resolve them.
mweis, posted December 3, 2018:
Yep, I already figured this out, but also the onlyoffice docker can only be run in host mode, so I actually have no solution for this.
dannyo13, posted December 3, 2018:
I'm not sure if this is the right place, or if it's even that helpful, but the latest letsencrypt container update wrecked unraid temporarily for me. Could be unrelated, but after the update a bunch of settings went factory and ALL containers got turned off. A reboot seemed to bring everything back up ok. I know this isn't much to go off of, but if there is somewhere you want me to look for logs let me know.
trurl, posted December 3, 2018:
28 minutes ago, dannyo13 said:
    Could be unrelated ... I know this isn't much to go off of but if there is some where you want me to look for logs let me know.
If it happens again go to Tools - Diagnostics and post the complete diagnostics zip. Your symptoms sound more like your flash dropping connection.
aptalca, posted December 3, 2018:
5 hours ago, mweis said:
    Yep, I already figured this out, but also the onlyoffice docker can only be run in host mode, so I actually have no solution for this.
Is the host ip/port in the proxy pass directive?
Ayefly, posted December 4, 2018:
I just set up Letsencrypt using spaceinvaders video and a custom domain. It is working, but I want to simplify connecting to the calibre opds server. Currently, I have to configure my ebook reader to connect to https://calibre."myserver".net/opds. nginx is configured so that https://calibre."myserver".net is essentially redirected to "server ip":8083. When I try to configure the calibre nginx conf file so that calibre."myserver".net is redirected to "server ip:8083/opds", my epub program will connect and show the categories available, but nothing appears when I click them. How can I configure my conf file to redirect to the port and path, so I don't have to type in the /opds when setting up a new device, and just type in calibre.myserver.net?
aptalca, posted December 5, 2018:
10 hours ago, Ayefly said:
    I just set up Letsencrypt using spaceinvaders video and a custom domain. It is working, but I want to simplify connecting to the calibre opds server. Currently, I have to configure my ebook reader to connect to https://calibre."myserver".net/opds. nginx is configured so that https://calibre."myserver".net is essentially redirected to "server ip":8083. When I try to configure the calibre nginx conf file so that calibre."myserver".net is redirected to "server ip:8083/opds", my epub program will connect and show the categories available, but nothing appears when I click them. How can I configure my conf file to redirect to the port and path, so I don't have to type in the /opds when setting up a new device, and just type in calibre.myserver.net?
I think you mean proxy and not redirect (they have very different meanings for webservers). If you post your config we'll take a look.
tillkrueger, posted December 5, 2018:
Since this question has probably been answered before, could anyone point me toward instructions for how to set up the database for Wordpress before installing WP on letsencrypt? Also, how do I move the www folder out of the cache drive (where my appdata folder currently resides) onto the protected array?
tillkrueger, posted December 5, 2018:
After some searching, I found references that suggested the mariaDB docker, and instructions on how to configure it and set up a database via terminal:
https://technicalramblings.com/blog/how-to-set-up-a-wordpress-site-with-letsencrypt-and-mariadb-on-unraid/
It really made me sweat to do this, knowing so pathetically little about terminal commands and just blindly following instructions, then getting an error about it not being able to find/connect to the database (I used "localhost") until just taking a chance with using the VPN assigned IP address and the port I set up as per the instructions. I am now happy to report that I was able to install Wordpress and log into its admin panel... so far so good!
UntouchedWagons, posted December 6, 2018:
Hi there, could you please add proxy-conf files for Ubooquity? Thanks
Gog, posted December 6, 2018:
2 hours ago, UntouchedWagons said:
    Hi there, could you please add proxy-conf files for Ubooquity? Thanks
\appdata\letsencrypt\nginx\proxy-confs\ubooquity.subfolder.conf
    location /ubooquity {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        proxy_pass http://192.168.1.111:2202/ubooquity;
        proxy_set_header Host $host;
    }
It's not using the custom network interface but that works for me.
Ayefly, posted December 6, 2018:
On 12/4/2018 at 10:25 PM, aptalca said:
    I think you mean proxy and not redirect (they have very different meanings for webservers). If you post your config we'll take a look.
    # make sure that your dns has a cname set for calibre
    server {
        listen 443 ssl;
        server_name calibre.*;
        include /config/nginx/ssl.conf;
        client_max_body_size 0;
        # enable for ldap auth, fill in ldap details in ldap.conf
        #include /config/nginx/ldap.conf;
        location / {
            # enable the next two lines for http auth
            #auth_basic "Restricted";
            #auth_basic_user_file /config/nginx/.htpasswd;
            # enable the next two lines for ldap auth
            #auth_request /auth;
            #error_page 401 =200 /login;
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_calibre calibre-web;
            proxy_pass http://$upstream_calibre:8083;
        }
    }
That's what I am using, and it works to access https://calibre."myserver".net/opds from the internet. Note that I have to remember to add the /opds for calibre, or /opds-comics for ubooquity, when I set them up in their apps. When I change proxy_pass http://$upstream_calibre:8083 to http://$upstream_calibre:8083/opds, my epub reader will show the book categories when I connect, but not the contents of each.
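An added model (not code from the linuxserver.io configs or from anyone in this thread) of the proxy_pass URI rules behind both Gog's /ubooquity subfolder config and the /opds change Ayefly describes: it shows why appending /opds to a variable-based proxy_pass collapses every request onto the root feed, while the subfolder form keeps the path intact. The /opds/books and /ubooquity/comics request paths and the `location = /` redirect variant are assumptions for illustration.

```python
"""How nginx rewrites the request URI for each proxy_pass form in this thread.
Rules are taken from the nginx proxy_pass documentation; the feed paths used
as sample requests are constructed (Calibre-Web's real OPDS paths are not on
the page)."""
from urllib.parse import urlsplit


def upstream_uri(location: str, proxy_pass: str, request_uri: str) -> str:
    """URI nginx forwards for a request that matched the prefix `location`.

    1. proxy_pass without a URI part: the request URI is forwarded unchanged.
    2. proxy_pass with a URI part and a variable in the address: the URI part
       replaces the whole request URI, whatever the client asked for.
    3. proxy_pass with a URI part and no variable: only the part of the
       request URI that matched the location is replaced by that URI part.
    """
    target = urlsplit(proxy_pass)
    if target.path == "":            # e.g. http://$upstream_calibre:8083
        return request_uri
    if "$" in target.netloc:         # e.g. http://$upstream_calibre:8083/opds
        return target.path
    return target.path + request_uri[len(location):]


# (location, proxy_pass, request URI) for the configs posted in the thread;
# the request is an OPDS client following a category link from the root feed.
THREAD_CASES = {
    "ayefly_working": ("/", "http://$upstream_calibre:8083", "/opds/books"),
    "ayefly_broken": ("/", "http://$upstream_calibre:8083/opds", "/opds/books"),
    "gog_ubooquity": ("/ubooquity", "http://192.168.1.111:2202/ubooquity", "/ubooquity/comics"),
    "dstanley_ubooquity": ("/ubooquity", "http://$upstream_ubooquity:2202", "/ubooquity/comics"),
}


def forwarded() -> dict:
    """Upstream URI each posted config produces for its sample request."""
    return {name: upstream_uri(*case) for name, case in THREAD_CASES.items()}


def redirect_root(request_uri: str, feed_path: str = "/opds") -> tuple:
    """Model of adding `location = / { return 302 /opds; }` next to the
    working `location /` proxy block (assumed alternative, not posted in
    the thread): nginx prefers the exact-match location, so only the bare
    hostname is redirected to the feed; every other path is proxied as is."""
    if request_uri == "/":
        return 302, feed_path
    return 200, upstream_uri("/", "http://$upstream_calibre:8083", request_uri)


if __name__ == "__main__":
    for name, uri in forwarded().items():
        print(f"{name:20s} -> {uri}")
    print(redirect_root("/"), redirect_root("/opds/books"))
```

In the broken case every category link the reader follows is turned back into /opds, which is why the categories render but their contents never do.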
dstanley, posted December 6, 2018:
13 hours ago, UntouchedWagons said:
    Hi there, could you please add proxy-conf files for Ubooquity? Thanks
Here is my config:
\appdata\letsencrypt\nginx\proxy-confs\ubooquity.subfolder.conf
    # ubooquity already uses the base url /ubooquity by default so you don't need to do anything extra
    location /ubooquity {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;
        # enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
        #auth_request /auth-0;
        #error_page 401 =200 /login;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ubooquity ubooquity;
        proxy_pass http://$upstream_ubooquity:2202;
    }
This is using the custom network feature and domain redirect ...
UntouchedWagons, posted December 6, 2018:
Based on the two previous solutions, I came up with a config for a subdomain-based setup:
    server {
        listen 443 ssl;
        server_name ubooquity.*;
        include /config/nginx/ssl.conf;
        client_max_body_size 0;
        location / {
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_ubooquity ubooquity;
            proxy_max_temp_file_size 2048m;
            proxy_pass http://$upstream_ubooquity:2202;
        }
    }
jthacker48, posted December 8, 2018:
I am having issues failing the cert authorization. I believe it is due to my domain host (Google Domains) but I'm unsure.
    Router: Google Wifi
    Domain: mydomain.com
    Subdomain: server.mydomain.com (directed to my ip address)
    Port Forward http: External 80 to Internal 180
    Port Forward https: External 443 to Internal 1443
When I check the logs, I get a "can't connect" error that is likely due to port forwarding or dns. I do not believe it is a port forwarding error as I've changed the port forwards to (80 to 80) and (443 to 443) just to see if I can access the Unraid server from outside my network using server.mydomain.com, and that works fine. When I have the ports forwarded to 180 and 1443 and go to server.mydomain.com, it automatically tries to use https. Is it possible that Google Domains is automatically directing traffic to https and in turn not allowing my certs to be authorized? If so, is there a way around it?
aptalca, posted December 8, 2018:
9 hours ago, jthacker48 said:
    I am having issues failing the cert authorization. I believe it is due to my domain host (Google Domains) but I'm unsure.
        Router: Google Wifi
        Domain: mydomain.com
        Subdomain: server.mydomain.com (directed to my ip address)
        Port Forward http: External 80 to Internal 180
        Port Forward https: External 443 to Internal 1443
    When I check the logs, I get a "can't connect" error that is likely due to port forwarding or dns. I do not believe it is a port forwarding error as I've changed the port forwards to (80 to 80) and (443 to 443) just to see if I can access the Unraid server from outside my network using server.mydomain.com, and that works fine. When I have the ports forwarded to 180 and 1443 and go to server.mydomain.com, it automatically tries to use https. Is it possible that Google Domains is automatically directing traffic to https and in turn not allowing my certs to be authorized? If so, is there a way around it?
Do "docker ps" and post the line containing letsencrypt.
jeiroq, posted December 9, 2018 (edited):
9 hours ago, aptalca said:
    Do "docker ps" and post the line containing letsencrypt.
Honestly, I'm having a similar issue on a fresh install using Google Domains as well. I can't get nginx to show the "welcome" page to show the container working. I've been banging my head for the past day on this. I have also tried just using 192.168.1.10:180 (local IP) to no avail here.
    root@Apollo:~# docker ps
    CONTAINER ID   IMAGE                    COMMAND   CREATED          STATUS         PORTS                                          NAMES
    aed87507ede6   linuxserver/letsencrypt  "/init"   25 minutes ago   Up 2 minutes   0.0.0.0:180->80/tcp, 0.0.0.0:1443->443/tcp     letsencrypt
My log shows "Server ready" and that the certificate exists, however nothing passes through. My port forwards are set up correctly (EdgeRouter, port 80, going to server IP > 180, port 443 going to server IP > 1443) which matches docker ps for the ports. I edited email and domain names for the screenshot of container settings. I have checked that my site is pointing to my correct public address by changing to other containers' ports with port forward (port 80, going to server IP > 3579 (Ombi)) and a few others as well, and these were all successful. Any ideas?
Edited December 9, 2018 by jeiroq: Additional info for diagnosing.
jthacker48, posted December 9, 2018 (edited):
8 hours ago, aptalca said:
    Do "docker ps" and post the line containing letsencrypt.
Here are the docker ps results:
Here are the logs from LetsEncrypt docker:
Edited December 9, 2018 by jthacker48
aptalca, posted December 9, 2018:
10 hours ago, jeiroq said:
    Honestly, I'm having a similar issue on a fresh install using Google Domains as well. I can't get nginx to show the "welcome" page to show the container working. I've been banging my head for the past day on this. I have also tried just using 192.168.1.10:180 (local IP) to no avail here.
        root@Apollo:~# docker ps
        CONTAINER ID   IMAGE                    COMMAND   CREATED          STATUS         PORTS                                          NAMES
        aed87507ede6   linuxserver/letsencrypt  "/init"   25 minutes ago   Up 2 minutes   0.0.0.0:180->80/tcp, 0.0.0.0:1443->443/tcp     letsencrypt
    My log shows "Server ready" and that the certificate exists, however nothing passes through. My port forwards are set up correctly (EdgeRouter, port 80, going to server IP > 180, port 443 going to server IP > 1443) which matches docker ps for the ports. I edited email and domain names for the screenshot of container settings. I have checked that my site is pointing to my correct public address by changing to other containers' ports with port forward (port 80, going to server IP > 3579 (Ombi)) and a few others as well, and these were all successful. Any ideas?
Post a log.
aptalca, posted December 9, 2018:
9 hours ago, jthacker48 said:
    Here are the docker ps results:
    Here are the logs from LetsEncrypt docker:
Make sure that your ip is set correctly on your dns provider and that there is a cname created and set up for the "server" subdomain. If all looks good, you can try stopping the letsencrypt container, create an nginx container with the same exact port mapping, and see if you can reach it through the domain and ports 80 and 443.
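Before swapping in a plain nginx container as aptalca suggests, the port chain itself can be checked on paper. This added script (not part of the linuxserver.io container) parses the PORTS column from jeiroq's docker ps output and follows router forward -> Unraid host port -> container port for the two ports the setup needs; it assumes, as that docker ps line shows, that nginx listens on 80 and 443 inside the container.

```python
"""Walk the port chain from this thread (router forward -> Unraid host port ->
container port) using the docker ps PORTS column. Added as an example; the
router forwards and the docker ps line are the values posted in the thread."""
import re

# Sample values from the thread: jeiroq's docker ps PORTS column and the
# external->internal forwards both posters described.
DOCKER_PS_PORTS = "0.0.0.0:180->80/tcp, 0.0.0.0:1443->443/tcp"
ROUTER_FORWARDS = {80: 180, 443: 1443}

# one published port: "<bind address>:<host port>-><container port>/<proto>"
_PORT_RE = re.compile(r":(?P<host>\d+)->(?P<ctr>\d+)/(?P<proto>tcp|udp)")


def parse_docker_ports(ports: str) -> dict:
    """Host port -> container port for the tcp publications in a PORTS column."""
    return {int(m["host"]): int(m["ctr"])
            for m in _PORT_RE.finditer(ports) if m["proto"] == "tcp"}


def check_chain(forwards: dict, docker_ports: dict, needed=(80, 443)) -> list:
    """Follow external -> host -> container for each port the setup needs
    (80 for the Let's Encrypt HTTP validation, 443 for HTTPS). Returns a list
    of breaks; an empty list means the mapping is consistent and the fault
    has to be elsewhere (DNS record, router, or the container itself)."""
    problems = []
    for ext in needed:
        host = forwards.get(ext)
        if host is None:
            problems.append(f"router: external port {ext} is not forwarded")
            continue
        ctr = docker_ports.get(host)
        if ctr is None:
            problems.append(f"docker: host port {host} (external {ext}) is not published")
        elif ctr != ext:
            problems.append(f"docker: external {ext} -> host {host} -> container {ctr}, expected {ext}")
    return problems


if __name__ == "__main__":
    print(check_chain(ROUTER_FORWARDS, parse_docker_ports(DOCKER_PS_PORTS)) or "chain OK")
```

For the values in the thread the chain comes back clean, which is consistent with aptalca pointing at the DNS record and the subdomain's CNAME next.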