Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)

Featured Replies

48 minutes ago, izarkhin said:

HI guys,

 

My certificate fails to renew. I have a free DuckDNS account that worked just fine before. I verified that the account is valid and has the correct IP address. What could be the problem? The config and the log files are attached.

 

Thanks!

[removed].duckdns.org.conf 1015 B · 0 downloads letsencrypt.log 3.05 kB · 0 downloads

Never mind! Turns out I needed to open port 80 for the challenge to work. All fine now.

  • Replies 6.2k
  • Views 1.5m
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • Confirming this worked for me too. Not sure I needed to replace both, but I did anyway and Swag and Nextcloud are both back and up and running. For noobs like me, here's what I did: 1. Stop

  • I will only post this once. Feel free to refer folks to this post.   A few points of clarification:   The last update of this image didn't break things. Letsencrypt abruptly disabl

  • BigBoyMarky
    BigBoyMarky

    I replaced both the ssl.conf and nginx.conf files with the sample ones to update them since I did not make any custom modifications to either one of those and this resolved my issue.

Posted Images

did anyone ever manage to get a nginx subdomain proxy setup with bitnami's phpbb that you wouldn't mind sharing?

I've set up Letsencrypt/nginx wildcard on an unraid docker with my own domain.  Letsencrypt certificates appear to download fine. I've got sonarr, radarr and a few more subdomains edited and renamed in proxy-confs. Letsencrypt docker opens and ends in "Server ready." Domain.me and anything.domain.me resolve to correct IP.

 

But nothing opens. https://sonarr.domain.me et all are unable to establish a connection to the server, even though sonarr.domain.me pings correctly (to the WAN address). I suspect a config issue, but where?

7 hours ago, madaroda said:

I've set up Letsencrypt/nginx wildcard on an unraid docker with my own domain.  Letsencrypt certificates appear to download fine. I've got sonarr, radarr and a few more subdomains edited and renamed in proxy-confs. Letsencrypt docker opens and ends in "Server ready." Domain.me and anything.domain.me resolve to correct IP.

 

But nothing opens. https://sonarr.domain.me et all are unable to establish a connection to the server, even though sonarr.domain.me pings correctly (to the WAN address). I suspect a config issue, but where?

Try following this https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

Hey guys. I have followed this site to create a website using Wordpress but when i go to the https://servername.com it goes to my nextcloud. However, when i go to https://www.servername.com it gives me this site can be reached. Can someone help me figure out the issue please? i am using the EXTRA_DOMAIN parameters and i dont see the name of the domain i use on the logs. I only see the others from my DNS provider.

Edited by Tucubanito07

40 minutes ago, Tucubanito07 said:

Hey guys. I have followed this site to create a website using Wordpress but when i go to the https://servername.com it goes to my nextcloud. However, when i go to https://www.servername.com it gives me this site can be reached. Can someone help me figure out the issue please? i am using the EXTRA_DOMAIN parameters and i dont see the name of the domain i use on the logs. I only see the others from my DNS provider.

Post what you changed/tried to make it work and we'll take a look

3 minutes ago, aptalca said:

Post what you changed/tried to make it work and we'll take a look

Thank you so much @aptalca This config is the one that this guide said to use. https://technicalramblings.com/blog/how-to-set-up-a-wordpress-site-with-letsencrypt-and-mariadb-on-unraid/

 

# REDIRECT WWW TO https://[domain.com]
server {
 listen 80;
 listen 443 ssl http2;
 server_name www.domainname.com; 
 return 301 https://domainnamecom$request_uri;
}

# REDIRECT HTTP TRAFFIC TO https://[domain.com]
server {
    listen 80;
    server_name domainname.com; 
    return 301 https://domainname.com$request_uri;
}

# BLOG SITE
server {
 listen 443 ssl http2;
 server_name domainname.com;

## Source: https://github.com/1activegeek/nginx-config-collection
## READ THE COMMENT ON add_header X-Frame-Options AND add_header Content-Security-Policy IF YOU USE THIS ON A SUBDOMAIN YOU WANT TO IFRAME!

## Certificates from LE container placement
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

## Strong Security recommended settings per cipherli.st
ssl_dhparam /config/nginx/dhparams.pem; # Bit value: 4096
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;

## NOTE: The add_header Content-Security-Policy won't work with duckdns since you don't own the root domain. Just buy a domain. It's cheap
## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com)

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; #SET THIS TO index IF YOU WANT GOOGLE TO INDEX YOU SITE!
add_header Content-Security-Policy "frame-ancestors https://*.$server_name https://$server_name"; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!
add_header X-Frame-Options "ALLOW-FROM https://*.$server_name" always; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!
add_header Referrer-Policy "strict-origin-when-cross-origin";

add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
#FEATURE POLICY: READ MORE HERE: https://scotthelme.co.uk/a-new-security-header-feature-policy/

proxy_cookie_path / "/; HTTPOnly; Secure"; ##NOTE: This may cause issues with unifi. Remove HTTPOnly; or create another ssl config for unifi.
more_set_headers "Server: Classified";
more_clear_headers 'X-Powered-By';
 
 client_max_body_size 0; 
 
 root /config/www/wordpress/;
 index index.html index.php;
  
location ~ /\. {
deny all;

location / {
try_files $uri $uri/ /index.php?_url=$uri&$query_string; 
}

 
# PHP
 location ~ \.php$ {
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 # With php7-cgi alone:
 fastcgi_pass 127.0.0.1:9000;
 # With php7-fpm:
 #fastcgi_pass unix:/var/run/php7-fpm.sock;
 fastcgi_index index.php;
 include /etc/nginx/fastcgi_params;
 }
 
 fastcgi_buffer_size 4K;
 fastcgi_buffers 64 4k; 
}

 

So i dont think that one is the one working. I copied the nextcloud config file and changed the name of the site server and also the app name. I believe this one is the ones that is working. Since it had nextcloud i changed it to WordPress and now i get a 502 Bad Gateway. Here is that config.

 

# make sure that your dns has a cname set for nextcloud
# assuming this container is called "letsencrypt", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
#  'trusted_proxies' => ['letsencrypt'],
#  'overwrite.cli.url' => 'https://nextcloud.your-domain.com/',
#  'overwritehost' => 'nextcloud.your-domain.com',
#  'overwriteprotocol' => 'https',
#
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
#  array (
#    0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
#    1 => 'nextcloud.your-domain.com',
#  ),

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name mydomainname.com;

    include /config/nginx/ssl.conf;

    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app WordPress;
        set $upstream_port 443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_max_temp_file_size 2048m;
    }
}
 

This is how the container looks

 image.thumb.png.75b7397344e8df54950a9a18d32919e8.png

 

The logs look like this. I dont see the domain i own with google on the EXTRA_DOMAIN parameters.

image.thumb.png.dd635f234231d4412e41f75589063758.png

You have probably used the wrong name for the variable. It's EXTRA_DOMAINS.

Show us how it looks like if you click Edit on Extra domain.

 

And please use the code tag if you insert config files or else it's a pain to read them.

 

Like this

Much easier to read for our sore eyes

 

Edited by saarg

18 minutes ago, saarg said:

You have probably used the wrong name for the variable. It's EXTRA_DOMAINS.

Show us how it looks like if you click Edit on Extra domain.

 

And please use the code tag if you insert config files or else it's a pain to read them.

 


Like this

Much easier to read for our sore eyes

 

Ok so i was missing the S in EXTRA_DOMAINS i had EXTRA_DOMAIN. I do see that my domain on the logs does not have an error. Before i was doing domainname.com,www.domainname.com. The www.domainname.com was the one throwing an error. I delete it. Now i have been trying other configs like the ones above and grrr. 

This is the config i am using under letsencrypt/nginx/proxy-confs/

 

# REDIRECT WWW TO https://[domain.com]
server {
 listen 80;
 listen 443 ssl http2;
 server_name www.domainame.com; 
 return 301 https://domainame.com$request_uri;
}

# REDIRECT HTTP TRAFFIC TO https://[domain.com]
server {
    listen 80;
    server_name domainame.com; 
    return 301 https://domainame.com$request_uri;
}

# BLOG SITE
server {
 listen 443 ssl http2;
 server_name domainame.com;

## Source: https://github.com/1activegeek/nginx-config-collection
## READ THE COMMENT ON add_header X-Frame-Options AND add_header Content-Security-Policy IF YOU USE THIS ON A SUBDOMAIN YOU WANT TO IFRAME!

## Certificates from LE container placement
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

## Strong Security recommended settings per cipherli.st
ssl_dhparam /config/nginx/dhparams.pem; # Bit value: 4096
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;

## NOTE: The add_header Content-Security-Policy won't work with duckdns since you don't own the root domain. Just buy a domain. It's cheap
## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com)

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; #SET THIS TO index IF YOU WANT GOOGLE TO INDEX YOU SITE!
add_header Content-Security-Policy "frame-ancestors https://*.$server_name https://$server_name"; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!
add_header X-Frame-Options "ALLOW-FROM https://*.$server_name" always; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!
add_header Referrer-Policy "strict-origin-when-cross-origin";

add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
#FEATURE POLICY: READ MORE HERE: https://scotthelme.co.uk/a-new-security-header-feature-policy/

proxy_cookie_path / "/; HTTPOnly; Secure"; ##NOTE: This may cause issues with unifi. Remove HTTPOnly; or create another ssl config for unifi.
more_set_headers "Server: Classified";
more_clear_headers 'X-Powered-By';
 
 client_max_body_size 0; 
 
 root /config/www/wordpress/;
 index index.html index.php;
  
location ~ /\. {
deny all;

location / {
try_files $uri $uri/ /index.php?_url=$uri&$query_string; 
}

 
# PHP
 location ~ \.php$ {
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 # With php7-cgi alone:
 fastcgi_pass 127.0.0.1:9000;
 # With php7-fpm:
 #fastcgi_pass unix:/var/run/php7-fpm.sock;
 fastcgi_index index.php;
 include /etc/nginx/fastcgi_params;
 }
 
 fastcgi_buffer_size 4K;
 fastcgi_buffers 64 4k; 
}

56 minutes ago, Tucubanito07 said:

This is the config i am using under letsencrypt/nginx/proxy-confs/

 

# REDIRECT WWW TO https://[domain.com]
server {
 listen 80;
 listen 443 ssl http2;
 server_name www.domainame.com; 
 return 301 https://domainame.com$request_uri;
}

# REDIRECT HTTP TRAFFIC TO https://[domain.com]
server {
    listen 80;
    server_name domainame.com; 
    return 301 https://domainame.com$request_uri;
}

# BLOG SITE
server {
 listen 443 ssl http2;
 server_name domainame.com;

## Source: https://github.com/1activegeek/nginx-config-collection
## READ THE COMMENT ON add_header X-Frame-Options AND add_header Content-Security-Policy IF YOU USE THIS ON A SUBDOMAIN YOU WANT TO IFRAME!

## Certificates from LE container placement
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

## Strong Security recommended settings per cipherli.st
ssl_dhparam /config/nginx/dhparams.pem; # Bit value: 4096
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;

## NOTE: The add_header Content-Security-Policy won't work with duckdns since you don't own the root domain. Just buy a domain. It's cheap
## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com)

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; #SET THIS TO index IF YOU WANT GOOGLE TO INDEX YOU SITE!
add_header Content-Security-Policy "frame-ancestors https://*.$server_name https://$server_name"; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!
add_header X-Frame-Options "ALLOW-FROM https://*.$server_name" always; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!
add_header Referrer-Policy "strict-origin-when-cross-origin";

add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
#FEATURE POLICY: READ MORE HERE: https://scotthelme.co.uk/a-new-security-header-feature-policy/

proxy_cookie_path / "/; HTTPOnly; Secure"; ##NOTE: This may cause issues with unifi. Remove HTTPOnly; or create another ssl config for unifi.
more_set_headers "Server: Classified";
more_clear_headers 'X-Powered-By';
 
 client_max_body_size 0; 
 
 root /config/www/wordpress/;
 index index.html index.php;
  
location ~ /\. {
deny all;

location / {
try_files $uri $uri/ /index.php?_url=$uri&$query_string; 
}

 
# PHP
 location ~ \.php$ {
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 # With php7-cgi alone:
 fastcgi_pass 127.0.0.1:9000;
 # With php7-fpm:
 #fastcgi_pass unix:/var/run/php7-fpm.sock;
 fastcgi_index index.php;
 include /etc/nginx/fastcgi_params;
 }
 
 fastcgi_buffer_size 4K;
 fastcgi_buffers 64 4k; 
}

Learn how to put the config in a code tag!

Don't we already have a wordpress proxy-conf?

3 minutes ago, saarg said:

Learn how to put the config in a code tag!

Don't we already have a wordpress proxy-conf?

I don't see in under proxy-conf. That is where i looked first before asking and i don't see anything. What do you mean by putting a config in a code tag?

3 minutes ago, Tucubanito07 said:

I don't see in under proxy-conf. That is where i looked first before asking and i don't see anything. What do you mean by putting a config in a code tag?

Look a couple of posts up. I already asked you to do it there.

 

I thought we had one, but no we don't have a proxy-conf for it.

4 minutes ago, saarg said:

Look a couple of posts up. I already asked you to do it there.

 

I thought we had one, but no we don't have a proxy-conf for it.

Yea you guys don't have one. Now, when you say look a couple of posts up i dont see where you said to try anything.

Just now, Tucubanito07 said:

Yea you guys don't have one. Now, when you say look a couple of posts up i dont see where you said to try anything.

 

Screenshot_20200517-211010.png

5 minutes ago, saarg said:

 

Screenshot_20200517-211010.png

I have already resolve the problem with not getting the certificate. I only need to point the NGINX to the wordpress domain so people can see the site. I know on nextcloud they have a config file we have to change to connect to reverse proxy. However, i dont see a config file in wordpress. 

This is the config i am using under letsencrypt/nginx/proxy-confs/

 

# REDIRECT WWW TO https://[domain.com]
server {
 listen 80;
 listen 443 ssl http2;
 server_name www.domainame.com; 
 return 301 https://domainame.com$request_uri;
}

# REDIRECT HTTP TRAFFIC TO https://[domain.com]
server {
    listen 80;
    server_name domainame.com; 
    return 301 https://domainame.com$request_uri;
}

# BLOG SITE
server {
 listen 443 ssl http2;
 server_name domainame.com;

## Source: https://github.com/1activegeek/nginx-config-collection
## READ THE COMMENT ON add_header X-Frame-Options AND add_header Content-Security-Policy IF YOU USE THIS ON A SUBDOMAIN YOU WANT TO IFRAME!

## Certificates from LE container placement
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

## Strong Security recommended settings per cipherli.st
ssl_dhparam /config/nginx/dhparams.pem; # Bit value: 4096
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;

## NOTE: The add_header Content-Security-Policy won't work with duckdns since you don't own the root domain. Just buy a domain. It's cheap
## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com)

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; #SET THIS TO index IF YOU WANT GOOGLE TO INDEX YOU SITE!
add_header Content-Security-Policy "frame-ancestors https://*.$server_name https://$server_name"; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!
add_header X-Frame-Options "ALLOW-FROM https://*.$server_name" always; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!
add_header Referrer-Policy "strict-origin-when-cross-origin";

add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
#FEATURE POLICY: READ MORE HERE: https://scotthelme.co.uk/a-new-security-header-feature-policy/

proxy_cookie_path / "/; HTTPOnly; Secure"; ##NOTE: This may cause issues with unifi. Remove HTTPOnly; or create another ssl config for unifi.
more_set_headers "Server: Classified";
more_clear_headers 'X-Powered-By';
 
 client_max_body_size 0; 
 
 root /config/www/wordpress/;
 index index.html index.php;
  
location ~ /\. {
deny all;
} 
location / {
try_files $uri $uri/ /index.php?_url=$uri&$query_string; 
}

 
# PHP
 location ~ \.php$ {
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 # With php7-cgi alone:
 fastcgi_pass 127.0.0.1:9000;
 # With php7-fpm:
 #fastcgi_pass unix:/var/run/php7-fpm.sock;
 fastcgi_index index.php;
 include /etc/nginx/fastcgi_params;
 }
 
 fastcgi_buffer_size 4K;
 fastcgi_buffers 64 4k; 
}

When you say tag do you mean like this? @saarg

29 minutes ago, Tucubanito07 said:

This is the config i am using under letsencrypt/nginx/proxy-confs/

 

# REDIRECT WWW TO https://[domain.com]
server {
 listen 80;
 listen 443 ssl http2;
 server_name www.domainame.com; 
 return 301 https://domainame.com$request_uri;
}

# REDIRECT HTTP TRAFFIC TO https://[domain.com]
server {
    listen 80;
    server_name domainame.com; 
    return 301 https://domainame.com$request_uri;
}

# BLOG SITE
server {
 listen 443 ssl http2;
 server_name domainame.com;

## Source: https://github.com/1activegeek/nginx-config-collection
## READ THE COMMENT ON add_header X-Frame-Options AND add_header Content-Security-Policy IF YOU USE THIS ON A SUBDOMAIN YOU WANT TO IFRAME!

## Certificates from LE container placement
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

## Strong Security recommended settings per cipherli.st
ssl_dhparam /config/nginx/dhparams.pem; # Bit value: 4096
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;

## NOTE: The add_header Content-Security-Policy won't work with duckdns since you don't own the root domain. Just buy a domain. It's cheap
## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com)

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; #SET THIS TO index IF YOU WANT GOOGLE TO INDEX YOU SITE!
add_header Content-Security-Policy "frame-ancestors https://*.$server_name https://$server_name"; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!
add_header X-Frame-Options "ALLOW-FROM https://*.$server_name" always; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!
add_header Referrer-Policy "strict-origin-when-cross-origin";

add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
#FEATURE POLICY: READ MORE HERE: https://scotthelme.co.uk/a-new-security-header-feature-policy/

proxy_cookie_path / "/; HTTPOnly; Secure"; ##NOTE: This may cause issues with unifi. Remove HTTPOnly; or create another ssl config for unifi.
more_set_headers "Server: Classified";
more_clear_headers 'X-Powered-By';
 
 client_max_body_size 0; 
 
 root /config/www/wordpress/;
 index index.html index.php;
  
location ~ /\. {
deny all;
} 
location / {
try_files $uri $uri/ /index.php?_url=$uri&$query_string; 
}

 
# PHP
 location ~ \.php$ {
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 # With php7-cgi alone:
 fastcgi_pass 127.0.0.1:9000;
 # With php7-fpm:
 #fastcgi_pass unix:/var/run/php7-fpm.sock;
 fastcgi_index index.php;
 include /etc/nginx/fastcgi_params;
 }
 
 fastcgi_buffer_size 4K;
 fastcgi_buffers 64 4k; 
}

When you say tag do you mean like this? @saarg

Finally 😁

2 minutes ago, saarg said:

Finally 😁

I apologize. I didnt know what you meant.

8 hours ago, Tucubanito07 said:

This is the config i am using under letsencrypt/nginx/proxy-confs/

 

# REDIRECT WWW TO https://[domain.com]
server {
 listen 80;
 listen 443 ssl http2;
 server_name www.domainame.com; 
 return 301 https://domainame.com$request_uri;
}

# REDIRECT HTTP TRAFFIC TO https://[domain.com]
server {
    listen 80;
    server_name domainame.com; 
    return 301 https://domainame.com$request_uri;
}

# BLOG SITE
server {
 listen 443 ssl http2;
 server_name domainame.com;

## Source: https://github.com/1activegeek/nginx-config-collection
## READ THE COMMENT ON add_header X-Frame-Options AND add_header Content-Security-Policy IF YOU USE THIS ON A SUBDOMAIN YOU WANT TO IFRAME!

## Certificates from LE container placement
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

## Strong Security recommended settings per cipherli.st
ssl_dhparam /config/nginx/dhparams.pem; # Bit value: 4096
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;

## NOTE: The add_header Content-Security-Policy won't work with duckdns since you don't own the root domain. Just buy a domain. It's cheap
## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com)

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; #SET THIS TO index IF YOU WANT GOOGLE TO INDEX YOU SITE!
add_header Content-Security-Policy "frame-ancestors https://*.$server_name https://$server_name"; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!
add_header X-Frame-Options "ALLOW-FROM https://*.$server_name" always; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!
add_header Referrer-Policy "strict-origin-when-cross-origin";

add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";
#FEATURE POLICY: READ MORE HERE: https://scotthelme.co.uk/a-new-security-header-feature-policy/

proxy_cookie_path / "/; HTTPOnly; Secure"; ##NOTE: This may cause issues with unifi. Remove HTTPOnly; or create another ssl config for unifi.
more_set_headers "Server: Classified";
more_clear_headers 'X-Powered-By';
 
 client_max_body_size 0; 
 
 root /config/www/wordpress/;
 index index.html index.php;
  
location ~ /\. {
deny all;
} 
location / {
try_files $uri $uri/ /index.php?_url=$uri&$query_string; 
}

 
# PHP
 location ~ \.php$ {
 fastcgi_split_path_info ^(.+\.php)(/.+)$;
 # With php7-cgi alone:
 fastcgi_pass 127.0.0.1:9000;
 # With php7-fpm:
 #fastcgi_pass unix:/var/run/php7-fpm.sock;
 fastcgi_index index.php;
 include /etc/nginx/fastcgi_params;
 }
 
 fastcgi_buffer_size 4K;
 fastcgi_buffers 64 4k; 
}

When you say tag do you mean like this? @saarg

You have way too many modifications there. Either contact the author of the guide you used, or use our guide here: https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/

On 4/22/2020 at 6:30 AM, aptalca said:

502 means letsencrypt can't reach the service at the specified address and port

How can I drill down the issue? I haven't remaned the container and the port is pretty straight forward. It work for several other containers, but not for nextcloud.

8 hours ago, Jaster said:

How can I drill down the issue? I haven't remaned the container and the port is pretty straight forward. It work for several other containers, but not for nextcloud.

Can't say without seeing your settings

I found out, that the nextcloud container seems not to be reachable via the name, if I use the server ip, it's fine. every other container works fine.

12 hours ago, Jaster said:

I found out, that the nextcloud container seems not to be reachable via the name, if I use the server ip, it's fine. every other container works fine.

Is it on the same custom bridge as letsencrypt and the container name is all lowercase?

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.