mgladwin Posted December 20, 2016

Hi all, I have this docker set up nicely and it's doing everything I want it to do, i.e. reverse proxy for a few dockers over https:// and serving some game files over standard http://. My question is about security and what, if anything, I need to make sure I'm doing to prevent security issues. Seeing that this docker is on my main unRAID machine with all my personal stuff on it as well as all my media is concerning me. I don't know enough about it and it's keeping me up at night! The server has an A+ rating on SSL Labs, which I assume is a good start, but after that I need some guidance/reassurance. Can anyone shed some light on this for me? Cheers.
aptalca Posted December 20, 2016

Password protection if you haven't set it up already. See the docker hub page about htpasswd.
mgladwin Posted December 20, 2016

Yep, I'm using htpasswd for all of the reverse proxies apart from Plex Requests. Anything else you can think of?

Sent from my SM-G930F using Tapatalk
Kewjoe Posted December 26, 2016

I'm having an issue moving from the old docker to the new one. In the old one, I was running a PHPBB forum using PHP5. I used the following settings in my default file:

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param modHeadersAvailable true;
        include fastcgi_params;
    }

My forum worked great in the old docker. When I moved to the new docker, I noticed that there is already pre-existing PHP5 code in the stock default file. I commented it out and used mine. Didn't work: there is no "php5-fpm.sock" file in /var/run. So I tried using the existing code:

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

and PHP5 is not working for me. I tried a simple PHP test file and it's blank. My forum doesn't work; it gives an error that indicates something is wrong with PHP. Any advice? Should I copy php5-fpm.sock from the old docker over to the new? Or will that get wiped out in a future update?
Kewjoe Posted December 26, 2016

OK, so it looks like my PHP is in fact working. But I think going from 5.5.9 (old docker) to 5.6.29 (new docker) there is a particular module that seems to have been deprecated that is used by PHPBB (http://php.net/manual/en/intro.mysql.php). I think this is the root of my problems. I'll keep digging, but if anyone else has ideas, don't be shy.
Kewjoe Posted December 27, 2016

OK, I tried a completely different forum software, the same one Limetech is using (SMF), and I get to the install screen and it gives me this error: "Critical Error! The installer was unable to detect any database support in PHP. Please ask your host to ensure that PHP was compiled with the desired database, or that the proper extension is being loaded." Looks like the PHP installation in this docker was not configured for any particular database. Is this something I can remedy myself, or would the base image have to be changed?
Techn0mancer Posted December 27, 2016

I can't get this to work at all. It keeps killing itself. The most useful thing I see in the docker log is "Detail: Failed to connect to 192.64.119.73:443 for TLS-SNI-01 challenge". It's a domain I purchased tonight from Namecheap. I have created an "A + Dynamic DNS" record at Namecheap pointing to my public IP address. My router is forwarding 80 and 443 to 88 and 443 as defined in the docker template. I'm just at a loss. Has anyone else seen this error and knows how to fix it?
Kewjoe Posted December 27, 2016

Two things that come to mind, as I also just bought a new Namecheap domain and went through this yesterday:

1) You need an A + Dynamic DNS record for @ and also anything else you define. In my case that was also 'www' and 'nextcloud'.
2) Do you have dynamic DNS set up? Is that your correct WAN IP? I'm using Mace's DDClient docker to update Namecheap with my IP address.
Techn0mancer Posted December 27, 2016

I've already done point 1. As for 2, I haven't set up ddclient yet. I manually entered my WAN IP at Namecheap, but I have no clue where it got 192.64.119.73.
Kewjoe Posted December 27, 2016

You should see the IP for each record in your Advanced DNS page. Do you see that IP showing up for any of the records?
Kewjoe Posted December 27, 2016

Regarding PHP5 and MySQL, I see in the Dockerfile you have the following:

    # install packages
    RUN \
     apk add --no-cache \
        certbot \
        curl \
        fail2ban \
        php5-curl \
        php5-gd \
        php5-mcrypt && \

I think php5-mysqlnd would be the module I'd need added. I was reading this guide, which had a section for adding MySQL for PHP5 in an nginx installation: https://www.howtoforge.com/tutorial/installing-nginx-with-php-fpm-and-mariadb-lemp-on-debian-jessie/

I'm missing the MySQL and MySQLi sections in my phpinfo page (see attached example from the howtoforge link).
aptalca Posted December 27, 2016

There are a ton of PHP modules and we only included the most commonly used ones (so as not to bloat the image unnecessarily). We can add more modules as we get requests. I'll look into adding an SQL one before the next Friday update.
Kewjoe Posted December 27, 2016

Thanks!
Techn0mancer Posted December 27, 2016

So eventually letsencrypt started. Now I can't get it to redirect traffic to Nextcloud. I have port 443 open and I've followed, to the best of my knowledge, the configuration instructions I've found, but using nextcloud.myserver.com results in connection refused. If I try nextcloud.myserver.com:7443 (the port forwarded for Nextcloud), it does connect to my server, so the domain is resolving to my IP.
Kewjoe Posted December 27, 2016

You should paste the nextcloud section in your default site-conf file.
Techn0mancer Posted December 27, 2016

I followed the directions here: http://lime-technology.com/forum/index.php?topic=53542.msg522472#msg522472 As far as I can see I didn't miss anything. I also get the same result trying to redirect myserver.com/htpcman to the HTPC Manager docker. For that I added:

    location ^~ /htpcman {
        include /config/nginx/proxy.conf;
        proxy_pass http://10.11.12.106:8085/htpcman;
    }
CHBMB Posted December 27, 2016

You need to post your config files and your docker run commands for both containers, otherwise we're shooting in the dark.

Sent from my LG-H815 using Tapatalk
Kewjoe Posted December 28, 2016

Are you talking to me or Techn0mancer?
CHBMB Posted December 28, 2016

Techn0mancer.

Sent from my LG-H815 using Tapatalk
Techn0mancer Posted December 28, 2016

I won't say I figured it out, but I beat my head against the keyboard until it started working.
Kewjoe Posted December 28, 2016

That's the way to go: try 5 different things, find out it worked, and have no idea which of the 5 did it. But whatever, it's working now. The majority of what I get working is done using this method.
Kuroyukihimeeee Posted January 2, 2017

Hey all. This is probably stupidly simple, but I'm a beginner with nginx configs, and 4 hours and many, many Google searches later I'm not too much further into my problem. Essentially I have stats.domain.co.uk loading up PlexPy perfectly using letsencrypt. Now I'm trying to get requests.domain.co.uk to point to Plex Requests. My default config file is below. The first and second "server_name" seem to work perfectly: http traffic is denied and https gets to PlexPy perfectly, but the 3rd server_name doesn't make it to Plex Requests. I even tried using stats.domain.co.uk with the port for Requests and that works fine, so it doesn't seem to be the Docker. Any pointers as to what I need to change below? I just want requests.domain.co.uk to work alongside stats.domain.co.uk.

    # redirect all traffic to https
    server {
        listen 80;
        server_name _;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        root /config/www;
        index index.html index.htm index.php;
        server_name stats.*;
        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        client_max_body_size 0;

        #PLEX STATS
        location / {
            # auth_basic "Restricted";
            # auth_basic_user_file /config/nginx/.htpasswd;
            include /config/nginx/proxy.conf;
            proxy_pass http://10.0.0.11:8181;
        }
    }

    server {
        listen 443 ssl;
        root /config/www;
        index index.html index.htm index.php;
        server_name requests.*;
        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        client_max_body_size 0;

        #PLEX REQUESTS
        location / {
            # auth_basic "Restricted";
            # auth_basic_user_file /config/nginx/.htpasswd;
            include /config/nginx/proxy.conf;
            proxy_pass http://10.0.0.11:3000/request;
        }
    }
aptalca Posted January 2, 2017

Likely an issue because https://domain.com is proxied to http://ip/requests. It is usually a good idea to keep that base url (in this case "requests") the same between the domain address and the proxied address. You can either try to remove the base url from the Plex Requests container so that you access it at just http://serverip:port and so the proxied address would match the domain address (no base url), or you can try "location /requests" in the config and access it at requests.domain.com/requests (not pretty). You can also try adding a trailing slash at the end of the requests in your existing config. It *may* work.
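As an added illustration of the base-URL point made in the reply above (example code, not from the thread or the container), this models nginx's documented proxy_pass rule for prefix locations and shows what the posted proxy_pass http://10.0.0.11:3000/request does to a request path with and without the trailing slash; the backend addresses are the ones posted earlier in the thread.

```python
"""Model of nginx's proxy_pass path rewriting for a prefix location: when
proxy_pass carries a URI part, the portion of the request path matched by the
location is replaced by that URI, textually. Added example, not code from the
thread or the container; the backends are the ones posted in the thread."""
from urllib.parse import urlsplit


def upstream_path(location, proxy_pass, request_path):
    """Return the path nginx forwards upstream for request_path.
    Only prefix locations are modelled; a leading ^~ modifier is accepted,
    regex (~) locations are not."""
    prefix = location.split()[-1]                 # drop a leading '^~'
    if not request_path.startswith(prefix):
        raise ValueError(f"{request_path} is not under location {prefix}")
    pp_path = urlsplit(proxy_pass).path
    if pp_path == "":
        return request_path                       # no URI part: forwarded unchanged
    # Textual replacement: a missing trailing slash glues path segments together.
    return pp_path + request_path[len(prefix):]


def base_url_consistent(location, proxy_pass):
    """The rule of thumb from the reply above: the public base path and the
    upstream base path should agree (both empty, or the same prefix)."""
    public = location.split()[-1].rstrip("/")
    upstream = urlsplit(proxy_pass).path.rstrip("/")
    return public == upstream


if __name__ == "__main__":
    cases = [
        # (location, proxy_pass) pairs taken from the configs posted in this thread
        ("/", "http://10.0.0.11:3000/request"),     # as posted: base urls differ
        ("/", "http://10.0.0.11:3000/request/"),    # the trailing-slash suggestion
        ("/", "http://10.0.0.11:3000"),             # base url removed from the app
        ("^~ /htpcman", "http://10.11.12.106:8085/htpcman"),
    ]
    for loc, pp in cases:
        req = loc.split()[-1].rstrip("/") + "/login"   # a sample request path
        print(f"{loc:14} {pp:40} {req:16} -> {upstream_path(loc, pp, req):18}"
              f" base_url_consistent={base_url_consistent(loc, pp)}")
```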
CHBMB Posted January 2, 2017

What I found works was separate config files for each subdomain. So as well as default I got files and nextcloud in there. Not sure, looking at yours, how you got it set up. Also, remove the URL_BASE parameter as you don't need it and, like aptalca says, it's probably overcomplicating things. Then place a file called requests in the same folder as default and use this as the contents.

    server {
        listen 80;
        server_name requests.server.com;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name requests.server.com;
        root /config/www/;
        index index.htm index.php;

        ###SSL Certificates
        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

        ###Diffie–Hellman key exchange ###
        ssl_dhparam /config/nginx/dhparams.pem;

        ###SSL Ciphers
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        ###Extra Settings###
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header Front-End-Https on;

        client_max_body_size 0;

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            # With php5-cgi alone:
            fastcgi_pass 127.0.0.1:9000;
            # With php5-fpm:
            #fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
        }

        location / {
            proxy_pass http://10.0.0.11:3000;
            include /config/nginx/proxy.conf;
        }
    }
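An added example, not the container's or any poster's code: a small checker for the kind of site config posted in this thread, implementing the points raised above (htpasswd protection on proxied locations, the port-80 redirect to https, and the HSTS header the config above adds). The embedded SAMPLE is a constructed config modelled on the posted ones; it deliberately leaves the auth_basic lines commented out, as the earlier config did.

```python
"""Lint a site config of the kind posted in this thread for proxied locations
with no auth_basic (the htpasswd advice above), port-80 servers that do not
301 to https, and TLS servers without HSTS. Added example, not the container's
or the thread's code; SAMPLE is a constructed config modelled on those posted."""
import re

TOKEN = re.compile(r"""'[^']*'|"[^"]*"|#[^\n]*|[{};]|[^\s{};'"#]+""")  # quoted, comment, {};, word


def parse(text):
    """Return [(name, args, body)]: body is None for a simple directive, a list
    for a {} block. Comments are dropped, so a commented-out auth_basic counts
    as absent, exactly as nginx sees it."""
    tokens = [t for t in TOKEN.findall(text) if not t.startswith("#")]
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            end = pos
            while tokens[end] not in ("{", ";"):
                end += 1
            words, opener, pos = tokens[pos:end], tokens[end], end + 1
            items.append((words[0], words[1:], block() if opener == "{" else None))
            if opener == "{":
                pos += 1  # consume the closing '}'
        return items

    return block()


def has(items, name, *prefix):
    """True if directive `name` appears with leading args equal to `prefix`."""
    return any(n == name and a[:len(prefix)] == list(prefix) for n, a, _ in items)


def auth_enabled(items):
    return any(n == "auth_basic" and a != ["off"] for n, a, _ in items)


def lint(text):
    findings = []
    for name, _args, body in parse(text):
        if name != "server" or body is None:
            continue
        names = [a for n, args, _ in body if n == "server_name" for a in args]
        label = "server " + (" ".join(names) or "(unnamed)")
        listens = [args for n, args, _ in body if n == "listen"]
        if any(lst[0] == "80" for lst in listens) and not has(body, "return", "301"):
            findings.append(f"{label}: listens on 80 without a 301 to https")
        if any("ssl" in lst for lst in listens) and not has(body, "add_header", "Strict-Transport-Security"):
            findings.append(f"{label}: TLS server without an HSTS header")
        for n, args, loc in body:  # auth_basic may also be inherited from the server block
            if n == "location" and loc and has(loc, "proxy_pass") and not (auth_enabled(loc) or auth_enabled(body)):
                findings.append(f"{label} location {' '.join(args)}: proxy_pass without auth_basic")
    return findings


SAMPLE = """
server { listen 80; server_name _; return 301 https://$host$request_uri; }
server { listen 443 ssl; server_name requests.*;
    location / { # auth_basic "Restricted";
        include /config/nginx/proxy.conf; proxy_pass http://10.0.0.11:3000/request; } }
"""
```

Running lint(SAMPLE) reports the missing HSTS header and the unauthenticated proxied location; the port-80 server passes because it carries the 301.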
Gokux Posted January 2, 2017

This plugin works like a charm, but I have one question: when I connect from my external URL to my application (like Emby), the application gets only the IP "172.17.0.2" for every online user, and not the real IP. Is this normal? Thanks and happy new year.