[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)

This Plugin works like a charm :), but I have one question: When I connect from my external URL to my application (like emby), the application gets only the IP «172.17.0.2» for every online user, and not the real IP. Is this normal?

 

Thanks and happy new year.

I believe so. Basically, every user's connection is proxied through the letsencrypt container and so emby thinks that all the requests are coming from that container. And the container ip is that 172.x.x.x one.

 

If it's an issue you'd like to fix, there may be a way to do it through the options in proxy.conf but I don't know which. You'd have to search online.

Link to comment
I believe so. Basically, every user's connection is proxied through the letsencrypt container and so emby thinks that all the requests are coming from that container. And the container ip is that 172.x.x.x one.
I was a little bit surprised, because on Apache virtual hosts, it was never a "problem".

 

If it's an issue you'd like to fix, there may be a way to do it through the options in proxy.conf but I don't know which. You'd have to search online.

I have searched around and found this. So I took just the first part in my site-confs

 

[...]
location / {
    # backend (emby) reached over TLS on the LAN
    proxy_pass https://192.168.0.100:8920/;
    # pass the original Host header and the connecting client's address through
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
}
[...]

 

and it seems to work. ;D

Link to comment
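How a backend behind the proxy should consume those headers, as an added Python example (not code from the thread or from the linuxserver.io project): the `X-Forwarded-For`/`X-Real-IP` values are only trustworthy when the TCP peer is the proxy itself, so the function below honours the header only when `remote_addr` falls in an assumed trusted-proxy network (the Docker bridge range 172.17.0.0/16, matching the 172.17.0.2 seen above) and otherwise falls back to the peer address. It also generalises beyond the single-address header the site-conf above produces: if nginx were configured with `$proxy_add_x_forwarded_for`, the header would carry a comma-separated chain, and the right-most entry that is not one of our proxies is the client. The network, the sample addresses and the function names are assumptions.

```python
import ipaddress
from typing import Optional

# Assumed trusted-proxy networks: the Docker bridge range the SWAG/letsencrypt
# container lives on (172.17.0.2 in the thread). Only peers from these networks
# are allowed to tell us who the client is.
TRUSTED_PROXIES = [ipaddress.ip_network("172.17.0.0/16")]


def is_trusted_proxy(addr: str) -> bool:
    """True if addr is an address we run a reverse proxy on."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Return the address a backend should log or rate-limit on.

    remote_addr is the TCP peer (what emby saw as 172.17.0.2);
    x_forwarded_for is the header value, if any. The header is honoured only
    when the peer is a trusted proxy; a header supplied by an arbitrary
    internet client is ignored.
    """
    if not x_forwarded_for or not is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk from the right: entries appended by our own proxies are skipped,
    # and the first entry that is not one of our proxies is the client.
    # With the site-conf above the header holds exactly one address.
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: do not trust any of it
        if not is_trusted_proxy(hop):
            return hop
    return remote_addr  # every hop was one of our proxies


if __name__ == "__main__":
    # Constructed sample: peer is the proxy, header carries the real client.
    print(client_ip("172.17.0.2", "203.0.113.7"))       # 203.0.113.7
    # Constructed sample: peer is an internet host spoofing the header.
    print(client_ip("203.0.113.7", "10.0.0.1"))         # 203.0.113.7
```

If the backend application reads the header itself, the same rule applies there: configure its trusted-proxy list to the proxy container's address, not to "any".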

I believe so. Basically, every user's connection is proxied through the letsencrypt container and so emby thinks that all the requests are coming from that container. And the container ip is that 172.x.x.x one.
I was a little bit surprised, because on Apache virtual hosts, it was never a "problem".

 

If it's an issue you'd like to fix, there may be a way to do it through the options in proxy.conf but I don't know which. You'd have to search online.

I have searched around and found this. So I took just the first part in my site-confs

 

[...]
location / {
    # backend (emby) reached over TLS on the LAN
    proxy_pass https://192.168.0.100:8920/;
    # pass the original Host header and the connecting client's address through
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
}
[...]

 

and it seems to work. ;D

Glad you figured it out.

 

That's my experience with nginx. There is always an option to fix whatever, but it may not be obvious and may require some online research to figure out.

Link to comment

Hello,

 

Yesterday I was trying to set up my Plex and ownCloud under a subdomain-based reverse proxy, but after many unsuccessful tries it stopped working at all.

Tried to "reinstall" container, but receiving error:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="Europe/Kiev" -e HOST_OS="unRAID" -e "EMAIL"="[email protected]" -e "URL"="radiacija.lt" -e "SUBDOMAINS"="plex," -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -p :80/tcp -p 192.168.1.50:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

 

docker: Invalid hostPort: 192.168.1.50.

See '/usr/bin/docker run --help'.

 

The command failed.

Tried to restart server, any other IP, still the same.

Any suggestions please.

 

Link to comment

Hello,

 

Yesterday I was trying to set up my Plex and ownCloud under a subdomain-based reverse proxy, but after many unsuccessful tries it stopped working at all.

Tried to "reinstall" container, but receiving error:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="Europe/Kiev" -e HOST_OS="unRAID" -e "EMAIL"="[email protected]" -e "URL"="radiacija.lt" -e "SUBDOMAINS"="plex," -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -p :80/tcp -p 192.168.1.50:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

 

docker: Invalid hostPort: 192.168.1.50.

See '/usr/bin/docker run --help'.

 

The command failed.

Tried to restart server, any other IP, still the same.

Any suggestions please.

 

The error message tells you what's wrong:

 

docker: Invalid hostPort: 192.168.1.50.

-p 192.168.1.50:443/tcp

 

Change that to 443 instead of 192.168.1.50

Link to comment
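The accepted shapes of `-p`, as an added Python example (not Docker's own parser and not from the thread): a simplified re-implementation of how `docker run -p` splits its value, which reproduces the `Invalid hostPort: 192.168.1.50` error above and shows the form that does bind to a specific host address (`ip:hostPort:containerPort`). Port ranges are not handled; the function names and the sample specs are assumptions.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

PORT_RE = re.compile(r"^\d{1,5}$")


@dataclass
class PortSpec:
    host_ip: Optional[str]       # None: bind on all host addresses
    host_port: Optional[int]     # None: let Docker pick an ephemeral port
    container_port: int
    proto: str


def _port(text: str, what: str) -> int:
    """Validate a single port number, producing Docker-style error text."""
    if not PORT_RE.match(text) or not 0 < int(text) <= 65535:
        raise ValueError(f"Invalid {what}: {text}")
    return int(text)


def parse_port_spec(spec: str) -> PortSpec:
    """Parse a -p value (simplified; no port ranges).

    Accepted forms:
      containerPort[/proto]
      hostPort:containerPort[/proto]        (hostPort may be empty)
      ip:hostPort:containerPort[/proto]     (hostPort may be empty)
    """
    ports, _, proto = spec.partition("/")
    proto = proto or "tcp"
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"Invalid proto: {proto}")
    parts = ports.split(":")
    if len(parts) == 1:
        host_ip, host_port, container_port = None, "", parts[0]
    elif len(parts) == 2:
        # Two fields are hostPort:containerPort, never ip:containerPort.
        # This is why "192.168.1.50:443" fails: the address lands in hostPort.
        host_ip, host_port, container_port = None, parts[0], parts[1]
    elif len(parts) == 3:
        host_ip, host_port, container_port = parts
        host_ip = host_ip or None
    else:
        raise ValueError(f"Invalid port specification: {spec}")
    if host_ip is not None:
        ipaddress.ip_address(host_ip)  # raises ValueError on a bad address
    return PortSpec(
        host_ip=host_ip,
        host_port=_port(host_port, "hostPort") if host_port else None,
        container_port=_port(container_port, "containerPort"),
        proto=proto,
    )


def port_spec_error(spec: str) -> Optional[str]:
    """Return Docker-style error text for a bad spec, or None if it parses."""
    try:
        parse_port_spec(spec)
    except ValueError as exc:
        return f"docker: {exc}."
    return None


if __name__ == "__main__":
    # Constructed samples: the failing value from the thread and two fixes.
    for s in ("192.168.1.50:443/tcp", "443:443/tcp", "192.168.1.50:443:443/tcp"):
        print(s, "->", port_spec_error(s) or parse_port_spec(s))
```

Binding to a single host address (the three-field form) is the way to keep a service off other interfaces; the two-field form publishes on every address of the host.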

Hello,

 

Yesterday I was trying to set up my Plex and ownCloud under a subdomain-based reverse proxy, but after many unsuccessful tries it stopped working at all.

Tried to "reinstall" container, but receiving error:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="Europe/Kiev" -e HOST_OS="unRAID" -e "EMAIL"="[email protected]" -e "URL"="radiacija.lt" -e "SUBDOMAINS"="plex," -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -p :80/tcp -p 192.168.1.50:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

 

docker: Invalid hostPort: 192.168.1.50.

See '/usr/bin/docker run --help'.

 

The command failed.

Tried to restart server, any other IP, still the same.

Any suggestions please.

 

The error message tells you what's wrong:

 

docker: Invalid hostPort: 192.168.1.50.

-p 192.168.1.50:443/tcp

 

Change that to 443 instead of 192.168.1.50

 

Damn... I'm new to this, I thought that I needed to set up an IP address. Now it is working. Thanks!

Link to comment

Is it required to have some services running (and thus valid nginx site-configs) prior to querying LE, or can we simply spin vanilla docker-letsencrypt container up and it should acquire the certs for the (sub)domains we've defined?

 

DNS settings are ok, but LE server is still unable to see my end.

 

Domain: www.mydomain.eu
Type: connection
Detail: Failed to connect to 217.111.111.111:443 for TLS-SNI-01

Link to comment

Is it required to have some services running (and thus valid nginx site-configs) prior to querying LE, or can we simply spin vanilla docker-letsencrypt container up and it should acquire the certs for the (sub)domains we've defined?

 

DNS settings are ok, but LE server is still unable to see my end.

 

As long as you have a valid domain name and the DNS servers are accurate as to your WAN IP address, the container will start provided your port forwards are set up.

 

The configs included out of the box are valid. I quite often add and remove subdomains for testing purposes.

 

Post your docker run command and the log and we might be able to help a little more.

Link to comment

Is it required to have some services running (and thus valid nginx site-configs) prior to querying LE, or can we simply spin vanilla docker-letsencrypt container up and it should acquire the certs for the (sub)domains we've defined?

 

DNS settings are ok, but LE server is still unable to see my end.

Post your docker run command and the log and we might be able to help a little more.

 

Generating a 2048 bit RSA private key
.............................+++
..........+++
writing new private key to '/config/keys/cert.key'
-----
Subject Attribute /C has no known NID, skipped
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..........................
DH parameters successfully created - 2048 bits
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.mydomain.eu -d emby.mydomain.eu -d seafile.mydomain.eu
Generating new certificate
Failed authorization procedure. www.mydomain.eu (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 217.111.111.111:443 for TLS-SNI-01 challenge, mydomain.eu (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to 217.111.111.111:443 for TLS-SNI-01 challenge
IMPORTANT NOTES:
- If you lose your account credentials, you can recover through
e-mails sent to [email protected].
- The following errors were reported by the server:

Domain: www.mydomain.eu
Type: connection
Detail: Failed to connect to 217.111.111.111:443 for TLS-SNI-01
challenge

Domain: mydomain.eu
Type: connection
Detail: Failed to connect to 217.111.111.111:443 for TLS-SNI-01
challenge

To fix these errors, please make sure that your domain name was...

 

Router NAT settings: vGGOcKm.png

 

Docker run:

/plugins/dynamix.docker.manager/scripts/docker create --name="nginx-letsencrypt" --net="bridge" --privileged="true" -e TZ="Europe/Paris" -e HOST_OS="unRAID" -e "EMAIL"="[email protected]" -e "URL"="mydomain.eu" -e "SUBDOMAINS"="www,emby,seafile" -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="1000" -e "PGID"="100" -p 89:80/tcp -p 449:443/tcp -v "/mnt/user/appdata/nginx-letsencrypt":"/config":rw -v "/mnt/user":"/unraid":rw linuxserver/letsencrypt

 

Btw, is there a more convenient way of checking the run command than clicking 'Save' in template page?

Link to comment

First thing, why are you running with PUID 1000 and PGID 1000? Our template has them at 99 and 100 specifically for Unraid.

 

Go to whatismyip.com and confirm that 217.111.111.111 is indeed your IP.  (I assume you've redacted that, as it just doesn't look right)

 

And just to check you own the mydomain.eu name?

 

Might be worth just setting up www until you get it sorted.

Link to comment

First thing, why are you running with PUID 1000 and PGID 1000? Our template has them at 99 and 100 specifically for Unraid.

 

Go to whatismyip.com and confirm that 217.111.111.111 is indeed your IP.  (I assume you've redacted that, as it just doesn't look right)

 

And just to check you own the mydomain.eu name?

 

Might be worth just setting up www until you get it sorted.

 

PUID 100*

 

It's my regular user on unraid (instead of default nobody).

 

IP is correct, DNS settings are confirmed. mydomain.eu is owned by me, bought via gandi.net.

Link to comment

First thing, why are you running with PUID 1000 and PGID 1000? Our template has them at 99 and 100 specifically for Unraid.

 

Go to whatismyip.com and confirm that 217.111.111.111 is indeed your IP.  (I assume you've redacted that, as it just doesn't look right)

 

And just to check you own the mydomain.eu name?

 

Might be worth just setting up www until you get it sorted.

 

PUID 100*

 

It's my regular user on unraid (instead of default nobody).

 

IP is correct, DNS settings are confirmed. mydomain.eu is owned by me, bought via gandi.net.

 

Only other thing I can think of is that there's an issue with your ports then. Although they look fine on that pic, try http://www.yougetsignal.com/tools/open-ports/

 

Nothing unusual about your network at all? VPN or anything?

 

EDIT:  Other thing I just thought of, if you're using Cloudflare then turn off the proxying.

Link to comment

First thing, why are you running with PUID 1000 and PGID 1000? Our template has them at 99 and 100 specifically for Unraid.

 

Go to whatismyip.com and confirm that 217.111.111.111 is indeed your IP.  (I assume you've redacted that, as it just doesn't look right)

 

And just to check you own the mydomain.eu name?

 

Might be worth just setting up www until you get it sorted.

 

PUID 100*

 

It's my regular user on unraid (instead of default nobody).

 

IP is correct, DNS settings are confirmed. mydomain.eu is owned by me, bought via gandi.net.

 

Only other thing I can think of is that there's an issue with your ports then. Although they look fine on that pic, try http://www.yougetsignal.com/tools/open-ports/

 

Nothing unusual about your network at all? VPN or anything?

 

EDIT:  Other thing I just thought of, if you're using Cloudflare then turn off the proxying.

 

Good ideas.

1) not using cloudflare

2) 443 is closed, but I assume that's because there's no service sitting on this side; any quick ways to put up some service to validate ports?

3) my router config might be wrong after all. Discovered there's more than one interface (for WAN/LAN). Router UI is in Spanish, having a bit of trouble with that :P

Link to comment

Good ideas.

1) not using cloudflare

 

Well that's ruled out that one!

2) 443 is closed, but I assume that's because there's no service sitting on this side; any quick ways to put up some service to validate ports?

 

Spin up our nginx container (without LE). Don't forget you're port forwarding 443 ==> 449.

 

3) my router config might be wrong after all. Discovered there's more than one interface (for WAN/LAN). Router UI is in Spanish, having a bit of trouble with that :P

 

My wife had a Spanish lesson this evening, doesn't understand tech at all, and has gone to sleep, so can't help you with that one.  ;D

Link to comment
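A quick way to confirm a forwarded port the way the open-ports tool does, as an added Python example (not from the thread or from the linuxserver.io containers): `port_reachable` attempts a plain TCP connect with a timeout, `start_placeholder_listener` stands in for the nginx container so the check can be exercised offline on 127.0.0.1, and `check_chain` probes several labelled hops at once. Run from outside against your WAN address, the probe must target the public port (443 here) while the container itself only listens on the host's 449; a "closed" result with nothing listening is expected, exactly as suspected in point 2. One caveat on the log above: the TLS-SNI-01 challenge it shows was later disabled by Let's Encrypt, so a current SWAG container validates with HTTP-01 over port 80 or DNS-01 instead. The hostnames, ports and function names in the block are assumptions.

```python
import socket
import threading
from typing import Dict, Tuple


def port_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout seconds.

    This is all an external open-port checker learns: something accepted the
    connection. It says nothing about TLS or the nginx config being right.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def start_placeholder_listener(bind_ip: str = "127.0.0.1",
                               port: int = 0) -> Tuple[socket.socket, int]:
    """Start a throwaway TCP listener as a stand-in for the nginx container.

    port=0 lets the OS choose a free port; the chosen port is returned with
    the socket. Accepted connections are closed at once. Close the returned
    socket to stop the listener.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_ip, port))
    srv.listen(5)

    def accept_loop() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:  # listener was closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


def check_chain(hops: Dict[str, Tuple[str, int]],
                timeout: float = 3.0) -> Dict[str, bool]:
    """Probe each labelled (host, port) pair and report which ones answer.

    For the setup in this thread the constructed input would look like
      {"container on host:449": ("<lan-ip>", 449),
       "public WAN:443":        ("<wan-ip>", 443)}
    True for the first and False for the second points at the router forward.
    """
    return {label: port_reachable(host, port, timeout)
            for label, (host, port) in hops.items()}


if __name__ == "__main__":
    # Offline demonstration with a local placeholder listener.
    srv, port = start_placeholder_listener()
    print(check_chain({"placeholder listener": ("127.0.0.1", port)}))   # True
    srv.close()
    print(check_chain({"after shutdown": ("127.0.0.1", port)}, timeout=1.0))  # False
```

Because the probe only needs a TCP accept, the plain nginx container suggested above is enough to turn the external check green before any certificate exists.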

:'(

 

Didn't work. Looking at your old docker versus the new docker for any packages with SQL in the name:

 

Old:

php5-mysqlnd \
php5-pgsql \
php5-sqlite \

 

New:

php5-mysqli
php5-pdo_mysql

 

From my reading online, I believe the correct package to install is "php5-mysqlnd". Sorry to be a bother  ;D Let me know if it's possible to add that package. Thanks for helping!!

Link to comment

 

 

:'(

 

Didn't work. Looking at your old docker versus the new docker for any packages with SQL in the name:

 

Old:

php5-mysqlnd \
php5-pgsql \
php5-sqlite \

 

New:

php5-mysqli
php5-pdo_mysql

 

From my reading online, I believe the correct package to install is "php5-mysqlnd". Sorry to be a bother  ;D Let me know if it's possible to add that package. Thanks for helping!!

 

There is no separate php5-mysqlnd (library, native driver) package on alpine but it is included in the php package (info.php shows it as active).

 

You need to use either the mysqli or the pdo extensions: https://dev.mysql.com/downloads/connector/php-mysqlnd/

Link to comment

Ok I figured it out. I spent a few hours adding php5 modules to this docker (that were installed on the old docker) until I got my forum to work. I finally narrowed it down to "php5-ctype". I'm not clear why that one is needed, but without it, my forum will not budge.  Any chance you can add that one? I promise not to bother you again (for a little while  ;D)

Link to comment

Ok I figured it out. I spent a few hours adding php5 modules to this docker (that were installed on the old docker) until I got my forum to work. I finally narrowed it down to "php5-ctype". I'm not clear why that one is needed, but without it, my forum will not budge.  Any chance you can add that one? I promise not to bother you again (for a little while  ;D)

I'll look into it. Ooc, which forum software are you using?

Link to comment

Ok I figured it out. I spent a few hours adding php5 modules to this docker (that were installed on the old docker) until I got my forum to work. I finally narrowed it down to "php5-ctype". I'm not clear why that one is needed, but without it, my forum will not budge.  Any chance you can add that one? I promise not to bother you again (for a little while  ;D)

I'll look into it. Ooc, which forum software are you using?

 

http://www.phpbb.com

 

I also had a copy of SMF (same forum limetech uses) as an alternate while trying to isolate. They behaved exactly the same (didn't work until I put the ctype module in).

Link to comment
