[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Hi, I'm trying to reverse proxy NextCloud.

 

I followed the install instructions here.

 

when I try https://advurt.net/nextcloud/, I get this 400 error:

 

400 Bad Request

The plain HTTP request was sent to HTTPS port

 

My NextCloud config:

 

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'xxxxxxxxxxxx',
  'passwordsalt' => 'xxxxxxxxxxxx',
  'secret' => 'xxxxxxxxxxxx',
  'trusted_domains' =>
  array (
    0 => '192.168.1.252:444',
    1 => 'advurt.net',
  ),
  'overwrite.cli.url' => 'https://advurt.net',
  'overwritehost'     => 'advurt.net',
  'overwriteprotocol' => 'https',
  'overwritewebroot'  => '/nextcloud',
  'dbtype' => 'mysql',
  'version' => '11.0.1.2',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.252:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'xxxxxxxxxxxx',
  'dbpassword' => 'xxxxxxxxxxxx',
  'logtimezone' => 'UTC',
  'installed' => true,
);

 

My letsencrypt site-confs/default:

 

# redirect all traffic to https
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'xxxxxxxxxxxx';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php5-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

    # Config for NextCloud
    location ^~ /nextcloud {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.252:444/;
    }
# closing brace of the main server block (missing from the config as pasted)
}

 

 


Also how are most people using this..for example do you create an index.html page with links to each of your web interfaces to the dockers you are trying to reach?  If so do you keep the "landing" page open to the public and then when you click the link to the docker...then it goes to https???  The reason I am asking is that I would like to have www.mydomain.com be open to the public with a link to a public photo gallery (using an unraid docker...haven't picked one yet) and then have some other page with hyperlinks to my hidden docker management tools.

 

Thanks in advance for any help you can provide.

 

Dan

 

I haven't finished mine yet but I just grabbed one of the templates listed below and modified it. Still in progress but this is what I have so far. The icons go from a slightly faded colour to bigger on mouse over (like the unraid icon is -- that one has the mouseover active). It also is a bit responsive but there is a lot of extra CSS in the template that I haven't deleted.

 



Last line of your config like the error says needs to be https not http.

 

Sent from my LG-H815 using Tapatalk

 

Thank you, that fixed it but that leads to a new issue:

 

server.com/nextcloud/ takes a very long time to open, and when I finally get to the login page and enter my credentials, the page turns into a 504 Gateway Time-out error.

 

This doesn't happen when I use other reverse proxies like server.com/deluge/.


Is there a disk that needs to spin up for nextcloud to work?


 

 


 

Hmm possibly, how can I check that?

 

I had set the NextCloud share to only use Disk 1. But I've been working on this the whole afternoon starting with fresh installs of MariaDB and NextCloud, I'd assume the disk is already spun up?

 

If it is a disk spinning up issue, how do I fix it? Will setting up the NextCloud share to use All Disks be better?

 

And I've accessed server.com/nextcloud/ a few times, getting to the login page, logging in, and eventually timing out with 504 error.  Shouldn't this have resolved itself once the disk is spun up?



 

Yeah, I would have thought.  Not sure then, leave it running and see if that helps after an hour or so?



 

I also realized the internal IP of https://192.168.1.252:444/ no longer works, I assume this is because of the reverse proxy that's been set up?

 

EDIT:

 

I reverted the configs for NextCloud and letsencrypt back to before the reverse proxy attempt, and can confirm I can access NextCloud at the internal IP with no problem.

 

The slow loading of the login page and the timeout after logging in makes me think it's NextCloud that's the problem and not Letsencrypt. I'll try posting in the NextCloud thread.

 

Thanks CHBMB!


Been all morning trying to figure out why I cannot access my website after a memory stick crash and rebuild.

 

I have a backup of the configs and reinstated them but could not connect.

 

I just thought of trying to connect via my mobile 4g and it connected first time.

 

Is there any way I could have banned myself with fail2ban or the like, as the reason for me not being able to access my site from my own broadband connection?

 

Thanks in advance

 

Edit: Just tried via a vpn and connected straight away too, so it seems I have banned myself? How do I go about unbanning myself :)



Exec into the container and use fail2ban-client to unban
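To tell whether your own address is the one fail2ban banned, and in which jail, the ban state can be replayed from fail2ban's own log before running fail2ban-client in the container. This is an added example, not code from the thread or from the linuxserver.io image; the log lines are constructed and the container name letsencrypt is an assumption.

```python
# Added example (not from the thread): rebuild the current fail2ban ban state from its log.
import re
from collections import defaultdict

# fail2ban.log action lines: jail name in brackets, then Ban/Unban and the address.
BAN_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) fail2ban\.actions\s+\[\d+\]: NOTICE\s+\[(?P<jail>[^\]]+)\] "
    r"(?P<action>Ban|Unban) (?P<ip>\S+)$"
)

# Constructed sample log; jail names follow the nginx jails shipped with the image.
SAMPLE_LOG = """\
2017-03-04 09:12:01,114 fail2ban.filter         [314]: INFO    [nginx-http-auth] Found 203.0.113.7
2017-03-04 09:12:05,882 fail2ban.actions        [314]: NOTICE  [nginx-http-auth] Ban 203.0.113.7
2017-03-04 09:20:41,002 fail2ban.actions        [314]: NOTICE  [nginx-badbots] Ban 198.51.100.9
2017-03-04 09:42:05,913 fail2ban.actions        [314]: NOTICE  [nginx-http-auth] Unban 203.0.113.7
2017-03-04 10:03:17,450 fail2ban.actions        [314]: NOTICE  [nginx-http-auth] Ban 203.0.113.7
"""


def active_bans(log_text: str) -> dict[str, set[str]]:
    """Replay Ban/Unban events in order; return jail -> IPs still banned at the end."""
    banned: dict[str, set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = BAN_LINE.match(line)
        if not m:
            continue  # "Found" lines from the filter are not state changes
        ips = banned[m["jail"]]
        if m["action"] == "Ban":
            ips.add(m["ip"])
        else:
            ips.discard(m["ip"])
    return {jail: ips for jail, ips in banned.items() if ips}


def jails_banning(log_text: str, ip: str) -> list[str]:
    """Jails in which `ip` is currently banned (empty list means: not banned)."""
    return sorted(jail for jail, ips in active_bans(log_text).items() if ip in ips)


def unban_commands(log_text: str, ip: str, container: str = "letsencrypt") -> list[str]:
    """fail2ban-client calls that lift the ban, run inside the container via docker exec.

    `container` is an assumed name; use whatever your letsencrypt/SWAG container is called.
    """
    return [f"docker exec {container} fail2ban-client set {jail} unbanip {ip}"
            for jail in jails_banning(log_text, ip)]


if __name__ == "__main__":
    for cmd in unban_commands(SAMPLE_LOG, "203.0.113.7"):
        print(cmd)
```

Feed it the real log with `docker exec <container> cat /config/log/fail2ban/fail2ban.log` and your public address; an empty result means the problem is not a fail2ban ban.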



 

Great, thanks :)


Hello all, hoping for a little help. I've been at this for two days now, and don't have much hair left.

I'm attempting to get LetsEncrypt set up for my Home-Assistant.io docker, but I'm running into a few issues.

 

The first is that I can't seem to get HA to see my certs. I constantly run into the following error.

 

ERROR (MainThread) [homeassistant.bootstrap] Invalid config for [http]: not a file for dictionary value @ data['http']['ssl_certificate']. Got '/certs/etc/letsencrypt/live/mydomain.com/fullchain.pem'

not a file for dictionary value @ data['http']['ssl_key']. Got '/certs/etc/letsencrypt/live/mydomain.com/privkey.pem'

 

/certs/... is a path set up in the Home-Assistant docker pointing to /mnt/user/appdata/letsencrypt/

I'm positive this is a permissions error as I can get around it by copying the pem files out of /archive/myserver.com/ and dropping them directly into the Home-Assistant directory "/mnt/user/appdata/home-assistant"

 

Not quite sure how to change the permissions, still new to all this.

 

 

The second issue I am having is getting the proxy to work correctly. The page is not resolving: "Unable to connect".

https://myservername.com resolves correctly and shows the "Welcome to our Server" page.

The sub I have setup through NoIP is ha.myserver.com

 

I followed the instructions listed here by CHBMB for setting up NextCloud.

So in /letsencrypt/nginx/site-confs I have a file named "ha" with the following in it.

 

server {
    listen 80;
    server_name ha.mydomain.com;
    # corrected: the post as pasted had $requests_uri, which nginx rejects as an unknown variable
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name ha.mydomain.com;

    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie-Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://192.168.1.2:8123;
    }
}

 

The following is the pertinent information from the configuration.yaml file in my Home-Assistant install.

 

http:
  api_password: MyPassword
  base_url: 192.168.1.2:8123
  ssl_certificate: /config/fullchain1.pem
  ssl_key: /config/privkey1.pem

 

Here is some additional info from the HA site regarding the HTTP section of the configuration.yaml.

https://home-assistant.io/components/http/


Unable to give specific help on this, but I would drop trying to get HA to use the certs from LE.  Allow LE to do all the SSL stuff and just get LE to connect to HA via a http reverse proxy

 

Ok, I'm game.

Am I still on the right path with the HA file in the same directory as the default file?


Yeah

 

Sorry man, I'm banging my head against the desk over here.

Anything you can spot that you think is wrong, I'd appreciate the help.

 

Here is my letsencrypt docker setup


 

My Router's Firewall


 

Here is the ha file sitting in /mnt/user/appdata/letsencrypt/nginx/site-confs/ with the default file.

server {
    listen 80;
    server_name ha.mydomain.com;
    # corrected: the post as pasted had $requests_uri, which nginx rejects as an unknown variable
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name ha.mydomain.com;

    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie-Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.1.2:8123;
    }
# closing braces for the location and server blocks (cut off in the post as pasted)
}

 

 

Do the contents of the default file matter at all, if the ha file is what's doing the reverse proxy?

Since Home-Assistant is running in another docker on the same machine, should the proxy_pass be the IP or localhost, or does it even matter?

I've been working on this for so long now, and I don't fully comprehend the syntax of this HA file, I feel like I'm overlooking something stupid.

 

 

Thanks again for any help offered.

 

 

 

 


First confirm that the ha subdomain works by directing the ha site config to a static html file (remove just the proxy bit and it should open the Welcome page)

 

Then you can see if the reverse proxy works.

 

Does the home assistant page work at that ip and port 8123?

 

You can also try adding in the include for proxy.conf as shown in the examples. That contains specific rules to make the proxies work.


Alright, I think I'm making some progress.

I've got it working, but the redirect all traffic to https portion is causing issues.

If I unhash it, the page fails to load no matter if I manually specify https or not.

 

Is there something wrong with the servername portion?

#server {
#       listen         80;
#       server_name    ha.mydomain.com;
#       # note: nginx's variable is $request_uri; $requests_uri is undefined, so nginx fails to load this config once the block is uncommented
#       return         301 https://$server_name$requests_uri;
#}

 

Other than that, the last hurdle is that I can't log into home-assistant when I load up the secure link. Not via https://ha.mydomain.com or https://192.168.1.2:8123

After I enter the password, it just spins for a bit and then I get a notice below the password field of Unable to Connect. Have you ever run into an issue like that with a proxy?

 

REALLY! Thank you for the help.

 

 


Having a strange issue when updating muximux from 1.0 to 2.0

 

In config I have

 

location /admin {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;
}

 

This allows me to lock down the /admin directory which is where I run Muximux.

 

Into this directory I pasted the contents of the muximux 1 docker and I am fine, but when I go to replace it with 2 I just get a white screen in Safari and a 500 error in Chrome.

 

I have run chmod 777 and 775 on the directory to try and default permissions with no luck and have tried to restart the docker but nothing.

 

Any ideas?


Hi ritalin

 

I have this Letsencrypt / Nginx docker, and the Home Assistant docker setup working.

Just wanted to check if you've had a read of the Home Assistant team's guide for setting up Nginx: https://home-assistant.io/ecosystem/nginx/

Specifically their sample config in step 8 (looks like you've already done the rest).

This is what I based my config on, and having a quick look over your config it seems to be missing a few settings/parameters.

 

I'm by no means an expert with Nginx or docker, but if you're still having issues I can post a copy of my configs.


What version of nginx is included with this? Does it support stream? I'd like to use this same docker to handle non-http traffic as well. I'd like to have this handle vnc and ssh for certain domains. Is this possible?

https://pkgs.alpinelinux.org/package/v3.4/main/x86_64/nginx

 

No stream mod in this version, but the next version will include it. No eta yet (currently testing it)

 

With the recent changes, has stream mod made it in yet?


https://github.com/linuxserver/docker-letsencrypt/blob/master/Dockerfile#L38


So I'm trying to configure proxy_pass for this docker to point example.com/request to my plex request docker. I've been looking on this forum and the internet and no solutions seem to work. I made my server config very simple:

 

server {
listen 80 default_server;
server_name _;
location / {
	#include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.90:3000;
}
#return 301 https://$host$request_uri;
}

 

This works and shows me the plex request page.

 

When I make it this:

 

server {
listen 80 default_server;
server_name _;
location /request {
	#include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.90:3000;
}
#return 301 https://$host$request_uri;
}

 

it doesn't work. I've also tried with location as

/request/

 

That didn't work either. So my letsencrypt docker is set up to have an external port of 83. When I go to http://192.168.1.90:83/request/ for some reason it redirects the URL to http://192.168.1.90/request/ which isn't correct.

 

Does this have something to do with setting up other proxy headers?
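The subfolder trouble in this post, and the /nextcloud proxy at the top of the thread, both come down to how nginx rewrites the request URI depending on whether proxy_pass carries a URI part. The model below is an added example, not code from the thread or from the linuxserver.io project; it covers only static prefix locations (no regex locations, no variables in proxy_pass).

```python
# Added example (not from the thread): a model of nginx's proxy_pass URI mapping for a
# prefix location, plus the two checks a reviewer would run on the configs posted above.
from urllib.parse import urlsplit


def _prefix(location: str) -> str:
    """Strip a '^~' modifier, leaving the path prefix of a `location` directive."""
    return location.split()[-1]


def upstream_uri(location: str, proxy_pass: str, request_uri: str) -> str:
    """Path nginx forwards upstream for a request matched by a prefix `location`.

    nginx rule: if proxy_pass has a URI part (anything after host:port, even a lone "/"),
    the part of the request URI that matched the location prefix is replaced by that URI;
    if proxy_pass has no URI part, the request URI is forwarded unchanged.
    """
    prefix = _prefix(location)
    if not request_uri.startswith(prefix):
        raise ValueError(f"{request_uri!r} is not matched by location {prefix!r}")
    pass_uri = urlsplit(proxy_pass).path
    if pass_uri == "":
        return request_uri  # backend receives /request/... and must know that prefix
    return pass_uri + request_uri[len(prefix):]


def review(location: str, proxy_pass: str) -> list[str]:
    """Warnings for the two mistakes the posts in this thread ran into."""
    prefix = _prefix(location)
    pass_uri = urlsplit(proxy_pass).path
    warnings = []
    if pass_uri == "" and prefix != "/":
        warnings.append(
            f"proxy_pass has no URI: backend receives '{prefix}/...' unchanged; "
            f"use 'proxy_pass {proxy_pass}/;' to strip the prefix")
    if pass_uri.endswith("/") and not prefix.endswith("/"):
        warnings.append(
            f"location '{prefix}' lacks a trailing slash but proxy_pass has one: "
            f"'{prefix}/x' is sent as '{pass_uri}/x' (double slash); use 'location {prefix}/'")
    return warnings


if __name__ == "__main__":
    # The broken config from this post and the /nextcloud block from the first post.
    for loc, pp in [("/request", "http://192.168.1.90:3000"),
                    ("^~ /nextcloud", "http://192.168.1.252:444/")]:
        print(loc, "->", upstream_uri(loc, pp, f"{_prefix(loc)}/login"), review(loc, pp))
```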

 

