[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

What version of nginx is included with this? Does it support stream? I'd like to use this same docker to handle non-HTTP traffic as well. I'd like to have this handle VNC and SSH for certain domains. Is this possible?

https://pkgs.alpinelinux.org/package/v3.4/main/x86_64/nginx

 

No stream module in this version, but the next version will include it. No ETA yet (currently testing it).

 

With the recent changes, has the stream module made it in yet?

 

https://github.com/linuxserver/docker-letsencrypt/blob/master/Dockerfile#L38

 

Hmmm, that implies it is there, but I get an error when using stream in my config files. 

 

nginx: [emerg] unknown directive "stream"

 

Anyone have this working?  Does something need to be flagged to enable?

Link to comment
Hi ritalin

 

I have this Letsencrypt / Nginx docker, and the Home Assistant docker setup working.

Just wanted to check if you've had a read of the Home Assistant team's guide for setting up Nginx: https://home-assistant.io/ecosystem/nginx/

Specifically their sample config in step 8 (looks like you've already done the rest).

This is what I based my config on, and having a quick look over your config it seems to be missing a few settings/parameters.

 

I'm by no means an expert with Nginx or docker, but if you're still having issues I can post a copy of my configs.

 

TYLER!!! Thank you man. Seriously thank you a lot.

I had to fiddle with the file provided in the link a bit but I finally got it up and running.

I'm going to post again after this with the settings I'm using, just in case anyone else comes across this thread needing help with Home-Assistant and LetsEncrypt.

  • Like 1
Link to comment

Home-Assistant Docker with LetsEncrypt Docker setup on a sub domain

 

Considering I spent/wasted a good deal of time running around in circles trying to get this working and looking at various locations for info, I thought it would be nice to share my setup just in case someone else is going through the same thing.

 

Here is how I have my sub domain encrypted and set up as a reverse proxy through nginx in LetsEncrypt.

 

My letsencrypt docker setup

Letsencrypt_docker.jpg

 

My Router's Firewall

Port_Forward.jpg

 

The http: section of configuration.yaml for Home-Assistant

http:
  api_password: MyPassWord
  base_url: 192.168.1.2:8123

 

A secondary file named "ha" in the /nginx/site-confs directory containing the following code.

    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        # Update this line to be your domain
        server_name SUB.MYDOMAIN.com;

        # These shouldn't need to be changed
        listen 80 default_server;
        #listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;
    }

    server {
        # Update this line to be your domain
        server_name SUB.MYDOMAIN.com;

        # Ensure these lines point to your SSL certificate and key
        ssl_certificate /config/etc/letsencrypt/live/MYDOMAIN.COM/fullchain.pem;
        ssl_certificate_key /config/etc/letsencrypt/live/MYDOMAIN.COM/privkey.pem;
        # Use these lines instead if you created a self-signed certificate
        # ssl_certificate /etc/nginx/ssl/cert.pem;
        # ssl_certificate_key /etc/nginx/ssl/key.pem;

        # Ensure this line points to your dhparams file
        ssl_dhparam /config/nginx/dhparams.pem;


        # These shouldn't need to be changed
        listen 443 ssl ;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        ssl on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        proxy_buffering off;

        location / {
            # Update this line to be your HA servers local ip and port
            proxy_pass http://192.168.1.2:8123;
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

 

Start up your HA and LetsEncrypt Docker and you should now be able to securely access Home-Assistant from outside your network.

 

Thank you again to Tyler, Aptalca and CHBMB for your help.

  • Upvote 2
Link to comment

TYLER!!! Thank you man. Seriously thank you a lot.

I had to fiddle with the file provided in the link a bit but I finally got it up and running.

I'm going to post again after this with the settings I'm using, just in case anyone else comes across this thread needing help with Home-Assistant and LetsEncrypt.

 

No problem, glad it helped.

 

Just a suggestion for the Home Assistant config, you probably want to enable the configuration option for "use_x_forwarded_for" so the client's IP address is passed to Home Assistant rather than the IP of the Nginx docker.

This also allows you to use the IP Ban options.  More details on the Home Assistant HTTP config page: https://home-assistant.io/components/http/

Here's a sample config for Home Assistant:

http:
  api_password: MyPassWord
  base_url: SUB.MYDOMAIN.com:8123
  use_x_forwarded_for: True
  ip_ban_enabled: True
  login_attempts_threshold: 5

 

And on the Nginx config side you've already got the relevant Proxy setting enabled:

server {
    ...
    location / {
        ...
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        ...
    }
}

 

That being said, if you're security conscious you're likely far better off managing things at the Nginx layer. And it's great that this docker already has Fail2ban built in.

  • Upvote 1
Link to comment
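Pulling the "ha" site-conf from the Home-Assistant post and the X-Forwarded-For suggestion above into one block, here is a hardened version of that server block. This is an added example, not the poster's config or the container's default: it keeps the same structure but drops TLS 1.0/1.1 and the redundant `ssl on;`, and overwrites X-Forwarded-For instead of appending to it. Assumptions: the certificate path is the `/config/keys/letsencrypt` one from the container's default config, `SUB.MYDOMAIN.com` and `192.168.1.2:8123` are placeholders, and nothing sits in front of this nginx (no CDN or second proxy).

```nginx
# Added example: hardened Home Assistant site-conf for /config/nginx/site-confs/ha.
# Not the original poster's config; hostnames and addresses are placeholders.

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 80;
    server_name SUB.MYDOMAIN.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name SUB.MYDOMAIN.com;

    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam         /config/nginx/dhparams.pem;

    # TLS 1.2 only, forward-secret AEAD suites only. "ssl on;" from the
    # original is dropped: "listen 443 ssl" already enables TLS and the
    # directive is deprecated.
    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE+AESGCM:DHE+AESGCM:!aNULL:!eNULL:!MD5:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;

    # "always" makes the header go out on error responses as well.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    location / {
        proxy_pass http://192.168.1.2:8123;   # placeholder: HA on the LAN
        proxy_http_version 1.1;
        proxy_buffering off;

        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Weak (original): $proxy_add_x_forwarded_for APPENDS to whatever
        # X-Forwarded-For the client sent, so a client can send
        # "X-Forwarded-For: 203.0.113.9" and the backend receives
        # "203.0.113.9, <real address>". A backend that reads the leftmost
        # entry then bans the wrong address, or never bans the attacker.
        #   proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Hardened: this nginx is the edge, so send only the real peer.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two caveats go with `use_x_forwarded_for: True`. First, the header is only trustworthy if Home Assistant cannot be reached except through this proxy: if port 8123 is open to the LAN (or, worse, forwarded on the router), anyone who connects directly can set X-Forwarded-For to whatever they like and the overwrite above never happens. Second, if you later put another proxy or a CDN in front of nginx, `$remote_addr` becomes that proxy's address and you need nginx's `real_ip` directives (`set_real_ip_from` / `real_ip_header`) scoped to that proxy's address ranges rather than blind trust in the header. Check the result with `nginx -t` inside the container before restarting.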

Default config:

    # listening on port 80 disabled by default, remove the "#" signs to enable
    # redirect all traffic to https
    #server {
    #    listen 80;
    #    server_name my_server;
    #    return 301 https://$host$request_uri;
    #}

    # main server block
    server {
        listen 443 ssl;

        root /config/www;
        index index.html index.htm index.php;

        server_name _;

        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;

        client_max_body_size 0;

        location / {
            try_files $uri $uri/ /index.html /index.php?$args =404;
        }

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            # With php7-cgi alone:
            fastcgi_pass 127.0.0.1:9000;
            # With php7-fpm:
            #fastcgi_pass unix:/var/run/php7-fpm.sock;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
        }

        # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
        # notice this is within the same server block as the base
        # don't forget to generate the .htpasswd file as described on docker hub
        location ^~ /cp {
            auth_basic "Restricted";
            auth_basic_user_file /config/nginx/.htpasswd;
            include /config/nginx/proxy.conf;
            proxy_pass http://192.168.7.11:5050/;
        }
    }

    # sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
    # notice this is a new server block, you need a new server block for each subdomain
    #server {
    #    listen 443 ssl;
    #
    #    root /config/www;
    #    index index.html index.htm index.php;
    #
    #    server_name cp.*;
    #
    #    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    #    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    #    ssl_dhparam /config/nginx/dhparams.pem;
    #    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    #    ssl_prefer_server_ciphers on;
    #
    #    client_max_body_size 0;
    #
    #    location / {
    #        auth_basic "Restricted";
    #        auth_basic_user_file /config/nginx/.htpasswd;
    #        include /config/nginx/proxy.conf;
    #        proxy_pass http://192.168.7.11:5050;
    #    }
    #}

Link to comment
On 2/17/2017 at 3:11 PM, jfrancais said:

 

Hmmm, that implies it is there, but I get an error when using stream in my config files. 

 

nginx: [emerg] unknown directive "stream"

 

Anyone have this working?  Does something need to be flagged to enable?

Anyone got stream working?  All my searching still seems to point to stream module not enabled.

Link to comment

I'm still looking for some pointers as to how to get some of my services working via nginx. The lets encrypt part works fine, I can see the page that says:

Welcome to our server

The website is currently being setup under this address.

For help and support, please contact: [email protected]

 

I have forwarded 443 on my router etc. and can see that page when I try and access remotely but if I try and set up something like couch potato then I still see the same page even though the url shows the login information that you'd normally see for couch potato.

Link to comment

Trying to get this setup but the container stops as soon as it is started.

I'm seeing the below in syslog.

 

Anyone have any ideas?

Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered blocking state
Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered disabled state
Feb 21 20:10:13 Perks-NAS kernel: device veth847b694 entered promiscuous mode
Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered blocking state
Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered forwarding state
Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered disabled state
Feb 21 20:10:14 Perks-NAS kernel: eth0: renamed from veth5c8720b
Feb 21 20:10:14 Perks-NAS kernel: docker0: port 1(veth847b694) entered blocking state
Feb 21 20:10:14 Perks-NAS kernel: docker0: port 1(veth847b694) entered forwarding state

 

Link to comment
9 minutes ago, Niallain said:

Trying to get this setup but the container stops as soon as it is started.

I'm seeing the below in syslog.

 

Anyone have any ideas?


Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered blocking state
Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered disabled state
Feb 21 20:10:13 Perks-NAS kernel: device veth847b694 entered promiscuous mode
Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered blocking state
Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered forwarding state
Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered disabled state
Feb 21 20:10:14 Perks-NAS kernel: eth0: renamed from veth5c8720b
Feb 21 20:10:14 Perks-NAS kernel: docker0: port 1(veth847b694) entered blocking state
Feb 21 20:10:14 Perks-NAS kernel: docker0: port 1(veth847b694) entered forwarding state

 

That all looks normal to me, post your docker run command, link in my sig.

Link to comment
32 minutes ago, CHBMB said:

That all looks normal to me, post your docker run command, link in my sig.

Command:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name="letsencrypt"

 

Edited by Niallain
removing sensitive information
Link to comment
39 minutes ago, Niallain said:

Command:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="Europe/London" -e HOST_OS="unRAID" -e "EMAIL"="xxxxxxxx" -e "URL"="xxxxxxxxxx" -e "SUBDOMAINS"="www,request,stats,cp,sb,sr" -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -p 81:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt
9755b3c412186846761ab161d81924628705180b92bafa4be47029fb69c76852

The command finished successfully!

 

Can you post your docker log?

Edited by CHBMB
Link to comment
6 hours ago, jfrancais said:

Anyone got stream working?  All my searching still seems to point to stream module not enabled.

OK, I made some headway on stream. I was able to enable stream by adding the following to my nginx.conf file:

load_module "modules/ngx_stream_module.so";

Now I'm able to flow my VNC traffic through. Unfortunately it doesn't help me with my overall goal. I was hoping to do TCP forwarding based on the hostname (i.e. vnc.address.com and vnc2.address.com would both go to nginx and forward to the appropriate VNC backend). Looks like I need nginx 1.11.5 before I can continue on that path:

http://stackoverflow.com/questions/34741571/nginx-tcp-forwarding-based-on-hostname

Link to comment
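For anyone picking up the hostname-based forwarding idea above once the container ships an nginx that is new enough, here is what the stream configuration looks like. This is an added example, not the container's nginx.conf: it assumes nginx 1.11.5 or later (for `ssl_preread`), the `modules/ngx_stream_module.so` path from the post above, placeholder hostnames and backend addresses, and that the `http{}` block pulls in the site-confs directory mentioned earlier in the thread. It is a complete nginx.conf rather than a site-conf, because `load_module` and `stream{}` are only valid at top level, outside `http{}`.

```nginx
# Added example (not the container's nginx.conf): route TLS connections on 443
# to TCP backends by SNI. Hostnames, addresses and the site-confs include path
# are assumptions.

load_module "modules/ngx_stream_module.so";

events {
    worker_connections 1024;
}

stream {
    # $ssl_preread_server_name is the SNI from the ClientHello. nginx reads it
    # without terminating TLS, so each backend still presents its own cert.
    map $ssl_preread_server_name $backend {
        vnc.example.com   192.168.1.10:5901;   # VNC wrapped in TLS on the backend
        vnc2.example.com  192.168.1.11:5901;
        default           127.0.0.1:8443;      # no/unknown SNI: local HTTPS sites
    }

    server {
        listen 443;
        ssl_preread on;
        proxy_pass $backend;
        proxy_connect_timeout 5s;
    }
}

http {
    # stream{} owns 443 now, so every site-conf must "listen 8443 ssl" instead.
    include /config/nginx/site-confs/*;
}
```

Two things a practitioner should check before relying on this. Plain VNC or SSH never sends a TLS ClientHello, so `$ssl_preread_server_name` is empty, the connection falls to `default` and fails; hostname routing only works when the client side wraps the session in TLS (a stunnel-style wrapper, or an SSH/VNC client that speaks TLS), otherwise you need one `listen` port per service in `stream{}` with no SNI map at all. And because the HTTPS sites are now reached through a local hop, `$remote_addr` in `http{}` is 127.0.0.1, which breaks the X-Forwarded-For, IP-ban and Fail2ban logic discussed earlier; to keep the real client address, add `proxy_protocol on;` to the stream server, `listen 8443 ssl proxy_protocol;` in the site-confs, and `set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol;` in `http{}`. Validate with `nginx -t` before restarting the container.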

So would anyone like to help me setup Lets Encrypt?  I just can't figure it out.  We could use Team Viewer.  Thinking Thursday sometime if that would work for anyone.  I live in the USA on the east coast.  Just let me know ahead of time what information you might need so I can have it all ready to go.  Feel free to PM if you want.

 

Thanks

Link to comment
