jfrancais Posted February 17, 2017

What version of nginx is included with this? Does it support stream? I'd like to use this same docker to handle non-HTTP traffic as well. I'd like to have this handle VNC and SSH for certain domains. Is this possible?

https://pkgs.alpinelinux.org/package/v3.4/main/x86_64/nginx

No stream mod in this version, but the next version will include it. No ETA yet (currently testing it).

With the recent changes, has stream mod made it in yet?

https://github.com/linuxserver/docker-letsencrypt/blob/master/Dockerfile#L38

Hmmm, that implies it is there, but I get an error when using stream in my config files:

    nginx: [emerg] unknown directive "stream"

Anyone have this working? Does something need to be flagged to enable?
ritalin Posted February 17, 2017

Hi ritalin, I have this Letsencrypt / Nginx docker and the Home Assistant docker setup working. Just wanted to check if you've had a read of the Home Assistant team's guide for setting up Nginx: https://home-assistant.io/ecosystem/nginx/ Specifically their sample config in step 8 (looks like you've already done the rest). This is what I based my config on, and having a quick look over your config it seems to be missing a few settings/parameters. I'm by no means an expert with Nginx or docker, but if you're still having issues I can post a copy of my configs.

TYLER!!! Thank you man. Seriously, thank you a lot. I had to fiddle with the file provided in the link a bit but I finally got it up and running. I'm going to post again after this with the settings I'm using just in case anyone else comes across this thread needing help with Home-Assistant and LetsEncrypt.
ritalin Posted February 17, 2017

Home-Assistant Docker with LetsEncrypt Docker setup on a sub domain

Considering I spent/wasted a good deal of time running around in circles trying to get this working and looking at various locations for info, I thought it would be nice to share my setup just in case someone else is going through the same thing. Here is how I have my sub domain encrypted and set up as a reverse proxy through nginx in LetsEncrypt.

My letsencrypt docker setup

My Router's Firewall

The configuration.yaml HTML section for Home-Assistant:

    http:
      api_password: MyPassWord
      base_url: 192.168.1.2:8123

A secondary file named "ha" in the /nginx/site-confs directory containing the following code:

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    server {
        # Update this line to be your domain
        server_name SUB.MYDOMAIN.com;

        # These shouldn't need to be changed
        listen 80 default_server;
        #listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;
    }

    server {
        # Update this line to be your domain
        server_name SUB.MYDOMAIN.com;

        # Ensure these lines point to your SSL certificate and key
        ssl_certificate /config/etc/letsencrypt/live/MYDOMAIN.COM/fullchain.pem;
        ssl_certificate_key /config/etc/letsencrypt/live/MYDOMAIN.COM/privkey.pem;
        # Use these lines instead if you created a self-signed certificate
        # ssl_certificate /etc/nginx/ssl/cert.pem;
        # ssl_certificate_key /etc/nginx/ssl/key.pem;

        # Ensure this line points to your dhparams file
        ssl_dhparam /config/nginx/dhparams.pem;

        # These shouldn't need to be changed
        listen 443 ssl;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        ssl on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        proxy_buffering off;

        location / {
            # Update this line to be your HA server's local ip and port
            proxy_pass http://192.168.1.2:8123;
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

Start up your HA and LetsEncrypt Docker and you should now be able to securely access Home-Assistant from outside your network.

Thank you again to Tyler, Aptalca and CHBMB for your help.
Tyler Posted February 18, 2017

TYLER!!! Thank you man. Seriously, thank you a lot. I had to fiddle with the file provided in the link a bit but I finally got it up and running. I'm going to post again after this with the settings I'm using just in case anyone else comes across this thread needing help with Home-Assistant and LetsEncrypt.

No problem, glad it helped. Just a suggestion for the Home Assistant config: you probably want to enable the configuration option for "use_x_forwarded_for" so the client's IP address is passed to Home Assistant rather than the IP of the Nginx docker. This also allows you to use the IP Ban options. More details on the Home Assistant HTTP config page: https://home-assistant.io/components/http/

Here's a sample config for Home Assistant:

    http:
      api_password: MyPassWord
      base_url: SUB.MYDOMAIN.com:8123
      use_x_forwarded_for: True
      ip_ban_enabled: True
      login_attempts_threshold: 5

And on the Nginx config side you've already got the relevant proxy setting enabled:

    server {
        ...
        location / {
            ...
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            ...
        }
    }

That being said, if you're security conscious you're likely far better off managing things at the Nginx layer. And it's great that this docker already has Fail2ban built in.
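Both the proxy block in ritalin's "ha" site config (proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for) and Tyler's use_x_forwarded_for suggestion rely on Home Assistant believing a header that nginx writes. The Python below is an added illustration, not code from this thread, from Home Assistant or from nginx: it models what $proxy_add_x_forwarded_for appends, and shows how a backend should derive the client address only when the direct peer is a known proxy. The proxy address 192.168.1.10 and the client addresses are constructed placeholders; in the setup above, where Home Assistant on 192.168.1.2:8123 is also reachable without going through nginx, the difference between the naive and the checked version is exactly what decides whether an IP ban keys on the real client.

```python
import ipaddress
from typing import Optional

# Constructed assumption: the nginx container is the only host whose
# X-Forwarded-For should be believed. In the thread's setup this would be the
# letsencrypt container's address; 192.168.1.10 is a placeholder.
TRUSTED_PROXIES = (ipaddress.ip_network("192.168.1.10/32"),)


def proxy_add_x_forwarded_for(incoming_xff: Optional[str], remote_addr: str) -> str:
    """Model of nginx's $proxy_add_x_forwarded_for: the peer's address is
    appended to whatever X-Forwarded-For the client sent; nothing is removed."""
    return f"{incoming_xff}, {remote_addr}" if incoming_xff else remote_addr


def _is_trusted(addr: str, trusted) -> bool:
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def naive_client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """What a backend does when it trusts the header unconditionally: take the
    leftmost entry. Anyone who can reach the backend port directly controls it."""
    return xff.split(",")[0].strip() if xff else remote_addr


def client_ip(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> str:
    """Address an IP ban or rate limit should be keyed on.

    The header is only consulted when the direct peer is a trusted proxy. It is
    then walked from the right (the end our proxy appended), skipping further
    trusted hops; the first untrusted address is the real client. Entries the
    client itself supplied sit further left and are never reached.
    """
    if not xff or not _is_trusted(remote_addr, trusted):
        return remote_addr
    for hop in reversed([h.strip() for h in xff.split(",")]):
        if not _is_trusted(hop, trusted):
            return hop
    return remote_addr


if __name__ == "__main__":
    # Constructed scenario: a client at 203.0.113.5 sends a forged header
    # through the proxy and, separately, straight to the backend port.
    via_proxy = proxy_add_x_forwarded_for("10.0.0.1", "203.0.113.5")
    print("header seen by backend:", via_proxy)
    print("through proxy:", client_ip("192.168.1.10", via_proxy))
    print("direct, naive:", naive_client_ip("203.0.113.5", "10.0.0.1"))
    print("direct, checked:", client_ip("203.0.113.5", "10.0.0.1"))
```

The walk-from-the-right rule is what makes the header safe to use at all: the rightmost entry is the one address the trusted proxy observed, everything to its left is untrusted client input. If the backend cannot be made to check the peer, the alternative is the one Tyler already names, doing the banning in nginx (Fail2ban) where the peer address is known directly.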
allanp81 Posted February 18, 2017

Can anyone help me please? I've got Let's Encrypt working but cannot for the life of me get something like Couch Potato to work via the proxy part. I've set it so that it should be https://myserver/cp and it kind of looks like it works as the URL changes automatically to the login URL, but the page itself just still shows the default index.html.
Shamalamadindong Posted February 18, 2017

Post your config.
allanp81 Posted February 18, 2017

Default config:

    # listening on port 80 disabled by default, remove the "#" signs to enable
    # redirect all traffic to https
    #server {
    #    listen 80;
    #    server_name my_server;
    #    return 301 https://$host$request_uri;
    #}

    # main server block
    server {
        listen 443 ssl;

        root /config/www;
        index index.html index.htm index.php;

        server_name _;

        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;

        client_max_body_size 0;

        location / {
            try_files $uri $uri/ /index.html /index.php?$args =404;
        }

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            # With php7-cgi alone:
            fastcgi_pass 127.0.0.1:9000;
            # With php7-fpm:
            #fastcgi_pass unix:/var/run/php7-fpm.sock;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
        }

        # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
        # notice this is within the same server block as the base
        # don't forget to generate the .htpasswd file as described on docker hub
        location ^~ /cp {
            auth_basic "Restricted";
            auth_basic_user_file /config/nginx/.htpasswd;
            include /config/nginx/proxy.conf;
            proxy_pass http://192.168.7.11:5050/;
        }
    }

    # sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
    # notice this is a new server block, you need a new server block for each subdomain
    #server {
    #    listen 443 ssl;
    #
    #    root /config/www;
    #    index index.html index.htm index.php;
    #
    #    server_name cp.*;
    #
    #    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    #    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    #    ssl_dhparam /config/nginx/dhparams.pem;
    #    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    #    ssl_prefer_server_ciphers on;
    #
    #    client_max_body_size 0;
    #
    #    location / {
    #        auth_basic "Restricted";
    #        auth_basic_user_file /config/nginx/.htpasswd;
    #        include /config/nginx/proxy.conf;
    #        proxy_pass http://192.168.7.11:5050;
    #    }
    #}
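The two sample blocks in that default config differ in one detail that decides which path the backend sees: the base-URL block uses proxy_pass with a URI part (http://192.168.7.11:5050/), the subdomain block uses one without. The Python below is an added model of the two documented nginx rules involved (a prefix location matches any request URI that starts with it, longest prefix winning; a proxy_pass with a URI part replaces the matched prefix with that URI, one without forwards the request URI unchanged). It is an illustration written for this thread, not nginx code, and it is run over paths from the posted config: a request under /cp is proxied, but a request for a path outside that prefix, such as a backend redirect to /login/, falls into location / and is served from /config/www.

```python
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# (prefix, proxy_pass) pairs; None means the location serves local files.
Location = Tuple[str, Optional[str]]

# The posted "main server block": location / serves /config/www and
# location ^~ /cp proxies to CouchPotato with a URI part on proxy_pass.
BASE_URL_SERVER: List[Location] = [("/", None), ("/cp", "http://192.168.7.11:5050/")]
# The posted (commented-out) subdomain block: everything proxied, no URI part.
SUBDOMAIN_SERVER: List[Location] = [("/", "http://192.168.7.11:5050")]


def match_location(locations: List[Location], request_uri: str) -> Location:
    """Longest-prefix match among plain / ^~ prefix locations. Regex locations
    (such as the posted 'location ~ \\.php$') are out of scope for this model."""
    best: Optional[Location] = None
    for prefix, target in locations:
        if request_uri.startswith(prefix) and (best is None or len(prefix) > len(best[0])):
            best = (prefix, target)
    if best is None:
        raise ValueError("no matching location; the posted config always has 'location /'")
    return best


def upstream_uri(prefix: str, proxy_pass: str, request_uri: str) -> str:
    """proxy_pass with a URI part: the matched prefix is replaced by that part,
    literally (so 'location /cp' plus 'proxy_pass .../' turns '/cp/login/' into
    '//login/'). Without a URI part the request URI is passed as-is."""
    path = urlsplit(proxy_pass).path
    return (path + request_uri[len(prefix):]) if path else request_uri


def forward(locations: List[Location], request_uri: str) -> Tuple[str, str]:
    """Return (where the request goes, the URI it is sent with)."""
    prefix, target = match_location(locations, request_uri)
    if target is None:
        return ("local:/config/www", request_uri)
    return (urlsplit(target).netloc, upstream_uri(prefix, target, request_uri))


if __name__ == "__main__":
    # Constructed request sequence: the base URL, then the path an application
    # redirects to when it does not know it lives under /cp.
    for uri in ("/cp", "/cp/login/", "/login/", "/cpanel"):
        print(uri, "->", forward(BASE_URL_SERVER, uri))
    print("/login/ (subdomain block) ->", forward(SUBDOMAIN_SERVER, "/login/"))
```

Two things the model makes visible: the prefix /cp also captures /cpanel (prefix matching is plain string prefix, which is why auth_basic in that block covers more than the literal path), and the literal substitution produces a double slash for /cp/login/; giving the location and the proxy_pass URI matching trailing slashes (/cp/ and .../) avoids that. Whether a given application then works under a sub-path depends on it generating links and redirects that keep the /cp base, which is what the subdomain variant sidesteps.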
Shamalamadindong Posted February 19, 2017

I assume you did generate the httppassword file?
allanp81 Posted February 19, 2017

Yes, that appears to work ok as it prompts. I've tried removing that section from the default file and same issue.
rix Posted February 19, 2017

Thank you very much for the upgrade to PHP7!
jrdnlc Posted February 21, 2017

I'm trying to host a service but the XML parser PHP extension is needed. Can you guys add this to the docker?
jfrancais Posted February 21, 2017

On 2/17/2017 at 3:11 PM, jfrancais said:

Hmmm, that implies it is there, but I get an error when using stream in my config files:

    nginx: [emerg] unknown directive "stream"

Anyone have this working? Does something need to be flagged to enable?

Anyone got stream working? All my searching still seems to point to the stream module not being enabled.
allanp81 Posted February 21, 2017

I'm still looking for some pointers as to how to get some of my services working via nginx. The Let's Encrypt part works fine, I can see the page that says:

    Welcome to our server
    The website is currently being setup under this address.
    For help and support, please contact: [email protected]

I have forwarded 443 on my router etc. and can see that page when I try and access remotely, but if I try and set up something like Couch Potato then I still see the same page even though the URL shows the login information that you'd normally see for Couch Potato.
CHBMB Posted February 21, 2017

Unless you post your config then we can't point out what's wrong.
allanp81 Posted February 21, 2017

1 hour ago, CHBMB said:

Unless you post your config then we can't point out what's wrong.

I've managed to get it working now using the following guide: http://cyanlabs.net/tutorials/the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/
Niallain Posted February 21, 2017

Trying to get this set up but the container stops as soon as it is started. I'm seeing the below in syslog. Anyone have any ideas?

    Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered blocking state
    Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered disabled state
    Feb 21 20:10:13 Perks-NAS kernel: device veth847b694 entered promiscuous mode
    Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered blocking state
    Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered forwarding state
    Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered disabled state
    Feb 21 20:10:14 Perks-NAS kernel: eth0: renamed from veth5c8720b
    Feb 21 20:10:14 Perks-NAS kernel: docker0: port 1(veth847b694) entered blocking state
    Feb 21 20:10:14 Perks-NAS kernel: docker0: port 1(veth847b694) entered forwarding state
CHBMB Posted February 21, 2017

9 minutes ago, Niallain said:

Trying to get this set up but the container stops as soon as it is started. I'm seeing the below in syslog. Anyone have any ideas?

    Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered blocking state
    Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered disabled state
    Feb 21 20:10:13 Perks-NAS kernel: device veth847b694 entered promiscuous mode
    Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered blocking state
    Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered forwarding state
    Feb 21 20:10:13 Perks-NAS kernel: docker0: port 1(veth847b694) entered disabled state
    Feb 21 20:10:14 Perks-NAS kernel: eth0: renamed from veth5c8720b
    Feb 21 20:10:14 Perks-NAS kernel: docker0: port 1(veth847b694) entered blocking state
    Feb 21 20:10:14 Perks-NAS kernel: docker0: port 1(veth847b694) entered forwarding state

That all looks normal to me, post your docker run command, link in my sig.
Niallain Posted February 21, 2017 (edited)

32 minutes ago, CHBMB said:

That all looks normal to me, post your docker run command, link in my sig.

Command:

    root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name="letsencrypt"

Edited February 21, 2017 by Niallain: removing sensitive information
CHBMB Posted February 21, 2017 (edited)

39 minutes ago, Niallain said:

Command:

    root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="Europe/London" -e HOST_OS="unRAID" -e "EMAIL"="xxxxxxxx" -e "URL"="xxxxxxxxxx" -e "SUBDOMAINS"="www,request,stats,cp,sb,sr" -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -p 81:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt
    9755b3c412186846761ab161d81924628705180b92bafa4be47029fb69c76852
    The command finished successfully!

Can you post your docker log?

Edited February 21, 2017 by CHBMB
Niallain Posted February 21, 2017

6 minutes ago, CHBMB said:

Can you post your docker log?

My bad, didn't open the port on my router. Fixed now.
CHBMB Posted February 21, 2017

11 minutes ago, Niallain said:

My bad, didn't open the port on my router. Fixed now.

Bloody Welsh.... (More than a touch of Welsh in me, so I think I'm allowed to say this.)
jfrancais Posted February 21, 2017

6 hours ago, jfrancais said:

Anyone got stream working? All my searching still seems to point to the stream module not being enabled.

OK, I made some headway on stream. I was able to enable stream by adding the following to my nginx.conf file:

    load_module "modules/ngx_stream_module.so";

Now I'm able to flow my VNC traffic through. Unfortunately it doesn't help me with my overall goal. I was hoping to do TCP forwarding based on the hostname (i.e. vnc.address.com and vnc2.address.com would both go to nginx and forward to the appropriate VNC backend). Looks like I need nginx 1.11.5 before I can continue on that path: http://stackoverflow.com/questions/34741571/nginx-tcp-forwarding-based-on-hostname
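Forwarding a raw TCP connection by hostname is only possible when the first bytes on the wire carry a hostname, and for TLS that is the server_name (SNI) extension of the ClientHello; reading it before any byte is proxied is what the nginx stream module's ssl_preread (ngx_stream_ssl_preread_module, available from 1.11.5, exposing $ssl_preread_server_name) does, which is why the 1.11.5 requirement above exists. A plain RFB/VNC or SSH connection carries no such name, so those protocols can only be routed this way once they are wrapped in TLS. The Python below is an added illustration written for this thread, not code from nginx or from the poster: it builds a minimal ClientHello with an SNI extension as constructed sample input, parses the name back out, and selects a backend with it. The hostnames are the ones from the post; the backend addresses and port are placeholders.

```python
import struct
from typing import Dict, Optional, Tuple

# Constructed backend table: hostnames from the post, placeholder addresses
# for two VNC servers behind the proxy.
BACKENDS: Dict[str, Tuple[str, int]] = {
    "vnc.address.com": ("192.168.1.20", 5900),
    "vnc2.address.com": ("192.168.1.21", 5900),
}


def build_client_hello(server_name: str) -> bytes:
    """Minimal TLS 1.2 ClientHello (one cipher suite, one extension) used as
    constructed sample input; real clients send more, but the layout the
    parser walks is the same."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list       # extension server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                     # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                     # one cipher suite
            + b"\x01\x00" + exts)                                    # null compression, extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body        # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(data: bytes) -> Optional[str]:
    """Return the SNI host_name from the first bytes of a connection, or None
    if they are not a TLS ClientHello carrying one (plain VNC or SSH, a
    truncated or malformed record). Every bounds problem becomes None."""
    try:
        if data[0] != 0x16:                                          # not a handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        hs = data[5:5 + rec_len]
        if hs[0] != 0x01:                                            # not client_hello
            return None
        body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
        i = 2 + 32                                                   # client_version + random
        i += 1 + body[i]                                             # session_id
        i += 2 + struct.unpack("!H", body[i:i + 2])[0]               # cipher_suites
        i += 1 + body[i]                                             # compression_methods
        if i >= len(body):
            return None                                              # no extensions at all
        end = i + 2 + struct.unpack("!H", body[i:i + 2])[0]
        i += 2
        while i + 4 <= end:
            etype, elen = struct.unpack("!HH", body[i:i + 4])
            i += 4
            edata = body[i:i + elen]
            i += elen
            if etype != 0x0000:
                continue
            j = 2                                                    # skip server_name_list length
            while j + 3 <= len(edata):
                ntype = edata[j]
                nlen = struct.unpack("!H", edata[j + 1:j + 3])[0]
                j += 3
                if ntype == 0:
                    return edata[j:j + nlen].decode("ascii")
                j += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def route(first_bytes: bytes) -> Optional[Tuple[str, int]]:
    """Pick a backend by SNI. None means no route; a proxy should close the
    connection in that case rather than fall through to a default backend."""
    name = extract_sni(first_bytes)
    return BACKENDS.get(name) if name else None


if __name__ == "__main__":
    for sample in (build_client_hello("vnc2.address.com"), b"RFB 003.008\n"):
        print(extract_sni(sample), "->", route(sample))
```

Note that the routing decision is made on unencrypted, unauthenticated bytes: SNI is sent in clear and is chosen by the client, so it selects which backend sees the connection but proves nothing about who the client is. Authentication still has to happen on the backend (or on a TLS-terminating proxy), and an unknown name should map to a closed connection, as route() does, rather than to whichever backend happens to be the default.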
squirrellydw Posted February 21, 2017

So would anyone like to help me set up Let's Encrypt? I just can't figure it out. We could use TeamViewer. Thinking Thursday sometime if that would work for anyone. I live in the USA on the east coast. Just let me know ahead of time what information you might need so I can have it all ready to go. Feel free to PM if you want. Thanks