[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



I am new to Unraid and Docker (since one week).

 

I guess you mean the docker exec section which is displayed when installing or changing a docker within Unraid, and not the web-config section?

 

If yes, where can I find how the docker was started without modifying the docker?

 

I know, stupid questions... but I am learning.

1 minute ago, CHBMB said:

Either would do, but edit the container, make a change to a parameter, add and delete a space and click apply.  

 

haha, sometimes it is too simple...

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="none" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -e "EMAIL"="[email protected]" -e "URL"="my-domain.at" -e "SUBDOMAINS"="nextcloud,wordpress," -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -v "/mnt/user/appdata/letsencrypt":"/config":rw --network homenet --ip 192.168.1.250 linuxserver/letsencrypt
7febf75fc4495e72d6ab452387cd1c6fda9ebffb2f4bf23afdc89f1b1e8df271

 

13 minutes ago, ebnerjoh said:

Yes, this is clear. First I wanted to get wordpress working before going ahead with joomla.

 

The question is: How would the site-conf look like for Wordpress if the wordpress is in the "wordpress"-subdirectory of the www directory.

 

Br,

johannes

 

Create a new file called wordpress in appdata/letsencrypt/nginx/site-confs/, then just use a copy of default and change the server_name to wordpress.server.com. After that it should be the same as any other nginx install of WordPress.

 


No success at all.

 

I made now the following tests:

 

1) Copied default to wordpress and changed server_name and directory --> letsencrypt didn't start and I got the error message "duplicate default server"

2) Removed default and moved wordpress to default --> got at least somehow the wordpress page, but completely unformatted

3) Recovered the original default, took the recipe and saved it as wordpress. Changed server_name, directory and the CGI part (as this is different in the letsencrypt Docker). After accessing the site I am always getting the index.html from /config/www instead of /config/www/wordpress...

 

This is driving me crazy...


I have done this...

 

# Upstream to abstract backend connection(s) for php
upstream php {
        server unix:/tmp/php-cgi.socket;
        server 127.0.0.1:9000;
}

server {
        ## Your website name goes here.
        server_name wordpress.my-domain.at;
        ## Your only path reference.
        root /var/www/wordpress;
        ## This should be in your http block and if it is, it's not needed here.
        index index.php;

        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;

        location = /favicon.ico {
                log_not_found off;
                access_log off;
        }

        location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
        }

        location / {
                # This is cool because no php is touched for static content.
                # include the "?$args" part so non-default permalinks doesn't break when using query string
                try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
                #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
                #include fastcgi.conf;
                #fastcgi_intercept_errors on;
                #fastcgi_pass php;
                #fastcgi_split_path_info ^(.+\.php)(/.+)$;
                # With php7-cgi alone:
                fastcgi_pass 127.0.0.1:9000;
                # With php7-fpm:
                #fastcgi_pass unix:/var/run/php7-fpm.sock;
                fastcgi_index index.php;
                include /etc/nginx/fastcgi_params;

        }

        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
                expires max;
                log_not_found off;
        }
}

 


You can't just copy and paste the whole config.  You need to edit it to reflect your config.

 

WordPress isn't in the root, so location / is wrong.  You need something like this.

 

location /wordpress {
        try_files $uri $uri/ /wordpress/index.php?$args;
}

location ~ \.php$ {
        fastcgi_split_path_info ^(/wordpress)(/.*)$;
}

I know that it's possible to do as I've done so in the past.  And get rid of that initial php block.

Edited by CHBMB
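A complete site-conf for the subdirectory layout asked about above (WordPress unpacked to /config/www/wordpress and served at https://host/wordpress/), written here as an added example; it is not code from the thread or from the linuxserver.io project. It replaces the shipped `default` file rather than sitting beside it, because only one server block per port may carry `default_server` (that is the "duplicate default server" error reported earlier). It assumes the stock container layout: php-cgi listening on 127.0.0.1:9000, /etc/nginx/fastcgi_params supplying SCRIPT_FILENAME as the shipped default relies on, and the keys under /config/keys/letsencrypt. The long `ssl_ciphers` list is left out so nginx's own default (HIGH:!aNULL:!MD5) applies.

```nginx
# /config/nginx/site-confs/default   (added example; replaces the shipped file)
server {
        listen 443 ssl default_server;   # exactly one server block per port may say default_server
        server_name _;

        root /config/www;                # WordPress lives in /config/www/wordpress
        index index.html index.htm index.php;

        ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam         /config/nginx/dhparams.pem;
        ssl_prefer_server_ciphers on;

        # nginx side of the upload cap; PHP's upload_max_filesize and
        # post_max_size (2M by default) in php.ini gate uploads as well
        client_max_body_size 64m;

        location / {
                try_files $uri $uri/ =404;
        }

        # Pretty permalinks: anything under /wordpress/ that is not a real file
        # or directory is handed to /wordpress/index.php, query string preserved.
        location /wordpress/ {
                try_files $uri $uri/ /wordpress/index.php?$args;
        }

        location ~ \.php$ {
                # Refuse /uploads/image.jpg/x.php style requests before they reach
                # PHP: with cgi.fix_pathinfo=1 that would run an uploaded image as PHP.
                try_files $uri =404;
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                include /etc/nginx/fastcgi_params;
        }

        # Never serve the database credentials or Apache control files,
        # even if the PHP handler is misconfigured at some point.
        location = /wordpress/wp-config.php { deny all; }
        location ~ /\.ht { deny all; }
}
```

Check it with `nginx -t` inside the container before restarting; the `try_files $uri =404` line in the PHP block means PATH_INFO style URLs (/index.php/foo) are refused, which WordPress with pretty permalinks does not need.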

If you're serving a few different subdomains, you may even want to change the

root /config/www to something like
root /config/www/default

root /config/www/wordpress
root /config/www/joomla

to avoid confusion between the directories, and alter your directory structure accordingly.


Hi,

 

This is my default "default" file:

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
#server {
#       listen 80;
#       server_name _;
#       return 301 https://$host$request_uri;
#}

# main server block
server {
        listen 443 ssl default_server;

        root /config/www;
        index index.html index.htm index.php;

        server_name _;

        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;

        client_max_body_size 0;

        location / {
                try_files $uri $uri/ /index.html /index.php?$args =404;
        }

        location ~ \.php$ {
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                # With php7-cgi alone:
                fastcgi_pass 127.0.0.1:9000;
                # With php7-fpm:
                #fastcgi_pass unix:/var/run/php7-fpm.sock;
                fastcgi_index index.php;
                include /etc/nginx/fastcgi_params;
        }

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#       location ^~ /cp {
#               auth_basic "Restricted";
#               auth_basic_user_file /config/nginx/.htpasswd;
#               include /config/nginx/proxy.conf;
#               proxy_pass http://192.168.1.50:5050/cp;
#       }

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#       listen 443 ssl;
#
#       root /config/www;
#       index index.html index.htm index.php;
#
#       server_name cp.*;
#
#       ssl_certificate /config/keys/letsencrypt/fullchain.pem;
#       ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
#       ssl_dhparam /config/nginx/dhparams.pem;
#       ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
#       ssl_prefer_server_ciphers on;
#
#       client_max_body_size 0;
#
#       location / {
#               auth_basic "Restricted";
#               auth_basic_user_file /config/nginx/.htpasswd;
#               include /config/nginx/proxy.conf;
#               proxy_pass http://192.168.1.50:5050;
#       }
#}

 

Here is now my updated "wordpress" file:

server {
        ## Your website name goes here.
        server_name wordpress.my-domain.at;
        ## Your only path reference.
        root /var/www/wordpress;
        ## This should be in your http block and if it is, it's not needed here.
        index index.php;

        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;

        location = /favicon.ico {
                log_not_found off;
                access_log off;
        }

        location = /robots.txt {
                allow all;
                log_not_found off;
                access_log off;
        }

        location /wordpress {
                # This is cool because no php is touched for static content.
                # include the "?$args" part so non-default permalinks doesn't break when using query string
                try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
                #NOTE: You should have "cgi.fix_pathinfo = 0;" in php.ini
                #include fastcgi.conf;
                #fastcgi_intercept_errors on;
                #fastcgi_pass php;
                #fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_split_path_info ^(/wordpress)(/.*)$;
                # With php7-cgi alone:
                fastcgi_pass 127.0.0.1:9000;
                # With php7-fpm:
                #fastcgi_pass unix:/var/run/php7-fpm.sock;
                fastcgi_index index.php;
                include /etc/nginx/fastcgi_params;

        }

        location ~* \.(js|css|png|jpg|jpeg|gif|ico)$ {
                expires max;
                log_not_found off;
        }
}

 

Still getting connected to the default index.html.


Call this file wordpress....

 

server {
        listen 80;
        server_name wordpress.server.com;
        # keep the requested host, otherwise the subdomain is lost on redirect
        return 301 https://$host$request_uri;
}

server {

        listen 443 ssl;
        server_name wordpress.server.com;

        add_header Front-End-Https on;

        # root already points at the WordPress directory
        root /config/www/wordpress;
        index index.html index.htm index.php;

        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;

        location / {
                # root is the WordPress directory, so the fallback is /index.php, not /wordpress/index.php
                try_files $uri $uri/ /index.php?$args;
        }

        # one PHP location only; a second "location ~ \.php$" in the same
        # server block makes nginx refuse the config with "duplicate location"
        location ~ \.php$ {
                try_files $uri =404;   # stop /image.jpg/x.php from being run as PHP
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                # With php7-cgi alone:
                fastcgi_pass 127.0.0.1:9000;
                # With php7-fpm:
                #fastcgi_pass unix:/var/run/php7-fpm.sock;
                fastcgi_index index.php;
                include /etc/nginx/fastcgi_params;
        }
}

Easy.....

Edited by CHBMB

Hi,

 

Ok, one step ahead.

 

I can access the website now, but it is not correctly formatted.

It seems that without SSL everything is correctly formatted, but with SSL it is not...

 

I will send you the real link per PM. Maybe you have an idea?

 

Br,

Johannes

1 hour ago, ebnerjoh said:

Many, many thanks again!

 

One last question: I tried to do a media upload in WordPress. It tells me that there is a 2 MB upload limit.

I guess this is set somewhere in nginx?

 

Br,

Johannes

 

 

In addition to my "upload_max_filesize" question I have now another question:

 

I want to run phpMyAdmin on my nginx instance as well, to configure my MySQL DB. This website shouldn't be exposed to the public network.

If I store phpmyadmin to /config/www/phpmyadmin can I access it then via "https://internal-ip/phpmyadmin"? 

As it is internal I do not care about the certificate.

 

I guess this is working with "location" but to be honest, I still do not understand the concept of nginx.

 

I tried to add the following to my default site-conf:

 

        location /phpmyadmin {
                root /config/www/phpmyadmin;
                try_files $uri $uri/ /index.html /index.php?$args =404;
        }

but then I get the default page.

 

Br,

Johannes

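Why the attempt above lands on the default page: a `root` inside `location /phpmyadmin` is prepended to the whole request URI, so /phpmyadmin/index.php resolves to /config/www/phpmyadmin/phpmyadmin/index.php, which does not exist, and the `/index.html` entry in try_files then serves the welcome page. The server's root is already /config/www, so no root or alias is needed. The security point matters more: a plain prefix location cannot protect PHP files at all, because the server-level `location ~ \.php$` regex is chosen for /phpmyadmin/anything.php and any allow/deny in the prefix location is never consulted. The block below is an added example, not from the thread or the linuxserver.io project; it assumes phpMyAdmin is unpacked to /config/www/phpmyadmin, the LAN is 192.168.1.0/24 (taken from the container's 192.168.1.250 address earlier in the thread), and php-cgi on 127.0.0.1:9000 as in the shipped default.

```nginx
# Added example: goes inside the main server block of
# /config/nginx/site-confs/default, next to the existing "location /".

# WEAK (what the post above tried): wrong path, and no access control; even with
# allow/deny added, the server-level "location ~ \.php$" would still serve
# /phpmyadmin/index.php to the whole Internet.
#location /phpmyadmin {
#        root /config/www/phpmyadmin;
#        try_files $uri $uri/ /index.html /index.php?$args =404;
#}

# CORRECTED: "^~" tells nginx to stop at this prefix match and not consider
# regex locations, so the nested PHP handler below is the only one that can
# ever run phpMyAdmin's scripts, and it inherits the allow/deny.
location ^~ /phpmyadmin/ {
        allow 192.168.1.0/24;    # LAN only (assumed range); $remote_addr must be the
        deny  all;               # real client, so no reverse proxy in front of nginx

        index index.php;
        try_files $uri $uri/ =404;

        location ~ \.php$ {
                try_files $uri =404;                 # no /x.jpg/y.php tricks
                fastcgi_split_path_info ^(.+\.php)(/.+)$;
                fastcgi_pass 127.0.0.1:9000;
                fastcgi_index index.php;
                include /etc/nginx/fastcgi_params;
        }
}
```

Open https://internal-ip/phpmyadmin/ with the trailing slash; a client outside the allowed range gets 403 for every path under it, including the .php files, which is the property worth checking with curl from a non-LAN address before relying on it.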
12 hours ago, ebnerjoh said:

Many, many thanks again!

 

One last question: I tried to do a media upload in WordPress. It tells me that there is a 2 MB upload limit.

I guess this is set somewhere in nginx?

 

Br,

Johannes

 

Not sure, you sure it's not a setting in WP?


Still having trouble with this.

THESE are my current domain settings.  I've tried having both 'www' and '@' before .mydomain.com and still nothing.

This is my default config:

server {
    listen 443 ssl;
    
    root /config/www/unifi;
    index index.html index.htm index.php;
    
    server_name unifi.*;
    
    ssl_certificate LOCATION_REDACTED;    
    ssl_certificate_key LOCATION_REDACTED;    
    ssl_dhparam LOCATION_REDACTED;    
    ssl_ciphers 'CIPHER_REDACTED';    
    ssl_prefer_server_ciphers on; 
    
    client_max_body_size 0;
    
    location = / {
        include /config/nginx/proxy.conf;
        proxy_pass https://192.168.2.100:8443/manage/account/login;
    }
}


EDIT:

So I added the CNAME records for www + unifi and pointed them to @.  I then pulled up http://unifi.mydomain.com/ on my Mac and got nothing.  I tried my phone on wifi and it timed out.  I tried my phone on 4G and am getting THIS:

Outdated Browser
You are using an outdated browser. Please upgrade your browser to improve your experience.

{{toast.message}}

Partial success, as it's prompting to open the unifi app.... now how do I get it to work?

Edited by poldim

Thanks for all of the work here.  I've got nextcloud/letsencrypt working with duckdns, which I wouldn't have tried without the support here and tutorials.  One annoyance - is there an easy way to get unset urls (https://mydomain.duckdns.org/random_garbage) to map to 404 instead of the default "Welcome to our server?"

 

Google searches for 404 and "welcome to our server" don't help...

Thanks for all of the work here.  I've got nextcloud/letsencrypt working with duckdns, which I wouldn't have tried without the support here and tutorials.  One annoyance - is there an easy way to get unset urls (https://mydomain.duckdns.org/random_garbage) to map to 404 instead of the default "Welcome to our server?"
 
Google searches for 404 and "welcome to our server" don't help...


Google nginx 404 redirect
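The "Welcome to our server" page comes from the `/index.html` fallback in the shipped default's `try_files $uri $uri/ /index.html /index.php?$args =404;`: every path that is not a real file or directory is rewritten to /index.html before the trailing `=404` can ever apply. The block below is an added example, not from the thread or the linuxserver.io project; the first part is the one-line change inside the main server block of /config/nginx/site-confs/default, and the second goes a step further than the question by giving unknown hostnames (scanners hitting the bare IP, random Host headers) no page at all. It assumes the main block can carry a concrete `server_name mydomain.duckdns.org;` once `default_server` is moved off it.

```nginx
# Added example. Part 1: inside the existing main server block, replace
#       try_files $uri $uri/ /index.html /index.php?$args =404;
# with a lookup that stops at the filesystem, so /random_garbage is a 404.
location / {
        try_files $uri $uri/ =404;
}

# Part 2 (optional): a separate catch-all block. Give the main block
# "server_name mydomain.duckdns.org;" and remove default_server from it,
# so only requests for names you actually serve reach your content.
server {
        listen 443 ssl default_server;
        server_name _;

        ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

        return 444;   # close the connection without sending a response
}
```

After `nginx -t` passes and the container is restarted, `curl -k https://mydomain.duckdns.org/random_garbage` should return 404 and `curl -k https://<ip>/` should get an empty reply.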
