[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



I do have that, pfSense does it for me. I can do an nslookup from outside my home network and it will reply with the correct IP. But when the docker runs it just says no valid IP for my Google Domains.

If you need help setting this up with Google Domains let me know. I just switched my domains to Google and it took me about a day to figure things out. All good now though.

7 hours ago, jrdnlc said:

If you need help setting this up with Google Domains let me know. I just switched my domains to Google and it took me about a day to figure things out. All good now though.

 

Sure, send me the info, I like to use the domain I paid for.

 

7 hours ago, jrdnlc said:

If you need help setting this up with Google Domains let me know. I just switched my domains to Google and it took me about a day to figure things out. All good now though.

Thanks!  I'm going to try what ijuarez suggested, but I think it should all be pretty automated right?  I mean, I run a ddclient docker to update my google domain with my current IP.  Then the letsencrypt docker should reference that domain and be good to go.  Right now I'd have to do it manually every time the IP changes.  Appreciate seeing how you managed it!

2 hours ago, ChaOConnor said:

Thanks!  I'm going to try what ijuarez suggested, but I think it should all be pretty automated right?  I mean, I run a ddclient docker to update my google domain with my current IP.  Then the letsencrypt docker should reference that domain and be good to go.  Right now I'd have to do it manually every time the IP changes.  Appreciate seeing how you managed it!

 

I don't use the ddclient docker. I use my router's dynamic DNS service to update my IP. Let me know how that goes. Feel free to message me.


Thanks to aptalca for the link; it took me several reads to understand how he set it up, but I finally got it. No IP needed.

On Google Domains, select the domain you want to use, select DNS, and create a dynamic DNS entry for your domain.

Use the @ for whatever your domain is and add it.

Then create a CNAME record:

www CNAME 1H yourdomain.com, then add it.

For Dynamic DNS, set up whatever you want (router, ddclient, whatever) and use the new creds for the dynamic DNS.

Run the docker and boom, it's good.

On 7/4/2017 at 1:12 PM, Ezro said:

Does anyone know how to get this to work with the gitlab docker? (https://forums.lime-technology.com/topic/48653-support-gitlab-ce/)

 

I set my letsencrypt\nginx\site-confs to the following


  location /gitlab {
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.1.207:9080/gitlab;
  }

 

When I go to my server.duckdns.org/gitlab, I get a '404 not found' error.

 

Anyone have an idea how to fix this?

 

Sorry to bump, but I'm still having issues with Gitlab routing.

 

Also, I tried getting Nextcloud to work using this guide, and when I try to access https://192.168.1.207:444 I receive an "Insecure Connection" error. When I try to access server.duckdns.org/nextcloud/ I get a 502 bad gateway.

 

Does anyone know what I should look at in order to fix the Nextcloud routing?


I want to restart nginx without restarting the whole docker, preferably by using

docker exec letsencrypt nginx -s reload

But all i get is 

nginx: [error] open() "/run/nginx/nginx.pid" failed (2: No such file or directory)

Is there any easy fix i can do on my end?

I want to restart nginx without restarting the whole docker, preferably by using
docker exec letsencrypt nginx -s reload

But all i get is 

nginx: [error] open() "/run/nginx/nginx.pid" failed (2: No such file or directory)

Is there any easy fix i can do on my end?



s6-svc -h /var/run/s6/services/nginx

All,

First of all ThanX! I have been watching this thread for a while. It has helped me get letsencrypt/nginx running on my (Unraid) server with no real issues till now. I have a working nextcloud config and I can get to my index page (which I have modified slightly just so I know it's mine) and can get my instance of couch potato running on my server. So now I am having issues with getting a rev proxy to my instance of home-assistant; I followed a thread bit from Feb 17 about this but have tried the included config file with no success. So just looking for a little help. So here is what I have also done: copied my working nextcloud file and changed it accordingly, added the necessary stuff to the ha config file.

 

Now what I get is "502 Bad Gateway" when I go to https://subdomain.my_server.com

 

Here is a portion from the error log file:

2017/07/10 14:47:06 [error] 347#347: *1 SSL_do_handshake() failed (SSL: error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number) while SSL handshaking to upstream, client: ISP, server: SUBDOMAIN.myserver.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://0.0.0.0:port/favicon.ico", host: "SUBDOMAIN.myserver.com", referrer: "https://SUBDOMAIN.myserver.com/"

 

And here is the "site-confs" file (just the one that seems to be the issue):

# This is the virtual host part that allows a subdomain include

server {  
    listen 443 ssl;
    server_name subdomain.my_server.com;

    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'there is really a key here';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://0.0.0.0:port/;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}

 

Hopefully I didn't redact too much info for it to make sense, but here it is. I am sure it is something that I missed, so I would appreciate some extra eyes.

 

ThanX in advance 

Mikey

19 hours ago, mikeyw said:

All,

First of all ThanX! I have been watching this thread for a while. It has helped me get letsencrypt/nginx running on my (Unraid) server with no real issues till now. I have a working nextcloud config and I can get to my index page (which I have modified slightly just so I know it's mine) and can get my instance of couch potato running on my server. So now I am having issues with getting a rev proxy to my instance of home-assistant; I followed a thread bit from Feb 17 about this but have tried the included config file with no success. So just looking for a little help. So here is what I have also done: copied my working nextcloud file and changed it accordingly, added the necessary stuff to the ha config file.

 

Now what I get is "502 Bad Gateway" when I go to https://subdomain.my_server.com

 

Here is a portion from the error log file:


2017/07/10 14:47:06 [error] 347#347: *1 SSL_do_handshake() failed (SSL: error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number) while SSL handshaking to upstream, client: ISP, server: SUBDOMAIN.myserver.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://0.0.0.0:port/favicon.ico", host: "SUBDOMAIN.myserver.com", referrer: "https://SUBDOMAIN.myserver.com/"

 

And here is the "site-confs" file (just the one that seems to be the issue):


# This is the virtual host part that allows a subdomain include

server {  
    listen 443 ssl;
    server_name subdomain.my_server.com;

    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'there is really a key here';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://0.0.0.0:port/;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}

 

Hopefully I didn't redact too much info for it to make sense, but here it is. I am sure it is something that I missed, so I would appreciate some extra eyes.

 

ThanX in advance 

Mikey

 

A couple of things I noticed...

I am not sure if 0.0.0.0 is the real IP you are trying to reverse proxy or if that's your redaction. If the former, that is incorrect. 0.0.0.0 in net=bridge will refer only to the letsencrypt container, not the host and not other containers. You can use the server IP to connect to a different container.

 

Also, you are trying to reverse proxy an https page. That is likely the reason you are getting the ssl handshake error (or a combination with a nonexistent service on 0.0.0.0 as referenced above). Try to use an http address for the reverse proxy.

Edited by aptalca
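A small linter for the two mistakes aptalca points out above (a proxy_pass aimed at 0.0.0.0 or localhost from inside a bridge-networked container, and an https upstream that probably speaks plain HTTP), written as an added example that is not part of this thread or the linuxserver.io container. The sample config is constructed from the posted site-conf, with `port` standing in for the redacted upstream port.

```python
import re

# Inside a bridge-networked container these names resolve to the container
# itself, never to the Docker host or to a sibling container.
SELF_ADDRESSES = {"0.0.0.0", "127.0.0.1", "localhost"}

# Matches "proxy_pass http(s)://host[:port]..."; a directive that passes a
# variable (proxy_pass $proxy_url;) has no literal scheme and is skipped.
PROXY_PASS_RE = re.compile(r"\bproxy_pass\s+(https?)://([^/:;\s]+)")

MESSAGES = {
    "self-address": "0.0.0.0/localhost is the container itself under net=bridge",
    "https-upstream": "https upstream; if the backend is plain HTTP use http://",
}

def lint_site_conf(text):
    """Return sorted (line_no, code) pairs for suspicious proxy_pass targets."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith("#"):  # ignore commented-out directives
            continue
        m = PROXY_PASS_RE.search(stripped)
        if not m:
            continue
        scheme, host = m.groups()
        if host in SELF_ADDRESSES:
            findings.append((line_no, "self-address"))
        if scheme == "https":
            findings.append((line_no, "https-upstream"))
    return sorted(findings)

# Constructed sample condensed from the posted site-conf; "port" stands in
# for the redacted upstream port and the /gitlab block is the earlier post's.
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    location / {
        proxy_pass https://0.0.0.0:port/;
    }
    location /gitlab {
        proxy_pass http://192.168.1.207:9080/gitlab;
    }
}
"""

if __name__ == "__main__":
    for line_no, code in lint_site_conf(SAMPLE_CONF):
        print(f"line {line_no}: {MESSAGES[code]}")
```

Run it against a file under site-confs to see which proxy_pass lines match the symptoms described in the post; the /gitlab block passes both checks, so it reports nothing.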
15 hours ago, mattekure said:

I just read that LetsEncrypt recently announced that starting in Jan 2018, they will offer wildcard certificates for free, so you could have one for all the subdomains.

 

https://arstechnica.com/information-technology/2017/07/lets-encrypt-to-start-offering-free-wildcard-certificates-for-https/

 

DNS challenge only :|

 

https://community.letsencrypt.org/t/wildcard-certificates-coming-january-2018/37567/8


I just switched back to unRAID, and am working on getting the LE+Nginx docker setup. Nginx starts, but the logs are constantly being populated with the following:

2017/07/11 16:25:04 [emerg] 366#366: bind() to 0.0.0.0:82 failed (98: Address in use)
2017/07/11 16:25:04 [emerg] 366#366: bind() to 0.0.0.0:444 failed (98: Address in use)

No matter what I put the port to in the docker config, or in the nginx.conf, these errors just stream across with the port I specified. Nothing is using those ports except for nginx. I'm able to access most of the proxy_pass (except plex, working on that too), but within just a few minutes, my error.log is growing huge. Anyone come across this before?

I just switched back to unRAID, and am working on getting the LE+Nginx docker setup. Nginx starts, but the logs are constantly being populated with the following:
2017/07/11 16:25:04 [emerg] 366#366: bind() to 0.0.0.0:82 failed (98: Address in use)
2017/07/11 16:25:04 [emerg] 366#366: bind() to 0.0.0.0:444 failed (98: Address in use)

No matter what I put the port to in the docker config, or in the nginx.conf, these errors just stream across with the port I specified. Nothing is using those ports except for nginx. I'm able to access most of the proxy_pass (except plex, working on that too), but within just a few minutes, my error.log is growing huge. Anyone come across this before?



I suspect you highly modified the nginx.conf and perhaps removed the "daemon off" setting, so it's trying to launch a second instance unsuccessfully.

Did you by any chance copy your nginx settings over from another install? If so, go back to defaults by deleting them and restarting the container. Then modify the defaults as needed.

If that doesn't work, post your container settings along with nginx and site configs and we'll take a look.
1 hour ago, aptalca said:

 


I suspect you highly modified the nginx.conf and perhaps removed the "daemon off" setting, so it's trying to launch a second instance unsuccessfully.

Did you by any chance copy your nginx settings over from another install? If so, go back to defaults by deleting them and restarting the container. Then modify the defaults as needed.

If that doesn't work, post your container settings along with nginx and site configs and we'll take a look.

 

 

Should I not be editing the nginx.conf then? Just put my config in the site-confs/default? I use a subdomain map for my proxy pass, with some nifty logic that has worked on other boxes, e.g.:

 

map $subdomain $proxy_url {
    pr      "http://192.168.1.103:3000";
    py      "http://192.168.1.103:8181";
    cp      "http://192.168.1.103:5050";
    pms     "http://192.168.1.103:32400";
    nzb     "http://192.168.1.103:6789";
    down    "http://192.168.1.103:9091";
}

if ($host ~* ^([a-z0-9-\.]+)\.mydomain.tld$) {
    set $subdomain $1;
}

location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

    if ($subdomain) {
        proxy_pass $proxy_url;
    }
}

if ($subdomain = "pms") {
    rewrite ^/$ $1/web;
}

if ($subdomain = "down") {
    rewrite ^/$ $1/transmission;
}

This has worked on other servers no problem, although I'm not used to running things in a docker, and haven't used unRAID in almost a year.

Edited by sethrd

You can edit the nginx.conf, but don't overwrite it with a config from another server or you'll break it. The nginx package from the Ubuntu repo has very different defaults than this container, which is Alpine based and uses s6 as the supervisor.

What you posted is just a snippet of the site config. And not related to the error you're getting.
