[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



11 minutes ago, aptalca said:

 

I don't experience it. 

Please post your container settings and we'll take a look

 

Thanks!

 

Network Type: bridge

Privileged: on

http: 81

https: 444

email: registered email address for DuckDNS

Domain Name: duckdns.org

Subdomain(s): test

Only Subdomains: true

Diffie-Hellman: 2048

AppData Config Path: /mnt/user/appdata/letsencrypt

PUID: 99

PGID: 100

 

All ports are being forwarded correctly, and the DuckDNS docker is set up correctly as well.

2 hours ago, jamesp469 said:

 

Thanks!

 

Network Type: bridge

Privileged: on

http: 81

https: 444

email: registered email address for DuckDNS

Domain Name: duckdns.org

Subdomain(s): test

Only Subdomains: true

Diffie-Hellman: 2048

AppData Config Path: /mnt/user/appdata/letsencrypt

PUID: 99

PGID: 100

 

All ports are being forwarded correctly, and the DuckDNS docker is set up correctly as well.

 

Try restarting the container (not reinstall). There is an intermittent bug that pops up every once in a while on first boot, but works on a reboot. If that doesn't work, post the full container log

On 7/21/2017 at 1:05 PM, aptalca said:

 

Try restarting the container (not reinstall). There is an intermittent bug that pops up every once in a while on first boot, but works on a reboot. If that doesn't work, post the full container log

 

This didn't work initially, but I just recently updated the container and now have the following in my letsencrypt log file:

 

<------------------------------------------------->

<------------------------------------------------->
cronjob running on Tue Jul 25 02:08:00 PDT 2017
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/box3.duckdns.org.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/box3.duckdns.org/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.

I'm also getting the following readout in the nginx error log file (real IP address hidden):

2017/07/23 18:41:23 [crit] 742#742: *663 SSL_do_handshake() failed (SSL: error:14037085:SSL routines:ACCEPT_SR_KEY_EXCH:ccs received early) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443

 


This didn't work initially, but I just recently updated the container and now have the following in my letsencrypt log file:

<------------------------------------------------->
<------------------------------------------------->
cronjob running on Tue Jul 25 02:08:00 PDT 2017
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/box3.duckdns.org.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/box3.duckdns.org/fullchain.pem (skipped)
No renewals were attempted.
No hooks were run.

I'm also getting the following readout in the nginx error log file (real IP address hidden):

2017/07/23 18:41:23 [crit] 742#742: *663 SSL_do_handshake() failed (SSL: error:14037085:SSL routines:ACCEPT_SR_KEY_EXCH:ccs received early) while SSL handshaking, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443

 

I don't understand what the issue is. The certs are there, and the nightly renewal script is running successfully. So the container is running fine.

The nginx error log has to do with a client that tried to access your site. It could be an issue on their end or an issue with your site config or contents. I have no information to determine that.
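To tell a single client-side glitch apart from a source that keeps failing against the server, it helps to look at handshake failures per client rather than one line at a time. The parser below is an added example, not code from the thread or from the SWAG project; it works on constructed nginx error-log lines (documentation-range IPs) shaped like the one quoted above and reports how many TLS handshake failures each client produced and with which OpenSSL reasons.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in nginx error-log format (not taken from the thread;
# the first two mirror the structure of the "ccs received early" line quoted above).
SAMPLE_LOG = """\
2017/07/23 18:41:23 [crit] 742#742: *663 SSL_do_handshake() failed (SSL: error:14037085:SSL routines:ACCEPT_SR_KEY_EXCH:ccs received early) while SSL handshaking, client: 203.0.113.5, server: 0.0.0.0:443
2017/07/23 18:41:24 [crit] 742#742: *664 SSL_do_handshake() failed (SSL: error:14037085:SSL routines:ACCEPT_SR_KEY_EXCH:ccs received early) while SSL handshaking, client: 203.0.113.5, server: 0.0.0.0:443
2017/07/23 18:42:01 [error] 742#742: *670 open() "/config/www/favicon.ico" failed (2: No such file or directory), client: 198.51.100.7, server: _, request: "GET /favicon.ico HTTP/1.1"
2017/07/23 18:43:10 [crit] 742#742: *671 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking, client: 203.0.113.5, server: 0.0.0.0:443
"""

# nginx error-log layout: timestamp [level] pid#tid: *conn message, followed by
# optional ", client: ...", ", server: ..." and ", request: "..."" fields.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) \[(?P<level>\w+)\] \d+#\d+: \*\d+ (?P<msg>.*?)'
    r'(?:, client: (?P<client>[0-9a-fA-F.:]+))?(?:, server: (?P<server>\S+))?'
    r'(?:, request: "(?P<request>[^"]*)")?$'
)
# The OpenSSL part of a failed handshake: error code, routine and reason text.
SSL_RE = re.compile(
    r'SSL_do_handshake\(\) failed \(SSL: error:[0-9A-Fa-f]+:'
    r'SSL routines:(?P<routine>[^:]+):(?P<reason>[^)]+)\)'
)

def parse_line(line):
    """Fields of one error-log line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    ssl = SSL_RE.search(rec["msg"])
    rec["ssl_reason"] = ssl.group("reason") if ssl else None
    return rec

def ssl_failures_by_client(log_text):
    """Count TLS handshake failures per client IP and collect the distinct reasons."""
    counts, reasons = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["ssl_reason"] and rec["client"]:
            counts[rec["client"]] += 1
            reasons[rec["client"]].add(rec["ssl_reason"])
    return counts, reasons

def noisy_clients(log_text, threshold=3):
    """Clients at or above the threshold; repeated failures from one source point at
    that client (a scanner or a broken TLS stack), not at the server configuration."""
    counts, _ = ssl_failures_by_client(log_text)
    return sorted(ip for ip, n in counts.items() if n >= threshold)
```

Run it against the container's /config/log/nginx/error.log to see whether the "ccs received early" entries come from one address or many; one-off entries spread across clients are the client-side noise aptalca describes, while the same failure from every client points back at the site configuration.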

I'm getting this error on Fix Common Problems:

Template URL for docker application letsencrypt is not the same as what the template author specified.

The template URL the author specified is https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/letsencrypt.xml. The template can be updated automatically with the correct URL.

Applying the fix doesn't fix it.

Does anyone know how to fix it? Thanks in advance.


Hi, 

 

Hoping someone can help me with regards to an ssl certificate problem I seem to have when using this docker to get certified. 

 

I used this docker to generate an SSL certificate for my DuckDNS address and everything went as planned. Even when I use various SSL certificate checking websites, they all show that the link is secure.

 

However, when I access my home through VPN using Chrome, the green padlock does not show and I'm left with an information icon in Chrome, which shows I may be at risk.

 

Does anyone know how I can resolve this issue? 

 

FYI, the domain address for me is [email protected] 

 

Can I also add that when I try to access Unraid locally at home, I don't get a 'green padlock' then either. I figure that doesn't matter since I'm at home locally, but I would love to have that special 'green padlock' when I try to access from elsewhere.

 

Thanks a lot for the help :)


That's the thing. I don't know how to get it to go to https:// on the docker install page of letsencrypt. 

 

I've attached my settings with this post. 

 

Of course, when I try to go to https:\\192. bla bla when connected to the VPN that page doesn't load. 

 

But when I type in just the IP of my server, it goes to it just fine (but at the cost of not being secure)

letsencrypt setup.PNG

42 minutes ago, CHBMB said:

I don't think you really understand what this does.  It installs an externally facing nginx webserver with certs from letsencrypt.

 

It's got nothing to do with local ip addresses like 192.168.... 

 

 

I used this video posted by a popular member on this forum to set up a VPN to my home network so I can connect to Unraid.

For the latter half of the video, because I do not have my own domain name, I used DuckDNS and Let's Encrypt to create an SSL certificate. The docker did the job fine for what I needed it to do; I just needed advice on how to get the green lock when accessing my server from outside home.... I hope that makes sense :)

Edited by entourage2111
1 minute ago, CHBMB said:

Ok, so that's not an issue with LE, you need to copy the certs to wherever you want and then specify that location in your VPN.

 

I actually have done that and according to every cert checking website, the domain hamza219421.duckdns.org has a fully verified SSL certificate. Problem is, when I try to VPN into the server though, I still don't get the green lock despite the certificate being verified by every website I check. 


Then you don't have it set up right, but I've got no idea what you've done or what you're using, and it's more of an issue for the VPN than this container.

 

But without knowing what VPN you're using or how the hell you set it up, couldn't say.

 
I actually have done that and according to every cert checking website, the domain hamza219421.duckdns.org has a fully verified SSL certificate. Problem is, when I try to VPN into the server though, I still don't get the green lock despite the certificate being verified by every website I check. 

I don't quite understand where you expect to see the padlock icon in vpn.

Your server is set up at the address: https://hamza219421.duckdns.org
That is the address the cert checking websites are checking. That has nothing to do with vpn. Just go to that address in your browser while you're away from home and you'll see your website and the green padlock. If you want to access other services through that address, you'll have to set them up through reverse proxy. There is plenty of info on that in this thread.

Hi Guys, 


This is my nginx/letsencrypt site-conf default. I am trying to get Ombi remotely accessible using the letsencrypt certificate. I have DuckDNS working properly with the default nginx page. I would like to craft a custom page with a link to the Ombi service (running locally at 192.168.1.225 and working fine).

 

Here is the modified config; any tweaks would be greatly appreciated as well.

 

Thanks in advance!

upstream backend {
    # netdata instance; address as given in the post
    server 192.168.1.255:19999;
    keepalive 64;
}
server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;
    server_name _;
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    client_max_body_size 0;

    # Ombi (Plex media request), running locally at 192.168.1.225:3579 as stated
    # above. The posted config had 192.168.2.255 here, which does not match that
    # address. proxy_pass carries no URI part, so /ombi/... is forwarded unchanged
    # and Ombi must be configured with /ombi as its base URL.
    location /ombi {
        proxy_pass http://192.168.1.225:3579;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # netdata: capture everything after /netdata/ and pass it to the upstream
    location ~ /netdata/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend/$ndpath$is_args$args;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}

 

Edited by riopgtmn
