[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



59 minutes ago, CHBMB said:

AFAIK only port 443 is required

Sent from my LG-H815 using Tapatalk
 

Ok. I know this is beyond the scope of support for this docker, so any help would be appreciated.

 

I have a domain with Namecheap and an A record pointing to my IP address. Would having a URL redirect record to https://mydomain.com suffice? Reason I'm asking is because I'm getting a "connection refused" error, and even though my ISP blocks port 80, I thought redirecting to https would force port 443 (which is open on my server).

Link to comment
On 6/19/2017 at 3:40 PM, poldim said:

 

 

I discovered that my problem was appending the URL with the final destination, i.e.:


proxy_pass https://192.168.2.100:32400/web/index.html;

does not work, but removing  "/web/index.html" makes it happy:


proxy_pass https://192.168.2.100:8443;

 

 

I've now got access to both my UniFi and Plex interfaces on my phone while on 4G. BUT, I'm still unable to connect while connected to the WiFi in the house.

 

Are there some kind of additional settings in nginx to allow it to route the connection between VLANs?  My wifi is on a separate VLAN but I have no issues hitting the direct IP of the interfaces.  When trying to access the subdomain.domain.com I get the following error:  ERR_EMPTY_RESPONSE or ERR_CONNECTION_TIMED_OUT

 

How did you get UniFi to pass? I've tried with no luck. Same with PlexPy.

 

upstream backend {
	# netdata; keepalive lets nginx reuse upstream connections (requires proxy_http_version 1.1)
	server 10.1.40.6:19999;
	keepalive 64;
}

server {
	listen 443 ssl default_server;
	# Plain HTTP is served with the same locations below and nothing redirects it to HTTPS,
	# so every proxied app is also reachable unencrypted on port 80.
	listen 80 default_server;
	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	# Legacy compatibility list: it still admits 3DES (DES-CBC3-SHA), CBC/SHA-1 suites and
	# non-forward-secret RSA key exchange (AES128-SHA etc.). Unless an old client genuinely
	# needs them, trim this to the ECDHE + AES-GCM suites at the front of the list.
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

	location = / {
		return 301 /plex;
	}

	location /sonarr {
		include /config/nginx/proxy.conf;
		proxy_pass http://10.1.40.6:8989/sonarr;
	}
	
	location /unifi {
		include /config/nginx/proxy.conf;
		# The UniFi controller only speaks TLS on 8443, so the upstream scheme has to be
		# https; proxying http:// to that port is one reason this location never "passes".
		# The controller also expects to live at the site root, which makes subfolder
		# proxying fragile; a dedicated subdomain server block is the usual answer.
		proxy_pass https://10.1.40.6:8443;
	}

	location /sabnzb {
		include /config/nginx/proxy.conf;
		proxy_pass http://10.1.40.6:8082/sabnzb;
	}

	
	location /downloads {
		include /config/nginx/proxy.conf;
		proxy_pass  http://10.1.40.6:8112/;
		proxy_set_header  X-Deluge-Base "/downloads/";
	}
	
	#PLEX
	location /web {
		# serve the CSS code
		# no proxy.conf here, so none of the forwarded headers it sets reach Plex
		proxy_pass http://10.1.40.6:32400;
	}

	# Main /plex rewrite
	location /plex {
		# proxy request to plex server; the matched /plex prefix is replaced by /web upstream
		proxy_pass http://10.1.40.6:32400/web;
	}

	location /plexpy {
		include /config/nginx/proxy.conf;
		# only correct if HTTPS was enabled in PlexPy's own settings; its default is plain http on 8181
		proxy_pass https://10.1.40.6:8181;
	}
	
	location ~ /netdata/(?<ndpath>.*) {
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass http://backend/$ndpath$is_args$args;
		proxy_http_version 1.1;
		proxy_pass_request_headers on;
		proxy_set_header Connection "keep-alive";
		proxy_store off;
	}
}

 

Link to comment
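Why the subfolder locations in the config above behave so differently comes down to one nginx rule: when proxy_pass carries a URI part, the portion of the request that matched the location prefix is replaced by that URI; when it carries none, the request URI is forwarded untouched. The Python below is an added model of that rule, not nginx source and not the poster's config; the location/proxy_pass pairs are taken from the config above, while the request paths are made up for illustration.

```python
"""Model of how nginx derives the upstream URI from a prefix ``location`` and its
``proxy_pass`` (added illustration; not nginx source and not the poster's config).

Two rules from the nginx proxy_pass documentation are modelled:
  * proxy_pass WITH a URI part  (http://host:port/web): the part of the request URI
    that matched the location prefix is replaced by that URI part.
  * proxy_pass WITHOUT a URI part (http://host:port):   the request URI is forwarded
    unchanged.
Regex locations, rewrite directives and variables inside proxy_pass are out of scope.
"""
from urllib.parse import urlsplit


def upstream_uri(location: str, proxy_pass: str, request_uri: str) -> str:
    """Return the path+query nginx would send upstream for ``request_uri``.

    ``location`` is a plain prefix location (no modifier) that the request matched.
    """
    path, _, query = request_uri.partition("?")
    if not path.startswith(location):
        raise ValueError(f"{request_uri!r} does not match location {location!r}")
    pp_path = urlsplit(proxy_pass).path
    if pp_path == "":
        mapped = path                             # no URI in proxy_pass: pass through
    else:
        mapped = pp_path + path[len(location):]   # swap the prefix for the proxy_pass URI
    return mapped + (f"?{query}" if query else "")


# (location, proxy_pass) pairs lifted from the config above; the request paths are invented.
CASES = [
    ("/plex",      "http://10.1.40.6:32400/web",   "/plex"),
    ("/plex",      "http://10.1.40.6:32400/web",   "/plex/index.html"),
    ("/sonarr",    "http://10.1.40.6:8989/sonarr", "/sonarr/api/system/status"),
    ("/unifi",     "https://10.1.40.6:8443",       "/unifi/manage/account/login"),
    ("/downloads", "http://10.1.40.6:8112/",       "/downloads/json?x=1"),
]


def mapping_table() -> list[tuple[str, str]]:
    """(request URI, upstream URI) for every case; handy for eyeballing in a shell."""
    return [(req, upstream_uri(loc, pp, req)) for loc, pp, req in CASES]


if __name__ == "__main__":
    for req, up in mapping_table():
        print(f"{req:35} -> {up}")
```

The /unifi row is the problem behind the question above: with no URI in proxy_pass, the controller receives /unifi/manage/..., a path it does not serve, so a subfolder only works for apps that understand a base path (Sonarr's URL base, Deluge's X-Deluge-Base) and UniFi otherwise wants its own subdomain. The /downloads row shows the doubled slash produced by pairing `location /downloads` (no trailing slash) with `proxy_pass .../`; `location /downloads/` avoids it.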

I mean it's up to you, but why the hell would you want something like Unifi which interfaces directly with your firewall accessible from WAN?

As you can tell I'm a big fan of keeping any network management stuff like router, firewall, access points very much inaccessible from WAN.

Sent from my LG-H815 using Tapatalk

Link to comment
It's really an OCD thing. I was trying to get rid of the self-signed certs so that error goes away when you first sign in.

I do have their cloud system enabled to access it from the WAN side.

Was trying to do something like this


But I do see your point


Sent from my iPhone using Tapatalk
Link to comment



Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d sub1.domain.com -d sub2.domain.com
E-mail address entered: 
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --cert-path: No such file or directory

Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for domain.com
tls-sni-01 challenge for sub1.domain.com
tls-sni-01 challenge for sub2.domain.com
Waiting for verification...
Performing the following challenges:
tls-sni-01 challenge for domain.com
tls-sni-01 challenge for sub1.domain.com
tls-sni-01 challenge for sub2.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. sub1.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused, sub2.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: sub1.domain.com
Type: connection
Detail: Connection refused

Domain: sub2.domain.com
Type: connection
Detail: Connection refused

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

 

Link to comment
Assuming the IP is correct, your router seems to be not forwarding the request on port 443 to the container properly.
Link to comment
11 minutes ago, aptalca said:

Assuming the IP is correct, your router seems to be not forwarding the request on port 443 to the container properly.

I thought so too, but I just checked my firewall logs.

Link to comment
1 minute ago, surfshack66 said:

No, that's not my NAT rule. That's my permit inbound traffic rule. The source IP (Let's Encrypt) is accessing my webserver. The rule allows IPs originating from North America.


Ahh, my bad. If you stop letsencrypt and fire up a different container on the same internal port and IP, can you access it from outside your firewall on <externalip>:443?

Link to comment
1 hour ago, jonathanm said:

Ahh, my bad. If you stop letsencrypt and fire up a different container on the same internal port and IP, can you access it from outside your firewall on <externalip>:443?

Yes I can. I stopped letsencrypt and started an nginx container. When the letsencrypt container is started "canyouseeme.org" does not connect to 443, but the nginx container does connect.


Edited by surfshack66
Link to comment
53 minutes ago, CHBMB said:

If canyouseeme.org thinks the port is closed, it's closed, whether the container can see the outside world or not is immaterial.  Also I'd get rid of that URL redirect in namecheap.

 

It's odd that the port is open when the nginx container is started but closed when the letsencrypt container is started. I'm at a loss.

 

Also, I removed the URL redirect but then received a different error from letsencrypt below.

 

FYI - Port 80 is definitely blocked by my ISP, so the domain won't reach my IP then.

 

Failed authorization procedure. sub1.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for sub1.domain.com, sub2.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for sub2.domain.com

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: sub1.domain.com
Type: connection
Detail: DNS problem: NXDOMAIN looking up A for sub1.domain.com

Domain: sub2.domain.com
Type: connection
Detail: DNS problem: NXDOMAIN looking up A for sub2.domain.com

 

Link to comment

I'm having some trouble getting some of my subdomains to work and not sure how I get the subdomain validation to work. Here's the logs from the container.

 

This is for a separate server to my unRAID box; as you can probably tell, I'm setting up Exchange. I can see it's because it returns a self-signed cert which isn't trusted, but how do you get around this?

 



[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.example.com -d owa.example.com
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Congratulations! You have successfully revoked the certificate that was located
at /config/etc/letsencrypt/live/example.com/fullchain.pem

-------------------------------------------------------------------------------
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for example.com
tls-sni-01 challenge for www.example.com
tls-sni-01 challenge for owa.example.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. owa.example.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 70bc3ea9bdbbebb547c5b6291867e1af.68ceb6d13597d02bd0af560fd307b3d8.acme.invalid from 210.54.38.248:443. Received 1 certificate(s), first certificate had names "autodiscover.example.com, owa.example.com"
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: owa.example.com
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
70bc3ea9bdbbebb547c5b6291867e1af.68ceb6d13597d02bd0af560fd307b3d8.acme.invalid
from 210.54.38.248:443. Received 1 certificate(s), first
certificate had names "autodiscover.example.com,
owa.example.com"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

 

Link to comment
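The three certbot failures quoted in this thread (surfshack66's "Connection refused" and "NXDOMAIN" logs and the Exchange poster's "Incorrect validation certificate") are different problems that the same "Failed authorization procedure." line reports as one run-on sentence. The Python below is an added example, not part of the container, certbot or any post here: it splits that line into one record per domain and labels each with what a reverse-proxy admin should check; the label names are this example's own shorthand and the sample logs are the failure lines quoted above. One caveat for anyone reading this later: the tls-sni-01 challenge in these logs was disabled by Let's Encrypt in 2018 and fully retired in 2019, so current versions of this container validate with http-01 (a fetch of /.well-known/acme-challenge/ on port 80) or dns-01, and an ISP block on port 80 then forces the dns-01 route.

```python
"""Triage of certbot "Failed authorization procedure." lines (added example; not part of
the container, certbot or any post in this thread). The three sample logs are the failure
lines quoted in the thread; the diagnosis labels are this example's own shorthand."""
import re
from dataclasses import dataclass

# One failed authorization reads:  <domain> (<challenge>): <urn:acme:error:...> :: <detail>
ENTRY = re.compile(
    r"(?P<domain>[A-Za-z0-9.-]+) \((?P<challenge>[a-z0-9-]+)\): "
    r"(?P<code>urn:acme:error:[a-z]+) :: "
)


@dataclass
class Failure:
    domain: str
    challenge: str
    code: str
    detail: str
    diagnosis: str


def diagnose(detail: str) -> str:
    """Map the CA's detail text to what the proxy operator should look at."""
    d = detail.lower()
    if "connection refused" in d:
        return "port-forward/firewall"   # something at the A record's IP actively refused 443
    if "nxdomain" in d:
        return "dns-missing-record"      # the name has no A record at all
    if "incorrect validation certificate" in d:
        return "wrong-server-on-443"     # another TLS server answered for that name
    if "timed out" in d or "timeout" in d:
        return "port-443-filtered"       # packets dropped silently (ISP block, firewall)
    return "unknown"


def parse_failures(log: str) -> list[Failure]:
    """Split the (possibly very long) failure line into one Failure per domain."""
    prefix = "Failed authorization procedure."
    line = next((ln for ln in log.splitlines() if ln.startswith(prefix)), None)
    if line is None:
        return []
    body = line[len(prefix):]
    hits = list(ENTRY.finditer(body))
    failures = []
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(body)
        detail = body[m.end():end].strip().rstrip(",").strip()
        failures.append(Failure(m["domain"], m["challenge"], m["code"], detail, diagnose(detail)))
    return failures


def triage(log: str) -> dict[str, str]:
    """domain -> diagnosis label, the summary you would act on."""
    return {f.domain: f.diagnosis for f in parse_failures(log)}


def served_names(detail: str) -> list[str]:
    """For the 'Incorrect validation certificate' case: SANs of the cert that answered."""
    m = re.search(r'first certificate had names "([^"]*)"', detail)
    return [n.strip() for n in m.group(1).split(",")] if m else []


# Sample input: the failure lines quoted in this thread.
LOG_REFUSED = (
    "Waiting for verification...\nCleaning up challenges\n"
    "Failed authorization procedure. sub1.domain.com (tls-sni-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: Connection refused, "
    "sub2.domain.com (tls-sni-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: Connection refused\n"
)
LOG_NXDOMAIN = (
    "Failed authorization procedure. sub1.domain.com (tls-sni-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: "
    "DNS problem: NXDOMAIN looking up A for sub1.domain.com, "
    "sub2.domain.com (tls-sni-01): urn:acme:error:connection :: "
    "The server could not connect to the client to verify the domain :: "
    "DNS problem: NXDOMAIN looking up A for sub2.domain.com\n"
)
LOG_WRONG_CERT = (
    "Failed authorization procedure. owa.example.com (tls-sni-01): urn:acme:error:unauthorized :: "
    "The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 "
    "challenge. Requested 70bc3ea9bdbbebb547c5b6291867e1af.68ceb6d13597d02bd0af560fd307b3d8."
    "acme.invalid from 210.54.38.248:443. Received 1 certificate(s), first certificate had names "
    '"autodiscover.example.com, owa.example.com"\n'
)

if __name__ == "__main__":
    for name, log in (("refused", LOG_REFUSED), ("nxdomain", LOG_NXDOMAIN), ("wrong cert", LOG_WRONG_CERT)):
        print(f"--- {name}")
        for f in parse_failures(log):
            extra = served_names(f.detail)
            print(f"{f.domain:20} {f.diagnosis:22} {extra if extra else ''}")
```

Run as-is it prints one labelled line per domain. For the Exchange post the interesting part is served_names(): the certificate that answered on 443 for owa.example.com carries autodiscover.example.com and owa.example.com, i.e. it is Exchange's own certificate, so that name's port 443 is reaching Exchange and not this container, and no amount of retrying inside the container will change that.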
Only if that's how you configure the default file in nginx.

Disregard, for some reason it wants to work now.

I did find something. I guess there is a limit on how many certificates are handed out. I nuked the docker too many times and it won't work with a sub.

The way it reads, I have to wait 1 week and try again.
Link to comment
