aptalca Posted September 13, 2017

4 hours ago, sevenz said:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...
-------------------------------------
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.sevenz.ddns.net:23689
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Invalid character in DNS name
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

and this

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.sevenz.ddns.net
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...
Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for sevenz.ddns.net
tls-sni-01 challenge for www.sevenz.ddns.net
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.sevenz.ddns.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.sevenz.ddns.net
IMPORTANT NOTES:
- The following errors were reported by the server:
  Domain: www.sevenz.ddns.net
  Type: connection
  Detail: DNS problem: NXDOMAIN looking up A for www.sevenz.ddns.net
  To fix these errors, please make sure that your domain name was entered correctly and the DNS A record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot configuration directory at /etc/letsencrypt. You should make a secure backup of this folder now. This configuration directory will also contain certificates and private keys obtained by Certbot so making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

Here it is. I have no idea how to remove the port number from the nextcloud ddns (it's forwarded via vpn).

There is no DNS entry for the www subdomain. Either create it, or remove the subdomain setting from the container settings. I don't know what you mean by the port number with nextcloud ddns and the vpn.
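The two failures in the log above (a port number glued onto the hostname, which the ACME server rejects as "Invalid character in DNS name", and a www name that has no A record, which fails with NXDOMAIN) can both be caught before the container ever calls certbot. The following is an added example in Python; it is not code from the linuxserver.io container or from any poster. It assumes the container requests each name as SUBDOMAIN.URL, which is what the "Sub-domains processed are: -d www.sevenz.ddns.net" line shows, and the lookup function is injectable so the check can be exercised without network access.

```python
"""Pre-flight check for the URL and SUBDOMAINS values handed to certbot.

Added example, not code from the linuxserver.io letsencrypt container.
It catches, before certbot is called, the two things that failed in the
log above: a port number inside a hostname (rejected by the ACME server
as "Invalid character in DNS name") and a subdomain with no A record
(the challenge fails with NXDOMAIN). Assumption: the container requests
each name as SUBDOMAIN.URL, as the log's "Sub-domains processed" line shows.
"""
import re
import socket
from typing import Callable, Dict, List

# RFC 1123 hostname label: 1-63 letters, digits or hyphens, and the
# label may not start or end with a hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def hostname_problems(name: str) -> List[str]:
    """Reasons why `name` is not a DNS hostname certbot can request."""
    problems: List[str] = []
    if ":" in name:
        problems.append("contains ':' (a port number is not part of a DNS name)")
    if "/" in name:
        problems.append("contains '/' (a URL path is not part of a DNS name)")
    if len(name) > 253:
        problems.append("longer than 253 characters")
    for label in name.rstrip(".").split("."):
        if not _LABEL.match(label):
            problems.append(f"bad label {label!r}")
    return problems


def has_a_record(name: str, lookup: Callable[[str], str] = socket.gethostbyname) -> bool:
    """True if `name` resolves. `lookup` is injectable so this runs offline in tests."""
    try:
        lookup(name)
        return True
    except OSError:  # socket.gaierror (NXDOMAIN and friends) is an OSError subclass
        return False


def preflight(url: str, subdomains: str,
              lookup: Callable[[str], str] = socket.gethostbyname) -> Dict[str, List[str]]:
    """Check every name certbot would be asked for.

    Returns {name: [problems]}; an empty dict means every name is
    syntactically valid and has an A record.
    """
    names = [url] + [f"{s.strip()}.{url}" for s in subdomains.split(",") if s.strip()]
    report: Dict[str, List[str]] = {}
    for name in names:
        problems = hostname_problems(name)
        if not problems and not has_a_record(name, lookup):
            problems.append("no A record (ACME validation would fail with NXDOMAIN)")
        if problems:
            report[name] = problems
    return report


if __name__ == "__main__":
    # Constructed input mirroring the first log: a port inside the URL value.
    for name, probs in preflight("sevenz.ddns.net:23689", "www").items():
        print(name, "->", "; ".join(probs))
```

Run it with the same URL and SUBDOMAINS values you give the container; anything it reports would have made certbot fail in the same way as the log above, and fixing it there is cheaper than burning Let's Encrypt rate limits on failed authorizations.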
sevenz Posted September 13, 2017

Alright, let me try again and read up and see where I go. What I meant by port number with nextcloud vpn is that I can't use port 443, so I forwarded port 443 inside with the vpn port 23689. You can try accessing my nextcloud at https://sevenz.ddns.net:23689 (what I want to achieve is https://sevenz.ddns.net/nextcloud)
aptalca Posted September 14, 2017

On 9/12/2017 at 3:59 PM, MowMdown said:

Are there any resources I can read up on to figure out this application? I definitely didn't learn this stuff in my CSC courses and it's a real pain in the rear... Want me to build/compile a custom Linux kernel... done! Build a custom android rom from source... done! Reverse engineer an android bootloader...done Reverse proxy a docker... help!!!!

You can also check out this guide: https://forums.lime-technology.com/topic/54206-the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/
FreeMan Posted September 14, 2017

On 9/12/2017 at 3:59 PM, MowMdown said:

Are there any resources I can read up on to figure out this application? I definitely didn't learn this stuff in my CSC courses and it's a real pain in the rear... Want me to build/compile a custom Linux kernel... done! Build a custom android rom from source... done! Reverse engineer an android bootloader...done Reverse proxy a docker... help!!!!

I didn't learn anything about reverse proxies in school either, but I read the first 5 or so pages here over & over until I got it working. You can do it!!!
CHBMB Posted September 14, 2017

I've had no formal IT education whatsoever, other than using some Nimbus computers at school over 25 years ago..... I don't work in IT at all.

Want me to build/compile a custom Linux kernel... done! (Learnt this in the last couple of years)
Build a custom android rom from source... not done!
Reverse engineer an android bootloader... not done
Reverse proxy a docker... Learnt this in the last couple of years

Moral of this: if I can do it, anyone can!
MowMdown Posted September 14, 2017

So far only Deluge loads correctly. Sonarr however only loads a blank page with "Sonarr Ver" at the top left corner... What confuses me is how am I supposed to know what all I need to include inside the block? Every docker container requires quite a bit of different code to get them to work.

    location ^~ /sonarr {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        proxy_pass http://192.168.1.200:8989/sonarr;
        include /config/nginx/proxy.conf;
    }
FreeMan Posted September 14, 2017

You need only change 2 lines of that portion of the file:

    location ^~ /server_name_here {
        proxy_pass http://192.168.1.200:port_of_the_server_you're_giving_access_to/you_may_or_may_not_need_to_provide_this_path;

You change the underlined portions only and it should work. At least, it did for me...
aptalca Posted September 15, 2017

5 hours ago, MowMdown said:

So far only Deluge loads correctly. Sonarr however only loads a blank page with "Sonarr Ver" at the top left corner... What confuses me is how am I supposed to know what all I need to include inside the block? Every docker container requires quite a bit of different code to get them to work.

    location ^~ /sonarr {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        proxy_pass http://192.168.1.200:8989/sonarr;
        include /config/nginx/proxy.conf;
    }

Can you access http://192.168.1.200:8989/sonarr directly? Does it work fine? Most of the container guis work with this basic config. The only ones I tried that need custom settings are nextcloud, emby and plex.
lzrdking71 Posted September 15, 2017

I may be reading something incorrectly but it doesn't look like the enabled fail2ban filters in the container are working properly according to the logs on a fresh docker install.

2017-09-14 23:21:53,943 fail2ban.utils [266]: ERROR ip6tables -w -N f2b-nginx-http-auth
ip6tables -w -A f2b-nginx-http-auth -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth -- stderr:
2017-09-14 23:21:53,943 fail2ban.utils [266]: ERROR -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-14 23:21:53,943 fail2ban.utils [266]: ERROR -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-14 23:21:53,943 fail2ban.utils [266]: ERROR -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-14 23:21:53,944 fail2ban.utils [266]: ERROR -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-14 23:21:53,944 fail2ban.utils [266]: ERROR -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-14 23:21:53,944 fail2ban.utils [266]: ERROR -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-14 23:21:53,944 fail2ban.utils [266]: ERROR -- stderr: 'Could not open socket to kernel: Address family not supported by protocol'
2017-09-14 23:21:53,944 fail2ban.utils [266]: ERROR ip6tables -w -N f2b-nginx-http-auth
ip6tables -w -A f2b-nginx-http-auth -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth -- returned 1
2017-09-14 23:21:53,944 fail2ban.actions [266]: ERROR Failed to start jail 'nginx-http-auth' action 'iptables-multiport': Error starting action Jail('nginx-http-auth')/iptables-multiport
2017-09-14 23:21:53,981 fail2ban.utils [266]: ERROR ip6tables -w -N f2b-nginx-badbots
ip6tables -w -A f2b-nginx-badbots -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-badbots -- stderr:
2017-09-14 23:21:53,982 fail2ban.utils [266]: ERROR -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-14 23:21:53,982 fail2ban.utils [266]: ERROR -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-14 23:21:53,983 fail2ban.utils [266]: ERROR -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-14 23:21:53,983 fail2ban.utils [266]: ERROR -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-14 23:21:53,983 fail2ban.utils [266]: ERROR -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-14 23:21:53,984 fail2ban.utils [266]: ERROR -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-14 23:21:53,984 fail2ban.utils [266]: ERROR -- stderr: 'Could not open socket to kernel: Address family not supported by protocol'
2017-09-14 23:21:53,985 fail2ban.utils [266]: ERROR ip6tables -w -N f2b-nginx-badbots
ip6tables -w -A f2b-nginx-badbots -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-badbots -- returned 1
2017-09-14 23:21:53,985 fail2ban.actions [266]: ERROR Failed to start jail 'nginx-badbots' action 'iptables-multiport': Error starting action Jail('nginx-badbots')/iptables-multiport
2017-09-14 23:21:53,997 fail2ban.utils [266]: ERROR ip6tables -w -N f2b-nginx-botsearch
ip6tables -w -A f2b-nginx-botsearch -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-botsearch -- stderr:
2017-09-14 23:21:53,998 fail2ban.utils [266]: ERROR -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-14 23:21:53,998 fail2ban.utils [266]: ERROR -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-14 23:21:53,999 fail2ban.utils [266]: ERROR -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-14 23:21:53,999 fail2ban.utils [266]: ERROR -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-14 23:21:53,999 fail2ban.utils [266]: ERROR -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-14 23:21:54,000 fail2ban.utils [266]: ERROR -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-14 23:21:54,000 fail2ban.utils [266]: ERROR -- stderr: 'Could not open socket to kernel: Address family not supported by protocol'
2017-09-14 23:21:54,000 fail2ban.utils [266]: ERROR ip6tables -w -N f2b-nginx-botsearch
ip6tables -w -A f2b-nginx-botsearch -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-botsearch -- returned 1
2017-09-14 23:21:54,000 fail2ban.actions [266]: ERROR Failed to start jail 'nginx-botsearch' action 'iptables-multiport': Error starting action Jail('nginx-botsearch')/iptables-multiport
strike Posted September 15, 2017

Edit ../fail2ban/action.d/iptables-common.conf and comment out the last section so it looks like this:

    [Init?family=inet6]

    # Option: blocktype (ipv6)
    # Note: This is what the action does with rules. This can be any jump target
    # as per the iptables man page (section 8). Common values are DROP
    # REJECT, REJECT --reject-with icmp6-port-unreachable
    # Values: STRING
    #blocktype = REJECT --reject-with icmp6-port-unreachable

    # Option: iptables (ipv6)
    # Notes.: Actual command to be executed, including common to all calls options
    # Values: STRING
    #iptables = ip6tables <lockingopt>

Restart the container.
MowMdown Posted September 15, 2017

7 hours ago, aptalca said:

Can you access http://192.168.1.200:8989/sonarr directly? Does it work fine? Most of the container guis work with this basic config. The only ones I tried that need custom settings are nextcloud, emby and plex.

I can't remember off the top of my head to give you a solid answer, but what I can tell you is I've also tried it by leaving "/sonar" off the end and I either get a 404 nginx error page or just the blank white page that says "Sonarr Ver." in the upper left corner. Could it be due to the fact that I'm using Privoxy (Sonarr with proxy enabled)?
lzrdking71 Posted September 15, 2017

Thanks for the help, the below fixed it.

Quote:

Edit ../fail2ban/action.d/iptables-common.conf and comment out the last section so it looks like this:

    [Init?family=inet6]

    # Option: blocktype (ipv6)
    # Note: This is what the action does with rules. This can be any jump target
    # as per the iptables man page (section 8). Common values are DROP
    # REJECT, REJECT --reject-with icmp6-port-unreachable
    # Values: STRING
    #blocktype = REJECT --reject-with icmp6-port-unreachable

    # Option: iptables (ipv6)
    # Notes.: Actual command to be executed, including common to all calls options
    # Values: STRING
    #iptables = ip6tables <lockingopt>

Restart the container.
strike Posted September 15, 2017

8 minutes ago, MowMdown said:

or just the blank white page that says "Sonarr Ver." in the upper left corner.

I don't use sonarr, but I had the same problem with radarr the first time I set up this container. Turned out I forgot to set the "URL Base" in the webui settings for radarr.
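FreeMan's "you may or may not need to provide this path" and strike's "URL Base" point are the same nginx rule seen from two sides: a prefix `location` plus a `proxy_pass` with a URI part replaces the matched prefix with that URI part, while a `proxy_pass` with no URI part (nothing after the port) forwards the request URI untouched. The backend then has to be configured to answer under whatever path arrives, which for Sonarr and Radarr is the URL Base setting. The following is an added example, not nginx's code or anything posted in the thread; it implements only the documented rule for prefix locations (`=` and regex locations, the query string and URI normalisation are not modelled), and the request path is constructed.

```python
"""Which path an nginx prefix `location` with `proxy_pass` hands to the backend.

Added example, not nginx's own code. It implements the proxy_pass rule for
prefix locations: if proxy_pass carries a URI part, the piece of the request
URI that matched the location prefix is replaced by that URI part; if
proxy_pass has no URI part at all (http://host:port), the request URI is
forwarded unchanged. Regex and "=" locations, query strings and URI
normalisation are not modelled.
"""
from urllib.parse import urlsplit


def upstream_path(location: str, proxy_pass: str, request_uri: str) -> str:
    """Return the path the backend receives for `request_uri`."""
    prefix = location.split()[-1]  # drop a "^~" modifier if one is present
    if not request_uri.startswith(prefix):
        raise ValueError(f"{request_uri} does not match location {prefix}")
    target = urlsplit(proxy_pass)
    if target.path == "":          # "proxy_pass http://host:port;" -> URI passed as-is
        return request_uri
    return target.path + request_uri[len(prefix):]


def sonarr_cases() -> dict:
    """The four common combinations for a Sonarr whose URL Base is /sonarr.

    The backend address is the one posted in the thread; the request path
    is constructed for illustration.
    """
    req = "/sonarr/api/v1/system/status"
    return {
        "uri in proxy_pass equals URL Base": upstream_path("^~ /sonarr", "http://192.168.1.200:8989/sonarr", req),
        "no uri in proxy_pass": upstream_path("^~ /sonarr", "http://192.168.1.200:8989", req),
        "slash-only uri, location without slash": upstream_path("^~ /sonarr", "http://192.168.1.200:8989/", req),
        "slash-only uri, location with slash": upstream_path("^~ /sonarr/", "http://192.168.1.200:8989/", req),
    }


if __name__ == "__main__":
    for label, path in sonarr_cases().items():
        print(f"{label:40s} -> {path}")
```

With URL Base set to /sonarr, the backend only answers under /sonarr/, so the first two rows are the ones that work; the third strips the prefix and sends a double slash, and the fourth strips it cleanly but then needs a backend with no URL Base. That is the difference behind "blank page" versus "404" when the location block looks right.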
Nomad007 Posted September 15, 2017

Hi guys, struggling a little trying to get some basic services to run. I followed this guide. So far port 443 is open and I see the nginx web page but I can't get sonarr and/or radarr to work. Typing https://DOMAIN.duckdns.org/sonarr and https://DOMAIN.duckdns.org/radarr shows the same default nginx page. URL base for sonarr is "/sonarr", URL base for radarr is "/radarr"; both services have been restarted. Here is the cut down default file I currently am using, which is based off the guide.

    upstream backend {
        server 192.168.2.27:19999;
        keepalive 64;
    }

    server {
        listen 443 ssl default_server;
        listen 80 default_server;
        root /config/www;
        index index.html index.htm index.php;
        server_name _;
        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        client_max_body_size 0;

        location = / {
            return 301 /sonarr;
        }

        location /sonarr {
            include /config/nginx/proxy.conf;
            proxy_pass http://192.168.2.27:8989/sonarr;
        }

        location /radarr {
            include /config/nginx/proxy.conf;
            proxy_pass http://192.168.2.27:7878/radarr;
        }
    }

I'm sure it's something simple I am missing but I can't see it. Any advice?
Muff Posted September 15, 2017

Hi everyone! I'm trying to configure forwarding for some dockers on my unRaid server but I get 502 Bad Gateway on 3 of my sites and on the last I get a blank page. I've been following the following guide: https://cyanlabs.net/tutorials/the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/

This is my config (Path: /mnt/user/appdata/letsencrypt/nginx/site-confs): please see default.txt. And this is my config.php file in /mnt/user/appdata/nextcloud/www/nextcloud/config: please see config.txt.

I've been sitting with this for a while and am in need of a new fresh pair of eyes. Thank you!
CHBMB Posted September 15, 2017

For Nextcloud I'd suggest my guide tbh. Can find it on the ls.io site.
isvein Posted September 15, 2017

Hello. So I try to put a Minio docker behind the reverse proxy of letsencrypt and have got that working just fine, but how can I connect the login logs to fail2ban to protect against brute force attacks?
localhost Posted September 15, 2017

Hi, been running letsencrypt for the last few days now, all working smoothly with the single domain I set it up on. I would like to add another domain now but can't see how. Just from looking around, all I can see in the files config-wise is a file called 'donoteditthisfile.conf'; otherwise all the files look default. In this file there is a param 'ORIGEXTRA_DOMAINS=""'. I'm wondering, can it be as simple as adding it here? I've found loads of tutorials for how to do this but they're all installs in a full operating system environment and the setup looks quite different using the unraid docker. Thanks
isvein Posted September 15, 2017

localhost: another domain or subdomain? As far as I can see, one letsencrypt docker can only be used for 1 domain and its subdomains.
localhost Posted September 15, 2017

Yes, another domain; I already have multiple working subdomains. I have seen people using nginx with multiple subdomains, just not sure if it's the same process here. I might try creating a file and replacing the default in the site-confs dir. I hope nginx in this form can still do this.
aptalca Posted September 15, 2017

8 hours ago, Nomad007 said:

Hi guys, struggling a little trying to get some basic services to run. I followed this guide. So far port 443 is open and I see the nginx web page but I can't get sonarr and/or radarr to work. Typing https://DOMAIN.duckdns.org/sonarr and https://DOMAIN.duckdns.org/radarr shows the same default nginx page. URL base for sonarr is "/sonarr", URL base for radarr is "/radarr"; both services have been restarted. Here is the cut down default file I currently am using, which is based off the guide. I'm sure it's something simple I am missing but I can't see it. Any advice?

Clear your browser cache. The = in location blocks results in permanent redirects. Your browser may have cached that from before.
aptalca Posted September 15, 2017

3 hours ago, localhost said:

Hi, been running letsencrypt for the last few days now, all working smoothly with the single domain I set it up on. I would like to add another domain now but can't see how. Just from looking around, all I can see in the files config-wise is a file called 'donoteditthisfile.conf'; otherwise all the files look default. In this file there is a param 'ORIGEXTRA_DOMAINS=""'. I'm wondering, can it be as simple as adding it here? I've found loads of tutorials for how to do this but they're all installs in a full operating system environment and the setup looks quite different using the unraid docker. Thanks

Dude, the file is literally named "donoteditthisfile.conf" so no, do not edit it, lol. Check the docker hub or the github page for this image. It tells you how to add additional domains (hint: optional settings).
aptalca Posted September 15, 2017

2 hours ago, isvein said:

localhost: another domain or subdomain? As far as I can see, one letsencrypt docker can only be used for 1 domain and its subdomains.

Support for multiple domains was added in July.
DZMM Posted September 16, 2017

On 2/17/2017 at 10:35 PM, ritalin said:

Home-Assistant Docker with LetsEncrypt Docker setup on a sub domain

Considering I spent/wasted a good deal of time running around in circles trying to get this working and looking at various locations for info, I thought it would be nice to share my setup just in case someone else is going through the same thing. Here is how I have my sub domain encrypted and set up as a reverse proxy through nginx in LetsEncrypt.

My letsencrypt docker setup

My Router's Firewall

The configuration.yaml HTTP section for Home-Assistant:

    http:
      api_password: MyPassWord
      base_url: 192.168.1.2:8123

A secondary file named "ha" in the /nginx/site-confs directory containing the following code:

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    server {
        # Update this line to be your domain
        server_name SUB.MYDOMAIN.com;

        # These shouldn't need to be changed
        listen 80 default_server;
        #listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;
    }

    server {
        # Update this line to be your domain
        server_name SUB.MYDOMAIN.com;

        # Ensure these lines point to your SSL certificate and key
        ssl_certificate /config/etc/letsencrypt/live/MYDOMAIN.COM/fullchain.pem;
        ssl_certificate_key /config/etc/letsencrypt/live/MYDOMAIN.COM/privkey.pem;
        # Use these lines instead if you created a self-signed certificate
        # ssl_certificate /etc/nginx/ssl/cert.pem;
        # ssl_certificate_key /etc/nginx/ssl/key.pem;

        # Ensure this line points to your dhparams file
        ssl_dhparam /config/nginx/dhparams.pem;

        # These shouldn't need to be changed
        listen 443 ssl ;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        ssl on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        proxy_buffering off;

        location / {
            # Update this line to be your HA servers local ip and port
            proxy_pass http://192.168.1.2:8123;
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

Startup your HA and LetsEncrypt Docker and you should now be able to securely access Home-Assistant from outside your network. Thank you again to Tyler, Aptalca and CHBMB for your help.

Can you help me out please, as this didn't quite work for me. Here's what I have:

    http:
      api_password: redacted
      # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
      base_url: redacted.duckdns.org:8123
      use_x_forwarded_for: True
      ip_ban_enabled: True
      login_attempts_threshold: 5

    map $http_upgrade $connection_upgrade {
        default upgrade;
        '' close;
    }

    server {
        # Update this line to be your domain
        server_name redacted.duckdns.org;

        # These shouldn't need to be changed
        listen 80 default_server;
        #listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;
    }

    server {
        # Update this line to be your domain
        server_name redacted.duckdns.org;

        # Ensure these lines point to your SSL certificate and key
        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        # Use these lines instead if you created a self-signed certificate
        # ssl_certificate /etc/nginx/ssl/cert.pem;
        # ssl_certificate_key /etc/nginx/ssl/key.pem;

        # Ensure this line points to your dhparams file
        ssl_dhparam /config/nginx/dhparams.pem;

        # These shouldn't need to be changed
        listen 443 ssl ;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        ssl on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        proxy_buffering off;

        location / {
            # Update this line to be your HA servers local ip and port
            proxy_pass http://xxx.xx.xx.2:8123;
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

For the certificate addresses, I copied the lines from default - was this right? Thanks in advance
strike Posted September 16, 2017

16 hours ago, isvein said:

Hello. So I try to put a Minio docker behind the reverse proxy of letsencrypt and have got that working just fine, but how can I connect the login logs to fail2ban to protect against brute force attacks?

First, you need to add a path in your docker template and point it to where your log is. Then you need to add a new jail to ../fail2ban/jail.local and just point the logpath to the path you just created. That's about it. You might wanna adjust the bantime, findtime and maxretry too. The default bantime is just 10 min which is too low IMO. If you use nginx auth there are already jails in place to monitor your nginx log so you don't need to add that.

Edit: I forgot that you'll need to add a filter to ../fail2ban/filter.d. Just call it minio.conf or something. This is my filter for my emby server:

    # Fail2Ban filter for emby
    #

    [INCLUDES]

    # Read common prefixes. If any customizations available -- read them from
    # common.local
    before = common.conf

    [Definition]

    _daemon = emby-server

    failregex = Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname
                Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None

    ignoreregex =

    # DEV Notes:
    #
    # Matching on http 401 with a trailing url including 'authenticatebyname' to catch incorrect passwords
    # Matching on http 500 with a trailing url including 'mediabrowser/Users/None' to catch incorrect usernames
    #
    # Author: [email protected]
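Before wiring a new filter into a jail, it pays to check offline that the failregex actually fires on the application's log lines and that the findtime/maxretry pair strike mentions gives the behaviour you want. The following is an added example in Python, not fail2ban's code or anything from the thread: it expands fail2ban's `<HOST>` tag approximately the way fail2ban-regex does (the 0.9-era pattern; newer releases also handle bracketed and IPv4-mapped IPv6 addresses), runs strike's two emby failregex lines over constructed log lines, and replays the hits through a findtime/maxretry window to show which addresses a jail would ban. The log lines, addresses and hostname are constructed for illustration and the timestamp format is assumed to be the usual `YYYY-MM-DD HH:MM:SS` prefix.

```python
"""Offline check of a fail2ban filter plus the jail's findtime/maxretry window.

Added example, not fail2ban's own code. <HOST> is expanded the way the
0.9-series fail2ban-regex does (simplified; later releases handle more
address forms), the emby failregex lines are strike's, and the log lines
are constructed. bantime is not modelled: a banned host is simply ignored
for the rest of the replay.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

# fail2ban <HOST> expansion (0.9 series): optional IPv4-mapped prefix, then
# a run of hostname/IP characters that ends in a word character.
HOST = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

FAILREGEX = [
    r"Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname",
    r"Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None",
]

# Constructed emby-style log: three quick failures from one address, one
# success and three slow failures from another.
SAMPLE_LOG = """\
2017-09-16 10:00:01 Info HttpServer: HTTP Response 401 to 203.0.113.7. Time: 5ms. http://emby.example.net/emby/Users/authenticatebyname
2017-09-16 10:00:09 Info HttpServer: HTTP Response 401 to 203.0.113.7. Time: 4ms. http://emby.example.net/emby/Users/authenticatebyname
2017-09-16 10:00:15 Info HttpServer: HTTP Response 500 to 203.0.113.7. Time: 4ms. http://emby.example.net/mediabrowser/Users/None/Images
2017-09-16 10:00:20 Info HttpServer: HTTP Response 200 to 198.51.100.4. Time: 3ms. http://emby.example.net/emby/Users/authenticatebyname
2017-09-16 10:30:00 Info HttpServer: HTTP Response 401 to 198.51.100.4. Time: 3ms. http://emby.example.net/emby/Users/authenticatebyname
2017-09-16 10:59:00 Info HttpServer: HTTP Response 401 to 198.51.100.4. Time: 3ms. http://emby.example.net/emby/Users/authenticatebyname
2017-09-16 11:40:00 Info HttpServer: HTTP Response 401 to 198.51.100.4. Time: 3ms. http://emby.example.net/emby/Users/authenticatebyname
"""


def compile_failregex(patterns: List[str]) -> List[re.Pattern]:
    return [re.compile(p.replace("<HOST>", HOST)) for p in patterns]


def failures(log_text: str, patterns: List[str]) -> List[Tuple[datetime, str]]:
    """(timestamp, host) for every log line that matches one of the failregex."""
    regexes = compile_failregex(patterns)
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        for rx in regexes:
            m = rx.search(line)
            if m:
                ts = datetime.strptime(line[:19], "%Y-%m-%d %H:%M:%S")  # assumed format
                hits.append((ts, m.group("host")))
                break  # first matching regex wins, as in fail2ban
    return hits


def bans(log_text: str, patterns: List[str], maxretry: int = 3, findtime: int = 600) -> Dict[str, datetime]:
    """Replay failures through a findtime/maxretry sliding window.

    Returns {host: time of ban}. A host is banned once `maxretry` failures
    fall within `findtime` seconds; its counter is then reset, as fail2ban
    does when it bans.
    """
    span = timedelta(seconds=findtime)
    window: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Dict[str, datetime] = {}
    for ts, host in sorted(failures(log_text, patterns)):
        if host in banned:
            continue  # bantime not modelled: stay banned for the rest of the replay
        q = window[host]
        q.append(ts)
        while q and ts - q[0] > span:
            q.popleft()
        if len(q) >= maxretry:
            banned[host] = ts
            q.clear()
    return banned


if __name__ == "__main__":
    print("matches:", len(failures(SAMPLE_LOG, FAILREGEX)))
    print("findtime=600 :", bans(SAMPLE_LOG, FAILREGEX, 3, 600))
    print("findtime=7200:", bans(SAMPLE_LOG, FAILREGEX, 3, 7200))
```

With the defaults (maxretry 3, findtime 10 minutes) only the fast attacker is banned; the second address spaces its attempts half an hour apart and never trips the window, which is the case for raising findtime on an Internet-facing login. Swap in your own filter's failregex and a few real lines from the Minio log to confirm the `<HOST>` capture lands on the client address rather than on some other token in the line.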