[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



4 hours ago, sevenz said:

 


[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.sevenz.ddns.net:23689
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
An unexpected error occurred:
The request message was malformed :: Error creating new authz :: Invalid character in DNS name
Please see the logfiles in /var/log/letsencrypt for more details.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
 

 

 

and this


[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.sevenz.ddns.net
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for sevenz.ddns.net
tls-sni-01 challenge for www.sevenz.ddns.net
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.sevenz.ddns.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.sevenz.ddns.net
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: www.sevenz.ddns.net
Type: connection
Detail: DNS problem: NXDOMAIN looking up A for www.sevenz.ddns.net

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
 

 

 

 

Here it is. I have no idea how to remove the port number from the nextcloud ddns (it's forwarded via vpn).

 

There is no dns entry for the www subdomain. Either create it, or remove the subdomain setting from container settings. 

 

I don't know what you mean by the port number with nextcloud ddns and the vpn
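A pre-flight check for the two failures in the logs quoted above (a port suffix left in the name, and a subdomain with no A record), written as an added example that is not part of the container or this thread. It assumes the image's SUBDOMAINS setting is a comma-separated list, takes the name sevenz.ddns.net from the quoted logs, and uses a constructed stand-in resolver in the demo so it runs offline.

```python
import re
import socket
from typing import Callable, Dict, List, Optional

# RFC 1123 hostname label: letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def fqdns_from_settings(url: str, subdomains: str) -> List[str]:
    """Expand the container's URL and comma-separated SUBDOMAINS settings into the
    list of names certbot is asked to put on the certificate."""
    base = url.strip()
    names = [base]
    for sub in subdomains.split(","):
        sub = sub.strip()
        if sub:
            names.append(f"{sub}.{base}")
    return names


def invalid_name_reason(name: str) -> Optional[str]:
    """Why the ACME server would reject this name as malformed, or None if it is well-formed."""
    if ":" in name:
        return "contains ':' (a port suffix is not part of a DNS name)"
    if len(name) > 253:
        return "longer than 253 characters"
    labels = name.split(".")
    if len(labels) < 2:
        return "not a fully qualified domain name"
    for label in labels:
        if not _LABEL.match(label):
            return f"label {label!r} is not a valid hostname label"
    return None


def default_resolver(name: str) -> Optional[str]:
    """Look up an A record; None when the name does not resolve (NXDOMAIN etc.)."""
    try:
        return socket.gethostbyname(name)
    except (socket.gaierror, UnicodeError):
        return None


def preflight(url: str, subdomains: str,
              resolver: Callable[[str], Optional[str]] = default_resolver) -> Dict[str, str]:
    """Return {fqdn: problem} for each name that would make the certificate request fail.
    An empty dict means every name is well-formed and has an A record."""
    problems: Dict[str, str] = {}
    for fqdn in fqdns_from_settings(url, subdomains):
        reason = invalid_name_reason(fqdn)
        if reason is None and resolver(fqdn) is None:
            reason = "no A record (NXDOMAIN): create the DNS entry or drop it from SUBDOMAINS"
        if reason is not None:
            problems[fqdn] = reason
    return problems


if __name__ == "__main__":
    # Constructed stand-in for DNS so the demo runs offline: only the bare domain resolves.
    def fake_dns(name: str) -> Optional[str]:
        return "203.0.113.10" if name == "sevenz.ddns.net" else None

    for url, subs in [("sevenz.ddns.net:23689", "www"), ("sevenz.ddns.net", "www")]:
        print(f"URL={url!r} SUBDOMAINS={subs!r}")
        for fqdn, why in preflight(url, subs, resolver=fake_dns).items():
            print(f"  {fqdn}: {why}")
```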

On 9/12/2017 at 3:59 PM, MowMdown said:

Are there any resources I can read up on to figure out this application?

 

I definitely didn't learn this stuff in my CSC courses and it's a real pain in the rear...

 

Want me to build/compile a custom Linux kernel... done!

Build a custom android rom from source... done!

Reverse engineer an android bootloader...done

Reverse proxy a docker... help!!!!

 

You can also check out this guide: https://forums.lime-technology.com/topic/54206-the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/

 

On 9/12/2017 at 3:59 PM, MowMdown said:

Are there any resources I can read up on to figure out this application?

 

I definitely didn't learn this stuff in my CSC courses and it's a real pain in the rear...

 

Want me to build/compile a custom Linux kernel... done!

Build a custom android rom from source... done!

Reverse engineer an android bootloader...done

Reverse proxy a docker... help!!!!

I didn't learn anything about reverse proxies in school either, but I read the first 5 or so pages here over & over until I got it working.

 

You can do it!!!


I've had no formal IT education whatsoever, other than using some Nimbus computers at school over 25 years ago..... 

I don't work in IT at all

 

Want me to build/compile a custom Linux kernel... done! (Learnt this in the last couple of years)

Build a custom android rom from source...  not done!

Reverse engineer an android bootloader... not done

Reverse proxy a docker... Learnt this in the last couple of years

 

Moral of this: if I can do it, anyone can!  :D


So far only Deluge loads correctly.

 

Sonarr however only loads a blank page with "Sonarr Ver" at the top left corner...

 

What confuses me is how am I supposed to know what all I need to include inside the block? Every docker container requires quite a bit of different code to get them to work.

	location ^~ /sonarr {
		auth_basic "Restricted";
		auth_basic_user_file /config/nginx/.htpasswd;
		proxy_pass http://192.168.1.200:8989/sonarr;
		include /config/nginx/proxy.conf;
	}

 


You need only change 2 lines of that portion of the file

 

location ^~ /server_name_here {

proxy_pass http://192.168.1.200:port_of_the_server_you're_giving_access_to/you_may_or_may_not_need_to_provide_this_path;

 

You change the underlined portions only and it should work. At least, it did for me... :)

 

5 hours ago, MowMdown said:

So far only Deluge loads correctly.

 

Sonarr however only loads a blank page with "Sonarr Ver" at the top left corner...

 

What confuses me is how am I supposed to know what all I need to include inside the block? Every docker container requires quite a bit of different code to get them to work.


	location ^~ /sonarr {
		auth_basic "Restricted";
		auth_basic_user_file /config/nginx/.htpasswd;
		proxy_pass http://192.168.1.200:8989/sonarr;
		include /config/nginx/proxy.conf;
	}

 

 

Can you access http://192.168.1.200:8989/sonarr directly? Does it work fine? 

 

Most of the container guis work with this basic config. The only ones I tried that need custom settings are nextcloud, emby and plex


I may be reading something incorrectly but it doesn't look like the enabled fail2ban filters in the container are working properly according to the logs on a fresh docker install.

 

2017-09-14 23:21:53,943 fail2ban.utils          [266]: ERROR   ip6tables -w -N f2b-nginx-http-auth
ip6tables -w -A f2b-nginx-http-auth -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth -- stderr:
2017-09-14 23:21:53,943 fail2ban.utils          [266]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-14 23:21:53,943 fail2ban.utils          [266]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-14 23:21:53,943 fail2ban.utils          [266]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-14 23:21:53,944 fail2ban.utils          [266]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-14 23:21:53,944 fail2ban.utils          [266]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-14 23:21:53,944 fail2ban.utils          [266]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-14 23:21:53,944 fail2ban.utils          [266]: ERROR    -- stderr: 'Could not open socket to kernel: Address family not supported by protocol'
2017-09-14 23:21:53,944 fail2ban.utils          [266]: ERROR   ip6tables -w -N f2b-nginx-http-auth
ip6tables -w -A f2b-nginx-http-auth -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth -- returned 1
2017-09-14 23:21:53,944 fail2ban.actions        [266]: ERROR   Failed to start jail 'nginx-http-auth' action 'iptables-multiport': Error starting action Jail('nginx-http-auth')/iptables-multiport
2017-09-14 23:21:53,981 fail2ban.utils          [266]: ERROR   ip6tables -w -N f2b-nginx-badbots
ip6tables -w -A f2b-nginx-badbots -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-badbots -- stderr:
2017-09-14 23:21:53,982 fail2ban.utils          [266]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-14 23:21:53,982 fail2ban.utils          [266]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-14 23:21:53,983 fail2ban.utils          [266]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-14 23:21:53,983 fail2ban.utils          [266]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-14 23:21:53,983 fail2ban.utils          [266]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-14 23:21:53,984 fail2ban.utils          [266]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-14 23:21:53,984 fail2ban.utils          [266]: ERROR    -- stderr: 'Could not open socket to kernel: Address family not supported by protocol'
2017-09-14 23:21:53,985 fail2ban.utils          [266]: ERROR   ip6tables -w -N f2b-nginx-badbots
ip6tables -w -A f2b-nginx-badbots -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-badbots -- returned 1
2017-09-14 23:21:53,985 fail2ban.actions        [266]: ERROR   Failed to start jail 'nginx-badbots' action 'iptables-multiport': Error starting action Jail('nginx-badbots')/iptables-multiport
2017-09-14 23:21:53,997 fail2ban.utils          [266]: ERROR   ip6tables -w -N f2b-nginx-botsearch
ip6tables -w -A f2b-nginx-botsearch -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-botsearch -- stderr:
2017-09-14 23:21:53,998 fail2ban.utils          [266]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-14 23:21:53,998 fail2ban.utils          [266]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-14 23:21:53,999 fail2ban.utils          [266]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-14 23:21:53,999 fail2ban.utils          [266]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-14 23:21:53,999 fail2ban.utils          [266]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-14 23:21:54,000 fail2ban.utils          [266]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-14 23:21:54,000 fail2ban.utils          [266]: ERROR    -- stderr: 'Could not open socket to kernel: Address family not supported by protocol'
2017-09-14 23:21:54,000 fail2ban.utils          [266]: ERROR   ip6tables -w -N f2b-nginx-botsearch
ip6tables -w -A f2b-nginx-botsearch -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-botsearch -- returned 1
2017-09-14 23:21:54,000 fail2ban.actions        [266]: ERROR   Failed to start jail 'nginx-botsearch' action 'iptables-multiport': Error starting action Jail('nginx-botsearch')/iptables-multiport

 

Edited by lzrdking71

Edit ../fail2ban/action.d/iptables-common.conf and comment out the last section so it looks like this:

 

[Init?family=inet6]

# Option:  blocktype (ipv6)
# Note:    This is what the action does with rules. This can be any jump target
#          as per the iptables man page (section 8). Common values are DROP
#          REJECT, REJECT --reject-with icmp6-port-unreachable
# Values:  STRING
#blocktype = REJECT --reject-with icmp6-port-unreachable

# Option:  iptables (ipv6)
# Notes.:  Actual command to be executed, including common to all calls options
# Values:  STRING
#iptables = ip6tables <lockingopt>

Restart the container

7 hours ago, aptalca said:

 

Can you access http://192.168.1.200:8989/sonarr directly? Does it work fine? 

 

Most of the container guis work with this basic config. The only ones I tried that need custom settings are nextcloud, emby and plex

 

I can't remember off the top of my head to give you a solid answer, but what I can tell you is I've also tried it by leaving "/sonarr" off the end and I either get a 404 nginx error page or just the blank white page that says "Sonarr Ver." in the upper left corner.

 

Could it be due to the fact that I'm using Privoxy (Sonarr with proxy enabled)?

Edited by MowMdown

Thanks for the help, the below fixed it.

Quote

Edit ../fail2ban/action.d/iptables-common.conf and comment out the last section so it looks like this:

 


[Init?family=inet6]

# Option:  blocktype (ipv6)
# Note:    This is what the action does with rules. This can be any jump target
#          as per the iptables man page (section 8). Common values are DROP
#          REJECT, REJECT --reject-with icmp6-port-unreachable
# Values:  STRING
#blocktype = REJECT --reject-with icmp6-port-unreachable

# Option:  iptables (ipv6)
# Notes.:  Actual command to be executed, including common to all calls options
# Values:  STRING
#iptables = ip6tables <lockingopt>

Restart the container

 

Edited by lzrdking71
8 minutes ago, MowMdown said:

or just the blank white page that says "Sonarr Ver." in the upper left corner.

 

I don't use sonarr, but I had the same problem with radarr the first time I set up this container. Turned out I forgot to set the "URL Base" in the webui settings for radarr.  


Hi guys, struggling a little trying to get some basic services to run. I followed this guide

 

So far port 443 is open and I see the nginx web page but I can't get sonarr and/or radarr to work.

Typing https://DOMAIN.duckdns.org/sonarr and  https://DOMAIN.duckdns.org/radarr show the same default nginx page.

URL base for sonarr is “/sonarr”
URL base for radarr is “/radarr”

both services have been restarted.

 

Here is the cut down default file I currently am using. Which is based off the guide.

Quote

upstream backend {
    server 192.168.2.27:19999;
    keepalive 64;
}

server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location = / {
        return 301 /sonarr;
    }

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.2.27:8989/sonarr;
    }
    
    location /radarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.2.27:7878/radarr;
    }

}
 

 

I'm sure it's something simple I am missing but I can't see it. Any advice?


Hi everyone!

I'm trying to configure forwarding for some dockers on my unRaid server but I get 502 Bad Gateway on 3 of my sites and on the last I get a blank page:

 

I've been following the following guide: https://cyanlabs.net/tutorials/the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/

 

This is my config (Path: /mnt/user/appdata/letsencrypt/nginx/site-confs): Please see default.txt

And this is my config.php file in /mnt/user/appdata/nextcloud/www/nextcloud/config : Please see config.txt

 

I've been sitting with this for a while and in need of a new fresh pair of eyes :)

 

Thank you!



Hi,

 

Been running letsencrypt for the last few days now, all working smoothly with the single domain I set it up on.

I would like to add another domain now but can't see how. Just from looking around all I can see in the files config wise is a file called 'donoteditthisfile.conf' otherwise all the files look default.

In this file there is a param 'ORIGEXTRA_DOMAINS=""' I'm wondering can it be as simple as adding it here?

 

I've found loads of tutorials for how to do this but they're all installs in a full operating system environment and the setup looks quite different using the unraid docker.

 

Thanks

8 hours ago, Nomad007 said:

Hi guys, struggling a little trying to get some basic services to run. I followed this guide

 

So far port 443 is open and I see the nginx web page but I can't get sonarr and/or radarr to work.

Typing https://DOMAIN.duckdns.org/sonarr and  https://DOMAIN.duckdns.org/radarr show the same default nginx page.

URL base for sonarr is “/sonarr”
URL base for radarr is “/radarr”

both services have been restarted.

 

Here is the cut down default file I currently am using. Which is based off the guide.

 

I'm sure it's something simple I am missing but I can't see it. Any advice?

 

Clear your browser cache. The = in location blocks results in permanent redirects. Your browser may have cached that from before

3 hours ago, localhost said:

Hi,

 

Been running letsencrypt for the last few days now, all working smoothly with the single domain I set it up on.

I would like to add another domain now but can't see how. Just from looking around all I can see in the files config wise is a file called 'donoteditthisfile.conf' otherwise all the files look default.

In this file there is a param 'ORIGEXTRA_DOMAINS=""' I'm wondering can it be as simple as adding it here?

 

I've found loads of tutorials for how to do this but they're all installs in a full operating system environment and the setup looks quite different using the unraid docker.

 

Thanks

 

Dude, the file is literally named "donoteditthisfile.conf" so no, do not edit it, lol.

 

Check the docker hub or the github page for this image. It tells you how to add additional domains (hint: optional settings) 

On 2/17/2017 at 10:35 PM, ritalin said:

Home-Assistant Docker with LetsEncrypt Docker setup on a sub domain

 

Considering I spent/wasted a good deal of time running around in circles trying to get this working and looking at various locations for info, I thought it would be nice to share my setup just in case someone else is going through the same thing.

 

Here is how I have my sub domain encrypted and setup as a  reverse proxy through nginx in LetsEncrypt.

 

My letsencrypt docker setup

Letsencrypt_docker.jpg

 

My Router's Firewall

Port_Forward.jpg

 

The configuration.yaml HTML section for Home-Assistant

 


http:
  api_password: MyPassWord
  base_url: 192.168.1.2:8123
 

 

 

A secondary file named "ha" in the /nginx/site-confs directory containing the following code.

 


    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    server {
        # Update this line to be your domain
        server_name SUB.MYDOMAIN.com;

        # These shouldn't need to be changed
        listen 80 default_server;
        #listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;
    }

    server {
        # Update this line to be your domain
        server_name SUB.MYDOMAIN.com;

        # Ensure these lines point to your SSL certificate and key
        ssl_certificate /config/etc/letsencrypt/live/MYDOMAIN.COM/fullchain.pem;
        ssl_certificate_key /config/etc/letsencrypt/live/MYDOMAIN.COM/privkey.pem;
        # Use these lines instead if you created a self-signed certificate
        # ssl_certificate /etc/nginx/ssl/cert.pem;
        # ssl_certificate_key /etc/nginx/ssl/key.pem;

        # Ensure this line points to your dhparams file
        ssl_dhparam /config/nginx/dhparams.pem;


        # These shouldn't need to be changed
        listen 443 ssl ;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        ssl on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        proxy_buffering off;

        location / {
            # Update this line to be your HA servers local ip and port
            proxy_pass http://192.168.1.2:8123;
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }
 

 

 

Start up your HA and LetsEncrypt Docker and you should now be able to securely access Home-Assistant from outside your network.

 

Thank you again to Tyler, Aptalca and CHBMB for your help.

Can you help me out please as this didn't quite work for me.  Here's what I have:

 

http:
   api_password: redacted
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
   base_url: redacted.duckdns.org:8123
   use_x_forwarded_for: True
   ip_ban_enabled: True
   login_attempts_threshold: 5
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }
    server {
        # Update this line to be your domain
        server_name redacted.duckdns.org;
        # These shouldn't need to be changed
        listen 80 default_server;
        #listen [::]:80 default_server ipv6only=on;
        return 301 https://$host$request_uri;
    }
    server {
        # Update this line to be your domain
        server_name redacted.duckdns.org;
        # Ensure these lines point to your SSL certificate and key
        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        # Use these lines instead if you created a self-signed certificate
        # ssl_certificate /etc/nginx/ssl/cert.pem;
        # ssl_certificate_key /etc/nginx/ssl/key.pem;
        # Ensure this line points to your dhparams file
        ssl_dhparam /config/nginx/dhparams.pem;

        # These shouldn't need to be changed
        listen 443 ssl ;
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
        ssl on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        proxy_buffering off;
        location / {
            # Update this line to be your HA servers local ip and port
            proxy_pass http://xxx.xx.xx.2:8123;
            proxy_set_header Host $host;
            proxy_redirect http:// https://;
            proxy_http_version 1.1;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
        }
    }

For the certificate addresses, I copied the lines from default - was this right?

 

Thanks in advance

16 hours ago, isvein said:

hello :)
So I try to put a Minio docker behind the reverse proxy of letsencrypt and have got that working just fine, but how can I connect the login logs to fail2ban to protect against brute force attacks?

 

First, you need to add a path in your docker template and point it to where your log is. Then you need to add a new jail to ../fail2ban/jail.local and just point the logpath to the path you just created. That's about it. You might wanna adjust the bantime, findtime and maxretry too. The default bantime is just 10 min which is too low IMO.

 

If you use nginx auth there's already jails in place to monitor your nginx log so you don't need to add that. 

 

Edit: I forgot that you'll need to add a filter to ../fail2ban/filter.d. Just call it minio.conf or something. This is my filter for my emby server:

 

# Fail2Ban filter for emby
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]

_daemon = emby-server

failregex = Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname
            Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None

ignoreregex =

# DEV Notes:
#
#       Matching on http 401 with a trailing url including 'authenticatebyname' to catch incorrect passwords
#       Matching on http 500 with a trailing url including 'mediabrowser/Users/None' to catch incorrect usernames
#
# Author: [email protected]

 

Edited by strike
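To check a filter like the one above before pointing a jail at it, here is an added example (mine, not part of fail2ban or the post above) that replays constructed log lines through the emby failregex with the jail's maxretry/findtime semantics. The <HOST> expansion is simplified to IPv4 only, and the sample lines are made up to fit the regex rather than copied from real Emby output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# The two failregex lines from the emby filter above, copied verbatim.
EMBY_FAILREGEX = [
    r"Info HttpServer: HTTP Response 401 to <HOST>.*authenticatebyname",
    r"Info HttpServer: HTTP Response 500 to <HOST>.*mediabrowser/Users/None",
]

# fail2ban substitutes <HOST> with a host-capturing group. This IPv4-only
# version is a simplification; fail2ban's own <HOST> also matches IPv6 and hostnames.
HOST_GROUP = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"


def compile_failregex(patterns: List[str]) -> List[re.Pattern]:
    """Turn fail2ban-style failregex lines into Python regexes."""
    return [re.compile(p.replace("<HOST>", HOST_GROUP)) for p in patterns]


def match_host(line: str, regexes: List[re.Pattern]) -> str:
    """Return the offending host if any failregex matches the line, else ''."""
    for rx in regexes:
        m = rx.search(line)
        if m:
            return m.group("host")
    return ""


def offenders(log: List[Tuple[datetime, str]], patterns: List[str],
              maxretry: int = 5, findtime: timedelta = timedelta(minutes=10)) -> Dict[str, datetime]:
    """Replay timestamped log lines through the jail logic.

    A host is banned when it accumulates `maxretry` matching lines within a
    sliding window of `findtime`. Returns {host: time_of_ban}.
    """
    regexes = compile_failregex(patterns)
    recent = defaultdict(list)   # host -> timestamps of failures still inside the window
    banned: Dict[str, datetime] = {}
    for ts, line in log:
        host = match_host(line, regexes)
        if not host or host in banned:
            continue
        window = [t for t in recent[host] if ts - t <= findtime]
        window.append(ts)
        recent[host] = window
        if len(window) >= maxretry:
            banned[host] = ts
    return banned


# Constructed sample lines shaped to the failregex above (not real Emby output).
_T0 = datetime(2017, 9, 20, 21, 0, 0)


def _line(offset_s: int, status: int, host: str, url_tail: str) -> Tuple[datetime, str]:
    ts = _T0 + timedelta(seconds=offset_s)
    return ts, (f"{ts:%Y-%m-%d %H:%M:%S} Info HttpServer: HTTP Response {status} to {host}. "
                f"Time: 12ms. http://emby.example.invalid/{url_tail}")


SAMPLE_LOG = [
    _line(0, 401, "203.0.113.7", "emby/Users/authenticatebyname"),
    _line(30, 401, "203.0.113.7", "emby/Users/authenticatebyname"),
    _line(45, 500, "203.0.113.7", "mediabrowser/Users/None/Items"),      # wrong username
    _line(60, 401, "198.51.100.9", "emby/Users/authenticatebyname"),
    _line(70, 200, "203.0.113.7", "emby/System/Info"),                   # success: not a failure
    _line(90, 401, "203.0.113.7", "emby/Users/authenticatebyname"),
    _line(100, 401, "203.0.113.7", "emby/Users/authenticatebyname"),     # 5th failure in window
    _line(200, 401, "198.51.100.9", "emby/Users/authenticatebyname"),
]

if __name__ == "__main__":
    for host, when in offenders(SAMPLE_LOG, EMBY_FAILREGEX).items():
        print(f"would ban {host} at {when:%H:%M:%S}")
```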
