[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

I'm trying to set letsencrypt up in conjunction with duckdns, organizr, and my own personal domain. I am following this guide. 

 

I have my domain through namecheap and their dns was not working correctly for some reason with letsencrypt. 

 

I went ahead and created a DuckDNS subdomain to use directly with letsencrypt and then just insert a CNAME into namecheap that is the DuckDNS subdomain. (I think that will work) 

 

My main issue right now is that I cannot get the NGINX splash page to come up when I go to http://MYSERVER:81, but it will come up when I navigate to https://192.168.1.105. And it won't work when I navigate to my purchased domain. 

 

I have very little knowledge when it comes to web hosting and that is my main issue. 

 

IMGUR POST WITH ALL SETTINGS

Docker settings.PNG

namecheap settings.PNG

port forward.PNG

Link to comment
5 minutes ago, CHBMB said:

Try creating A-Names with Dynamic DNS address.  Then you won't have to use DuckDNS

I tried that but it wasn't working well for me. I will try it again though. Do the other settings look right?

Edited by dranani
Link to comment

I'm going to assume your domain name is dranani.com, so this is how I'd set it up...

 

Top URL = dranani.com

Subdomains = www

Certs for certain subdomains = false

 

EDIT:  Turn off DNSSEC, you've put internal IP addresses in there anyway, so that won't work.

 

How are you updating your dynamic DNS records with Namecheap?

Edited by CHBMB
Link to comment
2 minutes ago, CHBMB said:

I'm going to assume your domain name is dranani.com , so this is how I'd set it up...

 

Top URL = dranani.com

Subdomains = www

Certs for certain subdomains = false

Stupid question, how should I forward my IP? Just [Aname --@--public IP] & [Aname --www--public IP]?

Link to comment
1 minute ago, CHBMB said:

If you have a dynamic IP then you need some way of monitoring that and notifying namecheap if it changes.

 

Do you have a dynamic IP or Static?

I'm fairly certain it is static but have never paid much attention.

Link to comment
1 minute ago, CHBMB said:

If it's static then just put the IP into namecheap and no need to worry about it as it won't change.

10-4

 

Now I am just waiting on DNS to update to see if letsencrypt will work 

Link to comment
1 minute ago, CHBMB said:

It should work as long as your ports are forwarded correctly.

In the picture above in one of my earlier posts the layout is Internal - External.

 

So I think they are.

Link to comment
1 minute ago, CHBMB said:

I mean on your router not the container/host ports

Yeah, these are my forwarded ports. I didn't explain that very well.

port forward.PNG

Edited by dranani
Link to comment

Gotcha, my eyes thought that was part of the namecheap screen.  One thing you may want to do now is change 443 on the host and router to 442, as future releases of Unraid will be able to use 443 to connect to the webui using https (internally)

 

Then on your router forward external 443 => 442 on 192.168.1.105

 

Just a thought

Link to comment
4 minutes ago, CHBMB said:

Gotcha, my eyes thought that was part of the namecheap screen.  One thing you may want to do now is change 443 on the host and router to 442, as future releases of Unraid will be able to use 443 to connect to the webui using https (internally)

 

Then on your router forward external 443 => 442 on 192.168.1.105

 

Just a thought

Went ahead and did just that

Link to comment
20 hours ago, DZMM said:

Can you help me out please as this didn't quite work for me.  Here's what I have:

 


http:
  api_password: redacted
  # Uncomment this if you are using SSL/TLS, running in Docker container, etc.
  base_url: redacted.duckdns.org:8123
  use_x_forwarded_for: True
  ip_ban_enabled: True
  login_attempts_threshold: 5

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}
server {
    # Update this line to be your domain
    server_name redacted.duckdns.org;
    # These shouldn't need to be changed
    listen 80 default_server;
    #listen [::]:80 default_server ipv6only=on;
    return 301 https://$host$request_uri;
}
server {
    # Update this line to be your domain
    server_name redacted.duckdns.org;
    # Ensure these lines point to your SSL certificate and key
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    # Use these lines instead if you created a self-signed certificate
    # ssl_certificate /etc/nginx/ssl/cert.pem;
    # ssl_certificate_key /etc/nginx/ssl/key.pem;
    # Ensure this line points to your dhparams file
    ssl_dhparam /config/nginx/dhparams.pem;

    # These shouldn't need to be changed
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
    proxy_buffering off;
    location / {
        # Update this line to be your HA servers local ip and port
        proxy_pass http://xxx.xx.xx.2:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

For the certificate addresses, I copied the lines from default - was this right?

 

Thanks in advance

shamelessly bumping

Link to comment
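The reverse-proxy block quoted above enables TLSv1 and TLSv1.1 and still carries the deprecated `ssl on;` directive. The following is an added example (not code from the forum post, the SWAG container or the linuxserver.io guides): a small nginx config auditor that tokenizes a pasted server block, respecting quoted strings such as the HSTS header value, and flags the legacy settings beside a hardened variant that passes. The sample configs are constructed; the backend address 192.0.2.10 and the host name example.duckdns.org are placeholders.

```python
"""Audit a pasted nginx server block for weak TLS and proxy settings.

Added example, not part of the SWAG container or the forum post. The two
configs below are constructed; the first mirrors the shape of the config
posted in the thread, the second is the hardened form of the same block.
"""
import re

# Constructed sample mirroring the posted config (backend IP is a placeholder).
WEAK_CONF = """
server {
    server_name example.duckdns.org;
    listen 443 ssl;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    location / {
        proxy_pass http://192.0.2.10:8123;   # placeholder backend
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
"""

# Constructed hardened variant: modern protocols only, no deprecated 'ssl on'.
HARDENED_CONF = WEAK_CONF.replace("    ssl on;\n", "").replace(
    "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", "ssl_protocols TLSv1.2 TLSv1.3;")

# One token per quoted string, block delimiter, or bare word; comments are
# stripped before tokenizing so a '#' never ends up inside a directive.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[;{}]|[^\s;{}"\']+')
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def parse_directives(conf):
    """Return a flat list of (name, [args]) for every directive.

    Nesting is ignored on purpose: the checks below only care whether a
    directive appears in the block and with which arguments.
    """
    text = re.sub(r"#[^\n]*", "", conf)
    directives, current = [], []
    for tok in TOKEN.findall(text):
        if tok in (";", "{", "}"):
            if current:
                directives.append((current[0], [t.strip("\"'") for t in current[1:]]))
            current = []
        else:
            current.append(tok)
    return directives


def audit(conf):
    """Return a list of findings (empty list means nothing was flagged)."""
    findings = []
    directives = parse_directives(conf)
    for name, args in directives:
        if name == "ssl_protocols":
            weak = sorted(WEAK_PROTOCOLS & set(args))
            if weak:
                findings.append("ssl_protocols enables legacy versions: " + ", ".join(weak))
        elif name == "ssl" and args == ["on"]:
            findings.append("'ssl on' is deprecated; 'listen 443 ssl' already enables TLS")
    hsts = any(n == "add_header" and a and a[0] == "Strict-Transport-Security"
               for n, a in directives)
    if not hsts:
        findings.append("no Strict-Transport-Security header on the HTTPS block")
    # WebSocket upgrades (used by Home Assistant) need both headers forwarded.
    forwarded = {a[0] for n, a in directives if n == "proxy_set_header" and a}
    if not {"Upgrade", "Connection"} <= forwarded:
        findings.append("proxy_set_header Upgrade/Connection missing: WebSocket upgrade will fail")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, "->", audit(conf) or "no findings")
```

Running it prints two findings for the weak block (the deprecated `ssl on` and the TLSv1/TLSv1.1 protocols) and none for the hardened one; the HSTS and WebSocket checks pass for both because the posted config already has those directives.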
On 2017-09-15 at 7:42 PM, CHBMB said:

For Nextcloud I'd suggest my guide tbh.  Can find it on the ls.io site.

 

Hi,

 

I suppose you are talking about this guide?
https://www.linuxserver.io/2016/07/28/installing-nextcloud-on-unraid/
https://www.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/

 

I just got NextCloud working. I forgot this part:

Changing the default file of nextcloud ¬¬

 

I thank everyone who helped me with this :)

Link to comment

Hello everyone,

 

Recently, I have noticed a bunch of bot entries in my nginx access log file. Before that, the fail2ban bot filter seemed to work fine. So I have looked in my fail2ban log file and it's full of errors. It is the default config, I've never modified it. I've tried to update fail2ban and ip6tables, but I can't find any package manager in the docker. I wonder if anyone knows how to fix that. Here is the error message: 

2017-09-21 16:13:21,035 fail2ban.server         [261]: INFO    --------------------------------------------------
2017-09-21 16:13:21,035 fail2ban.server         [261]: INFO    Starting Fail2ban v0.10.0a1
2017-09-21 16:13:21,035 fail2ban.server         [261]: INFO    Daemon started
2017-09-21 16:13:21,038 fail2ban.database       [261]: INFO    Connected to fail2ban persistent database '/config/fail2ban/fail2ban.sqlite3'
2017-09-21 16:13:21,039 fail2ban.jail           [261]: INFO    Creating new jail 'nginx-http-auth'
2017-09-21 16:13:21,040 fail2ban.jail           [261]: INFO    Jail 'nginx-http-auth' uses poller
2017-09-21 16:13:21,041 fail2ban.filter         [261]: INFO    Set jail log file encoding to UTF-8
2017-09-21 16:13:21,041 fail2ban.jail           [261]: INFO    Initiated 'polling' backend
2017-09-21 16:13:21,042 fail2ban.filter         [261]: INFO    Added logfile = /config/log/nginx/error.log (pos = 7134, hash = e98d121622aabfa4a1a34b1d636c2af5)
2017-09-21 16:13:21,043 fail2ban.filter         [261]: INFO    Set maxRetry = 5
2017-09-21 16:13:21,043 fail2ban.filter         [261]: INFO    Set jail log file encoding to UTF-8
2017-09-21 16:13:21,044 fail2ban.actions        [261]: INFO    Set banTime = 600
2017-09-21 16:13:21,044 fail2ban.filter         [261]: INFO    Set findtime = 600
2017-09-21 16:13:21,047 fail2ban.jail           [261]: INFO    Creating new jail 'nginx-botsearch'
2017-09-21 16:13:21,047 fail2ban.jail           [261]: INFO    Jail 'nginx-botsearch' uses poller
2017-09-21 16:13:21,047 fail2ban.filter         [261]: INFO    Set jail log file encoding to UTF-8
2017-09-21 16:13:21,048 fail2ban.jail           [261]: INFO    Initiated 'polling' backend
2017-09-21 16:13:21,049 fail2ban.filter         [261]: INFO    Added logfile = /config/log/nginx/access.log (pos = 480286, hash = 7cdbb6fa5cd3b6fb68a493f221b06792)
2017-09-21 16:13:21,049 fail2ban.filter         [261]: INFO    Set maxRetry = 2
2017-09-21 16:13:21,050 fail2ban.filter         [261]: INFO    Set jail log file encoding to UTF-8
2017-09-21 16:13:21,050 fail2ban.actions        [261]: INFO    Set banTime = 600
2017-09-21 16:13:21,050 fail2ban.filter         [261]: INFO    Set findtime = 600
2017-09-21 16:13:21,054 fail2ban.jail           [261]: INFO    Creating new jail 'nginx-badbots'
2017-09-21 16:13:21,054 fail2ban.jail           [261]: INFO    Jail 'nginx-badbots' uses poller
2017-09-21 16:13:21,054 fail2ban.filter         [261]: INFO    Set jail log file encoding to UTF-8
2017-09-21 16:13:21,054 fail2ban.jail           [261]: INFO    Initiated 'polling' backend
2017-09-21 16:13:21,055 fail2ban.filter         [261]: INFO    Added logfile = /config/log/nginx/access.log (pos = 480286, hash = 7cdbb6fa5cd3b6fb68a493f221b06792)
2017-09-21 16:13:21,056 fail2ban.filter         [261]: INFO    Set maxRetry = 2
2017-09-21 16:13:21,056 fail2ban.filter         [261]: INFO    Set jail log file encoding to UTF-8
2017-09-21 16:13:21,057 fail2ban.actions        [261]: INFO    Set banTime = 600
2017-09-21 16:13:21,057 fail2ban.filter         [261]: INFO    Set findtime = 600
2017-09-21 16:13:21,065 fail2ban.jail           [261]: INFO    Jail 'nginx-http-auth' started
2017-09-21 16:13:21,066 fail2ban.jail           [261]: INFO    Jail 'nginx-botsearch' started
2017-09-21 16:13:21,068 fail2ban.jail           [261]: INFO    Jail 'nginx-badbots' started
2017-09-21 16:13:21,113 fail2ban.utils          [261]: ERROR   ip6tables -w -N f2b-nginx-http-auth
ip6tables -w -A f2b-nginx-http-auth -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth -- stderr:
2017-09-21 16:13:21,113 fail2ban.utils          [261]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-21 16:13:21,113 fail2ban.utils          [261]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-21 16:13:21,113 fail2ban.utils          [261]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-21 16:13:21,114 fail2ban.utils          [261]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-21 16:13:21,114 fail2ban.utils          [261]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-21 16:13:21,114 fail2ban.utils          [261]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-21 16:13:21,114 fail2ban.utils          [261]: ERROR    -- stderr: 'Could not open socket to kernel: Address family not supported by protocol'
2017-09-21 16:13:21,114 fail2ban.utils          [261]: ERROR   ip6tables -w -N f2b-nginx-http-auth
ip6tables -w -A f2b-nginx-http-auth -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth -- returned 1
2017-09-21 16:13:21,114 fail2ban.actions        [261]: ERROR   Failed to start jail 'nginx-http-auth' action 'iptables-multiport': Error starting action Jail('nginx-http-auth')/iptables-multiport
2017-09-21 16:13:21,125 fail2ban.utils          [261]: ERROR   ip6tables -w -N f2b-nginx-botsearch
ip6tables -w -A f2b-nginx-botsearch -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-botsearch -- stderr:
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR    -- stderr: 'Could not open socket to kernel: Address family not supported by protocol'
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR   ip6tables -w -N f2b-nginx-botsearch
ip6tables -w -A f2b-nginx-botsearch -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-botsearch -- returned 1
2017-09-21 16:13:21,126 fail2ban.actions        [261]: ERROR   Failed to start jail 'nginx-botsearch' action 'iptables-multiport': Error starting action Jail('nginx-botsearch')/iptables-multiport
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR   ip6tables -w -N f2b-nginx-badbots
ip6tables -w -A f2b-nginx-badbots -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-badbots -- stderr:
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR    -- stderr: 'Could not open socket to kernel: Address family not supported by protocol'
2017-09-21 16:13:21,139 fail2ban.utils          [261]: ERROR   ip6tables -w -N f2b-nginx-badbots
ip6tables -w -A f2b-nginx-badbots -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-badbots -- returned 1
2017-09-21 16:13:21,139 fail2ban.actions        [261]: ERROR   Failed to start jail 'nginx-badbots' action 'iptables-multiport': Error starting action Jail('nginx-badbots')/iptables-multiport

EDIT: Those errors are present since 2017-07-25 at least (no more log after this date).

Edited by matthope
Link to comment
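The log above shows each jail reporting "started" and then, a few milliseconds later, "Failed to start jail ... action 'iptables-multiport'" because the ip6tables part of the action cannot talk to the kernel ("Address family not supported by protocol"). Since the ban action never started, no ban is ever applied, which matches the bot entries the poster sees in the access log. The following is an added example (not code from the SWAG container or from fail2ban): a triage script that parses fail2ban log lines, including the wrapped multi-line command records, groups the stderr reasons under the jail whose action failed, and reports whether every failure is an IPv6-only problem. The sample log is a constructed excerpt modelled on the lines in the post, with a second, healthy jail added for contrast.

```python
"""Triage a fail2ban log for jails whose ban action failed to start.

Added example for the fail2ban errors quoted in the post above; it is not
part of the SWAG container or of fail2ban itself. SAMPLE_LOG is a constructed
excerpt: one jail fails like in the post, a second one starts cleanly.
"""
import re
from collections import OrderedDict

SAMPLE_LOG = """\
2017-09-21 16:13:21,039 fail2ban.jail           [261]: INFO    Creating new jail 'nginx-http-auth'
2017-09-21 16:13:21,054 fail2ban.jail           [261]: INFO    Creating new jail 'nginx-badbots'
2017-09-21 16:13:21,065 fail2ban.jail           [261]: INFO    Jail 'nginx-http-auth' started
2017-09-21 16:13:21,068 fail2ban.jail           [261]: INFO    Jail 'nginx-badbots' started
2017-09-21 16:13:21,113 fail2ban.utils          [261]: ERROR   ip6tables -w -N f2b-nginx-http-auth
ip6tables -w -A f2b-nginx-http-auth -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth -- stderr:
2017-09-21 16:13:21,113 fail2ban.utils          [261]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-21 16:13:21,114 fail2ban.utils          [261]: ERROR    -- stderr: 'Could not open socket to kernel: Address family not supported by protocol'
2017-09-21 16:13:21,114 fail2ban.actions        [261]: ERROR   Failed to start jail 'nginx-http-auth' action 'iptables-multiport': Error starting action Jail('nginx-http-auth')/iptables-multiport
"""

# One record per timestamped line; continuation lines (the wrapped multi-line
# ip6tables command) carry no timestamp and are glued onto the previous record.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) fail2ban\.(?P<module>\w+)\s+"
    r"\[\d+\]: (?P<level>[A-Z]+)\s+(?P<msg>.*)$")
STDERR = re.compile(r"-- stderr: ['\"](?P<text>.*)['\"]$")
FAILED = re.compile(r"Failed to start jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'")
STARTED = re.compile(r"Jail '(?P<jail>[^']+)' started")


def parse_log(text):
    """Return a list of dicts with ts, module, level and msg for each record."""
    records = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m:
            records.append(m.groupdict())
        elif records:
            records[-1]["msg"] += "\n" + line
    return records


def triage(text):
    """Return (failures, started).

    failures maps jail -> {"action": name, "reasons": [distinct stderr lines]}
    for every jail whose ban action failed to start; started is the set of
    jails the log reports as started (which, as the post shows, happens even
    when the action then fails).
    """
    failures, started, pending = OrderedDict(), set(), []
    for rec in parse_log(text):
        s = STARTED.search(rec["msg"])
        if s:
            started.add(s.group("jail"))
        e = STDERR.search(rec["msg"])
        if e and e.group("text") not in pending:
            pending.append(e.group("text"))
        f = FAILED.search(rec["msg"])
        if f:
            failures[f.group("jail")] = {"action": f.group("action"), "reasons": pending}
            pending = []
    return failures, started


def only_ipv6_failures(failures):
    """True when every failed action blames ip6tables / a missing IPv6 address
    family, i.e. the host has no IPv6 netfilter rather than a broken firewall."""
    return bool(failures) and all(
        any("ip6tables" in r or "Address family not supported" in r for r in f["reasons"])
        for f in failures.values())


if __name__ == "__main__":
    failures, started = triage(SAMPLE_LOG)
    for jail, info in failures.items():
        print(f"{jail}: action {info['action']} failed")
        for reason in info["reasons"]:
            print("   ", reason)
    print("jails started but unprotected:", sorted(set(failures) & started))
    print("IPv6-only problem:", only_ipv6_failures(failures))
```

When `only_ipv6_failures` is true the mitigation is on the fail2ban side, not the kernel: point the jails at an IPv4-only ban action, or, in fail2ban versions whose fail2ban.conf has an `allowipv6` setting, turn IPv6 handling off there; check the fail2ban.conf shipped in your container before relying on that option.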
