[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



7 hours ago, matthope said:

Hello everyone,

 

Recently, I have noticed a bunch of bot entries in my nginx access log file. Before that, the fail2ban bot filter seemed to work fine. So I looked in my fail2ban log file and it's full of errors. It is the default config; I've never modified it. I've tried to update fail2ban and ip6tables, but I can't find any package manager in the docker. I wonder if anyone knows how to fix that. Here is the error message:


2017-09-21 16:13:21,035 fail2ban.server         [261]: INFO    --------------------------------------------------
2017-09-21 16:13:21,035 fail2ban.server         [261]: INFO    Starting Fail2ban v0.10.0a1
2017-09-21 16:13:21,035 fail2ban.server         [261]: INFO    Daemon started
2017-09-21 16:13:21,038 fail2ban.database       [261]: INFO    Connected to fail2ban persistent database '/config/fail2ban/fail2ban.sqlite3'
2017-09-21 16:13:21,039 fail2ban.jail           [261]: INFO    Creating new jail 'nginx-http-auth'
2017-09-21 16:13:21,040 fail2ban.jail           [261]: INFO    Jail 'nginx-http-auth' uses poller
2017-09-21 16:13:21,041 fail2ban.filter         [261]: INFO    Set jail log file encoding to UTF-8
2017-09-21 16:13:21,041 fail2ban.jail           [261]: INFO    Initiated 'polling' backend
2017-09-21 16:13:21,042 fail2ban.filter         [261]: INFO    Added logfile = /config/log/nginx/error.log (pos = 7134, hash = e98d121622aabfa4a1a34b1d636c2af5)
2017-09-21 16:13:21,043 fail2ban.filter         [261]: INFO    Set maxRetry = 5
2017-09-21 16:13:21,043 fail2ban.filter         [261]: INFO    Set jail log file encoding to UTF-8
2017-09-21 16:13:21,044 fail2ban.actions        [261]: INFO    Set banTime = 600
2017-09-21 16:13:21,044 fail2ban.filter         [261]: INFO    Set findtime = 600
2017-09-21 16:13:21,047 fail2ban.jail           [261]: INFO    Creating new jail 'nginx-botsearch'
2017-09-21 16:13:21,047 fail2ban.jail           [261]: INFO    Jail 'nginx-botsearch' uses poller
2017-09-21 16:13:21,047 fail2ban.filter         [261]: INFO    Set jail log file encoding to UTF-8
2017-09-21 16:13:21,048 fail2ban.jail           [261]: INFO    Initiated 'polling' backend
2017-09-21 16:13:21,049 fail2ban.filter         [261]: INFO    Added logfile = /config/log/nginx/access.log (pos = 480286, hash = 7cdbb6fa5cd3b6fb68a493f221b06792)
2017-09-21 16:13:21,049 fail2ban.filter         [261]: INFO    Set maxRetry = 2
2017-09-21 16:13:21,050 fail2ban.filter         [261]: INFO    Set jail log file encoding to UTF-8
2017-09-21 16:13:21,050 fail2ban.actions        [261]: INFO    Set banTime = 600
2017-09-21 16:13:21,050 fail2ban.filter         [261]: INFO    Set findtime = 600
2017-09-21 16:13:21,054 fail2ban.jail           [261]: INFO    Creating new jail 'nginx-badbots'
2017-09-21 16:13:21,054 fail2ban.jail           [261]: INFO    Jail 'nginx-badbots' uses poller
2017-09-21 16:13:21,054 fail2ban.filter         [261]: INFO    Set jail log file encoding to UTF-8
2017-09-21 16:13:21,054 fail2ban.jail           [261]: INFO    Initiated 'polling' backend
2017-09-21 16:13:21,055 fail2ban.filter         [261]: INFO    Added logfile = /config/log/nginx/access.log (pos = 480286, hash = 7cdbb6fa5cd3b6fb68a493f221b06792)
2017-09-21 16:13:21,056 fail2ban.filter         [261]: INFO    Set maxRetry = 2
2017-09-21 16:13:21,056 fail2ban.filter         [261]: INFO    Set jail log file encoding to UTF-8
2017-09-21 16:13:21,057 fail2ban.actions        [261]: INFO    Set banTime = 600
2017-09-21 16:13:21,057 fail2ban.filter         [261]: INFO    Set findtime = 600
2017-09-21 16:13:21,065 fail2ban.jail           [261]: INFO    Jail 'nginx-http-auth' started
2017-09-21 16:13:21,066 fail2ban.jail           [261]: INFO    Jail 'nginx-botsearch' started
2017-09-21 16:13:21,068 fail2ban.jail           [261]: INFO    Jail 'nginx-badbots' started
2017-09-21 16:13:21,113 fail2ban.utils          [261]: ERROR   ip6tables -w -N f2b-nginx-http-auth
ip6tables -w -A f2b-nginx-http-auth -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth -- stderr:
2017-09-21 16:13:21,113 fail2ban.utils          [261]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-21 16:13:21,113 fail2ban.utils          [261]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-21 16:13:21,113 fail2ban.utils          [261]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-21 16:13:21,114 fail2ban.utils          [261]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-21 16:13:21,114 fail2ban.utils          [261]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-21 16:13:21,114 fail2ban.utils          [261]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-21 16:13:21,114 fail2ban.utils          [261]: ERROR    -- stderr: 'Could not open socket to kernel: Address family not supported by protocol'
2017-09-21 16:13:21,114 fail2ban.utils          [261]: ERROR   ip6tables -w -N f2b-nginx-http-auth
ip6tables -w -A f2b-nginx-http-auth -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth -- returned 1
2017-09-21 16:13:21,114 fail2ban.actions        [261]: ERROR   Failed to start jail 'nginx-http-auth' action 'iptables-multiport': Error starting action Jail('nginx-http-auth')/iptables-multiport
2017-09-21 16:13:21,125 fail2ban.utils          [261]: ERROR   ip6tables -w -N f2b-nginx-botsearch
ip6tables -w -A f2b-nginx-botsearch -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-botsearch -- stderr:
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR    -- stderr: 'Could not open socket to kernel: Address family not supported by protocol'
2017-09-21 16:13:21,126 fail2ban.utils          [261]: ERROR   ip6tables -w -N f2b-nginx-botsearch
ip6tables -w -A f2b-nginx-botsearch -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-botsearch -- returned 1
2017-09-21 16:13:21,126 fail2ban.actions        [261]: ERROR   Failed to start jail 'nginx-botsearch' action 'iptables-multiport': Error starting action Jail('nginx-botsearch')/iptables-multiport
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR   ip6tables -w -N f2b-nginx-badbots
ip6tables -w -A f2b-nginx-badbots -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-badbots -- stderr:
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR    -- stderr: "modprobe: can't change directory to '/lib/modules': No such file or directory"
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR    -- stderr: "ip6tables v1.6.1: can't initialize ip6tables table `filter': Table does not exist (do you need to insmod?)"
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR    -- stderr: 'Perhaps ip6tables or your kernel needs to be upgraded.'
2017-09-21 16:13:21,138 fail2ban.utils          [261]: ERROR    -- stderr: 'Could not open socket to kernel: Address family not supported by protocol'
2017-09-21 16:13:21,139 fail2ban.utils          [261]: ERROR   ip6tables -w -N f2b-nginx-badbots
ip6tables -w -A f2b-nginx-badbots -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-badbots -- returned 1
2017-09-21 16:13:21,139 fail2ban.actions        [261]: ERROR   Failed to start jail 'nginx-badbots' action 'iptables-multiport': Error starting action Jail('nginx-badbots')/iptables-multiport

EDIT: Those errors are present since 2017-07-25 at least (no more log after this date).

 

We have a PR waiting to be merged to fix that. Until then, see here: 

 

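The log above shows the failure mode a defender should be able to spot quickly: every jail logs "started", yet each iptables-multiport action fails because ip6tables cannot reach the kernel from inside the container, so filters keep matching bots while nothing is ever banned. The following checker is an added example (not code from this thread or from the linuxserver.io image) that parses a fail2ban log for exactly that state; the sample lines are constructed from the log quoted above, and the multi-line command dumps fail2ban writes are handled as continuation lines.

```python
"""Audit a fail2ban log for jails that start but whose firewall action never did."""
import re

# Constructed sample modelled on the fail2ban log posted above (not the poster's full log).
SAMPLE_LOG = """\
2017-09-21 16:13:21,039 fail2ban.jail           [261]: INFO    Creating new jail 'nginx-http-auth'
2017-09-21 16:13:21,047 fail2ban.jail           [261]: INFO    Creating new jail 'nginx-botsearch'
2017-09-21 16:13:21,065 fail2ban.jail           [261]: INFO    Jail 'nginx-http-auth' started
2017-09-21 16:13:21,066 fail2ban.jail           [261]: INFO    Jail 'nginx-botsearch' started
2017-09-21 16:13:21,113 fail2ban.utils          [261]: ERROR   ip6tables -w -N f2b-nginx-http-auth
ip6tables -w -A f2b-nginx-http-auth -j RETURN
ip6tables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth -- stderr:
2017-09-21 16:13:21,114 fail2ban.utils          [261]: ERROR    -- stderr: 'Could not open socket to kernel: Address family not supported by protocol'
2017-09-21 16:13:21,114 fail2ban.actions        [261]: ERROR   Failed to start jail 'nginx-http-auth' action 'iptables-multiport': Error starting action Jail('nginx-http-auth')/iptables-multiport
"""

# A record starts with timestamp, component, pid and level; a line without that prefix
# is a continuation of a multi-line message (fail2ban dumps failed commands that way).
RECORD = re.compile(r"^\S+ \S+ fail2ban\.\w+\s+\[\d+\]: (\w+)\s+(.*)$")
CREATED = re.compile(r"Creating new jail '([^']+)'")
STARTED = re.compile(r"Jail '([^']+)' started")
ACTION_FAILED = re.compile(r"Failed to start jail '([^']+)' action '([^']+)'")
IPV6_SYMPTOMS = ("can't initialize ip6tables", "Address family not supported by protocol")


def audit(log_text):
    """Return ({jail: {"started": bool, "failed_actions": [...]}}, ipv6_symptom_seen)."""
    jails, ipv6_seen = {}, False
    def state(name):
        return jails.setdefault(name, {"started": False, "failed_actions": []})
    for line in log_text.splitlines():
        m = RECORD.match(line)
        if not m:
            continue  # continuation line of a multi-line command dump
        level, msg = m.groups()
        if c := CREATED.search(msg):
            state(c.group(1))
        elif s := STARTED.search(msg):
            state(s.group(1))["started"] = True
        elif level == "ERROR" and (f := ACTION_FAILED.search(msg)):
            state(f.group(1))["failed_actions"].append(f.group(2))
        elif level == "ERROR" and any(sym in msg for sym in IPV6_SYMPTOMS):
            ipv6_seen = True  # ip6tables cannot talk to the kernel from this container
    return jails, ipv6_seen


def ineffective_jails(log_text):
    """Jails reported 'started' whose action failed: filters match, but nothing is blocked."""
    jails, _ = audit(log_text)
    return sorted(n for n, st in jails.items() if st["started"] and st["failed_actions"])
```

Run it against /config/fail2ban/fail2ban.log (or /config/log/fail2ban/fail2ban.log, depending on the image version) after each container restart; a non-empty result means bans are silently not being applied.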

Letsencrypt docker won't start on 6.4.0-rc9f. I just get a fail to start message. I imagine this might have something to do with how unraid is starting to integrate certs as well.

 

Any useful information I can provide to troubleshoot this?

 

Edit: For anyone who runs into this, the issue is that under Settings > Identification unraid is binding port 80 and port 443 and Letsencrypt was set to also use 443. I changed the unraid port to resolve this.

Edited by wreave
48 minutes ago, CHBMB said:

That's an issue with docker I think.  Switch advanced on in the webui. Delete any letsencrypt containers & images including any orphan containers and try pulling again.

Removing the container and image (without orphan containers) and reinstalling worked. Although now I think I am having trouble with the built-in https support of 6.4.0.rc9f.

3 hours ago, realies said:

Removing the container and image (without orphan containers) and reinstalling worked. Although now I think I am having trouble with the built-in https support of 6.4.0.rc9f.

 

Did you change the ports for the docker container to something like 80 -> 81 and 443 -> 444 (then forward ports 81 & 444 instead of 80 & 443)?


Has anyone got the reverse proxy working with Piwigo?  I'll admit, I'm far from understanding the proxy directives but the Google is failing me.  I suspect it's because of the missing base directory for the Piwigo URL but I haven't found how to change that either.

 

Thanks

 

Edit, this works but I still need to change the Piwigo root URL:

	# Because proxy_pass ends in "/", nginx replaces the matched prefix "/piwigo" with "/",
	# so Piwigo receives requests without the /piwigo prefix (hence the root URL change).
	# Writing the location as "location /piwigo/" avoids a doubled slash in the upstream URI.
	location /piwigo {
		proxy_pass http://*unraid IP*:*piwigo port*/;
		# Pass the original host and client details through to Piwigo
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $scheme;
	}

 

Edited by Gog
1 hour ago, IamSpartacus said:

Has anyone successfully converted a letsencrypt cert file for a subdomain (i.e. emby.domain.com) into a pfx file for use with Emby https?  First off, where are the subdomain cert keys even stored in the config, as I'm having trouble finding them.

 

I just use a script in the user.scripts plugin to copy the LE cert to my Emby appdata once a day.

 

cp /mnt/cache/.appdata/nginx/keys/letsencrypt/privkey.pfx /mnt/cache/.appdata/emby/ssl/privkey.pfx

Then in server setup in Emby, go to Expert => Advanced under custom certificate path use

 

/config/ssl/privkey.pfx

And specify your domain in External domain a little further down the page.

4 minutes ago, CHBMB said:

 

I just use a script in the user.scripts plugin to copy the LE cert to my Emby appdata once a day.

 


cp /mnt/cache/.appdata/nginx/keys/letsencrypt/privkey.pfx /mnt/cache/.appdata/emby/ssl/privkey.pfx

Then in server setup in Emby, go to Expert => Advanced under custom certificate path use

 


/config/ssl/privkey.pfx

And specify your domain in External domain a little further down the page.

 

How did you go about getting the .pfx file created in the first place?


Ok I see it.

 

Ok so I have the .pfx file now, I've copied it to my emby directory, and set that path in Emby > Advanced as well as my domain.  Still unable to connect to my server though.  I know it's a cert issue because I've confirmed a DNS lookup of my domain emby.mydomain.com resolves to my external IP and I see the connection passing through my firewall via the https port.  Yet it never makes it to the Emby log which I'm told means it's a cert issue.  This is from the Android app.  If I just put in https://emby.mydomain.com into a browser it works fine.

 

Was there anything else I haven't mentioned that you needed to setup to get this working through Emby apps?

Edited by IamSpartacus
