[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



On 10/9/2017 at 12:09 AM, FreeMan said:

I'm getting very slow response times from my LE/NGINX server. Slow to the point that it times out.

 

I have shows.mydomain.ddns.us pointed at my binhex-libresonic docker on port 4040. That times out before I ever get the NGINX login. However, when I reopen port 4040 at the router and direct it to my server, I get near instant access to my music/video library on my phone with WiFi turned off (i.e., ensuring I'm accessing externally) or with the phone on WiFi. Therefore I believe that it's an issue with the LE/N container, not with my internet connection in general (though Comcrap has been less than reliable the last couple of weeks), my internal network, or the server itself.

 

I have it working (some installation issues were resolved around pages 30-32ish), and I've accessed it via my phone and my computer at work, however, it's always been sluggish.

 

I'm not sure what you might need for diagnosis, so I'm attaching Diagnostics, let me know what else might be needed for troubleshooting.

 

 

nas-diagnostics-20171009-1808.zip

 

You can start by posting your site config. And then provide more concrete info such as what address you're trying to access, domain or ip. Also clarify whether it's timing out every time, which would mean no access as opposed to slow loading. Also try each case through lan and wan to make sure it's not a dns loopback issue. 

 

There are too many possibilities and not enough info to diagnose. 

Link to comment

 

7 minutes ago, aptalca said:

 

You can start by posting your site config. And then provide more concrete info such as what address you're trying to access, domain or ip. Also clarify whether it's timing out every time, which would mean no access as opposed to slow loading. Also try each case through lan and wan to make sure it's not a dns loopback issue. 

 

There are too many possibilities and not enough info to diagnose. 

 

Default and specific shows configs attached.

URL: shows.bds.ddns.us

 

It started out being reachable but slow - I've been able to access via my phone & desktop machine at home via WiFi & wired networks. I've also been able to access via phone & work computer from off the home network. For the last couple of weeks, it's been totally unreachable - a timeout every time.

 



The connection has timed out

The server at shows.bds.ddns.us is taking too long to respond.

 

This is what I'm getting from my wired PC on the home network and on my phone via cell service (WiFi off).

default

shows

Link to comment
3 hours ago, FreeMan said:

 

 

Default and specific shows configs attached.

URL: shows.bds.ddns.us

 

It started out being reachable but slow - I've been able to access via my phone & desktop machine at home via WiFi & wired networks. I've also been able to access via phone & work computer from off the home network. For the last couple of weeks, it's been totally unreachable - a timeout every time.

 

 

 

 

This is what I'm getting from my wired PC on the home network and on my phone via cell service (WiFi off).

default

shows

 

If you go to http://192.168.1.5:4040 on lan, it connects fine? 

 

Nothing jumps out at me in the site config. You should check the nginx logs in the config folder to see what's going on

Link to comment

Correct - no issues from 192.168.1.5:4040.

Also, no issues and speedy response when accessing the Libresonic server via the Ultrasonic (so many sonics!) client app on my phone either on the home network or away from home (when I've opened the port at the router).

 

Attaching the access.log, in which I see the following lines that give me pause:

Quote

 


155.94.88.58 - - [08/Oct/2017:02:24:22 -0400] "GET / HTTP/1.0" 301 185 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"

67.229.34.210 - - [08/Oct/2017:10:04:49 -0400] "POST https://unite.nike.com/loginWithSetCookie?appVersion=315&experienceVersion=276&uxid=com.nike.commerce.snkrs.web&locale=zh_CN&backendEnvironment=identity&browser=Google Inc.&os=undefined&mobile=false&native=false&visit=1&visitor=ae1c713a-b9e0-4f44-bdfe-df2891d2d3e9&lifetime=session HTTP/1.1" 405 575 "https://www.nike.com/cn/launch/t/nikecourt-zoom-vapor-rf-aj3-atmos" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
62.210.209.201 - - [08/Oct/2017:10:15:23 -0400] "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%73%61%66%65%5F%6D%6F%64%65%3D%6F%66%66+%2D%64+%73%75%68%6F%73%69%6E%2E%73%69%6D%75%6C%61%74%69%6F%6E%3D%6F%6E+%2D%64+%64%69%73%61%62%6C%65%5F%66%75%6E%63%74%69%6F%6E%73%3D%22%22+%2D%64+%6F%70%65%6E%5F%62%61%73%65%64%69%72%3D%6E%6F%6E%65+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%64+%63%67%69%2E%66%6F%72%63%65%5F%72%65%64%69%72%65%63%74%3D%30+%2D%64+%63%67%69%2E%72%65%64%69%72%65%63%74%5F%73%74%61%74%75%73%5F%65%6E%76%3D%30+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 301 185 "-" "-"

164.52.0.141 - - [08/Oct/2017:12:06:19 -0400] "USER test +iw test :Test Wuz Here" 400 173 "-" "-"

54.81.171.165 - - [09/Oct/2017:21:16:55 -0400] "GET / HTTP/1.1" 301 185 "-" "Cloud mapping experiment searching for shoutcast servers. Contact [email protected]"

185.84.137.56 - - [10/Oct/2017:15:11:27 -0400] "GET /index.php?m=Home&c=Index&a=login&language=zh-cn HTTP/1.1" 301 185 "-" "-"

67.229.34.210 - - [10/Oct/2017:21:22:06 -0400] "GET https://api.nike.com/deliver/available_skus/v1/?filter=productIds(5c24911c-6161-5dc2-8bfb-b96fccb7c5af) HTTP/1.1" 200 430 "https://www.nike.com/cn/launch/t/air-jordan-1-retro-high-flyknit-black-game-royal" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36"
 

 

 

I don't know enough about these logs to know if I should be seriously concerned, since they're in the access.log.

This one: "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)" occurs several times. There doesn't appear to be a "robertdavidgraham" on github, but there are 4 results for sysscan. I didn't look into any of the 4, so I'm not sure what's there.

I don't think any of my family would be shopping at nike.com - none of us are big fans of Nike, but, of course, those are inbound attempts, not outbound.

 

Also attaching error.log and error.log.1 - there's not much in either for the last 2 weeks or so.

 

All assistance is appreciated! Anything further I can provide?

access.log

error.log

error.log.1

Edited by FreeMan
Link to comment
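The lines that gave you pause are the ordinary background noise any host with port 80 open on the public Internet collects, and none of them explain a timeout. Percent-decoded, the 62.210.209.201 request is the old php-cgi argument-injection probe (`//cgi-bin/php?-d allow_url_include=on ... -d auto_prepend_file=php://input -n`, the CVE-2012-1823 pattern); the two requests with a full `https://...nike.com` URL in the request line are clients checking whether your nginx will act as an open forward proxy (it answered 405 and did not); the `USER test +iw test` line is an IRC command fired at the HTTP port, which nginx rejected with 400; sysscan and the "cloud mapping experiment" are self-identified scanners. The 301 responses with a 185-byte body are most likely the container's default HTTP-to-HTTPS redirect, which at least shows that port 80 reaches nginx from outside. The script below is an added example, not code from the thread or from the linuxserver image: it parses the nginx combined-format lines quoted above (copied from the post, with the two very long entries shortened), percent-decodes each request target and tags the recognisable probe patterns so they can be counted and set aside.

```python
"""Triage of nginx access.log entries like the ones quoted above.

Added example, not part of the thread or the linuxserver image. It parses the
"combined" log format the container writes, percent-decodes each request target,
and tags the recognisable scanner/probe patterns so they can be counted and
separated from real client traffic.
"""
import re
from collections import Counter
from urllib.parse import unquote_plus

# nginx "combined" format: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Lines copied from the access.log excerpt in the post above (the very long nike.com
# and %-encoded entries are shortened; their shape is unchanged).
SAMPLE_LOG = r'''
155.94.88.58 - - [08/Oct/2017:02:24:22 -0400] "GET / HTTP/1.0" 301 185 "-" "sysscan/1.0 (https://github.com/robertdavidgraham/sysscan)"
67.229.34.210 - - [08/Oct/2017:10:04:49 -0400] "POST https://unite.nike.com/loginWithSetCookie?appVersion=315&locale=zh_CN HTTP/1.1" 405 575 "https://www.nike.com/cn/launch/t/nikecourt-zoom-vapor-rf-aj3-atmos" "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.101 Safari/537.36"
62.210.209.201 - - [08/Oct/2017:10:15:23 -0400] "POST //%63%67%69%2D%62%69%6E/%70%68%70?%2D%64+%61%6C%6C%6F%77%5F%75%72%6C%5F%69%6E%63%6C%75%64%65%3D%6F%6E+%2D%64+%61%75%74%6F%5F%70%72%65%70%65%6E%64%5F%66%69%6C%65%3D%70%68%70%3A%2F%2F%69%6E%70%75%74+%2D%6E HTTP/1.1" 301 185 "-" "-"
164.52.0.141 - - [08/Oct/2017:12:06:19 -0400] "USER test +iw test :Test Wuz Here" 400 173 "-" "-"
54.81.171.165 - - [09/Oct/2017:21:16:55 -0400] "GET / HTTP/1.1" 301 185 "-" "Cloud mapping experiment searching for shoutcast servers. Contact [email protected]"
185.84.137.56 - - [10/Oct/2017:15:11:27 -0400] "GET /index.php?m=Home&c=Index&a=login&language=zh-cn HTTP/1.1" 301 185 "-" "-"
'''


def parse(text):
    """Yield one dict per line; lines the regex cannot parse are kept with a 'raw' key."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()
        else:
            yield {"ip": line.split(" ", 1)[0], "req": "", "status": "-", "ua": "", "raw": line}


def classify(entry):
    """Return the indicator tags for one parsed entry (empty list = nothing recognisable)."""
    if "raw" in entry:
        return ["unparsed"]
    tags = []
    parts = entry["req"].split(" ")
    target = parts[1] if len(parts) > 1 else ""
    decoded = unquote_plus(target)  # '+' becomes a space, which is how CGI splits argv
    entry["decoded"] = decoded
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        # not an HTTP request line at all, e.g. an IRC "USER ..." command sent to port 80
        tags.append("non-http-request-line")
    elif re.match(r"https?://", target, re.I):
        # absolute URI in the request line: the client is testing whether nginx will act
        # as an open forward proxy; a 405/301 answer means it did not
        tags.append("absolute-uri")
    if "cgi-bin/php" in decoded and "-d " in decoded:
        # the old php-cgi "?-d allow_url_include=on ... auto_prepend_file=php://input"
        # argument-injection probe (CVE-2012-1823 pattern), hidden behind %-encoding
        tags.append("php-cgi-arg-injection")
    if "%" in target and decoded != target:
        tags.append("percent-encoded-target")
    if any(k in entry["ua"].lower() for k in ("scan", "experiment")):
        tags.append("scanner-ua")
    return tags


def triage(text):
    """Parse and tag every line; returns a list of {ip, status, tags, decoded}."""
    rows = []
    for entry in parse(text):
        tags = classify(entry)
        rows.append({"ip": entry["ip"], "status": entry["status"],
                     "tags": tags, "decoded": entry.get("decoded", "")})
    return rows


def summarize(rows):
    """Count how often each tag appears across the triaged rows."""
    return Counter(t for r in rows for t in r["tags"])


if __name__ == "__main__":
    rows = triage(SAMPLE_LOG)
    for r in rows:
        print(f'{r["ip"]:<16} {r["status"]:>3}  {",".join(r["tags"]) or "-":<45} {r["decoded"][:60]}')
    print(dict(summarize(rows)))
```

Run it against the real file with `triage(open("/config/log/nginx/access.log").read())` (path as used by the container); anything that comes back with no tags and a 200 status is the traffic worth looking at. The tags are only a convenience for sorting noise, not a verdict that your server was exploited: a 301/400/405 from nginx means the probe was redirected or refused, not served.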

Hi guys,

 

If anyone here uses Nginx as reverse proxy for dockerized Krusader or DokuWiki, can you please share your config?
For Krusader I have the following:

location /krusader {
    include /config/nginx/proxy.conf;
    rewrite ^/krusader$ /krusader/ redirect;
    proxy_pass http://XXX.XXX.XX.XXX:8084/;
}

and all I get is a page with a rolling gear

 

For DokuWiki I have:

location /dokuwiki/ {
    index doku.php;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header Proxy "";
    include /config/nginx/proxy.conf;
    proxy_pass http://XXX.XXX.XX.XXX:8087/;
}

I see the landing page (doku.php), but there is no CSS and none of the links work :(

 

Please help!

Link to comment

Alright, apparently I need more help. Previous post still applies, but I now switched from aptalca's old container to the new one and I can't seem to get certificates issued. Here is what I see in the logs:

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.mydomain.mynetgear.com
E-mail address entered: [email protected]
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain.mynetgear.com
tls-sni-01 challenge for www.mydomain.mynetgear.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
Failed authorization procedure. www.mydomain.mynetgear.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.mydomain.mynetgear.com

here is the docker run command:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="America/Los_Angeles" -e HOST_OS="unRAID" -e "EMAIL"="[email protected]" -e "URL"="mydomain.mynetgear.com" -e "SUBDOMAINS"="www," -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -p 8083:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

mydomain.mynetgear.com is a fake domain, but the real one exists and worked fine with the old container. router is configured with dyndns and can see it. port 443 is forwarded on the router. what could be the problem?!

Link to comment
2 hours ago, izarkhin said:

Alright, apparently I need more help. Previous post still applies, but I now switched from aptalca's old container to the new one and I can't seem to get certificates issued. Here is what I see in the logs:


[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.mydomain.mynetgear.com
E-mail address entered: [email protected]
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for mydomain.mynetgear.com
tls-sni-01 challenge for www.mydomain.mynetgear.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
Failed authorization procedure. www.mydomain.mynetgear.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.mydomain.mynetgear.com

here is the docker run command:


root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="America/Los_Angeles" -e HOST_OS="unRAID" -e "EMAIL"="[email protected]" -e "URL"="mydomain.mynetgear.com" -e "SUBDOMAINS"="www," -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -p 8083:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

mydomain.mynetgear.com is a fake domain, but the real one exists and worked fine with the old container. router is configured with dyndns and can see it. port 443 is forwarded on the router. what could be the problem?!

 

I don't see anything wrong with the container settings. Likely a dns setting issue. Both containers use the same exact method to validate

Link to comment
21 minutes ago, aptalca said:

 

I don't see anything wrong with the container settings. Likely a dns setting issue. Both containers use the same exact method to validate

I don't think so. I just created a new DNS record with noip.com: https://www.whatsmydns.net/#A/izarkhin.hopto.org. And in the log i still see:

Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for izarkhin.hopto.org
tls-sni-01 challenge for www.izarkhin.hopto.org
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
Failed authorization procedure. izarkhin.hopto.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for izarkhin.hopto.org, www.izarkhin.hopto.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: DNS problem: NXDOMAIN looking up A for www.izarkhin.hopto.org

Any other ideas?

Link to comment
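The error text is worth reading literally: `DNS problem: NXDOMAIN looking up A for ...` is the ACME server saying that, from Let's Encrypt's resolvers on the public Internet, the name has no A record at all. The router's dynamic-DNS client and the port forward never come into it, and the validation method is the same in both containers, as aptalca says. Two things commonly produce exactly this: the free dynamic-DNS host has only the bare name, so `SUBDOMAINS=www,` asks for a `www.` record the provider never created; or the record was created moments ago and the resolver has not seen it yet. Below is an added example (not code from the thread or from the linuxserver image) of the pre-flight check to run before starting the container: it builds the same list of names the container derives from URL, SUBDOMAINS and ONLY_SUBDOMAINS (assumed from the `Sub-domains processed are: -d www.mydomain.mynetgear.com` log line) and resolves every one of them. Run it from outside your LAN, or it will tell you what your router's resolver thinks rather than what Let's Encrypt sees. One caveat for later readers: the tls-sni-01 challenge shown in these logs was retired by Let's Encrypt in 2018; current images validate over http-01 on port 80 or dns-01, but the name-resolution requirement is the same.

```python
"""Pre-flight check for the names the letsencrypt container will request a certificate for.

Added example, not part of the thread or the linuxserver image. The ACME server resolves
every requested name from the public Internet; "DNS problem: NXDOMAIN looking up A for ..."
means that lookup failed there, which no router or port-forward setting can fix. The
URL/SUBDOMAINS/ONLY_SUBDOMAINS handling below is an assumption based on the container's
"Sub-domains processed are: -d www.mydomain.mynetgear.com" log line.
"""
import socket


def expand_names(url, subdomains="", only_subdomains=False):
    """Return the FQDNs that would go on the certificate, in order, without duplicates."""
    base = url.strip().lower()
    subs = [s.strip().lower() for s in subdomains.split(",") if s.strip()]  # "www," -> ["www"]
    names = [] if only_subdomains else [base]
    names += [f"{s}.{base}" for s in subs]
    seen, out = set(), []
    for n in names:
        if n not in seen:
            seen.add(n)
            out.append(n)
    return out


def resolve_a(name):
    """A records for name via the local resolver, or None if the name does not resolve.

    Run this from outside the LAN (phone hotspot, a VPS) so the answer is the one the
    ACME server gets; a router that 'can see' the name proves nothing about public DNS.
    """
    try:
        infos = socket.getaddrinfo(name, 443, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return None
    return sorted({info[4][0] for info in infos})


def preflight(url, subdomains="", only_subdomains=False, expected_ip=None, resolver=resolve_a):
    """Map each requested name to 'ok', 'NXDOMAIN', or a note that it points elsewhere."""
    report = {}
    for name in expand_names(url, subdomains, only_subdomains):
        addrs = resolver(name)
        if not addrs:
            report[name] = "NXDOMAIN"  # what the ACME failure above reports
        elif expected_ip and expected_ip not in addrs:
            report[name] = f"resolves to {', '.join(addrs)}, not {expected_ip}"
        else:
            report[name] = "ok"
    return report


def all_ok(report):
    """True only when there is at least one name and every name resolved as expected."""
    return bool(report) and all(v == "ok" for v in report.values())


if __name__ == "__main__":
    import sys
    # usage: python preflight.py mydomain.mynetgear.com "www," [your-public-ip]
    url = sys.argv[1]
    subs = sys.argv[2] if len(sys.argv) > 2 else ""
    ip = sys.argv[3] if len(sys.argv) > 3 else None
    rep = preflight(url, subs, expected_ip=ip)
    for name, verdict in rep.items():
        print(f"{name:<40} {verdict}")
    sys.exit(0 if all_ok(rep) else 1)
```

If the bare name resolves and `www.` comes back NXDOMAIN, either add the `www` record at the DNS provider or leave SUBDOMAINS empty; certbot will not issue for a name it cannot resolve, and each failed attempt counts against Let's Encrypt's rate limits.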

I am interested in setting up logic for a php script to execute every time this particular docker starts, including when it is started, restarted, updated with or without dynamix.docker.manager.  I want the docker to wait until certain parameters are returned to start then run through its initialization.

 

Is there a way for me to set this up only for this container and not for all dockers in my instance?

 

Thanks!

 

Link to comment
On 10/21/2017 at 9:12 AM, Leondre said:

Would you be able to enable the Exif and XMLReader PHP extensions?

I second this!
I use nginx a lot and this docker is pretty awesome (thank you), but I don't just use nginx as a reverse proxy... Yes I could use another docker for nextcloud, however this docker is small and practically complete (I can completely go nuts with what I want to do when I want).

I am unsure of what PHP modules are installed within but it would be total goodness not having to do:

docker exec -it letsencrypt apk --no-cache add php7-xmlreader

As well as other PHP mod extensions that a lot of PHP web apps would commonly use :)

Keep up the good work!

Edited by Deadpan110
Link to comment

So I upgraded to the beta to try it out and of course with the SSL features in that it broke my letsencrypt docker.  I tried to turn SSL/TLS to No and even changed the SSL port to 445 (for unraid) but it seems like its still holding 443 for some reason.  Anyone else run into this?

 

Edit:  I'm an idiot, I had 445 already in use for something else lol.  All good... Move along.

Edited by RAINMAN
Link to comment

Does anyone have LE running with a pihole (pi-hole) container?

 

I'm trying to get something like this  https://hub.docker.com/r/diginc/pi-hole/ running but not sure how to setup LE / nginx config to prevent breaking my existing forwards.  I have a WordPress site that is hosted externally on 80 and also want to have the pihole 

 

Quote
  • Port 80 is highly recommended because if you have another site/service using port 80 by default then the ads may not transform into blank ads correctly. To make sure docker-pi-hole plays nicely with an existing webserver you run you'll probably need a reverse proxy webserver config if you don't have one already. Pi-Hole has to be the default web app on said proxy e.g. if you go to your host by IP instead of domain then pi-hole is served out instead of any other sites hosted by the proxy. This is the 'default_server' in nginx or 'default' virtual host in Apache and is taken advantage of so any undefined ad domain can be directed to your webserver and get a 'blocked' response instead of ads.
  • You can still map other ports to pi-hole port 80 using docker's port forwarding like this -p 8080:80, but again the ads won't render properly. Changing the inner port 80 shouldn't be required unless you run docker host networking mode.
  • Here is an example of running with jwilder/proxy (an nginx auto-configuring docker reverse proxy for docker) on my port 80 with pihole on another port. Pi-hole needs to be DEFAULT_HOST env in jwilder/proxy and you need to set the matching VIRTUAL_HOST for the pihole's container. Please read jwilder/proxy readme for more info if you have trouble. I tested this basic example which is based off what I run.

 

Link to comment
2 hours ago, poldim said:

Does anyone have LE running with a pihole (pi-hole) container?

 

I'm trying to get something like this  https://hub.docker.com/r/diginc/pi-hole/ running but not sure how to setup LE / nginx config to prevent breaking my existing forwards.  I have a WordPress site that is hosted externally on 80 and also want to have the pihole 

 

 

 

Why not reverse proxy both on port 80?

Link to comment
5 hours ago, aptalca said:

 

Why not reverse proxy both on port 80?

 

I'd love to do that, but I can't seem to get it working.  Basically it would be two services that come in on port 80 but would need to go to two different locations.

 

Do you have any hints/guides/examples?

Link to comment
7 hours ago, poldim said:

 

I'd love to do that, but I can't seem to get it working.  Basically it would be two services that come in on port 80 but would need to go to two different locations.

 

Do you have any hints/guides/examples?

 

The services would be at different ports. Port 80 would go to the letsencrypt container. Based on the address, subdomain.yourdomain.com or yourdomain.com/yourapp the requests would be forwarded to those services. This thread has a ton of info on that. I suggest starting with Googling nginx reverse proxy to get the general idea, then read through this thread to figure out how to configure it

Link to comment
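What that looks like in practice, as an added example that is not from the thread or the linuxserver image: the letsencrypt container owns host ports 80 and 443, nginx picks the backend from the Host header, and pi-hole takes the `default_server` slot on port 80 so that requests for names nginx does not know (raw IPs, and the ad domains pi-hole points at this host) get pi-hole's blank reply, exactly as the pi-hole readme quoted above asks. The addresses, hostnames and ports are placeholders; `proxy.conf` and `ssl.conf` are the helper files the container ships in `/config/nginx/`, and the two public names must be covered by the certificate (SUBDOMAINS on the container). Drop it into `/config/nginx/site-confs/` and check with `nginx -t` inside the container before reloading.

```nginx
# Added example, not from the thread or the linuxserver image.
# Assumed: WordPress at 192.168.1.50:8000, pi-hole at 192.168.1.51:8080,
# public names blog.example.com and pihole.example.com (all placeholders).

# 1) Catch-all on port 80. Anything that is not a name we know, including hits on
#    the bare IP and the ad domains pi-hole resolves to this host, goes to pi-hole.
#    Keep it plain HTTP: blocked ads are fetched over port 80 and need an answer there.
server {
    listen 80 default_server;
    server_name _;

    # Restrict the catch-all to the LAN so the public Internet cannot reach pi-hole's
    # web UI just by hitting your IP; ad-blocking only matters for LAN clients anyway.
    allow 192.168.1.0/24;
    deny all;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.51:8080;
    }
}

# 2) WordPress on its own name: HTTP redirects to HTTPS, HTTPS proxies to the backend.
server {
    listen 80;
    server_name blog.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name blog.example.com;
    include /config/nginx/ssl.conf;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.50:8000;
    }
}

# 3) pi-hole admin UI on a name of its own, HTTPS only, so the password login is
#    never sent in clear over the port-80 catch-all.
server {
    listen 443 ssl;
    server_name pihole.example.com;
    include /config/nginx/ssl.conf;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.51:8080;
    }
}
```

Two caveats. If the container validates certificates with the http-01 challenge (current images do; the tls-sni-01 method shown earlier in this thread is retired), add a `location /.well-known/acme-challenge/` block that serves the challenge directory ahead of the pi-hole catch-all, otherwise the `deny all` swallows the validation request. And whichever server block is `default_server` is what a scanner gets when it connects to your IP with no Host header, so treat that block as public-facing and keep it minimal.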
On 26/10/2017 at 10:12 PM, endiz said:

Anyone have a working config entry for organizr?

 

# ORGANIZR UPSTREAM
upstream organizr-upstream {
    # This is the local ip and port to Organizr
    server 192.168.1.7:9512;
    keepalive 32;
}

And in the main server block:

# Custom Organizr error pages
error_page 400 401 402 403 404 500 502 /error.php?error=$status;

# Authentication
location /auth-admin {
    internal;
    proxy_pass http://192.168.1.7:9512/auth.php?admin;
    proxy_set_header Content-Length "";
}

location /auth-user {
    internal;
    proxy_pass http://192.168.1.7:9512/auth.php?user;
    proxy_set_header Content-Length "";
}

# ORGANIZR CONTAINER
location / {
    proxy_pass http://organizr-upstream;
    include /config/nginx/proxy.conf;
}

 

Link to comment

Hi,

 

I took a look at the logs of the letsencrypt docker and noticed a lot of these:

 

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)

 

constantly. The thing is it works perfectly fine and any changes I make to the listen directives makes it change there as well. All the servers work and I have tested each one individually so I'm not sure what is going on and how to get rid of these. As far as I can tell there are no issues.

 

I even changed each listen directive to a different port and it just throws one for each port I state.

Edited by phiyuku
Link to comment
1 hour ago, phiyuku said:

Hi,

 

I took a look at the logs of the letsencrypt docker and noticed a lot of these:

 

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)
nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)

 

constantly. The thing is it works perfectly fine and any changes I make to the listen directives makes it change there as well. All the servers work and I have tested each one individually so I'm not sure what is going on and how to get rid of these. As far as I can tell there are no issues.

 

I even changed each listen directive to a different port and it just throws one for each port I state.

 

What exactly are you doing? It seems like you're trying to start up a second instance of nginx

Link to comment
