[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



5 minutes ago, aptalca said:

I will only post this once. Feel free to refer folks to this post.

 

A few points of clarification:

 

The last update of this image didn't break things. Letsencrypt abruptly disabled the authentication method previously used by this image (tls over port 443) due to a security vulnerability. It is unclear whether they will ever re-enable it again. 

 

So we added the option of validating over port 80, via setting the HTTPVAL variable to true. But you have to make sure port 80 is forwarded to the container from your router. 

 

Keep in mind that unraid gui runs on port 80, so you should map port 80 on your router to any other port, i.e. 85. Then in the container settings, map port 85 to port 80.

 

Unraid template has been updated to include this new variable setting, and I think the brand new unraid stable as well as the previous betas will automatically add that variable to your settings (not 100% sure because I'm still on 6.3.5). Either way, check your settings. 

 

If your isp blocks port 80, there's nothing we can do as it is the only port letsencrypt will validate through at this point. 

 

Someone mentioned dns validation. It's not gonna happen as it is. It requires a script to change dns settings on your dns provider. Since all the dns providers have different APIs for this process, we cannot automate it for you, therefore we will not add dns validation (unless there is a standardized way to update dns entries in the future but I wouldn't hold my breath). 

 

And one last thing, the error message about the directory not existing is harmless, it just means that you didn't have a letsencrypt cert the last time the container was started, probably because the validation had failed. 

 

Thanks! Changing HTTP to port 80, setting the HTTPVAL variable to true and port forwarding 80 > 81 on the unraid server worked.

7 minutes ago, FreeMan said:

I went ahead and removed the extra "Hosts" parameter and LE is running, however, I'm still unable to get through to emby

[screenshot]

 

It seems that I'm having a non-fatal error on startup:

 

 

 

Here's the run command:

 

 

 

The new run command:

 

 

 

Carp, is this the issue?

[screenshot]

 

Check your settings, you have two HTTPVAL directives, second one is setting it to false

Edited by aptalca
11 minutes ago, aptalca said:

I will only post this once. Feel free to refer folks to this post.

 

A few points of clarification:

 

The last update of this image didn't break things. Letsencrypt abruptly disabled the authentication method previously used by this image (tls over port 443) due to a security vulnerability. It is unclear whether they will ever re-enable it again. 

 

So we added the option of validating over port 80, via setting the HTTPVAL variable to true. But you have to make sure port 80 is forwarded to the container from your router. 

 

Keep in mind that unraid gui runs on port 80, so you should map port 80 on your router to any other port, i.e. 85. Then in the container settings, map port 85 to port 80.

 

Unraid template has been updated to include this new variable setting, and I think the brand new unraid stable as well as the previous betas will automatically add that variable to your settings (not 100% sure because I'm still on 6.3.5). Either way, check your settings. 

 

If your isp blocks port 80, there's nothing we can do as it is the only port letsencrypt will validate through at this point. 

 

Someone mentioned dns validation. It's not gonna happen as it is. It requires a script to change dns settings on your dns provider. Since all the dns providers have different APIs for this process, we cannot automate it for you, therefore we will not add dns validation (unless there is a standardized way to update dns entries in the future but I wouldn't hold my breath). 

 

And one last thing, the error message about the directory not existing is harmless, it just means that you didn't have a letsencrypt cert the last time the container was started, probably because the validation had failed. 

 

Awesome write-up.  Unfortunately it doesn't seem like this crappy C2000T router from CL will let me do port translation, so seems like I'm out of luck.


After applying the HTTPVAL fix, Ombi became completely inaccessible. I've mapped the ports (internal port 81 -> external 80, 443->443) and forwarded them on my router, and this setup had been working for almost a year before this.. Also, for some reason, I can't access nextcloud on my PC (timeout), but it works on my phone using the same URL.. Also had some friends test this with no errors on their phones and/or PCs..

7 minutes ago, Muff said:

 

How did you do that?

 

In the container map port 80 to some other port (8083 in this case):

[screenshot]

 

In the container advanced settings set HTTPVAL to true:

[screenshot]

 

On the router forward port 80 to the same port you mapped your container's port 80 to (port 8083 in this case):

[screenshot]

 

10 minutes ago, Dhagon said:

After applying the HTTPVAL fix, Ombi became completely inaccessible. I've mapped the ports (internal port 81 -> external 80, 443->443) and forwarded them on my router, and this setup had been working for almost a year before this.. Also, for some reason, I can't access nextcloud on my PC (timeout), but it works on my phone using the same URL.. Also had some friends test this with no errors on their phones and/or PCs..

 

Absolutely nothing anyone can do to help with the information you've provided.

2 minutes ago, CHBMB said:

 

Absolutely nothing anyone can do to help with the information you've provided.


All right, sorry, I just didn't want to flood you various logs and screenshots right away, as I'm not entirely sure that it's caused by this container, apart from ombi being inaccessible..

 

What additional information would you need to assist me? I don't really know which logs would be useful..

24 minutes ago, Dhagon said:


All right, sorry, I just didn't want to flood you various logs and screenshots right away, as I'm not entirely sure that it's caused by this container, apart from ombi being inaccessible..

 

What additional information would you need to assist me? I don't really know which logs would be useful..

 

Scroll up to my last set of posts in this thread helping another user.  Docker run command as my sig demonstrates and LE logs

2 hours ago, aptalca said:

 

Check your settings, you have two HTTPVAL directives, second one is setting it to false

 

Thanks - the penny dropped when you said that...

 

I believe I've got everything set correctly , but I'm still getting errors and not getting access via the domain, while internally via the IP works fine.

 

My docker settings:

[screenshot]

 

I hit the "advanced view" and put the "-e "HTTPVAL"="true"" in there while not hitting the "Advanced settings" to realize that it had been added to the container - that's why I had 2 conflicting settings in the run command. I've rectified that and now my run command is:

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="America/New_York" -e HOST_OS="unRAID" -e "EMAIL"="[email protected]" -e "URL"="mydomain.us" -e "SUBDOMAINS"="books,cp,emby,photos,sab,shows,sick" -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="true" -p 81:81/tcp -p 443:443/tcp -v "/mnt/cache/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

I'm confused by the port mapping of 81:81 - I thought it should be 80:81 (or vice versa) since I'm forwarding external port 80 to internal port 81 and LE should be listening on that. Here's the router settings showing that:

[screenshot]

 

And yet the LE log shows:

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: photos.mydomain.us
Type: connection
Detail: Fetching
http://photos.mydomain.us/.well-known/acme-challenge/MnhfHpAVNOCCW7o1D8UMwqy5AzUUNr9QPfjbhwl-k1M:
Connection refused

Domain: cp.mydomain.us
Type: connection
Detail: Fetching
http://cp.mydomain.us/.well-known/acme-challenge/Flk3oN3gS8SyH--pD6pnLawz4Ukf0cE0Xq-lcia-N_8:
Connection refused

 

etc...

 

In my ...\nginx\site-confs\default I have:



# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;

}

# main server block
server {
    listen 443 ssl default_server;

    root /config/www;
    index index.html index.htm index.php;

    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
    add_header Content-Security-Policy "frame-ancestors bds.ddns.us emby.bds.ddns.us;";
    add_header Referrer-Policy "no-referrer";
    
    server_name _;

#SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
#Diffie-Hellman key exchange
    ssl_dhparam /config/nginx/dhparams.pem;
#SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

###Extra Settings###
    ssl_session_cache shared:SSL:10m;

### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php7-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        # With php7-fpm:
        #fastcgi_pass unix:/var/run/php7-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

}

to redirect HTTP to HTTPS.

 

Do I now need to remove this section in blue in order to make validation work? If so, do I need to do it only in "default" since that's the only one of the config files that listens on 80? (All the rest only have a server { listen 443 ssl; ...} section.)

 

I've read and re-read the last 4 pages or so of complaints, attempts, and fixes, I've thought they made sense and I've attempted to apply what I learned, but I'm still stuck...

 

 

3 hours ago, aptalca said:

 

You do not need to make changes to your nginx site config and you do not need to enable listening on port 80. Validation is done through a separate web server temporarily put up during validation and is not affected by your nginx config. 
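The validation aptalca describes is the ACME http-01 challenge: certbot's standalone authenticator binds its own temporary web server on port 80 inside the container, and the CA fetches http://<domain>/.well-known/acme-challenge/<token> expecting the key authorization back. The script below is an added example, not code from the linuxserver image or from certbot; it simulates both sides on localhost so the two outcomes seen in this thread can be reproduced offline: a correct fetch, and "Connection refused" when the request lands on a port where nothing listens (the symptom of a port mapping that does not end at container port 80). The account JWK and token are constructed values.

```python
"""Local simulation of the ACME http-01 challenge performed by the standalone
authenticator. Added example; the account JWK and token are constructed."""
import base64
import hashlib
import http.server
import json
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    # RFC 7638: SHA-256 over the canonical JSON (sorted keys, no whitespace) of
    # the key's required members (for EC: crv, kty, x, y), base64url without padding.
    canonical = json.dumps(jwk, separators=(",", ":"), sort_keys=True).encode()
    return b64url(hashlib.sha256(canonical).digest())


def key_authorization(token: str, jwk: dict) -> str:
    # RFC 8555 section 8.1: the body the CA expects to read at the challenge URL.
    return f"{token}.{jwk_thumbprint(jwk)}"


class ChallengeHandler(http.server.BaseHTTPRequestHandler):
    """Stand-in for the temporary web server the standalone authenticator
    puts up on port 80 inside the container; it only answers challenge URLs."""
    challenges: dict = {}  # token -> key authorization

    def do_GET(self):
        token = self.path[len(CHALLENGE_PREFIX):] if self.path.startswith(CHALLENGE_PREFIX) else None
        if token in self.challenges:
            body = self.challenges[token].encode("ascii")
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
        else:
            self.send_error(404)

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_challenge_server(token: str, jwk: dict, port: int = 0):
    """Serve the key authorization for `token`; port 0 lets the OS pick a free port."""
    ChallengeHandler.challenges[token] = key_authorization(token, jwk)
    srv = http.server.HTTPServer(("127.0.0.1", port), ChallengeHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def validate(host: str, port: int, token: str, timeout: float = 2.0):
    """Play the CA side: fetch the challenge URL and classify the outcome as
    ("ok", body), ("http <code>", None), ("connection refused", None) or ("error", reason)."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return "ok", resp.read().decode("ascii")
    except urllib.error.HTTPError as e:
        return f"http {e.code}", None
    except urllib.error.URLError as e:
        if isinstance(e.reason, ConnectionRefusedError):
            # Nothing is listening where the request arrived: the log line
            # "Fetching http://.../acme-challenge/...: Connection refused"
            return "connection refused", None
        return "error", str(e.reason)


def free_port() -> int:
    """A port nothing listens on, to reproduce the "Connection refused" case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    account_jwk = {"crv": "P-256", "kty": "EC", "x": "constructed-x", "y": "constructed-y"}
    srv = start_challenge_server("constructed-token", account_jwk)
    print(validate("127.0.0.1", srv.server_address[1], "constructed-token"))  # ok + key authorization
    print(validate("127.0.0.1", free_port(), "constructed-token"))            # connection refused
    srv.shutdown()
```

Because the authenticator answers the challenge itself, the nginx site config plays no part in validation; what matters is that a request to external port 80 is delivered to the port the container publishes as its port 80.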

 


OK, so what's causing these errors in the log and causing me not to be able to access my server?

 

Failed authorization procedure. photos.bds.mydomain.us (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://photos.mydomain.us/.well-known/acme-challenge/MnhfHpAVNOCCW7o1D8UMwqy5AzUUNr9QPfjbhwl-k1M: Connection refused, cp.mydomain.us (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cp.mydomain.us/.well-known/acme-challenge/Flk3oN3gS8SyH--pD6pnLawz4Ukf0cE0Xq-lcia-N_8:

 

Based on the lack of other feedback, I'd presume that all the configuration info I showed appears to be correct. Like I said, I've read through several pages of posts and tried to put it all together. This is the best I've come up with and it's still not working. You may have to break out the crayons and color me a picture 'cause I'm missing something.

35 minutes ago, FreeMan said:

OK, so what's causing these errors in the log and causing me not to be able to access my server?

 

Failed authorization procedure. photos.bds.mydomain.us (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://photos.mydomain.us/.well-known/acme-challenge/MnhfHpAVNOCCW7o1D8UMwqy5AzUUNr9QPfjbhwl-k1M: Connection refused, cp.mydomain.us (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://cp.mydomain.us/.well-known/acme-challenge/Flk3oN3gS8SyH--pD6pnLawz4Ukf0cE0Xq-lcia-N_8:

 

Based on the lack of other feedback, I'd presume that all the configuration info I showed appears to be correct. Like I said, I've read through several pages of posts and tried to put it all together. This is the best I've come up with and it's still not working. You may have to break out the crayons and color me a picture 'cause I'm missing something.

 

You need to map port 80 INSIDE the docker container to port 81 on Unraid

 

Like this.....

[screenshot]

Edited by CHBMB
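The mistake CHBMB points at is a broken chain: the router sends external port 80 to host port 81, but "-p 81:81" publishes container port 81, not container port 80 where the standalone authenticator listens. The checker below is an added example (not part of the image or the Unraid template) that parses a docker run command for its "-e" and "-p" arguments, takes the router's forwards as (external_port, host_port) pairs, and reports where the path external 80 -> host port -> container 80 breaks; the command lines in the usage are constructed in the shape Unraid prints, with the [email protected] removed.

```python
"""Check that router forward, host port and container port 80 line up for
HTTP validation. Added example; the commands in __main__ are constructed."""
import re
import shlex

PORT_RE = re.compile(r"(?:[\d.]+:)?(\d+):(\d+)(?:/(tcp|udp))?")


def parse_docker_run(cmd: str):
    """Return (env dict, [(host_port, container_port, proto), ...]) from a
    docker run line. Unraid prints values as -e "HTTPVAL"="true", which shlex
    collapses to HTTPVAL=true; anything before "docker run" (the prompt and
    script path) is dropped."""
    _, found, args = cmd.partition("docker run")
    tokens = shlex.split(args if found else cmd)
    env, ports = {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "-e" and i + 1 < len(tokens):
            key, _, value = tokens[i + 1].partition("=")
            env[key] = value
            i += 2
        elif tok == "-p" and i + 1 < len(tokens):
            m = PORT_RE.fullmatch(tokens[i + 1])
            if m:
                ports.append((int(m.group(1)), int(m.group(2)), m.group(3) or "tcp"))
            i += 2
        else:
            i += 1
    return env, ports


def check_http01_path(cmd: str, router_rules):
    """router_rules: list of (external_port, host_port) forwards on the router.
    Returns a list of problems; an empty list means external port 80 reaches
    container port 80 and HTTPVAL is on."""
    env, ports = parse_docker_run(cmd)
    problems = []
    if env.get("HTTPVAL", "false").lower() != "true":
        problems.append("HTTPVAL is not true: the image will not validate over port 80")
    # Host port(s) the router delivers external port 80 to
    lan = sorted({host for ext, host in router_rules if ext == 80})
    if not lan:
        problems.append("router has no forward for external port 80")
        return problems
    # Host port(s) that publish container port 80 (tcp)
    published = sorted({host for host, cont, proto in ports if cont == 80 and proto == "tcp"})
    if not published:
        problems.append("container port 80 is not published: no -p <host>:80 mapping "
                        "(81:81 maps host 81 to container 81)")
    elif not set(published) & set(lan):
        problems.append(f"router sends port 80 to host port(s) {lan} but container "
                        f"port 80 is published on {published}")
    if 80 in {host for host, _, _ in ports}:
        problems.append("host port 80 is used by the Unraid GUI; publish container port 80 on another host port")
    return problems


if __name__ == "__main__":
    # Constructed commands in the shape Unraid prints (email value removed)
    broken = ('docker run -d --name="letsencrypt" -e "URL"="mydomain.us" -e "HTTPVAL"="true" '
              '-p 81:81/tcp -p 443:443/tcp linuxserver/letsencrypt')
    fixed = broken.replace("-p 81:81/tcp", "-p 81:80/tcp")
    router = [(80, 81), (443, 443)]
    print(check_http01_path(broken, router))  # container port 80 is not published
    print(check_http01_path(fixed, router))   # []
```

The same function also flags the case where the router forward and the docker mapping disagree (router to 85, container 80 published on 8083), which produces the identical "Connection refused" line in the LE log.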

Any idea what's gone wrong?  I've been using this successfully for a while, but after upgrading from RC21 to 6.4 it's stopped working.  I've tried a fresh install, but it still won't work:

 


DH parameters successfully created - 2048 bits
SUBDOMAINS entered, processing
Sub-domains processed are: -d REDACTED
EXTRA_DOMAINS entered, processing
Extra domains processed are: REDACTED
E-mail address entered: REDACTED
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

1 hour ago, CHBMB said:

 

You need to map port 80 INSIDE the docker container to port 81 on Unraid

 

Like this.....

[screenshot]

 

Like this?

[screenshot]

 

That's how it's currently set (and hasn't been changed), but it is yielding this run command:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="America/New_York" -e HOST_OS="unRAID" -e "EMAIL"="[email protected]" -e "URL"="mydomain.us" -e "SUBDOMAINS"="books,cp,emby,photos,sab,shows,sick" -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -e "HTTPVAL"="true" -p 81:81/tcp -p 443:443/tcp -v "/mnt/cache/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

 

When I clicked on the Edit button from the first picture, it shows me this:

[screenshot]

 

Which looks very much borked!  Time for a reinstall?

17 minutes ago, DZMM said:

Any idea what's gone wrong?  I've been using this successfully for a while, but after upgrading from RC21 to 6.4 it's stopped working.  I've tried a fresh install, but it still won't work:

 

psst... read the last 4 pages or so...

 

Heck, just read my 2 posts above yours...

