[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



1 hour ago, BrandonG777 said:

 

The LE container is directly replaceable by the LSIO nginx container. Probably just need to comment out your cert paths in the nginx configuration and then it will start and you can shell into the container and use the script I linked to. Unfortunately I do not have the time right now to write up a good step by step guide. I really don't have the time to deal with this in general at the moment but being I left autoupdate enabled I pretty much brought this on myself and just have to deal with the fallout.

 

Thank you for the short pointer. I have it working. Not automatically, but I'll see how this goes when it comes time for renewal.

 

The way their DNS API integration is written I don't think it would be too difficult to implement. As long as the user has a supported API all the user should need to do is specify which API they want to use and add the required variables to the Docker template.

Link to comment
7 hours ago, Taddeusz said:

 

Thank you for the short pointer. I have it working. Not automatically, but I'll see how this goes when it comes time for renewal.

 

The way their DNS API integration is written I don't think it would be too difficult to implement. As long as the user has a supported API all the user should need to do is specify which API they want to use and add the required variables to the Docker template.

 

All DNS providers use different APIs. The users would need custom scripts specific to each DNS provider. It's not as simple as setting your variables. You need to have a custom script for your provider. We can't write scripts for all the hundreds of different DNS provider APIs.

Link to comment
9 hours ago, aptalca said:

 

All DNS providers use different APIs. The users would need custom scripts specific to each DNS provider. It's not as simple as setting your variables. You need to have a custom script for your provider. We can't write scripts for all the hundreds of different DNS provider APIs.

 

This is true if you are on a provider that doesn't already have a supported API. If you look at the instructions for the acme.sh script to use the automated DNS validation, you run it with the --dns <apiscript> parameter and select which API you wish to use (this can easily be a template variable). Prior to running the script, each supported provider API script has environment variables that must be set. All of this could easily be scripted. In the case of supported APIs the user would just need to add the required environment variables to their Docker template. That's exactly what I did to get mine validated and working with the regular nginx container.

 

I don't understand why it's so impossible. It's just not as plug and play and requires the user to look at the acme.sh script's documentation to figure out which API to select and which environment variables they need to add to their docker template. I do understand that from a support perspective it would be more of a burden because it's easier to get wrong. However, for many people whose ISPs block port 80, DNS validation is the only reasonable option.

 

If I had the time I would be willing to do the modification and do a pull request myself but my time is limited.

Link to comment
9 hours ago, aptalca said:

 

All DNS providers use different APIs. The users would need custom scripts specific to each DNS provider. It's not as simple as setting your variables. You need to have a custom script for your provider. We can't write scripts for all the hundreds of different DNS provider APIs.

 

I think it's possible to implement a variable/parameter that could be passed for DNS validation (similar to the HTTPVAL one) and the user supplies the script for the provider via /config mount? Understandably you can't write a silver bullet script to handle hundreds if not thousands of DNS providers, but maybe throw out an example for a couple of the big ones. Of course all of this is probably for naught because when I did DNS validation it told me it couldn't be automated and I should find another way to validate. Again, I'm no expert, just stumbling through this issue like all the other Cox/Comcast users.

Link to comment
1 hour ago, BrandonG777 said:

 

I think it's possible to implement a variable/parameter that could be passed for DNS validation (similar to the HTTPVAL one) and the user supplies the script for the provider via /config mount? Understandably you can't write a silver bullet script to handle hundreds if not thousands of DNS providers, but maybe throw out an example for a couple of the big ones. Of course all of this is probably for naught because when I did DNS validation it told me it couldn't be automated and I should find another way to validate. Again, I'm no expert, just stumbling through this issue like all the other Cox/Comcast users.

 

Cox customer as well. I have nothing important to add. Watching this thread closely hoping someone figures it out.

Link to comment

I am aware of the recent changes over at Letsencrypt. (Excited for their Wildcard certification support soon!)

And have set HTTPVAL to true, and set up the relevant port forwarding.

 

But I wanted to move over from a VM Webserver to the Docker setup on my Unraid server.

 

I am encountering this error:

Domain: my.domain.com
Type: unauthorized
Detail: Invalid response from
http://my.domain.com/.well-known/acme-challenge/7t5nkAv26TjUNRAID_VcdhSLnimTj7deWwj-c5cVV7oc:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

So Nginx seems to be running, but I cannot figure out why Letsencrypt does not or cannot create the folders and files under the www folder.

Or at least, since it is returning a 404 error, I must assume that the files were not created at that instance anyways. (And they do not seem to exist now either, neither do the folders)

 

Am I missing something, should I create folders myself or do some additional configuration on nginx?

 

Edit:

Tried again with the folders created under /www but no dice, was worth a shot.

Edited by Arndroid
Link to comment
3 minutes ago, CHBMB said:

 

@Arndroid ^^^

"And one last thing, the error message about the directory not existing is harmless, it just means that you didn't have a letsencrypt cert the last time the container was started, probably because the validation had failed."

 

Missed that part, sorry.
 

Regardless, does it mean that, at least for now, I cannot obtain an SSL certificate through this docker then?

Because the (sub)domain is not yet set up with an SSL certificate it seems. (Or at least, "the connection is not private")

Edited by Arndroid
Link to comment
Just now, Arndroid said:

"And one last thing, the error message about the directory not existing is harmless, it just means that you didn't have a letsencrypt cert the last time the container was started, probably because the validation had failed."

 

Missed that part, sorry.
 

Regardless, does it mean that, at least for now, I cannot obtain an SSL certificate through this docker then?

Because the (sub)domain is not yet set up with an SSL certificate it seems.

 

I refer you to my above post :)

 

Link to comment
5 minutes ago, CHBMB said:

 

I refer you to my above post :)

 

I feel like apologizing, I think I am missing something obvious.

 

Your post however explicitly stated that I should post more info, here are some screenshots:

Docker info:

[screenshot: Docker info]

[screenshot: Docker info, continued]

[screenshot: Docker info, continued]

Port forwarding, for now I actually port forwarded both 80, 81 and 443, 444. I only should forward 81 and 444, but I wanted to exclude that from the equation. (192.168.0.100 is my Unraid server)

[screenshot: port forwarding rules]

Docker run:

[screenshot: docker run command]

Rest of the Docker log:

[screenshot: Docker log]

 

I hope I didn't misunderstand! :)

Link to comment

True, I just think my port forwarding setup was wrong, I used it similarly for my webserver through the VM. I always tell myself to not ignore or exclude a problem, but yet every time... :P

 

If I may be so bold, the search function didn't return much about this. (Might be just my search terms)

How are Virtual Hosts set up with a certificate? (Different domains than set up initially in the docker, must it be done manually through the docker console?)

Link to comment
Thanks, working wonders, pretty cool!
 
I think I should have only one more question and I should be set, it might be a stupid one at that.
Is it possible to use the mail function of PHP? (sendmail)
 
Or is it best to use an available mail server docker and try to let it work together?
A long time ago I played with sendmail and php and managed to send an email from the terminal but I can remember nothing about it....

Sent from my LG-H815 using Tapatalk

Link to comment

I did a reverse DNS lookup on my modem, and noticed that my provider has created a unique host name for me. Quite awesome! But it is a long string of characters, so I created an "@" CNAME record at Hover for mydomain.com to point to the unique host name from my provider.

 

I installed Let's Encrypt, and am able to load NextCloud's WebUI from cloud.mydomain.com.

 

But, I am not able to load any of my other containers' WebUIs using mydomain.com:xxxx, instead, I must use the unique host name from my provider, longstringofcharacters.provider.com:xxxx. I would like to use mydomain.com:xxxx.

 

Any ideas about how to get this to work? I can ping mydomain.com and get the correct IP. I can even ssh into mydomain.com. 

 

 

Link to comment

Hello guys, Letsencrypt went down on me suddenly, I don't recall making changes on UnRaid (only adding a new HDD and SSD) and I haven't upgraded to 6.4.0 yet.

 

Browsing through the thread, I don't see anyone with similar log to mine (or I missed it).

 

Here is the log.

 

[screenshot: letsencrypt error log]

 

I noticed because Nextcloud stopped working this morning. Everything was working before then.

Link to comment
1 hour ago, sevenz said:

Hello guys, Letsencrypt went down on me suddenly, I don't recall making changes on UnRaid (only adding a new HDD and SSD) and I haven't upgraded to 6.4.0 yet.

 

Browsing through the thread, I don't see anyone with similar log to mine (or I missed it).

 

Here is the log.

 

[screenshot: letsencrypt error log]

 

I noticed because Nextcloud stopped working this morning. Everything was working before then.

 

Exact same problem here too, after updating the letsencrypt container.

the solution is posted a couple posts below.

tl;dr = letsencrypt changed something (auth method over port 443 disabled)

1. you have to make sure now that TCP port 80 is forwarded on your router (internet gateway) to your unraid server (be aware that unraid uses TCP 80 by default for its web interface, so map external TCP port 80 to something else internally, like TCP 81)

2. edit/update the container settings > edit letsencrypt in the unraid docker tab and set the HTTP port to 81 or whatever you used for your port mapping on your router.

3. also change the variable HTTPVAL from false to true, it's found in "show more settings"

HTTPVAL: true
Flag to switch validation method to HTTP (over port 80) if set to 'true'
Edited by [email protected]
typo
  • Upvote 1
Link to comment
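A preflight check for the steps above, added here as an example and not part of the original post or of the letsencrypt/SWAG container: it drops a random token into the webroot nginx serves and fetches it back through the public hostname on port 80, which reproduces what the CA does and catches the "404 Not Found" shown earlier in the thread before a real validation attempt fails. The webroot path and the FETCHER override are assumptions.

```shell
#!/bin/sh
# Preflight for HTTP-01 validation: prove that the ACME challenge path is
# reachable from outside before asking Let's Encrypt for a certificate.
# FETCHER is the command used to retrieve a URL (overridable for testing);
# the curl default is an assumption, not something the container provides.
# No -f on purpose: a 404 must come back as a body so it can be reported.
FETCHER="${FETCHER:-curl -sS --max-time 10}"

# Random hex token, the same shape as an ACME challenge token.
make_token() {
  head -c 16 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# acme_preflight DOMAIN WEBROOT
#   DOMAIN  public hostname the CA contacts (my.domain.com in the thread)
#   WEBROOT directory nginx serves for that host (assumed: /config/www in the
#           container, i.e. <appdata>/letsencrypt/www on the Unraid host)
# Returns 0 when the token round-trips, 1 when port 80 is unreachable or
# answers with the wrong content, 2 when the webroot cannot be written.
acme_preflight() {
  domain="$1"
  webroot="$2"
  dir="$webroot/.well-known/acme-challenge"
  token=$(make_token)

  mkdir -p "$dir" || { echo "FAIL: cannot create $dir"; return 2; }
  printf '%s' "$token" > "$dir/$token"

  body=$($FETCHER "http://$domain/.well-known/acme-challenge/$token" 2>/dev/null)
  rc=$?
  rm -f "$dir/$token"   # never leave stray files under the challenge path

  if [ "$rc" -ne 0 ]; then
    echo "FAIL: nothing answered on http://$domain:80 (connection refused or timeout:"
    echo "      is external TCP 80 forwarded to the container's HTTP port, e.g. 81?)"
    return 1
  fi
  if [ "$body" != "$token" ]; then
    echo "FAIL: port 80 answered but served the wrong content (a 404 here means the"
    echo "      request reached another web server or a different webroot)"
    return 1
  fi
  echo "OK: $domain serves the challenge path from $webroot"
  return 0
}

# Typical call on the host (path is an assumption, adjust to your appdata):
#   acme_preflight my.domain.com /mnt/user/appdata/letsencrypt/www
```

Run it from the Unraid host while the container is up; if it reports OK, a "404 Not Found" from Let's Encrypt cannot be blamed on the port forward or the webroot.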

Ahh alright, thanks for the TL;DR! I will read back a couple of posts when I get home from work.

 

EDIT: I remote to my VM to do it and it works now!

 

38 minutes ago, [email protected] said:

 

Exact same problem here too, after updating the letsencrypt container.

the solution is posted a couple posts below.

tl;dr = letsencrypt changed something (auth method over port 443 disabled)

1. you have to make sure now that TCP port 80 is forwarded on your router (internet gateway) to your unraid server (be aware that unraid uses TCP 80 by default for its web interface, so map external TCP port 80 to something else internally, like TCP 81)

2. edit/update the container settings > edit letsencrypt in the unraid docker tab and set the HTTP port to 81 or whatever you used for your port mapping on your router.

3. also change the variable HTTPVAL from false to true, it's found in "show more settings"

 

HTTPVAL: true
Flag to switch validation method to HTTP (over port 80) if set to 'true'

 

Edited by sevenz
Link to comment
