[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



2 hours ago, aptalca said:

It was a connection error to letsencrypt servers. Hopefully it was a temporary outage. 

 

If you continue having that problem, look into your internet connection, something in your network might be blocking the request (pihole?) 

 

Turns out my docker couldn't communicate out to the internet. I reset the network settings under the docker LAN settings and that fixed it.


So I'm trying to migrate from a standalone instance of this container to the unraid container now that I can assign IP addresses directly to containers. I'm running into an issue where the container doesn't seem to be able to reach the host(where all the services being reverse-proxied live). The container can talk to other systems on the same network with no issue but not the unraid host it is running on.

 

# letsencrypt container to an nzbget container on unRAID
root@73977ce49f97:/root$ nc -vz 192.168.1.10 6789
nc: 192.168.1.10 (192.168.1.10:6789): Host is unreachable
root@73977ce49f97:/root$

# nzbget container accessible from another system on my network
nc -vz 192.168.1.10 6789
Connection to 192.168.1.10 6789 port [tcp/*] succeeded!

# letsencrypt container can talk to systems that aren't unraid on the network
root@73977ce49f97:/root$ nc -vz 192.168.1.11 5000
192.168.1.11 (192.168.1.11:5000) open
root@73977ce49f97:/root$

Am I missing something in my configuration to make them able to talk to each other over the network? Here is my container config in unRAID:

 


14 minutes ago, rjorgenson said:

So I'm trying to migrate from a standalone instance of this container to the unraid container now that I can assign IP addresses directly to containers. I'm running into an issue where the container doesn't seem to be able to reach the host(where all the services being reverse-proxied live). The container can talk to other systems on the same network with no issue but not the unraid host it is running on.

 


# letsencrypt container to an nzbget container on unRAID
root@73977ce49f97:/root$ nc -vz 192.168.1.10 6789
nc: 192.168.1.10 (192.168.1.10:6789): Host is unreachable
root@73977ce49f97:/root$

# nzbget container accessible from another system on my network
nc -vz 192.168.1.10 6789
Connection to 192.168.1.10 6789 port [tcp/*] succeeded!

# letsencrypt container can talk to systems that aren't unraid on the network
root@73977ce49f97:/root$ nc -vz 192.168.1.11 5000
192.168.1.11 (192.168.1.11:5000) open
root@73977ce49f97:/root$

Am I missing something in my configuration to make them able to talk to each other over the network? Here is my container config in unRAID:

 

 

 

That is how the security works when making macvlan in docker. The container can't talk to host. Only way around it is to set up some routing if I remember correctly. Don't know how, so use the search function of the forum to find it. 

15 minutes ago, saarg said:

 

That is how the security works when making macvlan in docker. The container can't talk to host. Only way around it is to set up some routing if I remember correctly. Don't know how, so use the search function of the forum to find it. 

 

Yeah, I was just reading about that shortly after I posted. I had some spare NICs on the box, so I was able to set up a second interface solely for use with Docker, which has allowed the container to communicate with the host. Thanks for the quick reply =]

8 hours ago, loomitz said:

Thanks, but how do I do that? I have been searching how to do it on the site and Google and I can't find out how. I mounted the folder but it gives me an error.

 

 

 

There is a PR that was just merged; it will be in next Friday's image and will let you append to php.ini by editing a file in the config folder.

 

If you want to see how the sausage is made: https://github.com/linuxserver/docker-baseimage-nginx-armhf/pull/18/files

On 2/12/2018 at 5:04 PM, saarg said:

 

Your Wan port forward is wrong for port 80. Change it from 81 to 80.

 

I'm running into the same issue as deadnote. My LetsEncrypt was working fine prior to updating, but the container update seems to have broken it.

 

My port forwarding is set to port 80, and I have 80->81 in the container.

 

Does anyone know what else I can try?

9 minutes ago, Ezro said:

 

I'm running into the same issue as deadnote. My LetsEncrypt was working fine prior to updating, but the container update seems to have broken it.

 

My port forwarding is set to port 80, and I have 80->81 in the container.

 

Does anyone know what else I can try?

 

As far as I'm aware, all the issues have fallen into two categories: those whose ISP blocks port 80 and those who haven't configured the container correctly.

 

So post your docker logs, docker run command and screenshot of your port forwarding settings in your router and maybe we can help.  All we know from the info you've given is it isn't working, which isn't really enough to go on.

30 minutes ago, CHBMB said:

 

As far as I'm aware, all the issues have fallen into two categories: those whose ISP blocks port 80 and those who haven't configured the container correctly.

 

So post your docker logs, docker run command and screenshot of your port forwarding settings in your router and maybe we can help.  All we know from the info you've given is it isn't working, which isn't really enough to go on.

 

That makes sense.

 

Here's my setup:

Docker Settings


 

Docker Command

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="America/Los_Angeles" -e HOST_OS="unRAID" -e "EMAIL"="..." -e "URL"="duckdns.org" -e "SUBDOMAINS"="..." -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "VALIDATION"="http" -e "DNSPLUGIN"="" -e "PUID"="99" -e "PGID"="100" -p 81:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

 

Docker Log

-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Backwards compatibility check. . .
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d domain.duckdns.org -d subdomain.domain.duckdns.org
E-mail address entered: ...
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.duckdns.org
http-01 challenge for subdomain.domain.duckdns.org
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
Failed authorization procedure. subdomain.domain.duckdns.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://subdomain.domain.duckdns.org/.well-known/acme-challenge/KuPVPz-1dTvVdvyW6XP2zYitXLgejpWJoblhVxuYUiU [100.2.67.27]: 401, domain.duckdns.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.duckdns.org/.well-known/acme-challenge/iknfqFylSG_2b4MGv1uEkubeRgaHO6OzVJPmOqDM2u8 [100.2.67.27]: 401
- The following errors were reported by the server:

Domain: subdomain.domain.duckdns.org
Type: unauthorized
Detail: Invalid response from
http://subdomain.domain.duckdns.org/.well-known/acme-challenge/KuPVPz-1dTvVdvyW6XP2zYitXLgejpWJoblhVxuYUiU
[100.2.67.27]: 401

Domain: domain.duckdns.org
Type: unauthorized
Detail: Invalid response from
http://domain.duckdns.org/.well-known/acme-challenge/iknfqFylSG_2b4MGv1uEkubeRgaHO6OzVJPmOqDM2u8
[100.2.67.27]: 401

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

Port Forwarding

 

Edited by Ezro
Adding docker log
14 minutes ago, Ezro said:

 

That makes sense.

 

Here's my setup:

Docker Settings


 

Docker Command

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="America/Los_Angeles" -e HOST_OS="unRAID" -e "EMAIL"="..." -e "URL"="duckdns.org" -e "SUBDOMAINS"="..." -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "VALIDATION"="http" -e "DNSPLUGIN"="" -e "PUID"="99" -e "PGID"="100" -p 81:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

 

Docker Log

-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Backwards compatibility check. . .
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d domain.duckdns.org -d subdomain.domain.duckdns.org
E-mail address entered: ...
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for domain.duckdns.org
http-01 challenge for subdomain.domain.duckdns.org
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
Failed authorization procedure. subdomain.domain.duckdns.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://subdomain.domain.duckdns.org/.well-known/acme-challenge/KuPVPz-1dTvVdvyW6XP2zYitXLgejpWJoblhVxuYUiU [100.2.67.27]: 401, domain.duckdns.org (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://domain.duckdns.org/.well-known/acme-challenge/iknfqFylSG_2b4MGv1uEkubeRgaHO6OzVJPmOqDM2u8 [100.2.67.27]: 401
- The following errors were reported by the server:

Domain: subdomain.domain.duckdns.org
Type: unauthorized
Detail: Invalid response from
http://subdomain.domain.duckdns.org/.well-known/acme-challenge/KuPVPz-1dTvVdvyW6XP2zYitXLgejpWJoblhVxuYUiU
[100.2.67.27]: 401

Domain: domain.duckdns.org
Type: unauthorized
Detail: Invalid response from
http://domain.duckdns.org/.well-known/acme-challenge/iknfqFylSG_2b4MGv1uEkubeRgaHO6OzVJPmOqDM2u8
[100.2.67.27]: 401

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

Port Forwarding

 

 

As with the others, your port forward is wrong. You need to forward 80 external to 81 on the IP you have unRAID on.
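Added example (not the project's or any poster's code): a Python parser for the failure block certbot printed in Ezro's log, with a triage step that maps each domain to the check saarg and CHBMB point at. The connection-refused block in the sample is constructed, and the hint labels are mine.

```python
"""Parse the 'IMPORTANT NOTES' block certbot prints on an http-01 failure
and classify each failed domain. The first two blocks of the sample are
copied from the post above; the third is constructed to show the other
failure shape certbot reports (port 80 not answering at all)."""
import re

SAMPLE_NOTES = """\
- The following errors were reported by the server:

Domain: subdomain.domain.duckdns.org
Type: unauthorized
Detail: Invalid response from
http://subdomain.domain.duckdns.org/.well-known/acme-challenge/KuPVPz-1dTvVdvyW6XP2zYitXLgejpWJoblhVxuYUiU
[100.2.67.27]: 401

Domain: domain.duckdns.org
Type: unauthorized
Detail: Invalid response from
http://domain.duckdns.org/.well-known/acme-challenge/iknfqFylSG_2b4MGv1uEkubeRgaHO6OzVJPmOqDM2u8
[100.2.67.27]: 401

Domain: example.duckdns.org
Type: connection
Detail: Fetching
http://example.duckdns.org/.well-known/acme-challenge/CONSTRUCTED-TOKEN:
Connection refused
"""

# "[<ip that answered>]: <http status>" at the end of an 'Invalid response' detail.
STATUS_RE = re.compile(r"\[(?P<ip>[0-9a-fA-F.:]+)\]:\s*(?P<status>\d{3})")


def parse_failures(text: str) -> list:
    """One dict per 'Domain:' block. 'Detail' wraps over several lines, so
    continuation lines are appended until the next field or a blank line."""
    failures, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Domain:"):
            current = {"domain": line.split(":", 1)[1].strip(), "type": "", "detail": ""}
            failures.append(current)
        elif current is not None and line.startswith("Type:"):
            current["type"] = line.split(":", 1)[1].strip()
        elif current is not None and line.startswith("Detail:"):
            current["detail"] = line.split(":", 1)[1].strip()
        elif current is not None and line and current["detail"]:
            current["detail"] += " " + line
        elif not line:
            current = None
    for f in failures:
        m = STATUS_RE.search(f["detail"])
        f["ip"] = m.group("ip") if m else None
        f["status"] = int(m.group("status")) if m else None
    return failures


def triage(failure: dict) -> str:
    """Map a parsed failure to the check the replies in this thread point at."""
    detail = failure["detail"].lower()
    if "connection refused" in detail or "timeout" in detail:
        return "port_80_unreachable"          # ISP block, or no forward at all
    if failure["status"] is not None:
        # Something at that public IP answered on port 80, but not with the
        # token: external 80 is not landing on the container's mapped port.
        return "port_80_forwarded_elsewhere"
    return "unknown"


if __name__ == "__main__":
    for f in parse_failures(SAMPLE_NOTES):
        print(f["domain"], f["ip"], f["status"], "->", triage(f))
```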

49 minutes ago, saarg said:

 

As with the others, your port forward is wrong. You need to forward 80 external to 81 on the IP you have unRAID on.

 

I think I understand.

 

I updated my router to forward to 81:


 

But now I'm running into an error with finding my 'default' file:

 

Docker Log

[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [emerg] open() "/config/nginx/common" failed (2: No such file or directory) in /config/nginx/site-confs/default:8

 

Edit: Disregard. I copied my common file over and now everything's working!

 

Thanks saarg / CHBMB!

Edited by Ezro

Struggling with an issue around htpasswd: no matter what I do, the auth fails.

 

Here is my latest test I tried

- Create plaintext .htpasswd for testing 

root@1f99f655951c:/config/nginx$ htpasswd -cpb .htpasswd test test
Warning: storing passwords as plain text might just not work on this platform.
Adding password for user test

- verify .htpasswd

root@1f99f655951c:/config/nginx$ cat .htpasswd
test:test

- test the user:pass (with inline password and without)

root@1f99f655951c:/config/nginx$ htpasswd -vb .htpasswd test test
password verification failed

I've gone as far as running chmod 777 .htpasswd, nothing seems to fix this.

 

Anyone have any ideas?
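Added example (not a poster's code): a Python audit of a .htpasswd file that classifies each entry by the hash prefix Apache's validator dispatches on, and implements the {SHA} check that htpasswd -s produces. The sample file is constructed; the apr1 and bcrypt values in it are placeholders, not real hashes.

```python
"""Audit .htpasswd entries the way Apache reads them. apr_password_validate
picks the algorithm from the stored value's prefix ($apr1$, {SHA}, $2y$);
anything else falls through to crypt() on Unix, so a plaintext entry such
as 'test:test' (what 'htpasswd -p' wrote above) has nothing to match
against there. Only {SHA} verification is implemented in this example."""
import base64
import hashlib
import hmac
import re

# Constructed sample: the thread's plaintext entry plus three other schemes.
# The apr1 and bcrypt values are placeholders with the right prefix only.
SAMPLE_HTPASSWD = """\
test:test
alice:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
bob:$apr1$saltsalt$CONSTRUCTEDPLACEHOLDER0
carol:$2y$05$CONSTRUCTEDPLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
"""

PREFIXES = (("$apr1$", "apr1-md5"), ("{SHA}", "sha1"),
            ("$2y$", "bcrypt"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"))
CLASSIC_CRYPT_RE = re.compile(r"[A-Za-z0-9./]{13}")   # traditional DES crypt


def scheme_of(stored: str) -> str:
    """Algorithm Apache would select; 'crypt' is the fallback branch."""
    for prefix, name in PREFIXES:
        if stored.startswith(prefix):
            return name
    return "crypt"


def sha1_entry(user: str, password: str) -> str:
    """Equivalent of 'htpasswd -s': unsalted base64(SHA-1)."""
    digest = base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()
    return f"{user}:{{SHA}}{digest}"


def verify_sha1(stored: str, password: str) -> bool:
    """Constant-time comparison of a {SHA} entry against a candidate."""
    expected = sha1_entry("x", password).split(":", 1)[1]
    return hmac.compare_digest(stored, expected)


def audit(text: str) -> list:
    """One (user, scheme, finding) tuple per entry, in file order."""
    report = []
    for line in text.splitlines():
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, stored = line.split(":", 1)
        scheme = scheme_of(stored)
        if scheme == "crypt" and not CLASSIC_CRYPT_RE.fullmatch(stored):
            finding = "plaintext/unrecognised entry: cannot match on Linux, regenerate with -B"
        elif scheme == "crypt":
            finding = "legacy crypt(): weak, regenerate with -B"
        elif scheme == "sha1":
            finding = "unsalted SHA-1: verifies, but weak; prefer -B (bcrypt)"
        else:
            finding = "ok"
        report.append((user, scheme, finding))
    return report


if __name__ == "__main__":
    for user, scheme, finding in audit(SAMPLE_HTPASSWD):
        print(f"{user:8} {scheme:10} {finding}")
```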


I have a question about multiple local ip's working with my website.

 

e.g. I have unRAID on two servers: one at 192.168.1.11 running most dockers, and a second unRAID server at 192.168.1.17 running a few more dockers (cameras mostly).

 

Is it possible to connect to both internal ip's using letsencrypt on my 192.168.1.11 server?

 

I have all dockers on 192.168.1.11 working fine, but I tried to add a *.17 one and it doesn't seem to work. Let me post my config file.

 

It's the /security entry specifically. I'm trying to connect to motionEye for my cameras.

server {
	listen 443 ssl default_server;
	listen 80 default_server;
	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

	location = / {
		return 301 /htpc;
	}

	location /sonarr {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.11:8989/sonarr;
	}    
		
	location /radarr {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.11:7878/radarr;
	}
	
	location /ombi {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.11:3579/ombi;
	}

	location /plexpy {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.11:8181/plexpy;
	}
	
	location /booksonic {
		include /config/nginx/proxy.conf;
		proxy_pass  http://192.168.1.11:4040/booksonic;
	}
	
	location /airsonic {
		include /config/nginx/proxy.conf;
		proxy_pass  http://192.168.1.11:5050/airsonic;
	}
	
	location /security {
		include /config/nginx/proxy.conf;
		proxy_pass  http://192.168.1.17:8765;
	}
	
	#PLEX
	location /web {
		# serve the CSS code
		proxy_pass http://192.168.1.11:32400;
	}

	# Main /plex rewrite
	location /plex {
		# proxy request to plex server
		proxy_pass http://192.168.1.11:32400/web;
	}

	location /nextcloud {
		include /config/nginx/proxy.conf;
		proxy_pass https://192.168.1.11:4343/nextcloud;
	}
	
	#NZBGET rewrite-command
	location ~ ^/nzbget($|./*) {
			rewrite /nzbget/(.*) /$1 break;
			proxy_pass http://192.168.1.11:6789;
			proxy_set_header Host $host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
	location ~ ^/nzbget$ {
		return 302 $scheme://$host$request_uri/;
	}
	
	location ~ /netdata/(?<ndpath>.*) {
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass http://backend/$ndpath$is_args$args;
		proxy_http_version 1.1;
		proxy_pass_request_headers on;
		proxy_set_header Connection "keep-alive";
		proxy_store off;
	}
}

 

13 hours ago, munit85 said:

I have a question about multiple local ip's working with my website.

 

e.g. I have unRAID on two servers: one at 192.168.1.11 running most dockers, and a second unRAID server at 192.168.1.17 running a few more dockers (cameras mostly).

 

Is it possible to connect to both internal ip's using letsencrypt on my 192.168.1.11 server?

 

I have all dockers on 192.168.1.11 working fine, but I tried to add a *.17 one and it doesn't seem to work. Let me post my config file.

 

It's the /security entry specifically. I'm trying to connect to motionEye for my cameras.


server {
	listen 443 ssl default_server;
	listen 80 default_server;
	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

	location = / {
		return 301 /htpc;
	}

	location /sonarr {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.11:8989/sonarr;
	}    
		
	location /radarr {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.11:7878/radarr;
	}
	
	location /ombi {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.11:3579/ombi;
	}

	location /plexpy {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.11:8181/plexpy;
	}
	
	location /booksonic {
		include /config/nginx/proxy.conf;
		proxy_pass  http://192.168.1.11:4040/booksonic;
	}
	
	location /airsonic {
		include /config/nginx/proxy.conf;
		proxy_pass  http://192.168.1.11:5050/airsonic;
	}
	
	location /security {
		include /config/nginx/proxy.conf;
		proxy_pass  http://192.168.1.17:8765;
	}
	
	#PLEX
	location /web {
		# serve the CSS code
		proxy_pass http://192.168.1.11:32400;
	}

	# Main /plex rewrite
	location /plex {
		# proxy request to plex server
		proxy_pass http://192.168.1.11:32400/web;
	}

	location /nextcloud {
		include /config/nginx/proxy.conf;
		proxy_pass https://192.168.1.11:4343/nextcloud;
	}
	
	#NZBGET rewrite-command
	location ~ ^/nzbget($|./*) {
			rewrite /nzbget/(.*) /$1 break;
			proxy_pass http://192.168.1.11:6789;
			proxy_set_header Host $host;
			proxy_set_header X-Real-IP $remote_addr;
			proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
	}
	location ~ ^/nzbget$ {
		return 302 $scheme://$host$request_uri/;
	}
	
	location ~ /netdata/(?<ndpath>.*) {
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass http://backend/$ndpath$is_args$args;
		proxy_http_version 1.1;
		proxy_pass_request_headers on;
		proxy_set_header Connection "keep-alive";
		proxy_store off;
	}
}

 

 

Different IP shouldn't cause any issue. Your problem is likely due to your proxied app not using a base url

On 2/21/2018 at 7:14 AM, aptalca said:

 

Different IP shouldn't cause any issue. Your problem is likely due to your proxied app not using a base url

Thank you.

 

The app deprecated the base URL and instead stopped using absolute URLs, which they say solves the problem. I'll have a look around for solutions.

 

Edit: turns out the trailing slashes are very important, for anyone who comes across this.

cams needs that trailing slash, as well as the trailing slash after the port number.

 

	location /cams/ {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.17:8765/;
	}

 

 

Edited by munit85
fixed issue
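Added example, not from the thread or the linuxserver.io project: a small Python model of the nginx proxy_pass rule behind munit85's trailing-slash fix, run over the three variants a reader is likely to try. The location and upstream address are the ones from the post; everything else is assumed.

```python
"""Model of how nginx rewrites the request URI for a prefix `location`.
When `proxy_pass` carries a URI part (even just "/"), nginx replaces the
part of the request URI that matched the location with that URI; when
`proxy_pass` has no URI, the request URI goes to the upstream unchanged.
This is why "/security" + "http://192.168.1.17:8765" sent motionEye a path
it does not serve, and "/cams/" + "http://192.168.1.17:8765/" works."""
from urllib.parse import urlsplit


def upstream_request(location: str, proxy_pass: str, request_uri: str) -> tuple:
    """Return (upstream_netloc, upstream_uri) for a request that matched a
    prefix location, following nginx's proxy_pass URI-substitution rule."""
    if not request_uri.startswith(location):
        raise ValueError(f"{request_uri!r} does not match location {location!r}")
    target = urlsplit(proxy_pass)
    if target.path == "":
        # No URI in proxy_pass: forward the original request URI as-is.
        return target.netloc, request_uri
    # URI present: swap the matched prefix for proxy_pass's path. Note that
    # a location without a trailing slash leaves "//" when the path is "/".
    return target.netloc, target.path + request_uri[len(location):]


# The variants in the order the thread went through them.
VARIANTS = {
    "original (/security, no trailing slash)": ("/security", "http://192.168.1.17:8765"),
    "half fix (/cams, slash only on proxy_pass)": ("/cams", "http://192.168.1.17:8765/"),
    "poster's fix (/cams/, both slashes)": ("/cams/", "http://192.168.1.17:8765/"),
}


def what_backend_sees(path_after_prefix: str) -> dict:
    """For each variant, the URI that reaches motionEye when a browser asks
    for <prefix>/<path_after_prefix>, e.g. 'config/list'."""
    seen = {}
    for label, (location, proxy_pass) in VARIANTS.items():
        prefix = location if location.endswith("/") else location + "/"
        _, uri = upstream_request(location, proxy_pass, prefix + path_after_prefix)
        seen[label] = uri
    return seen


if __name__ == "__main__":
    for label, uri in what_backend_sees("config/list").items():
        print(f"{label:45} -> {uri}")
```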
2 hours ago, munit85 said:

Thank you.

 

The app deprecated the base URL and instead stopped using absolute URLs, which they say solves the problem. I'll have a look around for solutions.

 

 

 

You can try proxying it from either the root location or from a subdomain to test if it is indeed a base url issue


I'm getting the following error after trying to log in to my Nextcloud. This was all working sometime last week; I don't believe I changed anything. Ports 80 and 443 are forwarded from my router.

 

EDIT: Ended up just blowing it up and re-doing and all is working now.

2018/02/22 08:11:15 [error] 385#385: *9699 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.2.1, server: mydomain.com, request: "GET /status.php HTTP/1.1", upstream: "https://192.168.2.10:444/status.php", host: "mydomain.com"

server {
    listen 443 ssl;
    server_name mydomain.com;
    root /config/www;
    index index.html index.htm index.php;
    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;
    ###SSL Ciphers
    ssl_ciphers
'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-$
    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;
        ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;
    client_max_body_size 0;
    location / {
        proxy_pass https://192.168.2.10:444/;
        proxy_max_temp_file_size 4096m;
        include /config/nginx/proxy.conf;
    }
}

 

Edited by ffhelllskjdje
