[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

31 minutes ago, CHBMB said:

 

Yeah it works fine with other stuff as subfolders, but you'll still have the issue with hairpin NAT.

 

Hmmm I wouldnt even know where to start with hairpin NAT. I use an ASUS RT AC68U. not sure if you have any experience with them that you might be able to point me in the right direction?

 

EDIT

Also just out of curiosity why is this an issue with nextcloud and not my other containers? And only since going through letsencrypt and not while using duckdns. sorry if this is a stupid question, just trying to learn a bit.

 

EDIT

Sorry just one other thing. I dont mind having to manually put in the internal url to access this as long as i can get the android and ios apps working right. 

Edited by tazire
Link to comment
1 hour ago, aptalca said:

 

DMZ means opening up every single port. No firewall. Don't do it. 

 

Forward a single port (443) if you're using dns validation or 80 and 443 if using http validation, to letsencrypt on unraid and reverse proxy everything else. Configure the built in fail2ban for additional security like against ddos and brute force attempts (recidive does wonders) 

I have a pivpn in my dmz and my unraid in my servers-zone. My pivpn uses port 443/tcp.

 

Would it be possible for my pi to hide behind the LE/nginx?

Should I move the pivpn in the servers-zone to get it to work?  

  

At this point, I got my nextcloud working by following chbmb guide https://www.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/

However, I have not tried to deal with my pivpn situation yet since I could not get the emby to work. My emby container has its own ip. When I added a new location for my emby which is in the same zone (servers-zone) with different ip address, it broke it again. The emby is not a big deal for me. But the pivpn is more important than emby. At this point, I cannot vpn in because the port 443 is being used by LE.

 

At first, I tried to create a multiple .conf (e.g. nextcloud.domain.com.conf, vpn.domain.com.conf, emby.domain.com.conf) files in the /mnt/cache/appdata/letsencrypt/nginx/site-confs/ 

This did not work. I realized that I can only use one file and the name has to be "default". Now, I added a 2nd 'location' and point it to my emby, and broke it again.

 

This is the config that I had

server {
    listen 443 ssl;
    server_name nextcloud.domain.com emby.domain.com;
...
...
    #nextcloud
    location /nextcloud {
        proxy_pass https://10.0.7.12:444;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }

    #emby
    location /emby {
        proxy_pass https://10.0.7.10:8920;
    }
}

I thought of getting emby to work to test the multiple target locations in the same zone before going to different firewall zone. At this point, I am completely lost. I did some digging about openvpn behind nginx. It seems to be possible, and the stream module will be needed. I have no idea what an stream module is and how am I going to get it involve with my settings.
 

 

Edited by pingmanping
Link to comment
1 hour ago, CHBMB said:

You can use multiple files, as long as you own the domain, have setup the subdomain and got certs for it.

Yes, I got my domain at namesilo and added some subdomain entries, but somehow when I renamed the default file I get this logs

 

nginx: [emerg] the size 10485760 of shared memory zone "SSL" conflicts with already declared size 52428800 in /config/nginx/site-confs/nextcloud.mydomain.com.conf:20

When I renamed it again back to 'default', it works again.

Link to comment
4 hours ago, pingmanping said:

I have a pivpn in my dmz and my unraid in my servers-zone. My pivpn uses port 443/tcp.

 

Would it be possible for my pi to hide behind the LE/nginx?

Should I move the pivpn in the servers-zone to get it to work?  

  

At this point, I got my nextcloud working by following chbmb guide https://www.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/

However, I have not tried to deal with my pivpn situation yet since I could not get the emby to work. My emby container has its own ip. When I added a new location for my emby which is in the same zone (servers-zone) with different ip address, it broke it again. The emby is not a big deal for me. But the pivpn is more important than emby. At this point, I cannot vpn in because the port 443 is being used by LE.

 

At first, I tried to create a multiple .conf (e.g. nextcloud.domain.com.conf, vpn.domain.com.conf, emby.domain.com.conf) files in the /mnt/cache/appdata/letsencrypt/nginx/site-confs/ 

This did not work. I realized that I can only use one file and the name has to be "default". Now, I added a 2nd 'location' and point it to my emby, and broke it again.

 

This is the config that I had


server {
    listen 443 ssl;
    server_name nextcloud.domain.com emby.domain.com;
...
...
    #nextcloud
    location /nextcloud {
        proxy_pass https://10.0.7.12:444;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }

    #emby
    location /emby {
        proxy_pass https://10.0.7.10:8920;
    }
}

I thought of getting emby to work to test the multiple target locations in the same zone before going to different firewall zone. At this point, I am completely lost. I did some digging about openvpn behind nginx. It seems to be possible, and the stream module will be needed. I have no idea what an stream module is and how am I going to get it involve with my settings.
 

 

 

You can use multiple site config files, it's just that one of them has to be named default

 

If you validate through http,you don't need to use 443 for https on le. Switch it to any other port you like. Then you'll have to use the port number with the domain url to access your rp

 

For emby, your issue may have been that emby isn't using a base url. You can try the subdomain method for it

Link to comment
15 minutes ago, pingmanping said:

There is no other file in /mnt/cache/appdata/letsencrypt/nginx/site-confs/

 

 

The container will create the default file if its missing. So just comment every line in default and add nextcloud.mydomain.com

 

This is how my site-conf folder looks like 
https://github.com/gilbN/Nostromo/tree/master/Server/nginx/site-confs

 

Edited by GilbN
Link to comment
25 minutes ago, GilbN said:

 

The container will create the default file if its missing. So just comment every line in default and add nextcloud.mydomain.com

 

This is how my site-conf folder looks like 
https://github.com/gilbN/Nostromo/tree/master/Server/nginx/site-confs

 

 

That fixed one problem. I renamed the current default to nextcloud and restarted LE. When it generated a default file, I follow your instruction and commented the entire file, and it worked.

 

The main question now is how can I get my pivpn https://github.com/pivpn/pivpn to work behind the linuxservers' letsencrypt container.

I have my unraid in servers-zone and I have my pivpn in the dmz. Both LE and pivpn use 443/tcp and I only have one dynamic IP from ISP, so I can only do one destination NAT.

 

I can change the port of the pivpn, but my issue with these is at work the guest network only allows 443, 80 and 53. I wanted to keep the port set to 443/tcp as much possible.

 

How hard would it be to get the LE to work with pivpn or any VPN?

As you may guess I am having a hardtime already with the previous issue, and I am pretty sure this LE and VPN stuff will be harder. 

Link to comment
5 hours ago, CHBMB said:

 

Yeah it works fine with other stuff as subfolders, but you'll still have the issue with hairpin NAT.

I managed to get a hold of a custom firmware from merlin and tried changing the NAT loopback from asus's to the maplin loopback and still no joy on this. I cant find anything that indicated NAT hairpin unfortunately. Do my configs at least look ok?

Link to comment
4 hours ago, pingmanping said:

 

That fixed one problem. I renamed the current default to nextcloud and restarted LE. When it generated a default file, I follow your instruction and commented the entire file, and it worked.

 

The main question now is how can I get my pivpn https://github.com/pivpn/pivpn to work behind the linuxservers' letsencrypt container.

I have my unraid in servers-zone and I have my pivpn in the dmz. Both LE and pivpn use 443/tcp and I only have one dynamic IP from ISP, so I can only do one destination NAT.

 

I can change the port of the pivpn, but my issue with these is at work the guest network only allows 443, 80 and 53. I wanted to keep the port set to 443/tcp as much possible.

 

How hard would it be to get the LE to work with pivpn or any VPN?

As you may guess I am having a hardtime already with the previous issue, and I am pretty sure this LE and VPN stuff will be harder. 

 

You can use nginx stream module https://docs.nginx.com/nginx/admin-guide/load-balancer/tcp-udp-load-balancer/

 

You can have port 443 to go letsencrypt, which will proxy vpn connections to your pivpn through the stream module

Link to comment
On 28. 02. 2018. at 5:52 AM, Living Legend said:

I did a search on this thread for "mqtt" and "mosquitto", but yielded no results.

 

I currently use spants/mqtt docker in conjunction with homeassistant/home-assistant docker.

 

All of my remote accessing is done through this docker, linuxserver/letsencrypt.

 

Because of this, I've been able to greatly reduce the ports I have open on my router.

 

I currently have 5.  The basic 80, 8080, 443.  And then 32400 for Plex and 1194 for OpenVPN as I have found no other way to get this working without doing so.

 

I'm using OwnTracks on an Android OS phone to remotely send device location via MQTT.  Because of this, I need to be able to access this docker remotely.

 

I tried the most generic change to the default file under "site-confs":
 


location /mqtt {
        proxy_pass http://192.168.1.3:1883/;
        include /config/nginx/proxy.conf;
    }

Unfortunately, this does not work.

 

Any experience with a similar setup that could possibly point me in the right direction so I can try to avoid opening up more ports on my router?

I'm trying to get mqtt to work through one of the duckdns subdomains I have certified through letsencrypt, proxied through nginx. My nextcloud is accessible through its own subdomain, hassio ui through its own, I just can't get mqtt to work. What's different from your case is the fact I'm using a duckdns docker and a letsencrypt docker on unraid and trying to get through to a mqtt server / addon on hassio, running on a separate pi. Also, I don't know about you, but I'd like the decryption to happen on the letsencrypt docker and the local connection to the mqtt server to be unencrypted. 

 

Before I forget, a word of caution, I'm a total noob, some/most/all of the things I write might be total bs, I don't know almost anything on the subject, also - it's seven hours past my bedtim; (re)investigate everything for yourself.

Back to the point. First of all, it seems "sites-whatever" isn't meant for non-https proxying with nginx. And mqtt isn't http(s). As far as I could gather from a couple of posts I've dug up on the subject is you have to use something called "stream(s)" to accomplish proxying mqtt (tcp) to your server and the "config" for that has to be in the same folder nginx.conf is (the parent folder of "sites-whatever").
Here is a link or two I found on the subject... I plan on fiddling with it saturday afternoon, if I manage to get it working, I'll let you know. The links: https://community.home-assistant.io/t/mqtt-through-nginx-and-owntracks/4943/35 , http://akeil.de/posts/mqtt-bridge-with-mosquitto-and-nginx.html,  https://www.nginx.com/blog/nginx-and-iot-adding-protocol-awareness-for-mqtt/ , https://www.nginx.com/blog/nginx-plus-iot-load-balancing-mqtt/ ,  https://serversforhackers.com/c/tcp-load-balancing-with-nginx-ssl-pass-thru there's also this one if you're planing to use websockets https://community.home-assistant.io/t/mqtt-through-nginx-and-owntracks/4943/8

Edited by sinbrkatetete
Link to comment
  •  
listen 443 ssl;
    server_name remote.mydomanename.com.au;
    root /config/www;
    index index.html index.htm index.php;
    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;
    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ###Extra Settings###
    ssl_prefer_server_ciphers on;
# cancelled the following line after upgrade to nextcloud 13
#    ssl_session_cache shared:SSL:10m;
        ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;
 client_max_body_size 0;
# the next 2 lines allowed exchange in small business server send emails externally.  The rest of this template is otherwise unchanged.
 proxy_request_buffering off;
    proxy_buffering off;
     
    location / {
        proxy_pass https://192.168.10.21:443/;
     proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
 
I'm still having no luck resolving this issue.
The above config is for the Small business server part of my LE docker.
It worked prior to TLS-SNi being turned off.
 
I originally blamed having to map port 80 to the docker to make the certificates work, however on reflection, I don't think this has anything to do with the problem.
All certificates are generating without errors and the other dockers are working perfectly with their certificates.
 
The anomaly with the SBS config is that it has to  map to port 443.
So in the router, port 443 maps to the LE docker, then the reverse proxy in the LE docker points to the Small business server on Port 443.
 
Could this be the problem?
ie LE and SBS having the same port number? (443)
It worked before. 
Then there was a LE update.
Is it possible NGINX is no longer letting me point to 443 for the SBS server?
 
 
 
Link to comment
1 hour ago, sinbrkatetete said:

I'm trying to get mqtt to work through one of the duckdns subdomains I have certified through letsencrypt, proxied through nginx. My nextcloud is accessible through its own subdomain, hassio ui through its own, I just can't get mqtt to work. What's different from your case is the fact I'm using a duckdns docker and a letsencrypt docker on unraid and trying to get through to a mqtt server / addon on hassio, running on a separate pi. Also, I don't know about you, but I'd like the decryption to happen on the letsencrypt docker and the local connection to the mqtt server to be unencrypted. 

 

Before I forget, a word of caution, I'm a total noob, some/most/all of the things I write might be total bs, I don't know almost anything on the subject, also - it's seven hours past my bedtim; (re)investigate everything for yourself.

Back to the point. First of all, it seems "sites-whatever" isn't meant for non-https proxying with nginx. And mqtt isn't http(s). As far as I could gather from a couple of posts I've dug up on the subject is you have to use something called "stream(s)" to accomplish proxying mqtt (tcp) to your server and the "config" for that has to be in the same folder nginx.conf is (the parent folder of "sites-whatever").
Here is a link or two I found on the subject... I plan on fiddling with it saturday afternoon, if I manage to get it working, I'll let you know. The links: https://community.home-assistant.io/t/mqtt-through-nginx-and-owntracks/4943/35 , http://akeil.de/posts/mqtt-bridge-with-mosquitto-and-nginx.html,  https://www.nginx.com/blog/nginx-and-iot-adding-protocol-awareness-for-mqtt/ , https://www.nginx.com/blog/nginx-plus-iot-load-balancing-mqtt/ ,  https://serversforhackers.com/c/tcp-load-balancing-with-nginx-ssl-pass-thru there's also this one if you're planing to use websockets https://community.home-assistant.io/t/mqtt-through-nginx-and-owntracks/4943/8

 

I think I have a very similar setup to you.  Nextcloud is done through its own sub domain.  Home Assistant is also done through its own sub domain.  I'm using a duckdns docker and a letsencrypt docker on unRAID.  The only difference is I'm running an MQTT docker, and Home Assistant as a docker as well.  I'm considering going back to my Pi and installing Hass.io so I'm not solely dependent on my server, but to date, everything has run rather smooth.

 

Your point on the  "site-confs" folder makes sense since this isn't a https connection.

 

In my futile efforts the other day I think I skimmed through nearly all of the links you provided.  I also noticed the usage of streams, but did not spend enough time to figure out how to get it working.  I may tinker a little more with it now.

 

Keep me in the loop on your progress.  I'll do the same.

 

Good luck.

Link to comment
1 hour ago, Jessie said:
  •  
listen 443 ssl;
    server_name remote.mydomanename.com.au;
    root /config/www;
    index index.html index.htm index.php;
    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;
    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ###Extra Settings###
    ssl_prefer_server_ciphers on;
# cancelled the following line after upgrade to nextcloud 13
#    ssl_session_cache shared:SSL:10m;
        ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;
 client_max_body_size 0;
# the next 2 lines allowed exchange in small business server send emails externally.  The rest of this template is otherwise unchanged.
 proxy_request_buffering off;
    proxy_buffering off;
     
    location / {
        proxy_pass https://192.168.10.21:443/;
     proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
 
I'm still having no luck resolving this issue.
The above config is for the Small business server part of my LE docker.
It worked prior to TLS-SNi being turned off.
 
I originally blamed having to map port 80 to the docker to make the certificates work, however on reflection, I don't think this has anything to do with the problem.
All certificates are generating without errors and the other dockers are working perfectly with their certificates.
 
The anomaly with the SBS config is that it has to  map to port 443.
So in the router, port 443 maps to the LE docker, then the reverse proxy in the LE docker points to the Small business server on Port 443.
 
Could this be the problem?
ie LE and SBS having the same port number? (443)
It worked before. 
Then there was a LE update.
Is it possible NGINX is no longer letting me point to 443 for the SBS server?
 
 
 

 

You never said what the problem is

Link to comment

image.png.e1ffac170cc998598853edd482558bef.png

image.thumb.png.a05ac77e37ce9a2aa8c1e62244e7f7cd.png

image.png.2075bb1c0e6a4008329166ab22cbdc0b.png

As far as I can tell the settings are correct based off of what I've seen recently in this thread, and it's about the same as when it was working before the 6.4 update. Last week I got a week long ban because I kept trying to fix this and tried 5 times in an hour so I know my server is reaching out fine. Port forwarded correctly too. Unraid is not running on port 80 or 443 so not sure if that might be causing the issue since that's the only thing I can think of that is different, especially since apparently the httpval thing is no longer required from what I can infer, although really tired right now so I may just be really stupid. Already tried 4 times recently so I'm gonna have to wait to try again but figured I might be able to get some input while I wait. Thanks

Edited by Server1Alpha
Link to comment
2 hours ago, Server1Alpha said:

image.png.e1ffac170cc998598853edd482558bef.png

image.thumb.png.a05ac77e37ce9a2aa8c1e62244e7f7cd.png

image.png.2075bb1c0e6a4008329166ab22cbdc0b.png

As far as I can tell the settings are correct based off of what I've seen recently in this thread, and it's about the same as when it was working before the 6.4 update. Last week I got a week long ban because I kept trying to fix this and tried 5 times in an hour so I know my server is reaching out fine. Port forwarded correctly too. Unraid is not running on port 80 or 443 so not sure if that might be causing the issue since that's the only thing I can think of that is different, especially since apparently the httpval thing is no longer required from what I can infer, although really tired right now so I may just be really stupid. Already tried 4 times recently so I'm gonna have to wait to try again but figured I might be able to get some input while I wait. Thanks

Change Container port 80 to 81 or 8088. (whichever is not used elsewhere in the unraid server)

 

In your router Forward port 443 to your unraid server

In your router point external port 80 to internal port 81 or 8088 (Which ever you chose in the first line above) and forward to your unraid server.

 

Restart letsencrypt.

 

 

Link to comment

I finally got nextcloud with letsencrypt running following @CHBMB guide on ls.io with nextcloud.mydomain.com subdomain.

 

I would like to change subdomain from nextcloud.mydomain.com to just cloud.mydomain.com. Does it suffice to change all references of nextcloud.mydomain.com to cloud.mydomain.com in site nginx/site-confs/nextcloud and nextcloud's /config/www/nextcloud/config/config.php.

 

Let's assume that I added cloud as an additional subdomain to letsencrypt docker and fixed DNS record.

 

Do I need to change anything else?

 

 

Edited by sse450
Link to comment
5 minutes ago, sse450 said:

I finally got nextcloud with letsencrypt running following @CHBMB guide with nextcloud.mydomain.com subdomain.

 

I would like to change subdomain from nextcloud.mydomain.com to just cloud.mydomain.com. Does it suffice to change all references of nextcloud.mydomain.com to cloud.mydomain.com in site nginx/site-confs/nextcloud and nextcloud's /config/www/nextcloud/config/config.php.

 

Or do I need to change anything else?

 

 

Sounds good.

Also need to create an A record for cloud in your domain settings 

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.