[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


So I got the basics set up with the cyanlabs guide, cool stuff. I used the command on GitHub to create the htpasswd file; it does ask for name and password, appears to accept it, then gives me a 403 Forbidden error afterwards. Ombi isn't using it in favor of app-based auth and is working fine.

2018/04/22 12:46:59 [error] 378#378: *37 open() "/config/.htpasswd" failed (2: No such file or directory), client: xx.xx.xxx.xxx, server: _, request: "GET /movies HTTP/1.1", host: "xxx.duckdns.org"
2018/04/22 12:47:05 [error] 378#378: *37 open() "/config/.htpasswd" failed (2: No such file or directory), client: xx.xx.xxx.xxx, server: _, request: "GET /tv HTTP/1.1", host: "xxx.duckdns.org"
2018/04/22 12:49:04 [error] 378#378: *68 open() "/config/.htpasswd" failed (2: No such file or directory), client: xx.xx.xxx.xxx, server: _, request: "GET /movies HTTP/1.1", host: "xxx.duckdns.org"

My default looks like this.

location /movies {
        auth_basic "Restricted";
        auth_basic_user_file /config/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.3:7878/movies;
}

Did I miss a step with the htpasswd file?
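The error lines above say exactly which path nginx tried to open. A quick way to catch this before clients see a 403 is to scan the site config for every auth_basic_user_file directive and confirm each file exists. The Python below is an added example (not from the original post or the linuxserver image): the sample config is constructed to mirror the /movies block, and /config/nginx as the prefix for relative paths is an assumption about the image layout.

```python
"""Check that every auth_basic_user_file referenced by an nginx config exists.

Added example, not part of the original post or of the SWAG/letsencrypt image.
The sample config below is constructed to mirror the poster's /movies block.
"""
import os
import re

# nginx resolves a relative auth_basic_user_file against its prefix directory;
# /config/nginx is an assumption about the linuxserver image layout.
DEFAULT_PREFIX = "/config/nginx"

AUTH_FILE_RE = re.compile(r'^\s*auth_basic_user_file\s+"?([^";\s]+)"?\s*;', re.MULTILINE)

# Constructed sample: the poster's block, plus a second block using a relative
# path, which nginx would look for under the prefix directory.
SAMPLE_CONFIG = """
location /movies {
        auth_basic "Restricted";
        auth_basic_user_file /config/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.3:7878/movies;
}
location /tv {
        auth_basic "Restricted";
        auth_basic_user_file .htpasswd;
        proxy_pass http://192.168.1.3:8989/tv;
}
"""


def referenced_auth_files(config_text, prefix=DEFAULT_PREFIX):
    """Return the absolute paths named by auth_basic_user_file directives, in order."""
    paths = []
    for raw in AUTH_FILE_RE.findall(config_text):
        path = raw if raw.startswith("/") else os.path.join(prefix, raw)
        if path not in paths:
            paths.append(path)
    return paths


def missing_auth_files(config_text, exists=os.path.exists, prefix=DEFAULT_PREFIX):
    """Return the referenced htpasswd files that do not exist.

    `exists` is injectable so the check can run against a fake filesystem; by
    default it stats the real paths, which is what you want inside the container.
    Every path returned here produces the 'open() ... failed (2: No such file or
    directory)' error in error.log and a 403 for every client of that location.
    """
    return [p for p in referenced_auth_files(config_text, prefix) if not exists(p)]


if __name__ == "__main__":
    for path in missing_auth_files(SAMPLE_CONFIG):
        print("missing htpasswd file:", path)
```

Run it inside the container (or against the mounted /config tree) with the contents of the real site config; anything it reports missing is a location that will answer 403 to every client until the file is created there or the directive is pointed at where the file actually lives, for example /config/nginx/.htpasswd.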

5 hours ago, Traxxus said:

So I got the basics set up with the cyanlabs guide, cool stuff. I used the command on GitHub to create the htpasswd file; it does ask for name and password, appears to accept it, then gives me a 403 Forbidden error afterwards. Ombi isn't using it in favor of app-based auth and is working fine.

2018/04/22 12:46:59 [error] 378#378: *37 open() "/config/.htpasswd" failed (2: No such file or directory), client: xx.xx.xxx.xxx, server: _, request: "GET /movies HTTP/1.1", host: "xxx.duckdns.org"
2018/04/22 12:47:05 [error] 378#378: *37 open() "/config/.htpasswd" failed (2: No such file or directory), client: xx.xx.xxx.xxx, server: _, request: "GET /tv HTTP/1.1", host: "xxx.duckdns.org"
2018/04/22 12:49:04 [error] 378#378: *68 open() "/config/.htpasswd" failed (2: No such file or directory), client: xx.xx.xxx.xxx, server: _, request: "GET /movies HTTP/1.1", host: "xxx.duckdns.org"

My default looks like this.

location /movies {
        auth_basic "Restricted";
        auth_basic_user_file /config/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.3:7878/movies;
}

Did I miss a step with the htpasswd file?

Pretty obvious error: failed (2: No such file or directory).

Sure the .htpasswd is not in /config/nginx/.htpasswd?

13 hours ago, GilbN said:

For Ombi you can set up .htpasswd and have fail2ban ban the IP after x amount of failed logins. Fail2ban is already set up to do that with [nginx-http-auth]. I would add ignoreip = x.x.x.x/24 so you don't ban yourself. Like this.

I already have my jail.local configured, as present in my original post. It's just a matter of turning it on.

  • Would .htpasswd be recommended on top of Ombi using Plex account sign-in?
  • Would turning on .htpasswd with Plex user authentication in Ombi cause my users to have to sign in twice? If so, would .htpasswd be recommended over Ombi Plex user sign-on?
13 hours ago, GilbN said:

Or you could set up Organizr and use server authentication so that only users that are logged in to Organizr can access domain.com/ombi. And set up fail2ban on the Organizr login page.

With Organizr, users that log in will automatically be logged into Ombi/Plex using SSO. https://imgur.com/a/rcwq6rg

You can also set up geoblocking, which will block any country of your choosing.

Not sure about Organizr, just started looking into it, and it's intriguing, but not quite ready to undertake that project yet.

As referenced in my original post, I've set it up as a subdomain. Not sure how that would play out with your suggestion of domain.com/ombi, and I prefer not to use my base business domain.

Geoblocking is definitely a must, and thank you for referencing this. I had no idea it existed, and it will get implemented ASAP.
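GilbN's suggestion quoted above is the detection side of basic auth: nginx writes each failed attempt to error.log, fail2ban's nginx-http-auth jail counts them per client, and ignoreip keeps your own LAN out of the ban list. The Python below is an added example, not from the original post or from fail2ban, that walks through the same logic over constructed log lines; the regex is a simplified stand-in for fail2ban's real filter, and the ignoreip list and maxretry value are assumptions standing in for what you would set in jail.local.

```python
"""Count failed nginx basic-auth attempts per client and apply an ignoreip list.

Added example, not code from the original post or from fail2ban. The regex is a
simplified stand-in for fail2ban's nginx-http-auth filter, and the log lines
below are constructed (client addresses taken from the documentation ranges).
"""
import ipaddress
import re
from collections import Counter

# Matches the three basic-auth failure messages nginx writes to error.log:
# wrong password, unknown user, and a request with no credentials at all.
FAIL_RE = re.compile(
    r'\[error\] \d+#\d+: \*\d+ '
    r'(?:user "[^"]*"(?::? password mismatch| was not found in "[^"]*")'
    r'|no user/password was provided for basic authentication)'
    r', client: (?P<ip>[0-9a-fA-F.:]+),'
)

# Constructed sample log: one remote client hammering the login, one LAN client
# mistyping its own password, and one unrelated error line that must be ignored.
SAMPLE_LOG = """\
2018/04/22 13:01:07 [error] 378#378: *40 user "alice": password mismatch, client: 203.0.113.5, server: _, request: "GET /movies HTTP/1.1", host: "xxx.duckdns.org"
2018/04/22 13:01:09 [error] 378#378: *41 user "bob" was not found in "/config/.htpasswd", client: 203.0.113.5, server: _, request: "GET /movies HTTP/1.1", host: "xxx.duckdns.org"
2018/04/22 13:01:12 [error] 378#378: *42 user "admin": password mismatch, client: 203.0.113.5, server: _, request: "GET /tv HTTP/1.1", host: "xxx.duckdns.org"
2018/04/22 13:01:15 [error] 378#378: *43 no user/password was provided for basic authentication, client: 203.0.113.5, server: _, request: "GET /movies HTTP/1.1", host: "xxx.duckdns.org"
2018/04/22 13:02:01 [error] 378#378: *44 user "me": password mismatch, client: 192.168.1.50, server: _, request: "GET /movies HTTP/1.1", host: "xxx.duckdns.org"
2018/04/22 13:02:02 [error] 378#378: *45 user "me": password mismatch, client: 192.168.1.50, server: _, request: "GET /movies HTTP/1.1", host: "xxx.duckdns.org"
2018/04/22 13:02:03 [error] 378#378: *46 user "me": password mismatch, client: 192.168.1.50, server: _, request: "GET /movies HTTP/1.1", host: "xxx.duckdns.org"
2018/04/22 13:02:04 [error] 378#378: *47 open() "/config/.htpasswd" failed (2: No such file or directory), client: 198.51.100.9, server: _, request: "GET /movies HTTP/1.1", host: "xxx.duckdns.org"
"""

# Assumed jail.local values: loopback plus the LAN, and three strikes.
IGNOREIP = ["127.0.0.1/8", "192.168.1.0/24"]
MAXRETRY = 3


def failed_logins_by_client(log_text):
    """Return a Counter of basic-auth failures keyed by client address."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAIL_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def is_ignored(ip, ignoreip=IGNOREIP):
    """True if the address falls inside any ignoreip network (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net, strict=False) for net in ignoreip)


def clients_to_ban(log_text, maxretry=MAXRETRY, ignoreip=IGNOREIP):
    """Clients with at least `maxretry` failures that are not covered by ignoreip."""
    return sorted(
        ip for ip, n in failed_logins_by_client(log_text).items()
        if n >= maxretry and not is_ignored(ip, ignoreip)
    )


if __name__ == "__main__":
    print("failures per client:", dict(failed_logins_by_client(SAMPLE_LOG)))
    print("would ban:", clients_to_ban(SAMPLE_LOG))
```

The LAN client reaches the maxretry threshold too, and only the ignoreip entry keeps it off the list; that is the case GilbN is warning about when he says to add your own range so you don't ban yourself. The open() error line in the sample is deliberately not counted: it is a server misconfiguration, not a client failing to authenticate.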

 

 

 

9 hours ago, Drider said:

I already have my jail.local configured, as present in my original post. It's just a matter of turning it on.

  • Would .htpasswd be recommended on top of Ombi using Plex account sign-in?
  • Would turning on .htpasswd with Plex user authentication in Ombi cause my users to have to sign in twice? If so, would .htpasswd be recommended over Ombi Plex user sign-on?

Not sure about Organizr, just started looking into it, and it's intriguing, but not quite ready to undertake that project yet.

As referenced in my original post, I've set it up as a subdomain. Not sure how that would play out with your suggestion of domain.com/ombi, and I prefer not to use my base business domain.

Geoblocking is definitely a must, and thank you for referencing this. I had no idea it existed, and it will get implemented ASAP.

 

 

 

 

Domain.com/ombi was just an example. Ombi.domain.com works just fine.

 

Adding .htpasswd will make users have to log in twice, yes. Using Organizr they will only log in once with their Plex credentials.

13 hours ago, GilbN said:

Domain.com/ombi was just an example. Ombi.domain.com works just fine.

 

Adding .htpasswd will make users have to log in twice, yes. Using Organizr they will only log in once with their Plex credentials.

I've been going through your blogs, and I must say thank you. You have a TON of good information in there. It looks like I'll be following 90% of what you've posted, as your setup is pretty much what I desire. I've installed Organizr, and I've been playing with it a bit; looks like I'll be jumping on the bandwagon.

 

I only have a couple of problems with Organizr:

  • I get this error at the top of my homepage if I have Ombi request turned on; I'm not sure if it's because Ombi needs an update.
  • (It's the only answer I've found as of the end of March 2018 from support posts on GitHub.)

Notice: Undefined offset: 0 in /config/www/Dashboard/functions.php on line 5067 Notice: Undefined offset: 0 in /config/www/Dashboard/functions.php on line 5067

 

  • I'm trying to use unBlurr vBeta as a theme, and all works except when I try to add:

                    For Plex Users who want the chat button to go to the chat tab instead of the chat sidebar

It places a bar over the entire homepage blocking the top of the page and specifically the save button. I have to use an adblocker to kill the item in order to regain control.

 

Sorry for the off topic questions, I know they should be placed elsewhere. 

It looks like I have a lot more reading, trial and error to go through, but at least I have a good reference point.

Don't you take down that blog anytime soon!

 

 

 

@aptalca

I'm still a bit puzzled on how to get DDNS to update directly to cloudflare, if you could be so kind as to answer:

  • Is there a docker or plugin that I need to install specifically for this, or will I be needing to go the custom script route?
  • Should I be using a service like DNS-O-Matic?

Maybe I'm just missing it within the LetsEncrypt container.

13 minutes ago, Drider said:

I've been going through your blogs, and I must say thank you. You have a TON of good information in there. It looks like I'll be following 90% of what you've posted, as your setup is pretty much what I desire. I've installed Organizr, and I've been playing with it a bit; looks like I'll be jumping on the bandwagon.

 

I only have a couple of problems with Organizr:

  • I get this error at the top of my homepage if I have Ombi request turned on; I'm not sure if it's because Ombi needs an update.
  • (It's the only answer I've found as of the end of March 2018 from support posts on GitHub.)

Notice: Undefined offset: 0 in /config/www/Dashboard/functions.php on line 5067 Notice: Undefined offset: 0 in /config/www/Dashboard/functions.php on line 5067

 

  • I'm trying to use unBlurr vBeta as a theme, and all works except when I try to add:

                    For Plex Users who want the chat button to go to the chat tab instead of the chat sidebar

It places a bar over the entire homepage blocking the top of the page and specifically the save button. I have to use an adblocker to kill the item in order to regain control.

 

Sorry for the off topic questions, I know they should be placed elsewhere. 

It looks like I have a lot more reading, trial and error to go through, but at least I have a good reference point.

Don't you take down that blog anytime soon!

 

 

 

@aptalca

I'm still a bit puzzled on how to get DDNS to update directly to cloudflare, if you could be so kind as to answer:

  • Is there a docker or plugin that I need to install specifically for this, or will I be needing to go the custom script route?
  • Should I be using a service like DNS-O-Matic?

Maybe I'm just missing it within the LetsEncrypt container.

 

To update your IP on Cloudflare, you need to use a separate app, script or device. I believe you said you had DD-WRT on your router. That probably handles that. If not, we have a ddclient docker that will do it.

 

Letsencrypt doesn't update your IP on Cloudflare, but it can use the Cloudflare API to verify domain ownership so you can get Let's Encrypt certs.

1 hour ago, aptalca said:

To update your IP on Cloudflare, you need to use a separate app, script or device. I believe you said you had DD-WRT on your router. That probably handles that. If not, we have a ddclient docker that will do it.

I do have DD-WRT, but as much as I wish I knew the script to place in the router, it looks like I'll go with DDClient, as I'm sure it will be more my pace of understanding to configure.

Unless of course you could point me in the right direction ... ?  O.o

 

Thanks!


I never resolved my issue with the letsencrypt docker and SBS server, i.e. it stopped after they banned tls-sni.

What I haven't tried yet is the dns approach to authentication.

I read somewhere today that this approach might be as simple as placing a txt record in DNS.

Could it be that simple?

If so, how do I derive/configure the txt string that would work?

 

My other option would be to try to configure letsencrypt via pfsense.  Not sure how that would go.
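On the TXT record question: yes, it really is a TXT record, but the value is not something you pick; it is derived from the challenge token the CA hands out and from your ACME account key (RFC 8555 dns-01 challenge, RFC 7638 key thumbprint). With VALIDATION=dns the container's certbot computes and publishes it through the DNS plugin, which is the flow the readme aptalca points to describes. The Python below is an added example, not code from the original post, from certbot or from the letsencrypt image, showing how the value is derived; the account key and token in it are labelled placeholders.

```python
"""Derive the _acme-challenge TXT value for an ACME dns-01 challenge.

Added example, not code from the original post or from certbot. Implements the
derivation in RFC 8555 section 8.4 (key authorization, dns-01 record) and
RFC 7638 (JWK thumbprint). The account key and token below are constructed
placeholders: a real token comes from the CA's challenge object and the JWK is
the public part of your ACME account key.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, which ACME uses for every encoded value."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# RFC 7638: the thumbprint hashes only the required public members of the key,
# serialised in lexicographic member order with no whitespace.
REQUIRED_MEMBERS = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}


def jwk_thumbprint(jwk: dict) -> str:
    members = REQUIRED_MEMBERS[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in members}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint, which proves the responder holds the account key."""
    return token + "." + jwk_thumbprint(jwk)


def dns01_record(domain: str, token: str, jwk: dict):
    """Return (record name, TXT value) that the CA will query for this challenge.

    For a wildcard the challenge is issued for the base name, so *.example.com
    is validated at _acme-challenge.example.com.
    """
    digest = hashlib.sha256(key_authorization(token, jwk).encode("utf-8")).digest()
    return "_acme-challenge." + domain.lstrip("*."), b64url(digest)


# Constructed placeholder values, not a real key or a real token.
PLACEHOLDER_JWK = {"kty": "EC", "crv": "P-256", "x": "placeholder-x", "y": "placeholder-y"}
PLACEHOLDER_TOKEN = "placeholder-token-from-the-ca"

if __name__ == "__main__":
    name, value = dns01_record("*.example.com", PLACEHOLDER_TOKEN, PLACEHOLDER_JWK)
    print(name, "IN TXT", value)
```

Because the token changes on every order, the TXT value is different each time a certificate is issued or renewed; that is why it has to be automated with a DNS API plugin (or a DNS provider that supports it) rather than typed into the zone by hand.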

 

48 minutes ago, Jessie said:

I never resolved my issue with the letsencrypt docker and SBS server, i.e. it stopped after they banned tls-sni.

What I haven't tried yet is the dns approach to authentication.

I read somewhere today that this approach might be as simple as placing a txt record in DNS.

Could it be that simple?

If so, how do I derive/configure the txt string that would work?

 

My other option would be to try to configure letsencrypt via pfsense.  Not sure how that would go.

 

 

It is described in the docker description and the GitHub readme.

5 hours ago, Drider said:

I do have DD-WRT, but as much as I wish I knew the script to place in the router, it looks like I'll go with DDClient, as I'm sure it will be more my pace of understanding to configure.

Unless of course you could point me in the right direction ... ?  O.o

 

Thanks!

 

You have to wait until I add the template to our repository. For some reason I forgot to add it. 

On 21/04/2018 at 6:41 PM, dalben said:

Is it possible to get the UNRAID GUI working through this letsencrypt / nginx reverse proxy ?  I tried but there were some pretty bad formatting errors that made it unusable.

 

Is it possible to add the UNRaid GUI through this letsencrypt/nginx reverse proxy?  I've tried but the formatting is all out of whack.  I also need to turn off restricted and rely on the unraid WebGui for authentication.

7 hours ago, Drider said:

I've been going through your blogs, and I must say thank you. You have a TON of good information in there. It looks like I'll be following 90% of what you've posted, as your setup is pretty much what I desire. I've installed Organizr, and I've been playing with it a bit; looks like I'll be jumping on the bandwagon.

 

I only have a couple of problems with Organizr:

  • I get this error at the top of my homepage if I have Ombi request turned on; I'm not sure if it's because Ombi needs an update.
  • (It's the only answer I've found as of the end of March 2018 from support posts on GitHub.)

Notice: Undefined offset: 0 in /config/www/Dashboard/functions.php on line 5067 Notice: Undefined offset: 0 in /config/www/Dashboard/functions.php on line 5067

 

  • I'm trying to use unBlurr vBeta as a theme, and all works except when I try to add:

                    For Plex Users who want the chat button to go to the chat tab instead of the chat sidebar

It places a bar over the entire homepage blocking the top of the page and specifically the save button. I have to use an adblocker to kill the item in order to regain control.

 

Sorry for the off topic questions, I know they should be placed elsewhere. 

It looks like I have a lot more reading, trial and error to go through, but at least I have a good reference point.

Don't you take down that blog anytime soon!

 

 

 

@aptalca

I'm still a bit puzzled on how to get DDNS to update directly to cloudflare, if you could be so kind as to answer:

  • Is there a docker or plugin that I need to install specifically for this, or will I be needing to go the custom script route?
  • Should I be using a service like DNS-O-Matic?

Maybe I'm just missing it within the LetsEncrypt container.

 

For Ombi you need version 3.0.2165 or later. Are you sure the Ombi API key is correct?

 

And did you try and add the URL base, if you use that?

 

 

You did add it to custom HTML and not CSS, right?

 

For Organizr support I highly recommend joining the Discord: https://organizr.us/discord. Much easier to support live.

1 hour ago, GilbN said:

For Ombi you need version 3.0.2165 or later. Are you sure the Ombi API key is correct?

 

And did you try and add the URL base, if you use that?

 

 

You did add it to custom HTML and not CSS, right?

 

For Organizr support I highly recommend joining the Discord: https://organizr.us/discord. Much easier to support live.

I'm sorry I should've been more clear:

I'm not sure if the repo is due for an update. I found a bunch of posts saying they have the same error, and the (devs?) replies are that it's an Ombi issue and under fix.

 

I am running v3.0.3185, and API key verified correct.

 

No URL Base as I use subdomains, and for now I'm just testing locally, ... (Haven't even gotten to remote testing ¬¬

 

I might have added to css ...  yup .. looking at it, definitely added to css.  I may need to slow down just a little.., or less coffee at +2:30AM 

 

I believe I will be taking up your discord offer some point this weekend.  I love to learn, and grasp on my own, gives a great feeling of accomplishment, but this is just taking too damn long..

 

 

On 24.4.2018 at 7:41 AM, dalben said:

 

Is it possible to add the UNRaid GUI through this letsencrypt/nginx reverse proxy?  I've tried but the formatting is all out of whack.  I also need to turn off restricted and rely on the unraid WebGui for authentication.

 

Yes, it's possible. But it's not secure at all. You should use a VPN, which is much safer. But if you absolutely want to:

 

```nginx
##UNRAID INTERFACE
## https://lime-technology.com/forums/topic/49997-reverse-proxy-unraid-dashboard-and-others/
#
## REDIRECT HTTP TRAFFIC TO https://domain.com
#server {
#    listen 80;
#    server_name unraid.domain.com;
#    return 301 https://$host$request_uri;
#    }
#    
#server {
#  listen 443 ssl http2;
#  server_name unraid.domain.com;
#  include /config/nginx/strong-ssl.conf;
#
#  location / {
#    include /config/nginx/basicauth.conf;
#    include /config/nginx/proxy.conf;
#    
#    proxy_pass http://int.ern.al.ip/;
#    
#    # unraid logs do not work if buffering is enabled
#    proxy_buffering off;
#    
#    # see http://shairosenfeld.blogspot.com/2011/03/authorization-header-in-nginx-for.html
#    proxy_set_header Authorization "Basic redactedbase64code"; # https://www.base64decode.org
#
#    # If you are proxying unRAID 6.4+, uncomment the following lines to support WebSockets
#    proxy_set_header Upgrade $http_upgrade;
#    proxy_set_header Connection "upgrade";
#  }
#}
```
 

 


Trying to connect to the MariaDB database and was checking the logs. I found this error in the nginx error log folder.

Can someone explain this error to me and how to resolve it:

  thrown in /config/www/bacmedia/index.php on line 35" while reading response header from upstream, client: 192.168.1.1, server: bacnet.duckdns.org, request: "GET /bacmedia/index.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "bacnet.duckdns.org", referrer: "https://bacnet.duckdns.org/bacmedia/index.php"
2018/04/27 23:34:43 [error] 378#378: *921 FastCGI sent in stderr: "PHP message: PHP Warning:  mysqli_connect(): php_network_getaddresses: getaddrinfo failed: Name does not resolve in /config/www/bacmedia/index.php on line 20
PHP message: PHP Warning:  mysqli_connect(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: Name does not resolve in /config/www/bacmedia/index.php on line 20
PHP message: PHP Notice:  Trying to get property of non-object in /config/www/bacmedia/index.php on line 22
PHP message: PHP Fatal error:  Uncaught Error: Call to a member function query() on boolean in /config/www/bacmedia/index.php:35
Stack trace:

1 hour ago, sgt_spike said:

Trying to connect to the MariaDB database and was checking the logs. I found this error in the nginx error log folder.

Can someone explain this error to me and how to resolve it:

  thrown in /config/www/bacmedia/index.php on line 35" while reading response header from upstream, client: 192.168.1.1, server: bacnet.duckdns.org, request: "GET /bacmedia/index.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "bacnet.duckdns.org", referrer: "https://bacnet.duckdns.org/bacmedia/index.php"
2018/04/27 23:34:43 [error] 378#378: *921 FastCGI sent in stderr: "PHP message: PHP Warning:  mysqli_connect(): php_network_getaddresses: getaddrinfo failed: Name does not resolve in /config/www/bacmedia/index.php on line 20
PHP message: PHP Warning:  mysqli_connect(): (HY000/2002): php_network_getaddresses: getaddrinfo failed: Name does not resolve in /config/www/bacmedia/index.php on line 20
PHP message: PHP Notice:  Trying to get property of non-object in /config/www/bacmedia/index.php on line 22
PHP message: PHP Fatal error:  Uncaught Error: Call to a member function query() on boolean in /config/www/bacmedia/index.php:35
Stack trace:

You didn't enter the right address for mariadb? 

 

I don't know, it's your website code. 

7 hours ago, aptalca said:

You didn't enter the right address for mariadb? 

 

I don't know, it's your website code. 

 

Not sure what other IP to use. I used the tower's IP for the hostname.

From the looks of it, I am getting a successful connection; I just cannot query the database I created.

 

<?php
    // Assumes $dbconnect is the mysqli connection opened earlier in this file.
    // Stop here if connecting failed: calling query() on the boolean false that
    // mysqli_connect() returns is the fatal error shown in the nginx log.
    if (!$dbconnect) {
        die("Database connection failed: " . mysqli_connect_error());
    }

    $sql = "SELECT * FROM movies";
    $result = $dbconnect->query($sql);

    // query() returns false on a bad query (e.g. the table does not exist).
    if ($result === false) {
        die("Query failed: " . $dbconnect->error);
    }

    if ($result->num_rows > 0) {
        echo "<table><tr><th>Movie_ID</th><th>Movie Name</th><th>Media</th></tr>";
        // output data of each row; the header has three columns, so emit three
        // cells, and escape values before writing them into the HTML
        while ($row = $result->fetch_assoc()) {
            echo "<tr><td>" . htmlspecialchars($row["movie_id"]) . "</td><td>"
               . htmlspecialchars($row["title"]) . "</td><td>"
               . htmlspecialchars($row["media"]) . "</td></tr>";
        }
        echo "</table>";
    } else {
        echo "0 results";
    }

    // Close the handle that was actually opened ($conn is never defined here).
    $dbconnect->close();
?>

Perhaps I have the code wrong here.

NotQuerying.PNG

connectionresults.PNG

18 minutes ago, sgt_spike said:

 

Not sure what other IP to use. I used the tower's IP for the hostname.

From the looks of it, I am getting a successful connection; I just cannot query the database I created.

 


<?php
    // Assumes $dbconnect is the mysqli connection opened earlier in this file.
    // Stop here if connecting failed: calling query() on the boolean false that
    // mysqli_connect() returns is the fatal error shown in the nginx log.
    if (!$dbconnect) {
        die("Database connection failed: " . mysqli_connect_error());
    }

    $sql = "SELECT * FROM movies";
    $result = $dbconnect->query($sql);

    // query() returns false on a bad query (e.g. the table does not exist).
    if ($result === false) {
        die("Query failed: " . $dbconnect->error);
    }

    if ($result->num_rows > 0) {
        echo "<table><tr><th>Movie_ID</th><th>Movie Name</th><th>Media</th></tr>";
        // output data of each row; the header has three columns, so emit three
        // cells, and escape values before writing them into the HTML
        while ($row = $result->fetch_assoc()) {
            echo "<tr><td>" . htmlspecialchars($row["movie_id"]) . "</td><td>"
               . htmlspecialchars($row["title"]) . "</td><td>"
               . htmlspecialchars($row["media"]) . "</td></tr>";
        }
        echo "</table>";
    } else {
        echo "0 results";
    }

    // Close the handle that was actually opened ($conn is never defined here).
    $dbconnect->close();
?>

Perhaps I have the code wrong here.

NotQuerying.PNG

connectionresults.PNG

Remove https from the hostname. Only put in ip:port.


Hey all.. I've been running this image for a while now without issue. But, I decided to try changing to a wildcard cert today. I pulled the most recent image, updated my docker compose and dns config and updated the container.

 

It appears to work, but then throws an error saying to check the validation error above - but there are no validation errors.

 

build_version: Linuxserver.io version:- 139 Build-date:- April-27-2018-22:06:54-UTC
 

Any ideas?

 

le log (I've attached the full le log here as well).

le             | 2018-04-29T16:54:15.228690086Z Performing the following challenges:
le             | 2018-04-29T16:54:15.238047339Z dns-01 challenge for mydomain
le             | 2018-04-29T16:54:15.238085071Z dns-01 challenge for mydomain
le             | 2018-04-29T16:54:15.238090178Z Unsafe permissions on credentials configuration file: /config/dns-conf/digitalocean.ini
le             | 2018-04-29T16:54:16.523142000Z Waiting 10 seconds for DNS changes to propagate
le             | 2018-04-29T16:54:26.534836161Z Waiting for verification...
le             | 2018-04-29T16:54:30.185131883Z Cleaning up challenges
le             | 2018-04-29T16:54:46.170727929Z IMPORTANT NOTES:
le             | 2018-04-29T16:54:46.250348556Z  - Congratulations! Your certificate and chain have been saved at:
le             | 2018-04-29T16:54:46.250445899Z    /etc/letsencrypt/live/mydomain/fullchain.pem
le             | 2018-04-29T16:54:46.253021957Z    Your key file has been saved at:
le             | 2018-04-29T16:54:46.253059746Z    /etc/letsencrypt/live/mydomain/privkey.pem
le             | 2018-04-29T16:54:46.253064950Z    Your cert will expire on 2018-07-28. To obtain a new or tweaked
le             | 2018-04-29T16:54:46.253069538Z    version of this certificate in the future, simply run certbot
le             | 2018-04-29T16:54:46.253073599Z    again. To non-interactively renew *all* of your certificates, run
le             | 2018-04-29T16:54:46.253077573Z    "certbot renew"
le             | 2018-04-29T16:54:46.253088918Z  - If you like Certbot, please consider supporting our work by:
le             | 2018-04-29T16:54:46.253097379Z 
le             | 2018-04-29T16:54:46.253101610Z    Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
le             | 2018-04-29T16:54:46.253106190Z    Donating to EFF:                    https://eff.org/donate-le
le             | 2018-04-29T16:54:46.253110181Z 
le             | 2018-04-29T16:54:46.261602398Z ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/digitalocean.ini file.

 

The docker compose file:

  letsencrypt:
    image: linuxserver/letsencrypt
    container_name: le
    ports:
      - 443:443
      - 80:80
    volumes:
      - /opt/appdata/letsencrypt:/config
      - /opt/appdata/organizr/www:/fail2ban:ro
    restart: always
    depends_on:
      - tautulli
      - nzbget
      - sonarr
      - radarr
      - delugevpn
    environment:
      - PUID=1002
      - PGID=1002
      - EMAIL=my@email
      - URL=myserver
      - SUBDOMAINS=wildcard
      - ONLY_SUBDOMAINS=true
      - VALIDATION=dns
      - DNSPLUGIN=digitalocean
      - DHLEVEL=4096
      - TZ=America/New_York


 

le.log

