[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



I had to add

#!/usr/bin/with-contenv bash

 

on top of the file which I found after a few tries!

Thanks for the tip :)

 

I also figured out how to move the thumbnail cache to an external folder, away from the photos source folder, so I am now going to try and strengthen security.

I have already enabled 2-factor login

 

My options

1) VPN and blocking all other access from WAN, but I will lose Let's Encrypt, which would also be useless as the VPN encrypts everything.

2) allowing access through the firewall to my IP addresses AND Let's Encrypt servers (need to find them) and blocking everything else

3) Allow all WAN through the firewall and add .htaccess as well as the extra 2-factor login

 

I will host personal files, so I think option #2 is a good compromise.

 

Any ideas?


Another question!

 

In Filerun I can only have one folder per user.

So for user Teo I have mapped /files/ (inside docker)

And from container settings I have mapped /mnt/user/Filerun:/files/

 

I also need Filerun to access /mnt/user/Photos

so I added it as read-only: /mnt/user/Photos:/files/photos/:ro

 

I just need a confirmation that it's a viable solution!


I have been trying to get Plex SSO working with Ombi V3 and Organizr V2.

 

I have configured my reverse proxy according to https://github.com/causefx/Organizr/wiki/Plex-SSO.

 

When I go to https://domain.com/plex I get a 401 error.

 

If I go to https://domain.com/plex/web/index.html I am able to successfully reach plex.

 

Any ideas as to what may be going on here?

 

If it helps I've been following these guides:

https://technicalramblings.com/blog/how-to-setup-organizr-with-letsencrypt-on-unraid/

https://technicalramblings.com/blog/installing-ombi-v3-beta-on-unraid-setting-up-sso-with-plex-and-ombi/

 

Thanks

34 minutes ago, jbear said:

LETSENCRYPT Docker Question:

 

My ISP blocks port 80 inbound; can I pull a cert using a different --preferred-challenges? Possibly tls-sni (port 443) instead of http (port 80). If so, how can I modify this docker to make it work? Right now when I start the docker, it tries to pull a cert on port 80 every time.

 

Failed authorization procedure. jsbear.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://jsbear.duckdns.org/.well-known/acme-challenge/5lYNDmQrZ7t7idpDLwGznLFtteLxkbUYPPrTPhVa2mg: Timeout during connect (likely firewall problem)

 

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

Something like certbot certonly --standalone --preferred-challenges tls-sni -d example.com

 

 

This has been discussed to death in this thread, starting at around page 45 or so.

 

Read the "important notice" on this page that is linked in the first post of this thread.

https://hub.docker.com/r/linuxserver/letsencrypt/


I'm trying to set up my Nextcloud to work with Letsencrypt. (Disclaimer: I am very new to this. Willing to learn, but the learning curve seems a bit steep...)

 

The problem I am facing is that I have forwarded the needed ports in my router and set up everything as explained in this video

 

Yet, I cannot access my Nextcloud.

 

In the logs of Letsencrypt, there is the following content:


-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=*firstnamelastname*.net
SUBDOMAINS=cloud
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=*myemailaddress*
STAGING=

Backwards compatibility check. . .
No compatibility action needed
2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d cloud.*firstnamelastname*.net
E-mail address entered: *myemailaddress*
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for cloud.*firstnamelastname*.net
http-01 challenge for *firstnamelastname*.net
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. mydomainname (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from mydomainname/.well-known/acme-challenge/c5ExrCYBltBQXThW2cgXibAto8FKit42sn_IbvIctGk: "<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html>
<head>
<title></title>
<meta name=", mydomainname (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from mydomainname/.well-known/acme-challenge/KRzuKlcmy7Z0fHcfYMQgLVOr1F079Tp1OIXwxGX70fA: "<html xml:lang="fr-FR" lang="fr-FR">
<head>
<title qtlid="28806">F\xe9licitations ! Votre domaine a bien \xe9t\xe9 cr\xe9\xe9 chez OVH !</"
IMPORTANT NOTES:
Error in atexit._run_exitfuncs:
Traceback (most recent call last):
File "/usr/lib/python2.7/atexit.py", line 24, in _run_exitfuncs
func(*targs, **kargs)
File "/usr/lib/python2.7/site-packages/certbot/util.py", line 665, in _atexit_call
func(*args, **kwargs)
File "/usr/lib/python2.7/site-packages/certbot/reporter.py", line 98, in print_messages
next_wrapper.fill(line) for line in lines[1:]))
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in position 600: ordinal not in range(128)
Error in sys.exitfunc:
An unexpected error occurred:
- The following errors were reported by the server:
UnicodeEncodeError: 'ascii' codec can't encode character u'\xe9' in position 600: ordinal not in range(128)
Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

I've read different posts on different websites and I think I am supposed to add a file or folder somewhere, but I didn't understand what and where (it was related to a folder named something along the lines of "well-known acme").

 

When trying to access nextcloud from outside the network, I am getting a timeout error.

 

Could you please help me out? I'm having a hard time figuring out what this means and what I'm supposed to do to solve it. :( 

 

Thank you in advance

4 hours ago, CiaoCiao said:

I'm trying to set up my Nextcloud to work with Letsencrypt. (Disclaimer: I am very new to this. Willing to learn, but the learning curve seems a bit steep...)

 

The problem I am facing is that I have forwarded the needed ports in my router and set up everything as explained in this video

 

Yet, I cannot access my Nextcloud.

 

In the logs of Letsencrypt, there is the following content:

 

I've read different posts on different websites and I think I am supposed to add a file or folder somewhere, but I didn't understand what and where (it was related to a folder named something along the lines of "well-known acme").

 

When trying to access nextcloud from outside the network, I am getting a timeout error.

 

Could you please help me out? I'm having a hard time figuring out what this means and what I'm supposed to do to solve it. :( 

 

Thank you in advance

 

Your domain is not forwarded to your unraid. It is showing the hosting page at OVH.

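For the two http-01 failures quoted in this thread (jbear's connect timeout and CiaoCiao's OVH page), here is an added example that is not code from the thread or from the linuxserver container: a small Python parser that pulls the "Failed authorization procedure" lines out of a container log and maps the ACME error type, plus what the validation server got back, to the likely cause. The sample log lines are constructed to mirror the ones posted; the domains and challenge tokens in them are placeholders.

```python
import re

# Constructed sample lines modelled on the failures posted in this thread.
# Domains and challenge tokens are placeholders, not the posters' real values.
SAMPLE_LOG = (
    "Failed authorization procedure. example.duckdns.org (http-01): "
    "urn:ietf:params:acme:error:connection :: The server could not connect to "
    "the client to verify the domain :: Fetching "
    "http://example.duckdns.org/.well-known/acme-challenge/TOKEN_PLACEHOLDER: "
    "Timeout during connect (likely firewall problem)\n"
    "Failed authorization procedure. cloud.example.net (http-01): "
    "urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient "
    "authorization :: Invalid response from "
    "cloud.example.net/.well-known/acme-challenge/TOKEN_PLACEHOLDER: "
    "\"<html xml:lang=\"fr-FR\" lang=\"fr-FR\"><head><title>Votre domaine a "
    "bien ete cree chez OVH !</\"\n"
    "Failed authorization procedure. media.example.net (http-01): "
    "urn:ietf:params:acme:error:dns :: DNS problem: NXDOMAIN looking up A for "
    "media.example.net\n"
    "ERROR: Cert does not exist! Please see the validation error above.\n"
)

# certbot prints one "Failed authorization procedure." line per failed name.
FAILURE_RE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"urn:ietf:params:acme:error:(?P<error>\w+) :: (?P<detail>[^\n]*)"
)


def parse_failures(log_text):
    """Return one dict (domain, challenge, error, detail) per failed authorization."""
    return [m.groupdict() for m in FAILURE_RE.finditer(log_text)]


def diagnose(failure):
    """Map the ACME error type, plus what the validator saw, to the likely cause."""
    error, detail = failure["error"], failure["detail"]
    if error == "connection":
        return ("nothing answered on port 80 for this name: inbound 80 is not "
                "forwarded to this host or is blocked upstream; http validation "
                "cannot succeed, so forward the port or switch to dns validation")
    if error == "unauthorized":
        # A full HTML document in the response means some other web server
        # answered on port 80, typically the registrar's parking page.
        if re.search(r"<(!DOCTYPE|html)", detail, re.IGNORECASE):
            return ("another web server answered on port 80 (a registrar or hosting "
                    "parking page): the A record does not point at this host yet")
        return ("port 80 reached a web server that did not serve the challenge "
                "token: check which service owns port 80 on this host")
    if error == "dns":
        return "the name does not resolve at all: create the A record first"
    return "unrecognised ACME error type: " + error


def diagnose_log(log_text):
    """Return (domain, error type, hint) for every failure in a container log."""
    return [(f["domain"], f["error"], diagnose(f)) for f in parse_failures(log_text)]


if __name__ == "__main__":
    for domain, error, hint in diagnose_log(SAMPLE_LOG):
        print(f"{domain}: {error}\n  -> {hint}")
```

Run it against a pasted container log (for example the output of docker logs for the letsencrypt container) to get one line of diagnosis per failed name; the "ERROR: Cert does not exist!" line that follows the failures is ignored on purpose, since it never carries the cause.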

Hi, revisiting Nextcloud and still trying to get it to work properly. I can access it from IE after I get a page saying "there is a problem with this website's security certificate" and I press continue.

Likewise, when I access from my iphone, it seems to work correctly, albeit after seeing this page first:

 

[attached screenshot: nextcloud iphone]

 

However, when I try to log on in chrome, I get this and can't get past it to the log-on page. Any ideas? Is it a letsencrypt issue? Thank you!

 

[attached screenshot: nextcloud chrome]

3 minutes ago, puncho said:

Hi, revisiting Nextcloud and still trying to get it to work properly. I can access it from IE after I get a page saying "there is a problem with this website's security certificate" and I press continue.

Likewise, when I access from my iphone, it seems to work correctly, albeit after seeing this page first:

 

[attached screenshot: nextcloud iphone]

 

However, when I try to log on in chrome, I get this and can't get past it to the log-on page. Any ideas? Is it a letsencrypt issue? Thank you!

 

[attached screenshot: nextcloud chrome]

 

You enabled HSTS, so Chrome refuses to connect unless the cert is valid.

 

Post your logs and reverse proxy configs and we'll take a look. 

2 minutes ago, aptalca said:

 

You enabled HSTS, so Chrome refuses to connect unless the cert is valid.

 

Post your logs and reverse proxy configs and we'll take a look. 

 

Thanks for your help!

 

Here's the letsencrypt log


[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=
URL=duckdns.org
SUBDOMAINS=test
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

Backwards compatibility check. . .
No compatibility action needed
2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d test.duckdns.org
E-mail address entered: [email protected]
http validation is selected
Certificate exists; parameters unchanged; attempting renewal
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Thu Jun 21 04:32:03 UTC 2018
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/test.duckdns.org.conf
-------------------------------------------------------------------------------
Cert not yet due for renewal
Plugins selected: Authenticator standalone, Installer None

-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
/etc/letsencrypt/live/test.duckdns.org/fullchain.pem expires on 2018-09-07 (skipped)
No renewals were attempted.
No hooks were run.
-------------------------------------------------------------------------------
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

 

The letsencrypt config is as follows:


upstream backend {
    server 192.168.0.100:19999;
    keepalive 64;
}

server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;

    server_name test.duckdns.org;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location = / {
        return 301 /htpc;
    }

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.100:8989/sonarr;
    }

    location /hydra {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.100:5075/hydra;
    }
    
    location /nzbget {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.100:6789/nzbget;
    }
    
    location /radarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.100:7878/radarr;
    }

    location /request {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.100:3579/request;
    }
    
    location /htpc {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.100:8085/htpc;
    }

    location /cops {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.100:88/cops;
    }
    
    location /books {
        proxy_bind $server_addr;
        proxy_pass http://192.168.0.100:8083;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme $scheme;
        proxy_set_header X-Script-Name /books;
    }
    
    location /plexpy {
        proxy_pass http://192.168.0.100:8181;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_read_timeout 90;
        proxy_set_header X-Forwarded-Proto $scheme;
        set $xforwardedssl "off";
        if ($scheme = https) {
            set $xforwardedssl "on";
        }
        proxy_set_header X-Forwarded-Ssl $xforwardedssl;
        proxy_redirect ~^(http(?:s)?://)([^:/]+)(?::\d+)?(/.*)?$ $1$2:$server_port$3;
    }
    
    location /downloads {
        include /config/nginx/proxy.conf;
        proxy_pass  http://192.168.0.100:8112/;
        proxy_set_header  X-Deluge-Base "/downloads/";
    }
    
    #PLEX
    location /web {
        # serve the CSS code
        proxy_pass http://192.168.0.100:32400;
    }

    # Main /plex rewrite
    location /plex {
        # proxy request to plex server
        proxy_pass http://192.168.0.100:32400/web;
    }
    
    location /nextcloud {
        include /config/nginx/proxy.conf;
        proxy_pass https://192.168.0.100:444/nextcloud;
    }
    
    location ~ /netdata/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend/$ndpath$is_args$args;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}

 

14 minutes ago, puncho said:

 

Thanks for your help!

 

Here's the letsencrypt log

 

The letsencrypt config is as follows:

 

 

Your cert doesn't cover a "nextcloud" subdomain. In fact, it doesn't cover any subdomains underneath the custom one you got from duckdns. You probably should have read the instructions in the container settings right underneath the URL and subdomains fields.


I think I fixed it; it works now without any messages in Chrome/iPhone/IE. I had originally followed cyanlabs, so I didn't enter the nextcloud subdomain in the container settings. Sorry, pretty noob at this and I just follow tutorials to get things up and running.

 

Here are the new logs... not sure what the new error is about? Thanks again

 



[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=duckdns.org
SUBDOMAINS=test,nextcloud.test,
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

Backwards compatibility check. . .
No compatibility action needed
2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d test.duckdns.org -d nextcloud.test.duckdns.org
E-mail address entered: [email protected]
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
You should register before running non-interactively, or provide --agree-tos and --email <email_address> flags.
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nextcloud.test.duckdns.org
http-01 challenge for test.duckdns.org
Waiting for verification...
Cleaning up challenges
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...
usermod: no changes

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=duckdns.org
SUBDOMAINS=test,nextcloud.test,
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

Backwards compatibility check. . .
No compatibility action needed
2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d test.duckdns.org -d nextcloud.test.duckdns.org
E-mail address entered: [email protected]
http validation is selected
Certificate exists; parameters unchanged; attempting renewal
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Thu Jun 21 00:30:44 PDT 2018
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/test.duckdns.org.conf
-------------------------------------------------------------------------------

Traceback (most recent call last):
File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 63, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python2.7/site-packages/certbot/storage.py", line 415, in __init__
"file reference".format(self.configfile))
CertStorageError: renewal config file {} is missing a required file reference
Renewal configuration file /etc/letsencrypt/renewal/test.duckdns.org.conf is broken. Skipping.

-------------------------------------------------------------------------------

No renewals were attempted.
No hooks were run.

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/test.duckdns.org.conf (parsefail)
-------------------------------------------------------------------------------
0 renew failure(s), 1 parse failure(s)
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

 

4 hours ago, puncho said:

I think I fixed it; it works now without any messages in Chrome/iPhone/IE. I had originally followed cyanlabs, so I didn't enter the nextcloud subdomain in the container settings. Sorry, pretty noob at this and I just follow tutorials to get things up and running.

 

Here are the new logs... not sure what the new error is about? Thanks again

 

 

 

Again, please read the instructions. 

 

It literally says underneath that field that if you're using a dynamic DNS address, the URL should be customsubdomain.domain.url, so for you it would be test.duckdns.org, and for SUBDOMAINS you can put nextcloud and anything else you like. Also uncheck subdomains only, because you want the cert to cover the URL as well.

 

I'm not sure what the error was, but it could be due to inputting the subdomain like that. 

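To make the two replies above checkable before HSTS is switched on, here is an added example, not code from this thread or from the linuxserver container: a Python helper that works out which names the container will request from the URL, SUBDOMAINS and ONLY_SUBDOMAINS settings, the way the "Sub-domains processed are: -d ..." log line above reports them, and then compares those names against the server_name hosts in an nginx config. The semantics of the three settings are inferred from the logs posted in this thread (assumed, not taken from the container's source), the sample config is constructed, and the wildcard handling goes beyond the thread (RFC 6125 leftmost-label matching).

```python
import re


def requested_names(url, subdomains, only_subdomains):
    """Names the container asks Let's Encrypt for, mirroring its
    'Sub-domains processed are: -d ...' startup line. Assumed semantics,
    inferred from the logs in this thread: every SUBDOMAINS entry is
    prefixed to URL, URL itself is included unless ONLY_SUBDOMAINS is
    true, and empty entries (a trailing comma) are ignored."""
    names = [] if only_subdomains else [url]
    for sub in subdomains.split(","):
        sub = sub.strip()
        if sub:
            names.append(f"{sub}.{url}")
    return names


def name_matches(cert_name, host):
    """Does one certificate name cover host? Exact match, or a wildcard in
    the leftmost label only, covering exactly one label (RFC 6125 rules).
    Wildcard certs are not discussed in the thread; handled for completeness."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if cert_name == host:
        return True
    if cert_name.startswith("*."):
        suffix = cert_name[1:]                       # e.g. ".test.duckdns.org"
        return host.endswith(suffix) and "." not in host[:-len(suffix)]
    return False


SERVER_NAME_RE = re.compile(r"^\s*server_name\s+([^;]+);", re.MULTILINE)


def nginx_server_names(conf_text):
    """Literal hostnames from every server_name directive. The catch-all '_'
    and nginx's own pattern forms (leading '~', embedded '*') are skipped
    because they are not hostnames a certificate could be checked against."""
    hosts = []
    for m in SERVER_NAME_RE.finditer(conf_text):
        for name in m.group(1).split():
            if name != "_" and "*" not in name and not name.startswith("~"):
                hosts.append(name)
    return hosts


def uncovered_hosts(cert_names, conf_text):
    """server_name hosts that no certificate name would match. With HSTS on,
    browsers refuse these outright instead of offering a click-through."""
    return [h for h in nginx_server_names(conf_text)
            if not any(name_matches(c, h) for c in cert_names)]


# Constructed proxy config using the two hosts that appear in this thread.
SAMPLE_CONF = """\
server {
    listen 443 ssl;
    server_name test.duckdns.org;
    location / { return 301 /htpc; }
}
server {
    listen 443 ssl;
    server_name nextcloud.test.duckdns.org;
    location / { proxy_pass https://192.168.0.100:444; }
}
"""

if __name__ == "__main__":
    before = requested_names("duckdns.org", "test", True)           # first settings posted above
    after = requested_names("test.duckdns.org", "nextcloud", False)  # settings recommended above
    print("before:", before, "-> uncovered:", uncovered_hosts(before, SAMPLE_CONF))
    print("after: ", after, "-> uncovered:", uncovered_hosts(after, SAMPLE_CONF))
```

Feeding in the first settings from the log above (URL=duckdns.org, SUBDOMAINS=test, ONLY_SUBDOMAINS=true) leaves nextcloud.test.duckdns.org uncovered, which is exactly the host Chrome refused; with the recommended settings both hosts are covered. Pointing the check at the real /config/nginx/site-confs and proxy-confs files is the useful way to run it.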
9 hours ago, aptalca said:

 

Your domain is not forwarded to your unraid. It is showing the hosting page at OVH.

 

I think it's redirected though? I just tried to go to myip:444 on my smartphone, not through WiFi, so as to access from outside the network. But it does not work either.

4 hours ago, CiaoCiao said:

 

I think it's redirected though? I just tried to go to myip:444 on my smartphone, not through WiFi, so as to access from outside the network. But it does not work either.

 

Why IP? You need to set the A record for your domain name so it forwards to your home IP. Then this container will be able to validate the certs, and only then will nginx start working and responding to requests. Right now the webserver is down due to the missing cert.

19 hours ago, aptalca said:

 

Again, please read the instructions. 

 

It literally says underneath that field that if you're using a dynamic DNS address, the URL should be customsubdomain.domain.url, so for you it would be test.duckdns.org, and for SUBDOMAINS you can put nextcloud and anything else you like. Also uncheck subdomains only, because you want the cert to cover the URL as well.

 

I'm not sure what the error was, but it could be due to inputting the subdomain like that. 

 

Thank you, seems to be all working error free now :)


HI guys,

 

Has anyone managed to get this working with the Home Assistant docker for the reverse proxy? I have tried the following

 

    location /ha {
        proxy_pass http://192.168.0.24:8123;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

 

but I just get this :( Anyone got any ideas? Thanks!

 

502 Bad Gateway


nginx/1.12.2
4 hours ago, schford said:

HI guys,

 

Has anyone managed to get this working with the Home Assistant docker for the reverse proxy? I have tried the following

 

    location /ha {
        proxy_pass http://192.168.0.24:8123;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

 

but I just get this :( Anyone got any ideas? Thanks!

 

502 Bad Gateway


nginx/1.12.2

 

Did you try to Google it? Look at the bottom of the nginx config in this link https://www.home-assistant.io/docs/ecosystem/nginx/

14 hours ago, saarg said:

 

Did you try to Google it? Look at the bottom of the nginx config in this link https://www.home-assistant.io/docs/ecosystem/nginx/

 

I tried many variations of Home Assistant docker, Let's Encrypt etc. when googling but didn't actually search for NGINX - doh!!!! Thank you so much for the link; can't believe it was documented on the HASS pages. Right, off to play, and thanks once more!


So, just in case anyone else is looking: I had to add the below to get it working. It won't work with anything but the root (rather than location /hass or something, which I would prefer), but I can live with this unless anyone has any suggestions :)

 

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

 

    location / {
        proxy_pass http://192.168.0.23:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

 

On 3/17/2017 at 4:06 AM, dmacias said:

This works for me. Add the real ip lines to the nginx default site-confs for the nextcloud docker. Then restart the nextcloud docker.


server {
  listen 443 ssl;
  server_name _;

  real_ip_header X-Forwarded-For;
  set_real_ip_from 172.17.0.0/16;
  real_ip_recursive on;

 

 

I'm trying to do something similar here, but have been unable to get it to work.  I'm trying to get Fail2ban working with DelugeVPN, using LetsEncrypt reverse proxy.

 

Everything is set up and functional, but in the DelugeVPN logs, I get 172.17.0.0/16 IPs listed from the docker bridge.

******

2018-06-25 13:55:28,812 DEBG 'deluge-web-script' stderr output:
[ERROR   ] 13:55:28 auth:330 Login failed (ClientIP 172.17.0.1)

******

 

I've set up the real ip stuff that I've seen in this thread

******

server {
    listen 443 ssl;
    server_name deluge.domain.com;
    
    set_real_ip_from 172.17.0.0/16;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
        
    location / {
        proxy_pass  http://192.168.50.50:8112/;

    }
}

******

 

Not sure how to get the client's actual IP to populate in the DelugeVPN logs instead of the bridge IPs. Anyone have an idea?

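The set_real_ip_from / real_ip_header / real_ip_recursive lines in the two posts above act on the server that receives the X-Forwarded-For header, which is why dmacias's quote puts them in the backend's own nginx rather than in the proxy; the proxy's location block also has to send the header in the first place, and the one posted just above contains no proxy_set_header X-Forwarded-For. Here is an added Python example written for this page, not nginx's code and not from the thread, that emulates that resolution step and shows why only the proxy's own network may be trusted: a client that reaches the backend directly could otherwise put any address in the header and have fail2ban ban someone else. The addresses and the deluge-web log line are constructed.

```python
import ipaddress
import re

# Constructed sample deluge-web log, in the format quoted in this thread.
SAMPLE_DELUGE_LOG = (
    "2018-06-25 13:55:28,812 DEBG 'deluge-web-script' stderr output:\n"
    "[ERROR   ] 13:55:28 auth:330 Login failed (ClientIP 172.17.0.1)\n"
)

LOGIN_FAILED_RE = re.compile(r"Login failed \(ClientIP ([0-9a-fA-F.:]+)\)")


def _trusted(addr, networks):
    """True when addr lies inside any of the set_real_ip_from networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def resolve_client_ip(remote_addr, x_forwarded_for, trusted_cidrs, recursive=True):
    """Emulate nginx's realip module with real_ip_header X-Forwarded-For.

    remote_addr     : peer address the backend sees (the docker bridge here)
    x_forwarded_for : header value, comma separated, oldest hop first
    trusted_cidrs   : the set_real_ip_from networks
    recursive       : real_ip_recursive on (True) or off (False)
    Returns the address the backend should log (and fail2ban should act on).
    """
    networks = [ipaddress.ip_network(c) for c in trusted_cidrs]
    if not x_forwarded_for or not _trusted(remote_addr, networks):
        # The header is only believed when it arrives from a trusted proxy;
        # anyone connecting directly could write an arbitrary address into it.
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    if not recursive:
        return hops[-1]               # off: the last address, whatever it is
    for hop in reversed(hops):        # on: skip trusted proxies right to left
        if not _trusted(hop, networks):
            return hop
    return hops[0]                    # every hop was a trusted proxy


def login_failure_ips(log_text):
    """ClientIP values from 'Login failed' lines in a deluge-web log."""
    return LOGIN_FAILED_RE.findall(log_text)


def logged_ip_is_a_proxy(addr, trusted_cidrs):
    """True when the logged address is inside a set_real_ip_from network, i.e.
    the backend still sees the proxy rather than the client, and a fail2ban
    jail built on this log would ban the proxy (and so every user) instead."""
    return _trusted(addr, [ipaddress.ip_network(c) for c in trusted_cidrs])


if __name__ == "__main__":
    bridge = ["172.17.0.0/16"]
    for ip in login_failure_ips(SAMPLE_DELUGE_LOG):
        print(ip, "is the docker bridge, real_ip is not in effect"
              if logged_ip_is_a_proxy(ip, bridge) else "is a client address")
    # 203.0.113.7 is a documentation address standing in for a real client.
    print("resolved:", resolve_client_ip("172.17.0.1", "203.0.113.7", bridge))
```

The function returns the bridge address unchanged when the header is missing, which is what the deluge log above is showing; it returns the forged value only when the peer itself is inside the trusted range, which is the property that makes banning on the resolved address safe.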
4 hours ago, smakdafrog said:

 

I'm trying to do something similar here, but have been unable to get it to work.  I'm trying to get Fail2ban working with DelugeVPN, using LetsEncrypt reverse proxy.

 

Everything is set up and functional, but in the DelugeVPN logs, I get 172.17.0.0/16 IPs listed from the docker bridge.

******

2018-06-25 13:55:28,812 DEBG 'deluge-web-script' stderr output:
[ERROR   ] 13:55:28 auth:330 Login failed (ClientIP 172.17.0.1)

******

 

I've set up the real ip stuff that I've seen in this thread

******

server {
    listen 443 ssl;
    server_name deluge.domain.com;
    
    set_real_ip_from 172.17.0.0/16;
    real_ip_header X-Forwarded-For;
    real_ip_recursive on;
        
    location / {
        proxy_pass  http://192.168.50.50:8112/;

    }
}

******

 

Not sure how to get the client's actual IP to populate in the DelugeVPN logs instead of the bridge IPs. Anyone have an idea?

 

DelugeVPN uses its VPN tunnel for incoming connections. They don't come through the WAN. Not sure how the host iptables would block that. It may be possible, but I'm not a networking guru.

14 hours ago, aptalca said:

 

DelugeVPN uses its VPN tunnel for incoming connections. They don't come through the WAN. Not sure how the host iptables would block that. It may be possible, but I'm not a networking guru.

 

Even for just the website? (Not the actual download/upload traffic.) Figured if I went to domain.com/deluge, my external IP hitting that site should be able to get logged correctly because it's going through the Nginx reverse proxy to get there.

 

I mainly just want to stop anyone from brute forcing their way into my deluge client.

 

On 6/26/2018 at 2:56 PM, smakdafrog said:

 

Even for just the website? (Not the actual download/upload traffic.) Figured if I went to domain.com/deluge, my external IP hitting that site should be able to get logged correctly because it's going through the Nginx reverse proxy to get there.

 

I mainly just want to stop anyone from brute forcing their way into my deluge client.

 

 

Easier to just use basic auth then. Fail2ban is already pre-configured to ban failed auths with basic HTTP authentication.

Or if you want to get "fancy", lock it behind Organizr server auth and set up fail2ban on Organizr.


I am trying to get nextcloud to work under nextcloud.xxxxx.com 

 

I have sonarr, ombi, etc. working fine under their respective subdomains, but for nextcloud I keep getting a 502 Bad Gateway error (nginx/1.12.2).

I have followed the guide on linuxserver.io, including amending /config/www/nextcloud/config/config.php

 

When accessing the Nextcloud docker from within unraid [unraid IP address:444], I do get the message that Safari cannot access the page securely.

Letsencrypt wise, the certificate is available. 

4 hours ago, bmdegraaf said:

I am trying to get nextcloud to work under nextcloud.xxxxx.com 

 

I have sonarr, ombi, etc. working fine under their respective subdomains, but for nextcloud I keep getting a 502 Bad Gateway error (nginx/1.12.2).

I have followed the guide on linuxserver.io, including amending /config/www/nextcloud/config/config.php

 

When accessing the Nextcloud docker from within unraid [unraid IP address:444], I do get the message that Safari cannot access the page securely.

Letsencrypt wise, the certificate is available. 

 

There is also a preset proxy conf in there for nextcloud on a subdomain. They are under /config/nginx/proxy-confs

