[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Hello everyone, I was wondering if there was a tutorial on how to install and run a WordPress site using the letsencrypt container? I am already using it as a reverse proxy on sub-domains now, but want to host the main domain I own. I am new to the Unraid community but am really enjoying the software, great job!!! Any help would be appreciated.

Thanks

Link to comment
On 11/22/2018 at 4:18 PM, crgcputech79 said:

Hello everyone, I was wondering if there was a tutorial on how to install and run a WordPress site using the letsencrypt container? I am already using it as a reverse proxy on sub-domains now, but want to host the main domain I own. I am new to the Unraid community but am really enjoying the software, great job!!! Any help would be appreciated.

Thanks

No need for a tutorial. Download the WordPress files into the www folder and navigate to the configuration page. Follow the steps on the WordPress website.

Link to comment

Suddenly my configuration is not working. I use this to connect to my Home Assistant from outside my home network. I didn't make any changes, and the only thing I recently did was to update this container to the latest version.

Can anyone help me out to figure out this issue?

Here is the log file:

<------------------------------------------------->
cronjob running on Sun Nov 25 21:48:37 CST 2018
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/xx.my.duckdns.org.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Running pre-hook command: if ps aux | grep [n]ginx: > /dev/null; then s6-svc -d /var/run/s6/services/nginx; fi
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for xx.my.duckdns.org
http-01 challenge for yy.my.duckdns.org
Performing the following challenges:
http-01 challenge for xx.my.duckdns.org
http-01 challenge for yy.my.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (xx.my.duckdns.org) from /etc/letsencrypt/renewal/xx.myduckdns.org.conf produced an unexpected error: Failed authorization procedure. xx.my.duckdns.org (http-01): urn: ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xx.my.duckdns.org/.well-known/acme-challenge/[tokencode]: Timeout during connect (likely firewall problem), yy.my.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://yy.my.duckdns.org/.well-known/acme-challenge/[tokencode]: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xx.my.duckdns.org/fullchain.pem (failure)

 


- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xx.test.duckdns.org/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && sleep 1 && cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem
Hook command "if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: && sleep 1 && cat {privkey,fullchain}.pem > priv-fullchain-bundle.pem" returned error code 1
Error output from if:

 

cat: {privkey,fullchain}.pem: No such file or directory

Link to comment
42 minutes ago, stlrox said:

Suddenly my configuration is not working. I use this to connect to my Home Assistant from outside my home network. I didn't make any changes, and the only thing I recently did was to update this container to the latest version.

Can anyone help me out to figure out this issue?

 


Either your IP on DuckDNS is wrong, or your port forwarding for 80 is wrong (or your ISP blocks port 80).

Link to comment
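The http-01 failure in the log above comes down to the Let's Encrypt validator never reaching port 80 on the public IP, which is what the reply points at. As an added example (not from the thread or the SWAG project), this POSIX shell snippet pulls each failed domain and its ACME error type out of `certbot renew` output and maps the error type to what to check first; the sample log, domain names and token are constructed, and the `acme_*` function names are my own.

```shell
#!/bin/sh
# Constructed sample of `certbot renew` output, modelled on the log posted in the
# thread (placeholder domains and token; not a real capture).
SAMPLE_LOG='Attempting to renew cert (xx.example.duckdns.org) from /etc/letsencrypt/renewal/xx.example.duckdns.org.conf produced an unexpected error: Failed authorization procedure. xx.example.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://xx.example.duckdns.org/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem), yy.example.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://yy.example.duckdns.org/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem). Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/xx.example.duckdns.org/fullchain.pem (failure)'

# Print one "domain<TAB>error-type" line for every failed http-01 authorization
# found in certbot output read from stdin. Also tolerates the "urn: ietf"
# spacing variant that appears in the forum paste.
acme_failures() {
    tab=$(printf '\t')
    grep -oE '[A-Za-z0-9.-]+ \(http-01\): urn: ?ietf:params:acme:error:[A-Za-z]+' \
        | sed -E "s/ \(http-01\): urn: ?ietf:params:acme:error:/$tab/"
}

# Map the ACME error type to what to check first; "connection" is the case in
# the thread (the validator never reached port 80 on the public IP).
acme_hint() {
    case "$1" in
        connection)   echo "port 80 unreachable from the internet: verify the DuckDNS IP, the router port forward, and that the ISP does not block 80" ;;
        unauthorized) echo "something answered on port 80 but not this container: another service owns port 80 or DNS points elsewhere" ;;
        *)            echo "see /var/log/letsencrypt/letsencrypt.log" ;;
    esac
}

# Return 0 when nothing failed, 1 after listing each failed domain with its hint.
check_renewal() {
    failures=$(acme_failures)
    [ -z "$failures" ] && return 0
    tab=$(printf '\t')
    printf '%s\n' "$failures" | while IFS="$tab" read -r domain err; do
        printf '%s: %s -> %s\n' "$domain" "$err" "$(acme_hint "$err")"
    done
    return 1
}

printf '%s\n' "$SAMPLE_LOG" | check_renewal || echo "renewal needs attention"
```

Piping the real cron output into `check_renewal` (for example from a certbot post-hook) gives a non-zero exit to alert on, instead of discovering the expired cert when the proxy stops working.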
6 minutes ago, aptalca said:

Either your IP on DuckDNS is wrong, or your port forwarding for 80 is wrong (or your ISP blocks port 80).

I have the DuckDNS container and it's running to update any changes to the IP address. I also verified the IP address from my router against the IP address on the DuckDNS page, and they both match.

And my ISP doesn't block port 80.

This issue has been happening since last week, and the only thing that was changed was an update to this container.

Link to comment
8 hours ago, stlrox said:

I have the DuckDNS container and it's running to update any changes to the IP address. I also verified the IP address from my router against the IP address on the DuckDNS page, and they both match.

And my ISP doesn't block port 80.

This issue has been happening since last week, and the only thing that was changed was an update to this container.

Actually, it was something you did within the last 2-3 months. The update only caused a forced validation due to expiring certs, and that process failed.

Check your port forwarding on your router.

Link to comment
14 hours ago, aptalca said:

Actually, it was something you did within the last 2-3 months. The update only caused a forced validation due to expiring certs, and that process failed.

Check your port forwarding on your router.

Is there any way to renew from the command line?

Earlier I used Letsencrypt along with Home Assistant on a Raspberry Pi, and every three months I used to renew the Letsencrypt certs manually.

Link to comment

Hi, I was wondering if anyone knows if it's possible to use the reverse proxy aspect of this docker to open a webpage hosted on a VM in Unraid. So, for example, say I hosted a website or installed GitLab in a VM, would I be able to reverse proxy to it with a subdomain? (Not sure if I'm explaining this correctly; this field is really not my element of study.)

Regards,

Bilal Yassine

Link to comment
4 hours ago, Bilal Yassine said:

Hi, I was wondering if anyone knows if it's possible to use the reverse proxy aspect of this docker to open a webpage hosted on a VM in Unraid. So, for example, say I hosted a website or installed GitLab in a VM, would I be able to reverse proxy to it with a subdomain? (Not sure if I'm explaining this correctly; this field is really not my element of study.)

Regards,

Bilal Yassine

Sure, you just use the IP of the VM in the proxy_pass directive.

Link to comment
16 minutes ago, aptalca said:

Sure, you just use the IP of the VM in the proxy_pass directive.

Cool, thanks, I will give it a shot. As a side question: if I had something running on a Raspberry Pi (so obviously not on my Unraid box), could I do the same thing to have the reverse proxy working for it, or is this docker just for things running on Unraid?

Link to comment
3 hours ago, Bilal Yassine said:

Cool, thanks, I will give it a shot. As a side question: if I had something running on a Raspberry Pi (so obviously not on my Unraid box), could I do the same thing to have the reverse proxy working for it, or is this docker just for things running on Unraid?

No, you can reverse proxy anything through the IP address.

Link to comment

 

Oh, thanks, I just watched it and followed it, but I'm stuck when I try to change my dockers to the "proxynet" network. Previously they were "custom:bro" or "bridge".

I get an error like this:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='Radarr' --net='proxynet' --ip='192.168.1.205' --cpuset-cpus='4,6,5,7' -e TZ="Europe/Paris" -e HOST_OS="Unraid" -e 'PUID'='99' -e 'PGID'='100' -p '7878:7878/tcp' -v '/mnt/user/Storage/Downloads/':'/downloads':'rw' -v '/mnt/user/Storage/Movies/':'/movies':'rw' -v '/mnt/user/Docker/Radarr':'/config':'rw' 'linuxserver/radarr'

c034520ca18928484bd0140c2cc31100864be179d22fdcee0f7c8fd761191cc1
/usr/bin/docker: Error response from daemon: user specified IP address is supported only when connecting to networks with user configured subnets.

How can I fix it?

When I don't set a fixed IP and just leave the fixed IP address field empty with network type "custom: proxynet", I get this:

[screenshot]

There is nothing in port mappings, so it doesn't work either.

Then, is it possible to do the same with a web server that I have in a virtual machine on Unraid?

Edited by L0rdRaiden
Link to comment
34 minutes ago, L0rdRaiden said:

Oh, thanks, I just watched it and followed it, but I'm stuck when I try to change my dockers to the "proxynet" network. Previously they were "custom:bro" or "bridge".

I get an error like this:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='Radarr' --net='proxynet' --ip='192.168.1.205' --cpuset-cpus='4,6,5,7' -e TZ="Europe/Paris" -e HOST_OS="Unraid" -e 'PUID'='99' -e 'PGID'='100' -p '7878:7878/tcp' -v '/mnt/user/Storage/Downloads/':'/downloads':'rw' -v '/mnt/user/Storage/Movies/':'/movies':'rw' -v '/mnt/user/Docker/Radarr':'/config':'rw' 'linuxserver/radarr'

c034520ca18928484bd0140c2cc31100864be179d22fdcee0f7c8fd761191cc1
/usr/bin/docker: Error response from daemon: user specified IP address is supported only when connecting to networks with user configured subnets.

How can I fix it?

When I don't set a fixed IP and just leave the fixed IP address field empty with network type "custom: proxynet", I get this:

[screenshot]

There is nothing in port mappings, so it doesn't work either.

Then, is it possible to do the same with a web server that I have in a virtual machine on Unraid?


First set it to the regular bridge and set up your port forwards if you like. Save and exit. Go into the container settings one more time, change it to proxynet, don't enter an IP and hit save.

Unraid doesn't recognize your proxynet as a custom bridge network (it assumes it is macvlan), so if you try to change port mappings after selecting proxynet, Unraid won't do it properly.

Link to comment
59 minutes ago, aptalca said:

First set it to the regular bridge and set up your port forwards if you like. Save and exit. Go into the container settings one more time, change it to proxynet, don't enter an IP and hit save.

Unraid doesn't recognize your proxynet as a custom bridge network (it assumes it is macvlan), so if you try to change port mappings after selecting proxynet, Unraid won't do it properly.

Thanks, it works now :)

The only issue is that my docker container has a capital letter, "Netdata", and it only works if I call it "netdata" instead. In the nginx conf file it doesn't make any difference if I call it "Netdata":

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_netdata Netdata;
        proxy_pass http://$upstream_netdata:19999;

It doesn't bother me a lot, but is it possible to have a capital letter in the docker name and change the conf file accordingly?

Edited by L0rdRaiden
Link to comment
4 hours ago, L0rdRaiden said:

Thanks, it works now :)

The only issue is that my docker container has a capital letter, "Netdata", and it only works if I call it "netdata" instead. In the nginx conf file it doesn't make any difference if I call it "Netdata".

It doesn't bother me a lot, but is it possible to have a capital letter in the docker name and change the conf file accordingly?

That's a DNS hostname resolution thing, not nginx's fault. Use all lowercase in container names or define a network alias for the container.

Link to comment
