Coolsaber57 Posted December 16, 2018
22 hours ago, aptalca said:
Sounds like you just had to retrace your steps to identify the issue. Glad it works now
Heh yep, now I'm trying to figure out how to set up services that don't have any of the sample proxy.confs, e.g.: Unraid GUI (maybe), OnlyOffice Community and Document Servers.
teh0wner Posted December 16, 2018
I've been trying to set up nginx to work with .htpasswd so I can leverage fail2ban (and make the whole reverse proxy business more secure) but can't seem to get it working. I followed the steps below:
1 - Uncomment the auth_basic and auth_basic_user_file lines in letsencrypt/nginx/proxy-conf/
2 - Used the following command to generate and add a username/password to .htpasswd: "docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd <username>"
However, I keep getting the username/password prompt, as if the username/password I enter is incorrect.
Also, I'm trying to find out whether fail2ban works properly as it seems I might have blocked my IP (oops) but can't figure out how to list banned IPs (and unban them) - I've had to resort to testing from my 4G network.
Any help appreciated (and any more tips on how to make a reverse proxy more secure, greatly appreciated)
Thanks
strike Posted December 17, 2018
You're probably missing something in your site config like the include syntax. Anyways, everything you want to know is in here: https://technicalramblings.com/blog/banning-with-http-auth-and-fail2ban/
He also has a guide on how to use the GeoIP database to block IPs based on countries, which I think you should check out.
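The placement point in the reply above is the whole story: auth_basic and auth_basic_user_file only protect the server or location block that actually answers the request, so enabling them in a sample conf that is never included, or in the default site while the app is served by its own subdomain conf, leaves the app open and the login prompt looping. As an added example, not from this thread or from the linuxserver project, here is a subdomain proxy conf with basic auth set at server level so every location inherits it; the file name, the sonarr upstream container name and port 8989 are assumptions, and the fail2ban jail name in the comment is the one the image's default jail.local carries.

```nginx
# /config/nginx/proxy-confs/sonarr.subdomain.conf  (assumed file name; added example)
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name sonarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # Basic auth for the whole virtual host; every location below inherits it.
    # A rejected login makes nginx write a "user ... password mismatch" or
    # "was not found in" line to /config/log/nginx/error.log, which is what
    # the image's nginx-http-auth fail2ban jail matches on.
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;      # container name on the custom docker network (assumed)
        proxy_pass http://$upstream_sonarr:8989;
    }

    # Mobile apps talk to the API with the app's own API key, not a browser
    # login, so only this path is exempted; everything else stays behind auth.
    location ~ ^/api {
        auth_basic off;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }
}
```

Two practical notes. htpasswd -c creates the file, so use it for the first user only; running it again with -c recreates the file and silently drops every existing entry, which produces exactly the "my password is never accepted" symptom. For the lock-out question, fail2ban-client status (run inside the container with docker exec) lists the jails, fail2ban-client status nginx-http-auth shows the addresses currently banned by that jail, and fail2ban-client set nginx-http-auth unbanip <ip> lifts a ban immediately.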
Coolsaber57 Posted December 17, 2018
Hmm, I thought I had this working before, but I'm having a little trouble getting Sabnzbd to work. I've got the CNAME set up already, and here's my proxy-conf for Sab:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name sabnzbd.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sabnzbd binhex-sabnzbd;
        proxy_pass http://$upstream_sabnzbd:8800;
    }

    location ~ (/sabnzbd)?/api {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sabnzbd binhex-sabnzbd;
        proxy_pass http://$upstream_sabnzbd:8800;
    }
}

Note that my Sabnzbd port is 8800, and not 8080. I keep getting 502 bad gateway when attempting to access the site using the reverse proxy. Anything I should check?
Edit: Posting in these threads apparently is the magic step, because I just realized I need to keep the port at 8080 because it's the Docker network I created where it's looking for the Sab GUI.
Edited December 17, 2018 by Coolsaber57
teh0wner Posted December 17, 2018
I've been trying to get auto-redirect from http to https (including subdomains) all night but can't seem to get it working. It seems going from http://subdomain.mydomain.com always redirects to https://mydomain.com. For example I'd like http://sonarr.mydomain.com to automatically redirect to https://sonarr.mydomain.com
I've added the following in nginx.conf in the http block just below the brace:

server {
    listen 80;
    server_name mydomain.com;
    return 301 https://$server_name$request_uri;
}

In whole, here's my nginx.conf - nothing else has been modified besides the "custom" stuff

## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf

user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Custom
    ##

    server {
        listen 80;
        server_name mydomain.com;
        return 301 https://$server_name$request_uri;
    }

    # don't send the nginx version number in error pages and Server header
    server_tokens off;

    # config to don't allow the browser to render the page inside an frame or iframe
    # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
    # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    add_header X-Frame-Options SAMEORIGIN;

    # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
    # to disable content-type sniffing on some browsers.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    # currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
    # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
    # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
    add_header X-Content-Type-Options nosniff;

    # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
    # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
    # this particular website if it was disabled by the user.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-XSS-Protection "1; mode=block";

    # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
    # you can tell the browser that it can only download content from the domains you explicitly allow
    # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    # https://www.owasp.org/index.php/Content_Security_Policy
    # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
    # directives for css and js(if you have inline css or js, you will need to keep it too).
    # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    client_max_body_size 0;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /config/log/nginx/access.log;
    error_log /config/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /config/nginx/site-confs/*;
}

Thanks
Edited December 18, 2018 by teh0wner
aptalca Posted December 17, 2018
14 hours ago, teh0wner said:
I've been trying to get auto-redirect from http to https (including subdomains) all night but can't seem to get it working. It seems going from http://subdomain.mydomain.com always redirects to https://mydomain.com. For example I'd like http://sonarr.mydomain.com to automatically redirect to https://sonarr.mydomain.com
(quoted nginx.conf omitted: it is a verbatim copy of the one in the post above)
Remove that bit from nginx.conf, open the default site config and you'll see the message about https redirect at the top
Edited December 18, 2018 by aptalca
teh0wner Posted December 18, 2018
11 hours ago, aptalca said:
Remove that bit from nginx.conf, open the default site config and you'll see the message about https redirect at the top
That did the trick! Thanks!
teh0wner Posted December 18, 2018
On 12/17/2018 at 3:27 AM, strike said:
You're probably missing something in your site config like the include syntax. Anyways, everything you want to know is in here: https://technicalramblings.com/blog/banning-with-http-auth-and-fail2ban/
He also has a guide on how to use the GeoIP database to block IPs based on countries, which I think you should check out.
Thanks for that - managed to get it working. Now trying to get GeoIP to work, but banging my head against the wall. Followed his instructions step by step, but everything seems to come through regardless of location.
My nginx.conf looks as follows:

## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf

user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Custom
    ##

    geoip_country /config/geoip/GeoIPv6.dat;

    # LOCAL IP ALLOW GEO BLOCK
    geo $lan-ip {
        default no;
        192.168.1.0/24 yes;
    }

    # GEO IP BLOCK SITE 1
    map $geoip_country_code $allowed_country {
        default no;
        UK yes;
    }

    # don't send the nginx version number in error pages and Server header
    server_tokens off;

    # config to don't allow the browser to render the page inside an frame or iframe
    # and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
    # if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
    # https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
    add_header X-Frame-Options SAMEORIGIN;

    # when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
    # to disable content-type sniffing on some browsers.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    # currently supported in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
    # http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
    # 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
    add_header X-Content-Type-Options nosniff;

    # This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
    # It's usually enabled by default anyway, so the role of this header is to re-enable the filter for
    # this particular website if it was disabled by the user.
    # https://www.owasp.org/index.php/List_of_useful_HTTP_headers
    add_header X-XSS-Protection "1; mode=block";

    # with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
    # you can tell the browser that it can only download content from the domains you explicitly allow
    # http://www.html5rocks.com/en/tutorials/security/content-security-policy/
    # https://www.owasp.org/index.php/Content_Security_Policy
    # I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
    # directives for css and js(if you have inline css or js, you will need to keep it too).
    # more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
    add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    client_max_body_size 0;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /config/log/nginx/access.log;
    error_log /config/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /config/nginx/site-confs/*;
}

#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen     localhost:110;
#        protocol   pop3;
#        proxy      on;
#    }
#
#    server {
#        listen     localhost:143;
#        protocol   imap;
#        proxy      on;
#    }
#}
daemon off;

My default as follows:

## Version 2018/09/12 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

# main server block
server {

    # LOCAL IP ALLOW GEO BLOCK
    if ($lan-ip = yes) {
        set $allowed_country yes;
    }

    # COUNTRY GEO BLOCK
    if ($allowed_country = no) {
        return 403;
    }

    listen 443 ssl default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    #Custom
    add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    client_max_body_size 0;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#    location ^~ /cp {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050/cp;
#    }

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name cp.*;
#
#    include /config/nginx/ssl.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050;
#    }
#}

# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name heimdall.*;
#
#    include /config/nginx/ssl.conf;
#
#    include /config/nginx/ldap.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        # the next two lines will enable ldap auth along with the included ldap.conf in the server block
#        auth_request /auth;
#        error_page 401 =200 /login;
#
#        include /config/nginx/proxy.conf;
#        resolver 127.0.0.11 valid=30s;
#        set $upstream_heimdall heimdall;
#        proxy_pass https://$upstream_heimdall:443;
#    }
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;

# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

I've tried placing the if blocks in various parts in the server block but no matter where I put them, it won't work. I'm also 100% sure /config/geoip/GeoIPv6.dat exists with 911 permissions.
Any ideas?
strike Posted December 18, 2018
Try to move the geoIP part away from your main server block to after the location ~ \.php$ part in your default site config so it looks like this:

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

    # LOCAL IP ALLOW GEO BLOCK
    if ($lan-ip = yes) {
        set $allowed_country yes;
    }

    # COUNTRY GEO BLOCK
    if ($allowed_country = no) {
        return 403;
    }

Edit: And remember to restart the container
Edited December 18, 2018 by strike
teh0wner Posted December 18, 2018
13 minutes ago, strike said:
Try to move the geoIP part away from your main server block to after the location ~ \.php$ part in your default site config so it looks like this:

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

    # LOCAL IP ALLOW GEO BLOCK
    if ($lan-ip = yes) {
        set $allowed_country yes;
    }

    # COUNTRY GEO BLOCK
    if ($allowed_country = no) {
        return 403;
    }

Edit: And remember to restart the container
Thanks for this. No luck unfortunately; gets me straight through to the login prompt
strike Posted December 18, 2018
How are you testing to check if you get blocked or not? Remember you told it to ignore your LAN IP so you must test from outside your LAN. I can't see any obvious reason why it won't work.
teh0wner Posted December 18, 2018
56 minutes ago, strike said:
How are you testing to check if you get blocked or not? Remember you told it to ignore your LAN IP so you must test from outside your LAN. I can't see any obvious reason why it won't work.
I've tried various ways including using a VPN connected to a 'blocked' country, using a proxy and an online proxy website. All while accessing my domain.
teh0wner Posted December 19, 2018
I've destroyed the container and created one from scratch - and still have the exact same issue. I've followed the steps for a reverse proxy from SpaceInvader One's video (https://www.youtube.com/watch?v=I0lhZc25Sro) and GeoIP set-up from https://technicalramblings.com/blog/blocking-countries-with-geoip2-using-the-letsencrypt-docker-container/
Gobs Posted December 19, 2018
On 11/5/2018 at 3:08 PM, Gobs said:
@happyagnostic So I tried that (adding port forward 32400, protocol = TCP) and adding the lines that you wrote. The good news: I can actually open the Plex GUI now, but I just get a page saying: Plex is not reachable. Make sure your server has an internet connection and any firewalls or other programs are set to allow access. So back to square one. (This is when I run it in custom bridge mode - if I run it in host mode, I can at least access my files but still get complaints about not being able to reach Plex and I can't sign in).
@happyagnostic So I only just found out what was wrong - having done what you suggested (port forwarding parameters + using Plex with the custom network) I was able to reach my plex, but it still said server unreachable. This was because I use uMatrix to prevent websites from loading scripts, and it was preventing access to plex.tv, so I disabled this and everything works fine now, I'm so happy!
I'm still a bit confused as to how the port forwarding works. If I understand correctly, a request goes to plex.mydomain.com through port 443, which is then forwarded to port 1443 by my router, letsencrypt / nginx receives this request then forwards it to port 32400 on the plex docker? Does that sound about right?
strike Posted December 19, 2018
45 minutes ago, teh0wner said:
I've destroyed the container and created one from scratch - and still have the exact same issue. I've followed the steps for a reverse proxy from SpaceInvader One's video (https://www.youtube.com/watch?v=I0lhZc25Sro) and GeoIP set-up from https://technicalramblings.com/blog/blocking-countries-with-geoip2-using-the-letsencrypt-docker-container/
Since you started from scratch, please post your nginx.conf and your default site config again.
strike Posted December 19, 2018
Anyone using ldap authentication here? Are there any security benefits from using ldap auth vs basic auth?
aptalca Posted December 19, 2018
27 minutes ago, strike said:
Anyone using ldap authentication here? Are there any security benefits from using ldap auth vs basic auth?
Not sure about security but the main benefit of ldap is you can have different authentication levels for users and groups easily
strike Posted December 19, 2018
34 minutes ago, aptalca said:
Not sure about security but the main benefit of ldap is you can have different authentication levels for users and groups easily
Got it, thanks.
teh0wner Posted December 19, 2018
2 hours ago, strike said:
Since you started from scratch, please post your nginx.conf and your default site config again.
It looks very similar to the last one but here they are:

nginx.conf:

## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf

user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {

    ##
    # Custom
    ##

    geoip_country /config/geoip/GeoIPv6.dat;

    geo $lan-ip {
        default no;
        192.168.1.0/24 yes;
    }

    map $geoip_country_code $allowed_country {
        default no;
        UK yes;
    }

    ##
    # Basic Settings
    ##

    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    server_tokens off;

    # server_names_hash_bucket_size 64;
    # server_name_in_redirect off;

    client_max_body_size 0;

    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # Logging Settings
    ##

    access_log /config/log/nginx/access.log;
    error_log /config/log/nginx/error.log;

    ##
    # Gzip Settings
    ##

    gzip on;
    gzip_disable "msie6";

    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # nginx-naxsi config
    ##
    # Uncomment it if you installed nginx-naxsi
    ##

    #include /etc/nginx/naxsi_core.rules;

    ##
    # nginx-passenger config
    ##
    # Uncomment it if you installed nginx-passenger
    ##

    #passenger_root /usr;
    #passenger_ruby /usr/bin/ruby;

    ##
    # Virtual Host Configs
    ##

    include /etc/nginx/conf.d/*.conf;
    include /config/nginx/site-confs/*;
}

#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen     localhost:110;
#        protocol   pop3;
#        proxy      on;
#    }
#
#    server {
#        listen     localhost:143;
#        protocol   imap;
#        proxy      on;
#    }
#}
daemon off;

default:

## Version 2018/09/12 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    client_max_body_size 0;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

    # LOCAL IP ALLOW GEO BLOCK
    if ($lan-ip = yes) {
        set $allowed_country yes;
    }

    # COUNTRY GEO BLOCK
    if ($allowed_country = no) {
        return 444;
    }

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#    location ^~ /cp {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050/cp;
#    }

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name cp.*;
#
#    include /config/nginx/ssl.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050;
#    }
#}

# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name heimdall.*;
#
#    include /config/nginx/ssl.conf;
#
#    include /config/nginx/ldap.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        # the next two lines will enable ldap auth along with the included ldap.conf in the server block
#        auth_request /auth;
#        error_page 401 =200 /login;
#
#        include /config/nginx/proxy.conf;
#        resolver 127.0.0.11 valid=30s;
#        set $upstream_heimdall heimdall;
#        proxy_pass https://$upstream_heimdall:443;
#    }
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;

# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

Thanks in advance. Really appreciate your efforts to help me out.
strike Posted December 19, 2018
Hmm... I still can't see anything wrong with that. No errors in the log either? It's a long shot, but the only thing I can think of is to remove the comment before geoip_country /config/geoip/GeoIPv6.dat; in your nginx.conf, restart the container and test again. It says in the guide you should put the geo ip part right after http { But then again I can't see why comments should affect that either, as I said a long shot. If all else fails you can try to put it in your proxy conf files instead of the default site config and see if that makes a difference.
teh0wner Posted December 19, 2018 (edited)

1 hour ago, strike said:
Hmm.. I still can't see anything wrong with that. No errors in the log either? It's a long shot, but the only thing I can think of is to remove the comment before geoip_country /config/geoip/GeoIPv6.dat; in your nginx.conf, restart the container and test again. It says in the guide you should put the geo ip part right after http {. But then again I can't see why comments should affect that either, as I said a long shot. If all else fails you can try to put it in your proxy conf files instead of the default site config and see if that makes a difference.

Removing the comment didn't seem to work. A few things that might trigger a few thoughts:

Running nginx -t when I connect to the docker container gives me:

root@f973a7ead368:/$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] open() "/run/nginx/nginx.pid" failed (2: No such file or directory)
nginx: configuration file /etc/nginx/nginx.conf test failed

I've tried a small test to see if default even gets triggered, but it looks like it doesn't. Is that even possible? I've changed my default to (see below), but it goes through to Sonarr just fine without returning the code and message.
## Version 2018/09/12 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

# main server block
server {
    location / {
        return 200 "Country code is : $geoip_country_code";
        #try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    listen 443 ssl default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    # enable for ldap auth
    #include /config/nginx/ldap.conf;

    client_max_body_size 0;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

    # LOCAL IP ALLOW GEO BLOCK
    if ($lan-ip = yes) {
        set $allowed_country yes;
    }

    # COUNTRY GEO BLOCK
    if ($allowed_country = no) {
        return 444;
    }

    # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
    # notice this is within the same server block as the base
    # don't forget to generate the .htpasswd file as described on docker hub
    #location ^~ /cp {
    #    auth_basic "Restricted";
    #    auth_basic_user_file /config/nginx/.htpasswd;
    #    include /config/nginx/proxy.conf;
    #    proxy_pass http://192.168.1.50:5050/cp;
    #}
}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name cp.*;
#
#    include /config/nginx/ssl.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
#        include /config/nginx/proxy.conf;
#        proxy_pass http://192.168.1.50:5050;
#    }
#}

# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
#    listen 443 ssl;
#
#    root /config/www;
#    index index.html index.htm index.php;
#
#    server_name heimdall.*;
#
#    include /config/nginx/ssl.conf;
#
#    include /config/nginx/ldap.conf;
#
#    client_max_body_size 0;
#
#    location / {
#        # the next two lines will enable ldap auth along with the included ldap.conf in the server block
#        auth_request /auth;
#        error_page 401 =200 /login;
#
#        include /config/nginx/proxy.conf;
#        resolver 127.0.0.11 valid=30s;
#        set $upstream_heimdall heimdall;
#        proxy_pass https://$upstream_heimdall:443;
#    }
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;

# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

However, putting it in my Sonarr config server block returns 200 with the country code just fine. Edit: For completeness' sake, here's my sonarr.subdomain.conf, which seems to work.
# make sure that your dns has a cname set for sonarr and that your sonarr container is not using a base url
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name sonarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # LOCAL IP ALLOW GEO BLOCK
    if ($lan-ip = yes) {
        set $allowed_country yes;
    }

    # COUNTRY GEO BLOCK
    if ($allowed_country = no) {
        return 444;
    }

    location / {
        # enable the next two lines for http auth
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }

    location ~ (/sonarr)?/api {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }
}

Edited December 19, 2018 by teh0wner
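The observation in the post above (a `return 200` in the default site config is never hit for the Sonarr hostname, while the same lines inside sonarr.subdomain.conf work) comes down to which `server` block nginx selects for a request. As an added example, not code from this thread or from the linuxserver.io container, the following Python script models that selection and shows where a per-server LAN/country check takes effect. It is a simplification of nginx's rules (one listen socket, no regex server names), and every hostname, address, network and country code in it is a constructed sample value; `LAN_NETS` and the `allowed` tuples stand in for whatever a `geo $lan-ip` and `$allowed_country` map would contain.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple

# Constructed stand-in for the private ranges a `geo $lan-ip` map would mark "yes".
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class ServerBlock:
    """One `server { ... }` block: its server_name values, whether it is the
    default_server for the listen socket, whether it carries the LAN-allow /
    country-block `if` pair, and which country codes that pair lets through
    (a constructed stand-in for the `$allowed_country` map)."""
    names: Tuple[str, ...]
    default_server: bool = False
    geo_block: bool = False
    allowed: Tuple[str, ...] = ()


def select_server(blocks: List[ServerBlock], host: str) -> ServerBlock:
    """Approximate nginx server_name selection for one listen socket:
    exact name, then longest leading wildcard (*.example.com), then longest
    trailing wildcard (sonarr.*), then the default_server (nginx falls back
    to the first block when none is marked).  Regex names are not modelled."""
    host = host.lower().rstrip(".")
    for b in blocks:
        if any(n.lower() == host for n in b.names):
            return b
    for leading in (True, False):
        best, best_len = None, -1
        for b in blocks:
            for n in (x.lower() for x in b.names):
                if leading:
                    hit = n.startswith("*.") and host.endswith(n[1:])
                else:
                    hit = n.endswith(".*") and host.startswith(n[:-1])
                if hit and len(n) > best_len:
                    best, best_len = b, len(n)
        if best is not None:
            return best
    return next((b for b in blocks if b.default_server), blocks[0])


def is_lan(client_ip: str) -> bool:
    """The `$lan-ip = yes` test: is the client inside one of LAN_NETS?"""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in LAN_NETS)


def handle(blocks: List[ServerBlock], host: str, client_ip: str, country: str) -> int:
    """Status nginx would produce before reaching any location/proxy_pass:
    444 (connection closed) if the selected block's geo check rejects the
    client, otherwise 200 meaning 'carry on to the location handlers'."""
    srv = select_server(blocks, host)
    if srv.geo_block and not (is_lan(client_ip) or country in srv.allowed):
        return 444
    return 200


# Constructed layouts.  "GB" is a sample allowed country, not the poster's.
DEFAULT = ServerBlock(("_",), default_server=True, geo_block=True, allowed=("GB",))
# Layout A: only the default site config has the geo `if`s; the subdomain conf does not.
LAYOUT_A = [DEFAULT, ServerBlock(("sonarr.*",))]
# Layout B: the subdomain conf carries its own copy of the geo `if`s.
LAYOUT_B = [DEFAULT, ServerBlock(("sonarr.*",), geo_block=True, allowed=("GB",))]

SAMPLE_REQUESTS = [  # (Host header, client IP, GeoIP country) - all constructed
    ("sonarr.example.com", "203.0.113.9", "XX"),    # foreign client, proxied host
    ("sonarr.example.com", "192.168.1.20", "XX"),   # LAN client, proxied host
    ("unknown.example.com", "203.0.113.9", "XX"),   # foreign client, no matching block
]

if __name__ == "__main__":
    for label, layout in (("A: geo in default only", LAYOUT_A),
                          ("B: geo in each block", LAYOUT_B)):
        print(label)
        for host, ip, cc in SAMPLE_REQUESTS:
            srv = select_server(layout, host)
            print(f"  {host:<22} {ip:<14} {cc}  -> block {srv.names[0]:<9} "
                  f"status {handle(layout, host, ip, cc)}")
```

Running it shows the point of the thread: in layout A the foreign client reaches Sonarr (status 200) because `sonarr.*` wins the name match and that block has no geo check, while the same client sending an unknown Host lands in the default block and is closed with 444. Only layout B, where the subdomain conf carries its own `if`s (or where the check lives at a level every server block includes), rejects the foreign client on the Sonarr hostname.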
microservices Posted December 20, 2018

Hello, I know this image is alpine based but I was wondering if TLSv1.3 support is enabled yet? Thanks for the wonderful container and the work the team at @linuxserver.io do to maintain it!
nekromantik Posted December 21, 2018

I know it's probably not going to happen but would there be any chance to create a version of this container with the naxsi module built in?
aptalca Posted December 21, 2018

4 hours ago, microservices said:
Hello, I know this image is alpine based but I was wondering if TLSv1.3 support is enabled yet? Thanks for the wonderful container and the work the team at @linuxserver.io do to maintain it!

I believe you can just enable it in the ssl.conf
aptalca Posted December 21, 2018

58 minutes ago, nekromantik said:
I know it's probably not going to happen but would there be any chance to create a version of this container with the naxsi module built in?

No naxsi package module in alpine 3.8 repo