[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



34 minutes ago, dbinott said:

I thought I saw somewhere that the certs are supposed to be auto-updated, but I keep getting emails from LE that it's going to expire and now expires in 10 days. Is there a way to just do it manually?

Read the last few posts

4 hours ago, blaine07 said:

Certs this time aren't expired; last time when they were due up for renewal they didn't renew, but that was resolved by the addition of a fictitious site, starting up and getting errors, removing it and restarting, and the certs renewed. Seems like a lot are having some issue at some capacity with certs not auto-renewing for some reason though.

You keep insinuating that a lot of people are having renewal issues, therefore there must be something wrong with the image. However,

1) Users aren't even checking whether their certs are really expiring, which can be easily done in a browser by clicking on the lock icon, but instead rely on an e-mail that is non-specific and may not even be about the cert that is currently used (you included)

2) Nobody's checking their logs to see what the issues may be that cause a non-renewal (also you included)

 

The logs are rotated weekly and 52 log files are kept. That means you have up to a year's worth of renewal attempt logs. Feel free to go back and find the ones that failed and if you really do identify a bug with the image, we'll fix it.

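The first of aptalca's two points, checking the certificate the proxy actually serves rather than trusting the expiry e-mail, can be done from a terminal as well as from the browser's lock icon. The script below is an added example written for this page in Python (standard library only); it is not code from the image or from anyone in the thread. The hostname is a placeholder, and the 30-day figure is certbot's default renewal window rather than a setting of the image. The hostname is sent via SNI so that, on a proxy holding several certificates, the one reported is the one a browser would be shown for that name.

```python
"""Which certificate does the proxy actually serve, and how long is left on it?

Added example (not from the thread or the SWAG image): the command-line
equivalent of clicking the lock icon. A Let's Encrypt expiry e-mail names a
certificate, not necessarily the one nginx is serving, so this asks the proxy
itself, with SNI set to the hostname so the answer is the cert a browser sees.
"""
import socket
import ssl
import time
from typing import Optional

# certbot default, not a setting of this image: 'certbot renew' acts once
# fewer than 30 days of validity remain.
RENEW_WINDOW_DAYS = 30


def to_epoch(cert_time: str) -> float:
    """Parse the notAfter format returned by ssl.getpeercert(), e.g.
    'Jun  2 11:01:00 2019 GMT', into seconds since the epoch (UTC)."""
    return ssl.cert_time_to_seconds(cert_time)


def days_remaining(not_after: str, now_epoch: Optional[float] = None) -> float:
    """Days until expiry relative to now_epoch (default: the current time);
    negative once the certificate has expired."""
    if now_epoch is None:
        now_epoch = time.time()
    return (to_epoch(not_after) - now_epoch) / 86400


def classify(days: float) -> str:
    if days < 0:
        return "expired"
    if days < RENEW_WINDOW_DAYS:
        return "inside renewal window: certbot should already have renewed this"
    return "ok"


def report(cert: dict, now_epoch: Optional[float] = None) -> dict:
    """Summarise a getpeercert() dict: DNS names covered, expiry, and status."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days = days_remaining(cert["notAfter"], now_epoch)
    return {
        "names": names,
        "not_after": cert["notAfter"],
        "days_remaining": round(days, 1),
        "status": classify(days),
    }


def check_host(hostname: str, port: int = 443, timeout: float = 5.0) -> dict:
    """TLS handshake with SNI=hostname and full verification.

    Caveat: with verification on, an expired or mismatched certificate aborts
    the handshake before getpeercert() can return anything, and the stdlib
    exposes no certificate fields in that case. The OpenSSL verify message
    ('certificate has expired') is reported instead, which still answers the
    question the e-mail left open.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return report(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return {"names": [hostname], "status": f"verification failed: {exc.verify_message}"}


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    print(check_host(host))
```

Run it once per subdomain you publish, since each server block may be serving a different certificate than the one the e-mail is about. A status of "inside renewal window" on a healthy install means the nightly renew job has not been succeeding, which is the point at which the renewal log, not the image, is the thing to read.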

I never said there was anything wrong with the image at all. Ray Charles could see all the comments with people having issues getting them to renew, though; consensus on WHY, I haven't a clue. I wouldn't have any idea if there was something wrong with the image; that's way beyond my skill set, and I know that, so who would I be to say there is definitively something wrong with the image? I DID say certs not renewing seems to be common; I didn't further specify whether it was the image's fault or the end user's fault.

Wasn't aware logs are kept 52 weeks, thanks! Mine is due to expire in October, so I'll see what happens there. I just know that last time it was due to renew it didn't do it on its own, and I had to do as I mentioned above to get them renewed. Perhaps a one-time fluke for all I know, but seeing others having issues getting them to renew piqued my interest.

You mentioned a lot of users jack with port 80 or DNS mappings, and I asked how one would know they had, as it's entirely possible I unknowingly did. Still not sure where or in what config those get changed.

Regardless, calm down, I'm grateful for all the work that goes into building and maintaining these dockers. I'm not retarded; it's a lot of time, work and effort to maintain these. I'm also well aware that about 4.9/5 of all the issues you guys deal with in relation to these are end-user idiocy problems. I'm not positive if you felt I was being rude or what the deal is, but I most certainly wasn't intending to be.

Okay. I'm stumped...

 

I can't get letsencrypt to see port 80 or 443. Ports are forwarded correctly. (Just replaced the router too....) Turned in the Suddenlink modem and bought my own (a Netgear CM700, which I have actually had for about a year and never activated, and finally have). Called "tech support" 4 times now just to be told they don't block ports. Ports are blocked by their modem, and if I have my own, no ports are blocked. Yet both ports are closed.

I set up an Ubuntu VM with ownCloud which would redirect but only listened on port 443, even though I forwarded both those ports to the VM.

Not sure if it makes any sense, but even when I try to use my domain I get "Refused to connect".

Any ideas where I should be looking?

 

Am I missing something?

 

 

[Attached screenshots: netstat on Unraid, router port forwards, letsencrypt log, letsencrypt container settings]

It's all working from here. Check your Sonarr if you don't believe me. You really should password-protect those services.
The faster the better, otherwise the interwebs will have their way with you, and leave you without a lobster dinner and an almost empty jar of Vaseline.


Hey guys,

 

I have a little problem with my reverse-proxy config for dokuwiki. I am using the new ls.io dokuwiki docker and I am not sure what I am doing wrong. I have used the sample config and modified it to my needs.

You can find it here: DokuWiki Nginx Conf

 

The docker container has the name "dokuwiki" and the network interface is changed to my user-defined proxynet. The port also matches. The CNAME is registered too and working, since I get a 502 from nginx. That's why I think it should be something with the config.

 

Dokuwiki docker is running fine and I can reach it locally. Other containers like collabora, nextcloud or ombi work totally fine this way.

 

I hope someone has an idea.

 

Thx.

[Attached screenshot: dokuwiki container config]

11 hours ago, aptalca said:

It's all working from here. Check your sonarr if you don't believe me 😁 you really should password protect those services

Hahhaha, Thanks for that, I just realised you have to type https in the header

 

Update, Now using cloudflare dns I can access it without typing https in the header

 

However, I do have a quick question: can I make my Heimdall container go to www.mydomain.com or server.mydomain.com rather than heimdall.mydomain.com?

2 hours ago, MarkPla7z said:

However I do have a quick question which is can I make my heimdall container, go to www.mydomain.com or server.mydomain.com rather than heimdall.mydomain.com

Yup, edit the heimdall subdomain conf and change the server_name directive to www.* or server.*

5 hours ago, darkreeper said:

The docker container has the name "dokuwiki" and the network interface is changed to my user-defined proxynet. The port also matches. The CNAME is registered too and working, since I get a 502 from nginx. That's why I think it should be something with the config.

Don't change the port in the proxy confs

2 minutes ago, aptalca said:

Yup, edit the heimdall subdomain conf and change the server name directive to www.* or server.*

Ok, Perfect Thank you so much


@deepthought

 

I changed those settings and I'm still getting the same issue on my end, I guess the next step would be to revert to default settings and see if that fixes the issue?

 

Also just to confirm I have the right ports, I did attach a screenshot of my letsencrypt docker ports

 

edit:  Another thing I just noticed, is that if I type my normal duckdns URL without the /sonarr behind it, it does bring me to my router settings from inside my network and doesn't give me any errors.

 

Edit2:  I did reset everything to default and kept the same settings as I posted with no fixes.  :(

 

[Attached screenshots (3), including the letsencrypt docker port mappings]


I could use a little help. I've got the LetsEncrypt docker setup and it's working for things like Emby no problem.

 

Now I am trying to set up some websites for testing. I managed to get a WordPress site working with a .conf file in the site-confs folder so that it uses a subdomain of my domain. So that much works. I've also tried setting up a phpBB forum on its own subdomain, but that isn't working. I add the .conf file for nginx that comes with phpBB to the site-confs folder (modified with my domain details) and I just get an error that it can't connect, and the default site and the WordPress site stop working as well.

I've tried searching but have not come across anything that has worked so far. Anyone who has successfully gotten phpBB to work with this docker have any ideas?

1 hour ago, kelmino said:

Another thing I just noticed is that if I type my normal duckdns URL without the /sonarr behind it, it does bring me to my router settings from inside my network and doesn't give me any errors.
I was experiencing similar redirections before I got this working, so it still sounds like a similar issue.  My first thought was to have you delete and re-create the port forwards while the LAN interface option is set correctly - I'm not sure if the loopback stuff is set correctly if the rules are created while other parameters are bad.  But if you started from a fresh default config then there's no point in trying again I guess.

 

I'll post my edgeos and docker configs later this evening and you can compare yours to mine.  

 

 


@kelmino

 

See below for my edgeos config and letsencrypt settings.  Might be helpful to compare our edgeos configs - mine is only very mildly modified from the default config created via the Basic Setup wizard. 

 

One thing I notice is that your network type for letsencrypt differs from mine - you're using the default bridge mode instead of a custom proxy network.  The Spaceinvader One tutorial I followed had a section on this, and while I won't pretend to understand the specifics of it, here is the link for that portion of the video:  https://youtu.be/I0lhZc25Sro?t=692.  Might be worth checking out.

 

 

firewall {
    all-ping enable
    broadcast-ping disable
    ipv6-name WANv6_IN {
        default-action drop
        description "WAN inbound traffic forwarded to LAN"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    ipv6-name WANv6_LOCAL {
        default-action drop
        description "WAN inbound traffic to the router"
        enable-default-log
        rule 10 {
            action accept
            description "Allow established/related sessions"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
        rule 30 {
            action accept
            description "Allow IPv6 icmp"
            protocol ipv6-icmp
        }
        rule 40 {
            action accept
            description "allow dhcpv6"
            destination {
                port 546
            }
            protocol udp
            source {
                port 547
            }
        }
    }
    ipv6-receive-redirects disable
    ipv6-src-route disable
    ip-src-route disable
    log-martians enable
    name WAN_IN {
        default-action drop
        description "WAN to internal"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    name WAN_LOCAL {
        default-action drop
        description "WAN to router"
        rule 10 {
            action accept
            description "Allow established/related"
            state {
                established enable
                related enable
            }
        }
        rule 20 {
            action drop
            description "Drop invalid state"
            state {
                invalid enable
            }
        }
    }
    receive-redirects disable
    send-redirects enable
    source-validation disable
    syn-cookies enable
}
interfaces {
    ethernet eth0 {
        address dhcp
        description Internet
        duplex auto
        firewall {
            in {
                ipv6-name WANv6_IN
                name WAN_IN
            }
            local {
                ipv6-name WANv6_LOCAL
                name WAN_LOCAL
            }
        }
        speed auto
    }
    ethernet eth1 {
        description Desktop
        duplex auto
        speed auto
    }
    ethernet eth2 {
        description Server
        duplex auto
        speed auto
    }
    ethernet eth3 {
        description unplugged
        duplex auto
        speed auto
    }
    ethernet eth4 {
        description "WiFi AP"
        duplex auto
        poe {
            output off
        }
        speed auto
    }
    loopback lo {
    }
    switch switch0 {
        address 192.168.1.1/24
        description Local
        mtu 1500
        switch-port {
            interface eth1 {
            }
            interface eth2 {
            }
            interface eth3 {
            }
            interface eth4 {
            }
            vlan-aware disable
        }
    }
}
port-forward {
    auto-firewall enable
    hairpin-nat enable
    lan-interface switch0
    rule 1 {
        description plex
        forward-to {
            address 192.168.1.38
            port 32400
        }
        original-port 32400
        protocol tcp_udp
    }
    rule 2 {
        description openvpn
        forward-to {
            address 192.168.1.38
            port 1194
        }
        original-port 1194
        protocol udp
    }
    rule 3 {
        description "letsencrypt 80"
        forward-to {
            address 192.168.1.38
            port 180
        }
        original-port 80
        protocol tcp_udp
    }
    rule 4 {
        description "letsencrypt 443"
        forward-to {
            address 192.168.1.38
            port 1443
        }
        original-port 443
        protocol tcp_udp
    }
    wan-interface eth0
}
service {
    dhcp-server {
        disabled false
        hostfile-update disable
        shared-network-name comnetdhcp {
            authoritative disable
            subnet 192.168.1.0/24 {
                default-router 192.168.1.1
                dns-server 192.168.1.1
                lease 86400
                start 192.168.1.100 {
                    stop 192.168.1.199
                }
                static-mapping cc-ultra {
                    ip-address 192.168.1.40
                    mac-address 
                }
                static-mapping ipad1 {
                    ip-address 192.168.1.52
                    mac-address 
                }
                static-mapping lap1 {
                    ip-address 192.168.1.53
                    mac-address 
                }
                static-mapping phone2 {
                    ip-address 192.168.1.51
                    mac-address 
                }
                static-mapping server {
                    ip-address 192.168.1.38
                    mac-address 
                }
                static-mapping desktop {
                    ip-address 192.168.1.69
                    mac-address 
                }
                static-mapping phone1 {
                    ip-address 192.168.1.61
                    mac-address 
                }
                static-mapping vm {
                    ip-address 192.168.1.42
                    mac-address 
                }
                static-mapping wifi-ap-1 {
                    ip-address 192.168.1.10
                    mac-address 
                }
            }
        }
        static-arp disable
        use-dnsmasq disable
    }
    dns {
        forwarding {
            cache-size 150
            listen-on switch0
        }
    }
    gui {
        http-port 80
        https-port 443
        older-ciphers enable
    }
    nat {
        rule 5010 {
            description "masquerade for WAN"
            outbound-interface eth0
            type masquerade
        }
    }
    ssh {
        port 22
        protocol-version v2
    }
    unms {
        connection 
    }
}
system {
    host-name comnet
    ipv6 {
        disable
    }
    login {
        user admin {
            authentication {
                encrypted-password 
                plaintext-password ""
            }
            level admin
        }
    }
    name-server 1.1.1.1
    ntp {
        server 0.ubnt.pool.ntp.org {
        }
        server 1.ubnt.pool.ntp.org {
        }
        server 2.ubnt.pool.ntp.org {
        }
        server 3.ubnt.pool.ntp.org {
        }
    }
    syslog {
        global {
            facility all {
                level notice
            }
            facility protocols {
                level debug
            }
        }
    }
    time-zone America/New_York
}

[Attached screenshot: letsencrypt container settings]


@deepthought


Whelp, I think I'm about done with this. It's not worth the time I keep putting into it; I'll just make new bookmarks for internal links and be done with it. Everything works from outside the network, and that's the main thing; the rest I can just deal with.

I did end up changing it over to the custom proxy network and it didn't seem to help. I ended up following the video through to the end, doing the steps that related to that and Sonarr, to see if it would work. Same end results.

@deepthought I really do appreciate all of the work that you've done with this and with helping me as much as you have. I've spent probably 5 hours on this particular issue over the course of all of this, and it's really just not worth it for me to put any more time in. If I find a solution later then cool, if not ¯\_(ツ)_/¯. Not a huge deal, I have other things to work on with the server that I'd rather spend time on; maybe I'll come back to this later when everything else is done (lol, like I'm ever going to truly be done :D )

On 7/1/2019 at 9:47 PM, aptalca said:

Open your domain in a browser and click on the lock to see if it really expired

 

If so, check the log in the config folder under letsencrypt to see why the renewal failed

 

Yes. that is where I was noticing that they had expired. In the lock in the browser.

The certificate expired on 02 June 2019, 11:01. The current time is 06 July 2019, 15:17. Error code: SEC_ERROR_EXPIRED_CERTIFICATE

 

No activity in the log file for a while it seems.

 

This is the contents of the file... I've edited and removed my domain and replaced with "private".

 


<------------------------------------------------->

<------------------------------------------------->
cronjob running on Sat Feb 23 02:08:00 GMT 2019
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/private.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/private/fullchain.pem expires on 2019-05-18 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Fri Mar 1 02:08:00 GMT 2019
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/private.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/private.me/fullchain.pem expires on 2019-05-18 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Sun Mar 10 02:08:00 GMT 2019
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/private.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/private/fullchain.pem expires on 2019-06-02 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

 

1 hour ago, Lien1454 said:

 

No activity in the log file for a while it seems.

Those logs are from March and they are several days apart. I'm guessing you shut down the container at night, which is when it's supposed to renew the certs

10 minutes ago, aptalca said:

Those logs are from March and they are several days apart. I'm guessing you shut down the container at night, which is when it's supposed to renew the certs

 

Do you know at what time the cron job runs or how I can find out?

 

Thanks

 

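Both aptalca's reading of that log (runs several days apart, so the container was not up when cron fired) and the follow-up question about when the job runs can be answered from the log file itself: every run is preceded by a "cronjob running on ..." banner with a timestamp, and the excerpt above shows them all at 02:08. The script below is an added example in Python written for this page, not code from the image or from anyone in the thread. It parses that renewal log into cron runs and reports the run times, the gaps between runs, any runs that ended in an error, and the last expiry date certbot printed. The sample log is constructed from the three runs quoted above plus one invented failing run, and the once-a-day cadence it checks against is an assumption, not something the page states.

```python
"""Triage the letsencrypt renewal log: when cron ran, what failed, and what expires when.

Added example, not part of the image or the thread. It splits the plain-text log
quoted above (the one with the 'cronjob running on ...' banners) into cron runs and
reports gaps between runs, runs that ended in an error, and the expiry certbot last printed.
"""
import re
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import List, Optional

# Banner the image prints before each 'certbot renew', e.g.
# 'cronjob running on Sat Feb 23 02:08:00 GMT 2019'.
RUN_RE = re.compile(r"^cronjob running on (.+)$", re.MULTILINE)
EXPIRES_RE = re.compile(r"expires on (\d{4}-\d{2}-\d{2})")
# certbot's own wording for the possible outcomes of 'certbot renew'.
SKIPPED = "No renewals were attempted"
RENEWED = "renewals succeeded"
FAILED = ("renewal attempts failed", "unexpected error")
# Assumption: the job is meant to run once a day. A longer gap between two
# consecutive runs means the container was not up when cron fired.
EXPECTED_INTERVAL = timedelta(days=1, hours=12)


@dataclass
class Run:
    when: datetime
    outcome: str             # 'skipped' | 'renewed' | 'failed' | 'unknown'
    expires: Optional[date]  # expiry certbot reported for the live cert, if any


def parse_runs(log_text: str) -> List[Run]:
    """Split the log at each banner and classify the certbot output that follows."""
    runs: List[Run] = []
    banners = list(RUN_RE.finditer(log_text))
    for i, m in enumerate(banners):
        end = banners[i + 1].start() if i + 1 < len(banners) else len(log_text)
        body = log_text[m.end():end]
        when = datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Z %Y")
        if any(marker in body for marker in FAILED):
            outcome = "failed"
        elif RENEWED in body:
            outcome = "renewed"
        elif SKIPPED in body:
            outcome = "skipped"
        else:
            outcome = "unknown"
        exp = EXPIRES_RE.search(body)
        runs.append(Run(when, outcome, date.fromisoformat(exp.group(1)) if exp else None))
    return runs


def gaps(runs: List[Run]) -> List[timedelta]:
    """Intervals between consecutive runs longer than the expected daily cadence."""
    return [cur.when - prev.when for prev, cur in zip(runs, runs[1:])
            if cur.when - prev.when > EXPECTED_INTERVAL]


def summarize(log_text: str) -> dict:
    runs = parse_runs(log_text)
    if not runs:
        return {"runs": 0}
    missed = gaps(runs)
    last_expiry = next((r.expires for r in reversed(runs) if r.expires), None)
    return {
        "runs": len(runs),
        "cron_times": sorted({r.when.strftime("%H:%M") for r in runs}),
        "missed_runs": len(missed),
        "longest_gap_days": round(max(missed, default=timedelta()).total_seconds() / 86400, 1),
        "failed_runs": [r.when.isoformat() for r in runs if r.outcome == "failed"],
        "last_reported_expiry": last_expiry.isoformat() if last_expiry else None,
    }


# Constructed sample: the three runs quoted in the thread plus one invented failing
# run (the error wording is certbot's; the date and cause are made up).
SAMPLE_LOG = """\
cronjob running on Sat Feb 23 02:08:00 GMT 2019
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/private/fullchain.pem expires on 2019-05-18 (skipped)
No renewals were attempted.
cronjob running on Fri Mar 1 02:08:00 GMT 2019
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/private/fullchain.pem expires on 2019-05-18 (skipped)
No renewals were attempted.
cronjob running on Sun Mar 10 02:08:00 GMT 2019
The following certs are not due for renewal yet:
  /etc/letsencrypt/live/private/fullchain.pem expires on 2019-06-02 (skipped)
No renewals were attempted.
cronjob running on Sat May 11 02:08:00 GMT 2019
Attempting to renew cert (private) from /etc/letsencrypt/renewal/private.conf produced an unexpected error: Failed authorization procedure. Skipping.
All renewal attempts failed. 1 renew failure(s), 0 parse failure(s)
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for key, value in summarize(text).items():
        print(f"{key}: {value}")
```

Point it at the renewal log under the container's config folder (or concatenate the rotated copies, since the image keeps a year of them) and read the three counters together: a non-zero missed_runs with no failed_runs means the job never got the chance to run, which is the shutdown-at-night case aptalca describes; failed_runs with steady cron_times means the job ran and certbot itself failed, and the error text in that run is the thing to chase.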

Hey, I have a problem since last Wednesday. I didn't touch anything with Unraid (I was happy for now with my configuration), but my applications suddenly became unavailable from the external network. Here is my configuration and logs from the Let's Encrypt docker (I've redacted my email and domain name):

Let'sEncrypt docker conf:
[Attached screenshot: Let's Encrypt docker settings]

 

Let'sEncrypt log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Warsaw
URL=[domain]
SUBDOMAINS=homeassistant,plex,minecraft
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=[email]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d homeassistant.[domain] -d plex.[domain] -d minecraft.[domain]
E-mail address entered: [email]
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/[domain]/fullchain.pem!
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for homeassistant.[domain]
http-01 challenge for minecraft.[domain]
http-01 challenge for [domain]
http-01 challenge for plex.[domain]
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/[domain]/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/[domain]/privkey.pem
Your cert will expire on 2019-10-07. To obtain a new or tweaked
version of this certificate in the future, simply run certbot

again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:

no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

 

Nginx site-confs/default (I didn't edit any other file):

upstream backend {
    server 192.168.1.116:19999;
    keepalive 64;
}

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

# Plain HTTP: everything is redirected to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# Catch-all HTTPS server: subfolder proxies for the default host.
server {
    listen 443 ssl default_server;
    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    # Cipher list as posted. Note that it still admits 3DES (DES-CBC3-SHA),
    # CAMELLIA and non-forward-secret AES suites.
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.116:82/;
    }

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.116:8989/sonarr;
    }

    location /radarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.116:7878/radarr;
    }

    location /downloads {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.116:8112/;
        proxy_set_header X-Deluge-Base "/downloads/";
    }
}

server {
    listen 443 ssl http2;
    server_name homeassistant.[domain];

    root /config/www;
    index index.html index.htm index.php;

    location / {
        proxy_pass http://192.168.1.116:8123;
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_http_version 1.1;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket upgrade, using the map defined at the top of the file.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

server {
    listen 443 ssl http2;
    server_name plex.[domain];

    proxy_set_header X-Real-IP $remote_addr;

    location / {
        proxy_pass http://192.168.1.116:32400/;
        proxy_http_version 1.1;
        proxy_redirect off;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Was 'X-Forward-Proto http': the header name was misspelled and the
        # value is wrong for a TLS-terminating proxy.
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-NginX-Proxy true;
        proxy_set_header X-Real-IP $remote_addr;
    }
}

# 25565 is the Minecraft game port, not an HTTP service: an http{} proxy_pass
# cannot carry the game protocol (that needs a stream{} block or a direct port forward).
server {
    listen 443 ssl http2;
    server_name minecraft.[domain];

    proxy_set_header X-Real-IP $remote_addr;

    location / {
        proxy_pass http://192.168.1.116:25565/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 90;
    }
}

 

and my router conf:

[attached image: router.png]

 

I've also needed to set this:

[attached image]

(in order to access my apps from the local network using "nice" addresses, because the way my ISP configures the public IP address means you can't access it from your local network)

 

Again, I didn't change a thing and this configuration worked for months until last Wednesday. I can see an error in the letsencrypt log, but I've found information in this thread that it is unrelated to my issue. Please help?

Link to comment
8 hours ago, Essaith said:

Hey, I have a problem since last Wednesday. I didn't touch anything with Unraid (I was happy for now with my configuration), but my applications suddenly became unavailable from the external network. Here is my configuration and logs from the Let'sEncrypt docker (I've redacted my email and domain name):


Could be a DNS issue (check IP), could be port forwarding (the router setting looks correct as long as you moved unraid to a different port), or maybe your ISP just started blocking ports 80 and 443.

 

See here to further troubleshoot (article not published yet but here's a preview): https://blog.linuxserver.io/p/3959a1d3-d70d-4d1d-a4ef-4dcdc0bcfd94/

  • Like 1
Link to comment
