[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



4 hours ago, HarryHeck said:

For Exchange Server you need to use SAN certs without IPs or it will complain. So the docker needs to go out on mail.domain.com for letsencrypt, then be able to change the URL and resolve mail.domain.local. That's good to know on the bridge setup. I would prefer a separate VLAN for letsencrypt/nginx.

I have no knowledge of exchange.

Link to comment
7 hours ago, saarg said:

I have no knowledge of exchange.

That's fine my question has to do with this docker or dockers in general maybe. I'm new to it so sorry about my lack of knowledge.

 

1. How do I add a DNS entry to this docker? i.e. mail.domain.com already resolves, but I need mail.domain.local to resolve as well to its private IP. Can I add mail.domain.local to this docker only? Or do I need to manually add it at the host level? That is, create my own internal DNS?

 

2. Can letsencrypt docker rewrite mail.domain.com to mail.domain.local when a request comes in? If so do you have a guide or link so I can try?

Link to comment
42 minutes ago, HarryHeck said:

That's fine my question has to do with this docker or dockers in general maybe. I'm new to it so sorry about my lack of knowledge.

 

1. How do I add a DNS entry to this docker? i.e. mail.domain.com already resolves, but I need mail.domain.local to resolve as well to its private IP. Can I add mail.domain.local to this docker only? Or do I need to manually add it at the host level? That is, create my own internal DNS?

 

2. Can letsencrypt docker rewrite mail.domain.com to mail.domain.local when a request comes in? If so do you have a guide or link so I can try?

1.) You'd have to add this to your local DNS server (if you have one set up).

2.) You'd need to read the nginx documentation on how to redirect this.

Link to comment
On 5/5/2019 at 6:48 AM, hernandito said:

Thank you.... EDITED - created the variable and it worked perfectly. 

 

Now, can anyone help on my first issue?

 

thanks!!!

 

h.

I've been looking for this, thanks. If it had just been included as an option in the container it would have been easier, but you have to manually add it. Will be trying it now. The only thing is, I assume all subdomains for the first domain will also need to be registered for the second domain?

Link to comment

I am having some trouble configuring letsencrypt with my own domain. I have followed spaceInvader's video as a reference.

 

I have my own domain with Google, on which I created a subdomain of type "A" because I have a static IP. Then I followed the steps of spaceInvader's tutorial, but I can't seem to get it resolved. One thing I am unsure of is what the LDAP URL is / how to find it out.

Link to comment
On 9/10/2019 at 3:26 AM, Idolwild said:

I know it's been a while, but I have the same use case (need NGINX to forward to an internal IIS server). Care to share any pointers? Thanks!

Sorry bud, I didn't even know you'd posted a response - I haven't had any notifications from the forum and only noticed when I popped on to ask a question about Grafana.

 

I can't remember what it was that I had a problem with for this container, let me post this and I'll have a scroll back and edit this once I've remembered!

 

-- EDIT

 

Well, I looked back and I haven't got a clue what I was on about!

I do have everything setup and functioning so I would be happy to answer any specific questions you might have re the setup I use at this point.

Edited by Saldash
Link to comment

Apologies if these have been answered previously.

 

As use of fail2ban requires the container to be started with NET_ADMIN privileges, to what extent is this practically a security trade-off? As I understand it, compromise of a NET_ADMIN container makes it considerably easier to pivot to the host (even given that Unraid does not utilize subuid/subgid). What are your opinions on using NET_ADMIN to gain fail2ban capability? Worthwhile given this potential trade-off?

 

Second, since the switch to the geoip2 database, every restart of the container involves 3-5 minutes of "Building the geoip database" which makes experimenting with new configurations extremely onerous. Is something mis-configured on my end/can I prevent this from happening at each restart, particularly as I do not need to use this feature?

 

Thank you!

 

Link to comment
7 hours ago, kyle1 said:

Apologies if these have been answered previously.

 

As use of fail2ban requires the container to be started with NET_ADMIN privileges, to what extent is this practically a security trade-off? As I understand it, compromise of a NET_ADMIN container makes it considerably easier to pivot to the host (even given that Unraid does not utilize subuid/subgid). What are your opinions on using NET_ADMIN to gain fail2ban capability? Worthwhile given this potential trade-off?

 

Second, since the switch to the geoip2 database, every restart of the container involves 3-5 minutes of "Building the geoip database" which makes experimenting with new configurations extremely onerous. Is something mis-configured on my end/can I prevent this from happening at each restart, particularly as I do not need to use this feature?

 

Thank you!

 

Not sure why it's taking 3-5 minutes for you but it essentially downloads the new geoip database if it's a newly created container.

 

I'll change it so the database resides in the config folder so it would only download once.

 

Until then, you can map an empty file here and it won't download: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/etc/cont-init.d/50-config#L253

Link to comment
3 hours ago, kyle1 said:

Thanks, worked a treat.

 

I assume I'm totally off base with the NET_ADMIN concern? Very possible!

Not off base, it's a valid argument, but not a simple one.

 

I personally think the benefit of fail2ban far outweighs the potential risk. I mean, I heavily rely on fail2ban for DDoS and brute-force protection by using HTTP auth with most of my proxied apps. Fail2ban reduces the likelihood of my server getting pwned. As long as I'm not pwned, I don't have to worry about NET_ADMIN.

 

Also keep in mind that most web servers run nginx directly on the host OS, and there it already has the NET_ADMIN capability plus a whole lot more. The nginx service runs as root (the workers run as unprivileged users). Here at least nginx is somewhat sandboxed inside a container.

  • Like 1
Link to comment
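A way to see exactly what --cap-add=NET_ADMIN changes, as an added example that is not part of this thread or of the linuxserver.io image: decode a Linux capability mask (the CapEff line of /proc/PID/status, readable from inside the container with `docker exec swag cat /proc/1/status`) into capability names, and diff it against a baseline. Capability numbers follow the kernel's include/uapi/linux/capability.h; the two masks in the demo are constructed, a80425fb being the usual Docker default set and a80435fb that set plus bit 12 (NET_ADMIN).

```shell
#!/bin/sh
# Added example, not from the SWAG image or the forum post. Decodes a
# capability bitmask such as the CapEff value in /proc/<pid>/status.
# Names are indexed by capability number (kernel ordering, 0..40).

CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid \
setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw \
ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct \
sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease \
audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm \
block_suspend audit_read perfmon bpf checkpoint_restore"

# cap_is_set <hex-mask> <cap-number>: true if that capability bit is set.
# Accepts the mask with or without a leading 0x.
cap_is_set() {
    mask=${1#0x}
    [ $(( (0x$mask >> $2) & 1 )) -eq 1 ]
}

# cap_name <cap-number>: kernel name, or cap_N for numbers not in the table.
cap_name() {
    n=$1
    set -- $CAP_NAMES
    if [ "$n" -ge "$#" ]; then printf 'cap_%s\n' "$n"; return; fi
    shift "$n"
    printf '%s\n' "$1"
}

# list_caps <hex-mask>: one capability name per line, lowest bit first.
list_caps() {
    i=0
    while [ "$i" -lt 64 ]; do
        if cap_is_set "$1" "$i"; then cap_name "$i"; fi
        i=$((i + 1))
    done
}

# extra_caps <base-mask> <mask>: capabilities present in <mask> but not in
# <base>, i.e. what a --cap-add actually bought you.
extra_caps() {
    b=${1#0x}; m=${2#0x}
    list_caps "$(printf '%x' $(( 0x$m & ~0x$b )))"
}

# capeff_of_pid [pid]: live effective set of a process (Linux only).
capeff_of_pid() {
    awk '/^CapEff:/ { print $2 }' "/proc/${1:-self}/status"
}

# Demo on the constructed masks (no container needed):
echo "default Docker set (a80425fb):"
list_caps a80425fb
echo "added by --cap-add=NET_ADMIN (a80435fb):"
extra_caps a80425fb a80435fb
```

To inspect the real thing, feed `capeff_of_pid 1` run inside the container (or the CapEff line from `docker exec swag cat /proc/1/status`) to `list_caps`; comparing it with the mask of a container started without NET_ADMIN shows that the fail2ban grant adds exactly one capability and nothing else.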

Hi All,

 

I've been a convert to Unraid for around 8 months and so far it's all been good.

One of my first adventures has been into the excellent docker containers from LinuxServerIO (thanks).

 

I had a fully working Letsencrypt until some point this weekend when something strange happened. The server suddenly reported the cache drive as "read only". A reboot seemed to sort this and i thought all had gone back to normal.

 

However this morning I have encountered errors with the Letsencrypt docker. Trying to fix this I deleted the container and the image, also deleting the appdata folder then a complete re-install.

 

I now have the following error -

nginx: [emerg] PEM_read_bio_DHparams("/config/nginx/dhparams.pem") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: DH PARAMETERS)

 

Putting this into google I found a thread which suggested running this command

openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

however running this gets the following error

Can't open /etc/nginx/ssl/dhparam.pem for writing, No such file or directory
22358693844800:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/nginx/ssl/dhparam.pem','w')
22358693844800:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

 

Now I am out of my depth and would appreciate some assistance please

 

Thanks

 

Link to comment
2 hours ago, dgs2001 said:

Hi All,

 

I've been a convert to Unraid for around 8 months and so far it's all been good.

One of my first adventures has been into the excellent docker containers from LinuxServerIO (thanks).

 

I had a fully working Letsencrypt until some point this weekend when something strange happened. The server suddenly reported the cache drive as "read only". A reboot seemed to sort this and i thought all had gone back to normal.

 

However this morning I have encountered errors with the Letsencrypt docker. Trying to fix this I deleted the container and the image, also deleting the appdata folder then a complete re-install.

 

I now have the following error -


nginx: [emerg] PEM_read_bio_DHparams("/config/nginx/dhparams.pem") failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: DH PARAMETERS)

 

Putting this into google I found a thread which suggested running this command


openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048

however running this gets the following error


Can't open /etc/nginx/ssl/dhparam.pem for writing, No such file or directory
22358693844800:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/nginx/ssl/dhparam.pem','w')
22358693844800:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

 

Now I am out of my depth and would appreciate some assistance please

 

Thanks

 

Ok,

 

did some more digging, deleted the "dhparams.pem" file in the /letsencrypt/nginx folder and letsencrypt has now restarted successfully and regenerated a new dhparams.pem file

 

I would like to try and understand what had happened though? any insight or pointers would be most appreciated.

 

Thanks

  • Like 1
Link to comment
1 hour ago, dgs2001 said:

Ok,

 

did some more digging, deleted the "dhparams.pem" file in the /letsencrypt/nginx folder and letsencrypt has now restarted successfully and regenerated a new dhparams.pem file

 

I would like to try and understand what had happened though? any insight or pointers would be most appreciated.

 

Thanks

Dhparams file is created during container start if it doesn't already exist. It can take a very long time. I guess if the process is somehow disturbed during that time, you may end up with an empty or a corrupted file. Nginx fails to start because it can't read the file.

Link to comment
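The failure above is nginx failing to parse /config/nginx/dhparams.pem, and the fix was to delete the file so the container regenerated it. The following is an added example, not part of the SWAG image or the posts: it reproduces nginx's parse check with openssl, and regenerates the file only when it is missing, empty or unparseable, writing to a temporary file and renaming it so that an interrupted generation can never leave a truncated dhparams.pem behind. The file path, the DHPARAMS_FILE variable and the 512-bit size used in the check are assumptions; the container itself generates the size given by its DHLEVEL setting.

```shell
#!/bin/sh
# Added example, not from the linuxserver.io image. Validates and, if
# needed, regenerates an nginx DH parameters file.

# dhparams_ok <file>: succeed only if the file is non-empty and openssl can
# load it as "DH PARAMETERS", which is the same load nginx performs at start.
dhparams_ok() {
    [ -s "$1" ] && openssl dhparam -in "$1" -noout >/dev/null 2>&1
}

# ensure_dhparams <file> [bits]: keep a good file untouched; move a bad one
# aside and generate a fresh one atomically (temp file + rename).
ensure_dhparams() {
    f=$1; bits=${2:-2048}
    if dhparams_ok "$f"; then
        return 0
    fi
    if [ -e "$f" ]; then
        # Keep the broken file for inspection instead of silently deleting it.
        mv -f "$f" "$f.corrupt.$(date +%s)"
    fi
    tmp="$f.tmp.$$"
    openssl dhparam -out "$tmp" "$bits" >/dev/null 2>&1 || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$f"
    dhparams_ok "$f"
}

# Optional entry point mirroring the container's DHLEVEL variable
# (assumed interface; the image does not read DHPARAMS_FILE):
if [ -n "${DHPARAMS_FILE:-}" ]; then
    ensure_dhparams "$DHPARAMS_FILE" "${DHLEVEL:-2048}"
fi
```

Run `dhparams_ok /path/to/appdata/letsencrypt/nginx/dhparams.pem` from the Unraid host before restarting the container: a zero-byte or half-written file fails the check exactly the way nginx reported it. Note that the path in the error message is /config/nginx/dhparams.pem inside the container, not /etc/nginx/ssl/dhparam.pem, which is why the command copied from the other thread could not open its output file.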
2 minutes ago, aptalca said:

Dhparams file is created during container start if it doesn't already exist. It can take a very long time. I guess if the process is somehow disturbed during that time, you may end up with an empty or a corrupted file. Nginx fails to start because it can't read the file.

Thanks for the response. It's all a little odd really, probably a server/hardware issue initially which somehow corrupted the letsencrypt instance. Either that or somebody was trying to hack me!

 

All is working as expected again now so thanks for the excellent docker container, along with several other of yours I use :)

 

  • Like 1
Link to comment

Hi, I'm trying to set up a docker that isn't listed as one of the presets and I can't get it to work (the predone configs work great).

 

The docker container in question is teamspeak-alpine by fithwum.

 

I attached my subdomain.conf file. The ip next to proxy_pass is the ip I use to connect to the unraid web ui, but I also tried the docker container's ip and that didn't seem to work either.

 

I already have a CNAME record for ts3.mydomain.com set up. And I also added ts3 to the approved subdomains in the letsencrypt container.

 

What am I missing here?

teamspeak.subdomain.conf

Edited by hotdog218
Link to comment

 

So I am trying to set up a reverse proxy for a few docker containers on my Unraid server, but I haven't had any luck. I was following spaceinvader's tutorial, but it just doesn't seem to work for me. I am trying to set it up for sonarr, home assistant and nextcloud. Everything looks fine, it's just that the links don't actually work. Usually it will redirect me to /htpc and a blank page, but occasionally it will just take me to a 404 nginx error. Any ideas what could be wrong? Also, I can't seem to connect home assistant to my custom docker network, as it doesn't support connecting to a bridge network instead of host.

Tips would be appreciated.

 

Thanks

Gershy13

Link to comment

I updated letsencrypt this morning and I can't reach Nextcloud. I have looked through the thread and can't find anyone having the same problem. After the update I cannot go to my Nextcloud using the web browser: "Your connection is not private" and "NET::ERR_CERT_REVOKED". Can someone help me please, or direct me to someone that was having the issue and has fixed it? Thank you guys.

 

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL= Server address is correct.
SUBDOMAINS=
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL= My email address is correct.
STAGING=

2048 bit DH parameters present
No subdomains defined
E-mail address entered: My email address is correct.
http validation is selected
Certificate exists; parameters unchanged; starting nginx
creating GeoIP2 database
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')
Server ready

 


Link to comment
On 9/5/2019 at 10:39 AM, MothyTim said:

I found this on Ubiquiti's website, not sure what I need from it to make UNMS work? Like I said previously, I can get the GUI page but can't see my devices; that was by editing the UniFi template!

 

Hoping that someone with more knowledge can help?


# Turns the client's Upgrade header into the Connection header value the
# backend expects: "upgrade" for WebSocket handshakes, "close" otherwise.
map $http_upgrade $connection_upgrade {
  default upgrade;
  ''      close;
}

# Plain-HTTP listener, proxied to the UNMS HTTP port.
# Note: 127.0.0.1 is the address Ubiquiti's example assumes for nginx and
# UNMS on the same host; inside a SWAG container it is the container itself,
# so use the UNMS host or container address instead.
server {
  listen 80;
  server_name unms.example.com;

  client_max_body_size 4G;

  location / {
    proxy_redirect off;
    proxy_set_header Host $host;
    proxy_pass http://127.0.0.1:8080/;
  }
}

server {
  listen 443 ssl http2;
  server_name unms.example.com;

  ssl_certificate     /etc/letsencrypt/live/unms.example.com/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/unms.example.com/privkey.pem;

  # "ssl on;" removed from the original: it is redundant with the "ssl"
  # parameter on the listen line, deprecated since nginx 1.15.0 and
  # rejected as an unknown directive from 1.25.1 onward.

  set $upstream 127.0.0.1:8443;

  location / {
    proxy_pass     https://$upstream;
    proxy_redirect https://$upstream https://$server_name;

    proxy_cache off;
    proxy_store off;
    proxy_buffering off;
    # WebSocket upgrades require HTTP/1.1 to the backend plus the Upgrade and
    # Connection headers below; a long read timeout keeps idle sockets open.
    proxy_http_version 1.1;
    proxy_read_timeout 36000s;

    proxy_set_header Host $http_host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $connection_upgrade;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Referer "";

    client_max_body_size 0;
  }
}

 

Have you found a solution for this? I also have been trying to solve it and tried these options without luck. One thing I found out is that you can manually test the websocket call via this command:

curl --insecure --include --no-buffer --header "Connection: Upgrade" --header "Upgrade: websocket" --header "Host: example.com:80" --header "Origin: http://example.com:80" --header "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" --header "Sec-WebSocket-Version: 13" https://192.168.x.x:443/

 

(Found it on this page https://help.ubnt.com/hc/en-us/articles/115015690147-UNMS-Device-Discovery#blocking discover)

 

And I noticed that the websocket call does not work going through the nginx proxy. I can make it work if I go directly to the unms server and port. And I also can access the UI, just the registry does not work due to the websocket calls not going though the nginx/letsencrypt reverse proxy. 

Any one else have any luck with unms ?

Edited by dandiodati
Link to comment
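The curl handshake quoted above only tells you something if you read the reply correctly: a working proxy path answers with status 101 and echoes "Upgrade: websocket", while a 502/504 means nginx never reached UNMS and a 400/426 usually means the Upgrade and Connection headers were stripped on the way. As an added example that is not part of Ubiquiti's article or this thread, the script below sends that handshake through the proxy and judges the response mechanically. The header parsers read a captured response from stdin, so they can be checked against constructed replies without a live UNMS; the URL and host used in ws_probe are placeholders, and the Sec-WebSocket-Key is the RFC 6455 sample nonce.

```shell
#!/bin/sh
# Added example, not from Ubiquiti or the forum post. Probes a WebSocket
# endpoint behind the nginx/SWAG reverse proxy and classifies the result.

# ws_handshake_ok: read HTTP response headers on stdin; succeed only if the
# status is 101 and the server echoed "Upgrade: websocket".
ws_handshake_ok() {
    hdr=$(tr -d '\r')
    status=$(printf '%s\n' "$hdr" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    [ "$status" = "101" ] || return 1
    printf '%s\n' "$hdr" | grep -iq '^upgrade:[[:space:]]*websocket' || return 1
    return 0
}

# ws_diagnose: read HTTP response headers on stdin; print a one-line verdict
# that points at the layer most likely at fault.
ws_diagnose() {
    hdr=$(tr -d '\r')
    status=$(printf '%s\n' "$hdr" | sed -n '1s/^HTTP\/[0-9.]* \([0-9]*\).*/\1/p')
    case "$status" in
        101)     echo "upgrade accepted" ;;
        400|426) echo "upgrade refused by upstream: Upgrade/Connection headers probably not forwarded" ;;
        502|504) echo "proxy could not reach upstream" ;;
        *)       echo "unexpected status ${status:-none}" ;;
    esac
}

# ws_probe <url> <host>: perform the handshake with curl through the proxy
# (network access required; --max-time bounds the open socket after a 101).
ws_probe() {
    curl --insecure --include --no-buffer --silent --max-time 5 \
        --header "Connection: Upgrade" --header "Upgrade: websocket" \
        --header "Host: $2" --header "Origin: https://$2" \
        --header "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
        --header "Sec-WebSocket-Version: 13" "$1" 2>/dev/null | ws_handshake_ok
}

# Usage (placeholders): probe the public name through SWAG, then the UNMS
# port directly, to tell a proxy problem from an upstream one.
#   ws_probe https://unms.example.com/ unms.example.com && echo "proxy ok"
#   ws_probe https://192.168.x.x:8443/ unms.example.com && echo "upstream ok"
```

Run the two probes in the usage note back to back: if the direct probe succeeds and the proxied one does not, the loss is in the nginx location block (missing proxy_http_version 1.1 or the Upgrade/Connection headers, or a proxy_pass pointing at the wrong address), which matches the symptom described in the post.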
