[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

Since the latest update, my reverse proxies aren't working. I can confirm using external IP works, like http://external.ip/emby. I can ping mydomain.net. Internal IP of course works.

 

The log doesn't indicate any problems.

 

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=advurt.net
SUBDOMAINS=www
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=4096
VALIDATION=dns
DNSPLUGIN=cloudflare
[email protected]
STAGING=

4096 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.mydomain.net
E-mail address entered: [email protected]
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
creating GeoIP2 database
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

 

Edited by vurt
Link to comment
16 hours ago, dandiodati said:

Have you found a solution for this I also have been trying to solve it and tried these options without luck. One thing I found out is that you can manually test the websocket call via this command: curl --insecure --include --no-buffer --header "Connection: Upgrade" --header "Upgrade: websocket" --header "Host: example.com:80" --header "Origin: http://example.com:80" --header "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" --header "Sec-WebSocket-Version: 13" https://192.168.x.x:443/

 

(Found it on this page https://help.ubnt.com/hc/en-us/articles/115015690147-UNMS-Device-Discovery#blocking discover)

 

And I noticed that the websocket call does not work going through the nginx proxy. I can make it work if I go directly to the unms server and port. And I also can access the UI, just the registry does not work due to the websocket calls not going though the nginx/letsencrypt reverse proxy. 

Any one else have any luck with unms ?

This is the config I've ended up with after much eperimentation! Devices show up and I'm able to add them and manage them!

Cheers,

Tim

# make sure that your dns has a cname set for unms and that your unms container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name unms.YOURDOMAIN.com;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_unms unms;
        proxy_pass https://$upstream_unms:443;
        proxy_cache off;
    	proxy_store off;
    	proxy_buffering off;
        
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Real-IP $remote_addr;
    	proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    	proxy_set_header X-Forwarded-Proto $scheme;
    	proxy_set_header Referer "";

    	client_max_body_size 0;
    }

}

 

Link to comment

hey guys, great forum.  Just bought a domain to use with my server.  Basically just using Letsencrypt to access Sonarr, Radarr, Nextcloud.  Do i need to buy Positive SLL from Namecheap?  i already did as i didn't know any better. I will never be running a website, etc.. just using it for domain name and custom email.  Any help would be appreciated.

Edited by xman111
Link to comment
hey guys, great forum.  Just bought a domain to use with my server.  Basically just using Letsencrypt to access Sonarr, Radarr, Nextcloud.  Do i need to buy Positive SLL from Namecheap?  i already did as i didn't know any better. I will never be running a website, etc.. just using it for domain name and custom email.  Any help would be appreciated.
You don't need an SSL letsencrypt will get one for you

Sent from my SM-N960U using Tapatalk

Link to comment

guys, just got Letsencrypt working with sonarr, radarr, nextcloud.   What I am confused about is can anyone just go to my page at radarr.mydomain.cc and get into my system?   or even worse nextcloud.mydomain.cc?   It's great for me to get to it from anywhere, just want to check how safe it is facing outward as I normally only use OpenVPN.

Link to comment
1 hour ago, xman111 said:

guys, just got Letsencrypt working with sonarr, radarr, nextcloud.   What I am confused about is can anyone just go to my page at radarr.mydomain.cc and get into my system?   or even worse nextcloud.mydomain.cc?   It's great for me to get to it from anywhere, just want to check how safe it is facing outward as I normally only use OpenVPN.

Everyone can access that address, so it's good to set a password and/or activate fail2ban or other security measures.

Do not leave any services open if you reverse proxy them.

Link to comment
3 minutes ago, saarg said:

Everyone can access that address, so it's good to set a password and/or activate fail2ban or other security measures.

Do not leave any services open if you reverse proxy them.

thanks for the response.  i guess i will have to look into this further.  Someone would have to guess the address first thought i guess.  i might just turn off the reverse proxy on a few things.

Link to comment

Hi - I hope someone can help... I have been trying to setup a reverse proxy (following SpaceInvader Ones excellent video)... but when I create a docker network called "ProxyNet" - it doesn't appear in the config page for setting up LetsEncrypt. Its definitely there as I can view it from terminal, but it just isnt listed in the drop down box. I am using UnRAID 6.5.0. Attached are a couple of pictures, one showing the options I have in the LetsEncrypt setup page and one showing "ProxyNet" exists when I list the docker networks in terminal.

 

Any thoughts?

 

Thanks

UnRAID-LetsEncrypt 1.jpg

UnRAID-LetsEncrypt 2.jpg

Link to comment
1 hour ago, SliMat said:

Hi - I hope someone can help... I have been trying to setup a reverse proxy (following SpaceInvader Ones excellent video)... but when I create a docker network called "ProxyNet" - it doesn't appear in the config page for setting up LetsEncrypt. Its definitely there as I can view it from terminal, but it just isnt listed in the drop down box. I am using UnRAID 6.5.0. Attached are a couple of pictures, one showing the options I have in the LetsEncrypt setup page and one showing "ProxyNet" exists when I list the docker networks in terminal.

 

Any thoughts?

 

Thanks

UnRAID-LetsEncrypt 1.jpg

UnRAID-LetsEncrypt 2.jpg

Update to latest unraid first, then come if you have the same issue.

Link to comment
46 minutes ago, j0nnymoe said:

Update to latest unraid first, then come if you have the same issue.

Thanks - but I am reluctant to upgrade as the server is an HP DL380p G8 in a remote datacenter and when I upgraded to the latest version I had massive problems (no mouse or keyboard control in ILO) ending up with the machine falling over and I had to drive to the DC, remove it, roll back to 6.5.0 to get it working then drive it back to the DC. Apart from changing the onboard P420i RAID controller to work in HBA mode rather than RAID I have done nothing to comfort me that I won't get the same problem again if I upgrade.

 

All I have on the machine, which I am using, is a number of VMs (Ubuntu Webservers / Exchange Server), then 2 dockers MariaDB and NextCloud. But am keen to get reverse proxy working.

 

Thanks - any other pointers would be well appreciated.

Link to comment
1 hour ago, SliMat said:

Thanks - but I am reluctant to upgrade as the server is an HP DL380p G8 in a remote datacenter and when I upgraded to the latest version I had massive problems (no mouse or keyboard control in ILO) ending up with the machine falling over and I had to drive to the DC, remove it, roll back to 6.5.0 to get it working then drive it back to the DC. Apart from changing the onboard P420i RAID controller to work in HBA mode rather than RAID I have done nothing to comfort me that I won't get the same problem again if I upgrade.

 

All I have on the machine, which I am using, is a number of VMs (Ubuntu Webservers / Exchange Server), then 2 dockers MariaDB and NextCloud. But am keen to get reverse proxy working.

 

Thanks - any other pointers would be well appreciated.

wow, that sucks..

Link to comment
1 hour ago, SliMat said:

Thanks - but I am reluctant to upgrade as the server is an HP DL380p G8 in a remote datacenter and when I upgraded to the latest version I had massive problems (no mouse or keyboard control in ILO) ending up with the machine falling over and I had to drive to the DC, remove it, roll back to 6.5.0 to get it working then drive it back to the DC. Apart from changing the onboard P420i RAID controller to work in HBA mode rather than RAID I have done nothing to comfort me that I won't get the same problem again if I upgrade.

 

All I have on the machine, which I am using, is a number of VMs (Ubuntu Webservers / Exchange Server), then 2 dockers MariaDB and NextCloud. But am keen to get reverse proxy working.

 

Thanks - any other pointers would be well appreciated.

I would say that your issue isn't a container issue but a bug within unraid 6.5 itself, I would contact lime tech about it or search the forum to see if someone else has had this issue (I suspect someone has).

Link to comment
On 9/17/2019 at 10:06 AM, phreeq said:
 

Did yours renew after adding the line? I'm asking because mine is failing renewal and I do have the dns_cloudflare_credentials = /config/dns-conf/cloudflare.ini line in the conf file.

 

**Update**

I found that my cloudflare.ini file didn't have my data in it. I had a problem with all of my dockers due to a bad upgrade to my cache drive a while back, so I guess the problem was me. I'll check back in tomorrow to see if the renewal goes right.

Just am seeing this after an extended time off of the forums. Yes it did happen to work and continues to do so. Not sure why that had happened but backed up as soon as I had it working correctly just in case. (Do weekly backups regularly)

  • Like 1
Link to comment
Just am seeing this after an extended time off of the forums. Yes it did happen to work and continues to do so. Not sure why that had happened but backed up as soon as I had it working correctly just in case. (Do weekly backups regularly)
After all the headaches I had, I did start doing weekly backups for my containers. Learned that lesson the hard way

Sent from my ONEPLUS A5010 using Tapatalk

Link to comment
1 hour ago, slimshizn said:

Just am seeing this after an extended time off of the forums. Yes it did happen to work and continues to do so. Not sure why that had happened but backed up as soon as I had it working correctly just in case. (Do weekly backups regularly)

Just catching up on this, are you saying people using cloudflare for DNS need to add an extra line?  (Trying to go back through the thread to find)....

Link to comment
12 hours ago, xman111 said:

wow, that sucks..

Yep 🙄

14 hours ago, j0nnymoe said:

Update to latest unraid first, then come if you have the same issue.

OK, I consider this solved now... not ideal, but in case anyone else finds this thread @j0nnymoe seems to be correct.

 

I also had an HP Microserver running 6.5.0 at home, because it had the same issues with the new version as the machine in the DC... so, as it's here and I can easily access it, I just upgraded from 6.5.0 to 6.7.2 and now I do see the custom network in the settings for LetsEncrypt - so this certainly does look like a bug with 6.5.0. I will monitor this machine and see if it behaves with 6.7.2!

 

So, it looks like I'll have to schedule a visit to the DC and then try the upgrade on the DC machine the night before - that way if I lose connection I will be able to pop in the next day to fix it, rather than having it offline while I wait for a slot to get in 😑

 

Thanks for the advice @j0nnymoe

 

UnRAID-LetsEncrypt 3.jpg

Edited by SliMat
Link to comment

hey guys, how to i stop an app from using letsencrypt?  i have about 5 apps using it but there are a few that aren't really needed.  I deleted the sub domains on the properties of the letsencrypt container but everything keeps working.  Funny is was pretty hard to get it working, seems equally as hard to stop it from working, lol.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.