[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Hey guys, how do I stop an app from using letsencrypt? I have about 5 apps using it but there are a few that aren't really needed. I deleted the sub domains on the properties of the letsencrypt container but everything keeps working. Funny, it was pretty hard to get it working, seems equally as hard to stop it from working, lol.

Did you disable the proxy conf files?


Link to comment

Github and docker hub pages linked in the first post have the most up to date info

 

You can also check out this blog article for some examples: https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/

@aptalca just moving this to the right thread.

To recap, I wanted to set up letsencrypt to be used as an internal reverse proxy without exposing it outside my lan. Accordingly I cannot use http validation .. and attempted using duckdns validation. So here is what I have done:

  • create a custom user network
  • moved sonarr to the new custom network
  • set up the letsencrypt container with the following params:
    • Network: new custom network
    • domain name: XYZ.duckdns.org
    • subdomains: wildcard
    • Only subdomains: true
    • validation: duckdns
    • DUCKDNSTOKEN: my duckdns token
  • added a sonarr.subdomain.conf to proxy-confs (made sure it points to the correct sonarr container name)

The log from the letsencrypt container looks fine. I don't see errors basically. Trying to access sonarr.XYZ.duckdns.org yields nothing (not found). Am I missing anything? (one thing that I can think of, is that when a reverse proxy is setup for external access, requests are routed to the reverse proxy. In this case, there are no external requests, what directs the requests to the reverse proxy? Also do I need to add any DNS records to my duckdns domain?)

 

Link to comment
1 hour ago, Jenardo said:

@aptalca just moving this to the right thread.

To recap, I wanted to set up letsencrypt to be used as an internal reverse proxy without exposing it outside my lan. Accordingly I cannot use http validation .. and attempted using duckdns validation. So here is what I have done:

  • create a custom user network
  • moved sonarr to the new custom network
  • set up the letsencrypt container with the following params:
    • Network: new custom network
    • domain name: XYZ.duckdns.org
    • subdomains: wildcard
    • Only subdomains: true
    • validation: duckdns
    • DUCKDNSTOKEN: my duckdns token
  • added a sonarr.subdomain.conf to proxy-confs (made sure it points to the correct sonarr container name)

The log from the letsencrypt container looks fine. I don't see errors basically. Trying to access sonarr.XYZ.duckdns.org yields nothing (not found). Am I missing anything? (one thing that I can think of, is that when a reverse proxy is setup for external access, requests are routed to the reverse proxy. In this case, there are no external requests, what directs the requests to the reverse proxy? Also do I need to add any DNS records to my duckdns domain?)

 

On the duckdns website, set the IP to the local IP of your unraid server

Link to comment
On 9/30/2019 at 7:01 PM, j0nnymoe said:

Update to latest unraid first, then come if you have the same issue.

Hi @j0nnymoe

 

Just some more feedback - after upgrading my Microserver to 6.7.2 yesterday, it looks like my concerns are well founded... I have just gone to reboot and now it won't see the UnRAID USB key, so the machine won't boot without me physically downgrading to an earlier version 😞

In case you're interested this was the thread I posted about the last issue, which has now reappeared after upgrading to 6.7.x again...

Glad I haven't risked upgrading the machine in the datacenter as it would cost me a 240 mile journey to fix it ;-)

Link to comment
21 hours ago, aptalca said:

On the duckdns website, set the IP to the local IP of your unraid server

@aptalca Now it works except that everything goes to the main unraid UI.

XYZ.duckdns.org

sonarr.XYZ.duckdns.org

bla123.XYZ.duckdns.org

Basically, anything ending in "XYZ.duckdns.org" goes to the unraid's main web page.

Is this because of the "wildcard" that I set for subdomains in the docker's configuration?

By the way, I am using the subdomain conf files as I have described in the previous post.

 

Link to comment
3 hours ago, Jenardo said:

@aptalca Now it works except that everything goes to the main unraid UI.

XYZ.duckdns.org

sonarr.XYZ.duckdns.org

bla123.XYZ.duckdns.org

Basically, anything ending in "XYZ.duckdns.org" goes to the unraid's main web page.

Is this because of the "wildcard" that I set for subdomains in the docker's configuration?

By the way, I am using the subdomain conf files as I have described in the previous post.

 

If your unraid gui is using ports 80 and 443, then http and https connections to your domain will go there. Change those ports and map letsencrypt to those ports

Link to comment

Hi,

 

I've just started using Docker with my transition to Unraid, as I've up until now been running the VMware suite, "full-VM setup" and a self-configured nginx reverse proxy setup for my public services.

 

As I haven't used Docker before, there's probably something obvious I'm missing, but here goes;

 

Two main problems/questions:

 

1. In the case where I'd like to proxy a docker that's NOT on the 'proxynet' but instead connected to one of my actual LAN-networks (i.e. VLAN50/subnet: 10.10.50.0/24), I'm not able to do this successfully. 
I've made sure that I've made the corresponding changes to the nginx proxy conf (i.e. home-assistant docker) and its 'upstream_address' (<docker-name> -> <local IP>). I'm able to access it via the <host_IP>:<docker_port>, and even though this is a match in the config-file, It still doesn't pass through the traffic properly (bad gateway). Any ideas of what I might be missing out on? (I've tried this with several docker-containers unsuccessfully).

This is also highly relevant as I want to be able to proxy 'anything' with the letsencrypt-docker :)

 

2. How do you (others) have pfsense setup to port forward specific traffic, via a specific gateway to a docker-container with the 'proxynet' setup? (see my last bullet point below)

 

Some background info:

- letsencrypt-docker is confirmed working and is working very well

- I configured it with the help of SpaceinvaderOne's Youtube-guide and the 'proxynet' setup

- I use sub-domains and not sub-folders

- All Dockers that are connected to my 'proxynet' are successfully being proxied

- I have a fairly advanced local network which is segmented into different vlans

- I run a pfsense instance with an active OpenVPN-client connected to a VPN-service, where I've excluded specific VM-traffic via changing the gateway specific traffic is running over, when the need has arisen to use my public IP.

I might've missed some crucial info that would help you to help me, but just let me know what you need if that's the case. There's a lot of new stuff I'm poking around with (unraid and docker) and although there's been some hiccups such as this, it's still a lovely experience. Great job with the letsencrypt-container, it's truly awesome! :)

Edited by sebstrgg
Link to comment
On 9/28/2019 at 8:20 AM, MothyTim said:

This is the config I've ended up with after much experimentation! Devices show up and I'm able to add them and manage them!

Cheers,

Tim


# make sure that your dns has a cname set for unms and that your unms container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name unms.YOURDOMAIN.com;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_unms unms;
        proxy_pass https://$upstream_unms:443;
        proxy_cache off;
        proxy_store off;
        proxy_buffering off;

        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Referer "";

        client_max_body_size 0;
    }

}

 

Hi Tim, thanks for the response. I just got a chance to try it and it did not work for me. When I make the websocket CURL request the letsencrypt nginx server just gives me the default page. Getting very frustrated since I can hit the unms port directly and it works, just not through this reverse proxy.

If you do this call, does it work for you?

 

curl --insecure --include --no-buffer --header "Connection: Upgrade" --header "Upgrade: websocket" --header "Host: example.com:80" --header "Origin: http://example.com:80" --header "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" --header "Sec-WebSocket-Version: 13" https://unms.yourserver.com

(Change the unms.yourserver.com to yours, the rest does not matter)

 

Edited by dandiodati
Link to comment
3 hours ago, sebstrgg said:

Hi,

 

I've just started using Docker with my transition to Unraid, as I've up until now been running the VMware suite, "full-VM setup" and a self-configured nginx reverse proxy setup for my public services.

 

As I haven't used Docker before, there's probably something obvious I'm missing, but here goes;

 

Two main problems/questions:

 

1. In the case where I'd like to proxy a docker that's NOT on the 'proxynet' but instead connected to one of my actual LAN-networks (i.e. VLAN50/subnet: 10.10.50.0/24), I'm not able to do this successfully. 
I've made sure that I've made the corresponding changes to the nginx proxy conf (i.e. home-assistant docker) and its 'upstream_address' (<docker-name> -> <local IP>). I'm able to access it via the <host_IP>:<docker_port>, and even though this is a match in the config-file, It still doesn't pass through the traffic properly (bad gateway). Any ideas of what I might be missing out on? (I've tried this with several docker-containers unsuccessfully).

This is also highly relevant as I want to be able to proxy 'anything' with the letsencrypt-docker :)

 

2. How do you (others) have pfsense setup to port forward specific traffic, via a specific gateway to a docker-container with the 'proxynet' setup? (see my last bullet point below)

 

Some background info:

- letsencrypt-docker is confirmed working and is working very well

- I configured it with the help of SpaceinvaderOne's Youtube-guide and the 'proxynet' setup

- I use sub-domains and not sub-folders

- All Dockers that are connected to my 'proxynet' are successfully being proxied

- I have a fairly advanced local network which is segmented into different vlans

- I run a pfsense instance with an active OpenVPN-client connected to a VPN-service, where I've excluded specific VM-traffic via changing the gateway specific traffic is running over, when the need has arisen to use my public IP.

I might've missed some crucial info that would help you to help me, but just let me know what you need if that's the case. There's a lot of new stuff I'm poking around with (unraid and docker) and although there's been some hiccups such as this, it's still a lovely experience. Great job with the letsencrypt-container, it's truly awesome! :)

Thanks for the kind words.

 

1) proxy_pass should use the host_ip:port for bridged containers and IP:port for any other service that may also be on a remote machine, but I have a feeling you're using macvlan (docker container has its own IP) and if that's the case, macvlan blocks connections between the container and the host (and any other container or service that is using the host's IP) as a security feature so it won't work.

2) If you're referring to incoming connections, then they all should go through letsencrypt reverse proxy. If you're referring to outgoing, then I'm currently putting them on macvlan so they have their own IP and set a LAN rule on pfsense to route their IP (source) through the WAN gateway. But I only have a couple of those (duplicati and rclone) and I don't/can't reverse proxy them due to the macvlan restriction I mentioned above.

Link to comment

Hi everyone, my Nginx reverse proxy isn't working again. I can ping mydomain.net and I can access my external IP. I can also access my sites with internal.ip/sub.

 

PING mydomain.net (157.131.207.164): 56 data bytes
64 bytes from 157.131.207.164: icmp_seq=0 ttl=62 time=3.517 ms
64 bytes from 157.131.207.164: icmp_seq=1 ttl=62 time=3.480 ms
64 bytes from 157.131.207.164: icmp_seq=2 ttl=62 time=3.650 ms
64 bytes from 157.131.207.164: icmp_seq=3 ttl=62 time=3.880 ms
64 bytes from 157.131.207.164: icmp_seq=4 ttl=62 time=3.466 ms
64 bytes from 157.131.207.164: icmp_seq=5 ttl=62 time=3.857 ms
64 bytes from 157.131.207.164: icmp_seq=6 ttl=62 time=6.915 ms
64 bytes from 157.131.207.164: icmp_seq=7 ttl=62 time=3.207 ms
64 bytes from 157.131.207.164: icmp_seq=8 ttl=62 time=4.056 ms
^C
--- mydomain.net ping statistics ---
9 packets transmitted, 9 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.207/4.003/6.915/1.058 ms

 

The log doesn't indicate anything out of the ordinary:

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=mydomain.net
SUBDOMAINS=www
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=4096
VALIDATION=dns
DNSPLUGIN=cloudflare
[email protected]
STAGING=

4096 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.mydomain.net
E-mail address entered: [email protected]
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
4096 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.mydomain.net
E-mail address entered: [email protected]
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

and I checked but there aren't new updates to the container I can try (last time this happened, an update got it working).

 

Any ideas how I can troubleshoot here or what else I can provide for help? TIA.

 

EDIT: Found nginx's error.log:

 

2019/09/29 02:23:18 [error] 446#446: *832 connect() failed (111: Connection refused) while connecting to upstream, client: 66.249.69.19, server: _, request: "GET /robots.txt HTTP/1.1", upstream: "http://192.168.1.252:8282/robots.txt", host: "mydomain.net"
2019/09/29 02:54:19 [error] 446#446: *836 connect() failed (111: Connection refused) while connecting to upstream, client: 34.202.162.164, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/09/29 03:48:12 [error] 446#446: *841 connect() failed (111: Connection refused) while connecting to upstream, client: 62.173.147.6, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/09/29 03:48:13 [error] 446#446: *843 connect() failed (111: Connection refused) while connecting to upstream, client: 62.173.147.6, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/09/29 05:42:08 [error] 446#446: *851 connect() failed (111: Connection refused) while connecting to upstream, client: 139.162.113.204, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/09/29 12:21:24 [error] 446#446: *874 connect() failed (111: Connection refused) while connecting to upstream, client: 51.159.0.165, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "mydomain.net"
2019/09/29 17:26:06 [error] 446#446: *884 connect() failed (111: Connection refused) while connecting to upstream, client: 193.106.29.210, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/09/29 20:47:29 [error] 446#446: *898 connect() failed (111: Connection refused) while connecting to upstream, client: 184.105.247.195, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/09/29 21:50:21 [error] 446#446: *914 connect() failed (111: Connection refused) while connecting to upstream, client: 145.239.107.251, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164", referrer: "http://157.131.207.164:80/"
2019/09/29 21:56:44 [error] 446#446: *917 connect() failed (111: Connection refused) while connecting to upstream, client: 145.239.107.251, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/09/29 23:25:22 [error] 446#446: *923 connect() failed (111: Connection refused) while connecting to upstream, client: 1.192.193.15, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164:443"
2019/09/30 02:52:41 [error] 446#446: *935 connect() failed (111: Connection refused) while connecting to upstream, client: 198.108.66.240, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164", referrer: "http://157.131.207.164:80/"
2019/09/30 06:01:04 [error] 446#446: *945 connect() failed (111: Connection refused) while connecting to upstream, client: 128.14.209.242, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/09/30 07:46:55 [error] 446#446: *950 connect() failed (111: Connection refused) while connecting to upstream, client: 213.159.213.137, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "mydomain.net"
2019/09/30 09:35:11 [error] 446#446: *962 connect() failed (111: Connection refused) while connecting to upstream, client: 128.14.209.154, server: _, request: "GET /jira/secure/ContactAdministrators!default.jspa HTTP/1.1", upstream: "http://192.168.1.252:8282/jira/secure/ContactAdministrators!default.jspa", host: "157.131.207.164"
2019/09/30 11:27:33 [error] 446#446: *967 connect() failed (111: Connection refused) while connecting to upstream, client: 144.91.64.209, server: _, request: "GET /0015650000000.cfg HTTP/1.1", upstream: "http://192.168.1.252:8282/0015650000000.cfg", host: "157.131.207.164"
2019/09/30 11:53:00 [error] 446#446: *971 connect() failed (111: Connection refused) while connecting to upstream, client: 144.91.64.209, server: _, request: "GET /0015650000000.cfg HTTP/1.1", upstream: "http://192.168.1.252:8282/0015650000000.cfg", host: "157.131.207.164:443"
2019/09/30 14:53:39 [error] 446#446: *991 connect() failed (111: Connection refused) while connecting to upstream, client: 198.46.131.130, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/09/30 15:54:03 [error] 446#446: *994 connect() failed (111: Connection refused) while connecting to upstream, client: 198.46.131.130, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/09/30 16:51:37 [error] 446#446: *996 connect() failed (111: Connection refused) while connecting to upstream, client: 128.14.134.134, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/09/30 17:48:19 [error] 446#446: *1007 connect() failed (111: Connection refused) while connecting to upstream, client: 184.105.139.68, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/09/30 18:18:02 [error] 446#446: *1012 connect() failed (111: Connection refused) while connecting to upstream, client: 173.212.214.2, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/09/30 18:18:02 [error] 446#446: *1014 connect() failed (111: Connection refused) while connecting to upstream, client: 173.212.214.2, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/09/30 18:24:19 [error] 446#446: *1017 connect() failed (111: Connection refused) while connecting to upstream, client: 54.36.148.104, server: _, request: "GET /robots.txt HTTP/1.1", upstream: "http://192.168.1.252:8282/robots.txt", host: "mydomain.net"
2019/09/30 21:43:57 [error] 446#446: *1023 connect() failed (111: Connection refused) while connecting to upstream, client: 157.55.39.27, server: _, request: "GET /robots.txt HTTP/1.1", upstream: "http://192.168.1.252:8282/robots.txt", host: "mydomain.net"
2019/09/30 21:46:48 [error] 446#446: *1027 connect() failed (111: Connection refused) while connecting to upstream, client: 157.55.39.27, server: _, request: "GET /robots.txt HTTP/1.1", upstream: "http://192.168.1.252:8282/robots.txt", host: "mydomain.net"
2019/09/30 21:49:20 [error] 446#446: *1030 connect() failed (111: Connection refused) while connecting to upstream, client: 157.55.39.27, server: _, request: "GET /robots.txt HTTP/1.1", upstream: "http://192.168.1.252:8282/robots.txt", host: "mydomain.net"
2019/09/30 22:02:06 [error] 446#446: *1034 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 185.136.167.216, server: _, request: "GET /wordpress/wp-admin/install.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "mydomain.net"
2019/09/30 23:52:11 [error] 446#446: *1045 connect() failed (111: Connection refused) while connecting to upstream, client: 198.108.66.224, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164", referrer: "http://157.131.207.164:80/"
2019/09/30 23:55:32 [error] 446#446: *1048 connect() failed (111: Connection refused) while connecting to upstream, client: 169.197.108.6, server: _, request: "GET /secure/ContactAdministrators!default.jspa HTTP/1.1", upstream: "http://192.168.1.252:8282/secure/ContactAdministrators!default.jspa", host: "157.131.207.164", referrer: "http://157.131.207.164/secure/ContactAdministrators!default.jspa"
2019/10/01 00:33:56 [error] 446#446: *1052 connect() failed (111: Connection refused) while connecting to upstream, client: 64.233.172.146, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "mydomain.net"
2019/10/01 01:01:21 [error] 446#446: *1055 connect() failed (111: Connection refused) while connecting to upstream, client: 198.108.66.161, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/10/01 01:42:22 [error] 446#446: *1059 connect() failed (111: Connection refused) while connecting to upstream, client: 159.203.201.208, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/10/01 03:50:11 [error] 446#446: *1065 connect() failed (111: Connection refused) while connecting to upstream, client: 75.126.154.10, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "mydomain.net"
2019/10/01 03:50:12 [error] 446#446: *1068 connect() failed (111: Connection refused) while connecting to upstream, client: 75.126.154.10, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "mydomain.net"
2019/10/01 05:21:12 [error] 446#446: *1079 connect() failed (111: Connection refused) while connecting to upstream, client: 212.83.166.80, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/10/01 08:16:35 [error] 446#446: *1097 connect() failed (111: Connection refused) while connecting to upstream, client: 128.14.209.178, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.207.164"
2019/10/01 09:26:40 [error] 446#446: *1105 connect() failed (111: Connection refused) while connecting to upstream, client: 144.91.64.209, server: _, request: "GET /aastra.cfg HTTP/1.1", upstream: "http://192.168.1.252:8282/aastra.cfg", host: "157.131.207.164:443"
2019/10/02 04:28:39 [error] 362#362: *5 connect() failed (111: Connection refused) while connecting to upstream, client: 77.247.108.110, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.205.0"
2019/10/02 07:26:18 [error] 362#362: *16 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 177.36.8.226, server: _, request: "GET /wp-login.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "157-131-205-0.fiber.dynamic.sonic.net", referrer: "http://157-131-205-0.fiber.dynamic.sonic.net/wp-login.php"
2019/10/02 07:26:18 [error] 362#362: *18 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 177.36.8.226, server: _, request: "GET /wp-login.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "157-131-205-0.static.sonic.net", referrer: "http://157-131-205-0.static.sonic.net/wp-login.php"
2019/10/02 12:01:30 [error] 362#362: *31 connect() failed (111: Connection refused) while connecting to upstream, client: 178.73.215.171, server: _, request: "GET / HTTP/1.0", upstream: "http://192.168.1.252:8282/"
2019/10/02 12:36:06 [error] 362#362: *36 connect() failed (111: Connection refused) while connecting to upstream, client: 62.173.147.6, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.205.0"
2019/10/02 12:36:07 [error] 362#362: *38 connect() failed (111: Connection refused) while connecting to upstream, client: 62.173.147.6, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.205.0"
2019/10/02 20:51:04 [error] 362#362: *57 connect() failed (111: Connection refused) while connecting to upstream, client: 169.197.108.6, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "135.180.100.98"
2019/10/03 04:56:00 [error] 362#362: *74 connect() failed (111: Connection refused) while connecting to upstream, client: 62.173.147.6, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "135.180.100.98"
2019/10/03 04:56:00 [error] 362#362: *76 connect() failed (111: Connection refused) while connecting to upstream, client: 62.173.147.6, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "135.180.100.98"
2019/10/03 07:21:46 [error] 362#362: *88 connect() failed (111: Connection refused) while connecting to upstream, client: 222.165.216.42, server: _, request: "GET /struts2-rest-showcase/orders.xhtml HTTP/1.1", upstream: "http://192.168.1.252:8282/struts2-rest-showcase/orders.xhtml", host: "135.180.100.98", referrer: "http://135.180.100.98:80/struts2-rest-showcase/orders.xhtml"
2019/10/03 07:21:47 [error] 362#362: *88 connect() failed (111: Connection refused) while connecting to upstream, client: 222.165.216.42, server: _, request: "GET /index.action HTTP/1.1", upstream: "http://192.168.1.252:8282/index.action", host: "135.180.100.98", referrer: "http://135.180.100.98:80/index.action"
2019/10/03 07:21:47 [error] 362#362: *88 connect() failed (111: Connection refused) while connecting to upstream, client: 222.165.216.42, server: _, request: "GET /index.do HTTP/1.1", upstream: "http://192.168.1.252:8282/index.do", host: "135.180.100.98", referrer: "http://135.180.100.98:80/index.do"
2019/10/03 10:30:15 [error] 362#362: *96 connect() failed (111: Connection refused) while connecting to upstream, client: 159.203.201.88, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "135.180.100.98"
2019/10/03 15:47:15 [error] 362#362: *107 connect() failed (111: Connection refused) while connecting to upstream, client: 77.247.108.162, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "135.180.100.98"
2019/10/03 18:24:10 [error] 362#362: *120 connect() failed (111: Connection refused) while connecting to upstream, client: 71.6.147.254, server: _, request: "GET /favicon.ico HTTP/1.1", upstream: "http://192.168.1.252:8282/favicon.ico", host: "135.180.100.98"
2019/10/03 18:24:15 [error] 362#362: *122 connect() failed (111: Connection refused) while connecting to upstream, client: 71.6.147.254, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "135.180.100.98"
2019/10/03 18:24:20 [error] 362#362: *135 connect() failed (111: Connection refused) while connecting to upstream, client: 71.6.147.254, server: _, request: "GET /robots.txt HTTP/1.1", upstream: "http://192.168.1.252:8282/robots.txt", host: "135.180.100.98"
2019/10/03 18:24:20 [error] 362#362: *137 connect() failed (111: Connection refused) while connecting to upstream, client: 71.6.147.254, server: _, request: "GET /sitemap.xml HTTP/1.1", upstream: "http://192.168.1.252:8282/sitemap.xml", host: "135.180.100.98"
2019/10/03 18:24:20 [error] 362#362: *139 connect() failed (111: Connection refused) while connecting to upstream, client: 71.6.147.254, server: _, request: "GET /.well-known/security.txt HTTP/1.1", upstream: "http://192.168.1.252:8282/.well-known/security.txt", host: "135.180.100.98"
2019/10/03 18:24:20 [error] 362#362: *141 connect() failed (111: Connection refused) while connecting to upstream, client: 71.6.147.254, server: _, request: "GET /favicon.ico HTTP/1.1", upstream: "http://192.168.1.252:8282/favicon.ico", host: "135.180.100.98"
2019/10/03 19:11:47 [error] 365#365: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.1, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "135.180.100.98"
2019/10/03 19:11:47 [error] 365#365: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.1, server: _, request: "GET /favicon.ico HTTP/1.1", upstream: "http://192.168.1.252:8282/favicon.ico", host: "135.180.100.98"

 

Edited by vurt
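
Added example, not part of the original post or of the linuxserver.io project: a small triage script for an nginx error.log in the format shown above, grouping entries by upstream endpoint and failure reason and separating LAN clients from external ones. The sample lines are constructed (documentation-range client addresses, the upstream values from the post), and the function names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in the error.log format of the post above. Client addresses
# are documentation/private ranges; the upstream values are the ones in the post.
SAMPLE_LOG = """\
2019/09/29 02:23:18 [error] 446#446: *832 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.10, server: _, request: "GET /robots.txt HTTP/1.1", upstream: "http://192.168.1.252:8282/robots.txt", host: "mydomain.net"
2019/09/30 22:02:06 [error] 446#446: *1034 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 198.51.100.7, server: _, request: "GET /wp-login.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "mydomain.net"
2019/10/02 12:01:30 [error] 362#362: *31 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.44, server: _, request: "GET / HTTP/1.0", upstream: "http://192.168.1.252:8282/"
2019/10/03 19:11:47 [error] 365#365: *6 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.1, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "mydomain.net"
this line is not an nginx error entry
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] "
    r"\d+#\d+: (?:\*\d+ )?(?P<rest>.*)$"
)
# Trailing ", key: value" pairs; quoted values may contain commas.
FIELD_RE = re.compile(
    r', (client|server|request|upstream|host|referrer): ("[^"]*"|[^,]*)'
)
ERRNO_RE = re.compile(r"\((\d+): ([^)]+)\)")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return a dict for one error.log entry, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    fields = {key: value.strip('"') for key, value in FIELD_RE.findall(rest)}
    message = rest.split(", client: ", 1)[0]
    errno = ERRNO_RE.search(message)
    reason = f"{errno.group(2)} ({errno.group(1)})" if errno else message
    return {"ts": m.group("ts"), "level": m.group("level"), "reason": reason, **fields}


def upstream_endpoint(upstream):
    """Reduce an upstream URL to scheme://host:port so request paths do not split groups."""
    parts = urlsplit(upstream)
    return f"{parts.scheme}://{parts.netloc}" if parts.netloc else upstream


def is_lan(addr):
    """True only for RFC 1918 addresses (documentation ranges are treated as external)."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918)


def summarize(log_text):
    """Group upstream errors by (endpoint, reason); return (groups, skipped_line_count)."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "clients": set(), "lan_clients": set(),
                                  "servers": set()})
    skipped = 0
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or "upstream" not in entry:
            skipped += 1
            continue
        g = groups[(upstream_endpoint(entry["upstream"]), entry["reason"])]
        g["count"] += 1
        g["first"] = g["first"] or entry["ts"]
        g["last"] = entry["ts"]
        g["servers"].add(entry.get("server", ""))
        client = entry.get("client", "")
        g["clients"].add(client)
        if is_lan(client):
            g["lan_clients"].add(client)
    return dict(groups), skipped


def report(log_text):
    """Render the summary as text lines, most frequent failure first."""
    groups, skipped = summarize(log_text)
    lines = []
    for (endpoint, reason), g in sorted(groups.items(), key=lambda kv: -kv[1]["count"]):
        lines.append(f"{g['count']:>3}x {endpoint}  {reason}")
        lines.append(f"     {g['first']} .. {g['last']}, {len(g['clients'])} client(s), "
                     f"{len(g['lan_clients'])} on the LAN, "
                     f"server block(s): {sorted(g['servers'])}")
    lines.append(f"{skipped} line(s) skipped")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

nginx writes each of these entries only after it has accepted the client's request, so a report dominated by one endpoint with "Connection refused" points at the hop from nginx to that endpoint rather than at DNS or port forwarding. `server: _` in a group means the requests were handled by the server block whose `server_name` is `_`.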
Link to comment
16 hours ago, aptalca said:

Thanks for the kind words.

 

1) proxy_pass should use the host_ip:port for bridged containers and IP:port for any other service that may also be on a remote machine, but I have a feeling you're using macvlan (docker container has its own IP) and if that's the case, macvlan blocks connections between the container and the host (and any other container or service that is using the host's IP) as a security feature so it won't work.

2) If you're referring to incoming connections, then they all should go through letsencrypt reverse proxy. If you're referring to outgoing, then I'm currently putting them on macvlan so they have their own IP and set a LAN rule on pfsense to route their IP (source) through the WAN gateway. But I only have a couple of those (duplicati and rclone) and I don't/can't reverse proxy them due to the macvlan restriction I mentioned above.

Hi,

 

Thanks for your reply!

 

1) Ok, so what you're saying is that my letsencrypt docker, which has the following settings: custom network: proxynet (172.18.0.0/16) -> which automatically gets bridged to host_ip:180/1443, won't be able to communicate with anything on my lan via the host ip, but only other dockers connected to the same internal network of the docker host?

 

Is there any way I can make it possible to use my letsencrypter-docker for ALL things I'd like to proxy then?

I'm not 100% sure of what you mean by the macvlan, but I suppose you're referring to the internal lan inside the docker host?

Edited by sebstrgg
Link to comment
On 10/3/2019 at 7:02 PM, vurt said:

Hi everyone, my Nginx reverse proxy isn't working again. I can ping mydomain.net and I can access my external IP. I can also access my sites with internal.ip/sub.

 


PING mydomain.net (157.131.207.164): 56 data bytes
64 bytes from 157.131.207.164: icmp_seq=0 ttl=62 time=3.517 ms
64 bytes from 157.131.207.164: icmp_seq=1 ttl=62 time=3.480 ms
64 bytes from 157.131.207.164: icmp_seq=2 ttl=62 time=3.650 ms
64 bytes from 157.131.207.164: icmp_seq=3 ttl=62 time=3.880 ms
64 bytes from 157.131.207.164: icmp_seq=4 ttl=62 time=3.466 ms
64 bytes from 157.131.207.164: icmp_seq=5 ttl=62 time=3.857 ms
64 bytes from 157.131.207.164: icmp_seq=6 ttl=62 time=6.915 ms
64 bytes from 157.131.207.164: icmp_seq=7 ttl=62 time=3.207 ms
64 bytes from 157.131.207.164: icmp_seq=8 ttl=62 time=4.056 ms
^C
--- mydomain.net ping statistics ---
9 packets transmitted, 9 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 3.207/4.003/6.915/1.058 ms

 

The log doesn't indicate anything out of the ordinary:


-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=mydomain.net
SUBDOMAINS=www
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=4096
VALIDATION=dns
DNSPLUGIN=cloudflare
[email protected]
STAGING=

4096 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.mydomain.net
E-mail address entered: [email protected]
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
4096 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.mydomain.net
E-mail address entered: [email protected]
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

and I checked but there aren't new updates to the container I can try (last time this happened, an update got it working).

 

Any ideas how I can troubleshoot here or what else I can provide for help? TIA.

 

EDIT: Found nginx's error.log:

 



 

Anyone? Is reverse proxy working for everyone? Because it isn't with mine and I haven't touched my config. It just decided to stop working.

 

Log from today:

 

2019/10/06 08:00:15 [error] 362#362: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.10, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "192.168.1.252", referrer: "http://tower.local/Docker"
2019/10/06 08:00:15 [error] 362#362: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.10, server: _, request: "GET /favicon.ico HTTP/1.1", upstream: "http://192.168.1.252:8282/favicon.ico", host: "192.168.1.252"
2019/10/06 08:00:23 [error] 362#362: *9 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.10, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "192.168.1.252", referrer: "http://tower.local/Docker"

 

 

My reverse proxy config:

 

# redirect all traffic to https
server {
	listen 80;
	server_name _;
	return 301 https://$host$request_uri;
}

# main server block
server {
	listen 443 ssl default_server;

	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

#	location / {
#		try_files $uri $uri/ /index.html /index.php?$args =404;
#	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		# With php5-cgi alone:
		fastcgi_pass 127.0.0.1:9000;
		# With php5-fpm:
		#fastcgi_pass unix:/var/run/php5-fpm.sock;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}



#Config for Calibre Web
location /calibre {
		auth_basic "Restricted";
 	    auth_basic_user_file /config/nginx/.htpasswd;
 	    include /config/nginx/proxy.conf;
		proxy_pass              http://192.168.1.252:8083;
		proxy_set_header        Host            $http_host;
		proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header        X-Scheme        $scheme;
		proxy_set_header        X-Script-Name   /calibre;
	}


#Config for Radarr
 	location ^~ /radarr {
 		auth_basic "Restricted";
 		auth_basic_user_file /config/nginx/.htpasswd;
 		include /config/nginx/proxy.conf;
 		proxy_pass http://192.168.1.252:7878/radarr;
 	}

#Config for Bazarr
location /bazarr/ {
	    auth_basic "Restricted";
 	    auth_basic_user_file /config/nginx/.htpasswd;
 	    include /config/nginx/proxy.conf;
        proxy_pass              http://192.168.1.252:6767/bazarr/;
        proxy_set_header        X-Real-IP               $remote_addr;
        proxy_set_header        Host                    $http_host;
        proxy_set_header        X-Forwarded-For         $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto       $scheme;
        proxy_redirect off;
	}

#Config for Emby
 	location ^~ /emby {
 		auth_basic "Restricted";
 		auth_basic_user_file /config/nginx/.htpasswd;
 		include /config/nginx/proxy.conf;
 		proxy_pass http://192.168.1.252:8096/emby;
 	}

#Config for NZB Hydra
 	location ^~ /hydra {
 		auth_basic "Restricted";
 		auth_basic_user_file /config/nginx/.htpasswd;
 		include /config/nginx/proxy.conf;
 		proxy_pass http://192.168.1.252:5075//hydra/;
 	}

#Config for SABnzbd
 	location ^~ /sabnzbd {
 		auth_basic "Restricted";
 		auth_basic_user_file /config/nginx/.htpasswd;
 		include /config/nginx/proxy.conf;
 		proxy_pass http://192.168.1.252:8080/sabnzbd;
 	}

#Config for Sonarr
 	location ^~ /sonarr {
 		auth_basic "Restricted";
 		auth_basic_user_file /config/nginx/.htpasswd;
 		include /config/nginx/proxy.conf;
 		proxy_pass http://192.168.1.252:8989/sonarr;
 	}

#Config for Deluge
 	location ^~ /deluge {
 		auth_basic "Restricted";
 		auth_basic_user_file /config/nginx/.htpasswd;
 		include /config/nginx/proxy.conf;
 		proxy_pass http://192.168.1.252:8112/;
		proxy_set_header  X-Deluge-Base "/deluge/";
 	}
}

 

Edited by vurt
Link to comment
On 10/3/2019 at 10:02 PM, vurt said:

2019/10/02 12:36:06 [error] 362#362: *36 connect() failed (111: Connection refused) while connecting to upstream, client: 62.173.147.6, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "157.131.205.0"

It can't connect to your app at http://192.168.1.252:8282/ but you don't even show a proxy conf for that proxy address in the site conf you posted.

 

What happens when you try to access https://yourdomain from a cell phone with wifi turned off? And what happens when you go to https://externalip from a cell?

Link to comment
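Added example (not part of the thread and not linuxserver.io code): one way to run the comparison made in the reply above, collecting the upstream addresses named in nginx "connect() failed" error lines and checking them against the proxy_pass targets that are active (not commented out) in a site config. The log lines and config excerpt are constructed samples modeled on the ones posted, with client addresses from documentation ranges, and all function names are hypothetical.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed samples modeled on the log and config format in this thread.
# Client addresses use documentation ranges; they are not from the thread.
SAMPLE_ERROR_LOG = '''\
2019/10/02 12:36:06 [error] 362#362: *36 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.7, server: _, request: "GET / HTTP/1.1", upstream: "http://192.168.1.252:8282/", host: "198.51.100.20"
2019/10/02 12:36:07 [error] 362#362: *38 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.7, server: _, request: "GET /robots.txt HTTP/1.1", upstream: "http://192.168.1.252:8282/robots.txt", host: "198.51.100.20"
2019/10/02 12:40:11 [error] 362#362: *41 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.9, server: _, request: "GET /sonarr HTTP/1.1", upstream: "http://192.168.1.252:8989/sonarr", host: "example.net"
2019/10/02 12:41:00 [error] 362#362: *44 FastCGI sent in stderr: "Primary script unknown" while reading response header from upstream, client: 203.0.113.9, server: _, request: "GET /wp-login.php HTTP/1.1", upstream: "fastcgi://127.0.0.1:9000", host: "example.net"
'''

SAMPLE_SITE_CONF = '''\
server {
    listen 443 ssl default_server;
    server_name _;
    # location / {
    #     proxy_pass http://192.168.1.252:8282;   # disabled app
    # }
    location ^~ /sonarr {
        auth_basic "Restricted #1";
        proxy_pass http://192.168.1.252:8989/sonarr;
    }
}
'''

CONNECT_FAILED = re.compile(
    r'connect\(\) failed \((?P<errno>\d+): (?P<reason>[^)]*)\) '
    r'while connecting to upstream.*?upstream: "(?P<upstream>[^"]+)"'
)
PROXY_PASS = re.compile(r'\bproxy_pass\s+([^\s;]+)\s*;')
DEFAULT_PORTS = {"http": 80, "https": 443}


def endpoint(url):
    """Reduce a URL to (host, port), filling in the scheme's default port."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # non-numeric port, e.g. an nginx variable
        return None
    if parts.hostname is None:
        return None
    return parts.hostname, port or DEFAULT_PORTS.get(parts.scheme)


def strip_comments(conf_text):
    """Drop nginx comments: '#' to end of line unless inside a quoted string."""
    kept = []
    for line in conf_text.splitlines():
        quote = None
        for i, ch in enumerate(line):
            if quote:
                if ch == quote and line[i - 1] != "\\":
                    quote = None
            elif ch in "\"'":
                quote = ch
            elif ch == "#":
                line = line[:i]
                break
        kept.append(line)
    return "\n".join(kept)


def failed_upstreams(log_text):
    """Count connect() failures per upstream (host, port)."""
    counts = Counter()
    for line in log_text.splitlines():
        match = CONNECT_FAILED.search(line)
        if match:
            ep = endpoint(match.group("upstream"))
            if ep:
                counts[ep] += 1
    return counts


def active_proxy_targets(conf_text):
    """Return the (host, port) of every proxy_pass that is not commented out."""
    targets = set()
    for url in PROXY_PASS.findall(strip_comments(conf_text)):
        ep = endpoint(url)
        if ep:
            targets.add(ep)
    return targets


def undeclared_upstreams(log_text, conf_text):
    """Failing upstreams that no active proxy_pass in conf_text points at."""
    declared = active_proxy_targets(conf_text)
    return {ep: n for ep, n in failed_upstreams(log_text).items()
            if ep not in declared}


if __name__ == "__main__":
    for (host, port), n in undeclared_upstreams(SAMPLE_ERROR_LOG,
                                                SAMPLE_SITE_CONF).items():
        print(f"{host}:{port} failed {n}x but has no active proxy_pass here")
```

An endpoint reported here means the file being read is not the whole configuration nginx is serving from; running the check over the output of `nginx -T` covers included files as well.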
8 hours ago, aptalca said:

It can't connect to your app at http://192.168.1.252:8282/ but you don't even show a proxy conf for that proxy address in the site conf you posted.

 

What happens when you try to access https://yourdomain from a cell phone with wifi turned off? And what happens when you go to https://externalip from a cell?

Thanks for taking a look @aptalca.

 

http://192.168.1.252:8282/ was for Organizr, which I had disabled. I had also commented out that config in my reverse proxy. I'm not sure why it's causing that error?

 

Quote

access https://yourdomain from a cell phone with wifi turned off

"Unable to connect."

 

Quote

what happens when you go to https://externalip from a cell?

"Unable to connect."

 

 

WORKING NOW AFTER CHECKING CLOUDFLARE:

I also use the Cloudflare function with the container. I suspect the container is not updating my IP to Cloudflare's DDNS?

 

After your suggestion to connect with my external IP from my cell, I went into my Cloudflare account to take a look and realized it's pointing my domain to the wrong IP.

 

If I manually updated my IP in Cloudflare, everything works.

 

I also notice this old IP address associated with "tower" and "www":

 

[Screenshot attachment]

 

67.170.238.189 is a Comcast IP and I haven't been with them since around April.

 

Is it possible the Cloudflare part of the container is broken?

 

 

Edited by vurt
Link to comment
56 minutes ago, vurt said:

Thanks for taking a look @aptalca.

 

http://192.168.1.252:8282/ was for Organizr, which I had disabled. I had also commented out that config in my reverse proxy. I'm not sure why it's causing that error?

 

"Unable to connect."

 

"Unable to connect."

 

 

WORKING NOW AFTER CHECKING CLOUDFLARE:

I also use the Cloudflare function with the container. I suspect the container is not updating my IP to Cloudflare's DDNS?

 

After your suggestion to connect with my external IP from my cell, I went into my Cloudflare account to take a look and realized it's pointing my domain to the wrong IP.

 

If I manually updated my IP in Cloudflare, everything works.

 

I also notice this old IP address associated with "tower" and "www":

 

[Screenshot attachment]

 

67.170.238.189 is a Comcast IP and I haven't been with them since around April.

 

Is it possible the Cloudflare part of the container is broken?

 

 

This container does not update your ip on your dns provider. That's your responsibility. This container only does the domain validation through various methods (through cloudflare in your case).

Link to comment
47 minutes ago, aptalca said:

This container does not update your ip on your dns provider. That's your responsibility. This container only does the domain validation through various methods (through cloudflare in your case).

Sorry for my confusion. What is the domain validation that the container is doing through cloudflare?

 

I had a cloudflare-ddns container running before but I must've turned it off thinking this container was updating my external IP with cloudflare (because the setup asked for my cloudflare API token and my associated email).

 

So all this time I thought my Nginx wasn't working but in reality it's because Cloudflare is no longer associating my domain with my external IP because I had stupidly turned off the separate cloudflare-ddns container?

Link to comment
2 hours ago, vurt said:

Sorry for my confusion. What is the domain validation that the container is doing through cloudflare?

 

I had a cloudflare-ddns container running before but I must've turned it off thinking this container was updating my external IP with cloudflare (because the setup asked for my cloudflare API token and my associated email).

 

So all this time I thought my Nginx wasn't working but in reality it's because Cloudflare is no longer associating my domain with my external IP because I had stupidly turned off the separate cloudflare-ddns container?

It's validating your SSL certificate.

So the issue was that you turned off the container that updates Cloudflare when you get a new IP.

Link to comment
On 9/28/2019 at 8:20 AM, MothyTim said:

This is the config I've ended up with after much experimentation! Devices show up and I'm able to add them and manage them!

Cheers,

Tim


# make sure that your dns has a cname set for unms and that your unms container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name unms.YOURDOMAIN.com;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_unms unms;
        proxy_pass https://$upstream_unms:443;
        proxy_cache off;
        proxy_store off;
        proxy_buffering off;

        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Referer "";

        client_max_body_size 0;
    }

}

 

Anyone else have luck setting up letsencrypt and unms? I have both services running in docker containers. If I send a websocket request (curl --insecure --include --no-buffer --header "Connection: Upgrade" --header "Upgrade: websocket" --header "Host: example.com:80" --header "Origin: http://example.com:80" --header "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" --header "Sec-WebSocket-Version: 13" https://192.168.x.x:443/) then the nginx service within the letsencrypt container just redirects me to its default home page instead of the unms container. If I use a regular https request then I do get redirected to the unms container (the login page). So something is weird with trying to connect as a websocket container which is needed for discovery. I tried the setting above too but no luck.

Edited by dandiodati
Link to comment

I have my own domain through Google and a static IP for my server. I am following spaceinvaderone's guide to set up letsencrypt, and when I check my log files like he says, all my subdomains come back with

 

Error: Challenge failed for domain my.example.of.domain

 

Then further in the log files, under important notes, it says no valid IP addresses found for each subdomain.

Link to comment
12 minutes ago, Alec.Dalessandro said:

I have my own domain through Google and a static IP for my server. I am following spaceinvaderone's guide to set up Let's Encrypt, and when I check my log files like he says, all my subdomains come back with

 

Error: Challenge failed for domain my.example.of.domain

 

Then further in the log files, under important notes, it says no valid IP addresses found for each subdomain.

I'm a newbie too, but here are a few things I had to check when I set this up a couple of months ago.

 

Have you set up your google domain records to point back to your static IP address?

 

I used cloudflare as per the excellent spaceinvader tutorial and all works fine with dns validation.

Check that you have set the top level domain name in the letsencrypt container settings. i.e. if your domain is 'example.domain' and you are creating a certificate for the subdomain 'my.example.domain' then the docker container setting for domain name would be 'example.domain'

 

Also make sure your router/firewall is forwarding traffic, so from your router/firewall port 443 should be forwarded to your local unraid server ip address port 1443 or whatever port number you specified in the docker container settings under 'https'

 

Hope that helps

 

Link to comment
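The DNS checks suggested in the reply above can be run as a pre-flight before the container requests certificates. This is an added example, not part of any post or of the linuxserver image: `build_fqdns`, `preflight`, the sample zone and its addresses are all constructed for illustration, and the top-level domain plus comma-separated subdomain list mirror the container settings described in the reply.

```python
import socket

def build_fqdns(domain, subdomains, only_subdomains=False):
    """Expand the top-level domain and subdomain list into the names that get validated."""
    names = [] if only_subdomains else [domain]
    names += [f"{s.strip()}.{domain}" for s in subdomains.split(",") if s.strip()]
    return names

def system_resolver(name):
    """Return the set of A/AAAA addresses for a name, or an empty set if none exist."""
    try:
        infos = socket.getaddrinfo(name, 443, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return set()
    return {info[4][0] for info in infos}

def preflight(domain, subdomains, expected_ip, resolver=system_resolver,
              only_subdomains=False):
    """Classify each name as 'ok', 'no-record' or 'wrong-ip'."""
    report = {}
    for name in build_fqdns(domain, subdomains, only_subdomains):
        addrs = resolver(name)
        if not addrs:
            # No A/AAAA record: the "no valid IP addresses found" case from the log
            report[name] = "no-record"
        elif expected_ip not in addrs:
            # Record exists but points elsewhere, e.g. after the public IP changed
            report[name] = "wrong-ip"
        else:
            report[name] = "ok"
    return report

# Constructed sample zone using documentation address ranges
SAMPLE_ZONE = {
    "example.domain": {"203.0.113.10"},
    "my.example.domain": {"203.0.113.10"},
    "old.example.domain": {"198.51.100.7"},
}

def sample_resolver(name):
    return SAMPLE_ZONE.get(name, set())

if __name__ == "__main__":
    result = preflight("example.domain", "my,old,missing", "203.0.113.10",
                       resolver=sample_resolver)
    for name, status in result.items():
        print(f"{status:10} {name}")
```

With the default `system_resolver` the answers come from the local resolver, so a LAN with split-horizon DNS can report addresses that differ from what the certificate authority sees from outside.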
10 minutes ago, Alec.Dalessandro said:

I have set the domain name in the container to my domain. Following your example I set it to 'example.domain' and I have set the port correctly to the forwarded ports for http and https.

 

I guess the only thing I am missing is to set my google domain records to point back to my static IP. Would that be what cloudflare is doing?

See here:

https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/

And here:

https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

Link to comment

I'm having trouble with Let's Encrypt. It was working fine, but I have just changed to an ISP that does not include a static IP.
I set up Cloudflare DNS and Cloudflare points to my IP address. I have a file and a www that point to the IP.
Let's Encrypt says it's not correct at Cloudflare, that it doesn't have an A or CNAME. It does.


Sent from my iPhone using Tapatalk

Link to comment
