[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



5 hours ago, war1000 said:

Thanks for the reply. No I am testing from within my network. I will test it via the phone tonight. 

 

My network setup is pretty standard, 5 computers behind the router. 3 plugged into the router and 2 laptops (there are also phones). 1 server (UnRaid), 1 pc (Windows 10), 1 raspberry pi (Hassio), 2 laptops (Windows 10). I have a laptop that I can use to tether with the phone. Before I do this, I have disconnected hassio so it doesn't ping out when I test. I am also going to redo the nextcloud configs to make it match the spaceinvader setup. I will post the setting here for review.

Fyi, your sonarr is accessible from the internet. Everything works properly. Your issue is hairpin nat or nat loopback.

 

PS. Don't forget to enable http auth for sonarr or you might notice strange shows added to your library ;-)

Link to comment

Darn, and here I was trying out those answers in case it helped my case! :(

 

Any ideas what might be wrong with my logic and setup? I don't remember having to move or configure anything to indicate where the certificates are generated, could this explain why they can't be found?

 

Happy to post any logs or configs that might help figure this out.

Link to comment
15 hours ago, Marshalleq said:

For within your network, it's likely best to create a static DNS record, with the same domain name you're using and point that at your INTERNAL nextcloud / unraid address.

 

Thank you for the reply!

 

How do I create a static dns record? I have done the following in the UnRaid server. 

[screenshot]

 

Then in the router I have done the following through the DHCP List:

[screenshot]

 

So:

  1. Unraid needs to have the correct IP for the domain ---> I think this has been done.
  2. Cloudflare needs to have the correct IP for the domain ---> This is done using the DNS pointing to irisnet.
  3. The proxy setting in cloudflare should be off ---> Done
  4. You need to give it time for the new cloudflare setting to propagate to the DNS servers on the internet (which will include the DNS server at whatever phone provider you are using AND the DNS server that your home router is using) ---> so far 24 hours. so I think this is done now.
  5. Internal devices either need the internal DNS updated or some router trickery which you may or may not have, which is why I suggest adding this manually for now ---> This one I am not sure if I am doing this right or not. Because I thought this was done with the Virtual server rules, which I did.

@aptalca, hahahaha....how did you know I love my little pony?!!! good one! Ok so if you were able to access it, did you use the sonarr.irisnet.ga? or some other way? I enabled the auth now. Would you also mind trying nextcloud.irisnet.ga? I am going to read up on the nat loopback.

 

Thanks a lot for your help guys! even if I can't get it right, I am still learning new things! That is progress!

 

Link to comment
8 minutes ago, war1000 said:

Thank you for the reply!

 

How do I create a static dns record? I have done the following in the UnRaid server. 

[screenshot]

 

Then in the router I have done the following through the DHCP List:

[screenshot]

 

So:

  1. Unraid needs to have the correct IP for the domain ---> I think this has been done.
  2. Cloudflare needs to have the correct IP for the domain ---> This is done using the DNS pointing to irisnet.
  3. The proxy setting in cloudflare should be off ---> Done
  4. You need to give it time for the new cloudflare setting to propagate to the DNS servers on the internet (which will include the DNS server at whatever phone provider you are using AND the DNS server that your home router is using) ---> so far 24 hours. so I think this is done now.
  5. Internal devices either need the internal DNS updated or some router trickery which you may or may not have, which is why I suggest adding this manually for now ---> This one I am not sure if I am doing this right or not. Because I thought this was done with the Virtual server rules, which I did.

@aptalca, hahahaha....how did you know I love my little pony?!!! good one! Ok so if you were able to access it, did you use the sonarr.irisnet.ga? or some other way? I enabled the auth now. Would you also mind trying nextcloud.irisnet.ga? I am going to read up on the nat loopback.

 

Thanks a lot for your help guys! even if I can't get it right, I am still learning new things! That is progress!

 

Ok I just confirmed this by using the phone that I can now reach both sonarr and nextcloud....so it must be the nat loopback issue because I can't connect from inside the network.

Link to comment

I've been poking all round your emulator trying to find a loopback / multi-homed thing or perhaps even a DNS rebind and not found anything.  I've also looked in the software for custom DNS records which is also not available.

 

Someone else may have better luck than me, but to be honest this is not uncommon with consumer routers.  Which is why DD-WRT was born - you can flash your router with firmware that does have these kinds of features.  The router compatibility list is here: https://wiki.dd-wrt.com/wiki/index.php/Supported_Devices#TRENDnet

 

It appears your router is still a work in progress, but perhaps you can have a poke around there - they may have a working beta or something.

 

So for you, the best thing will be to put the settings manually into the hosts files of your internal computers.  Or get a different router firewall.  If you want to go the whole hog you can get your own firewall like opnsense.  Or take your luck with another consumer router.

 

Sorry to be the bearer of bad news.

Link to comment
2 hours ago, Marshalleq said:

I've been poking all round your emulator trying to find a loopback / multi-homed thing or perhaps even a DNS rebind and not found anything.  I've also looked in the software for custom DNS records which is also not available.

 

Someone else may have better luck than me, but to be honest this is not uncommon with consumer routers.  Which is why DD-WRT was born - you can flash your router with firmware that does have these kinds of features.  The router compatibility list is here: https://wiki.dd-wrt.com/wiki/index.php/Supported_Devices#TRENDnet

 

It appears your router is still a work in progress, but perhaps you can have a poke around there - they may have a working beta or something.

 

So for you, the best thing will be to put the settings manually into the hosts files of your internal computers.  Or get a different router firewall.  If you want to go the whole hog you can get your own firewall like opnsense.  Or take your luck with another consumer router.

 

Sorry to be the bearer of bad news.

Thank you for all your research and response. I will go with the host file. I do have an Archer C2600 that is serving as an extender that I could flash with wrt but I need to take a break for a few days before I do that lol. I found the instructions here for the host file: 

so basically add the two hosts with the same ip in the file?

 

Ok I added using the user script. But it didn't work...:(

Link to comment
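Marshalleq's workaround above (hosts-file entries on each internal machine) and war1000's follow-up question (both names on one line with the same LAN IP) as an added example; this is not code from the thread or from the SWAG project, and the hostnames and addresses are constructed placeholders. The function removes any stale mapping for the same names, refuses a non-RFC 1918 address (the override exists precisely to avoid the public address), and is idempotent, so it is safe to run from a script at every boot.

```python
"""Add a LAN-side hosts-file override for names that public DNS resolves to
the router's WAN address, so clients inside the network reach the server
directly instead of relying on NAT loopback.

Added example, not code from the thread or from the SWAG project. The
hostnames and addresses below are constructed placeholders.
"""
from ipaddress import ip_address, ip_network

# RFC 1918 ranges: the override only makes sense for an address inside the LAN.
PRIVATE_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Constructed hosts file: 'nextcloud' still points at a stale public address.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
203.0.113.10 nextcloud.example.test   # stale public entry
"""


def _fields(line):
    """Split a hosts line into its address/name tokens, ignoring comments."""
    return line.split("#", 1)[0].split()


def hosts_with_override(hosts_text, internal_ip, names):
    """Return hosts_text with every name in `names` mapped to internal_ip.

    Older mappings for those names are removed so the override is
    unambiguous, and the result is idempotent: applying it twice yields the
    same text.
    """
    if not any(ip_address(internal_ip) in net for net in PRIVATE_NETS):
        raise ValueError(f"{internal_ip} is not an RFC 1918 address")
    wanted = {n.lower() for n in names}
    kept = []
    for line in hosts_text.splitlines():
        tokens = _fields(line)
        if len(tokens) >= 2:
            remaining = [h for h in tokens[1:] if h.lower() not in wanted]
            if not remaining:
                continue  # the line only mapped our names: drop it
            if len(remaining) != len(tokens) - 1:
                # the line also mapped other names: strip just ours
                line = tokens[0] + " " + " ".join(remaining)
        kept.append(line)
    kept.append(
        f"{internal_ip} {' '.join(names)}  # LAN override (no NAT loopback on router)"
    )
    return "\n".join(kept) + "\n"


def resolve_from_hosts(hosts_text, name):
    """First address the hosts text gives for `name`, or None."""
    for line in hosts_text.splitlines():
        tokens = _fields(line)
        if len(tokens) >= 2 and name.lower() in (h.lower() for h in tokens[1:]):
            return tokens[0]
    return None


if __name__ == "__main__":
    updated = hosts_with_override(
        SAMPLE_HOSTS, "192.168.1.20",
        ["sonarr.example.test", "nextcloud.example.test"],
    )
    print(updated)
```

Write the returned text back to the machine's hosts file (on Windows that is the System32\drivers\etc\hosts file, on Linux /etc/hosts) from a script run with the needed privileges; because the function is idempotent it can be re-run whenever the server's LAN address changes.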
On 10/24/2019 at 4:40 PM, war1000 said:

Thank you for all your research and response. I will go with the host file. I do have an Archer C2600 that is serving as an extender that I could flash with wrt but I need to take a break for a few days before I do that lol. I found the instructions here for the host file: 

so basically add the two hosts with the same ip in the file?

 

Ok I added using the user script. But it didn't work...:(

So just to kind of conclude on this, my friend who is in IT Infrastructure had been dissing me for a while for not getting an ASUS router. So I finally pulled the trigger and got one today. Configured everything almost the same as my Trendnet router....and now I can access the sites from within my network....so I suppose all it required was money!!! lol...I don't know how else to explain it.

Link to comment

Updated the container this morning and now getting:
 

nginx: [emerg] dlopen() "/var/lib/nginx/modules/ngx_stream_geoip2_module.so" failed (Error loading shared library /var/lib/nginx/modules/ngx_stream_geoip2_module.so: No such file or directory) in /etc/nginx/modules/stream_geoip2.conf:1

 

Checked and the module is in fact missing.  Any ideas?

Link to comment
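A preflight check for the failure ksarnelli hit, as an added example (not code from the thread or from the SWAG image): every `load_module` directive in the nginx module configs is parsed and the shared object it names is checked for existence, which is the condition nginx itself reports as `[emerg] dlopen() ... No such file or directory`. `nginx -t` performs this check as part of a full config test; the script shows that part in isolation. The conf and module paths in the sample are the ones in the error message above; the "present" module name is a placeholder.

```python
"""Preflight check for nginx dynamic modules: confirm that every shared object
named by a load_module directive exists before nginx is (re)started.

Added example, not from the thread or the SWAG image. The conf path and the
geoip2 module path are those quoted in the error above; ngx_http_example_module
is a placeholder name.
"""
import os
import re
import tempfile

LOAD_MODULE_RE = re.compile(r'^\s*load_module\s+"?([^";\s]+)"?\s*;')


def parse_load_modules(conf_text):
    """Module paths named by load_module directives, in file order (comments ignored)."""
    paths = []
    for line in conf_text.splitlines():
        m = LOAD_MODULE_RE.match(line.split("#", 1)[0])
        if m:
            paths.append(m.group(1))
    return paths


def missing_modules(conf_files, exists=os.path.exists):
    """conf_files maps conf path -> text. Returns (conf_path, module_path) pairs
    whose module file is absent. `exists` is injectable so the logic can be
    tested without touching the filesystem."""
    missing = []
    for conf_path, text in conf_files.items():
        for so in parse_load_modules(text):
            if not exists(so):
                missing.append((conf_path, so))
    return missing


def check_conf_dir(conf_dir, exists=os.path.exists):
    """Read every *.conf in conf_dir and report modules that would make nginx
    refuse to start with [emerg]."""
    confs = {}
    for name in sorted(os.listdir(conf_dir)):
        if name.endswith(".conf"):
            path = os.path.join(conf_dir, name)
            with open(path) as fh:
                confs[path] = fh.read()
    return missing_modules(confs, exists)


def demo():
    """Recreate the thread's situation in a temp dir: stream_geoip2.conf
    references a module whose .so is not on disk; returns the missing paths."""
    with tempfile.TemporaryDirectory() as root:
        mod_dir = os.path.join(root, "modules")
        conf_dir = os.path.join(root, "conf")
        os.makedirs(mod_dir)
        os.makedirs(conf_dir)
        present = os.path.join(mod_dir, "ngx_http_example_module.so")  # placeholder
        absent = os.path.join(mod_dir, "ngx_stream_geoip2_module.so")
        open(present, "wb").close()  # the "installed" module
        with open(os.path.join(conf_dir, "http_example.conf"), "w") as fh:
            fh.write(f'load_module "{present}";\n')
        with open(os.path.join(conf_dir, "stream_geoip2.conf"), "w") as fh:
            fh.write(f"load_module {absent};\n")
        return [so for _, so in check_conf_dir(conf_dir)]


if __name__ == "__main__":
    for so in demo():
        print("missing module:", so)
```

Run against the real tree with `check_conf_dir("/etc/nginx/modules")` inside the container; an empty list means the dlopen step will succeed, which is the point to run `nginx -t` for the rest of the config.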
1 hour ago, ksarnelli said:

Updated the container this morning and now getting:
 


nginx: [emerg] dlopen() "/var/lib/nginx/modules/ngx_stream_geoip2_module.so" failed (Error loading shared library /var/lib/nginx/modules/ngx_stream_geoip2_module.so: No such file or directory) in /etc/nginx/modules/stream_geoip2.conf:1

 

Checked and the module is in fact missing.  Any ideas?

Already fixed and new image pushed.

Link to comment
14 hours ago, war1000 said:

So just to kind of conclude on this, my friend who is in IT Infrastructure had been dissing me for a while for not getting an ASUS router. So I finally pulled the trigger and got one today. Configured everything almost the same as my Trendnet router....and now I can access the sites from within my network....so I suppose all it required was money!!! lol...I don't know how else to explain it.

Yeah - those routers do the loopback / rebind thing we've been talking about.  Your hosts file should have worked too, but this is even better.  Also the Asus usually do take the WRT.  The Archer if I recall correctly is actually even better than the Asus in terms of its hardware so that could have also been an option.  Great that it's sorted!

Link to comment
7 hours ago, j0nnymoe said:

Already fixed and new image pushed.

Hi Jonny,

Is there a way to force update the image? I check for updates but none are available. This is killing access to all my dockers from outside the network!

Alternatively, is there a way to revert to an old version?

Link to comment
49 minutes ago, nikizm said:

Hi Jonny,

Is there a way to force update the image? I check for updates but none are available. This is killing access to all my dockers from outside the network!

Alternatively, is there a way to revert to an old version?

I had the same problem and found the way to fix it.

Go to the UNRAID docker page, change the view from basic to advanced with the button in the upper-right corner, then you will see there is a "force update" for every docker container. Force update letsencrypt and the issue is resolved!

Link to comment
4 hours ago, nikizm said:

Hi Jonny,

Is there a way to force update the image? I check for updates but none are available. This is killing access to all my dockers from outside the network!

Alternatively, is there a way to revert to an old version?

For future reference, if you ever need to do this: edit the container in question, then look for "Repository". Usually this is something like "linuxserver/letsencrypt" or "linuxserver/letsencrypt:latest". Go to that repository on DockerHub and click the "Tags" tab under the name. You'll see a whole pile of things, but we're looking for something like "0.39.0-ls69". Note the most recent version (synonymous with "latest") and just work backwards, noting the tag. If you want to revert to an earlier version, add/edit the text after the ":" in the container edit screen to include the tag you chose from DockerHub.

 

Will look like "linuxserver/letsencrypt:0.39.0-ls69". Then save and the prior version will be called up.

Note that with a specific version selected in this way it will never show that updates are available (you are current on that version!) so you will need to check back periodically to see if the issue is fixed.

Link to comment

Hi everybody,

 

I seem to have an issue with my letsencrypt. It has been working without a flaw for the last year and now it just stopped. I did not change anything.

The subdomains just come back as: ERR_CONNECTION_REFUSED

I tried updating the container, and also force updating, but it is up to date.

I don't get any errors in the log except the ones about "lua" that have been discussed in this thread to be "harmless".

 

Any ideas where I can start to troubleshoot?

 

Edit: Could this be a time-zone issue? As we had the daylight saving time change tonight in our timezone?

 

Acid

Link to comment

I am trying to set up fail2ban with the nextcloud, letsencrypt and OnlyOffice Document Server dockers (Nextcloud, letsencrypt & ONLYOFFICE currently work perfectly). When I look at Nextcloud's log file it shows all logins are coming from a single IP, probably because of the letsencrypt reverse proxy. So I found this page but it says I need a subscription to view it.

 

[screenshot]

 

Can anyone help with allowing the reverse proxy to pass the client IP so I can configure fail2ban to work using this as a rough guide:

 

https://dennisnotes.com/note/20180831-nextcloud-docker-nginx-reverse-proxy/

 

Are these the lines that I need to add to the letsencrypt conf file for nextcloud that will do the client IP passthrough?

 

proxy_set_header X-Real-IP $remote_addr; 
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
proxy_set_header X-Forwarded-Proto $scheme;

Do I need to add all three or just one or etc? I am not exactly sure what they do which is why I don't want to add them....

Link to comment
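The reason the three `proxy_set_header` lines matter for fail2ban, shown as an added example (not code from the thread, from nraygun's setup or from the SWAG project): once the proxy forwards `X-Forwarded-For`, the backend log can carry the real client address, but that header is attacker-supplied except for the hop the trusted proxy itself appended, which `$proxy_add_x_forwarded_for` places last. A filter that trusts the header from any source, or reads its first entry, can be steered into banning an innocent address. The script parses constructed nginx-style log lines (combined format with the header value appended in quotes, an assumed `log_format`), takes the last forwarded address only when the connection came from the proxy network, and counts failed logins per client. The proxy subnet, paths and addresses are placeholders. On the Nextcloud side the equivalent is to list the proxy in `trusted_proxies` in config.php so its own log records the forwarded address.

```python
"""Pick the real client address behind a reverse proxy and count failed logins
per client, the way a fail2ban filter needs to.

Added example, not from the thread or the SWAG project. Log lines are
constructed; the format is assumed to be nginx combined format with
"$http_x_forwarded_for" appended as a final quoted field. The proxy subnet is
a placeholder for wherever the letsencrypt/SWAG container lives.
"""
import re
from collections import Counter
from ipaddress import ip_address, ip_network

TRUSTED_PROXIES = [ip_network("172.18.0.0/16")]  # assumed docker network of the proxy
FAIL_THRESHOLD = 3

LINE_RE = re.compile(
    r'^(?P<remote>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

# Constructed log: three failures via the proxy from 198.51.100.7 (one with a
# forged leading hop), one LAN success, and three direct hits that forge
# X-Forwarded-For to blame the LAN client 192.168.1.50.
SAMPLE_LOG = """\
172.18.0.5 - - [27/Oct/2019:16:24:14 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.66" "198.51.100.7"
172.18.0.5 - - [27/Oct/2019:16:24:15 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.66" "198.51.100.7"
172.18.0.5 - - [27/Oct/2019:16:24:16 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.66" "10.0.0.1, 198.51.100.7"
172.18.0.5 - - [27/Oct/2019:16:24:20 +0000] "POST /login HTTP/1.1" 200 512 "-" "Mozilla/5.0" "192.168.1.50"
203.0.113.9 - - [27/Oct/2019:16:25:01 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.66" "192.168.1.50"
203.0.113.9 - - [27/Oct/2019:16:25:02 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.66" "192.168.1.50"
203.0.113.9 - - [27/Oct/2019:16:25:03 +0000] "POST /login HTTP/1.1" 401 0 "-" "curl/7.66" "192.168.1.50"
"""


def is_trusted_proxy(addr):
    """True if the connecting address is inside a proxy network we control."""
    return any(ip_address(addr) in net for net in TRUSTED_PROXIES)


def client_ip(remote, xff):
    """The address to hold accountable for a request.

    X-Forwarded-For is client-controlled except for the entry the trusted proxy
    appended ($proxy_add_x_forwarded_for puts it last). If the request did not
    arrive through the proxy, the header is ignored entirely.
    """
    if not is_trusted_proxy(remote) or not xff or xff == "-":
        return remote
    return xff.split(",")[-1].strip()


def parse_line(line):
    """Dict of the fields we need, or None for a line in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def failed_login_counts(log_text):
    """Failed login attempts (HTTP 401 on POST /login) per real client address."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["status"] == "401" and rec["request"].startswith("POST /login"):
            counts[client_ip(rec["remote"], rec["xff"])] += 1
    return counts


def addresses_to_ban(log_text, threshold=FAIL_THRESHOLD):
    """Sorted client addresses at or over the failure threshold."""
    return sorted(ip for ip, n in failed_login_counts(log_text).items() if n >= threshold)


if __name__ == "__main__":
    print(failed_login_counts(SAMPLE_LOG))
    print("ban:", addresses_to_ban(SAMPLE_LOG))
```

With the sample input the result is a ban for 198.51.100.7 and for 203.0.113.9, while 192.168.1.50 is never counted; a filter that read the header from the direct connections would have banned the LAN client instead of the source of the attempts.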
12 minutes ago, nraygun said:

Sorry. Wasn't sure which NGINX was affected. From what I can tell NGINX is in the Nextcloud docker and in the Letsencrypt docker.

Can someone answer the question in the context of Letsencrypt? Does it even apply?

It affects every combination of php-fpm and nginx. Packages are updated in the nextcloud, nginx and letsencrypt containers.

Link to comment
