[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Hello there. Unsure if this is the most appropriate place to ask but I guess it's worth a try.

I keep getting "Challenge failed for domain.." in the initial setup validation and I suspect I'm messing up with the port-forwarding somewhere along my network.

-Following SpaceInvaderOnes' guide on Letsencrypt I have http pointing to 180 and https to 1443.

-I have an "obligatory" modem provided by my ISP (Technicolor TG789vac v2) which does not allow/provide an option to switch to bridge mode due to some kind of conflict with VoIP. My port settings are visible in image 1.

-I have a Mikrotik hEX PoE Routerboard with port settings visible in image 2, or as follows:

/ip firewall nat
add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=80 dst-address=!192.168.88.1 protocol=tcp dst-address-type=local to-addresses=192.168.88.88 to-ports=180
add action=dst-nat chain=dstnat comment=Letsencrypt dst-port=443 dst-address=!192.168.88.1 protocol=tcp dst-address-type=local to-addresses=192.168.88.88 to-ports=1443

/ip firewall nat
add action=masquerade chain=srcnat comment=Letsencrypt dst-port=180,1443 dst-address=192.168.88.88 protocol=tcp

Where 192.168.88.1 points to the Mikrotik router and 192.168.88.88 points to Unraid.

Any ideas on where I might be messing up?

Please ask if additional info might be required. Appreciate your time and effort.

Image 1.png

Image2.png

1 hour ago, Tzundoku said:
In the Mikrotik you should port forward 180 to 180 and 1443 to 1443, as you already port forwarded from 80 to 180 and 443 to 1443 in your ISP modem. With the forwarding you set up now, all traffic is lost between the modem and your router.
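To see why the posted rules lose the challenge, here is an added example (not from the thread) that replays an inbound port-80 and port-443 probe through both NAT hops in Python, once with the Mikrotik rules as posted and once with the 180->180 / 1443->1443 rules suggested above; the modem-facing address of the Mikrotik is not in the post, so it is a labelled placeholder.

```python
"""Trace a public port through the modem -> Mikrotik -> Unraid NAT chain.

Added example, not part of the thread: a minimal model of destination NAT
that replays an inbound HTTP-01 probe to port 80 (and the 443 path) through
the ISP modem and then the Mikrotik, with the rules as posted and with the
corrected 180->180 / 1443->1443 rules.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The post does not give the Mikrotik's modem-facing address; placeholder.
MIKROTIK_WAN = "<mikrotik-wan-ip>"
UNRAID = "192.168.88.88"


@dataclass(frozen=True)
class DstNatRule:
    """One dst-nat rule: match the destination port as it arrives, rewrite host:port."""
    match_port: int
    to_addr: str
    to_port: int


def apply_hop(dst_port: int, rules: List[DstNatRule]) -> Optional[Tuple[str, int]]:
    """Return the rewritten (addr, port) of the first matching rule, or None if nothing matches."""
    for rule in rules:
        if rule.match_port == dst_port:
            return rule.to_addr, rule.to_port
    return None


def trace(public_port: int, hops: List[List[DstNatRule]]) -> Optional[Tuple[str, int]]:
    """Follow a packet addressed to public_port through each NAT hop in order.

    Each hop only sees the destination port the previous hop wrote, which is
    the detail the posted Mikrotik rules miss. None means the packet never
    reaches a forwarded destination (dropped, or handled by the router itself).
    """
    dst_port = public_port
    dst: Optional[Tuple[str, int]] = None
    for rules in hops:
        dst = apply_hop(dst_port, rules)
        if dst is None:
            return None
        dst_port = dst[1]
    return dst


# ISP modem as described: 80 -> 180 and 443 -> 1443 towards the Mikrotik.
MODEM = [DstNatRule(80, MIKROTIK_WAN, 180), DstNatRule(443, MIKROTIK_WAN, 1443)]

# Mikrotik rules as posted: they match dst-port 80/443, but the modem has
# already rewritten those to 180/1443. (The dst-address and dst-address-type
# qualifiers of the original rules are not modelled; they do not change the
# port mismatch.)
MIKROTIK_POSTED = [DstNatRule(80, UNRAID, 180), DstNatRule(443, UNRAID, 1443)]

# Mikrotik rules as advised: forward 180 -> 180 and 1443 -> 1443.
MIKROTIK_FIXED = [DstNatRule(180, UNRAID, 180), DstNatRule(1443, UNRAID, 1443)]


def posted_path(public_port: int) -> Optional[Tuple[str, int]]:
    """Where a packet to public_port ends up with the rules as posted."""
    return trace(public_port, [MODEM, MIKROTIK_POSTED])


def fixed_path(public_port: int) -> Optional[Tuple[str, int]]:
    """Where the same packet ends up after the Mikrotik rules are corrected."""
    return trace(public_port, [MODEM, MIKROTIK_FIXED])


if __name__ == "__main__":
    for port in (80, 443):
        print(f"port {port}: posted -> {posted_path(port)}, fixed -> {fixed_path(port)}")
```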

3 hours ago, Tzundoku said:
After following @saarg's advice, use this to confirm: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/


Hi,

I'm trying to move my Nextcloud setup from a subfolder setup to a dedicated subdomain using a CNAME record pointing to my DNS.

But I'm struggling to get this to work.

Here are the files I adjusted, maybe someone can have a look at this please:

Letsencrypt container:

config\nginx\proxy-confs\nextcloud.subdomain.conf

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud Nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
}

Letsencrypt container:

config\nginx\site-confs\default

# redirect all traffic to https
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;
	return 301 https://$host$request_uri;
}

# main server block
server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;

	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	# enable subfolder method reverse proxy confs
	#include /config/nginx/proxy-confs/*.subfolder.conf;

	# all ssl related config moved to ssl.conf
	include /config/nginx/ssl.conf;

	# enable for ldap auth
	#include /config/nginx/ldap.conf;

	client_max_body_size 0;

	location / {
		try_files $uri $uri/ /index.html /index.php?$args =404;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}
}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

Nextcloud container:

config\nginx\site-confs\default

upstream php-handler {
    server 127.0.0.1:9000;
    # server unix:/var/run/php/php7.2-fpm.sock;
}

server {
    listen 80;
    # listen [::]:80;
    server_name cloud.*;
    # enforce https
    return 301 https://$server_name:443$request_uri;
}

server {
    listen 443 ssl http2;
    # listen [::]:443 ssl http2;
    server_name cloud.*;

    # Use Mozilla's guidelines for SSL/TLS settings
    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
    # NOTE: some settings below might be redundant  
    ssl_certificate /config/keys/cert.crt;
    ssl_certificate_key /config/keys/cert.key;

    # Add headers to serve security related headers
    # Before enabling Strict-Transport-Security headers please read into this
    # topic first.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
    #
    # WARNING: Only add the preload option once you read about
    # the consequences in https://hstspreload.org/. This option
    # will add the domain to a hardcoded list that is shipped
    # in all major browsers and getting removed from this list
    # could take several months.
    add_header Referrer-Policy "no-referrer" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Download-Options "noopen" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Permitted-Cross-Domain-Policies "none" always;
    add_header X-Robots-Tag "none" always;
    add_header X-XSS-Protection "1; mode=block" always;

    # Remove X-Powered-By, which is an information leak
    fastcgi_hide_header X-Powered-By;

    # Fetch forwarded remote IP address instead of IP address of docker0 bridge interface
    real_ip_header X-Forwarded-For;
    set_real_ip_from 172.17.0.0/16;
    real_ip_recursive on;

    # Path to the root of your installation
    root /config/www/nextcloud;

    location = /robots.txt {
        allow all;
        log_not_found off;
        access_log off;
	}

    # The following 2 rules are only needed for the user_webfinger app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/host-meta /nextcloud/public.php?service=host-meta last;
    #rewrite ^/.well-known/host-meta.json /nextcloud/public.php?service=host-meta-json last;

    # The following rule is only needed for the Social app.
    # Uncomment it if you're planning to use this app.
    #rewrite ^/.well-known/webfinger /nextcloud/public.php?service=webfinger last;

    location = /.well-known/carddav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }
    location = /.well-known/caldav {
      return 301 $scheme://$host:$server_port/remote.php/dav;
    }

    # set max upload size
    client_max_body_size 10G;
    fastcgi_buffers 64 4K;

    # Enable gzip but do not remove ETag headers
    gzip on;
    gzip_vary on;
    gzip_comp_level 4;
    gzip_min_length 256;
    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;

    # Uncomment if your server is build with the ngx_pagespeed module
    # This module is currently not supported.
    #pagespeed off;

    location / {
        rewrite ^ /index.php;
    }

    location ~ ^\/(?:build|tests|config|lib|3rdparty|templates|data)\/ {
        deny all;
    }
    location ~ ^\/(?:\.|autotest|occ|issue|indie|db_|console) {
        deny all;
    }

    location ~ ^\/(?:index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+)\.php(?:$|\/) {
        fastcgi_split_path_info ^(.+?\.php)(\/.*|)$;
        set $path_info $fastcgi_path_info;
        try_files $fastcgi_script_name =404;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_param PATH_INFO $path_info;
        fastcgi_param HTTPS on;
        # Avoid sending the security headers twice
        fastcgi_param modHeadersAvailable true;
        # Enable pretty urls
        fastcgi_param front_controller_active true;
        fastcgi_pass php-handler;
        fastcgi_intercept_errors on;
        fastcgi_request_buffering off;
    }

    location ~ ^\/(?:updater|oc[ms]-provider)(?:$|\/) {
        try_files $uri/ =404;
        index index.php;
    }

    # Adding the cache control header for js, css and map files
    # Make sure it is BELOW the PHP block
    location ~ \.(?:css|js|woff2?|svg|gif|map)$ {
        try_files $uri /index.php$request_uri;
        add_header Cache-Control "public, max-age=15778463";
        # Add headers to serve security related headers (It is intended to
        # have those duplicated to the ones above)
        # Before enabling Strict-Transport-Security headers please read into
        # this topic first.
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
        #
        # WARNING: Only add the preload option once you read about
        # the consequences in https://hstspreload.org/. This option
        # will add the domain to a hardcoded list that is shipped
        # in all major browsers and getting removed from this list
        # could take several months.
        add_header Referrer-Policy "no-referrer" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options "noopen" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Permitted-Cross-Domain-Policies "none" always;
        add_header X-Robots-Tag "none" always;
        add_header X-XSS-Protection "1; mode=block" always;

        # Optional: Don't log access to assets
        access_log off;
    }

    location ~ \.(?:png|html|ttf|ico|jpg|jpeg|bcmap)$ {
        try_files $uri /index.php$request_uri;
        # Optional: Don't log access to other assets
        access_log off;
    }
}

Nextcloud container:

config\www\nextcloud\config\default

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'xxx',
  'passwordsalt' => 'xxx',
  'secret' => 'xxx',
  'trusted_domains' => 
  array (
    0 => '192.168.121.10:444',
    1 => 'cloud.mydomain.de',
  ),
  'trusted_proxies' => ['letsencrypt'],
  'overwrite.cli.url' => 'https://cloud.mydomain.de',
  'overwritehost' => 'cloud.mydomain.de',
  'overwriteprotocol' => 'https',
  '...
);

I'm also running Emby with the same config files in Letsencrypt and have no issues there.

When trying to load my Nextcloud site I just get 502 Bad Gateway after a while.

3 hours ago, Marv said:
You set the proxy pass to "Nextcloud". It should be "nextcloud" and the container name should also be "nextcloud"

8 hours ago, aptalca said:

You set the proxy pass to "Nextcloud". It should be "nextcloud" and the container name should also be "nextcloud"

But my container is named "Nextcloud" actually. That's why I'm using:

set $upstream_nextcloud Nextcloud;

Isn't this correct then?

9 hours ago, Marv said:

But my container is named "Nextcloud" actually. That's why I'm using:


set $upstream_nextcloud Nextcloud;

Isn't this correct then?

You can't use uppercase for the container name if you want this to work. So change it to all lower case in both places.

We set it up in the template to use lower case so the user doesn't have to do anything special to get it to work.

15 hours ago, saarg said:

You can't use uppercase for the container name if you want this to work. So change it to all lower case in both places.

We set it up in the template to use lower case so the user doesn't have to do anything special to get it to work.

Ok thanks. I'll try this later.

Just out of curiosity: Is it possible to use the default config file under "site-confs" to just handle my Nextcloud subdomain (cloud.mydomain.com) and another config for Emby (emby.mydomain.com) under "proxy-confs"? The reason I'm asking is because I don't really have a use case for my main domain (mydomain.com) or my DNS url and just want the two subdomains to be "visible". So when entering either mydomain.com or my DNS domain I want to get pointed to cloud.mydomain.com for example.

Is this possible?

4 hours ago, Marv said:

Sure, the proxy confs get imported into the default site conf via "include" statements when nginx reads them


Hey everyone, I had to change DNS configurations recently due to port 80 being blocked and I'm having a heck of a time since moving to Cloudflare and trying to use DNS authentication. I have tried many things and am getting 522 errors from Cloudflare and am hoping that you can help me.

I most recently started over with the letsencrypt container, here are my configs:

Log file output:

Variables set:
PUID=99
PGID=100
TZ=America/Chicago
URL=xxx.net
SUBDOMAINS=cloud
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=dns
DNSPLUGIN=cloudflare
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d cloud.xxx.net
E-mail address entered: [email protected]
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
Server ready

My Cloudflare.ini is set okay based on the cert being set up - skipping that.

Proxy config for nextcloud (also the name in my docker settings):
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:8000;
    }
}

Nextcloud and Letsencrypt Docker configs are attached. Unraid web interface runs on another port so I do actually use 443 for Letsencrypt.

My Cloudflare settings are also attached. I'm not sure if my subdomains should be proxied or not and what my SSL setting should be.

Thanks for any help you can offer!

Annotation 2019-11-26 183616.png

cf_list.png

cf_ssl.png

letsencrypt.png
5 hours ago, saarg said:

@Kash76
You do not change the port in the proxy conf when using a custom bridge as letsencrypt and nextcloud are talking internally and don't use the port forwards.

Change it from 8000 back to 443.

Thanks much for the response. I changed it back to this and am still getting 522 errors on network and 523 off network.

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
}
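The two mistakes pointed out in this thread, an upper-case upstream name in `set $upstream_nextcloud` (Marv's conf) and the host-mapped port 8000 used where the container's internal port 443 belongs (Kash76's conf), are both visible in the proxy-conf text, so here is an added Python linter for them. It is not part of SWAG or the thread; the container inventory it checks against is constructed, and `nextcloud_conf` only rebuilds the location block shape shown above with a chosen name and port.

```python
"""Lint a SWAG proxy-conf for the two mistakes discussed in this thread.

Added example, not part of the letsencrypt/SWAG container: it parses the
`set $upstream_<app> <name>;` and `proxy_pass <scheme>://$upstream_<app>:<port>`
lines and checks them against a constructed inventory of the containers that
share the custom bridge. The inventory entries are illustrative assumptions.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SET_RE = re.compile(r"^\s*set\s+\$(upstream_\w+)\s+([^;\s]+)\s*;", re.M)
PASS_RE = re.compile(r"^\s*proxy_pass\s+(https?)://\$(upstream_\w+):(\d+)", re.M)


@dataclass(frozen=True)
class Container:
    name: str             # exact container name (what Docker's DNS at 127.0.0.11 serves)
    internal_port: int    # port the service listens on inside the container
    internal_scheme: str  # "http" or "https" as served inside the container


def lint_proxy_conf(conf: str, inventory: Dict[str, Container]) -> List[str]:
    """Return one finding per problem; an empty list means the conf looks consistent."""
    findings: List[str] = []
    upstreams = {m.group(1): m.group(2) for m in SET_RE.finditer(conf)}
    for scheme, var, port in PASS_RE.findall(conf):
        target = upstreams.get(var)
        if target is None:
            findings.append(f"{var}: proxy_pass references a variable that is never set")
            continue
        if target != target.lower():
            findings.append(
                f"{var}: upstream '{target}' is not all lower case; rename the "
                f"container and this line to '{target.lower()}'"
            )
        container = inventory.get(target)
        if container is None:
            findings.append(
                f"{var}: no container named '{target}' on the bridge, so the "
                f"resolver cannot find it and nginx answers 502"
            )
            continue
        if int(port) != container.internal_port:
            findings.append(
                f"{var}: port {port} is the host mapping, not the container's "
                f"internal port {container.internal_port}; containers on the same "
                f"bridge talk directly and ignore host port forwards"
            )
        if scheme != container.internal_scheme:
            findings.append(
                f"{var}: proxy_pass uses {scheme} but the container serves "
                f"{container.internal_scheme} on port {container.internal_port}"
            )
    return findings


def nextcloud_conf(upstream_name: str, port: int) -> str:
    """Rebuild the location block of nextcloud.subdomain.conf with a given name and port."""
    return f"""
    location / {{
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud {upstream_name};
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:{port};
    }}
"""


# Constructed inventories: Marv's container is named "Nextcloud", Kash76's is
# "nextcloud"; the nextcloud container serves https on 443 internally.
MARV_INVENTORY = {"Nextcloud": Container("Nextcloud", 443, "https")}
KASH_INVENTORY = {"nextcloud": Container("nextcloud", 443, "https")}

if __name__ == "__main__":
    print(lint_proxy_conf(nextcloud_conf("Nextcloud", 443), MARV_INVENTORY))
    print(lint_proxy_conf(nextcloud_conf("nextcloud", 8000), KASH_INVENTORY))
    print(lint_proxy_conf(nextcloud_conf("nextcloud", 443), KASH_INVENTORY))
```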

 


Alright, I feel really dumb, but I cannot get Ubooquity to work, at all. I get the "welcome to our server" page.

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name comics.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ubooquity ubooquity;
        proxy_pass http://$upstream_ubooquity:2202/ubooquity/;
    }

    location /admin {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ubooquity ubooquity;
        proxy_pass http://$upstream_ubooquity:2203/ubooquity/admin/;
    }
}

I have tried without the /ubooquity, etc, and it does not work. I've gotten it to work by using comics.domain.com/ubooquity/ with only the port listed in proxy_pass instead of the URL, but had no CSS and would show me no actual data, so something is wonky... I own the domain, and use a dynamic dns to update my domain name, all my cnames are pointed to domain.com and other things work (organizr, booksonic as mentioned below), just hung up here on ubooquity currently, but if anything with a base URL doesn't work I don't know how functional this is for me, I was happy with redirects but I would prefer to use an https connection if possible.

I had a similar issue with Booksonic, and was able to just turn off the /booksonic/ part of that URL so it loads direct without the base URL, I could not get it to work if I had /booksonic in the proxy_pass line either... I cannot determine how to do that with my Ubooquity server, so if I should ask there instead, just let me know.

Help. Please.

I was alerted via email that my LetsEncrypt cert was expiring soon. I decided to run "certbot renew" from the CLI but received the below error. After much troubleshooting I am unable to determine what could be causing the issue. The logs do not give much info other than what is below. Any thoughts?

root@f74f982f283f:/# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for mydomain.com
Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
Cleaning up challenges
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address?). Skipping.
All renewal attempts failed. The following certs could not be renewed:

  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

5 minutes ago, MrMoosieMan said:
I just answered my own question.  Not sure why but my API key had changed with Cloudflare.  Replaced the key and BAM, it renewed without issue. 

3 hours ago, Kash76 said:

Thanks much for the response.  I changed it back to this and am still getting 522 errors on network and 523 off network.

 


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:443;
    }
}

 

Turn off cloudflare proxy (click on the orange cloud)

1 hour ago, PsiKoTicK said:

Alright, I feel really dumb, but I cannot get Ubooquity to work, at all.  I get the "welcome to our server" page.

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name comics.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ubooquity ubooquity;
        proxy_pass http://$upstream_ubooquity:2202/ubooquity/;
    }

    location /admin {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_ubooquity ubooquity;
        proxy_pass http://$upstream_ubooquity:2203/ubooquity/admin/;
    }
}

 

I have tried without the /ubooquity, etc., and it does not work.  I've gotten it to work by using comics.domain.com/ubooquity/ with only the port listed in proxy_pass instead of the URL, but it had no CSS and would show me no actual data, so something is wonky...  I own the domain and use a dynamic DNS to update my domain name; all my CNAMEs are pointed to domain.com and other things work (Organizr, Booksonic as mentioned below). I'm just hung up here on Ubooquity currently, but if anything with a base URL doesn't work I don't know how functional this is for me. I was happy with redirects but I would prefer to use an https connection if possible.

 

I had a similar issue with Booksonic, and was able to just turn off the /booksonic/ part of that URL so it loads directly without the base URL; I could not get it to work if I had /booksonic in the proxy_pass line either...  I cannot determine how to do that with my Ubooquity server, so if I should ask there instead, just let me know.

 

Help.  Please.

You're mixing and matching elements from the subdomain and subfolder proxy methods. Which are you trying to accomplish?

1 hour ago, MrMoosieMan said:

I just answered my own question.  Not sure why but my API key had changed with Cloudflare.  Replaced the key and BAM, it renewed without issue. 

Glad to hear it is fixed. But keep in mind that we do not support running manual commands like "certbot renew" inside the container unless we ask you to run a specific one. All the necessary info about renewals is in the readme.

37 minutes ago, aptalca said:

Turn off cloudflare proxy (click on the orange cloud)

Thank you! Making progress, did that and am now getting "ERR_SSL_PROTOCOL_ERROR" in Chrome and "SSL_ERROR_RX_RECORD_TOO_LONG" in Firefox. I usually do not have issues like this but am having a hell of a time troubleshooting this.

 

Nothing in my error log, access log has entries like this...

10.x.x.x - - [27/Nov/2019:12:15:12 -0600] "\x16\x03\x01\x01.\x01\x00\x01*\x04\x03H\xC4z\xDE\x0B(\xF8\x9E-\x88\xD0l0\x8EC\xC9\x14\xBD\xC2\xD0\xFEq{\xE8\x07H\x9EX\xFDs\xF6D\x00\x00\x88\xC00\xC0,\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-"

 

On 10/8/2019 at 12:06 PM, dandiodati said:

Anyone else have luck setting up letsencrypt and unms? I have both services running in docker containers. If I send a websocket request (curl --insecure --include --no-buffer --header "Connection: Upgrade" --header "Upgrade: websocket" --header "Host: example.com:80" --header "Origin: http://example.com:80" --header "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" --header "Sec-WebSocket-Version: 13" https://192.168.x.x:443/) then the nginx service within the letsencrypt container just redirects me to its default home page instead of the unms container. If I use a regular https request then I do get redirected to the unms container (the login page). So something is weird with trying to connect as a websocket, which is needed for discovery. I tried the setting above too but no luck.

Still have not been able to get letsencrypt to reverse proxy for unms. MothyTim sent me his configuration in a previous post but it still did not work.

The regular login redirects me fine; just the websocket does not work, therefore unms device discovery etc. don't work correctly.

 

Anyone else have luck with unms?

 

I'm using the nico640/docker-unms docker container which starts fine and works correctly (websockets included) when I connect directly to it.

I attached my letsencrypt nginx/proxy-confs/unms.subdomain.conf configuration. 

I have a custom network bridge set up for the letsencrypt container and unms (also have nextcloud in there, which works correctly).

My DNS is set up correctly at Cloudflare with an A name for the main IP address and CNAMEs for unms and nextcloud pointing to it.

 

Any ideas or help for solving this issue ? Been fighting with it for a long time with no solution.

 

Dan

 

 

unms.subdomain.conf

Edited by dandiodati
5 minutes ago, dandiodati said:

Still have not been able to get letsencrypt to reverse proxy for unms. MothyTim sent me his configuration in a previous post but it still did not work.

The regular login redirects me fine; just the websocket does not work, therefore unms device discovery etc. don't work correctly.

 

Anyone else have luck with unms?

 

I'm using the nico640/docker-unms docker container which starts fine and works correctly (websockets included) when I connect directly to it.

I attached my letsencrypt nginx/proxy-confs/unms.subdomain.conf configuration. 

I have a custom network bridge set up for the letsencrypt container and unms (also have nextcloud in there, which works correctly).

My DNS is set up correctly at Cloudflare with an A name for the main IP address and CNAMEs for unms and nextcloud pointing to it.

Oh, I did notice this error in the letsencrypt log, but it does not seem to cause any issues:

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:

 

Any ideas or help for solving this issue ? Been fighting with it for a long time with no solution.

 

Dan

 

 

unms.subdomain.conf


Wow, some crazy stuff being asked lately.

I’m just wanting to reach out for some much more basic info LOL. I know there are some VERY knowledgeable folks subbed here so...

I am currently using Letsencrypt with DuckDNS through a pfSense appliance to Letsencrypt and to my containers. I am using GoDaddy as domain registrar and Hostgator for hosting.

I am debating switching my entire setup to Cloudflare; port 80/443 is NOT being blocked by my ISP. What are the advantages of Cloudflare, or of using it versus my current setup? Is it a real pain to switch my current entire setup to using Cloudflare over how it’s currently set up? Should I? Should I not switch?

2 hours ago, Kash76 said:

Thank you! Making progress, did that and am now getting "ERR_SSL_PROTOCOL_ERROR" in Chrome and "SSL_ERROR_RX_RECORD_TOO_LONG" in Firefox. I usually do not have issues like this but am having a hell of a time troubleshooting this.

 

Nothing in my error log, access log has entries like this...


10.x.x.x - - [27/Nov/2019:12:15:12 -0600] "\x16\x03\x01\x01.\x01\x00\x01*\x04\x03H\xC4z\xDE\x0B(\xF8\x9E-\x88\xD0l0\x8EC\xC9\x14\xBD\xC2\xD0\xFEq{\xE8\x07H\x9EX\xFDs\xF6D\x00\x00\x88\xC00\xC0,\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-"

 

Well this is embarrassing. I had the http and https ports for LetsEncrypt crossed. Thanks for the support and sorry for the bother!!
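The access-log line quoted above is the tell for the crossed ports: \x16\x03\x01 is the header of a TLS handshake record (a ClientHello), which the browser sent to what turned out to be nginx's plaintext listener, so nginx answered with a plain-HTTP 400 and the browser reported SSL_ERROR_RX_RECORD_TOO_LONG. As an added example (not code from the thread or the SWAG project), this Python script undoes nginx's \xHH request escaping and flags such entries in an access log; the sample lines and the 10.0.0.5 client address are constructed.

```python
import re

# Constructed sample lines modelled on the access-log entry quoted in the
# thread; the TLS bytes are shortened and the client IP is made up.
SAMPLE_LOG = [
    r'10.0.0.5 - - [27/Nov/2019:12:15:12 -0600] "\x16\x03\x01\x01.\x01\x00\x01*\x04\x03H\xC4z" 400 157 "-" "-"',
    r'10.0.0.5 - - [27/Nov/2019:12:15:20 -0600] "GET /index.html HTTP/1.1" 200 612 "-" "curl/7.64.0"',
]

# Combined log format up to the status; $request may carry \xHH escapes.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:\\.|[^"\\])*)" (?P<status>\d{3}) '
)


def unescape_nginx(field: str) -> bytes:
    """Undo nginx's \\xHH escaping of non-printable bytes in $request."""
    out = bytearray()
    i = 0
    while i < len(field):
        if field[i] == "\\" and i + 3 < len(field) and field[i + 1] == "x":
            out.append(int(field[i + 2:i + 4], 16))
            i += 4
        else:
            out.append(ord(field[i]))
            i += 1
    return bytes(out)


def classify_request(raw: bytes) -> str:
    """Tell a TLS ClientHello from an HTTP request line."""
    # TLS record: type 0x16 (handshake), version 0x03xx, 2-byte length;
    # byte 5 is the handshake type, and 0x01 is ClientHello.
    if len(raw) >= 6 and raw[0] == 0x16 and raw[1] == 0x03 and raw[5] == 0x01:
        return "tls-clienthello"
    if re.match(rb"^[A-Z]{3,7} \S+ HTTP/\d\.\d$", raw):
        return "http"
    return "other"


def audit(lines):
    """Return (ip, timestamp, kind, status) for every parseable line."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            kind = classify_request(unescape_nginx(m["req"]))
            findings.append((m["ip"], m["ts"], kind, int(m["status"])))
    return findings
```

Running audit(SAMPLE_LOG) returns a tls-clienthello finding with status 400 for the first line and an http finding for the second; any tls-clienthello hit on the port you expect to serve plain HTTP means the 80/443 forwards are pointing at the wrong container ports.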
