[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



4 hours ago, sse450 said:

@aptalca, thank you for indicating the readme file. I successfully mounted the LE config folder to the onlyoffice docker. However, I still need to present the certs under the filenames onlyoffice requires: onlyoffice.crt, onlyoffice.key. Should I use "ln -s" or create a cron job to copy the LE certs to the filenames required?

 

I would appreciate any advice. Thank you.

Sure, you can create symlinks with those names.

 

But you really should be reverse proxying instead.

8 hours ago, phyzical said:

So what I mean is I want to have a separate pool per nginx server directive, so one pool for website-a and another for website-b. I'm just trying to achieve separation of envs through php-fpm.

 

So if I add a new pool for [website-a], how does it line up with the website-a server directive?

 

Sorry if I'm not being clear enough.

 

thanks!

Edit /config/php/www2.conf

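As an added example of what that looks like end to end (my code, not from the thread and not linuxserver's shipped default.conf): one site-conf with two server blocks, each handed to its own php-fpm pool. It assumes the image's default pool listens on 127.0.0.1:9000 as in the shipped default.conf, that the second pool is added to /config/php/www2.conf with the settings shown in the comment, and that a second unprivileged user can be created in the container. Without that second user the two pools still get separate open_basedir values and worker limits, but not an OS-level boundary, since both then run as the same uid.

```nginx
# /config/nginx/site-confs/sites.conf
# Added example (not from the thread, not linuxserver's default.conf).
# Assumes: the default pool in /config/php/www.conf listens on 127.0.0.1:9000
# (this image's default.conf points there), and /config/php/www2.conf gains a
# second pool along these lines:
#
#   [website-b]
#   user = website-b        ; assumed: a second unprivileged user exists in the container
#   group = website-b
#   listen = 127.0.0.1:9001 ; must differ from the first pool's listen address
#   pm = ondemand
#   pm.max_children = 5
#   php_admin_value[open_basedir] = /config/www/website-b:/tmp
#
# One pool = one set of php-fpm workers, one OS user, one open_basedir. The
# fastcgi_pass address is what ties a server{} to a pool.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name website-a.*;
    include /config/nginx/ssl.conf;

    root /config/www/website-a;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;               # never hand a non-existent script to php-fpm
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;       # pool [www] from /config/php/www.conf
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name website-b.*;
    include /config/nginx/ssl.conf;

    root /config/www/website-b;
    index index.php index.html;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9001;       # pool [website-b] from /config/php/www2.conf
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After editing, restart the container and check /config/log/php/error.log for the second pool starting; if both pools declare the same listen address, php-fpm refuses to start and the site goes down with a 502.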
1 hour ago, aptalca said:

Sure, you can create symlinks with those names.

 

But you really should be reverse proxying instead.

@aptalca Thank you for the hint. But the second sentence in your reply is important, and it is not very clear to me.

 

I do reverse proxy using LE docker. But, I think that onlyoffice still needs the certs in its /Data/certs directory. Am I wrong?

 

How does just reverse proxying solve that issue without certs in the OO docker?

 

 


Hi All,

This may be a “duh” question, but I am trying to learn and not hose this box’s dialed in setup in the process. So, my question is, should I just change the ip addy/subnet for the LetsEncrypt (LE) container?

 

Background:

br0: 192.168.69.0/24

eth2: 192.168.169.0/24

I originally installed LE using the bonded (br0) interface which is working perfectly. I have since added a small 10Gb second subnet (eth2) which includes my servers and one desktop. When I have the desktop on the original br0 subnet, I can access anything behind the LE proxy as expected. When I switch the desktop over to the new eth2 subnet I can do everything BUT access anything behind the LE proxy.

 

Therefore, it seems to me that by simply changing the LE proxy's subnet to that of the eth2 interface, I should be able to utilize my 10Gb interface on the desktop for everything, including those services behind the LE proxy. However, if I am overlooking a better way of doing this, I am open to suggestions and the 'why' so I understand for future needs and have the ability to pay it forward. As a sample, here is info from the Nextcloud config.php file and the Docker network:

 

Config.php snippet:

'trusted_domains' =>

  array (

    0 => '192.168.69.xxx:aaa',

    1 => 'daxxxxx.aaaaaa.bbbbbbbfe',

  ),

  'dbtype' => 'mysql',

  'version' => '17.0.2.1',

  'overwrite.cli.url' => 'https://da daxxxxx.aaaaaa.bbbbbbbfe',

  'overwritehost' => 'da daxxxxx.aaaaaa.bbbbbbbfe',

  'overwriteprotocol' => 'https',

  'dbname' => 'dbname',

  'dbhost' => '192.168.69.xxx:aaaa',

  'dbport' => '',

  'dbtableprefix' => 'oc_',

  'mysql.utf8mb4' => true,

 

Docker:

[screenshot: Docker networks]

 

 

Thanks!!!

 

2 hours ago, sse450 said:

@aptalca Thank you for the hint. But the second sentence in your reply is important, and it is not very clear to me.

 

I do reverse proxy using LE docker. But, I think that onlyoffice still needs the certs in its /Data/certs directory. Am I wrong?

 

How does just reverse proxying solve that issue without certs in the OO docker?

 

 

When your cert is working in the LE docker you don't need another cert in onlyoffice "underneath"; SSL is then handled by nginx from letsencrypt.

3 hours ago, sse450 said:

@aptalca Thank you for the hint. But the second sentence in your reply is important, and it is not very clear to me.

 

I do reverse proxy using LE docker. But, I think that onlyoffice still needs the certs in its /Data/certs directory. Am I wrong?

 

How does just reverse proxying solve that issue without certs in the OO docker?

 

 

I haven't used onlyoffice. We use collabora with nextcloud, reverse proxied through letsencrypt container.

 

Here's a post about it: https://helpcenter.onlyoffice.com/server/document/document-server-proxy.aspx

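To make the reverse-proxy point concrete, here is an added example of a SWAG proxy-conf for the document server (my example, not from the thread and not linuxserver's own template). It assumes the document server runs in a container named onlyoffice on the same custom docker network as SWAG, that it still serves plain HTTP on port 80 inside the container (its behaviour when nothing is placed in /Data/certs), and that the subdomain is onlyoffice.yourdomain; all three are assumptions to adjust. TLS then terminates in SWAG, the certificate and key live only in /config/keys/letsencrypt, and nothing needs to be copied or symlinked into the OnlyOffice container, so there is also no second private key to protect and no second renewal to keep in step.

```nginx
# /config/nginx/proxy-confs/onlyoffice.subdomain.conf
# Added example (not from the thread, not linuxserver's template).
# Assumes: a container named "onlyoffice" on the same custom docker network,
# serving plain HTTP on port 80 inside the container (nothing in /Data/certs).
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name onlyoffice.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 100M;   # document uploads and conversions; tune to taste

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_onlyoffice onlyoffice;
        proxy_pass http://$upstream_onlyoffice:80;

        # The document server builds the absolute URLs for the editor and its
        # websocket from these two headers (this is what the OnlyOffice proxy
        # guide linked above relies on). Without them it hands out http:// links
        # that the browser blocks as mixed content on an https page.
        # Check /config/nginx/proxy.conf first: if it already sets them (recent
        # versions of this image do), leave these two lines out rather than
        # sending each header twice.
        proxy_set_header X-Forwarded-Host  $host;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Nextcloud's OnlyOffice connector is then pointed at https://onlyoffice.yourdomain, the same address a browser uses, and the document server never has to present a certificate of its own.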

Hi all,

So I have this working but really want to get CloudFlare to work with Proxies.

I have it working without the Proxies, just as DNS and its working fine.

 

I have it set like so:

[screenshot: Cloudflare DNS records]

So A record to my WAN IP, then CNAME subdomains for each thing I want.

 

I also have LetsEncrypt set as DNS verification challenge and its working using wildcard.

I have ports forwarded from my router for 1443 and 180 and all good there too.

 

BUT my question is!

1) Can I remove said ports as it's doing DNS verification, or just the 180 (80) one?

2) Is there a way I can get the Proxy status to work, as every time I set it as Proxy I cannot access anything remotely?

 

Thanks

6 hours ago, SavellM said:

So I have this working but really want to get CloudFlare to work with Proxies. […]

If you're doing dns validation, you don't need port 80 mapping.

 

Can't help you with cloudflare proxy. I don't use it.


Hi question,

 

Tried to find this online but could not find it.

I have two instances of a few dockers running ("radarr and radarr4k" "bazarr and bazarr4k").
 

Now I have successfully set up the dockers not intended for 4K with let's encrypt and all is working; now I want to do the same for the 4K intended dockers.

 

I have done the following changes in the conf already:

 

# make sure that your dns has a cname set for bazarr and that your bazarr container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name bazarr4k.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_bazarr bazarr4k;
        proxy_pass http://$upstream_bazarr:6868;
    }
}

- I changed the server_name to the correct subdomain for which i obtained a certificate.

- Changed the proxy_pass to http://$upstream_bazarr:6868; (as how i have the port setup in unraid)

 

Now I just changed the name of the config to bazarr4k.subdomain.conf since bazarr was already in use. I did not expect this to work, and got a 502 bad gateway.

 

Does anybody run the same or does anybody have an idea on how to do this correctly?

Much appreciated,

 

Bleak

40 minutes ago, Bleak said:

Hi question, […]

- Changed the proxy_pass to http://$upstream_bazarr:6868; (as how I have the port set up in unraid)

Now I just changed the name of the config to bazarr4k.subdomain.conf since bazarr was already in use. I did not expect this to work, and got a 502 bad gateway. […]

Don't change the port

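Spelling out the reply above: the port in proxy_pass is the port bazarr listens on inside its container, not the host port you mapped in the unraid template. nginx resolves bazarr4k to its container IP through docker's DNS and connects straight to it, so 6868 goes to a port on which nothing listens and you get a 502. Here is the conf with only the lines that actually change, as an added example (mine, not from the thread); it assumes the linuxserver bazarr image, whose internal port is 6767, and that both containers sit on the same custom docker network (docker's 127.0.0.11 resolver does not serve container names on the default bridge).

```nginx
# /config/nginx/proxy-confs/bazarr4k.subdomain.conf
# Added example (not from the thread). Versus the stock bazarr template only
# server_name and the upstream container name change. The port stays 6767:
# it is what bazarr listens on INSIDE its container, and nginx talks
# container-to-container, so the host-side "6868" mapping never comes into play.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name bazarr4k.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        # Keep these on unless bazarr itself enforces a login; the second
        # instance is just as reachable from the internet as the first.
        # Create the file with: htpasswd -c /config/nginx/.htpasswd <user>
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        # Container name, resolved at request time; must be on the same
        # custom docker network as this container.
        set $upstream_bazarr4k bazarr4k;
        proxy_pass http://$upstream_bazarr4k:6767;
    }
}
```

A quick check before restarting: from inside the SWAG container, `nc -zv bazarr4k 6767` should connect and `nc -zv bazarr4k 6868` should be refused; if the name itself does not resolve, the two containers are not on a shared custom network and no conf will fix it.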

Would it be possible to run multiple instances of the letsencrypt container? All instances would have to have the same port mapping (i presume). Would this be possible by defining custom docker networks for each instance of letsencrypt and would http validation still work?

 

Thank you for the help!


OK, so I can access my calibre docker through the reverse proxy.

 

What I would like to be able to do is to also access the OPDS server that is built in so I can download books on the road. Typically the address would be IPaddress:8080/opds; but right now I only have ports 80 and 443 forwarded (and the webgui works fine there).

 

 

22 hours ago, Seige said:

Would it be possible to run multiple instances of the letsencrypt container? […]

Hi, not sure why you would want multiple instances of let's encrypt. If you need to add extra domains, just add an extra variable with the name "Extra domains". As the value use EXTRA_DOMAINS, and then in the key you can add the extra domains. Note this has to be the full version you want, so example.domain.com and not domain.com; if you need even more, add them with a comma like this: example.domain.com,example2.domain.com,example3.domain.com etc.

 

So in my case I want to be able to reach my plex from 3 different domains: I add one the normal way as top domain with the subdomains, and the other two in the extra domains.

[screenshot: letsencrypt container template with the extra domains variable]

 

  Hope this helps!


How can I fix this lua error?

 

 

nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:
no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')

 

How can I fix this lua error? […]

 



What it means has been talked about in length previously in this thread.

TLDR; ignore it
7 minutes ago, blaine07 said:

 


What it means has been talked about in length previously in this thread.

TLDR; ignore it

Thanks, and this part?

nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "ocsp.int-x3.letsencrypt.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"


So, i guess it's the usual problem:
 

root@cc3c920d7a5b:/# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/nextcloud.somedomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for nextcloud.somedomain.com
http-01 challenge for oo.somedomain.com
Cleaning up challenges
Attempting to renew cert (nextcloud.somedomain.com) from /etc/letsencrypt/renewal/nextcloud.somedomain.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/nextcloud.somedomain.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/nextcloud.somedomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)

Of course ports 80 and 443 are forwarded correctly to the container.

 

Deleting the certificates and key and trying to get new ones leads it to generate them, download them and then give the same error (and of course, the new ones don't work):
 

Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/nextcloud.somedomain.com-0002/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/nextcloud.somedomain.com-0002/privkey.pem
Your cert will expire on 2020-04-30. To obtain a new or tweaked
version of this certificate in the future, simply run certbot

again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

Any hint?

Thanks.
 

2 hours ago, dhstsw said:

So, I guess it's the usual problem: […]

Attempting to renew cert (nextcloud.somedomain.com) from /etc/letsencrypt/renewal/nextcloud.somedomain.com.conf produced an unexpected error: Problem binding to port 80: Could not bind to IPv4 or IPv6.. Skipping.

[…] Deleting the certificates and key and trying to get new ones […] Any hint?
Don't manually run commands inside the container and don't manually delete key files unless we ask you to. We don't provide support for that.

3 hours ago, aptalca said:

Don't manually run commands inside the container and don't manually delete key files unless we ask you to. We don't provide support for that.

I did that after having the container not updating the keys (received an email from letsencrypt stating certs are expiring in 20 days).

Anyway, I keep a backup of all the appdata folder; keys and certs are the way they used to be.
Nevertheless, it's not updating.

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
usermod: no changes

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Athens
URL=somedomain.com
SUBDOMAINS=nextcloud,oo
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d nextcloud.somedomain.com -d oo.somedomain.com
E-mail address entered: [email protected]
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

Server ready

 

1 hour ago, dhstsw said:

I did that after having the container not updating the keys (received an email from letsencrypt stating certs are expiring in 20 days). […]
 

If you turn off your server at night the certs will not renew. The cron job runs at 2 in the night.

 

Have you checked in the browser that the current cert is expiring?


I am trying to expose my Octoprint page, but am having trouble finding a configuration that will work.  

 

Here's the examples that Octoprint provides: https://community.octoprint.org/t/reverse-proxy-configuration-examples/1107

 

Here's my current config:

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name print.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.2.13:80;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme $scheme;

    }

}

I took out a few lines that were causing the docker container to throw errors.  I'm currently getting a 500 error.  If I copy a config from another container and change the IP/port/subdomain, I do actually get to see the login page, but it says it's offline and asks me to reconnect.

 

Has anyone successfully configured Octoprint in this container? If so, would you be able to share the config?


Having an issue uploading large files to nextcloud only using letsencrypt reverse proxy, works fine without letsencrypt.  Even just a 2.3 GB file: the file completes uploading on the client, and I see that it's processing and copying the file into the final location on nextcloud/<user>/files/<path>.  However, this only lasts for around 1 minute then stops writing the file, and tells the client that it timed out.  Watching the file get written, it's in the range of 800~1200 MB.

 

If I turn reverse proxy off and revert those settings, it works fine and the "processing" of copying into the final location runs for longer than that minute.  All the guides I've seen about configuring letsencrypt are removing client_max_body_size, but that was already removed back on 01/21/2019.  I'm on the latest nextcloud docker and letsencrypt docker.  

 

There were some timeout settings in letsencrypt/nginx/proxy.conf: send_timeout, proxy_*_timeout, increasing those significantly and restarting yielded the same result.  Same with modifying proxy_max_temp_file_size  in letsencrypt/nginx/proxy-confs/nextcloud.*.conf

 

I'm not really seeing anything in letsencrypt/nextcloud's log/[nginx,php]/*.log either.  Is there a loglevel I should be changing?

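There is no confirmed fix for this in the thread, so the following is an added example (mine, not linuxserver's template) that lays out the nginx-side settings a multi-gigabyte upload through SWAG depends on, each with the default nginx applies when it is not set, so the one-minute cut-off can be matched against them. It assumes the stock nextcloud subdomain template otherwise: an upstream container named nextcloud serving https on 443, on the same custom docker network.

```nginx
# /config/nginx/proxy-confs/nextcloud.subdomain.conf
# Added example (not from the thread, not linuxserver's template).
# Assumes: upstream container "nextcloud" on https/443, same custom docker network.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name nextcloud.*;

    include /config/nginx/ssl.conf;

    # Default 1m; 0 removes the limit (the stock template already does this).
    client_max_body_size 0;

    # Default on: nginx spools the whole request body to a temp file on disk
    # before it opens the upstream connection, so a big upload is written twice
    # and Nextcloud sees nothing until the client has finished sending.
    # Off streams the body straight through.
    proxy_request_buffering off;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;   # buffers the RESPONSE, unrelated to upload size
        proxy_pass https://$upstream_nextcloud:443;

        # Timeouts: proxy_read_timeout (default 60s) is the longest gap nginx
        # tolerates between two reads from the upstream, proxy_send_timeout
        # (60s) between two writes to it, send_timeout (60s) between two writes
        # to the client. Nextcloud assembles a chunked upload after the last
        # chunk and sends nothing back while it does, which is exactly the
        # pattern a 60s read timeout kills.
        # Do NOT add them in this block: proxy.conf, included above at this same
        # level, already sets them, and nginx refuses to start on a repeated
        # directive in one block ("directive is duplicate"). A copy at server{}
        # level would be silently shadowed by the location-level value coming
        # from proxy.conf. Raise them in /config/nginx/proxy.conf instead.
    }
}
```

To see which layer is cutting the transfer, find the final request of the upload in /config/log/nginx/access.log (for a chunked upload it is the MOVE that triggers the assembly): a 504 means nginx's proxy_read_timeout expired waiting for Nextcloud, a 499 means the client closed the connection first (its own timeout), and a 2xx means the proxy was not the one that gave up, in which case the next place to look is the Nextcloud container's own nginx and php-fpm timeouts rather than SWAG.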
