[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



4 hours ago, jonathanm said:

Different ISP?

Or pay for a dns server that does URL forwarding.

 

4 hours ago, aptalca said:

Or you can ask your ISP to stop blocking port 443. It worked for some people.

 

I live in Brazil and here, as far as I know, all major ISPs do this...

Ports 80 and 443 can be opened only on business plans...

 

I guess it's going to be like this.

 

@aptalca thank you very much for providing the solution to my problem!


Guys, I'm at a complete loss here. On my Unraid server I've got a working Nextcloud container plus a working letsencrypt container (for ports see screenshot). Nextcloud can be reached if I use the internal IP, and over the subdomain bodenwiesli.duckdns.org I can reach the nginx server, which tells me that the subdomain works and the port forwarding of the router is also active. But no matter what guide I follow (this one, this one or this one) it never works. I would really appreciate it if someone could tell me how I need to configure the containers to get this working.

 

By the way, for testing purposes I forwarded incoming requests on port 80 to the Nextcloud container and was able to log in to my Nextcloud account, so I'm 100% positive that both the subdomain and the Nextcloud container actually work. But I'm not OK with unencrypted traffic.

Containers.jpg

Edited by oeci
17 hours ago, kbbeer said:

Going down a rabbit hole this morning, curious if a solution exists to this problem. I've been using this container to allow access to one subdomain externally. I noticed today that if I go to my public IP (when remote) Chrome prompts with a privacy error and gives the reason that this IP and the subdomain certs which I set up are different. Is it possible to configure it so that my IP doesn't respond and you need to hit the subdomain for a response? Or is it best to create a cert for the main page to camouflage the subdomain?

You can set the main server block (the one that's defined as default) to serve a 404 or not even respond. So only the match for the subdomain will be displayed; any other request will go to the default block and get denied.

Edited by aptalca
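The default-block denial described in the reply above, written out as an added example (not the image's own site-conf; the linuxserver image already ships a default server block in /config/nginx/site-confs/default, which you would edit rather than duplicate; app.example.com, the container name and the port are placeholders):

```nginx
# Added example: shape of the default server block in /config/nginx/site-confs/default.
# Any request whose Host/SNI matches no other server block lands here: the bare
# public IP, unknown subdomains, scanners.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    server_name _;

    include /config/nginx/ssl.conf;

    # 444 is nginx-specific: close the connection without sending a response.
    # Use "return 404;" instead if you would rather answer with an error page.
    # Caveat: the TLS handshake completes before nginx sees the Host header, so a
    # browser opening https://<public-ip> still receives this block's certificate
    # and still shows the name-mismatch warning; 444 only withholds the response.
    return 444;
}

# Only the explicitly named subdomain is proxied; nothing else reaches the app.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name app.example.com;   # placeholder, use your real subdomain

    include /config/nginx/ssl.conf;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app app;       # assumed container name
        set $upstream_port 8080;     # assumed port the app listens on inside the container
        proxy_pass http://$upstream_app:$upstream_port;
    }
}
```

Restart the container after editing and confirm with `nginx -t` inside it that the two listen directives do not both claim default_server.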
1 hour ago, oeci said:


You're not using our nextcloud image


Oops, I changed to yours and indeed the reverse proxy seems to work. But now I cannot set up Nextcloud: when I try to do so I can start the process (enter an admin account, choose database, set credentials for database) but it always terminates with a 504 Gateway Time-Out message after a few minutes.

On 3/16/2020 at 1:08 PM, saarg said:

Not correct. You need to let the container run and it will renew it before it expires.

It attempts to renew every night at about 2.

When is your cert expiring?

Thank you - it's not due to expire for a while - I just wasn't sure of the renewal process. Thank you!!


Hello,

I'm trying to configure a reverse proxy on my VPS.
For now, I have my docker services (portainer, whoami, grafana, prometheus, ....) available through XXX.mydomain.duckdns.org (with basic auth for each service).

Pretty happy with it... but I have two minor problems:

  • Fail to use Deluge with reverse proxy: I get a '502 bad gateway'.
    I enabled the proxy-conf as for the other services, without success.
    Tried with/without basic auth.
     
  • Is there a way to 'share' the auth, so I don't need to log in for each service? (looking for a simple solution)

Thanks for your help
Mickaël

1 hour ago, mika91 said:


502 means letsencrypt cannot reach Deluge.

 

You likely have Deluge in host networking, so change the address to point to the Unraid IP and the port to the mapped port in your proxy conf.

3 hours ago, Joker169 said:

I set up almost a mirror of the SpaceInvader vid.

So.... just add error.conf and profit?!?

"almost mirror" != "the same"

 

If you post exactly what you did, we can try and help. But if you say "I followed x video or guide for the most part", then we don't have a crystal ball.

1 hour ago, aptalca said:


I have to correct you there. We do have a crystal ball, but it's still in the repair shop waiting for the not in stock part.

12 hours ago, aptalca said:


Well, the "almost" is the fact that I USED MY OWN DNS and config; I'm sorry if this annoyed you. Other than that, exactly what was in the video. Thanks for reading.... I got it working. Guess I'll use a more "newb" solution in the future.

 


I'm looking for advice on how to set up a subdomain.conf for a custom docker.

I'm trying to emulate what's described here: https://pgsnake.blogspot.com/2019/07/reverse-proxying-to-pgadmin.html

 

I've also tried to use some of the other provided templates to build from. Here's what I have:

# filename: pgsql.subdomain.conf
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name pgsql.*;

    include /config/nginx/ssl.conf;
    proxy_redirect off;
    proxy_buffering off;
    client_max_body_size 0;

    location / {

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        # custom docker's name: pgadmin4
        set $upstream_pgadmin4 pgadmin4;
        proxy_pass http://$upstream_pgadmin4:5050;
    }
}

In the custom docker the network type is set to custom and pointed at my proxy network. The letsencrypt docker has pgsql as a subdomain to look out for.

When I restart the letsencrypt docker and visit the subdomain (pgsql.mydomain.com) I get an nginx 502 bad gateway. Have I forgotten something in my configuration? The only thing I can see from other templates is that I'm not including any "proxy_set_header" lines, but I'm not really sure what those are and if they are needed. Thanks in advance!
 

3 hours ago, njdowdy said:


Doesn't pgadmin listen on port 80?

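The two upstream-addressing cases behind the 502 answers above (Deluge in host networking: Unraid IP plus mapped port; pgadmin4 on the proxy network: container name plus the port it listens on inside the container, 80 per the reply), as an added example that is not the project's own proxy conf. 192.168.1.10 and 8112 are assumed values; the proxy.conf contents described in the comments are those of the linuxserver image.

```nginx
# Added example: deluge.subdomain.conf shape showing both upstream addressing modes.
# nginx runs inside the proxy container, so "reachable from the Unraid host"
# is not the same as "reachable from nginx"; a mismatch here is a 502.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name deluge.*;

    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        # proxy.conf in the image supplies the usual proxy_set_header lines
        # (Host, X-Real-IP, X-Forwarded-For, ...), so they need not be repeated here.
        include /config/nginx/proxy.conf;
        # Docker's embedded DNS; it only resolves containers that share a
        # user-defined network with the proxy container.
        resolver 127.0.0.11 valid=30s;

        # Case A: the app container is on the proxy's custom network.
        # Use the container name (lowercase) and the port the app listens on
        # INSIDE the container, not the host-mapped port. For pgadmin4 that is 80.
        #set $upstream_app pgadmin4;
        #set $upstream_port 80;

        # Case B: the app runs in host networking (or is not on the proxy's network).
        # Docker DNS cannot resolve its name, so use the Unraid host IP and the
        # port mapped/exposed on the host. Assumed values below.
        set $upstream_app 192.168.1.10;
        set $upstream_port 8112;

        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

If the 502 persists, the nginx error log inside the container (/config/log/nginx/error.log) states whether the failure was a name-resolution error or a refused connection, which tells you which case applies.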

Hi! I've been trying for days now to get this going and I've followed every guide I could find. I want to be able to access my Nextcloud from outside my network. First I tried the "regular" way with http and duckdns but no luck. After that I followed Spaceinvader One's new guide using a wildcard SSL cert with my own domain name. I'm not very good at this but I've followed a lot of guides from Spaceinvader One and this is the first one that I just can't get working. I'll post the log file from letsencrypt. I'm really stuck and I think I've tried everything.

 

 

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
generating self-signed keys in /config/keys, you can replace these with your own keys if required
Generating a RSA private key
........+++++
....................+++++
writing new private key to '/config/keys/cert.key'
-----
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=reverseproxy.nu
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=dns
DNSPLUGIN=cloudflare
[email protected]
STAGING=

Created donoteditthisfile.conf
Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
usermod: no changes

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=reverseproxy.nu
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=dns
DNSPLUGIN=cloudflare
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of reverseproxy.nu will be requested
E-mail address entered: [email protected]
dns validation via cloudflare plugin is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for reverseproxy.nu
Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Waiting for verification...
Challenge failed for domain reverseproxy.nu
dns-01 challenge for reverseproxy.nu
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: reverseproxy.nu
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for
_acme-challenge.reverseproxy.nu - the domain's nameservers may be
malfunctioning
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
 

 

AND the above error is a mystery as I have edited it with the API key and email address as the guide states.

 

Please I need help.

1 hour ago, oskarax said:


A couple of others on discord mentioned a cloudflare outage that resulted in the same outcome as above. No errors setting txt records, but they can't be verified.


Today something weird happened to letsencrypt.
I had a clean installation of Unraid, with just Plex, Nextcloud, Mariadb, duckdns and letsencrypt on docker. Everything worked perfectly until this afternoon, when things just stopped working. Nextcloud and Plex kept working when trying to access them locally, but would time out whenever trying to use the reverse proxy. So, since I'm far from being an expert user, and one time I already broke my docker containers by messing too much, I deleted my docker image and all my folders in appdata relating to docker containers, and just installed Plex and letsencrypt, to see if the problem went away. But it still doesn't work - tried to change domain, issue new certificates - no luck.

Then I started thinking. For the sake of explaining I'll call my Plex domain plex.duckdns.org. I issued one certificate for this subdomain, but never actually used it. Yet, for the sake of testing, I tried to access my machine remotely by typing plex.duckdns.org:32400, which is the port used by Plex for its web GUI, and it worked. I could access Plex remotely just fine. Then I went and created a conf file in letsencrypt, which I'm posting:
 

# make sure that your dns has a cname set for plex
# if plex is running in bridge mode and the container is named "plex", the below config should work as is
# if not, replace the line "set $upstream_app plex;" with "set $upstream_app <containername>;"
# or "set $upstream_app <HOSTIP>;" for host mode, HOSTIP being the IP address of plex
# in plex server settings, under network, fill in "Custom server access URLs" with your domain (ie. "https://plex.yourdomain.url:443")

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name plex.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    proxy_redirect off;
    proxy_buffering off;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;
    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app PlexMediaServer;
        set $upstream_port 32400;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
        proxy_set_header X-Plex-Device $http_x_plex_device;
        proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
        proxy_set_header X-Plex-Platform $http_x_plex_platform;
        proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
        proxy_set_header X-Plex-Product $http_x_plex_product;
        proxy_set_header X-Plex-Token $http_x_plex_token;
        proxy_set_header X-Plex-Version $http_x_plex_version;
        proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
        proxy_set_header X-Plex-Provides $http_x_plex_provides;
        proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
        proxy_set_header X-Plex-Model $http_x_plex_model;
    }
}

Changed the name from plex to the docker container name, so PlexMediaServer, and obviously changed plex.* to the actual subdomain. And it worked! I shared the link with my friend, so that he could access my Plex web GUI remotely.
Everything was fine, but tonight everything is "time out" and I can't wrap my head around this.

The port forwarding is working fine. The certs are issued without issues, the letsencrypt log looks normal, and the server is up ("Server ready" as the end message of the log). Before tonight, when trying to access one of the domains for which I issued a certificate I would get a simple white HTML page saying "Welcome to our server. The website is currently being setup under this address. For help and support, please contact: [email protected]", but now, no matter the certs I issued, everything just times out.

Letsencrypt is in a custom "proxynet" network (yes, I too followed, or rather bought Unraid thanks to, the spaceinvaderone tutorials) and the command is the same as when the reverse proxy worked. Since the port forwarding is fine and the Plex container itself is fine, the problem is either duckdns or letsencrypt, tertium non datur.

What can I do to see what the problem is? I tried minimal troubleshooting, but I'm not an expert user, and I'm already disheartened at how this could even happen without touching the NAS or any settings.

Please, help me.

Edited by anongum
5 minutes ago, anongum said:


A few things are wrong here.

 

Using uppercase letters in a container name will prevent nginx from properly resolving it. You'll get a 502.

 

If you're trying to access https://url:32400, you're not going through the reverse proxy, as letsencrypt is accessed at port 443, not 32400. You are giving direct access to Plex via that port.

 

Start over and follow our guides: https://blog.linuxserver.io/2019/04/25/letsencrypt-nginx-starter-guide/

And for troubleshooting: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

