[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



44 minutes ago, CiaoCiao said:

Hello everyone,

 

I am setting up Letsencrypt following SpaceInvaderOne's video tutorial.

 

I am having a hard time getting the validation process to pass successfully.

 

I own a domain name and my IP is static, so I did not enter "duckdns.org" in the container settings since this would be useless. I entered my custom domain name instead.

Also, I have already created two subdomains which are pointing at my public static IP.

 

The HTTP and HTTPS ports I entered in the container template before installing are forwarded to my Unraid server's local static IP.

 

I should probably also mention I think it is weird that the Letsencrypt container is displayed in the Dashboard tab but not in the Docker tab...

 

Could you please give me a hint as to what to check or change to get this to work?

 

Thank you in advance.

 

Here are the logs:

 

Follow this: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

2 minutes ago, aptalca said:

Well, I couldn't get NAT reflection to work on pfSense even without double NAT, so maybe that's some consolation for you. I am also using split DNS. With that, we have no choice but to run letsencrypt on at least port 443. You'll have to change Unraid's https port to something else. I kept Unraid on port 80 for http, so when I hit my addresses inside my LAN, I use the https endpoint and all is well.

That's what I was thinking about doing, but I can't figure out a way to have letsencrypt pass through a valid cert to Unraid and point it at that IP, much less doing that while restricting access to that device to only the local network. Similar to the pfSense example in my second question.

3 minutes ago, Revrto said:

That's what I was thinking about doing, but I can't figure out a way to have letsencrypt pass through a valid cert to Unraid and point it at that IP, much less doing that while restricting access to that device to only the local network. Similar to the pfSense example in my second question.

You don't need to provide certs to anything else. You can reverse proxy. You'll also still be able to access Unraid on port 80 with http via its IP. If you want remote access, reverse proxy it. You can use allow/deny statements to control access. There is a post here on one of the last couple of pages about that.

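The LAN-only reverse proxy aptalca is describing, as an added example that is not part of the original post or of the linuxserver image: the nginx location block is embedded as a string, and the Python around it applies the access module's first-match rule to a few constructed client addresses so the allow/deny order can be checked before the conf goes live. The 192.168.0.0/24 subnet, the 192.168.0.16:444 upstream and the .htpasswd path are assumptions.

```python
import ipaddress
import re

# Added example (not from the original post or the linuxserver project).
# A LAN-only location block of the kind aptalca describes: allow/deny limits
# the proxied Unraid webui to the LAN, and auth_basic adds a password on top.
# The subnet, upstream address/port and htpasswd path are assumptions.
LOCATION_CONF = """
location / {
    # ngx_http_access_module checks allow/deny in order; the first match wins
    allow 192.168.0.0/24;      # assumed LAN subnet
    allow 127.0.0.1;
    deny all;

    # satisfy all (the default): the client must pass the ACL *and* the password
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;   # assumed path

    include /config/nginx/proxy.conf;
    proxy_pass https://192.168.0.16:444;            # assumed Unraid webui address
}
"""

RULE_RE = re.compile(r"^\s*(allow|deny)\s+(\S+?)\s*;")


def parse_access_rules(conf):
    """Return the allow/deny directives of a config fragment, in file order."""
    rules = []
    for line in conf.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules


def access_decision(rules, client_ip):
    """Apply nginx access-module semantics: the first matching rule decides,
    and a client that matches no rule at all is allowed."""
    ip = ipaddress.ip_address(client_ip)
    for verb, target in rules:
        if target == "all":
            return verb
        net = ipaddress.ip_network(target, strict=False)
        if ip.version == net.version and ip in net:
            return verb
    return "allow"


def check_policy(conf, samples):
    """Evaluate a config fragment against sample client addresses."""
    rules = parse_access_rules(conf)
    return {addr: access_decision(rules, addr) for addr in samples}


if __name__ == "__main__":
    # Constructed sample clients: a LAN host, the proxy itself and a WAN address.
    verdicts = check_policy(LOCATION_CONF, ["192.168.0.42", "127.0.0.1", "203.0.113.7"])
    for addr, verdict in verdicts.items():
        print(f"{addr:>15} -> {verdict}")
    # Order matters: with "deny all" first, nobody gets through.
    reversed_rules = [("deny", "all"), ("allow", "192.168.0.0/24")]
    print("deny-first rules, LAN client ->", access_decision(reversed_rules, "192.168.0.42"))
```

The allow rule only does its job when LAN clients actually reach the proxy with their LAN source address, which split DNS gives you; if a hairpin NAT rewrites the source, internal requests arrive with the router's address instead and the rule no longer matches them. Check the client address in the nginx access log before relying on it.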
23 minutes ago, aptalca said:

You don't need to provide certs to anything else. You can reverse proxy. You'll also still be able to access Unraid on port 80 with http via its IP. If you want remote access, reverse proxy it. You can use allow/deny statements to control access. There is a post here on one of the last couple of pages about that.

I think that makes sense if I switch to DNS verification and use a wildcard for the certs (I have not migrated that yet). I saw the post about proxy_pass and that seems like it might work if I pair that with danioj's method of restricting to local. You mentioned to him about using http auth as well for good measure. I am not familiar with it; I assume that is different than using 2FA with an authenticator, correct? Could you point me to a link on implementing it in this scenario?

 

Thanks btw for all your help.


Hi everybody :)

 

I'm struggling with my reverse proxy setup.

I followed the spaceinvader's tutorial, using DNS verification (with an OVH domain name).

The logs seem to be ok, server running. Ports opened.

But I'm getting this when I try to reach radarr.mydomain.com (or any subdomain I configured)

 

[screenshot of the error page]

 

Any hint how to debug all this ?

Edited by guilhem31
More info

I installed LSIO's code-server container and set up a reverse proxy using the LSIO LetsEncrypt container.

 

My issue is: on Firefox, once I go to code.mydomain.com and log in with the password I set in the code-server container, I just get a blank page. However, the same site works perfectly fine on Chrome and Edge.

 

I know I'm being kinda vague. But any ideas as to why this might be or what I should start checking for?

3 hours ago, rragu said:

I installed LSIO's code-server container and set up a reverse proxy using the LSIO LetsEncrypt container.

 

My issue is: on Firefox, once I go to code.mydomain.com and log in with the password I set in the code-server container, I just get a blank page. However, the same site works perfectly fine on Chrome and Edge.

 

I know I'm being kinda vague. But any ideas as to why this might be or what I should start checking for?

Blank page is usually an add-on blocking something.

9 hours ago, guilhem31 said:

Hi everybody :)

 

I'm struggling with my reverse proxy setup.

I followed the spaceinvader's tutorial, using DNS verification (with an OVH domain name).

The logs seem to be ok, server running. Ports opened.

But I'm getting this when I try to reach radarr.mydomain.com (or any subdomain I configured)

 

[screenshot of the error page]

 

Any hint how to debug all this ?

I saw that accessing this address via Wi-Fi gets me this error page, while accessing via the LTE network shows me a 500 Internal Server Error

So I looked into the Nginx error logs:

2020/05/07 08:55:09 [error] 415#415: *66 connect() failed (111: Connection refused) while connecting to upstream, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", subrequest: "/auth", upstream: "http://45.13.xxx.xxx:7878/auth", host: "radarr.nasdoury.ovh"
2020/05/07 08:55:09 [error] 415#415: *66 auth request unexpected status: 502 while sending to client, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", host: "radarr.nasdoury.ovh"

I don't understand the problem at all ^^

5 hours ago, guilhem31 said:

I saw that accessing to this adress via WIFI gets me this error page, while accessing via LTE network shows me a 500 Internal Server Error

So I looked into the Nginx error logs :


2020/05/07 08:55:09 [error] 415#415: *66 connect() failed (111: Connection refused) while connecting to upstream, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", subrequest: "/auth", upstream: "http://45.13.xxx.xxx:7878/auth", host: "radarr.nasdoury.ovh"
2020/05/07 08:55:09 [error] 415#415: *66 auth request unexpected status: 502 while sending to client, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", host: "radarr.nasdoury.ovh"

I don't understand the problem at all ^^

Post the proxy conf you used

9 minutes ago, aptalca said:

Post the proxy conf you used

My bad, I just solved the problem (and my proxy conf was fine ;) )

I use MPTCProuter to handle my network in my house, and a setting was wrong (I don't know why it changed recently); now that I set it the right way, everything is working!!

 

Thanks aptalca for your interest

14 hours ago, saarg said:

Blank page is usually an add-on blocking something.

@saarg Thanks! uBlock Origin was the culprit. Apparently, it's not a fan of duckdns.org?

I had planned to switch from duckdns to cloudflare-ddns anyway. After doing so, the site is working properly in Firefox with uBlock Origin still enabled.

On 5/6/2020 at 3:37 PM, aptalca said:

 

Hello and thank you for this link. I finally figured out how to redirect the ports properly.

 

So now in the Letsencrypt container logs I get "server ready".


But there seem to be two issues:

  1. The Letsencrypt container is only present in the Dashboard tab, not in the Docker tab. Is that normal?!
  2. In the logs, after the "Server ready" line, I get a never-ending repetition of the following line:

    nginx: [emerg] invalid URL prefix in /config/nginx/site-confs/default:19

Edited by CiaoCiao
1 hour ago, CiaoCiao said:

 

Hello and thank you for this link. I finally figured out how to redirect the ports properly.

 

So now in the Letsencrypt container logs I get "server ready".


But there seem to be two issues:

  1. The Letsencrypt container is only present in the Dashboard tab, not in the Docker tab. Is that normal?!
  2. In the logs, after the "Server ready" line, I get a never-ending repetition of the following line:

1. Something unrelated to the container, so probably better to ask for help in general help area.

 

2. That means you have an error in the file mentioned on line 19.


Hey, so I am trying to set up basic auth with fail2ban and the authentication is working great, but fail2ban does not seem to do its part:

 

2020-05-09 18:31:32,502 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:31
2020-05-09 18:31:38,515 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:37
2020-05-09 18:31:43,727 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:43
2020-05-09 18:31:44,462 fail2ban.actions        [388]: NOTICE  [nginx-http-auth] Ban 84.241.199.134
2020-05-09 18:31:44,465 fail2ban.utils          [388]: #39-Lev. 1501c3a14110 -- exec: iptables -w -N f2b-nginx-http-auth
iptables -w -A f2b-nginx-http-auth -j RETURN
iptables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth
2020-05-09 18:31:44,466 fail2ban.utils          [388]: ERROR   1501c3a14110 -- stderr: "iptables v1.8.3 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-05-09 18:31:44,466 fail2ban.utils          [388]: ERROR   1501c3a14110 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-05-09 18:31:44,466 fail2ban.utils          [388]: ERROR   1501c3a14110 -- stderr: "iptables v1.8.3 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-05-09 18:31:44,466 fail2ban.utils          [388]: ERROR   1501c3a14110 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-05-09 18:31:44,466 fail2ban.utils          [388]: ERROR   1501c3a14110 -- stderr: 'getsockopt failed strangely: Operation not permitted'
2020-05-09 18:31:44,466 fail2ban.utils          [388]: ERROR   1501c3a14110 -- returned 1
2020-05-09 18:31:44,467 fail2ban.actions        [388]: ERROR   Failed to execute ban jail 'nginx-http-auth' action 'iptables-multiport' info 'ActionInfo({'ip': '84.241.199.134', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x1501c3ece3a0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x1501c3ece940>})': Error starting action Jail('nginx-http-auth')/iptables-multiport
2020-05-09 18:31:48,940 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:48
2020-05-09 18:31:54,150 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:54
2020-05-09 18:31:59,362 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:58
2020-05-09 18:31:59,686 fail2ban.actions        [388]: NOTICE  [nginx-http-auth] 84.241.199.134 already banned
2020-05-09 18:32:05,374 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:32:04

Basically I'm trying from my phone on 4G to get myself banned, but I can just keep retrying even though max retries is set to 3; if I try it for the 10th time and enter it correctly I just get in. I don't know what the above errors mean; I tried to google it but did not find anything that helped me.

Edited by Bleak

Added --cap-add=NET_ADMIN to extra parameters.

Found it somewhere in a forum apparently it should be mentioned somewhere that you need this but could not find it.

 

Can someone link me something that explains what this does exactly (or tell me, of course)? I want to understand what I just did and why I missed it.

Edited by Bleak
49 minutes ago, Bleak said:

Added --cap-add=NET_ADMIN to extra parameters.

Found it somewhere in a forum apparently it should be mentioned somewhere that you need this but could not find it.

Perhaps you should read the readme linked in the first post

10 minutes ago, aptalca said:

Perhaps you should read the readme linked in the first post

[screenshot of the readme]

 

I swear I've searched this whole thing 10 times no clue how I missed this...

 

Thanks anyway sorry for missing this..

Edited by Bleak
On 5/8/2020 at 11:11 AM, saarg said:

2. That means you have an error in the file mentioned on line 19.

So I tried to go to the specified file.

First, instead of this file path which is specified in the error message:

    nginx: [emerg] invalid URL prefix in /config/nginx/site-confs/default:19

I find the "default" file under config/appdata/nginx/nginx/site-confs

 

Then, when I go to line 19 of this file, it's a blank line:

[screenshot of the file]

 

Also, isn't it weird that this file specifies ports 80 and 443 when I actually set up different ports in the template? And yet I'm still getting the "Server ready" message?

 

I'm confused as to what I should do to solve this issue.

Edited by CiaoCiao
3 hours ago, CiaoCiao said:

So I tried to go to the specified file.

First, instead of this file path which is specified in the error message:

I find the "default" file under config/appdata/nginx/nginx/site-confs

 

Then, when I go to line 19 of this file, it's a blank line:

[screenshot of the file]

 

Also, isn't it weird that this file specifies ports 80 and 443 when I actually set up different ports in the template? And yet I'm still getting the "Server ready" message?

 

I'm confused as to what I should do to solve this issue.

 

It seems you are a little confused about how docker works. The path you see in the log is the path inside the container, not on unraid. The container doesn't know which path on unraid you set in the template.

It's the same with the ports. Port 80 and 443 are the ports used inside the container. Which ports you mapped those ports to on the unraid side is irrelevant for the container.

 

At the top of this file there is a date. If it's not the one below, you should delete the file and restart the container to get the newest. If you have made any changes to the file, you would have to redo them.

 

## Version 2020/03/05 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

1 hour ago, saarg said:

 

It seems you are a little confused about how docker works. The path you see in the log is the path inside the container, not on unraid. The container doesn't know which path on unraid you set in the template.

It's the same with the ports. Port 80 and 443 are the ports used inside the container. Which ports you mapped those ports to on the unraid side is irrelevant for the container.

 

At the top of this file there is a date. If it's not the one below, you should delete the file and restart the container to get the newest. If you have made any changes to the file, you would have to redo them.

 

## Version 2020/03/05 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

 

Well I must admit I was terribly confused. Thank you very very much for explaining this to me.

 

So I actually was so confused I was messing with the "default" config file from the Nginx container I used previously to troubleshoot the port forwarding of my router... instead of the "default" config file of letsencrypt! lol

 

So now I have found the right one and here is what the content of the right "default" config file looks like:

server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;
 
    server_name domainname.net;
 
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'manymanythings here';
    ssl_prefer_server_ciphers on;
 
    client_max_body_size 0;
 
    location / {
        include /config/nginx/proxy.conf;
        proxy_pass 192.168.0.16:444;
    }
   
    location ~ /netdata/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend/$ndpath$is_args$args;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}

So line 19 reads:

proxy_pass 192.168.0.16:444;

Out of curiosity I tried forwarding the port 444 to my Unraid server but the error line 19 in the "Default" config file did not go away from the logs and keeps repeating after "Server ready".

Edited by CiaoCiao
removed domain name
48 minutes ago, CiaoCiao said:

 

Well I must admit I was terribly confused. Thank you very very much for explaining this to me.

 

So I actually was so confused I was messing with the "default" config file from the Nginx container I used previously to troubleshoot the port forwarding of my router... instead of the "default" config file of letsencrypt! lol

 

So now I have found the right one and here is what the content of the right "default" config file looks like:


server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;
 
    server_name  ;
 
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
 
    client_max_body_size 0;
 
    location / {
        include /config/nginx/proxy.conf;
        proxy_pass 192.168.0.16:444;
    }
   
    location ~ /netdata/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend/$ndpath$is_args$args;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}

So line 19 reads:


proxy_pass 192.168.0.16:444;

Out of curiosity I tried forwarding the port 444 to my Unraid server but the error line 19 in the "Default" config file did not go away from the logs and keeps repeating after "Server ready".

You do not have http:// in the proxy_pass.

 

Also, remove the domain name from your post 😉

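A pre-flight check for the two things saarg's replies point at, as an added example that is neither the thread's nor the linuxserver project's code: the "## Version" date at the top of the default file, and a proxy_pass target with no http:// or https:// in front of it (the "invalid URL prefix" emerg that nginx reports as file:line). The sample file is constructed to resemble the one posted above, with the broken proxy_pass on its line 10; the expected version string 2020/03/05 is the one saarg quotes, and the variable-based second location is there only to show a target that must not be flagged.

```python
import re

# Added example (not part of the original thread or the linuxserver image).
# Flags proxy_pass targets with no URL prefix, which nginx refuses with
# "invalid URL prefix in <file>:<line>", and a "## Version" header older
# than the one the image currently ships.

VERSION_RE = re.compile(r"^## Version (\d{4}/\d{2}/\d{2})")
PROXY_PASS_RE = re.compile(r"^\s*proxy_pass\s+(\S+?)\s*;")

# Targets nginx accepts: a scheme, a unix socket, or a variable expanded per request.
VALID_PREFIXES = ("http://", "https://", "unix:", "$")

# Constructed sample shaped like the thread's default file; the bug is on line 10.
SAMPLE_DEFAULT = """\
## Version 2020/01/01 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default
server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    server_name _;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass 192.168.0.16:444;
    }

    location /radarr/ {
        set $upstream_proto http;
        proxy_pass $upstream_proto://192.168.0.16:7878;
    }
}
"""


def lint_site_conf(text, expected_version):
    """Return [(line_number, finding)] for one site-conf or proxy-conf file.

    expected_version is the "YYYY/MM/DD" string from the image's current
    default; the format sorts correctly as a plain string comparison.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = VERSION_RE.match(line)
        if m:
            if m.group(1) < expected_version:
                findings.append((lineno, "stale-version"))
            continue
        m = PROXY_PASS_RE.match(line)
        if m and not m.group(1).startswith(VALID_PREFIXES):
            findings.append((lineno, "proxy_pass-no-scheme"))
    return findings


if __name__ == "__main__":
    # Same file:line shape as the nginx emerg, so it is easy to match against the log.
    for lineno, finding in lint_site_conf(SAMPLE_DEFAULT, "2020/03/05"):
        print(f"/config/nginx/site-confs/default:{lineno}: {finding}")
```

A stale-version finding means what saarg says: delete the file, restart the container to get the current default, then re-apply local changes. After editing, `nginx -t` run inside the container (for example `docker exec letsencrypt nginx -t`, with the container name being an assumption) reproduces the emerg without a restart.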
1 hour ago, saarg said:

You do not have http:// in the proxy_pass.

 

Also, remove the domain name from your post 😉

Thank you very much!

 

I tweaked a few things I also had made mistakes on as well and now everything is working fine, I'm just getting the "Server ready" message :)

