aptalca Posted May 6, 2020
44 minutes ago, CiaoCiao said: Hello everyone, I am setting up Letsencrypt following SpaceInvaderOne's video tutorial. I am having a hard time getting the validation process to pass successfully. I own a domain name and my IP is static, so I did not enter "duckdns.org" in the container settings since this would be useless. I entered my custom domain name instead. Also, I have already created two subdomains which are pointing at my public static IP. The HTTP and HTTPS ports I entered in the container template before installing are forwarded to my Unraid server's local static IP. I should probably also mention I think it is weird that the Letsencrypt container is displayed in the Dashboard tab but not in the Docker tab... Could you please give me a hint as to what to check or change to get this to work? Thank you in advance. Here are the logs:
Follow this: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/
Revrto Posted May 6, 2020
2 minutes ago, aptalca said: Well, I couldn't get nat reflection to work on pfsense even without double nat, so maybe that's some consolation for you. I am also using split dns. With that, we have no choice but to run letsencrypt on at least port 443. You'll have to change unraid's https port to something else. I kept unraid on port 80 for http, so when I hit my addresses inside my lan, I use the https endpoint and all is well.
That's what I was thinking about doing, but I can't figure out a way to have letsencrypt pass through a valid cert to unraid and point it at that IP. Much less doing that while restricting access to that device to only the local network. Similar to the pfSense example in my second question.
aptalca Posted May 6, 2020
3 minutes ago, Revrto said: That's what I was thinking about doing, but I can't figure out a way to have letsencrypt pass through a valid cert to unraid and point it at that IP. Much less doing that while restricting access to that device to only the local network. Similar to the pfSense example in my second question.
You don't need to provide certs to anything else. You can reverse proxy. You'll also still be able to access unraid on port 80 with http via its ip. If you want remote access, reverse proxy it. You can use allow/deny statements to control access. There is a post here on one of the last couple of pages about that.
Revrto Posted May 6, 2020
23 minutes ago, aptalca said: You don't need to provide certs to anything else. You can reverse proxy. You'll also still be able to access unraid on port 80 with http via its ip. If you want remote access, reverse proxy it. You can use allow/deny statements to control access. There is a post here on one of the last couple of pages about that.
I think that makes sense if I switch to dns verification and use a wildcard for the certs (I have not migrated that yet). I saw the post about proxy_pass and that seems like it might work if I pair that with danioj's method of restricting to local. You mentioned to him about using http auth as well for good measure. I am not familiar with it, I assume that is different than using 2FA with an authenticator, correct? Could you point me to a link on implementing it in this scenario? Thanks btw for all your help.
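The two things aptalca suggests above, allow/deny to restrict a proxied service to the LAN and http auth (nginx basic authentication) on top of it, can live in one server block. The following is an added example, not a file from the thread or from linuxserver's own proxy-confs. It assumes a LAN of 192.168.0.0/24, an upstream app on 192.168.0.16:7878, an ssl.conf in /config/nginx/ to include, and a password file /config/nginx/.htpasswd created beforehand with the htpasswd tool; all of those are placeholders to adjust.

```nginx
# Added example (not from the thread): a LAN-only reverse proxy for one service
# inside the letsencrypt container. Constructed assumptions: LAN 192.168.0.0/24,
# upstream 192.168.0.16:7878, /config/nginx/.htpasswd already created.
server {
    listen 443 ssl;
    server_name radarr.*;

    # TLS settings shipped with the container (assumed path).
    include /config/nginx/ssl.conf;

    location / {
        # ngx_http_access_module: rules are checked in order, first match wins.
        # Everything outside the LAN gets a 403 before reaching the backend.
        allow 192.168.0.0/24;
        deny all;

        # Basic authentication (the "http auth" mentioned in the thread).
        # With the default "satisfy all", a client must pass BOTH the address
        # check and the password prompt; "satisfy any" would let LAN clients
        # skip the password, which is usually not what you want on a shared LAN.
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;

        include /config/nginx/proxy.conf;
        # proxy_pass requires a scheme; a bare host:port is rejected by nginx
        # at startup with "invalid URL prefix".
        proxy_pass http://192.168.0.16:7878;
    }
}
```

Two things to check before relying on this. allow/deny only does what you expect if nginx sees the client's real source address: with split DNS (as used above) LAN clients connect directly and keep their 192.168.0.x address, but through hairpin NAT they can all arrive as the router's address, and behind a CDN or another proxy they arrive as that proxy's address, so test from a remote network (for example a phone on LTE) and confirm you get a 403. Basic auth is a password only, not a second factor, so it does not replace 2FA; it just keeps unauthenticated requests from ever reaching the application, and failed attempts land in the nginx log where fail2ban's nginx-http-auth jail can act on them.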
guilhem31 Posted May 6, 2020
Hi everybody, I'm struggling with my reverse proxy setup. I followed the spaceinvader's tutorial, using DNS verification (with an OVH domain name). The logs seem to be ok, server running. Ports opened. But I'm getting this when I try to reach radarr.mydomain.com (or any subdomain I configured). Any hint how to debug all this?
rragu Posted May 7, 2020
I installed LSIO's code-server container and set up a reverse proxy using the LSIO LetsEncrypt container. My issue is: on Firefox, once I go to code.mydomain.com and log in with the password I set in the code-server container, I just get a blank page. However, the same site works perfectly fine on Chrome and Edge. I know I'm being kinda vague. But any ideas as to why this might be or what I should start checking for?
saarg Posted May 7, 2020
3 hours ago, rragu said: I installed LSIO's code-server container and set up a reverse proxy using the LSIO LetsEncrypt container. My issue is: on Firefox, once I go to code.mydomain.com and log in with the password I set in the code-server container, I just get a blank page. However, the same site works perfectly fine on Chrome and Edge. I know I'm being kinda vague. But any ideas as to why this might be or what I should start checking for?
Blank page is usually an add-on blocking something.
guilhem31 Posted May 7, 2020
9 hours ago, guilhem31 said: Hi everybody, I'm struggling with my reverse proxy setup. I followed the spaceinvader's tutorial, using DNS verification (with an OVH domain name). The logs seem to be ok, server running. Ports opened. But I'm getting this when I try to reach radarr.mydomain.com (or any subdomain I configured). Any hint how to debug all this?
I saw that accessing this address via WIFI gets me this error page, while accessing via LTE network shows me a 500 Internal Server Error. So I looked into the Nginx error logs:
2020/05/07 08:55:09 [error] 415#415: *66 connect() failed (111: Connection refused) while connecting to upstream, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", subrequest: "/auth", upstream: "http://45.13.xxx.xxx:7878/auth", host: "radarr.nasdoury.ovh"
2020/05/07 08:55:09 [error] 415#415: *66 auth request unexpected status: 502 while sending to client, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", host: "radarr.nasdoury.ovh"
I don't understand the problem at all ^^
aptalca Posted May 7, 2020
5 hours ago, guilhem31 said: I saw that accessing this address via WIFI gets me this error page, while accessing via LTE network shows me a 500 Internal Server Error. So I looked into the Nginx error logs:
2020/05/07 08:55:09 [error] 415#415: *66 connect() failed (111: Connection refused) while connecting to upstream, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", subrequest: "/auth", upstream: "http://45.13.xxx.xxx:7878/auth", host: "radarr.nasdoury.ovh"
2020/05/07 08:55:09 [error] 415#415: *66 auth request unexpected status: 502 while sending to client, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", host: "radarr.nasdoury.ovh"
I don't understand the problem at all ^^
Post the proxy conf you used
guilhem31 Posted May 7, 2020
9 minutes ago, aptalca said: Post the proxy conf you used
My bad, I just solved the problem (and my proxy conf was fine). I use MPTCProuter to handle my network in my house, and a setting was wrong (I don't know why it changed recently); now that I set it the right way, everything is working!! Thanks aptalca for your interest.
rragu Posted May 7, 2020
14 hours ago, saarg said: Blank page is usually an add-on blocking something.
@saarg Thanks! uBlock Origin was the culprit. Apparently, it's not a fan of duckdns.org? I had planned to switch from duckdns to cloudflare-ddns anyway. After doing so, the site is working properly in Firefox with uBlock Origin still enabled.
CiaoCiao Posted May 8, 2020
On 5/6/2020 at 3:37 PM, aptalca said: Follow this: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/
Hello and thank you for this link. I finally figured out how to redirect the ports properly. So now in the Letsencrypt container logs I get "server ready". But there seem to be two issues:
1. The Letsencrypt container is only present in the Dashboard tab, not in the Docker tab. Is that normal?!
2. In the logs, after the "Server ready" line, I get a never ending repetition of the following line:
nginx: [emerg] invalid URL prefix in /config/nginx/site-confs/default:19
saarg Posted May 8, 2020
1 hour ago, CiaoCiao said: Hello and thank you for this link. I finally figured out how to redirect the ports properly. So now in the Letsencrypt container logs I get "server ready". But there seem to be two issues: The Letsencrypt container is only present in the Dashboard tab, not in the Docker tab. Is that normal?! In the logs, after the "Server ready" line, I get a never ending repetition of the following line:
1. Something unrelated to the container, so probably better to ask for help in general help area.
2. That means you have an error in the file mentioned on line 19.
Bleak Posted May 9, 2020
Hey so I am trying to setup basic auth with fail2ban and the authenticating is working great but fail2ban does not seem to do its part:
020-05-09 18:31:32,502 fail2ban.filter [388]: INFO [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:31
2020-05-09 18:31:38,515 fail2ban.filter [388]: INFO [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:37
2020-05-09 18:31:43,727 fail2ban.filter [388]: INFO [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:43
2020-05-09 18:31:44,462 fail2ban.actions [388]: NOTICE [nginx-http-auth] Ban 84.241.199.134
2020-05-09 18:31:44,465 fail2ban.utils [388]: #39-Lev. 1501c3a14110 -- exec: iptables -w -N f2b-nginx-http-auth iptables -w -A f2b-nginx-http-auth -j RETURN iptables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth
2020-05-09 18:31:44,466 fail2ban.utils [388]: ERROR 1501c3a14110 -- stderr: "iptables v1.8.3 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-05-09 18:31:44,466 fail2ban.utils [388]: ERROR 1501c3a14110 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-05-09 18:31:44,466 fail2ban.utils [388]: ERROR 1501c3a14110 -- stderr: "iptables v1.8.3 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-05-09 18:31:44,466 fail2ban.utils [388]: ERROR 1501c3a14110 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-05-09 18:31:44,466 fail2ban.utils [388]: ERROR 1501c3a14110 -- stderr: 'getsockopt failed strangely: Operation not permitted'
2020-05-09 18:31:44,466 fail2ban.utils [388]: ERROR 1501c3a14110 -- returned 1
2020-05-09 18:31:44,467 fail2ban.actions [388]: ERROR Failed to execute ban jail 'nginx-http-auth' action 'iptables-multiport' info 'ActionInfo({'ip': '84.241.199.134', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x1501c3ece3a0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x1501c3ece940>})': Error starting action Jail('nginx-http-auth')/iptables-multiport
2020-05-09 18:31:48,940 fail2ban.filter [388]: INFO [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:48
2020-05-09 18:31:54,150 fail2ban.filter [388]: INFO [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:54
2020-05-09 18:31:59,362 fail2ban.filter [388]: INFO [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:58
2020-05-09 18:31:59,686 fail2ban.actions [388]: NOTICE [nginx-http-auth] 84.241.199.134 already banned
2020-05-09 18:32:05,374 fail2ban.filter [388]: INFO [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:32:04
Basically trying from my phone on 4g to get myself banned, but I can just keep retrying even though max retries is at 3; if I try it for the 10th time and enter it correctly I just get in. Don't know what the above errors mean, tried to google it but did not find anything that helped me..
Bleak Posted May 9, 2020
Added --cap-add=NET_ADMIN to extra parameters. Found it somewhere in a forum; apparently it should be mentioned somewhere that you need this but could not find it. Can someone link me something that explains what this does exactly? (or tell me of course) Want to understand what I just did and why I missed it..
aptalca Posted May 9, 2020
49 minutes ago, Bleak said: Added --cap-add=NET_ADMIN to extra parameters. Found it somewhere in a forum; apparently it should be mentioned somewhere that you need this but could not find it.
Perhaps you should read the readme linked in the first post
Bleak Posted May 9, 2020
10 minutes ago, aptalca said: Perhaps you should read the readme linked in the first post
I swear I've searched this whole thing 10 times, no clue how I missed this... Thanks anyway, sorry for missing this..
Marshalleq Posted May 10, 2020
Hi all, anyone know if the lets encrypt container supports the mail directive? Am trying to use it to proxy imap and smtp. Many thanks.
aptalca Posted May 10, 2020
1 hour ago, Marshalleq said: Hi all, anyone know if the lets encrypt container supports the mail directive? Am trying to use it to proxy imap and smtp. Many thanks.
I believe there is sendmail in there
StandardToast Posted May 10, 2020
Hi, posting here because I think I am having an issue with my reverse proxy rather than next cloud itself. Original post is here getting a 502 bad gateway error. Any help would be appreciated.
CiaoCiao Posted May 10, 2020
On 5/8/2020 at 11:11 AM, saarg said: 2. That means you have an error in the file mentioned on line 19.
So I tried to go to the specified file. First, instead of this file path which is specified in the error message:
nginx: [emerg] invalid URL prefix in /config/nginx/site-confs/default:19
I find the "default" file under config/appdata/nginx/nginx/site-confs. Then, when I go to line 19 of this file, it's a blank line. Also, isn't it weird that this file specifies ports 80 and 443 when I actually set up different ports in the template? And yet I'm still getting the "Server ready" message? I'm confused as to what I should do to solve this issue.
saarg Posted May 10, 2020
3 hours ago, CiaoCiao said: So I tried to go to the specified file. First, instead of this file path which is specified in the error message: I find the "default" file under config/appdata/nginx/nginx/site-confs. Then, when I go to line 19 of this file, it's a blank line. Also, isn't it weird that this file specifies ports 80 and 443 when I actually set up different ports in the template? And yet I'm still getting the "Server ready" message? I'm confused as to what I should do to solve this issue.
It seems you are a little confused about how docker works. The path you see in the log is the path inside the container, not on unraid. The container doesn't know which path on unraid you set in the template. It's the same with the ports. Port 80 and 443 are the ports used inside the container. Which ports you mapped those ports to on the unraid side is irrelevant for the container. At the top of this file there is a date. If it's not the one below, you should delete the file and restart the container to get the newest. If you have made any changes to the file, you would have to redo them.
## Version 2020/03/05 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default
CiaoCiao Posted May 10, 2020
1 hour ago, saarg said: It seems you are a little confused about how docker works. The path you see in the log is the path inside the container, not on unraid. The container doesn't know which path on unraid you set in the template. It's the same with the ports. Port 80 and 443 are the ports used inside the container. Which ports you mapped those ports to on the unraid side is irrelevant for the container. At the top of this file there is a date. If it's not the one below, you should delete the file and restart the container to get the newest. If you have made any changes to the file, you would have to redo them. ## Version 2020/03/05 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default
Well I must admit I was terribly confused. Thank you very very much for explaining this to me. So I actually was so confused I was messing with the "default" config file from the Nginx container I used previously to troubleshoot the port forwarding of my router... instead of the "default" config file of letsencrypt! lol
So now I have found the right one and here is what the content of the right "default" config file looks like:
server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;
    server_name domainname.net;
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'manymanythings here';
    ssl_prefer_server_ciphers on;
    client_max_body_size 0;
    location / {
        include /config/nginx/proxy.conf;
        proxy_pass 192.168.0.16:444;
    }
    location ~ /netdata/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend/$ndpath$is_args$args;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}
So line 19 reads:
proxy_pass 192.168.0.16:444;
Out of curiosity I tried forwarding the port 444 to my Unraid server but the error line 19 in the "Default" config file did not go away from the logs and keeps repeating after "Server ready".
saarg Posted May 10, 2020
48 minutes ago, CiaoCiao said: Well I must admit I was terribly confused. Thank you very very much for explaining this to me. So I actually was so confused I was messing with the "default" config file from the Nginx container I used previously to troubleshoot the port forwarding of my router... instead of the "default" config file of letsencrypt! lol
So now I have found the right one and here is what the content of the right "default" config file looks like:
server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;
    server_name ;
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
    client_max_body_size 0;
    location / {
        include /config/nginx/proxy.conf;
        proxy_pass 192.168.0.16:444;
    }
    location ~ /netdata/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend/$ndpath$is_args$args;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}
So line 19 reads:
proxy_pass 192.168.0.16:444;
Out of curiosity I tried forwarding the port 444 to my Unraid server but the error line 19 in the "Default" config file did not go away from the logs and keeps repeating after "Server ready".
You do not have http:// in the proxy_pass. Also, remove the domain name from your post 😉
CiaoCiao Posted May 10, 2020
1 hour ago, saarg said: You do not have http:// in the proxy_pass. Also, remove the domain name from your post 😉
Thank you very much! I tweaked a few other things I had also made mistakes on, and now everything is working fine; I'm just getting the "Server ready" message.