[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



It's me again!

 

So now everything is working fine with the reverse proxy.

 

Yet there is one more thing I would like it to do. I have an Ubuntu VM that I would like the reverse proxy to forward the traffic to when people access a certain subdomain.

I have allocated the Ubuntu VM a static local IP and I would like to redirect anyone accessing the specific subdomain to this VM's local IP on a certain port.

 

I'm pretty sure this is possible but I have not found how.

Link to comment

Hey,

 

I've got this docker setup and running with Organizr as the frontend, it has been working great!

Now I'm developing a .php page that I want to try while coding it. Is there an easy solution to use this docker to serve the .php without messing with the rest of my setup?

 

For now I'd like to just have it served locally

Link to comment

I am having the same concern:
Error getting validation data

I have read a few pages of the thread, and cannot seem to gather why this is happening.
Ping urls with no issue
port forwarding is enabled.
firewall to access ports accordingly.

Error
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Error getting validation data


Has there been any fix to allow this container to work?
Would the default config help? I installed this docker fresh and opened my FW wide open to make sure nothing was blocking, and I am not having any success.

Edited by bombz
Link to comment
7 hours ago, bombz said:

I am having the same concern:
Error getting validation data

I have read a few pages of the thread, and cannot seem to gather why this is happening.
Ping urls with no issue
port forwarding is enabled.
firewall to access ports accordingly.

Error
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Error getting validation data


Has there been any fix to allow this container to work?
Would the default config help? I installed this docker fresh and opened my FW wide open to make sure nothing was blocking, and I am not having any success.

You can start with this.

https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

Link to comment
5 hours ago, gRuNdLeKrEiSt said:

How would I go about using the letsencrypt docker to generate a CSR? I have an SSL Cert available through my DNS provider and I would like to use it. I've been looking on Google and in this topic and have not found any answers.

tenor.gif

Link to comment
10 hours ago, aptalca said:

Follow those steps exactly

Yes I followed them.
I have also completely removed the docker and the files in appdata to start a fresh install. Have the ports and fw rules set, can ping the domain successfully, I can hit the domain service on the direct port with a port forward rule directly to the service.
I have rebooted modem and gateway etc.

can't seem to get the docker app to talk
Still have:

http-01 challenge for domainnamehere
Cleaning up challenges
Some challenges have failed
Domain: domainnamehere
Type: connection
Detail: Fetching
http://domainnamehere/.well-known/acme-challenge/long string of data (I do not see this folder anywhere under the letsencrypt folder via SSH)
Error getting validation data

I have added the default config from letsencrypt/nginx/site-confs/
not sure if this will help
there are also no logs being created on /var/logs/letsencrypt - as stated in the error window

config.JPG

Edited by bombz
Link to comment
2 hours ago, bombz said:

Yes I followed them.
I have also completely removed the docker and the files in appdata to start a fresh install. Have the ports and fw rules set, can ping the domain successfully, I can hit the domain service on the direct port with a port forward rule directly to the service.
I have rebooted modem and gateway etc.

can't seem to get the docker app to talk
Still have:

http-01 challenge for domainnamehere
Cleaning up challenges
Some challenges have failed
Domain: domainnamehere
Type: connection
Detail: Fetching
http://domainnamehere/.well-known/acme-challenge/long string of data (I do not see this folder anywhere under the letsencrypt folder via SSH)
Error getting validation data

I have added the default config from letsencrypt/nginx/site-confs/
not sure if this will help
there are also no logs being created on /var/logs/letsencrypt - as stated in the error window

config.JPG

Did you set up nginx with the same port mappings as letsencrypt and can see the welcome page when you connect to your domain on http port 80 via cell phone with wifi disabled?

Link to comment
34 minutes ago, aptalca said:

Did you set up nginx with the same port mappings as letsencrypt and can see the welcome page when you connect to your domain on http port 80 via cell phone with wifi disabled?

I have setup port forwarding for 80 and 443 -> custom port for letsencrypt
letsencrypt is using a different network 'proxy'

Perhaps I am confused and not understanding as I am learning this.
Following the video guide nginx was not referenced.
reading the troubleshooting guide I was reading about nginx and thought letsencrypt handled what nginx did or does.
nginx container needs to run alongside letsencrypt?
I will feel terrible if that's the case this is new to me.

Also I have been fiddling with letsencrypt restarts so many times that I am now at a standstill, as I have received from letsencrypt "too many failed authorizations recently"


as far as I know I am required to wait up to 1 week before I can try again 😞
 

image.png.35118db29e42dd69cead3e9f05c6f78a.png

binhex nginx is installed
80 > 8080
443 > 8443
Cannot hit nginx from outside the network

Edited by bombz
Link to comment

Hey team!

 

Wondering if anyone might have any advice on how to fix my proxy config for the stash app.

 

I followed some of the other conf files as examples when creating it:

# make sure that your dns has a cname set for stash

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name stash.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app stash;
        set $upstream_port 9999;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}


It works for the most part with a very small exception, when I access the app through the reverse proxy I get these errors in the logs:
download-1.jpg.b4b0b0c9a171908a403c994abc844fc8.jpg

 

Wondering if anyone might have advice on how I can alter my conf file to support the calls being blocked there.

 

Thanks!

Link to comment
12 hours ago, aptalca said:

That's imap proxy, completely different.

 

But in any case, nginx is already compiled with mail in our image

Thanks - yeah in my original it says Imap - but recognise easy to overlook, you have a huge job responding to all these requests!  Many thanks for the info, will check it out!

 

Marshalleq

Edited by Marshalleq
Link to comment

I'm following the SpaceInvaderOne video on setting up a Reverse Proxy with LetsEncrypt and I've run into a permissions issue.

At around 20:00 in the video, he's editing the configuration files in the appdata/letsencrypt/nginx/proxy-confs folder. He saves the file directly into the proxy-confs folder, but I'm unable to do that. I get "Destination Folder Access Denied. You need permission to perform this action." whenever I try to save a file, or rename a file in that folder. I'm accessing it through Windows Explorer. I do have read/write access to the nginx folder right above this one. I can't figure out how to get permissions to this folder. Has anyone had this issue setting this up? How do I get permissions to this folder?

 

 

Edited by Ccheese4
Link to comment
2 hours ago, bombz said:

I have setup port forwarding for 80 and 443 -> custom port for letsencrypt
letsencrypt is using a different network 'proxy'

Perhaps I am confused and not understanding as I am learning this.
Following the video guide nginx was not referenced.
reading the troubleshooting guide I was reading about nginx and thought letsencrypt handled what nginx did or does.
nginx container needs to run alongside letsencrypt?
I will feel terrible if that's the case this is new to me.

Also I have been fiddling with letsencrypt restarts so many times that I am now at a standstill, as I have received from letsencrypt "too many failed authorizations recently"


as far as I know I am required to wait up to 1 week before I can try again 😞
 

image.png.35118db29e42dd69cead3e9f05c6f78a.png

binhex nginx is installed
80 > 8080
443 > 8443
Cannot hit nginx from outside the network

Smh. You see the linuxserver version and the binhex version side by side in your screenshot and you still select the binhex version. Why? Not that there is anything wrong with that version, but I'm asking you to follow the simple steps outlined in the troubleshooting article. We put a lot of time into it and it gets frustrating when users still don't follow them even when we spell them out step by step.

 

The whole point of the troubleshooting article is so you can make sure that your ports are properly mapped and forwarded and that the container is accessible from the internet. Only then, you should try to set up letsencrypt. Otherwise there are too many reasons why it can fail and as you experienced, if it fails a bunch of times, you're throttled.

 

So read the directions carefully. 

Link to comment
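An added example, not part of the thread and not linuxserver.io code: a small preflight for the check the reply above asks for, confirming that port 80 on the domain really reaches the container's web root before any certificate request is made. The function names are hypothetical, and the web root argument is assumed to be the directory your nginx serves on port 80.

```python
"""http-01 reachability preflight (added example; names are hypothetical)."""
import pathlib
import secrets
import sys
import urllib.error
import urllib.request

CHALLENGE_DIR = ".well-known/acme-challenge"  # path the http-01 validator fetches


def plant_token(webroot):
    """Run on the server: write a random test file where a challenge would live."""
    token = "preflight-" + secrets.token_hex(8)
    target = pathlib.Path(webroot) / CHALLENGE_DIR / token
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_text(token)
    return token


def check_token(host, token, port=80, timeout=10):
    """Run from outside the LAN: fetch the file the way the validator would."""
    url = f"http://{host}:{port}/{CHALLENGE_DIR}/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(256).decode(errors="replace").strip()
    except urllib.error.HTTPError as exc:
        # A web server answered, but it is not serving this web root.
        return False, f"http {exc.code}"
    except (urllib.error.URLError, OSError) as exc:
        # Nothing reachable: port mapping, forwarding or firewall.
        return False, f"connection: {getattr(exc, 'reason', exc)}"
    if body != token:
        return False, "mismatch: a different service answered on this port"
    return True, "ok"


if __name__ == "__main__":
    # usage: preflight.py plant WEBROOT | preflight.py check HOST TOKEN [PORT]
    if sys.argv[1] == "plant":
        print(plant_token(sys.argv[2]))
    else:
        port = int(sys.argv[4]) if len(sys.argv) > 4 else 80
        ok, reason = check_token(sys.argv[2], sys.argv[3], port)
        print("reachable" if ok else f"NOT reachable ({reason})")
        sys.exit(0 if ok else 1)
```

Run `plant` on the server and `check` from a machine on another network (a phone hotspot, for instance), since a fetch from inside the LAN only exercises NAT loopback. Delete the planted file afterwards.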
12 minutes ago, Ccheese4 said:

I'm following the SpaceInvaderOne video on setting up a Reverse Proxy with LetsEncrypt and I've run into a permissions issue.

At around 20:00 in the video, he's editing the configuration files in the appdata/letsencrypt/nginx/proxy-confs folder. He saves the file directly into the proxy-confs folder, but I'm unable to do that. I get "Destination Folder Access Denied. You need permission to perform this action." whenever I try to save a file, or rename a file in that folder. I'm accessing it through Windows Explorer. I do have read/write access to the nginx folder right above this one. I can't figure out how to get permissions to this folder. Has anyone had this issue setting this up? How do I get permissions to this folder?

 

 

I recommend unraid console for those operations. Simple "cp sourcefilename targetfilename" will do what you want. And use "nano filename" to edit files

Link to comment
1 hour ago, Marshalleq said:

Thanks - yeah in my original it says Imap - but recognise easy to overlook, you have a huge job responding to all these requests!  Many thanks for the info, will check it out!

 

Marshalleq

Oh yeah I did overlook on mobile 😄

 

I thought you were trying to send emails from within the container.

 

That's exactly what you want for proxy. The nginx.conf I believe has a very basic sample in there which you can enable and modify: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/nginx.conf#L85

Edited by aptalca
Link to comment
2 hours ago, aptalca said:

Smh. You see the linuxserver version and the binhex version side by side in your screenshot and you still select the binhex version. Why? Not that there is anything wrong with that version, but I'm asking you to follow the simple steps outlined in the troubleshooting article. We put a lot of time into it and it gets frustrating when users still don't follow them even when we spell them out step by step.

 

The whole point of the troubleshooting article is so you can make sure that your ports are properly mapped and forwarded and that the container is accessible from the internet. Only then, you should try to set up letsencrypt. Otherwise there are too many reasons why it can fail and as you experienced, if it fails a bunch of times, you're throttled.

 

So read the directions carefully. 

Thank you for your assistance. 
I attempted the linuxserver version (2015) first and it prompted a server error when I attempted to start it; the binhex did not.

I can understand the frustration, I knew as soon as I responded the 'smh' was understandable.
Copy that on the troubleshooting steps and outlook. It's been a long few days on this.
Long story short I made some successful progress tonight, but good things came of it.

Continue some more tomorrow.

Link to comment

Anyone know where I can change the default error file locations?

I've tried adding something like this to one of my .conf

 

Never mind. I fixed it below. Didn't have the correct volume mapping path.

 

error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 421 422 423 424 425 426 428 429 431 451 500 501 502 503 504 505 506 507 508 510 511 /error.html;

location = /error.html {

  ssi on;
  internal;
  auth_basic off;
  root /config/www;
}

 

Edited by KJThaDon
Link to comment
