[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

7 hours ago, Energen said:

Am I doing this wrong, or what don't I understand here? (Which is a lot.)

 

I'm playing with a Gotify docker container for push notifications.

I'm playing with this letsencrypt docker for SSL certificates.

 

Is it possible/how do I use the SSL certs from the letsencrypt container in the Gotify container?

 

The Gotify config file has an area for SSL

 


  ssl:
    enabled: false # if https should be enabled
    redirecttohttps: true # redirect to https if site is accessed by http
    listenaddr: "" # the address to bind on, leave empty to bind on all addresses
    port: 443 # the https port
    certfile: # the cert file (leave empty when using letsencrypt)
    certkey: # the cert key (leave empty when using letsencrypt)
    letsencrypt:
      enabled: false # if the certificate should be requested from letsencrypt
      accepttos: false # if you accept the tos from letsencrypt
      cache: data/certs # the directory of the cache from letsencrypt

 

But this seems to require that letsencrypt is running within the same docker container?

 

I've tried just copying the files from appdata/letsencrypt to a folder in appdata/gotify, but the files "weren't found", so I'm not sure where gotify was looking for them. The main config file is found in appdata/gotify/config; I tried the certs there also.

 

Gotify doesn't have a support thread here so I'll try in the letsencrypt thread, since I need letsencrypt files ;)

 

Thanks for any assistance.

It's explained in the readme, but you really should reverse proxy rather than share certs.

Link to comment
19 hours ago, aptalca said:

Can you post the output of "ps -ef" from inside the container when that happens?

This morning it appears it didn't. So perhaps it really is connected to the cron job? It renewed the night before but still went down. Last night it simply said "Cert not yet due for renewal" and everything is running this morning. Very strange.

Link to comment

Hi, 

 

I'm having a problem with my nextcloud application that doesn't allow me to upload files larger than 50 MB. I have checked everything on the installation and the problem is leading me to believe that it is the letsencrypt docker container.

 

I have updated the php-local.ini post_max_size and upload_max_filesize to 3GB. Also added client_max_body_size to the subdomain.conf, and proxy_max_temp_file_size 30720M.

 

I don't know what I am missing or if this is something happening to someone else in the forum.

 

Server replied "413 Request Entity Too Large" to "PUT https://nextcloud.mydomain.com/remote.php/dav/uploads/myprofile/213883260/00000001" 

 

Link to comment

@gacpac 50 MB sounds almost like you use WebDAV to upload.

 

In case it's WebDAV you use, Windows is limited to 50 MB by default when using WebDAV. You can increase the size by editing

 

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WebClient\Parameters

 

key FileSizeLimitInBytes, change to max 4294967295 (4 GB)

 

only if WebDAV is the protocol you try to use.

Link to comment
12 minutes ago, alturismo said:

@gacpac 50 MB sounds almost like you use WebDAV to upload. [...]

I'm using whatever the nextcloud application is using. I'm looking to replace dropbox with nextcloud completely. Let me give it a try.

Link to comment

@alturismo your fix in the registry actually worked for manually accessing nextcloud using WebDAV. But the application for Windows doesn't work. And it seems the app is using WebDAV as well, but it just doesn't work. It doesn't make sense; is there a setting that I should be looking out for regarding WebDAV or something?

 

If someone had this problem with the nextcloud app, maybe I'm not the only one. 

 

 

Link to comment

I followed the comment linked below. I modified the proxy.conf; I'm not sure if that opens a security hole with the other subdomains, but it did the job.

 

https://github.com/nextcloud/docker/issues/762#issuecomment-504225433

 

Quote:

@JanMalte
I finally solved my issue regarding 413 response with files over 10mb. I'm not sure if it'll help you but I fixed my issue by editing the proxy.conf file for my letsencrypt container. It can be found in your appdata directory at ~/appdata/letsencrypt/nginx/proxy.conf.

You can also enter the container by typing docker exec -it letsencrypt bash and then edit /config/nginx/proxy.conf.

The first line in this file reads client_max_body_size 10m;. Change the 10m to the size you desire. Then restart the letsencrypt container via docker restart letsencrypt and that should fix the issue.

 

Update

 

Based on the changelog for the proxy.conf it's better to remove the client_max_body_size so it takes the information from the subdomain.conf.

Edited by gacpac
Link to comment
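Why the limit set in the subdomain conf did not take effect, as an added example (not one of SWAG's shipped sample files): nginx resolves client_max_body_size per context, and SWAG's subdomain confs pull in proxy.conf inside the location block, so a client_max_body_size 10m; living in proxy.conf is the more specific value and wins over anything set at server level. The file name, the nextcloud upstream name, its port and protocol are assumptions; the include paths are SWAG's.

```nginx
# /config/nginx/proxy-confs/nextcloud.subdomain.conf  (added example)
server {
    listen 443 ssl http2;
    server_name nextcloud.*;

    include /config/nginx/ssl.conf;

    # Server-level limit, as set in the thread. It only applies to locations
    # that do not carry their own client_max_body_size.
    # 0 disables the check entirely; a bounded value such as 4G is safer
    # because the body-size check runs before Nextcloud authenticates anything.
    client_max_body_size 4G;

    location / {
        include /config/nginx/proxy.conf;
        # BROKEN: while proxy.conf still contains "client_max_body_size 10m;",
        # that location-level value overrides the 4G above and large PUTs get
        # "413 Request Entity Too Large".
        # Adding a second client_max_body_size in this block does not help:
        # nginx rejects a duplicate of the directive in the same context.
        # FIX: delete the line from proxy.conf, then check with
        #   nginx -t          (run inside the container before restarting)

        resolver 127.0.0.11 valid=30s;
        set $upstream_app nextcloud;      # assumed container name
        set $upstream_port 443;           # assumed: linuxserver nextcloud speaks https
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        # Stream large uploads to the upstream instead of spooling the whole
        # body to nginx's temp directory first.
        proxy_request_buffering off;
    }
}
```

The limit has to be raised on every hop: the Nextcloud container's own web server and PHP (post_max_size, upload_max_filesize) must accept at least the same size, otherwise the 413 just moves one hop inwards.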
4 hours ago, uek2wooF said:

Seems like you can only have one TLD and then multiple subdomains.  Is there a way to get all my domains in this?  Like:

www.example.tld

plex.example.tld

www.example2.tld

 

Did you read the readme on GitHub? It's explained there.

Link to comment
1 minute ago, allanp81 said:

This seems to have stopped working for me this morning for no obvious reason. I've scanned all of the error logs and there's no errors logged that are any different to those that sporadically appear from time to time anyway. I'm perplexed.

Nothing we can do to help either with that info.

Link to comment
On 6/23/2020 at 8:49 AM, Jerky_san said:

o-o welp that helped.. was trying to renew my domain that is behind cloudflare so it was failing.. Danke Danke

I ended up converting from HTTP to DNS validation through Cloudflare to my own domain instead of DuckDNS and that fixed my issue. I've been meaning to move to my own domain from DuckDNS, this just finally gave me the motivation.

Edited by SeveredDime
Link to comment

I managed to config various subdomains to the relevant dockers but I'm struggling with the simplest of stuff.

 

So I have some "pac" proxy scripts that I save at /mnt/cache/proxy, mapped to /config/www/proxy of the letsencrypt docker (since it has nginx and my understanding is nginx works as an HTTP server).

I want to point proxy.domain.com to /config/www/proxy.

The end result is to be able type https://proxy.domain.com/script01.pac in the browser and the script would be downloaded / loaded.

 

It seems rather simple but I just can't get it to work. Please can someone help with the conf file. Many thanks.

 

 

 

 

Link to comment
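A static site conf for the PAC files described above, as an added example rather than anything from the thread or from SWAG's samples. It assumes the host path /mnt/cache/proxy is mapped to /config/www/proxy as stated, the subdomain is proxy.domain.com, and the file is dropped into SWAG's proxy-confs directory; the ssl.conf include is SWAG's.

```nginx
# /config/nginx/proxy-confs/proxy.subdomain.conf  (added example)
server {
    listen 443 ssl http2;
    server_name proxy.*;

    include /config/nginx/ssl.conf;

    # /mnt/cache/proxy on the host, mapped into the container
    root /config/www/proxy;

    # Browsers and OS proxy settings expect this MIME type for .pac files;
    # mime.types has no entry for it, so nginx would otherwise send
    # application/octet-stream. A types block here replaces the inherited map
    # for this server only, which is fine because only .pac is ever served.
    types {
        application/x-ns-proxy-autoconfig pac;
    }
    default_type application/octet-stream;

    # Regex locations are tried before the prefix "/" fallback, so only .pac
    # files are served; anything else in the directory is a 404 and the
    # directory can never be listed (autoindex is off by default).
    location ~ \.pac$ {
        try_files $uri =404;
        add_header Cache-Control "no-cache";   # pick up script edits promptly
    }

    location / {
        return 404;
    }
}
```

A PAC file tells every client that loads it where to send its traffic, so whoever can write to /mnt/cache/proxy or impersonate proxy.domain.com controls those clients' browsing. Keep the share writable only by the admin and publish the scripts over HTTPS only, as above.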

Hi,

 

I currently use this docker for nextcloud and bitwarden dockers, that works great.
Now I'm trying to set up a WordPress inside the www folder in the letsencrypt docker and I want to redirect www.mysite.io to mysite.io.

But if I use www in the subdomain field the certificate will be for www.mysite.io, and then visitors get redirected to mysite.io and a cert warning will show.

 

If I don't enter www in the subdomain field I get this error

 

No subdomains defined
E-mail address entered: [email protected]
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/www.mysite.io/fullchain.pem!
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for mysite.io
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/mysite.io/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/mysite.io/privkey.pem
Your cert will expire on 2020-09-29. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

# redirect www to https://[domain.com]
server {
    listen 80;
    listen 443 ssl http2;
    server_name www.mysite.io;
    return 301 https://mysite.io$request_uri;
}

# redirect http to https://[domain.com]
server {
    listen 80;
    server_name mysite.io;
    return 301 https://mysite.io$request_uri;
}

# server config
server {
    listen 443 ssl http2;
    server_name mysite.io;

Anyone know what I have done wrong?

Edited by lusitopp
Link to comment
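The www-to-apex redirect done so that no certificate warning appears, as an added example (not lusitopp's config and not SWAG's default site file). It assumes the container was started with URL=mysite.io, SUBDOMAINS=www and ONLY_SUBDOMAINS=false, so the single certificate in /config/keys/letsencrypt carries both names; the two points it shows are that a redirect on port 443 still needs a certificate, and that in SWAG that means every server block listening on 443 includes /config/nginx/ssl.conf itself. The WordPress root and the PHP-FPM socket address are assumptions.

```nginx
# /config/nginx/site-confs/default  (added example; mysite.io is the thread's placeholder)

# 1. Plain HTTP for either name: one redirect to the canonical https origin.
server {
    listen 80;
    server_name mysite.io www.mysite.io;
    return 301 https://mysite.io$request_uri;
}

# 2. https://www.mysite.io: the TLS handshake happens before the redirect is
#    sent, so this block needs the certificate too. Without the ssl.conf
#    include nginx has no ssl_certificate for this server and refuses the
#    configuration (nginx -t reports "no ssl_certificate is defined").
#    The cert's SAN list covers www.mysite.io only if SUBDOMAINS=www was set.
server {
    listen 443 ssl http2;
    server_name www.mysite.io;
    include /config/nginx/ssl.conf;
    return 301 https://mysite.io$request_uri;
}

# 3. The site itself, on the apex name. The cert covers mysite.io only when
#    ONLY_SUBDOMAINS=false (the thread's actual fault), so both names now
#    validate against the same certificate and the redirect is warning-free.
server {
    listen 443 ssl http2;
    server_name mysite.io;
    include /config/nginx/ssl.conf;

    root /config/www/wordpress;      # assumed install path
    index index.php;

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;  # assumed: php-fpm inside the same container
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }
}
```

Check the issued names with openssl x509 -in /config/keys/letsencrypt/fullchain.pem -noout -text and look for both mysite.io and www.mysite.io under Subject Alternative Name before blaming the redirect.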
52 minutes ago, lusitopp said:

I currently use this docker for nextcloud and bitwarden dockers, that works great. Now I'm trying to set up a WordPress inside the www folder in the letsencrypt docker and I want to redirect www.mysite.io to mysite.io. [...] Anyone know what I have done wrong?

post your docker run

Link to comment

Hi everyone,

 

I currently have a working LetsEncrypt (port forwarded 443 -> 444) + DuckDNS for all of my docker containers hosted on my unRAID. I added a new machine to my network that is running Windows 10 and hosting a Jellyfin instance.

 

If I want to use a different domain (not DuckDNS) for Jellyfin, how should I set things up that way I can keep my existing DuckDNS + my new domain all as HTTPS?

 

Edit: I was able to get it working by pointing my CloudFlare DNS to my public ip, and creating the appropriate proxy-conf with the server_name set to my non-DuckDNS domain. If I understand correctly, this means that my SSL isn't actually being created / handled by the LetsEncrypt docker and is being managed at CloudFlare. Does anyone see any issues with taking this approach?

Edited by Ezro
Link to comment
1 hour ago, Ezro said:

If I want to use a different domain (not DuckDNS) for Jellyfin, how should I set things up that way I can keep my existing DuckDNS + my new domain all as HTTPS?

Use the extra domain variable and replace jellyfin with the IP of the windows 10 computer in the proxy-conf. Don't remember the variable name now, but it's the one above the port. Might be host.

Link to comment
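Two proxy confs showing the reverse-proxy approach recommended for the Gotify question at the top of the thread and the Jellyfin-on-a-Windows-box question just above, as an added example (not the thread's configs and not SWAG's sample files). The first proxies to a container on the same docker network by name; the second proxies to a LAN host by address under a second domain, which is what SWAG's EXTRA_DOMAINS variable (the one the reply above could not recall) adds to the certificate. The container name gotify, its port 80, the address 192.168.1.50, Jellyfin's port 8096 and the domain names are assumptions; the include paths and the $upstream_* pattern are SWAG's.

```nginx
# /config/nginx/proxy-confs/gotify.subdomain.conf  (added example)
# Gotify keeps ssl.enabled=false in its own config: TLS ends here, the
# private key stays in this container and renewals happen in one place.
server {
    listen 443 ssl http2;
    server_name gotify.*;

    include /config/nginx/ssl.conf;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;        # Docker's embedded DNS
        set $upstream_app gotify;             # assumed container name
        set $upstream_port 80;                # assumed: gotify/server's default
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    # Gotify clients hold a websocket open on /stream. This location carries
    # its own headers instead of including proxy.conf, so it works regardless
    # of which upgrade headers that file sets in a given SWAG release.
    location /stream {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app gotify;
        proxy_pass http://$upstream_app:80;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_read_timeout 3600s;             # keep idle push streams open
    }
}

# /config/nginx/proxy-confs/jellyfin.subdomain.conf  (added example)
# Upstream is a Windows host on the LAN, so no docker resolver is needed and
# the name is a full hostname under the extra domain rather than "jellyfin.*".
server {
    listen 443 ssl http2;
    server_name jellyfin.otherdomain.example; # assumed second domain

    include /config/nginx/ssl.conf;

    location / {
        include /config/nginx/proxy.conf;
        set $upstream_app 192.168.1.50;       # assumed LAN address of the Windows box
        set $upstream_port 8096;              # assumed Jellyfin HTTP port
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

The hop from SWAG to 192.168.1.50:8096 is plain HTTP across the LAN, so this is only appropriate on a network segment you trust, and the Windows firewall has to allow 8096 from the Unraid host. Neither upstream needs port 443 exposed; only SWAG's 80/443 are forwarded from the router.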
23 hours ago, aptalca said:

post your docker run

  

As soon as I copy/pasted my docker run I did see what I did wrong: 'only subdomains' was set to true. After changing it to false I now get a certificate for https://mysite.io.

But another question that someone might be able to help me with.
With WordPress there are often updates to plugins, themes and WordPress itself. Trying to update from the admin page will prompt me for an FTP username and password; I don't have an FTP server.
I understand that this is because the user that runs the page doesn't have access to the folders in WordPress. Anyone know how to set that up?

Quote

In order to install directly the themes or plugins without the need to provide FTP user and password to Wordpress, edit the wp-config.php file and add this line:

define('FS_METHOD', 'direct');

If you still can't install directly and Wordpress is still asking for FTP credential, check that the wp-content folder is writable for the www-data user, or the user that manage your Apache or Nginx server.

 

Link to comment
7 hours ago, lusitopp said:

With WordPress there are often updates to plugins, themes and WordPress itself. Trying to update from the admin page will prompt me for an FTP username and password; I don't have an FTP server. [...] Anyone know how to set that up?

 

The user is abc and its pid is set to 99 (unless you changed it). It should have access to those folders on host

Link to comment
3 hours ago, aptalca said:

The user is abc and its pid is set to 99 (unless you changed it). It should have access to those folders on host

I'm new to Linux systems, but I'm eager to learn. This is the output I get:

 

root@0d9237f2d370:/config/www/wordpress/wp-content# ls -la
total 8
drwxr-xr-x 1 root root   67 Jul  2 07:59 .
drwxr-xr-x 1 root root 4096 Jul  2 07:50 ..
-rw-r--r-- 1 root root   28 Jul  1 17:36 index.php
drwxr-xr-x 1 root root   80 Jul  2 18:00 plugins
drwxr-xr-x 1 root root  108 Jul  2 18:00 themes
drwxr-xr-x 1 abc  abc    54 Jul  1 18:03 uploads

 

Edited by lusitopp
Link to comment

Could use some help here. Started using cloudflare dns validation 3 months ago, and now my cert is due for renewal but it fails. Looking at the log it seems like the process never fully completes. It just stops, or at least the logging stopped. For about 10-15 days now all that's in the log is this: 

 

cronjob running on Mon Jun 29 02:08:00 CEST 2020
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Non-interactive renewal: random delay of 87.04891948754788 seconds
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for emby.mydomain.com
dns-01 challenge for mydomain.com
dns-01 challenge for ombi.mydomain.com
Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
Cleaning up challenges
<------------------------------------------------->

 

Then finally 2 days ago it got a little further and actually produces an error:

 

cronjob running on Tue Jun 30 02:08:00 CEST 2020
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/mydomain.com.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert is due for renewal, auto-renewing...
Non-interactive renewal: random delay of 326.6042396698244 seconds
Plugins selected: Authenticator dns-cloudflare, Installer None
Renewing an existing certificate
Performing the following challenges:
dns-01 challenge for emby.mydomain.com
dns-01 challenge for mydomain.com
dns-01 challenge for ombi.mydomain.com
Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
Cleaning up challenges
Attempting to renew cert (mydomain.com) from /etc/letsencrypt/renewal/mydomain.com.conf produced an unexpected error: Unable to determine zone_id for ombi.mydomain.com using zone names: ['ombi.mydomain.com', 'mydomain.com', 'tv']. Please confirm that the domain name has been entered correctly and is already associated with the supplied Cloudflare account. The error from Cloudflare was: 0 connection failed.. Skipping.
All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All renewal attempts failed. The following certs could not be renewed:
  /etc/letsencrypt/live/mydomain.com/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Running post-hook command: if ps aux | grep [n]ginx: > /dev/null; then s6-svc -h /var/run/s6/services/nginx; fi;     cd /config/keys/letsencrypt &&     openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: &&     sleep 1 &&     cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem
1 renew failure(s), 0 parse failure(s)
<------------------------------------------------->

 

How do I solve this? I've checked my cloudflare account and I have created a CNAME for both my subdomains to my duckdns domain. But I see I have 2 TXT records for my emby subdomain and none for my ombi subdomain. Maybe that's the issue? Because the log only mention that it fails for my ombi subdomain?

 


 

Edit: Solved.. It was my firewall blocking cloudflare

Edited by strike
Link to comment

Hi again @saarg, I'd like to ask you to edit/snip your quote you made of my message earlier in the thread.

 

It contained some info about what email, domain, and IPtracker I use for letsencrypt and all, including docker configs and all.

 

Few days ago I started having heavy traffic on owncloud login page, with a lot of random login attempts. I wouldn't have linked it to this post if, checking the email account used in letsencrypt, it wasn't also being targeted, finding a few fake alerts and fake OVH login page phishing attempts in it. This mail wasn't used to register anything else than letsencrypt, so in two years up to now it collected 0 spam and no mail.

 

If editing the post won't stop the actual attack (which I'm not fearing about it actually succeeding, just annoying), I would like that no one else but that random script kiddie be tempted to give a try at it, so it would be better to just not leave these hints available.

I edited my post already, I would appreciate it if you would please snip the full quote you made of it.
My post

Yours with the quote

 

Thanks!

 

Edited by Keexrean
Link to comment
