[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



1 hour ago, hotdog218 said:

I configured it based on the support post, and based on my other conf files that were premade by linuxserver that work.

 

Do you have any examples on how I would allow resource loading from subfolders?

Unfortunately I don't. Not very familiar with htaccess... only ever used it once for a basic website. Way, way long ago.

 

You may be able to figure something out from anyone else who had the same problem. I googled ".htaccess load resources" and came up with the resource problem.

 

You may find some stuff here that's useful, all about the htaccess file... especially the SSI includes section... that might be relevant.

https://www.whoishostingthis.com/resources/htaccess/

 

And not sure if this is useful at all, https://www.htaccessredirect.net/

Link to comment
8 hours ago, Energen said:

Unfortunately I don't. Not very familiar with htaccess... only ever used it once for a basic website. Way, way long ago.

 

You may be able to figure something out from anyone else who had the same problem. I googled ".htaccess load resources" and came up with the resource problem.

 

You may find some stuff here that's useful, all about the htaccess file... especially the SSI includes section... that might be relevant.

https://www.whoishostingthis.com/resources/htaccess/

 

And not sure if this is useful at all, https://www.htaccessredirect.net/

.htaccess is an Apache thing. What you need to look into is .htpasswd.

Link to comment
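Since SWAG is nginx, the .htpasswd file is read by nginx's auth_basic_user_file, not by an .htaccess file. The following is an added example (not code from linuxserver.io or from anyone in this thread) that creates entries in the Apache MD5 ("apr1") format nginx accepts and verifies a password against an existing entry, so you can confirm a line in the file is actually correct before wiring it into a proxy conf. It assumes the openssl CLI is installed; the path /config/nginx/.htpasswd is the one SWAG's proxy-conf templates reference, but the demo only writes to a temporary file.

```sh
#!/bin/sh
# Added example, not code from the linuxserver.io project or from this thread.
# Helpers for nginx basic auth in SWAG: create and verify .htpasswd entries
# using the apr1 scheme that nginx's auth_basic_user_file understands.
# Requires the openssl command-line tool.

# htpasswd_add USER PASSWORD FILE -- append "USER:$apr1$salt$hash" to FILE.
htpasswd_add() {
    hash=$(openssl passwd -apr1 "$2") || return 1
    printf '%s:%s\n' "$1" "$hash" >> "$3"
}

# htpasswd_check USER PASSWORD FILE -- 0 if PASSWORD matches USER's stored hash.
# The salt is the third '$'-separated field of the stored value; re-hashing
# with that salt must reproduce the stored string exactly.
htpasswd_check() {
    stored=$(grep "^$1:" "$3" 2>/dev/null | head -n 1 | cut -d: -f2-)
    [ -n "$stored" ] || return 1
    case $stored in
        '$apr1$'*) ;;
        *) return 1 ;;   # only the apr1 scheme is handled here
    esac
    salt=$(printf '%s' "$stored" | cut -d'$' -f3)
    [ "$(openssl passwd -apr1 -salt "$salt" "$2")" = "$stored" ]
}

# Demo with a throwaway file (constructed; nothing here touches /config/nginx).
demo=$(mktemp)
htpasswd_add alice 'correct horse battery' "$demo"
htpasswd_check alice 'correct horse battery' "$demo" && echo "alice: password accepted"
htpasswd_check alice 'wrong' "$demo" || echo "alice with wrong password: rejected"
rm -f "$demo"
```

Once the file exists, a proxy conf enables it with `auth_basic "Restricted"; auth_basic_user_file /config/nginx/.htpasswd;` inside the location block. If a sub-path of the site needs to load resources without prompting (the subfolder question above), a more specific location for that path can carry `auth_basic off;`, with the caveat that anything served there is then reachable without credentials.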
9 hours ago, aptalca said:

There is an EXTRA_DOMAINS variable. No need for another instance.

[edit] I assume it's as simple as adding a new variable with the key EXTRA_PARAMETERS?

 

How does it work with subdomains? Does it share the same subdomains parameter above? How does the docker container tell which subdomains belong to the first URL, and which ones belong to the extra parameter URL?

 

Also are there any extra steps needed with cloudflare DNS?

Edited by Stubbs
Link to comment
9 hours ago, Stubbs said:

[edit] I assume it's as simple as adding a new variable with the key EXTRA_PARAMETERS?

 

How does it work with subdomains? Does it share the same subdomains parameter above? How does the docker container tell which subdomains belong to the first URL, and which ones belong to the extra parameter URL?

 

Also are there any extra steps needed with cloudflare DNS?

The readme explains it in detail. It has nothing to do with subdomains. You need to define full URLs (FQDNs) in that variable.

Link to comment

Hiya! I'm having an issue with a subdomain.conf file for my docker 'speedtest'. Since there was no template I copied one of the more basic ones and modified it to try and get it to work. Unfortunately that endeavor has failed and here I am. 

 

speedtest.subdomain.conf - https://codeshare.io/aJXrME

The speedtest docker is the new OpenSpeedTest docker. Set up with the standard config: on the custom Docker network for letsencrypt. The WebUI is available at :3001. That's why I put 3001 in the subdomain.conf, as I had seen other dockers set similarly in their subdomain.conf files.

Thanks for any and all help!

 

EDIT: I was able to resolve my issue with the following speedtest.subdomain.conf file:

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name speedtest.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        # Docker's embedded DNS, so the container name below resolves on the custom network
        resolver 127.0.0.11 valid=30s;
        set $upstream_app speedtest;
        # the port the app listens on inside its container, not the host-mapped 3001
        set $upstream_port 8080;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

 

 

Edited by DeathByDentures
Issue Resolved
Link to comment

I am using the letsencrypt container to run an ssl reverse proxy that is only accessible from within the VPN.  For example, everything is setup as {service-name}.mydomain.net which resolves to a local IP.  Everything (HAAS, unifi controller, most of Unraid Web GUI) seems to be working except for the main syslog in the Unraid Web GUI (it just won't load).  The docker container logs load fine.  My sites file is below.  Does anyone have experience with getting this last bit to work through a reverse proxy?

 

Any help is appreciated.

 

server {
       listen 443 ssl;
       listen [::]:443 ssl;

       server_name tower.mydomain.net;

       # all ssl related config moved to ssl.conf
       #include /config/nginx/ssl.conf;

       location / {
              #proxy_set_header X-Real-IP $remote_addr;
              #proxy_set_header Host $host;
              #proxy_pass https://localip:port/;
              #proxy_set_header Upgrade $http_upgrade;
              #proxy_set_header Connection $connection_upgrade;

              proxy_set_header Host $host;
              proxy_pass https://localIP:port;
              proxy_set_header X-Forwarded-Host $server_name;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Ssl on;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $connection_upgrade;
       }
}

 

Link to comment
6 hours ago, Michael Hacker said:

I am using the letsencrypt container to run an ssl reverse proxy that is only accessible from within the VPN.  For example, everything is setup as {service-name}.mydomain.net which resolves to a local IP.  Everything (HAAS, unifi controller, most of Unraid Web GUI) seems to be working except for the main syslog in the Unraid Web GUI (it just won't load).  The docker container logs load fine.  My sites file is below.  Does anyone have experience with getting this last bit to work through a reverse proxy?

 

Any help is appreciated.

 

 

Issue resolved at this post. Add to the nginx config for the Unraid proxy server:

proxy_buffering off; 

 

 

 

Link to comment

I have set up the letsencrypt docker (soon to have another name, I was reading) with fail2ban.

I got Bitwarden running. I added some filters etc.

But when I open a terminal session on the letsencrypt docker and type

iptables -L

I get this error:

iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

And there isn't a sudo.

In the fail2ban log:

2020-08-12 21:14:50,008 fail2ban.utils          [388]: ERROR   147d3985c450 -- exec: iptables -w -N f2b-bitwarden
iptables -w -A f2b-bitwarden -j RETURN
iptables -w -I INPUT -p tcp -j f2b-bitwarden
2020-08-12 21:14:50,008 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: "iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-08-12 21:14:50,008 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-08-12 21:14:50,008 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: "iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-08-12 21:14:50,009 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-08-12 21:14:50,009 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: "iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-08-12 21:14:50,009 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-08-12 21:14:50,009 fail2ban.utils          [388]: ERROR   147d3985c450 -- returned 3
2020-08-12 21:14:50,009 fail2ban.actions        [388]: ERROR   Failed to execute ban jail 'bitwarden' action 'iptables-allports' info 'ActionInfo({'ip': 'ip.ip.ip.ip', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x147d392323a0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x147d39232a60>})': Error starting action Jail('bitwarden')/iptables-allports: 'Script error'

Edited by KoNeko
added fail2ban log
Link to comment
7 hours ago, KoNeko said:

I have set up the letsencrypt docker (soon to have another name, I was reading) with fail2ban.

I got Bitwarden running. I added some filters etc.

But when I open a terminal session on the letsencrypt docker and type

iptables -L

I get this error:

iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

And there isn't a sudo.

In the fail2ban log:

2020-08-12 21:14:50,008 fail2ban.utils          [388]: ERROR   147d3985c450 -- exec: iptables -w -N f2b-bitwarden
iptables -w -A f2b-bitwarden -j RETURN
iptables -w -I INPUT -p tcp -j f2b-bitwarden
2020-08-12 21:14:50,008 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: "iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-08-12 21:14:50,008 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-08-12 21:14:50,008 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: "iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-08-12 21:14:50,009 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-08-12 21:14:50,009 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: "iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-08-12 21:14:50,009 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-08-12 21:14:50,009 fail2ban.utils          [388]: ERROR   147d3985c450 -- returned 3
2020-08-12 21:14:50,009 fail2ban.actions        [388]: ERROR   Failed to execute ban jail 'bitwarden' action 'iptables-allports' info 'ActionInfo({'ip': 'ip.ip.ip.ip', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x147d392323a0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x147d39232a60>})': Error starting action Jail('bitwarden')/iptables-allports: 'Script error'

Post your docker run

Link to comment
15 hours ago, aptalca said:

Post your docker run

/usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='letsencrypt' --net='br0' --ip='192.168.1.15' -e TZ="Europe/Berlin" -e HOST_OS="Unraid" -e 'TCP_PORT_80'='' -e 'TCP_PORT_443'='443' -e 'EMAIL'='@gmail.com' -e 'URL'='.nl' -e 'SUBDOMAINS'='www,bitwarden' -e 'ONLY_SUBDOMAINS'='false' -e 'DHLEVEL'='4096' -e 'VALIDATION'='dns' -e 'DNSPLUGIN'='transip' -e 'cap-add'='NET_ADMIN' -e 'PUID'='99' -e 'PGID'='100' -v '/mnt/user/appdata/letsencrypt':'/config':'rw' -v '/mnt/user/appdata/bitwarden/log/':'/log':'rw' 'linuxserver/letsencrypt'

697237b82c1fa9c198a7507d22255f87c991adebc68c08ab615127cfa14e83a2

The command finished successfully!

 

Also when I run

iptables -S

iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

or iptables -L

The passwd file says

abc:x:99:100::/config:/bin/false
nginx:x:100:100:nginx:/var/lib/nginx:/sbin/nologin

for those two IDs.

Edited by KoNeko
added
Link to comment
2 hours ago, KoNeko said:

/usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='letsencrypt' --net='br0' --ip='192.168.1.15' -e TZ="Europe/Berlin" -e HOST_OS="Unraid" -e 'TCP_PORT_80'='' -e 'TCP_PORT_443'='443' -e 'EMAIL'='@gmail.com' -e 'URL'='.nl' -e 'SUBDOMAINS'='www,bitwarden' -e 'ONLY_SUBDOMAINS'='false' -e 'DHLEVEL'='4096' -e 'VALIDATION'='dns' -e 'DNSPLUGIN'='transip' -e 'cap-add'='NET_ADMIN' -e 'PUID'='99' -e 'PGID'='100' -v '/mnt/user/appdata/letsencrypt':'/config':'rw' -v '/mnt/user/appdata/bitwarden/log/':'/log':'rw' 'linuxserver/letsencrypt'

697237b82c1fa9c198a7507d22255f87c991adebc68c08ab615127cfa14e83a2

The command finished successfully!

 

Also when I run

iptables -S

iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

or iptables -L

The passwd file says

abc:x:99:100::/config:/bin/false
nginx:x:100:100:nginx:/var/lib/nginx:/sbin/nologin

for those two IDs.

I turned on Privileged and it works for the website and Bitwarden.

Bitwarden only on the login part, it still shows the site.

 

 

 

Edited by KoNeko
corrected the text
Link to comment
6 hours ago, KoNeko said:

I turned on Privileged and it works for the website and Bitwarden.

Bitwarden only on the login part, it still shows the site.

 

 

 

That's because cap-add is not an environment variable, so you did not set that correctly. You need to pass it in Extra Parameters.

Link to comment
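The docker run line posted above contains `-e 'cap-add'='NET_ADMIN'`, which Docker stores as an ordinary environment variable named cap-add; the container never receives CAP_NET_ADMIN, and iptables reports the resulting EPERM as "Permission denied (you must be root)" even when the caller is root. Turning on Privileged made it work because that grants every capability, which is far more than fail2ban needs; `--cap-add=NET_ADMIN` in Extra Parameters is the least-privilege fix. The following is an added example (not code from linuxserver.io or from anyone in this thread) with two checks a practitioner would run: does a docker run line really carry the flag, and, from inside the container, does the CapEff mask in /proc/1/status include capability 12 (CAP_NET_ADMIN). The shortened docker run line and the hex masks in the demo are constructed inputs; the container name passed to show_granted_caps is assumed to be the one from the post.

```sh
#!/bin/sh
# Added example, not code from the linuxserver.io project or from this thread.
# (1) Inspect a docker run line for a real --cap-add=NET_ADMIN versus an
#     environment variable that merely happens to be named cap-add.
# (2) Decode the CapEff mask from /proc/<pid>/status to see whether
#     CAP_NET_ADMIN (capability number 12 in linux/capability.h) is present.

# 0 if the command line carries --cap-add=NET_ADMIN or --cap-add NET_ADMIN.
has_real_net_admin() {
    printf '%s\n' "$1" | grep -Eq -- "--cap-add[= ]['\"]?NET_ADMIN"
}

# 0 if NET_ADMIN is (mis)passed as -e 'cap-add'='NET_ADMIN'.
has_env_cap_add() {
    printf '%s\n' "$1" | grep -Eq -- "-e ['\"]?cap-add['\"]?=['\"]?NET_ADMIN"
}

# Rewrite the mistaken -e form into the flag Unraid's Extra Parameters field
# needs. Prints the corrected command line.
fix_cap_add() {
    printf '%s\n' "$1" | sed -E "s/-e ['\"]?cap-add['\"]?=['\"]?NET_ADMIN['\"]?/--cap-add=NET_ADMIN/"
}

# $1 is the hex CapEff value, e.g. from:  grep CapEff /proc/1/status  (inside
# the container). 0 if bit 12 (CAP_NET_ADMIN) is set.
has_cap_net_admin_hex() {
    [ $(( (0x$1 >> 12) & 1 )) -eq 1 ]
}

# Host-side check once the container is running (assumed container name).
show_granted_caps() {
    docker inspect -f '{{.HostConfig.CapAdd}} privileged={{.HostConfig.Privileged}}' "$1"
}

# Demo on a shortened version of the posted docker run line (constructed input).
POSTED="docker run -d --name='letsencrypt' --net='br0' -e 'cap-add'='NET_ADMIN' -e 'PUID'='99' -e 'PGID'='100' 'linuxserver/letsencrypt'"
if has_env_cap_add "$POSTED" && ! has_real_net_admin "$POSTED"; then
    echo "NET_ADMIN is only an environment variable here; corrected line:"
    fix_cap_add "$POSTED"
fi

# 00000000a80425fb is Docker's default capability set (no NET_ADMIN);
# 00000000a80435fb is that set plus CAP_NET_ADMIN; 0000003fffffffff is what
# --privileged gives on a kernel with 38 capabilities (constructed values).
for mask in 00000000a80425fb 00000000a80435fb 0000003fffffffff; do
    if has_cap_net_admin_hex "$mask"; then
        echo "CapEff $mask: CAP_NET_ADMIN present"
    else
        echo "CapEff $mask: CAP_NET_ADMIN missing, iptables will fail with EPERM"
    fi
done
```

After restarting with the corrected parameters, `show_granted_caps letsencrypt` should list NET_ADMIN with privileged=false, and `iptables -S` inside the container should print the f2b-* chains instead of the permission error.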

I'm having an issue with my subdomains that I've configured. All are accessible outside my network with no issues at all, but I can't seem to connect internally.

 

I know there must be some setting that I've done incorrectly, but I can't figure it out. Anyone know what might be causing it?

 

Let me know what logs to provide if needed.

Link to comment
18 minutes ago, xxbigfootxx said:

I'm having an issue with my subdomains that I've configured. All are accessible outside my network with no issues at all, but I can't seem to connect internally.

 

I know there must be some setting that I've done incorrectly, but I can't figure it out. Anyone know what might be causing it?

 

Let me know what logs to provide if needed.

It's not your configuration, it's your router. Google your router model along with the search terms NAT loopback, hairpinning, reflection.

Link to comment
11 hours ago, xxbigfootxx said:

If it's not supported, does that mean that I'll have to stick with the local addresses instead of using the subdomain?

Then you can do split DNS, where your local DNS server will tell clients to connect to the local IP when they request the domain.

Link to comment
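A quick way to tell the two situations apart from a LAN client: if the proxied name resolves to the router's public address, the connection has to hairpin through the router (which is what fails without NAT loopback); if it resolves to the SWAG container's LAN address, split DNS is in effect. The following is an added example (not code from linuxserver.io or from anyone in this thread) that classifies a resolver answer and compares what the current host resolves against the expected LAN address. The hostnames and addresses in the demo are constructed; only split_dns_check performs a real lookup, via getent so the answer is the one applications actually see.

```sh
#!/bin/sh
# Added example, not code from the linuxserver.io project or from this thread.
# Diagnose "works from outside, not from inside": does this client resolve the
# proxied name to the LAN address of the SWAG container (split DNS) or to the
# public address (hairpin through the router)?

# is_private_ip ADDR -- 0 if ADDR is in an RFC 1918 range
# (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16).
is_private_ip() {
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    case "$1" in
        10)  return 0 ;;
        192) [ "$2" -eq 168 ] ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] ;;
        *)   return 1 ;;
    esac
}

# diagnose_answer NAME ANSWER LAN_IP -- pure function (no network) so the
# decision logic can be tested offline. Exit codes: 0 split DNS in effect,
# 1 public answer, 2 no answer, 3 private but unexpected address.
diagnose_answer() {
    if [ -z "$2" ]; then
        echo "$1: no A record from this host's resolver"; return 2
    elif [ "$2" = "$3" ]; then
        echo "$1 -> $2 (LAN address, split DNS in effect)"; return 0
    elif is_private_ip "$2"; then
        echo "$1 -> $2 (private, but not the expected $3)"; return 3
    else
        echo "$1 -> $2 (public address: LAN clients will hairpin through the router)"; return 1
    fi
}

# resolve_a NAME -- first IPv4 address the libc resolver returns for NAME.
resolve_a() {
    getent ahostsv4 "$1" | awk 'NR==1 {print $1}'
}

# split_dns_check NAME LAN_IP -- resolve NAME on this host and diagnose it.
split_dns_check() {
    diagnose_answer "$1" "$(resolve_a "$1")" "$2"
}

# Demo with constructed answers (203.0.113.10 is a documentation-range address
# standing in for the router's public IP; 192.168.1.15 is the SWAG address from
# the docker run line earlier in the thread).
diagnose_answer bitwarden.example.com 203.0.113.10 192.168.1.15
diagnose_answer bitwarden.example.com 192.168.1.15 192.168.1.15
```

On a LAN client, `split_dns_check bitwarden.example.com 192.168.1.15` returning exit code 1 confirms the router is the problem rather than the SWAG configuration; after adding the override to the local DNS server it should return 0.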

Are there any special settings I need to set to get nested subdomains working? I've got no issues with certificates for my root and first-level subdomains, but the second-level nested aren't getting added to the cert.

 

I'm using Cloudflare and DNS verification.

 

Example A records:

A example.com <ip>   <-- OK
A *.example.com <ip>  <-- OK
A *.subdomain.example.com <ip>  <-- Cert invalid when navigating to site

 

Link to comment
8 hours ago, StudiesTheBlade said:

Are there any special settings I need to set to get nested subdomains working? I've got no issues with certificates for my root and first-level subdomains, but the second-level nested aren't getting added to the cert.

 

I'm using Cloudflare and DNS verification.

 

Example A records:


A example.com <ip>   <-- OK
A *.example.com <ip>  <-- OK
A *.subdomain.example.com <ip>  <-- Cert invalid when navigating to site

 

Set EXTRA_DOMAINS to *.subdomain.example.com.

Link to comment
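The reason the nested names fail is the certificate matching rule, not the DNS records: a wildcard in a certificate name matches exactly one label, so *.example.com covers app.example.com but never x.subdomain.example.com, which is why a second name has to be added via EXTRA_DOMAINS (the same variable discussed earlier in the thread, which takes full names rather than subdomain labels). The following is an added example (not code from linuxserver.io or from anyone in this thread) implementing that matching rule so you can check a hostname against the names in a certificate, plus a helper that lists the names from the certificate SWAG issued. The certificate path is an assumption about SWAG's layout and the helper needs OpenSSL 1.1.1 or newer; the demo itself uses the names from the post and reads no certificate.

```sh
#!/bin/sh
# Added example, not code from the linuxserver.io project or from this thread.
# Wildcard certificate names match exactly one DNS label (RFC 6125). These
# helpers apply that rule and extract the names from a certificate's SAN list.

# name_matches HOST PATTERN -- 0 if HOST is covered by the certificate name PATTERN.
name_matches() {
    host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    pat=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    case $pat in
        \*.*)
            suffix=${pat#\*.}
            # exactly one non-empty label in front of the suffix, nothing more
            [ "${host#*.}" = "$suffix" ] && [ -n "${host%%.*}" ] && [ "$host" != "${host#*.}" ]
            ;;
        *)  [ "$host" = "$pat" ] ;;
    esac
}

# cert_covers HOST NAME... -- 0 if any of the certificate names covers HOST.
cert_covers() {
    h=$1; shift
    for n in "$@"; do
        name_matches "$h" "$n" && return 0
    done
    return 1
}

# cert_sans CERT_FILE -- print the DNS names from the certificate's SAN extension.
# Assumed path for SWAG: /config/keys/letsencrypt/fullchain.pem
cert_sans() {
    openssl x509 -in "$1" -noout -ext subjectAltName | tr ',' '\n' | sed -n 's/.*DNS://p'
}

# Demo with the names from the post (constructed; no certificate is read).
# Before EXTRA_DOMAINS the certificate carries example.com and *.example.com.
for h in app.example.com x.subdomain.example.com; do
    if cert_covers "$h" example.com '*.example.com'; then
        echo "$h: covered"
    else
        echo "$h: NOT covered; add *.subdomain.example.com to EXTRA_DOMAINS"
    fi
done
```

To check the issued certificate rather than a hard-coded list, feed the helper's output back in: `cert_covers x.subdomain.example.com $(cert_sans /config/keys/letsencrypt/fullchain.pem)` returns 0 only once the nested wildcard is actually present in the SAN list.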
