[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



On 11/8/2018 at 8:15 AM, Squiggley said:

So reading the release notes for Unraid 6.6.4 I see they have integrated nginx and letsencrypt into the OS. What does this mean for your docker? I am using it quite heavily as I have subdomained every app I want to access externally.

 

Is it safe to upgrade? Or will it break this oh so useful docker?

 

nginx and letsencrypt have been in unraid for some time now. Which version are you on?

If you are using port 80 and 443 for the letsencrypt container, you need to change either the container or the webgui of unraid.

If you are using any other ports than 80 and 443 for letsencrypt container, you are good to go.

Link to comment

Hello All, 

 

I have been using letsencrypt nginx for a few years now and all is working fine except for a new entry I added. I've added a docker for pihole which is using the following. Note: my unraid is on 192.168.0.100.

pihole is the first docker to run in custom br0 mode. All other dockers are using host or bridge mode on the same IP as unraid (.100)

 

Current domains

tv,sab,unifi,movies,guac,router,unraid,pihole

 


 

In nginx I've added a new entry for pihole.domain.com and duplicated an existing nginx config, but when I use this address I get a 502 bad gateway.

 

server {
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 4h;
	listen 443 ssl http2;
	ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
	ssl_session_tickets on;
	root /config/www;
	index index.html index.htm index.php;
	server_name pihole.mydomain.com;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!3DES:!ADH:!AECDH:!MD5;
	ssl_prefer_server_ciphers on;
	client_max_body_size 0;
	location / {
		auth_basic "Restricted";
		auth_basic_user_file /config/nginx/.htpasswd;
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.0.101;
	}
}

nginx log for pihole request

2018/11/11 19:17:34 [error] 377#377: *1 connect() failed (113: Host is unreachable) while connecting to upstream, client: 142.xxx.xxx.xxx, server: pihole.mydomain.com, request: "GET / HTTP/2.0", upstream: "http://192.168.0.101:80/admin", host: "pihole.mydomain.com"
2018/11/11 19:17:37 [error] 377#377: *1 connect() failed (113: Host is unreachable) while connecting to upstream, client: 142.xxx.xxx.xxx, server: pihole.mydomain.com, request: "GET /favicon.ico HTTP/2.0", upstream: "http://192.168.0.101:80/adminfavicon.ico", host: "pihole.mydomain.com", referrer: "https://pihole.mydomain.com/"

 

Link to comment
59 minutes ago, rcmpayne said:

Hello All, 

 

I have been using letsencrypt nginx for a few years now and all is working fine except for a new entry I added. I've added a docker for pihole which is using the following. Note: my unraid is on 192.168.0.100.

pihole is the first docker to run in custom br0 mode. All other dockers are using host or bridge mode on the same IP as unraid (.100)

 

Current domains


tv,sab,unifi,movies,guac,router,unraid,pihole

 


 

In nginx I've added a new entry for pihole.domain.com and duplicated an existing nginx config, but when I use this address I get a 502 bad gateway.

 


server {
	ssl_session_cache shared:SSL:10m;
	ssl_session_timeout 4h;
	listen 443 ssl http2;
	ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
	ssl_session_tickets on;
	root /config/www;
	index index.html index.htm index.php;
	server_name pihole.mydomain.com;
	add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!3DES:!ADH:!AECDH:!MD5;
	ssl_prefer_server_ciphers on;
	client_max_body_size 0;
	location / {
		auth_basic "Restricted";
		auth_basic_user_file /config/nginx/.htpasswd;
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.0.101;
	}
}

nginx log for pihole request


2018/11/11 19:17:34 [error] 377#377: *1 connect() failed (113: Host is unreachable) while connecting to upstream, client: 142.xxx.xxx.xxx, server: pihole.mydomain.com, request: "GET / HTTP/2.0", upstream: "http://192.168.0.101:80/admin", host: "pihole.mydomain.com"
2018/11/11 19:17:37 [error] 377#377: *1 connect() failed (113: Host is unreachable) while connecting to upstream, client: 142.xxx.xxx.xxx, server: pihole.mydomain.com, request: "GET /favicon.ico HTTP/2.0", upstream: "http://192.168.0.101:80/adminfavicon.ico", host: "pihole.mydomain.com", referrer: "https://pihole.mydomain.com/"

 

Macvlan prevents access to host so your pihole won't be able to connect to your unraid host or any containers running in bridge or host mode (or vice versa) 

Link to comment

Hi, maybe someone has a hint for me for a reverse setup; I get the following error in Chrome dev view

 

data.js:242 WebSocket connection to 'wss://web.mydomain/data/?Token=undefined' failed: Error during WebSocket handshake: Unexpected response code: 404
xTeVe @ data.js:242
toolbarContentscript.js:122 {message: "The message port closed before a response was received."}

 

I tried all kinds of setups from Google regarding websocket but I'm clueless ... maybe someone has a hint how to set up a reverse proxy here

 

thanks ahead for a hint

Link to comment
7 hours ago, alturismo said:

Hi, maybe someone has a hint for me for a reverse setup; I get the following error in Chrome dev view

 

data.js:242 WebSocket connection to 'wss://web.mydomain/data/?Token=undefined' failed: Error during WebSocket handshake: Unexpected response code: 404
xTeVe @ data.js:242
toolbarContentscript.js:122 {message: "The message port closed before a response was received."}

 

I tried all kinds of setups from Google regarding websocket but I'm clueless ... maybe someone has a hint how to set up a reverse proxy here

 

thanks ahead for a hint

What are you trying to proxy? 

Link to comment
7 hours ago, aptalca said:

That's what I already found on Google, but without any luck.

Here's my last config as a sample; maybe I interpret something wrong.

Error from Chrome console is

 

WebSocket connection to 'wss://web.mydomain.de/data/?Token=undefined' failed: Error during WebSocket handshake: Unexpected response code: 400

 


 

server {
    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    server_name web.*;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
#        auth_basic off;
#        allow all; # Allow all to see content 
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        proxy_pass http://192.168.1.2:34400/web/;
    }
    location /data {                ### location /wss {    <-- same result
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        proxy_pass http://192.168.1.2:34400/web/;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_ssl_verify off;
    }
}

 

thanks again for trying to help ;)

Edited by alturismo
Link to comment
3 hours ago, alturismo said:

That's what I already found on Google, but without any luck.

Here's my last config as a sample; maybe I interpret something wrong.

Error from Chrome console is

 

WebSocket connection to 'wss://web.mydomain.de/data/?Token=undefined' failed: Error during WebSocket handshake: Unexpected response code: 400

 


 

server {
    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    server_name web.*;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
#        auth_basic off;
#        allow all; # Allow all to see content 
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        proxy_pass http://192.168.1.2:34400/web/;
    }
    location /data {                ### location /wss {    <-- same result
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        proxy_pass http://192.168.1.2:34400/web/;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_ssl_verify off;
    }
}

 

thanks again for trying to help ;)

It looks like you're trying to proxy /web through the root domain, and also /web through subfolder /data or /wss and you only added the websocket bits to the /data or /wss subfolder. 

 

Does the app actually serve the websockets at subfolder /data or /wss? From the error message, it looks like it doesn't

Link to comment
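
The path rewriting aptalca describes, as an added example that is not part of any post in this thread: with a prefix location, nginx replaces the matched prefix with the URI part of `proxy_pass`, which is what produced `/adminfavicon.ico` in the pihole log earlier and decides where `/data/` lands here. `upstream_url` is a hypothetical helper; the `/admin` target is inferred from the upstream URLs in that log, not from the posted config.

```python
from urllib.parse import urlsplit


def upstream_url(location: str, proxy_pass: str, request_uri: str) -> str:
    """URL nginx requests upstream for a plain prefix location.

    nginx rule: when proxy_pass has a URI part (anything after host[:port],
    even a lone "/"), the part of the request path that matched the location
    is replaced by that URI part. Without a URI part the request URI is
    forwarded unchanged. Regex locations and variables in proxy_pass follow
    other rules and are not modelled here.
    """
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location):
        raise ValueError(f"{request_uri!r} is not served by location {location!r}")
    target = urlsplit(proxy_pass)
    origin = f"{target.scheme}://{target.netloc}"
    if target.path == "":
        upstream_path = path                                  # forwarded as-is
    else:
        upstream_path = target.path + path[len(location):]    # prefix swapped
    return origin + upstream_path + sep + query


# (location, proxy_pass, request URI) triples built from the configs in this
# thread. The nginx error log prints the default port (":80"); this helper
# leaves the authority exactly as written in proxy_pass.
CASES = [
    # pihole post: "/admin" is inferred from the upstream URLs in the posted log
    ("/", "http://192.168.0.101/admin", "/favicon.ico"),
    ("/", "http://192.168.0.101/admin/", "/favicon.ico"),
    ("/", "http://192.168.0.101", "/favicon.ico"),
    # WebSocket post: the same request through either location block
    ("/data", "http://192.168.1.2:34400/web/", "/data/?Token=undefined"),
    ("/", "http://192.168.1.2:34400/web/", "/data/?Token=undefined"),
]


def report(cases=CASES):
    """One line per case: what was asked for and what the upstream receives."""
    return [f"location {loc:<6} proxy_pass {pp:<32} {uri} -> {upstream_url(loc, pp, uri)}"
            for loc, pp, uri in cases]


if __name__ == "__main__":
    print("\n".join(report()))
```
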
On 11/17/2016 at 9:09 AM, joachimvadseth said:

Ok thanks, but first things first - how do I access the /mnt/user/appdata folder from my mac? A long long time ago I used ubuntu and mounting sshfs was not that big a deal and CLI is not my happiest place to work.. :)

I think I did the following:

 

go to Shares

click on appdata, should be on top

 

Go to either AFP or SMB, whichever you have credentials set up on unraid; personally I created the same user in unraid so it matches my user on my macbook and everything seems to be easier

Anyways, on the Export/Enhanced OS Interoperability I selected both to Yes,
And leave the Security as is (Public)..
Eject/Disconnect from mounted shares on your mac or better, restart your computer..

when you connect to the network shares you 

 

a) should see the appdata share

b) be able to open it and open files from within

TADA!!!

Link to comment
On 11/17/2016 at 3:24 AM, joachimvadseth said:

Can anyone help me configure and set up sites in Nginx?

 

I got the following docker apps installed:

 

letsencrypt;

1.1.1.3:8833

1.1.1.3:8181

 

nextcloud:

1.1.1.3:3443 resolved to cloud.domain.com

 

plex:

 

rutorrent:

1.1.1.3:8099 resolved to torrent.domain.com

1.1.1.3:45566

1.1.1.3:8089

1.1.1.3:9527

 

unifi:

1.1.1.3:8080 resolved to unifi.domain.com

1.1.1.3:8081

1.1.1.3:8443

Quick question, how do you "resolve" the nextcloud, etc. to *cloud.domain.com or cloud.duckdns.org??
what does that "resolved" mean?
Plz excuse the question, I'm trying to learn and troubleshoot nextcloud/letsencrypt to be accessible from outside my network..
not successful after so many attempts...

Link to comment

Ok, I am in way over my head here, but after working with the IT at my friend's web-agency in Berlin, where my unRAID server is hosted, we finally got to the point where he set up both an OpenVPN access to my server, that I can use to address most ports, and he also set up a vLAN for the server with a publicly reachable IP on port 80 and 443. I moved port 80 for the WebGUI to another port which is only accessible via OpenVPN, but I don't remember now whether I did the same for port 443. Where do I check that, again?

Anyway, I just installed the lets encrypt docker, but read that lets encrypt has already been part of the unRAID OS for a few versions, so should I not install this Docker on top of it if I am just now getting started on trying to use my unRAID system to host some websites?

Be that as it may, I configured one of my domains to point to the publicly accessible IP of my unRAID server, and entered this domain name into the lets encrypt Docker's config page. The Docker is now running, but when I point my browser to the domain I mapped to the unRAID IP, I get "Safari Can't Connect to the Server" error message. Also, when I try to open the Docker's WebUI, I also get the same error message, although I am not surprised about that, as it tries to open this page at https://10.0.95.2, which is the OpenVPN IP of the server. Since I have no indication of an SSL connection being configured (I can't reach my server at https anything), I am now completely in the dark about where to even start trouble-shooting this rather naive approach at getting unRAID to be reachable via its public IP.

Any pointers as to where to start? Since I pointed my domain host's entry for the domain to the IP number only about 45mins ago, could it be something as simple as a DNS propagation issue?

What needs to happen before I can open the WebUI page for the Docker at https://10.0.95.2 ?

I suppose that the WebUI page will give me the option of pointing to the public_html folder (which I have yet to create), so without that, is there even anything to connect to, for the browser?

Edited by tillkrueger
Link to comment
20 hours ago, aptalca said:

It looks like you're trying to proxy /web through the root domain, and also /web through subfolder /data or /wss and you only added the websocket bits to the /data or /wss subfolder. 

 

Does the app actually serve the websockets at subfolder /data or /wss? From the error message, it looks like it doesn't

That's something idk, just thought so because in the error I see .../data/...

Now, when I do the setup like this (without the 2nd location)

 

server {
    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    server_name web.*;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AE..... ### <- cutted so paste is smaller
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        proxy_pass http://192.168.1.2:34400/web/;
        proxy_redirect off;
        proxy_buffering off;
        proxy_set_header Host $host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_ssl_verify off;
    }
}

 

I get the following error in browser

 

400 Bad Request: too many Host headers

 

from console

 


Link to comment
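
One thing worth checking for the `400 Bad Request: too many Host headers` response, as an added example that is not part of any post here: nginx emits every `proxy_set_header` line it finds in a block, so a `Host` line in the location plus another one inside an included file sends two `Host` headers upstream. The `proxy.conf` contents below are a constructed assumption (the thread never shows that file), and `duplicate_proxy_headers` is a hypothetical helper.

```python
import re

# Constructed stand-in for /config/nginx/proxy.conf, which the thread does not
# show. Assumption: like most shared proxy snippets, it already sets Host.
INCLUDES = {
    "/config/nginx/proxy.conf": """
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    """,
}

# The location block from the post above (TLS directives left out).
SITE_CONF = """
location / {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    proxy_pass http://192.168.1.2:34400/web/;
    proxy_redirect off;
    proxy_buffering off;
    proxy_set_header Host $host;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
    proxy_ssl_verify off;
}
"""

# Same block with the second Host line dropped.
FIXED_CONF = SITE_CONF.replace("    proxy_set_header Host $host;\n", "")


def _strip_comments(text):
    return re.sub(r"#[^\n]*", "", text)


def _expand(text, includes, depth=0):
    """Inline known include files, as nginx does, at the point of the include."""
    if depth > 10:
        raise ValueError("include nesting too deep")

    def inline(match):
        body = includes.get(match.group(1), "")   # unknown files contribute nothing
        return _expand(_strip_comments(body), includes, depth + 1)

    return re.sub(r"\binclude\s+([^;\s]+)\s*;", inline, text)


def duplicate_proxy_headers(conf, includes):
    """Return (block, header, values) for headers set twice in one block."""
    text = _expand(_strip_comments(conf), includes)
    stack, findings = [("main", {})], []

    def close(block):
        name, headers = block
        findings.extend((name, h, v) for h, v in headers.items() if len(v) > 1)

    for m in re.finditer(r"(\})|([^;{}]+)([;{])", text):
        if m.group(1):                              # "}" ends the current block
            if len(stack) > 1:
                close(stack.pop())
        elif m.group(3) == "{":                     # "name args {" opens a block
            stack.append((" ".join(m.group(2).split()), {}))
        else:                                       # "directive args;"
            words = m.group(2).split()
            if len(words) >= 3 and words[0] == "proxy_set_header":
                stack[-1][1].setdefault(words[1].lower(), []).append(" ".join(words[2:]))
    while stack:
        close(stack.pop())
    return findings


if __name__ == "__main__":
    print(duplicate_proxy_headers(SITE_CONF, INCLUDES))
    print(duplicate_proxy_headers(FIXED_CONF, INCLUDES))
```
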

Ok, in the settings page of the docker I saw that the "http:" and "https:" fields were empty...I had thought they auto-populate with the default ports, which obviously isn't the case.

After entering 80 and 443, I can now see the default index.html page in the docker's www folder. So, since the www folder is inside appdata, which is on my Cache drive, how can I remap www to my protected array which has vastly more space? I tried moving the www folder to it and creating an alias inside the letsencrypt folder via the Mac OS Finder, but it won't let me...always complains that it already exists.

What's the proper way of accomplishing hosting the www folder on the array?

Link to comment

And to pile even further on top of the questions I already asked, is there some sort of WebGUI that I can install fairly easily that lets me administer the web functionality of the nginx part of the letsencrypt docker? Something like webadmin or maybe even Vesta (https://vestacp.com)? Not being a Linux guy and knowing very little about how to use Terminal effectively, it would have to be something really easy to install, so that I *don't* have to rely on Terminal to administer the webserver.

Also, is PHP already a part of this docker or do I need to install something else to get PHP functionality, and if so, what and how?

Since this discussion is already 103 pages long and contains dozens and dozens of ongoing issues various users are trying to figure out, would I be better off starting a new topic in one of the other forums, maybe? I have a feeling that come tomorrow, all my questions will have faded into the "distant" past. So what's the best way for an nginx/letsencrypt noob to get up and running properly?

Link to comment

I'm still stuck trying to provision the certificate. Getting the exact "timed out" error that @SpaceInvaderOne says is most likely caused by firewall issues. I've set the port forwarding in my router exactly how @SpaceInvaderOne describes in his tutorial, and I have the Let'sEncrypt container config set to the same ports: https://imgur.com/a/6fvhKWy

 

I'm using the duckdns container and I've already confirmed that it has been updating correctly.

 

Any ideas where to start troubleshooting this?

Edited by scud133b
Link to comment
1 hour ago, scud133b said:

I'm still stuck trying to provision the certificate. Getting the exact "timed out" error that @SpaceInvaderOne says is most likely caused by firewall issues. I've set the port forwarding in my router exactly how @SpaceInvaderOne describes in his tutorial, and I have the Let'sEncrypt container config set to the same ports: https://imgur.com/a/6fvhKWy

 

I'm using the duckdns container and I've already confirmed that it has been updating correctly.

 

Any ideas where to start troubleshooting this?

Probably the problem is due to your ISP blocking port 80, which some do.

Because of this, HTTP authentication will fail.

You can work around this, but you will need to buy your own domain.

Then sign up for a free Cloudflare account and add your domain to it.

You would point your own subdomains (using CNAME) to your duck DNS (example nextcloud.  sonarr.  radarr.  yourdomain.com to myserver.duckdns.org)

When this is set up you would then change the template for lets encrypt to use DNS authentication and Cloudflare like this.

Then you will need to go to your appdata share, then letsencrypt and the folder dns-config.

Here you will find a file called cloudflare.ini. In this file you will need to put the email address which you used to sign up for Cloudflare and also your Cloudflare API key.

Once you have done this, restart lets encrypt and it will validate and generate the certs that you need.

Hope that helps.

Link to comment
23 hours ago, tillkrueger said:

Ok, in the settings page of the docker I saw that the "http:" and "https:" fields were empty...I had thought they auto-populate with the default ports, which obviously isn't the case.

After entering 80 and 443, I can now see the default index.html page in the docker's www folder. So, since the www folder is inside appdata, which is on my Cache drive, how can I remap www to my protected array which has vastly more space? I tried moving the www folder to it and creating an alias inside the letsencrypt folder via the Mac OS Finder, but it won't let me...always complains that it already exists.

What's the proper way of accomplishing hosting the www folder on the array?

Symlink to the array won't work because inside the container, nginx won't be able to follow that link to the array. 

 

Easiest way is to map another location to the container, one that resides on the array, and use that location in the root directive in the nginx site config

Link to comment
3 hours ago, SpaceInvaderOne said:

Probably the problem is due to your ISP blocking port 80, which some do.

Because of this, HTTP authentication will fail.

You can work around this, but you will need to buy your own domain.

Then sign up for a free Cloudflare account and add your domain to it.

You would point your own subdomains (using CNAME) to your duck DNS (example nextcloud.  sonarr.  radarr.  yourdomain.com to myserver.duckdns.org)

When this is set up you would then change the template for lets encrypt to use DNS authentication and Cloudflare like this.

Then you will need to go to your appdata share, then letsencrypt and the folder dns-config.

Here you will find a file called cloudflare.ini. In this file you will need to put the email address which you used to sign up for Cloudflare and also your Cloudflare API key.

Once you have done this, restart lets encrypt and it will validate and generate the certs that you need.

Hope that helps.

That was accurate until yesterday 😉

 

We just pushed a new build that supports dns validated wildcard certs with duckdns. 

 

It requires VALIDATION set to duckdns and a new environment variable added for the duckdns token. 

 

There is one big limitation though. The cert will only cover the sub-subdomains such as *.yoursubdomain.duckdns.org but it won't cover yoursubdomain.duckdns.org

 

So if you want to use reverse proxies with the subfolder method, you would do it with a sub-subdomain like www.yoursubdomain.duckdns.org/nextcloud

 

Details are also included in the image description on both github and docker hub

Link to comment
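
The coverage limit aptalca describes, as an added example that is not part of the post or of the image's own code: a wildcard SAN stands for exactly one left-most label, so it covers neither the bare name nor anything two levels down. `san_covers` and `audit` are hypothetical helpers, and the hostname list is constructed from the names in the post.

```python
def san_covers(san: str, hostname: str) -> bool:
    """True if one certificate SAN entry matches hostname.

    Matching follows the usual TLS client rules: comparison is
    case-insensitive, and "*" is honoured only as the entire left-most
    label, where it stands for exactly one label.
    """
    pattern = san.rstrip(".").lower().split(".")
    labels = hostname.rstrip(".").lower().split(".")
    if len(pattern) != len(labels) or "" in labels:
        return False
    if pattern[0] == "*":
        return pattern[1:] == labels[1:]
    return pattern == labels


def audit(hostnames, sans):
    """Map each hostname to the SAN that covers it, or None if nothing does."""
    return {h: next((s for s in sans if san_covers(s, h)), None) for h in hostnames}


# Constructed input: the wildcard from the post, the names it mentions, and
# two extra names (nextcloud.*, a.b.*) added to show the one-label rule.
CERT_SANS = ["*.yoursubdomain.duckdns.org"]
PLANNED = [
    "yoursubdomain.duckdns.org",
    "www.yoursubdomain.duckdns.org",
    "nextcloud.yoursubdomain.duckdns.org",
    "a.b.yoursubdomain.duckdns.org",
]

if __name__ == "__main__":
    for host, san in audit(PLANNED, CERT_SANS).items():
        print(f"{host:<40} {'covered by ' + san if san else 'NOT covered'}")
```
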
3 hours ago, SpaceInvaderOne said:

Probably the problem is due to your ISP blocking port 80, which some do.

Because of this, HTTP authentication will fail.

You can work around this, but you will need to buy your own domain.

Then sign up for a free Cloudflare account and add your domain to it.

You would point your own subdomains (using CNAME) to your duck DNS (example nextcloud.  sonarr.  radarr.  yourdomain.com to myserver.duckdns.org)

When this is set up you would then change the template for lets encrypt to use DNS authentication and Cloudflare like this.

Then you will need to go to your appdata share, then letsencrypt and the folder dns-config.

Here you will find a file called cloudflare.ini. In this file you will need to put the email address which you used to sign up for Cloudflare and also your Cloudflare API key.

Once you have done this, restart lets encrypt and it will validate and generate the certs that you need.

Hope that helps.

Worked for generating the certificate. Thanks! Now just trying to get the reverse proxy to nextcloud working (which it's not, still timing out). I edited the nginx config files in let's encrypt, and the config.php file in nextcloud, and I'm still getting a timeout error when trying to connect through my subdomain.

Link to comment
7 hours ago, tillkrueger said:

And to pile even further on top of the questions I already asked, is there some sort of WebGUI that I can install fairly easily that lets me administer the web functionality of the nginx part of the letsencrypt docker? Something like webadmin or maybe even Vesta (https://vestacp.com)? Not being a Linux guy and knowing very little about how to use Terminal effectively, it would have to be something really easy to install, so that I *don't* have to rely on Terminal to administer the webserver.

Also, is PHP already a part of this docker or do I need to install something else to get PHP functionality, and if so, what and how?

Since this discussion is already 103 pages long and contains dozens and dozens of ongoing issues various users are trying to figure out, would I be better off starting a new topic in one of the other forums, maybe? I have a feeling that come tomorrow, all my questions will have faded into the "distant" past. So what's the best way for an nginx/letsencrypt noob to get up and running properly?

Not aware of a gui based management system. It's unlikely that one would work for our image since we changed the locations of a lot of the config files so they are in the appdata folder. 

 

You don't really have to use terminal or Linux since all the necessary files are in the appdata folder. You can edit them with notepad++ on windows or any decent file editor on mac. Restart the container for changes to take effect. 

Link to comment

hm, ok, thanks for letting me know aptalca.

If I still have your attention, could you tell me the easiest way to move the www folder out of appdata/letsencrypt and onto my array, where I have the necessary space to host all of my sites? I tried moving it and then dragging an alias back into it via the Mac Finder, but I get an error every time that such a folder already exists (even though I had moved it out of there and cannot see an alias or folder by the name of www).

*never mind*, just saw your post pertaining to that question!

Edited by tillkrueger
Link to comment
On 11/16/2018 at 12:58 AM, aptalca said:

It looks like you're trying to proxy /web through the root domain, and also /web through subfolder /data or /wss and you only added the websocket bits to the /data or /wss subfolder. 

 

Does the app actually serve the websockets at subfolder /data or /wss? From the error message, it looks like it doesn't

After some more reading I assume it's not so easy for apps in golang behind an nginx reverse proxy, thanks for trying.

Link to comment
16 hours ago, Jclendineng said:

Was NGINX compiled with openssl? I am adding TLSv1.3 to my server but it does not seem to be working properly.  Trying to narrow down the cause.  I know it is still very new, but I am testing it for something.

 

Thanks for any input!

 

If I remember correctly it's alpine based, so then we use libressl. Alpine deprecated openssl some releases ago. 

Link to comment
