[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

I've been trying to set-up nginx to work with .htpasswrd so I can leverage fail2ban (and make the whole reverse proxy business more secure) but can't seem to get it working.

I followed the below steps :

1 - Uncomment the lines in the auth_basic and auth_basic_user_file in letsencrypt/nginx/proxy-conf/

2 - Used the following command to generate and add a username/password to .htpasswd "docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd <username>"

 

However, I keep getting the username/password prompt, as if the username/password I enter is incorrect. Also, I'm trying to find out whether fail2ban works properly as it seems I might have blocked my IP (oops) but can't figure out how to list banned IPs (and unban them) - I've had to resort testing from my 4G network.

Any help appreciated (and any more tips how to make a reverse proxy more secure, greatly appreciated)

Thanks

Link to comment

Hmm, I thought I had this working before, but I'm having a little trouble getting Sabnzbd to work.  I've got the CNAME set up already, and here's my proxy-conf fro Sab:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name sabnzbd.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;


    location / {

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sabnzbd binhex-sabnzbd;
        proxy_pass http://$upstream_sabnzbd:8800;
    }

    location ~ (/sabnzbd)?/api {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sabnzbd binhex-sabnzbd;
        proxy_pass http://$upstream_sabnzbd:8800;
    }
}

Note that my Sabnzbd port is 8800, and not 8080.

 

I keep getting 502 bad gateway when attempting to access the site using the reverse proxy.  Anything I should check?

 

Edit: Posting in these threads apparently is the magic step, because I just realized I need to keep the Port at 8080 because it's the Docker network I created where it's looking for the Sab GUI.

Edited by Coolsaber57
Link to comment

I've been trying to get auto-redirect from http to https (including subdomains) all night but can't seem to get it working. It seems going from http://subdomain.mydomain.com always redirects to https://mydomain.com.

 

For example I'd like http://sonarr.mydomain.com to automatically redirect to https://sonarr.mydomain.com

 

I've added the following in nginx.conf in the http block just below the brace:

 

server {
	listen 80;
	server_name mydomain.com;
	return 301 https://$server_name$request_uri;
}

 

 

In whole, here's my nginx.conf - nothing else has been modified besides the "custom" stuff

 

## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf

user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Custom
	##

server {
listen 80;
server_name mydomain.com;
return 301 https://$server_name$request_uri;
}

	# don't send the nginx version number in error pages and Server header
	server_tokens off;

	# config to don't allow the browser to render the page inside an frame or iframe
	# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
	# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
	# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
	add_header X-Frame-Options SAMEORIGIN;

	# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
	# to disable content-type sniffing on some browsers.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
	# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
	# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
	add_header X-Content-Type-Options nosniff;

	# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
	# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for 
	# this particular website if it was disabled by the user.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	add_header X-XSS-Protection "1; mode=block";

	# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
	# you can tell the browser that it can only download content from the domains you explicitly allow
	# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
	# https://www.owasp.org/index.php/Content_Security_Policy
	# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
	# directives for css and js(if you have inline css or js, you will need to keep it too).
	# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
	add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	client_max_body_size 0;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Settings
	##

	access_log /config/log/nginx/access.log;
	error_log /config/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# nginx-naxsi config
	##
	# Uncomment it if you installed nginx-naxsi
	##

	#include /etc/nginx/naxsi_core.rules;

	##
	# nginx-passenger config
	##
	# Uncomment it if you installed nginx-passenger
	##

	#passenger_root /usr;
	#passenger_ruby /usr/bin/ruby;

	##
	# Virtual Host Configs
	##
	include /etc/nginx/conf.d/*.conf;
	include /config/nginx/site-confs/*;

}

Thanks

Edited by teh0wner
Link to comment
14 hours ago, teh0wner said:

I've been trying to get auto-redirect from http to https (including subdomains) all night but can't seem to get it working. It seems going from http://subdomain.mydomain.com always redirects to https://mydomain.com.

 

For example I'd like http://sonarr.mydomain.com to automatically redirect to https://sonarr.mydomain.com

 

 


## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf

user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Custom
	##

server {
listen 80;
server_name mydomain.com;
return 301 https://$server_name$request_uri;
}

	# don't send the nginx version number in error pages and Server header
	server_tokens off;

	# config to don't allow the browser to render the page inside an frame or iframe
	# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
	# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
	# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
	add_header X-Frame-Options SAMEORIGIN;

	# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
	# to disable content-type sniffing on some browsers.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
	# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
	# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
	add_header X-Content-Type-Options nosniff;

	# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
	# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for 
	# this particular website if it was disabled by the user.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	add_header X-XSS-Protection "1; mode=block";

	# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
	# you can tell the browser that it can only download content from the domains you explicitly allow
	# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
	# https://www.owasp.org/index.php/Content_Security_Policy
	# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
	# directives for css and js(if you have inline css or js, you will need to keep it too).
	# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
	add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	client_max_body_size 0;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Settings
	##

	access_log /config/log/nginx/access.log;
	error_log /config/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# nginx-naxsi config
	##
	# Uncomment it if you installed nginx-naxsi
	##

	#include /etc/nginx/naxsi_core.rules;

	##
	# nginx-passenger config
	##
	# Uncomment it if you installed nginx-passenger
	##

	#passenger_root /usr;
	#passenger_ruby /usr/bin/ruby;

	##
	# Virtual Host Configs
	##
	include /etc/nginx/conf.d/*.conf;
	include /config/nginx/site-confs/*;

}

Thanks

Remove that bit from nginx.conf, open the default site config and you'll see the message about https redirect at the top

Edited by aptalca
Link to comment
On 12/17/2018 at 3:27 AM, strike said:

You're probably missing something in your site config like the include syntax. Anyways, everything you want to know is in here: https://technicalramblings.com/blog/banning-with-http-auth-and-fail2ban/

 

He also has a guide on how to use geo IP database to block IP's based on contries which I think you should check out.

Thanks for that - managed to get it working. Now trying to get GeoIP to work, but banging my head against the wall. Followed his instructions step by step, but everything seems to come thru regardless of location.

My nginx.conf looks as follows :

 

## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf

user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Custom
	##

	geoip_country /config/geoip/GeoIPv6.dat;

	# LOCAL IP ALLOW GEO BLOCK
	geo $lan-ip {
	    default no;
	    192.168.1.0/24 yes;
	}

	# GEO IP BLOCK SITE 1
	map $geoip_country_code $allowed_country {
	    default no;
	    UK yes;
	}

	# don't send the nginx version number in error pages and Server header
	server_tokens off;

	# config to don't allow the browser to render the page inside an frame or iframe
	# and avoid clickjacking http://en.wikipedia.org/wiki/Clickjacking
	# if you need to allow [i]frames, you can use SAMEORIGIN or even set an uri with ALLOW-FROM uri
	# https://developer.mozilla.org/en-US/docs/HTTP/X-Frame-Options
	add_header X-Frame-Options SAMEORIGIN;

	# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
	# to disable content-type sniffing on some browsers.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	# currently suppoorted in IE > 8 http://blogs.msdn.com/b/ie/archive/2008/09/02/ie8-security-part-vi-beta-2-update.aspx
	# http://msdn.microsoft.com/en-us/library/ie/gg622941(v=vs.85).aspx
	# 'soon' on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=471020
	add_header X-Content-Type-Options nosniff;

	# This header enables the Cross-site scripting (XSS) filter built into most recent web browsers.
	# It's usually enabled by default anyway, so the role of this header is to re-enable the filter for 
	# this particular website if it was disabled by the user.
	# https://www.owasp.org/index.php/List_of_useful_HTTP_headers
	add_header X-XSS-Protection "1; mode=block";

	# with Content Security Policy (CSP) enabled(and a browser that supports it(http://caniuse.com/#feat=contentsecuritypolicy),
	# you can tell the browser that it can only download content from the domains you explicitly allow
	# http://www.html5rocks.com/en/tutorials/security/content-security-policy/
	# https://www.owasp.org/index.php/Content_Security_Policy
	# I need to change our application code so we can increase security by disabling 'unsafe-inline' 'unsafe-eval'
	# directives for css and js(if you have inline css or js, you will need to keep it too).
	# more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
	add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	client_max_body_size 0;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Settings
	##

	access_log /config/log/nginx/access.log;
	error_log /config/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# nginx-naxsi config
	##
	# Uncomment it if you installed nginx-naxsi
	##

	#include /etc/nginx/naxsi_core.rules;

	##
	# nginx-passenger config
	##
	# Uncomment it if you installed nginx-passenger
	##

	#passenger_root /usr;
	#passenger_ruby /usr/bin/ruby;

	##
	# Virtual Host Configs
	##
	include /etc/nginx/conf.d/*.conf;
	include /config/nginx/site-confs/*;

}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}
daemon off;

 

My default as follows :

 

## Version 2018/09/12 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
server {
	listen 80;
	server_name _;
	return 301 https://$host$request_uri;
}

# main server block
server {

	# LOCAL IP ALLOW GEO BLOCK
    if ($lan-ip = yes) {
    	set $allowed_country yes;
    }
    
	# COUNTRY GEO BLOCK 
    if ($allowed_country = no) {
    	return 403;
    }

	listen 443 ssl default_server;

	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	# enable subfolder method reverse proxy confs
	include /config/nginx/proxy-confs/*.subfolder.conf;

	#Custom
	add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

	# all ssl related config moved to ssl.conf
	include /config/nginx/ssl.conf;
	
	# enable for ldap auth
	#include /config/nginx/ldap.conf;

	client_max_body_size 0;

	location / {
		try_files $uri $uri/ /index.html /index.php?$args =404;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#	location ^~ /cp {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
#		include /config/nginx/proxy.conf;
#		proxy_pass http://192.168.1.50:5050/cp;
#	}

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#	listen 443 ssl;
#
#	root /config/www;
#	index index.html index.htm index.php;
#
#	server_name cp.*;
#
#	include /config/nginx/ssl.conf;
#
#	client_max_body_size 0;
#
#	location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
#		include /config/nginx/proxy.conf;
#		proxy_pass http://192.168.1.50:5050;	
#	}
#}

# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
#	listen 443 ssl;
#
#	root /config/www;
#	index index.html index.htm index.php;
#
#	server_name heimdall.*;
#
#	include /config/nginx/ssl.conf;
#
#	include /config/nginx/ldap.conf;
#
#	client_max_body_size 0;
#
#	location / {
#		# the next two lines will enable ldap auth along with the included ldap.conf in the server block
#		auth_request /auth;
#		error_page 401 =200 /login;
#
#		include /config/nginx/proxy.conf;
#		resolver 127.0.0.11 valid=30s;
#		set $upstream_heimdall heimdall;
#		proxy_pass https://$upstream_heimdall:443;
#	}
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

 

I've tried placing the if blocks in various parts in the server block but no matter where I put them, it won't work. I'm also 100% sure /config/geoip/GeoIPv6.dat; exists with 911 permissions.

Any ideas?

Link to comment

Try to move the geoIP part away from your main server block to after the location ~ \.php$ part in your default site config so it looks like this:

 

Location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }
    
    # LOCAL IP ALLOW GEO BLOCK
    if ($lan-ip = yes) {
        set $allowed_country yes;
    }
    
    # COUNTRY GEO BLOCK 
    if ($allowed_country = no) {
        return 403;
    }

 

Edit: And remember to restart the container

Edited by strike
Link to comment
13 minutes ago, strike said:

Try to move the geoIP part away from your main server block to after the location ~ \.php$ part in your default site config so it looks like this:

 

Location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }
    
    # LOCAL IP ALLOW GEO BLOCK
    if ($lan-ip = yes) {
        set $allowed_country yes;
    }
    
    # COUNTRY GEO BLOCK 
    if ($allowed_country = no) {
        return 403;
    }

 

Edit: And remember to restart the container

Thanks for this. No luck unfortunately; gets me straight through to the login prompt :(

Link to comment
56 minutes ago, strike said:

How are you testing to check if you get blocked or not? Remember you told it to ignore your LAN IP so you must test from outside your LAN. I can't see any obvious reason why it won't work.

I've tried various ways including using a VPN connected to a 'blocked' country, using a proxy and an online proxy website. All while accessing my domain. 

Link to comment
On 11/5/2018 at 3:08 PM, Gobs said:

@happyagnostic

 

So I tried that (adding port forward 32400, protocol = TCP) and adding the lines that you wrote. The good news: I can actually open the Plex GUI now, but I just get a page saying:

Plex is not reachable.

Make sure your server has an internet connection and any firewalls or other programs are set to allow access.

So back to square one. (This is when I run it in custom bridge mode - if I run it in host mode, I can at least access my files but still get complaints about not being able to reach Plex and I can't sign in).

@happyagnostic

 

So I only just found out what was wrong - having done what you suggested (port forwarding parameters + using Plex with the custom network) I was able to reach my plex, but it still said server unreachable. This was because I use uMatrix to prevent websites from loading scripts, and it was preventing access to plex.tv, so I disabled this and everything works fine now, I'm so happy!

 

I'm still a bit confused as to how the port forwarding works. If I understand correctly, I request goes to plex.mydomain.com through port 443, which is then forwarded to port 1443 by my router, letsencrypt / nginx recieves this request then forwards it to port 32400 on the plex docker? Does that sound about right?

Link to comment
45 minutes ago, teh0wner said:

I've destroyed the container and created one from scratch - and still have the exact same issue. I've followed the steps for a reverse proxy from SpaceInvader One's video (https://www.youtube.com/watch?v=I0lhZc25Sro) and GeoIP set-up from https://technicalramblings.com/blog/blocking-countries-with-geoip2-using-the-letsencrypt-docker-container/

Since you started from scratch, please post your nginx.conf and your default site config again. 

Link to comment
2 hours ago, strike said:

Since you started from scratch, please post your nginx.conf and your default site config again. 

It looks very similar to the last one but here they are :

nginx.conf:

## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/nginx.conf

user abc;
worker_processes 4;
pid /run/nginx.pid;
include /etc/nginx/modules/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Custom
	##

	geoip_country /config/geoip/GeoIPv6.dat;

	geo $lan-ip {
		default no;
		192.168.1.0/24 yes;
	}

	map $geoip_country_code $allowed_country {
		default no;
		UK yes;
	}

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	client_max_body_size 0;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Settings
	##

	access_log /config/log/nginx/access.log;
	error_log /config/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# nginx-naxsi config
	##
	# Uncomment it if you installed nginx-naxsi
	##

	#include /etc/nginx/naxsi_core.rules;

	##
	# nginx-passenger config
	##
	# Uncomment it if you installed nginx-passenger
	##

	#passenger_root /usr;
	#passenger_ruby /usr/bin/ruby;

	##
	# Virtual Host Configs
	##
	include /etc/nginx/conf.d/*.conf;
	include /config/nginx/site-confs/*;
  
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
#
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}
daemon off;

default:
 

## Version 2018/09/12 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
server {
	listen 80;
	server_name _;
	return 301 https://$host$request_uri;
}

# main server block
server {
	listen 443 ssl default_server;

	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	# enable subfolder method reverse proxy confs
	include /config/nginx/proxy-confs/*.subfolder.conf;

	# all ssl related config moved to ssl.conf
	include /config/nginx/ssl.conf;
	
	# enable for ldap auth
	#include /config/nginx/ldap.conf;

	client_max_body_size 0;

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}

	# LOCAL IP ALLOW GEO BLOCK
	if ($lan-ip = yes) {
		set $allowed_country yes;
	}
    
	# COUNTRY GEO BLOCK 
	if ($allowed_country = no) {
		return 444;
	}

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#	location ^~ /cp {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
#		include /config/nginx/proxy.conf;
#		proxy_pass http://192.168.1.50:5050/cp;
#	}

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#	listen 443 ssl;
#
#	root /config/www;
#	index index.html index.htm index.php;
#
#	server_name cp.*;
#
#	include /config/nginx/ssl.conf;
#
#	client_max_body_size 0;
#
#	location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
#		include /config/nginx/proxy.conf;
#		proxy_pass http://192.168.1.50:5050;	
#	}
#}

# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
#	listen 443 ssl;
#
#	root /config/www;
#	index index.html index.htm index.php;
#
#	server_name heimdall.*;
#
#	include /config/nginx/ssl.conf;
#
#	include /config/nginx/ldap.conf;
#
#	client_max_body_size 0;
#
#	location / {
#		# the next two lines will enable ldap auth along with the included ldap.conf in the server block
#		auth_request /auth;
#		error_page 401 =200 /login;
#
#		include /config/nginx/proxy.conf;
#		resolver 127.0.0.11 valid=30s;
#		set $upstream_heimdall heimdall;
#		proxy_pass https://$upstream_heimdall:443;
#	}
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

 

 

Thanks in advance. Really appreciate your efforts to help me out.

Link to comment

Hmm.. I still can't see anything wrong with that. No errors in the log either? It's a long shot, but the only thing I can think of is to remove the comment before geoip_country /config/geoip/GeoIPv6.dat; in your nginx.conf, restart the container and test again.

 

It says in the guide you should put the geo ip part right after http {

But then again I can't see why comments should affect that either, as I said a long shot. If all else fail you can try to put it in your proxy conf files instead of the default site config and see if that makes a difference.

Link to comment
1 hour ago, strike said:

Hmm.. I still can't see anything wrong with that. No errors in the log either? It's a long shot, but the only thing I can think of is to remove the comment before geoip_country /config/geoip/GeoIPv6.dat; in your nginx.conf, restart the container and test again.

 

It says in the guide you should put the geo ip part right after http {

But then again I can't see why comments should affect that either, as I said a long shot. If all else fail you can try to put it in your proxy conf files instead of the default site config and see if that makes a difference.

Removing the comment didn't seem to work.

A few things that might trigger a few thoughts :

Running nginx -t when I connect to the docker container gives me :


root@f973a7ead368:/$ nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] open() "/run/nginx/nginx.pid" failed (2: No such file or directory)
nginx: configuration file /etc/nginx/nginx.conf test failed


I've tried a small test to see if default even gets triggered, but it looks like it doesn't.. Is that even possible?

I've changed my default to (see below), but it goes thru to sonar just fine without returning the code and message.

 

## Version 2018/09/12 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
server {
	listen 80;
	server_name _;
	return 301 https://$host$request_uri;
}

# main server block
server {
	location / {
		return 200 "Country code is : $geoip_country_code";
		#try_files $uri $uri/ /index.html /index.php?$args =404;
	}

	listen 443 ssl default_server;

	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	# enable subfolder method reverse proxy confs
	include /config/nginx/proxy-confs/*.subfolder.conf;

	# all ssl related config moved to ssl.conf
	include /config/nginx/ssl.conf;
	
	# enable for ldap auth
	#include /config/nginx/ldap.conf;

	client_max_body_size 0;



	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}

	# LOCAL IP ALLOW GEO BLOCK
	if ($lan-ip = yes) {
		set $allowed_country yes;
	}
    
	# COUNTRY GEO BLOCK 
	if ($allowed_country = no) {
		return 444;
	}

# sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
# notice this is within the same server block as the base
# don't forget to generate the .htpasswd file as described on docker hub
#	location ^~ /cp {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
#		include /config/nginx/proxy.conf;
#		proxy_pass http://192.168.1.50:5050/cp;
#	}

}

# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
#server {
#	listen 443 ssl;
#
#	root /config/www;
#	index index.html index.htm index.php;
#
#	server_name cp.*;
#
#	include /config/nginx/ssl.conf;
#
#	client_max_body_size 0;
#
#	location / {
#		auth_basic "Restricted";
#		auth_basic_user_file /config/nginx/.htpasswd;
#		include /config/nginx/proxy.conf;
#		proxy_pass http://192.168.1.50:5050;	
#	}
#}

# sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
# ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
# notice this is a new server block, you need a new server block for each subdomain
#server {
#	listen 443 ssl;
#
#	root /config/www;
#	index index.html index.htm index.php;
#
#	server_name heimdall.*;
#
#	include /config/nginx/ssl.conf;
#
#	include /config/nginx/ldap.conf;
#
#	client_max_body_size 0;
#
#	location / {
#		# the next two lines will enable ldap auth along with the included ldap.conf in the server block
#		auth_request /auth;
#		error_page 401 =200 /login;
#
#		include /config/nginx/proxy.conf;
#		resolver 127.0.0.11 valid=30s;
#		set $upstream_heimdall heimdall;
#		proxy_pass https://$upstream_heimdall:443;
#	}
#}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;
# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;



However, putting it in my sonar config server block, returns 200 with the country code just fine.. 

 

Edit: For completeness sake, here's my sonarr.subdomain.conf which seems to work.

 

# make sure that your dns has a cname set for sonarr and that your sonarr container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name sonarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # LOCAL IP ALLOW GEO BLOCK
    if ($lan-ip = yes) {
        set $allowed_country yes;
    }
    
    # COUNTRY GEO BLOCK 
    if ($allowed_country = no) {
        return 444;
    }

    location / {
        # enable the next two lines for http auth
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
    }

    location ~ (/sonarr)?/api {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_sonarr sonarr;
        proxy_pass http://$upstream_sonarr:8989;
   }
}



 

Edited by teh0wner
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.