[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


5637 posts in this topic


Just now, ofthethorn said:

All seems to work now. Alas, still no connection to the local server. Probably should've added that I can't even connect to plex docker IP address.

Did you also enable access from outside your network in Plex and open port 32400 in your router to your docker? If so, disable all of that. Your plex docker should only be accessible through your LE setup.

 

And what mode is Plex on? Own IP, or bridge or host, or?


Just now, Kaizac said:

Did you also enable access from outside your network in Plex and open port 32400 in your router to your docker? If so, disable all of that. Your plex docker should only be accessible through your LE setup.

 

And what mode is Plex on? Own IP, or bridge or host, or?

Port 32400 is closed, so that's a negative.

Plex is on a separate network, the same as duckDNS and Le.

Just now, ofthethorn said:

Port 32400 is closed, so that's a negative.

Plex is on a separate network, the same as duckDNS and Le.

Separate network? What does that mean? If you mean a VLAN and you haven't enabled access from your LAN to that VLAN, your router/firewall is blocking your local access.

Just now, Kaizac said:

Separate network? What does that mean? If you mean a VLAN and you haven't enabled access from your LAN to that VLAN, your router/firewall is blocking your local access.

That may actually be it. I followed spaceinvader one's guide, I believe. And he recommended making a new docker network.

Just now, ofthethorn said:

That may actually be it. I followed spaceinvader one's guide, I believe. And he recommended making a new docker network.

Try giving plex its own IP first by putting it on br0 or something. That will put it on your LAN. If you can access it locally then, you know that's the issue.

7 minutes ago, Kaizac said:

Try giving plex its own IP first by putting it on br0 or something. That will put it on your LAN. If you can access it locally then, you know that's the issue.

Another quick update: since my router is a piece of trash I cannot control (forced by ISP), I decided to just add a second plex container, change its name and give it its own appdata folder. This container will solely be used for local access and is not set up in the LE docker.

This won't have any downsides I hope...

Thanks for all your help though! Really appreciate the effort.

5 minutes ago, ofthethorn said:

Another quick update: since my router is a piece of trash I cannot control (forced by ISP), I decided to just add a second plex container, change its name and give it its own appdata folder. This container will solely be used for local access and is not set up in the LE docker.

This won't have any downsides I hope...

Thanks for all your help though! Really appreciate the effort.

But why? It's incredibly inefficient, straining your server needlessly, and you have to configure 2 dockers. You can have both local and WAN access to the same docker. You just need to configure it well.

 

So your DuckDNS doesn't need to be on the docker network. It can just be in host mode on your Unraid box. For your LE docker I would also give that docker its own IP and make sure you redirect your router to that IP (I assume this is what you also did for your current setup?). And then in your nginx config you use the IP of your Plex docker, and both WAN and LAN access should work.

 

1 hour ago, ofthethorn said:

since my router is a piece of trash I cannot control (forced by ISP)

If that router will allow you to pass through your public IP to a specific device, you could always put your own router in place and get control again.

5 hours ago, Kaizac said:

But why? It's incredibly inefficient, straining your server needlessly, and you have to configure 2 dockers. You can have both local and WAN access to the same docker. You just need to configure it well.

 

So your DuckDNS doesn't need to be on the docker network. It can just be in host mode on your Unraid box. For your LE docker I would also give that docker its own IP and make sure you redirect your router to that IP (I assume this is what you also did for your current setup?). And then in your nginx config you use the IP of your Plex docker, and both WAN and LAN access should work.

 

I got it. I got stuck after doing what you described. I, like a complete dummy, forgot to change the plex conf file.

Got it all working. Thanks for all the help man. 
 


Trying to set up an HTML5 speedtest to be accessible via subdomain but I am having no luck. All other dockers work on subdomains fine, and the speedtest works on the localip:port, but for some reason nginx is having an issue serving it. My config is:

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name speedtest.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_speedtest speedtest;
        proxy_pass http://$upstream_speedtest:6580;
    }
}

 

Any ideas?

4 minutes ago, thrroow said:

Trying to set up an HTML5 speedtest to be accessible via subdomain but I am having no luck. All other dockers work on subdomains fine, and the speedtest works on the localip:port, but for some reason nginx is having an issue serving it. My config is:

 


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name speedtest.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_speedtest speedtest;
        proxy_pass http://$upstream_speedtest:6580;
    }
}

 

Any ideas?

Is your speedtest running inside a container named speedtest? And is that service listening on port 6580 inside the container? If it's actually listening on 80 inside the container but you mapped it to 6580 on the host, you need to use 80 in the proxy_pass directive.

1 minute ago, aptalca said:

Is your speedtest running inside a container named speedtest? And is that service listening on port 6580 inside the container? If it's actually listening on 80 inside the container but you mapped it to 6580 on the host, you need to use 80 in the proxy_pass directive.

Yes, the container is called "speedtest" and it maps 80:6580. It's set up in the exact same manner as sonarr/radarr etc., except with the docker name and port switched out.

7 hours ago, thrroow said:

Yes, the container is called "speedtest" and it maps 80:6580. It's set up in the exact same manner as sonarr/radarr etc., except with the docker name and port switched out.

Then, like I said, use port 80 in your proxy_pass directive.

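The point aptalca makes in the two replies above (proxy_pass has to name the port the service listens on inside its container, because SWAG reaches the container by name on the shared docker network, not through the port published on the Unraid host) is easy to check mechanically. The script below is an added example, not code from the thread or from linuxserver.io: it reads the `set $upstream_x name;` / `proxy_pass http://$upstream_x:port;` pair from a proxy conf and compares it with the JSON that `docker inspect <name>` prints (`Config.ExposedPorts` for container-side ports, `HostConfig.PortBindings` for host mappings). The sample conf and inspect output are constructed to mirror the speedtest case; the function names are my own.

```python
"""Check that a SWAG/letsencrypt proxy-conf's proxy_pass targets the port a
service listens on INSIDE its container, not the port published on the host.
Added example; the sample inputs below are constructed, not captured."""
import json
import re

# `set $upstream_x name;` and `proxy_pass http://$upstream_x:port;` as used in
# the linuxserver proxy-conf templates.
SET_RE = re.compile(r"^\s*set\s+\$(\w+)\s+([^\s;]+)\s*;", re.MULTILINE)
PASS_RE = re.compile(r"proxy_pass\s+https?://\$(\w+):(\d+)")

# Constructed sample: the thread's speedtest location block, trimmed to the
# directives that matter here.
SAMPLE_CONF = """
location / {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_speedtest speedtest;
    proxy_pass http://$upstream_speedtest:6580;
}
"""

# Constructed sample of `docker inspect speedtest` output: the service listens
# on 80 inside the container and is published as 6580 on the host (-p 6580:80).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/speedtest",
    "Config": {"ExposedPorts": {"80/tcp": {}}},
    "HostConfig": {"PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "6580"}]}},
}])


def parse_proxy_conf(conf):
    """Return (container_name, port) that the proxy_pass line resolves to."""
    variables = dict(SET_RE.findall(conf))
    m = PASS_RE.search(conf)
    if not m:
        raise ValueError("no proxy_pass using an $upstream variable found")
    var, port = m.groups()
    if var not in variables:
        raise ValueError(f"proxy_pass references ${var} but no 'set ${var}' line exists")
    return variables[var], int(port)


def container_ports(inspect_json):
    """Return (name, set of container-side ports, host_port -> container_port)."""
    info = json.loads(inspect_json)[0]
    name = info["Name"].lstrip("/")
    exposed = {int(p.split("/")[0]) for p in info["Config"].get("ExposedPorts") or {}}
    host_to_container = {}
    for cport, binds in (info["HostConfig"].get("PortBindings") or {}).items():
        for b in binds or []:
            host_to_container[int(b["HostPort"])] = int(cport.split("/")[0])
    return name, exposed, host_to_container


def check_upstream(conf, inspect_json):
    """Classify the proxy_pass target:
    ("ok", port)                  - port is one the container itself listens on
    ("host_port", container_port) - conf used the host-published port; use container_port
    ("wrong_container", None)     - the $upstream name does not match the container
    ("unknown", None)             - port is neither exposed nor mapped
    """
    upstream, port = parse_proxy_conf(conf)
    name, exposed, host_to_container = container_ports(inspect_json)
    if upstream != name:
        return ("wrong_container", None)
    if port in exposed:
        return ("ok", port)
    if port in host_to_container:
        return ("host_port", host_to_container[port])
    return ("unknown", None)


if __name__ == "__main__":
    print(check_upstream(SAMPLE_CONF, SAMPLE_INSPECT))                            # host_port -> use 80
    print(check_upstream(SAMPLE_CONF.replace(":6580;", ":80;"), SAMPLE_INSPECT))  # ok
```

On a real box, feed it `cat /config/nginx/proxy-confs/speedtest.subdomain.conf` and `docker inspect speedtest`; the name comparison also catches the other question aptalca asked (whether the container is really called `speedtest`), since the `$upstream_*` value must resolve on the docker network.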

Hi all,

 

Having an odd issue at container startup "Can't open privkey.pem for reading, No such file or directory".  However, the keys are saved in the folder specified and the privileges for the files should allow letsencrypt to access them (even tried 777). Any help would be appreciated.

 

- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/XXXXXXX.duckdns.org-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/XXXXXXX.duckdns.org-0001/privkey.pem
Your cert will expire on 2019-06-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot

again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Can't open privkey.pem for reading, No such file or directory
22760616274792:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('privkey.pem','r')

22760616274792:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

unable to load private key
cat: privkey.pem: No such file or directory
cat: fullchain.pem: No such file or directory
New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
cat: privkey.pem: No such file or directory
cat: fullchain.pem: No such file or directory
New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

 

Edit:

 

After fiddling a bit the problem  continues and now I cannot get new certs.

 

...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
An unexpected error occurred:

There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: XXXXXXX.duckdns.org,linnio.duckdns.org,lserv.duckdns.org: see https://letsencrypt.org/docs/rate-limits/

Please see the logfiles in /var/log/letsencrypt for more details.
Can't open privkey.pem for reading, No such file or directory
23291569253224:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('privkey.pem','r')

23291569253224:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

unable to load private key
cat: privkey.pem: No such file or directory
cat: fullchain.pem: No such file or directory
New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
nginx: [emerg] BIO_new_file("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

[services.d] done.
Server ready
Server ready
nginx: [emerg] BIO_new_file("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

nginx: [emerg] BIO_new_file("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

nginx: [emerg] BIO_new_file("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

 

Edited by cablecutter
8 hours ago, cablecutter said:

Hi all,

 

Having an odd issue at container startup "Can't open privkey.pem for reading, No such file or directory".  However, the keys are saved in the folder specified and the privileges for the files should allow letsencrypt to access them (even tried 777). Any help would be appreciated.

 


- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/XXXXXXX.duckdns.org-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/XXXXXXX.duckdns.org-0001/privkey.pem
Your cert will expire on 2019-06-05. To obtain a new or tweaked
version of this certificate in the future, simply run certbot

again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Can't open privkey.pem for reading, No such file or directory
22760616274792:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('privkey.pem','r')

22760616274792:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

unable to load private key
cat: privkey.pem: No such file or directory
cat: fullchain.pem: No such file or directory
New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
cat: privkey.pem: No such file or directory
cat: fullchain.pem: No such file or directory
New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

 

Edit:

 

After fiddling a bit the problem  continues and now I cannot get new certs.

 


...
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate
An unexpected error occurred:

There were too many requests of a given type :: Error finalizing order :: too many certificates already issued for exact set of domains: XXXXXXX.duckdns.org,linnio.duckdns.org,lserv.duckdns.org: see https://letsencrypt.org/docs/rate-limits/

Please see the logfiles in /var/log/letsencrypt for more details.
Can't open privkey.pem for reading, No such file or directory
23291569253224:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('privkey.pem','r')

23291569253224:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

unable to load private key
cat: privkey.pem: No such file or directory
cat: fullchain.pem: No such file or directory
New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
nginx: [emerg] BIO_new_file("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

[services.d] done.
Server ready
Server ready
nginx: [emerg] BIO_new_file("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

nginx: [emerg] BIO_new_file("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

nginx: [emerg] BIO_new_file("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

 

Post your container settings

11 hours ago, aptalca said:

Post your container settings

[screenshot: container settings]

 

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d XXXXXX.duckdns.org -d XXXXXXX.duckdns.org -d XXXXXXXX.duckdns.org
E-mail address entered: XXXXXXXXXXXXXXXX@gmail.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
An unexpected error occurred:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: linnaeus.duckdns.org,linnio.duckdns.org,lserv.duckdns.org: see https://letsencrypt.org/docs/rate-limits/

Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

Edited by cablecutter
2 minutes ago, cablecutter said:

[screenshot: container settings]

 


2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d XXXXXX.duckdns.org -d XXXXXXX.duckdns.org -d XXXXXXXX.duckdns.org
E-mail address entered: XXXXXXXXXXXXXXXX@gmail.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
An unexpected error occurred:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: linnaeus.duckdns.org,linnio.duckdns.org,lserv.duckdns.org: see https://letsencrypt.org/docs/rate-limits/

Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

You've hit the request limit:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: linnaeus.duckdns.org,linnio.duckdns.org,lserv.duckdns.org: see https://letsencrypt.org/docs/rate-limits/

Need to wait for that to reset, which I believe is 7 days.

Link to post
34 minutes ago, cablecutter said:

[screenshot: container settings]

 


2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d XXXXXX.duckdns.org -d XXXXXXX.duckdns.org -d XXXXXXXX.duckdns.org
E-mail address entered: XXXXXXXXXXXXXXXX@gmail.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
An unexpected error occurred:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: linnaeus.duckdns.org,linnio.duckdns.org,lserv.duckdns.org: see https://letsencrypt.org/docs/rate-limits/

Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

It seems when you messed with the permissions, you prevented the container from properly deleting the certs folder and when it regenerated certs, it created a duplicate folder with a 0001 appended to the name. Start over, don't change any permissions.

 

Also a side note, duckdns shouldn't really be the url variable. Url should be yoursubdomain.duckdns.org and subdomains should be any sub-subdomains you would like to use, i.e. "sonarr" so you can access sonarr.yoursubdomain.duckdns.org

 

If you need to add additional duckdns subdomains (usually needed for servers with different IPs, although I doubt that's the case here since they all need to point to the same letsencrypt instance), put them in the extra domains.

Edited by aptalca
14 hours ago, cablecutter said:

Thanks aptalca, I deleted the folder and started from scratch, but won't be able to test this again until the cert request count resets.

If you change the set, you'll be able to get a cert because your current restriction is "for the exact set of domains". I recommend starting with one duckdns subdomain as the url and see what happens. You can then expand if you need to.

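Two of aptalca's points above go together: how the container turns URL, SUBDOMAINS, ONLY_SUBDOMAINS and EXTRA_DOMAINS into the names it orders (one duckdns name as URL, "sonarr" as a sub-subdomain, additional duckdns names in the extra domains), and that the rate limit in the log applies to the exact set of names, so a different set gets a certificate straight away. The script below is an added example, not code from the thread or from linuxserver.io: it builds the set the container would request from those variables (semantics as documented for the container; the `wildcard` value for SUBDOMAINS is not modelled) and compares it with the set named in the "too many certificates already issued for exact set of domains" line. The log line is the one quoted in the thread; the variable values are constructed to show the original setup, a reshuffle that does not help, and the setup aptalca recommends.

```python
"""Compute the exact set of names a linuxserver letsencrypt/SWAG container will
order from URL / SUBDOMAINS / ONLY_SUBDOMAINS / EXTRA_DOMAINS and compare it with
the set in a Let's Encrypt "exact set of domains" rate-limit message.
Added example; sample values are constructed around the thread's log."""
import re

RATE_LIMIT_RE = re.compile(
    r"too many certificates already issued for exact set of domains: "
    r"(?P<domains>[^:\s]+)"
)

# The error line quoted in the thread (already unredacted there).
SAMPLE_LOG_LINE = (
    "There were too many requests of a given type :: Error creating new order :: "
    "too many certificates already issued for exact set of domains: "
    "linnaeus.duckdns.org,linnio.duckdns.org,lserv.duckdns.org: "
    "see https://letsencrypt.org/docs/rate-limits/"
)


def _split(csv):
    """Split a comma-separated container variable, ignoring blanks."""
    return [x.strip() for x in csv.split(",") if x.strip()]


def requested_domains(url, subdomains="", only_subdomains=False, extra_domains=""):
    """Names that end up in one certificate order.

    URL is the base name; each SUBDOMAINS entry becomes <sub>.<URL>;
    ONLY_SUBDOMAINS=true drops the base itself; EXTRA_DOMAINS are added as given.
    Order is irrelevant to the rate limit, hence a frozenset.
    """
    names = set() if only_subdomains else {url}
    names.update(f"{sub}.{url}" for sub in _split(subdomains))
    names.update(_split(extra_domains))
    return frozenset(names)


def rate_limited_set(log_line):
    """Extract the blocked domain set from the error line, or None if absent."""
    m = RATE_LIMIT_RE.search(log_line)
    return frozenset(_split(m.group("domains"))) if m else None


def would_hit_limit(env, log_line):
    """True when the container's next order is for exactly the blocked set."""
    blocked = rate_limited_set(log_line)
    return blocked is not None and requested_domains(**env) == blocked


if __name__ == "__main__":
    # Original setup: URL=duckdns.org, three SUBDOMAINS, ONLY_SUBDOMAINS=true -> blocked.
    print(would_hit_limit(dict(url="duckdns.org", subdomains="linnaeus,linnio,lserv",
                               only_subdomains=True), SAMPLE_LOG_LINE))
    # Same three names, just moved into EXTRA_DOMAINS: identical set -> still blocked.
    print(would_hit_limit(dict(url="linnaeus.duckdns.org",
                               extra_domains="linnio.duckdns.org,lserv.duckdns.org"),
                          SAMPLE_LOG_LINE))
    # One duckdns name as URL plus a "sonarr" sub-subdomain: a new set -> not blocked.
    print(would_hit_limit(dict(url="linnaeus.duckdns.org", subdomains="sonarr"),
                          SAMPLE_LOG_LINE))
```

The middle case is the one that catches people: moving the same names between SUBDOMAINS and EXTRA_DOMAINS changes nothing, because Let's Encrypt keys the duplicate-certificate limit on the set of names, not on how the client was configured to produce it.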

OK, I REALLY need help!!!

I'm exhausted trying to make this work (Letsencrypt and NGINX)
After A LOT of time trying to get my certificates to validate, I finally contacted my ISP who confirmed they are blocking port 80...

So I moved my domain name to CloudFlare and changed the validation to that, so FINALLY I was able to get Letsencrypt to get the certificates.

[screenshot: letsencrypt.png]

 

So now, my problem is nginx, I just can't get the HTTPS url to work. (trying first with nextcloud and SABNZBD)

I read a lot of tutorials, etc... and pretty sure I got everything right...

Here is my letsencrypt docker settings:

[screenshot: letsencryptdocker.png]

-CNAME created

[screenshot: cloudflare.png]

-I can ping the subdomains

-Did the custom network for the dockers and assigned letsencrypt, nextcloud and SABNZBD to it

[screenshot: dockers.png]

-Did my NAT config in my PFSENSE to open 443 (to 443, since that's what I'm using in the docker; UNRAID is using another port than 80 as well)

[screenshot: pfsense.png]

 

I confirmed port 443 is open when Letsencrypt is running:
[screenshot: port.png]

 

Renamed the files in /appdata/letsencrypt/nginx/proxy-confs (the nextcloud subdomain one and the sabnzbd subdomain one)

[screenshot: proxy-confs - sfUNRAID - WinSCP.png]

 

Edited the config.php in /appdata/nextcloud/www/nextcloud (changed my actual domain name to "mydomain.ca")

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'oceazvkmg45k',
  'passwordsalt' => 'EaiIqWmh7ARTfOGMcQPjIlPy/ZXcmL',
  'secret' => 'UfTMrKdIb3ZmO/CNaFUgZSz2ygB91jt8M4JcyJ5aizsHxGWe',
  'trusted_domains' => 
  array (
    0 => '192.168.1.5:444',
    1 => 'nextcloud.mydomain.ca',
  ),  
  'trusted_proxies' => ['letsencrypt'],
  'overwrite.cli.url' => 'https://nextcloud.mydomain.ca/',
  'overwritehost' => 'nextcloud.mydomain.ca',
  'overwriteprotocol' => 'https',  
  'dbtype' => 'mysql',
  'version' => '15.0.2.0',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.5:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'sf-Pass',
  'installed' => true,
);

Restarted all dockers multiple times but still cannot access using https://nextcloud.mydomain.ca

[screenshot: error.png]

 

Please help, I'm out of ideas (and patience lol)

 

***I'm on RC version 6.7.0 RC5, god I hope that is not why it's not working...

 

 

Edited by sfnetwork