[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Hi Guys,

 

I need a little guidance.... I am almost there.... but there is a little bit of a struggle w/ NGINX's page serving... I have Googled and nothing has helped.

 

First Issue

So, reverse proxies are working great. I have my own qualified domain and all external traffic gets routed properly. I also have a personal web site for my private use, which I want to password protect when accessing it from the outside via domain name.

 

The web site is stored in the \appdata\letsencrypt\www\personalwebsite folder. In my default file I have added the code below to the bottom of the block:

 

# main server block
server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;

	root /config/www;
	index index.html index.htm index.php;

	server_name nandito.com;

	# enable subfolder method reverse proxy confs
	include /config/nginx/proxy-confs/*.subfolder.conf;

	# all ssl related config moved to ssl.conf
	include /config/nginx/ssl.conf;

	# enable for ldap auth
	#include /config/nginx/ldap.conf;

	client_max_body_size 0;

	location / {
		try_files $uri $uri/ /index.html /index.php?$args =404;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}

	# password-protected personal site (added at the bottom of the block)
	location ~ ^/personalwebsite/.* {
		try_files $uri $uri/ /index.html /index.php?$args =404;
		auth_basic "Restricted";
		auth_basic_user_file /config/nginx/.htpasswd;
	}
}

 

So this has properly password protected when accessing from the internet...:

 

https://MyDomainName.com/personalwebsite

 

but it has ALSO protected it when using it internally....

 

https://192.168.0.200/personalwebsite

 

Is there a way to not require the password if accessing it internally?

 

Second Issue

I own 2 fully qualified domain names. I am only able to certify one of them... in the docker config, I have tried:

 

Docker Name: FirstDomainName.com;SecondDomainName.com

Subdomains: www,

and

Docker Name: FirstDomainName.com

Subdomains: www,SecondDomainName.com

 

Neither of these options creates the certificate for the second domain. Is there a way to fix? Once fixed, I will attempt giving the second domain its own folder.... but I don't know where to store this folder... /config/www2? and add a new non-default server block?

 

Thank you guys.... for ages I have been trying to migrate to LE/NGINX... I resolved the php issues by changing some of the php callouts to a MariaDB database.

 

I feel like I have been alone on a small deserted island and now I am swimming to the shore to join the rest of the world!

 

H.

 

Edited by hernandito
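One way to exempt the LAN from the password, as an added example rather than anything posted in the thread: nginx's `satisfy any` lets a request through if either the client address is on the allow list or basic auth succeeds. It assumes the LAN is 192.168.0.0/24 (inferred from the 192.168.0.200 address above) and replaces the personalwebsite location in the block above; it also switches that location to a `^~` prefix match, because nginx checks regex locations in order, so the earlier `location ~ \.php$` would otherwise serve /personalwebsite/*.php before the password check is ever reached.

```nginx
# Added example, not from the thread: replaces the
# "location ~ ^/personalwebsite/.*" block in /config/nginx/site-confs/default.
# Assumes the LAN is 192.168.0.0/24 and that the container sees the real
# client address (check $remote_addr in the access log before trusting this).

location ^~ /personalwebsite/ {
	# "^~" is a prefix match that tells nginx NOT to consult the regex
	# locations. Without it, /personalwebsite/index.php is matched by the
	# "location ~ \.php$" block first and auth_basic is never evaluated.

	# satisfy any: access is granted if EITHER the address check OR basic
	# auth passes. LAN clients therefore get no prompt; everyone else does.
	satisfy any;
	allow 192.168.0.0/24;   # assumed LAN range
	allow 127.0.0.1;        # requests from inside the container itself
	deny  all;              # all other addresses must authenticate

	auth_basic "Restricted";
	auth_basic_user_file /config/nginx/.htpasswd;

	try_files $uri $uri/ /index.html /index.php?$args =404;

	# PHP inside the protected folder is handled by a nested location so the
	# satisfy/allow/deny/auth_basic settings above still apply to it.
	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}
}
```

Confirm what address the container logs for a LAN client in /config/log/nginx/access.log before relying on the allow list: a Docker or router NAT layer that rewrites the source address would make the allow rule either never match or match everyone behind that NAT.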
1 hour ago, hernandito said:
Use the extra domains variable for the second domain

4 hours ago, aptalca said:

Use the extra domains variable for the second domain

Thank you.... EDITED - created the variable and it worked perfectly. 

 

Now, can anyone help on my first issue?

 

thanks!!!

 

h.

Edited by hernandito
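For the follow-up question about giving the second domain its own folder and a non-default server block, here is an added example (not from the thread or the linuxserver project). It assumes the container was started with `-e EXTRA_DOMAINS=SecondDomainName.com,www.SecondDomainName.com` so that the single certificate referenced by ssl.conf also covers that name, that the site files live in /config/www2, and that the block is saved as its own file in /config/nginx/site-confs/ (the filename is an assumption).

```nginx
# Added example, not from the thread: /config/nginx/site-confs/seconddomain.conf
# (assumed filename). Requires the container to have been created with
#   -e EXTRA_DOMAINS=SecondDomainName.com,www.SecondDomainName.com
# Otherwise the certificate loaded by ssl.conf will not list this name and
# browsers will show a name-mismatch error for it.

server {
	# No "default_server" here: that stays on the main block, which is what
	# answers requests by bare IP address or for unknown hostnames.
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	server_name SecondDomainName.com www.SecondDomainName.com;

	# Separate document root so the two sites cannot serve each other's files.
	root /config/www2;
	index index.html index.htm index.php;

	# Same certificate and TLS settings as the main block.
	include /config/nginx/ssl.conf;

	client_max_body_size 0;

	location / {
		try_files $uri $uri/ /index.html /index.php?$args =404;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}
}
```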
6 hours ago, gacpac said:

I'm wondering. 

 

I have a domain but also want to use duckdns.org as my other domain. 

 

Is it possible to certify 2 domains, if so. How can I do it? 

 


 

You can add it as an extra domain. Read the Readme in the github link in the first post.


Hi There,

 

I have done a bunch of searching here and elsewhere and can't seem to find an answer on this.

 

1. I have OpenVPN AS setup in a docker with ports 943 Web and 9443 TCP VPN port open

2. I am looking to use letsencrypt to redirect 443 for domain vpn.duckdns.org to local server 192.168.1.5:9443 for vpn connections

 

Does anyone have any idea how i would set this up in the letsencrypt docker. Reason for this is work is blocking anything but HTTP/HTTPS so need to be accessing on one of these open ports.

 

Help would greatly be appreciated.

 

Thanks!

I'd like to know for future deployments too. I was able to get letsencrypt forwarding the address without the port, but this port needs to be open regardless



Sent from my Pixel 2 XL using Tapatalk

1 hour ago, Draco said:
Google nginx tcp stream proxy. It's very easy and straightforward.


I have let's encrypt working well with the pre configured dockers like sonarr, deluge etc but I would like to add rdp-calibre and/or cops ebook servers to the reverse proxy and in all honesty I haven't got a clue how... I've tried renaming and editing some of the existing examples but they don't seem to work.. 

 

I'm using my own domain name. 

 

 


Alright so I woke up to this error.

 

nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /config/nginx/site-confs/default:9

Strange, since I haven't changed anything. So I remove the "default_server" part in line 9 and then I get the following issue below. Tried new install and get the same issues.

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:

no field package.preload['resty.core']
no file './resty/core.lua'
no file '/usr/share/luajit-2.1.0-beta3/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core.lua'
no file '/usr/local/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/5.1/resty/core.lua'
no file '/usr/share/lua/5.1/resty/core/init.lua'
no file '/usr/share/lua/common/resty/core.lua'
no file '/usr/share/lua/common/resty/core/init.lua'
no file './resty/core.so'
no file '/usr/local/lib/lua/5.1/resty/core.so'
no file '/usr/lib/lua/5.1/resty/core.so'
no file '/usr/local/lib/lua/5.1/loadall.so'
no file './resty.so'
no file '/usr/local/lib/lua/5.1/resty.so'
no file '/usr/lib/lua/5.1/resty.so'
no file '/usr/local/lib/lua/5.1/loadall.so')

 

Edited by aaronhong13
Added more information
8 hours ago, aaronhong13 said:

Same here, could it be a faulty update?

 

I've reverted back to linuxserver/letsencrypt:0.34.1-ls25 and it works like normal again.

Edited by ulTimaS
4 hours ago, aaronhong13 said:
Same problem here

4 hours ago, capino said:

Same problem here

and here. I rolled back a version. Just change the repository entry to "linuxserver/letsencrypt:0.34.1-ls25" until an update with a fix is here.

Edited by Draic
2 hours ago, Draic said:

and here. I rolled back a version. Just change the repository entry to "linuxserver/letsencrypt:0.34.1-ls25" until an update with a fix is here.

I also woke up to this issue. Rolled back and everything is working fine.

47 minutes ago, aptalca said:

I can't reproduce the error. Please list the reverse proxy configs you enabled or any specific changes you made to your nginx or site configs

sonarr, radarr, nextcloud, tautulli, unifi (not docker pointing to vm), taisun, guacamole, jackett.

 

I can access my dockers via the proxy

Edited by ijuarez
added info

I can't rollback to an older working version, I put 

linuxserver/letsencrypt:0.34.1-ls25

into the Repository field but I just get:

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='letsencrypt' --net='bridge' --privileged=true -e TZ="Europe/Berlin" -e HOST_OS="Unraid" -e 'EMAIL'='(redacted)' -e 'URL'='(redacted).duckdns.org' -e 'ONLY_SUBDOMAINS'='false' -e 'DHLEVEL'='2048' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'SUBDOMAINS'='www,' -e 'PUID'='99' -e 'PGID'='100' -p '43666:80/tcp' -p '43667:443/tcp' -v '/mnt/user/appdata/letsencrypt':'/config':'rw' 'linuxserver/letsencrypt:0.34.1-ls25' 
/usr/bin/docker: invalid reference format.
See '/usr/bin/docker run --help'.

The command failed.

Anyone else or is it something on my end?

 

EDIT: I fixed it by reverting to an even older version:

linuxserver/letsencrypt:0.34.0-ls24

I got the version number from here: https://github.com/linuxserver/docker-letsencrypt/releases

Edited by nadbmal

Reproduced them.

 

There are two separate issues. The issue of nginx not starting is fixed in the next update.

 

Still looking into the luajit error, but it seems to only affect lua, nothing else.

4 hours ago, aptalca said:

I can't reproduce the error. Please list the reverse proxy configs you enabled or any specific changes you made to your nginx or site configs

Unraid Version: 6.7.0-rc8

Latest docker build.

All my configurations live in the default file found below.
https://pastebin.com/CzAZ0ELM


OK, I need some help. I have letsencrypt working fine. It works with plex and is in dns mode due to my ISP. I want to be able to get it to work with binhex-jackett but any configuration I try within letsencrypt just gives me an error 500. Now I understand that I won't be able to access the gui from my domain but my real goal is to replace the 192.168 address for the torznab feeds with my domain. aka domain.com:8446/torznab.... can anyone help me try to figure this out?


Hello. I am trying to setup letsencrypt following spaceinvaderone's video. However, I cannot get letsencrypt to verify.

 

I am utilising an Ubiquiti USG as my router. I have set port forwarding in the controller (running in a docker container) for port 80 to 180 and 443 to 1443 following spaceinvaderone's recommendation. According to the controller the port forwarding is working.

 

I have set the same ports in the container template and added my own domain name and the subdomain. I have edited the DNS settings in my domain provider adding a new CNAME "nextcloud" with the value set to my dynamic IP address with no-ip.

 

I am getting the message "ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container"

 

I have gone over my settings quite a few times but cannot see what I have done wrong. Could someone offer advice?

 

I have noted in no-ip's control panel that the dynamic DNS is not configured/detected for the subdomain. I don't know if this is the problem. It is showing the correct IP target though. I have dynamic DNS set in the unifi controller to my host name, but not to the second hostname listed in the dashboard. The unifi controller won't allow me to set two dynamic DNS entries to the same service.

On 5/8/2019 at 1:04 PM, aptalca said:

Reproduced them.

 

There are two separate issues. The issue of nginx not starting is fixed in the next update.

 

Still looking into the luajit error, but it seems to only affect lua, nothing else.

I am also seeing this error and I am on unraid 6.6.7 and just use Ombi site-conf file. All appears to be working though, but I am concerned about performance and security.

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:

 

Just curious what's Lua?

Sent from my SM-N960U using Tapatalk
