[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Ok, I'm back.
As stated before I have my reverse proxy set up for my Home-Assistant docker, and it's working well.
I'm trying to get Sonarr, Couchpotato and NZBGet set up now.

So far I have Couchpotato working perfectly.
Sonarr works as well, but the address comes out differently once it resolves. It shows up as https://couchpotato.mydomain.com/mydomain.com
NZBGet on the other hand resolves to the correct URL but it simply loads up the main "Welcome" webpage.

I'm overlooking something with regard to adding proxies to the default file.
Any help is appreciated.

EDIT Resolved
Avoided the use of the default file and created 3 extra files in the same directory as the default.

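To illustrate the per-application approach ritalin settled on, here is an added example of one such file. It is example config written for this page, not ritalin's files and not config shipped by the image. It assumes the file sits in the same directory as the default file and is included from there, that the Sonarr container is reachable from the proxy as sonarr on port 8989, and that the certificate lives under /etc/letsencrypt/live/ as in the renewal logs quoted later in this thread; adjust names, port and paths to your own setup.

```nginx
# Added example: one per-application file (e.g. sonarr.conf) placed in the same
# directory as the "default" site config. The upstream name, port, domain and
# certificate paths are assumptions for this example.
server {
    listen 443 ssl;
    server_name sonarr.mydomain.com;

    # Assumed certificate location; use whatever path the container generates.
    ssl_certificate     /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;

    location / {
        # proxy_pass without a URI part forwards the request path unchanged,
        # so the application sees exactly what the browser asked for.
        proxy_pass http://sonarr:8989;

        # Pass the public host and scheme so that redirects the application
        # generates point back at https://sonarr.mydomain.com, not at the
        # internal name or a mangled path.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# Plain HTTP for this hostname only redirects to HTTPS; nothing is served in clear.
server {
    listen 80;
    server_name sonarr.mydomain.com;
    return 301 https://$host$request_uri;
}
```

Keeping one server block per subdomain in its own file means a mistake in one application's block does not take the others down, and an application is unexposed again simply by deleting its file. Because proxy_pass carries no URI part, the path reaches the application unchanged, and the X-Forwarded-* headers give the backend what it needs to build redirects that point at the public hostname.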
So would anyone like to help me set up Let's Encrypt? I just can't figure it out. We could use TeamViewer. Thinking Thursday sometime if that would work for anyone. I live in the USA on the east coast. Just let me know ahead of time what information you might need so I can have it all ready to go. Feel free to PM if you want.

Thanks


Sure, I can help you out this Thursday. I sent you a PM.

I have switched from Aptalca's docker, which was working perfectly, to the linuxserver one, kept my old nginx config and am now getting this error:

nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)

I have the HTTPS port mapped to 4443. The reason for this is that I also run an OpenVPN-AS docker which intercepts all 443 traffic coming into the NAS (so I can run a VPN to home on TCP/443 and get around firewall restrictions in a lot of locations). You can configure OpenVPN to pass non-VPN traffic on to another server, in this case my letsencrypt/nginx docker, which I have set to 4443 normally (with it appearing as 443 inside the docker).

Now this worked perfectly before but doesn't with the newer linuxserver docker. Is this new docker hard-wired to only work with 443 somehow? It doesn't seem like that should be the case.


2 hours ago, planetwilson said:

I have switched from Aptalca's docker, which was working perfectly, to the linuxserver one, kept my old nginx config and am now getting this error:

nginx: [emerg] bind() to 0.0.0.0:443 failed (98: Address in use)

I have the HTTPS port mapped to 4443. The reason for this is that I also run an OpenVPN-AS docker which intercepts all 443 traffic coming into the NAS (so I can run a VPN to home on TCP/443 and get around firewall restrictions in a lot of locations). You can configure OpenVPN to pass non-VPN traffic on to another server, in this case my letsencrypt/nginx docker, which I have set to 4443 normally (with it appearing as 443 inside the docker).

Now this worked perfectly before but doesn't with the newer linuxserver docker. Is this new docker hard-wired to only work with 443 somehow? It doesn't seem like that should be the case.

My fault. I had replaced nginx.conf wholesale from the previous Docker. I did it again just transferring my server entries and all working now. Can't quite spot the difference though!


Hi there

I am trying to install Piwik analytics on my nginx webserver using your docker, but am missing iconv support.

I don't suppose it would be possible to add the --with-iconv option into your build scripts for PHP, if that is how it works :)

Please ...

System Check

PHP version >= 5.5.9  7.0.16
PDO extension
PDO\MYSQL extension
MYSQLI extension
Other required extensions  zlib
 SPL
 iconv: After making this change, restart your web server.
 json
 mbstring
 Reflection

You need to configure and rebuild PHP with "iconv" support enabled, --with-iconv.

Hi there

I am trying to install Piwik analytics on my nginx webserver using your docker, but am missing iconv support.

I don't suppose it would be possible to add the --with-iconv option into your build scripts for PHP, if that is how it works

Please ...

System Check

PHP version >= 5.5.9  7.0.16
PDO extension
PDO\MYSQL extension
MYSQLI extension
Other required extensions  zlib
 SPL
 iconv: After making this change, restart your web server.
 json
 mbstring
 Reflection

You need to configure and rebuild PHP with "iconv" support enabled, --with-iconv.


Can you exec into the container and install the package "php7-iconv" and see if it fixes your issue? If so we'll add it to the image in the next update.

You can install packages with "apk add --update php7-iconv"
On 11/19/2016 at 9:48 PM, ChaOConnor said:

I think the issue is you can't use a CNAME to point to a root domain, it has to be a subdomain, in this case "www". That's why it fails w/o the www.

Instead I'm going to use a permanent redirect (301) type from the root domain to the duckdns domain.

I'll have to let it propagate and see if it works.

Thanks for everyone's help!

I am having the same problem, and my hair has gone, I've been pulling it out so much!

Did this redirect work, and how does it look in your config if you don't mind sharing :)

Thanks in advance

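As an added example of the redirect ChaOConnor describes (example config written for this page, not ChaOConnor's or anyone else's actual config), here is a server block that answers for the bare domain and sends every request to the duckdns name with a 301. example.com, myhost.duckdns.org and the certificate paths are placeholders.

```nginx
# Added example: permanent redirect from a bare (apex) domain to a duckdns
# subdomain, as an alternative to a CNAME on the apex (which DNS does not
# allow). Domain names and certificate paths are placeholders.
server {
    listen 80;
    listen 443 ssl;
    server_name example.com;

    # The HTTPS redirect still needs a valid certificate for example.com,
    # otherwise browsers warn before they ever see the 301.
    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # $request_uri keeps the path and query string (e.g. /sonarr/?page=2)
    # so deep links survive the redirect.
    return 301 https://myhost.duckdns.org$request_uri;
}
```

Two things to check before relying on this: the A record for the bare domain must still point at the box running the proxy, because the redirect happens in nginx rather than in DNS; and browsers cache a 301 aggressively, so testing with return 302 first avoids being stuck with a wrong target while the config is being adjusted.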
On 2/26/2017 at 1:25 AM, aptalca said:

Can you exec into the container and install the package "php7-iconv" and see if it fixes your issue? If so we'll add it to the image in the next update.

You can install packages with "apk add --update php7-iconv"

Apologies aptalca for my delayed response; I had to get my website going again asap for something else, so got delayed.

I also deleted the Piwik setup from the letsencrypt container as I was unclear if it could be accessed externally with nothing set up yet, so I deleted it and cannot quickly test adding iconv back in.

I did try adding it myself at the time but forgot you had updated to php7, so tried to add the wrong file, which was not found.

Also, I am not clear whether adding Piwik directly to this container with my reverse proxy would be the best setup, or whether I should use your nginx container to host Piwik in a similar way to how you have done Nextcloud.

To add further complication, I see your nginx container is Ubuntu and not Alpine (which I love), so I was thinking again about the best approach to take.

Ideally you would create a Piwik container like Nextcloud using your existing nginx containers :) but I know you have enough to do already! :)

On 2/25/2017 at 5:25 PM, aptalca said:

Can you exec into the container and install the package "php7-iconv" and see if it fixes your issue? If so we'll add it to the image in the next update.

You can install packages with "apk add --update php7-iconv"

It would be great if you could add the dom, pdo_sqlite, and iconv extensions. I added them manually but have to re-add them once the containers get updated.

 
Apologies aptalca for my delayed response; I had to get my website going again asap for something else, so got delayed.

I also deleted the Piwik setup from the letsencrypt container as I was unclear if it could be accessed externally with nothing set up yet, so I deleted it and cannot quickly test adding iconv back in.

I did try adding it myself at the time but forgot you had updated to php7, so tried to add the wrong file, which was not found.

Also, I am not clear whether adding Piwik directly to this container with my reverse proxy would be the best setup, or whether I should use your nginx container to host Piwik in a similar way to how you have done Nextcloud.

To add further complication, I see your nginx container is Ubuntu and not Alpine (which I love), so I was thinking again about the best approach to take.

Ideally you would create a Piwik container like Nextcloud using your existing nginx containers, but I know you have enough to do already!

Nginx has just been rebased to Alpine 3.5 with php7 (same versions as the letsencrypt one).
Any chance an upgrade to nginx is in the queue? I require the ngx_stream_ssl_preread module and the ngx_stream_map module. Sounds like those are in 1.11.5.

We install whatever nginx package is in the latest stable alpine (currently alpine 3.5). But even alpine edge only has nginx 1.10.3 and no stream map or stream ssl preread (unless those are bundled into the stream mod package). I'm not really familiar with those modules
16 hours ago, aptalca said:

Nginx has just been rebased to Alpine 3.5 with php7 (same versions as the letsencrypt one).

That's great, thanks, and what a saving, 176M to 46M :)

I hope to get Piwik going on it today, so thanks for the base to try and mess up :D

Edit: Piwik running lovely with the letsencrypt docker too, thanks :)


I suppose it's been close to 90 days since I initially set this up. It has been working flawlessly since, but the gap in time has rendered this docker foreign to me once again.

I was surprised a search within the thread for "renew" did not produce more results. I have been receiving regular emails for the past week from the Let's Encrypt Expiry Bot stating:

---------------------

Hello,

Your certificate (or certificates) for the names listed below will expire in
1 days (on 01 Mar 17 03:37 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.

--------------------

I reviewed my log file to see this:

<------------------------------------------------->
cronjob running on Wed Mar 1 05:59:53 PST 2017
Running certbot renew

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/***.duckdns.org.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
/etc/letsencrypt/live/***.duckdns.org/fullchain.pem (skipped)
No renewals were attempted.
2017-03-01 05:59:54,446 fail2ban.server [258]: INFO Starting Fail2ban v0.9.4
2017-03-01 05:59:54,447 fail2ban.server [258]: INFO Starting in daemon mode
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

So according to this, they're not due for renewal? I'm a little confused. Is there something I can manually do to renew, or is this going to take care of it? As of now, it seems to still be up and running.

Thanks!

I suppose it's been close to 90 days since I initially set this up. It has been working flawlessly since, but the gap in time has rendered this docker foreign to me once again.

I was surprised a search within the thread for "renew" did not produce more results. I have been receiving regular emails for the past week from the Let's Encrypt Expiry Bot stating:

---------------------
Hello,

Your certificate (or certificates) for the names listed below will expire in
1 days (on 01 Mar 17 03:37 +0000). Please make sure to renew
your certificate before then, or visitors to your website will encounter errors.
--------------------

I reviewed my log file to see this:

cronjob running on Wed Mar 1 05:59:53 PST 2017
Running certbot renew

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/***.duckdns.org.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
/etc/letsencrypt/live/***.duckdns.org/fullchain.pem (skipped)
No renewals were attempted.
2017-03-01 05:59:54,446 fail2ban.server [258]: INFO Starting Fail2ban v0.9.4
2017-03-01 05:59:54,447 fail2ban.server [258]: INFO Starting in daemon mode
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

So according to this, they're not due for renewal? I'm a little confused. Is there something I can manually do to renew, or is this going to take care of it? As of now, it seems to still be up and running.

Thanks!

The one expiring is likely an old cert that is no longer used. Go to your website and check the cert details in your browser. It will tell you the expiration date.

Can anyone help me answer a question, please.

If I want to harden php7 specifically running on an nginx docker running behind this docker reverse proxy style, should I be adding hardening to the php7 on this docker or the target docker, or both?

I am assuming the target docker but have not fully convinced myself :)

Same goes for the nginx config for that reverse proxied application: do I add php7 restrictions to its vhost nginx config on this docker?

Thanks in advance


This container should be the one you concentrate all your security on, imho. I don't bother tackling the configs behind the reverse proxy as the communication between them and this container is taking place on my LAN, whereas this is the WAN-facing bit.

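Following that advice, here is an added example of what hardening on the WAN-facing container can look like: one site-conf for the proxy vhost that limits what reaches the PHP application behind it. This is example config written for this page, not config from the image or from anyone in the thread; app.mydomain.com, the backend address 192.168.1.50:8080, the blocked path names and the certificate paths are assumptions.

```nginx
# Added example: hardening applied on the reverse proxy (the WAN-facing
# container) in front of an application that speaks plain HTTP on the LAN.
# Hostname, backend address, blocked paths and certificate paths are assumptions.

# http-context directives (a site-conf is included inside the http block):
server_tokens off;   # stop advertising the nginx version in headers and error pages
# Per-client request throttle: 10 req/s per source IP, kept in a 10 MB zone.
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

server {
    listen 443 ssl http2;
    server_name app.mydomain.com;

    ssl_certificate     /etc/letsencrypt/live/app.mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/app.mydomain.com/privkey.pem;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;

    # Browser-side protections are set once here, whatever the backend sends.
    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;

    # Installer/setup paths of the PHP app are never reachable from the WAN
    # (assumed path names; match them to the application you are proxying).
    location ~* ^/(install|setup)/ { return 404; }
    # Dotfiles such as .env or .git must never be served through the proxy.
    location ~ /\. { return 404; }

    location / {
        # Only the methods the application actually needs; everything else is refused.
        limit_except GET HEAD POST { deny all; }

        # Absorb short bursts, answer sustained floods with 503 before the backend sees them.
        limit_req zone=perip burst=20 nodelay;
        client_max_body_size 10m;

        proxy_pass http://192.168.1.50:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Two points worth keeping in mind with this split. Restrictions placed on the proxy only help if the application is not also reachable directly from the WAN, so the backend should be bound to the LAN or the Docker network and not have its own port forwarded. And because the proxy's access and error log is the single place where refused requests (403, 404, 405, 503) show up, that log is where fail2ban filters in this image should be pointed, rather than at the application's own logs.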
