[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



16 hours ago, Spectral Force said:

Good morning/afternoon.  

 

I am a bit out of my element with the reverse proxy stuff and custom conf files and need some help.

 

I am trying to run the CSMM-7DTD server manager (docker by ich77) via reverse proxy and https. It works portionately via http, but uses Steam to login to the software itself and that's where I get hung up. I click my Steam login and because it's https it craps out. I am unsure if this is supposed to be handled by the .conf file or elsewhere. Anything to point me in the proper direction would be appreciated. What I do have for a conf file comes from the creator of CSMM. I am using the DuckDNS docker and links, as well as a CNAME from my website. Thanks in advance for any and all help.

 


server {
    server_name csmm.example.com;
    index index.html;

    location / {
        proxy_pass http://localhost:1337;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
        proxy_read_timeout 300;
        proxy_connect_timeout 300;
    }

    listen 80;
}

 

Don't copy paste a conf from another source. Use an existing preset proxy conf and modify accordingly.

 

The conf you posted above is missing all the ssl bits, and it tries to reverse proxy localhost, which won't work in a container. Also see the examples in the default site config for very basic confs.
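As an added illustration of the two problems named in that reply (not code from the SWAG project or from either poster), here is a small POSIX sh check that reads a proxy conf and reports a `proxy_pass` aimed at localhost, a missing 443 listener, and missing certificate settings. It assumes that `include /config/nginx/ssl.conf;`, which the SWAG preset confs use, counts as the certificate settings; the sample conf it writes is a constructed copy of the one posted above.

```shell
#!/bin/sh
# Added example for this thread; not code from the SWAG project or from the posters.
# check_proxy_conf FILE reads one nginx site conf and reports the problems the reply
# above names. It returns 0 when nothing was found and 1 otherwise; nginx is not needed.
# Assumption: the SWAG include /config/nginx/ssl.conf counts as certificate settings.

check_proxy_conf() {
    conf="$1"
    findings=0

    # Inside the SWAG container, localhost/127.0.0.1 is the container's own loopback,
    # so a proxy_pass to it never reaches the app running on the host or on proxynet.
    if grep -Eq '^[[:space:]]*proxy_pass[[:space:]]+https?://(localhost|127\.0\.0\.1)([:/]|$)' "$conf"; then
        echo "$conf: proxy_pass points at localhost; use the app container's name or its LAN address"
        findings=$((findings + 1))
    fi

    # No TLS listener at all means the vhost only answers plain HTTP.
    if ! grep -Eq '^[[:space:]]*listen[[:space:]]+(.*:)?443([[:space:]]|;)' "$conf"; then
        echo "$conf: no 'listen 443 ssl' directive"
        findings=$((findings + 1))
    fi

    # Certificate settings: explicit ssl_certificate lines or the SWAG ssl.conf include.
    if ! grep -Eq '^[[:space:]]*(ssl_certificate[[:space:]]|include[[:space:]]+/config/nginx/ssl\.conf)' "$conf"; then
        echo "$conf: no ssl_certificate lines and no 'include /config/nginx/ssl.conf'"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample: a trimmed copy of the conf posted above, written to a temp file
# so the check can be tried without touching a real /config/nginx directory.
write_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
server {
  server_name csmm.example.com;
  index index.html;
  location / {
    proxy_pass http://localhost:1337;
    proxy_http_version 1.1;
  }
  listen 80;
}
EOF
    echo "$f"
}

# Usage: ./check_proxy_conf.sh /config/nginx/proxy-confs/csmm.subdomain.conf
# With no argument the constructed sample is checked and its three findings are printed.
if [ "$#" -gt 0 ]; then
    check_proxy_conf "$1"
else
    sample=$(write_sample_conf)
    check_proxy_conf "$sample"
    rm -f "$sample"
fi
```

The check is deliberately line-based: it is meant as a quick sanity pass over a conf copied from somewhere else before it is dropped into proxy-confs, not as a replacement for `nginx -t`, which only validates syntax and would accept the localhost target without complaint.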


Anyone able to get reverse proxy on a searx docker working? I have 5 other dockers that work flawlessly, but for whatever reason I get a bad gateway with searx. It works with the internal br0 (http://192.168.1.19:8888), but when going to my external domain it doesn't work at all. CNAME is correctly set up and letsencrypt as well.

 

server {
    listen 80;
    listen 443 ssl;
    server_name searx.myprivatedomain.org;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DS>

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.1.19:8888;
        include /config/nginx/proxy.conf;
    }
}

 

Edited by ffhelllskjdje
4 minutes ago, ffhelllskjdje said:

Anyone able to get reverse proxy on a searx docker working? I have 5 other dockers that work flawlessly, but for whatever reason I get a bad gateway with searx. It works with the internal br0 (http://192.168.1.19:8888), but when going to my external domain it doesn't work at all. CNAME is correctly set up and letsencrypt as well.

 


server {
    listen 80;
    listen 443 ssl;
    server_name searx.myprivatedomain.org;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DS>

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.1.19:8888;
        include /config/nginx/proxy.conf;
    }
}

 

If it's macvlan, it blocks connections between macvlan and host. Try to ping it from inside the letsencrypt container.


Is it possible to use the reverse proxy to redirect traffic to an internal IP, either a VM or another machine? I am new to unraid, and I have a synology NAS that I am migrating away from. I have also set up a xpenology VM.

 

I have set up a number of synology units with friends and family and I like the way it handles backup, so I want to use my xpenology VM or current synology as a remote target.

 

I have set up the Letsencrypt docker and it works great after following the spaceinvaderone video. However, this only looks to work with dockers on the Unraid machine, via proxynet.

I found some example code to route the proxy pass to an internal IP, for example 192.168.X.XX, at https://www.reddit.com/r/unRAID/comments/apapqw/reverse_proxy_with_letsencrypt_docker_and_vm/

However, I can't get it to work. I have my own domain and plan to use something like xpenology.mydomain.com and synology.mydomain.com.

If I forward port 5001 to my xpenology VM I can connect directly using xpenology.mydomain.com:5001, but if I don't specify the port I get the "Welcome to our server" nginx splash page.

It would be nice to be redirected to each of these DSM web interfaces by using xpenology. and synology., as I can only forward 5001 once.

My config file is currently:

 

server {
    listen 443 ssl http2;

    server_name xpenology.*;
    server_tokens off;

    access_log /var/log/nginx/xpenology.SITE.access.log;
    error_log /var/log/nginx/xpenology.SITE.error.log error;

    ssl on;

    ssl_certificate /etc/letsencrypt/live/SITE/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/SITE/privkey.pem;

    location / {
        proxy_pass https://192.168.X.XXX:50001;
        proxy_redirect off;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_set_header X-Url-Scheme $scheme;
    }
}

 

1 hour ago, saarg said:

Permission issues are my guess. So check the permissions on the recentlyadded folder. They should be nobody:users.

[screenshot of folder permissions attached]

 

Everything has full access. I even changed the permissions via the unraid terminal and the terminal in the container as well.

Edited by Ladrek
12 hours ago, Ladrek said:

[screenshot of folder permissions attached]

 

Everything has full access. I even changed the permissions via the unraid terminal and the terminal in the container as well.

If you are going to post a screenshot of permissions, please post the ones from unraid command line, not something from windows.
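Since the request is for the ownership as the unraid command line reports it rather than as Windows shows it, here is an added POSIX sh helper (not from the SWAG project or from either poster) that walks a folder and lists every entry whose `user:group` differs from an expected pair. The expected pair is an argument: nobody:users is what saarg names above, but the container's PUID/PGID may map to something else; the temp tree it builds when run with no arguments is constructed for the demo.

```shell
#!/bin/sh
# Added example for this thread; not code from the SWAG project or from the posters.
# check_owner DIR USER:GROUP prints every entry under DIR whose owner/group, as
# "ls -ld" reports it, differs from USER:GROUP and returns 1 if any do, 0 otherwise.
# The expected pair is an argument (nobody:users per the reply above is the Unraid
# default for appdata; a container's PUID/PGID may map to a different pair).

owner_of() {
    # Same fields a person reads off "ls -ld": user is column 3, group is column 4.
    ls -ld "$1" | awk '{ print $3 ":" $4 }'
}

check_owner() {
    root="$1"
    want="$2"
    [ -e "$root" ] || { echo "$root: no such path" >&2; return 2; }
    # One ls line per entry in the tree; keep only those whose user:group differs.
    mismatched=$(find "$root" -exec ls -ld {} + | awk -v want="$want" '($3 ":" $4) != want')
    if [ -n "$mismatched" ]; then
        echo "entries not owned by $want:"
        echo "$mismatched"
        return 1
    fi
    echo "everything under $root is owned by $want"
    return 0
}

# Usage: ./check_owner.sh /mnt/user/appdata/letsencrypt nobody:users
# With no arguments a constructed temp tree owned by the current user is checked,
# once against its real owner (passes) and once against nobody:users (lists it).
if [ "$#" -ge 2 ]; then
    check_owner "$1" "$2"
else
    demo=$(mktemp -d)
    mkdir -p "$demo/recentlyadded"
    : > "$demo/recentlyadded/poster.jpg"
    check_owner "$demo" "$(owner_of "$demo")"
    check_owner "$demo" "nobody:users" || true
    rm -rf "$demo"
fi
```

Run it on the host (not from a Windows share), since SMB can present ownership that has nothing to do with the uid/gid the container actually sees; the output is exactly the `ls -ld` lines worth pasting into a reply.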


I'm trying to use this container, which I had working for a single subdomain, but now I'm getting the following after trying to add additional domains:

Plugins selected: Authenticator standalone, Installer None
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 157, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw
  File "/usr/lib/python3.7/site-packages/urllib3/util/connection.py", line 61, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

I've tried rebuilding the container etc., but I'm unable to get past this error.

Anyone able to help or point me in the right direction? This appears to be an issue with custom internal code, so I'm at a loss at being able to debug the issue myself.

Thanks for the help.

 


 

Hi, getting this when starting the container, no idea how to fix it. Please help.

 

Generating new certificate
An unexpected error occurred:
pkg_resources.ContextualVersionConflict: (cryptography 2.6.1 (/usr/lib/python3.7/site-packages), Requirement.parse('cryptography>=2.8'), {'PyOpenSSL'})
Please see the logfile '/tmp/tmph9dkw77d/log' for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
1 hour ago, g0nz0 said:

I'm trying to use this container, which I had working for a single subdomain, but now I'm getting the following after trying to add additional domains:

Plugins selected: Authenticator standalone, Installer None
An unexpected error occurred:
Traceback (most recent call last):
  File "/usr/lib/python3.7/site-packages/urllib3/connection.py", line 157, in _new_conn
    (self._dns_host, self.port), self.timeout, **extra_kw
  File "/usr/lib/python3.7/site-packages/urllib3/util/connection.py", line 61, in create_connection
    for res in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
  File "/usr/lib/python3.7/socket.py", line 748, in getaddrinfo
    for res in _socket.getaddrinfo(host, port, family, type, proto, flags):
socket.gaierror: [Errno -3] Try again

I've tried rebuilding the container etc., but I'm unable to get past this error.

Anyone able to help or point me in the right direction? This appears to be an issue with custom internal code, so I'm at a loss at being able to debug the issue myself.

Thanks for the help.

 

Post your container settings

13 minutes ago, g0nz0 said:

Sorry to be dense, but are they in an xml file somewhere like with rancher and its API?

If not, this is a copy paste from the docker container edit page:
 

Name: letsencrypt
Repository: linuxserver/letsencrypt
Network Type: Custom: br2.2502
Fixed IP address (optional): 10.250.2.101
Subnet: 10.250.2.0/24
Console shell command: Shell
Privileged: ON
http: Container Port: 80
https: Container Port: 443
Email: gonzo@g0nz0.me.uk
Domain Name: g0nz0.me.uk
Subdomain(s): unifi,plex,firewall,
Only Subdomains: true
Diffie Hellman: 2048
Validation: http
AppData Config Path: /mnt/user/appdata/letsencrypt

 

Edited by g0nz0
2 minutes ago, g0nz0 said:

If not, this is a copy paste from the docker container edit page:
 


Name: letsencrypt
Repository: linuxserver/letsencrypt
Network Type: Custom: br2.2502
Fixed IP address (optional): 10.250.2.101
Subnet: 10.250.2.0/24
Console shell command: Shell
Privileged: ON
http: Container Port: 80
https: Container Port: 443
Email: gonzo@g0nz0.me.uk
Domain Name: g0nz0.me.uk
Subdomain(s): unifi,plex,firewall,
Only Subdomains: true
Diffie Hellman: 2048
Validation: http
AppData Config Path: /mnt/user/appdata/letsencrypt

 

Seriously, it's working again now. The issue must have been an error coming back from the letsencrypt API or certbot and just not being handled well in the code.
 

If you're a / the dev on this project, let me know if you want some log extracts (specifically what you want from the logs etc) and I'll get them to you to investigate.

18 minutes ago, g0nz0 said:

Seriously, it's working again now. The issue must have been an error coming back from the letsencrypt API or certbot and just not being handled well in the code.
 

If you're a / the dev on this project, let me know if you want some log extracts (specifically what you want from the logs etc) and I'll get them to you to investigate.

I don't think we need them; if it were a widespread issue, we'd have heard by now. As it stands, a solitary report I don't think justifies a conclusion of the container logic not handling things well. If the API/certbot had an issue, no amount of rewriting of the container is going to fix that.

Link to comment

Having issues with python cryptography -- looks like py3-openssl was updated just a few hours after the current latest version was updated, and is causing issues because py3-cryptography is outdated now? I'm no expert, just a bit of digging. Error is:

 

pkg_resources.ContextualVersionConflict: (cryptography 2.6.1 (/usr/lib/python3.7/site-packages), Requirement.parse('cryptography>=2.8'), {'PyOpenSSL'})

EDIT: In the meantime, running this in the console and restarting works fine, though it has to be done each time the container is recreated (edited, etc.):

apk add gcc musl-dev libffi-dev openssl-dev python3-dev; pip install cryptography --upgrade

 

Edited by drumstyx
