[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

2 hours ago, Kash76 said:

Thank you! Making progress, did that and am now getting "ERR_SSL_PROTOCOL_ERROR" in Chrome and "SSL_ERROR_RX_RECORD_TOO_LONG" in Firefox. I usually do not have issues like this but am having a hell of a time troubleshooting this.

 

Nothing in my error log, access log has entries like this...


10.x.x.x - - [27/Nov/2019:12:15:12 -0600] "\x16\x03\x01\x01.\x01\x00\x01*\x04\x03H\xC4z\xDE\x0B(\xF8\x9E-\x88\xD0l0\x8EC\xC9\x14\xBD\xC2\xD0\xFEq{\xE8\x07H\x9EX\xFDs\xF6D\x00\x00\x88\xC00\xC0,\xC0(\xC0$\xC0\x14\xC0" 400 157 "-" "-"

 

Well this is embarrassing. I had the http and https ports for LetsEncrypt crossed. Thanks for the support and sorry for the bother!!

Link to comment
6 hours ago, blaine07 said:

Wow, some crazy stuff being asked lately.

I’m just wanting to reach out for some much more basic info LOL. I know their are some VERY knowledgeable folks subbed here so...

I currently and using Letsencrypt with DuckDNS through pfSense Appliance to Letsencrypt and to my containers. I am using GoDaddy as domain registrar, Hostgator for Hosting.

I am debating switching entire setup to Cloudflare, port 80/443 is NOT being blocked by ISP. What are advantages with Cloudflare or using it versus current setup? Is it a real pain to switch current entire setup to using Cloudflare over how it’s currently setup? Should I? Should I not switch?

I don't quite follow the second paragraph there. What is your current setup? Just a website running on HostGator with the domain purchased from GoDaddy? And your contemplating switching that to self hosted at home via letsencrypt?

 

In that scenario cloudflare would only be used for dns, for which it does a great job.

  • Like 1
Link to comment
6 hours ago, dandiodati said:

On i did notice this error in letsencypt log but does not see to cause any issues:

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
nginx: [error] lua_load_resty_core failed to load the resty.core module from https://github.com/openresty/lua-resty-core; ensure you are using an OpenResty release from https://openresty.org/en/download.html (rc: 2, reason: module 'resty.core' not found:

 

Any ideas or help for solving this issue ? Been fighting with it for a long time with no solution.

 

Dan

 

 

unms.subdomain.conf 1.42 kB · 0 downloads

Openresty errors are harmless.

Link to comment
I don't quite follow the second paragraph there. What is your current setup? Just a website running on HostGator with the domain purchased from GoDaddy? And your contemplating switching that to self hosted at home via letsencrypt?
 
In that scenario cloudflare would only be used for dns, for which it does a great job.


Yeah, it’s been a LONG day. Sigh. Lol

Yes debating purchasing a new domain, from name cheap, and using Cloudflare for DNS to Letsencrypt on Unraid.

Is it a disaster to switch from current setup to Cloudflare with Letsencrypt? I don’t have a static IP at home so I’d still have to keep DuckDNS in the middle of Cloudflare and Letsencrypt on Unraid?
Link to comment
3 minutes ago, blaine07 said:

 


Yeah, it’s been a LONG day. Sigh. Lol

Yes debating purchasing a new domain, from name cheap, and using Cloudflare for DNS to Letsencrypt on Unraid.

Is it a disaster to switch from current setup to Cloudflare with Letsencrypt? I don’t have a static IP at home so I’d still have to keep DuckDNS in the middle of Cloudflare and Letsencrypt on Unraid?

 

It really depends on how complicated your setup on HostGator is. I have a website on HostGator that I never switched over to anything because it was so entrenched in and was setup over a decade ago. Also because there were too many mailers set up and I didn't want to bother with hosting a mail server at home so I just left it there.

 

But if it's a relatively simple site, it shouldn't be a big deal. 

 

For updating ip on cloudflare, you can use ddclient, or your router may even have that capability (many routers do).

  • Like 1
Link to comment
On 11/23/2019 at 2:47 PM, aptalca said:

 

Changed settings as shown in the image and followed the linked guide, letsencrypt still comes up with:

Challenge failed for domain .myserver.com
Type: Unauthorized

"To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address." Checked.

When trying to access nginx from outside the network according to the guide (i.e. nextcloud.myserver.com) a page comes up along the lines of "this page is under construction".

Also, when attempting to port check ports 80, 180, 443, 1443, the connection is refused on 80/443 and timed out on 180/1443.


Thoughts?

Screenshot (14).png

Link to comment
It really depends on how complicated your setup on HostGator is. I have a website on HostGator that I never switched over to anything because it was so entrenched in and was setup over a decade ago. Also because there were too many mailers set up and I didn't want to bother with hosting a mail server at home so I just left it there.
 
But if it's a relatively simple site, it shouldn't be a big deal. 
 
For updating ip on cloudflare, you can use ddclient, or your router may even have that capability (many routers do).


Using PFsense. Would that update the Cnames IP even as dynamic changed?
Link to comment
53 minutes ago, blaine07 said:

 


Using PFsense. Would that update the Cnames IP even as dynamic changed?

 

Pfsense has dynamic dns support and can update your A records (I'm using it). Your CNAMEs should be pointing to your main A record (alternatively you can have a wildcard CNAME, just a *, which points them all to the main A record)

  • Like 1
Link to comment
Pfsense has dynamic dns support and can update your A records (I'm using it). Your CNAMEs should be pointing to your main A record (alternatively you can have a wildcard CNAME, just a *, which points them all to the main A record)


So hypothetically if I were to switch to CloudFlare I could remove all the crap with DuckDNS in middle(because dynamic IP) and go straight to Unraid Reverse proxy from the domain name && all the controls and benefits of CF. At moment not sure I’ll ever use “domain.co”; am going to use “cloud.domain.co” and etc though.
Link to comment
12 hours ago, blaine07 said:

 


So hypothetically if I were to switch to CloudFlare I could remove all the crap with DuckDNS in middle(because dynamic IP) and go straight to Unraid Reverse proxy from the domain name && all the controls and benefits of CF. At moment not sure I’ll ever use “domain.co”; am going to use “cloud.domain.co” and etc though.

 

Yup

  • Like 1
Link to comment
Yup

 

Yeah bought a domain to “test” with and was playing with forwarding and such(since server isn’t actually setup with test domain). I think it’s going to work nicely with server. I think this weekend going to pull plug and migrate main domain to over to Cloudflare. My main domain has 23 DNS records. When I start, but not change NS, all seems well. Any advice on that front as far as converting NS? Figured If I save a copy of what everything is now if I were to really Bork it I could just roll it back? Any other tips?  

 

(Oh yeah, figured out how to get PFSense to update A records with CF, too, since dynamic IPs. Easy like you said!)

 

Thanks a ton for your advice@aptalca, I appreciate it

 

 

Link to comment
On 11/27/2019 at 12:39 PM, aptalca said:

You're mixing and matching elements from subdomains and subfolder proxy method. Which are you trying to accomplish?

I have a subdomain, comics.domain.com.  I am using the ubooquity.subdomain.conf.sample, and just updated it to server_name comics.* instead of ubooquity.*

 

The Ubooquity page requires domain.com:2202/ubooquity or domain.com:2203/ubooquity/admin for admin access.  I changed the server_name and added the /ubooquity and the /ubooquity/admin in the proxy_pass, but it won't pass that through properly.  That is what I'm trying to figure out, I think.

 

With Booksonic, I was able to tell the booksonic server to use no base URL, so it just goes to domain.com:4040/ instead of domain.com:4040/booksonic/

 

If it would be easier to use the subfolder method, and just a redirect for my subdomain, I'm fine with that as well, I honestly just had that thought, but I'm not quite sure how I'd set that up in my domain provider (which is namecheap, but if I know the methodology to use I can figure that part out)

Link to comment
On 11/27/2019 at 11:37 AM, aptalca said:

Turn off cloudflare proxy (click on the orange cloud)

Random Q... could you be as kind to enlighten me when Cloudflare proxy should or shouldn’t be used? Made FULL jump to CF as we spoke about a few days ago(happy so far, too)... so far NextCloud, Guacamole, Emby, BitWarden and OnlyOffice are all working fine with the CF Proxy ON. Not having issues but for future reference does proxy being on just cause issues with some containers or? (Knock on wood, no issues here with it on yet). Any elaboration in case somehow I run into issues later would be awesome mate 😀

Link to comment
4 minutes ago, blaine07 said:

Random Q... could you be as kind to enlighten me when Cloudflare proxy should or shouldn’t be used? Made FULL jump to CF as we spoke about a few days ago(happy so far, too)... so far NextCloud, Guacamole, Emby, BitWarden and OnlyOffice are all working fine with the CF Proxy ON. Not having issues but for future reference does proxy being on just cause issues with some containers or? (Knock on wood, no issues here with it on yet). Any elaboration in case somehow I run into issues later would be awesome mate 😀

Cloudflare proxy has a bunch of different settings and depending on how they are set, it can break letsencrypt validation. If yours is working and it validated with the proxy on, then you're fine. But for most people it won't validate as cloudflare will highjack the connections from the letsencrypt server.

  • Like 1
Link to comment
Cloudflare proxy has a bunch of different settings and depending on how they are set, it can break letsencrypt validation. If yours is working and it validated with the proxy on, then you're fine. But for most people it won't validate as cloudflare will highjack the connections from the letsencrypt server.


Exactly why I wanted your insight! If I have issues in future it may be related to proxy being on; just disable CF Proxy and try again? My certs haven’t expired since change so it’s very possible come time to re-new they won’t... Very valuable point! Thank you!
Link to comment
12 hours ago, blaine07 said:

 


Exactly why I wanted your insight! If I have issues in future it may be related to proxy being on; just disable CF Proxy and try again? My certs haven’t expired since change so it’s very possible come time to re-new they won’t... Very valuable point! Thank you! emoji3060.png

 

Yup, if you put in your email when you last validated, look out for expiration email, then confirm the expiration date in the browser. If it's expiring in less than 30 days, look for the logs in the config folder to see why it failed.

  • Like 1
Link to comment
Yup, if you put in your email when you last validated, look out for expiration email, then confirm the expiration date in the browser. If it's expiring in less than 30 days, look for the logs in the config folder to see why it failed.

 

Have certs being generated successfully in Letsencrypt(when I delete a subdomain, start/stop LE and add subdomain back it fully completes and no errors in LE log) but browser says my SSL is Cloudflare and doesn’t expire for 313 days? Any disadvantage to using CFs SSL? I think under security in CF I can change something to not use their SSL? Have SSL set to “Full” in CF. The way I read it if I were to switch to “Flexible” it would use my own SSL for sever to Cloudflare connection. Any advantage either way? Sorry for all the questions; I most certainly appreciate your continued guidance. Just not sure if “all SSLs are created equally..” or

 

a265c70eb3cba0f7eeb589df39b50a42.plist&key=ecf7b76f0d91f1d3e37bb2df6c7740bc2cd8828625597cc6394952e208d7d1f5

 

8a2998e32bcdc7f4d8ee4f570739afa3.png&key=7904d31c2ec03eb56da58b5007303b3f7fa5eb564aee100025d30269d5f8e07c

 

67cfbbb9e0c3d1a40429fb2abb006de1.jpg

Link to comment
6 hours ago, blaine07 said:

 

Have certs being generated successfully in Letsencrypt(when I delete a subdomain, start/stop LE and add subdomain back it fully completes and no errors in LE log) but browser says my SSL is Cloudflare and doesn’t expire for 313 days? Any disadvantage to using CFs SSL? I think under security in CF I can change something to not use their SSL? Have SSL set to “Full” in CF. The way I read it if I were to switch to “Flexible” it would use my own SSL for sever to Cloudflare connection. Any advantage either way? Sorry for all the questions; I most certainly appreciate your continued guidance. Just not sure if “all SSLs are created equally..” or emoji848.png

 

a265c70eb3cba0f7eeb589df39b50a42.plist&key=ecf7b76f0d91f1d3e37bb2df6c7740bc2cd8828625597cc6394952e208d7d1f5

 

8a2998e32bcdc7f4d8ee4f570739afa3.png&key=7904d31c2ec03eb56da58b5007303b3f7fa5eb564aee100025d30269d5f8e07c

 

67cfbbb9e0c3d1a40429fb2abb006de1.jpg

Cloudflare proxy is an entirely different commercial product with a different purpose, which is beyond the scope of this thread. Please open a new thread to discuss that.

  • Like 1
Link to comment
14 minutes ago, Tucubanito07 said:

Hey Guys. I googled "letsencrypt welcome to our server page edit" and i dont see anything about modifying the Welcome to our server. Can we modify this to something else? Thank you.

 

 

image.png.1b6c0da17862ff67d93f836742b00907.png

It's a webserver, so you can do whatever you want with the landing page.

Link to comment
1 hour ago, saarg said:

It's a webserver, so you can do whatever you want with the landing page.

I did some changes and saved it using nano and when I refresh the docker it did not update with everything I changed on that file. That’s why I asked. Thank you @aptalca when I change anything in there so I have to do anything else to make sure it comes up with the updates I made on the confit file? What is the location of the file? I want to make sure I am making changes to the right configure file. 

Edited by Tucubanito07
Link to comment
1 hour ago, Tucubanito07 said:

I did some changes and saved it using nano and when I refresh the docker it did not update with everything I changed on that file. That’s why I asked. Thank you @aptalca when I change anything in there so I have to do anything else to make sure it comes up with the updates I made on the confit file? What is the location of the file? I want to make sure I am making changes to the right configure file. 

The default folder for www is /config/www or appdata folder of letsemcrypt/www.

You probably have to restart the container for the changes to be active.

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.