
[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)

Featured Replies

So my issue is sorted. For reasons unknown my Asus router was silently dropping the HTTP challenges. I turned the firewall off and the certs renewed, turned it back on again and all is well.

 

Thanks for your help aptalca!


Hello,

 

I just noticed that for my Nextcloud certificate there is also the name of Bitwarden and the other subdomains. Is this normal?
Basically the certificate that is used for my Nextcloud subdomain is the certificate that was issued to Bitwarden.

 

Sorry if there are mistakes, I'm French and I use Google translation to write here

5 hours ago, DimitriXav said:

Hello,

 

I just noticed that for my Nextcloud certificate there is also the name of Bitwarden and the other subdomains. Is this normal?
Basically the certificate that is used for my Nextcloud subdomain is the certificate that was issued to Bitwarden.

 

Sorry if there are mistakes, I'm French and I use Google translation to write here

Letsencrypt generates one cert that covers all domains and subdomains you validated
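Added example (not from the thread): a throwaway self-signed certificate carrying several names in its Subject Alternative Name extension, and a helper that lists the names a PEM certificate covers. The same `openssl x509 -ext subjectAltName` call can be pointed at the certificate files the container keeps under /config/keys (exact file name assumed). Domain names are constructed; OpenSSL 1.1.1 or newer is assumed for `-addext`.

```shell
#!/bin/sh
# Added example: list every DNS name a certificate covers (its SAN entries).
# A Let's Encrypt cert requested for several subdomains carries all of them,
# so "bitwarden" showing up on the "nextcloud" cert is expected.

# Print the DNS names from a PEM certificate, one per line.
san_names() {
    openssl x509 -in "$1" -noout -ext subjectAltName \
        | tr ',' '\n' \
        | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Build a throwaway self-signed certificate with three constructed names
# (hypothetical domain example.com) and print its path.
make_multi_san_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" \
        -subj "/CN=nextcloud.example.com" \
        -addext "subjectAltName=DNS:nextcloud.example.com,DNS:bitwarden.example.com,DNS:plex.example.com" \
        >/dev/null 2>&1
    echo "$dir/cert.pem"
}

# Does the certificate at $1 cover host name $2? (exact match; no wildcard logic)
cert_covers() {
    san_names "$1" | grep -qx "$2"
}

if [ "${1:-}" = "demo" ]; then
    cert=$(make_multi_san_cert)
    echo "Names on $cert:"
    san_names "$cert"
fi
```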

Hello,

 

I don't think this is a problem with Letsencrypt. Right now I have letsencrypt configured to reverse proxy several dockers, which I can access from the internet no problem, but when I try to access those dockers inside my domain, which uses a Windows Server 2019 domain controller, I can't, but I can access any other website. Do you know any tricks to get Windows DNS to recognize those addresses?

21 minutes ago, Ben93p said:

reverse proxy several dockers which I can access from the internet no problem, but when I try to access those dockers inside my domain

Sounds like a NAT reflection / loopback / hairpinning issue.

15 minutes ago, jonathanm said:

Sounds like a NAT reflection / loopback / hairpinning issue.

I think I fixed the issue; not the best solution, but it seems to work. I added my DoH DNS Docker as my primary DNS and the domain controller as the secondary. I tried disabling NAT and configuring a split DNS exception in my firewall, but Windows Server still refused to cooperate and return the site, but DoH would. Thank you for the help. Some days I really hate trying to figure out how to get Windows to work with Linux systems right.

 

A couple of things it would be nice to fix within the docker:

 

Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please manually download/update the GeoIP2 db and save as /config/geoip2db/GeoLite2-City.mmdb

Maybe add a personal license key field to the docker and a script to update periodically?

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

No idea what this one is.

So I followed spaceinvaderone's tutorial on setting up a proxynet to use for this, and then followed his guide on shinobi to get that running on my IoT VLAN.

 

But despite his proxy file, it doesn't work for me. So I am trying to sort out why. But I also wonder why set up a proxy network if letsencrypt can access dockers on other VLANs?

40 minutes ago, tknx said:

A couple of things it would be nice to fix within the docker:

 


Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please manually download/update the GeoIP2 db and save as /config/geoip2db/GeoLite2-City.mmdb

Maybe add a personal license key field to the docker and a script to update periodically?


nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

No idea what this one is.

Maxmind already provides a script that you can run via cron on the host.

 

Luajit alert is an upstream issue with the luajit nginx module on alpine. It's harmless, just an alert.

31 minutes ago, tknx said:

So I followed spaceinvaderone's tutorial on setting up a proxynet to use for this, and then followed his guide on shinobi to get that running on my IoT VLAN.

 

But despite his proxy file, it doesn't work for me. So I am trying to sort out why. But I also wonder why set up a proxy network if letsencrypt can access dockers on other VLANs?

You'll have to contact spaceinvaderone on that one.

So still struggling with the shinobi letsencrypt reverse proxy.


Subdomain.conf:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name shinobi.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';
        proxy_set_header Host $host;
        proxy_buffering off;
        proxy_request_buffering off;
        proxy_pass http://10.0.3.100:8080;
    }
}

 

But in error.log I am getting timeouts, and I am unsure why. (Client being 10.0.1.1 - not sure why it indicates my router.)

 

2020/02/23 16:28:17 [error] 388#388: *1 connect() failed (110: Operation timed out) while connecting to upstream, client: 10.0.1.1, server: shinobi.*, request: "GET /favicon.ico HTTP/2.0", upstream: "http://10.0.3.100:8080/favicon.ico", host: "shinobi.mydomain.com", referrer: "https://shinobi.mydomain.com/"

 

Edited by tknx
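Added example (not from the post above): an awk-based summary of `connect() failed` entries in an nginx error.log, grouped by errno and upstream, so a handful of lines like the one above can be read at a glance. The sample log lines are constructed in the style of that entry, with hypothetical addresses.

```shell
#!/bin/sh
# Added example: summarise upstream connection failures from an nginx error.log.
# Constructed sample lines modelled on the entry in the post above.
SAMPLE_LOG='2020/02/23 16:28:17 [error] 388#388: *1 connect() failed (110: Operation timed out) while connecting to upstream, client: 10.0.1.1, server: shinobi.*, request: "GET /favicon.ico HTTP/2.0", upstream: "http://10.0.3.100:8080/favicon.ico", host: "shinobi.mydomain.com"
2020/02/23 16:28:40 [error] 388#388: *2 connect() failed (110: Operation timed out) while connecting to upstream, client: 10.0.1.1, server: shinobi.*, request: "GET / HTTP/2.0", upstream: "http://10.0.3.100:8080/", host: "shinobi.mydomain.com"
2020/02/23 16:29:05 [error] 388#388: *3 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.20, server: nextcloud.*, request: "GET / HTTP/2.0", upstream: "http://172.18.0.5:443/", host: "nextcloud.mydomain.com"
2020/02/23 16:29:10 [notice] 388#388: signal process started'

# Emit one line per upstream connect() failure: "<errno> <upstream host:port> <client>"
upstream_failures() {
    awk '/connect\(\) failed \(/ {
        errno = $0; sub(/.*connect\(\) failed \(/, "", errno); sub(/:.*/, "", errno)
        up = $0; sub(/.*upstream: "[a-z]+:\/\//, "", up); sub(/\/.*/, "", up)
        cl = $0; sub(/.*client: /, "", cl); sub(/,.*/, "", cl)
        print errno, up, cl
    }'
}

# Count failures per (errno, upstream), e.g. "110 10.0.3.100:8080 2"
failure_summary() {
    upstream_failures | awk '{ n[$1 " " $2]++ } END { for (k in n) print k, n[k] }' | sort
}

# Plain-language hint for an errno: a timeout means the SYNs went unanswered
# (no route, or a firewall/VLAN rule dropping them); refused means the host
# answered but nothing listens on that port.
errno_hint() {
    case "$1" in
        110) echo "timeout: host unreachable or a firewall/VLAN rule is dropping the connection" ;;
        111) echo "refused: host reached but nothing is listening on that port" ;;
        113) echo "no route to host" ;;
        *)   echo "errno $1" ;;
    esac
}

if [ "${1:-}" = "demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failure_summary | while read -r errno up count; do
        echo "$up: $count failure(s), $(errno_hint "$errno")"
    done
fi
```

Pipe the real file in with `failure_summary < /config/log/nginx/error.log` (log path assumed) to get the same summary for your own container.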

Hey Folks,

Just need to know if it is possible to do multiple sites under this?

 

D.

23 minutes ago, dianad said:

checked and there is nothing running on ports 80 and 443.

Here is my docker-compose config

By this I assume you are not using this on Unraid. You should always read the first post in any support thread. 

6 hours ago, CJandDarren said:

Hey Folks,

Just need to know if it is possible to do multiple sites under this?

 

D.

Yes, see the extradomains variable

Is there a guide to get e-mail notifications working for fail2ban in this docker? Got it all set up correctly and it bans, but I can't quite figure out how to properly set up emails. Tried following this guide, but it doesn't seem to work. Getting "sendmail: can't connect to remote host (127.0.0.1): Connection refused", so I'm not inputting the e-mail info into the right place; it's trying to send to root@localhost etc. Which file should this be going into, right into the sendmail-whois.local and not the jail file like the guide said?

10 hours ago, aptalca said:

Yes, see the extradomains variable

I might have asked this wrong. I want to create sites for 3 domains. Is it possible to do this within the www directory, and where does one add the extra information to point each one to the correct directory?

Edited by CJandDarren

For some reason I cannot access my NextCloud domain outside my home network, even though I followed the tutorial exactly.

 

Everything is in order with the config files and port forwarding (click to expand the image):

 


 

When I enter the domain on my home network, it appears fine with the correct https address.

 

But if I try to do the same outside my local network, or when connected to a VPN, it times out. I ran the Let's Debug and got this:

 


 

(the Let's Debug image is newer, hence the different IP from the DuckDNS part above)

 

But as seen in the first image, I have port 80 forwarded properly. I can still access my Plex server from outside my local network.

I used to be able to access NextCloud from other networks, but something appears to have gone wrong recently.

 

None of the docker logs are showing any errors.

 

[edit]

NextCloud shows these errors:

 


 

but I don't understand why X-Frame-Options is listed, because I am 100% sure I fixed that in the config.

 

Log:

 



Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Australia/Sydney
URL=duckdns.org
SUBDOMAINS=mydomain
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d mydomain.duckdns.org
E-mail address entered: [email protected]
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
Server ready

 

Edited by Stubbs

2 hours ago, CJandDarren said:

I might have asked this wrong. I want to create sites for 3 domains. Is it possible to do this within the www directory, and where does one add the extra information to point each one to the correct directory?

Edit the default site config, create 3 server blocks, one for each site, and set their server names and root directives accordingly. You can create folders "/config/www-domain1", "/config/www-domain2", etc.

 

This is just basic nginx config. There are plenty of guides online.
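Added example (not the project's own code): a small generator that emits one nginx server block per static site, each with its own server_name and root under /config/www-<name>, following the layout described above. Domain names are constructed; review the output before pasting it into the default site config under /config/nginx (exact file name as in your install).

```shell
#!/bin/sh
# Added example: emit one nginx server block per static site.
# Domains (example.com etc.) are constructed; the /config/www-<name>
# root layout follows the answer above. Output goes to stdout.

server_block() {
    domain=$1
    root=$2
    cat <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $domain www.$domain;
    include /config/nginx/ssl.conf;
    root $root;
    index index.html index.php;
    location / {
        try_files \$uri \$uri/ /index.html;
    }
}
EOF
}

# Generate blocks for "domain:root-suffix" arguments, e.g. example.com:domain1
multi_site_config() {
    for entry in "$@"; do
        domain=${entry%%:*}
        suffix=${entry#*:}
        server_block "$domain" "/config/www-$suffix"
    done
}

# Count server blocks in a config read from stdin (sanity check before pasting).
count_server_blocks() {
    grep -c '^server {'
}

if [ "${1:-}" = "demo" ]; then
    multi_site_config example.com:domain1 example.net:domain2 example.org:domain3
fi
```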

Hello all, I am currently going crazy. I am currently trying to reverse proxy Plex using my own domain with letsencrypt and can't seem to get this working. Can someone tell me where I am going wrong? I have the address set in the plexmediaserver docker as https://mydomain.org and have created a CNAME for it. Here is my current config

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name plexh.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    proxy_redirect off;
    proxy_buffering off;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;
    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app PlexMediaServer;
        set $upstream_port 32400;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
        proxy_set_header X-Plex-Device $http_x_plex_device;
        proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
        proxy_set_header X-Plex-Platform $http_x_plex_platform;
        proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
        proxy_set_header X-Plex-Product $http_x_plex_product;
        proxy_set_header X-Plex-Token $http_x_plex_token;
        proxy_set_header X-Plex-Version $http_x_plex_version;
        proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
        proxy_set_header X-Plex-Provides $http_x_plex_provides;
        proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
        proxy_set_header X-Plex-Model $http_x_plex_model;
    }
}

 

I am using DNS verification with wildcard

@Sinister upstream doesn't allow upper cases ... looks like you use the official Plex docker and not the lsio one; change to the IP and you should be fine.

 

also your listening domain name is plexh.*? if that's correct, ok

35 minutes ago, alturismo said:

@Sinister upstream doesn't allow upper cases ... looks like you use the official Plex docker and not the lsio one; change to the IP and you should be fine.

 

also your listening domain name is plexh.*? if that's correct, ok

Yes, I am now able to reach Plex via my domain name, but now I can't reach it locally through the Unraid GUI via the WebUI option when you click the docker. Any idea how to fix that? Also, the docker is not showing any IP address info like other dockers on the proxynet custom network.


Is this causing a problem for anyone else?

 

https://letsencrypt.status.io/

 

Says there is a service disruption. Is this common?

 

Hi there,

Hoping you guys can help me out. In short, my letsencrypt docker is giving me the 'likely firewall issue' message but I have tested port forwarding with nginx and nginxproxymanager dockers, which show their default pages via the opened ports.

 

I followed spaceinvaderone's guide (with methodical pausing while I applied the steps), so forwarding 443 from router to 1443 on the unraid host, and 80 to 180 in the same way.

 

I've got a domain registered. I've added a CNAME to my domain, pointing to a duckdns subdomain. I've setup the duckdns docker to update IP for this.

 

My ISP did have default ports blocked, which I've turned off (otherwise the tests above wouldn't have worked anyway).

 

I've also followed the linuxserver troubleshooting guide for the port forwarding issue already.

 

Can anyone shed some light? Would be much appreciated

 

If my letsencrypt log is useful, it's pasted below (xxxx'd out the domain and email specifics):

-------------------------------------


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Australia/Sydney
URL=xxxxxxxx.net
SUBDOMAINS=nextcloud
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
[email protected]
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d nextcloud.xxxxxxxx.net
E-mail address entered: [email protected]
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nextcloud.xxxxxxxx.net
Waiting for verification...
Challenge failed for domain nextcloud.xxxxxxxx.net

http-01 challenge for nextcloud.xxxxxxxx.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: nextcloud.xxxxxxxx.net
Type: connection
Detail: Fetching
http://nextcloud.xxxxxxxx.net/.well-known/acme-challenge/dTkFfXItBI3Q886xxxxxxxxxxxxXeCA8Dz6mEyanU:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
 
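Added example (not from the thread): a probe of the http-01 path Let's Encrypt fetches, translating curl's outcome into the same categories the error above uses (timeout, refused, DNS, reachable). The domain is a constructed placeholder; run it from a network outside your LAN, because hairpin NAT can make the check pass from inside even when the router is not forwarding port 80. Assumes curl is installed.

```shell
#!/bin/sh
# Added example: probe http://<domain>/.well-known/acme-challenge/<random>
# and classify the result. A probe without a real token normally gets 404,
# which still proves port 80 reaches the container; only a timeout points at
# port forwarding or a firewall.

# Map curl's exit code and HTTP status to a one-word verdict.
interpret_probe() {
    exit_code=$1
    http_code=$2
    case "$exit_code" in
        28) echo "timeout" ;;    # nothing answered: port not forwarded / firewalled
        7)  echo "refused" ;;    # host answered, port closed: forward hits wrong port/host
        6)  echo "dns" ;;        # name did not resolve: DNS / DuckDNS record problem
        0)  case "$http_code" in
                404|200|301|302) echo "reachable" ;;   # LE follows redirects
                *) echo "http-$http_code" ;;
            esac ;;
        *)  echo "curl-error-$exit_code" ;;
    esac
}

# Fetch the challenge path with a short connect timeout and print the verdict.
probe_acme_path() {
    domain=$1
    url="http://$domain/.well-known/acme-challenge/probe-$(date +%s)"
    http_code=$(curl -s -o /dev/null --connect-timeout 5 --max-time 10 \
                     -w '%{http_code}' "$url")
    interpret_probe "$?" "$http_code"
}

if [ "${1:-}" = "demo" ]; then
    probe_acme_path "${2:-nextcloud.example.com}"   # placeholder domain
fi
```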

1 hour ago, BeeKay said:

I've got a domain registered. I've added a CNAME to my domain, pointing to a duckdns subdomain. I've setup the duckdns docker to update IP for this.

If you have your own domain, why get duckdns involved at all?

 

The video tutorial shows you how to do it with duckdns, OR how to do it with your own domain. Not both at the same time.

Hi @aptalca,

 

Since you appear to have a deep understanding of Let's Encrypt, I am wondering if when you have time, you would take a look at this post from earlier? Either I am missing something obvious or I am not using the correct search parameters to find the answer because I have looked for a while now. Thanks!
