[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


5374 posts in this topic Last Reply

Recommended Posts

4 hours ago, JoHimself said:

Hi guys, I'm having issues with this container. I have my domain set up, it has been for a while since this was working until I changed one of the subdomains so it had to re-generate the certificate. The validation fails using http challenge.

 

I have tried removing the container and appdata and even that does not rectify the issue. If I fire up an NGINX container with the default config then it shows the NGINX startup page by going to the domain. When I use this container with the same port forwarding there doesn't seem to be anything listening.

 

This is my log:


-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=johimself.co.uk
SUBDOMAINS=www,
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=MY_EMAIL_ADDRESS
STAGING=true

NOTICE: Staging is active
2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.johimself.co.uk
E-mail address entered: MY_EMAIL_ADDRESS
http validation is selected
Generating new certificate
/usr/lib/python3.8/site-packages/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="?
if x is 0 or x is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:32: SyntaxWarning: "is" with a literal. Did you mean "=="?
if x is 0 or x is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:34: SyntaxWarning: "is" with a literal. Did you mean "=="?
elif y is 0 or y is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:34: SyntaxWarning: "is" with a literal. Did you mean "=="?
elif y is 0 or y is 1:
/usr/lib/python3.8/site-packages/jmespath/visitor.py:260: SyntaxWarning: "is" with a literal. Did you mean "=="?
if original_result is 0:
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for www.johimself.co.uk
http-01 challenge for johimself.co.uk
Waiting for verification...
Challenge failed for domain www.johimself.co.uk

Challenge failed for domain johimself.co.uk

http-01 challenge for www.johimself.co.uk
http-01 challenge for johimself.co.uk
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: www.johimself.co.uk
Type: connection
Detail: During secondary validation: Fetching
http://www.johimself.co.uk/.well-known/acme-challenge/Ugsgna0D4LoyVydrpfn93WbNKBjWP2I__LsX0MvbpYQ:
Timeout during connect (likely firewall problem)

Domain: johimself.co.uk
Type: connection
Detail: Fetching
http://johimself.co.uk/.well-known/acme-challenge/fN_EX6RO0s1Q0u4dNpBURbECXtBVTU6PT1RsDnkxpQs:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: www.johimself.co.uk
Type: connection
Detail: During secondary validation: Fetching
http://www.johimself.co.uk/.well-known/acme-challenge/Ugsgna0D4LoyVydrpfn93WbNKBjWP2I__LsX0MvbpYQ:
Timeout during connect (likely firewall problem)

Domain: johimself.co.uk
Type: connection
Detail: Fetching
http://johimself.co.uk/.well-known/acme-challenge/fN_EX6RO0s1Q0u4dNpBURbECXtBVTU6PT1RsDnkxpQs:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

If anyone has any more ideas, that would be great!

When you put up the nginx container, are you trying the http endpoint? From outside of the lan?

Link to post
  • Replies 5.4k
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

I will only post this once. Feel free to refer folks to this post.   A few points of clarification:   The last update of this image didn't break things. Letsencrypt abruptly disabl

Application Name: SWAG - Secure Web Application Gateway Application Site:  https://docs.linuxserver.io/general/swag Docker Hub: https://hub.docker.com/r/linuxserver/swag Github: https:/

I don't need support.  I just wanted to say thanks for this container and its continuous maintenance.  I started with Aptalca's container then switched to the linuxserver.io container.  Its been close

Posted Images

Hello,

 

I just noticed that for my Nextcloud certificate there is also the name of Bitwarden and the other subdomains. Is this normal?
Basically the certificate that is used for my Nextcloud subdomain and the certificate that was issued to Bitwaren.

 

Sorry if there are mistakes, I'm French and I use Google translation to write here

Link to post
5 hours ago, DimitriXav said:

Hello,

 

I just noticed that for my Nextcloud certificate there is also the name of Bitwarden and the other subdomains. Is this normal?
Basically the certificate that is used for my Nextcloud subdomain and the certificate that was issued to Bitwaren.

 

Sorry if there are mistakes, I'm French and I use Google translation to write here

Letsencrypt generates one cert that covers all domains and subdomains you validated

Link to post

Hello,

 

I don't think this is a problem with Letsencrypt . Right now I have letsencrypt configured to reverse proxy several dockers which I can access from the internet no problem, but when I try to access those dockers inside my domain that is using a Windows Server 2019 Domain controller I can't but I can access any other website. Do you know any tricks to get windows DNS to recognize those addresses?

Link to post
15 minutes ago, jonathanm said:

Sounds like a NAT reflection /  loopback / hairpinning  issue.

I think i fixed the issue, not the best solution but it seems to work. I added my DoH DNS Docker as my primary DNS and the domain controller as the secondary. I tried disabling NAT and configuring a split dns exception in my firewall but Windows server still refused to cooperate and return the site but DoH would. Thank you for the help. Somedays I really hate trying to figure out how to get windows to work with linux systems right.

 

Link to post

A couple of things it would nice to fix within the docker:

 

Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please manually download/update the GeoIP2 db and save as /config/geoip2db/GeoLite2-City.mmdb

Maybe add a personal license key field to the docker and a script to  update periodically?

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

No idea what this one is.

Link to post

So I followed spaceinvaderone's tutorial on setting up a proxynet to use for this, and then followed his guide on shinobi to get that running on my IOT vlan.

 

But despite his proxy file, it doesn't work for me. So I am trying to sort out why. But I also wonder why setup a proxynetwork if letsencrypt can access dockers on other vlans?

Link to post
40 minutes ago, tknx said:

A couple of things it would nice to fix within the docker:

 


Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please manually download/update the GeoIP2 db and save as /config/geoip2db/GeoLite2-City.mmdb

Maybe add a personal license key field to the docker and a script to  update periodically?


nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

No idea what this one is.

Maxmind already provides a script that you can run via cron on the host.

 

Luajit alert is an upstream issue with the luajit nginx module on alpine. It's harmless, just an alert.

Link to post
31 minutes ago, tknx said:

So I followed spaceinvaderone's tutorial on setting up a proxynet to use for this, and then followed his guide on shinobi to get that running on my IOT vlan.

 

But despite his proxy file, it doesn't work for me. So I am trying to sort out why. But I also wonder why setup a proxynetwork if letsencrypt can access dockers on other vlans?

You'll have to contact spaceinvaderone on that one.

Link to post

So still struggling with the shinobi letsencrypt reverse proxy.


Subdomain.conf:

server {

listen 443 ssl;

listen [::]:443 ssl;



server_name shinobi.*;



include /config/nginx/ssl.conf;



client_max_body_size 0;



location / {

include /config/nginx/proxy.conf;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection 'upgrade';

proxy_set_header Host $host;

proxy_buffering off;

proxy_request_buffering off;

proxy_pass http://10.0.3.100:8080;

}

}

 

But error.log I am getting timeouts, which I am unsure as to why. (Client being 10.0.1.1 - not sure why it indicates my router).

 

2020/02/23 16:28:17 [error] 388#388: *1 connect() failed (110: Operation timed out) while connecting to upstream, client: 10.0.1.1, server: shinobi.*, request: "GET /favicon.ico HTTP/2.0", upstream: "http://10.0.3.100:8080/favicon.ico", host: "shinobi.mydomain.com", referrer: "https://shinobi.mydomain.com/"

 

Edited by tknx
Link to post
23 minutes ago, dianad said:

checked and there is noting running on ports 80 and 443.

Here is my docker-compose config

By this I assume you are not using this on Unraid. You should always read the first post in any support thread. 

Link to post

Is there a guide to get e-mail notifications working for fail2ban in this docker? Got it all setup correcting and it bans, but can't quite figure out how to properly setup emails. Tried following this guide, but it doesn't seem to work. Getting "sendmail: can't connect to remote host (127.0.0.1): Connection refused" so I'm not inputting the e-mail info into the right place, it's trying to send to root@localhost etc etc. Which file should this be going into, right into the sendmail-whois.local and not the jail file like the guide said?

Link to post
10 hours ago, aptalca said:

Yes, see the extradomains variable

I might have asked this wrong. I want to create sites for 3 domains is it possible to do this with in the www directory and where does one add the extra information to point each one to the correct directory?

Edited by CJandDarren
Link to post

For some reason I cannot access my NextCloud domain outside my home network, even though I followed the tutorial exactly.

 

Everything is in order with the config files and port forwarding (click to expand the image):

 

qD837jj.jpg

 

When I enter the domain on my home network, it appears fine with the correct https address.

 

But if I try to do the same outside my local network, or when connected to a VPN, it times out. I ran the Let's Debug and got this:

 

nlcMJJW.png

 

(the Let's Debug image is newer, hence the different IP from the DuckDNS part above)

 

But as seen in the first image, I have port 80 forwarded properly. I can still access my Plex server from outside my local network.

I used to be able to access NextCloud from other networks, but something appears to have gone wrong recently.

 

None of the docker logs are showing any errors.

 

[edit]

NextCloud shows these errors:

 

0W0aK9m.png

 

but I don't understand why X-Frame-Options is listed, because I am 100% sure I fixed that in the config.

 

Log:

 

_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Australia/Sydney
URL=duckdns.org
SUBDOMAINS=mydomain
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=myemail@email.com
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d mydomain.duckdns.org
E-mail address entered: myemail@email.com
http validation is selected
Certificate exists; parameters unchanged; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
Server ready

 

Edited by Stubbs
Link to post
2 hours ago, CJandDarren said:

I might have asked this wrong. I want to create sites for 3 domains is it possible to do this with in the www directory and where does one add the extra information to point each one to the correct directory?

Edit the default site config, create 3 server blocks, one for each site, and set their server names and root directives accordingly. You can create folders "/config/www-domain1", "/config/www-domain2", etc.

 

This is just basic nginx config. There are plenty of guides online.

Link to post

Hello alli am currently going crazy, I am currently trying to reverse proxy plex using my own domain with letsencrypt and cant seem to get this working. Can someone tell me where i am going wrong ?, i have the address set in the plexmediaserver docker as https://mydomain.org and have created a CNAME for it. Here is my current config

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name plexh.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    proxy_redirect off;
    proxy_buffering off;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;
    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app PlexMediaServer;
        set $upstream_port 32400;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
        proxy_set_header X-Plex-Device $http_x_plex_device;
        proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
        proxy_set_header X-Plex-Platform $http_x_plex_platform;
        proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
        proxy_set_header X-Plex-Product $http_x_plex_product;
        proxy_set_header X-Plex-Token $http_x_plex_token;
        proxy_set_header X-Plex-Version $http_x_plex_version;
        proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
        proxy_set_header X-Plex-Provides $http_x_plex_provides;
        proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
        proxy_set_header X-Plex-Model $http_x_plex_model;
    }
}

 

i am using dns verication with wildcard

Link to post
35 minutes ago, alturismo said:

@Sinister upstream doesnt allow upper cases ... looks like u use the official plex docker and not the lsio one, change to the ip and u should be fine.

 

also your listening domain name is plexh.* ? if thats correct, ok

yes i am now able to reach plex via my domain name but now i cant reach it locally through unraid GUI via the WEBUI option when you click the docker. Any idea how to fix that ? also docker is not showing any IP address info like other dockers on proxynet custom network

plexproxy.png

Link to post

Hi there,

Hoping you guys can help me out. In short, my letsencrypt docker is giving me the 'likely firewall issue' message but I have tested port forwarding with nginx and nginxproxymanager dockers, which show their default pages via the opened ports.

 

I followed spaceinvaderone's guide (with methodical pausing while i applied the steps), so forwarding 443 from router to 1443 on unraid host, and 80 to 180 in the same way. 

 

I've got a domain registered. I've added a CNAME to my domain, pointing to a duckdns subdomain. I've setup the duckdns docker to update IP for this.

 

My ISP did have default ports blocked, which I've turned off (otherwise the tests above wouldn't have worked anyway).

 

I've also followed the linuxserver troubleshooting guide for the port forwarding issue already.

 

Can anyone shed some light? Would be much appreciated

 

If my letsencrypt log is useful, it's pasted below (xxxx'd out the domain and email specifics:

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Australia/Sydney
URL=xxxxxxxx.net
SUBDOMAINS=nextcloud
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=xxxxx@protonmail.com
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d nextcloud.xxxxxxxx.net
E-mail address entered: xxxx@protonmail.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nextcloud.xxxxxxxx.net
Waiting for verification...
Challenge failed for domain nextcloud.xxxxxxxx.net

http-01 challenge for nextcloud.xxxxxxxx.net
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: nextcloud.xxxxxxxx.net
Type: connection
Detail: Fetching
http://nextcloud.xxxxxxxx.net/.well-known/acme-challenge/dTkFfXItBI3Q886xxxxxxxxxxxxXeCA8Dz6mEyanU:
Timeout during connect (likely firewall problem)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
 

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.