[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



1 hour ago, luizmont said:

@aptalca I have confirmed that my ISP blocks port 80 and 443 (consumer connection).

From what I have read, the only way to use letsencrypt is with DNS challenges.

Is that correct? Can you help me to configure it? Or at least point me in the direction to do this....

 

Thank you very much!

You're already using DNS validation; that's why nginx is coming up and the reverse proxy works on your LAN. If 80/443 are blocked, you'll have to use a different port to access it.

So you'll forward 444 on the router and access https://domain.com:444.

47 minutes ago, aptalca said:

You're already using DNS validation; that's why nginx is coming up and the reverse proxy works on your LAN. If 80/443 are blocked, you'll have to use a different port to access it.

So you'll forward 444 on the router and access https://domain.com:444.

Awesome! It worked!!!!!

 

Let me just understand something.

It is really annoying having to type both the "https://" and the ":444"

Is there a way to do it without having to add the port and the https?

 

 

4 hours ago, jonathanm said:

Different ISP?

Or pay for a dns server that does URL forwarding.

 

4 hours ago, aptalca said:

Or you can ask your ISP to stop blocking port 443. It worked for some people.

 

I live in Brazil and here, as far as I know, all major ISPs do this...

Ports 80 and 443 can be opened only on business plans...

 

I guess it's going to be like this.

 

@aptalca thank you very much for providing the solution to my problem!


Guys, I'm at a complete loss here. On my Unraid server I've got a working Nextcloud container plus a working letsencrypt container (for ports see screenshot). Nextcloud can be reached if I use the internal IP, and over the subdomain bodenwiesli.duckdns.org I can reach the nginx server, which tells me that the subdomain works and the port forwarding on the router is also active. But no matter what guide I follow (this one, this one or this one) it never works. I would really appreciate it if someone could tell me how I need to configure the containers to get this working.

 

By the way, for testing purposes I forwarded incoming requests on port 80 to the Nextcloud container and was able to log in to my Nextcloud account, so I'm 100% positive that both the subdomain and the Nextcloud container actually work. But I'm not OK with unencrypted traffic.

Containers.jpg

17 hours ago, kbbeer said:

Going down a rabbit hole this morning, curious if a solution exists to this problem. I've been using this container to allow access to one subdomain externally. I noticed today that if I go to my public ip (when remote) chrome prompts with a privacy error and gives the reason that this ip and the subdomain certs which I setup are different. Is it possible to configure so that my ip doesn't respond and you need to hit the subdomain for a response? Or is it best to create a cert for the main page to camouflage the subdomain?

You can set the main server block (the one that's defined as default) to serve a 404 or not even respond. So only the match for the subdomain will be displayed; any other request will go to the default block and get denied.

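A catch-all server block for what aptalca describes above, written here as an added example and not the default file shipped with the image; the /config/nginx paths and the ssl.conf include follow the image's layout and are assumed.

```nginx
# Added example: a catch-all for requests that match none of the
# *.subdomain.conf server_name entries, e.g. https://<public ip>/ .
# Assumed to live in /config/nginx/site-confs/default in place of the
# shipped default server block (paths follow the image layout).

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    # 444 is nginx's non-standard "close the connection, send nothing" code.
    return 444;
}

server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;

    # On nginx 1.19.4 and newer, uncomment this to refuse the TLS handshake
    # for the bare IP or any unknown name: no certificate is presented, so
    # the browser shows a connection failure rather than a privacy error
    # that names your subdomain (ssl.conf then no longer needs to be included).
    # ssl_reject_handshake on;

    # On older nginx the handshake still completes with the certificate
    # from ssl.conf (that is where the browser's warning comes from), and
    # the most the default block can do is answer nothing afterwards.
    include /config/nginx/ssl.conf;
    return 444;          # or: return 404;
}
```

Whichever variant is used, the subdomain blocks still match on their own server_name, so only requests carrying the expected Host/SNI get a page.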
1 hour ago, oeci said:

Guys, I'm at a complete loss here. On my Unraid server I've got a working Nextcloud container plus a working letsencrypt container (for ports see screenshot). Nextcloud can be reached if I use the internal IP, and over the subdomain bodenwiesli.duckdns.org I can reach the nginx server, which tells me that the subdomain works and the port forwarding on the router is also active. But no matter what guide I follow (this one, this one or this one) it never works. I would really appreciate it if someone could tell me how I need to configure the containers to get this working.

 

By the way, for testing purposes I forwarded incoming requests on port 80 to the Nextcloud container and was able to log in to my Nextcloud account, so I'm 100% positive that both the subdomain and the Nextcloud container actually work. But I'm not OK with unencrypted traffic.

Containers.jpg

You're not using our nextcloud image.


Oops, I changed to yours and indeed the reverse proxy seems to work. But now I cannot set up Nextcloud: when I try to do so I can start the process (enter an admin account, choose database, set credentials for database) but it always terminates with a 504 Gateway Time-Out message after a few minutes.

On 3/16/2020 at 1:08 PM, saarg said:

Not correct. You need to let the container run and it will renew it before it expires.

It attempts to renew every night at about 2.

When is your cert expiring?

Thank you - it's not due to expire for a while - I just wasn't sure of the renewal process. Thank you!!


Hello,

I'm trying to configure a reverse proxy on my VPS.
For now, I have my docker services (portainer, whoami, grafana, prometheus, ....) available through XXX.mydomain.duckdns.org (and basic auth for each service).

Pretty happy with it... but I have two minor problems:

  • Fail to use Deluge with the reverse proxy: I get a '502 bad gateway'.
    I enabled the proxy-conf as for other services, without success.
    Tried with/without basic auth.
     
  • Is there a way to 'share' the auth, so I don't need to log in for each service? (looking for a simple solution)

Thanks for your help
Mickaël

1 hour ago, mika91 said:

Hello,

I'm trying to configure a reverse proxy on my VPS.
For now, I have my docker services (portainer, whoami, grafana, prometheus, ....) available through XXX.mydomain.duckdns.org (and basic auth for each service).

Pretty happy with it... but I have two minor problems:

  • Fail to use Deluge with the reverse proxy: I get a '502 bad gateway'.
    I enabled the proxy-conf as for other services, without success.
    Tried with/without basic auth.
     
  • Is there a way to 'share' the auth, so I don't need to log in for each service? (looking for a simple solution)

Thanks for your help
Mickaël

502 means letsencrypt cannot reach deluge.

 

You likely have deluge in host networking, so change the address to point to the Unraid IP and the port to the mapped port in your proxy conf.

3 hours ago, Joker169 said:

I set up almost a mirror of the SpaceInvader vid.

So.... just add error.conf and profit?!?

"almost mirror" != "the same"

 

If you post exactly what you did, we can try and help. But if you say "I followed x video or guide for the most part", then we don't have a crystal ball.

1 hour ago, aptalca said:

"almost mirror" != "the same"

 

If you post exactly what you did, we can try and help. But if you say "I followed x video or guide for the most part", then we don't have a crystal ball.

I have to correct you there. We do have a crystal ball, but it's still in the repair shop waiting for the not in stock part.

12 hours ago, aptalca said:

"almost mirror" != "the same"

 

If you post exactly what you did, we can try and help. But if you say "I followed x video or guide for the most part", then we don't have a crystal ball.

Well the "almost" is the fact, that I USED MY OWN DNS and config, I'm sorry if this annoyed you. Other than that exactly what was in the video. Thanks for reading....I got it working. Guess I'll use a more "newb" solution in the future.

 


I'm looking for advice on how to set up a subdomain.conf for a custom docker.

I'm trying to emulate what's described here: https://pgsnake.blogspot.com/2019/07/reverse-proxying-to-pgadmin.html

 

I've also tried to use some other of the provided templates to build from. Here's what I have:

# filename: pgsql.subdomain.conf
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name pgsql.*;

    include /config/nginx/ssl.conf;
    proxy_redirect off;
    proxy_buffering off;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        # custom docker's name: pgadmin4
        set $upstream_pgadmin4 pgadmin4;
        proxy_pass http://$upstream_pgadmin4:5050;
    }
}

In the custom docker the network type is set to custom and pointed at my proxy network. The letsencrypt docker has pgsql as a subdomain to look out for.

When I restart the letsencrypt docker and visit the subdomain (pgsql.mydomain.com) I get an nginx 502 bad gateway. Have I forgotten something in my configuration? The only thing I can see from other templates is that I'm not including any "proxy_set_header" lines, but I'm not really sure what those are and if they are needed. Thanks in advance!
 

3 hours ago, njdowdy said:

I'm looking for advice on how to set up a subdomain.conf for a custom docker.

I'm trying to emulate what's described here: https://pgsnake.blogspot.com/2019/07/reverse-proxying-to-pgadmin.html

 

I've also tried to use some other of the provided templates to build from. Here's what I have:


# filename: pgsql.subdomain.conf
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name pgsql.*;

    include /config/nginx/ssl.conf;
    proxy_redirect off;
    proxy_buffering off;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        # custom docker's name: pgadmin4
        set $upstream_pgadmin4 pgadmin4;
        proxy_pass http://$upstream_pgadmin4:5050;
    }
}

In the custom docker the network type is set to custom and pointed at my proxy network. The letsencrypt docker has pgsql as a subdomain to look out for.

When I restart the letsencrypt docker and visit the subdomain (pgsql.mydomain.com) I get an nginx 502 bad gateway. Have I forgotten something in my configuration? The only thing I can see from other templates is that I'm not including any "proxy_set_header" lines, but I'm not really sure what those are and if they are needed. Thanks in advance!
 

Doesn't pgadmin listen on port 80?

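The two 502 cases discussed in this thread, the Deluge container in host networking and the pgadmin upstream port, as one added proxy-conf example that is not a file shipped with the image; the host IP 192.168.1.10, the Deluge port 8112 and the container name pgadmin4 are assumed values.

```nginx
# Added example, not a proxy-conf shipped with the image. A 502 from nginx
# means the proxy_pass target could not be reached; the two reasons seen in
# this thread are a name Docker's DNS cannot resolve and a port the app is
# not listening on. Assumed values: Unraid host 192.168.1.10, Deluge web UI
# on host port 8112, a pgadmin4 container named pgadmin4 on the proxy network.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name deluge.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;

        # Deluge runs in host networking, so it is not on the Docker bridge
        # and the embedded DNS at 127.0.0.11 has no record for "deluge":
        #   set $upstream_app deluge;      -> name lookup fails -> 502
        # Point at the host and at the port the UI is bound to there instead.
        set $upstream_app 192.168.1.10;
        set $upstream_port 8112;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pgsql.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;

        # Here the name resolves (same user-defined network), but the app
        # listens on 80 inside the container, as the reply above suggests:
        #   proxy_pass http://$upstream_app:5050;  -> connection refused -> 502
        # nginx talks to the container directly, so use the port the process
        # listens on inside the container, not a host-mapped port.
        set $upstream_app pgadmin4;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

The nginx error log (the image writes it under /config/log/nginx) tells the two apart: a failed lookup logs "could not be resolved", a wrong port logs "connect() failed (111: Connection refused) while connecting to upstream".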

Hi! I've been trying for days now to get this going and I've followed every guide I could find. I want to be able to access my Nextcloud from outside my network. First I tried the "regular" way with http and duckdns but no luck. After that I followed Spaceinvader One's new guide using wildcard and SSL with my own domain name. I'm not very good at this but I've followed a lot of guides from Spaceinvader One and this is the first one that I just can't get working. I'll post the log file from letsencrypt. I'm really stuck and I think I've tried everything.

 

 

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
generating self-signed keys in /config/keys, you can replace these with your own keys if required
Generating a RSA private key
........+++++
....................+++++
writing new private key to '/config/keys/cert.key'
-----
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=reverseproxy.nu
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=dns
DNSPLUGIN=cloudflare
EMAIL=oskar.ax@me.com
STAGING=

Created donoteditthisfile.conf
Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
...............................................+..............................................................................................................................+.....................................................+...................................+.................................................+............................+.............+..........................................+.........................................................................................................................................................................................................................+...........................................................+...........................+..................................................+......+....................................................................+........................................................+......................................................................................................................................................................+........................................................................................................................................................................+............................................................................+............................................+................................................N[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
usermod: no changes

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=reverseproxy.nu
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=dns
DNSPLUGIN=cloudflare
EMAIL=oskar.ax@me.com
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of reverseproxy.nu will be requested
E-mail address entered: oskar.ax@me.com
dns validation via cloudflare plugin is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for reverseproxy.nu
Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Waiting for verification...
Challenge failed for domain reverseproxy.nu
dns-01 challenge for reverseproxy.nu
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: reverseproxy.nu
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for
_acme-challenge.reverseproxy.nu - the domain's nameservers may be
malfunctioning
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.
 

 

AND the above error is a mystery as I have edited it with the API key and email address as the guide states.

 

Please I need help.

1 hour ago, oskarax said:

Hi! I've been trying for days now to get this going and I've followed every guide I could find. I want to be able to access my Nextcloud from outside my network. First I tried the "regular" way with http and duckdns but no luck. After that I followed Spaceinvader One's new guide using wildcard and SSL with my own domain name. I'm not very good at this but I've followed a lot of guides from Spaceinvader One and this is the first one that I just can't get working. I'll post the log file from letsencrypt. I'm really stuck and I think I've tried everything.

 

 


A couple of others on discord mentioned a cloudflare outage that resulted in the same outcome as above. No errors setting txt records, but they can't be verified.
