bigmak 0 Posted May 3 (edited) Any chance anyone can post their working Dokuwiki nginx configuration as well as any changes to settings they made within Dokuwiki itself? I've been trying various things without any success. There have been a few comments in this thread on the subject but nobody ever confirmed what the final configuration was actually... edit: OK, finally figured out what was wrong. In the nginx configuration file, I was updating the port number to match the docker container when it needs to remain as the app port number. Also, zero changes were required within dokuwiki to make it work. Dumb on my part, I know; I'm still learning... Edited May 3 by bigmak Figured out issue Quote Share this post Link to post
RandomGeekyGuy 0 Posted May 5 Hei guys and gals This might be an obvious thing but i am a noob to the more advanced stuff on here. I am trying to access my nextcloud and my server via the internet but i am unable to do so. (would like to make a wordpress webiste run on it as well at some point) I have followed spaceinvaders guides, but i have had to mix and match between them since my ISP uses port 80. That means i have used his guide on how to setup a reverse proxy and then overwritten everything that he mentions in his DNS verification video. I have my own domain But no matter what i do it simply says This site can’t be reached Quote Share this post Link to post
Revrto 0 Posted May 6 (edited) All, Any help you all can provide would be greatly appreciated. I am stuck in a “less than desirable” network layout and have been beating my head against this wall for the past few days and I am at a loss. Apologies in advance for the book. Background: I have started experimenting with the letsencrypt docker as a reverse proxy to access services externally and so far, external services are working. I purchased my own domain name and have that CNAME point over to DuckDNS. I am using a pfSense VM on Unraid as my router and configured everything as Spaceinvader One recommends. Unfortunately, I am in an apartment with a roommate who refuses to let his devices fall under my network because he does not want a chance of his games being disrupted. So, I am currently forced to have my pfSense router double NAT underneath his Spectrum(ISP) provided router (I know that is terrible and it does pain me to say it). I was able to place my pfSense router in the DMZ on his router to at least get external services working. (i.e. nextcloud, etc.) However, even though pfSense supports NAT reflection the ISP router does not. So, I cannot access the devices through their domain name (i.e. nextcloud.mydomain.com) and thus do not have https connections on the local network. I thought this would not be a big deal and I would use DNS host overrides in pfSense to do a Split-DNS, however the pfSense host override does not allow DNS host assignments to IP and port (i.e. 192.168.1.5:443). It goes straight to port 80/443. This ends up that anything I try to resolve on the server dumps me at the Unraid WebUI. Objectives: Hopefully, that is enough background. My two objectives I cannot find answers on anywhere are: 1. How should I work around this host override/NAT reflection issue? I am open to other ideas, but I was thinking of swapping the Unraid WebUI and letsencrypt proxy ports so it routes through the proxy but then I can't find anywhere that says how to have letsencrypt make a cert and passthrough the unraid UI as a subdomain (i.e. UnraidUI.mydomain.com). 2. Related, how can I have the letsencrypt reverse proxy provide valid domains and certificates to other devices and dockers yet restrict them to only the local network. For example, I would like letsencrypt to provide a valid domain name and cert to my pfSense router residing on 192.168.1.1 and make it so It had a valid cert from letsencrypt but the subdomain ‘pfsense.mydomain.com’ was only accessible from the internal network. I am open to any other solutions be they in docker, Unraid, or pfSense. Thanks in advance for any help. This has been making my eyes bleed for days. V/R Revrto Edited May 6 by Revrto spelling errors Quote Share this post Link to post
CiaoCiao 4 Posted May 6 (edited) Hello everyone, I am setting up Letsencrypt following SpaceInvaderOne's video tutorial. I am having a hard time getting the validation process to pass successfully. I own a domain name and my IP is static, so I did not enter "duckdns.org" in the container settings since this would be useless. I entered my custom domain name instead. Also, I have already created two subdomains which are pointing at my public static IP. The HTPP and HTTPS ports I entered in the container template before installing are forwarded to my Unraid server's local static IP. I should probably also mention I think it is weird that the Letsencrypt container is displayed in the Dashboard tab but not in the Docker tab... Could you please give me a hint as to what to check or change to get this to work? Thank you in advance. Here are the logs : Quote [s6-init] making user provided files available at /var/run/s6/etc...exited 0. [s6-init] ensuring user provided files have correct perms...exited 0. [fix-attrs.d] applying ownership & permissions fixes... [fix-attrs.d] done. [cont-init.d] executing container initialization scripts... [cont-init.d] 01-envfile: executing... [cont-init.d] 01-envfile: exited 0. [cont-init.d] 10-adduser: executing... ------------------------------------- _ () | | ___ _ __ | | / __| | | / \ | | \__ \ | | | () | |_| |___/ |_| \__/ Brought to you by linuxserver.io ------------------------------------- To support the app dev(s) visit: Let's Encrypt: https://letsencrypt.org/donate/ To support LSIO projects visit: https://www.linuxserver.io/donate/ ------------------------------------- GID/UID ------------------------------------- User uid: 99 User gid: 100 ------------------------------------- [cont-init.d] 10-adduser: exited 0. [cont-init.d] 20-config: executing... [cont-init.d] 20-config: exited 0. [cont-init.d] 30-keygen: executing... using keys found in /config/keys [cont-init.d] 30-keygen: exited 0. [cont-init.d] 50-config: executing... Variables set: PUID=99 PGID=100 TZ=America/Los_Angeles URL=mydomain.net SUBDOMAINS=firstsubdomain,secondsubdomain EXTRA_DOMAINS= ONLY_SUBDOMAINS=true DHLEVEL=2048 VALIDATION=http DNSPLUGIN= EMAIL=somethingsomething@gmail.com STAGING= 2048 bit DH parameters present SUBDOMAINS entered, processing SUBDOMAINS entered, processing Only subdomains, no URL in cert Sub-domains processed are: -d firstsubdomain.mydomain.net -d secondsubdomain.mydomain.net E-mail address entered: somethingsomething@gmail.com http validation is selected Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created Generating new certificate Saving debug log to /var/log/letsencrypt/letsencrypt.log Plugins selected: Authenticator standalone, Installer None Obtaining a new certificate Performing the following challenges: http-01 challenge for firstsubdomain.mydomain.net http-01 challenge for secondsubdomain.mydomain.net Waiting for verification... Challenge failed for domain firstsubdomain.mydomain.net Challenge failed for domain secondsubdomain.mydomain.net http-01 challenge for firstsubdomain.mydomain.net http-01 challenge for secondsubdomain.mydomain.net Cleaning up challenges Some challenges have failed. Edited May 6 by CiaoCiao Quote Share this post Link to post
aptalca 306 Posted May 6 9 hours ago, Revrto said: All, Any help you all can provide would be greatly appreciated. I am stuck in a “less than desirable” network layout and have been beating my head against this wall for the past few days and I am at a loss. Apologies in advance for the book. Background: I have started experimenting with the letsencrypt docker as a reverse proxy to access services externally and so far, external services are working. I purchased my own domain name and have that CNAME point over to DuckDNS. I am using a pfSense VM on Unraid as my router and configured everything as Spaceinvader One recommends. Unfortunately, I am in an apartment with a roommate who refuses to let his devices fall under my network because he does not want a chance of his games being disrupted. So, I am currently forced to have my pfSense router double NAT underneath his Spectrum(ISP) provided router (I know that is terrible and it does pain me to say it). I was able to place my pfSense router in the DMZ on his router to at least get external services working. (i.e. nextcloud, etc.) However, even though pfSense supports NAT reflection the ISP router does not. So, I cannot access the devices through their domain name (i.e. nextcloud.mydomain.com) and thus do not have https connections on the local network. I thought this would not be a big deal and I would use DNS host overrides in pfSense to do a Split-DNS, however the pfSense host override does not allow DNS host assignments to IP and port (i.e. 192.168.1.5:443). It goes straight to port 80/443. This ends up that anything I try to resolve on the server dumps me at the Unraid WebUI. Objectives: Hopefully, that is enough background. My two objectives I cannot find answers on anywhere are: 1. How should I work around this host override/NAT reflection issue? I am open to other ideas, but I was thinking of swapping the Unraid WebUI and letsencrypt proxy ports so it routes through the proxy but then I can't find anywhere that says how to have letsencrypt make a cert and passthrough the unraid UI as a subdomain (i.e. UnraidUI.mydomain.com). 2. Related, how can I have the letsencrypt reverse proxy provide valid domains and certificates to other devices and dockers yet restrict them to only the local network. For example, I would like letsencrypt to provide a valid domain name and cert to my pfSense router residing on 192.168.1.1 and make it so It had a valid cert from letsencrypt but the subdomain ‘pfsense.mydomain.com’ was only accessible from the internal network. I am open to any other solutions be they in docker, Unraid, or pfSense. Thanks in advance for any help. This has been making my eyes bleed for days. V/R Revrto Well, I couldn't get nat reflection to work on pfsense even without double nat, so maybe that's some consolation for you. I am also using split dns. With that, we have no choice but to run letsencrypt on at least port 443. You'll have to change unraid's https port to something else. I kept unraid on port 80 for http, so when I hit my addresses inside my lan, I use the https endpoint and all is well. Quote Share this post Link to post
aptalca 306 Posted May 6 44 minutes ago, CiaoCiao said: Hello everyone, I am setting up Letsencrypt following SpaceInvaderOne's video tutorial. I am having a hard time getting the validation process to pass successfully. I own a domain name and my IP is static, so I did not enter "duckdns.org" in the container settings since this would be useless. I entered my custom domain name instead. Also, I have already created two subdomains which are pointing at my public static IP. The HTPP and HTTPS ports I entered in the container template before installing are forwarded to my Unraid server's local static IP. I should probably also mention I think it is weird that the Letsencrypt container is displayed in the Dashboard tab but not in the Docker tab... Could you please give me a hint as to what to check or change to get this to work? Thank you in advance. Here are the logs : Follow this: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/ 1 Quote Share this post Link to post
Revrto 0 Posted May 6 2 minutes ago, aptalca said: Well, I couldn't get nat reflection to work on pfsense even without double nat, so maybe that's some consolation for you. I am also using split dns. With that, we have no choice but to run letsencrypt on at least port 443. You'll have to change unraid's https port to something else. I kept unraid on port 80 for http, so when I hit my addresses inside my lan, I use the https endpoint and all is well. Thats, what I was thinking about doing but I cant figure out a way to have letsencrypt pass through a valid cert to unraid and point it at that IP. Much less doing that while restricting access to that device to only the local network. Similar to the pfSense example in my second question. Quote Share this post Link to post
aptalca 306 Posted May 6 3 minutes ago, Revrto said: Thats, what I was thinking about doing but I cant figure out a way to have letsencrypt pass through a valid cert to unraid and point it at that IP. Much less doing that while restricting access to that device to only the local network. Similar to the pfSense example in my second question. You don't need to provide certs to anything else. You can reverse proxy. You'll also still be able to access unraid on port 80 with http via its ip. If you want remote access, reverse proxy it. You can use allow/deny statements to control access. There is a post here on one of the last couple of pages about that. Quote Share this post Link to post
Revrto 0 Posted May 6 23 minutes ago, aptalca said: You don't need to provide certs to anything else. You can reverse proxy. You'll also still be able to access unraid on port 80 with http via its ip. If you want remote access, reverse proxy it. You can use allow/deny statements to control access. There is a post here on one of the last couple of pages about that. I think that makes sense if i switch to dns verification and use a wildcard for the certs (I have not migrated that yet). I saw the post about proxy_pass and that seems like it might work if I pair that with danioj's method of restricting to local. You mentioned to him about using http auth as well for good measure. I am not familiar with it, I assume that is different than using 2FA with an authenticator, correct?. Could you point me to a link on implementing it in this scenario? Thanks btw for all your help. Quote Share this post Link to post
guilhem31 0 Posted May 6 (edited) Hi everybody I'm struggling with my reverse proxy setup. I followed the spaceinvader's tutorial, using DNS verification (with an OVH domain name). The logs seem to be ok, server running. Ports opened. But I'm getting this when I try to reach radarr.mydomain.com (or any subdomain I configured) Any hint how to debug all this ? Edited May 6 by guilhem31 More info Quote Share this post Link to post
rragu 0 Posted May 7 I installed LSIO's code-server container and set up a reverse proxy using the LSIO LetsEncrypt container. My issue is: on Firefox, once I go to code.mydomain.com and log in with the password I set in the code-server container, I just get a blank page. However, the same site works perfectly fine on Chrome and Edge. I know I'm being kinda vague. But any ideas as to why this might be or what I should start checking for? Quote Share this post Link to post
saarg 369 Posted May 7 3 hours ago, rragu said: I installed LSIO's code-server container and set up a reverse proxy using the LSIO LetsEncrypt container. My issue is: on Firefox, once I go to code.mydomain.com and log in with the password I set in the code-server container, I just get a blank page. However, the same site works perfectly fine on Chrome and Edge. I know I'm being kinda vague. But any ideas as to why this might be or what I should start checking for? Blank page is usually an add-on blocking something. Quote Share this post Link to post
guilhem31 0 Posted May 7 9 hours ago, guilhem31 said: Hi everybody I'm struggling with my reverse proxy setup. I followed the spaceinvader's tutorial, using DNS verification (with an OVH domain name). The logs seem to be ok, server running. Ports opened. But I'm getting this when I try to reach radarr.mydomain.com (or any subdomain I configured) Any hint how to debug all this ? I saw that accessing to this adress via WIFI gets me this error page, while accessing via LTE network shows me a 500 Internal Server Error So I looked into the Nginx error logs : 2020/05/07 08:55:09 [error] 415#415: *66 connect() failed (111: Connection refused) while connecting to upstream, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", subrequest: "/auth", upstream: "http://45.13.xxx.xxx:7878/auth", host: "radarr.nasdoury.ovh" 2020/05/07 08:55:09 [error] 415#415: *66 auth request unexpected status: 502 while sending to client, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", host: "radarr.nasdoury.ovh" I don't understand the problem at all ^^ Quote Share this post Link to post
aptalca 306 Posted May 7 5 hours ago, guilhem31 said: I saw that accessing to this adress via WIFI gets me this error page, while accessing via LTE network shows me a 500 Internal Server Error So I looked into the Nginx error logs : 2020/05/07 08:55:09 [error] 415#415: *66 connect() failed (111: Connection refused) while connecting to upstream, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", subrequest: "/auth", upstream: "http://45.13.xxx.xxx:7878/auth", host: "radarr.nasdoury.ovh" 2020/05/07 08:55:09 [error] 415#415: *66 auth request unexpected status: 502 while sending to client, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", host: "radarr.nasdoury.ovh" I don't understand the problem at all ^^ Post the proxy conf you used Quote Share this post Link to post
guilhem31 0 Posted May 7 9 minutes ago, aptalca said: Post the proxy conf you used My bad, I just solved the problem (and my proxy conf was fine ) I use MPTCProuter to handle my network in my house, and a setting was wrong (i don't know why it changed recently), now that I set it the right way, everything is working !! Thanks aptaica for your interest Quote Share this post Link to post
rragu 0 Posted May 7 14 hours ago, saarg said: Blank page is usually an add-on blocking something. @saarg Thanks! uBlock Origin was the culprit. Apparently, it's not a fan of duckdns.org? I had planned to switch from duckdns to cloudflare-ddns anyway. After doing so, the site is working properly in Firefox with uBlock Origin still enabled. Quote Share this post Link to post
CiaoCiao 4 Posted May 8 (edited) On 5/6/2020 at 3:37 PM, aptalca said: Follow this: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/ Hello and thank you for this link. I finally figured out how to redirect the ports properly. So now in the Letsencrypt container logs I get "server ready". But there seem to be two issues : The Letsencrypt container is only present in the Dashboard tab, not in the Docker tab. Is that normal?! In the logs, after the "Server ready" line, I get a never ending repetition of the following line : Quote nginx: [emerg] invalid URL prefix in /config/nginx/site-confs/default:19 Edited May 8 by CiaoCiao Quote Share this post Link to post
saarg 369 Posted May 8 1 hour ago, CiaoCiao said: Hello and thank you for this link. I finally figured out how to redirect the ports properly. So now in the Letsencrypt container logs I get "server ready". But there seem to be two issues : The Letsencrypt container is only present in the Dashboard tab, not in the Docker tab. Is that normal?! In the logs, after the "Server ready" line, I get a never ending repetition of the following line : 1. Something unrelated to the container, so probably better to ask for help in general help area. 2. That means you have an error in the file mentioned on line 19. 1 Quote Share this post Link to post
Bleak 1 Posted May 9 (edited) Hey so I am trying to setup basic auth with fail2ban and the authenticating is working great but fail2ban does not seem to do it's part: 020-05-09 18:31:32,502 fail2ban.filter [388]: INFO [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:31 2020-05-09 18:31:38,515 fail2ban.filter [388]: INFO [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:37 2020-05-09 18:31:43,727 fail2ban.filter [388]: INFO [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:43 2020-05-09 18:31:44,462 fail2ban.actions [388]: NOTICE [nginx-http-auth] Ban 84.241.199.134 2020-05-09 18:31:44,465 fail2ban.utils [388]: #39-Lev. 1501c3a14110 -- exec: iptables -w -N f2b-nginx-http-auth iptables -w -A f2b-nginx-http-auth -j RETURN iptables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth 2020-05-09 18:31:44,466 fail2ban.utils [388]: ERROR 1501c3a14110 -- stderr: "iptables v1.8.3 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)" 2020-05-09 18:31:44,466 fail2ban.utils [388]: ERROR 1501c3a14110 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.' 2020-05-09 18:31:44,466 fail2ban.utils [388]: ERROR 1501c3a14110 -- stderr: "iptables v1.8.3 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)" 2020-05-09 18:31:44,466 fail2ban.utils [388]: ERROR 1501c3a14110 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.' 2020-05-09 18:31:44,466 fail2ban.utils [388]: ERROR 1501c3a14110 -- stderr: 'getsockopt failed strangely: Operation not permitted' 2020-05-09 18:31:44,466 fail2ban.utils [388]: ERROR 1501c3a14110 -- returned 1 2020-05-09 18:31:44,467 fail2ban.actions [388]: ERROR Failed to execute ban jail 'nginx-http-auth' action 'iptables-multiport' info 'ActionInfo({'ip': '84.241.199.134', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x1501c3ece3a0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x1501c3ece940>})': Error starting action Jail('nginx-http-auth')/iptables-multiport 2020-05-09 18:31:48,940 fail2ban.filter [388]: INFO [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:48 2020-05-09 18:31:54,150 fail2ban.filter [388]: INFO [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:54 2020-05-09 18:31:59,362 fail2ban.filter [388]: INFO [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:58 2020-05-09 18:31:59,686 fail2ban.actions [388]: NOTICE [nginx-http-auth] 84.241.199.134 already banned 2020-05-09 18:32:05,374 fail2ban.filter [388]: INFO [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:32:04 Basically trying from my phone on 4g to get myself banned but i can just keep retrying even though max retry's is at 3 if i try it for the 10th time and enter it correctly i just get in. dont know what the above errors mean tried to google it but did not find anything that helped me.. Edited May 9 by Bleak Quote Share this post Link to post
Bleak 1 Posted May 9 (edited) Added --cap-add=NET_ADMIN to extra parameters. Found it somewhere in a forum apparently it should be mentioned somewhere that you need this but could not find it. Can someone link me something that explains what this does exactly? (or tell me ofcourse) want to understand what i just did and why i missed it.. Edited May 9 by Bleak Quote Share this post Link to post
aptalca 306 Posted May 9 49 minutes ago, Bleak said: Added --cap-add=NET_ADMIN to extra parameters. Found it somewhere in a forum apparently it should be mentioned somewhere that you need this but could not find it. Perhaps you should read the readme linked in the first post Quote Share this post Link to post
Bleak 1 Posted May 9 (edited) 10 minutes ago, aptalca said: Perhaps you should read the readme linked in the first post I swear I've searched this whole thing 10 times no clue how I missed this... Thanks anyway sorry for missing this.. Edited May 9 by Bleak Quote Share this post Link to post
Marshalleq 68 Posted May 10 Hi all, anyone know if the lets encrypt container supports the mail directive? Am trying to use it to proxy imap and smtp. Many thanks. Quote Share this post Link to post
aptalca 306 Posted May 10 1 hour ago, Marshalleq said: Hi all, anyone know if the lets encrypt container supports the mail directive? Am trying to use it to proxy imap and smtp. Many thanks. I believe there is sendmail in there Quote Share this post Link to post
StandardToast 0 Posted May 10 Hi, Posting here because I think I am having an issue with my reverse proxy rather than next cloud itself. Original post is here getting a 502 bad gateway error. Any help would be appreciated. Quote Share this post Link to post
