
[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)

4916 posts in this topic


Posted (edited)

Any chance anyone can post their working Dokuwiki nginx configuration as well as any changes to settings they made within Dokuwiki itself? I've been trying various things without any success. There have been a few comments in this thread on the subject but nobody ever confirmed what the final configuration was actually...

 

edit: OK, finally figured out what was wrong. In the nginx configuration file, I was updating the port number to match the docker container when it needs to remain as the app port number. Also, zero changes were required within Dokuwiki to make it work. Dumb on my part, I know; I'm still learning...

Edited by bigmak
Figured out issue


Hei guys and gals

This might be an obvious thing but I am a noob to the more advanced stuff on here.

I am trying to access my Nextcloud and my server via the internet but I am unable to do so. (I would like to make a WordPress website run on it as well at some point.)
I have followed Spaceinvader's guides, but I have had to mix and match between them since my ISP uses port 80. That means I have used his guide on how to set up a reverse proxy and then overwritten everything that he mentions in his DNS verification video.
I have my own domain.

But no matter what I do it simply says "This site can’t be reached".

Posted (edited)

All,

 

Any help you all can provide would be greatly appreciated. I am stuck in a “less than desirable” network layout and have been beating my head against this wall for the past few days and I am at a loss. Apologies in advance for the book.

 

Background: I have started experimenting with the letsencrypt docker as a reverse proxy to access services externally and so far, external services are working. I purchased my own domain name and have that CNAME point over to DuckDNS. I am using a pfSense VM on Unraid as my router and configured everything as Spaceinvader One recommends. Unfortunately, I am in an apartment with a roommate who refuses to let his devices fall under my network because he does not want a chance of his games being disrupted. So, I am currently forced to have my pfSense router double NAT underneath his Spectrum (ISP) provided router (I know that is terrible and it does pain me to say it). I was able to place my pfSense router in the DMZ on his router to at least get external services working (i.e. Nextcloud, etc.). However, even though pfSense supports NAT reflection, the ISP router does not. So, I cannot access the devices through their domain name (i.e. nextcloud.mydomain.com) and thus do not have HTTPS connections on the local network. I thought this would not be a big deal and I would use DNS host overrides in pfSense to do a split DNS; however, the pfSense host override does not allow DNS host assignments to IP and port (i.e. 192.168.1.5:443). It goes straight to port 80/443. The result is that anything I try to resolve on the server dumps me at the Unraid WebUI.

 

Objectives: Hopefully, that is enough background. My two objectives I cannot find answers on anywhere are:

1. How should I work around this host override/NAT reflection issue? I am open to other ideas, but I was thinking of swapping the Unraid WebUI and letsencrypt proxy ports so it routes through the proxy, but then I can't find anywhere that says how to have letsencrypt make a cert and pass through the Unraid UI as a subdomain (i.e. UnraidUI.mydomain.com).

2. Related, how can I have the letsencrypt reverse proxy provide valid domains and certificates to other devices and dockers yet restrict them to only the local network? For example, I would like letsencrypt to provide a valid domain name and cert to my pfSense router residing on 192.168.1.1 and make it so it had a valid cert from letsencrypt but the subdomain ‘pfsense.mydomain.com’ was only accessible from the internal network.

I am open to any other solutions be they in docker, Unraid, or pfSense.

 

Thanks in advance for any help. This has been making my eyes bleed for days.

 

V/R

 

Revrto

Edited by Revrto
spelling errors

Posted (edited)

Hello everyone,

 

I am setting up Letsencrypt following SpaceInvaderOne's video tutorial.

 

I am having a hard time getting the validation process to pass successfully.

 

I own a domain name and my IP is static, so I did not enter "duckdns.org" in the container settings since this would be useless. I entered my custom domain name instead.

Also, I have already created two subdomains which are pointing at my public static IP.

 

The HTTP and HTTPS ports I entered in the container template before installing are forwarded to my Unraid server's local static IP.

 

I should probably also mention I think it is weird that the Letsencrypt container is displayed in the Dashboard tab but not in the Docker tab...

 

Could you please give me a hint as to what to check or change to get this to work?

 

Thank you in advance.

 

Here are the logs:

Quote

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Let's Encrypt: https://letsencrypt.org/donate/

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=mydomain.net
SUBDOMAINS=firstsubdomain,secondsubdomain
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=somethingsomething@gmail.com
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d firstsubdomain.mydomain.net -d secondsubdomain.mydomain.net
E-mail address entered: somethingsomething@gmail.com
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for firstsubdomain.mydomain.net
http-01 challenge for secondsubdomain.mydomain.net
Waiting for verification...
Challenge failed for domain firstsubdomain.mydomain.net
Challenge failed for domain secondsubdomain.mydomain.net
http-01 challenge for firstsubdomain.mydomain.net
http-01 challenge for secondsubdomain.mydomain.net
Cleaning up challenges
Some challenges have failed.

 

Edited by CiaoCiao

9 hours ago, Revrto said:

All,

 

Any help you all can provide would be greatly appreciated. I am stuck in a “less than desirable” network layout and have been beating my head against this wall for the past few days and I am at a loss. Apologies in advance for the book.

 

Background: I have started experimenting with the letsencrypt docker as a reverse proxy to access services externally and so far, external services are working. I purchased my own domain name and have that CNAME point over to DuckDNS. I am using a pfSense VM on Unraid as my router and configured everything as Spaceinvader One recommends. Unfortunately, I am in an apartment with a roommate who refuses to let his devices fall under my network because he does not want a chance of his games being disrupted. So, I am currently forced to have my pfSense router double NAT underneath his Spectrum (ISP) provided router (I know that is terrible and it does pain me to say it). I was able to place my pfSense router in the DMZ on his router to at least get external services working (i.e. Nextcloud, etc.). However, even though pfSense supports NAT reflection, the ISP router does not. So, I cannot access the devices through their domain name (i.e. nextcloud.mydomain.com) and thus do not have HTTPS connections on the local network. I thought this would not be a big deal and I would use DNS host overrides in pfSense to do a split DNS; however, the pfSense host override does not allow DNS host assignments to IP and port (i.e. 192.168.1.5:443). It goes straight to port 80/443. The result is that anything I try to resolve on the server dumps me at the Unraid WebUI.

 

Objectives: Hopefully, that is enough background. My two objectives I cannot find answers on anywhere are:

1. How should I work around this host override/NAT reflection issue? I am open to other ideas, but I was thinking of swapping the Unraid WebUI and letsencrypt proxy ports so it routes through the proxy, but then I can't find anywhere that says how to have letsencrypt make a cert and pass through the Unraid UI as a subdomain (i.e. UnraidUI.mydomain.com).

2. Related, how can I have the letsencrypt reverse proxy provide valid domains and certificates to other devices and dockers yet restrict them to only the local network? For example, I would like letsencrypt to provide a valid domain name and cert to my pfSense router residing on 192.168.1.1 and make it so it had a valid cert from letsencrypt but the subdomain ‘pfsense.mydomain.com’ was only accessible from the internal network.

I am open to any other solutions be they in docker, Unraid, or pfSense.

 

Thanks in advance for any help. This has been making my eyes bleed for days.

 

V/R

 

Revrto

Well, I couldn't get NAT reflection to work on pfSense even without double NAT, so maybe that's some consolation for you. I am also using split DNS. With that, we have no choice but to run letsencrypt on at least port 443. You'll have to change Unraid's HTTPS port to something else. I kept Unraid on port 80 for HTTP, so when I hit my addresses inside my LAN, I use the HTTPS endpoint and all is well.

44 minutes ago, CiaoCiao said:

Hello everyone,

 

I am setting up Letsencrypt following SpaceInvaderOne's video tutorial.

 

I am having a hard time getting the validation process to pass successfully.

 

I own a domain name and my IP is static, so I did not enter "duckdns.org" in the container settings since this would be useless. I entered my custom domain name instead.

Also, I have already created two subdomains which are pointing at my public static IP.

 

The HTTP and HTTPS ports I entered in the container template before installing are forwarded to my Unraid server's local static IP.

 

I should probably also mention I think it is weird that the Letsencrypt container is displayed in the Dashboard tab but not in the Docker tab...

 

Could you please give me a hint as to what to check or change to get this to work?

 

Thank you in advance.

 

Here are the logs:

 

Follow this: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

2 minutes ago, aptalca said:

Well, I couldn't get NAT reflection to work on pfSense even without double NAT, so maybe that's some consolation for you. I am also using split DNS. With that, we have no choice but to run letsencrypt on at least port 443. You'll have to change Unraid's HTTPS port to something else. I kept Unraid on port 80 for HTTP, so when I hit my addresses inside my LAN, I use the HTTPS endpoint and all is well.

That's what I was thinking about doing, but I can't figure out a way to have letsencrypt pass through a valid cert to Unraid and point it at that IP. Much less doing that while restricting access to that device to only the local network. Similar to the pfSense example in my second question.

3 minutes ago, Revrto said:

That's what I was thinking about doing, but I can't figure out a way to have letsencrypt pass through a valid cert to Unraid and point it at that IP. Much less doing that while restricting access to that device to only the local network. Similar to the pfSense example in my second question.

You don't need to provide certs to anything else. You can reverse proxy. You'll also still be able to access Unraid on port 80 with HTTP via its IP. If you want remote access, reverse proxy it. You can use allow/deny statements to control access. There is a post here on one of the last couple of pages about that.

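Since the reply above points at nginx allow/deny statements as the way to keep a reverse-proxied service LAN-only, here is an added example (not code from the thread or from the linuxserver.io project) that parses an nginx-style allow/deny directive list and evaluates it the way ngx_http_access_module does: directives are checked in file order, the first match decides, and a client matched by no rule is allowed. The two directive snippets, the client addresses and the function names `parse_access_rules`, `is_allowed` and `find_shadowed_rules` are all constructed for this example.

```python
"""Evaluate nginx-style allow/deny directives against client addresses.

Added example (not from the thread or the linuxserver.io project). It models
ngx_http_access_module semantics: directives are checked in file order, the
first match decides, and a client matched by no rule is allowed, which is why
a LAN-only location must end with `deny all;`. Snippets below are constructed.
"""
import ipaddress
import re

DIRECTIVE_RE = re.compile(r"^\s*(allow|deny)\s+(\S+?)\s*;\s*$")

# Constructed: the intended LAN-only block (home LAN plus the docker bridge range)
LAN_ONLY = """
    allow 192.168.1.0/24;
    allow 172.16.0.0/12;
    deny all;
"""

# Constructed: the same rules in the wrong order. `deny all` matches first, so the
# allow line is dead and even LAN clients get 403.
MISORDERED = """
    deny all;
    allow 192.168.1.0/24;   # never reached
"""


def parse_access_rules(conf_text):
    """Return [(action, network_or_None)] in file order; None stands for `all`."""
    rules = []
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0]            # drop trailing comments
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue                            # not an access directive
        action, target = m.groups()
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def is_allowed(rules, client_ip):
    """First matching rule wins; IPv4 rules never match IPv6 peers and vice versa."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (net.version == ip.version and ip in net):
            return action == "allow"
    return True                                 # nginx: no match -> access granted


def find_shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier `all` rule precedes them."""
    shadowed, seen_all = [], False
    for i, (_action, net) in enumerate(rules):
        if seen_all:
            shadowed.append(i)
        if net is None:
            seen_all = True
    return shadowed


if __name__ == "__main__":
    for label, conf in (("LAN_ONLY", LAN_ONLY), ("MISORDERED", MISORDERED)):
        rules = parse_access_rules(conf)
        for client in ("192.168.1.5", "172.18.0.2", "203.0.113.9", "2001:db8::1"):
            verdict = "allow" if is_allowed(rules, client) else "deny"
            print(f"{label:10} {client:15} -> {verdict}")
        print(f"{label:10} shadowed rule indexes: {find_shadowed_rules(rules)}")
```

nginx matches these directives against the connection's peer address (`$remote_addr`), not against request headers, so a client cannot talk its way past `deny all` with an X-Forwarded-For header. The flip side is that if another proxy sits in front of the letsencrypt container, every request arrives from that proxy's address and the rules no longer tell LAN from internet; in the double-NAT layout described above the DMZ forwarding leaves the source address intact, so the rules still work. Note also that an IPv6 client is only caught by the `deny all` line here, since none of the allow rules are IPv6 networks.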
23 minutes ago, aptalca said:

You don't need to provide certs to anything else. You can reverse proxy. You'll also still be able to access Unraid on port 80 with HTTP via its IP. If you want remote access, reverse proxy it. You can use allow/deny statements to control access. There is a post here on one of the last couple of pages about that.

I think that makes sense if I switch to DNS verification and use a wildcard for the certs (I have not migrated that yet). I saw the post about proxy_pass and that seems like it might work if I pair that with danioj's method of restricting to local. You mentioned to him about using HTTP auth as well for good measure. I am not familiar with it; I assume that is different than using 2FA with an authenticator, correct? Could you point me to a link on implementing it in this scenario?

 

Thanks btw for all your help.

Posted (edited)

Hi everybody :)

 

I'm struggling with my reverse proxy setup.

I followed Spaceinvader's tutorial, using DNS verification (with an OVH domain name).

The logs seem to be ok, server running. Ports opened.

But I'm getting this when I try to reach radarr.mydomain.com (or any subdomain I configured)

 

[attached screenshot: QKG99GF.png]

 

Any hint on how to debug all this?

Edited by guilhem31
More info


I installed LSIO's code-server container and set up a reverse proxy using the LSIO LetsEncrypt container.

 

My issue is: on Firefox, once I go to code.mydomain.com and log in with the password I set in the code-server container, I just get a blank page. However, the same site works perfectly fine on Chrome and Edge.

 

I know I'm being kinda vague. But any ideas as to why this might be or what I should start checking for?

3 hours ago, rragu said:

I installed LSIO's code-server container and set up a reverse proxy using the LSIO LetsEncrypt container.

 

My issue is: on Firefox, once I go to code.mydomain.com and log in with the password I set in the code-server container, I just get a blank page. However, the same site works perfectly fine on Chrome and Edge.

 

I know I'm being kinda vague. But any ideas as to why this might be or what I should start checking for?

Blank page is usually an add-on blocking something.

9 hours ago, guilhem31 said:

Hi everybody :)

 

I'm struggling with my reverse proxy setup.

I followed Spaceinvader's tutorial, using DNS verification (with an OVH domain name).

The logs seem to be ok, server running. Ports opened.

But I'm getting this when I try to reach radarr.mydomain.com (or any subdomain I configured)

 

[attached screenshot: QKG99GF.png]

 

Any hint on how to debug all this?

I saw that accessing this address via WiFi gets me this error page, while accessing via the LTE network shows me a 500 Internal Server Error.

So I looked into the Nginx error logs:

2020/05/07 08:55:09 [error] 415#415: *66 connect() failed (111: Connection refused) while connecting to upstream, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", subrequest: "/auth", upstream: "http://45.13.xxx.xxx:7878/auth", host: "radarr.nasdoury.ovh"
2020/05/07 08:55:09 [error] 415#415: *66 auth request unexpected status: 502 while sending to client, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", host: "radarr.nasdoury.ovh"

I don't understand the problem at all ^^

5 hours ago, guilhem31 said:

I saw that accessing this address via WiFi gets me this error page, while accessing via the LTE network shows me a 500 Internal Server Error.

So I looked into the Nginx error logs:


2020/05/07 08:55:09 [error] 415#415: *66 connect() failed (111: Connection refused) while connecting to upstream, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", subrequest: "/auth", upstream: "http://45.13.xxx.xxx:7878/auth", host: "radarr.nasdoury.ovh"
2020/05/07 08:55:09 [error] 415#415: *66 auth request unexpected status: 502 while sending to client, client: 37.171.xxx.xxx, server: radarr.*, request: "GET / HTTP/2.0", host: "radarr.nasdoury.ovh"

I don't understand the problem at all ^^

Post the proxy conf you used

9 minutes ago, aptalca said:

Post the proxy conf you used

My bad, I just solved the problem (and my proxy conf was fine ;) )

I use MPTCProuter to handle my network in my house, and a setting was wrong (I don't know why it changed recently); now that I set it the right way, everything is working!!

Thanks aptalca for your interest

14 hours ago, saarg said:

Blank page is usually an add-on blocking something.

@saarg Thanks! uBlock Origin was the culprit. Apparently, it's not a fan of duckdns.org?

I had planned to switch from duckdns to cloudflare-ddns anyway. After doing so, the site is working properly in Firefox with uBlock Origin still enabled.

Posted (edited)
On 5/6/2020 at 3:37 PM, aptalca said:

 

Hello and thank you for this link. I finally figured out how to redirect the ports properly.

 

So now in the Letsencrypt container logs I get "server ready".


But there seem to be two issues:

  1. The Letsencrypt container is only present in the Dashboard tab, not in the Docker tab. Is that normal?!
  2. In the logs, after the "Server ready" line, I get a never ending repetition of the following line:
    Quote

    nginx: [emerg] invalid URL prefix in /config/nginx/site-confs/default:19

Edited by CiaoCiao

1 hour ago, CiaoCiao said:

 

Hello and thank you for this link. I finally figured out how to redirect the ports properly.

 

So now in the Letsencrypt container logs I get "server ready".


But there seem to be two issues:

  1. The Letsencrypt container is only present in the Dashboard tab, not in the Docker tab. Is that normal?!
  2. In the logs, after the "Server ready" line, I get a never ending repetition of the following line:

1. Something unrelated to the container, so probably better to ask for help in general help area.

 

2. That means you have an error in the file mentioned on line 19.

Posted (edited)

Hey, so I am trying to set up basic auth with fail2ban and the authenticating is working great but fail2ban does not seem to do its part:

 

020-05-09 18:31:32,502 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:31
2020-05-09 18:31:38,515 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:37
2020-05-09 18:31:43,727 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:43
2020-05-09 18:31:44,462 fail2ban.actions        [388]: NOTICE  [nginx-http-auth] Ban 84.241.199.134
2020-05-09 18:31:44,465 fail2ban.utils          [388]: #39-Lev. 1501c3a14110 -- exec: iptables -w -N f2b-nginx-http-auth
iptables -w -A f2b-nginx-http-auth -j RETURN
iptables -w -I INPUT -p tcp -m multiport --dports http,https -j f2b-nginx-http-auth
2020-05-09 18:31:44,466 fail2ban.utils          [388]: ERROR   1501c3a14110 -- stderr: "iptables v1.8.3 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-05-09 18:31:44,466 fail2ban.utils          [388]: ERROR   1501c3a14110 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-05-09 18:31:44,466 fail2ban.utils          [388]: ERROR   1501c3a14110 -- stderr: "iptables v1.8.3 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-05-09 18:31:44,466 fail2ban.utils          [388]: ERROR   1501c3a14110 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-05-09 18:31:44,466 fail2ban.utils          [388]: ERROR   1501c3a14110 -- stderr: 'getsockopt failed strangely: Operation not permitted'
2020-05-09 18:31:44,466 fail2ban.utils          [388]: ERROR   1501c3a14110 -- returned 1
2020-05-09 18:31:44,467 fail2ban.actions        [388]: ERROR   Failed to execute ban jail 'nginx-http-auth' action 'iptables-multiport' info 'ActionInfo({'ip': '84.241.199.134', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x1501c3ece3a0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x1501c3ece940>})': Error starting action Jail('nginx-http-auth')/iptables-multiport
2020-05-09 18:31:48,940 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:48
2020-05-09 18:31:54,150 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:54
2020-05-09 18:31:59,362 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:31:58
2020-05-09 18:31:59,686 fail2ban.actions        [388]: NOTICE  [nginx-http-auth] 84.241.199.134 already banned
2020-05-09 18:32:05,374 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 84.241.199.134 - 2020-05-09 18:32:04

Basically I'm trying from my phone on 4G to get myself banned, but I can just keep retrying even though max retries is at 3; if I try it for the 10th time and enter it correctly I just get in. I don't know what the above errors mean; I tried to Google it but did not find anything that helped me..

Edited by Bleak

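The log in the post above shows the pattern that matters from a defender's point of view: fail2ban announces `Ban <ip>`, the iptables action then fails, and the same client keeps producing `Found` lines because nothing is actually blocking it. Here is an added example (not code from the thread or the linuxserver.io project) that triages a fail2ban log for exactly that: bans that were announced but whose action errored, clients still seen after such a ban, and whether the failure looks like a missing privilege. The sample lines are a shortened, constructed version of the log above with the documentation address 203.0.113.7 in place of the real one; `triage_fail2ban` and the regex names are chosen here.

```python
"""Triage fail2ban output for bans that were announced but never enforced.

Added example, not from the thread or the linuxserver.io project. The sample
log is a constructed, shortened version of the one posted above: fail2ban
logs `Ban <ip>`, the iptables-multiport action fails because iptables cannot
open the filter table, and the client keeps matching the filter afterwards.
"""
import re
from collections import defaultdict

# Constructed sample (documentation address 203.0.113.7 replaces the real client)
SAMPLE_LOG = """\
2020-05-09 18:31:32,502 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 203.0.113.7 - 2020-05-09 18:31:31
2020-05-09 18:31:38,515 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 203.0.113.7 - 2020-05-09 18:31:37
2020-05-09 18:31:43,727 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 203.0.113.7 - 2020-05-09 18:31:43
2020-05-09 18:31:44,462 fail2ban.actions        [388]: NOTICE  [nginx-http-auth] Ban 203.0.113.7
2020-05-09 18:31:44,466 fail2ban.utils          [388]: ERROR   1501c3a14110 -- stderr: "iptables v1.8.3 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-05-09 18:31:44,466 fail2ban.utils          [388]: ERROR   1501c3a14110 -- returned 1
2020-05-09 18:31:44,467 fail2ban.actions        [388]: ERROR   Failed to execute ban jail 'nginx-http-auth' action 'iptables-multiport' info 'ActionInfo(...)': Error starting action Jail('nginx-http-auth')/iptables-multiport
2020-05-09 18:31:48,940 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 203.0.113.7 - 2020-05-09 18:31:48
2020-05-09 18:31:54,150 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 203.0.113.7 - 2020-05-09 18:31:54
2020-05-09 18:31:59,686 fail2ban.actions        [388]: NOTICE  [nginx-http-auth] 203.0.113.7 already banned
"""

# Constructed: what a healthy run looks like (ban announced, no action error)
HEALTHY_LOG = """\
2020-05-09 19:00:01,000 fail2ban.filter         [388]: INFO    [nginx-http-auth] Found 203.0.113.7 - 2020-05-09 19:00:00
2020-05-09 19:00:02,000 fail2ban.actions        [388]: NOTICE  [nginx-http-auth] Ban 203.0.113.7
"""

LINE_RE = re.compile(r"^(\S+ \S+) fail2ban\.(\w+)\s+\[\d+\]: (\w+)\s+(.*)$")
BAN_RE = re.compile(r"^\[(?P<jail>[^\]]+)\] Ban (?P<ip>\S+)$")
FOUND_RE = re.compile(r"^\[(?P<jail>[^\]]+)\] Found (?P<ip>\S+)")
FAIL_RE = re.compile(r"^Failed to execute ban jail '(?P<jail>[^']+)' action '(?P<action>[^']+)'")
PRIVILEGE_ERRORS = ("Permission denied", "Operation not permitted")


def triage_fail2ban(log_text):
    """Summarise announced-but-unenforced bans and the clients still seen afterwards."""
    pending = {}                          # jail -> ip from the most recent Ban line
    ineffective = []                      # (jail, ip, action) whose action errored
    hits_after_failed_ban = defaultdict(int)
    privilege_error = False
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                      # not a fail2ban log line
        _ts, component, level, msg = m.groups()
        if component == "actions" and level == "NOTICE":
            b = BAN_RE.match(msg)
            if b:
                pending[b["jail"]] = b["ip"]
        elif component == "actions" and level == "ERROR":
            f = FAIL_RE.match(msg)
            if f and f["jail"] in pending:
                ineffective.append((f["jail"], pending.pop(f["jail"]), f["action"]))
        elif component == "utils" and level == "ERROR":
            if any(err in msg for err in PRIVILEGE_ERRORS):
                privilege_error = True    # iptables could not touch netfilter
        elif component == "filter":
            fd = FOUND_RE.match(msg)
            if fd and any(ip == fd["ip"] for _, ip, _ in ineffective):
                hits_after_failed_ban[fd["ip"]] += 1
    return {
        "ineffective_bans": ineffective,
        "hits_after_failed_ban": dict(hits_after_failed_ban),
        "likely_missing_net_admin": privilege_error and bool(ineffective),
    }


if __name__ == "__main__":
    for name, log in (("SAMPLE_LOG", SAMPLE_LOG), ("HEALTHY_LOG", HEALTHY_LOG)):
        print(name, triage_fail2ban(log))
```

The point of the `hits_after_failed_ban` counter is that fail2ban's own `already banned` notice is not proof of anything: it only means the ticket exists in fail2ban's database, not that a firewall rule exists. Counting filter hits after a failed ban action is the check that tells you the ban is decorative, which is exactly what the poster observed by retrying from the phone.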
Posted (edited)

Added --cap-add=NET_ADMIN to extra parameters.

Found it somewhere in a forum; apparently it should be mentioned somewhere that you need this but I could not find it.

 

Can someone link me something that explains what this does exactly? (or tell me of course) I want to understand what I just did and why I missed it..

Edited by Bleak

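To answer the "what did I just do" part concretely: `--cap-add=NET_ADMIN` adds one Linux capability, CAP_NET_ADMIN (bit 12), to the processes inside the container, and that capability is what iptables needs to modify netfilter tables; without it even root inside the container gets the misleading "Permission denied (you must be root)" seen in the log above. The kernel exposes each process's effective capability set as a hex mask on the `CapEff:` line of `/proc/<pid>/status`, so it can be checked directly. Here is an added example (not code from the thread or the linuxserver.io project) that decodes such a mask. The two status snippets are constructed; the first mask is, to my knowledge, what a default Docker container shows, and the second is the same mask with bit 12 set. Function names are chosen here.

```python
"""Decode a CapEff mask from /proc/<pid>/status and check for CAP_NET_ADMIN.

Added example, not from the thread or the linuxserver.io project. The two
status snippets are constructed: DEFAULT_STATUS carries the effective-capability
mask a default Docker container shows (from memory, not from the page) and
NET_ADMIN_STATUS is the same mask after `--cap-add=NET_ADMIN`.
"""
import os
import re

# Bit numbers follow linux/capability.h: the list index is the capability bit
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Constructed /proc/<pid>/status excerpts (only the lines that matter here)
DEFAULT_STATUS = "Name:\tfail2ban-server\nCapEff:\t00000000a80425fb\n"
NET_ADMIN_STATUS = "Name:\tfail2ban-server\nCapEff:\t00000000a80435fb\n"

CAP_EFF_RE = re.compile(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def parse_cap_eff(status_text):
    """Return the effective capability set as an integer bitmask."""
    m = CAP_EFF_RE.search(status_text)
    if not m:
        raise ValueError("no CapEff line in status text")
    return int(m.group(1), 16)


def has_capability(mask, name):
    """True when the named capability's bit is set in the mask."""
    return bool((mask >> CAP_BIT[name]) & 1)


def decode_capabilities(mask):
    """Names of all set bits, in bit order (unknown high bits are ignored)."""
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]


def added_capabilities(base_mask, new_mask):
    """Capabilities present in new_mask but not in base_mask, in bit order."""
    return decode_capabilities(new_mask & ~base_mask)


def read_process_cap_eff(path="/proc/self/status"):
    """Read the live mask on Linux; returns None where procfs is unavailable."""
    if not os.path.exists(path):
        return None
    with open(path, encoding="utf-8") as fh:
        return parse_cap_eff(fh.read())


if __name__ == "__main__":
    base = parse_cap_eff(DEFAULT_STATUS)
    new = parse_cap_eff(NET_ADMIN_STATUS)
    print("default container set:", decode_capabilities(base))
    print("added by --cap-add=NET_ADMIN:", added_capabilities(base, new))
    live = read_process_cap_eff()
    if live is not None:
        print("this process has CAP_NET_ADMIN:", has_capability(live, "CAP_NET_ADMIN"))
```

Run inside the container (for example via `docker exec`) the last lines show whether the running fail2ban actually holds the capability, which is a more direct check than waiting for the next ban to fail. CAP_NET_ADMIN is a broad capability (interface and routing configuration as well as netfilter), so it is worth granting only to containers that need to manage firewall rules, which is the reason the image documents it as a requirement rather than enabling it silently.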
49 minutes ago, Bleak said:

Added --cap-add=NET_ADMIN to extra parameters.

Found it somewhere in a forum; apparently it should be mentioned somewhere that you need this but I could not find it.

Perhaps you should read the readme linked in the first post

Posted (edited)
10 minutes ago, aptalca said:

Perhaps you should read the readme linked in the first post

[attached screenshot of the readme]

 

I swear I've searched this whole thing 10 times no clue how I missed this...

 

Thanks anyway sorry for missing this..

Edited by Bleak


Hi all, anyone know if the letsencrypt container supports the mail directive? Am trying to use it to proxy IMAP and SMTP. Many thanks.

1 hour ago, Marshalleq said:

Hi all, anyone know if the letsencrypt container supports the mail directive? Am trying to use it to proxy IMAP and SMTP. Many thanks.

I believe there is sendmail in there


Hi,

 

Posting here because I think I am having an issue with my reverse proxy rather than Nextcloud itself. Original post is here (getting a 502 Bad Gateway error). Any help would be appreciated.

 

 
