[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



On 5/8/2020 at 11:11 AM, saarg said:

2. That means you have an error in the file mentioned on line 19.

So I tried to go to the specified file.

First, instead of this file path, which is specified in the error message:


nginx: [emerg] invalid URL prefix in /config/nginx/site-confs/default:19

I find the "default" file under config/appdata/nginx/nginx/site-confs

 

Then, when I go to line 19 of this file, it's a blank line:


 

Also, isn't it weird that this file specifies ports 80 and 443 when I actually set up different ports in the template? And yet I'm still getting the "Server ready" message?

 

I'm confused as to what I should do to solve this issue.

Edited by CiaoCiao
Link to post

3 hours ago, CiaoCiao said:

So I tried to go to the specified file.

First, instead of this file path, which is specified in the error message:

I find the "default" file under config/appdata/nginx/nginx/site-confs

 

Then, when I go to line 19 of this file, it's a blank line:


 

Also, isn't it weird that this file specifies ports 80 and 443 when I actually set up different ports in the template? And yet I'm still getting the "Server ready" message?

 

I'm confused as to what I should do to solve this issue.

 

It seems you are a little confused about how docker works. The path you see in the log is the path inside the container, not on unraid. The container doesn't know which path on unraid you set in the template.

It's the same with the ports. Port 80 and 443 are the ports used inside the container. Which ports you mapped those ports to on the unraid side is irrelevant for the container.

 

At the top of this file there is a date. If it's not the one below, you should delete the file and restart the container to get the newest. If you have made any changes to the file, you would have to redo them.

 

## Version 2020/03/05 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

Link to post
1 hour ago, saarg said:

 

It seems you are a little confused about how docker works. The path you see in the log is the path inside the container, not on unraid. The container doesn't know which path on unraid you set in the template.

It's the same with the ports. Port 80 and 443 are the ports used inside the container. Which ports you mapped those ports to on the unraid side is irrelevant for the container.

 

At the top of this file there is a date. If it's not the one below, you should delete the file and restart the container to get the newest. If you have made any changes to the file, you would have to redo them.

 

## Version 2020/03/05 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

 

Well I must admit I was terribly confused. Thank you very very much for explaining this to me.

 

So I actually was so confused I was messing with the "default" config file from the Nginx container I used previously to troubleshoot the port forwarding of my router... instead of the "default" config file of letsencrypt! lol

 

So now I have found the right one and here is what the content of the right "default" config file looks like:

server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;
 
    server_name domainname.net;
 
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'manymanythings here';
    ssl_prefer_server_ciphers on;
 
    client_max_body_size 0;
 
    location / {
        include /config/nginx/proxy.conf;
        proxy_pass 192.168.0.16:444;
    }
   
    location ~ /netdata/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend/$ndpath$is_args$args;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}

So line 19 reads:

proxy_pass 192.168.0.16:444;

Out of curiosity I tried forwarding the port 444 to my Unraid server but the error line 19 in the "Default" config file did not go away from the logs and keeps repeating after "Server ready".

Edited by CiaoCiao
removed domain name
Link to post
48 minutes ago, CiaoCiao said:

 

Well I must admit I was terribly confused. Thank you very very much for explaining this to me.

 

So I actually was so confused I was messing with the "default" config file from the Nginx container I used previously to troubleshoot the port forwarding of my router... instead of the "default" config file of letsencrypt! lol

 

So now I have found the right one and here is what the content of the right "default" config file looks like:


server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;
 
    server_name  ;
 
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
 
    client_max_body_size 0;
 
    location / {
        include /config/nginx/proxy.conf;
        proxy_pass 192.168.0.16:444;
    }
   
    location ~ /netdata/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend/$ndpath$is_args$args;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}

So line 19 reads:


proxy_pass 192.168.0.16:444;

Out of curiosity I tried forwarding the port 444 to my Unraid server but the error line 19 in the "Default" config file did not go away from the logs and keeps repeating after "Server ready".

You do not have http:// in the proxy_pass.

 

Also, remove the domain name from your post 😉

Link to post
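The missing "http://" that saarg points out is exactly what nginx reports as "invalid URL prefix" when it parses the site config at startup, and the container keeps retrying because nginx refuses to load that file. As an added example (written for this thread, not code from the linuxserver project), the following POSIX shell script scans a site-confs directory for proxy_pass targets that have no scheme, ignoring commented-out lines and accepting variable-based schemes such as "$upstream_proto://". The directory path and the two sample config files are constructed inside the script; point it at your own appdata path (for example /mnt/user/appdata/swag/nginx/site-confs, an assumed location) to check real files before restarting the container.

```shell
#!/bin/sh
# Added example: lint nginx site-confs for proxy_pass directives without a URL
# scheme. Not part of the thread or the linuxserver/swag project.

# Report every active (non-commented) proxy_pass whose target does not start
# with http://, https:// or a variable-based scheme like $upstream_proto://.
# Returns 1 if any offending line was found, 0 otherwise.
lint_proxy_pass() {
    dir="$1"
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # First grep: proxy_pass lines that are not comments (line may begin
        # with whitespace, never with '#'). Second grep: drop the ones that
        # carry a scheme. '|| true' keeps an empty result from aborting set -e.
        hits=$(grep -nE '^[[:space:]]*proxy_pass[[:space:]]+' "$f" \
               | grep -vE 'proxy_pass[[:space:]]+(https?://|\$[A-Za-z_]+://)' || true)
        if [ -n "$hits" ]; then
            printf '%s: proxy_pass without URL scheme (nginx: "invalid URL prefix")\n' "$f"
            printf '%s\n' "$hits" | sed 's/^/  line /'
            status=1
        fi
    done
    return $status
}

# Constructed sample data: a scratch directory holding two site-confs, one that
# reproduces the mistake from the thread and one written correctly.
# Prints the scratch directory path.
make_sample_confs() {
    base=$(mktemp -d)
    mkdir -p "$base/bad" "$base/good"
    cat > "$base/bad/default" <<'EOF'
server {
    listen 443 ssl default_server;
    location / {
        include /config/nginx/proxy.conf;
        proxy_pass 192.168.0.16:444;
    }
    # proxy_pass 10.0.0.1:8080;   commented out, must be ignored by the linter
}
EOF
    cat > "$base/good/default" <<'EOF'
server {
    listen 443 ssl default_server;
    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.16:444;
    }
    location /app/ {
        set $upstream_proto http;
        proxy_pass $upstream_proto://stash:9999;
    }
}
EOF
    printf '%s\n' "$base"
}

# Usage: sh lint_proxy_pass.sh /path/to/site-confs
# With no argument the script only defines the functions above.
if [ "$#" -gt 0 ]; then
    lint_proxy_pass "$1"
fi
```

The linter only catches the one class of error discussed in this post. After fixing a file, the authoritative check is still nginx's own parser: run "nginx -t" inside the container (for example "docker exec swag nginx -t") before restarting it, and the log will show any remaining directive errors with their line numbers.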
1 hour ago, saarg said:

You do not have http:// in the proxy_pass.

 

Also, remove the domain name from your post 😉

Thank you very much!

 

I tweaked a few things I also had made mistakes on as well and now everything is working fine, I'm just getting the "Server ready" message :)

Link to post

It's me again!

 

So now everything is working fine with the reverse proxy.

 

Yet there is one more thing I would like it to do. I have an Ubuntu VM I would like the reverse proxy to forward the traffic when people access a certain subdomain.

I have allocated the Ubuntu VM a static local IP and I would like to redirect anyone accessing the specific subdomain to this VM's local IP on a certain port.

 

I'm pretty sure this is possible but I have not found how.

Link to post

Hey,

 

I've got this docker setup and running with Organizr as the frontend, it has been working great!

Now I'm developing a .php page that I want to try while coding it. Is there an easy solution to use this docker to serve the .php without messing with the rest of my setup?

 

For now I'd like to just have it served locally

Link to post

I am having the same concern:
Error getting validation data

I have read a few pages of the thread, and cannot seem to gather why this is happening.
Ping urls with no issue
port forwarding is enabled.
firewall to access ports accordingly.

Error
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Error getting validation data


Has there been any fix to allow this container to work?
Would the default config help, I installed this docker fresh, opened my FW wide open to make sure nothing was blocking and not having any success.

Edited by bombz
Link to post
7 hours ago, bombz said:

I am having the same concern:
Error getting validation data

I have read a few pages of the thread, and cannot seem to gather why this is happening.
Ping urls with no issue
port forwarding is enabled.
firewall to access ports accordingly.

Error
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Error getting validation data


Has there been any fix to allow this container to work?
Would the default config help, I installed this docker fresh, opened my FW wide open to make sure nothing was blocking and not having any success.

You can start with this.

https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

Link to post
54 minutes ago, bombz said:

Thank you,
Yes I saw this a few posts back, went over it. Everything seems to be good on that front.
I also followed 'Spaceinvader' video tutorial as well

Follow those steps exactly

Link to post
5 hours ago, gRuNdLeKrEiSt said:

How would I go about using the letsencrypt docker to generate a CSR? I have an SSL Cert available through my DNS provider and I would like to use it. I've been looking on Google and in this topic and have not found any answers.


Link to post
10 hours ago, aptalca said:

Follow those steps exactly

Yes I followed them.
I have also completely removed the docker and the files in appdata to start a fresh install. Have the ports and fw rules set, can ping the domain successfully, I can hit the domain service on the direct port with a port forward rule directly to the service.
I have rebooted modem and gateway etc.

can't seem to get the docker app to talk
Still have:

http-01 challenge for domainnamehere
Cleaning up challenges
Some challenges have failed
Domain: domiannamehere
Type: connection
Detail: Fetching
http://domainnamehere/.well-known/acme-challenge/long string of data (I do not see this folder anywhere under the letsencrypt folder via SSH)
Error getting validation data

I have added the default config from letsencrypt/nginx/site-confs/
not sure if this will help
there are also no logs being created on /var/logs/letsencrypt - as stated in the error window


Edited by bombz
Link to post
2 hours ago, bombz said:

Yes I followed them.
I have also completely removed the docker and the files in appdata to start a fresh install. Have the ports and fw rules set, can ping the domain successfully, I can hit the domain service on the direct port with a port forward rule directly to the service.
I have rebooted modem and gateway etc.

can't seem to get the docker app to talk
Still have:

http-01 challenge for domainnamehere
Cleaning up challenges
Some challenges have failed
Domain: domiannamehere
Type: connection
Detail: Fetching
http://domainnamehere/.well-known/acme-challenge/long string of data (I do not see this folder anywhere under the letsencrypt folder via SSH)
Error getting validation data

I have added the default config from letsencrypt/nginx/site-confs/
not sure if this will help
there are also no logs being created on /var/logs/letsencrypt - as stated in the error window


Did you set up nginx with the same port mappings as letsencrypt and can see the welcome page when you connect to your domain on http port 80 via cell phone with wifi disabled?

Link to post
34 minutes ago, aptalca said:

Did you set up nginx with the same port mappings as letsencrypt and can see the welcome page when you connect to your domain on http port 80 via cell phone with wifi disabled?

I have setup port forwarding for 80 and 443 -> custom port for letsencrypt
letsencrypt is using a different network 'proxy'

Perhaps I am confused and not understanding as I am learning this.
Following the video guide nginx was not referenced.
reading the troubleshooting guide I was reading about nginx and thought letsencrypt handled what nginx did or does.
nginx container needs to run alongside letsencrypt?
I will feel terrible if that's the case this is new to me.

Also I have been fiddling with letsencrypt restarts too many times that I am now at a standstill as I have received from letsencrypt "too many failed authorizations recently"


as far as I know I am required to wait up to 1 week before I can try again 😞
 


binhex nginx is installed
80 > 8080
443 > 8443
Cannot hit nginx from outside the network

Edited by bombz
Link to post

Hey team!

 

Wondering if anyone might have an advice on how to fix my proxy config for the stash app.

 

I followed some of the other conf files as examples when creating it:

# make sure that your dns has a cname set for stash

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name stash.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app stash;
        set $upstream_port 9999;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}


It works for the most part with a very small exception, when I access the app through the reverse proxy I get these errors in the logs:

 

Wondering if anyone might have advice on how I can alter my conf file to support the calls being blocked there.

 

Thanks!

Link to post
12 hours ago, aptalca said:

That's imap proxy, completely different.

 

But in any case, nginx is already compiled with mail in our image

Thanks - yeah, in my original it says IMAP - but I recognise it's easy to overlook, you have a huge job responding to all these requests!  Many thanks for the info, will check it out!

 

Marshalleq

Edited by Marshalleq
Link to post

I'm following the SpaceInvaderOne video on setting up a Reverse Proxy with LetsEncrypt and I've run into a permissions issue.

At around 20:00 in the video, he's editing the configuration files in the appdata/letsencrypt/nginx/proxy-confs folder. He saves the file directly into the proxy-confs folder, but I'm unable to do that. I get "Destination Folder Access Denied. You need permission to perform this action." whenever I try to save a file, or rename a file in that folder. I'm accessing it through Windows Explorer. I do have read/write access to the nginx folder right above this one. I can't figure out how to get permissions to this folder. Has anyone had this issue setting this up? How do I get permissions to this folder?

 

 

Edited by Ccheese4
Link to post
2 hours ago, bombz said:

I have setup port forwarding for 80 and 443 -> custom port for letsencrypt
letsencrypt is using a different network 'proxy'

Perhaps I am confused and not understanding as I am learning this.
Following the video guide nginx was not referenced.
reading the troubleshooting guide I was reading about nginx and thought letsencrypt handled what nginx did or does.
nginx container needs to run alongside letsencrypt?
I will feel terrible if that's the case this is new to me.

Also I have been fiddling with letsencrypt restarts too many times that I am now at a standstill as I have received from letsencrypt "too many failed authorizations recently"


as far as I know I am required to wait up to 1 week before I can try again 😞
 


binhex nginx is installed
80 > 8080
443 > 8443
Cannot hit nginx from outside the network

Smh. You see the linuxserver version and the binhex version side by side in your screenshot and you still select the binhex version. Why? Not that there is anything wrong with that version, but I'm asking you to follow the simple steps outlined in the troubleshooting article. We put a lot of time into it and it gets frustrating when users still don't follow them even when we spell them out step by step.

 

The whole point of the troubleshooting article is so you can make sure that your ports are properly mapped and forwarded and that the container is accessible from the internet. Only then, you should try to set up letsencrypt. Otherwise there are too many reasons why it can fail and as you experienced, if it fails a bunch of times, you're throttled.

 

So read the directions carefully. 

Link to post
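The point aptalca makes here, and the one the linked troubleshooting article is built around, is that the http-01 challenge can only succeed if a request to http://yourdomain/.well-known/acme-challenge/<token> from the internet lands on this container's webroot; bombz's earlier screenshot shows port 80 forwarded to a different nginx, which is why the CA reported "Error getting validation data" and the failed attempts eventually hit the rate limit. As an added example (written for this thread, not code from the linuxserver project), the following POSIX shell script does the same round trip the CA does, without spending an attempt against Let's Encrypt: it drops a throwaway token into the webroot, fetches it through the public hostname with curl, and compares the two. The host path of the webroot (WEBROOT) is an assumption you should adjust to your own appdata location; the fetcher is a parameter so the check can be exercised offline with a fake one.

```shell
#!/bin/sh
# Added example: self-check that port 80 on the public hostname really reaches
# the SWAG/letsencrypt webroot before asking the CA to validate. Not part of the
# thread or the linuxserver/swag project.

# Assumed host-side path of the container's /config/www; override via env.
WEBROOT="${WEBROOT:-/mnt/user/appdata/swag/www}"

# Build the URL the CA requests for a given domain and token.
acme_challenge_url() {
    printf 'http://%s/.well-known/acme-challenge/%s\n' "$1" "$2"
}

# Default fetcher: body of a plain HTTP GET; prints nothing on any failure.
curl_fetch() {
    curl -fsS --max-time 10 "$1" 2>/dev/null || true
}

# Write a token file into the webroot, fetch it through the domain with the
# given fetcher (default curl_fetch), and compare. Returns 0 only when the body
# that comes back is exactly the token. The token file is always removed.
check_http01() {
    domain="$1"; webroot="$2"; fetch="${3:-curl_fetch}"
    dir="$webroot/.well-known/acme-challenge"
    token="selfcheck-$$-$(date +%s)"
    mkdir -p "$dir"
    printf '%s' "$token" > "$dir/$token"
    body=$("$fetch" "$(acme_challenge_url "$domain" "$token")")
    rm -f "$dir/$token"
    if [ "$body" = "$token" ]; then
        echo "OK: port 80 of $domain serves this webroot; http-01 can succeed"
        return 0
    fi
    echo "FAIL: expected the token back, got: ${body:-<nothing>}" >&2
    echo "      port 80 is not reaching this container (another web server," >&2
    echo "      a router page, or no forward at all). Fix the mapping first." >&2
    return 1
}

# Usage: WEBROOT=/mnt/user/appdata/swag/www sh http01_check.sh yourdomain.example
# Run it from outside your LAN's perspective if your router does not support
# NAT loopback. With no argument the script only defines the functions above.
if [ "$#" -ge 1 ]; then
    check_http01 "$1" "$WEBROOT"
fi
```

A body that comes back as an HTML welcome page instead of the token is the signature of the situation in this thread: something else is answering on port 80. Only once this check prints OK is it worth restarting the container to trigger a real validation, which avoids burning attempts against the CA's rate limit.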
12 minutes ago, Ccheese4 said:

I'm following the SpaceInvaderOne video on setting up a Reverse Proxy with LetsEncrypt and I've run into a permissions issue.

At around 20:00 in the video, he's editing the configuration files in the appdata/letsencrypt/nginx/proxy-confs folder. He saves the file directly into the proxy-confs folder, but I'm unable to do that. I get "Destination Folder Access Denied. You need permission to perform this action." whenever I try to save a file, or rename a file in that folder. I'm accessing it through Windows Explorer. I do have read/write access to the nginx folder right above this one. I can't figure out how to get permissions to this folder. Has anyone had this issue setting this up? How do I get permissions to this folder?

 

 

I recommend unraid console for those operations. Simple "cp sourcefilename targetfilename" will do what you want. And use "nano filename" to edit files

Link to post
1 hour ago, Marshalleq said:

Thanks - yeah, in my original it says IMAP - but I recognise it's easy to overlook, you have a huge job responding to all these requests!  Many thanks for the info, will check it out!

 

Marshalleq

Oh yeah I did overlook on mobile 😄

 

I thought you were trying to send emails from within the container.

 

That's exactly what you want for proxy. The nginx.conf I believe has a very basic sample in there which you can enable and modify: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/nginx.conf#L85

Edited by aptalca
Link to post
