[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



48 minutes ago, CiaoCiao said:

 

Well I must admit I was terribly confused. Thank you very very much for explaining this to me.

 

So I actually was so confused I was messing with the "default" config file from the Nginx container I used previously to troubleshoot the port forwarding of my router... instead of the "default" config file of letsencrypt! lol

 

So now I have found the right one and here is what the content of the right "default" config file looks like:


server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
    index index.html index.htm index.php;
 
    server_name  ;
 
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;
 
    client_max_body_size 0;
 
    location / {
        include /config/nginx/proxy.conf;
        proxy_pass 192.168.0.16:444;
    }
   
    location ~ /netdata/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://backend/$ndpath$is_args$args;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
    }
}

So line 19 reads:


proxy_pass 192.168.0.16:444;

Out of curiosity I tried forwarding port 444 to my Unraid server, but the error about line 19 of the "default" config file did not go away from the logs and keeps repeating after "Server ready".

You do not have http:// in the proxy_pass.

 

Also, remove the domain name from your post 😉

Link to comment
1 hour ago, saarg said:

You do not have http:// in the proxy_pass.

 

Also, remove the domain name from your post 😉

Thank you very much!

 

I tweaked a few things I also had made mistakes on as well and now everything is working fine, I'm just getting the "Server ready" message :)

Link to comment

It's me again!

 

So now everything is working fine with the reverse proxy.

 

Yet there is one more thing I would like it to do. I have an Ubuntu VM I would like the reverse proxy to forward the traffic when people access a certain subdomain.

I have allocated the Ubuntu VM a static local IP and I would like to redirect anyone accessing the specific subdomain to this VM's local IP on a certain port.

 

I'm pretty sure this is possible but I have not found how.

Link to comment
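A proxy conf for that case, written as an added example in the same layout as the stash conf posted later in this thread (it is not from the thread or from the linuxserver project); the subdomain `vm.*`, the VM address `192.168.0.50` and the port `8080` are placeholders to replace with your own values.

```nginx
# Added example (not from the thread or linuxserver): proxy a subdomain to a VM on the LAN.
# Save as /config/nginx/proxy-confs/vm.subdomain.conf; the subdomain needs a DNS record
# (CNAME or A) pointing at the SWAG/letsencrypt host, exactly like the other proxy confs.

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # placeholder: matches vm.yourdomain.tld
    server_name vm.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        # enable the next two lines for http auth if the VM service has no login of its own
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        include /config/nginx/proxy.conf;

        # the upstream is a plain LAN IP, not a container name, so the docker
        # resolver line used in the stash conf is not needed here
        set $upstream_app 192.168.0.50;   # placeholder: the VM's static LAN IP
        set $upstream_port 8080;          # placeholder: the port the service listens on
        set $upstream_proto http;         # the scheme is mandatory: a bare "192.168.0.50:8080"
                                          # is the same mistake as the proxy_pass on line 19 above
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

Restart the container (or reload nginx inside it) so the new site conf is picked up; the VM itself stays reachable only on the LAN, and only port 443 on the proxy is exposed.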

Hey,

 

I've got this docker setup and running with Organizr as the frontend, it has been working great!

Now I'm developing a .php page that I want to try while coding it. Is there an easy solution to use this docker to serve the .php without messing with the rest of my setup?

 

For now I'd like to just have it served locally

Link to comment

I am having the same concern:
Error getting validation data

I have read a few pages of the thread, and cannot seem to gather why this is happening.
Ping urls with no issue
port forwarding is enabled.
firewall to access ports accordingly.

Error
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Error getting validation data


Has there been any fix to allow this container to work?
Would the default config help, I installed this docker fresh, opened my FW wide open to make sure nothing was blocking and not having any success.

Edited by bombz
Link to comment
7 hours ago, bombz said:

I am having the same concern:
Error getting validation data

I have read a few pages of the thread, and cannot seem to gather why this is happening.
Ping urls with no issue
port forwarding is enabled.
firewall to access ports accordingly.

Error
Waiting for verification...
Challenge failed for domain
http-01 challenge for
Error getting validation data


Has there been any fix to allow this container to work?
Would the default config help, I installed this docker fresh, opened my FW wide open to make sure nothing was blocking and not having any success.

You can start with this.

https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

Link to comment
5 hours ago, gRuNdLeKrEiSt said:

How would I go about using the letsencrypt docker to generate a CSR? I have an SSL Cert available through my DNS provider and I would like to use it. I've been looking on Google and in this topic and have not found any answers.


Link to comment
10 hours ago, aptalca said:

Follow those steps exactly

Yes I followed them.
I have also completely removed the docker and the files in appdata to start a fresh install. Have the ports and fw rules set, can ping the domain successfully, I can hit the domain service on the direct port with a port forward rule directly to the service.
I have rebooted modem and gateway etc.

can't seem to get the docker app to talk
Still have:

http-01 challenge for domainnamehere
Cleaning up challenges
Some challenges have failed
Domain: domainnamehere
Type: connection
Detail: Fetching
http://domainnamehere/.well-known/acme-challenge/long string of data (I do not see this folder anywhere under the letsencrypt folder via SSH)
Error getting validation data

I have added the default config from letsencrypt/nginx/site-confs/
not sure if this will help
there are also no logs being created on /var/logs/letsencrypt - as stated in the error window


Edited by bombz
Link to comment
2 hours ago, bombz said:

Yes I followed them.
I have also completely removed the docker and the files in appdata to start a fresh install. Have the ports and fw rules set, can ping the domain successfully, I can hit the domain service on the direct port with a port forward rule directly to the service.
I have rebooted modem and gateway etc.

can't seem to get the docker app to talk
Still have:

http-01 challenge for domainnamehere
Cleaning up challenges
Some challenges have failed
Domain: domainnamehere
Type: connection
Detail: Fetching
http://domainnamehere/.well-known/acme-challenge/long string of data (I do not see this folder anywhere under the letsencrypt folder via SSH)
Error getting validation data

I have added the default config from letsencrypt/nginx/site-confs/
not sure if this will help
there are also no logs being created on /var/logs/letsencrypt - as stated in the error window


Did you set up nginx with the same port mappings as letsencrypt and can see the welcome page when you connect to your domain on http port 80 via cell phone with wifi disabled?

Link to comment
34 minutes ago, aptalca said:

Did you set up nginx with the same port mappings as letsencrypt and can see the welcome page when you connect to your domain on http port 80 via cell phone with wifi disabled?

I have setup port forwarding for 80 and 443 -> custom port for letsencrypt
letsencrypt is using a different network 'proxy'

Perhaps I am confused and not understanding as I am learning this.
Following the video guide nginx was not referenced.
reading the troubleshooting guide I was reading about nginx and thought letsencrypt handled what nginx did or does.
nginx container needs to run alongside letsencrypt?
I will feel terrible if that's the case this is new to me.

Also I have been fiddling with letsencrypt restarts too many times that I am now at a standstill, as I have received from letsencrypt "too many failed authorizations recently"


as far as I know I am required to wait up to 1 week before I can try again 😞
 

(screenshot of the Docker containers list omitted)

binhex nginx is installed
80 > 8080
443 > 8443
Cannot hit nginx from outside the network

Edited by bombz
Link to comment

Hey team!

 

Wondering if anyone might have any advice on how to fix my proxy config for the stash app.

 

I followed some of the other conf files as examples when creating it:

# make sure that your dns has a cname set for stash

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name stash.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app stash;
        set $upstream_port 9999;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}


It works for the most part with a very small exception: when I access the app through the reverse proxy I get these errors in the logs:
(screenshot of the log errors omitted)

 

Wondering if anyone might have advice on how I can alter my conf file to support the calls being blocked there.

 

Thanks!

Link to comment
12 hours ago, aptalca said:

That's imap proxy, completely different.

 

But in any case, nginx is already compiled with mail in our image

Thanks - yeah, in my original it says Imap, but I recognise it's easy to overlook; you have a huge job responding to all these requests! Many thanks for the info, will check it out!

 

Marshalleq

Edited by Marshalleq
Link to comment

I'm following the SpaceInvaderOne video on setting up a Reverse Proxy with LetsEncrypt and I've run into a permissions issue.

At around 20:00 in the video, he's editing the configuration files in the appdata/letsencrypt/nginx/proxy-confs folder. He saves the file directly into the proxy-confs folder, but I'm unable to do that. I get "Destination Folder Access Denied. You need permission to perform this action." whenever I try to save a file, or rename a file in that folder. I'm accessing it through Windows Explorer. I do have read/write access to the nginx folder right above this one. I can't figure out how to get permissions to this folder. Has anyone had this issue setting this up? How do I get permissions to this folder?

 

 

Edited by Ccheese4
Link to comment
2 hours ago, bombz said:

I have setup port forwarding for 80 and 443 -> custom port for letsencrypt
letsencrypt is using a different network 'proxy'

Perhaps I am confused and not understanding as I am learning this.
Following the video guide nginx was not referenced.
reading the troubleshooting guide I was reading about nginx and thought letsencrypt handled what nginx did or does.
nginx container needs to run alongside letsencrypt?
I will feel terrible if that's the case this is new to me.

Also I have been fiddling with letsencrypt restarts too many times that I am now at a standstill, as I have received from letsencrypt "too many failed authorizations recently"


as far as I know I am required to wait up to 1 week before I can try again 😞
 

(screenshot of the Docker containers list omitted)

binhex nginx is installed
80 > 8080
443 > 8443
Cannot hit nginx from outside the network

Smh. You see the linuxserver version and the binhex version side by side in your screenshot and you still select the binhex version. Why? Not that there is anything wrong with that version, but I'm asking you to follow the simple steps outlined in the troubleshooting article. We put a lot of time into it and it gets frustrating when users still don't follow them even when we spell them out step by step.

 

The whole point of the troubleshooting article is so you can make sure that your ports are properly mapped and forwarded and that the container is accessible from the internet. Only then, you should try to set up letsencrypt. Otherwise there are too many reasons why it can fail and as you experienced, if it fails a bunch of times, you're throttled.

 

So read the directions carefully. 

Link to comment
12 minutes ago, Ccheese4 said:

I'm following the SpaceInvaderOne video on setting up a Reverse Proxy with LetsEncrypt and I've run into a permissions issue.

At around 20:00 in the video, he's editing the configuration files in the appdata/letsencrypt/nginx/proxy-confs folder. He saves the file directly into the proxy-confs folder, but I'm unable to do that. I get "Destination Folder Access Denied. You need permission to perform this action." whenever I try to save a file, or rename a file in that folder. I'm accessing it through Windows Explorer. I do have read/write access to the nginx folder right above this one. I can't figure out how to get permissions to this folder. Has anyone had this issue setting this up? How do I get permissions to this folder?

 

 

I recommend unraid console for those operations. Simple "cp sourcefilename targetfilename" will do what you want. And use "nano filename" to edit files

Link to comment
1 hour ago, Marshalleq said:

Thanks - yeah, in my original it says Imap, but I recognise it's easy to overlook; you have a huge job responding to all these requests! Many thanks for the info, will check it out!

 

Marshalleq

Oh yeah I did overlook on mobile 😄

 

I thought you were trying to send emails from within the container.

 

That's exactly what you want for proxy. The nginx.conf I believe has a very basic sample in there which you can enable and modify: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/nginx.conf#L85

Edited by aptalca
Link to comment
2 hours ago, aptalca said:

Smh. You see the linuxserver version and the binhex version side by side in your screenshot and you still select the binhex version. Why? Not that there is anything wrong with that version, but I'm asking you to follow the simple steps outlined in the troubleshooting article. We put a lot of time into it and it gets frustrating when users still don't follow them even when we spell them out step by step.

 

The whole point of the troubleshooting article is so you can make sure that your ports are properly mapped and forwarded and that the container is accessible from the internet. Only then, you should try to set up letsencrypt. Otherwise there are too many reasons why it can fail and as you experienced, if it fails a bunch of times, you're throttled.

 

So read the directions carefully. 

Thank you for your assistance. 
I attempted the linuxserver version (2015) first and it prompted a server error when I attempted to start it; the binhex one did not.

I can understand the frustration, I knew as soon as I responded the 'smh' was understandable.
Copy that on the troubleshooting steps and outlook. It's been a long few days on this.
Long story short I made some successful progress tonight, but good things came of it.

Continue some more tomorrow.

Link to comment
