[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


I'm trying to use letsencrypt with OpenEats, and for the most part everything works okay, but when I enable http auth it breaks everything. Here is how it is supposed to look. Here is how it looks with http auth enabled. In addition to not displaying the pixelated blue blob called test, it won't let me save recipes or users or do anything permanent. 

 

Any advice would be appreciated. Attached is my .conf file.

openeats.subdomain.conf


On 8/7/2020 at 5:33 AM, casperse said:

I know I am missing some small thing? (Log shows that cert. and all domains are okay and they work for my other dockers?)

I can see that the default path is: "/youtube-dl" and that the subfolder takes that into account

I've been playing around with this for a while now and only had various levels of success... Using what you have now, if you change the line to this:

proxy_pass $upstream_proto://$upstream_app:$upstream_port/youtube-dl;

I can get the page to load, but it doesn't load all the graphics, and I don't know if it would actually work either.

I'm not sure if the problem is that the youtube-dl-server container runs on http and letsencrypt makes everything https. In one configuration I was trying, my nginx error log had a certificate handshake failure because youtube-dl-server had no SSL.

But however nginxproxymanager works, apparently some other guys got a subdomain to work properly.

10 hours ago, hotdog218 said:

I'm trying to use letsencrypt with OpenEats, and for the most part everything works okay, but when I enable http auth it breaks everything. Here is how it is supposed to look. Here is how it looks with http auth enabled. In addition to not displaying the pixelated blue blob called test, it won't let me save recipes or users or do anything permanent. 

 

Any advice would be appreciated. Attached is my .conf file.

openeats.subdomain.conf

How did you configure your .htaccess file?

 

That's likely where your problem is.  You have to allow it to load resources from subfolders (such as css, graphics, etc).

Edited by Energen
4 minutes ago, Energen said:

I've been playing around with this for a while now and only had various levels of success... Using what you have now, if you change the line to this:

proxy_pass $upstream_proto://$upstream_app:$upstream_port/youtube-dl;

I can get the page to load, but it doesn't load all the graphics, and I don't know if it would actually work either.

I'm not sure if the problem is that the youtube-dl-server container runs on http and letsencrypt makes everything https. In one configuration I was trying, my nginx error log had a certificate handshake failure because youtube-dl-server had no SSL.

But however nginxproxymanager works, apparently some other guys got a subdomain to work properly.

Thanks @Energen, much appreciated, I have been trying so many things... (http is not a problem, I have other dockers with subdomains and they work fine!)

Using this and with your added line (didn't make any difference):

I still have to type https://youtube.domain.com/youtube-dl and then it works, but I get a cert. error.

My conf file is now like this:

# make sure that your dns has a cname set for youtube-dl-server and that your youtube-dl-server container is named youtube-dl-server

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name youtube.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app youtube-dl-server;
        set $upstream_port 8080;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
    }

    location ~ (/youtube-dl/)?/socket {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app youtube-dl-server;
        set $upstream_port 8080;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port/youtube-dl;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}

The link you shared is for using another docker?

1 hour ago, casperse said:

I still have to write the https://youtube.domain.com/youtube-dl and then it works but get a cert. error

 

The link you shared is to use another docker?

You do have youtube as a subdomain in the letsencrypt docker, right? That might be the cause of the cert error.

 

And yes, the link is for another docker.  I've never used it but it seems to make nginx proxy confs easier.

4 hours ago, Energen said:

How did you configure your .htaccess file?

 

That's likely where your problem is.  You have to allow it to load resources from subfolders (such as css, graphics, etc).

I configured it based on the support post, and based on my other conf files that were premade by linuxserver that work.

 

Do you have any examples on how I would allow resource loading from subfolders?

3 hours ago, Energen said:

You do have youtube as a subdomain in the letsencrypt docker right?  That might be the cause of the cert error.

 

And yes, the link is for another docker.  I've never used it but it seems to make nginx proxy confs easier.

Yes, youtube. is the subdomain :-)

I get the feeling this is simple if I knew how to substitute the path to https://youtube.domain/youtube-dl

1 hour ago, hotdog218 said:

I configured it based on the support post, and based on my other conf files that were premade by linuxserver that work.

 

Do you have any examples on how I would allow resource loading from subfolders?

Unfortunately I don't. I'm not very familiar with htaccess... only ever used it once for a basic website, way, way long ago.

You may be able to figure something out from anyone else who has had the same problem. I googled ".htaccess load resources" and came up with the resource problem.

You may find some stuff here that's useful, all about the htaccess file... especially the SSI includes section... that might be relevant.

https://www.whoishostingthis.com/resources/htaccess/

And not sure if this is useful at all, https://www.htaccessredirect.net/

8 hours ago, Energen said:

Unfortunately I don't. I'm not very familiar with htaccess... only ever used it once for a basic website, way, way long ago.

You may be able to figure something out from anyone else who has had the same problem. I googled ".htaccess load resources" and came up with the resource problem.

You may find some stuff here that's useful, all about the htaccess file... especially the SSI includes section... that might be relevant.

https://www.whoishostingthis.com/resources/htaccess/

And not sure if this is useful at all, https://www.htaccessredirect.net/

.htaccess is an apache thing. What you need to look into is .htpasswd.

3 hours ago, Stubbs said:

If I wanted to start a new domain alongside my current one, would I have to make another Letsencrypt container? Or is there another way?

 

There is an extra domains variable. No need for another instance.

9 hours ago, aptalca said:

There is an extra domains variable. No need for another instance

[edit] I assume it's as simple as adding a new variable with the key EXTRA_PARAMETERS?

 

How does it work with subdomains? Does it share the same subdomains parameter above? How does the docker container tell which subdomains belong to the first URL, and which ones belong to the extra parameter URL?

 

Also, are there any extra steps needed with Cloudflare DNS?

Edited by Stubbs
9 hours ago, Stubbs said:

[edit] I assume it's as simple as adding a new variable with the key EXTRA_PARAMETERS?

 

How does it work with subdomains? Does it share the same subdomains parameter above? How does the docker container tell which subdomains belong to the first URL, and which ones belong to the extra parameter URL?

 

Also, are there any extra steps needed with Cloudflare DNS?

The readme explains it in detail. It has nothing to do with subdomains. You need to define full URLs (FQDNs) in that variable.

Hiya! I'm having an issue with a subdomain.conf file for my docker 'speedtest'. Since there was no template, I copied one of the more basic ones and modified it to try and get it to work. Unfortunately that endeavor has failed and here I am.

 

speedtest.subdomain.conf - https://codeshare.io/aJXrME

The speedtest docker is the new OpenSpeedTest docker, set up with standard config: on the custom docker network for letsencrypt, WebUI available at :3001. That's why I put 3001 in the subdomain.conf, as I had seen other dockers set similarly in their subdomain.conf files.

Thanks for any and all help!

 

EDIT: I was able to resolve my issue with the following speedtest.subdomain.conf file:

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name speedtest.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app speedtest;
        set $upstream_port 8080;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

 

 

Edited by DeathByDentures
Issue Resolved

I am using the letsencrypt container to run an ssl reverse proxy that is only accessible from within the VPN.  For example, everything is setup as {service-name}.mydomain.net which resolves to a local IP.  Everything (HAAS, unifi controller, most of Unraid Web GUI) seems to be working except for the main syslog in the Unraid Web GUI (it just won't load).  The docker container logs load fine.  My sites file is below.  Does anyone have experience with getting this last bit to work through a reverse proxy?

 

Any help is appreciated.

 

server {
       listen 443 ssl;
       listen [::]:443 ssl;

       server_name tower.mydomain.net;

       # all ssl related config moved to ssl.conf
       #include /config/nginx/ssl.conf;

       location / {
              #proxy_set_header X-Real-IP $remote_addr;
              #proxy_set_header Host $host;
              #proxy_pass https://localip:port/;
              #proxy_set_header Upgrade $http_upgrade;
              #proxy_set_header Connection $connection_upgrade;

              proxy_set_header Host $host;
              proxy_pass https://localIP:port;
              proxy_set_header X-Forwarded-Host $server_name;
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              proxy_set_header X-Forwarded-Ssl on;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection $connection_upgrade;
       }
}

 

6 hours ago, Michael Hacker said:

I am using the letsencrypt container to run an ssl reverse proxy that is only accessible from within the VPN.  For example, everything is setup as {service-name}.mydomain.net which resolves to a local IP.  Everything (HAAS, unifi controller, most of Unraid Web GUI) seems to be working except for the main syslog in the Unraid Web GUI (it just won't load).  The docker container logs load fine.  My sites file is below.  Does anyone have experience with getting this last bit to work through a reverse proxy?

 

Any help is appreciated.

 

 

Issue resolved at this post. Add this to the nginx config for the Unraid proxy server:

proxy_buffering off;

I have set up the letsencrypt docker (soon to be another name, I was reading) with fail2ban.

I got bitwarden running. I added some filters etc.

But when I open a terminal session on the letsencrypt docker and type

iptables -L

I get this error:

iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

and seeing there isn't a sudo.

In the fail2ban log:

2020-08-12 21:14:50,008 fail2ban.utils          [388]: ERROR   147d3985c450 -- exec: iptables -w -N f2b-bitwarden
iptables -w -A f2b-bitwarden -j RETURN
iptables -w -I INPUT -p tcp -j f2b-bitwarden
2020-08-12 21:14:50,008 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: "iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-08-12 21:14:50,008 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-08-12 21:14:50,008 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: "iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-08-12 21:14:50,009 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-08-12 21:14:50,009 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: "iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)"
2020-08-12 21:14:50,009 fail2ban.utils          [388]: ERROR   147d3985c450 -- stderr: 'Perhaps iptables or your kernel needs to be upgraded.'
2020-08-12 21:14:50,009 fail2ban.utils          [388]: ERROR   147d3985c450 -- returned 3
2020-08-12 21:14:50,009 fail2ban.actions        [388]: ERROR   Failed to execute ban jail 'bitwarden' action 'iptables-allports' info 'ActionInfo({'ip': 'ip.ip.ip.ip', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x147d392323a0>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x147d39232a60>})': Error starting action Jail('bitwarden')/iptables-allports: 'Script error'

Edited by KoNeko
added fail2ban log
7 hours ago, KoNeko said:

I have set up the letsencrypt docker (soon to be another name, I was reading) with fail2ban.

I got bitwarden running. I added some filters etc.

But when I open a terminal session on the letsencrypt docker and type

iptables -L

I get this error:

iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

and seeing there isn't a sudo.

In the fail2ban log (posted in full above):

Post your docker run

15 hours ago, aptalca said:

Post your docker run

/usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='letsencrypt' --net='br0' --ip='192.168.1.15' -e TZ="Europe/Berlin" -e HOST_OS="Unraid" -e 'TCP_PORT_80'='' -e 'TCP_PORT_443'='443' -e 'EMAIL'='@gmail.com' -e 'URL'='.nl' -e 'SUBDOMAINS'='www,bitwarden' -e 'ONLY_SUBDOMAINS'='false' -e 'DHLEVEL'='4096' -e 'VALIDATION'='dns' -e 'DNSPLUGIN'='transip' -e 'cap-add'='NET_ADMIN' -e 'PUID'='99' -e 'PGID'='100' -v '/mnt/user/appdata/letsencrypt':'/config':'rw' -v '/mnt/user/appdata/bitwarden/log/':'/log':'rw' 'linuxserver/letsencrypt'

697237b82c1fa9c198a7507d22255f87c991adebc68c08ab615127cfa14e83a2

The command finished successfully!

 

Also when I run

iptables -S

iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

or iptables -L

the passwd file says

abc:x:99:100::/config:/bin/false
nginx:x:100:100:nginx:/var/lib/nginx:/sbin/nologin

for those 2 IDs.

Edited by KoNeko
added
2 hours ago, KoNeko said:

/usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='letsencrypt' --net='br0' --ip='192.168.1.15' -e TZ="Europe/Berlin" -e HOST_OS="Unraid" -e 'TCP_PORT_80'='' -e 'TCP_PORT_443'='443' -e 'EMAIL'='@gmail.com' -e 'URL'='.nl' -e 'SUBDOMAINS'='www,bitwarden' -e 'ONLY_SUBDOMAINS'='false' -e 'DHLEVEL'='4096' -e 'VALIDATION'='dns' -e 'DNSPLUGIN'='transip' -e 'cap-add'='NET_ADMIN' -e 'PUID'='99' -e 'PGID'='100' -v '/mnt/user/appdata/letsencrypt':'/config':'rw' -v '/mnt/user/appdata/bitwarden/log/':'/log':'rw' 'linuxserver/letsencrypt'

697237b82c1fa9c198a7507d22255f87c991adebc68c08ab615127cfa14e83a2

The command finished successfully!

 

Also when I run

iptables -S

iptables v1.8.4 (legacy): can't initialize iptables table `filter': Permission denied (you must be root)
Perhaps iptables or your kernel needs to be upgraded.

or iptables -L

the passwd file says

abc:x:99:100::/config:/bin/false
nginx:x:100:100:nginx:/var/lib/nginx:/sbin/nologin

for those 2 IDs.

I turned on Privileged and it works for the website and bitwarden.

bitwarden only on the login part it still shows the site.

 

 

 

Edited by KoNeko
corrected the text
6 hours ago, KoNeko said:

I turned on Privileged and it works for the website and bitwarden.

bitwarden only on the login part it still shows the site.

 

 

 

That's because cap-add is not an environment variable, so you did not set that correctly. You need to pass it in extra parameters.

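As an added example (not from the thread and not linuxserver.io's own code), here is the least-privilege form of that docker run together with a small audit of what the container was actually granted. Container name, network, IP, PUID/PGID, timezone, DNS plugin and volume paths are taken from the post above; the email, domain and the renamed linuxserver/swag image are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The docker run above passes NET_ADMIN as
# -e 'cap-add'='NET_ADMIN', which only sets an environment variable the container
# never reads, so fail2ban's iptables actions fail with "Permission denied".
# Turning on Privileged fixes the symptom but grants every capability; putting
# --cap-add=NET_ADMIN in the template's "Extra Parameters" field grants only what
# fail2ban needs for its iptables chains.

# Corrected command line. Container name, network, IP, UID/GID, timezone, DNS
# plugin and volume paths come from the post above; email and domain are
# placeholders and the image is the renamed linuxserver/swag.
swag_run_command() {
    printf '%s' "docker run -d --name=letsencrypt --net=br0 --ip=192.168.1.15" \
        " --cap-add=NET_ADMIN" \
        " -e PUID=99 -e PGID=100 -e TZ=Europe/Berlin" \
        " -e EMAIL=admin@example.nl -e URL=example.nl -e SUBDOMAINS=www,bitwarden" \
        " -e VALIDATION=dns -e DNSPLUGIN=transip" \
        " -v /mnt/user/appdata/letsencrypt:/config" \
        " -v /mnt/user/appdata/bitwarden/log:/log" \
        " linuxserver/swag"
}

# Audit what a container was actually granted. $1 is the output of
#   docker inspect --format '{{.HostConfig.Privileged}} {{.HostConfig.CapAdd}}' NAME
# e.g. "false [NET_ADMIN]" (least privilege), "true []" (privileged),
# "false []" (capability missing). Returns 0 only for the first case.
audit_caps() {
    privileged=${1%% *}   # first field: true or false
    capadd=${1#* }        # remainder: the CapAdd list, e.g. [NET_ADMIN]
    if [ "$privileged" = "true" ]; then
        echo "FAIL: container runs privileged; use --cap-add=NET_ADMIN instead"
        return 1
    fi
    case "$capadd" in
        *NET_ADMIN*|*ALL*)
            echo "OK: NET_ADMIN granted without privileged mode"
            return 0 ;;
        *)
            echo "FAIL: NET_ADMIN not granted; fail2ban's iptables actions will fail"
            return 1 ;;
    esac
}

# Live check against a running container (needs docker on the host).
audit_container() {
    audit_caps "$(docker inspect --format \
        '{{.HostConfig.Privileged}} {{.HostConfig.CapAdd}}' "$1")"
}

# The same thing from fail2ban's side: the iptables call its ban action starts
# with must succeed inside the container instead of "you must be root".
check_iptables_in_container() {
    docker exec "$1" iptables -w -L INPUT -n >/dev/null
}
```

Run `audit_container letsencrypt` after recreating the container; a FAIL line means fail2ban will keep logging the "Permission denied" errors shown above.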

I'm having an issue with my subdomains that I've configured. All are accessible outside my network with no issues at all, but I can't seem to connect internally.

I know there must be some setting that I've done incorrectly, but I can't figure it out. Anyone know what might be causing it?

Let me know what logs to provide if needed.

18 minutes ago, xxbigfootxx said:

I'm having an issue with my subdomains that I've configured. All are accessible outside my network with no issues at all, but I can't seem to connect internally.

I know there must be some setting that I've done incorrectly, but I can't figure it out. Anyone know what might be causing it?

Let me know what logs to provide if needed.

It's not your configuration, it's your router. Google your router model along with the search terms NAT loopback, hairpinning, reflection.
