[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)

Hello,

after solving issues with Pydio, I am facing strange things with a WordPress container which should be accessed similarly.

I am using the same conf file as for Pydio/Nextcloud for WordPress.

localhost access is working perfectly.

If I am adding subdomain.myserver.de, browser tools show me an address like this:

subdomain:90

90 is the port I want to forward to, but I cannot figure out why it is not using my proxy_pass http://192.168.100.10:90/; command.

Does anybody have an idea what is wrong, or a working nginx reverse proxy config for a WordPress container?

Many thanks, and I promise, after that my whole server is set up completely :)


Link to comment
2 hours ago, Homer-S said:

After solving issues with Pydio, I am facing strange things with a WordPress container which should be accessed similarly. [...]

Couple of things. Others have been having trouble with Pydio, so if you could post your config that may be helpful for others. Secondly, no way can I work out what the hell is going on with that WordPress container. Got a link to the container you're using?

Link to comment

Here comes my Pydio config:

server {
    listen 443 ssl;
    server_name pydio.dyndns.myserver.com;
    root /config/www;
    index index.html index.htm index.php;

    access_log /config/log/nginx/access_pydio.log;
    error_log /config/log/nginx/error_pydio.log;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;
    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.1.11:84/;
    }
}

Now back to my WordPress issue.

This is the official container from WordPress:

docker run -it -d \
  --name wordpress \
  --restart=always \
  -p 90:80 \
  -e PUID=33 -e PGID=33 \
  -e TZ=Europe/Berlin \
  -v /docker/data/wordpress:/var/www/html  \
  wordpress

It is working with the local IP 192.168.1.11:90.

MariaDB is successfully set up with the WordPress DB.

If I am going to access it via the nginx reverse proxy, I am entering this:

https://subdomain.myserver.de

and after a short time this is displayed in the URL bar:

subdomain:90

and a "server not found" page appears.

This is my WordPress config file:

server {
    listen 443 ssl;
    server_name wordpress.dyndns.myserver.com;
    root /config/www;
    index index.html index.htm index.php;

    access_log /config/log/nginx/access_wordpress.log;
    error_log /config/log/nginx/error_wordpress.log;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;
    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.1.11:90/;
    }
}

Link to comment
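A reverse-proxy server block for the WordPress container, added here as a worked example; it is not Homer-S's file and not something the linuxserver container ships. The upstream address 192.168.1.11:90, the log paths and the name wordpress.dyndns.myserver.com are taken from the post above; everything else is an assumption. The point it demonstrates is the Host header: with a bare proxy_pass, nginx sends "Host: 192.168.1.11:90" (the proxy_pass address) to the container, and WordPress and the Apache inside it build every absolute URL and redirect from whatever they see in Host, over plain http. Forwarding the public name and the original scheme fixes the nginx side; WordPress itself also needs its home/site URL set to the public https:// name (the WP_HOME and WP_SITEURL constants in wp-config.php, or Settings > General) and needs to treat an X-Forwarded-Proto: https request as HTTPS, otherwise it can still send an https:// visitor back to http://.

```nginx
# Added example for this thread; not Homer-S's file and not shipped by the
# container. Upstream, log paths and server_name come from the post above;
# the rest is assumed. Keep your own ssl_ciphers line where marked.
server {
    listen 443 ssl;
    server_name wordpress.dyndns.myserver.com;

    access_log /config/log/nginx/access_wordpress.log;
    error_log /config/log/nginx/error_wordpress.log;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    # ssl_ciphers '...';   # your existing cipher list goes here
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    # Sent for every location below because no location adds headers of its
    # own (a location with its own add_header would stop inheriting this one).
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.1.11:90;

        # By default nginx sends "Host: 192.168.1.11:90" (the proxy_pass
        # address) to the container, and WordPress/Apache build every absolute
        # URL and redirect from what they see in Host. Pass the public name.
        proxy_set_header Host $host;

        # Real client address for WordPress logs and any IP-based plugin.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # The hop to the container is plain HTTP; tell WordPress the client
        # used TLS so it does not redirect back to http:// (see the note on
        # wp-config.php below).
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

On the WordPress side, the usual companion (assumed names, using the public name from the post) is `define('WP_HOME', 'https://wordpress.dyndns.myserver.com'); define('WP_SITEURL', 'https://wordpress.dyndns.myserver.com');` plus `if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') { $_SERVER['HTTPS'] = 'on'; }` near the top of wp-config.php. Because that snippet trusts X-Forwarded-Proto and X-Forwarded-For as-is, the container's published port 90 should only be reachable by the proxy, not by every host on the LAN or from the internet.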

Hi!

I'm trying to use this nice container but it kills itself because of an error right after start:

Failed authorization procedure. xxx.4irc.com (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 

Does anyone have a tip for me?

I've entered "4irc.com" in the domain field of the template and xxx into the subdomain field. I've also set only subdomains to true.

Thx!

b0mb

Link to comment

I was hoping it wasn't that simple and should have done some more checking before I posted and went to bed lol. 4irc.com is just a dynamic dns service? If that is the case I believe you would use xxx.4irc.com as the domain with no sub domain for it?

Link to comment
2 hours ago, Malykai said:

I was hoping it wasn't that simple and should have done some more checking before I posted and went to bed lol. 4irc.com is just a dynamic dns service? If that is the case I believe you would use xxx.4irc.com as the domain with no sub domain for it?

Got it working now :)

Port 443 was in use for the remote service of my router... changed the port now and forwarded 443 to the unraid server ;)

Link to comment
1 hour ago, CHBMB said:

Remote access of a router should be banished in my opinion.  One of the parts of my network I'll never expose to any form of remote admin....

Keys to the kingdom. The router is the only thing keeping the baddies out, yet tends to be one of the least maintained pieces of equipment. I've migrated to pfsense, at least I can be reasonably sure it's being updated in a timely fashion, unlike netgear, linksys, etc.

Link to comment

Hello,

another question (not related to reverse proxying :)

I received an email from letsencrypt that my main URI will expire within 9 days.

I then exec into the letsencrypt container with bash /app/le-renew.sh by hand and it tells me:

The following certs are not due for renewal yet: /path/path/path/fullchain.pem

The option subdomain only is set to false.

Do you have any idea?

Link to comment
Quote

I received an email from letsencrypt that my main URI will expire within 9 days. [...] The following certs are not due for renewal yet: /path/path/path/fullchain.pem

The email is for a cert that is no longer used.

You likely reinstalled this container and deleted the old appdata without revoking the old certs.

Nothing to worry about. Letsencrypt lets you get multiple certs for the same domain without revoking the old ones (albeit with limits on number and frequency)
Link to comment
On 4/18/2017 at 5:57 PM, heytcass said:

Hey guys,

I've been banging my head against the wall trying to get this going. But I'm having a bear of a time.

I checked in the logs and found a couple of errors:

certbot: error: argument --cert-path: No such file or directory

and

Detail: Failed to connect to 192.64.119.116:443 for tls-sni-01

I have ports 443 and 80 passed to 81 on my unRAID box, so that shouldn't be an issue. Is there a way to test that those are going through fine?

Any thoughts?

Thanks in advance.

I have this same issue and have not been able to figure out how to fix it.

Link to comment
12 hours ago, CHBMB said:

Or DNS is not correct.

Dang it - you are right. I just checked my alias in the firewall and I typo'd the IP address; now it shows up and running. Thx.

Edited by StanC
Link to comment

FOUND MY FIX!

It was an issue of not knowing NGINX very well, and I've learned a lot more. The correct usage should be:

server {
    listen 443 ssl;

    server_name shaarli.domain.com;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers xxxxxxxxxxxxxx;
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.1.1:8383;
        add_header X-Frame-Options "ALLOW-FROM https://domain.com/";
    }
}

-----------------------------------------------(Original Post)-----------------------------

OK - so I'm not sure if I have a letsencrypt issue or if I'm just unsure of how to make nginx work. I've been working with a new docker called Shaarli, which is interesting, but Shaarli's Chrome extension keeps getting blocked due to X-Frame headers being denied. One of the comments on the Shaarli Chrome plugin noted:

Quote

I had the same issue. Traced the problem to the fact that my Shaarli server (running nginx) had "add x-frame-options DENY" set. I needed to set the nginx settings to not add that header, in order for this chrome extension to load the shaarli interface.

So I ran through what I could on Google and generally failed.

Currently, I've added:

server {
    listen 443 ssl;

    server_name shaarli.domain.com;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'xxxxxxxxxxxxxxxxxx';
    ssl_prefer_server_ciphers on;
    add_header X-Frame-Options SAMEORIGIN;

    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.1.1:8383;
    }
}

However, I've also tried changing that X-Frame-Options to ALLOW-FROM https://domain.com/ and ALLOW-FROM https://shaarli.domain.com/

Both of those options keep generating an error in the docker and don't allow access to the webpage.

First, is my issue with the docker, since it won't start with that "ALLOW-FROM" option? Or do I need to keep learning nginx?

Second, anyone have a good idea?

Thank you!

Edited by noja
Link to comment
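An nginx block for the Shaarli case, added as an example; it is not noja's configuration and not Shaarli's. The host names and the upstream 192.168.1.1:8383 come from the post, the extension id is a placeholder, and the X-Forwarded headers are assumed. Three things about the fix above are worth knowing. An add_header value that contains a space must be quoted; unquoted, nginx reads "https://domain.com/" as a third argument, which add_header only accepts if it is the word "always", so it refuses to start with "invalid parameter", which is the likely reason the container would not come up with the unquoted ALLOW-FROM variants. add_header only appends: if the backend itself sends X-Frame-Options: DENY, that header still reaches the browser unless nginx drops it with proxy_hide_header, which is what the quoted Shaarli comment was really about. And ALLOW-FROM was never implemented by Chrome, which ignores the header entirely when it sees that value, and has since been dropped by Firefox; it therefore grants nothing in current browsers. The supported mechanism is the Content-Security-Policy frame-ancestors directive, which can list a web origin or, for the case here, a browser extension's origin.

```nginx
# Added example for this thread; not noja's config and not Shaarli's.
# Names and upstream come from the post; EXTENSION_ID is a placeholder for the
# real Chrome extension id; the X-Forwarded headers are assumed.
server {
    listen 443 ssl;
    server_name shaarli.domain.com;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    # ssl_ciphers '...';   # your existing cipher list goes here
    ssl_prefer_server_ciphers on;
    client_max_body_size 0;

    location / {
        proxy_pass http://192.168.1.1:8383;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;

        # add_header appends; it does not replace a header the backend already
        # sends. If Shaarli itself emits "X-Frame-Options: DENY", drop it here,
        # otherwise the browser still refuses to frame the page.
        proxy_hide_header X-Frame-Options;

        # A value with a space must be quoted. Unquoted, nginx treats
        # "https://domain.com/" as a third argument and fails to start with
        # "invalid parameter". Chrome ignores ALLOW-FROM (never implemented),
        # so this line only matters for old Firefox/IE; harmless to keep.
        add_header X-Frame-Options "ALLOW-FROM https://domain.com/";

        # The supported replacement. Browsers that understand CSP use this and
        # disregard X-Frame-Options. An extension popup that frames the page
        # has a chrome-extension:// origin, so it must be listed explicitly;
        # anything not listed is refused.
        add_header Content-Security-Policy "frame-ancestors 'self' https://domain.com chrome-extension://EXTENSION_ID";
    }
}
```

Two caveats when adapting this. Headers added inside a location are not merged with those in the server block: the moment a location has an add_header of its own, none of the server-level add_header lines (an HSTS header, for instance) are sent for that location, so repeat them there. And the fix in the post moved from DENY/SAMEORIGIN to a directive Chrome ignores, which in Chrome amounts to allowing any site to frame the Shaarli login; the frame-ancestors list above keeps the restriction while letting the named origins through.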

Hi Guys,

I'm trying to initially power up the docker container but it's giving me this error:

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
WARNING: The standalone specific supported challenges flag is deprecated.

Any ideas?

Link to comment

This looks very promising. I'm completely new to Nginx and reverse proxies. I have a static IP at my ISP and have my own domain name. Can you guys recommend any reading material/guides to learn how to set up a reverse proxy? As I understand it, when I have a static IP a DDNS is obsolete. Currently my domain's DNS is hosted at Cloudflare with only DNS activated. Can someone, if possible, briefly explain or link to an article or guide etc. on what to add to my domain's DNS record (how it works)? I assume DNS A records pointing to my public IP.

Thanks in advance :)

Which DNS would you guys recommend? I'm only using Google for business and reverse proxy through this docker.

As a followup to my original question: every application this docker needs to reverse proxy is hosted in containers on my unraid machine.

Edited by fc0712
Link to comment
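The checks behind several of the exchanges above, added as an example and not taken from the container or from any of the posters: heytcass asked how to test that 80 and 443 really arrive at the box (his log showed the ACME server failing to connect to 192.64.119.116:443, and StanC's copy of the problem turned out to be a mistyped firewall alias), b0mb's failure was the router holding port 443, Homer-S was puzzled by an expiry mail for a certificate no longer in use, and fc0712 asks which DNS record to create. The script resolves the name, compares the answer with the expected public address (one A record pointing at it is what the ACME server will use), probes the two ports, and prints the serial and expiry of the certificate on disk next to the one actually served, so a renewal mail can be matched to a real file. It assumes bash, coreutils timeout, openssl and dig or getent; the domain and address passed to preflight are placeholders. One caveat on the challenge named in those logs: the tls-sni-01 method has since been withdrawn by Let's Encrypt, so a current client validates over port 80 (http-01) or through DNS (dns-01), and with http-01 port 80 must reach the container even if you only ever serve on 443.

```bash
#!/usr/bin/env bash
# Added example for this thread, not part of the linuxserver container.
# Pre-flight checks before (re)starting the letsencrypt container:
#   1. the public name resolves to the address you expect (typo'd alias,
#      stale DDNS), 2. ports 80 and 443 reach this box (router remote admin
#      or another service holding 443), 3. which certificate is really served
#      and when it expires (the renewal-email question).
# Assumptions: bash with /dev/tcp, coreutils timeout, openssl, dig or getent.
set -u

# All IPv4 A records for a name, one per line (dig if available, else getent).
resolve_a() {
  local name=$1
  if command -v dig >/dev/null 2>&1; then
    dig +short A "$name" | grep -E '^[0-9]+(\.[0-9]+){3}$'
  else
    getent ahostsv4 "$name" | awk '{print $1}' | sort -u
  fi
}

# dns_matches EXPECTED RECORD... : succeed only if there is exactly one A
# record and it is the expected public address. No record, a stale one, or a
# second one means the ACME server may validate against a host that is not you.
dns_matches() {
  local expected=$1; shift
  [ "$#" -eq 1 ] && [ "$1" = "$expected" ]
}

# tcp_open HOST PORT : 0 if something accepts a TCP connection within 3 s.
# Uses bash's /dev/tcp so it works where nc/nmap are not installed.
tcp_open() {
  local host=$1 port=$2
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# cert_not_after : reads 'openssl x509 -noout -enddate' output on stdin and
# prints just the date, e.g. "Jun 30 12:00:00 2017 GMT".
cert_not_after() {
  sed -n 's/^notAfter=//p'
}

# served_cert_info NAME : serial and expiry of the certificate presented for
# NAME on port 443 (with SNI), i.e. what the browser and the expiry mail see.
served_cert_info() {
  local name=$1
  openssl s_client -connect "$name:443" -servername "$name" </dev/null 2>/dev/null \
    | openssl x509 -noout -serial -enddate
}

# local_cert_info PEM : serial and expiry of the file nginx is configured with.
local_cert_info() {
  openssl x509 -in "$1" -noout -serial -enddate
}

# preflight DOMAIN EXPECTED_IP [PEM] : run all three checks and report.
preflight() {
  local domain=$1 expected_ip=$2 pem=${3:-/config/keys/letsencrypt/fullchain.pem}
  local records port
  records=$(resolve_a "$domain")
  # $records is deliberately unquoted so each A record becomes one argument.
  if dns_matches "$expected_ip" $records; then
    echo "DNS ok: $domain -> $expected_ip"
  else
    echo "DNS mismatch: $domain -> ${records:-<no A record>} (expected $expected_ip)"
  fi
  for port in 80 443; do
    if tcp_open "$expected_ip" "$port"; then
      echo "port $port reachable on $expected_ip"
    else
      echo "port $port NOT reachable on $expected_ip (forwarding, firewall, or another service on the router?)"
    fi
  done
  echo "on disk: $(local_cert_info "$pem" 2>/dev/null | tr '\n' ' ')"
  echo "served:  $(served_cert_info "$domain" 2>/dev/null | tr '\n' ' ')"
}

# Usage with placeholder values (203.0.113.10 is a documentation address):
#   preflight xxx.4irc.com 203.0.113.10
```

Run it from a host outside your LAN, or at least from one that does not resolve the name via an internal override, since the point is to see what the ACME server sees. If "on disk" and "served" show different serials, nginx is still holding an old file open or is reading a different path than the renewal script writes to; if the serial in the expiry mail matches neither, the mail refers to a certificate you no longer use, which is the situation described above.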
