[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Is anyone able to get reverse proxying working for the Unifi docker? I have this working for other dockers but not for Unifi.

From my LAN, before trying reverse proxying, hitting http://tower:8080 or https://tower:8443 will redirect to https://tower:8443/manage/account/login?redirect=%2Fmanage.

 

When I try the following in my default file, I get a 404 error from Apache Tomcat.

    location ^~ /unifi {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.99:8080;
    }

Same thing when I try

    location ^~ /unifi {
        include /config/nginx/proxy.conf;
        proxy_pass https://192.168.1.99:8443;
    }

I also tried both of the above with trailing slashes after unifi.

 

Any ideas on how to get this working?

 




Base url to root reverse proxy often causes issues. Try the subdomain method.

Or see if there is a way to have unifi use a base url as well
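The subdomain method suggested above, written out as an added example (not from the original posts or from the linuxserver.io templates): a separate server block for the assumed hostname unifi.domain.com that proxies to the controller's HTTPS port 8443 from the question. It assumes the file is placed under /config/nginx/site-confs/ (where this container loads site configs), that unifi is added to the SUBDOMAINS list so the certificate covers it, and that an A record for the name exists.

```nginx
# /config/nginx/site-confs/unifi.conf  (assumed location)
#
# Why the sub-folder attempt fails: the controller expects to live at "/" (note
# its own redirect to /manage/...), so a request for /unifi reaches Tomcat as a
# path it does not serve and Tomcat answers 404. Giving it a hostname of its
# own means every path is forwarded unchanged.
server {
    listen 443 ssl;
    server_name unifi.domain.com;    # assumed name; must be in SUBDOMAINS and in DNS

    # same certificate paths the container writes for the main site config
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    location / {
        include /config/nginx/proxy.conf;

        # the controller speaks HTTPS on 8443 with a self-signed certificate, so
        # upstream verification stays off (nginx's default, stated explicitly);
        # the hop is LAN-only, which is the trust boundary being relied on here
        proxy_pass https://192.168.1.99:8443;
        proxy_ssl_verify off;

        # the controller UI pushes live updates over WebSockets; without the
        # Upgrade/Connection headers the page loads but never refreshes.
        # proxy.conf may already carry these three lines; keep only one copy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```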

What's the subdomain method? I did have to change rutorrent to use a base url of /rutorrent/ rather than the root, but I don't know if that can be changed with the Unifi controller. It doesn't seem to have an nginx.conf file the way that rutorrent did.

26 minutes ago, truetype said:

 

I have a complete working setup today with my domain.com, and I got nextcloud.domain.com.

How do I add another subdomain? Like foobar.domain.com?

 

Can I do this with a certbot command?

 

~TrueType

 

Just edit the template and add it in.

11 minutes ago, truetype said:

 

I tried that but got a lot of errors in the log and the docker shut itself down.

It should work, but seeing as you haven't posted the logs or any screenshots of your setup or the docker run command, can't really help.

5 hours ago, CHBMB said:

It should work, but seeing as you haven't posted the logs or any screenshots of your setup or the docker run command, can't really help.

 

I am sorry, here comes the log for docker.

Notice that every subdomain worked before, until I added home.domain.com. 

 

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.domain.com -d nextcloud.domain.com -d couchpotato.domain.com -d sickbeard.domain.com -d muxi.domain.com -d guacamole.domain.com -d sabnzbd.domain.com -d plexpy.domain.com -d home.domain.com
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
An unexpected error occurred:

The request message was malformed :: Certificate already revoked
Please see the logfiles in /var/log/letsencrypt for more details.
Generating new certificate
WARNING: The standalone specific supported challenges flag is deprecated.

Please use the --preferred-challenges flag instead.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for domain.com
tls-sni-01 challenge for www.domain.com
tls-sni-01 challenge for nextcloud.domain.com
tls-sni-01 challenge for couchpotato.domain.com
tls-sni-01 challenge for sickbeard.domain.com
tls-sni-01 challenge for muxi.domain.com
tls-sni-01 challenge for guacamole.domain.com
tls-sni-01 challenge for sabnzbd.domain.com
tls-sni-01 challenge for plexpy.domain.com
tls-sni-01 challenge for home.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. guacamole.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to XX.XXX.XXX.XXX:443 for tls-sni-01 challenge

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: guacamole.domain.com
Type: connection
Detail: Failed to connect to XX.XXX.XXX.XXX:443 for tls-sni-01

challenge

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 108: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

And after this I try to go back to the template and delete "home" in order to get back to how it was. But then the log looks like this.

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.domain.com -d nextcloud.domain.com -d couchpotato.domain.com -d sickbeard.domain.com -d muxi.domain.com -d guacamole.domain.com -d sabnzbd.domain.com -d plexpy.domain.com
Generating new certificate
WARNING: The standalone specific supported challenges flag is deprecated.

Please use the --preferred-challenges flag instead.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for domain.com
tls-sni-01 challenge for www.domain.com
tls-sni-01 challenge for nextcloud.domain.com
tls-sni-01 challenge for couchpotato.domain.com
tls-sni-01 challenge for sickbeard.domain.com
tls-sni-01 challenge for muxi.domain.com
tls-sni-01 challenge for guacamole.domain.com
tls-sni-01 challenge for sabnzbd.domain.com
tls-sni-01 challenge for plexpy.domain.com
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. plexpy.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to XX.XXX.XXX.XXX:443 for tls-sni-01 challenge

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: plexpy.domain.com
Type: connection
Detail: Failed to connect to XX.XXX.XXX.XXX:443 for tls-sni-01

challenge

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
/var/run/s6/etc/cont-init.d/50-config: line 108: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

In order to get it working as it was before, I have to delete the letsencrypt folder in Appdata and replace it with my backup which I luckily did right before I tried to add home in the template.


Looks to me like your DNS is out of date. A backup will work, as if the certs are valid it won't attempt to recertify. Look at these lines here; they tell you what is wrong.

 

Failed authorization procedure. guacamole.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to XX.XXX.XXX.XXX:443 for tls-sni-01 challenge
Failed authorization procedure. plexpy.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to XX.XXX.XXX.XXX:443 for tls-sni-01 challenge

 

7 minutes ago, CHBMB said:

Looks to me like your DNS is out of date. A backup will work, as if the certs are valid it won't attempt to recertify. Look at these lines here; they tell you what is wrong.

 


Failed authorization procedure. guacamole.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to XX.XXX.XXX.XXX:443 for tls-sni-01 challenge

Failed authorization procedure. plexpy.domain.com (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Failed to connect to XX.XXX.XXX.XXX:443 for tls-sni-01 challenge

 

Ok, but that's really strange, because my other subdomains are all configured the same with A-records at my domain provider, and it gave no errors when I did it for the first time yesterday. You think I should just delete the A-records and re-add them again and see if that solves it?


Hi,

 

I have now installed LetsEncrypt and Nextcloud on my UnRaid installation following the instructions here.

 

I have 2 questions:

 

1) When I connect to "cloud.domain.at" from my internal subnet, the URL is rewritten to "https://cloud.domain.at". If I do the same from public, I get "https://_" in my URL field and an error message "ERR_NAME_NOT_RESOLVED".

 

2) Can I use the same Nextcloud and LetsEncrypt Docker installation with two different domains? I have a private domain and I am also supporting an NGO with a separate domain.

 

Br,

Johannes




1) Post your site config and we'll take a look. Likely you have a faulty url rewrite.

2) letsencrypt will only work with one, but you can use both of them in nginx through creating separate server blocks in the site config

Hi,

 

Here is the Site-Conf:

 

server {
    listen 443 ssl;
    server_name cloud.my-domain.at;

    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie-Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://192.168.1.252:443;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}

192.168.1.252 is the nextcloud docker. This docker is installed with "Host = none" and running on a dedicated IP (like LetsEncrypt as well).

 

Ad 2) "letsencrypt will only work with one, but you can use both of them in nginx through creating separate server blocks in the site config"

What does this mean? I can use the reverse proxy with two domains but not SSL?

 




I believe you need to modify the nextcloud site config to set the external domain.

Letsencrypt in this docker image is set to work with one domain only. You can use two domains with this container as long as you do the cert retrieval and renewal manually for the second domain.
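An added example tied to the two replies above (the "faulty url rewrite" and the "separate server blocks" answer); it is not from the original posts or from the linuxserver.io templates. One likely cause of landing on "https://_" is a catch-all port-80 block that redirects with $server_name, which is literally "_" when server_name is "_"; that is my inference from the symptom, not something the poster confirmed. The second domain name and its certificate paths are assumed.

```nginx
# Weak: the catch-all HTTP block builds the redirect from $server_name. With
# "server_name _;" every outside visitor is sent to https://_/..., which the
# browser reports as ERR_NAME_NOT_RESOLVED. (Illustrative, not the poster's file.)
server {
    listen 80;
    server_name _;
    return 301 https://$server_name$request_uri;
}

# Fixed: redirect to the name the client actually asked for, so
# cloud.my-domain.at stays cloud.my-domain.at after the upgrade to HTTPS.
server {
    listen 80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

# Second domain for the NGO (assumed name cloud.ngo.example.org): its own server
# block with its own certificate files. The container only automates the one
# domain from its template, so these files are obtained and renewed by hand.
server {
    listen 443 ssl;
    server_name cloud.ngo.example.org;

    ssl_certificate /config/keys/ngo/fullchain.pem;        # assumed path
    ssl_certificate_key /config/keys/ngo/privkey.pem;      # assumed path

    location / {
        include /config/nginx/proxy.conf;
        # same Nextcloud container as in the site config above; Nextcloud must
        # list both hostnames in trusted_domains or it rejects the second one
        proxy_pass https://192.168.1.252:443;
    }
}
```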
12 minutes ago, aptalca said:

Letsencrypt in this docker image is set to work with one domain only. You can use two domains with this container as long as you do the cert retrieval and renewal manually for the second domain

 

 

Manual Process is always bad...

 

Then another question as I am new with UnRaid and Docker.

 

I have a DSL with multiple static IP addresses.

 

Can I install the Letsencrypt Docker a second time with a different internal (+mapped external) IP address for my second domain?

 

Br,

Johannes

1 hour ago, ebnerjoh said:

 

Manual Process is always bad...

 

Then another question as I am new with UnRaid and Docker.

 

I have a DSL with multiple static IP addresses.

 

Can I install the Letsencrypt Docker a second time with a different internal (+mapped external) IP address for my second domain?

 

Br,

Johannes

 

Ok, I solved it by trial and error.

 

I set up a second LetsEncrypt Docker on a separate internal IP with a separate static public IP, forwarding the requests to the Nextcloud-Docker.

 

The Nextcloud-Docker I am using for both domains. Just added both domains as "trusted domains" and it is working now.

 

But I still have issues with an Apache Docker together with LetsEncrypt. I have already posted my configs on the apache thread: Linuxserver.io Apache

 

Br,

Johannes


Hi, 

 

Maybe I am thinking too complicated...

 

So I try to explain again what I want to achieve with my public domain:

1) One Nextcloud installation

2) A Webserver Installation to host multiple other sites (e.g. wordpress, joomla,...)

 

I have installed the nextcloud and the letsencrypt docker as described here in the thread. This is working like a charm.

 

But now I am struggling with the additional websites.

 

So now questions:

1) As I already have LetsEncrypt running, do I then need another apache docker, or could I use the letsencrypt docker for presenting wordpress and joomla?

2) If yes, what does a simple config look like that catches subdomain.domain.com and points to the webspace /www/subdomain?

 

Br,

Johannes


I'm not exactly clear on what you want to accomplish.

 

Is it

 

1.  nextcloud.server.com, wordpress.server.com, joomla.server.com?

2.  nextcloud.server.com, wordpress.server1.com, joomla.server2.com?

 

The first is possible, the second is not....

1 minute ago, CHBMB said:

I'm not exactly clear on what you want to accomplish.

 

Is it

 

1.  nextcloud.server.com, wordpress.server.com, joomla.server.com?

2.  nextcloud.server.com, wordpress.server1.com, joomla.server2.com?

 

The first is possible, the second is not....

 

nextcloud.server.com --> letsencrypt-docker --> nextcloud-docker (already working)

wordpress.server.com --> letsencrypt-docker

joomla.server.com --> letsencrypt-docker

 

or alternatively

nextcloud.server.com --> letsencrypt-docker --> nextcloud-docker (already working)

wordpress.server.com --> letsencrypt-docker --> apache-docker

joomla.server.com --> letsencrypt-docker --> apache-docker

 

Br,

Johannes

