[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://10.20.1.39:8383/;
        proxy_max_temp_file_size 2048m;
        include /config/nginx/proxy.conf;
    }
}
/mnt/cache/appdata/letsencrypt/nginx/site-confs# This is where I modified it, and it stopped that error for me.

 

kamhighway

Solved File Upload Size Limitation

I had been fiddling with LSIO's letsencrypt container to make it work as a reverse proxy for LSIO's Nextcloud. The reverse proxy works, but file uploads are limited to 10MB. The solution is to edit the file proxy.conf, which for me resides in /mnt/cache/appdata/letsencrypt_lsio/nginx. The first line in that file is:

client_max_body_size 10m;

Change to:

I hope this helps

Link to comment
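The two posts above both hinge on the same nginx rule: an include file is inlined textually where the include directive sits, and client_max_body_size is taken from the innermost block that sets it (default 1m), so a 0 at server level is still overridden by the 10m inside the proxy.conf included in location /. The parser below, an added example that is not code from the thread or from linuxserver.io, resolves which value actually applies per context, and also models the add_header inheritance rule that matters for the HSTS line in the first snippet: a block that sets any add_header of its own stops inheriting the server's add_header lines. The file paths, hostname and file contents are constructed stand-ins.

```python
"""Resolve the effective client_max_body_size and HSTS state per nginx context."""
import re

# Constructed stand-ins for the two files; a real run would read them from disk.
FILES = {
    "/config/nginx/site-confs/default": """
server {
    listen 443 ssl;
    server_name cloud.example.org;          # constructed hostname
    client_max_body_size 0;                 # 0 = no limit, at server level
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    location / {
        proxy_pass https://10.20.1.39:8383/;
        include /config/nginx/proxy.conf;   # pulls in its own client_max_body_size
    }
}
""",
    "/config/nginx/proxy.conf": """
client_max_body_size 10m;
proxy_set_header Host $host;
""",
}

# Tokens: double-quoted string, single-quoted string, one of { } ;, or a bare word.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};"\']+')


def tokenize(text):
    """Strip # comments and split nginx config text into tokens."""
    return TOKEN.findall(re.sub(r"#.*", "", text))


def parse(text, files):
    """Parse config text into a list of (name, args, children) tuples.

    children is None for simple directives and a nested list for blocks.
    ``include`` directives are replaced by the parsed contents of the named
    file, exactly as nginx inlines them (no glob patterns in this example).
    """
    tokens = tokenize(text)
    pos = 0

    def block():
        nonlocal pos
        directives = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while tokens[pos] not in ("{", ";"):
                words.append(tokens[pos])
                pos += 1
            if tokens[pos] == ";":
                pos += 1
                if words[0] == "include":
                    directives.extend(parse(files[words[1]], files))
                else:
                    directives.append((words[0], words[1:], None))
            else:
                pos += 1                      # consume "{"
                children = block()
                pos += 1                      # consume "}"
                directives.append((words[0], words[1:], children))
        return directives

    return block()


def effective_settings(tree, limit="1m", headers=(), path="http", report=None):
    """Map each context to the client_max_body_size and HSTS state it really gets.

    A block inherits client_max_body_size from its parent unless it sets its
    own (nginx default 1m); add_header lines are inherited only when the block
    defines none itself, so one add_header in a location drops the server's HSTS.
    """
    report = {} if report is None else report
    own_limit = [args[0] for name, args, _ in tree if name == "client_max_body_size"]
    if own_limit:
        limit = own_limit[-1]
    own_headers = [args for name, args, _ in tree if name == "add_header"]
    if own_headers:
        headers = own_headers
    report[path] = {
        "client_max_body_size": limit,
        "hsts": any(a and a[0].lower() == "strict-transport-security" for a in headers),
    }
    for name, args, children in tree:
        if children is not None:
            effective_settings(children, limit, headers,
                               path + " > " + " ".join([name] + args), report)
    return report


def main():
    tree = parse(FILES["/config/nginx/site-confs/default"], FILES)
    for ctx, s in effective_settings(tree).items():
        print(f"{ctx}: client_max_body_size={s['client_max_body_size']} hsts={s['hsts']}")


if __name__ == "__main__":
    main()
```

Run as-is it reports 1m for the bare http context, 0 for the server block and 10m for location /, which is the cap kamhighway hit; editing the value inside proxy.conf (or setting it in the location after the include) is what actually changes the limit for the proxied path.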
4 hours ago, aptalca said:

Then it's your site config. Without seeing that, we have no idea.

I found the problem.

I was working outside today and realized that everything works fine from outside my LAN.

Turns out my router ignores the port mapping I've created to map 80 from outside to 84 for Let's Encrypt (as 80 is the Unraid GUI).

Probably going to change the GUI port to 8080 so everything works fine even inside my LAN.

Edited by Altair
Typo
Link to comment

Hi,

I was using Letsencrypt for about 4 months, then had to reset my router and remap my ports, and with some extra fiddling around (updated to beta version) I broke it all.

Currently having to set it all back up again; however, I cannot get the docker to start and I'm not sure why.

I am running the latest 6.4.0 beta release rc11i and I did read some letsencrypt SSL renewal stuff, but here is my container log.

It keeps saying something else is using port 443, but nothing else is, and I can change the port to anything and it still says 443 is being used.

Please help?

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d XXX
E-mail address entered: XXX
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for XXX
Cleaning up challenges
Could not bind TCP port 443 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

Here are all my current port mappings:

binhex-plex
binhex-sonarr: 8989 9897
binhex-radarr: 7878
plexrequests: 3001
netdata
jackett: 9117
dolphin: 8080
openvpn-as: 943 9444 1194
binhex-teamspeak
headphones: 8282
binhex-rtorrentvpn: 3000 5000 9080 9443 8118
filezilla: 7809 7909
binhex-airsonic: 4040
letsencrypt: 81 443
nextcloud: 444
mariadb: 3306
plexpy: 8181
deluge

Sorry they look rough; as you can see, I cannot see what is using "443".

On a separate note, though, when I open my Nextcloud GUI it loads my Unraid GUI; however, I do not have the option to map a port apart from the 444 that it already has. Not sure why it is using the Unraid GUI port.

Ports are mapped correctly on the router and I use no-ip (ddns.net); I also checked that the ports are open.

Any help will be appreciated.

Link to comment
1 hour ago, MowMdown said:

Unraid uses 80 & 443 on 6.4.0

set lets encrypt to something like 445

then on your router forward port 445 -->(to) 443

But doesn't Let's Encrypt require 443? Every other way I've seen it installed requires that 443 be the port. Going to be interesting when 6.4 comes around.

Link to comment
15 minutes ago, ijuarez said:

But doesn't Let's Encrypt require 443? Every other way I've seen it installed requires that 443 be the port. Going to be interesting when 6.4 comes around.

The port has to be 443 inside the container and on the router (WAN side), so in between those two it can go through a different port (on the Unraid host).

i.e. 443 on the router forwarded to 444 on Unraid, and the letsencrypt docker container maps 444 to 443.

Link to comment
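The last few posts describe two separate problems that look the same from the container log: a host-port clash (Unraid 6.4's web GUI holds 80 and 443 on the host, so a container mapping 443:443 can never bind) and the WAN 443 -> host port -> container 443 chain that certbot's tls-sni-01 challenge needs. The script below is an added example, not code from the thread: it parses a mapping list, reports host ports claimed twice, checks the chain end to end, and includes a bind probe that reproduces the "could not bind TCP port" condition locally. The container names and port numbers are constructed to resemble the list posted above; "445" is the alternative host port MowMdown suggested.

```python
"""Detect host-port clashes and validate the WAN -> host -> container chain."""
import socket
from collections import defaultdict

# Ports the Unraid host itself listens on (the 6.4 web GUI takes both by default).
HOST_RESERVED = {80: "unraid-webgui", 443: "unraid-webgui"}

# Constructed mapping list, one container per line, written as
# "name hostport:containerport ..." the way docker -p takes them.
MAPPINGS = """
letsencrypt 81:80 443:443
nextcloud 444:443
mariadb 3306:3306
jackett 9117:9117
"""

# The same list with the letsencrypt https side moved to a free host port.
FIXED_MAPPINGS = MAPPINGS.replace("443:443", "445:443")


def parse_mappings(text):
    """Return [(container, host_port, container_port), ...]."""
    out = []
    for line in text.strip().splitlines():
        name, *pairs = line.split()
        for pair in pairs:
            host, container = (int(p) for p in pair.split(":"))
            out.append((name, host, container))
    return out


def find_clashes(mappings, reserved=HOST_RESERVED):
    """Host ports claimed by more than one owner (host service or container)."""
    owners = defaultdict(list)
    for port, who in reserved.items():
        owners[port].append(who)
    for name, host, _ in mappings:
        owners[host].append(name)
    return {port: who for port, who in owners.items() if len(who) > 1}


def chain_ok(router_wan_port, router_to_host_port, mappings, container):
    """Check the WAN -> host -> container chain for one container.

    Only the two ends are fixed: 443 on the WAN side and 443 inside the
    container. The host port between them may be anything that is free.
    """
    for name, host, cport in mappings:
        if name == container and host == router_to_host_port:
            return router_wan_port == 443 and cport == 443
    return False


def port_in_use(port, host="127.0.0.1"):
    """True when a bind to host:port fails, i.e. something already holds it.

    This is the same condition certbot reports as "Could not bind TCP port".
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError:
            return True
    return False


def demo_bind_check():
    """Hold an ephemeral port, probe it, release it, probe again."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as holder:
        holder.bind(("127.0.0.1", 0))
        holder.listen(1)
        port = holder.getsockname()[1]
        while_held = port_in_use(port)
    after_release = port_in_use(port)
    return while_held, after_release


if __name__ == "__main__":
    for port, who in find_clashes(parse_mappings(MAPPINGS)).items():
        print(f"host port {port} claimed by: {', '.join(who)}")
    print("fixed list clashes:", find_clashes(parse_mappings(FIXED_MAPPINGS)))
    print("443 -> 445 -> 443 ok:",
          chain_ok(443, 445, parse_mappings(FIXED_MAPPINGS), "letsencrypt"))
    print("ephemeral port held / released:", demo_bind_check())
```

On a real host, port_in_use(443) run as root tells you in one line whether the GUI (or anything else) still owns the port, which is the question the "I cannot see what is using 443" post could not answer from the container list alone.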
7 hours ago, aptalca said:

The port has to be 443 inside the container and on the router (WAN side), so in between those two it can go through a different port (on the Unraid host).

i.e. 443 on the router forwarded to 444 on Unraid, and the letsencrypt docker container maps 444 to 443.

With unRAID 6.4 this becomes a bit easier. You can give the docker container its own IP address and let the router forward port 443 to this container address.

Link to comment
1 minute ago, bonienl said:

With unRAID 6.4 this becomes a bit easier. You can give the docker container its own IP address and let the router forward port 443 to this container address.

Correct me if I am wrong here @bonienl. Are you saying I can assign a different IP to Letsencrypt and not worry about the port problems? For example, my Unraid runs on 192.168.1.2 and I can assign 192.168.1.3 for letsencrypt? Is this in the "edit" template of the docker then?

Link to comment
3 hours ago, bonienl said:

First you need to change the network type to br0 (or eth0); the new type is automatically detected and added when the docker service is started.

Once a custom network is selected, the option appears to set a fixed IP address for this specific container.

This explains why the container started when I switched from "host" to "br0". Thank you.

Link to comment

I got it all back up and running now. Thank you to everyone who advised me where to go; the 6.4.0 update surely messed up my LE docker.

This is where I am now with my settings, for anyone else who has issues:

Settings - Identification - SSL Certificate settings

Use SSL - Auto

HTTP - 8080

HTTPS - 400

Now access the unRAID GUI with servername:8080

In the settings, when you expand the SSL section, it reads the line below, so I put my cert in, but I'm not sure if it makes a difference.

"A Lets Encrypt or other user-generated SSL certificate, must be stored in the file /boot/config/ssl/certs/certificate_bundle.pem. nginx will prefer this certificate if present."

I run 2 NICs, so my LE docker runs as Host with ports 80 & 443, with those ports also forwarded on my router.

I did try and run the container with the br0 setting for network type; however, it only assigns the IP when the container runs, and it did not stay running long enough to get the cert, and with my stup** Vodafone router I have to map ports to an IP or device, so it basically just did not work for me. Should work if you have a decent router, unlike me.

Finally, I switched from NO-IP to DUCKDNS, and I had to manually update my IP as DUCKDNS did not, so to do that just use this URL:

https://www.duckdns.org/update/domainname/token

Link to comment
On 2017-11-07 at 10:30 PM, GilbN said:

I'm having some trouble with this.

My jail.local in /config looks like this:

# This is the custom version of the jail.conf for fail2ban
# Feel free to modify this and add additional filters
# Then you can drop the new filter conf files into the fail2ban-filters
# folder and restart the container

[DEFAULT]

# "bantime" is the number of seconds that a host is banned.
bantime  = 600

# A host is banned if it has generated "maxretry" during the last "findtime"
# seconds.
findtime  = 600

# "maxretry" is the number of failures before a host get banned.
maxretry = 5


[ssh]

enabled = false


[nginx-http-auth]

enabled  = true
filter   = nginx-http-auth
port     = http,https
logpath  = /config/log/nginx/error.log
mta = sendmail
action = sendmail-whois[name=letsencrypt, dest=<[email protected]>]

[nginx-badbots]

enabled  = true
port     = http,https
filter   = nginx-badbots
logpath  = /config/log/nginx/access.log
maxretry = 2


[nginx-botsearch]

enabled  = true
port     = http,https
filter   = nginx-botsearch
logpath  = /config/log/nginx/access.log

And in config/action.d I copied sendmail-whois.conf to sendmail-whois.local:

# Fail2Ban configuration file
#
# Author: Cyril Jaquier
#
#

[INCLUDES]

before = sendmail-common.conf

[Definition]

# Option:  actionban
# Notes.:  command executed when banning an IP. Take care that the
#          command is executed with Fail2Ban user rights.
# Tags:    See jail.conf(5) man page
# Values:  CMD
#
actionban = printf %%b "Subject: [Fail2Ban] <name>: banned <ip> from `uname -n`
            Date: `LC_ALL=C date +"%%a, %%d %%h %%Y %%T %%z"`
            From: <sendername> <<sender>>
            To: <dest>\n
            Hi,\n
            The IP <ip> has just been banned by Fail2Ban after
            <failures> attempts against <name>.\n\n
            Here is more information about <ip> :\n
            `/usr/bin/whois <ip> || echo missing whois program`\n
            Regards,\n
            Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -au<username> -ap<password> <dest>

[Init]

# Default name of the chain
#
name = default

But I get this in fail2ban.log:

2017-11-07 22:16:42,999 fail2ban.jail           [310]: INFO    Jail 'nginx-http-auth' started
2017-11-07 22:16:43,001 fail2ban.jail           [310]: INFO    Jail 'nginx-botsearch' started
2017-11-07 22:16:43,002 fail2ban.jail           [310]: INFO    Jail 'nginx-badbots' started
2017-11-07 22:16:43,009 fail2ban.utils          [310]: ERROR   printf %b "Subject: [Fail2Ban] letsencrypt: started on `uname -n`
Date: `LC_ALL=C date +"%a, %d %h %Y %T %z"`
From: Fail2Ban <fail2ban>
To: <email@gmail.com>\n
Hi,\n
The jail letsencrypt has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban <email@gmail.com> -- stderr:
2017-11-07 22:16:43,009 fail2ban.utils          [310]: ERROR    -- stderr: '/bin/sh: syntax error: unexpected end of file'
2017-11-07 22:16:43,009 fail2ban.utils          [310]: ERROR   printf %b "Subject: [Fail2Ban] letsencrypt: started on `uname -n`
Date: `LC_ALL=C date +"%a, %d %h %Y %T %z"`
From: Fail2Ban <fail2ban>
To: <email@gmail.com>\n
Hi,\n
The jail letsencrypt has been started successfully.\n
Regards,\n
Fail2Ban" | /usr/sbin/sendmail -f fail2ban <email@gmail.com> -- returned 2
2017-11-07 22:16:43,010 fail2ban.actions        [310]: ERROR   Failed to start jail 'nginx-http-auth' action 'sendmail-whois': Error starting action Jail('nginx-http-auth')/sendmail-whois

It's like it skips the .local file and uses the sendmail-whois.conf file???

I even completely removed the container and deleted the image and /config folder, but this still happens.

When I bash into the container and do this:

sendmail -t -v  -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -auMYEMAILADDRESS -apMYPASSWORD <mail.txt

it works just fine.

Anyone know what's wrong?

I have the same in my logfile! Any solution on this?

Edited by peter_sm
Link to comment
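What the fail2ban.log excerpt above actually shows is worth reading closely: the command that fails is the jail-started notification (the "has been started successfully" mail), which is the actionstart defined in sendmail-common.conf and pulled into sendmail-whois by its `before =` line, not the actionban that was overridden in sendmail-whois.local; fail2ban reads the .conf first and then overlays the .local, so the .local is being read. The failing command ends in `/usr/sbin/sendmail -f fail2ban <email@gmail.com>` because the tag value `dest=<...>` was substituted verbatim: tag expansion is textual, the result is handed to /bin/sh, and the angle brackets become an input redirection plus a bare trailing `>`, which a POSIX shell rejects as an unexpected end of file. The checker below is an added example, not code from the thread or from fail2ban: it parses a constructed jail.local excerpt (placeholder address), substitutes tags the way fail2ban does into a shortened stand-in for the real actionstart template, flags any tag value containing shell metacharacters, and syntax-checks the assembled command with `sh -n` without executing it.

```python
"""Flag fail2ban action parameters that would turn into shell syntax."""
import configparser
import re
import subprocess

# Constructed jail.local excerpt; the address is a placeholder, not a real mailbox.
JAIL_LOCAL = """
[nginx-http-auth]
enabled = true
filter  = nginx-http-auth
logpath = /config/log/nginx/error.log
action  = sendmail-whois[name=letsencrypt, dest=<admin@example.org>]
"""

# Shortened stand-in for the actionstart command of fail2ban's
# sendmail-common.conf (the real one has a longer message body).
ACTIONSTART = ('printf %b "Subject: [Fail2Ban] <name>: started\\nTo: <dest>\\n" '
               '| /usr/sbin/sendmail -f <sender> <dest>')

# Characters the shell treats as syntax rather than as part of a word.
SHELL_META = re.compile(r"[<>|;&`$()\s]")


def parse_action(spec):
    """'name[k=v, k2=v2]' -> (name, {k: v}); values are taken verbatim."""
    m = re.fullmatch(r"\s*([\w-]+)(?:\[(.*)\])?\s*", spec)
    if not m:
        raise ValueError(f"unrecognised action spec: {spec!r}")
    params = {}
    for item in filter(None, (s.strip() for s in (m.group(2) or "").split(","))):
        key, _, value = item.partition("=")
        params[key.strip()] = value.strip()
    return m.group(1), params


def substitute(template, tags):
    """Textual <tag> replacement as fail2ban does it; unknown tags stay as-is."""
    return re.sub(r"<(\w+)>", lambda m: tags.get(m.group(1), m.group(0)), template)


def unsafe_tags(tags):
    """Tag names whose values would become shell syntax once substituted."""
    return sorted(name for name, value in tags.items() if SHELL_META.search(value))


def shell_parses(command):
    """Syntax-check the assembled command with sh -n (parsed, never executed)."""
    return subprocess.run(["sh", "-n", "-c", command], capture_output=True).returncode == 0


def check_jail(jail_text, section):
    """Assemble the actionstart command for one jail and report risky tags."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(jail_text)
    action_name, params = parse_action(cp.get(section, "action"))
    tags = {"sender": "fail2ban", **params}     # sender default as in sendmail-common
    return {
        "action": action_name,
        "command": substitute(ACTIONSTART, tags),
        "unsafe": unsafe_tags(params),
    }


if __name__ == "__main__":
    plain = JAIL_LOCAL.replace("<admin@example.org>", "admin@example.org")
    for text in (JAIL_LOCAL, plain):
        result = check_jail(text, "nginx-http-auth")
        print("unsafe tags:", result["unsafe"] or "none")
        print("sh -n accepts:", shell_parses(result["command"]))
        print(result["command"], "\n")
```

The same mechanism applies to every tag, including `name`, so anything placed in a jail's action parameters should be a plain word or address; running a check like this before restarting the container catches the problem without waiting for the jail to fail at startup.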

Hi,

I'm having some problems with the renewal of my certificate, and I haven't got the hang of all the parts of a "certificate" and the process needed.

When I SSH into my unRaid server the tool "certbot" doesn't exist, and when I run "certtool" I get stuck on:

root@Muff:/# certtool -u --load-ca-privkey="/mnt/user/appdata/letsencrypt/keys/cert.key" --load-ca-certificate="/mnt/user/appdata/letsencrypt/keys/cert.crt"
Generating a signed certificate...
missing --load-certificate
root@Muff:/# 

I don't know where I can find "--load-certificate".

And this is the log from the container:

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
4096 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d secret.duckdns.org
E-mail address entered: [email protected]
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Thu Nov 23 16:23:28 CET 2017
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/secret.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Running pre-hook command: s6-svc -d /var/run/s6/services/nginx
Hook command "s6-svc -d /var/run/s6/services/nginx" returned error code 111

Error output from s6-svc:

s6-svc: fatal: unable to control /var/run/s6/services/nginx: No such file or directory

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for secret.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/secret.duckdns.org.conf produced an unexpected error: Failed authorization procedure. cizco.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.

Running post-hook command: s6-svc -u /var/run/s6/services/nginx ; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
Error output from s6-svc:

s6-svc: fatal: unable to control /var/run/s6/services/nginx: No such file or directory


All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/secret.duckdns.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: secret.duckdns.org
Type: connection
Detail: Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

 

DuckDNS.org has the correct WAN IP and it gets its update from my router (ubnt UniFi Security Gateway 3P).

Thank you!

Link to comment
On 11/16/2017 at 5:43 AM, bonienl said:

With unRAID 6.4 this becomes a bit easier. You can give the docker container its own IP address and let the router forward port 443 to this container address.

This feature alone makes 6.4 so worth the wait. As soon as it's released I am upgrading my second license just for the heck of it, so I have two pro versions for my live and my test machines.

Link to comment
13 hours ago, Muff said:

Hi,

I'm having some problems with the renewal of my certificate, and I haven't got the hang of all the parts of a "certificate" and the process needed.

When I SSH into my unRaid server the tool "certbot" doesn't exist, and when I run "certtool" I get stuck on:

root@Muff:/# certtool -u --load-ca-privkey="/mnt/user/appdata/letsencrypt/keys/cert.key" --load-ca-certificate="/mnt/user/appdata/letsencrypt/keys/cert.crt"
Generating a signed certificate...
missing --load-certificate
root@Muff:/# 

I don't know where I can find "--load-certificate".

And this is the log from the container:

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
4096 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d secret.duckdns.org
E-mail address entered: [email protected]
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Thu Nov 23 16:23:28 CET 2017
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/secret.duckdns.org.conf
-------------------------------------------------------------------------------
Cert is due for renewal, auto-renewing...
Running pre-hook command: s6-svc -d /var/run/s6/services/nginx
Hook command "s6-svc -d /var/run/s6/services/nginx" returned error code 111

Error output from s6-svc:

s6-svc: fatal: unable to control /var/run/s6/services/nginx: No such file or directory

Renewing an existing certificate
Performing the following challenges:
tls-sni-01 challenge for secret.duckdns.org
Waiting for verification...
Cleaning up challenges
Attempting to renew cert from /etc/letsencrypt/renewal/secret.duckdns.org.conf produced an unexpected error: Failed authorization procedure. cizco.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout. Skipping.

Running post-hook command: s6-svc -u /var/run/s6/services/nginx ; cd /config/keys/letsencrypt && openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass:
Error output from s6-svc:

s6-svc: fatal: unable to control /var/run/s6/services/nginx: No such file or directory


All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/secret.duckdns.org/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: secret.duckdns.org
Type: connection
Detail: Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready

 

DuckDNS.org has the correct WAN IP and it gets its update from my router (ubnt UniFi Security Gateway 3P).

Thank you!

Looks like you didn't forward the port on your router.

Link to comment

Thanks for developing this docker.

I am on Unraid 6.4.0_rc14. It's not fully clear to me from reading this thread whether this is making things easier with letsencrypt or more difficult.

I have not succeeded yet in setting up the docker. A few issues:

* Setting the https port in docker settings to 443 does not work (related to 6.4?). Also tried 445, which also doesn't work (though not taken by Unraid). I tried 444, which happens to work. Would love to understand, though, why 443 and 445 are not working.

* I cannot access the UI. The log shows me two error messages:

certbot: error: argument --cert-path: No such file or directory

Failed authorization procedure. myname.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

[s6-finish] sending all processes the KILL signal and exiting.

I have not forwarded any ports in my router yet, so this may be related? Also, I am not sure whether I can even forward ports in my router, as my ISP may restrict this?

Link to comment
7 minutes ago, steve1977 said:

Thanks for developing this docker.

I am on Unraid 6.4.0_rc14. It's not fully clear to me from reading this thread whether this is making things easier with letsencrypt or more difficult.

I have not succeeded yet in setting up the docker. A few issues:

* Setting the https port in docker settings to 443 does not work (related to 6.4?). Also tried 445, which also doesn't work (though not taken by Unraid). I tried 444, which happens to work. Would love to understand, though, why 443 and 445 are not working.

* I cannot access the UI. The log shows me two error messages:

certbot: error: argument --cert-path: No such file or directory

Failed authorization procedure. myname.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

[s6-finish] sending all processes the KILL signal and exiting.

I have not forwarded any ports in my router yet, so this may be related? Also, I am not sure whether I can even forward ports in my router, as my ISP may restrict this?

You have multiple issues to resolve here, in no particular order:

resolve the web UI and container port clash

ensure your dynamic DNS address is updated, otherwise the domain name won't resolve to your IP

sort out port forwarding, as without this nothing will function

Link to comment
