Skip to content
View in the app

A better way to browse. Learn more.

Unraid

A full-screen app on your home screen with push notifications, badges and more.

To install this app on iOS and iPadOS
  1. Tap the Share icon in Safari
  2. Scroll the menu and tap Add to Home Screen.
  3. Tap Add in the top-right corner.
To install this app on Android
  1. Tap the 3-dot menu (⋮) in the top-right corner of the browser.
  2. Tap Add to Home screen or Install app.
  3. Confirm by tapping Install.

[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)

Featured Replies

Perhaps you could include the relevant apache and nginx sample reverse proxy configs in the documentation of each of the containers? Maybe even in the overview section of the template?

 

Stay tuned... where'd you think I got all them from so quick...  ;)

  • Replies 6.2k
  • Views 1.5m
  • Created
  • Last Reply

Top Posters In This Topic

Most Popular Posts

  • Confirming this worked for me too. Not sure I needed to replace both, but I did anyway and Swag and Nextcloud are both back and up and running. For noobs like me, here's what I did: 1. Stop

  • I will only post this once. Feel free to refer folks to this post.   A few points of clarification:   The last update of this image didn't break things. Letsencrypt abruptly disabl

  • BigBoyMarky
    BigBoyMarky

    I replaced both the ssl.conf and nginx.conf files with the sample ones to update them since I did not make any custom modifications to either one of those and this resolved my issue.

Posted Images

Thank you,

 

This community is amazing!

 

All up and running now :)

 

the last query I had was if I could set up multiple 'htpasswd' files.

 

I want the server to be encrypted but it would be good if I could allow access to plexrequests with a separate password that way I could allow my users to make requests without giving them an overall admin logon which could be use to change settings etc.

Thank you,

 

This community is amazing!

 

All up and running now :)

 

the last query I had was if I could set up multiple 'htpasswd' files.

 

I want the server to be encrypted but it would be good if I could allow access to plexrequests with a separate password that way I could allow my users to make requests without giving them an overall admin logon which could be use to change settings etc.

 

IIRC plex requests links to a plex username.  So probably best just to leave that without .htpasswd.

 

You can setup different .htpasswd files.  But you need one per "group"

Thank you,

 

This community is amazing!

 

All up and running now :)

 

the last query I had was if I could set up multiple 'htpasswd' files.

 

I want the server to be encrypted but it would be good if I could allow access to plexrequests with a separate password that way I could allow my users to make requests without giving them an overall admin logon which could be use to change settings etc.

 

IIRC plex requests links to a plex username.  So probably best just to leave that without .htpasswd.

 

You can setup different .htpasswd files.  But you need one per "group"

You can also add multiple user pass combos to the same htpasswd file

I converted from aptalca's Letsencrypt container over to this one today, thanks aptalca and the rest of LSIO for all your work on this!

 

A few questions:

1) In the old container, I could docker exec into it and run

nginx -t

to have it check the config. But in the new container I have to specify which config file to test:

nginx -c /config/nginx/nginx.conf -t

Is there any way to make this the default?

 

2) In the old container I could restart nginx with "service nginx restart".  How do you restart nginx in the new container, without actually restarting the whole container?

 

3) In /etc/init.d/nginx, the pid is defined as /run/nginx/nginx.pid.  I think that should be /run/nginx.pid?  Hmm, when I try to exec that script it says:

/sbin/openrc-run: bad interpreter: No such file or directory

Is /etc/init.d/nginx even used then?

 

4) Since most people are using this for reverse proxy and not hosting a public website, it might make sense to drop a basic robots.txt file in the default www directory to keep search engines away:

User-agent: *
Disallow: /

 

 

I converted from aptalca's Letsencrypt container over to this one today, thanks aptalca and the rest of LSIO for all your work on this!

 

A few questions:

1) In the old container, I could docker exec into it and run

nginx -t

to have it check the config. But in the new container I have to specify which config file to test:

nginx -c /config/nginx/nginx.conf -t

Is there any way to make this the default?

 

2) In the old container I could restart nginx with "service nginx restart".  How do you restart nginx in the new container, without actually restarting the whole container?

 

3) In /etc/init.d/nginx, the pid is defined as /run/nginx/nginx.pid.  I think that should be /run/nginx.pid?  Hmm, when I try to exec that script it says:

/sbin/openrc-run: bad interpreter: No such file or directory

Is /etc/init.d/nginx even used then?

 

4) Since most people are using this for reverse proxy and not hosting a public website, it might make sense to drop a basic robots.txt file in the default www directory to keep search engines away:

User-agent: *
Disallow: /

 

1) Not that I know of. Old container used a lot of symlinks, which aren't ideal. New container defines files in place.

 

2) s6-svc -h /var/run/s6/services/nginx

 

3) Nginx is started by the s6 service manager. Check out the file /etc/services.d/nginx/run

 

4) Some people host public wordpress sites. We design for the lowest common denominator, but you can always put whatever you need in the www folder as the container doesn't touch that as long as it exists

Hello everyone, first of all, i'd like to thank everyone for making this container. I do, however have a problem. When I try to run it, it gives me an error in the logs.

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)

nginx: [emerg] still could not bind()
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)

This is going on indefinitely. I managed to set it up by killing the webgui process from the command line. Iset up the network as host and forwarded the right ports but unless i kill the webgui i can't reach the webserver. When I set the network to bridge it does not give me the errors but I still can't reach the websites. I hope someone can help me.

Hello everyone, first of all, i'd like to thank everyone for making this container. I do, however have a problem. When I try to run it, it gives me an error in the logs.

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)

nginx: [emerg] still could not bind()
nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)

nginx: [emerg] bind() to 0.0.0.0:80 failed (98: Address in use)

This is going on indefinitely. I managed to set it up by killing the webgui process from the command line. Iset up the network as host and forwarded the right ports but unless i kill the webgui i can't reach the webserver. When I set the network to bridge it does not give me the errors but I still can't reach the websites. I hope someone can help me.

 

Post your docker run command.  You can't set the host port to 80 as that the default port Unraid webui uses, instead set it to 81 and then port forward 80 on your router to 81 on your Unraid machine.

 

And have you made any changes to any of the files that are in your appdata folder?  I'm unclear if this is a fresh pull or trying to run a container you've already attempted to configure further.

Wow, thanks for the fast reply. I wasn expecting this.

The command that unraid is doing is this(after i now changed the port to 81):

Command:
root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="host" --privileged="true" -e TZ="Europe/Berlin" -e HOST_OS="unRAID" -e "TCP_PORT_81"="81" -e "EMAIL"="[email protected]" -e "URL"="oliverengelhardt.de" -e "SUBDOMAINS"="www," -e "ONLY_SUBDOMAINS"="false" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt
7b66d45a4077800d8590c2576907b3490a09d36ddb27bc3191233fa57ce73a7f

The command finished successfully!

It's a fresh pull. I have not yet touched anything in appdata. I made a screenshot of my config page:

4P9fmW2.png

It still appears to try to bind to port 80 though. the log is unchanged.

OK, map port 443 to 443 and make sure that you've got port forwards in your router to forward 81 ==> 80 and 443 ==>443

Ok, i have done that. It's still the same in the log. Still can't connect.

 

Got teamviewer? I got a spare ten minutes...

Ok, i have done that. It's still the same in the log. Still can't connect.

 

Got teamviewer? I got a spare ten minutes...

Oh my god,  I now set the network back to bridge and it works. I got no idea why, but it does. Thank you so much for your time though.

Ok, i have done that. It's still the same in the log. Still can't connect.

 

Got teamviewer? I got a spare ten minutes...

Oh my god,  I now set the network back to bridge and it works. I got no idea why, but it does. Thank you so much for your time though.

 

Begs the question why you set it to host?  Glad you got it working.  ;)

Ok, i have done that. It's still the same in the log. Still can't connect.

 

Got teamviewer? I got a spare ten minutes...

Oh my god,  I now set the network back to bridge and it works. I got no idea why, but it does. Thank you so much for your time though.

 

Begs the question why you set it to host?  Glad you got it working.  ;)

I don't really know :D

Ok, i have done that. It's still the same in the log. Still can't connect.

 

Got teamviewer? I got a spare ten minutes...

Oh my god,  I now set the network back to bridge and it works. I got no idea why, but it does. Thank you so much for your time though.

 

Begs the question why you set it to host?  Glad you got it working.  ;)

I don't really know :D

 

I admire the honesty of that answer..... lol  ;D

Just got this docker setup for my domain, real simple thanks guys. 

 

However, I have no experience with nginx (coming from Apache docker).  Can someone point me to a good reference for how to configure this docker to redirect say my requests.domain.com to my PlexRequests docker?

Just got this docker setup for my domain, real simple thanks guys. 

 

However, I have no experience with nginx (coming from Apache docker).  Can someone point me to a good reference for how to configure this docker to redirect say my requests.domain.com to my PlexRequests docker?

 

Save this as requests in the same folder as default.

 

server {
       listen         80;
       server_name    requests.server.com;
       return         301 https://$server_name$request_uri;
}

server {
listen 443 ssl;
server_name requests.server.com;

root /config/www;
index index.html index.htm index.php;

###SSL Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

###Diffie–Hellman key exchange ###
ssl_dhparam /config/nginx/dhparams.pem;

###SSL Ciphers
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

###Extra Settings###
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header Front-End-Https on;

client_max_body_size 0;

location / {
    	proxy_pass https://192.168.0.1:3000/;
  }
}

 

Alternatively, paste this into default to access plexrequests at server.com/requests (You will need to set the URLBASE to /requests)

 

	location /requests {
	proxy_pass http://192.168.0.1:3000/requests;
	include /config/nginx/proxy.conf;
}

 

Obviously for both you'll need to change the IP address +/- port

Just got this docker setup for my domain, real simple thanks guys. 

 

However, I have no experience with nginx (coming from Apache docker).  Can someone point me to a good reference for how to configure this docker to redirect say my requests.domain.com to my PlexRequests docker?

 

Save this as requests in the same folder as default.

 

server {
       listen         80;
       server_name    requests.server.com;
       return         301 https://$server_name$request_uri;
}

server {
listen 443 ssl;
server_name requests.server.com;

root /config/www;
index index.html index.htm index.php;

###SSL Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

###Diffie–Hellman key exchange ###
ssl_dhparam /config/nginx/dhparams.pem;

###SSL Ciphers
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

###Extra Settings###
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header Front-End-Https on;

client_max_body_size 0;

location / {
    	proxy_pass https://192.168.0.1:3000/;
  }
}

 

Alternatively, paste this into default to access plexrequests at server.com/requests (You will need to set the URLBASE to /requests)

 

	location /requests {
	proxy_pass http://192.168.0.1:3000/requests;
	include /config/nginx/proxy.conf;
}

 

Obviously for both you'll need to change the IP address +/- port

 

The second method works probably because I already had the URLBASE set for PlexRequests to /requests.  The first method gets me a 502 Bad Gateway.  I'm guessing this is because my URLBASE is set?

Yep

 

Sent from my LG-H815 using Tapatalk

 

I've taken out my URLBASE for PlexRequests and confirmed it is now accessed via IP:3000 (no longer /requests).  I've taken out any reference to mydomain.com/requests in 'default.'  I've added a file named 'requests' in the same folder as default containing the following:

 

server {
       listen         80;
       server_name    requests.MYDOMAIN.COM;
       return         301 https://$server_name$request_uri;
}

server {
listen 443 ssl;
server_name requests.MYDOMAIN.COM;

root /config/www;
index index.html index.htm index.php;

###SSL Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

###Diffie–Hellman key exchange ###
ssl_dhparam /config/nginx/dhparams.pem;

###SSL Ciphers
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

###Extra Settings###
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
add_header Front-End-Https on;

client_max_body_size 0;

location / {
        proxy_pass https://10.0.10.26:3000/;
  }
}

 

 

Still getting 502 Bad Gateway.  Am I missing something in my config or placing the 'requests' file in the wrong location?

 

Got some logs?  Docker container and the logs from the /config/logs folder?

 

Redact your domain name.

 

Sent from my LG-H815 using Tapatalk

 

 

Got some logs?  Docker container and the logs from the /config/logs folder?

 

Redact your domain name.

 

Sent from my LG-H815 using Tapatalk

 

/config/logs folder is empty.  Here is the container log:

 

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/index.php/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid:    1000
User gid:    1000
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are:  -d www.MYDOMAIN -d requests.MYDOMAIN
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Wed Dec 7 19:45:01 EST 2016
Running certbot renew

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/MYDOMAIN.conf
-------------------------------------------------------------------------------

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/MYDOMAIN/fullchain.pem (skipped)
No renewals were attempted.
2016-12-07 19:45:02,231 fail2ban.server         [258]: INFO    Starting Fail2ban v0.9.4
2016-12-07 19:45:02,231 fail2ban.server         [258]: INFO    Starting in daemon mode
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

 

 

EDIT:  Found the issue.  It was the httpS under location /.  Had to remove the S.

Just got home from work and was going to look at this, so glad you've sorted it.

Are there any guides or tutorials around on how to have Letsencrypt interact with my other dockers on unraid?

 

I understand the general concept behind Letsencrypt, but I'm not sure what files need to be modified, and how to modify these files.

 

My current setup is your standard dynamic IP address provided by my ISP.  I have this tracked by duckdns so I can associated the IP with the static name.  I'd like to be able to attach to all of my different dockers through https:

 

https://insertname.duckdns.org:2020 - Docker 1c

https://insertname.duckdns.org:3030 - Docker 2

https://insertname.duckdns.org:4040 - Docker 3

 

A few of the dockers I run now are:

 

crashplan

owncloud

plex

plexpy

plexrequests

couchpotato

sonarr

 

Any fingers to point me in the right direction would be greatly appreciated :)

 

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

Account

Navigation

Search

Search

Configure browser push notifications

Chrome (Android)
  1. Tap the lock icon next to the address bar.
  2. Tap Permissions → Notifications.
  3. Adjust your preference.
Chrome (Desktop)
  1. Click the padlock icon in the address bar.
  2. Select Site settings.
  3. Find Notifications and adjust your preference.