[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



4 hours ago, Darksurf said:

 

If I were to post screenshots of what I'm seeing, would that help people diagnose my issue and give me some feedback?

 

 

Unifi is much easier to do with subdomain. https://gist.github.com/vidia/fbef2ee643b23848d8b24211d5860b78

 

homeassistant: https://home-assistant.io/docs/ecosystem/nginx_subdomain/ https://home-assistant.io/docs/ecosystem/nginx/

 

qbit: https://github.com/qbittorrent/qBittorrent/wiki/NGINX-Reverse-Proxy-for-Web-UI just add proxy_pass http://ip:port

 

Also: Do not reverse proxy the unraid gui.  Use a vpn instead. https://www.youtube.com/watch?v=I58LTMKyeYw

 

Edited by GilbN
Link to comment
1 hour ago, GilbN said:

 

Unifi is much easier to do with subdomain. https://gist.github.com/vidia/fbef2ee643b23848d8b24211d5860b78

 

homeassistant: https://home-assistant.io/docs/ecosystem/nginx_subdomain/

 

qbit: https://github.com/qbittorrent/qBittorrent/wiki/NGINX-Reverse-Proxy-for-Web-UI just add proxy_pass http://ip:port

 

Also: Do not reverse proxy the unraid gui.  Use a vpn instead. https://www.youtube.com/watch?v=I58LTMKyeYw

 

Thanks, I'll give these a try. I actually don't plan to use the unraid GUI through forwarding, I was just using it to make a point to show what I was seeing with Lychee where the page isn't rendering properly. I already access the unraid GUI through an SSH tunnel as a safety measure.

Link to comment
1 hour ago, Darksurf said:

Thanks, I'll give these a try. I actually don't plan to use the unraid GUI through forwarding, I was just using it to make a point to show what I was seeing with Lychee where the page isn't rendering properly. I already access the unraid GUI through an SSH tunnel as a safety measure.

 

There's no "one size fits all" for reverse proxying stuff. If a page isn't rendered properly, it's because it isn't configured properly. That may be on the LE container side, it could be on the Lychee side, and sometimes you need to alter the configs for both to get stuff working.

 

This is a Lychee config that works with photos.server.com

 

server {
    listen      80;
    server_name photos.server.com;
    return      301 https://$server_name$request_uri;
}

server {
    listen      443 ssl;
    server_name photos.server.com;

    location ^~ / {
        proxy_pass http://192.168.0.1:83/;
        include    /config/nginx/proxy.conf;
    }
}

 

Link to comment
On 10/9/2017 at 6:09 PM, FreeMan said:

I'm getting very slow response times from my LE/NGINX server. Slow to the point that it times out.

 

I have shows.mydomain.ddns.us pointed at my binhex-libresonic docker on port 4040. That times out before I ever get the NGNIX login. However, when I reopen port 4040 at the router and direct it to my server, I get near instant access to my music/video library on my phone with WiFi turned off (i.e., ensuring I'm accessing externally) or with the phone on WiFi. Therefore I believe that it's an issue with the LE/N container, not with my internet connection in general (though Comcrap has been less than reliable the last couple of weeks), my internal network, or the server itself.

 

I have it working (some installation issues were resolved around pages 30-32ish), and I've accessed it via my phone and my computer at work, however, it's always been sluggish.

 

I'm not sure what you might need for diagnosis, so I'm attaching Diagnostics; let me know what else might be needed for troubleshooting.

 

 


 

Turns out I'm a complete and utter nimnod.

 

When it says "Dynamic IP Address" on the tin, that means the IP address within can change. :(  It seems that my IP changed between when I initially got this setup and working and when I started trying to use it. Like within that 12ish hour window.

 

I'm using ChangeIP.com for my DDNS, and I've got their "Homing Beacon" running. It did a fine job of changing the "@" record, but all my subdomains remained on the IP I'd originally set them to. I just found the docs that explain how to maintain all the host names, so I think I should be good to go from here.

 

 

Link to comment

Hello, I'm a new Unraid user, two or so odd weeks in. I did a lot of research into LetsEncrypt and setting up a reverse proxy via this guide here, by Cyan Labs.

I was wondering for the life of me how to get it to work with subdomains instead of a folder-like reverse proxy structure.

Example:

It's set up like this at the moment: https://domain.tld/plex

I want it set up like this: https://plex.domain.tld/

It has been driving me nuts these past few days and I am unable to modify the default in the config to reflect the subdomain. Can anyone please assist?

Link to comment

@Bisu - there are lots of examples throughout this thread of doing so. You'll need to modify the configuration files within \\tower\appdata\letsencrypt\nginx\site-confs (that's the Windows path there, not the path from the server).

 

You can put it in the "default" config file, or, what I've done is to make a config file for each subdomain that contains these lines:

 



# sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
# notice this is a new server block, you need a new server block for each subdomain
server {
    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    server_name books.*;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location / {
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.5:8092/;    
    }
}

 

I copied that from "default" and modified. You'd change "books" to "plex" near the top and change the IP address and port down there at the bottom. Should work. If not, search this thread for "plex" - I'm pretty sure I've seen a lot of people asking about it.

Link to comment
9 hours ago, Bisu said:

Hello, I'm a new Unraid user, two or so odd weeks in. I did a lot of research into LetsEncrypt and setting up a reverse proxy via this guide here, by Cyan Labs.

I was wondering for the life of me how to get it to work with subdomains instead of a folder-like reverse proxy structure.

Example:

It's set up like this at the moment: https://domain.tld/plex

I want it set up like this: https://plex.domain.tld/

It has been driving me nuts these past few days and I am unable to modify the default in the config to reflect the subdomain. Can anyone please assist?

 

There is an example for that in the default site config ;)

Link to comment

I think I was able to finally figure out how to install nextcloud. However, when I try to access it from my chrome, I get this error message. Any ideas?: 

xxx.duckdns.org normally uses encryption to protect your information. When Google Chrome tried to connect to xxx.duckdns.org this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be xxx.duckdns.org, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.

You cannot visit xxx.duckdns.org right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

Link to comment
On 12/9/2016 at 3:01 PM, CHBMB said:

 

Let's look at the above as an example.

 

 


location ^~ /plexpy/
 

 

Tells the webserver that this will be located at the server.com/plexpy address

 

 


 proxy_pass http://192.168.1.28:8181;
    include /config/nginx/proxy.conf;
 

 

Tells nginx where to find the plexpy app and to use the proxy settings in the proxy.conf file

 

 


 proxy_bind $server_addr;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Ssl     on;
 

 

Tells plexpy to use some extra settings necessary to get this working.  Don't worry about these, app specific settings can often be found with a bit of googling though.

 

 


auth_basic "Restricted";
auth_basic_user_file /config/.htpasswd;
 

 

Now to add password protection, you need to add the above lines to that config but you also need to create a .htpasswd file.  There are instructions here in the readme or if you prefer you can use an online tool like this one.

 


 

Copy the last line, chbmb:osQXeEdll4XFk, into a file called .htpasswd and place it in the /config folder (/mnt/user/appdata/nginx or something similar). Note that whatever text editor you use (NOT NOTEPAD ON WINDOWS) must use Linux line endings. If you want to use multiple users then just add a new line for each user. So the linuxserver .htpasswd may end up looking like this.

 

username:hashedpassword. Obviously this example below doesn't have real hashed passwords in it... ;-)

 

 


aptalca:weneedatokenyank
asshopo:notanotheryankwhokeepswaving
chbmb:theonlysaneone
danioj:britabroaddownunder
ironicbadger:gladbadgerbaitingisillegal
j0nnymoe:toocoolforschool
kode:phpninjamaster
saarg:tokenswedishguy
smdion:wethinkhesstillalivebutnotreallysure
sparklyballs:grumpyoldman
stark:anyexcusetowearleather
squid:yumyumcouldbedinner
xe:themannoonereallyknowsexists
stark:anyexcusetowearleather
 

 

 

So final "block" looks like this:

 

 


location ^~ /plexpy/ {
    proxy_pass http://192.168.1.28:8181;
    include /config/nginx/proxy.conf;
    proxy_bind $server_addr;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Ssl     on;
    auth_basic "Restricted";
    auth_basic_user_file /config/.htpasswd;
}
 

 

 

 

 

 

No, you'd place .htpasswd in the /config folder.  As shown in the example above.

 

 

 

Yes it is, has more functionality, so is more complicated, essentially it's a pretty much fully blown webserver, rather than a single app that runs on a webserver.

 

 

 

That's achievable and what this docker is designed for. Once you've done one or two apps, it kind of clicks. However you've got the above bit a little wrong. The whole point of this is so you DON'T open a ton of ports on your router. Just 80 & 443, both forwarded to your Unraid box. Then all communication with any app is proxied through the nginx container. The config out of the box will automatically forward all port 80 requests to 443, so all communication actually takes place over https and is encrypted. Now go and close those ports again! ;-)

 

 

 

It's difficult to point at one single resource.  We're working on something to try and make this a bit easier but, don't worry, we'll get you going.  Just bear with it.

I tried the above for plexpy 

    location ^~ /plexpy {
        proxy_pass http://192.168.99.224:8181/plexpy;
        include /config/nginx/proxy.conf;
        proxy_bind $server_addr;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Ssl on;
        auth_basic "Restricted";
        auth_basic_user_file /config/.htpasswd;
    }

 

Without the auth_basic it works and I can get in with plexpy login, but with the auth_basic in there I get a pop up for u/pw.

I put in my username and password from my .htaccess file, which is stored in the /config/ directory, but it takes me to a 403 Forbidden page. Thoughts?

My .htaccess file only has

username:hashedpw

 

Does it need to have the other stuff in there as well?

*Edit: ran docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd <username>

to generate the .htaccess file and it works now. 

Edited by blurb2m
fixed
Link to comment
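The .htpasswd advice in the posts above (hashed passwords only, one user per line, Linux line endings) as an added example that is not from the thread or the linuxserver.io container: a checker for the file, plus a pure-Python md5crypt so a "$apr1$" entry written by htpasswd or openssl can be verified without Apache tools. The user names, salts and sample entries are constructed.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"  # crypt(3) alphabet

def _to64(value, count):
    # `count` six-bit digits of value, least significant first
    return "".join(ITOA64[(value >> (6 * k)) & 0x3F] for k in range(count))

def md5_crypt(password, salt, magic="$apr1$"):
    """md5crypt as used by htpasswd/openssl ("$apr1$") and glibc ("$1$")."""
    pw, salt = password.encode(), salt[:8]   # raw salt, at most 8 characters
    sb, mb = salt.encode(), magic.encode()
    ctx = hashlib.md5(pw + mb + sb)
    alt = hashlib.md5(pw + sb + pw).digest()
    pl = len(pw)
    while pl > 0:                            # len(pw) bytes of the alternate sum
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                                 # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                    # fixed 1000-round slowdown
        c = hashlib.md5(pw if r & 1 else final)
        if r % 3:
            c.update(sb)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    enc = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    return magic + salt + "$" + enc + _to64(final[11], 2)

def verify_apr1(password, stored):
    """Constant-time check of a password against an "$apr1$salt$hash" field."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "apr1":
        return False
    return hmac.compare_digest(md5_crypt(password, parts[2]), stored)

def check_htpasswd(text):
    """Problems nginx auth_basic trips over or silently accepts: CRLF, bad or duplicate entries, unhashed fields."""
    problems, seen = [], set()
    for n, line in enumerate(text.split("\n"), 1):
        if line.endswith("\r"):              # Windows line ending: the hash would end in '\r'
            problems.append(f"line {n}: CRLF line ending")
            line = line[:-1]
        if not line.strip():
            continue
        user, sep, field = line.partition(":")
        if not sep or not user or not field:
            problems.append(f"line {n}: not in user:hash form")
            continue
        if user in seen:
            problems.append(f"line {n}: duplicate user {user!r}")
        seen.add(user)
        if not field.startswith(("$apr1$", "$2y$", "$2a$", "$2b$", "{SHA}")) and len(field) != 13:
            problems.append(f"line {n}: {user!r} password field is not a known hash format")
    return problems

# Constructed sample: a good entry, one saved with CRLF, and an unhashed user listed twice.
SAMPLE = "\n".join([
    "chbmb:" + md5_crypt("correct horse", "osQXeEdl"),
    "aptalca:" + md5_crypt("token yank", "ab12cd34") + "\r",
    "stark:anyexcusetowearleather", "stark:anyexcusetowearleather", ""])
```

Running check_htpasswd(SAMPLE) reports the CRLF line, the unhashed fields and the duplicate user; verify_apr1 confirms the first entry against its password.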

Looking for some help here, running this container successfully except for one thing.

 

Proxy works flawlessly for any location but one: Plex.

As soon as I set up the /web location in nginx, the URL to Plex redirects without the port added. If my Plex is on http://192.168.1.10:32400/web it redirects to http://192.68.1.10/web/index.html asking for my Unraid login prompt, and if I enter the Unraid credentials I get a 404.

Any other location works as intended to the designated port.

I've been sitting hours and hours trying to find the error. I've tried multiple different configs; at the moment I'm running a completely default LE container install (reinstalled the LE container from scratch, deleting all config files before the new install), with only two locations added to the default file, as follows:

    location /web {
        proxy_pass http://192.168.1.10:32400;
        include /config/nginx/proxy.conf;
    }

    location /radarr {
        proxy_pass http://192.168.1.10:7878;
        include /config/nginx/proxy.conf;
    }

All other nginx configs are currently at default.

Radarr works as intended. Plex does not; I get redirected to http://192.68.1.10/web/index.html ???

There's no caching issue; I'm trying 3 different browsers and clearing everything.

Connecting to Plex directly works fine, no issues. I've tried using different ports for the LE container, no difference. I'm using Unraid 6.3.5 so there's no SSL on Unraid.

What is going on? It's as if it refuses to redirect to port 32400. I don't understand.

Edited by Andreen
Link to comment
On 07/11/2017 at 9:30 PM, GilbN said:

I'm having some trouble with this. 

 

Anyone know whats wrong?

 

You need to go back and make the other changes I mentioned, as what you quoted was not what I posted. Changing the action will stop it trying to send the mail from localhost:

Edit jail.local and add the following to the nextcloud or other jail:

mta      = sendmail
action   = sendmail-whois[name=nextcloud, dest=<destination email address>]

Copy ..action.d/sendmail-whois.conf to sendmail-whois.local and then edit the last line of the action, changing the sendmail command line part:

Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -au<from email account name> -ap<account password> <dest>

Link to comment
8 hours ago, Andreen said:

Looking for some help here, running this container successfully except for one thing.

 

Proxy works flawlessly for any location but one: Plex.

As soon as I set up the /web location in nginx, the URL to Plex redirects without the port added. If my Plex is on http://192.168.1.10:32400/web it redirects to http://192.68.1.10/web/index.html asking for my Unraid login prompt, and if I enter the Unraid credentials I get a 404.

Any other location works as intended to the designated port.

I've been sitting hours and hours trying to find the error. I've tried multiple different configs; at the moment I'm running a completely default LE container install (reinstalled the LE container from scratch, deleting all config files before the new install), with only two locations added to the default file, as follows:

    location /web {
        proxy_pass http://192.168.1.10:32400;
        include /config/nginx/proxy.conf;
    }

    location /radarr {
        proxy_pass http://192.168.1.10:7878;
        include /config/nginx/proxy.conf;
    }

All other nginx configs are currently at default.

Radarr works as intended. Plex does not; I get redirected to http://192.68.1.10/web/index.html ???

There's no caching issue; I'm trying 3 different browsers and clearing everything.

Connecting to Plex directly works fine, no issues. I've tried using different ports for the LE container, no difference. I'm using Unraid 6.3.5 so there's no SSL on Unraid.

What is going on? It's as if it refuses to redirect to port 32400. I don't understand.


I use this for plex:

 

# PLEX SUB DIR
    location /plex/ {
        proxy_pass http://192.168.1.34:32400/;
        include /config/nginx/SSO.conf;
    }
    # Plex's web client redirects to /web; when the referer was /plex/, send those back under /plex/web
    if ($http_referer ~* /plex/) {
        rewrite ^/web/(.*) /plex/web/$1? redirect;
    }


SSO.conf
 

client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_bind $server_addr;
proxy_buffers 32 4k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
proxy_hide_header X-Frame-Options;
# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_no_cache $cookie_session;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_headers_hash_max_size 51200;
proxy_headers_hash_bucket_size 6400;

 

Edited by GilbN
Link to comment
8 hours ago, local.bin said:

 

You need to go back and make the other changes I mentioned, as what you quoted was not what I posted. Changing the action will stop it trying to send the mail from localhost:

Edit jail.local and add the following to the nextcloud or other jail:

mta      = sendmail
action   = sendmail-whois[name=nextcloud, dest=<destination email address>]

Copy ..action.d/sendmail-whois.conf to sendmail-whois.local and then edit the last line of the action, changing the sendmail command line part:

Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -au<from email account name> -ap<account password> <dest>

Thanks will try that

Link to comment
3 hours ago, Andreen said:

 

This worked for me too, thanks a lot, man. Any clue as to why /web won't work?

You were missing some parts 

 

 

location /web {
    proxy_pass http://127.0.0.1:32400;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

location /plex {
    proxy_pass http://127.0.0.1/web;
  }

 

Link to comment
16 minutes ago, GilbN said:

You were missing some parts 

 

 


location /web {
    proxy_pass http://127.0.0.1:32400;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

location /plex {
    proxy_pass http://127.0.0.1/web;
  }

 

Missing what? The proxy_set_header params are in proxy.conf.

 

The location /plex is just a redirect to /web, so it shouldn't affect /web in any way. Correct?

Link to comment

I'm a bit confused now that I am trying to add another subdomain.

 

When I look at the certificates for all my domains they are issued to plex.mydomain.com. Even if the domain is grafana.mydomain.com, it's still coming up as valid. Do I have this set up right? I would have expected it to be issued for each subdomain? (Note: I am not using the letsencrypt docker for the top level domain. That is hosted separately.)

 

Second, I was trying to add a subdomain for crashplan and it appears right, but it didn't load the actual VNC content.  It loads the title bar and the certificate is green (but issued to plex.mydomain.com).  

 

To resolve this I had to add the following 2 lines to the location / block. Maybe it will help someone if they have the same issue.

 

        location / {

                # Added block for websockets
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";

                auth_basic "Restricted";
                auth_basic_user_file /config/nginx/.htpasswd;
                include /config/nginx/proxy.conf;
                proxy_pass http://192.168.0.100:7810;
        }

 

Link to comment
24 minutes ago, benpete22 said:

Hello! Does anyone know if there is a way to update/add new subdomains without deleting and re-creating the container? 

 

In the configuration you can add subdomains comma separated in the subdomains field. This will restart the container when you save it, so I'm not sure if this is what you mean by delete and re-create. I believe this is the only way though, as it creates the certificates when it loads.

Link to comment
4 minutes ago, RAINMAN said:

 

In the configuration you can add subdomains comma separated in the subdomains field. This will restart the container when you save it, so I'm not sure if this is what you mean by delete and re-create. I believe this is the only way though, as it creates the certificates when it loads.

So would that be doing this?

sudo docker run -e SUBDOMAINS=list,of,sub,domains,here --name=letsencrypt linuxserver/letsencrypt

Also, would that reset any of my existing other options on that container? 

Link to comment
9 minutes ago, benpete22 said:

So would that be doing this?


sudo docker run -e SUBDOMAINS=list,of,sub,domains,here --name=letsencrypt linuxserver/letsencrypt

Also, would that reset any of my existing other options on that container? 

 

Ahh, from the command line I am unsure.  I was just doing it from the webUI for dockers.

 


 

When I make a change and apply it this is the command it shows.

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="America/New_York" -e HOST_OS="unRAID" -e "EMAIL"="REMOVED" -e "URL"="DOMAIN.net" -e "SUBDOMAINS"="plex,cloud,grafana,home,crashplan" -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="4096" -e "PUID"="99" -e "PGID"="100" -p 443:443/tcp -p 81:80/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

Edited by RAINMAN
Link to comment
3 hours ago, benpete22 said:

So would that be doing this?


sudo docker run -e SUBDOMAINS=list,of,sub,domains,here --name=letsencrypt linuxserver/letsencrypt

Also, would that reset any of my existing other options on that container? 

 

Why are you using command line? Sudoku is not used on unraid, so if you are running anything other than unraid, please go to our forum at linuxserver.io to get help. 

Link to comment
