[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



On 12/22/2017 at 9:34 AM, aptalca said:

 

Don't set only subdomains to true. Set the domain/url to bacnet.duckdns.org

 

Did you reboot the router after you set the port forward? Maybe you have to

 

 

On 12/21/2017 at 11:30 PM, blurb2m said:

@sgt_spike Did the above help?

 

 

I figured out my problem. My ISP was giving me a different IP than the one being broadcast. Called them and they hooked me up with a public dynamic IP. The server started correctly and got the keys.

 

I do have a question about the web pages.  I have pages stored on a share and want to use that instead of the www directory.  How do I configure default to point to those pages?

The default has a line: root /config/www; does root = /mnt/user/appdata/letsencrypt?

8 hours ago, sgt_spike said:

I figured out my problem. My ISP was giving me a different IP than the one being broadcast. Called them and they hooked me up with a public dynamic IP. The server started correctly and got the keys.

 

I do have a question about the web pages.  I have pages stored on a share and want to use that instead of the www directory.  How do I configure default to point to those pages?

The default has a line: root /config/www; does root = /mnt/user/appdata/letsencrypt?

 

Check the mapped paths in the container settings. 

 

/config inside the container is whatever you mapped it to on the host (I'm assuming /mnt/user/appdata/letsencrypt from your post) 

 

You can map additional paths


I'm still trying, I'm about 10 hrs invested and I can't get it to work :/

 

I am starting from scratch, removed each docker and am doing each step. I'd be grateful for guidance.

 

1. Install the Let's Encrypt docker

2. Register Namecheap domain and point it back to my static IP address

3. Ping domain name and I get a ping back from my static IP address

4. I try to start the Let's Encrypt docker and I get Error (port 443 in use)

 

1.png

49 minutes ago, Greygoose said:

I'm still trying, I'm about 10 hrs invested and I can't get it to work :/

 

I am starting from scratch, removed each docker and am doing each step. I'd be grateful for guidance.

 

1. Install the Let's Encrypt docker

2. Register Namecheap domain and point it back to my static IP address

3. Ping domain name and I get a ping back from my static IP address

4. I try to start the Let's Encrypt docker and I get Error (port 443 in use)

 

1.png

 

Are you running unraid 6.4? If you are, you need to change port 443 to something else. You also need to change the port forward on your ISP router to match the new port. 


Alternatively (if you are on 6.4) the network type can be changed to br0 and the container can get its own IP address. This allows you to keep using port 443, but it still needs a change on the router to set forwarding to the new IP address of the container.

 


I'm on 6.4 rb17

 

I have changed the port to 444

 

I got this response

 

_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d www.mydomain.com -d nextcloud.mydomain.com
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --cert-path: No such file or directory
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.mydomain.com
tls-sni-01 challenge for nextcloud.mydomain.com
Waiting for verification...
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.mydomain.com
tls-sni-01 challenge for nextcloud.mydomain.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.mydomain.com/fullchain.pem. Your cert
will expire on 2018-03-31. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot


- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/www.mydomain.com/fullchain.pem. Your cert
will expire on 2018-03-31. To obtain a new or tweaked version of
this certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot


- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server ready


I'm having some trouble getting things up and running, I used this tutorial, but it seems a little out of date:

 

https://cyanlabs.net/tutorials/the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/#comment-190

 

I ended up changing the ports in the docker config to 80 > 81 and 443 > 444

 

Here is my config file: 

 

upstream backend {
    server 192.168.1.2:19999;
    keepalive 64;
}

server {
    listen 444 ssl default_server;
    listen 81 default_server;
    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.2:8989/sonarr;
    }
    
    location /radarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.2:7878/radarr;
    }

    #PLEX
    location /web {
        # serve the CSS code
        proxy_pass http://192.168.1.2:32400;
    }

    # Main /plex rewrite
    location /plex {
        # proxy request to plex server
        proxy_pass http://192.168.1.2:32400/web;
    }

}

 

Whenever I try to access any of the apps by visiting mysubdomain.duckdns.org/radarr I get the "Welcome to our server" page. I'm not sure what I have wrong.

 

 

23 hours ago, mostlydave said:

I'm having some trouble getting things up and running, I used this tutorial, but it seems a little out of date:

 

https://cyanlabs.net/tutorials/the-complete-unraid-reverse-proxy-duck-dns-dynamic-dns-and-letsencrypt-guide/#comment-190

 

I ended up changing the ports in the docker config to 80 > 81 and 443 > 444

 

Here is my config file: 

 

upstream backend {
    server 192.168.1.2:19999;
    keepalive 64;
}

server {
    listen 444 ssl default_server;
    listen 81 default_server;
    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.2:8989/sonarr;
    }
    
    location /radarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.2:7878/radarr;
    }

    #PLEX
    location /web {
        # serve the CSS code
        proxy_pass http://192.168.1.2:32400;
    }

    # Main /plex rewrite
    location /plex {
        # proxy request to plex server
        proxy_pass http://192.168.1.2:32400/web;
    }

}

 

Whenever I try to access any of the apps by visiting mysubdomain.duckdns.org/radarr I get the "Welcome to our server" page. I'm not sure what I have wrong.

 

 

 

When you change ports, only change the host mapped ports, not the internal container ones. 

 

Then, in the nginx site config, you'll set it to listen on 80 and 443 still. 

 

If you're confused, read the docker faq and pay attention to the port mapping info
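To make the port mapping point concrete, here is a small Python check I put together for this thread (it is not linuxserver.io's code, and the docker run line and both site configs inside it are made-up samples): it reads the -p and -v flags off a docker run line, flags any nginx listen directive that names a host-published port instead of the container-side port the mapping delivers to, and translates root /config/www to the host path behind it, which is the earlier question about where the web files actually live.

```python
"""Audit a letsencrypt/SWAG docker run line against its nginx site config.

Added example (not linuxserver.io code) for two points from this thread: a
host-side remap such as -p 444:443 must leave the container side alone, so
the site config keeps `listen 443`; and /config inside the container is
whatever the -v flag mapped it to on the host. All inputs are constructed.
"""
import re
import shlex

# Constructed sample run line: host ports 81/444 published onto container
# ports 80/443, /config mapped to the unraid appdata share.
SAMPLE_RUN = (
    "docker run -d --name=letsencrypt "
    "-p 81:80 -p 444:443 "
    "-v /mnt/user/appdata/letsencrypt:/config "
    "-e URL=mydomain.com -e SUBDOMAINS=www,nextcloud linuxserver/letsencrypt"
)

# The mistake from the config quoted above: nginx told to listen on the
# host-side numbers, which traffic never reaches inside the container.
BAD_SITE_CONF = """
server {
    listen 444 ssl default_server;
    listen 81 default_server;
    root /config/www;
}
"""

# Corrected: container-side ports, regardless of how the host publishes them.
GOOD_SITE_CONF = """
server {
    listen 443 ssl default_server;
    listen 80 default_server;
    root /config/www;
}
"""

LISTEN_RE = re.compile(r"^\s*listen\s+(?:[\w.\[\]:]*:)?(\d+)", re.M)
ROOT_RE = re.compile(r"^\s*root\s+(\S+?);", re.M)


def parse_docker_run(cmdline):
    """Return ({host_port: container_port}, {container_path: host_path})
    from the -p and -v flags of a docker run line."""
    ports, volumes = {}, {}
    argv = shlex.split(cmdline)
    for i, tok in enumerate(argv[:-1]):
        spec = argv[i + 1]
        if tok == "-p":
            host, _, container = spec.partition(":")
            container = (container or host).split("/")[0]  # drop /tcp, /udp
            ports[int(host)] = int(container)
        elif tok == "-v":
            host, container = spec.split(":", 2)[:2]
            volumes[container] = host
    return ports, volumes


def listen_ports(site_conf):
    """Port numbers named by the `listen` directives (address and flags ignored)."""
    return [int(p) for p in LISTEN_RE.findall(site_conf)]


def audit_listen(cmdline, site_conf):
    """Flag listen directives that use a host-published port number instead
    of the container-side port the mapping delivers traffic to."""
    ports, _ = parse_docker_run(cmdline)
    container_ports = set(ports.values())
    problems = []
    for port in listen_ports(site_conf):
        if port in container_ports:
            continue
        if port in ports:
            problems.append(
                f"listen {port}: that is the host side of -p {port}:{ports[port]}, "
                f"so nginx inside the container should listen on {ports[port]}"
            )
        else:
            problems.append(f"listen {port}: no -p flag publishes this port")
    return problems


def host_path_for(cmdline, container_path):
    """Translate a container path to the host path behind it (longest -v
    prefix wins), or None when nothing maps it."""
    _, volumes = parse_docker_run(cmdline)
    best = None
    for cpath, hpath in volumes.items():
        prefix = cpath.rstrip("/")
        if container_path == prefix or container_path.startswith(prefix + "/"):
            if best is None or len(prefix) > len(best[0]):
                best = (prefix, hpath.rstrip("/"))
    if best is None:
        return None
    prefix, hpath = best
    return hpath + container_path[len(prefix):]


def root_on_host(cmdline, site_conf):
    """Host-side directory the site config's `root` directive really serves from."""
    m = ROOT_RE.search(site_conf)
    return host_path_for(cmdline, m.group(1)) if m else None


if __name__ == "__main__":
    for issue in audit_listen(SAMPLE_RUN, BAD_SITE_CONF):
        print("BAD :", issue)
    print("GOOD:", audit_listen(SAMPLE_RUN, GOOD_SITE_CONF) or "listen ports match the container side")
    print("root /config/www on the host is", root_on_host(SAMPLE_RUN, GOOD_SITE_CONF))
```

Run it as-is and the BAD config produces two findings (444 and 81 are host-side numbers), the GOOD config produces none, and root /config/www resolves to /mnt/user/appdata/letsencrypt/www. Swap SAMPLE_RUN for your own run line to check a real setup.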


Answer is likely no, but is there a way of hosting two separate domains using this docker, with their associated subdomains?

 

I thought of two letsencrypt dockers but they of course will both require port 443 for use with two https websites.

 

Thanks for any ideas of a workable method :)

 

 

9 minutes ago, local.bin said:

Answer is likely no, but is there a way of hosting two separate domains using this docker, with their associated subdomains?

 

I thought of two letsencrypt dockers but they of course will both require port 443 for use with two https websites.

 

Thanks for any ideas of a workable method :)

 

 



Use "-e EXTRA_DOMAINS". Assume you have domain1.com and domain2.com:

  ...
  -e URL=domain1.com \
  -e SUBDOMAINS=subdomain1,subdomain2,subdomain3 \
  -e EXTRA_DOMAINS=subdomain1.domain2.com,subdomain2.domain2.com,subdomain3.domain2.com \
  ...


Or you can set up a second docker behind the first docker and use Nginx to forward all the traffic.

First method is simpler though.

3 hours ago, local.bin said:

@joshuaavalon Thanks, I wasn't familiar with that option.

 

I have a website configured in the root of the letsencrypt docker so not sure how or where my second domain website files go, but I will explore the options you suggest, thanks.

 

Edit: Got it thanks, found the original post in the thread.

 

Put them somewhere in the config folder and set the root variable in the site config to point to it. 

 

One way is to have /config/www/site1 and /config/www/site2

32 minutes ago, aptalca said:

Put them somewhere in the config folder and set the root variable in the site config to point to it. 

 

One way is to have /config/www/site1 and /config/www/site2


I doubt that would work. You need the environment variable for the script to get the cert for you. Adding a conf in nginx will only allow access to the second domain without a cert.


@aptalca @joshuaavalon I have added the additional domains and letsencrypt shows it has certs added for them in the log.

 

I understand changing the root directory for each, but how do I create an nginx config that redirects an https (443) connection to the appropriate website?

 

I have all the site-confs configured for my original website but how do I create two 'default' confs for each website?

 

Thanks for any further tips :)

 

Edit: I was trying to keep the subdomains the same so the names of the sub domain site-confs would be the same.....

so for nextcloud; cloud.domain1.com and cloud.domain2.com

10 minutes ago, local.bin said:

@aptalca @joshuaavalon I have added the additional domains and letsencrypt shows it has certs added for them in the log.

 

I understand changing the root directory for each, but how do I create an nginx config that redirects an https (443) connection to the appropriate website?

 

I have all the site-confs configured for my original website but how do I create two 'default' confs for each website?

 

Thanks for any further tips :)

 

Edit: I was trying to keep the subdomains the same so the names of the sub domain site-confs would be the same.....

so for nextcloud; cloud.domain1.com and cloud.domain2.com


There can be only 1 default conf (server_name _). You can filter by server name and use * for wildcard.
 

server {
    listen 443 ssl;
    server_name subdomain1.domain1.com;

    location / {
        proxy_pass http://192.168.1.2:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

server {
    listen 443 ssl;
    server_name domain2.com *.domain2.com;

    location / {
        proxy_pass http://192.168.1.2:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

 

15 hours ago, joshuaavalon said:

I doubt that would work. You need the environment variable for the script to get the cert for you. Adding a conf in nginx will only allow access to the second domain without a cert.

 

?? He already has the cert generated for 2 domains. He just needs to separate the web files

12 hours ago, local.bin said:

That seems to work, with 2 websites now running on each domain with only this warning:

 

nginx: [warn] conflicting server name "domain.org" on 0.0.0.0:443, ignored

 

Do you get the same, or do I have more config to do...

 

Post your site conf and we'll take a look
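For anyone wondering how nginx decides between blocks like the ones joshuaavalon posted (server_name _, an exact name, and a *.domain2.com wildcard), and where the "conflicting server name ... ignored" warning above comes from, here is a Python simulation I wrote for this thread. It is not linuxserver.io code and the two configs inside it are constructed samples; it applies nginx's server_name precedence (exact name, then longest wildcard starting with *, then longest wildcard ending with *, then the port's default server) and flags any name two blocks on the same port both claim, which is what makes nginx keep the first block and ignore the second. Regex server names (~) are not modelled.

```python
"""Simulate nginx name-based server selection for a set of site-conf blocks.

Added example, not code from the linuxserver.io project or from anyone in
this thread. Both configs below are constructed samples.
"""
import re
from collections import Counter

# The two blocks from the reply above plus a catch-all default, all on 443.
SAMPLE_CONF = """
server {
    listen 443 ssl default_server;
    server_name _;
    location / { return 404; }
}
server {
    listen 443 ssl;
    server_name subdomain1.domain1.com;
    location / { proxy_pass http://192.168.1.2:8080; }
}
server {
    listen 443 ssl;
    server_name domain2.com *.domain2.com;
    location / { proxy_pass http://192.168.1.2:8080; }
}
"""

# Reproduces the warning quoted above: domain.org claimed twice on port 443.
CONFLICT_CONF = """
server {
    listen 443 ssl;
    server_name domain.org www.domain.org;
}
server {
    listen 443 ssl;
    server_name domain.org cloud.domain.org;
}
"""


def server_bodies(conf):
    """Yield the text inside each top-level server { ... } block, nested braces included."""
    pos = 0
    while True:
        m = re.search(r"\bserver\s*\{", conf[pos:])
        if not m:
            return
        start = pos + m.end()
        depth, end = 1, start
        while end < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[end], 0)
            end += 1
        yield conf[start:end - 1]
        pos = end


def parse_server_blocks(conf):
    """Return [(port, is_default, [names])] for every server block in conf."""
    blocks = []
    for body in server_bodies(conf):
        m = re.search(r"\blisten\s+(?:\S*:)?(\d+)([^;]*);", body)
        port = int(m.group(1)) if m else 80
        is_default = bool(m and "default_server" in m.group(2))
        names = []
        for n in re.finditer(r"\bserver_name\s+([^;]+);", body):
            names.extend(n.group(1).split())
        blocks.append((port, is_default, names or [""]))
    return blocks


def select_server(blocks, port, host):
    """Index of the block nginx picks for a Host header on this port: exact name,
    longest wildcard starting with *, longest wildcard ending with *, then the
    port's default server (explicit default_server, else the first block)."""
    host = host.lower().rstrip(".")
    candidates = [(i, names) for i, (p, _, names) in enumerate(blocks) if p == port]
    if not candidates:
        return None
    for i, names in candidates:
        if host in [n.lower() for n in names]:
            return i
    for leading in (True, False):
        best = None  # (wildcard length, block index); longest wildcard wins
        for i, names in candidates:
            for n in names:
                n = n.lower()
                if leading and n.startswith("*.") and host.endswith(n[1:]):
                    hit = (len(n), i)
                elif not leading and n.endswith(".*") and host.startswith(n[:-1]):
                    hit = (len(n), i)
                else:
                    continue
                if best is None or hit[0] > best[0]:
                    best = hit
        if best is not None:
            return best[1]
    for i, (p, is_default, _) in enumerate(blocks):
        if p == port and is_default:
            return i
    return candidates[0][0]


def conflicting_names(blocks):
    """Names claimed by more than one block on the same port; nginx keeps the
    first block and logs the warning text returned here for the rest."""
    counts = Counter((port, n.lower()) for port, _, names in blocks for n in names)
    return [f'conflicting server name "{n}" on 0.0.0.0:{port}, ignored'
            for (port, n), c in sorted(counts.items()) if c > 1]


if __name__ == "__main__":
    blocks = parse_server_blocks(SAMPLE_CONF)
    for host in ("subdomain1.domain1.com", "cloud.domain2.com", "domain2.com", "other.domain1.com"):
        idx = select_server(blocks, 443, host)
        print(f"{host:24} -> block {idx} (server_name {' '.join(blocks[idx][2])})")
    for warning in conflicting_names(parse_server_blocks(CONFLICT_CONF)):
        print("nginx: [warn]", warning)
```

Note that *.domain2.com does not match the bare domain2.com, which is why the second block lists both; and a name that is not matched by any block falls through to whichever block is the default for that port, which is the "Welcome to our server" page people keep landing on earlier in the thread.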

4 hours ago, aptalca said:

Post your site conf and we'll take a look

 

Thanks.

With this I can access both website domains on www.domain[x], and domain1 without adding www (just https://domain1), but if I try the same with https://domain2 I get a 502 bad gateway proxy error.

 

Thanks in advance.

 


# redirect all traffic to https
server {
        listen 80;
        server_name domain1 www.domain1 domain2 www.domain2;
        return 301 https://$server_name$request_uri; #enforce https
}

# domain1 server block
server {
        listen 443 ssl;
        root /config/www/domain1;
        index index.html index.htm index.php;
        server_name domain1 www.domain1;

        include /config/nginx/proxy.conf;
        include /config/nginx/ssl_default.conf;
}

# domain2 server block

server {
        listen 443 ssl;
        root /config/www/domain2;
        index index.html index.htm index.php;
        server_name domain2 www.domain2;

        include /config/nginx/proxy.conf;
        include /config/nginx/ssl_default.conf;
}

 

4 hours ago, local.bin said:

Thanks.

With this I can access both website domains on www.domain[x], and domain1 without adding www (just https://domain1), but if I try the same with https://domain2 I get a 502 bad gateway proxy error.

 

Thanks in advance.

Could be browser cache (301 redirect from an earlier try). Try in a different browser, or mobile and see if it works


Has anyone gotten this to work with a noip.com domain? Here are the errors I keep getting...

 

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d mydomain.ddns.net
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
usage:
certbot [SUBCOMMAND] [options] [-d DOMAIN] [-d DOMAIN] ...

Certbot can obtain and install HTTPS/TLS/SSL certificates. By default,
it will attempt to use a webserver both for obtaining and installing the
cert.
certbot: error: argument --cert-path: No such file or directory

Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for ddns.net
tls-sni-01 challenge for mydomain.ddns.net
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. ddns.net (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: ddns.net
Type: connection
Detail: Timeout

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

That was my last attempt. Of course I edited out my personal info... seems just having mydomain.ddns.net isn't enough, and in the noip panel I can't seem to add a www to my domain. Any suggestions?

 

EDIT:

I got it to start finally. Had to change the subdomains only flag. Now I have webserver access. Is there supposed to be a user interface, or do I have to configure the proxies manually via terminal?
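The ddns.net timeout in the log above, aptalca's earlier advice to set URL to bacnet.duckdns.org rather than relying on subdomains-only, and joshuaavalon's EXTRA_DOMAINS example all come down to the same thing: which names end up in the certificate request. Here is a Python script I wrote for this thread that works that out. It is not the container's 50-config script; the rules in it are reconstructed from the log lines quoted in this thread and are my assumptions, and the shared-zone list is constructed from the two dynamic-DNS providers named on this page.

```python
"""Work out which names the letsencrypt container will hand to certbot.

Added example; not the container's own 50-config script. Assumed rules,
reconstructed from the logs quoted in this thread: URL is the apex and is
requested unless ONLY_SUBDOMAINS is true ("Only subdomains, no URL in cert");
each SUBDOMAINS entry becomes <sub>.<URL>; EXTRA_DOMAINS are added verbatim;
a change in the requested names triggers "Revoking and deleting existing
certificate".
"""

# Constructed list of zones a dynamic-DNS provider owns. You get a hostname
# *under* them, so a challenge for the zone itself can never be answered from
# your IP; that is the ddns.net timeout quoted above.
SHARED_DDNS_ZONES = ("duckdns.org", "ddns.net")


def _csv(value):
    """Split a comma-separated environment value, dropping blanks."""
    return [v.strip() for v in value.split(",") if v.strip()]


def build_domain_list(url, subdomains="", only_subdomains=False, extra_domains=""):
    """Ordered, de-duplicated names for one certificate request."""
    names = [] if only_subdomains else [url]
    names += [f"{sub}.{url}" for sub in _csv(subdomains)]
    names += _csv(extra_domains)
    seen, ordered = set(), []
    for n in names:
        if n.lower() not in seen:
            seen.add(n.lower())
            ordered.append(n)
    return ordered


def certbot_d_flags(names):
    """The '-d a -d b' argument form certbot takes for a multi-name cert."""
    return " ".join(f"-d {n}" for n in names)


def unvalidatable_apexes(names, shared_zones=SHARED_DDNS_ZONES):
    """Names that are a shared provider zone itself; the challenge for them
    will time out exactly as the ddns.net attempt above did."""
    return [n for n in names if n.lower() in shared_zones]


def needs_reissue(previous, current):
    """True when the requested set differs from what the existing cert covers,
    which is when the container revokes and re-requests."""
    return {n.lower() for n in previous} != {n.lower() for n in current}


if __name__ == "__main__":
    # Cases mirroring the posts in this thread (values constructed).
    cases = {
        "noip, ONLY_SUBDOMAINS unset": ("ddns.net", "mydomain", False, ""),
        "noip, ONLY_SUBDOMAINS=true": ("ddns.net", "mydomain", True, ""),
        "duckdns with URL set to the host": ("bacnet.duckdns.org", "", False, ""),
        "two domains via EXTRA_DOMAINS": (
            "domain1.com", "subdomain1,subdomain2", False,
            "subdomain1.domain2.com,subdomain2.domain2.com"),
    }
    for label, args in cases.items():
        names = build_domain_list(*args)
        print(f"{label}: {certbot_d_flags(names)}")
        bad = unvalidatable_apexes(names)
        if bad:
            print(f"  will fail validation for: {', '.join(bad)}")
```

The first case prints a request containing ddns.net and warns about it; flipping ONLY_SUBDOMAINS to true drops the apex and the warning, which matches the fix described above. Setting URL to the full hostname (bacnet.duckdns.org) is the other way to keep the provider's zone out of the request.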

