[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Here's what I got in nginx

 

location /plexpy/ {
    proxy_pass http://192.168.0.1:8181;
    include /config/nginx/proxy.conf;
    proxy_bind $server_addr;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Ssl on;
    auth_basic "Restricted";
    auth_basic_user_file /config/.htpasswd;
}

 

Here's what I got in Plexpy

 


And in my plexpy docker log

 

2016-12-11 15:25:11 - INFO :: MainThread : PlexPy WebStart :: Starting PlexPy web server on http://0.0.0.0:8181/plexpy/


Thumbs up!

 

Finally working!

 

Time to start closing down some ports, and adding this to other dockers.

 

If you guys are interested, I could certainly try and put together some sort of generic tutorial on how to get this working.  Sometimes it's best understood coming from someone with minimal knowledge on the stuff so it's dumbed down.


I've gotten a few others working messing around with this.  I love it!

 

One issue I'm having is with Plex.

 

I can get it to work with https://server.com/plex.

 

But now, after removing the forwarding of port 32400 on my router, I can no longer access it through my apps.  Only through a web interface.  Is there a way to fix this?

 

No, sorry, I should have told you: Plex requires you to forward the port for apps.  You'd still be able to watch through the webui I think with the port closed, but the apps require the port open.


Yeah, the WEB GUI works, but apps don't.

 

Oh well!

 

I read some complicated stuff about attempting to resolve this, but far above what I can deal with.

 

As far as I can work out it's because the apps are hardcoded to get your server address from the Plex site, which functions as a dynamic DNS essentially.  There's no way to tell the apps to "cut out the middle man" as it were.


Now attempting to configure letsencrypt to work with nextcloud.

 

I'm trying to piece things together from different posts.  This is what I have done:

 

1. On the nextcloud end:

 

Edit nextcloud/www/nextcloud/config/config.php

 

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'xxxxxxxxxx',
  'passwordsalt' => 'xxxxxxxxxxxxxxxxxxxxxxxxxx',
  'secret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
  'trusted_domains' => 
  array (
    0 => '192.168.1.3:444',
    1 => 'server.com',
  ),
  'overwrite.cli.url' => 'https://server.com',
  'overwritehost'     => 'server.com',
  'overwriteprotocol' => 'https',
  'overwritewebroot'  => '/nextcloud',
  'dbtype' => 'mysql',
  'version' => '9.1.2.2',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.3:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_xxxxxx',
  'dbpassword' => 'xxxxxxxxxxxx',
  'logtimezone' => 'UTC',
  'installed' => true,
);

 

2. On the letsencrypt end

 

Edit letsencrypt/nginx/site-confs/default

 

location /nextcloud {
	proxy_pass https://192.168.1.3:444/nextcloud;
}

 

On a local machine I try to go to:

192.168.1.3:444

It auto redirects to https://server.com/nextcloud/index.php/apps/files

 


 

Same error for https://server.com/nextcloud.

 

Additionally, if I edit the letsencrypt file and leave out the /nextcloud in the proxy_pass section, I get this error:

 


 

Thanks again for the help!  And don't forget my offer to write up a n00bie guide on how to do stuff.  Check my signature.  So severely outdated, but I wrote up a very basic how to back in the day on how to add mysql.


I can only recommend setting up nextcloud as nextcloud.server.com

 

Seen too many issues trying to set it up as server.com/nextcloud tbh

 

To do the former:

 

Create a file called nextcloud in /config/nginx/site-confs/ containing this.

 

server {
    listen         80;
    server_name    nextcloud.server.com;
    return         301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name nextcloud.server.com;

    root /config/www;
    index index.html index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location / {
        proxy_pass https://192.168.0.1:444/;
    }
}

 

Edit config.php of nextcloud

 

<?php  
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'xxxxxxxxxxxx',
  'passwordsalt' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
  'secret' => 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
  'trusted_domains' => 
  array (
    0 => '192.168.0.1:444',
    1 => 'nextcloud.server.com',
  ),
  'overwrite.cli.url' => 'https://nextcloud.server.com',
  'overwritehost' => 'nextcloud.server.com',
  'overwriteprotocol' => 'https',
  'dbtype' => 'mysql',
  'version' => '9.0.52.0',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.0.1:3305',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_CHBMB1',
  'dbpassword' => 'xxxxxxxxxxxxxxxxxxxx',
  'logtimezone' => 'UTC',
  'installed' => true,
);

 

 

Both containers should obviously be stopped when editing.


Ah yes, that was it!  On the letsencrypt template, I never added "nextcloud" as a new subdomain.  Where does this actually make a change within one of the config files?

 

For uniformity purposes, do you have all of your dockers listed as docker.server.com?  Or do you have them mixed in with other server.com/docker?  I think I'm an all one way type of guy to try and keep things neat and not have to remember anything.

 

Also, sent you a PM, CHBMB.


I have most as server.com/app apart from nextcloud.  Occasionally you find that some things just work better that way.


Could someone provide me a cheat sheet for getting this to work with PlexRequests?  FWIW, I was able to setup my cert for requests.mydomain.com

 

Now I am a little unclear on the nginx config part.  I see everyone doing server.com/requests but I prefer to do subdomain since my main domain is pointed at a hosting site.

Off the top of my head, I'd follow the instructions for nextcloud, but call the file requests....



Thanks, I did copy that config but was still greeted with the letsencrypt landing page.  Do I need to edit anything on the plex requests side?  I saw in another post by CHBMB that you can edit the docker template but that seemed to be for /request instead of request.


Errrr, I am CHBMB...

 

Problem is, once you decide you want to do something other than what's posted, there are a lot of variables.  Impossible to just know what to do unless you're an expert.  I just play around until I figure it out myself; I've only been using Nginx a couple of months and only learned Apache about a year ago, and I'm no IT professional....

 

This works with this config.  As we know, we don't need the URL_BASE variable...

 

1. Remove the URL_BASE variable from the docker template of Plex Requests.

 


 

As we know Plex Requests proxies just fine with the previous config posted, create a new file called requests, copying the default config.  Make sure that only one is set as default.  So you will need to edit this line in the new config

 

	listen 443 ssl default_server;

 

so change this to

 

	listen 443 ssl;

 

then just place this at the end.

 

location / {
    proxy_pass http://192.168.0.1:3000;
    include /config/nginx/proxy.conf;
}

 

Which gives us:

 

server {
    listen         80;
    server_name    requests.server.com;
    return         301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name requests.server.com;

    ###Set root directory
    root /config/www;
    index index.html index.htm index.php;

    ###Turn off client checking of client request body size
    client_max_body_size 0;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php5-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

    location / {
        proxy_pass http://192.168.0.1:3000;
        include /config/nginx/proxy.conf;
    }
}

 

That works....

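A small check for the step above about keeping only one `default_server`: this is an added example, not code from the thread or from the linuxserver.io image. It scans the site-confs directory (the /config/nginx/site-confs path is from the thread; the sample files below are constructed) and reports any port that more than one file claims as default, which is what happens when `requests` is copied from `default` without editing the listen line.

```python
"""Flag duplicate `default_server` directives across nginx site-confs files.

Added example (not from the thread or the SWAG/letsencrypt image): nginx
only allows one default server per listen address:port, and a copied site
file that still carries `default_server` is a common reason a new subdomain
keeps showing the wrong site. Sample configs below are constructed.
"""
import re
from collections import defaultdict
from pathlib import Path

# Matches `listen 443 ssl default_server;`, `listen [::]:443 ssl;`, `listen 80;`
LISTEN_RE = re.compile(r'^\s*listen\s+(?:[\w.:\[\]]+:)?(\d+)\b([^;]*);', re.M)


def default_servers(conf_text):
    """Return the ports on which this config text claims default_server."""
    return [int(m.group(1)) for m in LISTEN_RE.finditer(conf_text)
            if 'default_server' in m.group(2)]


def find_conflicts(confs):
    """confs: {filename: text}. Return {port: [files]} for ports claimed as
    default by more than one file (an empty dict means the set is consistent)."""
    by_port = defaultdict(list)
    for name, text in confs.items():
        for port in default_servers(text):
            by_port[port].append(name)
    return {port: sorted(files) for port, files in by_port.items() if len(files) > 1}


def load_site_confs(directory='/config/nginx/site-confs'):
    """Read every file in the SWAG site-confs directory into {name: text}."""
    return {p.name: p.read_text() for p in Path(directory).iterdir() if p.is_file()}


# Constructed sample: `requests` was copied from `default` and still says default_server.
SAMPLE = {
    'default': 'server {\n    listen 443 ssl default_server;\n    server_name server.com;\n}\n',
    'requests': 'server {\n    listen 443 ssl default_server;\n    server_name requests.server.com;\n}\n',
    'nextcloud': 'server {\n    listen 443 ssl;\n    server_name nextcloud.server.com;\n}\n',
}

if __name__ == '__main__':
    for port, files in find_conflicts(SAMPLE).items():
        print(f'port {port}: default_server set in {", ".join(files)}; keep it in one file only')
```

Run it against the real directory with `find_conflicts(load_site_confs())` before reloading nginx.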

Hi, thanks for this docker and all the others!

 

Sorry if this has been asked before, but I do not find any search-in-thread function.

 

Is there a way to restart nginx from within the docker so I don't have to restart the entire thing every time I do a little change in the config file?

 

service nginx restart does not work :/

 

// Grasfer

s6-svc -h /var/run/s6/services/nginx
