
[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


I'm always afraid to modify my config because I tend to break things since I don't really know what does what. It would be nice to increase security though.


Dear friends, I tried to set up this container for a couple of days and arrived at a stupid position.

 

Using https://hme.domain.com,  I can connect to my server and see the "Welcome to our server" banner. So, nginx, certs, port forwarding, subdomain setup are all OK.

 

If I use https://hme.domain.com/sonarr, then I just get "Sonarr Ver." in the top left corner and nothing else. Similarly, https://hme.domain.com/radarr prints "Radarr Ver." in the top left corner. Obviously, these are from the very bottom of sonarr and radarr pages. I think this shows that connection from the internet is OK. But, why can't I see the whole page of sonarr and radarr instead of just two words from the very bottom of these pages.

 

The only additions to the /mnt/user/appdata/letsencrypt/nginx/site-confs/default are below:

 

        location  /sonarr {
                include /config/nginx/proxy.conf;
                proxy_pass http://192.168.1.100:8989/sonarr;
        }

        location  /radarr {
                include /config/nginx/proxy.conf;
                proxy_pass http://192.168.1.100:7878/radarr;
        }
Does this problem ring any bell for anybody?

 

Thank you for your support.

 

 

1 hour ago, sse450 said:

Dear friends, I tried to set up this container for a couple of days and arrived at a stupid position.

 

Using https://hme.domain.com,  I can connect to my server and see the "Welcome to our server" banner. So, nginx, certs, port forwarding, subdomain setup are all OK.

 

If I use https://hme.domain.com/sonarr, then I just get "Sonarr Ver." in the top left corner and nothing else. Similarly, https://hme.domain.com/radarr prints "Radarr Ver." in the top left corner. Obviously, these are from the very bottom of sonarr and radarr pages. I think this shows that connection from the internet is OK. But, why can't I see the whole page of sonarr and radarr instead of just two words from the very bottom of these pages.

 

The only additions to the /mnt/user/appdata/letsencrypt/nginx/site-confs/default are below:

 

        location  /sonarr {
                include /config/nginx/proxy.conf;
                proxy_pass http://192.168.1.100:8989/sonarr;
        }

        location  /radarr {
                include /config/nginx/proxy.conf;
                proxy_pass http://192.168.1.100:7878/radarr;
        }
Does this problem ring any bell for anybody?

 

Thank you for your support.

 

 

Did you set base url in the apps? eg. /sonarr

[Attached image]

Edited by GilbN

That was it. Strange thing is that the question mark next to URL Base says "For reverse proxy support, default is empty". But, it works anyway with /sonarr.

Thank you.

That was it. Strange thing is that the question mark next to URL Base says "For reverse proxy support, default is empty". But, it works anyway with /sonarr.
Thank you.
Why is that strange?

Sent from my LG-H815 using Tapatalk

My interpretation is that "leave it blank if reverse proxy is used". But, Sonarr didn't work when I left it blank. 
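
The fix in this exchange, written as a check (an added example, not code from the thread or from the container image): with the subfolder method, the path prefix the backend receives from nginx has to equal the app's URL Base setting. The function names and the `app_url_base` values are hypothetical; the config text is the pair of location blocks quoted above.

```python
import re
from urllib.parse import urlsplit

# The two location blocks quoted in the thread, embedded as sample input.
SITE_CONF = """
        location  /sonarr {
                include /config/nginx/proxy.conf;
                proxy_pass http://192.168.1.100:8989/sonarr;
        }

        location  /radarr {
                include /config/nginx/proxy.conf;
                proxy_pass http://192.168.1.100:7878/radarr;
        }
"""

LOCATION_RE = re.compile(r"location\s+(?:[=~*^]+\s+)?(\S+)\s*\{([^{}]*)\}")
PROXY_RE = re.compile(r"proxy_pass\s+(\S+?)\s*;")


def required_url_bases(conf_text):
    """Map each proxied location prefix to the URL base the backend must use."""
    result = {}
    for prefix, body in LOCATION_RE.findall(conf_text):
        m = PROXY_RE.search(body)
        if not m:
            continue
        path = urlsplit(m.group(1)).path
        # proxy_pass without a URI part forwards the request path unchanged;
        # with a URI part, nginx swaps the matched prefix for that URI.
        needed = prefix if path == "" else path
        result[prefix] = needed.rstrip("/")
    return result


def url_base_mismatches(conf_text, app_url_base):
    """Return (prefix, configured, needed) for every app whose setting differs.

    app_url_base is a hypothetical mapping of location prefix to the URL Base
    currently entered in that app's settings ("" when left blank).
    """
    mismatches = []
    for prefix, needed in required_url_bases(conf_text).items():
        configured = app_url_base.get(prefix, "").rstrip("/")
        if configured != needed:
            mismatches.append((prefix, configured, needed))
    return mismatches


if __name__ == "__main__":
    # Constructed state: Sonarr still blank, Radarr already set.
    print(url_base_mismatches(SITE_CONF, {"/sonarr": "", "/radarr": "/radarr"}))
```
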

I'm trying to get this working for the first time. I have installed the docker as directed but keep getting this error repeating

 

nginx: [emerg] BIO_new_file("/config/keys/fullchain.pem") failed (SSL: error:02FFF002:system library:func(4095):No such file or directory:fopen('/config/keys/fullchain.pem', 'r') error:20FFF080:BIO routines:CRYPTO_internal:no such file)

 

Currently I just want to get the docker working before I actually begin reverse proxy access to other containers etc.

 

And here is the container params

 

[Attached image]

11 hours ago, tazire said:

I'm trying to get this working for the first time. I have installed the docker as directed but keep getting this error repeating

 

nginx: [emerg] BIO_new_file("/config/keys/fullchain.pem") failed (SSL: error:02FFF002:system library:func(4095):No such file or directory:fopen('/config/keys/fullchain.pem', 'r') error:20FFF080:BIO routines:CRYPTO_internal:no such file)

 

Currently I just want to get the docker working before I actually begin reverse proxy access to other containers etc.

 

And here is the container params

 

[Attached image]

 

Try changing /mnt/user to /mnt/cache or /mnt/diskX

19 minutes ago, aptalca said:

 

Try changing /mnt/user to /mnt/cache or /mnt/diskX

Tried unfortunately gives the exact same results.

Ok I figured this out... stupid me, I tried to get this working in the past and was using a different default config.... I found it and fixed it... so at least I have a base working.

I did a search on this thread for "mqtt" and "mosquitto", but yielded no results.

 

I currently use spants/mqtt docker in conjunction with homeassistant/home-assistant docker.

 

All of my remote accessing is done through this docker, linuxserver/letsencrypt.

 

Because of this, I've been able to greatly reduce the ports I have open on my router.

 

I currently have 5.  The basic 80, 8080, 443.  And then 32400 for Plex and 1194 for OpenVPN as I have found no other way to get this working without doing so.

 

I'm using OwnTracks on an Android OS phone to remotely send device location via MQTT.  Because of this, I need to be able to access this docker remotely.

 

I tried the most generic change to the default file under "site-confs":
 

location /mqtt {
        proxy_pass http://192.168.1.3:1883/;
        include /config/nginx/proxy.conf;
    }

Unfortunately, this does not work.

 

Any experience with a similar setup that could possibly point me in the right direction so I can try to avoid opening up more ports on my router?

2 hours ago, Living Legend said:

I did a search on this thread for "mqtt" and "mosquitto", but yielded no results.

 

I currently use spants/mqtt docker in conjunction with homeassistant/home-assistant docker.

 

All of my remote accessing is done through this docker, linuxserver/letsencrypt.

 

Because of this, I've been able to greatly reduce the ports I have open on my router.

 

I currently have 5.  The basic 80, 8080, 443.  And then 32400 for Plex and 1194 for OpenVPN as I have found no other way to get this working without doing so.

 

I'm using OwnTracks on an Android OS phone to remotely send device location via MQTT.  Because of this, I need to be able to access this docker remotely.

 

I tried the most generic change to the default file under "site-confs":
 


location /mqtt {
        proxy_pass http://192.168.1.3:1883/;
        include /config/nginx/proxy.conf;
    }

Unfortunately, this does not work.

 

Any experience with a similar setup that could possibly point me in the right direction so I can try to avoid opening up more ports on my router?

I haven't opened up port 1883 to get owntracks to work.  It's been a while since I set it up, but I think owntracks responds to 'polls' from the local instance so you don't need to open up a port.

3 hours ago, DZMM said:

I haven't opened up port 1883 to get owntracks to work.  It's been a while since I set it up, but I think owntracks responds to 'polls' from the local instance so you don't need to open up a port.

Yep, just double-checked by putting my phone on cellular and pinging home-assistant and my owntracks works with the MQTT docker by ensuring the outgoing ports are open, not the incoming.  I have for my appdata\MQTT\conf.d\myphone_mqtt.conf:

 

connection cloudmqtt
address mXX.cloudmqtt.com:non-ssl port
remote_username MAIN CLOUDMQTT USERNAME
remote_password MAIN CLOUDMQTT PASSWORD
clientid cloudmqtt
try_private false
start_type automatic
topic # in
topic owntracks out

 

and I've allowed outgoing the non-ssl and websockets port from the cloudmqtt instance in my router (running these ports using selective routing over my vpn for more peace of mind). 'owntracks out' is so that cloudmqtt doesn't get flooded with my smartthings messages, or anything else I add in the future.

I have been reading from page 46 and I could not find this HTTPVAL. I have enabled the “advanced view” and all I see at the bottom are PUID and PGID.

 

I have port forward on my firewall 80:81 and 443:442.

 

Here is my settings:

 

[Attached image]

 

 

Here is the error :

 

[Attached image]

 

I have been reading from page 46 and I could not find this HTTPVAL. I have enabled the “advanced view” and all I see at the bottom are PUID and PGID.
 
I have port forward on my firewall 80:81 and 443:442.
 
Here is my settings:
 
[Attached image]
 
 
Here is the error :
 
[Attached image]
 
It's changed again. Take a look at the Github readme for up to date info.

Sent from my LG-H815 using Tapatalk

It's changed again. Take a look at the Github readme for up to date info.

Sent from my LG-H815 using Tapatalk

Although to be honest looking at the info you provided it does look like either your port forward or DNS isn't correct.

Sent from my LG-H815 using Tapatalk

Ok just looking for a little help getting nextcloud working as I'd like. I tried following the directions given in the earlier posts on the nextcloud support thread but it mostly applies to if you want to use the address xxx.server.com. I am trying to get it working with server.com/nextcloud. Currently I am having a couple of issues. Firstly I can access my nextcloud perfectly fine from outside my network with server.com/network however... within my network I am having issues and also I can't get it to play nice with the android app and the windows app either. At present while on the network I can't connect when using the unraid GUI. It sends me to 192.168.1.18:4433 but in order to access it on my network I have to input 192.168.1.18/nextcloud in order to access it. Also if I am on my own network and I go to server.com/nextcloud it redirects me to the correct local IP but does not seem to connect through letsencrypt as I get the insecure notice. I'll attach my configs for reference. Just FYI sonarr and couchpotato work exactly as I'd like with the setup I have.

 

 

config.php

default.txt

Ok just looking for a little help getting nextcloud working as I'd like. I tried following the directions given in the earlier posts on the nextcloud support thread but it mostly applies to if you want to use the address xxx.server.com. I am trying to get it working with server.com/nextcloud. Currently I am having a couple of issues. Firstly I can access my nextcloud perfectly fine from outside my network with server.com/network however... within my network I am having issues and also I can't get it to play nice with the android app and the windows app either. At present while on the network I can't connect when using the unraid GUI. It sends me to 192.168.1.18:4433 but in order to access it on my network I have to input 192.168.1.18/nextcloud in order to access it. Also if I am on my own network and I go to server.com/nextcloud it redirects me to the correct local IP but does not seem to connect through letsencrypt as I get the insecure notice. I'll attach my configs for reference. Just FYI sonarr and couchpotato work exactly as I'd like with the setup I have.
 
 
config.php
default.txt
This is one of the reasons I don't support the subfolder method.

You probably need to look at hairpin NAT or NAT reflection on your router.

Sent from my LG-H815 using Tapatalk

Although to be honest looking at the info you provided it does look like either your port forward or DNS isn't correct.

Sent from my LG-H815 using Tapatalk



What do you mean by DNS?

This is the stateful flow from my SRX firewall. (I replaced my public IP with 1.1.1.1)

Session ID: 48579, Policy name: untrust_TO_LENGINX/80, Timeout: 2, Valid
In: 66.118.142.167/43834 --> 1.1.1.1/80;tcp, Conn Tag: 0x0, If: ge-0/0/0.0, Pkts: 1, Bytes: 40,
Out: 10.0.20.11/81 --> 66.118.142.167/43834;tcp, Conn Tag: 0x0, If: irb.20, Pkts: 1, Bytes: 40,



Sent from my iPad using Tapatalk
4 hours ago, pingmanping said:

I have been reading from page 46 and I could not find this HTTPVAL. I have enabled the “advanced view” and all I see at the bottom are PUID and PGID.

 

I have port forward on my firewall 80:81 and 443:442.

 

Here is my settings:

 

[Attached image]

 

 

Here is the error :

 

[Attached image]

 

 

Your outgoing connection to the letsencrypt server is failing

 
Your outgoing connection to the letsencrypt server is failing


I put my letsencrypt container to my DMZ subnet. Do you think this is the problem?
I put a VM in the DMZ and I was able to browse the Internet. I disabled my pihole and letsencrypt was still failing with the same error.

I did some testing to verify the destination NAT by installing the Linuxserver.io NGINX container and I was able to hit the page. But letsencrypt fails to work.


Sent from my iPad using Tapatalk
1 hour ago, aptalca said:

 

Your outgoing connection to the letsencrypt server is failing

Here is update. I used the bridge mode and everything works.

 

I really don't want to use my unraid IP when opening inbound ports from the Internet. 

How are you deploying your letsencrypt?

 

My plan was to put the LE container in my DMZ and this seems to fail to work. I would like to put my pivpn, emby, nextcloud behind the letsencrypt container.

10 hours ago, pingmanping said:

Here is update. I used the bridge mode and everything works.

 

I really don't want to use my unraid IP when opening inbound ports from the Internet. 

How are you deploying your letsencrypt?

 

My plan was to put the LE container in my DMZ and this seems to fail to work. I would like to put my pivpn, emby, nextcloud behind the letsencrypt container.

 

DMZ means opening up every single port. No firewall. Don't do it. 

 

Forward a single port (443) if you're using dns validation or 80 and 443 if using http validation, to letsencrypt on unraid and reverse proxy everything else. Configure the built-in fail2ban for additional security like against DDoS and brute force attempts (recidive does wonders).
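
What the recidive jail mentioned above does, as an added example that is not from the thread or the container image: fail2ban's recidive jail reads fail2ban's own log and bans hosts that the other jails have already banned repeatedly within a time window. The log lines, the function name and the `maxretry`/`findtime` values here are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed fail2ban.log lines using documentation IP ranges.
SAMPLE_LOG = """\
2019-03-01 10:00:01,101 fail2ban.actions [345]: NOTICE [nginx-http-auth] Ban 203.0.113.7
2019-03-01 10:10:01,500 fail2ban.actions [345]: NOTICE [nginx-http-auth] Unban 203.0.113.7
2019-03-01 11:30:12,020 fail2ban.actions [345]: NOTICE [nginx-botsearch] Ban 203.0.113.7
2019-03-01 12:00:00,000 fail2ban.actions [345]: NOTICE [nginx-http-auth] Ban 198.51.100.23
2019-03-01 18:45:40,310 fail2ban.actions [345]: NOTICE [nginx-http-auth] Ban 203.0.113.7
2019-03-01 18:45:41,000 fail2ban.actions [345]: NOTICE [recidive] Ban 203.0.113.7
2019-03-04 09:00:00,000 fail2ban.actions [345]: NOTICE [nginx-http-auth] Ban 198.51.100.23
"""

# A "Ban" action from any jail except recidive itself.
BAN_RE = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+\s+fail2ban\.actions\s+\[\d+\]:\s+"
    r"NOTICE\s+\[(?!recidive\])([^\]]+)\]\s+Ban\s+(\S+)$"
)


def repeat_offenders(log_text, maxretry=3, findtime=timedelta(days=1)):
    """Return {ip: time of the ban that reached maxretry bans within findtime}."""
    recent = defaultdict(deque)   # ip -> ban times still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = BAN_RE.match(line.strip())
        if not m:
            continue  # Unban lines and recidive's own bans do not count
        when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        ip = m.group(3)
        window = recent[ip]
        window.append(when)
        # Drop bans that have aged out of the sliding window.
        while when - window[0] > findtime:
            window.popleft()
        if len(window) >= maxretry and ip not in flagged:
            flagged[ip] = when
    return flagged


if __name__ == "__main__":
    for ip, when in repeat_offenders(SAMPLE_LOG).items():
        print(f"{ip} would be handed to recidive at {when}")
```
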

14 hours ago, CHBMB said:

This is one of the reasons I don't support the subfolder method.

You probably need to look at hairpin NAT or NAT reflection on your router.

Sent from my LG-H815 using Tapatalk
 

 Ok I'm not going to lie I don't really know much about that NAT stuff. As you can probably see from my default config I have the method you suggest there but commented out. I did this as I was having issues getting that to work also. Should your method work fine even with the subfolder method on other containers? I'm willing to go back at it if it's just going to work as intended.

8 minutes ago, tazire said:

 Ok I'm not going to lie I don't really know much about that NAT stuff. As you can probably see from my default config I have the method you suggest there but commented out. I did this as I was having issues getting that to work also. Should your method work fine even with the subfolder method on other containers? I'm willing to go back at it if it's just going to work as intended.

 

Yeah it works fine with other stuff as subfolders, but you'll still have the issue with hairpin NAT.
