[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Hi all,

 

I have this docker set up nicely and it's doing everything I want it to do, i.e. reverse proxy for a few dockers over https:// and serving some game files over standard http://.

 

My question is about security and what, if anything, I need to make sure I'm doing to prevent security issues.

Seeing that this docker is on my main unRAID machine with all my personal stuff on it as well as all my media is concerning me.

 

I don't know enough about it and it's keeping me up at night!

 

The server has an A+ rating on SSL Labs, which I assume is a good start, but after that I need some guidance/reassurance.

 

Can anyone shed some light on this for me?

 

Cheers.



Password protection if you haven't set it up already. See the docker hub page about htpasswd

 



Yep I'm using htpasswd for all of the reverse proxies apart from plex requests. Anything else you can think of?

 

Sent from my SM-G930F using Tapatalk
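The answer so far is Basic auth via htpasswd; the other layer this image ships is fail2ban, which bans an address after repeated failures inside a time window. The following is an added example, not code from the thread or from the linuxserver.io project: it parses constructed nginx access-log lines (combined format) and applies the same findtime/maxretry rule a fail2ban jail uses to flag addresses that keep receiving 401 from a password-protected proxy. The sample lines, thresholds and function names are my own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in nginx "combined" log format (not taken from the
# thread): one address hammering a Basic-auth protected path, and one
# legitimate user who mistypes a password twice, 25 minutes apart.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jan/2017:10:00:01 +0000] "GET /login HTTP/1.1" 401 188 "-" "curl/7.50"
203.0.113.5 - - [02/Jan/2017:10:00:02 +0000] "GET /login HTTP/1.1" 401 188 "-" "curl/7.50"
203.0.113.5 - - [02/Jan/2017:10:00:03 +0000] "GET /login HTTP/1.1" 401 188 "-" "curl/7.50"
203.0.113.5 - - [02/Jan/2017:10:00:04 +0000] "GET /login HTTP/1.1" 401 188 "-" "curl/7.50"
203.0.113.5 - - [02/Jan/2017:10:00:05 +0000] "GET /login HTTP/1.1" 401 188 "-" "curl/7.50"
198.51.100.7 - alice [02/Jan/2017:10:00:06 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2017:10:05:00 +0000] "GET / HTTP/1.1" 401 188 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Jan/2017:10:30:00 +0000] "GET / HTTP/1.1" 401 188 "-" "Mozilla/5.0"
"""

# client ip, ident, user, [timestamp], "request", status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, status) for one access-log line, or None if the
    line does not match the combined format."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, int(m.group("status"))


def find_bruteforcers(lines, maxretry=5, findtime_minutes=10):
    """Return {ip: time_of_ban} for every address that produced at least
    `maxretry` 401 responses inside any `findtime_minutes` window, which is
    the findtime/maxretry rule a fail2ban jail applies."""
    findtime = timedelta(minutes=findtime_minutes)
    recent = defaultdict(deque)  # ip -> timestamps of its recent 401s
    banned = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, status = parsed
        if status != 401 or ip in banned:
            continue
        window = recent[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:  # forget old failures
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at {when.isoformat()})")
```

Run it against the container's nginx access log (under the mounted /config directory in this image; the exact path is an assumption, check your container) to see which addresses a jail would have banned. With Basic auth in front of every proxied app, a burst of 401s from one address is the signal worth alerting on; a single user mistyping a password now and then stays below the threshold, as the second sample address shows.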

 

 


I'm having an issue moving from the old docker to the new one. In the old one, I was running a phpBB forum using PHP5. I used the following settings in my default file:

 

location ~ \.php$ {
    try_files $uri =404;
    fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param modHeadersAvailable true;
    include fastcgi_params;
}

 

My forum worked great in the old docker. When I moved to the new docker, I noticed that there is already pre-existing PHP5 code in the stock default file. I commented it out and used mine. Didn't work; there is no "php5-fpm.sock" file in /var/run. So I tried using the existing code:

 

location ~ \.php$ {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    fastcgi_pass 127.0.0.1:9000;
    # With php5-fpm:
    #fastcgi_pass unix:/var/run/php5-fpm.sock;
    fastcgi_index index.php;
    include /etc/nginx/fastcgi_params;
}

 

and PHP5 is not working for me. I tried a simple PHP test file and it's blank. My forum doesn't work; it gives an error that indicates something is wrong with PHP.

 

Any advice? Should I copy php5-fpm.sock from the old docker over to the new one? Or will that get wiped out in a future update?


OK, I tried a completely different forum software, the same one Limetech is using (SMF), and I get to the install screen and it gives me this error:

 

"Critical Error!

The installer was unable to detect any database support in PHP. Please ask your host to ensure that PHP was compiled with the desired database, or that the proper extension is being loaded. "

 

Looks like the PHP installation in this docker was not configured for any particular database. Is this something I can remedy myself? Or would the base image have to be changed?


I can't get this to work at all. It keeps killing itself. The most useful thing I see in the docker log is "Detail: Failed to connect to 192.64.119.73:443 for TLS-SNI-01 challenge"

 

It's a domain I purchased tonight from Namecheap. I have created an "A + Dynamic DNS" record at Namecheap pointing to my public IP address. My router is forwarding 80 and 443 to 88 and 443 as defined in the docker template. I'm just at a loss... Has anyone else seen this error and knows how to fix it?



 

Two things come to mind, as I also just bought a new Namecheap domain and went through this yesterday:

 

1) You need an A + Dynamic DNS record for @ and also anything else you define. In my case that was also 'www' and 'nextcloud'.

 

2) Do you have dynamic DNS set up? Is that your correct WAN IP? I'm using Mace's DDClient docker to update Namecheap with my IP address.



 

I've already done point 1. As for 2, I haven't set up ddclient yet. I manually entered my WAN IP at Namecheap, but I have no clue where it got 192.64.119.73.


Regarding PHP5 and MySQL, I see in the Dockerfile you have the following:

 

# install packages
RUN \
apk add --no-cache \
certbot \
curl \
fail2ban \
php5-curl \
php5-gd \
php5-mcrypt && \

 

I think php5-mysqlnd would be the module I'd need added. I was reading this guide, which had a section on adding MySQL for PHP5 in an nginx installation: https://www.howtoforge.com/tutorial/installing-nginx-with-php-fpm-and-mariadb-lemp-on-debian-jessie/

 

I'm missing the MySQL and MySQLi sections in my phpinfo page (see attached example from the howtoforge link).

[attached image: php_info_mysql.png]



There are a ton of PHP modules and we only included the most commonly used ones (so as not to bloat the image unnecessarily). We can add more modules as we get requests. I'll look into adding an SQL one before the next Friday update.


So eventually letsencrypt started. Now I can't get it to redirect traffic to Nextcloud. I have port 443 open and I've followed, to the best of my knowledge, the configuration instructions I've found, but using nextcloud.myserver.com results in connection refused. If I try nextcloud.myserver.com:7443 (the port forwarded for Nextcloud), it does connect to my server, so the domain is resolving to my IP.


I won't say I figured it out, but I beat my head against the keyboard until it started working

 

That's the way to go ;D Try 5 different things, find out it worked and have no idea which of the 5 did it. But whatever, it's working now ::) The majority of what I get working is done using this method.


Hey all. This is probably stupidly simple, but I'm a beginner with nginx configs, and 4 hours and many, many Google searches later I'm not much further into my problem.

 

Essentially I have stats.domain.co.uk loading up PlexPy perfectly using letsencrypt. Now I'm trying to get requests.domain.co.uk to point to Plex Requests.

 

My default config file is below. The first and second "server_name" seem to work perfectly: http traffic is denied and https gets to PlexPy perfectly, but the 3rd server_name doesn't make it to Plex Requests. I even tried using stats.domain.co.uk with the port for Requests and that works fine, so it doesn't seem to be the Docker.

 

Any pointers as to what I need to change below? I just want requests.domain.co.uk to work alongside stats.domain.co.uk.

 

# redirect all traffic to https
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    server_name stats.*;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    #PLEX STATS

    location / {
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://10.0.0.11:8181;
    }
}


server {
    listen 443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    server_name requests.*;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    #PLEX REQUESTS

    location / {
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://10.0.0.11:3000/request;
    }
}



 

Likely an issue because https://domain.com is proxied to http://ip/requests

 

It is usually a good idea to keep that base url (in this case "requests") the same between the domain address and the proxied address.

 

You can either try to remove the base url from the plex requests container so that you access it at just http://serverip:port and so the proxied address would match the domain address (no base url) or you can try "location /requests" in the config and access it at requests.domain.com/requests (not pretty).

 

You can also try adding a trailing slash at the end of the requests in your existing config. It *may* work
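The advice to keep the base URL the same on both sides, and the trailing-slash suggestion, both follow from how nginx handles a URI on proxy_pass. As an added illustration (my code, not the project's or the poster's), the function below applies the rule from the nginx proxy module documentation for prefix locations: when proxy_pass carries a URI, the part of the request URI that matched the location is replaced by that URI; when it carries none, the request URI passes through unchanged. The location/proxy_pass pairs are the one from the config above plus the fixes suggested in the reply; the request paths are constructed.

```python
from urllib.parse import urlsplit


def upstream_path(location, proxy_pass, request_uri):
    """Path nginx sends upstream for a request matching a prefix `location`.

    nginx rule: if `proxy_pass` is given with a URI, the part of the request
    URI that matched the location prefix is replaced by that URI; if
    `proxy_pass` has no URI, the request URI is passed through unchanged.
    `request_uri` is the raw path with an optional query string.
    """
    path, sep, query = request_uri.partition("?")
    if not path.startswith(location):
        raise ValueError(f"{path!r} does not match location {location!r}")
    upstream_uri = urlsplit(proxy_pass).path
    if upstream_uri == "":
        return request_uri
    return upstream_uri + path[len(location):] + sep + query


# The configurations discussed in the thread. "original" is the posted
# config; the other three are the reply's suggestions (trailing slash, drop
# the base URL from Plex Requests, or match the base URL on the nginx side).
CONFIGS = {
    "original":       ("/",         "http://10.0.0.11:3000/request"),
    "trailing slash": ("/",         "http://10.0.0.11:3000/request/"),
    "no base url":    ("/",         "http://10.0.0.11:3000"),
    "matching base":  ("/requests", "http://10.0.0.11:3000/request"),
}


def compare(request_uri):
    """Map one request through every configuration: {name: upstream path}.
    None means the location prefix did not match the request at all."""
    result = {}
    for name, (location, proxy_pass) in CONFIGS.items():
        try:
            result[name] = upstream_path(location, proxy_pass, request_uri)
        except ValueError:
            result[name] = None
    return result


if __name__ == "__main__":
    # Constructed request paths: the root page and an asset the app loads.
    for uri in ("/", "/static/app.js?v=2", "/requests/static/app.js"):
        print(uri, compare(uri))
```

The "original" row is the tell: `/` becomes `/request`, which is why the front page may load, but every asset the page then fetches becomes `/request<asset>` with the slash lost, so the app appears half broken. The trailing slash keeps the separator; removing the base URL avoids the rewrite altogether.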

 


What I found works was separate config files for each subdomain. So as well as default I have files and nextcloud in there. Not sure, looking at yours, how you got it set up.

 

Also, remove the URL_BASE parameter as you don't need it and like aptalca says it's probably overcomplicating things.

 

[attached image: RNWSRCr.png]

 

Then place a file called requests in the same folder as default and use this as the contents.

 

server {
    listen         80;
    server_name    requests.server.com;
    return         301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name requests.server.com;

    root /config/www/;
    index index.htm index.php;

    ###SSL Certificates
    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    ###Diffie–Hellman key exchange ###
    ssl_dhparam /config/nginx/dhparams.pem;

    ###SSL Ciphers
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

    ###Extra Settings###
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ### Add HTTP Strict Transport Security ###
    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
    add_header Front-End-Https on;

    client_max_body_size 0;

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php5-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        # With php5-fpm:
        #fastcgi_pass unix:/var/run/php5-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

    location / {
        proxy_pass http://10.0.0.11:3000;
        include /config/nginx/proxy.conf;
    }

}


This plugin works like a charm :), but I have one question: when I connect from my external URL to my application (like Emby), the application only gets the IP «172.17.0.2» for every online user, and not the real IP. Is this normal?

 

Thanks and happy new year.
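172.17.0.2 is an address on Docker's default bridge network, i.e. the reverse-proxy container itself: Emby sees the TCP peer, which is nginx, not the browser. A reverse proxy hands the original address to the backend in request headers (X-Real-IP and X-Forwarded-For; I assume the proxy.conf included in the configs above sets them, so check your copy), and the backend has to be told which peers it may believe. The example below is added here and is not from the thread, Emby or linuxserver.io: it shows the safe way for an application to recover the client address, trusting the forwarded headers only when the connection really comes from the proxy, since otherwise any client could forge them and dodge IP-based bans or logging. The network ranges, addresses and header values are constructed.

```python
import ipaddress

# Constructed: the docker bridge network the proxy container lives on.
# An application should list only the proxies that actually front it.
TRUSTED_PROXIES = [ipaddress.ip_network("172.17.0.0/16")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(peer_addr, headers, trusted=TRUSTED_PROXIES):
    """Return the address an application should log and rate-limit on.

    peer_addr: the TCP peer as the app's socket reports it (172.17.0.2 here).
    headers:   request headers as a dict with lower-case names.
    The forwarded headers are consulted only when the peer is a trusted
    proxy; a direct client presenting X-Forwarded-For is simply ignored.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _is_trusted(peer, trusted):
        return str(peer)

    # X-Forwarded-For is "client, proxy1, proxy2": each hop appends itself,
    # so walk from the right, skip our own trusted hops, and stop at the
    # first address we did not add ourselves. Anything unparsable ends the
    # walk rather than being returned as an "address".
    xff = headers.get("x-forwarded-for", "")
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break
        if not _is_trusted(addr, trusted):
            return str(addr)

    # Fallback: the single-valued header nginx sets from $remote_addr.
    real = headers.get("x-real-ip")
    if real:
        try:
            return str(ipaddress.ip_address(real))
        except ValueError:
            pass
    return str(peer)


if __name__ == "__main__":
    # Constructed requests: one through the proxy, one direct with a forged header.
    print(client_ip("172.17.0.2", {"x-forwarded-for": "203.0.113.9"}))   # 203.0.113.9
    print(client_ip("203.0.113.9", {"x-forwarded-for": "10.0.0.1"}))     # 203.0.113.9
```

Most applications expose this as a "trusted proxies" or "known proxies" setting; the value to put there is the proxy container's address or its bridge subnet, never 0.0.0.0/0, or the header becomes a way for anyone to pick the address they are logged under.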

