[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



26 minutes ago, hawihoney said:

 

Could it be that easy? Wow, worked immediately. Out of the box. Have plex1.t***.duckdns.org and plex2.t***.duckdns.org now. Thanks a million.

 

One last question - more Plex related: If I remove port forwarding of 3240x from my router Plex tells me about missing direct connection. I mean, what is that 3240x port used for if the connection works over 443? This one puzzles me a bit.

 

 

That's the port Plex's cloud servers use to connect to your local Plex server. They try over 32400, can't connect, hence the missing direct connection.

 

Since you are now serving Plex over port 443 (via proxy), perhaps you need to tell Plex to use that in the GUI settings? Again, I never proxied Plex, so take my suggestions with a grain of salt.

Link to comment

@aptalca I'm having problems with the Cloudflare DNS-01. Is it mainstream or should I still be on the preview update you made 3 months ago? I'm getting this error in the log:

 

<------------------------------------------------->
cronjob running on Sat Apr 7 12:33:51 CDT 2018
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/MYDOMAIN.conf
-------------------------------------------------------------------------------
expected /etc/letsencrypt/live/MYDOMAIN.com/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/MYDOMAIN.com.conf is broken. Skipping.

-------------------------------------------------------------------------------

No renewals were attempted.

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/MYDOMAIN.com.conf (parsefail)
-------------------------------------------------------------------------------
0 renew failure(s), 1 parse failure(s)
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [emerg] PEM_read_bio_X509_AUX("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:09FFF06C:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE)
Server ready
nginx: [emerg] PEM_read_bio_X509_AUX("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:09FFF06C:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE)

Link to comment
1 hour ago, Rudder2 said:

@aptalca I'm having problems with the Cloudflare DNS-01. Is it mainstream or should I still be on the preview update you made 3 months ago? I'm getting this error in the log:

 

<------------------------------------------------->
cronjob running on Sat Apr 7 12:33:51 CDT 2018
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Processing /etc/letsencrypt/renewal/MYDOMAIN.conf
-------------------------------------------------------------------------------
expected /etc/letsencrypt/live/MYDOMAIN.com/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/MYDOMAIN.com.conf is broken. Skipping.

-------------------------------------------------------------------------------

No renewals were attempted.

Additionally, the following renewal configuration files were invalid:
/etc/letsencrypt/renewal/MYDOMAIN.com.conf (parsefail)
-------------------------------------------------------------------------------
0 renew failure(s), 1 parse failure(s)
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [emerg] PEM_read_bio_X509_AUX("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:09FFF06C:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE)
Server ready
nginx: [emerg] PEM_read_bio_X509_AUX("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:09FFF06C:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE)

 

It is stable, no need to use the preview build

 

Can you post your renewal config file? It's under the config folder, in etc/letsencrypt.

Link to comment
3 minutes ago, aptalca said:

 

It is stable, no need to use the preview build

 

Can you post your renewal config file? It's under the config folder, in etc/letsencrypt.

Here it is. I purposely changed my domain to MYDOMAIN.com and my account number to ACCT#, trying to prevent private data from being posted in a forum.

 

AWESOME! I just changed it back to the linuxserver/letsencrypt channel.

MYDOMAIN.com.conf

Link to comment
14 minutes ago, aptalca said:

 

It is stable, no need to use the preview build

 

Can you post your renewal config file? It's under the config folder, in etc/letsencrypt.

4 minutes ago, Rudder2 said:

Here it is. I purposely changed my domain to MYDOMAIN.com and my account number to ACCT#, trying to prevent private data from being posted in a forum.

 

AWESOME! I just changed it back to the linuxserver/letsencrypt channel.

MYDOMAIN.com.conf

 

I changed the channel back to main channel and now I get this error:

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
4096 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.MYDOMAIN.com -d nextcloud.MYDOMAIN.com -d vpn.MYDOMAIN.com -d onlyoffice.MYDOMAIN.com -d collabora.MYDOMAIN.com
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Unable to load: [('PEM routines', 'CRYPTO_internal', 'no start line')],[('asn1 encoding routines', 'CRYPTO_internal', 'header too long')]
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Link to comment
10 hours ago, Rudder2 said:

 

I changed the channel back to main channel and now I get this error:

-------------------------------------
          _         ()
         | |  ___   _    __
         | | / __| | |  /  \
         | | \__ \ | | | () |
         |_| |___/ |_|  \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
4096 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.MYDOMAIN.com -d nextcloud.MYDOMAIN.com -d vpn.MYDOMAIN.com -d onlyoffice.MYDOMAIN.com -d collabora.MYDOMAIN.com
E-mail address entered: [email protected]
Different sub/domains entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Unable to load: [('PEM routines', 'CRYPTO_internal', 'no start line')],[('asn1 encoding routines', 'CRYPTO_internal', 'header too long')]
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
IMPORTANT NOTES:
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

That doesn't look like the log of the latest image. Make sure you pull the latest linuxserver/letsencrypt.

 

If that doesn't work, try backing up your default site config, then nuke the container, image and config folder and start over, because something is messed up on your system.

Link to comment
8 hours ago, aptalca said:

 

That doesn't look like the log of the latest image. Make sure you pull the latest linuxserver/letsencrypt.

 

If that doesn't work, try backing up your default site config, then nuke the container, image and config folder and start over, because something is messed up on your system.

You're right. I think I know what killed it. I had a problem where I lost 2 DATA disks (make sure that the new controller card you buy is compatible with unRAID...). When I recovered the disks I had to restore my APPs folder from a backup to recover my databases, because they scanned and saw the missing DATA and I didn't feel like rebuilding it myself, because I would have to correct a lot of incorrect matches. Not thinking about it, I recovered all APPs DATA instead of just the ones I needed. I wonder if this broke LetsEncrypt.

 

I nuked the APPs folder and Docker image, let it start using the LinuxServer/LetsEncrypt repository to create the APP DATA, and then copied the CloudFlare.ini and the site-confs back in, and it's back up. Should have done this to begin with... This is the beauty of the way the Docker images from LinuxServer.io are written: easy recovery.

 

One good thing from all this is I discovered I was still on the Preview channel when I should have been back on the Main update channel. This happens often (usually BETA channel) and I never figure it out till the Docker breaks.

 

Thank you for all your help! You're AWESOME!

Link to comment
6 hours ago, Rudder2 said:

You're right. I think I know what killed it. I had a problem where I lost 2 DATA disks (make sure that the new controller card you buy is compatible with unRAID...). When I recovered the disks I had to restore my APPs folder from a backup to recover my databases, because they scanned and saw the missing DATA and I didn't feel like rebuilding it myself, because I would have to correct a lot of incorrect matches. Not thinking about it, I recovered all APPs DATA instead of just the ones I needed. I wonder if this broke LetsEncrypt.

 

I nuked the APPs folder and Docker image, let it start using the LinuxServer/LetsEncrypt repository to create the APP DATA, and then copied the CloudFlare.ini and the site-confs back in, and it's back up. Should have done this to begin with... This is the beauty of the way the Docker images from LinuxServer.io are written: easy recovery.

 

One good thing from all this is I discovered I was still on the Preview channel when I should have been back on the Main update channel. This happens often (usually BETA channel) and I never figure it out till the Docker breaks.

 

Thank you for all your help! You're AWESOME!

 

Glad it worked

Link to comment
1 hour ago, EdgarWallace said:

Hi, I am having an issue with my Letsencrypt Docker whenever I am updating it. The log is showing: LOG

 

After each update I have to remove the Subdomain(s) but I am sure that there is a smarter way to deal with this. Anyone able to help?

 

Thanks a lot.

I always have the same issue as well, it's very annoying as it means I can't have it set to auto update the docker. Would love to know how to solve this.

Link to comment
4 hours ago, EdgarWallace said:

Hi, I am having an issue with my Letsencrypt Docker whenever I am updating it. The log is showing: LOG

 

After each update I have to remove the Subdomain(s) but I am sure that there is a smarter way to deal with this. Anyone able to help?

 

Thanks a lot.

 

I'm guessing unRAID keeps putting in the subdomains field because it is in the template? Then instead of deleting it, try setting it to either blank, or if that doesn't work, set it to just a comma.

Link to comment
On 4/1/2018 at 12:32 AM, fivestones said:

 

I went back and looked at cloudflare again, and while I'm pretty sure that a few months ago when I was trying it it wouldn't let me use *.mydomain.com to make a DNS A record, now it does. They say that using a wildcard DNS like this will make the wildcard subdomains not be protected by the cloudflare network (unless you pay for the enterprise version), but it will still point to your server as intended.

 

So I set it up for my domain, made the wildcard subdomain in cloudflare, and then set the letsencrypt docker to make a wildcard cert, and it all works! Now I can go to any random subdomain random.mydomain.com and it points to mydomain.com if nothing is specified in letsencrypt config/nginx/site-confs/default. Or if I specify something in that file random.mydomain.com can point to a particular port on my server like ghost or plex.

 

I'm so excited to see it all working! Thanks for the tip on cloudflare.

 

Mind giving a step-by-step for us noobs that have a slight idea of how you got this to work?

Link to comment

I'm not getting what you mean about using cloudflare with dns.

edit//

 

Made a cloudflare account.

added my website.

went to namecheap and pointed nameservers to cloudflare servers as indicated

updated the file in dns-conf named cloudflare.ini with my Cloudflare email and API key, which I grabbed through their site

updated docker values with dns validation and 'cloudflare' in dns-plugin field

keep port 80->81 forward to route incoming connections correctly

 

restarted docker and we're in business.

 

double edit//

Was working perfectly. Now I'm getting error 522 (cloudflare) when trying to connect.

 

Edited by munit85
figured it out
Link to comment
36 minutes ago, munit85 said:

I'm not getting what you mean about using cloudflare with dns.

 

I'm hosted on namecheap. what setting am I changing to make this work?  today was renewal day and that failed. port forwarding didn't change, but I keep getting errors. I'm really at a frustrated point here.

 

the dns solution sounds nice, but I'm missing some step as to what I need to do.

 

edit//

 

Made a cloudflare account.

added my website.

went to namecheap and pointed nameservers to cloudflare servers as indicated

updated the file in dns-conf named cloudflare.ini with my Cloudflare email and API key, which I grabbed through their site

updated docker values with dns validation and 'cloudflare' in dns-plugin field

went into router and kept port 443 forwarded over unraid IP

deleted port 80->81 forward since that isn't needed anymore.

 

restarted docker and we're in business.

In Namecheap you need to set the DNS to Cloudflare. Once that is done, Cloudflare will authenticate and then it will work.

 

It took about 20 minutes for mine to resolve using Namecheap and Cloudflare.

 

*On mobile please excuse the bad engrish

Link to comment

Quick question before I get too detailed.

 

If I install the docker and start it, should I at least get some sort of page when I go to https://192.168.1.10 and/or http://192.168.1.10:81? I have port forwarded the router's 443 to the container's 443 and the router's 80 to the container's 81. 81 is set to the container's 80 and 443 to 443.

 

I am getting errors in the log file about not being able to get validation data etc., but before I delve there I just want to make sure that nginx and the port forwarding are working at least internally before looking at the outside world.

 

This was originally set up with its own IP address but it's now back to the server's IP in case that was a pre-req.

Link to comment
27 minutes ago, dalben said:

Quick question before I get too detailed.

 

If I install the docker and start it, should I at least get some sort of page when I go to https://192.168.1.10 and/or http://192.168.1.10:81? I have port forwarded the router's 443 to the container's 443 and the router's 80 to the container's 81. 81 is set to the container's 80 and 443 to 443.

 

I am getting errors in the log file about not being able to get validation data etc., but before I delve there I just want to make sure that nginx and the port forwarding are working at least internally before looking at the outside world.

 

This was originally set up with its own IP address but it's now back to the server's IP in case that was a pre-req.

Unraid uses port 443 on 6.4.0 so you will need to change that.

Link to comment
1 hour ago, GilbN said:

Unraid uses port 443 on 6.4.0 so you will need to change that.

OK, done. But https://192.168.1.10:7443/ gives me nothing.

 

here's the run command:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='br-letsencrypt' --net='bridge' --privileged=true -e TZ="Asia/Singapore" -e HOST_OS="unRAID" -e 'EMAIL'='[email protected]' -e 'URL'='mydomain.com' -e 'SUBDOMAINS'='www' -e 'ONLY_SUBDOMAINS'='false' -e 'DHLEVEL'='2048' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'PUID'='99' -e 'PGID'='100' -p '81:80/tcp' -p '7443:443/tcp' -v '/mnt/cache/appdata/letsencrypt':'/config':'rw' 'linuxserver/letsencrypt' 

OK, I have confirmed my port forwarding / DNS settings are working fine by installing the plain nginx docker from LSIO and managing to access the default site it throws up via 80 and 443.

Edited by dalben
Link to comment
3 hours ago, dalben said:

OK, I have confirmed my port forwarding / DNS settings are working fine by installing the plain nginx docker from LSIO and managing to access the default site it throws up via 80 and 443.

So, when you type in your FQDN (not IP address) on a device NOT connected to your internal LAN, it brings up the plain nginx page? If not, the LE-nginx isn't going to work.

Link to comment
8 hours ago, jonathanm said:

So, when you type in your FQDN (not IP address) on a device NOT connected to your internal LAN, it brings up the plain nginx page? If not, the LE-nginx isn't going to work.

 

Correct. When I have the standalone nginx docker running, it gives me the default web pages whether I use http or https. This is consistent whether intranet or internet, using my phone.

 

I stop that docker and start the letsencrypt docker (same ports being used, so no router or DNS changes) and I get nothing. Again this is consistent whether intra- or internet. I've killed the container a couple of times and recreated it, but the symptoms are the same.

Link to comment
16 hours ago, dalben said:

I am getting errors in the log file about not being able to get validation data

 

1 hour ago, dalben said:

When I have the standalone nginx docker running, it gives me the default web pages whether I use http or https. This is consistent whether intranet or internet, using my phone.

Given those two statements, you definitely need to pursue the log errors.

 

16 hours ago, dalben said:

If I install the docker and start it, should I at least get some sort of page when I go to https://192.168.1.10 and/or http://192.168.1.10:81

This docker won't fully start the webserver until it has a valid certificate, so the direct answer to your question is no.

Link to comment
8 hours ago, dalben said:

 

Correct. When I have the standalone nginx docker running, it gives me the default web pages whether I use http or https. This is consistent whether intranet or internet, using my phone.

 

I stop that docker and start the letsencrypt docker (same ports being used, so no router or DNS changes) and I get nothing. Again this is consistent whether intra- or internet. I've killed the container a couple of times and recreated it, but the symptoms are the same.

 

Post a docker log

Link to comment

Is there a guide or tutorial on setting up the nginx/site-confs/default file?

 

I'm on unRAID 6.1.9 (I know old), and when I configure a fresh install everything works great, meaning I can remote to my mail server 400 miles away, browse to subdomain.mydomain.com and get it to redirect me to the https://subdomain.mydomain.com default index.html.

I actually impressed myself because I got it to work through GoDaddy redirecting a CNAME to my free-dns subdomain back to the dynamic IP here at home, while keeping the secure lock and correct address in the address bar.

 

Problem is, I've been hitting a severe roadblock trying to get the correct format in the default site-confs file to get to my Ombi docker container. It seems like every time I edit the default file, it borks the whole system, and no matter where I connect from I get an ERROR_CONNECTION_REFUSED. Trying to undo edits and save, or replacing the file with a backup, resolves nothing, and I end up having to uninstall/reinstall the container to get back to functional.

 

EDIT: I did try the newperms tool on my appdata folder, which actually helped to speed up my server GUI navigation, but nothing else...

 

Maybe someone can give me the quick version, but a guide or reference for editing that file would be just as appreciated.

 

My base URL for Ombi: /request

Ports are default at 3579 for both container and host, as I can't seem to find where I can change that.

and the server's host address is 192.168.0.69

 

I know I'm close, but just can't seem to get it... It would also be nice to use just the sub-domain.domain address for my users navigating to the site, omitting /request.

From what I can tell in the default file example this is possible, no?

 

Bonus Round:

 

I have basic authentication turned on for myself and my users, using the built-in Plex account authentication, but what's the most secure way to implement this?

 

To quote linuxserver.io:

Quote
  • If you'd like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd <username>

 

Is this something I should be interested in setting as well?  Any guides, or reference for implementation?

 

 

I appreciate the help, as I'm finally getting around to actually using the 2xE5-2670 128GB RAM beast I built a couple of years back... (The first one at least...)

Edited by Drider
Missed/Added information
Link to comment
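Drider's question above (a site-confs entry that proxies Ombi under /request, with optional htpasswd protection) was not answered in the thread. The following is an added example, not the linuxserver.io project's sample config and not something any poster supplied. It uses the values from the post: Ombi at 192.168.0.69 on port 3579 with its base URL set to /request, the htpasswd file at /config/nginx/.htpasswd as in the quoted docs, and the container name letsencrypt as in the quoted docker exec command. The hostname requests.mydomain.com is a placeholder, the `include /config/nginx/ssl.conf;` line assumes the container ships its TLS certificate settings in that file (adjust if your default file carries the ssl_certificate lines directly), and the websocket map is assumed to be wanted for Ombi's live notifications (harmless if unused).

```nginx
# Added example (not the linuxserver.io sample config): reverse proxy for Ombi
# behind the letsencrypt/SWAG container, with optional HTTP basic auth.
# Save as /config/nginx/site-confs/ombi (or paste the server block into default).
# Assumed from the post: Ombi at 192.168.0.69:3579, base URL /request.

# Websocket upgrade handling; site-confs files are included at the http level,
# which is where a map is allowed. Assumption: Ombi's notification hub uses it.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    listen 443 ssl http2;
    server_name requests.mydomain.com;   # placeholder hostname

    # Assumption: container-provided ssl_certificate / ssl_certificate_key lines.
    include /config/nginx/ssl.conf;

    # Ombi expects the trailing slash; send /request to /request/.
    location = /request {
        return 301 $scheme://$host/request/;
    }

    # Ombi's own base URL is /request, so the path is handed through unchanged.
    # Note: no trailing slash on proxy_pass, otherwise nginx would strip /request/.
    location ^~ /request/ {
        # Optional second factor in front of Ombi's own Plex login. Create the
        # file with the command from the quoted docs, adding -B for bcrypt hashes:
        #   docker exec -it letsencrypt htpasswd -B -c /config/nginx/.htpasswd <username>
        auth_basic           "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;

        proxy_pass http://192.168.0.69:3579;

        # Tell Ombi who the real client is and that the outside scheme is https.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass websocket upgrades through; falls back to a normal connection otherwise.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Before restarting, run `docker exec letsencrypt nginx -t` to syntax-check the configuration: a bad directive stops nginx from starting at all, which is what the connection-refused error after an edit means. To serve Ombi at the bare subdomain instead of /request, clear Ombi's base URL setting and replace the two location blocks with a single `location / { ... }` carrying the same proxy directives. Basic auth sends the credentials with every request, so keep this block on the TLS listener only, and remember that Ombi mobile clients or API callers will also have to supply them.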
On 9.4.2018 at 2:32 PM, aptalca said:

 

I'm guessing unRAID keeps putting in the subdomains field because it is in the template? Then instead of deleting it, try setting it to either blank, or if that doesn't work, set it to just a comma.

 

Thank you very much @aptalca, adding a comma into the subdomain(s) field is working well (adding a blank isn't working, btw; this is what I tried earlier..).

 

@allanp81 you might want to try that as well. Let me know if it is working for you too.

Link to comment
