[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



5 minutes ago, CHBMB said:

You say it doesn't work on WAN, have you tried using your mobile phone on mobile data?  Could be a problem with your router settings

 

And to confirm, it's working on LAN?

 

Yeah same error LAN or WAN. Router settings:

(screenshot of router port-forwarding settings)

Link to comment
Correct, I cannot access using my duckdns domain on WAN or LAN. 
OK, here's the deal: the container is working perfectly, it's grabbed the certs and started nginx, but I think somewhere you've configured Nginx wrong and now it's not working. There's no easy fix for this; what I'd recommend is reinstalling the container with new appdata and then editing the nginx default file and trying to work out where you've introduced the error.

Link to comment
6 hours ago, Odessa said:

 

@CHBMB Thank you very much, here is my LE run command:

https://pastebin.com/sTnfSFkk

 

My LE log:

https://pastebin.com/9DawkVww

[personal info obfuscated]

 

I see the error regarding port in the log, but 443 does not show as used in my docker mappings. Note I cannot currently access the default web page from outside, I get "ERR_CONNECTION_REFUSED" in browser.

 

 

Issue 1: you are redirecting from www.yourdomain to yourdomain, however you have the option only_subdomains set to true, so your cert only covers www, but not yourdomain

 

Issue 2: are you using ldap for authorization? How is that set up? 

 

Issue 3: nginx isn't even starting for you because you have another site config enabled somewhere with a server block that contains the "default_server" directive

Link to comment

So I'm attempting to get this set up while still using Cloudflare as my DNS.

 

In the docker set up fields, it asks for the following (among other things):

- Subdomains: I put "wildcard" here without the quotes, since CF has all the CNAME breakouts and everything

- Validation Type: I've put "dns" without the quotes

- dns-plugin: Not sure what to put for this one?

 

Thoughts? Any help is appreciated!

Link to comment
5 minutes ago, Magic815 said:

So I'm attempting to get this set up while still using Cloudflare as my DNS.

 

In the docker set up fields, it asks for the following (among other things):

- Subdomains: I put "wildcard" here without the quotes, since CF has all the CNAME breakouts and everything

- Validation Type: I've put "dns" without the quotes

- dns-plugin: Not sure what to put for this one?

 

Thoughts? Any help is appreciated!

https://github.com/linuxserver/docker-letsencrypt#parameters

  • Like 1
Link to comment
On 6/4/2018 at 2:36 PM, aptalca said:

 

That's just the problem. Acme challenge key is generated on the fly by letsencrypt servers. So you can't really do that with a variable. Manual validation process goes like this:

 

--snipp---

 

PS. I personally don't think using cloudflare is a workaround. It delivers about 10% of the internet (cdn, proxy) and I bet it is a lot more reliable as a dns provider than any hosting company


 

Thanks for the clarification on the LE workflow. Got why it won't work; I assume that my use case is not intended due to the fact that my Unraid server is not available from WAN. Ofc you can argue about the importance of SSL encryption in a LAN-only mode. The only access to the server can be done via VPN into the LAN and then going to unnraid.domain.tld.

Link to comment
3 hours ago, Aluavin said:

 

Thanks for the clarification on the LE workflow. Got why it won't work; I assume that my use case is not intended due to the fact that my Unraid server is not available from WAN. Ofc you can argue about the importance of SSL encryption in a LAN-only mode. The only access to the server can be done via VPN into the LAN and then going to unnraid.domain.tld.

 

As far as validation goes, your server does not need to be reachable from the internet as long as you use dns validation. Your server (the container) will connect to the letsencrypt servers and get a key, post it on cloudflare (or another supported dns provider) and then the letsencrypt servers will connect to the dns server to check the txt record. They won't try and connect to your unraid machine. The only connection from unraid will be outgoing. 

 

My question is, what is your purpose for getting the cert? If you want to use the cert for openvpn, you can use letsencrypt to get it and manage it, and then you can mount the folder in the openvpn container and point to the cert. 

 

If you want to use it for local connections but still with third party validation, I guess you can do that as long as your dns directs local clients to the local address when they query for the domain name (pfsense will do it with dns resolver). 

Edited by aptalca
  • Like 1
Link to comment
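A small model of the dns-01 exchange aptalca describes above, added here as an example (not certbot or linuxserver code): the container publishes a TXT record through the DNS provider's API and the CA only resolves that record, so nothing on the Unraid host has to be reachable from the internet. The DNS provider is a dict standing in for the plugin's API and the account-key thumbprint is a constructed constant.

```python
"""Model of the ACME dns-01 exchange (RFC 8555 section 8.4).
Added example, not certbot or linuxserver code. The DNS provider is a dict
standing in for the dns plugin's API (cloudflare, route53, ...); the account
key thumbprint is a constructed constant. The CA only resolves a TXT record,
so the host requesting the cert needs no inbound port."""
import base64
import hashlib
import secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def challenge_name(domain: str) -> str:
    """Wildcard (*.example.tld) and apex both validate at _acme-challenge.example.tld."""
    base = domain[2:] if domain.startswith("*.") else domain
    return "_acme-challenge." + base

def txt_value(token: str, thumbprint: str) -> str:
    """TXT content = base64url(SHA-256(token '.' account-key-thumbprint))."""
    return b64url(hashlib.sha256(f"{token}.{thumbprint}".encode()).digest())

class DnsProvider:
    """Stand-in for the provider API; set_txt is the only outbound call needed."""
    def __init__(self):
        self.records = {}
    def set_txt(self, name, value):
        self.records[name] = value
    def resolve_txt(self, name):
        return self.records.get(name)

def client_publish_challenge(dns, domain, token, thumbprint):
    """Container side: publish the proof via the DNS API; nothing listens locally."""
    dns.set_txt(challenge_name(domain), txt_value(token, thumbprint))

def ca_validate(dns, domain, token, thumbprint):
    """CA side: a DNS lookup only, never a connection to the name's A record."""
    return dns.resolve_txt(challenge_name(domain)) == txt_value(token, thumbprint)

def demo(domain="*.unraid.example.test"):
    thumbprint = b64url(b"constructed-account-key-thumbprint")
    token = b64url(secrets.token_bytes(32))  # issued by the CA per authorization
    dns = DnsProvider()
    client_publish_challenge(dns, domain, token, thumbprint)
    return ca_validate(dns, domain, token, thumbprint)
```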

I'm receiving this error in the letsencrypt logfile but can't find a solution.

   

nginx: [emerg] PEM_read_bio_X509_AUX("/config/keys/letsencrypt/fullchain.pem") failed (SSL: error:09FFF06C:PEM routines:CRYPTO_internal:no start line:Expecting: TRUSTED CERTIFICATE)

 

Link to comment
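Two of the start-up failures in this thread can be checked before restarting the container: aptalca's Issue 3 (a second site config claiming default_server for the same socket, including stale copies of site-confs/default, which the image's nginx.conf loads via site-confs/*) and the "no start line" error above, which means fullchain.pem holds no PEM certificate. The checker below is an added example, not linuxserver.io code; it builds sample files in a temp dir whose paths mirror the container's /config layout.

```python
"""Preflight checks for a SWAG/letsencrypt config volume (added example, not
linuxserver.io code). Two failures from this thread: nginx refusing to start
when more than one file under site-confs/ claims default_server for the same
socket (nginx.conf includes site-confs/*, so stale copies are parsed too), and
the 'no start line' error when fullchain.pem contains no PEM certificate.
Sample files are constructed in a temp dir; paths mirror the container's."""
import re
import tempfile
from pathlib import Path

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)
PEM_RE = re.compile(r"-----BEGIN (TRUSTED )?CERTIFICATE-----")


def find_default_server_conflicts(site_confs_dir):
    """Return {socket: [files]} for sockets declared default_server more than once."""
    owners = {}
    for conf in sorted(Path(site_confs_dir).iterdir()):
        if not conf.is_file():
            continue
        for match in LISTEN_RE.finditer(conf.read_text(errors="replace")):
            tokens = match.group(1).split()  # e.g. ['443', 'ssl', 'default_server']
            if "default_server" in tokens:
                owners.setdefault(tokens[0], []).append(conf.name)
    return {sock: files for sock, files in owners.items() if len(files) > 1}


def pem_has_certificate(pem_path):
    """False when the file is missing, empty or not PEM, i.e. what nginx rejects."""
    path = Path(pem_path)
    if not path.is_file():  # also catches a dangling symlink into etc/letsencrypt/live
        return False
    return PEM_RE.search(path.read_text(errors="replace")) is not None


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        confs = Path(tmp, "nginx", "site-confs")
        confs.mkdir(parents=True)
        (confs / "default").write_text(
            "server {\n    listen 443 ssl http2 default_server;\n    server_name _;\n}\n")
        # a backup copy left beside the live file; nginx still loads it
        (confs / "default.bak").write_text("server {\n    listen 443 ssl default_server;\n}\n")
        keys = Path(tmp, "keys", "letsencrypt")
        keys.mkdir(parents=True)
        (keys / "fullchain.pem").write_text("")  # certbot never wrote the chain
        return find_default_server_conflicts(confs), pem_has_certificate(keys / "fullchain.pem")
```

Run it against the real /config volume by pointing the two functions at /config/nginx/site-confs and /config/keys/letsencrypt/fullchain.pem.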
17 hours ago, aptalca said:

 

Issue 1: you are redirecting from www.yourdomain to yourdomain, however you have the option only_subdomains set to true, so your cert only covers www, but not yourdomain

Issue 2: are you using ldap for authorization? How is that set up? 

Issue 3: nginx isn't even starting for you because you have another site config enabled somewhere with a server block that contains the "default_server" directive

Ok I removed the rule for #1.
#2 sorry I couldn't figure out what this means - no reference ldap in my settings

#3 - I discovered other versions of my site-conf/default file which seemed to be interfering - removed these and I can now access the nginx home page externally! I have hope that this could work.

 

Ok, so I know LE is working! But how do I access my dockers?

 

[domain].duckdns.org/ombi gives a 500 error

here's my ombi setting in site-conf/default

 

#OMBI CONTAINER
location /ombi {
    auth_request /auth-4;
    proxy_pass http://192.168.1.146:3579/ombi;
    include /config/nginx/proxy.conf;
}

TY!

Edited by Odessa
Link to comment
34 minutes ago, Odessa said:

Ok I removed the rule for #1.
#2 sorry I couldn't figure out what this means - no reference ldap in my settings

#3 - I discovered other versions of my site-conf/default file which seemed to be interfering - removed these and I can now access the nginx home page externally! I have hope that this could work.

 

Ok, so I know LE is working! But how do I access my dockers?

 

[domain].duckdns.org/ombi gives a 500 error

here's my ombi setting in site-conf/default

 


#OMBI CONTAINER
location /ombi {
    auth_request /auth-4;
    proxy_pass http://192.168.1.146:3579/ombi;
    include /config/nginx/proxy.conf;
}

TY!

 

What are you trying to accomplish with the auth_request line? What is /auth-4 referring to?

 

Just remove that ombi config and use the built-in one. Instructions here: https://github.com/linuxserver/docker-letsencrypt/blob/master/README.md#site-config-and-reverse-proxy

Edited by aptalca
Link to comment
20 minutes ago, aptalca said:

 

What are you trying to accomplish with the auth_request line? What is /auth-4 referring to?

Just remove that ombi config and use the built-in one. Instructions here: https://github.com/linuxserver/docker-letsencrypt/blob/master/README.md#site-config-and-reverse-proxy

 

Ok thank you, I found the readme file. I used the built-in config and set the ombi base URL but it still gives a 500 error:

 

location /ombi {
    return 301 $scheme://$host/ombi/;
}

location /ombi/ {
#    auth_basic "Restricted";
#    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_ombi ombi;
    proxy_pass http://$upstream_ombi:3579;
}

if ($http_referer ~* /ombi/) {
    rewrite ^/dist/(.*) $scheme://$host/ombi/dist/$1 permanent;
}

 

Link to comment
8 minutes ago, Odessa said:

 

Ok thank you, I found the readme file. I used the built-in config and set the ombi base URL but it still gives a 500 error:

 


location /ombi {
    return 301 $scheme://$host/ombi/;
}

location /ombi/ {
#    auth_basic "Restricted";
#    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_ombi ombi;
    proxy_pass http://$upstream_ombi:3579;
}

if ($http_referer ~* /ombi/) {
    rewrite ^/dist/(.*) $scheme://$host/ombi/dist/$1 permanent;
}

 

 

Did you put both letsencrypt and ombi on the same custom network as described in the readme? Are you using the default default site config, which has the include statement inside the server block for the proxy-confs? If you modified that part, delete the default site config and restart. After that navigate to https://yourdomain/ombi

Link to comment
On 6/2/2018 at 9:09 PM, aptalca said:

 

I use unifi, but only for APs. The router is pfsense

OK, thanks.

 

Looking back, the initial problems I had setting up this container look like they were because of this need to restart the USG router to get the port forwarding working again.  Also explains why it "magically" started working for me.  I imagine the router upgraded itself and rebooted.

Link to comment
21 hours ago, aptalca said:

Did you put both letsencrypt and ombi on the same custom network as described in the readme? 

tbh this is way over my head. How would you explain this to someone who isn't a networking expert?

 

Quote

If you are using unraid, create a custom network in command line, then go to docker service settings (under advanced) and 
set the option "Preserve user defined networks:" to "Yes". Then in each container setting, do one of the following:
  2) Unraid 6.5.1 or later - in the network type dropdown, select "Custom : [networkname]".
  You would have to do the above for the letsencrypt container as well, so they are all on the same custom network.

 

I am looking in docker advanced view, tools, network settings... I don't see any of these options.

 

thanks

 

Link to comment
1 hour ago, Odessa said:

tbh this is way over my head. How would you explain this to someone who isn't a networking expert?

 

 

I am looking in docker advanced view, tools, network settings... I don't see any of these options.

 

thanks

 

Creating a custom network in command line, just four lines above: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/proxy-confs/_readme#L24

 

The preserve setting is under docker settings, advanced view (see screenshot). The rest is in container settings. It says "Then in each container setting, do one of the following:" so you need to look for that option in container settings, not docker settings. 

 

I recommend reading the entire document first, before attempting changes so you understand all the steps first. 

(screenshot of the docker settings page, advanced view)

Link to comment
On 6/6/2018 at 2:01 AM, aptalca said:

My question is, what is your purpose for getting the cert? If you want to use the cert for openvpn, you can use letsencrypt to get it and manage it, and then you can mount the folder in the openvpn container and point to the cert. 


 

The main purpose is that I have a clean URL while maintaining a TLS connection so my drives can be encrypted. I know that I could mock the URL with a custom DNS, but for now, an A record to my local IP does the deal. Same goes for nextcloud.domain.tld pointing to Nextcloud's docker IP address.

 

However, I think I have to accept that I have to use Cloudflare (or a different supported provider, preferably route53), open up my server so I can use http validation (won't do that) or obtain the cert manually. In this case, option #3 seems to be the one I have to take until I've got some spare time to evaluate a domain move to route53; Cloudflare is too sketchy for me.

Edited by Aluavin
Link to comment
31 minutes ago, Aluavin said:

 

The main purpose is that I have a clean URL while maintaining a TLS connection so my drives can be encrypted. I know that I could mock the URL with a custom DNS, but for now, an A record to my local IP does the deal. Same goes for nextcloud.domain.tld pointing to Nextcloud's docker IP address.

 

However, I think I have to accept that I have to use Cloudflare (or a different supported provider, preferably route53), open up my server so I can use http validation (won't do that) or obtain the cert manually. In this case, option #3 seems to be the one I have to take until I've got some spare time to evaluate a domain move to route53; Cloudflare is too sketchy for me.

 

Ok, I get it now.

 

But how is cloudflare sketchy if you're only going to use it to set the A record to a local ip that will only work inside your lan? You don't have to move your domain anywhere. You just point your nameservers on your domain host to cloudflare's nameservers.

Link to comment
On 6/6/2018 at 10:12 PM, aptalca said:

Creating a custom network in command line, just four lines above: https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/proxy-confs/_readme#L24

The preserve setting is under docker settings, advanced view (see screenshot). The rest is in container settings. It says "Then in each container setting, do one of the following:" so you need to look for that option in container settings, not docker settings. 

I recommend reading the entire document first, before attempting changes so you understand all the steps first. 

 

OMG it worked, thank you @aptalca. I will make a donation. I must say it is extremely difficult for a docker newbie to figure out. No other docker approached this level of troubleshooting. Thanks for walking me through. I may create a user friendly guide.

Link to comment

Hello guys.

I'm having a little trouble right from the start. So I installed the docker, but I get an execution error (server error) when I try to start it.

When I try to change the ports I get this error message:

/usr/bin/docker: Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (562d830479261e90e8ad0a784fb2d05da0e1e122aae19e393fab7bf4d4c5bcc8): Error starting userland proxy: listen tcp 0.0.0.0:445: bind: address already in use.

The command failed.

What am I doing wrong? (I am running on Unraid 6.5.0)


Edited by Heciruam
Link to comment
1 hour ago, Heciruam said:

Hello guys.

I'm having a little trouble right from the start. So I installed the docker, but I get an execution error (server error) when I try to start it.

When I try to change the ports I get this error message:


/usr/bin/docker: Error response from daemon: driver failed programming external connectivity on endpoint letsencrypt (562d830479261e90e8ad0a784fb2d05da0e1e122aae19e393fab7bf4d4c5bcc8): Error starting userland proxy: listen tcp 0.0.0.0:445: bind: address already in use.

The command failed.

What am I doing wrong? (I am running on Unraid 6.5.0)


 

It says that port 445 is in use by something else. Pick a different port

  • Like 2
Link to comment
