[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


2 hours ago, bmdegraaf said:

I am using the preset. The only thing I changed was the port number of the proxy pass:

server {
    listen 443 ssl;

    server_name nextcloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_nextcloud nextcloud;
        proxy_max_temp_file_size 2048m;
        proxy_pass https://$upstream_nextcloud:444/;
    }
}

You're not supposed to change the port.

It tells you what you need to do at the top. It does not tell you to change the port?

Edited by aptalca

Having trouble with the LE container :(

All I did was edit the site-confs/default and uncomment the 80 to 443 redirect with nano.

[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [emerg] duplicate location "/" in /config/nginx/site-confs/default:28
Server ready
nginx: [emerg] duplicate location "/" in /config/nginx/site-confs/default:28
nginx: [emerg] duplicate location "/" in /config/nginx/site-confs/default:28
nginx: [emerg] duplicate location "/" in /config/nginx/site-confs/default:28
nginx: [emerg] duplicate location "/" in /config/nginx/site-confs/default:28
nginx: [emerg] duplicate location "/" in /config/nginx/site-confs/default:28

-edit-

Found the culprit. All the proxy-conf subfolder conf files have a /servicename and organizr just has the /.

Edited by Tuumke
1 hour ago, Tuumke said:

Found the culprit. All the proxy-conf subfolder conf files have a /servicename and organizr just has the /.

https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/proxy-confs/organizr.subfolder.conf.sample#L2

?
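The `duplicate location "/"` error in Tuumke's log comes from the default site conf and an enabled subfolder conf both declaring `location / {` inside the one server block that the `include` line merges them into. The script below is an added example (not code from the linuxserver container or from nginx) that scans a set of conf texts and reports which files declare the same location key; the three conf texts in SAMPLE_FILES are constructed stand-ins for the default site conf and two subfolder confs, not copies of the real .sample files.

```python
"""Find nginx `location` prefixes that are declared more than once.

Added example for this thread, not code from the linuxserver/SWAG container.
SWAG's site-confs/default includes every proxy-confs/*.subfolder.conf into the
same `server { }` block, so a subfolder conf that declares `location / {`
alongside the default's own `location / {` produces
`nginx: [emerg] duplicate location "/"`. The config texts in SAMPLE_FILES are
constructed stand-ins, not copies of the real .sample files. `nginx -t` remains
the authority on what nginx will accept; this only tells you which files to open.
"""
from __future__ import annotations

import re
from collections import defaultdict

# `location [ = | ~ | ~* | ^~ ] uri {`  (modifier group is optional)
LOCATION_RE = re.compile(r"^\s*location\s+(?:(=|~\*|~|\^~)\s+)?(\S+)\s*\{", re.MULTILINE)


def location_key(modifier: str, uri: str) -> str:
    """Collapse a location into the key nginx compares when detecting clashes.

    nginx allows `location = /x` next to `location /x` (exact vs prefix), but
    `location /x` and `location ^~ /x` are both prefix locations on the same
    string and clash. Regex locations are kept apart by modifier and pattern.
    """
    if modifier == "=":
        kind = "exact"
    elif modifier in ("~", "~*"):
        kind = "regex" + modifier
    else:
        kind = "prefix"
    return f"{kind} {uri}"


def location_keys(conf_text: str) -> list[str]:
    """All location keys declared in one config text, in file order."""
    return [location_key(mod, uri) for mod, uri in LOCATION_RE.findall(conf_text)]


def find_duplicate_locations(files: dict[str, str]) -> dict[str, list[str]]:
    """Map each location key declared more than once to the files declaring it."""
    seen: dict[str, list[str]] = defaultdict(list)
    for name, text in files.items():
        for key in location_keys(text):
            seen[key].append(name)
    return {key: names for key, names in seen.items() if len(names) > 1}


# Constructed sample: the default site conf plus two subfolder confs, which
# nginx merges into one server block through the `include` on the last line.
SAMPLE_FILES = {
    "site-confs/default": (
        "server {\n"
        "    listen 443 ssl;\n"
        "    location / {\n"
        "        try_files $uri $uri/ /index.html /index.php?$args =404;\n"
        "    }\n"
        "    include /config/nginx/proxy-confs/*.subfolder.conf;\n"
        "}\n"
    ),
    "proxy-confs/organizr.subfolder.conf": (
        "location / {\n"
        "    include /config/nginx/proxy.conf;\n"
        "    proxy_pass http://organizr:80;\n"
        "}\n"
    ),
    "proxy-confs/tautulli.subfolder.conf": (
        "location /tautulli {\n"
        "    include /config/nginx/proxy.conf;\n"
        "    proxy_pass http://tautulli:8181;\n"
        "}\n"
    ),
}

if __name__ == "__main__":
    for key, names in find_duplicate_locations(SAMPLE_FILES).items():
        print(f'duplicate location "{key}" in: {", ".join(names)}')
```

Run against real files by reading /config/nginx/site-confs/default and every enabled /config/nginx/proxy-confs/*.subfolder.conf into the dict; the organizr sample is meant to own `/`, so the fix is either to leave the default's `location /` commented out, as the organizr sample's header line describes, or to keep organizr disabled, not to edit both to the same prefix. Confirm the result with `nginx -t` inside the container (for example `docker exec <container-name> nginx -t`, container name assumed).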
3 minutes ago, hermy65 said:

I'm getting emails from Let's Encrypt about my certs expiring soon. Do I need to do anything, or does it take care of it on its own?

Have you recently made any changes, from say registering specific subdomains to now using wildcards?

Also, I believe the certs need to renew every 90 days, so if you haven't rebooted your container within the past 90 days you may be nearing that deadline.
3 minutes ago, IamSpartacus said:

Also, I believe the certs need to renew every 90 days, so if you haven't rebooted your container within the past 90 days you may be nearing that deadline.

No need to reboot the container, as there's a cron job that checks for renewal of the certs.

Hi,

The instructions state to forward the port you are using for this container to the Docker host in your router.

I have got the container listening on a specific IP in bridge mode, and my router can see this IP for the container.

So I've got forwarding configured.

However, nginx does not seem to start at all.

I have a custom config in site-confs.

Running netstat shows nginx not running.

Any ideas?

Edited by nekromantik
25 minutes ago, nekromantik said:

However, nginx does not seem to start at all. I have a custom config in site-confs. Running netstat shows nginx not running. Any ideas?

Docker run command and logs.
8 hours ago, nekromantik said:

So the Docker logs show it can't connect to port 80 for validation.

It's not my router, as other ports I have forwarded from the WAN work.

Does the container run iptables, blocking all incoming connections?

No, something else is blocking port 80. Check your ISP isn't blocking port 80. This isn't a container issue, it's an issue outside the container. Nginx won't start unless LetsEncrypt completes validation.
7 hours ago, CHBMB said:

No, something else is blocking port 80. Check your ISP isn't blocking port 80. This isn't a container issue, it's an issue outside the container. Nginx won't start unless LetsEncrypt completes validation.

Got that issue fixed.

It was not the ISP blocking; it was the router not forwarding 80, so I changed to 8080 on the container and forwarded from 80 to 8080.

But now I am getting a 404 Not Found error when it tries to validate.

Here is the log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...
usermod: no changes

-------------------------------------
Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=nekromantik.io
SUBDOMAINS=www,nextcloud
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=xx@xx.com
STAGING=

Backwards compatibility check. . .
No compatibility action needed
2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.nekromantik.io -d nextcloud.nekromantik.io
E-mail address entered: nekromantik@outlook.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nekromantik.io
http-01 challenge for nextcloud.nekromantik.io
http-01 challenge for www.nekromantik.io
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. www.nekromantik.io (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.nekromantik.io/.well-known/acme-challenge/M7U5BloCEAFN4O9RC8nGjDfF5R_xrIfpQ35lDaKE1x8: "<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: www.nekromantik.io
Type: unauthorized
Detail: Invalid response from
http://www.nekromantik.io/.well-known/acme-challenge/M7U5BloCEAFN4O9RC8nGjDfF5R_xrIfpQ35lDaKE1x8:
"<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
nginx: [warn] "ssl_stapling" ignored, issuer certificate not found for certificate "/config/keys/cert.crt"

I wondered if anything had changed recently that I've missed?

I am using http validation.

The odd thing is, I have not pointed any configs to that cert, as the letsencrypt certs are elsewhere...

Thanks

Edited by local.bin

Request for support for the ngx_stream_geoip module to be added, please.

load_module modules/ngx_stream_geoip_module.so;

--with-stream_geoip_module

Thanks for the consideration.

Edit: I added apk add nginx-mod-stream-geoip, which seemed to solve the module loading issue.

Edited by local.bin
2 hours ago, local.bin said:

Request for support for the ngx_stream_geoip module to be added, please.

Edit: I added apk add nginx-mod-stream-geoip, which seemed to solve the module loading issue.

It's already in there:

https://github.com/linuxserver/docker-letsencrypt/blob/master/Dockerfile#L36

Are you supposed to be able to see the default index.html landing page even if there are errors loading certs?

I have the ports forwarded on my firewall, but even if I go to the local IP:port I don't get anything like I do if I just load up a plain nginx docker. I just get the default "This site can’t be reached" page in Chrome.

I also tried using a custom br0 interface so this docker would get its own IP and could use ports 80 and 443 on its own, and still no landing page.

Here's the error I'm getting, but I fear it's because nginx isn't starting up correctly for some reason.

Failed authorization procedure. zyphermonkey.strangled.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://zyphermonkey.strangled.net/.well-known/acme-challenge/0FLixOl9CLlYQEihDp7YvgO-I6GnyYZGjM7Jvb2Vvjg: Timeout during connect (likely firewall problem)

and

Domain: zyphermonkey.strangled.net
Type: connection
Detail: Fetching
http://zyphermonkey.strangled.net/.well-known/acme-challenge/0FLixOl9CLlYQEihDp7YvgO-I6GnyYZGjM7Jvb2Vvjg:
Timeout during connect (likely firewall problem)
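The two http-01 failures in this thread are different symptoms of the same pre-condition CHBMB describes: the CA must be able to fetch http://<domain>/.well-known/acme-challenge/<token> from the public internet on port 80. nekromantik's log shows a 404 (port 80 reaches a web server, but not the one holding the token, so the host or port mapping is wrong), while zyphermonkey's shows a connect timeout (nothing on the WAN side forwards port 80 at all). The script below is an added example, not code from the linuxserver container or from certbot: it serves a constructed token the way certbot's standalone authenticator does and fetches it the way the CA does, mapping the outcome onto those two cases. Token and key-authorization strings are constructed sample values; the hostname, port and timeout are parameters you supply.

```python
"""Pre-flight check for an ACME http-01 challenge, mirroring the CA's fetch.

Added example for this thread, not code from the linuxserver/SWAG container or
from certbot. start_challenge_server() serves one constructed token under
/.well-known/acme-challenge/ the way certbot's standalone authenticator does;
classify_http01() fetches that URL the way the CA does and maps the outcome
onto the failures seen in this thread: "timeout" when nothing on the WAN side
forwards port 80 to the container, "not-found" when port 80 reaches some web
server, but not the one holding the token. Token and key-authorization values
below are constructed sample data.
"""
from __future__ import annotations

import http.server
import socket
import threading
import urllib.error
import urllib.request

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"


def start_challenge_server(token: str, key_authorization: str,
                           host: str = "127.0.0.1", port: int = 0):
    """Serve exactly one challenge file; everything else gets a 404.

    Returns (server, bound_port). port=0 lets the OS choose a free port; bind
    port 80 (needs root or CAP_NET_BIND_SERVICE) to test real port forwarding.
    """
    path = CHALLENGE_PREFIX + token
    body = key_authorization.encode("ascii")

    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            if self.path != path:
                self.send_error(404)
                return
            self.send_response(200)
            self.send_header("Content-Type", "application/octet-stream")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *_args):
            pass  # keep the example quiet

    server = http.server.ThreadingHTTPServer((host, port), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def classify_http01(host: str, token: str, key_authorization: str,
                    port: int = 80, timeout: float = 5.0) -> str:
    """Fetch the challenge URL as the CA would and classify what comes back.

    Returns "ok", "wrong-content", "not-found", "http-<code>", "timeout",
    "refused" or "unreachable".
    """
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    request = urllib.request.Request(url, headers={"User-Agent": "http01-preflight"})
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            body = response.read(4096).decode("ascii", "replace")
    except urllib.error.HTTPError as err:
        # 404: port 80 lands on a web server that is not serving the challenge
        # (wrong host/port mapping, or a different vhost answering).
        return "not-found" if err.code == 404 else f"http-{err.code}"
    except urllib.error.URLError as err:
        if isinstance(err.reason, (socket.timeout, TimeoutError)):
            return "timeout"          # nothing answers: no forward, or filtered
        if isinstance(err.reason, ConnectionRefusedError):
            return "refused"          # host reachable, port closed
        return "unreachable"          # DNS failure, no route, etc.
    except (socket.timeout, TimeoutError):
        return "timeout"              # connected, but no reply in time
    return "ok" if body.strip() == key_authorization else "wrong-content"


if __name__ == "__main__":
    # Constructed sample token; the real one is minted by the CA per challenge.
    server, bound_port = start_challenge_server("sample-token", "sample-token.sample-thumbprint")
    print(classify_http01("127.0.0.1", "sample-token", "sample-token.sample-thumbprint", port=bound_port))
    server.shutdown()
    server.server_close()
```

Run the server half on the Docker host with port=80 (or on whatever host port you forward to the container's port 80) while the container is stopped, then run classify_http01 against your public hostname from a machine outside your LAN; running it from inside the LAN only tests NAT hairpinning, not what the CA sees. "refused" with a correct forward usually means the host port is open but nothing is listening, which is what zyphermonkey's swapped container/host ports would produce.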

Okay, so I got that part fixed. I have no idea how it happened, but the "container ports" got changed to match the "host ports" and obviously nothing worked after that.

Now I'm trying to set up some subfolder services, and the only way I can get them to work without getting a 500 error is to have the following, with a lot of the default settings commented out. I don't think I should be doing this. Is there something I need to configure in proxy.conf to get the default way to work?

# first go into tautulli settings, under "Web Interface", click on show advanced, set the HTTP root to /tautulli and restart the tautulli container
# to enable password access, uncomment the two auth_basic lines

location /tautulli {
#    auth_basic "Restricted";
#    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
#    resolver 127.0.0.11 valid=30s;
#    set $upstream_tautulli tautulli;
#    proxy_pass http://$upstream_tautulli:8181;
    proxy_pass http://192.168.1.10:8282;
}
