[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


5641 posts in this topic Last Reply

Recommended Posts

On 8/3/2018 at 2:35 AM, CHBMB said:

Same as what I do. Generally I try and use .htpasswd but for some services it just doesn't work well, such as those you've mentioned.

Sent from my Mi A1 using Tapatalk
 

 

 

Thanks for the feedback!

Link to post
  • Replies 5.6k
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

I will only post this once. Feel free to refer folks to this post.   A few points of clarification:   The last update of this image didn't break things. Letsencrypt abruptly disabl

Application Name: SWAG - Secure Web Application Gateway Application Site:  https://docs.linuxserver.io/general/swag Docker Hub: https://hub.docker.com/r/linuxserver/swag Github: https:/

There is a PR just merged, it will be in next Friday's image, and will let you append php.ini via editing a file in the config folder   If you want to see how the sausage is made: https://gi

Posted Images

I'm in the process of building a landing page that has built in authentication and Google Recaptcha support.  I need to port my custom PHP framework to PHP7 and it relies on Composer for package management.  My goal is to build something simple yet secure with bcrypt hashing and support for MySQL or MongoDB.  If all goes well I will be hosting the code on Github for others to use.  

 

Planned features:

- Authentication with username/password

- MongoDB and MySQL support

- Admin CMS for adding links and icons

- Landing page that looks similar to the Chrome Apps view

- User management

- Activation email support (not sure how this will work just yet)

 

Nice to haves:

- Google account linking with 2 factor authentication

 

Probably some lofty goals but being a developer by trade I already have most of the code ready to go.  Just need help getting Composer set up.  I'm not sure which install method would be best suited for a docker environment.  Should I install directly to this container or stand up a composer docker and map its volumes to letsencrypt?

 

Any help would be greatly appreciated

Link to post
I'm in the process of building a landing page that has built in authentication and Google Recaptcha support.  I need to port my custom PHP framework to PHP7 and it relies on Composer for package management.  My goal is to build something simple yet secure with bcrypt hashing and support for MySQL or MongoDB.  If all goes well I will be hosting the code on Github for others to use.  
 
Planned features:
- Authentication with username/password
- MongoDB and MySQL support
- Admin CMS for adding links and icons
- Landing page that looks similar to the Chrome Apps view
- User management
- Activation email support (not sure how this will work just yet)
 
Nice to haves:
- Google account linking with 2 factor authentication
 
Probably some lofty goals but being a developer by trade I already have most of the code ready to go.  Just need help getting Composer set up.  I'm not sure which install method would be best suited for a docker environment.  Should I install directly to this container or stand up a composer docker and map its volumes to letsencrypt?
 
Any help would be greatly appreciated
Awesome, I hope lsio team can lend a helping .

Sent from my BND-L34 using Tapatalk

Link to post

Thanks to @CHBMB and @bonienl for their very clear responses. It clears a lot of stuff up.

 

Now I have yet another question. Yesterday when I clicked on the docker icon in the docker page on the GUI I had the option to look at the logs, but now for some reason it's gone and I can't find the logs in the appdata folder either. Does anyone know how I can get that option back?

Link to post
8 minutes ago, crazygambit said:

Thanks to @CHBMB and @bonienl for their very clear responses. It clears a lot of stuff up.

 

Now I have yet another question. Yesterday when I clicked on the docker icon in the docker page on the GUI I had the option to look at the logs, but now for some reason it's gone and I can't find the logs in the appdata folder either. Does anyone know how I can get that option back?

 

As far as I know the way to view logs is by clicking the icon on the far right.

Link to post

I see that sendmail is installed in the docker container.

Is there a particular way to set it up in a way so that after every reboot/update the settings will stick? (To work for PHP sites and scripts)

 

And I can't actually see the "/etc/mail/sendmail.conf" config file though for example?

Otherwise, I would just create a Path variable and map it under "appdata/letsencrypt/sendmail.conf" for example and make it permanent that way.

 

Edit:

In the meanwhile, I utilized ssmtp and mailutils and filled in the blanks so to speak.

Edited by Arndroid
Link to post
1 hour ago, CHBMB said:

 

As far as I know the way to view logs is by clicking the icon on the far right.

 

That's weird, I'm 100% sure that option was there yesterday. Indeed clicking on the icon on the far right works, I hadn't noticed because I was using advanced view.

 

I finally managed to get Tautulli working well, but I'm having some issues with Ombi. I get to the login page fine, but after I login I'm getting "400 Bad Request The plain HTTP request was sent to HTTPS port". I'm following the template of the readme, but not the custom docker network, so I put in my IP address.

Edited by crazygambit
Link to post
2 hours ago, CHBMB said:

You've put https somewhere where it should be http

 

I don't think that's quite it. In fact if I change it from http to https in the Ombi section I immediately get a 502 Bad Getaway error and don't even get to see the login info. I suspect it has to do with Ombi requiring the blocks of code before and after the typical proxy pass stuff. Here's my current try, I'd love to see how you have it setup if you're using Ombi.

 

location /ombi {
    return 301 $scheme://$host/ombi/;
}

location /ombi/ {
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.0.11:3579;
}

if ($http_referer ~* /ombi/) {
    rewrite ^/dist/(.*) $scheme://$host/ombi/dist/$1 permanent;
}

 

Link to post
1 minute ago, crazygambit said:

 

I don't think that's quite it. In fact if I change it from http to https in the Ombi section I immediately get a 502 Bad Getaway error and don't even get to see the login info. I suspect it has to do with Ombi requiring the blocks of code before and after the typical proxy pass stuff. Here's my current try, I'd love to see how you have it setup if you're using Ombi.

 


location /ombi {
    return 301 $scheme://$host/ombi/;
}

location /ombi/ {
    include /config/nginx/proxy.conf;
    proxy_pass http://192.168.0.11:3579;
}

if ($http_referer ~* /ombi/) {
    rewrite ^/dist/(.*) $scheme://$host/ombi/dist/$1 permanent;
}

 

 

 

Link to post
Just now, crazygambit said:

I'll take a look. I just realize that if I manually type "https://" before the url giving the 400 Bad Request error it actually works. Of course it's not ideal though.

 

Then it's not redirecting.  No error.  I use this to redirect all my traffic from http to https.

 

server {
	listen 80;
	server_name server.com;
	return 301 https://server.com$request_uri;
}

 

Link to post
27 minutes ago, CHBMB said:

 

Then it's not redirecting.  No error.  I use this to redirect all my traffic from http to https.

 


server {
	listen 80;
	server_name server.com;
	return 301 https://server.com$request_uri;
}

 

For some reason it's not making any difference. It still works if I manually redirect, but otherwise, no dice.

Link to post
21 hours ago, sansoo22 said:

I'm in the process of building a landing page that has built in authentication and Google Recaptcha support.  I need to port my custom PHP framework to PHP7 and it relies on Composer for package management.  My goal is to build something simple yet secure with bcrypt hashing and support for MySQL or MongoDB.  If all goes well I will be hosting the code on Github for others to use.  

 

Planned features:

- Authentication with username/password

- MongoDB and MySQL support

- Admin CMS for adding links and icons

- Landing page that looks similar to the Chrome Apps view

- User management

- Activation email support (not sure how this will work just yet)

 

Nice to haves:

- Google account linking with 2 factor authentication

 

Probably some lofty goals but being a developer by trade I already have most of the code ready to go.  Just need help getting Composer set up.  I'm not sure which install method would be best suited for a docker environment.  Should I install directly to this container or stand up a composer docker and map its volumes to letsencrypt?

 

Any help would be greatly appreciated

 

We already developed a landing page which is called Heimdall. You can check it out at https://github.com/linuxserver/Heimdall. Might be you could contribute there? 

Link to post
34 minutes ago, saarg said:

 

We already developed a landing page which is called Heimdall. You can check it out at https://github.com/linuxserver/Heimdall. Might be you could contribute there? 

 

That's awesome!  Working on setting it up now.  My main goal for starting this was to add a more secure authentication layer and the ability to invite friends and family.  I will pull the repo down and take a look at it.  Thanks for sharing this!

Link to post
 
That's awesome!  Working on setting it up now.  My main goal for starting this was to add a more secure authentication layer and the ability to invite friends and family.  I will pull the repo down and take a look at it.  Thanks for sharing this!
Pop by our Discord channel, https://discord.gg/YWrKVTn
@Kode is the author of Heimdall and can be found there, as well as a dedicated channel for Heimdall.

Sent from my Mi A1 using Tapatalk

Link to post

So followed Gridrunner's video and everything went fine until now. I'm just not sure why I'm getting this loop in the log: " nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /config/nginx/site-confs/default.txt:7

Can I go ahead with the tutorial or is something wrong?

 



ErrorWarningSystemArrayLogin

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=MYDOMAIN
SUBDOMAINS=nextcloud,emby,sonarr,radarr
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
DHLEVEL=2048
VALIDATION=http
DNSPLUGIN=
EMAIL=MYEMAIL
STAGING=

2048 bit DH parameters present
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d nextcloud.MYDOMAIN -d emby.MYDOMAIN -d sonarr.MYDOMAIN -d radarr.MYDOMAIN
E-mail address entered: MYEMAIL
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for emby.MYDOMAIN
http-01 challenge for radarr.MYDOMAIN
http-01 challenge for sonarr.MYDOMAIN
http-01 challenge for nextcloud.MYDOMAIN
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/nextcloud.MYDOMAIN/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/nextcloud.MYDOMAIN/privkey.pem
Your cert will expire on 2018-11-04. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /config/nginx/site-confs/default.txt:7
Server ready
nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /config/nginx/site-confs/default.txt:7
nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /config/nginx/site-confs/default.txt:7
nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /config/nginx/site-confs/default.txt:7
nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /config/nginx/site-confs/default.txt:7
nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /config/nginx/site-confs/default.txt:7
nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /config/nginx/site-confs/default.txt:7
nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /config/nginx/site-confs/default.txt:7
nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /config/nginx/site-confs/default.txt:7
nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /config/nginx/site-confs/default.txt:7
nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /config/nginx/site-confs/default.txt:7
nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /config/nginx/site-confs/default.txt:7
nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /config/nginx/site-confs/default.txt:7

 

Link to post
16 minutes ago, Heciruam said:

Can I go ahead with the tutorial or is something wrong?

Something is definitely wrong, and you can't proceed until you straighten it out.

 

Was this a fresh pull or have you already played with it before following the tutorial?

 

In a nutshell, the error is telling you that there are multiple places in your config files where a default server is defined, so you need to go through them and remove the duplicate entry.

 

If this was a fresh pull, and you are SURE you followed the directions exactly, you may want to message @gridrunner and let him know where and how it went wrong.

Link to post

Yep it wasn't a fresh pull. I have been trying to set this up before. If I delete the docker and the data in the appdata share, will that be enough for a fresh pull or do I have to delete something else (like something of the bootstick) as well?

 

Edit:

Ok a fresh pull helped! Thank you!

Edited by Heciruam
Link to post

I’m getting a warning in my log about hash and can’t seem to fix it.

I can’t post a config right now but this is a clean install and the only thing changed is proxy.conf files subdomain. Everything seams to work fine but I’m getting this in the log

 nginx: [warn] could not build optimal types_hash, you should increase either types_hash_max_size: 2048 or types_hash_bucket_size: 64; ignoring types_hash_bucket_size



I’ve tried changing the

 types_hash_max_size

to 4096 and still get the warn

Link to post

Can someone explain to me how to get unifi controller to work with this???

 

I just watched eds video and i am able to get almost all of my containers but i am stuck with this one... i am using brettm357/unifi docker.

 

thanks

Link to post
54 minutes ago, shremi said:

Can someone explain to me how to get unifi controller to work with this???

 

I just watched eds video and i am able to get almost all of my containers but i am stuck with this one... i am using brettm357/unifi docker.

 

thanks

 

I don't use brett357's container (obviously :) )

 

But this works for our container.

server {
       listen         80;
       server_name    unifi.server.com;
       return         301 https://$server_name$request_uri;
}

server {

	listen 443 ssl;
	server_name unifi.server.com;

	include /config/nginx/ssl.conf;
	
        location / {
		proxy_pass https://192.168.0.1:8443/;
		include /config/nginx/proxy.conf;
		#proxy_http_version 1.1;
		#proxy_buffering off;
		#proxy_set_header Upgrade $http_upgrade;
		#proxy_set_header Connection "Upgrade";
		#proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		#proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
		satisfy any;
        allow 192.168.0.0/24;
        deny all;
        }
}

 

Link to post
4 minutes ago, CHBMB said:

 

I don't use brett357's container (obviously :) )

 

But this works for our container.


server {
       listen         80;
       server_name    unifi.server.com;
       return         301 https://$server_name$request_uri;
}

server {

	listen 443 ssl;
	server_name unifi.server.com;

	include /config/nginx/ssl.conf;
	
        location / {
		proxy_pass https://192.168.0.1:8443/;
		include /config/nginx/proxy.conf;
		#proxy_http_version 1.1;
		#proxy_buffering off;
		#proxy_set_header Upgrade $http_upgrade;
		#proxy_set_header Connection "Upgrade";
		#proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		#proxy_set_header X-Forward-For $proxy_add_x_forwarded_for;
		satisfy any;
        allow 192.168.0.0/24;
        deny all;
        }
}

 

Thank you for the reply ..... i installed the wrong unifi container and now i think i am stuck with it ..... sucks but thanks for trying to help i tried that already changing with those parameters and no dice ......

 

just to verify i need to rename the server_name also right??? the proxy_pass to match my subnet?

Link to post
Just now, shremi said:

just to verify i need to rename the server_name also right??? the proxy_pass to match my subnet?

 

IP addresses and server name do need to be changed

 

	satisfy any;
        allow 192.168.0.0/24;
        deny all;

This bit just means it can only be accessed by clients on the 192.168.0.0 subnet. (My LAN)

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.