[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


 
I might have not been clear. I have a personal domain (not the duckdns). So that domain needs DNS settings for the CNAMEs, which I like Cloudflare's interface for.
I also use my own domain (Google) and use Cloudflare for DNS validation because my ISP blocks port 80. But when I did my certs I did a wildcard so any subdomains would be covered.

As far as the CNAME, I have not done that as I use my firewall as the dynamic DNS client, so I am going to assume once my LE config file is configured it will work.

Sent from my BND-L34 using Tapatalk

Link to comment
On 8/19/2018 at 1:17 AM, Kaizac said:

 

I might have not been clear. I have a personal domain (not the duckdns). So that domain needs DNS settings for the CNAMEs, which I like Cloudflare's interface for.

 

 

I had the same problem today; it took me a while to figure it out. If you leave the proxy on in Cloudflare you are using their proxy and it does not read your config file, it reads theirs.

Link to comment

Hi all,

 

I'm having a small problem trying to get reverse proxy working for specific containers.
Following SpaceInvaderOne's YT video (https://www.youtube.com/watch?v=I0lhZc25Sro) - I have Radarr, Sonarr & Heimdall working perfectly fine, but I'd like to pass through the chvb/docker-apache-php docker (named "apache").

 

Things I've done:

  • I have a custom domain with subdomains CNAME'd to a no-ip ddns address (working)
  • I have passed through all the required ports on my router (working)
  • The LetsEncrypt container has my custom domain set and subdomains are listed (unraid,radarr,sonarr,heimdall,apache,) and it starts successfully as per the video
  • There wasn't a sample conf file in the LetsEncrypt container for the apache container, so I created one (apache.subdomain.conf) and copied the contents of the heimdall conf file into this file and changed:
    • server_name apache.*;
    • set $upstream_ApachePHP apache;
    • proxy_pass https://$upstream_ApachePHP:8443; # Matches apache container host port 2 :8443, container port :443
    • Saved, and restarted the letsencrypt container.

The problem I'm getting, is that while Radarr, Sonarr & Heimdall work perfectly, if I navigate to apache.mydomain.com I get a 502 Bad Gateway error from nginx.

I also get the LetsEncrypt default web site when I try to access unraid.mydomain.com, which is fine as I don't need it, but I don't know why this works.

 

If I change the apache.subdomain.conf file and only change set $upstream_ApachePHP apache; to set $upstream_ApachePHP heimdall; I get Heimdall and not apache (as I expected), so I don't know if this is an issue with the apache container or something else.

 

If someone can help point me in the right direction that would be really great!

Thanks

 

Link to comment
11 hours ago, GilbN said:

Can I ask why you are trying to proxy the apache webserver when you already have a better webserver running?

 

Out of curiosity and inexperience.

I eventually want to pass through a Windows VM running an ASP.NET application, but with the router forwarding all requests to the letsencrypt container I figured I should start there with something less complex first and work my way through.

 

Also, what better web server are you referring to? The LetsEncrypt one?

Link to comment
On 8/20/2018 at 10:42 PM, ijuarez said:

 

 

I had the same problem today; it took me a while to figure it out. If you leave the proxy on in Cloudflare you are using their proxy and it does not read your config file, it reads theirs.

 

The solution is to set the SSL mode in Cloudflare to Strict. Then it works with the CF proxy and your own LE config.

Link to comment

I followed Spaceinvaderone's video in getting Nextcloud running with letsencrypt and a personal DNS and everything seems to be working great. However, if I go to my public IP address I land on a page that shows:

 

Welcome to our server

The website is currently being setup under this address.

For help and support, please contact: me@example.com

 

Is there a way to prevent that?  

Link to comment
I followed Spaceinvaderone's video in getting Nextcloud running with letsencrypt and a personal DNS and everything seems to be working great. However, if I go to my public IP address I land on a page that shows:
 

Welcome to our server

The website is currently being setup under this address.

For help and support, please contact: me@example.com

 

Is there a way to prevent that?  

You can change the default index.html page to a meme of can I haz a cheeseburger if you want.

Very easy, it's in the nginx/www subfolder of the letsencrypt config folder.

Sent from my BND-L34 using Tapatalk

Link to comment
19 minutes ago, ijuarez said:

You can change the default index.html page to a meme of can I haz a cheeseburger if you want.

Very easy, it's in the nginx/www subfolder of the letsencrypt config folder.

Sent from my BND-L34 using Tapatalk
 

 

Can I have it not respond at all?

Link to comment
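Added example, not from any poster and not the linuxserver.io image's own config: a catch-all that answers requests with no matching server_name (the bare public IP, stray hostnames, scanners) by closing the connection instead of serving the placeholder page. It assumes the container's own site-confs/default still carries the default_server flag; nginx accepts only one default_server per listen address and refuses to start on a duplicate, so take that flag off the existing block (or put these two blocks in its place) and then put this file in /config/nginx/site-confs, which nginx.conf includes.

```nginx
# Catch-all for requests whose Host / SNI matches no other server block.
# Assumed: no other server block in site-confs or proxy-confs still
# declares default_server on 80 or 443.

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

    # 444 is nginx-specific: close the connection and send nothing,
    # so a browser pointed at the bare IP gets no page at all.
    return 444;
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;

    # nginx 1.19.4 and later: abort the TLS handshake when the SNI name
    # matches no server_name, so no certificate (and none of the hostnames
    # inside it) is ever presented to whoever connects to the IP.
    ssl_reject_handshake on;
}
```

On nginx older than 1.19.4 the second block needs ssl_certificate and ssl_certificate_key lines instead (the LE cert works), and anyone scanning the IP still sees the hostnames in that cert before the connection is dropped. If certbot validates over HTTP (subdomain validation on port 80), keep whatever the default site needs for /.well-known/acme-challenge; DNS validation is unaffected. Note the host is still "up" at the IP: it accepts the TCP connection and then drops it. Not responding at all means a firewall rule on the router, which nginx cannot do.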

Hi, may I ask if there is a working solution to get the unraid webgui working? I'm stuck getting it running at a friend's place where I installed unraid.

 

He uses 1 dyndns address, so I tried location / ... as /unraid shouldn't work at all from what I read so far.

 

But I get no chance to get it properly displayed, and as I need both ports (80 and 443) for certbot renewal ... I would then prefer unraid behind the reverse proxy.

 

Maybe a sample config for this? Thanks ahead.

 

 

### solved

 

Had to remove the following default values

 

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php7-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        # With php7-fpm:
        #fastcgi_pass unix:/var/run/php7-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

 

Maybe a hint what this is good for?

 

I use nginx as reverse proxy only ...

Edited by alturismo
solved
Link to comment
13 hours ago, alturismo said:

Hi, may I ask if there is a working solution to get the unraid webgui working? I'm stuck getting it running at a friend's place where I installed unraid.

 

He uses 1 dyndns address, so I tried location / ... as /unraid shouldn't work at all from what I read so far.

 

But I get no chance to get it properly displayed, and as I need both ports (80 and 443) for certbot renewal ... I would then prefer unraid behind the reverse proxy.

 

Maybe a sample config for this? Thanks ahead.

 

 

### solved

 

Had to remove the following default values

 

    location ~ \.php$ {
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        # With php7-cgi alone:
        fastcgi_pass 127.0.0.1:9000;
        # With php7-fpm:
        #fastcgi_pass unix:/var/run/php7-fpm.sock;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

 

Maybe a hint what this is good for?

 

I use nginx as reverse proxy only ...

It's for serving PHP web pages.

Don't reverse proxy the unraid GUI, use a VPN instead. 1000x more secure.

Link to comment

I know VPN ... still not an option, and I would be fine with htauth (also listening ONLY on the DNS name). No idea what I did, now it's not working properly anymore after disabling the php lines ... so if someone has a tutorial, that would be nice.

 

I'm just confused because on my server with its own unraid.mydomain.com it's just as easy as ...

 

On my friend's server I only have 1 domain for everything, so name.mydomain.com should be unraid, and a sub-path like name.mydomain.com/plex should point to plex ...

Link to comment

Hello All,

 

I've been trying to get this docker to work, however I'm not able to even get the default nginx page to be displayed. If I put the nginx container on the same ports I get the default page. 

 

I don't get anything in the logs for the docker, so I'm not sure where to look.

 

Chess

Link to comment
12 hours ago, Chess said:

Hello All,

 

I've been trying to get this docker to work, however I'm not able to even get the default nginx page to be displayed. If I put the nginx container on the same ports I get the default page. 

 

I don't get anything in the logs for the docker, so I'm not sure where to look.

 

Chess

You're in the crystal ball territory

Link to comment
On 8/24/2018 at 11:28 AM, Saldash said:

 

Out of curiosity and inexperience.

I eventually want to pass through a Windows VM running an ASP.NET application, but with the router forwarding all requests to the letsencrypt container I figured I should start there with something less complex first and work my way through.

 

Also, what better web server are you referring to? The LetsEncrypt one?

Just as a matter of closure, I managed to achieve everything I wanted to (docker apps + windows server vm serving asp.net app).

It's actually been quite fun discovering that the LetsEncrypt app is handling the SSL for me - IIS on the server only knows how to deal with HTTP but with this I get full SSL on my public sub.domain.com address.

 

So I'm happy as a clam (until someone tells me I've done something critically foolish, which is bound to happen sooner or later!)

Link to comment
Just as a matter of closure, I managed to achieve everything I wanted to (docker apps + windows server vm serving asp.net app).
It's actually been quite fun discovering that the LetsEncrypt app is handling the SSL for me - IIS on the server only knows how to deal with HTTP but with this I get full SSL on my public sub.domain.com address.
 
So I'm happy as a clam (until someone tells me I've done something critically foolish, which is bound to happen sooner or later!)
Only used IIS for about a year and nearly put me off using web servers for life. Apache and Nginx are a damn dream after using that abomination.

Sent from my Mi A1 using Tapatalk

Link to comment
Only used IIS for about a year and nearly put me off using web servers for life. Apache and Nginx are a damn dream after using that abomination.

Sent from my Mi A1 using Tapatalk

I agree, having to manage an IIS server is painful.


But it comes with Windows and has nice buttons that you can click on



Sent from my BND-L34 using Tapatalk

Link to comment

Need a little help. I set up the ApacheGuacamole container and modified the sonarr proxy-conf with the guac settings. When I try to get to it I get a 502 bad gateway. I am using DNS validation since my ISP blocks port 80 (Cloudflare); I added the subdomain to CF as I did with my others.

The container is on the same docker network called proxynet. I added my new subdomain to the LE config so it created a new cert. I can access guac internally. Not sure what I am missing. This is working on a test VPS that I use before modifying my server. Below is the code and attached pictures. The only error I get is in the nginx error log about not being able to resolve, but I'm not sure where to look.

Fairly certain I'm missing something obvious.

 

# make sure that your dns has a cname set for sonarr and that your sonarr container is not using a base url
# to enable password access, uncomment the two auth_basic lines

server {
    listen 443 ssl;

    server_name guacamole.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_guacamole ApacheGuacamole;
        proxy_pass http://$upstream_guacamole:8080;
    }
}
2018/09/04 10:24:51 [error] 381#381: *20 apacheguacamole could not be resolved (3: Host not found), client: 172.69.68.37, server: guacamole.*, request: "GET / HTTP/1.1", host: "guacamole.lahoma.org"
2018/09/04 10:31:21 [error] 381#381: *21 apacheguacamole could not be resolved (3: Host not found), client: 172.69.68.4, server: guacamole.*, request: "GET / HTTP/1.1", host: "guacamole.lahoma.org"

 

guac_container.PNG

letsen_container.PNG

docker_network.PNG

Link to comment
2 hours ago, ijuarez said:

Need a little help. I set up the ApacheGuacamole container and modified the sonarr proxy-conf with the guac settings. When I try to get to it I get a 502 bad gateway. I am using DNS validation since my ISP blocks port 80 (Cloudflare); I added the subdomain to CF as I did with my others.

The container is on the same docker network called proxynet. I added my new subdomain to the LE config so it created a new cert. I can access guac internally. Not sure what I am missing. This is working on a test VPS that I use before modifying my server. Below is the code and attached pictures. The only error I get is in the nginx error log about not being able to resolve, but I'm not sure where to look.

Fairly certain I'm missing something obvious.

 


# make sure that your dns has a cname set for sonarr and that your sonarr container is not using a base url
# to enable password access, uncomment the two auth_basic lines

server {
    listen 443 ssl;

    server_name guacamole.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_guacamole ApacheGuacamole;
        proxy_pass http://$upstream_guacamole:8080;
    }
}

2018/09/04 10:24:51 [error] 381#381: *20 apacheguacamole could not be resolved (3: Host not found), client: 172.69.68.37, server: guacamole.*, request: "GET / HTTP/1.1", host: "guacamole.lahoma.org"
2018/09/04 10:31:21 [error] 381#381: *21 apacheguacamole could not be resolved (3: Host not found), client: 172.69.68.4, server: guacamole.*, request: "GET / HTTP/1.1", host: "guacamole.lahoma.org"

 

guac_container.PNG

letsen_container.PNG

docker_network.PNG

It seems the issue may be uppercase/lowercase related in the container name

Link to comment
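Added example, not ijuarez's conf and not one of the image's templates: the Guacamole proxy-conf above, rewritten for a container on the shared proxynet network. It also covers Saldash's apache.subdomain.conf earlier in the thread, whose proxy_pass pointed at the host-mapped port 8443 rather than the port the app listens on inside the container, a common cause of 502 when proxying container-to-container. Assumed: the container is named apacheguacamole (all lowercase), Guacamole listens on 8080 inside it, and the letsencrypt container is attached to the same docker network.

```nginx
# Subdomain proxy-conf for a container reached over the docker network.
# Assumed container name: apacheguacamole (lowercase), internal port 8080.

server {
    listen 443 ssl;
    server_name guacamole.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        # Optional second login in front of the app. Create the file with:
        #   htpasswd -c /config/nginx/.htpasswd <user>
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;

        include /config/nginx/proxy.conf;

        # Docker's embedded DNS as seen from inside the container. The
        # variable in proxy_pass forces a lookup at request time, and
        # valid=30s re-resolves so a recreated container with a new IP
        # keeps working without an nginx restart.
        resolver 127.0.0.11 valid=30s;

        # nginx lowercases the hostname before it asks the resolver (the
        # error log above shows it querying "apacheguacamole", not
        # "ApacheGuacamole"), so the container name must be lowercase for
        # docker DNS to match it. The port is the one the app listens on
        # INSIDE the container, never the host-mapped one: this traffic
        # stays on the docker network and never touches the host ports.
        set $upstream_guacamole apacheguacamole;
        proxy_pass http://$upstream_guacamole:8080;
    }
}
```

Both halves can be checked from inside the letsencrypt container before touching nginx: `docker exec <letsencrypt-container> nslookup apacheguacamole` should return the container's address on proxynet, and `docker exec <letsencrypt-container> curl -sI http://apacheguacamole:8080/` should return an HTTP status line from Guacamole. If the first fails, the name or the network is wrong; if only the second fails, the port is. Note the proxy does not add authentication by itself: Guacamole's own login is all that stands between the internet and your remote desktops unless you uncomment the auth_basic lines or put something stronger in front.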
