The Complete UnRAID reverse proxy, Duck DNS (dynamic dns) and letsencrypt guide



I followed the tutorial entirely but I cannot access the Unraid main page from outside.

However, I can access my Plex application from outside ...

I changed port 80 to 81 and left 443 as in the tutorial, and I also opened the ports on my router, but when I type http://subdomain.duckdns.org:81 as the address my browser just keeps loading and I never get to the main page of Unraid ...

On the other hand, if I type https://subdomain.duckdns.org:443 I get a 502 Bad Gateway error message and I see that the address in my browser bar has changed to:
https://subdomain.duckdns.org:443/htpc

So it is normal that I get this error message, because I have not installed htpc, and I cannot access the main page of Unraid. I do not understand what is happening.

Thanks for your info.

Edited by snake382
Link to comment
1 hour ago, snake382 said:

OK what do you advise me to safely access Unraid webui?
Then I still leave duckdns + let'sencrypt + Nginx to be able to access my applications by https?

Thank you.

 

For the Unraid webui a VPN; for everything else you're good with duckdns, LE, Nginx

Link to comment
  • 1 month later...
8 minutes ago, WexfordStyle said:

 

Okay. But is using a reverse proxy with https and password protection actually a security risk!? I imagine it would be very secure as well, no?

Technically everything is a security risk. If a device is connected to others, there is always a security risk. ;-)

 

Openvpn happens to be much more secure than https and a password, because the password can be brute forced. Unless you use a firewall like fail2ban (works great when properly configured). 

 

If a reverse proxied docker container gets hacked into, it would be like someone breaking into your car and stealing what's in the glove box. Not much. But getting the unraid gui hacked is like someone stealing your alarm code and getting into your home, where they can get all the valuables, and the car keys. That's why they recommend using a vpn for the unraid gui. 

Link to comment
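The threshold logic behind the fail2ban suggestion above, as an added example that is not part of the original posts and is not fail2ban's own code: it counts failed HTTP basic-auth attempts per client in nginx's error log and flags an address once it reaches a limit inside a time window. The log lines, addresses and `.htpasswd` path are constructed, and `max_retry` / `find_time` are hypothetical parameter names that mirror the idea of fail2ban's `maxretry` and `findtime`.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed nginx error.log lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = """\
2018/01/09 20:00:00 [error] 301#301: *3 user "bob": password mismatch, client: 192.0.2.50, server: _, request: "GET / HTTP/1.1"
2018/01/09 20:30:00 [error] 301#301: *5 user "bob": password mismatch, client: 192.0.2.50, server: _, request: "GET / HTTP/1.1"
2018/01/09 21:00:00 [error] 301#301: *8 user "bob": password mismatch, client: 192.0.2.50, server: _, request: "GET / HTTP/1.1"
2018/01/09 21:13:01 [error] 301#301: *11 user "admin": password mismatch, client: 203.0.113.7, server: _, request: "GET / HTTP/1.1"
2018/01/09 21:13:04 [error] 301#301: *12 user "root" was not found in "/config/nginx/.htpasswd", client: 203.0.113.7, server: _
2018/01/09 21:13:05 [error] 301#301: *13 user "amy": password mismatch, client: 198.51.100.20, server: _, request: "GET / HTTP/1.1"
2018/01/09 21:13:09 [error] 301#301: *14 user "admin": password mismatch, client: 203.0.113.7, server: _, request: "GET / HTTP/1.1"
2018/01/09 21:13:10 [error] 301#301: *15 connect() failed (111: Connection refused) while connecting to upstream, client: 203.0.113.7, server: _
"""

# Matches the two messages nginx logs for a failed auth_basic login.
FAILED_AUTH = re.compile(
    r'(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[error\] \d+#\d+: \*\d+ '
    r'user "[^"]*"(?:: password mismatch| was not found in "[^"]*")'
    r', client: (?P<ip>[0-9A-Fa-f:.]+),'
)

def find_offenders(log_text, max_retry=3, find_time=timedelta(minutes=10)):
    """Return {ip: time of the failure that reached max_retry within find_time}."""
    recent = defaultdict(deque)   # per-IP timestamps still inside the window
    flagged = {}
    for line in log_text.splitlines():
        m = FAILED_AUTH.match(line)
        if not m or m["ip"] in flagged:
            continue              # not an auth failure, or already flagged
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # forget failures older than the window
        if len(window) >= max_retry:
            flagged[m["ip"]] = ts
    return flagged

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} reached the failure limit at {when}")
```

The slow client (three failures spread over an hour) stays under the limit, which is why the window length and retry count have to be tuned together.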

Has anyone tried this with the Minio docker and made it work?

I get it to work from a browser, but when I try to connect a backup client to the proxy address I get " cause="Signature does not match" source="[auth-handler.go:122:checkRequestAuthType()]" "

 

Edit: I found the answer here: https://docs.minio.io/docs/setup-nginx-proxy-with-minio

 

so I added this:

server {
    listen 443 ssl default_server;
    server_name domain.name.;

    location / {
        # include /config/nginx/proxy.conf;
        # Forward the Host header exactly as the client sent it
        proxy_set_header Host $http_host;
        proxy_pass http://192.168.0.2:50001;
    }
}

I have not made it work with a /location

Edited by isvein
Link to comment
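Why the Host header fixes "Signature does not match", as an added example that is not part of the original post or Minio's code: S3-style clients sign the Host header under AWS Signature Version 4, and nginx's `proxy_pass` sends the upstream address as Host unless `proxy_set_header Host` overrides it. The secret key, public host name and date below are constructed; the upstream address is the one from the post.

```python
import hashlib
import hmac

SECRET_KEY = "constructed-secret-key"          # constructed, not a real credential
CLIENT_HOST = "minio.example.duckdns.org"      # constructed public name
UPSTREAM = "192.168.0.2:50001"                 # proxy_pass target from the post
AMZ_DATE = "20180109T211300Z"                  # constructed request time

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def sigv4_signature(secret, method, path, host, amz_date,
                    region="us-east-1", service="s3", payload=b""):
    """AWS Signature V4 for a request that signs host and the x-amz-* headers."""
    payload_hash = hashlib.sha256(payload).hexdigest()
    canonical_headers = (f"host:{host}\n"
                         f"x-amz-content-sha256:{payload_hash}\n"
                         f"x-amz-date:{amz_date}\n")
    signed_headers = "host;x-amz-content-sha256;x-amz-date"
    # method, URI, (empty) query string, headers, signed header list, body hash
    canonical_request = "\n".join(
        [method, path, "", canonical_headers, signed_headers, payload_hash])
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])
    key = ("AWS4" + secret).encode()
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)                 # derive the per-day signing key
    return hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()

def backend_accepts(host_seen_by_backend):
    """Server side: recompute the signature from the Host header it received."""
    sent = sigv4_signature(SECRET_KEY, "GET", "/backups/", CLIENT_HOST, AMZ_DATE)
    expected = sigv4_signature(SECRET_KEY, "GET", "/backups/",
                               host_seen_by_backend, AMZ_DATE)
    return hmac.compare_digest(sent, expected)

if __name__ == "__main__":
    print("Host rewritten to upstream:", backend_accepts(UPSTREAM))
    print("Host $http_host preserved: ", backend_accepts(CLIENT_HOST))
```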
  • 2 weeks later...
  • 1 month later...

@NeoDude I'm using LE, duckdns, nginx with my nextcloud docker. I can access from https://<server>.duckdns.org/nextcloud but internally I cannot access NextCloud. Driving me nuts!

https://192.168.1.224/nextcloud/ brings me to a blank page within my unRAID webUI??

https://192.168.1.224:444/nextcloud/ redirects me to https://server.duckdns.org/nextcloud

 

Anyone's help would be greatly appreciated!

 

Link to comment
15 minutes ago, blurb2m said:

@NeoDude I'm using LE, duckdns, nginx with my nextcloud docker. I can access from https://<server>.duckdns.org/nextcloud but internally I cannot access NextCloud. Driving me nuts!

https://192.168.1.224/nextcloud/ brings me to a blank page within my unRAID webUI??

https://192.168.1.224:444/nextcloud/ redirects me to https://server.duckdns.org/nextcloud

 

Anyone's help would be greatly appreciated!

 

 

Your issue is likely due to your router not allowing NAT loopback. Depending on what the router is, there are different solutions.

Link to comment
  • 2 weeks later...

First of all, big thanks to @Fma965 for the great write-up. This is very helpful.

 

As a first step I'd just like to get Nextcloud to work, but I like to have the options of adding sabnzbd (not specified in write-up?) and other dockers at later stage.

 

Unfortunately, I am failing with some of the very basics, so will need some advice:

 

1) I cannot specify port 443 as it is used by something else. I don't know by what and "deployed host ports" within the docker settings does not show any docker using 443. Any idea how to find out what is using this port?

 

2) After setting up the docker, I cannot access unraid with my-IP:81 from my home network. Any idea why it is not working? Related to (1)? Below are some error messages from the log:

certbot: error: argument --cert-path: No such file or directory

 

Failed authorization procedure. myname.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused

 

3) I have not forwarded the ports in my router yet. I have not tried in recent times, but I am not sure whether my ISP allows me to forward port 443. If not, can I use a different port? Is there some app for Unraid or others that allows me to learn what ports can be forwarded and which ones are blocked by my ISP?

 

4) I actually "own" a domain and may want to use this eventually. Do I still need duckdns in this case or how would I set it up directly? It is a domain hosted by strato.de

 

5) Any reason why sabnzbd is not part of the tutorial? More difficult to do or not suggested for security?

 

6) This thread includes something alarming. I hadn't thought about what I am doing with reverse proxy would impact what I do in my home network. Can required changes for the respective dockers to still work in the home network after setting up reverse proxies be added to the tutorial?

 

 

Thanks again for your help!

Link to comment
  • 1 month later...

Hi

I followed the tutorial to set up a reverse proxy for my docker images but I have some issues:

Sickrage doesn't load CSS and shows "You have reached this page by accident, please check the url." (I checked the box "Reverse proxy headers" in the general configuration tab)

 

Headphones displays

The path '/headphones' was not found.

Traceback (most recent call last):
  File "/app/headphones/lib/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/app/headphones/lib/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/app/headphones/lib/cherrypy/_cperror.py", line 411, in __call__
    raise self
NotFound: (404, "The path '/headphones' was not found.")

TT-rss shows 404 not found

 

Can someone give me his configuration or help?

Thanks !

 

Link to comment

I set up DuckDNS but am having troubles with Letsencrypt. In my logs, it just keeps repeating --

 

Quote

No renewals were attempted.
No hooks were run.
-------------------------------------------------------------------------------
[cont-init.d] 50-config: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [emerg] location "/sonarr" cannot be inside the exact location "/" in /config/nginx/site-confs/default:25
Server ready
nginx: [emerg] location "/sonarr" cannot be inside the exact location "/" in /config/nginx/site-confs/default:25
nginx: [emerg] location "/sonarr" cannot be inside the exact location "/" in /config/nginx/site-confs/default:25

In my site-confs/default file, this is what I have for sonarr:

Quote

 

upstream backend {
    server 192.168.1.2:19999;
    keepalive 64;
}

server {
    listen 443 ssl default_server;
    listen 81 default_server;
    root /config/www;
    index index.html index.htm index.php;

    server_name _;

    ssl_certificate /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
    ssl_dhparam /config/nginx/dhparams.pem;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:...';
    ssl_prefer_server_ciphers on;

    client_max_body_size 0;

    location = / {
        return 301 /sabnzbd;

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.2:8989/sonarr;
    }

 

Did I do something wrong? Any help would be great! Thanks so much!

 

Edited by ipreferpie
Link to comment
On 09/01/2018 at 9:13 PM, deadnote said:

Hi

I followed the tutorial to set up a reverse proxy for my docker images but I have some issues:

Sickrage doesn't load CSS and shows "You have reached this page by accident, please check the url." (I checked the box "Reverse proxy headers" in the general configuration tab)

 

Headphones displays

The path '/headphones' was not found.

Traceback (most recent call last):
  File "/app/headphones/lib/cherrypy/_cprequest.py", line 670, in respond
    response.body = self.handler()
  File "/app/headphones/lib/cherrypy/lib/encoding.py", line 217, in __call__
    self.body = self.oldhandler(*args, **kwargs)
  File "/app/headphones/lib/cherrypy/_cperror.py", line 411, in __call__
    raise self
NotFound: (404, "The path '/headphones' was not found.")

TT-rss shows 404 not found

 

Can someone give me his configuration or help?

Thanks !

 

Sounds like you aren't setting the base URLs correctly

 

 

5 hours ago, ipreferpie said:

I set up DuckDNS but am having troubles with Letsencrypt. In my logs, it just keeps repeating --

 

In my site-confs/default file, this is what I have for sonarr:

Did I do something wrong? Any help would be great! Thanks so much!

 

this

    location = / {
        return 301 /sabnzbd;

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.2:8989/sonarr;
    }

should be (always close a location block off with a } before doing another)

    location = / {
        return 301 /sabnzbd;
    }

    location /sonarr {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.1.2:8989/sonarr;
    }

 

32 minutes ago, NotYetRated said:

Awesome write up, thanks!

 

Dumb question, is this more secure than my current method of Firewall blocking all but certain IPs? I feel like my method is more secure, but less accessible, that sound accurate?

So with this you have 2 ports accessible to the internet, 80 and 443; with your way you would have to forward many ports (one for each service) in order to access them from outside your LAN (internet).

 

---

 

 

@all here is the config I currently use. https://gist.github.com/Fma965/540219ade8133e65542e9ec15651fe82

Edited by Fma965
Link to comment

Quick comment. Some of us might only add a docker every year or two. Such a person might be completely literal, and spend a lot of time looking for the Add button shown under the logo for the dockers in your wonderful tutorial. After much gnashing of teeth, such person might eventually figure out the interface has changed since your tutorial was made, and one needs to hover over the logo in order to see a window with a much more cryptic "add" button. 

 

Possibly.

Link to comment
