The Complete UnRAID reverse proxy, Duck DNS (dynamic dns) and letsencrypt guide



@Fma965, Actually, I restarted everything except the letsencrypt docker app :D  It was a gross oversight!  After restarting, Deluge is working already.  Can't get Sonarr to work yet.  Will keep trying.  At least I know it's working already.

 

BTW, can the OpenVPN Server and Letsencrypt (with NginX reverse proxy) docker containers both be up at the same time?  Meaning, even with the reverse proxy running, I can still VPN into the NAS and manage it?


Well I managed to fix my issues.  Unfortunately, I don't know what fixed it.  I just started from scratch, reinstalled the container and reconfigured.  I could swear I did everything the same but this time it worked.  I hate that because you don't learn anything that way.  Glad it's working though.  Thanks for the guide @Fma965!

Edited by RockDawg

I do have another question.  I decided to get a domain (myserver.com) from namecheap.com rather than use the one I have at duckdns.  I have it set up to work with my dynamic IP and it knows my current IP.  So I edited the Letsencrypt container, simply changing the Domain Name field from mydomain.duckdns.org to myserver.com.  Now the log shows the following error:

 

Failed authorization procedure. www.myserver.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.myserver.com/.well-known/acme-challenge/frBvtzHSCyTZlFDxm6HDnxMdRiFCKLCCF8fzciyZfP4: Error getting validation data

 

and

 

Error getting validation data

 

If I simply change the domain back to my duckdns one it gives no error and it gets certs.  So it's not a port issue.  Any idea why I can't get certs for my new domain?

On 7/17/2018 at 4:11 PM, RockDawg said:

Now it appears that I've played around with things too much and my duckdns domain has been given too many certificates and now it won't validate!  What the heck do I do now?!

 

One step forward.  Two steps back.

You have to wait now before it will let you cert again. Most likely your DNS hadn't propagated across the net, so letsencrypt wasn't going to the correct domain/IP.


Thanks.  Everything is mostly working now, but one thing I notice is that if I type myserver.com/app or www.myserver.com/app inside my network, both are redirected to HTTPS and show the secure symbol.

 

Outside my network (cell phone on cellular network), myserver.com/app connects without being redirected to HTTPS and, obviously, doesn't show the secure symbol.  On the other hand, www.myserver.com/app doesn't connect at all.

 

How do I fix that?

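The two problems above (the http-01 "could not connect to the client" failure after switching to a new domain, and plain http not being redirected to https while www does not connect from outside) are both things you can see from the outside before you spend another rate-limited issuance. The script below is an added example, not code from the thread or from the letsencrypt container: it emulates what the ACME validator and an outside browser do, resolving each name, fetching the challenge URL over port 80 and checking for the https redirect. The hostname myserver.com comes from the thread; the IP 203.0.113.7, the token file named "preflight" containing "ok", and the simulated DNS/HTTP answers at the bottom are constructed. A real run needs a file with that token name placed in the webroot the port-80 server block serves.

```python
"""Pre-flight for an http-01 Let's Encrypt setup behind a home router.

Added example, not code from the thread or from the letsencrypt container. It
emulates what the ACME validator and an outside browser see, so problems show up
before one of the rate-limited issuances is spent. The hostnames, IP addresses and
the simulated responses at the bottom are constructed.
"""
import socket
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], str]                              # hostname -> IPv4 string
Fetcher = Callable[[str], Tuple[int, Optional[str], str]]    # url -> (status, Location, body)
REDIRECTS = (301, 302, 307, 308)


def http_get_no_follow(url: str) -> Tuple[int, Optional[str], str]:
    """Plain GET over port 80 that reports a redirect instead of following it."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # make urllib raise HTTPError for the 3xx so we can inspect it
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, resp.headers.get("Location"), resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.headers.get("Location"), ""


def check_dns(names: List[str], expected_ip: str, resolve: Resolver = socket.gethostbyname) -> Dict[str, str]:
    """Every name on the certificate must resolve to the IP your router forwards 80/443 for.
    A name still pointing at the old ISP address, or a 'www' that was never created at the
    DNS host, fails here before the ACME validator ever connects."""
    problems: Dict[str, str] = {}
    for name in names:
        try:
            ip = resolve(name)
        except OSError:            # socket.gaierror is an OSError
            problems[name] = "does not resolve"
            continue
        if ip != expected_ip:
            problems[name] = f"resolves to {ip}, not {expected_ip}"
    return problems


def check_challenge(name: str, token: str, expected_body: str, fetch: Fetcher = http_get_no_follow) -> Optional[str]:
    """Fetch the same URL the validator fetches: http://<name>/.well-known/acme-challenge/<token>.
    Put a file with that token as its name and `expected_body` as its content in the webroot first."""
    path = "/.well-known/acme-challenge/" + token
    try:
        status, location, body = fetch("http://" + name + path)
    except OSError as err:         # refused / timed out: port 80 is not reaching nginx
        return f"{name}: port 80 unreachable ({err})"
    if status in REDIRECTS and (location or "").startswith("https://") and (location or "").endswith(path):
        return None                # the validator follows a redirect to https, so this passes
    if status != 200:
        return f"{name}: challenge URL answered HTTP {status}"
    if body.strip() != expected_body:
        return f"{name}: challenge URL served something else (another host behind port 80?)"
    return None


def check_https_redirect(name: str, fetch: Fetcher = http_get_no_follow) -> Optional[str]:
    """An outside client on http://<name>/ should be sent to https://<name>/ by the port-80 block."""
    try:
        status, location, _ = fetch(f"http://{name}/")
    except OSError as err:
        return f"{name}: port 80 unreachable ({err})"
    if status not in REDIRECTS or not (location or "").startswith(f"https://{name}/"):
        return f"{name}: plain http is not redirected to https (HTTP {status}, Location={location})"
    return None


def preflight(domain: str, expected_ip: str, token: str, expected_body: str,
              resolve: Resolver = socket.gethostbyname, fetch: Fetcher = http_get_no_follow) -> List[str]:
    """Run all checks for the apex name and its www alias; an empty list means ready to issue."""
    names = [domain, "www." + domain]
    findings = [f"{n}: {why}" for n, why in check_dns(names, expected_ip, resolve).items()]
    for n in names:
        findings += [f for f in (check_challenge(n, token, expected_body, fetch),
                                 check_https_redirect(n, fetch)) if f]
    return findings


# Constructed simulation of the situation in the thread: the apex name resolves and nginx
# answers on port 80, but nothing redirects to https and no "www" record exists at the DNS host.
SIM_DNS = {"myserver.com": "203.0.113.7"}
SIM_HTTP = {
    "http://myserver.com/.well-known/acme-challenge/preflight": (200, None, "ok\n"),
    "http://myserver.com/": (200, None, "<html>app</html>"),
}


def sim_resolve(name: str) -> str:
    if name not in SIM_DNS:
        raise socket.gaierror(-2, "Name or service not known")
    return SIM_DNS[name]


def sim_fetch(url: str) -> Tuple[int, Optional[str], str]:
    if url not in SIM_HTTP:
        raise ConnectionRefusedError("connection refused")
    return SIM_HTTP[url]


if __name__ == "__main__":
    if len(sys.argv) == 4:    # real run: preflight.py myserver.com 203.0.113.7 <token file in webroot>
        findings = preflight(sys.argv[1], sys.argv[2], sys.argv[3], "ok")
    else:                     # no arguments: replay the constructed simulation
        findings = preflight("myserver.com", "203.0.113.7", "preflight", "ok", sim_resolve, sim_fetch)
    print("\n".join(findings) or "all checks passed")
```

Run it from a machine outside your LAN (or a phone hotspot), not from inside, since the inside path never crosses the router's port forward and can look healthy while the outside path is broken. The simulation reproduces the thread's symptoms exactly: www fails at DNS, the apex answers on port 80 but never redirects, and a validator trying the www name gets the "could not connect" error.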

Additionally, there is usually a 30-40 second delay when accessing the apps.  After typing the address and hitting enter it just sits there for 30-40 seconds and then the page will usually load quickly like it should.  Sometimes it never loads the page and it just says request timed out.  Once the page is loaded I can usually try that one again or some of the others and they will load just fine.  If I try again later, I will either get the delay or the timeout.

 

Any ideas what could be going on?

On 6/6/2017 at 8:04 PM, Forusim said:

Solved the issue with the help of this guide https://www.linuxserver.io/2017/05/10/installing-nextcloud-on-unraid-with-letsencrypt-reverse-proxy/

As I found out it is possible to use sub-subdomains like "https://cloud.mysubdomain.duckdns.org".

 

No need to change the web configs of the applications any more.

As a bonus I get now A+ instead of A from https://scan.nextcloud.com/

How do you achieve that?
Currently I have a domain with duckdns.org that points to my NAS, but I cannot create sub-subdomains with duckdns.org.

Nextcloud works very well locally with MariaDB, but I cannot access it from outside. I followed the link you gave but I do not understand the end.

3 hours ago, snake382 said:

How do you achieve that?
Currently I have a domain with duckdns.org that points to my NAS, but I cannot create sub-subdomains with duckdns.org.

Nextcloud works very well locally with MariaDB, but I cannot access it from outside. I followed the link you gave but I do not understand the end.

 

You can use sub-subdomains with duckdns. They all automatically forward to your main subdomain ip. 

 

You do need to add those to your subdomains variable in the container settings, though


What container? Letsencrypt? I have tried to add it to my letsencrypt container but it doesn't work...

 

Everything works well locally up to the point where it explains how to reach Nextcloud from outside my local network. If anyone could guide me by posting a simplified procedure with screenshots, I'm just starting on Unraid. Thank you.

Edited by snake382
On 7/24/2018 at 11:16 AM, snake382 said:

What container? Letsencrypt? I have tried to add it to my letsencrypt container but it doesn't work...

 

Everything works well locally up to the point where it explains how to reach Nextcloud from outside my local network. If anyone could guide me by posting a simplified procedure with screenshots, I'm just starting on Unraid. Thank you.

 

Actually it's pretty straightforward, here are my configs:

 

/mnt/cache/appdata/letsencrypt/nginx/site-confs/yourdomain.duckdns.org

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
# (this block is what sends http://host/... to https://host/...; with it disabled, or
#  with port 80 not forwarded on the router, outside clients stay on plain http)
#server {
#	listen 80;
#	server_name _;
#	return 301 https://$host$request_uri;
#}

# main server block
server {
	listen 443 ssl http2;
	# only requests whose SNI/Host is this name land in this block
	server_name cloud.yourdomain.duckdns.org;

	root /config/www;
	index index.html index.htm index.php;

	# certificate issued by the letsencrypt container; it must cover "cloud" as a subdomain
	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	# the image's default list of the time; it still allows non-forward-secret AES-CBC,
	# CAMELLIA and 3DES suites (everything after the last *DHE* entry), which a tightened
	# deployment would drop
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

	###Extra Settings###
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;

	### Add HTTP Strict Transport Security ###
	# two years, and it applies to every name under cloud.yourdomain.duckdns.org
	add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
	# add_header goes to the browser, not to the backend; Nextcloud learns it sits behind
	# TLS from overwriteprotocol in config.php, not from this header
	add_header Front-End-Https on;

	# no upload size limit at the proxy (Nextcloud enforces its own)
	client_max_body_size 0;

	location / {
		# proxy headers and websocket/timeout settings shipped with the image
		include /config/nginx/proxy.conf;
		proxy_max_temp_file_size 2048m;
		# the nextcloud container's own https listener; nginx does not verify its
		# self-signed certificate unless proxy_ssl_verify is turned on
		proxy_pass https://<nextclouddockerip>:443/;
	}
}

You may have to change the root of the Nextcloud webserver:

/mnt/cache/appdata/nextcloud/nginx/site-confs/default

# Path to the root of your installation
  root /config/www/nextcloud/;

/mnt/cache/appdata/nextcloud/www/nextcloud/config/config.php

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  // generated at install time, leave these as they are
  'instanceid' => '<instance>',
  'passwordsalt' => '<salt>',
  'secret' => '<secret>',
  // Nextcloud rejects requests whose Host header is not listed here, so the public
  // name the proxy forwards must be present alongside the container IP
  'trusted_domains' => 
  array (
    0 => '<nextclouddockerip>',
    1 => 'cloud.yourdomain.duckdns.org',
  ),
  // TLS ends at nginx: make Nextcloud build its links and redirects with https and
  // the public hostname instead of what it sees on the container side
  'overwriteprotocol' => 'https',
  'overwritehost' => 'cloud.yourdomain.duckdns.org',
  'overwrite.cli.url' => 'https://cloud.yourdomain.duckdns.org',
  'version' => '12.0.6.1',
  'dbtype' => 'mysql',
  'dbname' => 'nextcloud',
  // the MariaDB container, reached directly by IP
  'dbhost' => '<mariadbdockerip>:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'dbuser' => 'oc_admin',
  'dbpassword' => '<pw>',
  'installed' => true,
  'theme' => '',
  'loglevel' => 2,
  'maintenance' => false,
);

Of course you have to edit your LetsEncrypt docker:

Domain Name:      yourdomain.duckdns.org

Subdomain(s):      cloud

Edited by Forusim

Well, I recently moved and now I have a new ISP, router and so on.

I managed to get almost everything working, except letsencrypt/nginx.

All my reverse proxies seem to be down, and I can't reach anything via my public domain.

 

I went through the site-confs and changed the IP addresses to the new one, but I have no idea what else I need to do :/

 

I get only "Site can't be reached" messages, so it seems like nothing is working. Ports are open.

 

Any ideas?

Is your new ISP blocking port 80 or 443?


22 minutes ago, jonathanm said:

How did you come to that conclusion?

 

Does your new IP respond to pings externally? Does your domain properly resolve to that IP?

I checked for open ports with http://canyouseeme.org/ and for 443 I get an open port message.

 

I checked for pings with https://ping.eu/ping/; the packets get lost, but the IP seems to be right.

 

Also my VPN connection works just fine...

Edited by Random.Name

I'm on Cox residential.  Is there no way for me to do this since port 80 is blocked?  I've tried to go around this by circumventing DuckDNS and registering a domain, and using CloudFlare as my name server, but I still can't figure out how to make DNS Validation work.

Edited by adammerkley
1 hour ago, adammerkley said:

I'm on Cox residential.  Is there no way for me to do this since port 80 is blocked?  I've tried to go around this by circumventing DuckDNS and registering a domain, and using CloudFlare as my name server, but I still can't figure out how to make DNS Validation work.

 

It's all explained in the docker image description on both GitHub and Docker Hub

12 hours ago, adammerkley said:

I'm on Cox residential.  Is there no way for me to do this since port 80 is blocked?  I've tried to go around this by circumventing DuckDNS and registering a domain, and using CloudFlare as my name server, but I still can't figure out how to make DNS Validation work.

I'm on COX residential as well. Please refer to these posts as to how I was able to get it set up (per aptalca's excellent dockers and documentation!)

and

 

 

Hope it helps!

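Why DNS validation works on an ISP that blocks port 80 comes down to what each ACME challenge asks you to prove. The script below is an added example, not code from the thread or from the letsencrypt container: it computes, from an account key and a token, the exact content the CA expects at the http-01 URL (the path in the "Fetching http://www.myserver.com/.well-known/acme-challenge/..." error quoted earlier) and the exact TXT value it expects at `_acme-challenge.<domain>` for dns-01, following RFC 8555 and RFC 7638. The account key used here is the RFC 7638 section 3.1 sample public key, so the thumbprint can be checked against the RFC; the token is the one from the error in this thread. The image's DNS plugins (the README the reply points to) publish the same TXT record through the DNS provider's API, which is why no inbound port is needed for that path.

```python
"""What an ACME challenge actually asks you to prove (RFC 8555 §8.1 http-01, §8.3 dns-01).

Added example, not code from the thread or the letsencrypt container. It computes the
exact value the validator expects to find at the http-01 URL and in the dns-01 TXT record
for a given account key and token. The account key is the RFC 7638 §3.1 sample public key;
the token is the one from the error message quoted in this thread (a real one is issued by
the CA per challenge).
"""
import base64
import hashlib
import json
from typing import Dict, Tuple


def b64url(data: bytes) -> str:
    """Base64url without padding, as JOSE and ACME use everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: Dict[str, str]) -> str:
    """RFC 7638: SHA-256 over the required public members only, in lexicographic order,
    serialised with no whitespace. Private members, 'kid' and 'alg' are never included."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: Dict[str, str]) -> str:
    """token || '.' || thumbprint(account key). The thumbprint binds the challenge to your
    ACME account, so someone who can also reach your port 80 cannot complete it for you."""
    return token + "." + jwk_thumbprint(account_jwk)


def http01_response(token: str, account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """(path, body) nginx must serve over plain HTTP on port 80; the CA follows redirects
    from there, including to https, but the first hop has to be reachable on port 80."""
    return "/.well-known/acme-challenge/" + token, key_authorization(token, account_jwk)


def dns01_record(domain: str, token: str, account_jwk: Dict[str, str]) -> Tuple[str, str]:
    """(record name, TXT value) for dns-01. The CA only queries DNS, so a blocked port 80
    does not matter. The TXT value is the SHA-256 of the key authorization, not the key
    authorization itself."""
    digest = hashlib.sha256(key_authorization(token, account_jwk).encode("ascii")).digest()
    return "_acme-challenge." + domain, b64url(digest)


# RFC 7638 section 3.1 sample RSA public key; the RFC gives its thumbprint as
# NzbLsXh8uDCcd-6MNwXF4W_7noWXFZAfHkxZsRGC9Xs. A real ACME account key is generated and
# stored by certbot inside the container; never paste that one anywhere.
RFC7638_SAMPLE_KEY = {
    "kty": "RSA",
    "n": "0vx7agoebGcQSuuPiLJXZptN9nndrQmbXEps2aiAFbWhM78LhWx4cbbfAAtVT86zwu1RK7aPFFxuhDR1L6tSoc_BJECPebWKRXjBZCiFV4n3oknjhMstn64tZ_2W-5JsGY4Hc5n9yBXArwl93lqt7_RN5w6Cf0h4QyQ5v-65YGjQR0_FDW2QvzqY368QQMicAtaSqzs8KJZgnYb9c7d0zgdAZHzu6qMQvRL5hajrn1n91CbOpbISD08qNLyrdkt-bFTWhAI4vMQFh6WeZu0fM4lFd2NcRwr3XPksINHaQ-G_xBniIqbw0Ls1jF44-csFCur-kEgU8awapJzKnqDKgw",
    "e": "AQAB",
    "alg": "RS256",
    "kid": "2011-04-29",
}
# Token from the failed-authorization error quoted earlier in the thread.
THREAD_TOKEN = "frBvtzHSCyTZlFDxm6HDnxMdRiFCKLCCF8fzciyZfP4"

if __name__ == "__main__":
    path, body = http01_response(THREAD_TOKEN, RFC7638_SAMPLE_KEY)
    print(f"http-01: GET http://www.myserver.com{path} must return:\n  {body}")
    name, txt = dns01_record("www.myserver.com", THREAD_TOKEN, RFC7638_SAMPLE_KEY)
    print(f'dns-01:  {name} IN TXT "{txt}"')
```

Two things this makes visible: the http-01 body is public (token plus a hash of your public account key), so serving it is harmless, and the dns-01 TXT record has to be created fresh for every order because the token changes; that is the part the DNS plugin automates with the provider's API credentials, which is also why those credentials need to be protected like a password.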
