The Complete UnRAID reverse proxy, Duck DNS (dynamic dns) and letsencrypt guide



2 minutes ago, jang430 said:

Unfortunately, my ISP tries to block whatever they can, and no other way to get them to cooperate.


Run the nginx docker (by linuxserver, without all the SSL letsencrypt stuff) and map it as port 81 in docker, then see if you can access the nginx web page from your IP and from your duckdns domain.

9 minutes ago, jang430 said:

I guess this means it's working.  So DuckDNS is having an issue?

 

Got to go, but please leave me a message if you see this.


No, you need to access it from your external IP or from your DNS, not from the 192.168.1.104 address.

 

So you need to forward port 80 on your router to 85, and then try it from your DuckDNS address.

Edited by Fma965
Just now, jonathanm said:

Also, your example url shows the webserver answering on port 85, so for this test to be valid you need to change the internal port forward to 85 so it maps to the working server.

Just edited to say that before you posted, but yeah :D

2 hours ago, jang430 said:

Hi.  It works!  I forwarded port 80 to internal port 85, and it shows the same display screen as above.  I accessed it from outside the house, via IP and via jxxxxx1.duckdns.org, with the same successful result.  May I know what to do next?

Without changing anything in the router, try changing your LE docker to map container 80 to host 85 and see if it starts correctly. Obviously the plain nginx docker will need to be shut down.

Link to comment

 

Still the same.

 

Failed authorization procedure. jxxxxx1.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://jxxxxx1.duckdns.org/.well-known/acme-challenge/boKxf6D_5_zgK27HQt2LSwowiMaHcicSWgtnm12EDbY: Connection refused
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: jxxxxx1.duckdns.org
Type: connection
Detail: Fetching
http://jxxxxx1.duckdns.org/.well-known/acme-challenge/boKxf6D_5_zgK27HQt2LSwowiMaHcicSWgtnm12EDbY:
Connection refused

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

7 hours ago, jang430 said:

You need to ask in the letsencrypt docker thread. Also make sure all your values are right in the docker, such as the domain name and so on, with no simple typos; also try setting it to not use subdomains and put your domain jxxxxx1.duckdns.org as the main URL/domain.

Link to comment

I am trying to follow the guide and I got through step 4 in setting up the Letsencrypt container but when I type 192.168.1.42:81 (unraidip:81) in my browser it just takes me to a page that says "This page can't be reached" instead of the nginx home page.

 

192.168.1.42 is my internal IP for unraid

HTTP set to 81

HTTPS set to 444

No ports forwarded yet since this is only internal at this point

 

What could I be doing wrong?

49 minutes ago, RockDawg said:

You can't use letsencrypt without public IP access; you need to forward those ports.

Link to comment

I went into pfsense and forwarded port 80 to 192.168.1.42:81 and 443 to 192.168.1.42:444.  When I type 192.168.1.81 I still get the "Site can't be reached" page.  If I type mysubdomain.duckdns.org I get a Chrome "not secure" page, and if I click proceed I get a pfsense error page that says "Potential DNS Rebind attack detected".

 

I also get this in my Letsencrypt container log:

 

tls-sni validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
Client with the currently selected authenticator does not support any combination of challenges that will satisfy the CA.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

I'm sure I have something stupid wrong but I can't figure out what.

5 minutes ago, RockDawg said:

VALIDATION http

 

You need to add that value to the docker.

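The checks the replies above ask for (does the DuckDNS name resolve to your current public IP, are 80/443 forwarded to the container) and the two error signatures quoted in this thread, as an added Python example that is not from the guide or from the linuxserver container. The public IP 203.0.113.5 used in testing is a constructed value; resolve and tcp_open are injectable so the logic runs without a network.

```python
"""Offline-testable triage for the http-01 failures discussed in this thread.
Added example; not part of the guide or the linuxserver/letsencrypt container."""
import re
import socket

# Error signatures taken from the logs/pages quoted in the thread, each mapped
# to the fix the replies give for it.
SIGNATURES = [
    (r"Connection refused",
     "Let's Encrypt reached your public IP but nothing answered on port 80: "
     "forward router port 80 to the host port the container uses (81/85 here)."),
    (r"does not support any combination of challenges",
     "tls-sni validation is no longer accepted by the CA: set VALIDATION=http on the container."),
    (r"DNS Rebind attack detected",
     "Hairpin access through pfSense is blocked: test from outside the LAN or add a DNS host override."),
]

def classify_le_log(log_text):
    """Return the advice for every known signature present in the container log."""
    return [advice for pattern, advice in SIGNATURES if re.search(pattern, log_text)]

def _tcp_open(ip, port, timeout=3.0):
    """True if a TCP connection to ip:port succeeds (real network check)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def diagnose_http01(domain, public_ip, resolve=socket.gethostbyname, tcp_open=_tcp_open):
    """Check what http-01 needs: the DuckDNS name resolves, it points at the current
    public IP, and ports 80/443 on that IP accept connections. resolve/tcp_open are
    injectable so the logic can be exercised without a network."""
    try:
        resolved = resolve(domain)
    except OSError:
        return ["%s does not resolve: check the subdomain/token in the duckdns container" % domain]
    findings = []
    if resolved != public_ip:
        findings.append("DuckDNS A record %s != current public IP %s: the updater is stale" % (resolved, public_ip))
    for port, hint in ((80, "http"), (443, "https")):
        if not tcp_open(resolved, port):
            findings.append("port %d on %s is closed: forward %d -> UnRAID:<container %s port>"
                            % (port, resolved, port, hint))
    return findings
```

Run it from a machine outside your LAN (a phone hotspot works), since hairpin NAT and the pfSense rebind protection make results from inside the LAN misleading.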
13 minutes ago, RockDawg said:

That seems to have fixed the error in the log but 192.168.1.42:81 still does not take me to the nginx default page.

It's https: you need to go to https://192.168.1.43:444, but really you should be accessing it from a domain externally, even when internal.

Link to comment

I was doing that because step 4 of your guide says:

 

Quote

Since we have set the internal docker port to be 81 you can currently visit the nginx default webpage by going to your UnRAID ip at port 81. For me it would be this http://192.168.1.3:81 or https://192.168.1.3

 

So I was doing the same to test functionality.  I went ahead and downloaded your nginx file and substituted my server's IP for yours.  I don't use most of the apps you have configured in it, but I do use Sonarr at the default port of 8989, the same as in your file, so I figured that should work.  I deleted the original default file and replaced it with yours.  I restarted both the Letsencrypt and Sonarr containers and went to mysubdomain.duckdns.org/sonarr.  Chrome changed the address to HTTPS://mysubdomain.duckdns.org/sonarr but the HTTPS is crossed out and says Not Secure.  The page loaded is an nginx page saying 404 Not Found.

Edited by RockDawg
Link to comment

Almost there, but not quite.  

 

I'm following this guide up to here:

 

Configuring Nginx as a reverse proxy.

Now that we have both DuckDNS and Letsencrypt set up it’s time to configure Nginx as a reverse proxy.

  1. The first thing we need to do is access your appdata folder on windows, for me this is \\192.168.1.3\appdata.
  2. Once in your appdata folder go to the folder called letsencrypt then nginx then site-conf (so for me this is \\192.168.1.3\appdata\letsencrypt-\nginx\site-confs).
  3. This docker is pretty good for getting the configuration right automatically; however, I have configured it to work with sonarr, radarr, htpc, deluge, plex, nextcloud and even netdata. The file can be downloaded from here. (I plan on explaining this file further in the future.)
  4. Now simply delete the existing default file and replace it with the one linked above; make sure to rename it to default if it’s called default.txt. You may also need to run newperms to allow you to replace it.
  5. Next open the file in notepad++ or similar and change any references to 192.168.1.3 to your UnRAID server IP and also make sure the port numbers match your services.
  6. You also need to set the settings for these services, the webdir, webroot or base directory need to be set to the relevant paths.
    • HTPC-Manager is /htpc and the port is 8085
    • Sonarr is /sonarr and the port is 8989
    • Couchpotato is /couchpotato and the port is 5050
    • Radarr is /radarr and the port is 7878
    • Deluge is /downloads (could be changed to deluge if preferred) and the port is 8112
    • Plex requires the advanced setting “Server > Network >Custom server access URLs” to include “https://YOURSUBDOMAIN.duckdns.org”.
    • Nextcloud is /nextcloud, the port is 444 and requires manual modification (see section below)
    • Netdata is /netdata and the port is 19999 (slightly different syntax in the nginx config file)
  7. Once this is done you can restart the dockers for these services and you should be able to access your services from https://YOURSUBDOMAIN.duckdns.org/service, if you need help with additional services or having any issues at all let me know in the comments below.

I downloaded the file from the link above, clicked on it, and selected download.  It gave me a text file.  Put the text file into the folder mentioned above ....\site-confs, then renamed it to default, without any file extension.  Used Notepad++ to edit all IP addresses from 192.168.1.3 to 192.168.1.104 (mine).  Since I am using sonarr anyway, I just restarted the sonarr docker container and accessed https://jxxxx1.duckdns.org/sonarr , and I arrived at the page that says:

 

Welcome to our server

The website is currently being setup under this address.

For help and support, please contact: [email protected]

 

I also changed radarr to couchpotato, and changed the port number to 5050; upon accessing https://jxxxx1.duckdns.org/couchpotato, I also reach the same "Welcome to our server" page.

 

Don't know what's wrong.  Please help.

Link to comment

Still trying to work this out.  @Fma965 - I'm looking at the default file contents you linked to and I have a question about the first few lines:

 

upstream backend {
    server 192.168.1.3:19999;
    keepalive 64;
}

I know you say to change the IP to our unraid IP and I did that, but what about that port 19999?  Should that stay?  What's it for?

5 minutes ago, RockDawg said:

That's only to do with netdata; tbh I need to update my config example as mine is so much cleaner now.

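A checker for the edits the guide's steps 5 and 6 ask for (replace every 192.168.1.3 with your own IP, make each location's proxy_pass port match the service), which also resolves the netdata "backend" upstream asked about above. This is an added Python example, not the guide's default file; the embedded SAMPLE config and the IP 192.168.1.104 are constructed for the demonstration.

```python
"""Sanity-check an edited site-confs/default before restarting the letsencrypt docker.
Added example, not the guide's own file: it flags the template IP 192.168.1.3 that
step 5 says to replace and compares each location's proxy_pass port with step 6."""
import re

# Service path -> port, from step 6 of the guide quoted in this thread.
GUIDE_PORTS = {"/htpc": 8085, "/sonarr": 8989, "/couchpotato": 5050, "/radarr": 7878,
               "/downloads": 8112, "/nextcloud": 444, "/netdata": 19999}
TEMPLATE_IP = "192.168.1.3"
# Constructed sample: one leftover template IP (in the netdata upstream, which is
# what port 19999 is for) and one wrong port, to show what the checker reports.
SAMPLE = """
upstream backend {
    server 192.168.1.3:19999;
    keepalive 64;
}
server {
    listen 443 ssl;
    location /sonarr { proxy_pass http://192.168.1.104:8989; }
    location /couchpotato { proxy_pass http://192.168.1.104:7878; }
    location /netdata/ { proxy_pass http://backend/; }
}
"""

def check_site_conf(text, my_ip):
    """Return a list of problems found in the nginx site config text (empty = looks fine)."""
    problems = []
    # Map upstream names to their server host:port so proxy_pass http://backend resolves.
    upstreams = {m.group(1): m.group(2) for m in re.finditer(
        r"upstream\s+(\S+)\s*\{[^}]*?server\s+([\d.]+:\d+)", text)}
    leftovers = re.findall(r"\b%s\b" % re.escape(TEMPLATE_IP), text)
    if leftovers and my_ip != TEMPLATE_IP:
        problems.append("%d reference(s) to the template IP %s still present" % (len(leftovers), TEMPLATE_IP))
    for loc, target in re.findall(r"location\s+(/\S*?)/?\s*\{[^}]*?proxy_pass\s+(\S+?);", text):
        m = re.match(r"https?://([^/:]+)(?::(\d+))?", target)
        if not m:
            problems.append("%s: unparsable proxy_pass %s" % (loc, target))
            continue
        host, port = m.group(1), m.group(2)
        if host in upstreams:  # proxy_pass http://backend -> the upstream's server line
            host, port = upstreams[host].split(":")
        expected = GUIDE_PORTS.get(loc)
        if expected is not None and int(port or 80) != expected:
            problems.append("%s proxies to port %s but the guide uses %d" % (loc, port, expected))
        if host not in (my_ip, "localhost", "127.0.0.1"):
            problems.append("%s proxies to %s, not your UnRAID IP %s" % (loc, host, my_ip))
    return problems
```

An empty list only means the file is consistent with the guide; the letsencrypt docker still has to be restarted before nginx reads the new default, which is why an unchanged "Welcome to our server" page usually points at a missed restart.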
2 hours ago, jang430 said:

Did you restart the letsencrypt docker?
