Djoss (Author) Posted March 5, 2019

> 10 hours ago, flippedcracker said:
> Tunable is set to Auto. File system is reiserfs. I've had this server for many many years.

The problem is the filesystem. Mariadb uses an operation (fallocate) which is not supported by reiserfs...

Djoss (Author) Posted March 5, 2019

> 4 hours ago, Kaizac said:
> I have the NginxProxyManager docker on its own IP in the same VLAN as my other dockers. All other dockers also have their own IP in this VLAN. So I put the NginxProxyManager on ports 80 and 443 and I opened and forwarded these ports on my router to the IP of the NginxProxyManager. Then when I add my proxy hosts and request the certificates I always get the error "Internal Error". When I look in my log it says the following:
>
> Failed authorization procedure. bitwarden.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://bitwarden.mydomain.com/.well-known/acme-challenge/As3xDn2mZgCJzRpsFyGtlXKog3UZBRzrsHVaActeN6s: Connection refused

The container is not reachable from the Internet. Note that when assigning an IP to the container, you cannot choose the ports used by the container. So you need to forward to the container HTTPS port 4443 and HTTP port 8080.

Kaizac Posted March 5, 2019

> 14 minutes ago, Djoss said:
> The container is not reachable from the Internet. Note that when assigning an IP to the container, you cannot choose the ports used by the container. So you need to forward to the container HTTPS port 4443 and HTTP port 8080.

Ok so I changed this and it gives the error below. So then I disabled the Cloudflare CDN protection. And it works. So is it possible to get this working with the Cloudflare CDN/protection on you think?

Failed authorization procedure. bitwarden.mydomain (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://bitwarden.mydomain/.well-known/acme-challenge/Z6vJRYrurz18JbcCPEeexbC1IhmWJoxfOFIY3jVRatw [2606:4700:30::681b:80cc]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js "

Djoss (Author) Posted March 5, 2019

> 15 minutes ago, Kaizac said:
> Ok so I changed this and it gives the error below. So then I disabled the Cloudflare CDN protection. And it works. So is it possible to get this working with the Cloudflare CDN/protection on you think?
>
> Failed authorization procedure. bitwarden.mydomain (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://bitwarden.mydomain/.well-known/acme-challenge/Z6vJRYrurz18JbcCPEeexbC1IhmWJoxfOFIY3jVRatw [2606:4700:30::681b:80cc]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js "

What is the protection doing? If it forces redirection to HTTPS, then I guess it won't work. Unless you can disable the protection for specific URLs...

Kaizac Posted March 5, 2019

> 6 minutes ago, Djoss said:
> What is the protection doing? If it forces redirection to HTTPS, then I guess it won't work. Unless you can disable the protection for specific URLs...

You made me remember, it's not the IP/CDN protection, it's a setting in Cloudflare. Someone else in this topic mentioned it. You have to disable the HTTPS rewrites.

So I got most of my subdomains working. Two aren't though or not as desired (Nextcloud and OnlyOffice). Both of which require a more specific configuration. So what I can do is put my older NGINX config in, but then it has includes which it can't find. I see that the standard configs are including files like block-exploits.conf. Are those accessible and editable somewhere? I can't find them, so I wonder if they are hardcoded/somewhere hidden.

Djoss (Author) Posted March 6, 2019

> 10 hours ago, Kaizac said:
> I see that the standard configs are including files like block-exploits.conf. Are those accessible and editable somewhere? I can't find them, so I wonder if they are hardcoded/somewhere hidden.

Yes they are hard-coded files. They are located under /etc/nginx in the container.

Djoss (Author) Posted March 6, 2019

For people who were waiting for it: subfolders support is now there

Jclendineng Posted March 6, 2019

Just a heads up, the latest build does not respect custom ports. Default right back to the stock ports :)

Djoss (Author) Posted March 7, 2019

> 2 hours ago, Jclendineng said:
> Just a heads up, the latest build does not respect custom ports. Default right back to the stock ports

What do you mean exactly by "does not respect custom ports"? You mean the port mappings between the host and the container?

Jclendineng Posted March 7, 2019

I change the ports when I set up the container but it does not see them for some reason. I deleted the container and xml and started over with same results. I changed the ports to 80, 443 and 8080 but the default ports still override it.

Raz Posted March 7, 2019

Are you talking about host ports or container ports? I have an nginx proxy manager container running on a vps with custom ports and it's working. It's not the latest version tho

Nyghthawk Posted March 7, 2019

do i still need like duck dns to give it a name or something?

Raz Posted March 7, 2019

> Just now, Nyghthawk said:
> do i still need like duck dns to give it a name or something?

If you don't have a static public IP, you need something like DuckDNS to point your domain/subdomains to your unRaid Server

Nyghthawk Posted March 7, 2019

> 16 minutes ago, Raz said:
> If you don't have a static public IP, you need something like DuckDNS to point your domain/subdomains to your unRaid Server

have static ip....but then need to remember my IP for each "subdomain"? sonarr.##.##.##.## etc?

Edited March 7, 2019 by Nyghthawk

Raz Posted March 7, 2019

> Just now, Nyghthawk said:
> have static ip....but then need to remember my IP for each "subdomain"? sonarr.##.##.##.## etc?

Don't you have a domain name? You still need a domain name! If you don't have it, you have to use Duck DNS

Nyghthawk Posted March 7, 2019

> 3 minutes ago, Raz said:
> Don't you have a domain name? You still need a domain name! If you don't have it, you have to use Duck DNS

so if i just buy a domain name from <insert provider> I just create subdomains there and nameserver it to my static ip? or sonarr.mydomain.com points to 111.222.333.444:1234 ? or should i still use this to hide the ports? so then its sonarr.mydomain points to sonarr.mypublicip

Edited March 7, 2019 by Nyghthawk

Raz Posted March 7, 2019

> 6 minutes ago, Nyghthawk said:
> so if i just buy a domain name from <insert provider> I just create subdomains there and nameserver it to my static ip? or sonarr.mydomain.com points to 111.222.333.444:1234 ? or should i still use this to hide the ports? so then its sonarr.mydomain points to sonarr.mypublicip

If you buy your domain, you have to change the dns records to point it to your public ip. So something like "sonarr.mydomain.com" points to "yourpublicip" and on nginx proxy manager you set up everything according to your configurations

Nyghthawk Posted March 7, 2019

> 4 minutes ago, Raz said:
> If you buy your domain, you have to change the dns records to point it to your public ip. So something like "sonarr.mydomain.com" points to "yourpublicip" and on nginx proxy manager you set up everything according to your configurations

thank you, will get on that!

KG_NV Posted March 7, 2019

> On 3/2/2019 at 7:38 PM, Djoss said:
> So if you have specific domain names, can't you block the ones you don't want by adding "404 Hosts"? Btw, the ability to customize/disable the default page is a feature that has been requested on the project.

I can add 404 hosts, and have added the IP address as one as a temporary bandaid, but that works until my dynamic IP changes. Then I have to know that and manually change the 404 host. Ideally, anything other than requests from mysubdomain.mydomain.com would just get dropped. Even with 404 I see foreign bad guys trying to run exploits in the dead-hosts log.

KG_NV Posted March 7, 2019

> On 3/2/2019 at 7:38 PM, Djoss said:
> So if you have specific domain names, can't you block the ones you don't want by adding "404 Hosts"? Btw, the ability to customize/disable the default page is a feature that has been requested on the project.

I just saw in the new version of the container that updated while I was back at the day job that there is a settings option to change the default site. Well done, thanks!

My next question would be which is the best option for deterring bad guys? 404, 444, or maybe redirect? Or do they all say enough to the prying eyes that the server is responding to requests so they keep at it?

Also, is fail2ban implementation forthcoming? That would help solve the problem.

Edited March 7, 2019 by KG_NV

Dragnoballz Posted March 8, 2019

First of all, I would like to thank you for developing this docker. This is a fantastic tool for users with limited understanding of networking (like myself).

Now, on to the problem: I configured Nginx Proxy Manager for 5 different proxy hosts - Sabnzbd, Sonarr, Radarr, Lidarr and Ombi. Everything else seems to work flawlessly except Ombi. With Ombi, although I am able to get to the login page, it keeps looping back to the same page when I click on the login button, i.e. instead of logging me into Ombi, it opens a new tab / window and goes back to the login screen. Also, the same behavior is persistent on both Ombi native login and plex authorization. Have even tried the option to log a user based on just the username, but even that does not work.

I have checked the configuration file for Ombi and the options selected on that file are exactly the same as other proxy host config files. I have included my config file below for your assistance:

    # ------------------------------------------------------------
    # ombi.mydomain.com
    # ------------------------------------------------------------

    server {
      set $forward_scheme http;
      set $server "x.x.x.x";
      set $port 3579;

      listen 8080;
      listen 4443 ssl http2;

      server_name ombi.mydomain.com;

      # Let's Encrypt SSL
      include conf.d/include/letsencrypt-acme-challenge.conf;
      include conf.d/include/ssl-ciphers.conf;
      ssl_certificate /etc/letsencrypt/live/npm-7/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/npm-7/privkey.pem;

      # Asset Caching
      include conf.d/include/assets.conf;

      # Block Exploits
      include conf.d/include/block-exploits.conf;

      access_log /data/logs/proxy_host-5.log proxy;

      location / {
        # Force SSL
        include conf.d/include/force-ssl.conf;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;

        # Proxy!
        include conf.d/include/proxy.conf;
      }
    }

---------------------------

Any help would be much appreciated.

Edit: Managed to fix the issue by disabling the support websockets option.

Edited March 8, 2019 by Dragnoballz

malac Posted March 8, 2019

Is fail2ban also in place?

Djoss (Author) Posted March 8, 2019

> 20 hours ago, KG_NV said:
> My next question would be which is the best option for deterring bad guys? 404, 444, or maybe redirect?

I would use 444, which makes nginx close the connection.

Djoss (Author) Posted March 8, 2019

> 20 hours ago, KG_NV said:
> Also, is fail2ban implementation forthcoming? That would help solve the problem.

> 24 minutes ago, malac said:
> Is fail2ban also in place?

This container doesn't have fail2ban. I'm not sure this is the right place to implement it. Doing so will probably cause issues if another container also implements it. I think the best way would be to have one container (or the host) implementing fail2ban. This instance could be used to monitor multiple log files from multiple containers.

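The arrangement described in the post above (one fail2ban instance watching log files from several containers) comes down to counting failures per client across all files inside a time window. The following Python sketch of that logic is an added example, not part of the thread and not fail2ban's or the container's own code. The log line layout, file names and sample entries are constructed assumptions; `maxretry` and `findtime` borrow fail2ban's option names, and both 404 and 444 responses are counted as failures.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Assumed access-log layout, constructed for this example (not the container's own).
LINE_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] \S+ \S+ (?P<status>\d{3}) - \S+ \S+ \S+ '
                     r'"[^"]*" \[Client (?P<ip>[^\]]+)\]')
FAIL_STATUSES = {"404", "444"}  # 404-host hits and connections closed with 444

def parse(line):
    """Return (timestamp, client_ip) for a failure line, otherwise None."""
    m = LINE_RE.match(line)
    if not m or m["status"] not in FAIL_STATUSES:
        return None
    return datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), m["ip"]

def ban_candidates(logs, maxretry=3, findtime=600):
    """logs maps file name -> lines; returns {ip: time maxretry was reached}."""
    events = sorted(e for lines in logs.values() for e in map(parse, lines) if e)
    window, recent, banned = timedelta(seconds=findtime), defaultdict(deque), {}
    for ts, ip in events:
        if ip in banned:
            continue
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:  # forget failures older than findtime
            hits.popleft()
        if len(hits) >= maxretry:
            banned[ip] = ts
    return banned

def sample_line(t, status, ip, uri):  # one constructed line in the assumed layout
    return (f'[07/Mar/2019:{t} +0000] - - {status} - GET http '
            f'sub.mydomain.com "{uri}" [Client {ip}] "-"')
# Constructed sample input: log files written by two different containers.
SAMPLE_LOGS = {
    "dead-host.log": [
        sample_line("10:00:01", 444, "203.0.113.9", "/wp-login.php"),
        sample_line("10:00:05", 444, "203.0.113.9", "/phpmyadmin/"),
        sample_line("10:20:00", 404, "198.51.100.20", "/favicon.ico"),
    ],
    "proxy_host-5.log": [
        sample_line("10:01:10", 404, "203.0.113.9", "/.env"),
        sample_line("10:02:00", 200, "192.0.2.44", "/"),
        sample_line("10:45:00", 404, "198.51.100.20", "/old-link"),
    ],
}

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOGS))
```

The third failure from 203.0.113.9 sits in a different file from the first two, which is why the events are merged and sorted before counting.
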
Nyghthawk Posted March 8, 2019

So i had this long post about things not working. And I got it working.

However, need a bit of help on this last one. Trying to get my unifi controller accessible. When I am local and i type http://localip:port to access the login, it lets me log in, then gives me an error on the certificate, etc. When I type in http://unifi.domain it asks to log in like normal, but then does not log in giving me an error. is this a setting I am missing, do i need to customize my commands for this one? So far I think everything else is working. (crosses fingers)

also, I did a blanket wildcard record on my domain, so all subdomains will point to "proxy manager has not been setup yet" is this ok?

also tried to add SSL, and i get an "internal error", and nothing works, any help with that? apparently creates an SSL but then i get a cipher mismatch or something like that error.

Edited March 9, 2019 by Nyghthawk