April 26, 20206 yr I am in the process of trying to allow friends to monitor the status of Plex and Ombi. This will avoid texts coming to me asking "Is Plex up"? 🙂  I am looking at Monitorr and OrganizrV2. I have been checking out a set of blog posts from @GilbN (which are awesome). His one areticle discussed how he got an A+ score on both https://securityheaders.com/ and https://www.ssllabs.com/  Blog Post: https://technicalramblings.com/blog/how-to-setup-organizr-with-letsencrypt-on-unraid/ (it is a bit old but I still think there is good stuff in this)  Right now, I am exposing Ombi and Ubooquity. When I type in URLS for these - I get an F. Probably not good? I am wondering:  Does the above matter? That is, my services geting an F? Is there a way to configure Ombi and Ubooquity so I can get better scores? Any pointers?  Thanks s always.... PS: will be posting some actual questions on using Monitorr and OrganizrV2 in a seperate thread.
April 26, 20206 yr Author Atached. I use the indivdua conf files rather than the master. No real reason - I think because that is how SpaceInvader One's videos did it? Â Thanks for any suggestions and thanks for your articles. I may be posting for some help on what lead me to your original blog post. Â Having some issues with OrganizrV2 and Monitorr...Is there a good place to post those questions?
April 26, 20206 yr Author  proxy-confs/ubooquity.subdomain.conf  # make sure that your dns has a cname set for ubooquity and that your ubooquity container is not using a base url server { listen 443 ssl; listen [::]:443 ssl; server_name dz-comics.*; include /config/nginx/ssl.conf; client_max_body_size 0; # enable for ldap auth, fill in ldap details in ldap.conf #include /config/nginx/ldap.conf; location / { # enable the next two lines for http auth #auth_basic "Restricted"; #auth_basic_user_file /config/nginx/.htpasswd; # enable the next two lines for ldap auth #auth_request /auth; #error_page 401 =200 /login; include /config/nginx/proxy.conf; resolver 127.0.0.11 valid=30s; set $upstream_ubooquity ubooquity; proxy_pass http://$upstream_ubooquity:2202; } location ~ (/ubooquity)?/api { include /config/nginx/proxy.conf; resolver 127.0.0.11 valid=30s; set $upstream_ubooquity ubooquity; proxy_pass http://$upstream_ubooquity:2202; } }  site-confs/default  ## Version 2019/08/01 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default # redirect all traffic to https server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; } # main server block server { listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; root /config/www; index index.html index.htm index.php; server_name _; # enable subfolder method reverse proxy confs include /config/nginx/proxy-confs/*.subfolder.conf; # all ssl related config moved to ssl.conf include /config/nginx/ssl.conf; # enable for ldap auth #include /config/nginx/ldap.conf; client_max_body_size 0; location / { try_files $uri $uri/ /index.html /index.php?$args =404; } location ~ \.php$ { fastcgi_split_path_info ^(.+\.php)(/.+)$; fastcgi_pass 127.0.0.1:9000; fastcgi_index index.php; include /etc/nginx/fastcgi_params; } # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp" # notice this is within the same server block as the base # don't forget to generate the .htpasswd file as described on docker hub # location ^~ /cp { # auth_basic "Restricted"; # auth_basic_user_file /config/nginx/.htpasswd; # include /config/nginx/proxy.conf; # proxy_pass http://192.168.1.50:5050/cp; # } } # sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above # notice this is a new server block, you need a new server block for each subdomain #server { # listen 443 ssl http2; # listen [::]:443 ssl http2; # # root /config/www; # index index.html index.htm index.php; # # server_name cp.*; # # include /config/nginx/ssl.conf; # # client_max_body_size 0; # # location / { # auth_basic "Restricted"; # auth_basic_user_file /config/nginx/.htpasswd; # include /config/nginx/proxy.conf; # proxy_pass http://192.168.1.50:5050; # } #} # sample reverse proxy config for "heimdall" via subdomain, with ldap authentication # ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info # notice this is a new server block, you need a new server block for each subdomain #server { # listen 443 ssl http2; # listen [::]:443 ssl http2; # # root /config/www; # index index.html index.htm index.php; # # server_name heimdall.*; # # include /config/nginx/ssl.conf; # # include /config/nginx/ldap.conf; # # client_max_body_size 0; # # location / { # # the next two lines will enable ldap auth along with the included ldap.conf in the server block # auth_request /auth; # error_page 401 =200 /login; # # include /config/nginx/proxy.conf; # resolver 127.0.0.11 valid=30s; # set $upstream_heimdall heimdall; # proxy_pass https://$upstream_heimdall:443; # } #} # enable subdomain method reverse proxy confs include /config/nginx/proxy-confs/*.subdomain.conf; # enable proxy cache for auth proxy_cache_path cache/ keys_zone=auth_cache:10m;  I am using the individual conf files instead of a site one. Thanks!!
April 26, 20206 yr Try this. Create a new file called strong-ssl.conf in the nginx folder and add this: https://github.com/gilbN/Nostromo/blob/master/Server/nginx/strong-ssl.conf  Then where is says "include /config/nginx/ssl.conf;"  Replace that line with include /config/nginx/strong-ssl.conf;
April 26, 20206 yr Author @GilbN - Boom! You nailed it - Thanks!! See attached . 😀 I made the change in both the indivdual conf files and the single one. Was not sure which ones to change.  Question: Is this more of a housekeeping / nice to have thing? Or does it help secure the services I expose? Or just give others confidence that these are legit sites. Just curious. Now to get back to why I was originaly reading your blog - to pimp a page I want to share with friends so they can see Plex Ststus. Thanks so much for your help and blog posts!
November 12, 20205 yr I just recently switched swag and a validation by DNS vs http and I now get an F from https://securityheaders.com/ .... previously I used http and letsencrypt. Even when I switch the old docker container on, it still fails the security test. Any thoughts? I am using the strong-ssl.conf that you recommended and worked previously.  Thanks in advance.
November 12, 20205 yr @GilbN Also when looking at the strong-ssl.conf, when would I also need to use the sub-strong-ssl.conf?   And for: add_header Content-Security-Policy "frame-ancestors https://*.DOMAIN.COM https://DOMAIN.COM https://$server_name"; #Add your domains you want to enable iframing on add_header X-Frame-Options "allow-from https://DOMAIN.COM https://$server_name"; #Add your domains you want to enable iframing on. https://$server_name = sub.domain.com in this server block do I actual put in my domain? For example ... would it be mysubdomain.mydomain.com. Â
November 13, 20205 yr 21 hours ago, Biff Bojangles said: @GilbN Also when looking at the strong-ssl.conf, when would I also need to use the sub-strong-ssl.conf?   And for: add_header Content-Security-Policy "frame-ancestors https://*.DOMAIN.COM https://DOMAIN.COM https://$server_name"; #Add your domains you want to enable iframing on add_header X-Frame-Options "allow-from https://DOMAIN.COM https://$server_name"; #Add your domains you want to enable iframing on. https://$server_name = sub.domain.com in this server block do I actual put in my domain? For example ... would it be mysubdomain.mydomain.com.  yup
Archived
This topic is now archived and is closed to further replies.