TexasDave Posted April 26, 2020

I am in the process of trying to allow friends to monitor the status of Plex and Ombi. This will avoid texts coming to me asking "Is Plex up"? 🙂

I am looking at Monitorr and OrganizrV2. I have been checking out a set of blog posts from @GilbN (which are awesome). His one article discussed how he got an A+ score on both https://securityheaders.com/ and https://www.ssllabs.com/

Blog Post: https://technicalramblings.com/blog/how-to-setup-organizr-with-letsencrypt-on-unraid/ (it is a bit old but I still think there is good stuff in this)

Right now, I am exposing Ombi and Ubooquity. When I type in URLs for these - I get an F. Probably not good? I am wondering:

Does the above matter? That is, my services getting an F?
Is there a way to configure Ombi and Ubooquity so I can get better scores?
Any pointers?

Thanks as always....

PS: will be posting some actual questions on using Monitorr and OrganizrV2 in a separate thread.

GilbN Posted April 26, 2020

Hi. Does it say why you get an F?

TexasDave Posted April 26, 2020

Attached. I use the individual conf files rather than the master. No real reason - I think because that is how SpaceInvader One's videos did it?

Thanks for any suggestions and thanks for your articles. I may be posting for some help on what led me to your original blog post.

Having some issues with OrganizrV2 and Monitorr... Is there a good place to post those questions?

GilbN Posted April 26, 2020

It's getting a 500 error. Says it's the wrong url

TexasDave Posted April 26, 2020

Now with correct URL - sorry!

GilbN Posted April 26, 2020

Share your nginx config for the domain

TexasDave Posted April 26, 2020

proxy-confs/ubooquity.subdomain.conf

    # make sure that your dns has a cname set for ubooquity and that your ubooquity container is not using a base url

    server {
        listen 443 ssl;
        listen [::]:443 ssl;

        server_name dz-comics.*;

        include /config/nginx/ssl.conf;

        client_max_body_size 0;

        # enable for ldap auth, fill in ldap details in ldap.conf
        #include /config/nginx/ldap.conf;

        location / {
            # enable the next two lines for http auth
            #auth_basic "Restricted";
            #auth_basic_user_file /config/nginx/.htpasswd;

            # enable the next two lines for ldap auth
            #auth_request /auth;
            #error_page 401 =200 /login;

            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_ubooquity ubooquity;
            proxy_pass http://$upstream_ubooquity:2202;
        }

        location ~ (/ubooquity)?/api {
            include /config/nginx/proxy.conf;
            resolver 127.0.0.11 valid=30s;
            set $upstream_ubooquity ubooquity;
            proxy_pass http://$upstream_ubooquity:2202;
        }
    }

site-confs/default

    ## Version 2019/08/01 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default

    # redirect all traffic to https
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    # main server block
    server {
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;

        root /config/www;
        index index.html index.htm index.php;

        server_name _;

        # enable subfolder method reverse proxy confs
        include /config/nginx/proxy-confs/*.subfolder.conf;

        # all ssl related config moved to ssl.conf
        include /config/nginx/ssl.conf;

        # enable for ldap auth
        #include /config/nginx/ldap.conf;

        client_max_body_size 0;

        location / {
            try_files $uri $uri/ /index.html /index.php?$args =404;
        }

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
        }

    # sample reverse proxy config for password protected couchpotato running at IP 192.168.1.50 port 5050 with base url "cp"
    # notice this is within the same server block as the base
    # don't forget to generate the .htpasswd file as described on docker hub
    #    location ^~ /cp {
    #        auth_basic "Restricted";
    #        auth_basic_user_file /config/nginx/.htpasswd;
    #        include /config/nginx/proxy.conf;
    #        proxy_pass http://192.168.1.50:5050/cp;
    #    }

    }

    # sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
    # notice this is a new server block, you need a new server block for each subdomain
    #server {
    #    listen 443 ssl http2;
    #    listen [::]:443 ssl http2;
    #
    #    root /config/www;
    #    index index.html index.htm index.php;
    #
    #    server_name cp.*;
    #
    #    include /config/nginx/ssl.conf;
    #
    #    client_max_body_size 0;
    #
    #    location / {
    #        auth_basic "Restricted";
    #        auth_basic_user_file /config/nginx/.htpasswd;
    #        include /config/nginx/proxy.conf;
    #        proxy_pass http://192.168.1.50:5050;
    #    }
    #}

    # sample reverse proxy config for "heimdall" via subdomain, with ldap authentication
    # ldap-auth container has to be running and the /config/nginx/ldap.conf file should be filled with ldap info
    # notice this is a new server block, you need a new server block for each subdomain
    #server {
    #    listen 443 ssl http2;
    #    listen [::]:443 ssl http2;
    #
    #    root /config/www;
    #    index index.html index.htm index.php;
    #
    #    server_name heimdall.*;
    #
    #    include /config/nginx/ssl.conf;
    #
    #    include /config/nginx/ldap.conf;
    #
    #    client_max_body_size 0;
    #
    #    location / {
    #        # the next two lines will enable ldap auth along with the included ldap.conf in the server block
    #        auth_request /auth;
    #        error_page 401 =200 /login;
    #
    #        include /config/nginx/proxy.conf;
    #        resolver 127.0.0.11 valid=30s;
    #        set $upstream_heimdall heimdall;
    #        proxy_pass https://$upstream_heimdall:443;
    #    }
    #}

    # enable subdomain method reverse proxy confs
    include /config/nginx/proxy-confs/*.subdomain.conf;
    # enable proxy cache for auth
    proxy_cache_path cache/ keys_zone=auth_cache:10m;

I am using the individual conf files instead of a site one. Thanks!!

GilbN Posted April 26, 2020

Try this. Create a new file called strong-ssl.conf in the nginx folder and add this: https://github.com/gilbN/Nostromo/blob/master/Server/nginx/strong-ssl.conf

Then where it says "include /config/nginx/ssl.conf;"

Replace that line with

    include /config/nginx/strong-ssl.conf;

TexasDave Posted April 26, 2020

@GilbN - Boom! You nailed it - Thanks!! See attached. 😀

I made the change in both the individual conf files and the single one. Was not sure which ones to change.

Question: Is this more of a housekeeping / nice to have thing? Or does it help secure the services I expose? Or just give others confidence that these are legit sites. Just curious.

Now to get back to why I was originally reading your blog - to pimp a page I want to share with friends so they can see Plex Status.

Thanks so much for your help and blog posts!

Biff Bojangles Posted November 12, 2020

I just recently switched swag and a validation by DNS vs http and I now get an F from https://securityheaders.com/ .... previously I used http and letsencrypt. Even when I switch the old docker container on, it still fails the security test. Any thoughts? I am using the strong-ssl.conf that you recommended and worked previously.

Thanks in advance.

Biff Bojangles Posted November 12, 2020

@GilbN Also when looking at the strong-ssl.conf, when would I also need to use the sub-strong-ssl.conf?

And for:

    add_header Content-Security-Policy "frame-ancestors https://*.DOMAIN.COM https://DOMAIN.COM https://$server_name"; #Add your domains you want to enable iframing on
    add_header X-Frame-Options "allow-from https://DOMAIN.COM https://$server_name"; #Add your domains you want to enable iframing on. https://$server_name = sub.domain.com in this server block

do I actually put in my domain? For example ... would it be mysubdomain.mydomain.com.

GilbN Posted November 13, 2020

> 21 hours ago, Biff Bojangles said:
>
> @GilbN Also when looking at the strong-ssl.conf, when would I also need to use the sub-strong-ssl.conf?
>
> And for:
>
>     add_header Content-Security-Policy "frame-ancestors https://*.DOMAIN.COM https://DOMAIN.COM https://$server_name"; #Add your domains you want to enable iframing on
>     add_header X-Frame-Options "allow-from https://DOMAIN.COM https://$server_name"; #Add your domains you want to enable iframing on. https://$server_name = sub.domain.com in this server block
>
> do I actual put in my domain? For example ... would it be mysubdomain.mydomain.com.

yup

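Added example, not part of any post in this thread and not GilbN's or linuxserver's code: a shell audit for the include swap described on April 26 and for the failing grade reported in November. The include paths are the ones quoted in the thread; the sample file tree and the list of headers checked are assumptions made for this example.

```bash
#!/usr/bin/env bash
# Added example. Paths follow the thread; the header list is a common baseline
# chosen for this example, not the contents of strong-ssl.conf.

# For every conf file under DIR (skipping *.sample), report which TLS include
# it uses: strong, default, mixed or none. Commented-out lines are ignored.
audit_ssl_includes() {
    local dir f s d rel
    dir=$1
    find "$dir" -type f ! -name '*.sample' | sort | while IFS= read -r f; do
        s=0; d=0; rel=${f#"$dir"/}
        grep -Eq '^[[:space:]]*include[[:space:]]+[^#;]*/strong-ssl\.conf;' "$f" && s=1
        grep -Eq '^[[:space:]]*include[[:space:]]+[^#;]*/ssl\.conf;' "$f" && d=1
        case "$s$d" in
            11) printf '%s: mixed\n' "$rel" ;;
            10) printf '%s: strong\n' "$rel" ;;
            01) printf '%s: default\n' "$rel" ;;
            *)  printf '%s: none\n' "$rel" ;;
        esac
    done
}

# Read raw response headers on stdin (for example from `curl -sI URL`) and
# print each baseline header that is absent. Matching is case-insensitive.
missing_headers() {
    local raw h
    raw=$(tr -d '\r')
    for h in Strict-Transport-Security Content-Security-Policy X-Frame-Options \
             X-Content-Type-Options Referrer-Policy; do
        printf '%s\n' "$raw" | grep -iq "^$h:" || printf '%s\n' "$h"
    done
}

# Constructed sample tree: one conf switched, one not, one with the include
# commented out. Prints the temporary directory it created.
make_sample_tree() {
    local t
    t=$(mktemp -d)
    mkdir -p "$t/proxy-confs" "$t/site-confs"
    printf 'server {\n  include /config/nginx/strong-ssl.conf;\n}\n' > "$t/proxy-confs/ubooquity.subdomain.conf"
    printf 'server {\n  include /config/nginx/ssl.conf;\n}\n' > "$t/proxy-confs/ombi.subdomain.conf"
    printf 'server {\n  #include /config/nginx/ssl.conf;\n}\n' > "$t/site-confs/default"
    printf '%s\n' "$t"
}

demo=$(make_sample_tree)
audit_ssl_includes "$demo"
printf 'HTTP/2 200\r\nstrict-transport-security: max-age=63072000\r\n\r\n' | missing_headers
rm -rf "$demo"
```

nginx inherits add_header directives from the enclosing level only when the current level defines none of its own, so a location block that sets any header drops the ones brought in by a server-level include; checking the live response with missing_headers catches that case even when the include audit is clean.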