[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


After reading a bit on certbot I think I understand better - the script runs certbot in standalone mode - it itself listens on 443 to perform the verification.

 

I did some troubleshooting (built the image w/o the starter script, nginx turned off) from the container itself:

certbot certonly --verbose --non-interactive --renew-by-default --standalone --preferred-challenges tls-sni --rsa-key-size 4096 --email "[email protected]" --agree-tos -d "x.mydomain.com"

Same error, only this time, I ran watch on curl https://localhost, and after a few seconds, got this:


Every 2s: curl -v -k https://localhost

* Rebuilt URL to: https://localhost/
*   Trying 127.0.0.1...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: none
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS alert, Server hello (2):
* error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure
* Curl_http_done: called premature == 1
* Closing connection 0
curl: (35) error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure

After that certbot finished and from then on it was connection refused (which is fine).

 

btw, here's my docker run cmd (Router routes both 443 and 80 to 443 and 81):

docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e HOST_OS="unRAID" -e "EMAIL"="[email protected]" -e "URL"="mydomain.com" -e "SUBDOMAINS"="x," -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="2048" -e "PUID"="99" -e "PGID"="100" -p 81:80/tcp -p 443:443/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

 

Link to comment

Well, I feel a bit ashamed :o:P

 

I tried removing/changing as you suggested, and then I started triple-checking my router is forwarding as it should :|

As it turns out, I'm using a VERY old firmware version of DD-WRT (DD-WRT v24-sp2 (12/24/13) std). After some reading, there seems to be a known issue around NAT loopback/port forwarding which was fixed in later versions.

There's a workaround available but I decided to upgrade to the latest firmware, which seems to resolve the issue.

 

All is working as expected - thanks @CHBMB:)

Link to comment

Good evening,

 

I hope that one of you can help me. I tried Let's Encrypt today using this guide. I didn't have much trouble with Emby and Nextcloud (also using No-IP instead of DuckDNS) but McMyAdmin is giving me a headache. I can reach it but all images, JS and CSS files are missing.

I searched this forum and google and found different solutions for similar problems but couldn't get it to work. 

 

location /mcmyadmin2 
	{
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.178.29:8080/;
	}

This is my code at the moment, I tried adding all sorts of commands to no avail. I read something about using a subdomain but I guess that is not possible on a free dyndns? 

 

That is how the interface looks opening it via https://<servername>.ddns.net/mcmyadmin2

 

Help would be much appreciated!

McMyAdmin.png

 

Edit: I think I solved it! I don't know how but I found this to be working:

	location /mcmyadmin2/ {
		rewrite ^/mcmyadmin2(/.*)$ $1 break;
		proxy_pass http://192.168.178.29:8080/;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto https;
		proxy_redirect    off;
	}

Is doing it like this advisable?

Edited by GoodOlCap
Link to comment
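On the question of whether the rewrite version is advisable: as an added example, not code from the thread or from the linuxserver.io image, here is the same subpath proxy written the way nginx intends. The trailing slash on both `location` and `proxy_pass` makes nginx strip the prefix itself, so no `rewrite` is needed, and redirect rewriting is kept on rather than disabled with `proxy_redirect off`. The backend address is the one from the post; everything else is an assumption about where the block lives.

```nginx
# Goes inside the https server {} block of /config/nginx/site-confs/default.
#
# With a trailing slash on both directives nginx replaces the matched prefix
# itself, so the rewrite line is unnecessary:
#   https://<servername>.ddns.net/mcmyadmin2/js/app.js
#     -> http://192.168.178.29:8080/js/app.js
# A request for the bare "/mcmyadmin2" is answered by nginx with a 301 to
# "/mcmyadmin2/" automatically when the location ends in a slash and proxies.
location /mcmyadmin2/ {
    proxy_pass http://192.168.178.29:8080/;

    # Give the backend the client-facing host, address and scheme, so that
    # any links or cookies it generates match what the browser is using.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Instead of proxy_redirect off, map absolute redirects from the backend
    # back under the prefix: "Location: http://192.168.178.29:8080/login"
    # becomes "Location: /mcmyadmin2/login". With "off", the browser would be
    # sent to the LAN address over plain HTTP, which fails from outside and
    # silently drops TLS from inside.
    proxy_redirect http://192.168.178.29:8080/ /mcmyadmin2/;
}
```

This only works when the application emits relative URLs for its assets. An application that hard-codes paths like `/js/app.js` will keep requesting them outside the prefix and 404, which is exactly the case a per-application subdomain (or an application-side base-path setting) avoids. Nothing in this block adds authentication: an admin panel proxied like this is reachable by anyone who can reach port 443, so the backend's own login must be enforced.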

Hey guys,

 

I've been banging my head against the wall trying to get this going. But I'm having a bear of a time.

 

I checked in the logs and found a couple errors:

 

certbot: error: argument --cert-path: No such file or directory

and

 

Detail: Failed to connect to 192.64.119.116:443 for tls-sni-01

I have ports 443 and 80 passed to 81 on my unRAID box, so that shouldn't be an issue. Is there a way to test that those are going through fine?

 

Any thoughts?

 

Thanks in advance.

Link to comment

I would like to set this docker up but have some issues involving conflicting ports. 

I have a standalone DVR recording 18 security cameras. This DVR has ports 80, 8082 and 443 used for outside access.

I have a static IP which the dvr forwards to. 

I think I can change ports on the DVR and then set the router to forward those ports, but port 80 for web access gets me messed up with how to distinguish between the DVR's internal IP and my other computers on the network.

Any help on this or direction would be appreciated..

Link to comment
5 minutes ago, jonathanm said:

Why do you need 80 externally for this docker? I'm not being a smart alec, I'm genuinely asking. I don't forward anything other than 443.

I guess that is what I am confused about. If I use DuckDNS for a domain to my static IP, any connection to that domain name will open the DVR viewer. How to get other internal IPs on the LAN available to the static IP is where I am confused.

Whether that be on port 80 or whatever.

Link to comment
1 hour ago, Harro said:

I think I can change ports on the dvr and then set the router to forward those ports

 

21 minutes ago, Harro said:

Even if that dvr is using port 443?

Nope, forward your dvr to another port, 444 or something. Your router should allow you to redirect IP.FOR.DVR:443 to external:444 or something like that, and IP.FOR.UNRAID:443 to external:443

 

You would then go to https://your.domain.name for nginx, and https://your.domain.name:444 for your DVR.

 

I wouldn't forward port 80 at all, unless your DVR requires it for some function. Much better to use SSL for everything if possible.

 

Subdomain redirection may be possible, as well as possibly reverse proxy to your DVR through nginx, but that gets a little more hairy. Simply pointing your browser to different ports will work easily.

 

Link to comment
2 hours ago, jonathanm said:

 

Nope, forward your dvr to another port, 444 or something. Your router should allow you to redirect IP.FOR.DVR:443 to external:444 or something like that, and IP.FOR.UNRAID:443 to external:443

 

You would then go to https://your.domain.name for nginx, and https://your.domain.name:444 for your DVR.

 

I wouldn't forward port 80 at all, unless your DVR requires it for some function. Much better to use SSL for everything if possible.

 

Subdomain redirection may be possible, as well as possibly reverse proxy to your DVR through nginx, but that gets a little more hairy. Simply pointing your browser to different ports will work easily.

 

Thanks jonathanm.

I have it up and running. It took some time with restarting the router and DVR to the new ports, but I think it will be worthwhile in the long run.

Link to comment

I'm trying to configure this to block access by country. I came across instructions on using the GeoIP module on Ubuntu, but not being very conversant with Linux I'm having trouble getting this to work. Running nginx -V shows " --with-http_geoip_module=dynamic" so it's compiled with the right module, but it doesn't seem to have geoip-database and libgeoip1 installed.

 

Any way to get this working, or do these modules need to be part of the letsencrypt container?

Link to comment

GeoIP is an nginx module and is included in this image. You may have to enable it in the nginx config or site config; I'm not sure about that as I haven't used it myself.
Link to comment
3 hours ago, aptalca said:


Geoip is an nginx module and is included in this image. You may have to enable it in the nginx config or site config, that I'm not sure as I haven't used it myself

 

Hey, got it working! The problem was the location of the GeoIP.dat file. It defaulted to /usr/share/GeoIP/GeoIP.dat, so I created /config/geodata, changed the config, and manually downloaded the data.

Link to comment
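For readers who want to do the same, here is an added example (not code from the thread or from the linuxserver.io image) of the nginx directives that wire the legacy GeoIP database into a country allow-list, using the /config/geodata/GeoIP.dat location the poster chose. The module .so path, the log path and the country codes are assumptions.

```nginx
# Main context (top of /config/nginx/nginx.conf, outside http {}).
# "nginx -V" shows --with-http_geoip_module=dynamic, so the module has to be
# loaded explicitly if the image does not already do it; this path is the
# usual package location and is an assumption.
load_module /usr/lib/nginx/modules/ngx_http_geoip_module.so;

# http context.
# Legacy MaxMind country database, at the path the post above used.
geoip_country /config/geodata/GeoIP.dat;

# Allow-list of ISO 3166-1 alpha-2 codes. Addresses with no database match
# yield an empty code; private LAN ranges fall in that class, so the ""
# entry is what keeps https://<unraid-ip>/... usable from inside the house.
map $geoip_country_code $geo_allowed {
    default no;
    ""      yes;
    US      yes;
    CA      yes;
}

# Record the country so blocked attempts can be audited later (log path assumed).
log_format geo '$remote_addr [$geoip_country_code] "$request" $status "$http_user_agent"';
access_log /config/log/nginx/access.log geo;

# server context (the https server {} block in site-confs/default).
# 444 makes nginx close the connection without a response: the client gets
# no page, no error and no hint that a site exists. A bare "return" inside
# "if" at server level is one of the safe uses of "if".
if ($geo_allowed = no) {
    return 444;
}
```

Two caveats before relying on this. A country filter is coarse: VPN exits, stale databases and mobile carriers all misattribute, so treat it as noise reduction in front of the applications' own logins, not as authentication. And the legacy GeoIP.dat format shown here is no longer distributed by MaxMind (the GeoLite Legacy databases were discontinued in 2019); current data is GeoLite2, which needs the separate geoip2 module rather than the built-in one. In the flow described at the top of this thread certbot answers on port 443 itself while nginx is stopped, so the filter does not affect certificate validation; if validation is ever moved behind nginx (webroot), the `/.well-known/acme-challenge/` path must be exempted, because Let's Encrypt's validation requests may originate from countries on the deny side.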

I have this installed so that I can access certain dockers from a outside network. I was thinking it would be nice to use the reverse proxy for internal network access only. Is there an easy way have the outside and internal network separate from within this single docker or would it be best to install a separate nginx docker for internal only items?

Link to comment
43 minutes ago, archedraft said:

I have this installed so that I can access certain dockers from a outside network. I was thinking it would be nice to use the reverse proxy for internal network access only. Is there an easy way have the outside and internal network separate from within this single docker or would it be best to install a separate nginx docker for internal only items?

 

Well you can go to https://$UNRAID-IP/$application and it will work (as long as you're using 443:443) but the SSL won't be valid. Otherwise I can't see how you can get a valid cert for your internal network using LE.

Edited by CHBMB
Link to comment
Just now, CHBMB said:

 

Well you can go to https://$UNRAID-IP/$application and it will work (as long as you're using 443:443) but the SSL won't be valid. Otherwise I can't see how you can get a valid cert for your internal network using LE.

 

Yeah, the IP/app_name is what I am looking for. It wouldn't necessarily need to have a valid SSL as most of them are just HTTP currently. I just do not want to be able to access them through my external IP address.

Link to comment
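As an added example, not from the thread or from the linuxserver.io image, nginx's own `allow`/`deny` gives what archedraft asks for inside the single container: the application stays proxied, but only LAN source addresses reach it, whichever hostname or IP the request came in on. The LAN range and the backend address are assumptions; proxy.conf is the image's bundled header file that earlier posts include.

```nginx
# Inside the https server {} block in /config/nginx/site-confs/default.
# The same location answers https://<unraid-ip>/app/ and https://mydomain/app/;
# the only thing that separates an internal client from an external one is
# its source address, so that is what to filter on. Rules are checked in
# order and the first match wins.
location /app/ {
    allow 192.168.1.0/24;                   # assumed LAN range; adjust to yours
    deny  all;                              # everyone else gets 403 before any proxying
    include /config/nginx/proxy.conf;       # image's proxy header settings
    proxy_pass http://192.168.1.50:8080/;   # assumed backend
}
```

Before relying on this, send one request from the LAN and one from outside (a phone on mobile data will do) and read the access log. The outside request must show the real public client address and be logged as 403; if instead every request shows the Docker bridge gateway (typically 172.17.0.1) as the client, the port mapping is being serviced by Docker's userland proxy and the real source address is lost before nginx sees it, so `allow`/`deny` cannot tell the two apart on that path and a host-networked or separate internal-only nginx instance is the fallback. The certificate warning CHBMB mentions is independent of this: from the LAN by IP the Let's Encrypt certificate still fails the hostname check, and the usual fix is to point the LAN's DNS (or a hosts entry) for the real domain name at the Unraid IP so internal clients use the name the certificate was issued for.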

I am getting this error when trying to connect from outside my home network: NET:ERR_CERT_AUTHORITY_INVALID, but it works fine within my network. I am using HSTS. Nothing has changed from a configuration standpoint to cause this. However, we did just have AT&T out here to install U-verse the other day and they were messing with the gateway. Does this behavior sound like an issue with LetsEncrypt or the gateway/router settings?

 

EDIT:

Think I found the issue. I hate AT&T. Apparently if you use wireless set top boxes they require port 443 and you cannot change that. Ridiculous.

https://forums.att.com/t5/AT-T-Internet-Features/Forwarding-port-443-for-WHS-conflict-with-connectToCiscoAP/td-p/3365983

Edited by johnsanc
Link to comment

Wow, that is pretty ridiculous. Can you bypass it and use your own router? That's what I did with Verizon. I turned my Verizon modem into a simple bridge and my router behind it gets the DHCP lease directly from Verizon.
Link to comment

I installed this docker last night and got the following errors.  It mentions www.dlink.com but I don't run dlink routers.  I do have some dlink webcams that are exposed to the intraweb via the dlink myhome software but there is no port forwarding of 443 required for that.  I'm wondering if letsencrypt is hanging onto a previous cert tied to the IP my domain has at the moment.

 

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
2048 bit DH parameters present
SUBDOMAINS entered, processing
Sub-domains processed are: -d www.<mydomain>
Generating new certificate
WARNING: The standalone specific supported challenges flag is deprecated.

Please use the --preferred-challenges flag instead.
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Starting new HTTPS connection (1): acme-v01.api.letsencrypt.org
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for www.dlink.com
tls-sni-01 challenge for <mydomain>
/usr/lib/python2.7/site-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
result_code = _lib.RAND_bytes(result_buffer, num_bytes)
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. <mydomain> (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested aec5e3e7f34dde8c7cce57e6d1771dc1.81ab33f90fa1bed9df091e4aa8ed108d.acme.invalid from <myip>:443. Received 1 certificate(s), first certificate had names "www.dlink.com", <mydomain> (tls-sni-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Incorrect validation certificate for tls-sni-01 challenge. Requested 8fffff13a46234f55f4bdcdb7b5e7b07.19a22a976cb3972071f41176337ae159.acme.invalid from <myip>:443. Received 1 certificate(s), first certificate had names "www.dlink.com"

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: <mydomain>
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
aec5e3e7f34dde8c7cce57e6d1771dc1.81ab33f90fa1bed9df091e4aa8ed108d.acme.invalid
from <myip>:443. Received 1 certificate(s), first
certificate had names "www.dlink.com"

Domain: <mydomain>
Type: unauthorized
Detail: Incorrect validation certificate for tls-sni-01 challenge.
Requested
8fffff13a46234f55f4bdcdb7b5e7b07.19a22a976cb3972071f41176337ae159.acme.invalid
from <myip>:443. Received 1 certificate(s), first
certificate had names "www.dlink.com"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A record(s) for that domain
contain(s) the right IP address.
/var/run/s6/etc/cont-init.d/50-config: line 108: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
Link to comment
