[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Thanks. I had read through it and tried to follow it.

 

I have no clue what is occupying port 444. I assume from this thread that 443 is taken by Unraid. I can see in the docker settings what other dockers are using, but port 444 is not among them. Is there some other software or plugin for Unraid that can tell me what ports are being used by what?

 

I have signed up for duckdns and included all respective information (following the how-to). Duckdns is running. Not sure what I am missing within Letsencrypt though?

Link to comment
1 hour ago, steve1977 said:

Thanks. I had read through it and tried to follow it.

 

I have no clue what is occupying port 444. I assume from this thread that 443 is taken by Unraid. I can see in the docker settings what other dockers are using, but port 444 is not among them. Is there some other software or plugin for Unraid that can tell me what ports are being used by what?

 

I have signed up for duckdns and included all respective information (following the how-to). Duckdns is running. Not sure what I am missing within Letsencrypt though?

 

You're missing the port forwarding on your router as sparklyballs wrote above. 

 

Validation requests from letsencrypt come to your router, but they need to be forwarded to your unraid's ip and the port you selected for letsencrypt

Link to comment

Hi Guys,

 

New to unraid and letsencrypt, can't seem to figure out what I am doing wrong.

I am forwarding ports 80 and 443 from the router to my unraid box

My domain is registered with namecheap

I have replaced my domain with FooDomain in the log

It certainly seems to have created certificates

The log says - Saving debug log to /var/log/letsencrypt/letsencrypt.log - but there is no log there

 

What can I do to debug it? Can I turn on extra logging? 

 

Here is the container log. Any help would be amazing!

 

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ _ _
| |___| (_) ___
| / __| | |/ _ \
| \__ \ | | (_) |
|_|___/ |_|\___/
|_|

Brought to you by linuxserver.io
We gratefully accept donations at:
https://www.linuxserver.io/donations/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
generating self-signed keys in /config/keys, you can replace these with your own keys if required
Generating a 2048 bit RSA private key
....................................................................................................+++

+
writing new private key to '/config/keys/cert.key'
-----
Subject Attribute /C has no known NID, skipped
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Creating DH parameters for additional security. This may take a very long time. There will be another message once this process is completed
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
..............................
DH parameters successfully created - 2048 bits
SUBDOMAINS entered, processing
Sub-domains processed are: -d unraid.FooDomain.com
E-mail address entered: [email protected]
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Obtaining a new certificate
Performing the following challenges:
tls-sni-01 challenge for FooDomain.com
tls-sni-01 challenge for unraid.FooDomain.com
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at
/etc/letsencrypt/live/FooDomain.com/fullchain.pem. Your cert will
expire on 2018-02-27. To obtain a new or tweaked version of this

certificate in the future, simply run certbot again. To
non-interactively renew *all* of your certificates, run "certbot


- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory
[cont-init.d] 50-config: exited 1.
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.
 

Link to comment
On 11/25/2017 at 7:33 AM, steve1977 said:

Why is 445 "working", but 444 not.

 

It is not really safe to randomly pick ports under 1023, as they are often already in use. Here is a list of known ports:
https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
You'll want to avoid reusing anything with an "official" IANA status.

 

Good alternatives for port 443 are 2443 and 8443, as those are available and easy to remember.

Link to comment
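Two of the posts above touch the same question: steve1977 asks how to tell which software on the Unraid host owns port 444, and the reply about port numbers advises steering clear of anything already in use. An added example (not from the thread or the linuxserver image) that answers the first question on any Linux host: it parses `ss -ltnp` output and reports the process behind a port. The sample listener table is constructed, and the process names and PIDs in it are made up; run the script with `--live PORT` on the Unraid host itself (not inside a container, and as root so the process column is filled in) to query the real socket table.

```shell
#!/bin/sh
# Added example: find which process is listening on a given TCP port.
# Reads `ss -ltnp` output on stdin so it works both against a saved capture
# and against the live host.

# port_owner PORT  -- print "local-address process" for every listener on PORT.
# Exit status 0 if at least one listener was found, 1 otherwise.
port_owner() {
  awk -v p="$1" '
    $1 == "LISTEN" {
      # Local address is column 4: "0.0.0.0:443", "*:445" or "[::]:22".
      # The port is whatever follows the last colon.
      n = split($4, a, ":")
      if (a[n] == p) {
        proc = ($6 != "") ? $6 : "(process hidden: rerun as root)"
        print $4, proc
        found = 1
      }
    }
    END { exit found ? 0 : 1 }'
}

# Constructed sample in `ss -ltnp` layout (NOT real output from the thread):
# a web UI on 443, Samba on 445, sshd on 22, and nothing on 444.
SAMPLE_SS='State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("nginx",pid=1234,fd=6))
LISTEN 0 50 *:445 *:* users:(("smbd",pid=2222,fd=30))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=999,fd=3))'

# sample_owner PORT -- run port_owner against the constructed sample
sample_owner() {
  printf '%s\n' "$SAMPLE_SS" | port_owner "$1"
}

# Live use on the host:  ./port_owner.sh --live 444
if [ "${1:-}" = "--live" ]; then
  ss -ltnp | port_owner "$2"
fi
```

A port that returns nothing from this check but still fails to bind from a container is usually held by something on a different network namespace or by the Unraid web server itself; in that case check the Unraid management port settings before moving the container to a free high port such as 2443 or 8443.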
14 hours ago, Unthred said:

Hi Guys,

 

New to unraid and letsencrypt, can't seem to figure out what I am doing wrong.

I am forwarding ports 80 and 443 from the router to my unraid box

My domain is registered with namecheap

I have replaced my domain with FooDomain in the log

It certainly seems to have created certificates

The log says - Saving debug log to /var/log/letsencrypt/letsencrypt.log - but there is no log there

 

What can I do to debug it? Can I turn on extra logging?

Most likely a mapping issue. What settings did you use? Where is your config folder stored?

Link to comment
3 hours ago, aptalca said:

 

Most likely a mapping issue. What settings did you use? Where is your config folder stored?

 

Thanks for the prompt response 

Settings I used were pretty much the default as follows

 

http: - Port 80

https: Port 443

email: [email protected]

Domain Name: FooDomain.com

subdomains: unraid,

Only Subdomains: false

Diffie Hellman: 2048

AppData Config Path: /mnt/user/appdata/letsencrypt

 

 

After installing the docker I have this file structure in /mnt/user/appdata/letsencrypt

drwxr-xr-x 1 root   root    8 Nov 29 12:24 crontabs
drwxr-xr-x 1 root   root   22 Nov 29 12:24 etc
drwxr-xr-x 1 root   root   52 Nov 29 12:24 fail2ban
drwxr-xr-x 1 nobody users  54 Nov 29 12:24 keys
drwxr-xr-x 1 nobody users  54 Nov 29 12:24 log
drwxrwxr-x 1 nobody users  84 Nov 29 12:24 nginx
drwxrwxr-x 1 nobody users  20 Nov 29 12:24 www
-rw-r--r-- 1 root   root  118 Nov 29 12:24 donoteditthisfile.conf
 

the logs dir contains 

drwxr-xr-x 1 root   root    0 Nov 29 12:24 fail2ban
drwxr-xr-x 1 root   root    0 Nov 29 12:24 letsencrypt
drwxr-xr-x 1 nobody users   0 Nov 29 12:24 nginx
drwxr-xr-x 1 nobody users   0 Nov 29 12:24 php
 

but nothing in any of these directories. Without logs I am struggling to work out what is wrong.

 

Is there anything I can do to increase the logging?

 

Thanks

Link to comment
6 hours ago, Unthred said:

 

Thanks for the prompt response 

Settings I used were pretty much the default as follows

 

http: - Port 80

https: Port 443

email: [email protected]

Domain Name: FooDomain.com

subdomains: unraid,

Only Subdomains: false

Diffie Hellman: 2048

AppData Config Path: /mnt/user/appdata/letsencrypt

 

 


Try changing the config path to /mnt/cache or /mnt/disk

Link to comment
1 hour ago, aptalca said:

 

Try changing the config path to /mnt/cache or /mnt/disk

Tried changing it to /mnt/cache/appdata/letsencrypt still the same error

 

So there is a symlink of letsencrypt in the dir it's complaining about that does not go anywhere

letsencrypt -> ../etc/letsencrypt/live/FooDomain

 

the live dir is where it fails as it does not exist. Do you know what is trying to create that dir?

 

Oh, also I don't have a /mnt/disk.... I have /mnt/disk1 and /mnt/disk2. Does that mean I have messed up somehow when installing unraid? This is my first play with it as an evaluation to buying it if it all goes well..... so far this is the only real issue I am having.

 

Thanks

Link to comment
3 hours ago, Unthred said:

Tried changing it to /mnt/cache/appdata/letsencrypt still the same error

 

So there is a symlink of letsencrypt in the dir it's complaining about that does not go anywhere

letsencrypt -> ../etc/letsencrypt/live/FooDomain

 

the live dir is where it fails as it does not exist. Do you know what is trying to create that dir?

 

Oh, also I don't have a /mnt/disk.... I have /mnt/disk1 and /mnt/disk2. Does that mean I have messed up somehow when installing unraid? This is my first play with it as an evaluation to buying it if it all goes well..... so far this is the only real issue I am having.

 

Thanks

 

Does your domain name contain any weird characters? You can pm me if you don't want to post it publicly. 

 

I think a user had a similar issue that stemmed from the domain name being different (can't remember exactly how)  that broke the scripts that create the folders 

Link to comment
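The container log earlier in the thread shows certbot writing to `/etc/letsencrypt/live/FooDomain.com/`, while the symlink Unthred found points at `../etc/letsencrypt/live/FooDomain`; the `cd: /config/keys/letsencrypt: No such file or directory` failure is what a dangling link of that kind looks like to the 50-config script. An added example (not from the thread or the linuxserver image) that checks exactly this: it resolves the link relative to the appdata directory and, when the target is missing, lists what certbot actually created under `live/`. The `build_sample` helper only constructs a throwaway directory tree mirroring the layout posted above so the check can be exercised offline; on Unraid you would call `check_cert_link /mnt/user/appdata/letsencrypt` directly.

```shell
#!/bin/sh
# Added example: verify that /config/keys/letsencrypt points at a directory
# certbot actually created.  The link is relative (../etc/letsencrypt/live/<name>),
# so any mismatch between <name> and the real directory under live/ leaves the
# link dangling and the container's init script fails on `cd`.

# check_cert_link CONFIG_DIR
#   0 = link resolves to a directory, 1 = link dangles, 2 = no link at all.
check_cert_link() {
  cfg="$1"
  link="$cfg/keys/letsencrypt"
  if [ ! -L "$link" ]; then
    echo "no symlink at $link"
    return 2
  fi
  target=$(readlink "$link")
  case "$target" in
    /*) resolved="$target" ;;              # absolute link
    *)  resolved="$cfg/keys/$target" ;;    # relative to the link's own directory
  esac
  if [ -d "$resolved" ]; then
    echo "OK: $link -> $target"
    return 0
  fi
  echo "DANGLING: $link -> $target"
  echo "directories certbot created under $cfg/etc/letsencrypt/live:"
  ls "$cfg/etc/letsencrypt/live" 2>/dev/null || echo "  (none)"
  return 1
}

# build_sample NAME_IN_LINK NAME_CERTBOT_WROTE
#   Constructed layout in a temp dir mirroring the appdata tree from the thread
#   (keys/letsencrypt link plus etc/letsencrypt/live/<name>); prints the path.
build_sample() {
  t=$(mktemp -d)
  mkdir -p "$t/keys" "$t/etc/letsencrypt/live/$2"
  ln -s "../etc/letsencrypt/live/$1" "$t/keys/letsencrypt"
  echo "$t"
}

# Usage on Unraid:  check_cert_link /mnt/user/appdata/letsencrypt
```

When the check reports DANGLING, compare the two names it prints character by character; a stray suffix, a trailing comma in the subdomain list, or mixed case in the domain field is enough to produce two different directory names. Do not "fix" it by hand-creating the missing directory: the private key and chain live in the directory certbot wrote, and the link should point there.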

I'm currently trying to get lychee working in this docker underneath the www folder and I get "Server error: API not found". Lychee has no issues in apache when accessed locally, but for some reason lychee doesn't want to work correctly when passed over from nginx to apache OR when just using the www folder in letsencrypt. This stuff is literally drag and drop into a www folder and it should work.

 

As for the unraid UI, it seems to completely strip EVERYTHING but some text leaving the page bare and white with some text in one column.

 

Whenever I try to access index.php it just downloads the php file instead of running it.

 

Is there something wrong with this docker when it comes to php? Logs to docker look clean. No errors in log files. whats happening here?

 

Link to comment
I'm currently trying to get lychee working in this docker underneath the www folder and I get "Server error: API not found". Lychee has no issues in apache when accessed locally, but for some reason lychee doesn't want to work correctly when passed over from nginx to apache OR when just using the www folder in letsencrypt. This stuff is literally drag and drop into a www folder and it should work.
 
As for the unraid UI, it seems to completely strip EVERYTHING but some text leaving the page bare and white with some text in one column.
 
Whenever I try to access index.php it just downloads the php file instead of running it.
 
Is there something wrong with this docker when it comes to php? Logs to docker look clean. No errors in log files. whats happening here?
 
Impossible to say without you posting any config files.

Wouldn't recommend reverse proxying your Unraid webui either.

I have lychee working on its own subdomain photos.server.com without any issues.


Link to comment
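Two symptoms in the post above have a common cause worth checking before anything else: a request for index.php that downloads the file, and a PHP application that reports its API as missing, both happen when the nginx server block has no `location` that hands `.php` requests to php-fpm, so nginx serves the script source as a static file. An added example, not the thread's or the linuxserver image's own configuration, of a server block that serves a PHP application such as lychee from its own subdomain, which is the layout the reply says works. Assumptions are labelled in the comments: the hostname reuses the `photos.server.com` placeholder from the reply, the application is assumed to live in `/config/www/lychee`, php-fpm is assumed to listen on `127.0.0.1:9000` inside the container, and the certificate is read through the `/config/keys/letsencrypt` link. The Unraid web UI is deliberately not proxied, in line with the advice above.

```nginx
# Added example: one server block for a PHP app on its own subdomain.
# Paths, hostname and the php-fpm address are assumptions, not values from
# the thread; adjust them to your install.
server {
    listen 443 ssl;
    server_name photos.server.com;   # placeholder from the reply above

    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    root  /config/www/lychee;        # assumed application directory
    index index.php index.html;

    # Never serve dotfiles (.git, .htaccess, .env) even if they were uploaded.
    location ~ /\. { deny all; }

    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Without a block like this nginx treats .php as a static file and the
    # browser downloads the source, which is the symptom described above.
    location ~ \.php$ {
        # Refuse to execute anything that is not an existing file; this closes
        # the classic "/upload.jpg/x.php" path-info trick.
        try_files $uri =404;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_pass 127.0.0.1:9000;  # assumed php-fpm address in the container
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

After editing, run `nginx -t` inside the container before restarting it, then request `/index.php` with `curl -I`: a `Content-Type: text/html` response means php-fpm handled it, while `application/octet-stream` means the `.php` location is still not matching.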

I've tried getting unifi passed through (has trouble loading), homeassist (has trouble loading), qbittorrent (502 bad gateway), lychee on apache (loads really big icons on white background out of order), lychee in the www folder (Server error: API not found), and unraid has the same issue as if I were handing off to lychee on apache with all white background, some text, but no actual website.

 

I'll be honest, I've never even used nginx before this docker. Any assistance would be extremely helpful.

 

proxy.conf

default

Link to comment

I would appreciate some assistance setting this webserver up to host just a website.  I don't need to access any dockers at this time.

 

I am new to website hosting.  I have setup the duckdns docker and have registered with the site.  I have put my html files on a separate share in unraid.

 

It seems I was able to get a key from letsencrypt.

 

Which file do I edit, default, to get the server to publish the site?

 

 

Link to comment
6 minutes ago, alturismo said:

Hi, as I'm testing this to change from Apache to letsencrypt I start with a question ;)

 

WebDAV: if I see this correctly it is built with the regular WebDAV, where OPTIONS and PROPFIND are missing ...

 

https://github.com/arut/nginx-dav-ext-module

 

Any chance to add that module in some way into this container for me?

 

Not likely as it stands currently, as that requires compiling nginx, adding that module at the configure stage, and we use the apk package manager version of nginx.

Link to comment
On 12/4/2017 at 8:34 AM, Darksurf said:

I've tried getting unifi passed through (has trouble loading), homeassist (has trouble loading), qbittorrent (502 bad gateway), lychee on apache (loads really big icons on white background out of order), lychee in the www folder (Server error: API not found), and unraid has the same issue as if I were handing off to lychee on apache with all white background, some text, but no actual website.

 

I'll be honest, I've never even used nginx before this docker. Any assistance would be extremely helpful.

 

proxy.conf

default

 

If I were to post screenshots of what I'm seeing, would that help people diagnose my issue and give me some feedback?

 

Link to comment
