GilbN Posted December 6, 2017 (edited)

> 4 hours ago, Darksurf said:
> If I were to post screenshots of what I'm seeing, would that help people diagnose my issue and give me some feedback?

Unifi is much easier to do with subdomain. https://gist.github.com/vidia/fbef2ee643b23848d8b24211d5860b78

homeassistant: https://home-assistant.io/docs/ecosystem/nginx_subdomain/ https://home-assistant.io/docs/ecosystem/nginx/

qbit: https://github.com/qbittorrent/qBittorrent/wiki/NGINX-Reverse-Proxy-for-Web-UI

just add proxy_pass http://ip:port

Also: Do not reverse proxy the unraid gui. Use a vpn instead. https://www.youtube.com/watch?v=I58LTMKyeYw

Edited December 6, 2017 by GilbN

Darksurf Posted December 6, 2017

> 1 hour ago, GilbN said:
> Unifi is much easier to do with subdomain. https://gist.github.com/vidia/fbef2ee643b23848d8b24211d5860b78
> homeassistant: https://home-assistant.io/docs/ecosystem/nginx_subdomain/
> qbit: https://github.com/qbittorrent/qBittorrent/wiki/NGINX-Reverse-Proxy-for-Web-UI
> just add proxy_pass http://ip:port
> Also: Do not reverse proxy the unraid gui. Use a vpn instead. https://www.youtube.com/watch?v=I58LTMKyeYw

thanks, I'll give these a try. I actually don't plan to use unraid GUI through forwarding, I was just using it to make a point to show what I was seeing with Lychee where the page isn't rendering properly. I already access unraid GUI through SSH tunnel as a safety measure.

CHBMB Posted December 6, 2017

> 1 hour ago, Darksurf said:
> thanks, I'll give these a try. I actually don't plan to use unraid GUI through forwarding, I was just using it to make a point to show what I was seeing with Lychee where the page isn't rendering properly. I already access unraid GUI through SSH tunnel as a safety measure.

There's no "one size fits all" for reverse proxying stuff, if a page isn't rendered properly, it's because it isn't configured properly. That may be on the LE container side, it could be on the Lychee side, sometimes you need to alter the configs for both to get stuff working.

This is a Lychee config that works with photos.server.com

    server {
        listen 80;
        server_name photos.server.com;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name photos.server.com;

        location ^~ / {
            proxy_pass http://192.168.0.1:83/;
            include /config/nginx/proxy.conf;
        }
    }

FreeMan Posted December 7, 2017

> On 10/9/2017 at 6:09 PM, FreeMan said:
> I'm getting very slow response times from my LE/NGINX server. Slow to the point that it times out.
> I have shows.mydomain.ddns.us pointed at my binhex-libresonic docker on port 4040. That times out before I ever get the NGINX login. However, when I reopen port 4040 at the router and direct it to my server, I get near instant access to my music/video library on my phone with WiFi turned off (i.e., ensuring I'm accessing externally) or with the phone on WiFi. Therefore I believe that it's an issue with the LE/N container, not with my internet connection in general (though Comcrap has been less than reliable the last couple of weeks), my internal network, or the server itself.
> I have it working (some installation issues were resolved around pages 30-32ish), and I've accessed it via my phone and my computer at work, however, it's always been sluggish.
> I'm not sure what you might need for diagnosis, so I'm attaching Diagnostics, let me know what else might be needed for troubleshooting.
> nas-diagnostics-20171009-1808.zip

Turns out I'm a complete and utter nimnod.

When it says "Dynamic IP Address" on the tin, that means the IP address within can change. It seems that my IP changed between when I initially got this setup and working and when I started trying to use it. Like within that 12ish hour window.

I'm using ChangeIP.com for my DDNS, and I've got their "Homing Beacon" running. It did a fine job of changing the "@" record, but all my subdomains remained on the IP I'd originally set them to. I just found the docs that explain how to maintain all the host names, so I think I should be good to go from here.

CHBMB Posted December 7, 2017

> 14 hours ago, FreeMan said:
> Turns out I'm a complete and utter nimnod.

Love the word nimnod, going to add that to my repertoire! lol

FreeMan Posted December 7, 2017

> Love the word nimnod, going to add that to my repertoire! lol

You're welcome and please feel free. Only 0.29¢ (US) per use royalty fee.

Sent from Tapatalk

Bisu Posted December 7, 2017

Hello,

I'm a new Unraid user, two or so odd weeks in. I did a lot of research into LetsEncrypt and setting up a Reverse Proxy via this guide here, by Cyan Labs.

I was wondering for the life of me on how to get it to work with subdomains instead of a folder-like structure ReverseProxy.

Example:

It's set like this at the moment: https://domain.tld/plex

I want it set up like this: https://plex.domain.tld/

It has been driving me nuts these past few days and I am unable to modify the default in the config to reflect the subdomain. Can anyone please assist?

FreeMan Posted December 8, 2017

@Bisu - there are lots of examples throughout this thread of doing so. You'll need to modify the configuration files within \\tower\appdata\letsencrypt\nginx\site-confs (that's the Windows relative path there, not from the server). You can put it in the "default" config file, or, what I've done is to make a config file for each subdomain that contains these lines:

    # sample reverse proxy config without url base, but as a subdomain "cp", ip and port same as above
    # notice this is a new server block, you need a new server block for each subdomain
    server {
        listen 443 ssl;

        root /config/www;
        index index.html index.htm index.php;

        server_name books.*;

        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;

        client_max_body_size 0;

        location / {
            auth_basic "Restricted";
            auth_basic_user_file /config/nginx/.htpasswd;
            include /config/nginx/proxy.conf;
            proxy_pass http://192.168.1.5:8092/;
        }
    }

I copied that from "default" and modified. You'd change "books" to "plex" near the top and change the IP address and port down there at the bottom. Should work.

If not, search this thread for "plex" - I'm pretty sure I've seen a lot of people asking about it.

aptalca Posted December 8, 2017

> 9 hours ago, Bisu said:
> Hello,
> I'm a new Unraid user, two or so odd weeks in. I did a lot of research into LetsEncrypt and setting up a Reverse Proxy via this guide here, by Cyan Labs.
> I was wondering for the life of me on how to get it to work with subdomains instead of a folder-like structure ReverseProxy.
> Example:
> It's set like this at the moment: https://domain.tld/plex
> I want it set up like this: https://plex.domain.tld/
> It has been driving me nuts these past few days and I am unable to modify the default in the config to reflect the subdomain. Can anyone please assist?

There is an example for that in the default site config

puncho Posted December 12, 2017

I think I was able to finally figure out how to install nextcloud. However, when I try to access it from my chrome, I get this error message. Any ideas?:

> xxx.duckdns.org normally uses encryption to protect your information. When Google Chrome tried to connect to xxx.duckdns.org this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be xxx.duckdns.org, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Google Chrome stopped the connection before any data was exchanged.
> You cannot visit xxx.duckdns.org right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

blurb2m Posted December 15, 2017 (edited)

> On 12/9/2016 at 3:01 PM, CHBMB said:
> Let's look at the above as an example.
>
>     location ^~ /plexpy/
>
> Tells the webserver that this will be located at the server.com/plexpy address
>
>     proxy_pass http://192.168.1.28:8181;
>     include /config/nginx/proxy.conf;
>
> Tells nginx where to find the plexpy app and to use the proxy settings in the proxy.conf file
>
>     proxy_bind $server_addr;
>     proxy_set_header X-Forwarded-Host $server_name;
>     proxy_set_header X-Forwarded-Ssl on;
>
> Tells plexpy to use some extra settings necessary to get this working. Don't worry about these, app specific settings can often be found with a bit of googling though.
>
>     auth_basic "Restricted";
>     auth_basic_user_file /config/.htpasswd;
>
> Now to add password protection, you need to add the above lines to that config but you also need to create a .htpasswd file. There are instructions here in the readme or if you prefer you can use an online tool like this one.
>
> Copying the last line of
>
>     chbmb:osQXeEdll4XFk
>
> to a file called .htpasswd and placing it in the /config folder (/mnt/user/appdata/nginx or something similar)
>
> Note whatever text editor you use (NOT NOTEPAD ON WINDOWS) must use linux line endings.
>
> If you want to use multiple users then just add a new line for each user. So the linuxserver .htpasswd may end up looking like this.
>
>     username:hashedpassword
>
> Obviously this example below doesn't have real hashed passwords in...
>
>     aptalca:weneedatokenyank
>     asshopo:notanotheryankwhokeepswaving
>     chbmb:theonlysaneone
>     danioj:britabroaddownunder
>     ironicbadger:gladbadgerbaitingisillegal
>     j0nnymoe:toocoolforschool
>     kode:phpninjamaster
>     saarg:tokenswedishguy
>     smdion:wethinkhesstillalivebutnotreallysure
>     sparklyballs:grumpyoldman
>     stark:anyexcusetowearleather
>     squid:yumyumcouldbedinner
>     xe:themannoonereallyknowsexists
>     stark:anyexcusetowearleather
>
> So final "block" looks like this:
>
>     location ^~ /plexpy/ {
>         proxy_pass http://192.168.1.28:8181;
>         include /config/nginx/proxy.conf;
>         proxy_bind $server_addr;
>         proxy_set_header X-Forwarded-Host $server_name;
>         proxy_set_header X-Forwarded-Ssl on;
>         auth_basic "Restricted";
>         auth_basic_user_file /config/.htpasswd;
>     }
>
> No, you'd place .htpasswd in the /config folder. As shown in the example above.
>
> Yes it is, has more functionality, so is more complicated, essentially it's a pretty much fully blown webserver, rather than a single app that runs on a webserver.
>
> That's achievable and what this docker is designed for. Once you've done one or two apps, it kind of clicks. However you've got the above bit a little wrong. The whole point of this is so you DON'T open a ton of ports on your router. Just 80 & 443 both forwarded to your Unraid box. Then all communication with any app is proxied through the nginx container. The config out of the box will automatically forward all port 80 requests to 443, so all communication actually takes place over https and is encrypted. Now go and close those ports again!
>
> It's difficult to point at one single resource. We're working on something to try and make this a bit easier but, don't worry, we'll get you going. Just bear with it.

I tried the above for plexpy

    location ^~ /plexpy {
        proxy_pass http://192.168.99.224:8181/plexpy;
        include /config/nginx/proxy.conf;
        proxy_bind $server_addr;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Ssl on;
        auth_basic "Restricted";
        auth_basic_user_file /config/.htpasswd;
    }

Without the auth_basic it works and I can get in with plexpy login, but with the auth_basic in there I get a pop up for u/pw. I put in my username and password from my .htaccess file which is stored in /config/ directory but it takes me to a 403 Forbidden page.

Thoughts? My .htaccess file only has username:hashedpw, does it need to have the other stuff in there as well?

*Edit: ran

    docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd <username>

to generate the .htaccess file and it works now.

Edited December 15, 2017 by blurb2m: fixed

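A check for the .htpasswd pitfalls raised in the post above (Windows line endings, lines that are not username:hashedpassword, a user listed twice, values that are not hashes), as an added example that is not from any poster or from the linuxserver container. The function names, finding codes and the apr1 dummy entry are assumptions made for this example; hash schemes are recognised by shape only, following the formats Apache's htpasswd tool writes.

```python
import re

# Shapes of the hash formats Apache's htpasswd tool writes. The last flag
# marks schemes considered weak: {SHA} is unsalted SHA-1 and traditional
# DES crypt only uses the first 8 characters of the password.
SCHEMES = [
    ("bcrypt", re.compile(r"\$2[aby]\$\d\d\$[./A-Za-z0-9]{53}"), False),
    ("apr1-md5", re.compile(r"\$apr1\$[./A-Za-z0-9]{1,8}\$[./A-Za-z0-9]{22}"), False),
    ("sha1", re.compile(r"\{SHA\}[A-Za-z0-9+/]{27}="), True),
    ("des-crypt", re.compile(r"[./A-Za-z0-9]{13}"), True),
]


def classify(hashed):
    """Return (scheme_name, is_weak), or (None, False) if no shape matches."""
    for name, pattern, weak in SCHEMES:
        if pattern.fullmatch(hashed):
            return name, weak
    return None, False


def lint_htpasswd(data):
    """Check raw .htpasswd bytes; return a list of (line_no, code, detail)."""
    findings = []
    first_seen = {}
    for n, raw in enumerate(data.decode("utf-8", "replace").split("\n"), 1):
        if raw.endswith("\r"):
            findings.append((n, "crlf", "Windows line ending; save with LF"))
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Fields are user:hash with an optional third comment field.
        fields = line.split(":")
        if len(fields) < 2 or not fields[0] or not fields[1]:
            findings.append((n, "format", "expected username:hashedpassword"))
            continue
        user, hashed = fields[0], fields[1]
        if user in first_seen:
            findings.append((n, "duplicate", f"{user} already on line {first_seen[user]}"))
        else:
            first_seen[user] = n
        scheme, weak = classify(hashed)
        if scheme is None:
            findings.append((n, "unknown-hash", f"{user}: not a recognised hash shape"))
        elif weak:
            findings.append((n, "weak-hash", f"{user}: {scheme}"))
    return findings


# Constructed sample: the chbmb value and the repeated stark placeholder are
# copied from the thread; the apr1 entry is a shape-only dummy, not a real hash.
SAMPLE = (
    b"chbmb:osQXeEdll4XFk\r\n"
    b"alice:$apr1$saltsalt$" + b"A" * 22 + b"\n"
    b"stark:anyexcusetowearleather\n"
    b"stark:anyexcusetowearleather\n"
    b"bob\n"
)

if __name__ == "__main__":
    for line_no, code, detail in lint_htpasswd(SAMPLE):
        print(f"line {line_no}: {code}: {detail}")
```

To check a real file, pass its bytes, for example `lint_htpasswd(open(path, "rb").read())`, with `path` set to the file named in `auth_basic_user_file`.
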
goodGame Posted December 15, 2017 (edited)

Looking for some help here, running this container successfully except for one thing. Proxy works flawlessly for any locations but one, plex. As soon as I setup the /web location in nginx the url to plex redirects without the port added. If my plex is on http://192.168.1.10:32400/web it redirects to http://192.68.1.10/web/index.html asking for my unraid login prompt, if I enter the unraid credentials I get a 404. Any other location works as intended to the designated port.

I've been sitting hours and hours trying to find the error, I've tried multiple different configs, at the moment I'm running a complete default LE container install (reinstalled LE container from scratch, deleting all config files before new install), with only two locations added to the default file as following:

    location /web {
        proxy_pass http://192.168.1.10:32400;
        include /config/nginx/proxy.conf;
    }

    location /radarr {
        proxy_pass http://192.168.1.10:7878;
        include /config/nginx/proxy.conf;
    }

All other nginx configs are currently as default.

Radarr works as intended. Plex does not, I get redirected to http://192.68.1.10/web/index.html

There's no caching issue, I'm trying 3 different browsers and clearing everything. Connecting to plex directly works fine, no issues. I've tried using different ports for the LE container, no difference. I'm using unraid 6.3.5 so no ssl on unraid.

What is going on? It's as if it refuses to redirect to port 32400. I don't understand.

Edited December 15, 2017 by Andreen

local.bin Posted December 15, 2017

> On 07/11/2017 at 9:30 PM, GilbN said:
> I'm having some trouble with this. Anyone know what's wrong?

You need to go back and make the other changes I mentioned, as what you quoted was not what I posted.

Changing the action will stop it trying to send the mail from localhost:

Edit jail.local and add the following to the nextcloud or other jail;

    mta = sendmail
    action = sendmail-whois[name=nextcloud, dest=<destination email address>]

Copy ..action.d/sendmail-whois.conf to sendmail-whois.local and then edit the last line of the action, changing the sendmail command line part;

    Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -au<from email account name> -ap<account password> <dest>

GilbN Posted December 15, 2017 (edited)

> 8 hours ago, Andreen said:
> Looking for some help here, running this container successfully except for one thing. Proxy works flawlessly for any locations but one, plex. As soon as I setup the /web location in nginx the url to plex redirects without the port added. If my plex is on http://192.168.1.10:32400/web it redirects to http://192.68.1.10/web/index.html asking for my unraid login prompt, if I enter the unraid credentials I get a 404. Any other location works as intended to the designated port.
> I've been sitting hours and hours trying to find the error, I've tried multiple different configs, at the moment I'm running a complete default LE container install (reinstalled LE container from scratch, deleting all config files before new install), with only two locations added to the default file as following:
>
>     location /web {
>         proxy_pass http://192.168.1.10:32400;
>         include /config/nginx/proxy.conf;
>     }
>
>     location /radarr {
>         proxy_pass http://192.168.1.10:7878;
>         include /config/nginx/proxy.conf;
>     }
>
> All other nginx configs are currently as default.
> Radarr works as intended. Plex does not, I get redirected to http://192.68.1.10/web/index.html
> There's no caching issue, I'm trying 3 different browsers and clearing everything. Connecting to plex directly works fine, no issues. I've tried using different ports for the LE container, no difference. I'm using unraid 6.3.5 so no ssl on unraid.
> What is going on? It's as if it refuses to redirect to port 32400. I don't understand.

I use this for plex:

    # PLEX SUB DIR
    location /plex/ {
        proxy_pass http://192.168.1.34:32400/;
        include /config/nginx/SSO.conf;
    }

    if ($http_referer ~* /plex/) {
        rewrite ^/web/(.*) /plex/web/$1? redirect;
    }

SSO.conf

    client_max_body_size 10m;
    client_body_buffer_size 128k;
    proxy_bind $server_addr;
    proxy_buffers 32 4k;

    #Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # Advanced Proxy Config
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
    proxy_hide_header X-Frame-Options;

    # Basic Proxy Config
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_no_cache $cookie_session;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_headers_hash_max_size 51200;
    proxy_headers_hash_bucket_size 6400;

Edited December 15, 2017 by GilbN

GilbN Posted December 15, 2017

> 8 hours ago, local.bin said:
> You need to go back and make the other changes I mentioned, as what you quoted was not what I posted.
> Changing the action will stop it trying to send the mail from localhost:
> Edit jail.local and add the following to the nextcloud or other jail;
>
>     mta = sendmail
>     action = sendmail-whois[name=nextcloud, dest=<destination email address>]
>
> Copy ..action.d/sendmail-whois.conf to sendmail-whois.local and then edit the last line of the action, changing the sendmail command line part;
>
>     Fail2Ban" | /usr/sbin/sendmail -t -v -H 'exec openssl s_client -quiet -tls1 -connect smtp.gmail.com:465' -au<from email account name> -ap<account password> <dest>

Thanks will try that

goodGame Posted December 15, 2017

> 2 hours ago, GilbN said:
> I use this for plex:
> SSO.conf

This worked for me too, thanks a lot man. Any clue as to why /web won't work?

GilbN Posted December 15, 2017

> 3 hours ago, Andreen said:
> This worked for me too, thanks a lot man. Any clue as to why /web won't work?

You were missing some parts

    location /web {
        proxy_pass http://127.0.0.1:32400;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /plex {
        proxy_pass http://127.0.0.1/web;
    }

goodGame Posted December 15, 2017

> 16 minutes ago, GilbN said:
> You were missing some parts
>
>     location /web {
>         proxy_pass http://127.0.0.1:32400;
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     }
>
>     location /plex {
>         proxy_pass http://127.0.0.1/web;
>     }

Missing what? The proxy_set_header params are in proxy.conf, and the location /plex is just a redirect to /web so shouldn't affect /web in any way. Correct?

local.bin Posted December 16, 2017

> 16 hours ago, GilbN said:
> Thanks will try that

If you use any other fail2ban filters that send mail then you have to update it to the full sendmail command else it will try and use localhost.

benpete22 Posted December 17, 2017 (edited)

Hello! Does anyone know if there is a way to update/add new subdomains without deleting and re-creating the container?

Edited December 17, 2017 by benpete22

RAINMAN Posted December 17, 2017

I'm a bit confused now that I am trying to add another subdomain. When I look at the certificates for all my domains they are issued to plex.mydomain.com. Even if the domain is grafana.mydomain.com, it's still coming up as valid. Do I have this set up right? I would have expected it to be issued for each subdomain? (Note: I am not using letsencrypt docker for the top level domain. That is hosted separately.)

Second, I was trying to add a subdomain for crashplan and it appears right, but it didn't load the actual VNC content. It loads the title bar and the certificate is green (but issued to plex.mydomain.com). To resolve this I had to add the following 2 lines to the /location block. Maybe it will help someone if they have the same issue.

    location / {
        # Added block for websockets
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.100:7810;
    }

RAINMAN Posted December 17, 2017

> 24 minutes ago, benpete22 said:
> Hello! Does anyone know if there is a way to update/add new subdomains without deleting and re-creating the container?

In the configuration you can add subdomains comma separated in the subdomains field. This will restart the container when you save it, so not sure if this is what you mean by delete and re-create. I believe this is the only way though as it creates the certificates when it loads.

benpete22 Posted December 17, 2017

> 4 minutes ago, RAINMAN said:
> In the configuration you can add subdomains comma separated in the subdomains field. This will restart the container when you save it, so not sure if this is what you mean by delete and re-create. I believe this is the only way though as it creates the certificates when it loads.

so would that be doing this?

    sudo docker run -e SUBDOMAINS=list,of,sub,domains,here --name=letsencrypt linuxserver/letsencrypt

Also, would that reset any of my existing other options on that container?

RAINMAN Posted December 17, 2017 (edited)

> 9 minutes ago, benpete22 said:
> so would that be doing this?
>
>     sudo docker run -e SUBDOMAINS=list,of,sub,domains,here --name=letsencrypt linuxserver/letsencrypt
>
> Also, would that reset any of my existing other options on that container?

Ahh, from the command line I am unsure. I was just doing it from the webUI for dockers. When I make a change and apply it this is the command it shows.

    root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name="letsencrypt" --net="bridge" --privileged="true" -e TZ="America/New_York" -e HOST_OS="unRAID" -e "EMAIL"="REMOVED" -e "URL"="DOMAIN.net" -e "SUBDOMAINS"="plex,cloud,grafana,home,crashplan" -e "ONLY_SUBDOMAINS"="true" -e "DHLEVEL"="4096" -e "PUID"="99" -e "PGID"="100" -p 443:443/tcp -p 81:80/tcp -v "/mnt/user/appdata/letsencrypt":"/config":rw linuxserver/letsencrypt

Edited December 17, 2017 by RAINMAN

saarg Posted December 17, 2017

> 3 hours ago, benpete22 said:
> so would that be doing this?
>
>     sudo docker run -e SUBDOMAINS=list,of,sub,domains,here --name=letsencrypt linuxserver/letsencrypt
>
> Also, would that reset any of my existing other options on that container?

Why are you using command line?

Sudoku is not used on unraid, so if you are running anything other than unraid, please go to our forum at linuxserver.io to get help.