rcmpayne Posted December 14, 2016

I have the sonarr plugin installed from PhAzE Plugins and I wanted to enable SSL with an SSL certificate that I have. It's a proper CA-signed one and I have a .cer, .key as well as the .pvk that Sonarr needs. In the below wiki link, it says to run httpcfg as the user, which would be nobody. How do I go about adding this? Do I just putty into the unraid server and run the below? I assume not, as that would be the root account.

> Importing
>
> Load the certificate with httpcfg (comes with mono) with the user that runs Sonarr:
>
>     httpcfg -add -port <SSL_PORT> -pvk yourdomain.pvk -cert yourdomain.cert
>
> Replace <SSL_PORT> with the SSL port you set in Sonarr.

https://github.com/Sonarr/Sonarr/wiki/SSL

CHBMB Posted December 14, 2016

Probably better off asking in the support thread I would have thought. Personally I would skip this and just run everything behind one secure web server as a reverse proxy.

rcmpayne (Author) Posted December 14, 2016

Do you have any steps on doing this proxy setup? Also, if required, can I move this thread to the correct sub forum?

CHBMB Posted December 14, 2016

> Do you have any steps on doing this proxy setup? Also, if required, can I move this thread to the correct sub forum?

Start with this docker container.

CHBMB Posted December 14, 2016

Fixed... copy pasta in wrong place....

rcmpayne (Author) Posted December 15, 2016

OK, so I have the nginx-proxy and letsencrypt-nginx-proxy-companion dockers configured but they keep failing to assign certificates to my sabnzbd docker. Seems like it's a known issue due to some update that took place in December, but the author has not updated the letsencrypt-nginx-proxy-companion docker yet.

Followed this: https://jamiemagee.co.uk/2016/03/28/setting-up-nginx-reverse-proxy-with-lets-encrypt-on-unraid/

Known issue: https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/issues/134 and https://github.com/JrCs/docker-letsencrypt-nginx-proxy-companion/issues/131

Looking at the docker page, I don't see any that's taken the newest update yet.

https://hub.docker.com/search/?isAutomated=0&isOfficial=0&page=1&pullCount=0&q=letsencrypt-nginx-proxy-companion&starCount=0

CHBMB Posted December 15, 2016

Yeah, I linked to our version, know nothing about setting up jwilders....

rcmpayne (Author) Posted December 15, 2016

Ok thanks, I will try your link now. Is your link an all-in-one docker?

CHBMB Posted December 15, 2016

> Ok thanks, I will try your link now. Is your link an all-in-one docker?

Yes, you just edit the default file in /config/nginx/site-confs/

rcmpayne (Author) Posted December 15, 2016

Thanks, seems I got it working for sab, sonarr, couchpotato, router but I can't get it to work for the unraid UI. It just keeps prompting for nginx password.

    server {
        listen 443 ssl;
        root /config/www;
        index index.html index.htm index.php;
        server_name server.*;

        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;

        client_max_body_size 0;

        location / {
            auth_basic "Restricted";
            auth_basic_user_file /config/nginx/.htpasswd;
            include /config/nginx/proxy.conf;
            proxy_pass http://192.168.0.100;
        }
    }

CHBMB Posted December 15, 2016

Don't reverse proxy your Unraid webui. Bad idea.

rcmpayne (Author) Posted December 15, 2016

Ok thanks, last question. If I try to access something that I have not created (bla.ddnsdomain.com) I get "Your connection is not private" "NET:ERR_CERT_COMMON_NAME_INVALID". Do we have a way to set a catch-all in the file /config/nginx/site-confs/default so that it throws a 500 error or something?

CHBMB Posted December 15, 2016

> Ok thanks, last question. If I try to access something that I have not created (bla.ddnsdomain.com) I get "Your connection is not private" "NET:ERR_CERT_COMMON_NAME_INVALID". Do we have a way to set a catch-all in the file /config/nginx/site-confs/default so that it throws a 500 error or something?

Not quite sure what you mean, but if it helps, I have my own domain and have put it in the default file like so:

    server {
        listen 80;
        server_name rcmpayne.org;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl default_server;
        server_name rcmpayne.org;

        ###Set root directory
        root /config/www;
        index index.html index.htm index.php;

        ###Turn off client checking of client request body size
        client_max_body_size 0;

        ###SSL Certificates
        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

        ###Diffie–Hellman key exchange ###
        ssl_dhparam /config/nginx/dhparams.pem;

        ###Extra Settings###
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header Front-End-Https on;

        ###SSL Ciphers
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        location ~ \.php$ {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            # With php5-cgi alone:
            fastcgi_pass 127.0.0.1:9000;
            # With php5-fpm:
            #fastcgi_pass unix:/var/run/php5-fpm.sock;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
        }
    }

I also run nextcloud on nextcloud.server.com by creating another file in the same folder calling it nextcloud.

    server {
        listen 80;
        server_name nextcloud.rcmpayne.org;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name nextcloud.rcmpayne.org;

        root /config/www;
        index index.html index.htm index.php;

        ###SSL Certificates
        ssl_certificate /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

        ###Diffie–Hellman key exchange ###
        ssl_dhparam /config/nginx/dhparams.pem;

        ###SSL Ciphers
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';

        ###Extra Settings###
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

        ### Add HTTP Strict Transport Security ###
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains";
        add_header Front-End-Https on;

        client_max_body_size 0;

        location / {
            proxy_pass https://192.168.0.1:444/;
        }
    }

If I try and access owncloud.server.com for instance, which I do not have a (sub)domain name for, I get a DNS error as no record is found.

aptalca Posted December 16, 2016

> Ok thanks, last question. If I try to access something that I have not created (bla.ddnsdomain.com) I get "Your connection is not private" "NET:ERR_CERT_COMMON_NAME_INVALID". Do we have a way to set a catch-all in the file /config/nginx/site-confs/default so that it throws a 500 error or something?

In your main server blocks, define the server addresses, then create another server block with no server address defined, set that as the default and have it serve an error page. Any domain/subdomain you set will match to one of the main server blocks, everything else will match to the default server block and get the error page.

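The catch-all described in the post above, sketched as nginx configuration. This is an added example, not part of the thread or of the container's shipped config; it reuses the certificate paths from the posts, while `sonarr.example.org` and the upstream address `192.0.2.10:8989` are placeholders.

```nginx
# Added example for /config/nginx/site-confs/default. Hostname and upstream
# below are placeholders, not values from the thread.

# A named site. It must NOT carry default_server: one block per listen
# address:port gets that flag, and here the catch-all takes it.
server {
    listen 443 ssl;
    server_name sonarr.example.org;            # placeholder name

    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.0.2.10:8989;     # placeholder upstream
    }
}

# HTTPS catch-all: any requested name that matches no server_name lands here
# instead of falling through to a real site.
server {
    listen 443 ssl default_server;
    server_name _;                             # dummy name, never matches

    # A certificate is still needed to finish the handshake. Unknown names are
    # not on it, so the browser's name-mismatch warning appears before nginx
    # can send any status code.
    ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
    ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

    return 404;                                # or 444 to drop the connection

    # On nginx 1.19.4 or later, "ssl_reject_handshake on;" can replace the
    # certificate lines and the return: the handshake is refused outright.
}

# Plain-HTTP catch-all, so unknown names are not redirected to HTTPS.
server {
    listen 80 default_server;
    server_name _;
    return 404;
}
```

Running `nginx -t` inside the container validates the file before a reload; a second `default_server` on the same port is reported there as a duplicate default server.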