
Docker Updating, Nginx certs??

JCBiggs

I set up a docker container for my unifi controller about 6 months ago, and now I'm not sure how to update the thing. Can anyone here give me the quick "bullet points" on what to do? I'm assuming copy the image (i.e. make a backup) then just do a pull, but is there more to it?

 

 

Next question. I want to set up some LE certs. The server is named Jeff, but the web address for the controller is "Frank.myserver.com" (a second service running on the server is located at Gary.myserver.com). How do I make it so that when you call up frank and gary, Nginx knows you're supposed to be connected to a server named Jeff? I'm just trying to figure out what the technical terminology is for this so I know what to google.


Can't answer the first question, but for the second you need a DNS server running to translate domain names to IP addresses.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


1 hour ago, JCBiggs said:

I set up a docker container for my unifi controller about 6 months ago, and now I'm not sure how to update the thing. Can anyone here give me the quick "bullet points" on what to do? I'm assuming copy the image (i.e. make a backup) then just do a pull, but is there more to it?

Docker isn't supported by UniFi, but what docker container are you using? This one? https://hub.docker.com/r/jacobalberty/unifi/

Typically what I do when there's no automatic update but it does have 'latest' tags is to do a docker pull. Keep in mind this only pulls the latest image to your local repository of images; you still have to start up a new container with the new image. I typically keep all of my container commands in shell scripts, so I just stop & delete the old container and re-create it. With the :latest tag, you don't actually have to do a pull; it will automatically check and pull when you re-create the container.

Here's an example: https://ma.ttias.be/update-docker-container-latest-version/

 

Quote:

Next question. I want to set up some LE certs. The server is named Jeff, but the web address for the controller is "Frank.myserver.com" (a second service running on the server is located at Gary.myserver.com). How do I make it so that when you call up frank and gary, Nginx knows you're supposed to be connected to a server named Jeff? I'm just trying to figure out what the technical terminology is for this so I know what to google.

It sounds like you want an nginx reverse proxy.

So for example, if you go to https://mydomain.com that is a reverse proxy to Apache on another server. If you go to https://unifi.mydomain.com then that's reverse proxied to my Raspberry Pi. If you go to https://plex.mydomain.com then that's reverse proxied to my media server.

So to do that, my subdomains are CNAMEs to my main domain name, then my domain name has an A record to the public IP address of my Nginx server.

Then on the Nginx server I'm effectively using Virtualhost to translate each domain/subdomain and then proxy_pass to pass the request on to the machine I want.

Here's an example of my Unifi configuration. This is a file I called 'unifi' in /etc/nginx/sites-available/ (which you then symlink to /etc/nginx/sites-enabled to enable it). As you can see in the config at the bottom, my Raspberry Pi's hostname is 'elementsdns' (it primarily hosts my Pi-hole/Cloudflared, hence the name). But Nginx redirects the https://unifi.mydomain.com request to https://elementsdns:8443 and acts as a proxy.

 

https://pastebin.com/Nj0yPpgn

 


Desktop: Ryzen9 5950X | ASUS ROG Crosshair VIII Hero (Wifi) | EVGA RTX 3080Ti FTW3 | 32GB (2x16GB) Corsair Dominator Platinum RGB Pro 3600Mhz | EKWB EK-AIO 360D-RGB | EKWB EK-Vardar RGB Fans | 1TB Samsung 980 Pro, 4TB Samsung 980 Pro | Corsair 5000D Airflow | Corsair HX850 Platinum PSU | Asus ROG 42" OLED PG42UQ + LG 32" 32GK850G Monitor | Roccat Vulcan TKL Pro Keyboard | Logitech G Pro X Superlight  | MicroLab Solo 7C Speakers | Audio-Technica ATH-M50xBT2 LE Headphones | TC-Helicon GoXLR | Audio-Technica AT2035 | LTT Desk Mat | XBOX-X Controller | Windows 11 Pro

 


Server: Fractal Design Define R6 | Ryzen 3950x | ASRock X570 Taichi | EVGA GTX1070 FTW | 64GB (4x16GB) Corsair Vengeance LPX 3000Mhz | Corsair RM850v2 PSU | Fractal S36 Triple AIO | 12 x 8TB HGST Ultrastar He10 (WD Whitelabel) | 500GB Aorus Gen4 NVMe | 2 x 2TB Samsung 970 Evo Plus NVMe | LSI 9211-8i HBA

 


17 hours ago, Jarsky said:

Docker isn't supported by UniFi, but what docker container are you using? This one? https://hub.docker.com/r/jacobalberty/unifi/

...

 

Well, that got complicated.

 


Depending on the exact image you used and whether you set the volume mapping, all of your configs should be saved. I like to use docker compose as a method of saving the initial configuration as well as adding some functionality. For example, I can use the command docker-compose pull <docker-compose.yml> to pull the latest versions of the images and the command docker-compose up -d <docker-compose.yml>. Specifying the compose file location isn't necessary if it is the current directory and named exactly docker-compose.yml. I have multiple files to make management a little bit easier as I have a few different stacks of apps.

[Out-of-date] Want to learn how to make your own custom Windows 10 image?

 

Desktop: AMD R9 3900X | ASUS ROG Strix X570-F | Radeon RX 5700 XT | EVGA GTX 1080 SC | 32GB Trident Z Neo 3600MHz | 1TB 970 EVO | 256GB 840 EVO | 960GB Corsair Force LE | EVGA G2 850W | Phanteks P400S

Laptop: Intel M-5Y10c | Intel HD Graphics | 8GB RAM | 250GB Micron SSD | Asus UX305FA

Server 01: Intel Xeon D 1541 | ASRock Rack D1541D4I-2L2T | 32GB Hynix ECC DDR4 | 4x8TB Western Digital HDDs | 32TB Raw 16TB Usable

Server 02: Intel i7 7700K | Gigabye Z170N Gaming5 | 16GB Trident Z 3200MHz


8 minutes ago, 2FA said:

Depending on the exact image you used and whether you set the volume mapping, all of your configs should be saved. I like to use docker compose as a method of saving the initial configuration as well as adding some functionality. For example, I can use the command docker-compose pull <docker-compose.yml> to pull the latest versions of the images and the command docker-compose up -d <docker-compose.yml>. Specifying the compose file location isn't necessary if it is the current directory and named exactly docker-compose.yml. I have multiple files to make management a little bit easier as I have a few different stacks of apps.

I used the Jacob Alberty stable image. By volume mapping, I'm assuming you mean where all the configs and logs are stored. All that is in a persistent file on the hard drive; it doesn't disappear when you do a new pull. I figured this out last night. It was just a matter of renaming the old container and re-running the run command with all the arguments. Because the run command was mapped to all that persistent data, everything "just worked".

 

My goal now is to get certificates working so I can start accessing it over the internet. But to do that I need to learn how/where to put the certs, and how to harden the server since it will be public facing.
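The update procedure the thread settles on (pull the image, keep the old container as a backup, re-run the same run command against the persistent volume) written out as a script. This is an added example, not code from the thread or from the jacobalberty/unifi project; the container name, the host data directory /srv/unifi, the published ports and the DOCKER wrapper variable are assumptions.

```shell
#!/bin/sh
# Update a container that runs a :latest-style tag (here jacobalberty/unifi:stable):
# pull, keep the old container as a renamed backup, recreate it with the same volume
# mapping, and roll back if the new one fails to start. Names, ports and the host
# data directory are assumptions for this example.
set -eu

DOCKER=${DOCKER:-docker}                  # point at a logging wrapper for a dry run
IMAGE=${IMAGE:-jacobalberty/unifi:stable}
NAME=${NAME:-unifi}
DATA_DIR=${DATA_DIR:-/srv/unifi}          # host path holding the persistent config/logs

# Image ID currently behind tag $1, or empty if the tag is not present locally.
image_id() { "$DOCKER" image inspect --format '{{.Id}}' "$1" 2>/dev/null || echo ""; }

# Backup name for the old container, e.g. unifi-old-20240101T120000Z
backup_name() { printf '%s-old-%s' "$1" "$(date -u +%Y%m%dT%H%M%SZ)"; }

# The same run command every time, so the new container gets the same volumes and ports.
run_container() {
  "$DOCKER" run -d --name "$1" --restart unless-stopped \
    -v "$DATA_DIR:/unifi" -p 8443:8443 -p 8080:8080 -p 3478:3478/udp "$IMAGE"
}

update_container() {
  before=$(image_id "$IMAGE")
  "$DOCKER" pull "$IMAGE" >/dev/null
  after=$(image_id "$IMAGE")
  if [ -n "$before" ] && [ "$before" = "$after" ]; then
    echo "$NAME: image unchanged, nothing to do"
    return 0
  fi
  old=$(backup_name "$NAME")
  "$DOCKER" stop "$NAME" >/dev/null
  "$DOCKER" rename "$NAME" "$old"          # the old container is the backup
  if run_container "$NAME" >/dev/null; then
    echo "$NAME: recreated from $after; old container kept as $old (remove it once verified)"
  else
    echo "$NAME: new container failed to start, rolling back to $old" >&2
    "$DOCKER" rm -f "$NAME" >/dev/null 2>&1 || true
    "$DOCKER" rename "$old" "$NAME"
    "$DOCKER" start "$NAME" >/dev/null
    return 1
  fi
}

case "${1:-}" in
  update) update_container ;;
  *) echo "usage: $0 update" >&2 ;;
esac
```

Run it as `./update.sh update`; set DOCKER to a wrapper that only logs its arguments for a dry run. The old container is renamed rather than deleted, so a bad release can be rolled back by renaming it back, which the script does itself when the new container refuses to start.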


6 minutes ago, JCBiggs said:

My goal now is to get certificates working so I can start accessing it over the internet. But to do that I need to learn how/where to put the certs, and how to harden the server since it will be public facing.

Since you're already using Docker and plan to expose services publicly, I suggest using NginxProxyManager (https://github.com/jlesage/docker-nginx-proxy-manager) which makes it very easy to set up a reverse proxy and will handle all the cert stuff for you.



6 hours ago, JCBiggs said:

Well, that got complicated.

 

It can be a little overwhelming if you aren't a power user used to Linux & webservers.

Caddy is a popular solution for a reverse proxy, it also handles your SSL: https://caddyserver.com


 


Well... this was a battle, and I still haven't solved it. I managed to get nginx set up and working. And when I connect to the server via the domain, I get a good certificate. However, when I input my credentials, the controller errors and won't log in. It DOES however log in locally. So I think there is some kind of error with my unifi controller docker container, or some sort of misconfiguration that I'm not smart enough to fix. But at least I learned to get nginx working as a reverse proxy with certs!


13 hours ago, JCBiggs said:

Well... this was a battle, and I still haven't solved it. I managed to get nginx set up and working. And when I connect to the server via the domain, I get a good certificate. However, when I input my credentials, the controller errors and won't log in. It DOES however log in locally. So I think there is some kind of error with my unifi controller docker container, or some sort of misconfiguration that I'm not smart enough to fix. But at least I learned to get nginx working as a reverse proxy with certs!

 

Since this is for Unifi Controller, did you check out my pastebin above? It has the config I use which works just fine.

It's normal to get WebSocket errors when you login, but I can login just fine to mine and it works perfectly as below (mine's not secure because of a CN name mismatch to this subdomain).

Make sure you mimic my config as you do need the proxy header configuration under /wss to make it work properly.

 


 

 

 


 


8 hours ago, Jarsky said:

 

Since this is for Unifi Controller, did you check out my pastebin above? It has the config I use which works just fine.

...

The only browser I have actually been able to get to log in was IE, and when it does log in the screen is basically blank. There are 2 garbled alert messages in the top right corner. One of those is a websocket error. I think you have given me the answer and I will try it as soon as I get time today.

 

Thanks!


8 hours ago, Jarsky said:

 

Since this is for Unifi Controller, did you check out my pastebin above? It has the config I use which works just fine.

...

One more question. In your config you have a section that deals with the SSL config. How much of that should I leave or remove since certbot is managing my certificates and parameters?


31 minutes ago, JCBiggs said:

One more question. In your config you have a section that deals with the SSL config. How much of that should I leave or remove since certbot is managing my certificates and parameters?

 

Certbot just renews your certificate. Basically, if you want Nginx as secure as possible you should pretty much keep all of the config; they're basically all general configuration.

 

        ssl_certificate /etc/apache2/ssl/certificate.pem;
        ssl_certificate_key /etc/apache2/ssl/certificate.key;

These just reference your cert/key; yours should be similar.

        # Use only TLS
        ssl_protocols TLSv1.2;

This disables older SSL protocols for stricter security, compatible with anything newer than IE6.

        # Tell client which ciphers are available
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

This is the cipher suite I use; it's quite strict while basically giving you compatibility with anything newer than IE6 or Android 2.x browsers.

        # Use our own DH params
        ssl_dhparam /etc/nginx/certs/dhparam.pem;

You should look up generating a Diffie-Hellman group; this creates strong security.

        # Enable OCSP stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/apache2/ssl/certificate.pem;

LetsEncrypt works fine with OCSP stapling, which is an extra form of validation done by the webserver by checking the CA for the revocation status of the cert.

        # Enable HSTS
        add_header Strict-Transport-Security "max-age=31536000" always;
        # Optimize session cache
        ssl_session_cache   shared:SSL:40m;
        ssl_session_timeout 4h;
        # Enable session tickets
        ssl_session_tickets on;

Again just more validation and security; I find this just works well for me to ignore issues.

 

Essentially, between my certificate, security fixes and the above SSL configuration it gives me an A+ rating with very good compatibility.

 


 

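A generator for the server blocks discussed in this post, as an added example rather than Jarsky's pastebin config: one function prints a TLS-terminating server block per hostname with the TLS settings from the post above and the /wss websocket headers mentioned earlier in the thread, optionally flagged as the default server, and a second function refuses a combined file that carries default_server more than once (the "duplicate default server" error that comes up later in the thread). Certificate paths follow certbot's /etc/letsencrypt/live/<host>/ layout, the hostnames, upstreams and resolver address are placeholders, and TLSv1.3 plus dropping DH+3DES are this example's choices, not the post's.

```shell
#!/bin/sh
# Generate nginx server blocks for TLS-terminating reverse proxies, one per hostname,
# and check the combined file for more than one default_server before handing it to
# nginx -t. Cert paths assume certbot's /etc/letsencrypt/live layout.

# site_conf HOST UPSTREAM [default]  -> prints one server {} block on stdout
site_conf() {
  host=$1; upstream=$2; dflt=""
  [ "${3:-}" = "default" ] && dflt=" default_server"   # only one block may carry this
  cat <<EOF
server {
    listen 443 ssl${dflt};
    server_name ${host};

    ssl_certificate         /etc/letsencrypt/live/${host}/fullchain.pem;
    ssl_certificate_key     /etc/letsencrypt/live/${host}/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/${host}/chain.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers on;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5:!3DES;
    ssl_dhparam /etc/nginx/certs/dhparam.pem;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 1.1.1.1 valid=300s;   # stapling needs a resolver for the OCSP responder (placeholder)
    ssl_session_cache shared:SSL:40m;
    ssl_session_timeout 4h;
    add_header Strict-Transport-Security "max-age=31536000" always;

    access_log /var/log/nginx/${host}.log;

    location / {
        proxy_pass ${upstream};
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
    }

    # The controller UI keeps a websocket open on /wss; without the Upgrade
    # headers the login page loads but the dashboard stays blank.
    location /wss {
        proxy_pass ${upstream};
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host \$host;
        proxy_read_timeout 86400;
    }
}
EOF
}

# Number of server blocks in FILE that claim default_server (grep -c exits 1 on zero).
default_server_count() { grep -c 'default_server' "$1" || true; }

# Fails, like nginx -t would, when more than one block on :443 claims default_server.
check_default_servers() {
  n=$(default_server_count "$1")
  if [ "$n" -gt 1 ]; then
    echo "$1: $n server blocks claim default_server on :443; keep at most one" >&2
    return 1
  fi
  return 0
}

# gen OUTFILE: write the two example sites, verify, then let nginx validate the whole config.
case "${1:-}" in
  gen)
    out=${2:-/etc/nginx/conf.d/proxies.conf}
    { site_conf unifi.example.com https://elementsdns:8443 default
      site_conf cloud.example.com http://127.0.0.1:8080; } > "$out"
    check_default_servers "$out" && nginx -t ;;
  *) echo "usage: $0 gen [OUTFILE]" >&2 ;;
esac
```

The upstream for the controller stays https because the controller listens with its own certificate on 8443; a plain-http upstream (as with the Nextcloud container later in the thread) is passed as http://host:port and TLS is terminated at the proxy.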

 


1 hour ago, Jarsky said:

 

Certbot just renews your certificate. Basically, if you want Nginx as secure as possible you should pretty much keep all of the config; they're basically all general configuration.

Essentially, between my certificate, security fixes and the above SSL configuration it gives me an A+ rating with very good compatibility.

This is very, very helpful. Thanks a lot for your detailed response, I'll make the changes and let you know how it went!

 

JC


3 hours ago, Jarsky said:

 

Certbot just renews your certificate. Basically, if you want Nginx as secure as possible you should pretty much keep all of the config; they're basically all general configuration.

Essentially, between my certificate, security fixes and the above SSL configuration it gives me an A+ rating with very good compatibility.

Jarsky, if this was reddit I would give you gold. That worked like a champ man!! I think that websocket stuff was the real kicker. Only thing I have now is your "ipwhitelist" settings didn't work for me. I think because I don't have the .htpasswd file set up. I did add the whitelist file with "allow myip" but it didn't work. I had to make it like this to work.

 

        access_log /var/log/nginx/$server_name.log;

        #Allow certain IP's only else basic auth
        satisfy any;
        #include /etc/nginx/IPwhitelist.conf;
        #deny all;
        #Basic Auth
        auth_basic "Restricted";
        #auth_basic_user_file /etc/nginx/.htpasswd;

So... I'll go back and fix that later after I do some learning about it. (Any suggestions?)

 

 

So now I'll repeat this process for my owncloud docker container and see if I can get that working. My goal is to have everything running on one machine in docker containers so all I have to worry about is getting an image of the whole thing for backup, and keeping my other storage server up on capacity.

 

Thanks again for the help.


8 hours ago, JCBiggs said:

Jarsky, if this was reddit I would give you gold. That worked like a champ man!! I think that websocket stuff was the real kicker.

Awesome to hear :) Yeah that /wss (websocket) part had me stumped, it took a bit of trial and error with the headers to get it working. 

 

Quote:

Only thing I have now is your "ipwhitelist" settings didn't work for me. I think because I don't have the .htpasswd file set up. I did add the whitelist file with "allow myip" but it didn't work. I had to make it like this to work.

        #Allow certain IP's only else basic auth
        satisfy any;
        #include /etc/nginx/IPwhitelist.conf;
        #deny all;
        #Basic Auth
        auth_basic "Restricted";
        #auth_basic_user_file /etc/nginx/.htpasswd;

 

 

I just added this to add an extra level of security for myself; you can remove it, or change this section as you see fit.

Essentially it checks the IPwhitelist.conf to see if your IP address is allowed direct access; if not, then it prompts for username/password. If you can satisfy the username/password then it will allow you access.

 

The format of the IPwhitelist.conf is using the ';' as a delimiter, and listing 1 IP or subnet per line. So the file looks like below, where I have my private (internal) subnets.

jarsky@elements:~$ cat /etc/nginx/IPwhitelist.conf
allow 192.168.1.0/24;
allow 192.168.5.0/24;

 

 

You can create multiple lists; another site I have looks like this, where the IPwhitelist.conf is only my internal network, while the other 3 are external ISP IP ranges which I get from https://ipinfo.io using the provider's AS number. You can use a map as well, but this works fine for the purpose I use it for.

        #Allow certain IP's only else basic auth
        satisfy any;
        include /etc/nginx/IPwhitelist.conf;
        include /etc/nginx/IPwhitelist-spark.conf;
        include /etc/nginx/IPwhitelist-2degrees.conf;
        include /etc/nginx/IPwhitelist-vodafone.conf;
        deny all;
        #Basic Auth
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;

P.S. To create these files I basically use Excel to merge column A with the word "allow", column B I copy-paste all the ranges, and then column C has the ';' delimiter, then I use a formula to merge them all to generate my conf.

 

This is what one of those files looks like

 


 

 

As for the htpasswd file, the format is "username:md5saltedpassword"; you can use a generator such as this: https://www.web2generators.com/apache-tools/htpasswd-generator then paste the generated line into a file called .htpasswd.

 

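The allow-list generation described in this post, as an added example (not Jarsky's spreadsheet or files): each CIDR is validated before it becomes an `allow` line, because a malformed entry such as `192.168.1./24` is exactly what a spreadsheet merge will happily produce and what `nginx -t` will then reject; a second function prints the satisfy-any block for a set of list files, and a third makes an htpasswd line locally with openssl so the password never has to be pasted into a third-party web generator. The file paths are the thread's; the list file names passed in are placeholders.

```shell
#!/bin/sh
# Build nginx allow-list files ("allow CIDR;" per line) from plain CIDR lists,
# validating each entry first, and emit the access block that pairs the list
# with basic auth. Paths follow the thread; list names are placeholders.

# valid_cidr A.B.C.D/N -> status 0 if four octets in 0..255 and prefix in 0..32
valid_cidr() {
  ip=${1%/*}; pfx=${1#*/}
  [ "$ip" != "$1" ] || return 1                      # no "/" at all
  case "$pfx" in ''|*[!0-9]*) return 1 ;; esac       # prefix must be digits
  [ "$pfx" -le 32 ] || return 1
  case "$ip" in ''|*[!0-9.]*) return 1 ;; esac       # address: digits and dots only
  oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs        # split on dots
  [ $# -eq 4 ] || return 1                           # "192.168.1." yields only 3 fields
  for o in "$@"; do
    case "$o" in '') return 1 ;; esac                # "192.168..1" has an empty octet
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# gen_whitelist CIDR... -> prints "allow CIDR;" lines; reports bad entries, status 1 if any
gen_whitelist() {
  bad=0
  for cidr in "$@"; do
    if valid_cidr "$cidr"; then
      printf 'allow %s;\n' "$cidr"
    else
      printf 'gen_whitelist: rejected %s\n' "$cidr" >&2
      bad=1
    fi
  done
  return $bad
}

# acl_block LISTFILE... -> the access block: a listed address gets in directly,
# anyone else must pass basic auth (satisfy any: either check is enough).
acl_block() {
  echo "        satisfy any;"
  for f in "$@"; do echo "        include $f;"; done
  cat <<'EOF'
        deny all;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
EOF
}

# htpasswd_line USER -> "user:$apr1$..."; the password is read from stdin so it
# never appears on the command line or in a browser form.
htpasswd_line() { printf '%s:%s\n' "$1" "$(openssl passwd -apr1 -stdin)"; }

case "${1:-}" in
  build)   # build OUTFILE CIDR...   e.g. build /etc/nginx/IPwhitelist.conf 192.168.1.0/24
    out=$2; shift 2
    gen_whitelist "$@" > "$out.tmp" && mv "$out.tmp" "$out" ;;   # nothing half-written on error
  acl) shift; acl_block "$@" ;;
  user) htpasswd_line "$2" ;;
  *) echo "usage: $0 build OUTFILE CIDR... | acl LISTFILE... | user NAME" >&2 ;;
esac
```

`build` writes to a temporary name and only renames on success, so a rejected entry leaves the existing allow-list untouched instead of an empty file that would lock everyone out (or, with `deny all` commented out as in the config above, let everyone in). `user NAME` writes one htpasswd line to stdout; append it to /etc/nginx/.htpasswd.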

 


20 hours ago, Jarsky said:

Awesome to hear :) Yeah that /wss (websocket) part had me stumped, it took a bit of trial and error with the headers to get it working. 

 

...

 

 

Jarsky I got all that worked out.  

 

Question. Now I have my other docker up and running, and I added another server block to nginx. Basically I just copied exactly what you gave me and pasted it twice, the second under the first copy which I already modified and is working great. Then I of course changed all the server names, cert locations, etc. in the second copy... problem now is that I am getting the error

 

nginx: [emerg] a duplicate default server for 0.0.0.0:443 in /etc/nginx/conf.d/server.conf:101

 

 

I know this is because I have the name "default server" in both server blocks and I need to change it, but when I do change it, I end up with the error,

 

nginx: [emerg] invalid parameter "server2_server" in /etc/nginx/conf.d/server.conf:103
nginx: configuration file /etc/nginx/nginx.conf test failed

 

I even tried copying the default file and renaming it "server2" and that didn't make it work either. Any idea what I might be doing wrong?


I deleted the "default_server" parameter after the "listen 443" line and that corrected the issue. But now I'm getting a 502 error, bad gateway... sweet jesus... I see why people get paid so much for this now.


2 hours ago, JCBiggs said:

I deleted the "default_server" parameter after the "listen 443" line and that corrected the issue. But now I'm getting a 502 error, bad gateway... sweet jesus... I see why people get paid so much for this now.

 

Ah, I just checked the pastebin I gave you and I accidentally had default_server on that config. Make sure default_server is removed from the unifi and docker config file server blocks. For the 502 error, check your server log, e.g. cat /var/log/nginx/error.log

 


 


14 hours ago, Jarsky said:

 

Ah, I just checked the pastebin I gave you and I accidentally had default_server on that config. Make sure default_server is removed from the unifi and docker config file server blocks. For the 502 error, check your server log, e.g. cat /var/log/nginx/error.log

 

In order for nextcloud to work over the net, it requires SSL, OR it requires a connection from the local network (i.e. the host machine). So the answer to make the 502 gateway go away was to terminate SSL at the proxy. Simply changed the proxy pass from https to http and it now works. ...again... I see why people get paid so much to do this.

 

Next step... the database LOL.

Database is up and running; logging into nextcloud: "error, Can't create or write into the data directory /var/lib/mysql"

Shoot me.
