New container added with template YAML not accessible #43

Closed
nesbcn opened this issue Nov 19, 2018 · 7 comments

nesbcn commented Nov 19, 2018

TL;DR: a custom container I added is not accessible through its URL as redirected by the reverse proxy.

Hello,

I wanted to install a torrent app that works with a VPN, and after reviewing different options I settled on this one. I have a working VPN (custom OpenVPN server) and configured the docker-compose YAML as follows (I took the deluge one as a reference):

#
# transmission - Torrent download engine
#
  transmission:
    restart: unless-stopped
    image: haugene/transmission-openvpn
    cap_add:
      - NET_ADMIN
    devices:
      - /dev/net/tun
    container_name: transmission
    hostname: transmission
    cpu_shares: 1024
    ports:
      - 9091:9091
      - 8888:8888
    dns:
      - 8.8.8.8
      - 8.8.4.4
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - ${CONFIGS}/Transmission:/config
      - ${DOWNLOADS}:/Downloads
      - ${DOWNLOADS}/transmission:/data
      - ${GOOGLE}:/Media
      - ${CONFIGS}/Transmission/openvpn/default.ovpn:/etc/openvpn/custom/default.ovpn
      - ${CONFIGS}/Transmission/openvpn/ca.crt:/etc/openvpn/custom/ca.crt
      - /var/local/Gooby/Transmission/openvpn-credentials.txt:/config/openvpn-credentials.txt
      - /var/local/Gooby/Transmission/openvpn:/etc/openvpn/custom
    environment:
      - PUID=${USERID}
      - PGID=${GROUPID}
      - TZ=${TIMEZONE}
      - UMASK_SET=022
      - VIRTUAL_HOST=transmission.${MYDOMAIN}
      - VIRTUAL_PORT=80
      - VIRTUAL_NETWORK=nginx-proxy
      - LETSENCRYPT_HOST=transmission.${MYDOMAIN}
      - LETSENCRYPT_EMAIL=${MYEMAIL}
      - OPENVPN_PROVIDER=CUSTOM
      - OPENVPN_USERNAME=[User]
      - OPENVPN_PASSWORD=[Password]
#      - OPENVPN_OPTS=--inactive 3600 --ping 10 --ping-exit 60
      - LOCAL_NETWORK=127.0.0.1
    healthcheck:
      test: ["CMD-SHELL", "netstat -ntlp | grep :80"]
      interval: 10s
      timeout: 2s
      retries: 3

I believe this docker-compose script is correct, as the application starts, and I know for a fact that it is running and connected to the internet through the VPN.

Now, when I try to access the app through the address transmission.mydomain.com, I get a '502 Bad Gateway' error, alternatively '503 Service Temporarily Unavailable' or even 'NET::ERR_CERT_AUTHORITY_INVALID'. I think that the culprit is the nginx reverse proxy, because when I open a bash CLI inside the container and check the contents of /etc/nginx/conf.d/default.conf, I get the following:

bash-4.4# cat /etc/nginx/conf.d/default.conf | more
# If we receive X-Forwarded-Proto, pass it through; otherwise, pass along the
# scheme used to connect to this server
map $http_x_forwarded_proto $proxy_x_forwarded_proto {
  default $http_x_forwarded_proto;
  ''      $scheme;
}
# If we receive X-Forwarded-Port, pass it through; otherwise, pass along the
# server port the client connected to
map $http_x_forwarded_port $proxy_x_forwarded_port {
  default $http_x_forwarded_port;
  ''      $server_port;
}
# If we receive Upgrade, set Connection to "upgrade"; otherwise, delete any
# Connection header that may have been passed to this server
map $http_upgrade $proxy_connection {
  default upgrade;
  '' close;
}
# Apply fix for very long server names
server_names_hash_bucket_size 128;
# Default dhparam
ssl_dhparam /etc/nginx/dhparam/dhparam.pem;
# Set appropriate X-Forwarded-Ssl header
map $scheme $proxy_x_forwarded_ssl {
  default off;
  https on;
}
gzip_types text/plain text/css application/javascript application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
log_format vhost '$host $remote_addr - $remote_user [$time_local] '
                 '"$request" $status $body_bytes_sent '
                 '"$http_referer" "$http_user_agent"';
access_log off;
resolver 127.0.0.11;
# HTTP 1.1 support
proxy_http_version 1.1;
proxy_buffering off;
proxy_set_header Host $http_host;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $proxy_connection;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $proxy_x_forwarded_proto;
proxy_set_header X-Forwarded-Ssl $proxy_x_forwarded_ssl;
proxy_set_header X-Forwarded-Port $proxy_x_forwarded_port;
# Mitigate httpoxy attack (see README for details)
proxy_set_header Proxy "";
server {
        server_name _; # This is just an invalid value which will never trigger on a real hostname.
        listen 80;
        access_log /var/log/nginx/access.log vhost;
        return 503;
}
server {
        server_name _; # This is just an invalid value which will never trigger on a real hostname.
        listen 443 ssl http2;
        access_log /var/log/nginx/access.log vhost;
        return 503;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/default.crt;
        ssl_certificate_key /etc/nginx/certs/default.key;
}
# jackett.mydomain.com
upstream jackett.mydomain.com {
                                ## Can be connected with "docker_default" network
                        # jackett
                        server 172.26.0.4:9117;
}
server {
        server_name jackett.mydomain.com;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        return 301 https://$host$request_uri;
}
server {
        server_name jackett.mydomain.com;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/jackett.mydomain.com.crt;
        ssl_certificate_key /etc/nginx/certs/jackett.mydomain.com.key;
        ssl_dhparam /etc/nginx/certs/jackett.mydomain.com.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/jackett.mydomain.com.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://jackett.mydomain.com;
        }
}
# menu.mydomain.com
upstream menu.mydomain.com {
                                ## Can be connected with "docker_default" network
                        # organizr
                        server 172.26.0.11:80;
}
server {
        server_name menu.mydomain.com;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        return 301 https://$host$request_uri;
}
server {
        server_name menu.mydomain.com;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/menu.mydomain.com.crt;
        ssl_certificate_key /etc/nginx/certs/menu.mydomain.com.key;
        ssl_dhparam /etc/nginx/certs/menu.mydomain.com.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/menu.mydomain.com.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://menu.mydomain.com;
        }
}
# netdata.mydomain.com
upstream netdata.mydomain.com {
                                ## Can be connected with "docker_default" network
                        # netdata
                        server 172.26.0.7:19999;
}
server {
        server_name netdata.mydomain.com;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        return 301 https://$host$request_uri;
}
server {
        server_name netdata.mydomain.com;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/netdata.mydomain.com.crt;
        ssl_certificate_key /etc/nginx/certs/netdata.mydomain.com.key;
        ssl_dhparam /etc/nginx/certs/netdata.mydomain.com.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/netdata.mydomain.com.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://netdata.mydomain.com;
                auth_basic      "Restricted netdata.mydomain.com";
                auth_basic_user_file    /etc/nginx/htpasswd/netdata.mydomain.com;
        }
}
# plex.mydomain.com
upstream plex.mydomain.com {
                                ## Can be connected with "docker_default" network
                        # plex
                        server 172.26.0.2:32400;
}
server {
        server_name plex.mydomain.com;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        return 301 https://$host$request_uri;
}
server {
        server_name plex.mydomain.com;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/plex.mydomain.com.crt;
        ssl_certificate_key /etc/nginx/certs/plex.mydomain.com.key;
        ssl_dhparam /etc/nginx/certs/plex.mydomain.com.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/plex.mydomain.com.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass https://plex.mydomain.com;
        }
}
# portainer.mydomain.com
upstream portainer.mydomain.com {
                                ## Can be connected with "docker_default" network
                        # portainer
                        server 172.26.0.8:9000;
}
server {
        server_name portainer.mydomain.com;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        return 301 https://$host$request_uri;
}
server {
        server_name portainer.mydomain.com;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/portainer.mydomain.com.crt;
        ssl_certificate_key /etc/nginx/certs/portainer.mydomain.com.key;
        ssl_dhparam /etc/nginx/certs/portainer.mydomain.com.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/portainer.mydomain.com.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://portainer.mydomain.com;
        }
}
# radarr.mydomain.com
upstream radarr.mydomain.com {
                                ## Can be connected with "docker_default" network
                        # radarr
                        server 172.26.0.9:7878;
}
server {
        server_name radarr.mydomain.com;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        return 301 https://$host$request_uri;
}
server {
        server_name radarr.mydomain.com;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/radarr.mydomain.com.crt;
        ssl_certificate_key /etc/nginx/certs/radarr.mydomain.com.key;
        ssl_dhparam /etc/nginx/certs/radarr.mydomain.com.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/radarr.mydomain.com.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://radarr.mydomain.com;
        }
}
# sonarr.mydomain.com
upstream sonarr.mydomain.com {
                                ## Can be connected with "docker_default" network
                        # sonarr
                        server 172.26.0.10:8989;
}
server {
        server_name sonarr.mydomain.com;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        return 301 https://$host$request_uri;
}
server {
        server_name sonarr.mydomain.com;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/sonarr.mydomain.com.crt;
        ssl_certificate_key /etc/nginx/certs/sonarr.mydomain.com.key;
        ssl_dhparam /etc/nginx/certs/sonarr.mydomain.com.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/sonarr.mydomain.com.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://sonarr.mydomain.com;

As you can see, there is no reference to transmission, which I guess is the reason why the address doesn't load up properly. What am I doing wrong? Is there a proper way to add a custom container and have it load with its own subdomain through the reverse proxy?

Thanks!

nesbcn commented Nov 19, 2018

Sorry for the long post!

nesbcn commented Nov 19, 2018

What is really interesting is that I tried accessing the web UI through http://[server IP]:9091 and it works; I can connect to it. So the reverse proxy definitely isn't doing its thing...

nesbcn commented Nov 19, 2018

I updated the YAML to change the IP address range from LOCAL_NETWORK=127.0.0.1 to 172.27.0.0/16; it seems it was too restrictive. Now the reverse proxy seems to pick up the fact that there is a service running; this is the section from /etc/nginx/conf.d/default.conf that now refers to transmission:

# transmission.mydomain.com
upstream transmission.mydomain.com {
                                ## Can be connected with "docker_default" network
                # transmission
                        server 172.27.0.5 down;
}
server {
        server_name transmission.mydomain.com;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        return 301 https://$host$request_uri;
}
server {
        server_name transmission.mydomain.com;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/transmission.mydomain.com.crt;
        ssl_certificate_key /etc/nginx/certs/transmission.mydomain.com.key;
        ssl_dhparam /etc/nginx/certs/transmission.mydomain.com.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/transmission.mydomain.com.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://transmission.mydomain.com;
        }
}

Also, the webUI is left wide open, I can't set a password or any form of authentication...
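The upstream quoted above is written as `server 172.27.0.5 down;` with no port, and its location block carries no auth_basic, unlike the netdata vhost earlier in the thread. As an added example, not part of this issue or of the Gooby project, the Python script below parses a docker-gen generated default.conf and reports vhosts that were never generated, upstreams marked down, and HTTPS vhosts with no basic auth in front; the sample config and the expected host list are constructed from the excerpts in the thread, and the reading of `down` as "no container port could be paired with the vhost" is an assumption about nginx-proxy's template.

```python
import re

# Constructed sample: a trimmed copy of the docker-gen output quoted in the
# issue (one vhost behind basic auth, one whose backend is marked "down").
SAMPLE_CONF = """
# netdata.mydomain.com
upstream netdata.mydomain.com {
        server 172.26.0.7:19999;
}
server {
        server_name netdata.mydomain.com;
        listen 443 ssl http2 ;
        location / {
                proxy_pass http://netdata.mydomain.com;
                auth_basic "Restricted netdata.mydomain.com";
                auth_basic_user_file /etc/nginx/htpasswd/netdata.mydomain.com;
        }
}
# transmission.mydomain.com
upstream transmission.mydomain.com {
        # transmission
        server 172.27.0.5 down;
}
server {
        server_name transmission.mydomain.com;
        listen 443 ssl http2 ;
        location / {
                proxy_pass http://transmission.mydomain.com;
        }
}
"""
# VIRTUAL_HOST values expected from the compose file (constructed; plex shows
# how a vhost that docker-gen never generated gets reported).
EXPECTED_HOSTS = ["netdata.mydomain.com", "transmission.mydomain.com", "plex.mydomain.com"]

def top_level_blocks(conf):
    """Return (header, body) per brace block at depth 0; nested blocks such
    as 'location / { ... }' stay inside their parent's body."""
    blocks, depth, header, body_start, header_start = [], 0, "", 0, 0
    for i, ch in enumerate(conf):
        if ch == "{":
            if depth == 0:
                lines = conf[header_start:i].strip().splitlines()
                header = lines[-1].strip() if lines else ""
                body_start = i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                blocks.append((header, conf[body_start:i]))
                header_start = i + 1
    return blocks

def audit(conf, expected_hosts):
    """Findings per category: missing (no vhost generated), down (backend written
    as 'server <ip> down', assumed to mean no container port could be paired
    with the vhost), unauthenticated (HTTPS vhost with no auth_basic)."""
    upstreams, https_vhosts = {}, {}
    for header, body in top_level_blocks(conf):
        if header.startswith("upstream "):
            upstreams[header.split()[1]] = re.findall(r"\bserver\s+([^;]+);", body)
        elif header == "server":
            name = re.search(r"\bserver_name\s+([^;]+);", body)
            listen = re.search(r"\blisten\s+([^;]+);", body)
            if not name or not listen or "443" not in listen.group(1):
                continue  # only the HTTPS vhosts front the proxied UI
            host = name.group(1).strip()
            if host != "_":  # "_" is nginx-proxy's catch-all 503 server
                https_vhosts[host] = body
    return {
        "missing": sorted(h for h in expected_hosts if h not in https_vhosts),
        "down": sorted(h for h, servers in upstreams.items()
                       if any(s.strip().endswith(" down") for s in servers)),
        "unauthenticated": sorted(h for h, body in https_vhosts.items()
                                  if not re.search(r"\bauth_basic\s", body)),
    }
```

Run it against a copy of the real file (e.g. `docker exec nginx-proxy cat /etc/nginx/conf.d/default.conf`) and the VIRTUAL_HOST list from the compose file; a host in `unauthenticated` is reachable from the Internet with nothing but the application's own login, if it has one.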

@TechPerplexed
Owner

Interesting! Yeah, a reverse proxy would probably not work out of the box with OpenVPN... not sure what can be done. And it seems like you have been doing quite a bit of homework on this yourself :D

Let me know what you come up with - and I'll keep my eyes open too (but no promises, this is quite a bit beyond the scope of what Gooby was intended for haha).

@kelinger

I would leave off any of the network settings to begin with. This includes the DNS and LOCAL_NETWORK. If you NEED a local network, then the /16 should work, but this won't be very portable (i.e., if Docker switches to 192.168.x.x/16, for example).

The next thing is that you're VPNing from remote TO this container; if it even works, it will probably terminate inside the Docker container's network. That is, you'll be "local" to Transmission, Plex, etc., but won't have host access. If that's your intention, then it's a reasonable goal. You'll still have Internet access via your VPN, I believe, but it will be going from inside the container through the Docker NAT system to the host and then out from the host to the "real" Internet.

nesbcn commented Nov 20, 2018

Thanks for your comments! I'm holding off on this until I can figure out how to get more bandwidth out of the VPN, since I could connect using the IP address of the VPS.
The local network address range seems to be needed in order to be able to 'see' the container from within the 'local' network, since the container only uses the VPN to access the internet and do its thing. The amended local address range allows the other containers to see this one, but I still haven't figured out how to get the reverse proxy going. In any case, if I can't get more speed out of the VPN, this point is moot.

@TechPerplexed
Owner

Nice, let us know what you come up with @nesbcn :) Always great to see people making the system their own... and adding useful information in the meantime 🥇 I'll close this issue for the moment, but please do share how things went with your enhancements!
