mastrmind11 Posted August 24, 2018

and I can't get it to work, and it's not anything I have visibility into. I can access the external IP (externally) fine, and I set up another DDNS w/ another company and can access my host fine. I would prefer this to not happen ever again, since I have no interest in walking my users through updating the hostname, but I am short on time and already have nginx/etc set up locally. I am also not interested in using Connect. Can someone give the quick and dirty about switching to something permanent? I don't care whether I lose my local nginx, and am willing to pay for a cert (using letsencrypt now), but obviously whatever the solution, it has to support dynamic IP. Ideally something I don't have to think about ever again. I know there's a massive cloudflare topic, but I literally have part-time EST this weekend to solve the problem before all hell breaks loose. Appreciate any insight.
Swynol Posted August 25, 2018

You can use Cloudflare. They have their own DDNS client which you install on your server, and it updates Cloudflare every time your IP changes. Cloudflare certs are 20 year certs. You will need to create a Cloudflare account, then you will need to change the nameservers with your current domain registrar to point them to Cloudflare. Fairly straightforward after this.
mastrmind11 (Author) Posted August 25, 2018

> You can use Cloudflare. They have their own DDNS client which you install on your server, and it updates Cloudflare every time your IP changes. Cloudflare certs are 20 year certs. You will need to create a Cloudflare account, then you will need to change the nameservers with your current domain registrar to point them to Cloudflare. Fairly straightforward after this.

Ok, got everything set up w/ Namecheap and Cloudflare. Seems to be working great. One question I have, and this might be directed at @pir8radio, is that I have created a subdomain emby.mydomain.com, but I can still access Emby using mydomain.com, as well as my other subdomains (vpn, ssh) that I set up through Cloudflare. My nginx config explicitly lists emby.mydomain.com only. I've gone down the server_name _; deny all; path in a distinct server block, which subsequently blocks everything (including the emby subdomain). Any ideas? My impression was that the deny all; block only applies to server blocks not already defined?? Thanks
mastrmind11 (Author) Posted August 26, 2018

All of the subdomains are CNAMEs, which obviously all point back to my WAN IP. It's like nginx is ignoring the server_name directive. If my default site is deny all, but I have a server_name set up as emby.whatever.com in a different block, according to the nginx docs that's all that's required. Instead, everything is denied until I remove the default site.

Breakdown: I have emby.whatever.com set up in CF as orange. I deleted the *.whatever.com CNAME. I have ssh.whatever.com and vpn.whatever.com set up in CF as gray. Whenever I go to emby/ssh/vpn/www.whatever.com via the browser, they get the Emby login page. I want ssh/vpn/* to get denied and only the emby subdomain to go through. This seems like the most basic config, but I'm at a loss at this point.
pir8radio Posted August 26, 2018

> All of the subdomains are CNAMEs, which obviously all point back to my WAN IP. It's like nginx is ignoring the server_name directive. If my default site is deny all, but I have a server_name set up as emby.whatever.com in a different block, according to the nginx docs that's all that's required. Instead, everything is denied until I remove the default site. Breakdown: I have emby.whatever.com set up in CF as orange. I deleted the *.whatever.com CNAME. I have ssh.whatever.com and vpn.whatever.com set up in CF as gray. Whenever I go to emby/ssh/vpn/www.whatever.com via the browser, they get the Emby login page. I want ssh/vpn/* to get denied and only the emby subdomain to go through. This seems like the most basic config, but I'm at a loss at this point.

The CNAMEs all need to point to whatever.com (your A record). That is how you have it, correct?
mastrmind11 (Author) Posted August 27, 2018

> The CNAMEs all need to point to whatever.com (your A record). That is how you have it, correct?

Yes.
pir8radio Posted August 28, 2018

> Yes.

Humm, maybe I am misunderstanding your issue then. Can you try to explain it again... I'm a little slow.
mastrmind11 (Author) Posted August 28, 2018 (edited)

> Humm, maybe I am misunderstanding your issue then. Can you try to explain it again... I'm a little slow.

Nah, I'm probably describing it wrong. I'll try again:

I have a CF account pointing to a registered domain. I have CF set up w/ a few CNAME entries, e.g. emby, ssh, vpn, that all point back to my WAN. (ssh and vpn are passthrough on CF (gray cloud).) When I go to *.mydomain.com, they ALL go to the Emby login page. What I want is for everything besides emby.mydomain.com to get a 404 or something when they come over http/s.

When I add emby.mydomain.com to nginx and add a separate block for server_name _; deny all; as a default server, it blocks everything, including the emby subdomain. When I remove the block, *.mydomain.com all go to my Emby login page. This is contrary to everything the nginx docs are stating, and I'm trying to figure out whether I'm missing an nginx setting or what.

All I'm trying to accomplish is to block everything that isn't electively proxied by CF, while still maintaining my local nginx so I can see access data in netdata. Hope that clears it up?

Edited August 28, 2018 by mastrmind11
pir8radio Posted August 28, 2018 (edited)

> Nah, I'm probably describing it wrong. I'll try again: I have a CF account pointing to a registered domain. I have CF set up w/ a few CNAME entries, e.g. emby, ssh, vpn, that all point back to my WAN. (ssh and vpn are passthrough on CF (gray cloud).) When I go to *.mydomain.com, they ALL go to the Emby login page. What I want is for everything besides emby.mydomain.com to get a 404 or something when they come over http/s. When I add emby.mydomain.com to nginx and add a separate block for server_name _; deny all; as a default server, it blocks everything, including the emby subdomain. When I remove the block, *.mydomain.com all go to my Emby login page. This is contrary to everything the nginx docs are stating, and I'm trying to figure out whether I'm missing an nginx setting or what. All I'm trying to accomplish is to block everything that isn't electively proxied by CF, while still maintaining my local nginx so I can see access data in netdata. Hope that clears it up?

Post your nginx config... I think I get what you are saying now. nginx should ignore anything not set in the server line. You should only have emby.blah.com in your nginx config, and you should not have a block set to default, or everything else will default to that one. So I have a default block that looks like this:

    server {
        listen [::]:80 default_server;
        listen 80 default_server;
        listen [::]:443 ssl http2 default_server;
        listen 443 ssl http2 default_server;
        return 444;
        ssl_session_timeout 10m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate ssl/public.pem;
        ssl_certificate_key ssl/private.pem;
        ssl_session_cache shared:SSL:10m;
    }

That block will catch anything I don't have set up and throw them a 444 error, which basically just cuts them off without a response. Then I start my other blocks below that. All of the below blocks should contain a full domain name like emby.site.com or blah.site.com.

Edited August 28, 2018 by pir8radio
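The catch-all pattern above works because of how nginx chooses a server block, not because of the name `_`. The following is an added example, written for this thread and not code from the thread, from nginx or from Emby: a small Python model of nginx's documented selection order (exact name, longest leading wildcard, longest trailing wildcard, first regular expression, then the port's default server). The `Server` class, the labels, the `action` strings and the hostnames are constructed for the example; the certificate paths and the upstream address mirror the config posted in the thread. The model goes a little beyond the thread by also handling wildcard and regex names, so the precedence rules can be checked on realistic input.

```python
"""Model of nginx server-block selection for a catch-all default_server.

Added example for this thread, not nginx code. Server definitions
below are constructed to mirror the posted configs.
"""
import re
from dataclasses import dataclass


@dataclass
class Server:
    label: str                  # readable name for results only
    ports: tuple                # ports the block listens on
    server_names: tuple = ()    # exact, *.wild, wild.* or ~regex names
    default_server: bool = False
    certificate: str = ""       # cert path presented in the TLS handshake
    action: str = "proxy"       # what the block does with the request


def default_for_port(servers, port):
    """nginx uses the block marked default_server on that port, or the
    first block listening on the port when none is marked."""
    on_port = [s for s in servers if port in s.ports]
    marked = [s for s in on_port if s.default_server]
    if marked:
        return marked[0]
    return on_port[0] if on_port else None


def select_server(servers, port, host):
    """Pick the block in the order nginx documents. The name "_" is not
    special: it never matches a real host, so a block with server_name _
    only receives traffic when it is the port's default server."""
    host = host.lower().rstrip(".")
    on_port = [s for s in servers if port in s.ports]

    for s in on_port:  # 1. exact name
        if host in [n.lower() for n in s.server_names]:
            return s

    best, best_len = None, -1  # 2. *.example.com, longest wins
    for s in on_port:
        for n in s.server_names:
            if n.startswith("*.") and host.endswith(n[1:]) and len(n) > best_len:
                best, best_len = s, len(n)
    if best:
        return best

    best, best_len = None, -1  # 3. mail.*, longest wins
    for s in on_port:
        for n in s.server_names:
            if n.endswith(".*") and host.startswith(n[:-1]) and len(n) > best_len:
                best, best_len = s, len(n)
    if best:
        return best

    for s in on_port:  # 4. first matching ~regex in config order
        for n in s.server_names:
            if n.startswith("~") and re.search(n[1:], host):
                return s

    return default_for_port(servers, port)  # 5. nobody claimed the host


# Constructed to mirror the thread: one catch-all block, one Emby block.
CATCH_ALL = Server("catch-all", (80, 443), ("_",), default_server=True,
                   certificate="/etc/ssl/certs/cert.pem", action="return 444")
EMBY = Server("emby", (443,), ("emby.mydomain.net",),
              certificate="/etc/ssl/certs/cert.pem",
              action="proxy_pass http://10.0.1.152:8096")
SERVERS = [CATCH_ALL, EMBY]


def route(host, port=443, servers=SERVERS):
    """Label and action of the block that would answer host on port."""
    s = select_server(servers, port, host)
    return (s.label, s.action) if s else (None, None)


if __name__ == "__main__":
    for h in ("emby.mydomain.net", "ssh.mydomain.net", "mydomain.net"):
        print(h, route(h))
    # No :80 block names the Emby host, so plain HTTP is cut off too.
    print("emby over plain http:", route("emby.mydomain.net", port=80))
```

Two things the model makes visible: the Emby block only wins for the exact name it lists, so every other host (including the bare domain) lands on the catch-all and gets 444; and because the Emby block listens on 443 only, a plain-HTTP request for emby.mydomain.net also lands on the catch-all. For HTTPS the same selection happens on the SNI name before any HTTP header is read, so an unmatched subdomain is answered with the default server's certificate, which is why a browser shows a certificate warning before the 444 cut-off.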
mastrmind11 (Author) Posted August 28, 2018 (edited)

Yeah, that's what I'm trying to accomplish too, except everything gets denied. Here's my conf w/o the deny server block. Pretty standard.

edit: Just tried w/ your deny block and it denies everything too...

    server {
        # SSL configuration
        include /etc/nginx/proxy.conf;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name emby.mydomain.net 10.0.1.152;

        #Add HSTS Header
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        include /etc/nginx/snippets/strong-ssl.conf;
        ssl on;
        ssl_certificate /etc/ssl/certs/cert.pem;
        ssl_certificate_key /etc/ssl/private/key.pem;

        # Root location
        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.php index.nginx-debian.html;

        # Change the client side error pages (4xx) to prevent some information disclosure
        error_page 401 403 404 /404.html;

        # Deny access to .htaccess files, if Apache's document
        # root concurs with nginx's one
        location ~ /\.ht {
            deny all;
        }

        location / {
            proxy_pass http://10.0.1.152:8096;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection; #fixed connection header
        }
    }

Edited August 28, 2018 by mastrmind11
pir8radio Posted August 28, 2018

> Yeah, that's what I'm trying to accomplish too, except everything gets denied. Here's my conf w/o the deny server block. Pretty standard.
>
> edit: Just tried w/ your deny block and it denies everything too...
>
>     server {
>         # SSL configuration
>         include /etc/nginx/proxy.conf;
>         listen 443 ssl http2;
>         listen [::]:443 ssl http2;
>         server_name emby.mydomain.net 10.0.1.152;
>
>         #Add HSTS Header
>         add_header Strict-Transport-Security "max-age=15552000; preload" always;
>         include /etc/nginx/snippets/strong-ssl.conf;
>         ssl on;
>         ssl_certificate /etc/ssl/certs/cert.pem;
>         ssl_certificate_key /etc/ssl/private/key.pem;
>
>         # Root location
>         root /var/www/html;
>
>         # Add index.php to the list if you are using PHP
>         index index.html index.htm index.php index.nginx-debian.html;
>
>         # Change the client side error pages (4xx) to prevent some information disclosure
>         error_page 401 403 404 /404.html;
>
>         # Deny access to .htaccess files, if Apache's document
>         # root concurs with nginx's one
>         location ~ /\.ht {
>             deny all;
>         }
>
>         location / {
>             proxy_pass http://10.0.1.152:8096;
>             proxy_set_header Range $http_range;
>             proxy_set_header If-Range $http_if_range;
>             proxy_set_header X-Real-IP $remote_addr;
>             proxy_set_header Host $host;
>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>             #Next three lines allow websockets
>             proxy_http_version 1.1;
>             proxy_set_header Upgrade $http_upgrade;
>             proxy_set_header Connection $http_connection; #fixed connection header
>         }
>     }

Why do you have a local IP in the server_name? If you are local you probably want to skip nginx anyway. I would remove that. What is in your /etc/nginx/proxy.conf config?
mastrmind11 (Author) Posted August 28, 2018

> Why do you have a local IP in the server_name? If you are local you probably want to skip nginx anyway. I would remove that. What is in your /etc/nginx/proxy.conf config?

No reason. I suppose I can remove it, but that wouldn't be causing the issue, I'd imagine. Here's proxy.conf:

    client_max_body_size 10m;
    client_body_buffer_size 128k;

    #Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # Advanced Proxy Config
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
    proxy_hide_header X-Frame-Options;

    # Basic Proxy Config
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 32 4k;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
pir8radio Posted August 28, 2018 (edited)

> No reason. I suppose I can remove it, but that wouldn't be causing the issue, I'd imagine. Here's proxy.conf:
>
>     client_max_body_size 10m;
>     client_body_buffer_size 128k;
>
>     #Timeout if the real server is dead
>     proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
>
>     # Advanced Proxy Config
>     send_timeout 5m;
>     proxy_read_timeout 240;
>     proxy_send_timeout 240;
>     proxy_connect_timeout 240;
>     proxy_hide_header X-Frame-Options;
>
>     # Basic Proxy Config
>     proxy_set_header Host $host:$server_port;
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_set_header X-Forwarded-Proto https;
>     proxy_redirect http:// $scheme://;
>     proxy_http_version 1.1;
>     proxy_set_header Connection "";
>     proxy_cache_bypass $cookie_session;
>     proxy_no_cache $cookie_session;
>     proxy_buffers 32 4k;
>     proxy_set_header Upgrade $http_upgrade;
>     proxy_set_header Connection "upgrade";

It could be. If you have no header info, it could be directing to that server section based on the bound IP instead, catching everything including emby.domain.com. When you removed it, do you still have the same issue? And did you put my server section (with your cert info) first? So the block server section should be first, then your regular sites below.

Edited August 28, 2018 by pir8radio
mastrmind11 (Author) Posted August 28, 2018

> It could be. If you have no header info, it could be directing to that server section based on the bound IP instead, catching everything including emby.domain.com. When you removed it, do you still have the same issue? And did you put my server section (with your cert info) first? So the block server section should be first, then your regular sites below.

Removed the local IP and added your default block w/ my cert paths to the top: everything including the emby domain gets blocked. Removed the default block: every subdomain loads the Emby login page. I wonder if I've got some legacy port forwarding rules set up on my USG. Haven't looked at it in quite a while.
pir8radio Posted August 28, 2018

> Removed the local IP and added your default block w/ my cert paths to the top: everything including the emby domain gets blocked. Removed the default block: every subdomain loads the Emby login page. I wonder if I've got some legacy port forwarding rules set up on my USG. Haven't looked at it in quite a while.

Humm... something is goofy... If you have time, PM me your whole config if you are willing. Maybe missing an open or close bracket. Strange.
mastrmind11 (Author) Posted August 28, 2018

> Humm... something is goofy... If you have time, PM me your whole config if you are willing. Maybe missing an open or close bracket. Strange.

Wouldn't nginx -t catch a missing bracket? My entire config is posted above, as is the included proxy.conf. Thanks for the help. Could this be a Cloudflare setting I'm missing or something?
pir8radio Posted August 28, 2018

> Wouldn't nginx -t catch a missing bracket? My entire config is posted above, as is the included proxy.conf. Thanks for the help. Could this be a Cloudflare setting I'm missing or something?

I don't think it's CF, but you can grey cloud it to test. When you say everything gets blocked, what error are you getting? Did that error change when you used my block?
mastrmind11 (Author) Posted August 28, 2018

> I don't think it's CF, but you can grey cloud it to test. When you say everything gets blocked, what error are you getting? Did that error change when you used my block?

Yeah, gray cloud shouldn't make a difference since https traffic is making it, and I'm forcing https. I'm on the train right now, but iirc it's a 545 invalid cert or something along those lines. But I'm definitely using the same cert path in the deny block as I am in the working route. It's like the route is completely getting ignored... I hit the Emby login page if I don't use a subdomain at all, and I've explicitly removed the www CNAME from CF.
pir8radio Posted August 28, 2018

> Yeah, gray cloud shouldn't make a difference since https traffic is making it, and I'm forcing https. I'm on the train right now, but iirc it's a 545 invalid cert or something along those lines. But I'm definitely using the same cert path in the deny block as I am in the working route. It's like the route is completely getting ignored... I hit the Emby login page if I don't use a subdomain at all, and I've explicitly removed the www CNAME from CF.

Well, when you get time, post the Cloudflare DNS setup page. I assume it is correct, though.
mastrmind11 (Author) Posted August 28, 2018 (edited)

> Well, when you get time, post the Cloudflare DNS setup page. I assume it is correct, though.

I'm also gonna tail nginx logs, which would likely be super helpful; just need to find the time. Thanks for the help.

Edited August 28, 2018 by mastrmind11
mastrmind11 (Author) Posted August 28, 2018 (edited)

One thing I've noticed since switching to CF, and I highly doubt it's related, is:

    nginx: [warn] "ssl_stapling" ignored, issuer certificate not found

I'd love to get that to go away, but I'd prefer to get my subs to work first.

edit: So tailing the logs w/ explicit subdomain blocks, nginx reports a 444, which is the correct error, except it happens for emby.whatever.com too. FFS. I'll keep digging.

edit2: So requests to mydomain.com get logged as 444; anything else doesn't even hit my server.

edit3: If I accept the no cert warning in the browser, I can hit the server from the subdomains but get a 444 when I get there.

Edited August 28, 2018 by mastrmind11
pir8radio Posted August 29, 2018 (edited)

What's in your SSL include config (/etc/nginx/snippets/strong-ssl.conf)? Something in your nginx is redirecting, which is why you keep hitting Emby. The configs you posted in the forum above do not show any kind of redirects, yet nginx is redirecting (302) me to your Emby. Scratch that, still want to see what's in the SSL include though. Can you PM me a screenshot of your CF setup?

Edited August 29, 2018 by pir8radio
mastrmind11 (Author) Posted August 29, 2018 (edited)

> What's in your SSL include config (/etc/nginx/snippets/strong-ssl.conf)? Something in your nginx is redirecting, which is why you keep hitting Emby. The configs you posted in the forum above do not show any kind of redirects, yet nginx is redirecting (302) me to your Emby. Scratch that, still want to see what's in the SSL include though. Can you PM me a screenshot of your CF setup?

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;

    # Set Google's public DNS servers as upstream resolver
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000; includeSubdomains" always;
    # Modify X-Frame-Option from DENY to SAMEORIGIN, required for Deluge Web UI, ownCloud, etc.
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;

    # Use the 2048 bit DH key
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

I'll PM you a screenshot in a minute. Actually did it last night but forgot to send it.

edit: However, I've commented that line and the conf line out before and it still doesn't work.

Edited August 29, 2018 by mastrmind11
pir8radio Posted August 29, 2018

    server {
        listen [::]:80 default_server;
        listen 80 default_server;
        listen [::]:443 ssl http2 default_server;
        listen 443 ssl http2 default_server;
        return 444;
        ssl_session_timeout 10m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate ssl/public.pem;
        ssl_certificate /etc/ssl/certs/cert.pem;
        ssl_certificate_key /etc/ssl/private/key.pem;
    }

    server {
        # SSL configuration
        include /etc/nginx/proxy.conf;
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        server_name emby.mydomain.net;

        #Add HSTS Header
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        include /etc/nginx/snippets/strong-ssl.conf;
        ssl on;
        ssl_certificate /etc/ssl/certs/cert.pem;
        ssl_certificate_key /etc/ssl/private/key.pem;

        # Root location
        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.php index.nginx-debian.html;

        # Change the client side error pages (4xx) to prevent some information disclosure
        error_page 401 403 404 /404.html;

        # Deny access to .htaccess files, if Apache's document
        # root concurs with nginx's one
        location ~ /\.ht {
            deny all;
        }

        location / {
            proxy_pass http://10.0.1.152:8096;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection; #fixed connection header
        }
    }

So what does this exact config do after a save/nginx reload?
mastrmind11 (Author) Posted August 30, 2018 (edited)

>     server {
>         listen [::]:80 default_server;
>         listen 80 default_server;
>         listen [::]:443 ssl http2 default_server;
>         listen 443 ssl http2 default_server;
>         return 444;
>         ssl_session_timeout 10m;
>         ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
>         ssl_certificate ssl/public.pem;
>         ssl_certificate /etc/ssl/certs/cert.pem;
>         ssl_certificate_key /etc/ssl/private/key.pem;
>     }
>
>     server {
>         # SSL configuration
>         include /etc/nginx/proxy.conf;
>         listen 443 ssl http2;
>         listen [::]:443 ssl http2;
>         server_name emby.mydomain.net;
>
>         #Add HSTS Header
>         add_header Strict-Transport-Security "max-age=15552000; preload" always;
>         include /etc/nginx/snippets/strong-ssl.conf;
>         ssl on;
>         ssl_certificate /etc/ssl/certs/cert.pem;
>         ssl_certificate_key /etc/ssl/private/key.pem;
>
>         # Root location
>         root /var/www/html;
>
>         # Add index.php to the list if you are using PHP
>         index index.html index.htm index.php index.nginx-debian.html;
>
>         # Change the client side error pages (4xx) to prevent some information disclosure
>         error_page 401 403 404 /404.html;
>
>         # Deny access to .htaccess files, if Apache's document
>         # root concurs with nginx's one
>         location ~ /\.ht {
>             deny all;
>         }
>
>         location / {
>             proxy_pass http://10.0.1.152:8096;
>             proxy_set_header Range $http_range;
>             proxy_set_header If-Range $http_if_range;
>             proxy_set_header X-Real-IP $remote_addr;
>             proxy_set_header Host $host;
>             proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>             #Next three lines allow websockets
>             proxy_http_version 1.1;
>             proxy_set_header Upgrade $http_upgrade;
>             proxy_set_header Connection $http_connection; #fixed connection header
>         }
>     }
>
> So what does this exact config do after a save/nginx reload?

    bill@XeonServer:/etc/nginx/sites-available$ sudo nginx -t
    nginx: [emerg] "ssl_certificate" directive is duplicate in /etc/nginx/sites-enabled/reverse:12

which makes sense. Is that what you were expecting?

edit: So I commented out the dupe ssl_certificate line (public.pem), and commented out the strong-ssl.conf line, and now it works as expected. Also got rid of the ssl_stapling error, which was expected. Sadly, I'm fairly certain I tried this solution already, iteratively, but probably lost track? In any case, thank you so much for your help bro, I owe you a round or 4.

Edited August 30, 2018 by mastrmind11