Beiträge von mpbtwok

mpbtwok

Okay.... Ich hatte wohl noch vom cyanlabs.net eine ältere Version. Habe nun die von hier nochmals 1:1 von vorne bearbeitet. Einzig die Zeile mit

Code

ssl_ciphers 'MIIDMjCCAhoCCQDj1/RgLVgxzDANBgkqhkiG9w0BAQsFADBbMQswCQYDVQQIDAJD
QTERMA8GA1UEBwwIQ2FybHNiYWQxFzAVBgNVBAoMDkxpbnV4c2VydmVyLmlvMRQw
EgYDVQQLDAtMU0lPIFNlcnZlcjEKMAgGA1UEAwwBKjAeFw0xODAxMTIyMDQ1MDla
Fw0yODAxMTAyMDQ1MDlaMFsxCzAJBgNVBAgMAkNBMREwDwYDVQQHDAhDYXJsc2Jh
ZDEXMBUGA1UECgwOTGludXhzZXJ2ZXIuaW8xFDASBgNVBAsMC0xTSU8gU2VydmVy
MQowCAYDVQQDDAEqMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAt4rT
nbga4kHCXI5hLB0yBj0PSGRTbFUFzC0vb9gAnJ6ZZny8lgYNNjBZVF15r/9rt7x9
xWMXaxIVA/G1gufYIwiTLtfgocu/Pf+FZ2QuV6zoq9AYtcapVcqPyzSIM0Gx0mmd
VS9Zbb1VKXeO0MD4AIzjnfMpOMeoy/XrJOdsheW418GZAHe7CN1Lf6K8FQmK/s/W
zwG/9jMrXoQ2NZTlG8QRe+yq0MJAXNmiIscod0BTtIJ5yu+c1jXal+bOkqzwwT/U
AHSixt879jS8i8Vqs2Rj5LsX5vwV6OSxHECtwZ4GIRXPv1c92qrGD/2YmK17fs1Y
4mXrpJnUprwrvTW0NwIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBFI6EuTSOlJCfx
cyqTGcl+0C7IWEF7jysUAvl9yvZrbMDIIk7lAkdfrwMYhfLp9CfvWGyAe6XNKLPT
SUOP1o3DZQfPjebbBFntI3vqjpKJn6LC9EP42H7ZoZ2LQTs1SHgIS3yxUm8FOsd1
l/8D//JjsYpd63aSDMDgJucOAbZrrIN1T+V+FvZwYPtTvZIiW9yhCV1KEhN7TwUY
pXKyeTXZY6oin0viYebM5aCuFqO2HYLRCDkrJrhamvKkjW86O69AI8kiJUC3ciar
ObwRBmJiB1fhZ5i9FpW8N8NPBQ2e3rNm9etoaJbw5edxmAfbhNYlQzLWDyeLlIKF
JD4d+HsS';

Alles anzeigen

musste ich ebenfalls durch

Code

ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA

ersetzen.

Weiters durfte ich nicht die NextCloud config ändern bis auf den weiteren trusted Domain.

Nun funktioniert es. Danke für die Hints.

mpbtwok

Hallo,

danke für die Rückmeldung.

Bisher 6.4.1. habe es aber jetzt bereits ebenso in 6.5. probiert.
Unraid Ports sind auf andere als 80/443 geändert.
Ports - Ja. Mit Jwilders Nginx + LetsEncrypt funktioniert's (außer Nextcloud)
Config habe ich meines wissens befolgt, jedoch nicht mit Duckdns, sondern eigener Domain und eben nur für 2 Docker-Container und nur als Subdomain Config.

mpbtwok

Servus,

nach dem ich jetzt 2 Tage verschissen habe in der Hoffnung "Traefik" am laufen zu kommen und dann doch aufzugeben habe ich nun jetzt auch Probleme mit meinen LetsEnycrpt Config, womöglich entdeckt jemand von Euch meinen Fehler - ich blick nicht mehr durch.

Schon mal ein Danke-Vorab.

LetsEncrypt Container

LetsEncrypt Default-Config

Code

upstream backend {
	server 192.168.0.99:19999;
	keepalive 64;
}


server {
	listen 443 ssl default_server;
	listen 80 default_server;
	root /config/www;
	index index.html index.htm index.php;


	server_name _;


	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;


	client_max_body_size 0;


	location = / {
		return 301;
	}
	location / {
		include /config/nginx/proxy.conf;
		proxy_pass https://192.168.0.99:1316/;
	}
}
server {
	listen 443 ssl;
	listen 80;
	root /config/www;
	index index.html index.htm index.php;


	server_name cloud.domain.com;


	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;


	client_max_body_size 0;


	location = / {
		return 301;
	}
	location / {
		include /config/nginx/proxy.conf;
		proxy_pass https://192.168.0.99:1317/;
	}
}
server {
	listen 443 ssl;
	listen 80;
	root /config/www;
	index index.html index.htm index.php;


	server_name guacamole.domain.com;


	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;


	client_max_body_size 0;


	location = / {
		return 301;
	}
	location / {
		include /config/nginx/proxy.conf;
		proxy_pass https://192.168.0.99:1317/;
	}
}

Alles anzeigen

NextCloud Config.php

PHP: config.php

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => '123',
  'passwordsalt' => '123',
  'secret' => '123',
  'trusted_domains' => 
  array (
    0 => '192.168.0.99:13164',
    1 => 'cloud.domain.com',
	2 => 'domain.com',
  ),
'trusted_proxies' => '192.168.0.99',
'overwritewebroot' => '/',
'overwrite.cli.url' => '/',
  'dbtype' => 'sqlite3',
  'version' => '13.0.0.14',
  'installed' => true,
);

Alles anzeigen

NextCloud Default

Code: nextcloud.default

upstream php-handler {
  server 127.0.0.1:9000;
# server unix:/var/run/php/php7.0-fpm.sock;
}


server {
  listen 80;
  server_name _;
  # enforce https
  return 301 https://$server_name$request_uri;
}


server {
  listen 443 ssl;
  server_name _;


  ssl_certificate /config/keys/cert.crt;
  ssl_certificate_key /config/keys/cert.key;


  # Add headers to serve security related headers
  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
  add_header X-Content-Type-Options nosniff;
  # add_header X-Frame-Options "SAMEORIGIN";
  add_header X-XSS-Protection "1; mode=block";
  add_header X-Robots-Tag none;
  add_header X-Download-Options noopen;
  add_header X-Permitted-Cross-Domain-Policies none;


  # Path to the root of your installation
  root /config/www/;
  # set max upload size
  client_max_body_size 10G;
  fastcgi_buffers 64 4K;


  # Disable gzip to avoid the removal of the ETag header
  gzip off;


  # Uncomment if your server is build with the ngx_pagespeed module
  # This module is currently not supported.
  #pagespeed off;


  index index.php;
  error_page 403 /core/templates/403.php;
  error_page 404 /core/templates/404.php;


  rewrite ^/.well-known/carddav /remote.php/dav/ permanent;
  rewrite ^/.well-known/caldav /remote.php/dav/ permanent;


  # The following 2 rules are only needed for the user_webfinger app.
  # Uncomment it if you're planning to use this app.
  #rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
  #rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json last;


  location = /robots.txt {
    allow all;
    log_not_found off;
    access_log off;
  }


  location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ {
    deny all;
  }


  location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) {
    deny all;
  }


  location / {


    rewrite ^/remote/(.*) /remote.php last;


    rewrite ^(/core/doc/[^\/]+/)$ $1/index.html;


    try_files $uri $uri/ =404;
  }


  location ~ \.php(?:$|/) {
    fastcgi_split_path_info ^(.+\.php)(/.+)$;
    include /etc/nginx/fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_param PATH_INFO $fastcgi_path_info;
    fastcgi_param HTTPS on;
    fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice
    fastcgi_pass php-handler;
    fastcgi_intercept_errors on;
  }


  # Adding the cache control header for js and css files
  # Make sure it is BELOW the location ~ \.php(?:$|/) { block
  location ~* \.(?:css|js)$ {
    add_header Cache-Control "public, max-age=7200";
    # Add headers to serve security related headers
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Robots-Tag none;
    add_header X-Download-Options noopen;
    add_header X-Permitted-Cross-Domain-Policies none;
    # Optional: Don't [definition='1','0']log[/definition] access to assets
    access_log off;
  }


  # Optional: Don't [definition='1','0']log[/definition] access to other assets
  location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ {
    access_log off;
  }
}

Alles anzeigen

Vielen Dank.

Beiträge von mpbtwok

Mini-Tutorial / How to: Reverse Proxy unter Unraid

Mini-Tutorial / How to: Reverse Proxy unter Unraid

Mini-Tutorial / How to: Reverse Proxy unter Unraid