Hey there,
I have a SWAG Docker setup up and running and I'm thinking, is there any possibility to point the certificate to the OMV web config (instead of manually import the file?).
This way, the certificate will be automatically renewed by SWAG and no interaction is needed by the Admin (me 
anylonger.
Thanks
Yes.
I'm away from the PC but I'll post a sample as soon as I can.
is there any possibility to point the certificate to the OMV web config (instead of manually import the file?).
Here is the one that I use.
It's best to first, change the port OMV runs on to something high (in this case is port=50000)
You don't say how you are running SWAG but this sample was created to work with a SWAG and Duckdns with wildcard setup and with subdomain access.
Before you try it, better to explain (and show) how you are using SWAG (post your docker-compose/STACK, hiding sensible data)
Please, take note of lines #11, 38 and 39
They need to match your server
Go to /path_to Swag_config/nginx/proxy-confs/ and make a file named omv.subdomain.conf.
Past the contents of this code, save and restart SWAG.
# Conf Sample to be used by SWAG Reverse Proxy for access via HTTPS to OpenMediaVault.yourdomain.url
# Example: 'h**ps://omv<yourservername>.yoursubdomain.duckdns.org/'
# If 2 or more instances of OMV are running on the same network, it is necessary to create a .conf
# to each one, with different names and pointing to the proper IPs.
# .
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name omv.*; # note: Set this with a unique name IF running 2 or more OMV servers
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
# enable for Authelia
#include /config/nginx/authelia-server.conf;
#
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
# enable for Authelia
#include /config/nginx/authelia-location.conf;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app 192.168.1.200; # note: edit with the LAN IP of your OpenMediaVault server.
set $upstream_port 50000; # note: same port used on the server for OpenMediaVault.
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# proxy_read_timeout 120s;
access_log off;
}
}Alles anzeigenHey there,
I have a SWAG Docker setup up and running and I'm thinking, is there any possibility to point the certificate to the OMV web config (instead of manually import the file?).
This way, the certificate will be automatically renewed by SWAG and no interaction is needed by the Admin (me
Thanks
Never done it with subfolder, but with subdomain it's easy. This should work the same with OMV 5 or 6. Below assumes you want to access at openmediavault.your.url. Since you already seem to have a cert through the webUI... delete that cert.
1. Change the port that OMV uses from 80, to any other available port (I'll use 99) in the webUI. Now to get to OMV loally, you'll hae to go to IP:port
2. If you purchased a domain, create a CNAME for openmediavault. If you are using duckdns you don't need to do this.
3. cd to your /swag/nginx/proxy-confs folder
4. Copy the subdomain template to a new openmediavault.subdomain.conf
cp _template.subdomain.conf.sample openmediavault.subdomain.conf5. nano openmediavault.subdomain.conf
6. It will look similar to below...
## Version 2021/05/18
# REMOVE THIS LINE BEFORE SUBMITTING: The structure of the file (all of the existing lines) should be kept as close as possible to this template.
# REMOVE THIS LINE BEFORE SUBMITTING: Look through this file for <tags> and replace them. Review other sample files to see how things are done.
# REMOVE THIS LINE BEFORE SUBMITTING: The comment lines at the top of the file (below this line) should explain any prerequisites for using the proxy such as DNS or app settings.
# make sure that your dns has a cname set for <container_name> and that your <container_name> container is not using a base url
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name openmediavault.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
# enable for Authelia
#include /config/nginx/authelia-server.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /ldaplogin;
# enable for Authelia
#include /config/nginx/authelia-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app 192.168.1.166;
set $upstream_port 99;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# REMOVE THIS LINE BEFORE SUBMITTING: Additional proxy settings such as headers go below this line, leave the blank line above.
}
# REMOVE THIS LINE BEFORE SUBMITTING: Some proxies require one or more additional location blocks for things like API or RPC endpoints.
# REMOVE THIS LINE BEFORE SUBMITTING: If the proxy you are making a sample for does not require an additional location block please remove the commented out section below.
# location ~ (/<container_name>)?/api {
# include /config/nginx/proxy.conf;
# include /config/nginx/resolver.conf;
# set $upstream_app <container_name>;
# set $upstream_port <port_number>;
# set $upstream_proto <http or https>;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#
# # REMOVE THIS LINE BEFORE SUBMITTING: Additional proxy settings such as headers go below this line, leave the blank line above.
# }
}Change line 11 to your subomdain name (openmediavault)
Chnage line 37 to your OMV IP address
Change line 38 to your OMV port
Change line 39 to http
7. Save the new openmediavault.subdomain.conf
8. Now add openmediavault to your list of subdomains to swag. If you're using wildcards, then just redeploy swag.
9. Watch your swag log and make sure it pulls a new cert.
Assuming it successfully pulls a new cert... navigate to openmediavault.yourdomain.url and you should have the OMV webUI panel secured w/ SSL.
am curious, what will be the final outcome?
The outcome will be HTTPS://omv.yoursubdomain.duckdns.org
If you follow KM0201 sample, it will be https://openmediavault.yoursubdomain.duckdns.org
The outcome will be HTTPS://omv.yoursubdomain.duckdns.org
If you follow KM0201 sample, it will be https://openmediavault.yoursubdomain.duckdns.org
Correct... I think we were posting at the same time.
Hmm.., when trying to access my server on https://omv.myduckdnsname.duckdns.org:50000 I get:
CodeSSL_ERROR_RX_RECORD_TOO_LONG
Why are you putting the port? Just use the domain.
Edit: And yes, you have to pull a new swag cert, as I detailed. Because you're adding a new domain (omv, openmediavault, whatever you used) it has to pull a new cert.
You should not have opened Port 50000 on your router.
What you are doing is to use swag as a proxy for OMV, so you only access swag, which will proxy your web requests to omv.
The error message you posted tells, you are trying to access a http site by https.
Why are you putting the port? Just use the domain.
I just did for better understanding. So with this config I will enable a reverse proxy on port 50000 which connects itself to 443 for the OMV web page.
I did renew the certificate in SWAG, but it still does not work.
My reverse proxy config file as I use it currently:
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name omv.*; # note: Set this with a unique name IF running 2 or more OMV servers
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
# enable for Authelia
#include /config/nginx/authelia-server.conf;
#
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /login;
# enable for Authelia
#include /config/nginx/authelia-location.conf;
include /config/nginx/proxy.conf;
resolver 127.0.0.11 valid=30s;
set $upstream_app 172.16.10.100; # note: edit with the LAN IP of your OpenMediaVault server.
set $upstream_port 50000; # note: same port used on the server for OpenMediaVault.
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# proxy_read_timeout 120s;
access_log off;
}
}When opening the web page, I get an SSL error instead of a destination unreachable, so the port 50000 is open for incoming connections (which is good). But I still get working connection and only the error:
SSL_ERROR_RX_RECORD_TOO_LONGYou should not have opened Port 50000 on your router.
What you are doing is to use swag as a proxy for OMV, so you only access swag, which will proxy your web requests to omv.
The error message you posted tells, you are trying to access a http site by https.
I did not open the port on my router, because I don't want to make OMV available from the Internet (via port forwarding).
I just added the host name to the DNS hosts list, so that omv.blablabla.duckdns.org is able to be resolved.
My local dns-domain is blablabbla.duckdns.org and so I am able to access all my apps from the LAN (like emby.blablabla.duckdns.org, heimdall.blablabla.duckdns.org etc.). Since there will be automatically renewals the certificate will always be up to date and all clients will be able to verify those certificates without any interaction (because they are from a trusted CA => let's encrypt).
Alles anzeigenI just did for better understanding. So with this config I will enable a reverse proxy on port 50000 which connects itself to 443 for the OMV web page.
I did renew the certificate in SWAG, but it still does not work.
My reverse proxy config file as I use it currently:
CodeAlles anzeigenserver { listen 443 ssl; listen [::]:443 ssl; server_name omv.*; # note: Set this with a unique name IF running 2 or more OMV servers include /config/nginx/ssl.conf; client_max_body_size 0; # enable for ldap auth, fill in ldap details in ldap.conf #include /config/nginx/ldap.conf; # enable for Authelia #include /config/nginx/authelia-server.conf; # location / { # enable the next two lines for http auth #auth_basic "Restricted"; #auth_basic_user_file /config/nginx/.htpasswd; # enable the next two lines for ldap auth #auth_request /auth; #error_page 401 =200 /login; # enable for Authelia #include /config/nginx/authelia-location.conf; include /config/nginx/proxy.conf; resolver 127.0.0.11 valid=30s; set $upstream_app 172.16.10.100; # note: edit with the LAN IP of your OpenMediaVault server. set $upstream_port 50000; # note: same port used on the server for OpenMediaVault. set $upstream_proto http; proxy_pass $upstream_proto://$upstream_app:$upstream_port; # proxy_read_timeout 120s; access_log off; } }When opening the web page, I get an SSL error instead of a destination unreachable, so the port 50000 is open for incoming connections (which is good). But I still get working connection and only the error:
CodeSSL_ERROR_RX_RECORD_TOO_LONG
Well given what you put there I would not expected to work
stefan1983 So I'm genuinely curious, when you log in to the webUI, you go to:
http://172.16.10.100:50000
Because you're adding a new domain (omv, openmediavault, whatever you used) it has to pull a new cert.
Not if you are using wildcard in the swag/Duckdns docker-compose and subdomain in the proxy.conf. Swag is generating a cert for your-domain.duckdns.org. You merely have to setup a proxy.conf file for omv and restart Swag. I’ll dig out my proxy.conf file and swag docker-compose in the morning and post it. I reach my server with
omv.my-domain.duckdns.org.
Better yet, I remember I wrote up a How-To about it several months ago: [How-To] Install a Custom Network for Reverse Proxy in Swag from the Command Line
I did renew the certificate in SWAG, but it still does not work.
My reverse proxy config file as I use it currently:
CodeAlles anzeigenserver { listen 443 ssl; listen [::]:443 ssl; server_name omv.*; # note: Set this with a unique name IF running 2 or more OMV servers include /config/nginx/ssl.conf; client_max_body_size 0; # enable for ldap auth, fill in ldap details in ldap.conf #include /config/nginx/ldap.conf; # enable for Authelia #include /config/nginx/authelia-server.conf; # location / { # enable the next two lines for http auth #auth_basic "Restricted"; #auth_basic_user_file /config/nginx/.htpasswd; # enable the next two lines for ldap auth #auth_request /auth; #error_page 401 =200 /login; # enable for Authelia #include /config/nginx/authelia-location.conf; include /config/nginx/proxy.conf; resolver 127.0.0.11 valid=30s; set $upstream_app 172.16.10.100; # note: edit with the LAN IP of your OpenMediaVault server. set $upstream_port 50000; # note: same port used on the server for OpenMediaVault. set $upstream_proto http; proxy_pass $upstream_proto://$upstream_app:$upstream_port; # proxy_read_timeout 120s; access_log off; } }When opening the web page, I get an SSL error instead of a destination unreachable, so the port 50000 is open for incoming connections (which is good). But I still get working connection and only the error:
CodeSSL_ERROR_RX_RECORD_TOO_LONG
You built a reverse proxy from port 443 to port 50000. not the other way round.
Is 172.16.10.100 the IP of your OMV server on the local network?
Does nslookup omv.blablabla.duckdns.org resolve to your external IP of OMV
Does http://omv.blablabla.duckdns.org:50000 open the OMV Web-UI (it should not, as the name should resolve to your external t)
Does http://172.16.10.100:50000 open the OMV web ui (it should, as this is what you are pointing swag to)
In the end you will have the folloging
your clinet computer -> omv.blablabla.duckdns.org:443 (your router) -> 172.16.10.100:443 (swag on omv) -> 172.16.10.100:5000 (omv web-ui)
And if you opened 443 on the router, your systems will be accassible from the internet. And you need to open the port for cert renewal. Choose strong passwords.
stefan1983 So I'm genuinely curious, when you log in to the webUI, you go to:
http://172.16.10.100:50000
Correct, after changing the port 80 to something else (>50000) I have to login now via this URL.
Not if you are using wildcard in the swag/Duckdns docker-compose and subdomain in the proxy.conf. Swag is generating a cert for your-domain.duckdns.org. You merely have to setup a proxy.conf file for omv and restart Swag. I’ll dig out my proxy.conf file and swag docker-compose in the morning and post it. I reach my server with
omv.my-domain.duckdns.org.
Better yet, I remember I wrote up a How-To about it several months ago: [How-To] Install a Custom Network for Reverse Proxy in Swag from the Command Line
Correct, that's what I did as well.
I just thought, could it then be a rights problem of the proxy.conf file?
Alles anzeigenYou built a reverse proxy from port 443 to port 50000. not the other way round.
Is 172.16.10.100 the IP of your OMV server on the local network?
Does nslookup omv.blablabla.duckdns.org resolve to your external IP of OMV
Does http://omv.blablabla.duckdns.org:50000 open the OMV Web-UI (it should not, as the name should resolve to your external t)
Does http://172.16.10.100:50000 open the OMV web ui (it should, as this is what you are pointing swag to)
In the end you will have the folloging
your clinet computer -> omv.blablabla.duckdns.org:443 (your router) -> 172.16.10.100:443 (swag on omv) -> 172.16.10.100:5000 (omv web-ui)
And if you opened 443 on the router, your systems will be accassible from the internet. And you need to open the port for cert renewal. Choose strong passwords.
Yes, 172.16.10.100 is my server and where OMV runs.
nslookup works:
Server: 172.16.10.1
Address: 172.16.10.1#53
Name: omv.blablabla.duckdns.org
Address: 172.16.10.100yes, http://omv.blablabla.duckdns.org:50000 opens the web UI of OMV (as I access OMV from the lan and my local domain in the router is blablabla.duckdns.org (so the domain is resolved locally as seen in nslookup).
http://172.16.10.100:50000 also opens the web UI
So finally I should have to be able to access: https://172.16.10.100:443 or https://omv.blablabla.duckdns.org ?
That does not work currently.
Not if you are using wildcard in the swag/Duckdns docker-compose and subdomain in the proxy.conf. Swag is generating a cert for your-domain.duckdns.org. You merely have to setup a proxy.conf file for omv and restart Swag. I’ll dig out my proxy.conf file and swag docker-compose in the morning and post it. I reach my server with
omv.my-domain.duckdns.org.
Better yet, I remember I wrote up a How-To about it several months ago: [How-To] Install a Custom Network for Reverse Proxy in Swag from the Command Line
Really? I thought you'd still need to pull a new cert.. At the very least you're going to have to restart the container to pick up the new subdomain.conf. I don't use wildcard domains with my personal domain, so I have to identify each subdomain in my domain panel... which will require redeployment.
Sie haben noch kein Benutzerkonto auf unserer Seite? Registrieren Sie sich kostenlos und nehmen Sie an unserer Community teil!