reverse-proxy-confs's Introduction

How to use these Reverse Proxy Configs

This folder contains sample reverse proxy configs for various docker images linuxserver provides and other commonly used applications.

NOTE: We avoid providing samples that publicly expose server management software (ex: syno, qnap, unraid, proxmox, esxi, etc). Pull requests to add samples for this category of applications will not be accepted.

They are grouped in two:

  1. subfolder: these will allow accessing services at https://yourdomain.com/servicename
  2. subdomain: these will allow accessing services at https://servicename.yourdomain.com

It is recommended that users deploy subdomain reverse proxying and not subfolder.

Whilst subfolder reverse proxying appears easier to implement, the inherent nature of this technique requires that each application developer make accommodations to support it. This is not always the case, and it is common to see applications with no or partial support, resulting in an unreliable experience.

Conversely, subdomain reverse proxying does not require special accommodation by application developers and will invariably work (or can be made to work) seamlessly without upstream changes.

To enable the reverse proxy configs:

Configure your default site config

Make sure that your default site config contains the following lines in the appropriate spots as seen in the default version:

  1. For subfolder methods: include /config/nginx/proxy-confs/*.subfolder.conf;
  2. For subdomain methods: include /config/nginx/proxy-confs/*.subdomain.conf;

Ensure you have a custom docker network

These confs assume that the swag container can reach other containers via their DNS hostnames (which default to the container name), resolved via docker's internal DNS. This is achieved by attaching the containers to the same user-defined docker bridge network.

  • If you are using docker-compose and the containers are managed through the same yaml file, docker-compose will automatically create a custom network and attach all containers to it. Nothing extra is required.

  • If you are starting the containers via command line, first create a bridge network with the command docker network create [networkname]. Then define that network in the container run/create command via --network [networkname].

  • If you are using a gui manager like portainer, you can create a custom bridge network in the gui, and select it when creating a new container.

  • If you are using unraid, create a custom network in command line via docker network create [networkname], then go to docker service settings (under advanced) and set the option Preserve user defined networks: to Yes. Then in each container setting, including the swag container, in the network type dropdown, select Custom : [networkname]. This is a necessary step as the bridge network that unraid uses by default does not allow container to container communication.

If the reverse proxied containers are not reachable via dns or they are running on a different machine, you will have to modify these confs to fit your needs.

Rename the required proxy configs

  1. Rename the conf files and remove the .sample at the end (e.g. sonarr.subfolder.conf.sample becomes sonarr.subfolder.conf)
  2. Restart the swag container

Make any necessary changes detailed in the config

Some applications require you to make changes to the service containers such as adding base urls in their settings. Each conf file lists the required changes on the first line.

If you are reverse proxying linuxserver containers installed on the same host with the recommended options, you shouldn't need to edit these conf files.

To disable the configs:

Simply delete the confs and restart swag.

reverse-proxy-confs's Issues

TVheadend

Any chance to include encryption for TVH (the http side of it port 9981)?

Setup plex config

Ok I retried the plex subfolder config with the linuxserver/docker-letsencrypt image but I get stuck earlier.

So basically I setup the image :

docker run \
  --name=nginx_letsencrypt \
  --cap-add=NET_ADMIN \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Europe/Berlin \
  -e URL=mydomain \
  -e VALIDATION=http \
  -e EMAIL=myemail \
  -e DHLEVEL=2048 `#optional` \
  -e ONLY_SUBDOMAINS=false `#optional` \
  -e STAGING=false `#optional` \
  -p 443:443 \
  -p 80:80 `#optional` \
  --network=mydockernetwork \
  -v /hd/nginx_letsencrypt:/config \
  --restart unless-stopped \
  linuxserver/letsencrypt

That looks fine so far and I can reach the server with https and it shows a nice "Welcome to our server". Then I try to set up plex as follows:

cp plex.subfolder.conf.sample plex.subfolder.conf
docker restart nginx_letsencrypt 

Plex container is running fine and I can reach it via http://$ip:32400
But via mydomain/plex it returns a 500 gateway error.

So I read further on the readme here "Ensure you have a custom docker network" that I should create a custom docker network for plex. So I do that:
docker network create mydockernetwork
And recreate the plex container using just --network=mydockernetwork, no port mapping. Before I was using --network=host

How should the nginx_letsencrypt container now know to use this network?
It doesn't say where else the network should be used or given as parameter.

And still plex is not reachable via mydomain/plex -> 502 Bad Gateway nginx/1.14.2
Also plex is now not reachable via http://$ip:32400.
I don't know how docker networks are working, do you have a hint what I did wrong?

Thanks a lot!

Grafana login loop using ldap-auth

Hi, I'm trying to use the linuxserver ldap-auth to front end all of my containers. It seems that Grafana uses a /login URI for its own authentication. I tried to implement the suggestion stated in issue #60 which has been closed.

Hi, I tried this, unfortunately it still doesn't work. Instead of being directed to the ldap-auth login page, I get a result that just says: Hello, world! Requested URL: /ldaplogin

Here's my updated grafana.subdomain.conf:

server {
    listen 443 ssl;
#   listen [::]:443 ssl;

    server_name grafana.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    include /config/nginx/ldap.conf;
    include /config/nginx/ldap2.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        auth_request /auth;
        error_page 401 =200 /ldaplogin;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s ipv6=off;
        set $upstream_grafana [redacted];
        proxy_pass http://$upstream_grafana:3000;
    }
}

And the new location I added to ldap2.conf:

location /ldaplogin {
    resolver 127.0.0.11 valid=30s ipv6=off;
    set $upstream_ldap [redacted];
    proxy_pass http://$upstream_ldap:9001;
    proxy_set_header X-Target $request_uri;
}

Proxy subfolder config

Thanks for the great config guys!
I ran into some issues with the plex subfolder config though. I tried around for quite some time using a plain nginx instance (not the docker container) because of the otherwise working configs.

The subfolder configs seem to work as far as the website goes, however the connection always appears as indirect. Do you have anything else you tweaked in the nginx configs besides the location { ... } block I copied? I also added the proxy.conf from the repo into /etc/nginx/sites-available/ to make sure it imports the same as you do.

This is my /etc/nginx/sites-available/mydomain.ddnss.ch.conf: https://pastebin.com/V90Zzwyc
And also the proxy.conf: https://pastebin.com/YqRgWnz9

I would be very glad for any help if you happen to know what the issue could be.

Kanboard support

I have been trying to create a subdomain without luck; it could be good to add. I tried modifying this:

This is my file, but it only shows the default nginx

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name kanboard.*;

    include /config/nginx/ssl.conf;

    location / {

        location / {
            try_files $uri $uri/ /index.php$is_args$args;
        }

        location ~ ^/(?:kanboard|config.php|config.default.php) {
            deny all;
        }

        location ~* /data {
            deny all;
        }

        location ~ \.php(?:$|/) {
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param HTTPS on; # Use only if HTTPS is configured
            #include fastcgi_params;
            fastcgi_pass unix:/var/run/php5-fpm.sock;
        }

        location ~ /\.ht {
            deny all;
        }
    }
}

https://docs.kanboard.org/en/latest/admin_guide/url_rewriting.html

This seems to fix a lot of issues

I was having a lot of issues getting these sample proxies to work on my docker setup (using the LS LetsEncrypt container) because I needed to have the port included in each request as well, for example, I need this:

https://my.domain.rocks:1234/someotherstuff

in every call, but the samples always removed the port, so it became this:

https://my.domain.rocks/someotherstuff

which broke a lot of things.

Editing the following 2 lines in proxy.conf to look like this seemed to magically make all of the .sample scripts work again.

proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-Host $http_host;

Thought I'd pass the tip along, since after a few days of Google-Fu and even a stop into the LS Discord chan came up empty. Other than that, great container!

Is the sonarr config secure?

I am using sonarr.subdomain.conf with auth enabled (Authelia, but the question applies to any other auth method).

However I noticed that the auth settings only apply to location /, not to location ~ (/sonarr)?/api. In fact I can access https://sonarr.my.url/sonarr/api bypassing any auth.

I was wondering if this is safe or if it allows anyone to make API calls to my Sonarr installation.

Jellyfin subfolder config : Unable to find the specified file

Setting up jellyfin with subfolder config. I get this message in browser : Unable to find the specified file

Other services are configured as subfolder and are working.
Can reach jellyfin webui if I map the port and reach it by ip address. Tried to change public https to 443, and "handled by reverse proxy", with no success.

@CHBMB Did you encounter this when you created the config?

Host not found

Hello,

I have a lot of services running and a cname for all in my dns config (bind9). When I open the url in my browser nginx says: 2019/09/03 08:03:06 [error] 368#368: *5 wordpress could not be resolved (3: Host not found)...

nslookup looks weird but can resolve the hostname:

root@ebcdbc201640:/# nslookup wordpress
nslookup: can't resolve '(null)': Name does not resolve

Name: wordpress
Address 1: 10.10.10.12 docker2.domain.com

Ping looks good:

root@ebcdbc201640:/# ping -c 3 wordpress
PING wordpress (10.10.10.12): 56 data bytes
64 bytes from 10.10.10.12: seq=0 ttl=64 time=0.032 ms
64 bytes from 10.10.10.12: seq=1 ttl=64 time=0.056 ms
64 bytes from 10.10.10.12: seq=2 ttl=64 time=0.045 ms

And this is the resolv.conf of my container:

search domain.com
nameserver 127.0.0.11
options ndots:1

Any ideas what I'm doing wrong?

Cheers
Kai

Jackett + Organizer auth + LE container?

I'm not real good with these things so I don't know for sure which place to go to for the right help, but I figured that the way the LE container's proxy configs are kinda tweaked a specific way, that maybe you guys might have a better grasp on how to handle this issue?

Rather than type it all out again, I'll just link to my first post on it, I don't think they use this specific container so they might not be the right place to go to for help?:

causefx/Organizr#1311

Can anyone help, pls?

Grafana subfolder

I'm trying to use grafana for a live dashboard with letsencrypt, without success.

location ^~ /grafana {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth
    #auth_request /auth;
    #error_page 401 =200 /login;

    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_grafana grafana;
    proxy_pass http://$upstream_grafana:3000;

}

I'm sending back to /login but with a /root display of letsencrypt

Jeedom proxy-conf

Hi,

Is it possible to add the jeedom.subfolder.conf file? It works well with portainer, nextcloud and others. So I tried to do it myself with the other samples, but it works badly: it's slow and a lot of 502/504 errors happen.

location /jeedom {
    return 301 $scheme://$host/jeedom/;
}

location ^~ /jeedom/ {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_jeedom 192.168.1.31;
    rewrite /jeedom(.*) $1 break;
    proxy_pass http://$upstream_jeedom:9080;

    proxy_max_temp_file_size 1024m;

    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    proxy_set_header Connection $http_connection;
    proxy_redirect off;
    proxy_ssl_session_reuse off;

}

By using local ip there is no problem.

Thanks.

Podman

I'm not sure if this would be considered a feature for this project, but I've used these samples and docker-swag to create a reverse proxy in front of GitLab using podman and podman user defined networks cni.

I believe support for Podman would be easy to implement.

Wordpress proxy-conf missing

I've been trying to find some good standard wordpress configs for a while, somewhat in disbelief that it didn't exist in the proxy-confs already, given how popular wordpress is. Then following this old guide here, I notice it did seem to get included previously.

I'm not sure if it was removed intentionally, but it would be great if it could be re-added?

Many thanks,

Marshalleq

ruTorrent RPC security?

I'm using authelia for authentication on ruTorrent. Is there any security on the /RPC path? It doesn't need any API key to access the ruTorrent through RPC, isn't there a security problem there? Is adding a basic http authentication with .htpasswd file the only way to secure this?
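This question and the Sonarr one above both come down to which location blocks nginx itself places behind auth. The following is an added example, not part of the original issues or of the repository: a small checker that parses a conf and lists every location with no effective auth_basic or auth_request, following nginx's inheritance from the enclosing server or parent location. The sample conf is constructed from the template shown on this page, and treating an include of authelia-location.conf as an auth marker is an assumption about that file's content.

```python
import re

# Assumption: including authelia-location.conf gates the block (it is expected
# to carry an auth_request directive); the file itself is not read here.
AUTH_INCLUDE = re.compile(r"authelia-location\.conf$")

# Constructed sample, modelled on the subdomain template shown on this page.
SAMPLE = r"""
server {
    listen 443 ssl;
    server_name sonarr.*;
    include /config/nginx/ssl.conf;
    include /config/nginx/authelia-server.conf;

    location / {
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/authelia-location.conf;
        include /config/nginx/proxy.conf;
        set $upstream_app sonarr;
        proxy_pass http://$upstream_app:8989;
    }

    location ~ (/sonarr)?/api {
        include /config/nginx/proxy.conf;
        set $upstream_app sonarr;
        proxy_pass http://$upstream_app:8989;
    }
}
"""


def parse(text):
    """Parse nginx config text into nested {"head", "directives", "children"} blocks."""
    root = {"head": "main", "directives": [], "children": []}
    stack, buf, quote = [root], [], None
    for line in text.splitlines():
        for ch in line:
            if quote:                       # inside a quoted string: copy verbatim
                buf.append(ch)
                quote = None if ch == quote else quote
            elif ch in "\"'":
                quote = ch
                buf.append(ch)
            elif ch == "#":                 # comment runs to the end of the line
                break
            elif ch in ";{}":
                stmt = " ".join("".join(buf).split())
                buf = []
                if ch == ";":
                    if stmt:
                        stack[-1]["directives"].append(stmt)
                elif ch == "{":
                    block = {"head": stmt, "directives": [], "children": []}
                    stack[-1]["children"].append(block)
                    stack.append(block)
                elif len(stack) == 1:
                    raise ValueError("unbalanced '}'")
                else:
                    stack.pop()
            else:
                buf.append(ch)
        buf.append(" ")                     # a line break separates tokens
    if len(stack) != 1:
        raise ValueError("unclosed block")
    return root


def effective_auth(block, inherited):
    """Auth state of a block: inherited values, overridden by its own directives."""
    state = dict(inherited)
    for directive in block["directives"]:
        name, _, arg = directive.partition(" ")
        arg = arg.strip().strip("\"'")
        if name in ("auth_basic", "auth_request"):
            state[name] = arg != "off"      # "off" cancels an inherited setting
        elif name == "include" and AUTH_INCLUDE.search(arg):
            state["auth_request"] = True
    return state


def unauthenticated_locations(conf_text):
    """Return the heads of all location blocks that nginx does not gate."""
    findings = []

    def walk(block, inherited):
        state = effective_auth(block, inherited)
        if block["head"].startswith("location ") and not any(state.values()):
            findings.append(block["head"])
        for child in block["children"]:
            walk(child, state)

    walk(parse(conf_text), {"auth_basic": False, "auth_request": False})
    return findings


if __name__ == "__main__":
    for head in unauthenticated_locations(SAMPLE):
        print("no nginx-level auth:", head)
```

The checker only reports what nginx enforces; whether the proxied application demands its own credential on that path (an API key, for instance) is outside what it can see.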

linuxserver.io

jDownloader 2

I'm still not the most familiar with Nginx; I'm wrasslin with this RP at the moment. It's close but no cigar. It'll load but none of the assets are loading. No CSS, etc.

I thought that usually meant that a base URL needed to be used, but in this container I see no mention of it needing one. I'm using this container, and basing my RP on the example he has there for the subfolder + trying to follow your RP patterns as well:

https://hub.docker.com/r/jlesage/jdownloader-2

Here's what I have so far:

location /jdownloader-2 {
    return 301 $scheme://$http_host/jdownloader-2/;
}

location /jdownloader-2/ {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
    #auth_request /auth;
    #error_page 401 =200 /login;

    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_jdownloader_2 jdownloader-2;
    proxy_pass http://$upstream_jdownloader_2:5800/;
    #proxy_set_header X-Scheme $scheme;
    #proxy_set_header X-Script-Name /jdownloader-2;

    location /jdownloader-2/websockify {
        proxy_pass http://$upstream_jdownloader_2:5800/websockify/;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        proxy_read_timeout 86400;
    }
}

The console is showing a bunch of these:

Resource interpreted as Stylesheet but transferred with MIME type text/html

Uncaught SyntaxError: Unexpected token .

I haven't gotten to the websockify stuff yet; I just have that there for the moment because he has it in his sample.

I have a feeling it's something simple that's slipping by me. Anyone able to spot anything wrong?

help synology photo station config

Thanks, team linuxserver.io

Can you make a Synology NAS config?

I made a Synology DSM config. It is working, but it does not access Photo Station.

How can I do it?

Config Request: Tvheadend

Hello, I am trying to connect to the web interface (port 9981) of the linuxserver/tvheadend docker image using a reverse proxy. When I navigate to tvheadend.logicalunit.net I get the Tvheadend authentication prompt, but I get a 403 forbidden error when I try to log in.

I am using Nginx Proxy Manager, and here is my config:

https://pastebin.com/WzXC7Jgf

EDIT: Disregard this issue. The solution was to tick the box that says Proxy Protocol & X-Forwarded-For in Tvheadend configuration (it's under HTTP server settings, you may need to switch to View Level Expert). I also need to enable Websockets support in the proxy manager.

Prometheus Subdomain Sample

Saw that there isn't a Prometheus sample added yet and tested this one (just a basic copy of the other samples), which is working if you'd like to add it to the collection.

# make sure that your dns has a cname set for prometheus and that your prometheus container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name prometheus.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_prometheus prometheus;
        proxy_pass http://$upstream_prometheus:9090;
    }
}

Feature Request - Monica CRM Subfolder/Subdomain examples

I've generally been able to create my own .conf files when I've needed to, but I'm seriously struggling with creating a new subfolder.conf for Monica CRM: https://github.com/monicahq/monica

I've seen example nginx.conf files for it, but I've yet to be able to extract what I need from them to make it work properly. Examples here: https://www.vultr.com/docs/how-to-install-monica-on-ubuntu-18-04-lts and here: monicahq/monica#568 and a Yunohost version here: https://github.com/YunoHost-Apps/monica_ynh/blob/master/conf/nginx.conf

The best I've managed is:

location /monica {
    return 301 $scheme://$host/monica/;
}
location ^~ /monica/ {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_monica monicahq;
    rewrite /monica(.*) $1 break;
    proxy_pass http://$upstream_monica:80;
    proxy_redirect off;
    proxy_set_header Host $host;

#    proxy_set_header Range $http_range;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
#    proxy_set_header X-Forwarded-Host $server_name;
}

The login page loads, but incorrectly, with images and css pointing to their original paths, rather than under Monica, and login fails as it tries to load example.com/login instead of example.com/monica/login

Apologies if I handled this incorrectly, and thanks in advance for any help you can offer.

Add noindex header

Wouldn't it be beneficial to prevent any indexing?
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";

Plex subdomain config issue

Using letsencrypt community app on unraid for reverse proxy, working OK for nextcloud. Trying to set it up for plex too. The only thing I changed in the plex.subdomain.conf file is

proxy_pass https://$upstream_plex:32400;

since I am requiring secure connections.

This setup works locally (plex.mydomain.com) on a web browser but doesn’t seem to work for my devices. Also plex says it can’t be reached from the network.

http2 protocol

Add http2 protocol to the config files.

like:

listen 443 ssl http2;
listen [::]:443 ssl http2;

organizr subfolder - location blocks in default

https://canary.discordapp.com/channels/354974912613449730/506925392603512839/715034647490199623

Basically, the user had commented out the location block but got a 404 in organizr until they also commented out the second location block. Once they commented that out, it worked fine. Since I do not use organizr I can't confirm something else wasn't at play.

If this is true, we should add a note at the top of organizr.subfolder.conf.sample to inform users that they need to comment out the second location as well.

Idea: sample templates

Creating this as a reminder for myself.

I'm going to create _template.subdomain.conf.sample and _template.subfolder.conf.sample as generic templates that can be used for creating new samples.

I'll include comments in them to indicate how to keep the formatting and where to include extra needed things like additional headers or separate location blocks for things like APIs.

Config generator

This project could make use of a config file generator. There is a lot of commonality from config to config. Many configs only differ on the upstream port number.

With the following self-contained (it also includes the template) config file and a 30 line Python script I was able to generate nearly half (1500 of the 3400) *.subdomain.conf.sample files. Nearly verbatim; the only differences were whitespace, punctuation, etc.

In the past it seems there have been mass updates to some of the sample files. Having a generator would make this easier.

I noticed there were 3 commonly used notes at the top. Perhaps they should be merged and all use the same template; something like this would help facilitate those changes.

I noticed unnecessary whitespace differences between files. This would remove that and make diffing much simpler.

Adding new applications would also be super simple and you wouldn't have to pick/guess which existing sample to use as a basis for your new application.

This was done as a simple exercise. If this looks like something you'd like to go forward with, I can expand upon it, take on the subfolders as well and make a proper pull request.

If you're not open to it I won't waste any more time on it.

template: |-
  {notes}

  server {{
      listen 443 ssl;
      listen [::]:443 ssl;

      server_name {server_name}.*;

      include /config/nginx/ssl.conf;

      client_max_body_size 0;

      # enable for ldap auth, fill in ldap details in ldap.conf
      #include /config/nginx/ldap.conf;

      location / {{
          # enable the next two lines for http auth
          #auth_basic "Restricted";
          #auth_basic_user_file /config/nginx/.htpasswd;

          # enable the next two lines for ldap auth
          #auth_request /auth;
          #error_page 401 =200 /login;

          include /config/nginx/proxy.conf;
          resolver 127.0.0.11 valid=30s;
          set $upstream_app {upstream_app};
          set $upstream_port {upstream_port};
          set $upstream_proto {upstream_proto};
          proxy_pass $upstream_proto://$upstream_app:$upstream_port;

      }}
  }}

.notes_template1: &notes_template1 "# make sure that your dns has a cname set for {app_name}"
.notes_template2: &notes_template2 '# make sure that your dns has a cname set for {app_name} and that your {app_name} container is not using a base url'
.notes_template3: &notes_template3 '# make sure that your dns has a cname set for {app_name} and that your {app_name} container is named {app_name}'

defaults:
  upstream_port: 80
  upstream_proto: http
  notes: *notes_template1
  upstream_app: "{app_name}"
  server_name: "{app_name}"

applications:
  adguard:
    notes: *notes_template3
  airsonic:
    notes: *notes_template2
    upstream_port: 4040
  bazarr:
    notes: *notes_template2
    upstream_port: 6767
  beets:
    notes: |-
      #First edit beets.yml and enable the reverse proxy settings, under "web" add "reverse_proxy: true" and restart the beets container.
      #Make sure that your dns has a cname set for beets and that your beets container is not using a base url
    upstream_port: 8337
  booksonic:
    notes: *notes_template2
    upstream_port: 4040
  bookstack:
    notes: |-
      # make sure that your dns has a cname set for bookstack and that your bookstack container is named bookstack
      # Ensure you have the APP_URL Environment Variable set correctly in your Docker Run/Compose or in BookStack Env File (/www/.env)
      # https://github.com/linuxserver/docker-bookstack#docker
  codimd:
    notes: |-
      # make sure you have added the following environmental variables to your run command/compose file
      # CMD_DOMAIN=codimd.server.com
      # CMD_PROTOCOL_USESSL=true
    upstream_port: 3000
  couchpotato:
    notes: *notes_template2
    upstream_port: 5050
  deluge:
    notes: *notes_template2
    upstream_port: 8112
  dillinger:
    upstream_port: 8080
  dokuwiki:
    notes: |-
      # First complete the setup by appending install.php to URL.
      # Make sure that your dns has a cname set for dokuwiki
  domoticz:
    notes: *notes_template2
    upstream_port: 8080
  embystat:
    upstream_port: 6555
  flood:
    notes: *notes_template2
    upstream_port: 3000
  gitea:
    notes: |-
      # make sure that your dns has a cname set for gitea and the following parameters in /data/gitea/conf/app.ini are edited
      # [server]
      # SSH_DOMAIN       = gitea.server.com
      # ROOT_URL         = https://gitea.server.com/
      # DOMAIN           = gitea.server.com
    upstream_port: 3000
  glances:
    notes: *notes_template2
    upstream_port: 61208
  grafana:
    notes: *notes_template2
    upstream_port: 3000
  grocy: {}
  headphones:
    upstream_port: 8181
  heimdall:
    upstream_port: 443
    upstream_proto: https
  kanzi:
    upstream_port: 8000
    upstream_proto: https
  lazylibrarian:
    upstream_port: 5299
  lychee: {}
  monitorr: {}
  mstream:
    notes: '# make sure that your dns has a cname set for mstream and your container name is mstream and running using http (default)'
    upstream_port: 3000
  mylar:
    upstream_port: 8090
  netboot:
    upstream_port: 3000
  netdata:
    upstream_port: 19999
  osticket:
    notes: *notes_template3
  phpmyadmin:
    notes: *notes_template2
  piwigo: {}
  plexwebtools:
    upstream_port: 33400
    upstream_app: "plex"
    notes: *notes_template2
  prometheus:
    notes: *notes_template2
    upstream_port: 9090
  pydio:
    notes: *notes_template2
    upstream_port: 443
    upstream_proto:  https
  pyload:
    notes: *notes_template2
    upstream_port: 8000
  quassel-web:
    notes: |-
      # make sure that your dns has a cname set for quassel and make sure Quassel-Web is running on http
      # with -e 'HTTPS'='false' or if you're using -e 'ADVANCED'='true' by editing config.json appropriately
    server_name: "quassel"
    upstream_port: 64080
  raneto:
    upstream_port: 3000
  resilio-sync:
    notes: *notes_template2
    upstream_port: 8888
  sickrage:
    upstream_port: 8081
  smokeping: {}
  statping:
    notes: |-
      # make sure that your dns has a cname set for statping and that your statping container is not using a base url
      # If you are using the SSL docker-compose.yml on the statping repo, then the container name will be set to statup.
      # On other compose examples, it might be named statping. In that case, change $upstream_app statup to $upstream_app statping
    upstream_app: "statup"
    upstream_port: 8080
  syncthing:
    notes: *notes_template2
    upstream_port: 8384
  tdarr:
    notes: *notes_template2
    upstream_port: 8265
  thelounge:
    upstream_port: 9000
  znc:
    upstream_port: 6501

Gotify login error

I have a problem with Gotify, the gotify.subdomain.conf file is the standard one, I haven’t changed it (not even a line).
I can access the gotify home page on gotify.mydomain.com, but when I try to login it always gives me the “login failed” error, if I try locally without the proxy I have no login problem.

Do you have any ideas?

Reverse Proxy

I tried to create a reverse proxy for mailu. I'm using this image: https://hub.docker.com/r/linuxserver/letsencrypt/. They work perfectly. However, when I proceed to use the reverse proxy I get the "bad gateway" error. I will copy my configuration here. I have used the same of adminer, since in that service it works for me. I hope you can help me.

location /adminer {
    return 301 $scheme://$host/adminer/;
}
location ^~ /adminer/ {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
    #auth_request /auth;
    #error_page 401 =200 /login;

    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_app adminer;
    set $upstream_port 8080;
    set $upstream_proto http;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}

Here is the configuration used



location /admin{
    return 301 $scheme://$host/admin/;
}
location ^~ /admin/ {
    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_app front;
    set $upstream_port 8080;
    set $upstream_proto http;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port/admin;

}

Proxy Conf Request - Nodered

I have included the proxy.conf that worked for me which was a tweaked version of an existing conf file

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name nodered.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app nodered;
        set $upstream_port 1880;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_cache_bypass $http_upgrade;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;

        # Forwards the real visitor remote IP address to the proxied server
        proxy_set_header X-Real-IP $remote_addr;

        # A list containing the IP addresses of every server the client has been proxied through
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Tells the proxied server which scheme (http or https) the client used to reach the proxy
        proxy_set_header X-Forwarded-Proto $scheme;

        # Defines the original host requested by the client
        proxy_set_header X-Forwarded-Host $host;

        # Defines the port on which the proxy accepted the client's request
        proxy_set_header X-Forwarded-Port $server_port;

    }

}

Websocket handling has changed

Having recently upgraded from Swag 1.7.0 to 1.8.0 and re-rolling from the sample configs, I noticed that the removal of two lines in this commit has broken the websocket connection under 'Alerts' for a server.

A copied Plex sample config has had these two lines removed between v1.7.0 and 1.8.0:

proxy_set_header        Upgrade         $http_upgrade;
proxy_set_header        Connection      "upgrade";

If you are accessing your Plex instance via Swag/a configuration using these reverse-proxy-confs at version 1.8.0 you will notice that going to Settings -> Alerts you will get the text: Unable to listen for events on servername.

This is fixed by re-adding the above two lines.

Thanks.
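
The regression described in this issue, two active directives disappearing when a conf is re-created from a newer sample, can be caught by diffing the active directives per location block. The following is an added example, not part of the original issue or the project's tooling; the function names and both conf excerpts are constructed for illustration, and it assumes one directive per line.

```python
import re

# Constructed excerpts modelled on the issue: one location block before and
# after the two WebSocket headers were removed (not the project's own files).
OLD_CONF = """
location / {
    include /config/nginx/proxy.conf;
    set $upstream_app plex;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    proxy_set_header        Upgrade         $http_upgrade;
    proxy_set_header        Connection      "upgrade";
    #proxy_set_header X-Example "commented out, so ignored";
}
"""
NEW_CONF = """
location / {
    include /config/nginx/proxy.conf;
    set $upstream_app plex;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
"""

def active_directives(conf):
    """Map each location block to the set of its uncommented directives."""
    blocks, stack = {}, []
    for raw in conf.splitlines():
        # Drop comments (a '#' at the start of a token), normalise whitespace.
        line = " ".join(re.sub(r"(^|\s)#.*$", "", raw).split())
        if not line:
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())      # entering a block
        elif line == "}":
            if stack:
                stack.pop()                      # leaving a block
        else:
            # Attribute the directive to the innermost enclosing location.
            owner = next((b for b in reversed(stack)
                          if b.startswith("location")), "(no location)")
            blocks.setdefault(owner, set()).add(line.rstrip(";").strip())
    return blocks

def dropped_directives(old_conf, new_conf):
    """Return {location: [directives active in old_conf but not in new_conf]}."""
    old, new = active_directives(old_conf), active_directives(new_conf)
    gone = {loc: sorted(d - new.get(loc, set())) for loc, d in old.items()}
    return {loc: items for loc, items in gone.items() if items}

if __name__ == "__main__":
    print(dropped_directives(OLD_CONF, NEW_CONF))
```

A directive reported here may now be supplied by an included file such as /config/nginx/proxy.conf, so compare that file as well before re-adding anything.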

proxy.conf - where is it?

Many of these configs reference /config/proxy.conf. I don't see it anywhere or documented in the readme. Can someone enlighten me?

Authelia not working with ~ (/xxx)?/api Location Block in conf file

Edit: I was an idiot - didn't have the latest authelia config files which fix this problem 🙄


Expected Behavior

When uncommenting the authelia includes in the subdomain sample conf files (like Sonarr or Radarr), an Authelia login screen should show up.

Current Behavior

When visiting the subdomain, nginx shows error 500 internal server error.
NGINX error logs show:
420#420: *6 auth request unexpected status: 303 while sending to client, client: xxx.xxx.xxx.xxx, server: radarr.xxx, request: "GET / HTTP/2.0", host: "radarr.xxx"

Probably clashes with location /authelia/api/verify block inside authelia-server.conf

Steps to Reproduce

  1. Set up authelia
  2. Uncomment authelia includes inside radarr.subdomain.conf
  3. Restart container
  4. Visit Subdomain

The same problem applies to every config that has a similar location block, like sonarr or radarr.

Anyone else having a problem with the pihole.subfolder.conf?

  1. I'm able to access the usual http://pi.hole/admin
  2. Then I renamed the pihole.subfolder.conf.sample to pihole.subfolder.conf (even copied/pasted the latest version from the repo as of today.)
  3. docker cp it over to the LE container, and restart it
  4. Visit https://my.domain.rocks:3333/pihole

I get the following error:

[ERROR]: Unable to parse results from queryads.php: Unhandled error message (Invalid domain!)


Not sure if this is useful, but a quick google turned up this:

pi-hole/pi-hole#2195.

Config Request: Gitlab-ce

It would be great to see a gitlab-ce config. As it comes in an Omnibus package bundled with mattermost it would be even better if mattermost would also work. THX

homeassistant in docker is in host mode by default. This does not work with homeassistant.subdomain.conf file

When I run home assistant from the official home-assistant.io they want to run the docker in network_mode: host

version: '3'
services:
  homeassistant:
    container_name: home-assistant
    image: homeassistant/home-assistant:stable
    volumes:
      - /PATH_TO_YOUR_CONFIG:/config
    environment:
      - TZ=America/New_York
    restart: always
    network_mode: host

When then using the default config from the linuxserver letsencrypt docker, I get a 502.
Here is the homeassistant.subdomain.conf file.

# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name homeassistant.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Not sure what the best practice is for getting ssl on docker images in network_mode: host.

Grafana LDAP?

Trying to enable LDAP for Grafana subdomain, but I think I'm ending up in some weird loop. Might be because /login is also used by Grafana?

I have LDAP working correctly for other containers, so it's just this one misbehaving.
