Introduction and requirements.
Here you will find a guide on installing letsencrypt and duckdns docker containers on UnRAID. You will be guided on creating a account with the dynamic dns service known as duckdns aswell as shown how to use letsencrypt and reverse proxy your internal applications such as plex, deluge, sonarr, couchpotato etc. they will even be accesible via HTTPS securely.
Requirements
- UnRAID all configured and set up to use dockers (6.2.4 was what this tutorial was written against).
- An internet connection on your UnRAID server.
- The Community Applications plugin installed and configured.
Goals
- To be able to access UnRAID dockers such as sonarr, radarr, couchpotato, htpc-manager from outside of your LAN in a secure way via HTTPS.
- To make the more complicated Nextcloud work via reverse proxy.
- Enable automatic IP address updating to your chosen DuckDNS domain.
103 Comments. Leave new
Thanks for this tutorial!
One question, when navigating to Sonarr remotely I only receive a webpage containing the text “Sonar Verr.” With nothing else. I’m wondering if you’ve run into this.
Thanks!
you need to set the base path in sonarr, (having notification issues so not getting told about comments)
very help, long time user of unraid, followed your steps and when i try https://XXX.duckdns.org/sonarr i get a NGIX Bad Gatewat error 502. Install went as descibed.
Clear browser started working
Hi, I will add this step in extras
Dont forget to clear your browser cache if you have gotten errors and have corrected settings!
good call!
Hi, Are you able to go through with me if you have 10 mins on team viewer, struggling a lot with the installation. Cheers
sure send me an email with the subject “Joe – Teamviewer” to [email protected]
If I have my own domain name (instead of using duckdns), does this process still work or are there additional steps that need to be taken?
simple answer: yes, depends on if you need a dynamic DNS still or not.
Thanks so much for this tutorial, it has helped get me set up for remote access to my network. I do have to admit I’m not quite sure what everything that I did in this tutorial has actually done. This became quite apparent when I tried to set up two servers on my network running the same two dockers.
I have two dockers running the same app on two different unraid boxes. I have the ports set to 192.x.x.0:xxx0 and 192.x.x.1:xxx1 but I’m not sure how to set up the ‘default’ file to point to each one separately. At first I thought I could just change the name after the ‘location/xxx’ but quickly found out that broke everything. The app I’m trying to point to is Sabnzbd which doesn’t seem to let you set the base url.
I can successfully get to one of the SAB instances, but not the other. What am I missing?
if you can’t change the basepath i don’t think you will be able to without a seperate domain / sub domain
for radarr/sonarr its like this
Instance 1
location /radarr {
include /config/nginx/proxy.conf;
proxy_pass http://192.168.1.3:7878/radarr;
}
Base path set to /radarr
Instance 2
location /radarr2 {
include /config/nginx/proxy.conf;
proxy_pass http://192.168.1.4:7878/radarr2;
}
Base path set to /radarr2
Hope this helps.
Hi All, for some reason i have been having issues with getting notifications of stuff on my website, comments, forum posts etc… due to this i haven’t been able to reply to you as i haven’t actively been checking it.
i am working on fixing these issues so i can provide a quicker response time.
UPDATE: i have fixed the email notification issue so will reply quicker to comments/replies now.
Sorry for the inconvenience.
How would you get Zoneminder working with this?
No idea without more information, need to know things like what the current url structure is… e.g http://192.168.1.45:3867/web or http://192.168.1.45:3867/ etc also if there is a “basepath” option in zoneminder
give me a list of a couple of the URL’s from a few different pages of zoneminder
main page = http://192.168.2.90:8084/zm/index.php
options page = http://192.168.2.90:8084/zm/index.php?view=options
it looks like all pages start with http://192.168.2.90:8084/zm/index.php and i do not see anything in options/settings for a basepath. Does this info help at all?
try this
location /zm {
include /config/nginx/proxy.conf;
proxy_pass http://192.168.2.90:8084/zm/;
}
or
location /zm {
include /config/nginx/proxy.conf;
proxy_pass http://192.168.2.90:8084/zm;
}
tbh i’m going to configure Zoneminder my self in the coming days/weeks so if this doesn’t work i can look in the future.
the top one worked!! woohoo thank you! this is great!
are you using a docker? if so which one? just curious
I am using a Docker
Well, I followed your directions, but i seem to be running into errors trying to get the letsencrypt docker started. No confirmation in logs. Instead im getting that my port “entered disabled state”, “left promiscuous mode” and ultimately “Deleting interface #13 docker0”
oh boy, Im a total idiot. Capitalized the ‘T’ in ‘true’. Removed the docker, reinstalled, totally working…soooo to all you out there, dont do that! And thank you very much for putting this tutorial together. Ill try to actually follow the rest of the directions!
glad you got it fixed 🙂
i get a bad gateway for nextcloud only. i refreshed the cache and still the same issue.
it seems you are missing something then, make sure to change the config file for nextcloud as shown in the tutorial, also make sure to restart both dockers.
i went through everything again, and it all seems to be what you have. i’m at a loss since it’s only nextcloud
send me [email protected] the contents of these, feel free to remove passwords or private data.
\\UnRAIDIP\appdata\nextcloud\nginx\site-confs\default
\\UnRAIDIP\appdata\nextcloud\config\www\nextcloud\config
\\UnRAIDIP\appdata\letsencrypt\nginx\site-confs\default
this has been resolved by re-doing the nextcloud docker.
Trying to figure out how to change the baseurl of Pydio and Guacamole to get this working. Also I am trying to get Muximux setup as well, it appears as though it is going to be similar to Nextcloud by changing roots. Any thoughts?
hi, not without more information, if you want muximux at / then its easy, i use organizr the same way. the others i have no idea on.
Before you do all of this, you have to install NGINX – yes? How do you do that bit? Do you use another port besides 80 on this too? Thanks!
No, the letsencrypt docker includes nginx
Thanks for the guide. Are you able to advise on how to password protect the nginx webserver? I’d prefer to do that so I don’t need to password protect each application.
Hi,
“If you’d like to password protect your sites, you can use htpasswd. Run the following command on your host to generate the htpasswd file docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd”
https://github.com/linuxserver/docker-letsencrypt
and then add the following
auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;
hi when i visit this url http://xxxx.duckdns.org/sonarr it says 404 and the url changed to http://xxxx.duckdns.org/login?returnUrl=/sonarr do you know how i fix this?
Hi, Have you set the path on sonarr? in settings…
restart your sonarr docker afterwards
hi that dit work thank you so much, but somehow I can’t get this to work for plexpy (did the same thing after I restart it I keep getting a blank screen and nothing interesting happens in the log), couch potato (can’t find the setting) and htpc just keeps giving me the error ( anerror has occured on a blank page) i’am a bit of a noob in unraid territory and I would love to get some more help 🙂
location /plexpy {
proxy_bind $server_addr;
proxy_pass http://[IP]:8181;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
}
can you please advise in how to integrate emby with this setup?
i used to use emby but due to the xbox one app not being free moved to plex.
try
location /emby {include /config/nginx/proxy.conf;
proxy_pass http://[IP]:8096;
}
make sure to reload the letsencrypt docker after saving the changes
I was wondering how this process would differ if I have a dynamic dns through dyn as opposed to duckdns?
I also own a domain that I am currently pointing the ddns to.
Install the DDclient docker: https://github.com/macexx/ddclient
Connect to \appdata\ddclient and use this as your ddclient.conf (edit the items inside ):
## ddclient configuration file
daemon=600
# check every 600 seconds
syslog=yes
# log update msgs to syslog
mail-failure= # Mail failed updates to user
pid=/var/run/ddclient.pid
# record PID in file.
## Detect IP with our CheckIP server
use=web, web=checkip.dyndns.com/, web-skip=’IP Address’
## DynDNS username and password here
login=
password=
## Default options
protocol=dyndns2
server=members.dyndns.org
## Dynamic DNS hosts
In the LETSENCRYPT settings make sure to put your DOMAIN and the SUBDOMAIN, you’re using.
My tags didnt transfer properly to my post.
Make sure to add your email after “mail-failure=”, your username for dyn after “login=” and password after “password=”
Under the ## Dynamic DNS hosts section, you need to add your DYN URL; i.e. test-server.dynalias.org
Great, Thanks for your contribution 🙂
Thank you so much. i will check this out as soon as I am able and will comment back with the results.
Wait, so do I just replace everything in the conf file with what you have written or just the relevant lines?
Use this link when signed in to dyn.com to create your own: https://account.dyn.com/tools/clientconfig.html
I have followed your tutorial closely but i could not get to the nginx default webpage. Set port 80 to 81, and leave the default port 443. The container log has nothing relevant.
Hi, sorry for the late reply, i’ve been out of the country on holiday without access to a computer.
have you forwarded the router ports, i need more information, i need your config files, or docker settings or something more than “container log has nothing relevant”
Hey
What should i do if i have my own domain and a public static ip
Should i just make a single A record pointing to my public static ip
skip all the duckdns stuff and just add your static ip to the A record of your domain.
Thanks 🙂
if I’m not using some of the services in the template I would just delete them right?
When I’m not using Netdata I can just remove the following text from the header?:
upstream backend {
server 192.168.1.3:19999;
keepalive 64;
}
Thanks for the guide 🙂
Could I also delete this, when not using netdata?
location ~ /netdata/(?.*) {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://backend/$ndpath$is_args$args;
proxy_http_version 1.1;
proxy_pass_request_headers on;
proxy_set_header Connection “keep-alive”;
proxy_store off;
If you’re not using any of the services then you can delete the section without issue, although you might prefer to comment it (should you need it in the future) by adding a # at the start of each line.
Thanks 🙂 I’m also trying to add SABNZBD.
Under NGinx they want
https://sabnzbd.org/wiki/extra/howto-apache
location /sabnzbd {
include /etc/nginx/conf.d/proxy.conf;
proxy_pass http://localhost:8080/sabnzbd;
}
They also want to add
upstream SABnzbd {
server localhost:8080;
keepalive 512;
}
What does that do? Is it necessary?
Thanks in advance 🙂
if that what they want then add it all, i haven’t took the time to understand what the “upstream” stuff does yet.
As a sidenote. I was recommended to add the following to my default file
server {
listen 80 default_server
listen [::]:80 default_server
server_name _;
return 301 https://$server_name$request_uri;
}
server {
listen 443 ssl default_server;
root /config/www;
index index.html index.htm index.php;
server_name _;
After this comes the certificates and location tags.
This forces a SSL connection
I thought it would be relevant to know
yes that is just standard 80 http -> 443 https
Hi, I followed your guide and got next cloud accessible from the outside world everything works except the part where in upload files to the server. it keeps giving me this error: Not enough free space, you are uploading xx MB but only 0 B is left you (even when I have 13tb free). it worked before I attempted to install lets encrypt. could you please help me?
Hi,
No idea on this one sorry, mine definitely works fine, i would check all your permissions and settings and config files for both nginx and nextcloud.
I’m having this exact issue right now. Did you ever work out a fix?
I just corrected the same issue for myself Thanks to a comment on a similar post on reddit. Make sure you have “location ^~/nextcloud {” for the nextcloud location in the letsencrypt-nginx/site-confs default file.
Have anyone succed in making plex work without forwarding port 32400
Yes mine works fine, i’ve set it up for multiple people now, please follow the steps in the guide.
I have followed the exact steps in the guide both changed the default file and the plex setting, it works when I have forwarded port 32400, if I dont then it won’t work
Great writeup so far! Been able to get Sonarr to work. Nextcloud is another story. Getting ‘400 Bad Request’ when I go to https://[SUBSITE].duckdns.org/nextcloud
Says “The plain HTTP request was sent to HTTPS port”.
Followed everything exactly. I have my Nextcloud mapped to another port, but other than that I can’t figure out what’s wrong. Works just fine at https://[UNRAID-IP]:[CUSTOM-PORT].
Hi,
make sure you have the nextcloud entry in your default file set to https like so
proxy_pass https://[IP]:444/nextcloud;
all the others are http but this one is https.
also make sure you did the edit to the nextcloud config file and nginx config file
Hey, thanks! Changing it to HTTPS worked! However, new problem. It’s SUPER slow via URL, but speedy via external IP. See screenshots.
http://imgur.com/a/eyc1H
Hmm, i’m not sure on why you’re having speed issues, are you comparing it with the external ip or internal ip? could be DNS resolution issues or your router may be clever enough to route the external IP internally avoiding the internet but not so much for the domain name.
Should I be seeing something at https://.duckdns.org/services — for me, Chrome refuses to connect.
Sorry, the formatting on the site doesn’t let me type it correctly. Basically, when I substitute my subdomain at domain dot duckdns dot org forward-slash services, I get an error within my browser.
you aren’t meant to do /services, you do /plex or /sonarr or /radarr etc.
Ah, well /plex is not working. Any ideas?
Hi, No sorry i don’t know why it’s not working, please double check all the steps as others have it working correctly.
Hi,
I was able to get nextcloud together with LetsEncrypt running.
Each docker for LetsEncrypt and also NextCloud are running on a seperate (virtual) IP.
But I am struggeling with another problem, maybe someone can help me?
I have a domain “my-domain.at”. I am already using “nextcloud.my-domain.at” for nextcloud.
Next I wanted to work on some Webprojects like wordpress, joomla and other PHP Tools.
First I wanted to do it via Apache, as I know apache from my native Server. So I installed apache on a docker with a dedicated (virtual) IP.
But somehow I was not able to get the forwarding from LetsEncrypt to Apache working. Somehow I always ended with “ERR_TO_MANY_REDIRECTS” in the browser.
Then I thought I could do it with LetsEncrypt as it also has a Webserver with PHP Support, isn’t it?
So I tried several “site-conf” examples, but somehow I never got it working correctly.
What would be an example for wordpress to get it working?
Asuming the domain “wordpress.my-domain.com” and the site is located under “/var/www/wordpress”?
Br,
Johannes
Hi,
unfortunately this is not related to this tutorial so the best i can do is give you an example, i won’t be able to further exist regarding this though.
you can try something like this
SSL (HTTPS)
server {listen 443 ssl default_server;
root /config/www/wordpress;
index index.html index.htm index.php;
server_name wordpress.cyanlabs.net;
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
ssl_prefer_server_ciphers on;
client_max_body_size 0;
location / {
try_files $uri $uri/ /index.html /index.php?$args =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
}
or
Non-SSL (HTTP)
server {listen 80 default_server;
root /config/www/wordpress;
index index.html index.htm index.php;
server_name wordpress.cyanlabs.net;
client_max_body_size 0;
location / {
try_files $uri $uri/ /index.html /index.php?$args =404;
}
location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass 127.0.0.1:9000;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}
}
Is there any way to get this tow work with the unraid webgui? I tried but the page loaded a bunch of text and no graphical elements.
the best way is to just setup a subdomain like unraid.xxx.xxx and set up a new server block just for unraid.
Hello, thank you for this tutorial but im stuck with the lets encrpt certificate…. i made a post at https://forums.lime-technology.com/topic/51808-support-linuxserverio-letsencrypt-nginx/?page=25#comment-572672 but nobody is answering. Could it be that there is an update that this guide wont work anymore?
Regards
Bengele
It seems like you are using subdomains on duckdns but as far as i know you can’t do that. try 1 domain and use /service e.g /plex etc.
Thanks for this awesome write-up! It’s super helpful. I was able to get everything setup correctly (I think…I know Deluge is accessible via my domain/downloads), however I’m having trouble with both radarr and sonarr. When I go to domain/radarr or domain/sonarr the page loads but only says Radarr Ver. or Sonarr Ver. (respectively). Any idea how to fix this?
you need to set the path on sonarr/radarr’s settings
Settings > General > URL Path = /sonarr or /radarr
Then restart sonarr and radarr.
I’m having real trouble getting letsencrypt to work.
I’m not sure where I’m going wrong, the relevant error from the logs seems to be:
[code]Failed authorization procedure. towerlocal.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout[/code]
make sure port 443 is accessible from outside your LAN and that it is forwarded in your router to your Unraid Box.
http://portforward.com
Hi there, thanks for the guide, I’m currently running No-IP on my pfSense router so I didn’t use the DuckDNS container and went straight into the setup at the LetsEncrypt section. I put the details in for my No-IP DynDNS setup and then completed the install of the LetsEncrypt container, however, I cannot access the “Welcome to the server” page locally. For me I use 192.168.1.5 for my unRAID setup so when I go to http://192.168.1.5:81, it cannot find a page, in Chrome I get “This site can’t be reached”
Any ideas?
Thanks
you need to view the logs of the letsencrypt container.
This is what it’s showing:
Failed authorization procedure. *my domain**.duckdns.org (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Timeout
Though looking further at the log I think this info may be more pertinent:
certbot: error: argument –cert-path: No such file or directory
Maybe that is stopping it from starting up?
You are missing some of the steps here then, you need to forward port 443 to your internal IP (i assume since you have pfsense i don’t need to explain this) so whenever the letsencrypt bot goes to https://XXX.duckdns.org:443 it will authenticate
You said before you weren’t using duckdns but you are saying your log is using it, can you clarify this as if your log is saying that then you have done something wrong (outside of this guide)
Yeh I don’t think I was helping myself there, I set up DuckDNS to test if it was just some issue with the pfSense DDNS. I’ve removed that and now set it up with the port redirect and my own DNS and it’s now started, though I still can’t get to 192.168.1.5:81 locally or remotely
OK it seems to have kinda started now but I can’t actually access anything remotely yet… I have Sonarr etc running on a VM on my server (separate to my unRAID server) so I edited that config file you supplied to that IP and the port I use and when I go with mydomain.ddns.net/sonarr it just spins…. Not sure what I’m doing wrong! I get nothing locally on 192.168.1.5 either on port 80 or 81 but I’m not sure if this is the issue or not , LetsEncypt shows no errors in the log now…
Hello, great article that walks through everything I need to set things up. My main issue is that my unRAID server is behind my Asus Merlin router running OpenVPN client connecting to AirVPN service. The AirVPN has a port forwarding service as well as a static exit IP. They also provide a DDNS. So right now I have subdomain.airdns.org:PORT forwarded via IP tables script on my router to 443 port on my unRAID server. So remotely I can easily access my Nextcloud server. Using https://scan.nextcloud.com/ I get a A+ rating even though I have not setup Letsencrypt or any specific SLL. Not sure if this is done through their DDNS service.
Anyway this makes it impossible for Letsencrypt docker to access that external link (https://subdomain.airdns.org:PORT) from behind the VPN. I guess I don’t even need to setup DuckDNS or Letsencrypt as my Nextcloud is behind a VPN and should be secure.
My question then is how do I setup reverse proxy if not using the nginx in the Letsencrypt docker. I have already setup dnsmasq on my router: address=/airdns.org/192.168.1.5 #(unRIAD IP). Also the DDNS currently has a PORT associated with it and dnsmasq does not allow ports to be used. I am basically trying to access my Nextcloud server using the same address whether it is remote or internal. Is there a way to change the default port on unRAID so if I goto http://192.168.1.5 it will automatically redirect to https://192.68.1.5?
Any help would be greatly appreciated!
Hi,
Don’t have much experience in this aspect, if you want to change unraid’s port you can edit the go file in the config folder of your flash drive (/boot/config/go) and change emhttp to emhttp -p XXXX (where XXXX is the port number)
If you then add 80 and 443 as the actual ports 80 and 443 in the docker that should work for you.
Hope this helps.
Awesome thanks for the quick reply. I guess I could also try giving the nextcloud container a separate IP. Where would you edit the nginx for reverse proxy? In the Nextcloud app folder?
You just need to edit the “default” file in the letsencrypt nginx folder
this guide helped me a lot but i have one question.
i have everything set to be on a subdomain ie: sabnzbd.DOMAIN.com, sonarr.DOMAIN.com
how do i edit the deluge block to work as deluge.DOMAIN.com?
i’m using the below but all i get is a blank screen with the webpage title Deluge: Web UI
location /{
include /config/nginx/proxy.conf;
proxy_pass http://[IP]:8112/;
proxy_set_header X-Deluge-Base “/downloads/”;
}
I really cannot get plexpy to work just cannot get anything to load anyone help me out the other comment in this section doesnt really help