
Comments (7)

nesbcn avatar nesbcn commented on May 14, 2024

Sorry for the long post!

from gooby.

nesbcn avatar nesbcn commented on May 14, 2024

What is really interesting is that I tried accessing the webUI through http://[server IP]:9091 and it works, I can connect to it. So definitely the reverse proxy isn't doing its thing...

from gooby.

nesbcn avatar nesbcn commented on May 14, 2024

I updated the YAML to change the IP address range - LOCAL_NETWORK=127.0.0.1 to 172.27.0.0/16, seems it was too restrictive. Now the reverse proxy seems to pick up the fact that there is a service running; this is the section from /etc/nginx/conf.d/default.conf that now refers to transmission:

# transmission.mydomain.com
upstream transmission.mydomain.com {
                                ## Can be connected with "docker_default" network
                # transmission
                        server 172.27.0.5 down;
}
server {
        server_name transmission.mydomain.com;
        listen 80 ;
        access_log /var/log/nginx/access.log vhost;
        return 301 https://$host$request_uri;
}
server {
        server_name transmission.mydomain.com;
        listen 443 ssl http2 ;
        access_log /var/log/nginx/access.log vhost;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
        ssl_prefer_server_ciphers on;
        ssl_session_timeout 5m;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;
        ssl_certificate /etc/nginx/certs/transmission.mydomain.com.crt;
        ssl_certificate_key /etc/nginx/certs/transmission.mydomain.com.key;
        ssl_dhparam /etc/nginx/certs/transmission.mydomain.com.dhparam.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/nginx/certs/transmission.mydomain.com.chain.pem;
        add_header Strict-Transport-Security "max-age=31536000" always;
        include /etc/nginx/vhost.d/default;
        location / {
                proxy_pass http://transmission.mydomain.com;
        }
}

Also, the webUI is left wide open, I can't set a password or any form of authentication...

from gooby.
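
An added example (not part of the thread and not Gooby's own code): a small Python audit for a generated default.conf like the one quoted above. It flags the three things visible in that paste: an upstream whose only backend is marked `down`, TLSv1/TLSv1.1 still listed in `ssl_protocols`, and a proxied server block with no `auth_basic`. The sample config is constructed from the post and trimmed, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the default.conf quoted in the post above.
SAMPLE_CONF = """
upstream transmission.mydomain.com {
    server 172.27.0.5 down;
}
server {
    server_name transmission.mydomain.com;
    listen 443 ssl http2 ;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    location / { proxy_pass http://transmission.mydomain.com; }
}
"""

def top_level_blocks(conf):
    # Yield (header, body) for each top-level "name args { ... }" block.
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (assumes no '#' inside quotes)
    depth, mark, body_start, header = 0, 0, 0, ""
    for i, ch in enumerate(conf):
        if ch == "{":
            if depth == 0:
                header, body_start = conf[mark:i].strip(), i + 1
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                yield header, conf[body_start:i]
                mark = i + 1

def audit(conf):
    findings = []
    for header, body in top_level_blocks(conf):
        parts = header.split()
        if parts[:1] == ["upstream"]:
            servers = re.findall(r"^\s*server\s+([^;]+);", body, re.M)
            if servers and all("down" in s.split()[1:] for s in servers):
                findings.append(f"upstream {parts[-1]}: every backend is marked down")
        elif parts[:1] == ["server"]:
            host = (re.findall(r"server_name\s+([^;\s]+)", body) or ["?"])[0]
            protos = re.search(r"ssl_protocols\s+([^;]+);", body)
            legacy = sorted(set(protos.group(1).split()) & {"TLSv1", "TLSv1.1"}) if protos else []
            if legacy:
                findings.append(f"server {host}: legacy protocols {', '.join(legacy)} enabled")
            if "proxy_pass" in body and not re.search(r"\bauth_basic\s+(?!off)", body):
                findings.append(f"server {host}: proxy_pass without auth_basic")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONF)))
```

The check only reads directives written in the block itself, so authentication supplied through an `include`d file is not seen and would show up as a false positive.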

TechPerplexed avatar TechPerplexed commented on May 14, 2024

Interesting! Yeah, a reverse proxy would probably not work out of the box with OpenVPN... not sure what can be done. And it seems like you have been doing quite a bit of homework on this yourself :D

Let me know what you come up with - and I'll keep my eyes open too (but no promises, this is quite a bit beyond the scope of what Gooby was intended for haha).

from gooby.

kelinger avatar kelinger commented on May 14, 2024

I would leave off any of the network settings to begin with. This includes the DNS and local_network. If you NEED a local network, then the /16 should work but this won't be very portable (i.e., if Docker switches to 192.168.x.x/16 for example).

The next thing is that you're VPNing from remote TO this container; if it even works, it will probably terminate inside the Docker container's network. That is, you'll be "local" to Transmission, Plex, etc., but won't have host access. If that's your intention, then it's a reasonable goal. You'll still have Internet access via your VPN I believe, but it will be going from inside the container through the Docker NAT system to the host and then out from the host to the "real" Internet.

from gooby.

nesbcn avatar nesbcn commented on May 14, 2024

Thanks for your comments! I'm holding off on this thing until I can figure out how to get more bandwidth out of the VPN, since I could connect using the IP address of the VPS.
The local network address range seems to be needed in order to be able to 'see' the container from within the 'local' network, since the container only uses the VPN to access the internet and do its thing. The amended local address range allows the other containers to see this one, but I still haven't figured out how to get the reverse proxy going. In any case, if I can't get more speed out of the VPN this point is moot.

from gooby.

TechPerplexed avatar TechPerplexed commented on May 14, 2024

Nice, let us know what you come up with @nesbcn :) Always great to see people making the system their own... and adding useful information in the meantime 🥇 I'll close this issue for the moment, but please do share how things went with your enhancements!

from gooby.
