#1
Hello,
I'm unable to connect to Sonarr/Radarr using the App. Well, actually I can, but selectively.
For Sonarr - the "All" tab is not working - "Could not connect to Sonarr",
For Radarr - the "All" tab is not working - "Could not connect to Radarr"; "Missing" and "Cinemas" are loading infinitely;
Adding new titles works, and the connection test in settings passes. The services are accessible with a browser. It does not matter whether I'm connecting from inside or outside of my NAT.

This has something to do with nginx reverse proxy.
My setup: sonarr in a docker container (linuxserver/sonarr) running in a docker swarm (but only a single instance), behind nginx reverse proxy.
When it works: sonarr accessed directly via the port mapped to its container (e.g. http://192.168.111.2:8989)
When it does not work:
- In config such as below (https://user:pass@sonarr.domain.com:443 -> http://sonarr:8989)
- or when reverse-proxying nginx to address and port mapped directly to the sonarr's container (eg. https://user:pass@192.168.111.2:5000 -> http://192.168.111.2:8989)

nginx server config:


# Backend pool with a single server, addressed by the name "sonarr" on port 8989.
upstream sonarr {
  server        sonarr:8989;
}

# HTTPS virtual host for Sonarr (IPv4 and IPv6 listeners, HTTP/2 enabled).
server {
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name   sonarr.domain.com www.sonarr.domain.com;

  # TLS settings and access control are pulled in from shared snippets.
  # auth.conf is not shown on this page; the user:pass@ URLs in the post
  # suggest HTTP basic auth - confirm against the snippet itself.
  include /config/nginx/snippets/secure-ssl.conf;
  include /config/nginx/snippets/auth.conf;

  location / {
    # TLS ends at nginx; the hop to the backend is plain HTTP.
    proxy_pass  http://sonarr;

    proxy_set_header Host $host;
    # $proxy_add_x_forwarded_for appends $remote_addr to any X-Forwarded-For
    # value the client already sent, so only the last entry is written by this
    # proxy. X-Real-IP below carries $remote_addr alone.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Real-IP $remote_addr;
    # NOTE(review): no X-Forwarded-Proto and no WebSocket upgrade headers are
    # set in this location - check against Sonarr's reverse-proxy guidance.
  }
}

nginx ssl snippet:


# Shared TLS snippet (included by the server block as secure-ssl.conf).

# Certificate chain and private key issued for domain.com.
ssl_certificate /etc/letsencrypt/live/domain.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/domain.com/privkey.pem;
# Custom DH parameters; only used by the DHE-* suites in ssl_ciphers.
ssl_dhparam /config/nginx/dhparams.pem;

# Session resumption via a 20 MB shared cache with a 180-minute lifetime;
# session tickets are disabled.
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 180m;
ssl_session_tickets off;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
# NOTE(review): this list only offers AES-256 suites with RSA authentication.
# The two "...-GCM-SHA512" names do not appear to be suites OpenSSL defines, so
# they are presumably ignored - verify with `openssl ciphers -v '<this list>'`.
# A client that cannot negotiate one of the remaining suites fails the TLS 1.2
# handshake; post #2 reports that removing this line let the app connect.
# With OpenSSL, TLS 1.3 suites are not selected by this directive.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;

# NOTE(review): a single curve is offered for ECDHE; a client without P-384
# support cannot complete an ECDHE key exchange - confirm client coverage.
ssl_ecdh_curve secp384r1;

# Public resolvers for nginx's own runtime lookups. No ssl_stapling directive
# is visible in this snippet, so what needs the resolver is not clear from here.
resolver 8.8.8.8 8.8.4.4;

# HSTS for one year, covering subdomains, with the preload token.
# Without the `always` parameter nginx does not add the header to error
# responses. Every host covered by includeSubdomains must keep serving valid
# HTTPS for the whole max-age period.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload";

docker-compose.yaml


# Two services: "swag" (nginx reverse proxy with Let's Encrypt) and "sonarr".
services:
  swag:
    # NOTE(review): no tag or digest is given, so the image floats with the
    # registry's default tag; pin a version for reproducible, reviewable updates.
    image: ghcr.io/linuxserver/swag
    container_name: swag
    # NOTE(review): NET_ADMIN lets the container reconfigure networking;
    # presumably wanted for the image's fail2ban/iptables support - confirm it
    # is needed in this deployment.
    cap_add:
      - NET_ADMIN
    environment:
      PUID: 1000
      PGID: 122
      TZ: Europe/Warsaw
      URL: domain.com
      SUBDOMAINS: wildcard
      # Certificate validation via DNS challenge; the DNS plugin's API
      # credentials are not shown here and should stay out of version control.
      VALIDATION: dns
      DNSPLUGIN: provider #optional
      # PROPAGATION:  #optional
      # DUCKDNSTOKEN:  #optional
      EMAIL: me@email.com #optional
      ONLY_SUBDOMAINS: "false" #optional
      # EXTRA_DOMAINS:  #optional
      STAGING: "false" #optional
      # MAXMINDDB_LICENSE_KEY:  #optional
    restart: unless-stopped
    volumes:
      - ./swag/config:/config
    # Only attached to the proxy network, which it shares with sonarr.
    networks:
      - sab_proxy
    # HTTPS is published directly on the host (host mode, TCP 443).
    ports:
      - mode: host
        protocol: tcp
        published: 443
        target: 443
    deploy:
      placement:
        constraints:
          - node.hostname == myhost

  sonarr:
    # NOTE(review): unpinned image, as with swag above.
    image: ghcr.io/linuxserver/sonarr
    container_name: sonarr
    environment:
      TZ: Europe/Warsaw
      PUID: 1000 # set this to the UID of your user
      PGID: 122 # set this to the GID of your user
      UMASK: "002" #optional
    restart: unless-stopped
    networks:
      - sab
      - sab_proxy
    # NOTE(review): this publishes Sonarr's plain-HTTP port alongside the proxy.
    # Anything that can reach the host on 8989 skips the TLS and auth.conf
    # settings nginx applies; drop or firewall this mapping if the proxy is
    # meant to be the only entry point.
    ports:
      - 8989:8989 # port mapping
    volumes:
      - "./sonarr/config:/config"
    deploy:
      # replicas: 2
      placement:
        constraints:
          - node.hostname == myhost

# Both networks use the overlay driver (swarm); sab_proxy is the one shared
# between the proxy and sonarr.
networks:
  sab:
    driver: overlay
  sab_proxy:
    driver: overlay
#2
OK, the ciphers seem too strict. Disabling this block allows the connection.


# Quoted from the TLS snippet in post #1 (the trailing ';' is missing in this quote).
# NOTE(review): with the directive removed, nginx falls back to its built-in
# default cipher list (documented as HIGH:!aNULL:!MD5). An explicit list from a
# maintained source, such as Mozilla's SSL Configuration Generator, keeps the
# choice deliberate while still covering the client.
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384
I have added AES-128+SHA256 as well.