[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

linuxserver_medium.png

 

Application Name: SWAG - Secure Web Application Gateway

Application Site:  https://docs.linuxserver.io/general/swag

Docker Hub: https://hub.docker.com/r/linuxserver/swag

Github: https://github.com/linuxserver/docker-swag

 

Please post any questions/issues relating to this docker you have in this thread.

 

If you are not using Unraid (and you should be!) then please do not post here, instead head to linuxserver.io to see how to get support.

 

PS. This image was previously named "letsencrypt", however, due to a trademark related issue, it was rebranded SWAG and is being published in new repos. In order to migrate to the new image, all you need to do (at a minimum) is to open the container settings and change the "Repository" field from "linuxserver/letsencrypt" to "linuxserver/swag". If you prefer, you can change the container name to "swag" as well, although it is not required. As long as you keep the environment vars the same and the "/config" folder mount the same, all the settings will be picked up by the new container. Please see here for more detailed instructions: https://github.com/linuxserver/docker-swag/blob/master/README.md#migrating-from-the-old-linuxserverletsencrypt-image

Edited by linuxserver.io
new image name and repos
  • Like 2
  • Thanks 1
  • Upvote 3
Link to comment

If someone wants to migrate to this container, what differences are there between this and the Nginx-letsencrypt by aptalca?

 

This is based on Alpine Linux not Phusion, so considerably smaller (46MB vs 243MB).  It's not a drop in replacement as some of the folder/file structure is slightly different, but if you pull both of them to different appdata folders it's pretty easy to figure out.  I've been playing around with this for a month or two now and that's what I did.  For the record, this was written by Aptalca as well.

 

Does this container have Perl-FastCGI baked in?

 

Not that I'm aware of, I guess you could pull a tagged release

 

linuxserver/letsencrypt:13

 

and then

 

docker exec -it letsencrypt apk add --no-cache perl-fcgi

 

And I'm pretty sure that will survive the weekly update, leaving you to update manually when you see fit.

 

Or even set it up on a cron job I guess, or a user script using Squids plugin to update after each weekly update.

Link to comment

Has anyone tried to use this with CloudFlare?

 

I've set up my domain to use CloudFlare, and when I installed the docker, it couldn't be set up correctly because it's resolving my domain into CloudFlare's IP. I can't get the SSL certificates going because it's not my home IP.

 

I understand this is a CloudFlare issue, I am trying out disabling their caching and all the functions. Not sure how long it takes for that to come into effect.

 

Just wondering if anyone has tried this with CloudFlare and how they did it.

 

And a separate question: In the docker settings you're suppose to enter a URL. It doesn't take an IP. I know an IP defeats the purpose of DDNS, I really just want the reverse proxy function since my company prevents me from accessing a DDNS like DuckDNS. I'd be equally happy accessing my server with http://IP/sonarr .

Link to comment

Has anyone tried to use this with CloudFlare?

 

I've set up my domain to use CloudFlare, and when I installed the docker, it couldn't be set up correctly because it's resolving my domain into CloudFlare's IP. I can't get the SSL certificates going because it's not my home IP.

 

I understand this is a CloudFlare issue, I am trying out disabling their caching and all the functions. Not sure how long it takes for that to come into effect.

 

Just wondering if anyone has tried this with CloudFlare and how they did it.

 

And a separate question: In the docker settings you're suppose to enter a URL. It doesn't take an IP. I know an IP defeats the purpose of DDNS, I really just want the reverse proxy function since my company prevents me from accessing a DDNS like DuckDNS. I'd be equally happy accessing my server with http://IP/sonarr .

 

I would imagine you'd need to turn off cloudflare to create the certs.

Link to comment

I think I've turned off the caching and all the extra features that would divert traffic to CloudFlare but my domain is still resolving to CloudFlare's IP. Unless it takes some time for those to come into effect.

 

Or did you mean to remove my domain from CloudFlre entirely, try to get the SSL certs, and then put my domain on CloudFlare?

Link to comment

I think I've turned off the caching and all the extra features that would divert traffic to CloudFlare but my domain is still resolving to CloudFlare's IP. Unless it takes some time for those to come into effect.

 

Or did you mean to remove my domain from CloudFlre entirely, try to get the SSL certs, and then put my domain on CloudFlare?

 

I can't remember as I gave up on Cloudflare a while ago as it caused issues.  But if your domain is resolving to Cloudflare IP then that needs to be changed as per the readme.

 

Before running this container, make sure that the url and subdomains are properly forwarded to this container's host.

 

 

Link to comment

Ok thank you. I'll try my second option and see what happens.

 

 

Regarding my second question, is there a way to use this with an IP instead of a domain? Just to get reverse proxy working with something like http://IP/sonarr ?

Unless you are an ISP or a large organization, you don't own any public IP's. And no, you can't get SSL certificates for things you don't "own".

 

I can't recommend getting your own domain name enough tbh.  Mine only cost me about $10 iirc for a year.

  • Like 1
Link to comment

Unless you are an ISP or a large organization, you don't own any public IP's. And no, you can't get SSL certificates for things you don't "own".

 

Ah I get it now. The cert is registered to a domain I can own, not to a dynamic IP that my ISP assigns me.

 

I can't recommend getting your own domain name enough tbh.  Mine only cost me about $10 iirc for a year.

 

I do have an existing domain I can use, it's just that I'm running into set up problem because I'm using CloudFlare's DNS with it. And I'm using CloudFlare because I found a CloudFlare DDNS docker for unRAID: https://lime-technology.com/forum/index.php?topic=40553.0

 

And I'm going through all these because I can't access sub.duckdns.org from work.

 

 

I'm using CloudFlare's DNS with it because I found a CloudFlare DDNS docker for unRAID.

 

Do you know of other free DDNS service that can be used with your own domain instead of a sub like duckdns.org?

Link to comment

Looks like mine is enom.

 

I managed to turn off the HTTP caching part of CloudFlare and only use its DNS. The domain resolves back to my home IP now. I'll give this another shot and hopefully this time it'll set up right.

 

Thanks again and sorry for the off-topic. Looking forward to trying this docker. Was previously using Aptalca's previous docker and thought if this is smaller why not.

Link to comment

Looks like mine is enom.

 

I managed to turn off the HTTP caching part of CloudFlare and only use its DNS. The domain resolves back to my home IP now. I'll give this another shot and hopefully this time it'll set up right.

 

Thanks again and sorry for the off-topic. Looking forward to trying this docker. Was previously using Aptalca's previous docker and thought if this is smaller why not.

 

Cool, no problem.  Not only is this smaller, but as Aptalca has joined ls.io, development will be on this version going forward.

Link to comment

Very pleased to report I got this docker working with CloudFlare and my domain, everything is reverse proxying as they should.

 

It's also working with the NZBD360 app.

 

Once I figured out how to use CloudFlare only for DNS the docker setup was pretty straight forward.

 

Thanks for the work on this and the off-topic help earlier.

Link to comment

Somewhat off-topic, but I have a question I haven't been able to figure out with regards to registered domain names and dynamic dns services.

 

I have a domain name that I've had for years.  It's currently registered through Google Domains, but I could change that.  It's just sitting there, waiting for me to do something with it.

 

I also have (and currently use) a dynamic DNS service (dyn-dns) to point to my server from off network.  I'm on a Verizon FIOS connection here in the US and can't easily get a static IP without paying a fortune.

 

Ideally I'd like to ditch the subdomain.dyndns.com and move to my domain name and have it point to my unRaid server and Nginx. 

 

Is that even possible?  Or do I just stick with the subdomain.dyndns.com and register that with LetsEncrypt?

 

Thanks!

Link to comment

Can anyone help me configure and set up sites in Nginx?

 

I got the following docker apps installed:

 

letsencrypt;

1.1.1.3:8833

1.1.1.3:8181

 

nextcloud:

1.1.1.3:3443 resolved to cloud.domain.com

 

plex:

 

rutorrent:

1.1.1.3:8099 resolved to torrent.domain.com

1.1.1.3:45566

1.1.1.3:8089

1.1.1.3:9527

 

unifi:

1.1.1.3:8080 resolved to unifi.domain.com

1.1.1.3:8081

1.1.1.3:8443

Link to comment

Can anyone help me configure and set up sites in Nginx?

 

I got the following docker apps installed:

 

rutorrent:

1.1.1.3:8099 resolved to torrent.domain.com

1.1.1.3:45566

1.1.1.3:8089

1.1.1.3:9527

 

If you haven't done so yet you'd want to create a .htpasswd file and put that in /appdata/letsencrypt/ngins/

 

I learned this from reading and mimicking instructions from other people so I can only share what I did for rutorrent:

 

You have to edit /appdata/rutorrent/nginx/nginx.conf. Change

 

server {
listen 80 default_server;
        root /var/www/localhost/rutorrent;
index index.html index.htm index.php;

 

to

 

server {
listen 80 default_server;
        root /var/www/localhost;
index index.html index.htm index.php;

 

And then add to /appdata/letsencrypt/nginx/site-confs/default

 

#Config for ruTorrent
	location ^~ /ru {
		auth_basic "Restricted";
		auth_basic_user_file /config/nginx/.htpasswd;
		include /config/nginx/proxy.conf;
		proxy_pass http://your.internal.ip:port/rutorrent/;
	}

 

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.