rikdegraaff Posted August 17, 2021
Guys, what am I doing wrong? See post: Do I need an SSL certificate on the subdomains/domain I am using for swag? Or is something else wrong...? Thanks in advance!
shrekfx Posted August 17, 2021
I'm trying to set up Swag on my unraid server and having a beast of a time doing so. Back story: I had a bunch of dockers set up and configured, including Nginx Proxy Manager Official. For the most part, it was working. Then I found a feature I wanted and it was in SWAG. I removed Nginx and installed Swag and went through the setup process and filled in the blanks. When I go to open the web UI, I get a page stating:

This site can’t be reached
192.168.68.139 refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

What I did then was remove all my dockers, delete the app_data for all the dockers and start fresh (I think). I put in Swag and still the same thing. Here is the log from the docker.

Brought to you by linuxserver.io
-------------------------------------
To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot
To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=mydomain.xyz
SUBDOMAINS=server,mycloud
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=http
CERTPROVIDER=
DNSPLUGIN=
[email protected]
STAGING=false

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d server.mydomain.xyz -d mycloud.mydomain.xyz
E-mail address entered: [email protected]
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mydomain.xyz and 2 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: mycloud.mydomain.xyz
  Type:   unauthorized
  Detail: Invalid response from http://mycloud.mydomain.xyz/.well-known/acme-challenge/zn1lUN4VXIHrx1cLNMaa6OLcoFFJQx0_Tn9S0pUvZ1E [2606:4700:3034::ac43:d57e]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js "

  Domain: mydomain.xyz
  Type:   unauthorized
  Detail: Invalid response from http://mydomain.xyz/.well-known/acme-challenge/6J1-8GdVoKbGMHlnkqBCf7CsKHDyqLyZ090NcPHDl5Y [2606:4700:3034::ac43:d57e]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js "

  Domain: server.mydomain.xyz
  Type:   unauthorized
  Detail: Invalid response from http://server.mydomain.xyz/.well-known/acme-challenge/V-1VSde1mqS5fnXmR7aMN-6pCCBz_w8uemYX9hY5zsY [2606:4700:3037::6815:3dc7]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js "

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
micheyll Posted August 17, 2021
Could someone give me a bit of insight on this? I'm trying to set up a remote connection to my ZNC IRC bouncer using nginx, so that I can access my bouncer from work. I have ZNC running as a container on unRAID. This is what I have in my nginx config file (znc.subdomain.conf):

## Version 2021/05/18
# make sure that your dns has a cname set for znc

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name irc.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        proxy_pass http://192.168.1.2:6502;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

My ZNC config file has the following set up for listeners; nothing else in that config file should really matter:

<Listener listener0>
    AllowIRC = false
    AllowWeb = true
    IPv4 = true
    IPv6 = false
    Port = 6501
    SSL = false
    URIPrefix = /
</Listener>
<Listener listener1>
    AllowIRC = true
    AllowWeb = false
    IPv4 = true
    IPv6 = false
    Port = 6502
    SSL = false
    URIPrefix = /
</Listener>

With this setup I keep getting the following error message on my IRC client whenever I try to connect to my subdomain using port 443:

HTTP/1.1 400 Bad Request
Server: nginx
Date: Tue, 17 Aug 2021 18:36:52 GMT
Content-Type: text/html
Content-Length: 150
Connection: close

<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center>
</body>

Using the same swag container I've managed to set up remote access for my Plex server using another one of my subdomains.
alturismo Posted August 17, 2021
45 minutes ago, micheyll said:
My ZNC config file has the following set up for listeners; nothing else in that config file should really matter:

May I ask if this is an HTTP site you try to reverse proxy, or TCP traffic (what it looks like at first sight)? If so, SWAG is by design for HTTP sites to be proxied and not TCP/UDP traffic ... that would need some advanced setups etc. with the stream module.
davper Posted August 18, 2021
On 8/16/2021 at 9:12 PM, davper said:
Hi, I was getting an emergency error, most likely caused by me making a config change to add wordpress. So I restored from a recent backup. I am now getting this upon start:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: www.xxxxxx.com
  Type:   connection
  Detail: Fetching http://www.xxxxxx.com/.well-known/acme-challenge/E0JYqMtNJ18FUDxUh7QYKjjq5DMu516AONQvPJA0hPg: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

I checked my pfSense and nothing has changed since I got swag running a few weeks ago. I have 80 forwarded to port 180 and 443 forwarded to 1443. Is there something else I should be looking at?

My full swag log:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...
-------------------------------------
Brought to you by linuxserver.io
-------------------------------------
To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot
To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------
User uid: 99
User gid: 100
-------------------------------------
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/New_York
URL=xxxxxx.com
SUBDOMAINS=www,ddns,cloud,bw,sonarr
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
CERTPROVIDER=
DNSPLUGIN=
[email protected]
STAGING=false

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d www.xxxxxx.com -d ddns.xxxxxx.com -d cloud.xxxxxx.com -d bw.xxxxxx.com -d sonarr.xxxxxx.com
E-mail address entered: [email protected]
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for www.xxxxxx.com and 4 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: www.xxxxxx.com
  Type:   connection
  Detail: Fetching http://www.xxxxxx.com/.well-known/acme-challenge/E0JYqMtNJ18FUDxUh7QYKjjq5DMu516AONQvPJA0hPg: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Hi, solved the issue. My WAN IP had changed and that one subdomain (www) did not get updated at Cloudflare. Once I changed the setting to get the IP from the ddns subdomain, it was working again. All other subdomains were working fine.
ziggie216 Posted August 18, 2021
Hi, out of boredom, I wanted SWAG to work with IPv6. Is the only way for a docker container to obtain an IPv6 address to place it on br0? If it is, and since SWAG is no longer on the same network (proxynet), does that mean I would also have to replace the $upstream_app with the IP address of the host (which is unraid's address)?
micheyll Posted August 18, 2021
10 hours ago, alturismo said:
May I ask if this is an HTTP site you try to reverse proxy, or TCP traffic (what it looks like at first sight)? If so, SWAG is by design for HTTP sites to be proxied and not TCP/UDP traffic ... that would need some advanced setups etc. with the stream module.

It's an IRC bouncer so it's TCP traffic, but I've seen a lot of examples of people setting it up to work using nginx. Also, SWAG comes with a built-in sample config file for ZNC, so I think it should be a viable way to set it up? I'm really not an expert on this, though.
alturismo Posted August 18, 2021
1 hour ago, micheyll said:
It's an IRC bouncer so it's TCP traffic, but I've seen a lot of examples of people setting it up to work using nginx. Also, SWAG comes with a built-in sample config file for ZNC.

Yes, I see there is IRC and web, and I assume the sample is for the web frontend.
micheyll Posted August 18, 2021
5 minutes ago, alturismo said:
Yes, I see there is IRC and web, and I assume the sample is for the web frontend.

I think you're right. Here on ZNC's wiki they mention using the stream module to connect with IRC, which you mentioned as well: https://wiki.znc.in/Reverse_Proxy
I'll take a new look at this in the evening. I'm not sure if I know how to enable the stream module, though, but I'll give it a go and let you know how it went.
alturismo Posted August 18, 2021
2 minutes ago, micheyll said:
I'll take a new look at this in the evening. I'm not sure if I know how to enable the stream module, though, but I'll give it a go and let you know how it went.

Pretty simple, BUT ... it won't be behind your reverse proxy, it needs a separate port and will be reachable through all available addresses, IPs, domains, ... so more or less like a separate port forward directly anyway.
If you want to go through your RP somehow, it's a lot of tweaks and adjustments ... ssl-preread would be a way to start, but be aware it's a lot of reading, trial and error, and it even may not work as expected.
nginx by design is made for HTTP traffic; the stream module is like a separate part and you won't benefit from irc.yourdomain.com to pass to the stream by default. There are "workarounds" using the above-mentioned ssl_preread_module ... like I said, workarounds.
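The stream-module route described above, as an added example that is not part of the thread and not SWAG's own configuration. nginx terminates TLS on a separate port (6697 here, an assumption) and hands plain TCP to ZNC's IRC listener from the posted config (192.168.1.2:6502, which has SSL = false). It assumes the image loads ngx_stream_module and ngx_stream_ssl_module, that SWAG's Let's Encrypt files are at /config/keys/letsencrypt/fullchain.pem and privkey.pem, and that the block is placed at the top level of nginx.conf beside the http {} block, never inside it. As noted above, this listener answers on every address and hostname; there is no irc.* name routing in the stream context.

```nginx
# Added example: TLS-terminating TCP proxy for ZNC's IRC listener.
# Goes at the top level of nginx.conf (outside http {}).
# Assumptions: stream and stream_ssl modules are loaded; the certificate
# paths below are the files SWAG obtained from Let's Encrypt.
stream {
    # ZNC's IRC listener from the posted znc.conf (AllowIRC = true, SSL = false).
    upstream znc_irc {
        server 192.168.1.2:6502;
    }

    server {
        # Clients connect with TLS to irc.yourdomain.com:6697.
        listen 6697 ssl;
        listen [::]:6697 ssl;

        ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # Optional: restrict who may reach the bouncer at all (assumed
        # source range; ngx_stream_access_module provides allow/deny).
        # allow 203.0.113.0/24;
        # deny  all;

        proxy_pass znc_irc;
        proxy_connect_timeout 5s;
        # IRC sessions sit idle between messages; do not cut them off early.
        proxy_timeout 1h;
    }
}
```

For this to be reachable, port 6697 must be published on the SWAG container and forwarded on the router, which is exactly the "separate port forward" trade-off described above; the gain over forwarding 6502 directly is that the IRC client gets a valid Let's Encrypt certificate while ZNC itself stays on its plaintext listener inside the LAN.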
micheyll Posted August 18, 2021
35 minutes ago, alturismo said:
Pretty simple, BUT ... it won't be behind your reverse proxy, it needs a separate port and will be reachable through all available addresses, IPs, domains, ... so more or less like a separate port forward directly anyway.
If you want to go through your RP somehow, it's a lot of tweaks and adjustments ... ssl-preread would be a way to start, but be aware it's a lot of reading, trial and error, and it even may not work as expected.
nginx by design is made for HTTP traffic; the stream module is like a separate part and you won't benefit from irc.yourdomain.com to pass to the stream by default. There are "workarounds" using the above-mentioned ssl_preread_module ... like I said, workarounds.

Thanks for your input. I think I'll save myself a lot of trouble and grey hair if I just forward the port for ZNC on my router and use SWAG for HTTP traffic applications. Thanks for the help, I would've kept hitting my head against this wall for the foreseeable future.
Autchirion Posted August 20, 2021
Hello all, I'm currently using swag for bitwarden but I would like to use it for nextcloud as well. It would use the same domain, but with a different port. Do you guys know how to achieve that? Thank you in advance, Autchi
alturismo Posted August 20, 2021
2 hours ago, Autchirion said:
but with a different port

Reverse proxy is meant to be used on the https port only. If you only have 1 domain, maybe take a look at the subfolder parts (there are plenty of samples, pre-configured in your proxy conf folder), like
https://yourdomain.de/bitwarden
https://yourdomain.de/nextcloud
strike Posted August 20, 2021
2 hours ago, Autchirion said:
Hello all, I'm currently using swag for bitwarden but I would like to use it for nextcloud as well. It would use the same domain, but with a different port. Do you guys know how to achieve that? Thank you in advance, Autchi

Just set up a subdomain. @SpaceInvaderOne has a video on how to set up nextcloud with swag: https://www.youtube.com/watch?v=I0lhZc25Sro
Autchirion Posted August 20, 2021
32 minutes ago, strike said:
Just set up a subdomain. @SpaceInvaderOne has a video on how to set up nextcloud with swag: https://www.youtube.com/watch?v=I0lhZc25Sro

OK, do I need two instances of swag then? Just to clarify, I don't want it open to the internet, I only want the annoying message gone that the page appears to be not secure.
strike Posted August 20, 2021
4 minutes ago, Autchirion said:
OK, do I need two instances of swag then? Just to clarify, I don't want it open to the internet, I only want the annoying message gone that the page appears to be not secure.

OH, then you don't want to reverse proxy it with swag. That's what swag is for: making it open to the internet, securely. But maybe you can copy the certs from swag to nextcloud, idk. You'll have to google it as I have no clue, but I THINK it can be done.
Autchirion Posted August 21, 2021
OK, if someone comes up with an idea, that would be awesome. I don't know a lot about certificates. 🙂
anongum Posted August 21, 2021
I have a page under a reverse proxy. Can I set credentials to access this page, and if so, how do I do it?
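An added example, not from the thread and not one of SWAG's shipped sample confs, covering two of the questions above: two apps on one domain sharing port 443 (the subdomain approach from strike's and alturismo's replies), kept LAN-only as Autchirion wants, and with a credential prompt in front of one of them as anongum asks. Each server block would be its own file under /config/nginx/proxy-confs/, following the layout of the posted znc.subdomain.conf. The container names bitwarden and nextcloud, their ports, the LAN range 192.168.0.0/16 and the .htpasswd path are assumptions; it also assumes both containers share a user-defined Docker network with SWAG so the names resolve.

```nginx
# Added example (not SWAG's own sample conf). One domain, one port (443),
# routed by server_name. Assumed container names/ports and LAN range.

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name bitwarden.*;          # bitwarden.yourdomain.de

    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    # Internal-only: serve LAN clients and refuse everyone else, so the
    # Let's Encrypt certificate is used without exposing the app.
    allow 192.168.0.0/16;             # assumed LAN range
    deny  all;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app bitwarden;  # assumed container name
        set $upstream_port 80;        # assumed container port
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name nextcloud.*;          # nextcloud.yourdomain.de

    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    allow 192.168.0.0/16;             # assumed LAN range
    deny  all;

    location / {
        # Credentials in front of the page. The file is created once, e.g.
        #   htpasswd -c /config/nginx/.htpasswd someuser
        # (assumes the htpasswd tool is available; generate it elsewhere
        # if not). Note that sync and mobile clients cannot answer this
        # browser prompt, so use it only where browsers are the only clients.
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app nextcloud;  # assumed container name
        set $upstream_port 443;       # assumed container port
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

Two caveats. The allow/deny lines only control who gets a response; the certificate still has to be issued, so validation must still reach Let's Encrypt (http validation needs port 80 forwarded during issuance, dns validation such as the duckdns option needs no inbound port at all). And auth_basic adds a second login in front of the app's own, which protects the login page from the internet but breaks API clients that expect to talk to the app directly.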
langrock Posted August 22, 2021 (edited)
I can no longer renew the certs and am getting the following error message.

Failed to renew certificate langrock.duckdns.org with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.

I have changed absolutely nothing on either the server or the router in many years. Any idea if a recent update to the letsencrypt docker might be causing issues? The only web server running is the one serving the Unraid GUI ... this has not been an issue in the past. Thanks

Update: I checked that the port forwarding worked and that I am able to access the apps I am linking to from the outside world, jellyfin and calibre-web in my case, and both still work just fine. The container log doesn't indicate any problems or warnings, but running 'certbot renew' still throws the above error. I am mystified.
Edited August 23, 2021 by langrock
DZMM Posted August 23, 2021
On 8/10/2021 at 6:56 PM, comfox said:
Did you change anything to get it working? Mine still won't come back online.

I just had this problem again. I think the port forwarding on the BT hub is rubbish and fails occasionally. SWAG stopped working for me again; I just had to reboot the hub.
emptyfish Posted August 24, 2021
I have a (likely) very basic question on SWAG. I am running several internal applications inside my internal network. Using nextcloud as an example, which I do have set up with a domain name, the docker port mappings show up like this:

172.17.0.1:443 > [unraid ip]:[port]

This works fine until I reboot, and then Docker may or may not change the IP of the container from 172.17.0.1 to something else. This breaks swag until I go into the terminal and manually update the configuration file for nextcloud to the new IP address. It's not a huge deal, but I feel like I am missing some very obvious step to prevent this from happening. I have tried mapping SWAG's proxy config using the container host name but it never works; it only seems to be able to resolve to the internal IP. Would appreciate any ideas on what I need to update, if it's possible to fix this. Thanks!
eagle470 Posted August 27, 2021
I'm trying to add a second top level domain to SWAG and it says it's doing the request, but I can't see that it created the directory or a cert for the TL domain.
bschaeff18 Posted August 29, 2021
Hello, I am using SWAG to get my nextcloud docker to access the internet. But now, all of a sudden, when I try to start SWAG it tries to generate a new cert for nextcloud.FQDN but fails, saying that it could not download the challenge files from the temporary standalone webserver started by Certbot on port 80. I followed @SpaceInvaderOne's tutorial and have the same NAT rules as he did to allow it into the network. I'm really just confused and don't know a whole lot about certs to dive into it.
volcs0 Posted September 1, 2021 (edited)
Edit: I realized that I cannot do this without forwarding port 80. Since I cannot do that, I changed to trying duckdns validation. While I now see that port 443 is open, I am still not able to get my reverse proxy running. I've asked about this in a new thread here:
--------
This is a bit of a complex question. I'm unable to forward in requests, and I think it has to do with the way that Comcast/Xfinity's modem/router works/doesn't work. I'm using default settings for the docker for port 80 (8080-->80) and 443. I have port 443 forwarded to my unRAID box. I do not have port 80 forwarded. Do I need to? I'm getting this error:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: XXXXX.duckdns.org
  Type:   connection
  Detail: Fetching http://XXXXXX.duckdns.org/.well-known/acme-challenge/0JQsgWcr6OCovXfDLxU8F4m3U3t_jHOqawZJ1DyVI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Do I need to set up port 80 to forward to port 8080 on my unRAID? If so, I think I'm out of luck, as XFinity's XFi gateway does not allow you to map one port to another. Any advice on how to mitigate these errors is appreciated. Thanks.
Edited September 1, 2021 by volcs0
Kewjoe Posted September 5, 2021
On 8/24/2021 at 10:54 AM, emptyfish said:
I have a (likely) very basic question on SWAG. I am running several internal applications inside my internal network. Using nextcloud as an example, which I do have set up with a domain name, the docker port mappings show up like this:
172.17.0.1:443 > [unraid ip]:[port]
This works fine until I reboot, and then Docker may or may not change the IP of the container from 172.17.0.1 to something else. This breaks swag until I go into the terminal and manually update the configuration file for nextcloud to the new IP address. It's not a huge deal, but I feel like I am missing some very obvious step to prevent this from happening. I have tried mapping SWAG's proxy config using the container host name but it never works; it only seems to be able to resolve to the internal IP. Would appreciate any ideas on what I need to update, if it's possible to fix this. Thanks!

You shouldn't be using the internal docker IP for any of the configs. You need a custom docker network; then you'll be able to refer to the docker name instead of an IP address. Check out Ibracorp's video on Docker Custom networks: or Spaceinvaderone's video on Reverse Proxy with Swag:
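The fix Kewjoe describes, as an added example (not from the thread and not SWAG's own sample conf): the fragile line beside the corrected one, for the location block of a nextcloud proxy conf. It assumes SWAG and the nextcloud container are both attached to a user-defined bridge network (the thread's proxynet, for instance), that the container is named nextcloud, and that resolver.conf points nginx at Docker's embedded DNS on 127.0.0.11, which is what makes the name lookup work.

```nginx
# Added example (not SWAG's own sample conf). Assumes SWAG and nextcloud
# share a user-defined Docker network and resolver.conf uses Docker's
# embedded DNS (127.0.0.11).
location / {
    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;

    # BEFORE (fragile): a bridge address is handed out at container start
    # and can change on the next reboot, so the proxy breaks until the
    # file is edited by hand.
    # proxy_pass https://172.17.0.1:443;

    # AFTER: using variables in proxy_pass makes nginx resolve the name
    # through the configured resolver on each request instead of once at
    # startup. The container can get a new address freely, and SWAG still
    # starts even when the nextcloud container is down at that moment.
    set $upstream_app nextcloud;       # container name, assumed
    set $upstream_port 443;            # container's own port, assumed
    set $upstream_proto https;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
```

The reason "the container host name never works" on the default bridge is that Docker's default bridge network does not provide name resolution between containers; only user-defined networks do. Once both containers sit on the same custom network, the name resolves, and $upstream_port is the port the app listens on inside its container, not the host-side port from the Unraid port mapping.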