[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


On 1/22/2025 at 10:15 PM, alturismo said:

may rather take a look at the app's configuration, I don't know kimai now, but is there something to set the external url?

may your non native https port needs to be added to the url there too ...

 

also, may if kimal is somehow calling http, your redirect rule in the default site conf from nginx will redirect to https ... may consider changing this to your custom https port too ...

 

overall, not the best idea to use a custom https port but you will have your reasons ...

and you are aware it's "off" standard ...

Thank you for the help.

 

It ended up being that the swag template for kimai is not suitable for this scenario.  I found this on the kimai website for reverse proxies, plus I set environmental variables on the kimai container for TRUSTED_PROXIES and TRUSTED_HOSTS based off some old github comments from the owner (similar to the instructions in the Nextcloud swag conf)

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name kimai.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;

    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

    # enable for Authentik (requires authentik-location.conf in the location block)
    #include /config/nginx/authentik-server.conf;

    location / {
          proxy_pass https://internalIPaddressForKimaiContainerGoesHere:443/;

          proxy_set_header  Host $http_host;
          proxy_set_header  X-Real-IP $remote_addr;
          proxy_set_header  X-Forwarded-Host $host:$server_port;
          proxy_set_header  X-Forwarded-Server $host;
          proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header  X-Forwarded-Proto $scheme;
          proxy_set_header  X-Forwarded-Port $server_port;
    }
    # Redirect HTTP to HTTPS, in case an invalid (plain HTTP) request was sent to port 443
    error_page 497 https://$host:$server_port$request_uri;
}

 

Edited by bhcompy
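The conf above forwards X-Forwarded-For built with $proxy_add_x_forwarded_for, which appends the real peer address to whatever the client already sent, so the backend should only believe entries added by proxies it trusts. An added sketch of that check (not from the post and not Kimai's own code; the function names and the 172.18.0.0/16 proxy subnet are assumptions):

```python
import ipaddress


def _is_trusted(addr, networks):
    """True if addr belongs to a trusted proxy network (ValueError on garbage)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


def _hops(x_forwarded_for):
    return [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]


def naive_client_ip(peer_addr, x_forwarded_for):
    """Anti-pattern: believe the leftmost entry, which the client controls."""
    hops = _hops(x_forwarded_for)
    return hops[0] if hops else peer_addr


def client_ip(peer_addr, x_forwarded_for, trusted_proxies):
    """Resolve the client address the way a TRUSTED_PROXIES-style setting implies.

    peer_addr        -- address of the TCP peer (the reverse proxy, if any)
    x_forwarded_for  -- raw header value, or None
    trusted_proxies  -- list of CIDR strings for proxies allowed to set headers
    """
    networks = [ipaddress.ip_network(n) for n in trusted_proxies]

    # Headers from a peer that is not a trusted proxy are ignored entirely.
    if not _is_trusted(peer_addr, networks):
        return peer_addr

    # Walk right to left: each trusted proxy vouches for the entry before it.
    nearest = peer_addr
    for hop in reversed(_hops(x_forwarded_for)):
        try:
            if not _is_trusted(hop, networks):
                return hop          # first address not added by our own proxies
        except ValueError:
            break                   # malformed entry: trust nothing left of it
        nearest = hop
    return nearest


# Constructed sample: the client at 203.0.113.50 sent its own
# "X-Forwarded-For: 198.51.100.9"; the proxy (172.18.0.2) appended the real peer.
TRUSTED = ["172.18.0.0/16"]
HEADER = "198.51.100.9, 203.0.113.50"

if __name__ == "__main__":
    print("naive  :", naive_client_ip("172.18.0.2", HEADER))
    print("checked:", client_ip("172.18.0.2", HEADER, TRUSTED))
```

The same reasoning applies to X-Forwarded-Host and X-Forwarded-Proto: they are only meaningful when the request arrived from the proxy address listed as trusted.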

  • 1 month later...

Hi, I've tried to secure npm with fail2ban from @linuxserver.io / lscr.io/linuxserver/fail2ban

 

fail2ban triggers IPs correctly:

IPv4:

2025-03-16 15:12:25,087 146D00D56B38 INFO  [npm] Found 80.187.xxx - 2025-03-16 15:12:24
 2025-03-16 15:12:43,834 146D00D56B38 INFO  [npm] Found 80.187.xxx - 2025-03-16 15:12:43
 2025-03-16 15:12:49,078 146D00D56B38 INFO  [npm] Found 80.187.xxx - 2025-03-16 15:12:49
 2025-03-16 15:12:49,177 146D00B4BB38 NOTIC [npm] Ban 80.187.xxx
 2025-03-16 15:12:49,195 146D00B4BB38 ERROR 146d01b5fd20 -- exec: { iptables -w -C f2b-npm -j RETURN >/dev/null 2>&1; } || { iptables -w -N f2b-npm || true; iptables -w -A f2b-npm -j RETURN; }
for proto in $(echo 'tcp' | sed 's/,/ /g'); do  
{ iptables -w -C DOCKER-USER -p $proto -m multiport --dports 12345 -j f2b-npm >/dev/null 2>&1; } || { iptables -w -I DOCKER-USER -p $proto -m multiport --dports 12345 -j f2b-npm; }
done
 2025-03-16 15:12:49,196 146D00B4BB38 ERROR 146d01b5fd20 -- stderr: 'iptables: No chain/target/match by that name.'  
 2025-03-16 15:12:49,196 146D00B4BB38 ERROR 146d01b5fd20 -- returned 1
 2025-03-16 15:12:49,196 146D00B4BB38 ERROR Failed to execute ban jail 'npm' action 'iptables-multiport' info 'ActionInfo({'ip': '80.187.xxx', 'family': 'inet4', 'fid': <function Actions.ActionInfo.<lambda> at 0x146d01b85a80>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x146d01b86200>})': Error starting action Jail('npm')/iptables-multiport: 'Script error' 

IPv6:

2025-03-16 15:05:59,104 146D00D56B38 INFO  [npm] Found 2003:da:xxx - 2025-03-16 15:05:58
 2025-03-16 15:06:02,336 146D00D56B38 INFO  [npm] Found 2003:da:xxx - 2025-03-16 15:06:01
 2025-03-16 15:06:09,597 146D00D56B38 INFO  [npm] Found 2003:da:xxx - 2025-03-16 15:06:09
 2025-03-16 15:06:10,344 146D00B4BB38 NOTIC [npm] Ban 2003:da:xxx
 2025-03-16 15:06:10,379 146D00B4BB38 ERROR 146d01b796f0 -- exec: { ip6tables -w -C f2b-npm -j RETURN >/dev/null 2>&1; } || { ip6tables -w -N f2b-npm || true; ip6tables -w -A f2b-npm -j RETURN; }
for proto in $(echo 'tcp' | sed 's/,/ /g'); do  
{ ip6tables -w -C DOCKER-USER -p $proto -m multiport --dports 12345 -j f2b-npm >/dev/null 2>&1; } || { ip6tables -w -I DOCKER-USER -p $proto -m multiport --dports 12345 -j f2b-npm; }
done
 2025-03-16 15:06:10,381 146D00B4BB38 ERROR 146d01b796f0 -- stderr: 'ip6tables: No chain/target/match by that name.'  
 2025-03-16 15:06:10,382 146D00B4BB38 ERROR 146d01b796f0 -- returned 1
 2025-03-16 15:06:10,383 146D00B4BB38 ERROR Failed to execute ban jail 'npm' action 'iptables-multiport' info 'ActionInfo({'ip': '2003:da:xxx', 'family': 'inet6', 'fid': <function Actions.ActionInfo.<lambda> at 0x146d01b85a80>, 'raw-ticket': <function Actions.ActionInfo.<lambda> at 0x146d01b86200>})': Error starting action Jail('npm')/iptables-multiport: 'Script error'  

 

it seems that the fail2ban container can't access iptables, although it has privileged rights.

 

jail.local:

[DEFAULT]
bantime  = 4h
maxretry = 3

[npm]
enabled = true
port 	= 12345
backend = polling
logpath = /var/log/proxy-host-*_error.log
chain   = DOCKER-USER
action  = %(known/action)s

 

any ideas?

 

unraid 7.0.1

 

Hi, I updated SWAG this morning to the latest release but now SWAG doesn't seem to work.
If i click on SWAG and choose logs I'm getting spammed with:

2025/03/17 11:37:58 [emerg] 2164#2164: module "/var/lib/nginx/modules/ngx_http_lua_module.so" version 1026003 instead of 1026002 in /etc/nginx/modules/30_http_lua.conf:1

 

I can't access any resource behind swag.

 

Crowdsec enabled and fail2ban disabled.


Any tips?

Edited by lusitopp

I got closer to the problem:

the container uses "iptables v1.8.10 (nf_tables)"
Unraid uses: "iptables v1.8.11 (legacy)"

@linuxserver.io could you solve this ?
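The logs above show fail2ban writing a "Ban" notice even though the iptables action failed, so counting Ban lines overstates what is actually blocked. An added audit sketch (not part of the posts and not fail2ban or linuxserver.io code; the function names and sample lines are constructed) that lists bans whose action failed and compares the two `iptables --version` strings quoted above:

```python
import re
from collections import defaultdict

# Patterns follow the fail2ban log lines quoted in the posts above.
BAN_RE = re.compile(r"NOTIC\w*\s+\[(?P<jail>[^\]]+)\]\s+Ban\s+(?P<ip>\S+)")
FAIL_RE = re.compile(
    r"ERROR\s+Failed to execute ban jail '(?P<jail>[^']+)' "
    r"action '(?P<action>[^']+)'.*?'ip': '(?P<ip>[^']+)'"
)
STDERR_RE = re.compile(r"ERROR\s+\S+ -- stderr: '(?P<msg>.*)'")
VERSION_RE = re.compile(r"iptables v(?P<ver>[\d.]+) \((?P<backend>[\w-]+)\)")

# Constructed sample (documentation addresses), modelled on the thread's log.
SAMPLE_LOG = """\
2025-03-16 15:12:49,078 146D00D56B38 INFO  [npm] Found 203.0.113.7 - 2025-03-16 15:12:49
2025-03-16 15:12:49,177 146D00B4BB38 NOTIC [npm] Ban 203.0.113.7
2025-03-16 15:12:49,196 146D00B4BB38 ERROR 146d01b5fd20 -- stderr: 'iptables: No chain/target/match by that name.'
2025-03-16 15:12:49,196 146D00B4BB38 ERROR 146d01b5fd20 -- returned 1
2025-03-16 15:12:49,196 146D00B4BB38 ERROR Failed to execute ban jail 'npm' action 'iptables-multiport' info 'ActionInfo({'ip': '203.0.113.7', 'family': 'inet4'})': Error starting action Jail('npm')/iptables-multiport: 'Script error'
2025-03-16 15:20:10,344 146D00B4BB38 NOTIC [npm] Ban 2001:db8::7
2025-03-16 15:20:10,381 146D00B4BB38 ERROR 146d01b796f0 -- stderr: 'ip6tables: No chain/target/match by that name.'
2025-03-16 15:20:10,383 146D00B4BB38 ERROR Failed to execute ban jail 'npm' action 'iptables-multiport' info 'ActionInfo({'ip': '2001:db8::7', 'family': 'inet6'})': Error starting action Jail('npm')/iptables-multiport: 'Script error'
2025-03-16 15:30:00,000 146D00B4BB38 NOTIC [sshd] Ban 198.51.100.23
"""


def audit_bans(lines):
    """Return ({jail: {...}}, [stderr messages]) for an iterable of log lines."""
    banned = defaultdict(set)      # jail -> IPs fail2ban decided to ban
    failed = defaultdict(dict)     # jail -> {ip: action that failed}
    errors = set()                 # stderr text from failed action scripts
    for line in lines:
        if m := BAN_RE.search(line):
            banned[m["jail"]].add(m["ip"])
        elif m := FAIL_RE.search(line):
            failed[m["jail"]][m["ip"]] = m["action"]
        elif m := STDERR_RE.search(line):
            errors.add(m["msg"])
    report = {
        jail: {
            "banned": sorted(ips),
            # Logged as banned, but the firewall action never applied.
            "unenforced": sorted(ip for ip in ips if ip in failed[jail]),
            "failed_actions": sorted(set(failed[jail].values())),
        }
        for jail, ips in banned.items()
    }
    return report, sorted(errors)


def iptables_backend(version_output):
    """Parse `iptables --version` output into (version, backend), or None."""
    m = VERSION_RE.search(version_output)
    return (m["ver"], m["backend"]) if m else None


def backend_mismatch(container_version, host_version):
    """True when container and host use different iptables backends.

    The nf_tables and legacy backends keep separate rule sets, so a chain
    created through one (such as DOCKER-USER) is not visible through the other.
    """
    c, h = iptables_backend(container_version), iptables_backend(host_version)
    if not (c and h):
        return None
    return c[1] != h[1]


if __name__ == "__main__":
    report, errors = audit_bans(SAMPLE_LOG.splitlines())
    for jail, info in report.items():
        print(jail, "banned:", info["banned"], "unenforced:", info["unenforced"])
    print("stderr:", errors)
    print("backend mismatch:",
          backend_mismatch("iptables v1.8.10 (nf_tables)", "iptables v1.8.11 (legacy)"))
```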

Updated the swag container today, and I get a load of these messages repeated over and over - and while it is started, it does not work.

 

2025/03/18 07:47:34 [alert] 3024#3024: failed to load the 'resty.core' module (https://github.com/openresty/lua-resty-core); ensure you are using an OpenResty release from https://openresty.org/en/download.html (reason: /usr/share/lua/common/resty/core/base.lua:24: ngx_http_lua_module 0.10.27 required) in /config/nginx/nginx.conf:172

 

I looked at line 172 that I suppose it is referring to (I am not good with this stuff), and it just has a ')' - so I assume it is that whole section ?

 

image.png.a43e099e581f9ea054caf1eb81dad5c0.png

 

Further to this - Edited - I moved in all the sample files and still get this issue........ As I have used nginx, then swag for 10+ years and had a load of my own custom config - so I assume it is in the container itself.

 

FIXED - ok the issue is the crowdsec dockermod for the swag container.  

 

ghcr.io/linuxserver/mods:swag-crowdsec

 

If you have the docker mod for this, then this crashes with this error as shown above.

I have removed it for now.

 

 

Edited by vw-kombi
more testing.

12 hours ago, vw-kombi said:

FIXED - ok the issue is the crowdsec dockermod for the swag container.  

 

ghcr.io/linuxserver/mods:swag-crowdsec

 

If you have the docker mod for this, then this crashes with this error as shown above.

I have removed it for now.

Thanks for the tip!

 

For anyone else who hits this, it's not stopping the crowdsec container, but updating the swag container's DOCKER_MODS value to not include it.

Make sure you backup what you have there (I used the description field on that value) so can reinstate when the issue gets resolved.

 

Cheers

  • 4 weeks later...

Hey folks, I'm using SWAG as a web server via the www directory and trying to run PHP scripts on my web pages. The pages are saved as .php files, however they don't appear to be getting passed off to the PHP engine. When I access the pages in a browser, it appears as though it's trying to parse the PHP as if it's html. The inspector in Firefox shows me, for instance...

 

<!--? phpinfo(); ?-->

 

... instead of the results of the function.

 

I've confirmed via the console that PHP 8.3.19 is installed in the container, as expected, and I haven't changed anything, so it should be configured per linuxserver defaults - is there some configuration option that I have to change to enable the PHP engine to execute files in the www directory?

 

EDIT - I gather swag/nginx/site-confs/default.conf is what controls this. Here is how I have that configured...

 

# main server block
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    server_name www.mydomain.name mydomain.name;

    include /config/nginx/ssl.conf;

    root /config/www;
    index index.html index.htm index.php;

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;

    # enable for ldap auth (requires ldap-location.conf in the location block)
    #include /config/nginx/ldap-server.conf;

    # enable for Authelia (requires authelia-location.conf in the location block)
    #include /config/nginx/authelia-server.conf;

    # enable for Authentik (requires authentik-location.conf in the location block)
    #include /config/nginx/authentik-server.conf;

    location / {
        # enable for basic auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

        try_files $uri $uri/ /index.html /index.htm /index.php$is_args$args;
    }

    location ~ ^(.+\.php)(.*)$ {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable for ldap auth (requires ldap-server.conf in the server block)
        #include /config/nginx/ldap-location.conf;

        # enable for Authelia (requires authelia-server.conf in the server block)
        #include /config/nginx/authelia-location.conf;

        # enable for Authentik (requires authentik-server.conf in the server block)
        #include /config/nginx/authentik-location.conf;

        fastcgi_split_path_info ^(.+\.php)(.*)$;
        if (!-f $document_root$fastcgi_script_name) { return 404; }
        fastcgi_pass 127.0.0.1:9000;
        fastcgi_index index.php;
        include /etc/nginx/fastcgi_params;
    }

    # deny access to .htaccess/.htpasswd files
    location ~ /\.ht {
        deny all;
    }
}

 EDIT #2 many months later because I was embarrassed - Turns out I was configuring short_open_tag=On in a place that was getting overwritten every time I restarted the container. Set the variable in the php-local.ini stored in /mnt/user/appdata/swag/php/ instead and it persists. Updating so someone as dumb as me will have an answer if they're trying to google it.

Edited by DogEatWaffle
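With short_open_tag off, everything between `<?` and `?>` is sent to the browser as text, which is what the Firefox inspector showed above, and it means the page's PHP source is served to visitors. An added checker (not from the post and not part of SWAG; the function names and sample files are constructed) that reads the effective short_open_tag value from layered ini text and lists the .php files under a web root that depend on it:

```python
import re
import tempfile
from pathlib import Path

# "<?" that is not "<?php", "<?=" (always enabled) or an "<?xml" declaration.
SHORT_TAG_RE = re.compile(r"<\?(?!php\b|=|xml\b)", re.IGNORECASE)
# An active (not ;-commented) short_open_tag line in a php ini file.
INI_RE = re.compile(r"^\s*short_open_tag\s*=\s*([^;\s]+)", re.IGNORECASE | re.MULTILINE)
TRUE_VALUES = {"1", "on", "true", "yes"}

# Constructed sample web root: path -> file content.
SAMPLE_FILES = {
    "info.php": "<html>\n<? phpinfo(); ?>\n</html>\n",
    "ok.php": "<?php echo 'hi'; ?>\n<?= 1 + 1 ?>\n",
    "sub/feed.php": '<?xml version="1.0"?>\n<?php echo 1;\n',
}


def short_open_tag_enabled(ini_layers):
    """ini_layers: ini file contents in load order, later files win.

    Returns True/False for the last active setting, or None if none sets it.
    """
    value = None
    for text in ini_layers:
        for m in INI_RE.finditer(text):
            value = m.group(1).strip('"').lower() in TRUE_VALUES
    return value


def find_short_open_tags(source):
    """Return [(line_number, stripped_line)] for lines using a bare '<?'."""
    return [
        (lineno, line.strip())
        for lineno, line in enumerate(source.splitlines(), start=1)
        if SHORT_TAG_RE.search(line)
    ]


def scan_webroot(root):
    """Map relative path -> hits for every .php file that uses short open tags."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hits = find_short_open_tags(path.read_text(encoding="utf-8", errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def write_sample(root):
    """Materialise SAMPLE_FILES under root (used by the demo below)."""
    for rel, content in SAMPLE_FILES.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")


if __name__ == "__main__":
    # Constructed ini layers: a base file, then a local override that persists.
    layers = ["short_open_tag = Off\n", "; local overrides\nshort_open_tag = On\n"]
    with tempfile.TemporaryDirectory() as tmp:
        write_sample(tmp)
        print("short_open_tag:", short_open_tag_enabled(layers))
        for rel, hits in scan_webroot(tmp).items():
            for lineno, line in hits:
                print(f"{rel}:{lineno}: {line}")
```

The match is a text heuristic, so a `<?` inside a string literal is also reported; files it flags are the ones to convert to `<?php` if the setting cannot be relied on.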

  • 2 weeks later...

getting a lot of errors in nginx error log lately. I assume it's trying to validate the letsencrypt certificate and failing?
My sites seem to work ok 

massive amounts of these errors not sure what changed in swag lately but there really isn't an indication that there is a problem without looking

 

2025/04/21 17:35:20 [error] 984#984: e6.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: e6.o.lencr.org, certificate: "/config/keys/cert.crt"
2025/04/21 17:43:09 [error] 986#986: e6.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: e6.o.lencr.org, certificate: "/config/keys/cert.crt"




server: za.*, request: "POST /api/webhook/18b659ea610297da1687675d589e2c33bbb52f42d654bea0b734f5ba1822b7bd HTTP/1.1", upstream: "http://192.168.1.1:8123/api/webhook/18b659ea610297da1687675d589e2c33bbb52f42d654bea0b734f5ba1822b7bd", host: "mydomain"
2025/04/22 18:11:36 [error] 955#955: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 18.210.179.88, server: za.*, request: "POST /api/webhook/18b659ea610297da1687675d589e2c33bbb52f42d654bea0b734f5ba1822b7bd HTTP/1.1", upstream: "http://192.168.1.1:8123/api/webhook/18b659ea610297da1687675d589e2c33bbb52f42d654bea0b734f5ba1822b7bd", host: "mydomain"
2025/04/22 18:11:39 [error] 959#959: e6.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: e6.o.lencr.org, certificate: "/config/keys/cert.crt"
2025/04/22 18:11:40 [error] 960#960: e6.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: e6.o.lencr.org, certificate: "/config/keys/cert.crt"

 

 

image.thumb.png.1f0d9722254e29845ac61f958d8132ef.png

Edited by xokia

is no one else seeing these issues? Kinda quiet in here.

bueller.jpg

Not seeing this no…..

It would appear that nginx is unable to resolve dns.

 

/etc/resolv.conf

nameserver 127.0.0.11
options ndots:0
 

This appears to point to the docker dns which should in return point to the host dns. The host dns resolves. I cant seem to change the /etc/resolv.conf file in swag as each time I change it then restart swag it recreates itself.

 

I can't figure out why the docker container is unable to resolve dns if the host can. This is a relatively new occurrence and I haven't changed anything in swag or unraid other than the pushed updates. Any help would be appreciated

 

 

host dns below

root@Server:~# dig A r3.o.lencr.org @1.1.1.1 +short
dig A r3.o.lencr.org @1.0.0.1 +short
dig A r3.o.lencr.org @8.8.8.8 +short
o.lencr.edgesuite.net.
a1887.dscq.akamai.net.
104.100.168.73
104.100.168.115
o.lencr.edgesuite.net.
a1887.dscq.akamai.net.
104.103.68.73
104.103.68.105

; <<>> DiG 9.16.42 <<>> A r3.o.lencr.org @8.8.8.8 +short
;; global options: +cmd
;; connection timed out; no servers could be reached

Edited by xokia

I remember having something similar for another container.  It was a while back and not swag.  I googled it and maybe I did this - 

 

Configure DNS for Docker Containers

Docker containers may not inherit the host's DNS settings. To force proper DNS resolution for containers:

Edit the Docker daemon configuration file:

Go to Settings > Docker in Unraid.

Under "Docker custom network DNS server", add 1.1.1.1 and 8.8.8.8.

*Sometimes a network reload helps here:
 

/etc/rc.d/rc.docker restart

Now I am confused if I ping the offending address from the swag container it resolves!
Maybe there is something wrong with letsencrypt? I know my error log is full of these it appears it tries every 5 min or so.
 

2025/05/02 18:14:06 [error] 961#961: e6.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: e6.o.lencr.org, certificate: "/config/keys/cert.crt"
2025/05/02 18:19:46 [error] 969#969: e6.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: e6.o.lencr.org, certificate: "/config/keys/cert.crt"
2025/05/02 18:19:58 [error] 970#970: e6.o.lencr.org could not be resolved (110: Operation timed out) while requesting certificate status, responder: e6.o.lencr.org, certificate: "/config/keys/cert.crt"

 

PING e6.o.lencr.org (23.32.152.232): 56 data bytes
64 bytes from 23.32.152.232: seq=0 ttl=45 time=29.889 ms
64 bytes from 23.32.152.232: seq=1 ttl=45 time=30.711 ms
64 bytes from 23.32.152.232: seq=2 ttl=45 time=29.913 ms
64 bytes from 23.32.152.232: seq=3 ttl=45 time=30.170 ms
64 bytes from 23.32.152.232: seq=4 ttl=45 time=29.624 ms
64 bytes from 23.32.152.232: seq=5 ttl=45 time=30.873 ms
64 bytes from 23.32.152.232: seq=6 ttl=45 time=29.585 ms
^C
--- e6.o.lencr.org ping statistics ---
7 packets transmitted, 7 packets received, 0% packet loss
round-trip min/avg/max = 29.585/30.109/30.873 ms

 

Edited by xokia

Stop docker, then try the above settings.

13 hours ago, vw-kombi said:

Stop docker, then try the above settings.

I run my own dns server .20 is my dns server. I tried manually adding the dns to the swag container. I also tried --dns 8.8.8.8 --dns 1.1.1.1 made zero difference.

 

image.thumb.png.bd6fc8c6315338eff566df7cc156a2c5.png

 

 

There is no option for custom dns server under the docker setting

image.thumb.png.aa29331ca217d10d98c64e2ea8a2d073.png

Edited by xokia

I found where I had this exact same issue.  It was with the iCloudPD container.  Reason I could not find it here was I posted on their discord support.

 

issue was the tailscale plugin.

 

i uninstalled that and dns worked again.

 

attaching screenshot of my post.  Something to do with magic dns.

 

 

 

 

IMG_0973.png

14 hours ago, vw-kombi said:

I found where I had this exact same issue.  It was with the iCloudPD container.  Reason I could not find it here was I posted on their discord support.

 

issue was the tailscale plugin.

 

i uninstalled that and dns worked again.

 

attaching screenshot of my post.  Something to do with magic dns.

 

 

 

 

IMG_0973.png

The plugin disables Tailscale DNS by default. Unfortunately, one of the popular video tutorial makers put out a video a while back that directed people to turn it on, which is probably why you had the issue.

On 3/17/2025 at 11:46 AM, Avenga said:

I got closer to the problem:

the container uses "iptables v1.8.10 (nf_tables)"
Unraid uses: "iptables v1.8.11 (legacy)"

@linuxserver.io could you solve this ?

I'm having the same issue. fail2ban detects and blocks IP but it's not being applied to host machine's iptables

13 hours ago, EDACerton said:

The plugin disables Tailscale DNS by default. Unfortunately, one of the popular video tutorial makers put out a video a while back that directed people to turn it on, which is probably why you had the issue.

Dunno about that - I never did any config to it, or watched any youtubes, just installed it one day, did the setup, then a few days later realised icloudPD container was not working.  All other containers were working fine, just not that one.  Uninstalled plugin, it works again, I tried installing it again to prove that was it, and it stopped again - never installed it again (I have tailscale with advertise routes on another always on machine (my home assistant and CCTV system) - so it's not really needed on unraid).

  • 2 months later...

Running into an issue with swag on startup. seeing this error (redacted my domains and other private info) :

Docker run:

docker run
  -d
  --name='SWAG'
  --net='br2.80'
  --ip='10.168.80.50'
  --pids-limit 2048
  --privileged=true
  -e TZ="America/New_York"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="XXXXXX"
  -e HOST_CONTAINERNAME="SWAG"
  -e 'TCP_PORT_80'='80'
  -e 'TCP_PORT_443'='443'
  -e 'EMAIL'='XXXXXXXX'
  -e 'URL'='st6.com'
  -e 'SUBDOMAINS'='XXXXXX,XXXXXX,XXXXXX'
  -e 'ONLY_SUBDOMAINS'='true'
  -e 'VALIDATION'='dns'
  -e 'DNSPLUGIN'='cloudflare'
  -e 'EXTRA_DOMAINS'=''
  -e 'STAGING'='false'
  -e 'DUCKDNSTOKEN'=''
  -e 'PROPAGATION'='30'
  -e 'MAXMINDDB_LICENSE_KEY'='XXXXXXXXXXXX'
  -e 'DOCKER_MODS'='linuxserver/mods:swag-maxmind'
  -e 'MAXMINDDB_USER_ID'='1190058'
  -e 'PUID'='99'
  -e 'PGID'='100'
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.webui='https://[IP]:[PORT:443]'
  -l net.unraid.docker.icon='https://raw.githubusercontent.com/linuxserver/docker-templates/master/linuxserver.io/img/linuxserver-ls-logo.png'
  -v '/mnt/user/appdata/joeproxy_2':'/config':'rw'
  -v '/mnt/user/remotelogs/XXXXXX/':'/var/log/':'rw'
  --cap-add=NET_ADMIN 'lscr.io/linuxserver/swag'

Log output:

Using Let's Encrypt as the cert provider

SUBDOMAINS entered, processing

Sub-domains processed are: XXXXXXXX

E-mail address entered: XXXXXXXX

dns validation via cloudflare plugin is selected

Generating new certificate

ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

Running CERTBOT by itself works:

root@XXXXXX:/mnt/cache/appdata/cloudflare-ddns-config# docker exec -it XXXXXXX certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /config/dns-conf/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 30 \
  -d joeflix.st6.com \
  --email XXXXXXXX \
  --agree-tos \
  --non-interactive

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Account registered.

Requesting a certificate for XXXXXXXX

Waiting 30 seconds for DNS changes to propagate

Successfully received certificate.

Certificate is saved at: /etc/letsencrypt/live/XXXXXXXX/fullchain.pem

Key is saved at:         /etc/letsencrypt/live/XXXXXXXXX/privkey.pem

This certificate expires on 2025-10-19.

These files will be updated when the certificate renews.

NEXT STEPS:

- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

If you like Certbot, please consider supporting our work by:

* Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate

* Donating to EFF:                    https://eff.org/donate-le

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

This tells me that my cloudflare.ini keys are correct and the file permissions are working. I'm at a loss on what could be happening. It has been working fine for a few years.

Running into an issue with swag on startup. seeing this error (redacted my domains and other private info) :

docker run
  -d
  --name='SWAG'
  --net='br2.80'
  --ip='10.168.80.50'
  --pids-limit 2048
  --privileged=true
  -e TZ="America/New_York"
  -e HOST_OS="Unraid"
  -e HOST_HOSTNAME="XXXXXX"
  -e HOST_CONTAINERNAME="SWAG"
  -e 'TCP_PORT_80'='80'
  -e 'TCP_PORT_443'='443'
  -e 'EMAIL'='XXXXXXXX'
  -e 'URL'='XXXX.XXX'
  -e 'SUBDOMAINS'='XXXXXX,XXXXXX,XXXXXX'
  -e 'ONLY_SUBDOMAINS'='true'
  -e 'VALIDATION'='dns'
  -e 'DNSPLUGIN'='cloudflare'
  -e 'EXTRA_DOMAINS'=''
  -e 'STAGING'='false'
  -e 'DUCKDNSTOKEN'=''
  -e 'PROPAGATION'='30'
  -e 'MAXMINDDB_LICENSE_KEY'='XXXXXXXXXXXX'
  -e 'DOCKER_MODS'='linuxserver/mods:swag-maxmind'
  -e 'MAXMINDDB_USER_ID'='XXXXXXX'
  -e 'PUID'='99'
  -e 'PGID'='100'
  -l net.unraid.docker.managed=dockerman
  -l net.unraid.docker.webui='[IP]:[PORT:443]'
  -l net.unraid.docker.icon='linuxserver-ls-logo.png'
  -v '/mnt/user/appdata/joeproxy_2':'/config':'rw'
  -v '/mnt/user/remotelogs/XXXXXX/':'/var/log/':'rw'
  --cap-add=NET_ADMIN 'lscr.io/linuxserver/swag'

Log output:

Using Let's Encrypt as the cert provider

SUBDOMAINS entered, processing

Sub-domains processed are: XXXXXXXX

E-mail address entered: [XXXXXXXX]

dns validation via cloudflare plugin is selected

Generating new certificate

certbot: error: unrecognized arguments: --dns--propagation-seconds=30

ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

Running CERTBOT by itself works:

root:/mnt/cache/appdata/cloudflare-ddns-config# docker exec -it XXXXXXX certbot certonly \
  --dns-cloudflare \
  --dns-cloudflare-credentials /config/dns-conf/cloudflare.ini \
  --dns-cloudflare-propagation-seconds 30 \
  -d XXXXXXXX \
  --email [XXXXXXXX] \
  --agree-tos \
  --non-interactive

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Account registered.

Requesting a certificate for XXXXXXXX

Waiting 30 seconds for DNS changes to propagate

Successfully received certificate.

Certificate is saved at: /etc/letsencrypt/live/XXXXXXXX/fullchain.pem

Key is saved at: /etc/letsencrypt/live/XXXXXXXXX/privkey.pem

This certificate expires on 2025-10-19.

These files will be updated when the certificate renews.

NEXT STEPS:

- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Comments:

This tells me that my cloudflare.ini keys are correct and the file permissions are working. I'm at a loss on what could be happening. It has been working fine for a few years. I can confirm the same error occurs when using ZeroSSL.

  • 1 month later...

I've been Googling my a$$ off and can't figure this one out. I already had a Cloudflare account, and created a new domain for a website that I'm wanting to host. I created an account with zerossl. I installed swag and set up the Cloudflare tunnels for the new site, ports 80 & 443, for both mydomain.net and www.mydomain.net.

Initially, I was getting "too many redirects" when I tried to open the new site (nothing uploaded to it yet - just straight up SWAG). It loads fine if I go to the local ip. I had previously set Cloudflare SSL to "Full (Strict)" as a suggested fix. Still too many redirects. I solved the redirects by commenting out the port 80 section of the 'default.conf' file, but now I'm getting a 502-Bad Gateway error when using the domain name for the site. I've since uncommented out those lines, but am back to the Bad Gateway issue.

This seems to be a common issue, but the suggested fixes are all over the place. Any help would be fantastic.

  • 1 month later...

I finally RESOLVED my Swag dashboard issue with repeated '504 Gateway Time-out'. I simply had to increase the timeout in my 'dashboard.subdomain.conf' file. I do wish this mod was faster at reloading, typically takes ~2 minutes to load every time.

        proxy_read_timeout 300s;
        proxy_send_timeout 300s;
        proxy_connect_timeout 300s;
