[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)

I thought I should put this somewhere. I switched to Porkbun for my ssl certificate a few months ago, and the cert renewal failed earlier this month. This might have been the first renewal, I'm not sure.

It turned out that the certbot-dns-porkbun plugin shipping with the Swag docker was old, something like 0.5.1 or thereabouts. This no longer works with the porkbun api.

My workaround was:

  1. add linuxserver/mods:universal-package-install to DOCKER_MODS. In my case this means DOCKER_MODS = linuxserver/mods:swag-dashboard|linuxserver/mods:universal-package-install

  2. add a variable, INSTALL_PIP_PACKAGES with the value certbot-dns-porkbun -U

This causes the porkbun plugin to be updated to the latest, so it works with the API again.

There might be a better way but this works for me and I have a working SSL cert again.

  • 3 months later...

Hello again folks. I added the CrowdSec mod to swag, running alongside Ibracorp's CrowdSec container. Everything appears to be set up correctly and working - logs are being acquired & parsed, lines poured to buckets, buckets occasionally overflowing, decisions being made, and decisions being enforced by the nginx bouncer inside the swag container.

The one issue I have is that the bouncer is not reporting remediation metrics. Maybe I haven't been running it long enough for them to show up. I'm not entirely sure what type of metrics should show up for bouncers, but I was assuming I would see the blocks in there. I can tell it is blocking via logs, and non-empty answers in the LAPI decisions metrics. I'm under the impression that the nginx bouncer supports reporting metrics, but when I use the command cscli metrics show bouncers I get no bouncer metrics found.

Hi, I am using a Unifi USG with Region Blocking for incoming traffic.

From which country (and maybe also IP range) is the Cert Renewal coming?

With my current setup the autorenewal is not working and I have to disable region blocking, restart swag and activate again after the renewal.

1 hour ago, ebnerjoh said:

Hi, I am using a Unifi USG with Region Blocking for incoming traffic.

From which country (and maybe also IP range) is the Cert Renewal coming?

With my current setup the autorenewal is not working and I have to disable region blocking, restart swag and activate again after the renewal.

During renewal, validation requests (like HTTP-01) might hit servers in different countries, so you can't restrict validation to just one country.

They use servers and CDN points globally for validation, not just one location.

Use the geoblocking in swag instead, I've never had an issue with that.

SWAG and Authelia

I wanted to enable Authelia for authentication of some sites that did not have their own. The only documentation I could find was quite old and out of date. I am writing this down for my own memory, and perhaps others who are looking to do the same.

The example I give uses a username and password authentication, and a TOTP one-time password for multi-factor authentication. I used Bitwarden for the TOTP, but you can use whatever authenticator you want. It keeps user accounts stored in a users_database.yml file and does not send email notifications. Once the basic system is working, you can configure additional settings like email notifications.

Basic Setup

Find and install the Authelia official container. Keep default settings except for the Network Type. Set the network type to the same custom network that your SWAG instance uses. This is required so that the dockers can find each other by name.

Run the Authelia docker. It will start, then immediately stop. This generates the default configuration file. There are many more options in the config file than covered here. The following are the only options I had uncommented and set.

# yamllint disable rule:comments-indentation
---
###############################################################################
##                           Authelia Configuration                          ##
###############################################################################
theme: 'dark'
server:
  address: 'tcp://:9091/auth'
  buffers:
    read: 4096
    write: 4096
log:
  level: 'info'
  file_path: '/config/logs/authelia.log'
  keep_stdout: true
totp:
  disable: false
  issuer: 'authelia.com'
  algorithm: 'SHA1'
  digits: 6
  period: 30
  skew: 1
  secret_size: 32
  allowed_algorithms:
    - 'SHA1'
  allowed_digits:
    - 6
  allowed_periods:
    - 30
  disable_reuse_security_policy: false
identity_validation:
  reset_password:
    jwt_secret: 'a_very_important_secret'
authentication_backend:
  password_reset:
    disable: false
  file:
    path: '/config/users_database.yml'
    password:
      algorithm: 'argon2'
      argon2:
        variant: 'argon2id'
        iterations: 1
        memory: 65536
        parallelism: 8
        key_length: 32
        salt_length: 16
access_control:
  default_policy: 'deny'
  rules:
    - domain:
      - 'example.com'
      - '*.example.com'
      policy: 'two_factor'
session:
  secret: 'another_very_important_secret'
  cookies:
    -
      name: 'authelia_session'
      domain: 'example.com'
      authelia_url: 'https://auth.example.com'
      default_redirection_url: 'https://www.example.com'
      inactivity: '5 minutes'
      expiration: '1 hour'
      remember_me: '1 month'
regulation:
  max_retries: 3
  find_time: '2 minutes'
  ban_time: '5 minutes'
storage:
  encryption_key: 'another_very_long_important_secret_that_is_min_20_chars_long'
  local:
    path: '/config/db.sqlite3'
notifier:
  filesystem:
    filename: '/config/notification.txt'
...

Next, ssh into Unraid and navigate to the Authelia docker folder. Create a users_database.yml file.

Example:

users:
  yourUsername:
    disabled: false
    displayname: 'Your User Display Name'
    password: '$argon2id$v=19$m=65536,t=1,p=8$uyRxCPxOsvVeJ4rzU+/56w$tT1sAyalTfAbQNWtq/ZaK83mhduPc22BBa0Y9KkCSBE'
    email: '[email protected]'
    groups:
      - admins

There has to be a valid account/password in order to get the Authelia docker to actually start, so use the password line above which is from a randomly generated 64 character string. In the next step we will be replacing it.

With the configuration.yml and users_database.yml file generated, you should now be able to start the Authelia docker.

To generate a secure Password and Digest for authentication, on the Unraid Docker page, on the Authelia docker, select Console to open a terminal within the docker.

At the prompt type in 'authelia crypto hash generate argon2 --random'. This will generate a random password and the corresponding hash. Copy this information. If you don't want it to be a randomly generated password, you can replace the '--random' with '--password yourpassword'.

Example:

/app # authelia crypto hash generate argon2 --random

Random Password: 0gC87ufWReolAn8OvE59XR7qOHACYKs0DGtfeCzYJKdks38gGGfA1z7wAjtWCChCKOMthThJ

Digest: $argon2id$v=19$m=65536,t=1,p=8$Odxvn8jWnrsUXt7ghztL0g$sHaRzqroRRsuuRoNqsR2dnmByLPNAogJo3/m6tbOTFo

Copy both the Password and the Digest. This is the password you will use to authenticate to Authelia. Save it somewhere and don't lose it, as you can't recover it or regenerate it later. Copy the Digest string starting with the $argon to the end of the line.

Edit the users_database.yml file and replace the digest string on the password line. Make sure to keep the quote marks surrounding the digest string.

Now to configure SWAG.

Stop the SWAG docker.

In the appdata/swag/nginx folder, copy the authelia-location.conf.sample file and name it authelia-location.conf. Copy the authelia-server.conf.sample file and name it authelia-server.conf. The default configurations should work.

Copy the swag/nginx/proxy-confs/authelia.subdomain.conf.sample file to swag/nginx/site-confs/authelia.subdomain.conf

Edit the authelia.subdomain.conf file and change 'server_name authelia.*;' to 'server_name auth.*;'

This is the only change to this file.

To use Authelia for a specific site, edit the site's .conf file in the site-confs. Uncomment the 'include /config/nginx/authelia-server.conf;' and 'include /config/nginx/authelia-location.conf;' lines and save.

Restart the SWAG container and you should be able to go to your site. It should automatically redirect you to the Authelia page to log in. After logging in, it should redirect you to the site.

With the TOTP enabled, the first time you attempt to log in, it will prompt you to create/store the config. Since I do not have email notifications enabled, the codes are instead generated in the appdata/Authelia/notification.txt file. Get the code from there and proceed to setting up your TOTP manager. In the second step, it generates a QR code which is used to set up your TOTP manager. I used Bitwarden, but it should work for any TOTP manager.

This config has worked for me. Hopefully it will be useful for others.

Edited by mattekure
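
A check for the values the walkthrough above says to replace, as an added example that is not part of the original post or of Authelia: it flags the three placeholder secrets and the two digests printed in the post if they are still present in a config directory. The function names and the constructed sample directory are assumptions.

```shell
#!/bin/sh
# Added example, not Authelia tooling: flag tutorial values left in a live
# Authelia config directory. Function names here are assumptions.

# Placeholder secrets exactly as written in the post's configuration.yml.
PLACEHOLDERS='a_very_important_secret
another_very_important_secret
another_very_long_important_secret_that_is_min_20_chars_long'

# Salt fields of the two argon2id digests printed in the post. A digest that
# carries one of them was copied from the page, not generated locally.
PUBLISHED_SALTS='uyRxCPxOsvVeJ4rzU+/56w
Odxvn8jWnrsUXt7ghztL0g'

# Print one finding per line; print nothing when the directory is clean.
audit_authelia() {
    # -F fixed string; -w whole word, so a longer alphanumeric string that
    # contains a placeholder does not match.
    printf '%s\n' "$PLACEHOLDERS" | while IFS= read -r p; do
        grep -nFw -e "$p" "$1/configuration.yml" | while IFS=: read -r n rest; do
            echo "PLACEHOLDER_SECRET configuration.yml:$n"
        done
    done
    printf '%s\n' "$PUBLISHED_SALTS" | while IFS= read -r s; do
        grep -nF -e "\$$s\$" "$1/users_database.yml" | while IFS=: read -r n rest; do
            echo "PUBLISHED_DIGEST users_database.yml:$n"
        done
    done
}

# Replacement value: 32 bytes from the kernel CSPRNG as 64 hex characters.
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Constructed sample directory: one placeholder kept, one secret replaced,
# and the second published digest still in place.
make_sample() {
    mkdir -p "$1"
    printf "session:\n  secret: 'another_very_important_secret'\nstorage:\n  encryption_key: '%s'\n" \
        "$(gen_secret)" > "$1/configuration.yml"
    printf "users:\n  alice:\n    password: '%s'\n" \
        '$argon2id$v=19$m=65536,t=1,p=8$Odxvn8jWnrsUXt7ghztL0g$sHaRzqroRRsuuRoNqsR2dnmByLPNAogJo3/m6tbOTFo' \
        > "$1/users_database.yml"
}

sample=$(mktemp -d) && make_sample "$sample" && audit_authelia "$sample"
rm -rf "$sample"
```

Run audit_authelia against the Authelia appdata folder after finishing the setup; an empty result means none of the post's sample values are still in use.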

Just updated to Swag 5.2.2-ls433 and I see these errors in the logs:

[mod-init] Adding linuxserver/mods:swag-maxmind to container

[mod-init] linuxserver/mods:swag-maxmind digest could not be fetched from lscr.io, checking local cache

[mod-init] (ERROR) OFFLINE: linuxserver/mods:swag-maxmind not found in modcache, skipping

[mod-init] Adding linuxserver/mods:swag-dashboard to container

[mod-init] linuxserver/mods:swag-dashboard digest could not be fetched from lscr.io, checking local cache

[mod-init] (ERROR) OFFLINE: linuxserver/mods:swag-dashboard not found in modcache, skipping

The container seems to run anyway as do the services that are proxied.

What's up with these errors?

8 hours ago, nraygun said:

Just updated to Swag 5.2.2-ls433 and I see these errors in the logs:

[mod-init] Adding linuxserver/mods:swag-maxmind to container

[mod-init] linuxserver/mods:swag-maxmind digest could not be fetched from lscr.io, checking local cache

[mod-init] (ERROR) OFFLINE: linuxserver/mods:swag-maxmind not found in modcache, skipping

[mod-init] Adding linuxserver/mods:swag-dashboard to container

[mod-init] linuxserver/mods:swag-dashboard digest could not be fetched from lscr.io, checking local cache

[mod-init] (ERROR) OFFLINE: linuxserver/mods:swag-dashboard not found in modcache, skipping

The container seems to run anyway as do the services that are proxied.

What's up with these errors?

I restarted the container and now MaxMind works. Must have been a down server or something. :-)

Latest update broke Authelia for me; any docker that has the docker mod to use Authelia gets a 500 internal server error. Otherwise swag is working.

Anyone else having this issue?

I've recreated the container. It's not a swag issue, it's an Authelia issue, but the update must have rooted the issue. Authelia is having the issue of time:

time="2026-01-28T09:09:21-06:00" level=info msg="Storage schema is already up to date"

time="2026-01-28T09:09:22-06:00" level=error msg="Error occurred running a startup check" error="the system clock is not synchronized accurately enough with the configured NTP server" provider=ntp

time="2026-01-28T09:09:22-06:00" level=fatal msg="One or more providers had fatal failures performing startup checks, for more details check the error level logs" providers="[ntp]" stack="github.com/authelia/authelia/v4/internal/commands/root.go:93 (*CmdCtx).RootRunE\ngithub.com/spf13/[email protected]/command.go:1015 (*Command).execute\ngithub.com/spf13/[email protected]/command.go:1148 (*Command).ExecuteC\ngithub.com/spf13/[email protected]/command.go:1071 (*Command).Execute\ngithub.com/authelia/authelia/v4/cmd/authelia/main.go:10 main\ninternal/runtime/atomic/types.go:194 (*Uint32).Load\nruntime/asm_amd64.s:1693

In case anyone else is having issues.

Edited by ijuarez

I have been having some connection issues with Jellyfin, either using Finamp or the Jellyfin app, both on Android and iOS. When I check Jellyfin's logs it shows me this error:

[2026-01-29 13:36:19.828 -05:00] [WRN] [56] Emby.Server.Implementations.HttpServer.WebSocketConnection: WS "172.18.0.5" error receiving data: "The remote party closed the WebSocket connection without completing the close handshake."

That ip address is for the swag container. When I check the error logs for swag today I got this message:

2026/01/27 16:27:41 [crit] 834#834:*48744 SSL_do_handshake() failed (SSL: error:0A0000C6:SSL routines::packet length too long error:0A000139:SSL routines::record layer failure) while SSL handshaking, client: x.x.x.x, server: 0.0.0.0:443

This is the only error message in the error log.

Update: I'm able to connect to my jellyfin server again, however I still have the same error message in the error log. Also I have been having intermittent connection issue for over a month, where the finamp will give me a message saying:

ClientException with SocketException: Failed host lookup: 'jellyfin server name' (OS Error: no address associated with the hostname, erno = 7), uri=https://jellfinservername/Users/ Followed by a string of numbers.

Every time I check the jellyfin log it shows that first error pointing to the swag container. This error from swag however is different than the previous error when I got the connection error in jellyfin. I thought it was DNS related and I checked my firewall a few days ago cleared my DNS cache and I thought everything was resolved as I was connecting fine to my server for several days with any issue, but now the intermittent connection issue is back.

I believe I did a swag update yesterday, so I don't know if that's what's causing the issue. Part of the update required me to update the jellyfin.subdomain.conf, which I did.

Edited by Ben4

  • 1 month later...

I am removing the DNS admin from Cloudflare to the original registrar. The SWAG setup is as in SpaceInvaderOne's setup video. My registrar does not have a DNS plugin, but I would like to keep DNS admin at the registrar. How can/should I go about setting this up? I tried changing validation to http and removing the line "dns plugin". Let's Encrypt insists on port 80.

  • 3 weeks later...

I want swag to resolve a second domain. Is anyone aware of a YouTube tutorial to do this?

There are plenty of posts which declare you can do this but I can't find an explanation of how.

  • 4 weeks later...
On 3/29/2026 at 2:32 AM, Jessie said:

I want swag to resolve a second domain. Is anyone aware of a YouTube tutorial to do this?

There are plenty of posts which declare you can do this but I can't find an explanation of how.

Not sure of any tutorials, but I believe you would just duplicate the .conf for your existing site (so you'd have site1.conf and site2.conf) and change the server_name and root in your server block, and set up your DNS records too, of course.

Edited by DogEatWaffle

  • 1 month later...
On 8/10/2024 at 9:40 PM, nraygun said:

I think I got it!

I had to change my account ID from my email address to a series of numbers. Seems to work by executing the script now.

Thanks!

Just came looking since noticed my geoip database was last updated in 2021!

I generated a new API key in Maxmind, since they have changed format, and changed my user id to the account id, and the new key is now showing as having been used.

Of course my work VPN IP is still showing as US rather than UK, but that's another issue I guess.

Cheers
