
[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


2 hours ago, td00 said:

Hey All - I've got this up and running for a while now - great image thanks. Just a question though, is it possible to have a wild card URL entry? Kind of like the way google does with *.google.com?

 

My current setup just has this:

 

URL=topleveldomain.com

SUBDOMAINS=portainer,sonarr,radarr

 

But when I click to view the cert in the browser it seems that it sets portainer.topleveldomain.com as the URL and the rest in the SAN where they should be. Was just looking to see if possible to clean up. Currently, my topleveldomain doesn't point to anything if that makes a difference?

Yes, you can get wildcard certs. It's explained in the readme


1 hour ago, thunderclap said:

I'm having an interesting problem with LetsEncrypt. Two issues I've experienced I would like to try and resolve: if I use DNS through Cloudflare my subdomains become unbearably slow. If I do the subdomains through my registrar and forego Cloudflare, anytime I add or remove a subdomain LetsEncrypt reports a firewall/timeout error for several hours rendering my subdomains inaccessible. Does anyone know why this is happening?

You probably had cloudflare cache/proxy turned on, which we recommend against. It's explained in the docs article linked in the first post

2 hours ago, aptalca said:

Yes, you can get wildcard certs. It's explained in the readme

Got it! Thanks!

Hi Guys,

 

I am trying to get swag working with Snipe-IT but I didn't see any configs available for it. Can someone help me figure out a way to get it working?

 

Swag log


 

I have swag setup and the docker Snipe-IT is also setup and working.


 

I tried copying a similar config and changing it for my needs but I get a "502 Bad Gateway" error.


 

Here is the config file I started

snipe.mydomin.com is the domain, so I used server_name snipe.*

 

server {
    listen 443 ssl;

    server_name snipe.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app snipe-it;
        set $upstream_port 8000;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

Let me know what information would be useful in troubleshooting. I'm not sure where to go from here.

 

Thanks,

Victor

39 minutes ago, vuribe1221 said:

Hi Guys,

 

I am trying to get swag working with Snipe-IT but I didn't see any configs available for it. Can someone help me figure out a way to get it working?

 

Swag log


 

I have swag setup and the docker Snipe-IT is also setup and working.


 

I tried copying a similar config and changing it for my needs but I get a "502 Bad Gateway" error.


 

Here is the config file I started

snipe.mydomin.com is the domain, so I used server_name snipe.*

 


server {
    listen 443 ssl;

    server_name snipe.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app snipe-it;
        set $upstream_port 8000;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

Let me know what information would be useful in troubleshooting. I'm not sure where to go from here.

 

Thanks,

Victor

You don't use the host port when using a custom bridge. You use the container port, which is port 80.

🙃

Could have swore I tried that before but I guess not. It's working now.

 

Thanks saarg
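The host-port versus container-port mix-up resolved above can be checked mechanically. The following is an added example, not code from the thread or from the SWAG project: the Snipe-IT run command and its image name are constructed assumptions (the thread never shows them), and the helper names are hypothetical.

```python
import re
import shlex

# Constructed inputs: the thread never shows the Snipe-IT run command, so this
# one is an assumption (placeholder image name) that publishes 8000 -> 80.
DOCKER_RUN = ("docker run -d --name='snipe-it' --net='proxynet' "
              "-p '8000:80/tcp' 'example/snipe-it'")

# Proxy conf reduced to the relevant directives, with the port as first posted.
PROXY_CONF = """
server {
    listen 443 ssl;
    server_name snipe.*;
    location / {
        set $upstream_app snipe-it;
        set $upstream_port 8000;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
"""


def published_ports(docker_run):
    """Return (container name, [(host_port, container_port), ...]) from a run line."""
    args = shlex.split(docker_run)
    name, ports = None, []
    for i, arg in enumerate(args):
        if arg.startswith("--name="):
            name = arg.split("=", 1)[1]
        elif arg in ("-p", "--publish") and i + 1 < len(args):
            parts = args[i + 1].split("/")[0].split(":")  # drop "/tcp"
            # Accept [ip:]host:container with plain numeric ports only.
            if len(parts) >= 2 and parts[-2].isdigit() and parts[-1].isdigit():
                ports.append((int(parts[-2]), int(parts[-1])))
    return name, ports


def upstreams(conf):
    """Pair each `set $upstream_app` with the `set $upstream_port` that follows it."""
    apps = re.findall(r"set\s+\$upstream_app\s+([^;\s]+)\s*;", conf)
    ports = re.findall(r"set\s+\$upstream_port\s+(\d+)\s*;", conf)
    return list(zip(apps, (int(p) for p in ports)))


def host_port_mistakes(conf, docker_run):
    """Flag upstream ports that are the host side of a mapping, not the container side.

    On a custom bridge the proxy reaches the container directly, so only the
    container-side port is listening there; the host-side port gives a 502.
    """
    name, ports = published_ports(docker_run)
    container_ports = {c for _, c in ports}
    host_to_container = dict(ports)
    findings = []
    for app, port in upstreams(conf):
        if app == name and port not in container_ports and port in host_to_container:
            findings.append((app, port, host_to_container[port]))
    return findings


if __name__ == "__main__":
    for app, used, wanted in host_port_mistakes(PROXY_CONF, DOCKER_RUN):
        print(f"{app}: upstream_port {used} is a host port; use container port {wanted}")
```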

On 10/8/2020 at 11:48 PM, aptalca said:

Looks like you modified your confs and referenced a custom cert. Our image does not use such a cert out of the box.

Hi,

 

I have? Where do I see/configure that?

Hi,

 

Just installed the swag container yesterday, and all is working fine so far.

Now I need to limit access to the services.
 

Regarding access control, after reading documentation and config files, it seems the choices are: basic auth, ldap, authelia or organizr auth.

Except for jellyfin, all other services just need authorization (sonarr, radarr, jackett, qbitorrent, ...) 
I'd like to keep it as simple as possible, as well at configuration side but for user experience too.

Ideally:

  • login once, then access all services (except Jellyfin as it needs authentication and does not support OIDC)
  • centralize unraid users with reverse proxy ones: active directory / ldap ?
  • web ui to add/edit users 

Another point is to get access to my docker services both on external and local network.

Is there a way, with some kind of DNS override, to access my services locally using the xxx.duckdns.org URL (when connected to my local network, xxx.duckdns.org will redirect to the unraid box IP)

Maybe using a services dashboard like heimdall/organizr/ombi, will help to access service 'transparently' whatever local or external ?

 

Thanks

13 hours ago, Muff said:

Hi,

 

I have? Where do I see/configure that?

I don't know, you tell me. Check all the confs in the /config/nginx folder

12 hours ago, mika91 said:

Hi,

 

Just installed the swag container yesterday, and all is working fine so far.

Now I need to limit access to the services.
 

Regarding access control, after reading documentation and config files, it seems the choices are: basic auth, ldap, authelia or organizr auth.

Except for jellyfin, all other services just need authorization (sonarr, radarr, jackett, qbitorrent, ...) 
I'd like to keep it as simple as possible, as well at configuration side but for user experience too.

Ideally:

  • login once, then access all services (except Jellyfin as it needs authentication and does not support OIDC)
  • centralize unraid users with reverse proxy ones: active directory / ldap ?
  • web ui to add/edit users 

Another point is to get access to my docker services both on external and local network.

Is there a way, with some kind of DNS override, to access my services locally using the xxx.duckdns.org URL (when connected to my local network, xxx.duckdns.org will redirect to the unraid box IP)

Maybe using a services dashboard like heimdall/organizr/ombi, will help to access service 'transparently' whatever local or external ?

 

Thanks

I use authelia and it works great. There is no webui for user management yet (I hear it's in the works), but you can set up the users in a number of ways including ldap (I use a simple yaml file).

 

See here: https://blog.linuxserver.io/2020/08/26/setting-up-authelia/

 

For accessing the domain on lan, you need either a hairpin nat or nat loopback (if your router supports it), or you can set up a split dns (where you tell your local dns to resolve the domain to the unraid lan ip). The main caveat is that swag has to use port 443 on the host, which means you'll have to change unraid's https port to a different one first. Afterwards all requests for https://yourdomain.com will resolve to unraid and the client will connect to swag directly on lan (for http to https redirect, you'd need to change unraid's port 80 as well, so swag can use it, but I don't do that and instead only use the https endpoint so only port 443 goes to swag). Google the three terms I mentioned above and you'll find plenty of info for your router/setup.

Hi there,

I posted the problem I'm facing on the Unraid general support but I received no replies. I'm hoping I can get some feedback here. I changed from Letsencrypt to Swag recently and after the change I lose access to multiple sections in Unraid and all dockers stop functioning properly... I lose access thru the UI to the Dashboard, Docker and the bottom portion of the Main tab. The console gets unresponsive to any docker command and to the "powerdown" capability so every time I restart the system it has to do a parity check. Of course none of the apps using the reverse proxy are working to the outside.

The migration was based on a fresh installation and I just copied the conf files from Letsencrypt. The Unraid logs show the following error (it varies depending on the page I'm trying):

nginx: 2020/10/12 10:06:48 [error] 32315#32315: *246154 upstream timed out (110: Connection timed out) while reading response header from upstream, client ... upstream: "fastcgi://unix:/var/run/php5-fpm.sock" ...

Any suggestion would be greatly appreciated. Please help!

8 hours ago, aptalca said:

I don't know, you tell me. Check all the confs in the /config/nginx folder

It was the Emby subconfig file that had that configuration but I don't know where that came from.

Anyway, it's solved. Thank you!

My Swag GUI looks like this....it basically looks like data from my Heimdall app. Am I doing something wrong between the two? If this is messed up what would be the most likely cause?

 

swag gui.jpg

Edited by SPOautos

16 hours ago, Mesias said:

Hi there,

I posted the problem I'm facing on the Unraid general support but I received no replies. I'm hoping I can get some feedback here. I changed from Letsencrypt to Swag recently and after the change I lose access to multiple sections in Unraid and all dockers stop functioning properly... I lose access thru the UI to the Dashboard, Docker and the bottom portion of the Main tab. The console gets unresponsive to any docker command and to the "powerdown" capability so every time I restart the system it has to do a parity check. Of course none of the apps using the reverse proxy are working to the outside.

The migration was based on a fresh installation and I just copied the conf files from Letsencrypt. The Unraid logs show the following error (it varies depending on the page I'm trying):

nginx: 2020/10/12 10:06:48 [error] 32315#32315: *246154 upstream timed out (110: Connection timed out) while reading response header from upstream, client ... upstream: "fastcgi://unix:/var/run/php5-fpm.sock" ...

Any suggestion would be greatly appreciated. Please help!

I don't see how swag can have anything to do with losing access to parts of unraid. Turn off the container and see if it helps, if not, it has nothing to do with swag. If it helps, you have misconfigured something, but I do not know how you could manage that.

1 hour ago, SPOautos said:

My Swag GUI looks like this....it basically looks like data from my Heimdall app. Am I doing something wrong between the two? If this is messed up what would be the most likely cause?

 

swag gui.jpg

Swag doesn't have a GUI.

Just now, saarg said:

Swag doesn't have a GUI.

 

Okay, so it's in the dropdown where you can select webgui but it's not actually built in yet, correct?  So is what I am seeing normal when I select on that webgui in the swag dropdown (for someone with Heimdall)?

3 minutes ago, SPOautos said:

 

Okay, so it's in the dropdown where you can select webgui but it's not actually built in yet, correct?  So is what I am seeing normal when I select on that webgui in the swag dropdown (for someone with Heimdall)?

That goes to the default landing page of swag if you haven't changed it yourself in the nginx default file. Nginx is the webserver.

Have you added Heimdall to swag?

You should post your docker run command.

1 hour ago, saarg said:

That goes to the default landing page of swag if you haven't changed it yourself in the nginx default file. Nginx is the webserver.

Have you added Heimdall to swag?

You should post your docker run command.

 

I have the Heimdall template network type pointing to the reverse proxy network and I have Heimdall listed but as "server" instead of Heimdall so that my url that pulls up Heimdall is server.myurl.com.....and it all functions perfectly except this one issue.

 

How do I post my "docker run command"? Please forgive the ignorance but I'm brand new to all of this....."all of this" being computers, networks, servers, Unraid, all of it.  I've been working on my server for about 2 months and just trying my best to learn everything as I go. A couple months ago I'd never heard of a reverse proxy, VPN, VM....nothing  lol.  So I'm about as newbie as they come....BUT slowly I'm getting it all working great!

 

If you can get me a little more info regarding the docker run command I'll post it and maybe we can figure out if I need to edit something in nginx.

7 hours ago, SPOautos said:

 

I have the Heimdall template network type pointing to the reverse proxy network and I have Heimdall listed but as "server" instead of Heimdall so that my url that pulls up Heimdall is server.myurl.com.....and it all functions perfectly except this one issue.

 

How do I post my "docker run command"? Please forgive the ignorance but I'm brand new to all of this....."all of this" being computers, networks, servers, Unraid, all of it.  I've been working on my server for about 2 months and just trying my best to learn everything as I go. A couple months ago I'd never heard of a reverse proxy, VPN, VM....nothing  lol.  So I'm about as newbie as they come....BUT slowly I'm getting it all working great!

 

If you can get me a little more info regarding the docker run command I'll post it and maybe we can figure out if I need to edit something in nginx.

If you have set up nginx to serve Heimdall as the landing page, then it's no wonder that you get Heimdall when opening the webgui link in swag. 

If you want help, the best way is to provide the config files you have changed stuff in. That way it's much easier for the ones helping.

 

The docker run command is the command popping up when you update or change something in the container template. Just add something to a field and remove it, then hit apply and you will get the command.

17 hours ago, saarg said:

If you have set up nginx to serve Heimdall as the landing page, then it's no wonder that you get Heimdall when opening the webgui link in swag. 

If you want help, the best way is to provide the config files you have changed stuff in. That way it's much easier for the ones helping.

 

The docker run command is the command popping up when you update or change something in the container template. Just add something to a field and remove it, then hit apply and you will get the command.

Thank You!

So this is the docker run command you were referring to, correct? I wasn't sure if you meant the one for Swag or Heimdall so I just attached them both....

 

SWAG....

Command:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='swag' --net='proxynet' -e TZ="America/Chicago" -e HOST_OS="Unraid" -e 'EMAIL'='[email protected]' -e 'URL'='mywebsite.com' -e 'SUBDOMAINS'='ombi,server,sonarr,radarr,lidarr,nextcloud,sabnzbd,nzbget,plex' -e 'ONLY_SUBDOMAINS'='true' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'EXTRA_DOMAINS'='' -e 'STAGING'='false' -e 'DUCKDNSTOKEN'='' -e 'PROPAGATION'='' -e 'PUID'='99' -e 'PGID'='100' -p '180:80/tcp' -p '1443:443/tcp' -v '/mnt/user/appdata/swag':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/swag'

76457241e9b946d99184a4254b3963fe78876f13c10d23e0fed380eb7a8ceb4e

The command finished successfully!

 

 

Heimdall.....

Command:root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='heimdall' --net='proxynet' -e TZ="America/Chicago" -e HOST_OS="Unraid" -e 'PUID'='99' -e 'PGID'='100' -p '280:80/tcp' -p '2443:443/tcp' -v '/mnt/user/appdata/heimdall':'/config':'rw' 'linuxserver/heimdall'

773977f9c74aa209781671d43f3d93c6b6200b45132fc58ae73bc2f27b1402cb

The command finished successfully!

 

 

 

 

I went to appdata/Heimdall/nginix/site-confs/default but when I open it and highlight it all and copy, it won't let me paste it in here. What is the best way to provide the config files?

 

Edited by SPOautos

7 hours ago, SPOautos said:

Thank You!

So this is the docker run command you were referring to, correct? I wasn't sure if you meant the one for Swag or Heimdall so I just attached them both....

 

SWAG....

 

 

Heimdall.....

 

 

 

 

I don't know what all config files I should post, I went to appdata/Heimdall/nginix/site-confs/default but when I open it and highlight it all and copy, it won't let me paste it in here. What is the best way to provide the config files?

 

It's better to copy the text and add it as code in the post. That way it's easier to read and you can redact your mail and URL.

The easiest way is to mark the text, copy it and add it as code.

You post all the configs that you changed. We can't know which ones you changed.

4 hours ago, saarg said:

It's better to copy the text and add it as code in the post. That way it's easier to read and you can redact your mail and URL.

The easiest way is to mark the text, copy it and add it as code.

You post all the configs that you changed. We can't know which ones you changed.

 

I edited the post above removing the screen shots and redoing with copy/paste of the command info but I'll add it here as well. But I'm not sure how to do the config files. I'm going into Krusader and going to a file but when I copy it then try to paste it here in the </> code box, it won't paste. Is there a better way to do them? Can I somehow download the file and then upload it into the forum post?

 

SWAG....

Command:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='swag' --net='proxynet' -e TZ="America/Chicago" -e HOST_OS="Unraid" -e 'EMAIL'='[email protected]' -e 'URL'='mywebsite.com' -e 'SUBDOMAINS'='ombi,server,sonarr,radarr,lidarr,nextcloud,sabnzbd,nzbget,plex' -e 'ONLY_SUBDOMAINS'='true' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'EXTRA_DOMAINS'='' -e 'STAGING'='false' -e 'DUCKDNSTOKEN'='' -e 'PROPAGATION'='' -e 'PUID'='99' -e 'PGID'='100' -p '180:80/tcp' -p '1443:443/tcp' -v '/mnt/user/appdata/swag':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/swag'

76457241e9b946d99184a4254b3963fe78876f13c10d23e0fed380eb7a8ceb4e

The command finished successfully!

 

 

Heimdall.....

Command:root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='heimdall' --net='proxynet' -e TZ="America/Chicago" -e HOST_OS="Unraid" -e 'PUID'='99' -e 'PGID'='100' -p '280:80/tcp' -p '2443:443/tcp' -v '/mnt/user/appdata/heimdall':'/config':'rw' 'linuxserver/heimdall'

773977f9c74aa209781671d43f3d93c6b6200b45132fc58ae73bc2f27b1402cb

Edited by SPOautos

19 hours ago, saarg said:

It's better to copy the text and add it as code in the post. That way it's easier to read and you can redact your mail and URL.

The easiest way is to mark the text, copy it and add it as code.

You post all the configs that you changed. We can't know which ones you changed.

Hope you don't mind that I have the command lines and these files on separate posts. 

 

I'm not sure what to do with the config files since it wouldn't let me copy/paste so I am just uploading them, does that work?  Please let me know if you would like me to get them in here a different way.  I don't think I actually changed anything in these except In a heimdall file I made the url "server"@myurl.com instead of [email protected].... but I have noticed that in Heimdall files and Swag files they both point to port 80 and 443 even though I changed ports in the templates so they would be different. Could this be why they are 'overlapping' and Heimdall shows up when I select the Swag gui?

 

Also, something else is that in my router, my main internet IP address that shows up.....if I go to a browser without being on my local network (I did it over cellular) and type in that router internet ip address, it takes me to my Heimdall page. Same with my router's Dynamic DNS, if I type it in on a browser over cellular it also goes to my Heimdall page.  I realized this because I have been trying to set up a PPTP vpn in my router using the dynamic dns and it doesn't seem to be working and I think this is why....because it's going to my Heimdall page. I'm not positive if that is causing the vpn issue, but I stumbled on all of this with heimdall and swag while trying to figure out why my router is directing to heimdall.....maybe it should do that because of reverse proxy and all that, I do not really know.

 

I haven't done much more than use email and a browser on a windows pc in 20 years.....so honestly I'm surprised I've made it this far with this project....it's only because of awesome people like you and old posts here on the forum, and SpaceInvader videos that I have all this going and working on a box I actually put together myself.....it's pretty amazing! I appreciate the help!

 

 

heimdall nginx.conf heimdall site confs swag nginx site confs

Edited by SPOautos

How do you get wildcard certs for additional domains? I've set EXTRA_DOMAINS="*.domain2.com", but a wildcard cert is only created for the URL primary domain. Under /etc/letsencrypt/live is only one folder which is for the primary domain.

URL=domain1.com
SUBDOMAINS=wildcard
EXTRA_DOMAINS=*.domain2.com
ONLY_SUBDOMAINS=false
VALIDATION=dns
DNSPLUGIN=cloudflare
[email protected]

I've also tried setting EXTRA_DOMAINS=domain2.com,*.domain2.com, but it didn't make any difference.

 

Edit: Nevermind, my mistake. The certificate created is valid for both domains! And when I provide it as EXTRA_DOMAINS=domain2.com,*.domain2.com the certificate works for the root as well.

Edited by vonpelz

8 hours ago, vonpelz said:

How do you get wildcard certs for additional domains? I've set EXTRA_DOMAINS="*.domain2.com", but a wildcard cert is only created for the URL primary domain. Under /etc/letsencrypt/live is only one folder which is for the primary domain.


URL=domain1.com
SUBDOMAINS=wildcard
EXTRA_DOMAINS=*.domain2.com
ONLY_SUBDOMAINS=false
VALIDATION=dns
DNSPLUGIN=cloudflare
[email protected]

I've also tried setting EXTRA_DOMAINS=domain2.com,*.domain2.com, but it didn't make any difference.

 

Edit: Nevermind, my mistake. The certificate created is valid for both domains! And when I provide it as EXTRA_DOMAINS=domain2.com,*.domain2.com the certificate works for the root as well.

There is only ever one cert generated with this image and it contains all the names as SANs
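Why `*.domain2.com` alone left the root of domain2.com uncovered, as an added example that is not from the thread or the SWAG project: a wildcard SAN stands for exactly one left-most label, so it matches neither the bare domain nor deeper names. The expansion of the environment variables into a SAN list is an assumption based on the behaviour described in this thread, and the function names and probe hostnames are hypothetical.

```python
# Settings as posted in the thread (e-mail omitted); probe hostnames are constructed.
THREAD_ENV = {
    "URL": "domain1.com",
    "SUBDOMAINS": "wildcard",
    "EXTRA_DOMAINS": "*.domain2.com",
    "ONLY_SUBDOMAINS": "false",
}
HOSTS = ["domain1.com", "app.domain1.com", "domain2.com",
         "app.domain2.com", "a.b.domain2.com"]


def expected_sans(env):
    """Assumed expansion of the container settings into the single cert's SAN list."""
    url = env["URL"]
    sans = []
    if env.get("ONLY_SUBDOMAINS", "false").lower() != "true":
        sans.append(url)                      # main domain included
    subs = env.get("SUBDOMAINS", "")
    if subs == "wildcard":
        sans.append("*." + url)
    else:
        sans += [f"{s}.{url}" for s in subs.split(",") if s]
    # EXTRA_DOMAINS entries are taken as full names, wildcards included.
    sans += [d for d in env.get("EXTRA_DOMAINS", "").split(",") if d]
    return sans


def san_matches(pattern, hostname):
    """Match a dNSName SAN against a hostname the way TLS clients do.

    '*' is honoured only as the entire left-most label and covers exactly one
    label, so '*.domain2.com' matches neither 'domain2.com' nor 'a.b.domain2.com'.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and h[0] != "" and p[1:] == h[1:]
    return p == h


def uncovered(env, hostnames):
    """Hostnames that would fail name validation against the expected SAN list."""
    sans = expected_sans(env)
    return [h for h in hostnames if not any(san_matches(s, h) for s in sans)]


if __name__ == "__main__":
    print("wildcard only:", uncovered(THREAD_ENV, HOSTS))
    fixed = {**THREAD_ENV, "EXTRA_DOMAINS": "domain2.com,*.domain2.com"}
    print("root + wildcard:", uncovered(fixed, HOSTS))
```

To compare against what was actually issued, read the SAN list of the certificate under /etc/letsencrypt/live with `openssl x509 -noout -text`.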
