[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

36 minutes ago, saarg said:

You don't have to set a came in cloudflare when using wildcard. Wildcard is for everything.

 

I guess you are using a custom docker network for swag and radarrs, so no need to change the port in the proxy-conf as swag talks to the containers using the name. It is all internal in the custom network and therefor you use the container port.

 

Changing to the container port worked.  I never considered that and that is the only container that I run where I changed the default port.  Thanks so much!

 

I thought I still needed the cname and the wildcard was just allowing any of my cnames through.  So I can delete all my subdomain cnames on Cloudflare?

Link to comment
14 hours ago, RockDawg said:

 

Changing to the container port worked.  I never considered that and that is the only container that I run where I changed the default port.  Thanks so much!

 

I thought I still needed the cname and the wildcard was just allowing any of my cnames through.  So I can delete all my subdomain cnames on Cloudflare?

As long as you have a wildcard cname set in cloudflare, you can delete the other subdomains.

  • Thanks 1
Link to comment

Unable to access Bitwarden externally using SWAG

 

Starting last week I was unable to access Bitwarden from my own domain. Without going too into what i've tried I'm basically back to square one.

I've uninstalled/reinstalled Bitwarden (to allow it to pull the new vaultwarden info)

I've uninstalled/reinstalled SWAG.

I've renamed my Bitwarden install to match the proxy-confs for bitwarden.

I've followed all the steps in Spaceinvaders Letsencrypt (SWAG)/Bitwarden/Cloudflare videos and just keep getting Error: 522 from cloudflare when I try and load my domain page.

I thought it might be tied to some firewall stuff I did on my unifi to isolate my IOT things on a different VLAN So i've completely removed all those settings and still not working.

The SWAG logs show that server is running and it can get certs for my domain but the site still won't load.

I currently have Cloudflare set up as my DNS to bypass my local internet provider from blocking port 80. Cloudflare is set to point to my Duckdns name which is pointing to my IP. All of this is in SpaceInvaders cloudflare set up video.

Here is are screen shots of my docker settings/Docker page/Port Forwarding setup.

https://i.imgur.com/NqsRNOs.png

Again this was all working from July of last year until last week.

Any assistance would be appreciated.

  • Like 1
Link to comment

Hi, I'm using Authelia and everything works as it should. I have a problem with LMS, I only proxied it to use Alexa skill and wanted to use Authelia instead of basic auth, but it seems Alexa can't/won't use 2-factor auth for this skill! Can I set somewhere in the config to use single-factor just for this container? 

Thanks,

Tim

Link to comment

Can someone point me in the right direction?

 

I have A75G's airsonic-advanced docker accessed through SWAG / reverse proxy with a duckdns subdomain and lets encrypt https certificate. I'm using the airsonic.subdomain.conf config and all is working well.

I'd like to start using fail2ban to block access to the airsonic URL but during testing, looking at the airsonic logs they show failed logins from the IP of the internal docker container and not the real external IP. 

 

I have the 'server.use-forward-headers=true' line added to the airsonic.properties file in the airsonic config as stated in the airsonic.subdomain.conf from SWAG but something seems missing

 

Any suggestions?

Link to comment

For a few days now I can't connect to my owncloud via my reverse proxy anymore as I get a 400 bad request anytime I try to do it. I have not changed anything in my proxy conf and have already contacted the dev of the owncloud docker container. He said that nothing has changed in the container since the issue came up for me, leading me to believe the error has to lie somewhere with the proxy. Does anyone know what it could be? It's now been a few weeks and I've tried to solve it on my own, without success. 

 

It worked until the 7th of may but has not worked since. I can not connect from either the browser, my phone, the owncloud windows or owncloud android client. Nothing works unfortunately. Does anyone have an idea? Here is my proxy conf that has, at least until the 7th of may, worked wonderfully.

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;


    server_name owncloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_owncloud owncloud;
        proxy_pass https://192.168.0.2:8000;
		
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_set_header X-Forwarded-Port $server_port;
		proxy_set_header X-Forwarded-Proto $scheme;
    }

   
}

 

Edited by RedXon
Link to comment

Hi all,

 

I am getting 502 errors after setting up swag following the original SIO video for letsencrypt. The issue seems to be that name lookup of the containers is failing. 

 

  • I am using latest, but also tried with several other versions dating back to 1.8.0
  • I am using all sample configs with no modifications 
    • portainer
    • nextcloud
    • grafana
  • swag and containers are all on custom docker network
  • nslookup finds the docker container by name
  • can ping one container from another
  • Using linuxserverio containers with default names

 

nginx error.log:

2021/06/05 20:21:54 [error] 470#470: *1 nextcloud could not be resolved (3: Host not found), client: 192.168.100.1, server: nextcloud.*, request: "GET / HTTP/2.0", host: "nextcloud.domain.com"
2021/06/05 20:43:08 [error] 406#406: *6 portainer could not be resolved (3: Host not found), client: 192.168.100.1, server: portainer.*, request: "GET / HTTP/2.0", host: "portainer.domain.com"

root@unRAID:/mnt/user/appdata/swag/nginx/proxy-confs# docker container list
CONTAINER ID   IMAGE                                  COMMAND            CREATED             STATUS                    PORTS                                         NAMES
40368254d154   linuxserver/swag                       "/init"            12 minutes ago      Up 12 minutes             0.0.0.0:8081->80/tcp, 0.0.0.0:4443->443/tcp   swag
0130fe9243c4   portainer/portainer                    "/portainer"       About an hour ago   Up 24 minutes             0.0.0.0:44344->9000/tcp                       portainer


nslookups:

root@40368254d154:/# nslookup portainer
Server:         127.0.0.11
Address:        127.0.0.11:53

Non-authoritative answer:
*** Can't find portainer: No answer

Non-authoritative answer:
Name:   portainer
Address: 172.18.0.2

root@40368254d154:/# 

root@40368254d154:/# ping portainer
PING portainer (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.161 ms
64 bytes from 172.18.0.2: seq=1 ttl=64 time=0.145 ms
^C

 

 

If I modify portainer.subdomain.conf as follows the 502 error goes away.

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app portainer;
        set $upstream_port 9000;
        set $upstream_proto http;
        #proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        proxy_pass $upstream_proto://172.18.0.2:$upstream_port; # hard code ip

 

I wonder if nginx is choking on the first failed nslookup? Is that a docker network issue?  Any other ideas?

Thanks in advance!

Edited by codebone
Add docker container names
Link to comment

Hi,

 

I have a big doubt regarding the using of sub-subdomains.

 

Until now I was using two domains (I did not know that sub-sub domains can be configured): exampleemby and examplenas with duckdns.org

 

I use "exampleemby" seting it up in swag as subdomain and "examplenas" with some subfolders configurations (x.e. nextcloud).

 

Now I want to setup 2 more subdomains (to use with photoprism that only has subdomain template).

 

Searching in the web I saw that it is possible to setp up unly one subdomain and with it configure several sub-subdomains. Am I right?

 

In this case, how I should setup swag container? What I am using now is:

Domain Name: duckdns.org

Subdomain (s): homeemby,homenas

 

I have also seen in linuxserver swag docker web page that it is not possible to use, at the same time, subdomains a sub-subdomains, but, is it possible to use "homemby" as subdomain and "homeother" as sub-subdomain?

 

I have tryed setups in swag container (empty, wildcard...) but I only can getting it work with above configuration (filling domain and all the subdomains)

 

Thank you

Edited by dellorianes
Link to comment

I've had letsencrypt/swag working for a number of years but it is now failing to renew the certificates. I have uninstalled and tried again but i get the same error. I am using proxynet and my domains are all duckdns, no cloudflare.

Can anyone point me in the right direction please?

 

Generating new certificate
Requesting a certificate for ***.duckdns.org and 3 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: ***.duckdns.org
Type: connection
Detail: Fetching http://***.duckdns.org/.well-known/acme-challenge/GX1N0HDQV9cetf0bUvB7E_68fh5OCaDdf168NYwJzpI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority couldn't exterally verify that the standalone plugin completed the required http-01 challenges. Ensure the plugin is configured correctly and that the changes it makes are accessible from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

 

EDIT - So i bounced my server and it now all works?! Anyway glad it's now working.

Edited by showstopper
Link to comment

Hello,

 

I am absolutely lost and unsure how to decipher the details everyone is discussing. Im a newbie to this kind of stuff and hoping for some help! My SWAG on unraid was connected to personal webhost. DuckDNS was used to update my IP address. it was working and all of the sudden has stopped receiving certificates.

-------------------------------------------------

Router Settings:

Port forwarding is open on router 80>81 and 443>442.

-------------------------------------------------

Container Settings:

http - 81

https - 442

 

domain name - mydomainname.com

subdomains - bw, etc...

only subdomains - true

validation - http

duckDNS Token - MyToken

----------------------------------------------------

Logs:

SWAG Log:

When running logs, the following errors are received: (obviously hid my domain stuff below)

 

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:


Domain: subdomainnamehere.domainhere.com
Type: connection
Detail: Fetching http://subdomainnamehere.domainhere.com/.well-known/acme-challenge/XXXXXHIDDEN: Timeout during connect (likely firewall problem)

 

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

---------------------------------------

LetsEncrypt Log:

Failed to renew certificate subdomainnamehere.domainhere.com with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xHIDDEN>: Failed to establish a new connection: [Errno -3] Try again'))

--------------------------------------------

I appreciate help in advance. 

Link to comment
6 hours ago, Gragorg said:

I installed Swag back in March and everything is going good.  I have been getting emails from zerossl that my certs will expire within 14 days.  I assume SWAG will automatically renew them when the time comes?  Or do I need to manually renew them?

Does your server run 24/7?

Link to comment
30 minutes ago, Gragorg said:

Yes it does.

couple scenarios off the top of my head

 

1. You set up some subdomains that have since been removed, so those specific certs are no longer being renewed because they aren't needed.

2. Your authentication method isn't working properly, so renewal is failing.

3. Something else is preventing the overnight scheduled renewal check from completing.

 

What does the container log show?

  • Like 1
Link to comment
13 hours ago, jonathanm said:

You set up some subdomains that have since been removed, so those specific certs are no longer being renewed because they aren't needed.

Looks like this may be the case I have a few extra certs from when i was setting up.  The log mentions that the certs are not going to expire.

 

"The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight"

 

I guess Ill just have to be patient and wait it out.  Thanks

 

Link to comment

Hey folks,

So I finally figured out where my hiccup was on swag. jonathonm commented on another post and suggested in was a porting issue. Turns out that was correct. So in my centurylink modem. I can port forward just fine, but I can not translate for example external 443 to internal 1443. 

 

What I did to figure this out is changed the ports that unraid uses. Once I did that I could port forward 443 in my modem/router and swag would connect. I could still access unraid at my internal ip 192.168.1.x:180 which is the "new" port I gave it. 


So I can not translate ports (terminology?) but I can forward. Are there any other options besides changing the unraid ports and letting swag have the 443 ports? I had thought about purchasing a router and bridging the modem. 

Link to comment
11 hours ago, 2000gtacoma said:

Hey folks,

So I finally figured out where my hiccup was on swag. jonathonm commented on another post and suggested in was a porting issue. Turns out that was correct. So in my centurylink modem. I can port forward just fine, but I can not translate for example external 443 to internal 1443. 

 

What I did to figure this out is changed the ports that unraid uses. Once I did that I could port forward 443 in my modem/router and swag would connect. I could still access unraid at my internal ip 192.168.1.x:180 which is the "new" port I gave it. 


So I can not translate ports (terminology?) but I can forward. Are there any other options besides changing the unraid ports and letting swag have the 443 ports? I had thought about purchasing a router and bridging the modem. 

This is what I did some months ago. I changed Unraid to run off of 180/1443 and let Swag have 80/443 and it worked flawlessly. Now swag completly refuses to issue certs despite me not having changed any settings between when I first set it up and now.

Link to comment

Hi,

 

I've been tinkering around with SWAG today to set up a couple of Docker instances and a VM.

 

After watching SpaceInvader One's YouTube video I've changed my router to now point to the Unraid server instead of the VM and both the Docker instances work, but I'm really struggling with the VM.

 

I have, for a number of years, been using Mail-in-a-Box (https://mailinabox.email/) as my personal mail server on a Ubuntu VM.  It works really well and also has inbuilt letsencrypt to automate certificate renewal.

 

Obviously SWAG does this too, but I don't want to mess around with the VM config and break things.  I've been reading through this thread and trying to get it working, but I'm just stumped as nothing I do seems to work (which means I'm obviously not doing something right)!

 

For info, MiaB uses box.domain.com as its default and also manages the webserver at www.domain.com.  It also has an inbuilt DNS server which you point to from your registrar.

 

The comments I keep seeing from everyone is to change the app to an IP instead of a server name, so this is what my current config file looks like that I've copied from the _template.subdomain.conf and named mail.subdomain.conf.


 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name mail.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.1.210;
        set $upstream_port 443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

 

I haven't added anything to the SWAG Docker settings other than the initial settings to add the subdomains for the Docker instances, and I'm not sure what or where I should change there (if anything) if I don't want SWAG to manage the letsencrypt certificates for the mail server.

 

Help, please :)

Edited by Melawen
Link to comment

Hi I can't get nextcloud to work anymore and I think I've messed up the config.php file.  Can someone share their config.php file please.

 

I can see the login page, but it won't let me login remotely.  Locally, I can login via a browser - it's all very weird.


Thanks in advance.

Link to comment

Here's mine, with obvious bits edited for privacy :)

 

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'myinstanceid',
  'passwordsalt' => 'mypasswordsalt,
  'secret' => 'mysecret ... shhhh',
  'trusted_domains' =>
  array (
    0 => '10.10.0.25',
    1 => 'mydomain.com',
  ),
  'dbtype' => 'sqlite3',
  'version' => '21.0.2.1',
  'overwrite.cli.url' => 'https://mydomain.com',
  'overwritehost' => 'mydomain.com',
  'overwriteprotocol' => 'https',
  'installed' => true,
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
);

 

  • Like 1
Link to comment
1 hour ago, Melawen said:

Here's mine, with obvious bits edited for privacy :)

 


<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'myinstanceid',
  'passwordsalt' => 'mypasswordsalt,
  'secret' => 'mysecret ... shhhh',
  'trusted_domains' =>
  array (
    0 => '10.10.0.25',
    1 => 'mydomain.com',
  ),
  'dbtype' => 'sqlite3',
  'version' => '21.0.2.1',
  'overwrite.cli.url' => 'https://mydomain.com',
  'overwritehost' => 'mydomain.com',
  'overwriteprotocol' => 'https',
  'installed' => true,
  'maintenance' => false,
  'theme' => '',
  'loglevel' => 2,
);

 

Thanks.  I think my problem isn't my config file.  It's weird - everything is fine locally, but remotely I get the login page, but it won't login.

Link to comment

So trying to use Swag with nextcloud.  In the Proxy-Conf file, I am trying to modify the subdomain .conf.sample file.

 

I've made modifications, removed .sample from the end, but I cannot save due to "You need permission to perform this action".  I can't drag and drop the file from my computer to the server/appdata folder either.  I even tried to SSH / Midnight Commander move the file into appdata but the "proxy-conf" directory doesn't show up in MC.  How do i get a modified nextcloud .config file to save into the appdata folder?  Note I am logged in under my account with read/write access and SSH/MC under root login - no avail on either.

 

Thanks!

Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.