[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



I'm trying to set up SWAG on my unraid server and having a beast of a time doing so. Back story: I had a bunch of dockers set up and configured, including Nginx Proxy Manager Official. For the most part, it was working. Then I found a feature I wanted and it was in SWAG. I removed Nginx and installed SWAG, went through the setup process and filled in the blanks. When I go to open the web UI, I get a page stating:

This site can’t be reached
192.168.68.139 refused to connect.
Try:
Checking the connection
Checking the proxy and the firewall
ERR_CONNECTION_REFUSED

What I did then was remove all my dockers, delete the app_data for all the dockers and start fresh (I think). I put in SWAG and still the same thing. Here is the log from the docker:

 

Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=mydomain.xyz
SUBDOMAINS=server,mycloud
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=http
CERTPROVIDER=
DNSPLUGIN=
[email protected]
STAGING=false

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d server.mydomain.xyz -d mycloud.mydomain.xyz
E-mail address entered: [email protected]
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for mydomain.xyz and 2 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: mycloud.mydomain.xyz
Type: unauthorized
Detail: Invalid response from http://mycloud.mydomain.xyz/.well-known/acme-challenge/zn1lUN4VXIHrx1cLNMaa6OLcoFFJQx0_Tn9S0pUvZ1E [2606:4700:3034::ac43:d57e]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js "

Domain: mydomain.xyz
Type: unauthorized
Detail: Invalid response from http://mydomain.xyz/.well-known/acme-challenge/6J1-8GdVoKbGMHlnkqBCf7CsKHDyqLyZ090NcPHDl5Y [2606:4700:3034::ac43:d57e]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js "

Domain: server.mydomain.xyz
Type: unauthorized
Detail: Invalid response from http://server.mydomain.xyz/.well-known/acme-challenge/V-1VSde1mqS5fnXmR7aMN-6pCCBz_w8uemYX9hY5zsY [2606:4700:3037::6815:3dc7]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js "

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container


Could someone give me a bit of insight on this? I'm trying to set up a remote connection to my ZNC IRC bouncer using nginx, so that I can access my bouncer from work. I have ZNC running as a container on unRAID. This is what I have in my nginx config file (znc.subdomain.conf):

 

## Version 2021/05/18
# make sure that your dns has a cname set for znc

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name irc.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        proxy_pass http://192.168.1.2:6502;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

 

My ZNC config file has the following set up for listeners, nothing else in that config file should really matter:

 

<Listener listener0>
        AllowIRC = false
        AllowWeb = true
        IPv4 = true
        IPv6 = false
        Port = 6501
        SSL = false
        URIPrefix = /
</Listener>

<Listener listener1>
        AllowIRC = true
        AllowWeb = false
        IPv4 = true
        IPv6 = false
        Port = 6502
        SSL = false
        URIPrefix = /
</Listener>

 

With this setup I keep getting the following error message on my IRC client whenever I try to connect to my subdomain using port 443:

 

HTTP/1.1 400 Bad Request
Server: nginx
Date: Tue, 17 Aug 2021 18:36:52 GMT
Content-Type: text/html
Content-Length: 150
Connection: close
<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>nginx</center>
</body>

 

Using the same swag container I've managed to set up remote access for my Plex server using another one of my subdomains.

45 minutes ago, micheyll said:

My ZNC config file has the following set up for listeners, nothing else in that config file should really matter:

 

May I ask if this is an HTTP site you are trying to reverse proxy, or TCP traffic (which is what it looks like at first sight)? If so, SWAG is by design for HTTP sites to be proxied, not TCP/UDP traffic ... that would need some advanced setup etc. with the stream module.

On 8/16/2021 at 9:12 PM, davper said:

Hi

I was getting an emergency error most likely caused by me making a config change to add wordpress. So I restored from a recent backup. I am now getting this upon start:

 

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: www.xxxxxx.com
Type: connection
Detail: Fetching http://www.xxxxxx.com/.well-known/acme-challenge/E0JYqMtNJ18FUDxUh7QYKjjq5DMu516AONQvPJA0hPg: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

 

I checked my pfSense and nothing has changed since I got SWAG running a few weeks ago. I have 80 forwarded to port 180 and 443 forwarded to 1443.

 


 

Is there something else I should be looking at?

 

my full swag log



[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/New_York
URL=xxxxxx.com
SUBDOMAINS=www,ddns,cloud,bw,sonarr
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
CERTPROVIDER=
DNSPLUGIN=
[email protected]
STAGING=false

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d www.xxxxxx.com -d ddns.xxxxxx.com -d cloud.xxxxxx.com -d bw.xxxxxx.com -d sonarr.xxxxxx.com
E-mail address entered: [email protected]
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for www.xxxxxx.com and 4 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: www.xxxxxx.com
Type: connection
Detail: Fetching http://www.xxxxxx.com/.well-known/acme-challenge/E0JYqMtNJ18FUDxUh7QYKjjq5DMu516AONQvPJA0hPg: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

 

Hi

Solved the issue.

My WAN IP had changed and that one subdomain (www) did not get updated at Cloudflare. Once I changed the setting to get the IP from the ddns subdomain, it was working again. All other subdomains were working fine.

 

 

 


Hi, out of boredom, I wanted to get SWAG to work with IPv6. Is the only way for a Docker container to obtain an IPv6 address to place it on br0? If it is, and since SWAG is then no longer on the same network (proxynet), does that mean I would also have to replace $upstream_app with the IP address of the host (which is unraid's address)?

10 hours ago, alturismo said:

May I ask if this is an HTTP site you are trying to reverse proxy, or TCP traffic (which is what it looks like at first sight)? If so, SWAG is by design for HTTP sites to be proxied, not TCP/UDP traffic ... that would need some advanced setup etc. with the stream module.

 

It's an IRC bouncer, so it's TCP traffic, but I've seen a lot of examples of people setting it up to work using nginx. Also, SWAG comes with a built-in sample config file for ZNC, so I think it should be a viable way to set it up? I'm really not an expert on this, though.

5 minutes ago, alturismo said:

 

Yes, I see there is IRC and web, and I assume the sample is for the web frontend.

 

I think you're right. Here on ZNC's wiki they mention using the stream module to connect with IRC, which you mentioned as well:

 

https://wiki.znc.in/Reverse_Proxy

 

I'll take a new look at this in the evening. I'm not sure if I know how to enable the stream module, though, but I'll give it a go and let you know how it went.

2 minutes ago, micheyll said:

I'll take a new look at this in the evening. I'm not sure if I know how to enable the stream module, though, but I'll give it a go and let you know how it went.

Pretty simple, BUT ... it won't be behind your reverse proxy, it needs a separate port and will be reachable through all available addresses, IPs, domains, ... so more or less like a separate port forward directly anyway ;)

If you want to go through your RP somehow, it's a lot of tweaks and adjustments ... ssl_preread would be a way to start, but be aware it's a lot of reading, trial and error, and it may not even work as expected.

nginx by design is made for HTTP traffic; the stream module is like a separate part, and you won't benefit from irc.yourdomain.com passing to the stream by default. There are "workarounds" using the above-mentioned ssl_preread module ... like I said, workarounds ;)

35 minutes ago, alturismo said:

Pretty simple, BUT ... it won't be behind your reverse proxy, it needs a separate port and will be reachable through all available addresses, IPs, domains, ... so more or less like a separate port forward directly anyway ;)

If you want to go through your RP somehow, it's a lot of tweaks and adjustments ... ssl_preread would be a way to start, but be aware it's a lot of reading, trial and error, and it may not even work as expected.

nginx by design is made for HTTP traffic; the stream module is like a separate part, and you won't benefit from irc.yourdomain.com passing to the stream by default. There are "workarounds" using the above-mentioned ssl_preread module ... like I said, workarounds ;)

 

Thanks for your input. I think I'll save myself a lot of trouble and grey hair if I just forward the port for ZNC on my router and use SWAG for HTTP traffic applications. Thanks for the help; I would've kept hitting my head against this wall for the foreseeable future.

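One concrete form of the dedicated-port stream setup alturismo describes above, as an added example that is not part of the original thread and not a config shipped with SWAG or ZNC. It assumes the stream block is added at the top level of /config/nginx/nginx.conf (outside the http block, since stream is a separate nginx context) and that the stream module is loaded in the image (check with `nginx -V 2>&1 | grep -o with-stream`); that SWAG's Let's Encrypt files sit at /config/keys/letsencrypt/fullchain.pem and privkey.pem; that ZNC's plaintext IRC listener is the 192.168.1.2:6502 from micheyll's config; and that 6697 is a hypothetical port you would add to the container's port mappings and forward on the router:

```nginx
# Added example for the thread, not config shipped with SWAG or ZNC.
# Place this at the top level of /config/nginx/nginx.conf, outside the
# http { } block: stream is a separate nginx context.
# Assumptions: SWAG's Let's Encrypt files live under /config/keys/letsencrypt,
# ZNC's plaintext IRC listener is 192.168.1.2:6502 (from the post above),
# and 6697 is a hypothetical port mapped on the container and forwarded.
stream {
    upstream znc_irc {
        server 192.168.1.2:6502;
    }

    server {
        # TLS terminates here with the SWAG certificate, so the IRC client
        # connects with SSL on while ZNC keeps SSL = false on port 6502.
        listen 6697 ssl;
        listen [::]:6697 ssl;

        ssl_certificate     /config/keys/letsencrypt/fullchain.pem;
        ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        # The stream context has no server_name: every TCP connection that
        # reaches 6697 on any address or hostname is handed to ZNC.
        proxy_pass znc_irc;
        proxy_connect_timeout 10s;
        # IRC sessions sit idle for long stretches; the default 10m would
        # cut them off.
        proxy_timeout 1h;
    }
}
```

Because there is no server_name matching in the stream context, the host name the IRC client uses only matters for certificate validation; anything that reaches the port is passed to ZNC, which is the "separate port forward" behaviour alturismo points out. The ZNC listener stays at SSL = false because TLS is terminated in nginx. Routing IRC on 443 alongside the HTTP vhosts would need an ssl_preread map keyed on the SNI name, and since two nginx contexts cannot both bind 443, that means moving SWAG's HTTP listeners to another port first, which is the "alot of tweaks" part.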
2 hours ago, Autchirion said:

Hello all,

 

I'm currently using SWAG for Bitwarden, but I would like to use it for Nextcloud as well. It would use the same domain, but with a different port. Do you guys know how to achieve that?

 

Thank you in advance,

Autchi

Just set up a subdomain. @SpaceInvaderOne has a video on how to set up nextcloud with swag: https://www.youtube.com/watch?v=I0lhZc25Sro

 

4 minutes ago, Autchirion said:

OK, do I need two instances of SWAG then?

Just to clarify, I don't want it open to the internet; I only want the annoying message gone that says the page appears to be not secure.

OH, then you don't want to reverse proxy it with SWAG. That's what SWAG is for: making it open to the internet, securely. But maybe you can copy the certs from SWAG to Nextcloud, idk. You'll have to google it as I have no clue, but I THINK it can be done.


I can no longer renew the certs and am getting the following error message.

 


Failed to renew certificate langrock.duckdns.org with error: Could not bind TCP port 80 because it is already in use by another process on this system (such as a web server). Please stop the program in question and then try again.

 

I have changed absolutely nothing on either the server or the router in many years. Any idea if a recent update to the letsencrypt docker might be causing issues? The only web server running is the one serving the Unraid GUI ... this has not been an issue in the past. Thanks

 

 

Update: I checked that the port forwarding worked and that I am able to access the apps I am linking to from the outside world, jellyfin and calibre-web in my case, and both still work just fine. The container log doesn't indicate any problems or warnings, but running 'certbot renew' still throws the above error. I am mystified.

Edited by langrock
On 8/10/2021 at 6:56 PM, comfox said:

 

Did you change anything to get it working?  Mine still won't come back online.

I just had this problem again. I think the port forwarding on the BT hub is rubbish and fails occasionally. SWAG stopped working for me again; I just had to reboot the hub.


I have a (likely) very basic question on SWAG. I am running several internal applications inside my internal network. Using Nextcloud as an example, which I do have set up with a domain name, the docker port mappings show up like this:

172.17.0.1:443 > [unraid ip]:[port]

This works fine until I reboot, and then Docker may or may not change the IP of the container from 172.17.0.1 to something else. This breaks SWAG until I go into the terminal and manually update the configuration file for Nextcloud to the new IP address. It's not a huge deal, but I feel like I am missing some very obvious step to prevent this from happening. I have tried mapping SWAG's proxy config using the container host name, but it never works; it only seems to be able to resolve to the internal IP. Would appreciate any ideas on what I need to update if it's possible to fix this. Thanks!


Hello, I am using SWAG to get my nextcloud docker to access the internet. But now all of the sudden when I try to start SWAG it tries to generate a new cert for nextcloud.FQDN but fails saying that it could not download the challenge files from the temporary standalone webserver started by Certbot on port 80. I followed @SpaceInvaderOne's tutorial and have the same NAT rules as he did to allow it into the network. I'm really just confused and don't know a whole lot about certs to dive into it.


Edit: I realized that I cannot do this without forwarding port 80. Since I cannot do that, I changed to trying duckdns validation. While I now see that port 443 is open, I am still not able to get my reverse proxy running. I've asked about this in a new thread here:

 

 

--------

 

 

This is a bit of a complex question. I'm unable to forward in requests, and I think it has to do with the way that Comcast/Xfinity's modem/router works/doesn't work.

I'm using default settings for the docker for port 80 (8080-->80) and 443.

 

I have port 443 forwarded to my unRAID box.

I do not have port 80 forwarded. Do I need to?

I'm getting this error:

 

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: XXXXX.duckdns.org
Type: connection
Detail: Fetching http://XXXXXX.duckdns.org/.well-known/acme-challenge/0JQsgWcr6OCovXfDLxU8F4m3U3t_jHOqawZJ1DyVI: Timeout during connect (likely firewall problem)

 

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

 

 

 

Do I need to set up port 80 to forward to port 8080 on my unRAID?

If so, I think I'm out of luck, as XFinity's XFi gateway does not allow you to map one port to another. 

 

Any advice on how to mitigate these errors is appreciated.

 

Thanks.

 

 

Edited by volcs0
On 8/24/2021 at 10:54 AM, emptyfish said:

I have a (likely) very basic question on SWAG. I am running several internal applications inside my internal network. Using Nextcloud as an example, which I do have set up with a domain name, the docker port mappings show up like this:

172.17.0.1:443 > [unraid ip]:[port]

This works fine until I reboot, and then Docker may or may not change the IP of the container from 172.17.0.1 to something else. This breaks SWAG until I go into the terminal and manually update the configuration file for Nextcloud to the new IP address. It's not a huge deal, but I feel like I am missing some very obvious step to prevent this from happening. I have tried mapping SWAG's proxy config using the container host name, but it never works; it only seems to be able to resolve to the internal IP. Would appreciate any ideas on what I need to update if it's possible to fix this. Thanks!

 

You shouldn't be using the internal Docker IP for any of the configs. You need a custom Docker network; then you'll be able to refer to the docker name instead of an IP address.

 

Check out Ibracorp's video on Docker Custom networks: 

 

 

or Spaceinvaderone's video on Reverse Proxy with Swag: 

 

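The custom-network approach recommended above, as an added example that is not part of the original thread and not SWAG's own shipped nextcloud.subdomain.conf (it follows the same layout as the znc sample posted earlier in the thread). It assumes a user-defined network created with `docker network create proxynet`, both the swag container and the Nextcloud container attached to it, a container named exactly `nextcloud` that serves HTTPS on 443 inside that network (the linuxserver image's default), and that the file is saved as /config/nginx/proxy-confs/nextcloud.subdomain.conf:

```nginx
## Added example for the thread, not SWAG's shipped sample.
## Assumes: "docker network create proxynet", both swag and nextcloud on that
## network, a container named exactly "nextcloud" serving https on 443, and
## this file saved as /config/nginx/proxy-confs/nextcloud.subdomain.conf.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name nextcloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        # resolver.conf points nginx at Docker's embedded DNS (127.0.0.11),
        # which answers for container names only on a user-defined network,
        # never on the default bridge that hands out 172.17.0.x addresses.
        include /config/nginx/resolver.conf;
        # Using variables in proxy_pass makes nginx look the name up at
        # request time, so a container that comes back with a different IP
        # after a reboot is found without editing this file.
        set $upstream_app nextcloud;
        set $upstream_port 443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

The two pieces that make this survive a reboot are the resolver include and the variables in proxy_pass: a literal `proxy_pass https://nextcloud:443;` is resolved once at startup, and a literal 172.17.0.1 is simply whatever address the default bridge handed out that day. Docker's embedded DNS only serves names on user-defined networks, which is why name-based configs never worked while the containers sat on the default bridge. A quick check from inside the proxy, `docker exec swag nslookup nextcloud`, should return the container's current address on proxynet.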
