[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



I've followed Spaceinvaderone's video for setting up SWAG, but the docker container is giving an error:

Requesting a certificate for <mySubDomain>.duckdns.org

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: <mySubDomain>.duckdns.org
Type: unauthorized
Detail: Invalid response from http://<mySubDomain>.duckdns.org/.well-known/acme-challenge/U9o-N70woR3z5jnFl0cEVPWd711PJT8SAqRPiZLYAXc [<My IP>]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Some challenges have failed.

 

I have two gateways, AT&T for ISP and a Google WiFi mesh, but I believe I have the port forwarding correct. Two reasons for this.

1) I can see my Plex server, so the two-hop forwarding to that container is working.

2) I was getting timeout errors in the log, but those have now changed to this unauthorized/404 error.

For SWAG, I have AT&T forward 80 and 443 directly (the only option I saw), and Google changing the ports to 180 and 1443. SWAG is set up for 180 and 1443.

I'm trying to get http auth working as that seemed like the best place to start. I need to understand the other options better, too.

Any tips for debugging?

On 11/9/2020 at 10:59 PM, LifeBasher said:

Hi,

I'm trying to get SWAG to reverse proxy to my VM in Unraid. I used Spaceinvader's video to set it up at the start, but now when I'm trying to send to the VM, the log gives me this... Anyone have any idea? I mean it works great when I'm using it on Docker, but I can't get it to send it to my VM.

Thanks for any help

P.S. I actually want to send it to a VM for Nextcloud instead of using a Docker for it.

2020/11/10 00:45:08 [error] 431#431: *63 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 66.70.148.95, server: myServer.*, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.8.13:443/favicon.ico", host: "myHost", referrer: "https://myHost/"

Did you ever get this figured out? I'm also trying to pass through an Ubuntu VM running Nextcloud.

On 9/7/2021 at 12:58 PM, stottle said:

I have two gateways, AT&T for ISP and a Google WiFi mesh, but I believe I have the port forwarding correct. Two reasons for this.

1) I can see my Plex server, so the two-hop forwarding to that container is working.

2) I was getting timeout errors in the log, but those have now changed to this unauthorized/404 error.

For SWAG, I have AT&T forward 80 and 443 directly (the only option I saw), and Google changing the ports to 180 and 1443. SWAG is set up for 180 and 1443.

I'm trying to get http auth working as that seemed like the best place to start. I need to understand the other options better, too.

Any tips for debugging?

The error turned out to be a mismatch in ports between the two routers (mixing which was internal vs. external).

Also, to the earlier person who mentioned still getting "insecure" messages due to having staging set to `true` - thanks, I hit that as well.
On 5/6/2021 at 4:38 PM, tetrapod said:

I had the same issue and I think, if I remember correctly, that Spaceinvader's video didn't mention that you had to turn off proxy for the subdomain CNAME record. Maybe this worked differently before at Cloudflare? But when I turn on "proxied" for any CNAME, that URL will no longer point to my server; it will point to a Cloudflare server. How this proxy via Cloudflare is supposed to work I do not know.
I can keep "proxied" on for my A records though.

Anyone ever get to the bottom of this? :)

I searched this thread and generally online for an answer to this, but I don't see it or I missed it. I've been running SWAG to front-end a couple of dozen containers for a year or so and it has worked great. I tried adding another one today and I went to SSH into it to modify the config file and I'm getting an error that the target actively refused it. I've made no changes to my network, and I've restarted the container and even rebooted Unraid, but I'm still getting the same error.

Any ideas on what I might be missing?

NVM - needed more coffee. I remembered I SSH into Unraid and then go to the appdata from there rather than SSH into the SWAG container IP.

Edited by BurntOC

Ain't nobody got time to trawl through 228 (!) pages of messages to figure out how to use SWAG with ZeroSSL on Unraid. Looks like linuxserver.io even spends precious little time describing what is needed for ZeroSSL.

I did find that the GitHub link for docker-swag has a little info though!

There has got to be a better way to support it than this forum.

Need help.

I have an error while installing the SWAG Docker: I cannot see the logs, since after installation and running, the Docker setup removes the image. But I see the commands generated:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name='swag' --net='proxynet' -e TZ="Europe/Madrid" -e HOST_OS="Unraid" -e 'EMAIL'='[email protected]' -e 'URL'='myownadomain.com' -e 'SUBDOMAINS'='cloud' -e 'ONLY_SUBDOMAINS'='false' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'EXTRA_DOMAINS'='' -e 'STAGING'='false' -e 'DUCKDNSTOKEN'='' -e 'PROPAGATION'='' -e 'PUID'='99' -e 'PGID'='100' -p '180:80/tcp' -p '1443:443/tcp' -v '/mnt/user/appdata/swag':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/swag'
8234a2c63b968ed9a9ee04b5d0f10e93352e6424393d2d9531ce27b587916872
1 hour ago, altyne said:

Need help.

I have an error while installing the SWAG Docker: I cannot see the logs, since after installation and running, the Docker setup removes the image. But I see the commands generated:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name='swag' --net='proxynet' -e TZ="Europe/Madrid" -e HOST_OS="Unraid" -e 'EMAIL'='[email protected]' -e 'URL'='myownadomain.com' -e 'SUBDOMAINS'='cloud' -e 'ONLY_SUBDOMAINS'='false' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'EXTRA_DOMAINS'='' -e 'STAGING'='false' -e 'DUCKDNSTOKEN'='' -e 'PROPAGATION'='' -e 'PUID'='99' -e 'PGID'='100' -p '180:80/tcp' -p '1443:443/tcp' -v '/mnt/user/appdata/swag':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/swag'
8234a2c63b968ed9a9ee04b5d0f10e93352e6424393d2d9531ce27b587916872

I resolved my issue: the port was in use.

However, I have an issue again:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: cloud.myowndomain.com
Type: connection
Detail: Fetching http://cloud.myowndomain.com/.well-known/acme-challenge/MW0vkuKtEVdJrtPHQhH-_BqvajZK31sTq18SZuk2qug: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
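Both failure shapes quoted in this thread, the certbot "Type: connection" / "Type: unauthorized" report above and the earlier nginx "wrong version number" handshake line from the VM upstream, can be read mechanically. The script below is an added example, not SWAG's or linuxserver.io's code. Its certbot output and nginx line are constructed to match the thread's format (placeholder domains, tokens and documentation IPs), and the likely-cause text reflects only what was resolved in the thread: port forwarding and the router firewall for timeouts, another service answering port 80 for the 404, Cloudflare proxying redirecting the request, and an upstream that speaks plain HTTP where nginx expects TLS.

```python
"""Classify SWAG/certbot failures of the kinds quoted in this thread.

Constructed sample input (not real captures): one certbot http-01 failure
report with two domains, plus one nginx error-log line. Everything is inline
so the script runs offline.
"""
import re

# Constructed: certbot standalone output, same shape as the thread's reports.
CERTBOT_OUTPUT = """\
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: cloud.example.test
Type: connection
Detail: Fetching http://cloud.example.test/.well-known/acme-challenge/TOKEN-A: Timeout during connect (likely firewall problem)

Domain: sub.example.test
Type: unauthorized
Detail: Invalid response from http://sub.example.test/.well-known/acme-challenge/TOKEN-B [203.0.113.10]: "<html>\\r\\n<head><title>404 Not Found</title></head>\\r\\n<body>\\r\\n<center><h1>404 Not Found</h1></center>\\r\\n<hr><center>nginx</center>\\r\\n"

Some challenges have failed.
"""

# Constructed: nginx error line, same shape as the VM-upstream failure in the thread.
NGINX_ERROR = ('2020/11/10 00:45:08 [error] 431#431: *63 SSL_do_handshake() failed '
               '(SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) '
               'while SSL handshaking to upstream, client: 198.51.100.7, server: myServer.*, '
               'request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.8.13:443/favicon.ico", '
               'host: "myHost"')

# One block per failed domain: "Domain: ...\nType: ...\nDetail: ..."
_CHALLENGE_RE = re.compile(r"Domain: (?P<domain>\S+)\nType: (?P<type>\S+)\nDetail: (?P<detail>.+)")
# The CA reports the address it actually connected to in square brackets.
_ANSWERED_BY_RE = re.compile(r"\[([0-9a-fA-F.:]+)\]")


def diagnose_certbot(text):
    """Return one dict per failed domain with a plain-language likely cause.

    'connection' timeout: TCP/80 never reached certbot's standalone responder
    (port forwarding or firewall). 'unauthorized' with a 404: something else
    answered on port 80 (another web server, or a router intercepting the port).
    In both cases, if the bracketed address is not your public IP, DNS (e.g. a
    Cloudflare-proxied record) is sending the CA somewhere else.
    """
    findings = []
    for m in _CHALLENGE_RE.finditer(text):
        ctype, detail = m.group("type"), m.group("detail")
        ip = _ANSWERED_BY_RE.search(detail)
        if ctype == "connection":
            cause = ("TCP/80 from the internet never reached certbot: check the port-forward "
                     "rule on every hop and the router firewall")
        elif ctype == "unauthorized" and "404 Not Found" in detail:
            server = "nginx" if "<center>nginx</center>" in detail else "an unknown web server"
            cause = (f"port 80 is answered by {server}, not by certbot's standalone responder: "
                     "another service or the router is receiving the forwarded port")
        else:
            cause = "unrecognised challenge failure; read /var/log/letsencrypt/letsencrypt.log"
        findings.append({
            "domain": m.group("domain"),
            "type": ctype,
            "answered_by": ip.group(1) if ip else None,  # compare with your public IP
            "likely_cause": cause,
        })
    return findings


# 'wrong version number' means the upstream replied with bytes that are not a
# TLS record, which for a web upstream is almost always plain HTTP on that port.
_UPSTREAM_RE = re.compile(r'wrong version number.*?upstream: "(?P<scheme>https?)://(?P<hostport>[^/"]+)')


def diagnose_nginx_line(line):
    """Explain an nginx 'wrong version number' upstream handshake error.

    Returns None for lines that are not this error.
    """
    m = _UPSTREAM_RE.search(line)
    if not m:
        return None
    hostport = m.group("hostport")
    return {
        "upstream": hostport,
        "likely_cause": (f"upstream {hostport} does not speak TLS on that port; proxy to it "
                         "with http:// or enable TLS on the upstream"),
    }


if __name__ == "__main__":
    for f in diagnose_certbot(CERTBOT_OUTPUT):
        print(f"{f['domain']} ({f['type']}, answered by {f['answered_by']}): {f['likely_cause']}")
    print(diagnose_nginx_line(NGINX_ERROR))
```

The "answered_by" address is the most useful single field: if it is not the public IP of your own connection, the CA never reached your router at all, and the DNS record (proxied or stale) is the thing to fix before touching port forwarding.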

On 9/24/2021 at 4:01 PM, altyne said:

I resolved my issue: the port was in use.

However, I have an issue again:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: cloud.myowndomain.com
Type: connection
Detail: Fetching http://cloud.myowndomain.com/.well-known/acme-challenge/MW0vkuKtEVdJrtPHQhH-_BqvajZK31sTq18SZuk2qug: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

I managed to install the SSL via Cloudflare. However, my router blocks port 80 and shows the router web admin page? Did it ignore port forwarding?

internet -> router (port 80 forwarded -> unraid server port 192.168.x.x:180 -> nextcloud : 80)

internet -> router (blocks here, returns web admin page from router)?

Like many people here I followed Spaceinvader One's guide to give online access to Nextcloud using a domain name. I followed his guide to the letter and everything seems to be working fine other than my router not supporting NAT reflection.

This means that I can only access my Nextcloud GUI via my domain name using a VPN or when I'm away from home, which is fine by me, EXCEPT that I can no longer access my Nextcloud GUI AT ALL on my home network. When I try to access it via localhost:444 it gets redirected to my domain name (nextcloud.mydomain.com). Is there a way I can retain the ability to connect to Nextcloud on my home network?

This problem is only with Nextcloud; I can access Sonarr with both my domain and my local IP depending on whether I'm connected to my local network or not.

Edited by sloob
On 9/25/2021 at 4:19 PM, altyne said:

 

I managed to install the SSL via Cloudflare. However, my router blocks port 80 and shows the router web admin page? Did it ignore port forwarding?

internet -> router (port 80 forwarded -> unraid server port 192.168.x.x:180 -> nextcloud : 80)

internet -> router (blocks here, returns web admin page from router)?

It's working for me right now. What I did was disable the firewall settings built into my router and the UPnP options.

Well, looks like this thread is like a rant and nobody cares to read 228 pages. What a bummer.

What I observed: SpaceInvaderOne's guides are still good, but most are outdated unless he updated them in the comment section. For other content, you can follow along, but you should be cautious because the settings will likely not be compatible with the latest version. Some tips and gotchas I observed: you can get the instructions inside the conf/config files in the comments section. And also read the author's documentation/wiki guides on how to configure.

The Unraid server (particularly Docker) just presents the configuration on the screen and eventually submits it to the command line. You can read the author's guide or click the question mark at the top right of the screen below your username to see some valid values and tips.
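The port-forwarding chains described in this thread (AT&T gateway to Google WiFi to the container on 180/1443 earlier, and router to Unraid 192.168.x.x:180 to Nextcloud here) can be checked hop by hop instead of by trial and error. The script below is an added example, not part of this thread or the SWAG project; the device names and both rule sets are constructed from the posts, and the `docker -p` entry stands for the container's published port mapping. Tracing public TCP/80 and TCP/443 to the container's 80 and 443 names the hop whose rule is missing or swapped, which is exactly where a router's own service (its admin page) or a timeout answers the ACME request instead of certbot.

```python
"""Trace public TCP/80 and TCP/443 through a chain of NAT hops to the SWAG container.

Each device is (name, {port_it_listens_on: port_it_forwards_to}); the list is
ordered from the internet inwards and ends with the container's published port
mapping (host port -> container port). Both chains below are constructed from
the setups described in this thread, not real configurations.
"""


def trace_forward(devices, entry_port):
    """Follow entry_port hop by hop.

    Returns (final_port, path). path is a list of (device, port_after_device);
    if a device has no rule for the port it receives, final_port is None and
    the last path entry carries None, naming the hop whose rule is missing.
    """
    port = entry_port
    path = [("internet", port)]
    for name, rules in devices:
        if port not in rules:
            path.append((name, None))
            return None, path
        port = rules[port]
        path.append((name, port))
    return port, path


def check_swag_ingress(devices, expect=None):
    """Check that public 80 and 443 land on the container's 80 and 443.

    certbot's standalone http-01 responder and SWAG's nginx listen on 80/443
    inside the container, so anything else at the end of the chain (or a broken
    chain) explains a failed challenge. Returns {public_port: (ok, path)}.
    """
    expect = expect or {80: 80, 443: 443}
    result = {}
    for public_port, want in expect.items():
        final_port, path = trace_forward(devices, public_port)
        result[public_port] = (final_port == want, path)
    return result


def explain(result):
    """Turn a check_swag_ingress result into one human-readable line per port."""
    lines = []
    for public_port, (ok, path) in result.items():
        route = " -> ".join(f"{dev}:{port}" for dev, port in path)
        if ok:
            lines.append(f"TCP/{public_port}: ok, path {route}")
            continue
        dev, port = path[-1]
        if port is None:
            received = path[-2][1]
            lines.append(f"TCP/{public_port}: no rule on {dev} for port {received}; the device's "
                         "own service (e.g. its admin page) or a timeout answers instead")
        else:
            lines.append(f"TCP/{public_port}: ends on port {port} after {dev}, not the "
                         "container's expected port")
    return lines


# Constructed: two-gateway setup with host-side ports 180/1443, as in the thread.
WORKING = [
    ("att-gateway", {80: 80, 443: 443}),
    ("google-wifi", {80: 180, 443: 1443}),
    ("docker -p", {180: 80, 1443: 443}),
]

# Constructed: the same setup with internal/external swapped on the middle hop,
# the mistake the original poster reported as the cause of the 404.
MIXED_UP = [
    ("att-gateway", {80: 80, 443: 443}),
    ("google-wifi", {180: 80, 1443: 443}),
    ("docker -p", {180: 80, 1443: 443}),
]

if __name__ == "__main__":
    for label, chain in (("working", WORKING), ("mixed-up", MIXED_UP)):
        print(label)
        for line in explain(check_swag_ingress(chain)):
            print("  " + line)
```

Writing each device's rules down in this listens-on/forwards-to form is the check: the port a hop forwards to must be a port the next hop listens on, and only the last hop (the container mapping) should translate back to 80 and 443.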
32 minutes ago, Carlos said:

Hi there folks!

Today an expired certificate error message from my Win10 Nextcloud client hit me when I logged in. Looking around I found this; should I click "Trust this certificate anyway" and forget about it, or should I change something in my SWAG config?

Thanks

I'm having this untrusted certificate issue with Nextcloud. Just started today for me as well.
On 9/30/2021 at 5:24 PM, Carlos said:

Hi there folks!

Today an expired certificate error message from my Win10 Nextcloud client hit me when I logged in. Looking around I found this; should I click "Trust this certificate anyway" and forget about it, or should I change something in my SWAG config?

Thanks

Never mind, looks like it's fixed with the latest client update recently deployed.

Cheers

Hi, has something changed on SWAG recently? It's been working fine and nothing has changed on my FW or network; now I am getting this error:

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

I had my SWAG Docker still failing with the Let's Encrypt cert renewal. My issue renewing was caused by Cloudflare proxying the traffic. I turned off proxying for my A and CNAME records (under the DNS tab in Cloudflare). I then restarted Docker and it came right. I could then go back to Cloudflare and turn the proxying back on. Hope this may help someone else.
On 10/5/2021 at 8:51 AM, dfox1787 said:

Hi, has something changed on SWAG recently? It's been working fine and nothing has changed on my FW or network; now I am getting this error:

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Restored a backup, all working now. Thanks for the help.

Edited by dfox1787

Hi! I'm trying to host my own git server, using Gitea combined with SWAG. I followed @SpaceInvaderOne's guide on how to add reverse proxies for select applications. I think I did it right, as I get to an error page saying Error 403 Permission Denied; SWAG redirects the traffic "correctly", but I can't figure out what I configured wrongly. Could someone help me? app.ini is Gitea's own config.

gitea.subdomain.conf
On 9/25/2021 at 2:23 PM, sloob said:

EXCEPT that I can no longer access my Nextcloud GUI AT ALL on my home network. When I try to access it via localhost:444 it gets redirected to my domain name (nextcloud.mydomain.com). Is there a way I can retain the ability to connect to Nextcloud on my home network?

I have the same issue, where my router doesn't allow NAT loopback or hairpinning. To access Nextcloud on my home network, I type localhost:444, which then redirects to nextcloud.mydomain.com (like you indicated). After that first redirect I replace "nextcloud.mydomain.com" with "localhost:444" in the URL and it works.

Edited by bat2o
