[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Hi All,

Finally getting around to switching over from Let'sEncrypt to Swag.

Curious if anyone has any ideas how to stop this from happening?

 


 

 

 

If I let this go, it will just keep adding the same line (to infinity and beyond!)

 

Followed Ed's guide to the letter.

Thanks in advance!

 

 

Link to comment


What’s on line 7 in bitwarden subdomain conf?


Link to comment
sorry @blaine07,
 
Did you mean this:
 
server {
    listen 443 ssl;
    server_name xxxxxxxxxxbitwarden.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 128M;

 
 
Thanks again...

Somewhere in that file it says “resolver” and it’s being defined twice hence the error. Not sure where else it’s defined but specifically on line 7 it appears. What you sent may be further down than line 7 on your Nextcloud CONF.

Edit: you could rename Bitwarden conf, so swag doesn’t include it, temporarily so the rest of your services would work and swag would properly load…
Link to comment

Hi @blaine07,

 

Thank you very much for your help!

I commented out the Bitwarden.conf - Thanks a bunch for reminding me. NC is back up and running!!!

 

I hope you do not mind, but I attached both my Bitwarden and NextCloud .conf files.

I cannot, for the life of me, find where it says 'resolver' more than once.

 

Would you mind taking a look yourself?

Thanks!

 

Have hit the sack for a few before going back in. It has been so bad here that we had to set up a triage area 😷 in the atrium of our hospital... and it ain't a small joint!!!

nextcloud.subdomain.conf bitwarden.subdomain.confUSE_ME

Link to comment

Hi everyone, I've setup Swag with cloudflare to my domain, according to the IBRACorp video.

I also setup all the plugins, log shows 'server ready'.

I've added a label to my emby container 'swag_url=media.mydomain.com', but when I connect I get a 502 bad gateway.

**** Labels for EmbyServer changed, will generate new conf. ****
**** No preset proxy conf found for EmbyServer, generating from scratch ****
**** Setting upstream address EmbyServer for EmbyServer ****
**** Labels for EmbyServer changed, will generate new conf. ****
**** No preset proxy conf found for EmbyServer, generating from scratch ****
**** Setting upstream address EmbyServer for EmbyServer ****
**** Setting port 1900 for EmbyServer ****
**** Setting proto http for EmbyServer ****
**** Setting url media.selausa.online for EmbyServer ****
nginx: the configuration file /config/nginx/nginx.conf syntax is ok
nginx: configuration file /config/nginx/nginx.conf test is successful
**** Changes to nginx config are valid, reloading nginx ****

 

How does auto-proxy work? i.e. where does it create the config files for each container? I don't see any change in any files in /appdata/swag.

Also, where does this port 1900 come from? how do I change it? My emby server is running on port 56907 internally.

Thanks!

Edited by shpitz461
Link to comment

How do we enable the MaxMind's GeoLite2 db? Did generate their licence key and set it as MAXMINDDB_LICENSE_KEY env var, yet nothing is downloaded into /config/geoip2db/ directory.

 

After env var was set & service was restarted, neither 'geo' nor 'maxmind' can be found in the log any longer.

 

Maxmind licence page says the key has never been used ('Last used' column not set).

Edited by tuxbass
Link to comment
On 12/13/2021 at 6:01 AM, tuxbass said:

How do we enable the MaxMind's GeoLite2 db? Did generate their licence key and set it as MAXMINDDB_LICENSE_KEY env var, yet nothing is downloaded into /config/geoip2db/ directory.

 

After env var was set & service was restarted, neither 'geo' nor 'maxmind' can be found in the log any longer.

 

Maxmind licence page says the key has never been used ('Last used' column not set).

 

I'm also having the same issue. Nothing has been downloaded to the appdata/swag/geoip2db folder. Variable is set to MAXMINDDB_LICENSE_KEY with my key as well. It doesn't show that it has been accessed on the maxmind site, but I get the below activity in the log like it is downloading it.

 

 


Link to comment

Hello all, I have a new error and I think I have an idea what the issue is but I'm unsure how to resolve it.

nginx: [emerg] cannot load certificate "/config/keys/letsencrypt/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

When I check that directory, there is no file with the name fullchain.pem . I do see priv-fullchain-bundle.pem .

I suspect this is a consolidated file and my thought is to point swag to this to resolve but I haven't been able to find which config to edit.

 

Any guidance is greatly appreciated.

Link to comment
28 minutes ago, Aerodb said:

Hello all, I have a new error and I think I have an idea what the issue is but I'm unsure how to resolve it.

nginx: [emerg] cannot load certificate "/config/keys/letsencrypt/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

When I check that directory, there is no file with the name fullchain.pem . I do see priv-fullchain-bundle.pem .

I suspect this is a consolidated file and my thought is to point swag to this to resolve but I haven't been able to find which config to edit.

 

Any guidance is greatly appreciated.

EDIT: if you have this issue on unraid, check the SWAG appdata directory etc/letsencrypt/live directory to be sure you don't have a folder with the -0001 ending. I changed the original file to anything else and the -0001 folder back to the original name. It started working right away. Seems there was some sort of permission or access issue.

(ex. with two folders named examplefolder-0001 and examplefolder, changed examplefolder to examplefolder-01 and examplefolder-0001 to examplefolder. It worked right away and the swag log had no errors.)

  • Thanks 1
Link to comment
On 12/18/2021 at 4:24 AM, Flubster said:

They've moved maxmind into a docker mod. Not sure if it was previously configured and working if it'll stop working or not but

 

https://github.com/linuxserver/docker-mods/tree/swag-maxmind

 

Dave

 

Edit: I also needed to cycle the docker twice to get it to download, first time "enabled" the mod, second time downloaded the database

 

Yeah, sorry. I forgot that I switched over to the docker mod for it. It should be working as my other mods are as well. Cycling didn't help. :/

Link to comment

Hi guys,

 

maybe a bit of a noob question, but can anybody tell me what the purpose of this line in the default authelia-server.conf is?

 

if ($request_uri ~ [^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]) { return 401; }

 

As far as I understand it's preventing illegal characters in the request_uri but this is causing problems with some urls for me.
Urls similar to this cause an infinite reloading of an error page:
 

https://redacted.org/content?c={"type":"x"}&perPage=n&sortby=xyz

 

After I removed the line everything worked fine for me so what is it used for?

Edited by Dotfo
Link to comment
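
What the quoted `if ($request_uri ~ ...)` line matches, as an added example (not part of the original post and not SWAG's or Authelia's own code): the character class is copied from the conf line above and run with Python's `re` module as a stand-in for nginx's case-sensitive PCRE match. The helper names and the sample URIs are constructed for illustration, following the URL shape in the post.

```python
import re

# Character class copied from the authelia-server.conf line quoted in the post.
# nginx's "~" operator is a case-sensitive regex match; $request_uri is the
# original request path plus query string.
# Note that "+-=" inside the class is a range (0x2B-0x3D), which is what lets
# "/", ",", "<" and the digits through.
DISALLOWED = re.compile(r"[^a-zA-Z0-9_+-=\!@$%&*?~.:#'\;\(\)\[\]]")


def offending_chars(request_uri):
    """Distinct characters that would trigger `return 401`, in order of appearance."""
    seen = []
    for ch in DISALLOWED.findall(request_uri):
        if ch not in seen:
            seen.append(ch)
    return seen


def rejected_printable_ascii():
    """Printable ASCII characters (0x20-0x7E) that fall outside the allow-list."""
    return "".join(chr(c) for c in range(0x20, 0x7F) if DISALLOWED.match(chr(c)))


# Constructed samples: the first has the URL shape from the post, the second is
# the same query with the JSON value percent-encoded by the client.
SAMPLES = [
    '/content?c={"type":"x"}&perPage=n&sortby=xyz',
    "/content?c=%7B%22type%22%3A%22x%22%7D&perPage=n&sortby=xyz",
]

if __name__ == "__main__":
    print("rejected printable ASCII:", repr(rejected_printable_ascii()))
    for uri in SAMPLES:
        bad = offending_chars(uri)
        print("401 " if bad else "pass", uri, bad)
```

The raw `{`, `"` and `}` in the query string are what the check rejects; the same query with the JSON value percent-encoded contains only allowed characters.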

Hi,

I used the sample for guacamole docker and adjusted only IP address but I am getting only 502 Bad Gateway

  GNU nano 5.3                             guacamole.subdomain.conf
## Version 2021/05/18
# make sure that your dns has a cname set for guacamole and that your guacamole container is not using a >

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name guacamole.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.2.212;
        set $upstream_port 8080;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_buffering off;
    }
}

 

I can access the docker in local network via http://192.168.2.212:8080

The DNS is showing to the right IP-address

Can somebody please help me?

Link to comment
On 12/19/2021 at 6:15 PM, Trenta27 said:

 

Yeah, sorry. I forgot that I switched over to the docker mod for it. It should be working as my other mods are as well. Cycling didn't help. :/

Were you able to solve this? I have the exact same issue. I can enable the new mod, I see activity of it in the log, it's working, but it's not downloading the new GeoLite2-City.mmdb file and I don't see any activity on the maxmind website. It was working fine previously.

Link to comment
On 2/15/2021 at 1:41 PM, Stubbs said:

I am getting this warning in my Swag log:

 

nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
 

 

Is this anything to worry about?

Hi, I just got this too, did you manage it?

Link to comment
On 12/23/2021 at 8:54 PM, touz said:

Were you able to solve this? I have the exact same issue. I can enable the new mod, I see activity of it in the log, it's working, but it's not downloading the new GeoLite2-City.mmdb file and I don't see any activity on the maxmind website. It was working fine previously.

Sadly not. I have the file that I downloaded manually in that location now but I can't get the auto download to work in any way. I think I'm just gonna let Cloudflare handle that portion...

  • Thanks 1
Link to comment

I've got SWAG setup, and logs are reporting "SERVER READY"

 

I'm using the default subdomain confs for freshrss, jackett, radarr, and sonarr

freshrss is working

jackett returns a 502 error

sonarr and radarr both return the swag interface page

 

i had to add the dns records to pi-hole, now i can ping the containers from an unRAID console

how can i get jackett, radarr, and sonarr to work

also i have qbittorrent running through an openvpn-client container, is it possible to have that work via reverse proxy as well?

 

Link to comment
36 minutes ago, Alchemist Zim said:

I've got SWAG setup, and logs are reporting "SERVER READY"

 

I'm using the default subdomain confs for freshrss, jackett, radarr, and sonarr

freshrss is working

jackett returns a 502 error

sonarr and radarr both return the swag interface page

 

i had to add the dns records to pi-hole, now i can ping the containers from an unRAID console

how can i get jackett, radarr, and sonarr to work

also i have qbittorrent running through an openvpn-client container, is it possible to have that work via reverse proxy as well?

 

i hadn't noticed the lines in the conf files saying to add base urls to the jackett, sonarr, and radarr containers😑, so those are working now...internally and externally

 

now my only question...Is it possible to access a qbittorrent container that has the network setup to go through a VPN container?

Link to comment
42 minutes ago, Alchemist Zim said:

i hadn't noticed the lines in the conf files saying to add base urls to the jackett, sonarr, and radarr containers😑, so those are working now...internally and externally

 

now my only question...Is it possible to access a qbittorrent container that has the network setup to go through a VPN container?

figured it out..i pointed my DNS to the unRAID ip address instead of the container ip...worked like a charm😁

Link to comment
On 4/19/2021 at 6:41 PM, Wolbaz said:

Having issues with overseerr. Works great and is fast and snappy with network set to bridge. When I add it to proxynet, however, it is consistently slow, and sometimes hangs up for minutes at a time. This is both using the local IP as well as the external domain. All of my other dockers on proxynet work fine. I brought that up on overseerr discord support and they insist it's a docker problem.

 

Did this ever get resolved? I am having the exact same issue and do not know how to fix it. 

 

Link to comment
On 12/31/2021 at 10:02 AM, Cornd00g said:

 

Did this ever get resolved? I am having the exact same issue and do not know how to fix it. 

 

I was able to solve it temporarily by switching the container network to host. I just changed it back to proxynet to test if it was still an issue and it seems to be working at first glance. I've changed a ton of things since then so I'm not sure what the issue was.

Link to comment
