[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



On 2/20/2022 at 3:13 PM, Picha said:

Hello,

 

I am having a lot of error messages in my error.log and have no clue what they could mean. I looked it up on Google, but this didn't really help much. As far as I can tell everything works, but these errors are new / I never noticed them. Tried increasing the timeout, which didn't help.

 

Error Log example:

2022/02/20 14:40:31 [error] 634#634: *10069 upstream prematurely closed connection while reading response header from upstream, client: xxxxxxx, server: plex.*, request: "GET /:/websockets/notifications?X-Plex-Token=xxxxxxxx-Plex-Language=de-de HTTP/1.1", upstream: "https://192.168.3.100:32400/:/websockets/notifications?X-Plex-Token=QR-xxxxxxxX-Plex-Language=de-de", host: "xxxxxxx"


 

Proxy Config:

client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240s;
proxy_send_timeout 240s;
proxy_connect_timeout 240s;

# TLS 1.3 early data
proxy_set_header Early-Data $ssl_early_data;

# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
#proxy_cookie_path / "/; HTTPOnly; Secure"; # enable at your own risk, may break certain apps
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
proxy_headers_hash_bucket_size 128;
proxy_headers_hash_max_size 1024;

 

Plex Config:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name plex.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    proxy_redirect off;
    proxy_buffering off;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;
    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app 192.168.3.100;
        set $upstream_port 32400;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
        proxy_set_header X-Plex-Device $http_x_plex_device;
        proxy_set_header X-Plex-Device-Name $http_x_plex_device_name;
        proxy_set_header X-Plex-Platform $http_x_plex_platform;
        proxy_set_header X-Plex-Platform-Version $http_x_plex_platform_version;
        proxy_set_header X-Plex-Product $http_x_plex_product;
        proxy_set_header X-Plex-Token $http_x_plex_token;
        proxy_set_header X-Plex-Version $http_x_plex_version;
        proxy_set_header X-Plex-Nocache $http_x_plex_nocache;
        proxy_set_header X-Plex-Provides $http_x_plex_provides;
        proxy_set_header X-Plex-Device-Vendor $http_x_plex_device_vendor;
        proxy_set_header X-Plex-Model $http_x_plex_model;
    }
}

 

Errors in Plex:

[screenshot of the errors shown in Plex]

So, I solved those errors with trial and error, but actually have no clue what the hell I did.

Could somebody enlighten me? Did I proxy the Plex websockets? Why does no one else have these problems?

 

I added the following lines into the plex.conf:

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

 

Link to comment
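Added note on the fix above (this is not part of the original post): the request that fails is Plex's /:/websockets/notifications endpoint, and the posted proxy.conf sends Connection "" and never sets Upgrade. Both are hop-by-hop headers, so nginx does not forward them from the client on its own; without them Plex sees a plain GET on a WebSocket path and simply closes the socket, which nginx records as "upstream prematurely closed connection while reading response header from upstream". The two proxy_set_header lines put the headers back. nginx's own WebSocket proxying documentation goes one step further and derives the Connection value from a map on $http_upgrade (upgrade when the client sent an Upgrade header, close otherwise), so that a shared proxy.conf does not mark every ordinary request as an upgrade. The Python below is an example written for this page, not code from Plex, SWAG or nginx: a loopback stand-in upstream that behaves like a strict WebSocket endpoint (it never talks to a real Plex server), and a probe that sends the same GET with and without the upgrade headers so the two outcomes can be seen side by side. The nonce and the stand-in's behaviour are constructed for the demo.

```python
import base64
import hashlib
import socket
import threading

# RFC 6455 GUID: Sec-WebSocket-Accept = base64(sha1(Sec-WebSocket-Key + GUID)).
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def accept_key(client_key: str) -> str:
    """The value a real WebSocket endpoint must answer for the client's key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_head(raw: bytes):
    """Split an HTTP/1.1 head into (first line, lower-cased header dict)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def _serve(srv: socket.socket) -> None:
    """Stand-in upstream (constructed for this demo, not Plex): upgrade only when the
    hop-by-hop headers survived the proxy, otherwise hang up without a status line.
    Seen from nginx that hang-up is exactly "upstream prematurely closed connection"."""
    while True:
        conn, _ = srv.accept()
        with conn:
            _, hdrs = parse_head(conn.recv(4096))
            upgrade_ok = (hdrs.get("upgrade", "").lower() == "websocket"
                          and "upgrade" in hdrs.get("connection", "").lower()
                          and "sec-websocket-key" in hdrs)
            if upgrade_ok:
                resp = ("HTTP/1.1 101 Switching Protocols\r\n"
                        "Upgrade: websocket\r\n"
                        "Connection: Upgrade\r\n"
                        f"Sec-WebSocket-Accept: {accept_key(hdrs['sec-websocket-key'])}\r\n"
                        "\r\n")
                conn.sendall(resp.encode("ascii"))


def start_upstream() -> int:
    """Start the stand-in upstream on an ephemeral loopback port; returns the port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    threading.Thread(target=_serve, args=(srv,), daemon=True).start()
    return srv.getsockname()[1]


def probe(port: int, forward_upgrade: bool):
    """Send the notifications GET as the upstream sees it after the proxy.
    Returns (status line, or "" if the upstream hung up; whether Accept verified)."""
    key = base64.b64encode(b"0123456789abcdef").decode("ascii")  # constructed nonce
    lines = ["GET /:/websockets/notifications HTTP/1.1", f"Host: 127.0.0.1:{port}",
             f"Sec-WebSocket-Key: {key}", "Sec-WebSocket-Version: 13"]
    if forward_upgrade:
        # What the two proxy_set_header lines from the post put back on the request.
        lines += ["Upgrade: websocket", "Connection: Upgrade"]
    with socket.create_connection(("127.0.0.1", port), timeout=3) as s:
        s.sendall(("\r\n".join(lines) + "\r\n\r\n").encode("ascii"))
        data = b""
        while b"\r\n\r\n" not in data:
            chunk = s.recv(4096)
            if not chunk:          # upstream closed without answering
                break
            data += chunk
    if not data:
        return "", False
    status, hdrs = parse_head(data)
    return status, hdrs.get("sec-websocket-accept") == accept_key(key)


if __name__ == "__main__":
    p = start_upstream()
    print("Upgrade/Connection dropped  :", probe(p, forward_upgrade=False))
    print("Upgrade/Connection forwarded:", probe(p, forward_upgrade=True))
```

Running it prints an empty status for the dropped-headers case and "HTTP/1.1 101 Switching Protocols" with a verified Sec-WebSocket-Accept for the forwarded case; the same contrast is what separates a working proxy_pass from the error.log line in the post.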

Recently I've been having an issue where after a few days, I'll start getting a "Secure Connection Failed" error whenever trying to connect to items behind my reverse proxy. There's nothing referencing it in the access.log, error.log, or the docker log that would give a hint as to the cause. Is there anyone else having a similar issue or have any ideas as to what could be causing it?

The only change that has been made recently is that I've moved houses and the IP address changed, but I made the needed changes and it has been working. Nowadays it stops working after a bit and so far it'll go back to working after I reset the docker enough.

Link to comment

Might be a dumb question, but I'm writing a program on my local desktop machine. In part of my program I'm trying to connect to a mysql db on my unraid server. My plan was to write a PHP file that I could put into Swag that could connect to my DB and do some kind of action. So it would go program->php (on swag)->mysql. This is all being done on the same server. When I put the url as https:/serverIP:1443/php/phpfile.php it says file not found. What should I put here?

Link to comment
On 1/31/2020 at 9:03 PM, Coolsaber57 said:

I am trying to expose my Octoprint page, but am having trouble finding a configuration that will work.  

 

Here's the examples that Octoprint provides: https://community.octoprint.org/t/reverse-proxy-configuration-examples/1107

 

Here's my current config:

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name print.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.2.13:80;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme $scheme;
    }
}

I took out a few lines that were causing the docker container to throw errors.  I'm currently getting a 500 error.  If I copy a config from another container and change the IP/port/subdomain, I do actually get to see the login page, but it says it's offline and asks me to reconnect.

 

Has anyone successfully configured Octoprint in this container? If so, would you be able to share the config?

On 2/2/2020 at 12:09 PM, phreeq said:

I'm rather interested in this too. If you find an answer elsewhere, can you give us an update?



I did a quick search for this but couldn't find a solution in this thread. In case you guys (or anybody else who comes across this in the future) are wondering, the config file is just a generic config you use.

octoprint.subdomain.conf


 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name print.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app 192.168.1.102;
        set $upstream_port 5003;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        proxy_buffering off;
    }
}


You only need to set up port 5003, as OctoPrint is accessible from there and 5002. The camera runs on 5003, so might as well just do 5003. One thing to note: if you're having trouble with the webcam working in whatever Android/iOS remote app you're using, make sure you enter https for the address. I was using the OctoRemote app, and while http:\\print.mydomain worked for the printer connection, it didn't work for the webcam URL until I wrote in https in the app.

(The above ports assume you're using the spants template from the Community Applications store for your OctoPrint instance. If you changed the ports on your template, use those instead.)

Edited by 007craft
Link to comment

I am trying to connect SWAG to a domain via cloudflare. I get the following error message in the logs of SWAG. 

 

As email I have entered the address with which I log in to cloudflare and as key the Global API Key from cloudflare.

Am I doing something wrong? How can I find out where the error is? Thanks!

 

[screenshot of the error message in the SWAG log]

 

Here is an extract from the logs:

 

Mar 23 15:30:45 Aldnoah nginx: 2022/03/23 15:30:45 [error] 2323#2323: *868944 connect() to unix:/var/tmp/swag.sock failed (111: Connection refused) while connecting to upstream, client: 192.168.178.22, server: , request: "GET /dockerterminal/swag/token HTTP/1.1", upstream: "http://unix:/var/tmp/swag.sock:/token", host: "192.168.178.47", referrer: "http://192.168.178.47/dockerterminal/swag/"
Mar 23 15:30:45 Aldnoah nginx: 2022/03/23 15:30:45 [error] 2323#2323: *869155 connect() to unix:/var/tmp/swag.sock failed (111: Connection refused) while connecting to upstream, client: 192.168.178.22, server: , request: "GET /dockerterminal/swag/ws HTTP/1.1", upstream: "http://unix:/var/tmp/swag.sock:/ws", host: "192.168.178.47"
Mar 23 15:30:45 Aldnoah nginx: 2022/03/23 15:30:45 [error] 2323#2323: *868944 connect() to unix:/var/tmp/swag.sock failed (111: Connection refused) while connecting to upstream, client: 192.168.178.22, server: , request: "GET /dockerterminal/swag/token HTTP/1.1", upstream: "http://unix:/var/tmp/swag.sock:/token", host: "192.168.178.47", referrer: "http://192.168.178.47/dockerterminal/swag/"
Mar 23 15:30:45 Aldnoah nginx: 2022/03/23 15:30:45 [error] 2323#2323: *869158 connect() to unix:/var/tmp/swag.sock failed (111: Connection refused) while connecting to upstream, client: 192.168.178.22, server: , request: "GET /dockerterminal/swag/ws HTTP/1.1", upstream: "http://unix:/var/tmp/swag.sock:/ws", host: "192.168.178.47"
Mar 23 15:30:46 Aldnoah nginx: 2022/03/23 15:30:46 [error] 2323#2323: *868944 connect() to unix:/var/tmp/swag.sock failed (111: Connection refused) while connecting to upstream, client: 192.168.178.22, server: , request: "GET /dockerterminal/swag/token HTTP/1.1", upstream: "http://unix:/var/tmp/swag.sock:/token", host: "192.168.178.47", referrer: "http://192.168.178.47/dockerterminal/swag/"
Mar 23 15:30:46 Aldnoah nginx: 2022/03/23 15:30:46 [error] 2323#2323: *869161 connect() to unix:/var/tmp/swag.sock failed (111: Connection refused) while connecting to upstream, client: 192.168.178.22, server: , request: "GET /dockerterminal/swag/ws HTTP/1.1", upstream: "http://unix:/var/tmp/swag.sock:/ws", host: "192.168.178.47"
Mar 23 15:30:47 Aldnoah nginx: 2022/03/23 15:30:47 [error] 2323#2323: *868944 connect() to unix:/var/tmp/swag.sock failed (111: Connection refused) while connecting to upstream, client: 192.168.178.22, server: , request: "GET /dockerterminal/swag/token HTTP/1.1", upstream: "http://unix:/var/tmp/swag.sock:/token", host: "192.168.178.47", referrer: "http://192.168.178.47/dockerterminal/swag/"
Mar 23 15:30:47 Aldnoah nginx: 2022/03/23 15:30:47 [error] 2323#2323: *869165 connect() to unix:/var/tmp/swag.sock failed (111: Connection refused) while connecting to upstream, client: 192.168.178.22, server: , request: "GET /dockerterminal/swag/ws HTTP/1.1", upstream: "http://unix:/var/tmp/swag.sock:/ws", host: "192.168.178.47"

 

Edited by Near
Link to comment
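The lines pasted in this post and the error.log line in Picha's Plex post further up are both nginx error_log entries, and they are easier to compare across a few thousand lines of log once split into fields. The script below is an example added for this page, not code from the thread or from the SWAG project: it parses the nginx error_log layout (date, level, pid#tid, connection number, the message, then the client/server/request/upstream/host/referrer context nginx appends), tolerates the syslog prefix seen in this post, and groups repeated lines by message and upstream. The sample lines are copied from the thread as posted. One thing the fields make visible for this post: the syslog prefix (Aldnoah nginx:) and the /dockerterminal/swag/ request path indicate these lines were written by the nginx on the Unraid host while it served the Docker web terminal for the swag container (a unix socket under /var/tmp), not by the nginx inside the SWAG container, so they say nothing about the Cloudflare credentials; the container's own log is where that error will be. The is_host_nginx check encodes that reading of the Unraid layout and is an assumption, not something SWAG documents.

```python
import re
from collections import Counter
from typing import Optional

# nginx error_log layout, optionally behind a syslog prefix as on an Unraid host:
#   [Mon DD HH:MM:SS host nginx: ]YYYY/MM/DD HH:MM:SS [level] pid#tid: *conn message, key: value, ...
LINE_RE = re.compile(
    r"^(?:(?P<syslog>\w{3} +\d+ \d\d:\d\d:\d\d \S+ nginx): )?"
    r"(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \[(?P<level>\w+)\] "
    r"(?P<pid>\d+)#(?P<tid>\d+): \*(?P<conn>\d+) (?P<rest>.*)$"
)
# Context fields nginx appends after the message; quoted values may contain commas.
CTX_RE = re.compile(r', (client|server|request|upstream|host|referrer): ("[^"]*"|[^,]*)')

# Sample lines copied from this thread (client/host values were already masked by the posters).
SAMPLE_LINES = [
    '2022/02/20 14:40:31 [error] 634#634: *10069 upstream prematurely closed connection while reading response header from upstream, client: xxxxxxx, server: plex.*, request: "GET /:/websockets/notifications?X-Plex-Token=xxxxxxxx-Plex-Language=de-de HTTP/1.1", upstream: "https://192.168.3.100:32400/:/websockets/notifications?X-Plex-Token=QR-xxxxxxxX-Plex-Language=de-de", host: "xxxxxxx"',
    'Mar 23 15:30:45 Aldnoah nginx: 2022/03/23 15:30:45 [error] 2323#2323: *868944 connect() to unix:/var/tmp/swag.sock failed (111: Connection refused) while connecting to upstream, client: 192.168.178.22, server: , request: "GET /dockerterminal/swag/token HTTP/1.1", upstream: "http://unix:/var/tmp/swag.sock:/token", host: "192.168.178.47", referrer: "http://192.168.178.47/dockerterminal/swag/"',
    'Mar 23 15:30:45 Aldnoah nginx: 2022/03/23 15:30:45 [error] 2323#2323: *869155 connect() to unix:/var/tmp/swag.sock failed (111: Connection refused) while connecting to upstream, client: 192.168.178.22, server: , request: "GET /dockerterminal/swag/ws HTTP/1.1", upstream: "http://unix:/var/tmp/swag.sock:/ws", host: "192.168.178.47"',
]


def parse_error_line(line: str) -> Optional[dict]:
    """Return the line's fields as a dict, or None if it is not an nginx error_log entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rest = rec.pop("rest")
    first = CTX_RE.search(rest)
    # Everything before the first context field is the message itself.
    rec["message"] = (rest[: first.start()] if first else rest).strip()
    for key, value in CTX_RE.findall(rest):
        rec[key] = value.strip('"')
    return rec


def is_host_nginx(rec: dict) -> bool:
    """Assumption about the Unraid layout, not something SWAG documents: a syslog prefix
    plus a /dockerterminal/ path means the host's own nginx (the Docker web terminal
    proxy) wrote the line, not the nginx inside the SWAG container."""
    return rec.get("syslog") is not None and "/dockerterminal/" in rec.get("request", "")


def summarize(lines):
    """Group parsed lines by (message, upstream, host-side?) so repeats collapse to one row."""
    recs = [r for r in (parse_error_line(l) for l in lines) if r]
    return Counter((r["message"], r.get("upstream", "-"), is_host_nginx(r)) for r in recs)


if __name__ == "__main__":
    for (msg, upstream, host_side), n in summarize(SAMPLE_LINES).most_common():
        where = "host nginx" if host_side else "container nginx"
        print(f"{n:>4}  {where:<16} {msg}  <- {upstream}")
```

Feed it the real file with `summarize(open("/config/log/nginx/error.log"))` (the SWAG log path, mounted under appdata/swag/log/nginx on Unraid) and the most_common() output shows at a glance which upstream is failing and whether the lines even come from the container.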

I cant seem to get three containers to proxy through no matter what I do - these are my secondary sonarr/radarr containers and my plex container. On the dashboard all three state that they are unavailable and that SWAG can not reach them at http://[containername]:[port]. I have tried manually editing the configs to direct at the ip and port without any variables with no luck. I can't figure out what is going on here. All of the dockers except plex are on the dockerlocal network with plex having a host network. The normal sonarr and radarr containers work flawlessly.

Link to comment

I can't seem to get any other dockers besides nextcloud to passthrough SWAG with my subdomains

nextcloud.mydomain.com works, but

sonarr.mydomain.com gives me

Quote:
Try clearing your cookies.
ERR_TOO_MANY_REDIRECTS

The cname's are setup the same way in cloudflare. Anyone have any idea of what to look for or change? If any more info is needed let me know

Link to comment
On 2/5/2022 at 7:10 AM, jademonkee said:

Hi all,

I keep seeing in the logs:

No MaxMind license key found; exiting. Please enter your license key into /etc/libmaxminddb.cron.conf
run-parts: /etc/periodic/weekly/libmaxminddb: exit status 1

If I restart the container, it doesn't appear in the logs, but eventually re-appears.

The key I have provided in the Docker variable 'GeoIP2 License key' is current and correct, and if I run the command

echo $MAXMINDDB_LICENSE_KEY

It returns the correct value.

 

The only mention of this issue that I can find is this:

https://github.com/linuxserver/docker-swag/issues/139

 

Similar to that page, if I run:

# /config/geoip2db# ls -lah

it returns:
 

sh: /config/geoip2db#: not found

 

But the page says that the issue has been solved. Could it be that I had to manually apply those changes? I'm usually pretty good at looking at the logs after an update to see if any configs need to be manually updated, but maybe I missed it?

I'm not sure how to manually check if those changes have been applied in the Docker or not.

 

Your help is appreciated - I'm concerned that Geo IP blocking is not working while this is happening.

 

FWIW, it looks like the old method for GeoIP blocking has been superseded, so that's why I was getting errors.

I followed the instructions at: https://github.com/linuxserver/docker-mods/tree/swag-maxmind/ and https://virtualize.link/secure/

And replaced the old references to GeoIP2 in the config files mentioned in the above instructions. Seems like it's all working now, although I'll find out in a week if the error (or a new one) pops up in my logs again. I also note that the file appdata/swag/geoip2db/GeoLite2-City.mmdb hasn't been modified since 2021-11-30, so maybe this change will allow it to update? Although, TBH, I'm not even sure what the database does, given I'm banning by country code (does it link IPs to countries, maybe?).

Anyway, thought I'd post it here for posterity, in case anyone else has a similar problem.

Edited by jademonkee
Link to comment

Hi, maybe a dumb question, but I would like to access my Unraid dashboard (192.168.1.50) from outside using SWAG. I have a domain mydomain.org and I have created a subdomain in Cloudflare, unraid.mydomain.org. I tried to modify a template .conf file but a port is required... what should I use? Or maybe that's not the right way to go, as the .conf files are only for docker apps? Thanks for any help.

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name unraid.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    location / {
        # enable the next two lines for http auth
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.1.50;
        set $upstream_port <port_number>;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

 

Link to comment

Hi 

 

After I updated to the latest version my Jellyfin became inaccessible; in the logs I get this spammed every second:

 

 

nginx: [emerg] cannot load certificate "/config/keys/letsencrypt/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

 

Did update break anything related to ssl?

Link to comment

Not replying to anybody in particular, just wanted to post this in case it helps somebody out in the future.

 

I was getting a 502 Bad Gateway error with SWAG for a couple of days and it was driving me nuts, every solution I looked for came up with "Did you enable Host access to custom networks?", but what had actually happened is my resolver.conf (at appdata/swag/nginx) had gotten stuck with some random IP address.

 

Simple delete of resolver.conf and restart of the SWAG container and everything was running smoothly.

Link to comment
On 4/24/2022 at 4:26 AM, MrPresibent said:

Not replying to anybody in particular, just wanted to post this in case it helps somebody out in the future.

 

I was getting a 502 Bad Gateway error with SWAG for a couple of days and it was driving me nuts, every solution I looked for came up with "Did you enable Host access to custom networks?", but what had actually happened is my resolver.conf (at appdata/swag/nginx) had gotten stuck with some random IP address.

 

Simple delete of resolver.conf and restart of the SWAG container and everything was running smoothly.

Bingo! I spent the last 24h pulling my hair out trying to troubleshoot this. Thank you!!!

Link to comment
On 4/28/2022 at 5:21 AM, ejf513 said:

Bingo! I spent the last 24h pulling my hair out trying to troubleshoot this. Thank you!!!

Hahaha, I was just joking with somebody about how all I ever want at my incredibly basic experience level is for somebody to find this helpful and comment saying it solved their problem. You've made my day.

Link to comment

Hello Guys,

 

I haven't touched at my reverse proxy in at least 6 months and i don't think that i have done anything to my server/ network this week.

 

However my setup stopped working :

- I can access locally all my containers

- If i point my website to my server IP, i reach the swag front page

- But if i try adding my subdomain, it ends up in an Error Connection Timed out.( If i try any subdomain that links to nothing, it tells me straight away that it does not exist.)

 

 

What i tried :

- No errors in Swag log, and i deleted the resolver/ proxy.conf to be sure

- restarted everthing

- tested cloudflare is working

 

 

So i'm starting to go mad. From above i conclude that cloudflare is working + Local containers are working + Modem/router are redirecting all request to the containers.

 

So why is swag not opening the containers?

 

Starting to go mad here, if you have any ideas.

 

Edit for Solution: After a while searching and trying out stuff. I switched dns only in cloudflare in the Cname (it used to work before, as shown in space invader video) to proxied. It worked instantly.

 

 

 

Edited by Troussdesoin
update
Link to comment
38 minutes ago, xxbryantd said:

192.168.148:3000 but not sure how to do this?

 

I guess you're missing a dot in your IP, but as a sample ...

use the template sample from the proxy confs and replace the container name with your IP ...

[screenshot of the sample proxy conf]

before

[screenshot of the conf before the edit]

after

[screenshot of the conf after the edit]

Probably your external AdGuard ... then I would suggest using the AdGuard sample and also just replacing the name with the IP ;)

Link to comment

Hi,

I've just configured, with another ISP, a proxy server with Nextcloud and Cloudflare, and it works fine.

Now I'm changing ISP to an LTE connection. I requested a public IP and opened all ports except HTTP and HTTPS.

I think the problem is a rule on the router that blocks ports 443 and 80 for remote assistance by the ISP.

With the new ISP I can't change the router because it resides in the CPE, and I can't obtain a WAN IP address on my FRITZ!Box.

With correct port forwarding, WAN 443 and 80 redirect to the login page of the router.

Therefore I changed a SWAG subdomain config file and tried to change the listen port to a different WAN port, but when I try to access it remotely it stops at the SWAG interface.

If I try to access it on the LAN it says nginx 404 error.

Docker's log file says OK.

However, SWAG doesn't redirect to the Nextcloud docker.

I spent the last 2 weeks trying to resolve it but I'm very afraid and I can't resolve it. I'm just learning from:

https://docs.linuxserver.io/general/swag/

and https://docs.nextcloud.com/server/19/admin_manual/configuration_server/

English is not my mother tongue, I hope I have made myself understood; ask me if something is not clear or if there is a need for other information. Maybe it takes days to answer, because due to work I'm not often in front of the PC.

Attached config file.

If the images are too big or not suitable for the correct format of the topic, please tell me.

[screenshot of the subdomain config file]

[screenshot of the subdomain config file, annotated]

Trying to deepen the subject, I was wondering whether the nginx files should be touched.

[screenshot of the nginx files, annotated]

I don't know if it is possible to do. I've just researched on the internet and the linuxserver forum but I can't find a solution.

Without pretension: thanks to this community, which made me pleasantly brush up on my old computer knowledge of 10 years ago and which made me learn a lot, and for free.

My warmest congratulations

Link to comment
On 3/2/2022 at 9:02 PM, Matmat07_2 said:

Edit: I made a new container using swag instead of the old letsencrypt. Only changed the domain and email settings: Same result

 

Edit2: using "nc -l localhost -p 80" and shutting down the Swag container, I made sure I could access port 80 from outside. I'm not sure what else I changed, but now it works. You can always help me, but now I'l be trying to add back my old settings slowly.

 

Hi, I just had to change my domain and now I can't seem to make letsencrypt/swag work again. I changed the domain name in most files/area I could think of, but I guess I'm forgetting something important.

 

Requesting a certificate for mydomain.fun and www.mydomain.fun

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: mydomain.fun
Type: connection
Detail: Fetching http://mydomain.fun/.well-known/acme-challenge/AxgorMtHjklmjngO0kvrKsu3Pi-EuATqWmPA9x-tvUc: Timeout during connect (likely firewall problem)

Domain: www.mydomain.fun
Type: connection
Detail: Fetching http://www.mydomain.fun/.well-known/acme-challenge/Lo35xswjM0aVaWMmlHuYYLNu3VgF5GEHvGHSGGPeiao: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

"www" is the only subdomain I tried adding so far.

 

Over at Namecheap, I've got:

AAAA Record        @       *IPV6 address*

Cname Record      ombi   mydomain.fun

Cname Record      www   mydomain.fun

 

 

Any idea what I might have forgotten, or where I could find more info? The logs I'm getting aren't super useful (from the little I understand).

 

 

Hi there.
I'm having the same issue as you. Where did you add "nc -l localhost -p 80"?

 

Thanks

Link to comment
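The certbot output quoted above is the HTTP-01 challenge failing. With the standalone authenticator certbot opens port 80 itself (the hint in the output says as much), and Let's Encrypt's validation servers then fetch http://<domain>/.well-known/acme-challenge/<token> over the public internet. "Timeout during connect" means the TCP connection never got an answer, which normally means the packets were dropped before reaching the host (router, ISP, or a firewall), and is a different symptom from "connection refused", where the port is reachable but nothing is listening. The nc -l command in the quote is the same check done by hand: nc listens on port 80 of whatever machine it is run on, so it is run on the host that port 80 is forwarded to, with SWAG stopped so port 80 is free, and a connection attempt from outside (a phone on mobile data, for instance) then shows up in its output. The script below is an example added for this page, not code from certbot, SWAG or Let's Encrypt: it builds the key authorization a challenge response carries (token.base64url(JWK thumbprint), RFC 8555 section 8.1 with the RFC 7638 thumbprint), serves it from a throwaway listener the way --standalone does, and fetches it while classifying the failure modes the CA would see. It runs on loopback only, so a pass here proves the listener logic, not that the port is reachable from the internet; the account JWK (a tiny RSA key, far too short for real use) and the token are constructed placeholders, and the Let's Encrypt token from the log is not reused.

```python
import base64
import hashlib
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

# Constructed placeholder account key: a real ACME account JWK has a 2048-bit or larger n.
ACCOUNT_JWK = {"kty": "RSA", "e": "AQAB", "n": "sXchDaQebHnPiGvyDOAT4saGEUetSyo9MKLOoWFsueri23bOdgWp4Dy4", "kid": "demo"}


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE/ACME."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over only the required members, sorted, no whitespace."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """RFC 8555 section 8.1: the body the CA expects at the challenge URL."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


class ChallengeHandler(BaseHTTPRequestHandler):
    responses_for = {}  # challenge path -> key authorization, filled by serve_challenge()

    def do_GET(self):
        body = self.responses_for.get(self.path)
        if body is None:
            self.send_error(404)  # unknown token: the CA reports this as an invalid response
            return
        data = body.encode("ascii")
        self.send_response(200)
        self.send_header("Content-Type", "application/octet-stream")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *_):  # keep the demo quiet
        pass


def serve_challenge(token: str, keyauth: str, port: int = 0) -> int:
    """Start a throwaway listener like certbot --standalone does; returns the bound port."""
    ChallengeHandler.responses_for[CHALLENGE_PREFIX + token] = keyauth
    httpd = HTTPServer(("127.0.0.1", port), ChallengeHandler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd.server_address[1]


def fetch_challenge(host: str, port: int, token: str, timeout: float = 5.0):
    """Do what the CA does. Returns ('ok', body), ('http <code>', None),
    ('refused', None) for a reachable port with no listener, or ('timeout', None),
    which is the "Timeout during connect (likely firewall problem)" case."""
    url = f"http://{host}:{port}{CHALLENGE_PREFIX}{token}"
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # never via a proxy
    try:
        with opener.open(url, timeout=timeout) as resp:
            return "ok", resp.read().decode("ascii")
    except urllib.error.HTTPError as e:
        return f"http {e.code}", None
    except urllib.error.URLError as e:
        if isinstance(e.reason, (socket.timeout, TimeoutError)):
            return "timeout", None
        if isinstance(e.reason, ConnectionRefusedError):
            return "refused", None
        return f"error {e.reason}", None


def free_port() -> int:
    """A loopback port with nothing listening, to show the 'refused' outcome."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    token = "constructed-demo-token"
    keyauth = key_authorization(token, ACCOUNT_JWK)
    port = serve_challenge(token, keyauth)
    print("listener up    :", fetch_challenge("127.0.0.1", port, token))
    print("wrong token    :", fetch_challenge("127.0.0.1", port, "other-token"))
    print("nothing on port:", fetch_challenge("127.0.0.1", free_port(), token))
```

Pointing fetch_challenge at the public IP and port 80 from a machine outside the LAN (with SWAG stopped and the listener started on the Unraid host) gives the same three-way answer the CA sees; "timeout" there is the port forwarding or an upstream block, "refused" means the forward works and only the listener is missing.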

hello, I had a power failure that wiped my pfsense vm, and now my proxy containers don't work.

Everything is up and running, no errors; I've checked that ports 80 and 443 are open on the rebuilt pfsense vm, and SWAG, Vaultwarden, and Guac are all running/accessible locally.

 

I'm stumped on what to troubleshoot next - I've looked at the proxy config files, everything looks correct.
What could I be missing?

Link to comment
On 1/30/2022 at 12:48 PM, Rex099 said:

Wondering if someone might be willing to help point me in the right direction to what is going on with my Issue. 

As of 3am this morning everything was working fine with my swag setup, then i went to bed... when I awoke today my website (dlongo.net)  is no longer accessible from inside my local network.(The site just times out ERR_CONNECTION_TIMED_OUT) But it seems to work fine if I turn on my VPN or access it from my mobile connection. Also if I ping dlongo.net it seems to resolve the correct IP. Anyone have any ideas on what I can check? Im just kinda lost at this point. 

Hi, I have the same problem.

Did you solve it?

Link to comment
