[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/New_York
URL=***.net
SUBDOMAINS=sonarr,radarr,ombi
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
DNSPLUGIN=
EMAIL=***@***.com
STAGING=

SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d sonarr.***.net -d radarr.***.net -d ombi.***.net
E-mail address entered: ***@***.com
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/sonarr.***.net/fullchain.pem!
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ombi.***.net
http-01 challenge for radarr.***.net
http-01 challenge for sonarr.***.net
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/sonarr.***.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/sonarr.***.net/privkey.pem
Your cert will expire on 2020-11-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

New certificate generated; starting nginx
Downloading GeoIP2 City database.
tar: invalid tar magic
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
Server ready

2 issues ...

1) Downloading GeoIP2 City database.
tar: invalid tar magic

 I've added my api key for MaxMind but getting an invalid tar magic error

 

2) nginx isn't routing requests to my downstream app container on the same subnet

The letsencrypt component seems to be working; nginx is just getting me to the welcome page. Not seeing issues in the container log file. App-specific sample .conf files have been changed to map to the specific container names in my environment [no other change other than renaming the file to remove .sample]

 

Any pointers as to why nginx isn't forwarding the request to my downstream app container? Or where to look for log files?

 

Thank you in advance

Edited by EvilTiger
Link to comment
1 hour ago, EvilTiger said:

2 issues ...

1) Downloading GeoIP2 City database.
tar: invalid tar magic

 I've added my api key for MaxMind but getting an invalid tar magic error

 

2) nginx isn't routing requests to my downstream app container on the same subnet

The letsencrypt component seems to be working; nginx is just getting me to the welcome page. Not seeing issues in the container log file. App-specific sample .conf files have been changed to map to the specific container names in my environment [no other change other than renaming the file to remove .sample]

 

Any pointers as to why nginx isn't forwarding the request to my downstream app container? Or where to look for log files?

 

Thank you in advance

Likely your api key is not correctly added or is not correct

If you're getting the default landing page, then likely the proxy conf is not activated correctly. Check its name, and check the server name directive

Link to comment
11 hours ago, cardo said:

Hi All,

 

I set up the SWAG docker container last weekend and have reverse proxied all of the services I want except one, Pi-Hole. I had it working when I was using a physical Pi-Hole on my 192.168.0.0 network, and I have Pi-Hole running fine when I use the custom network as per @SpaceInvaderOne’s video, but I am unable to use the needed network that is shared with the SWAG container for all of the reverse proxy containers, as it is on the internal 172.18.0.0 network and I need it to be on my 192.168 network. The other issue is that UnRAID is already using ports 80 and 443.  I know I can change those, but port 67 is still being used by something and I’m not sure what.  I tried searching this thread, but didn’t have much luck. I’m certain it’s something easy I’m missing, but just don’t know what.

 

EDIT: After some more digging I determined that libvirt binds to port 67, which makes pihole not start unless I disable my VM manager. I was able to get pihole to work by specifying the letsencrypt custom interface and specifying the IP for the pihole docker container, but now VM Manager won’t start because the pihole docker has port 67 bound now.

 

I also just realized that my pihole is using the unRAID default internal ip and not the one I specified so that won’t work.

 

Any recommendations/best practices here?

 

 

Also, I set up Plex to reverse proxy via a subfolder as required, so I’m reverse proxying the root domain. Is there a .conf file I can add the allow/deny entry to so the root site domain.com is only accessible from my internal network?  I have all of the other services locked down via the appropriate file in proxy-confs.

If you give pihole its own ip, it will use macvlan network type. That type blocks connections between the container and the host (and everything else bridged on host) as a security feature. So swag won't be able to connect to pihole. We highly recommend running pihole on bare metal (an rpi gets the job done) instead of in docker.

 

The subfolder confs get included in the main server block in the default site conf. You can edit that.

Link to comment
10 minutes ago, aptalca said:

Likely your api key is not correctly added or is not correct

If you're getting the default landing page, then likely the proxy conf is not activated correctly. Check its name, and check the server name directive

thank you for the quick response

 

1) you're correct ... there was an extra space after the api key from the copy / paste

 

2) For testing's sake, I tried to access via an external connection [over my mobile] and it worked, so it must be an internal NAT loopback issue. I need to figure out how to address it via the Unifi USG.

Link to comment
1 hour ago, EvilTiger said:

thank you for the quick response

 

1) you're correct ... there was an extra space after the api key from the copy / paste

 

2) For testing's sake, I tried to access via an external connection [over my mobile] and it worked, so it must be an internal NAT loopback issue. I need to figure out how to address it via the Unifi USG.

Scratch that, I don't think it's a NAT loopback issue ... it works fine in Chrome locally and only goes to the 'Welcome ...' page in Microsoft Edge

 

Must be a browser setting issue, any clues?

Link to comment
8 hours ago, aptalca said:

If you give pihole its own ip, it will use macvlan network type. That type blocks connections between the container and the host (and everything else bridged on host) as a security feature. So swag won't be able to connect to pihole. We highly recommend running pihole on bare metal (an rpi gets the job done) instead of in docker.

 

The subfolder confs get included in the main server block in the default site conf. You can edit that.

Thanks for the response, so if I have a reverse proxy set up for Ombi like request.domain.com, will adding the following to ombi.subdomain.conf block someone from connecting to domain.com too?

 

allow 192.168.0.0/16;

deny all;

 

I have the swag container set to only sub domains and cname record only for request.domain.com.

Link to comment
8 hours ago, EvilTiger said:

Scratch that, I don't think it's a NAT loopback issue ... it works fine in Chrome locally and only goes to the 'Welcome ...' page in Microsoft Edge

 

Must be a browser setting issue, any clues?

Could be browser cache. Try an incognito window

Link to comment
58 minutes ago, cardo said:

Thanks for the response, so if I have a reverse proxy set up for Ombi like request.domain.com, will adding the following to ombi.subdomain.conf block someone from connecting to domain.com too?

 

allow 192.168.0.0/16;

deny all;

 

I have the swag container set to only sub domains and cname record only for request.domain.com.

In your previous question, you were asking about subfolder. They are handled differently.

 

The basics are that server blocks are parents of location blocks. If you put the deny in a server block for ombi, it will work for that subdomain and all child location blocks.

 

A subfolder proxy conf is a child location block of the main domain's server block.

 

So to answer your last question, if you add the allow/deny into ombi subdomain's server block, it will only affect that subdomain, not the main domain as the main domain is served under a different server block.

Link to comment
29 minutes ago, aptalca said:

In your previous question, you were asking about subfolder. They are handled differently.

 

The basics are that server blocks are parents of location blocks. If you put the deny in a server block for ombi, it will work for that subdomain and all child location blocks.

 

A subfolder proxy conf is a child location block of the main domain's server block.

 

So to answer your last question, if you add the allow/deny into ombi subdomain's server block, it will only affect that subdomain, not the main domain as the main domain is served under a different server block.

If I wanted to prevent anyone from accessing domain.com, which .conf would the allow/deny go in?  I am really new to nginx.

Link to comment
11 hours ago, cardo said:

If I wanted to prevent anyone from accessing domain.com, which .conf would the allow/deny go in?  I am really new to nginx.

Put it in the main server block in the default site conf located at "/config/nginx/site-confs/default". That will take care of the main domain and all subfolder proxies.

Link to comment
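The two answers above (server blocks are parents of location blocks; a subfolder proxy conf is a child location of the main domain's server block, while a subdomain conf is its own server block) are easier to see side by side. The fragment below is an added example written for this thread, not the SWAG project's own default conf or proxy-confs: the file paths follow what the thread names (/config/nginx/site-confs/default and proxy-confs), while the include line, the listen/server_name lines, the upstream name and port, and the 192.168.0.0/16 LAN range are assumptions or placeholders.

```nginx
# --- /config/nginx/site-confs/default : main domain's server block ---
server {
    listen 443 ssl;
    server_name _;          # assumed catch-all: answers for domain.com itself

    # Access control placed at server level is inherited by every child
    # location, so domain.com AND each subfolder proxy (e.g. plex) are
    # limited to the LAN by these two lines alone.
    allow 192.168.0.0/16;   # placeholder LAN range
    deny all;

    location / {
        root /config/www;   # the "Welcome" landing page the thread mentions
    }

    # Assumed include: subfolder confs become child location blocks here,
    # so they sit underneath the allow/deny above.
    include /config/nginx/proxy-confs/*.subfolder.conf;
}

# --- /config/nginx/proxy-confs/ombi.subdomain.conf : separate server block ---
server {
    listen 443 ssl;
    server_name request.*;  # must match the hostname actually requested

    # This block is independent of the one above: allow/deny here restricts
    # request.domain.com only and has no effect on domain.com.
    allow 192.168.0.0/16;
    deny all;

    location / {
        # Caveat: access directives are inherited only when the location
        # declares none of its own. A location with its own allow/deny
        # replaces the server-level set rather than merging with it, so a
        # broader allow here would silently undo the restriction above.
        proxy_pass http://ombi:3579;   # placeholder upstream name and port
    }
}
```

So cardo's allow/deny pair belongs in the first block to lock down domain.com and all subfolder proxies, and in each *.subdomain.conf server block for the subdomains; after editing, reload nginx and confirm from an address outside the allowed range that the response is a 403 rather than the landing page.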

Is this container now deprecated or not, because this message appears now:

 

******************************************************
******************************************************
* *
* *
* This image has been deprecated *
* *
* Use the new image at *
* *
* linuxserver/swag *
* *
* https://hub.docker.com/r/linuxserver/swag *
* *
* https://github.com/linuxserver/docker-swag *
* *
* *
* *
******************************************************
******************************************************

 

Will it get updates or do I have to setup swag instead?

Also, what are the differences? Can I just point my existing Let's Encrypt folder to swag and it will work OOB, and will there be an official template for swag?

Link to comment
1 minute ago, blaine07 said:

Very good chance I’m wrong, but I’d swear someone said at one point that eventually going from the Letsencrypt container to SWAG would require some interaction on our part...

Works OOB in my case, just changed the repo from /letsencrypt to /swag

Link to comment
22 minutes ago, blaine07 said:

Very good chance I’m wrong, but I’d swear someone said at one point that eventually going from the Letsencrypt container to SWAG would require some interaction on our part...

Quote

At this point, the SWAG and letsencrypt images are 100% compatible and we plan to keep SWAG backwards compatible as long as we can. The main change is to the docker image name, which was linuxserver/letsencrypt for the old image and is linuxserver/swag for the new.

 

Link to comment
30 minutes ago, blaine07 said:


Pardon my inexperience but how exactly does one just change repo? Download swag and point it at same app data as letsencrypt or?

Enable the advanced view on the existing letsencrypt template page and there you should see linuxserver/letsencrypt at Repository; just change that to linuxserver/swag

 

That's how it looks now:

[screenshot: template page with Repository set to linuxserver/swag]

 

Also, there will be an orphan image at the bottom of your docker page if you have done this (just the old letsencrypt image); just click on it and select remove.

[screenshot: orphan image entry on the docker page]
Link to comment
Enable the advanced view on the existing letsencrypt template page and there you should see linuxserver/letsencrypt at Repository; just change that to linuxserver/swag
 
That's how it looks now:
[screenshot: template page with Repository set to linuxserver/swag]
 
Also, there will be an orphan image at the bottom of your docker page if you have done this (just the old letsencrypt image); just click on it and select remove.
[screenshot: orphan image entry on the docker page]

One last question...

I use Cloudflare Proxy... when I change the repository is it going to try to renew certs or is that something that will be maintained; existing certs kept? (If it wants to rewrite certs I need to go through and turn Cloudflare proxy off etc etc and don’t want it to fail renewal is why I’m asking...).
Link to comment
Just now, blaine07 said:


One last question...

I use Cloudflare Proxy... when I change the repository is it going to try to renew certs or is that something that will be maintained; existing certs kept? (If it wants to rewrite certs I need to go through and turn Cloudflare proxy off etc etc and don’t want it to fail renewal is why I’m asking...).

In my case it kept the certificates.

Link to comment

Two simple questions with the changes to SWAG.

 

#1 - Is there a new icon URL I can plug into the container so it doesn't show "LetsEncrypt" icon anymore? I'm weird about these things.

 

#2 - Is there going to be a new support thread that I should update it to link to, or is this still going to be the same thread?

Link to comment
