[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Hi guys

First of all, thanks in advance for any advice, and sorry but English is not my native language.

I hope that you could help me.

 

I watched Spaceinvader One's guides on how to reverse proxy.

My goal was to reverse proxy: Jellyfin and Nextcloud.

Until 2 days ago all my services worked just fine; now every time I try to connect to one of my private sites I get something like

"The 'Host' field contained in Http header is invalid"

 

I would like to understand if I got something wrong and eventually exclude any problem with Let's Encrypt, so I can learn something.

 

I have a dynamic public IP address (right now I can't have a static one due to my provider).

I use GoDaddy to provide the domain and Cloudflare to manage DNS so (if I understood correctly) I could use a wildcard.

In Cloudflare I've set A keys (to point to my public IP), and I use the cloudflare-ddns docker to update my current public IP and it works just fine.

I changed my Unraid access port so Let's Encrypt could use 443 and 80.

I port forward both 443 and 80 in my router settings.

I set the nginx conf files correctly (I presume, because they worked perfectly until 2 days ago).

So I check my cert

Quote

 

 

Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: XXXXXX.it
    Serial Number: XXXXXXXXXXXXXXXXXXXXXXXXXXc177b4a7e5
    Domains: *.XXXXXX.it
    Expiry Date: 2020-11-08 16:25:11+00:00 (VALID: 67 days)
    Certificate Path: /etc/letsencrypt/live/XXXXX.it/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/XXXXXX.it/privkey.pem
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@822616ce902d:/# 
root@822616ce902d:/# certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/XXXXXX.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

The following certs are not due for renewal yet:
  /etc/letsencrypt/live/XXXXXXX.it/fullchain.pem expires on 2020-11-08 (skipped)
No renewals were attempted.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
root@822616ce902d:/# 

 


 

And I check my docker Let's Encrypt log

Quote

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=XXXX.it
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=dns
DNSPLUGIN=cloudflare
[email protected]
STAGING=

SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of XXXXXXX.it will be requested
E-mail address entered:[email protected]
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
Server ready

So I try to ping my site inside the docker and from my PC and it works

Quote

PING jellyfin.XXXXXXXXX.it (XXXXX) 56(84) bytes of data.
64 bytes from host-XXXXXXXXXXXXXXXX.it (XXXXXXXXXXX): icmp_seq=1 ttl=63 time=1.99 ms

 

I tried all I can do, but I've really no idea how to deal with this thing. All I can do is to offer you a good Italian wine as soon as this pandemic gonna end and you pass to Northern Italy and all I can do for you :)

Edited by daniele.fenaroli

After changing to /swag and deleting the orphan image I rebooted my server and all my dockers are gone F......ck.

Please help, what to do now? I don't have any dockers installed now, please help.

My cache drive is corrupt and I have to format it to use it.

Everything broke because of this container.

Edited by Vesko
1 hour ago, Vesko said:

After changing to /swag and deleting the orphan image I rebooted my server and all my dockers are gone F......ck.

Please help, what to do now? I don't have any dockers installed now, please help.

My cache drive is corrupt and I have to format it to use it.

Everything broke because of this container.

This is not related to this container, so I suggest you create your own thread about corrupt cache drive. This is most likely a hardware issue and this container did not break anything.

8 hours ago, saarg said:

This is not related to this container, so I suggest you create your own thread about corrupt cache drive. This is most likely a hardware issue and this container did not break anything.

I am sorry, maybe it was bad luck that it happened exactly when I did this update and reboot.

Thank you for your hard work.

16 minutes ago, saarg said:

There is nothing different except the name.

Along with the repository that it's pulling from.  Not to mention that the original displays

  

On 8/29/2020 at 7:34 AM, ich777 said:

* This image has been deprecated * * * * Use the new image at * * * * linuxserver/swag *

 

Seems to me that the template should be updated

2 hours ago, dockerPolice said:

Along with the repository that it's pulling from.  Not to mention that the original displays

  

 

Seems to me that the template should be updated

I was answering the last line. There will be a new template when we get around to it.

The container still works, so no need to panic.

  • Like 1
  • Thanks 1

IMPORTANT ANNOUNCEMENT

 

As some of you already noticed by now, the letsencrypt image has been rebranded SWAG - Secure Web Application Gateway as a result of a trademark-related request. The new image is published in a new repo and the old image is deprecated. Currently, the old and the new images are near identical and one can switch simply by changing the image repository.

 

In order to migrate to the new image, all you need to do (at a minimum) is to open the container settings and change the "Repository" field from "linuxserver/letsencrypt" to "linuxserver/swag". If you prefer, you can change the container name to "swag" as well, although it is not required. As long as you keep the environment vars the same and the "/config" folder mount the same, all the settings will be picked up by the new container. Please see here for more detailed instructions: https://github.com/linuxserver/docker-swag/blob/master/README.md#migrating-from-the-old-linuxserverletsencrypt-image

 

Thread title and the first post are updated with this info. There will be a new template for SWAG published shortly.

  • Thanks 1
3 hours ago, danioj said:

Watching the thread via email updates and had to chime in. I like this one, good job!!

I am liking that one too as well.... I am not sure if the LSIO team would approve of their logo being cropped like this though.

 

I think the icon is only seen at small size in the GUIs...

 

last one.... [images]

8 hours ago, hernandito said:

I am liking that one too as well.... I am not sure if the LSIO team would approve of their logo being cropped like this though.

 

I think the icon is only seen at small size in the GUIs...

 

last one.... [images]

Those are all some good options, but just a reminder, the name of the app is an acronym so it should be all caps

  • Like 1

 

3 hours ago, aptalca said:

Those are all some good options, but just a reminder, the name of the app is an acronym so it should be all caps

Noted.... I agree that "Swag" above is not reading as an acronym... I was thinking of relating it to the word swag itself - gifts, freebies, bling... I am not sure that it works. It is hard to make letters into an icon... look at every instance of IMDB icons that are small... hard to make them great.

 

My personal favorites are the below... slightly edited from the earlier version. I have an all-caps and an all-lower case version.

[images]

 

In context:

[image]

 

 

Edited by hernandito

The plugin "Fix common problems" said the letsencrypt has an error because the name changed to SWAG, and asked if it could change a  It changed a URL of something. So I clicked OK to change it, and it changed the logo etc. and some text.

 

Tried a few times and it gave an error that a certificate could not be renewed while everything it said was correct. It did say it successfully added DNS records etc. (using dnsplugin) and also removed them again, but it still failed and the docker didn't want to start.

 

It also said

“Plugin legacy name certbot-dns-transip:dns-transip may be removed in a future version. Please use dns-transip instead. “

I think I use the correct plugin.

 

So I clicked apply again for the Xth time so that it would refresh/rebuild the docker. Finally after the Xth time (lost count) all errors were gone and the certificate works and the docker finally works.

 

The only thing it shows in the log is the following error, though, but everything seems to work again; it does not break the container just yet.

 

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
