[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


2 hours ago, td00 said:

Hey All - I've had this up and running for a while now - great image, thanks. Just a question though, is it possible to have a wildcard URL entry? Kind of like the way google does with *.google.com?

 

My current setup just has this:

 

URL=topleveldomain.com

SUBDOMAINS=portainer,sonarr,radarr

 

But when I click to view the cert in the browser it seems that it sets portainer.topleveldomain.com as the URL and the rest in the SAN where they should be. Was just looking to see if possible to clean up. Currently, my topleveldomain doesn't point to anything if that makes a difference?

Yes, you can get wildcard certs. It's explained in the readme

1 hour ago, thunderclap said:

I'm having an interesting problem with LetsEncrypt. Two issues I've experienced I would like to try and resolve: if I use DNS through Cloudflare my subdomains become unbearably slow. If I do the subdomains through my registrar and forego Cloudflare, anytime I add or remove a subdomain LetsEncrypt reports a firewall/timeout error for several hours, rendering my subdomains inaccessible. Does anyone know why this is happening?

You probably had cloudflare cache/proxy turned on, which we recommend against. It's explained in the docs article linked in the first post


Hi Guys,

 

I am trying to get swag working with Snipe-IT but I didn't see any configs available for it. Can someone help me figure out a way to get it working?

 

Swag log: [screenshot]

 

I have swag setup and the docker Snipe-IT is also setup and working.


 

I tried copying a similar config and changing it for my needs but I get a "502 Bad Gateway" error.


 

Here is the config file I started with.

snipe.mydomin.com is the domain, so I used server_name snipe.*

 

server {
    listen 443 ssl;

    server_name snipe.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app snipe-it;
        set $upstream_port 8000;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

Let me know what information would be useful in troubleshooting. I'm not sure where to go from here.

 

Thanks,

Victor

39 minutes ago, vuribe1221 said:

[quote of the post above omitted]

You don't use the host port when using a custom bridge. You use the container port, which is port 80.
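As an added illustration of this point (example code, not part of the thread or of the SWAG project): on a user-defined bridge such as proxynet, swag reaches the app by container name on the container port, and the -p host port only matters if swag must go via the host IP. The docker run lines and the host IP below are constructed placeholders in the Unraid template format, not copied from anyone's server.

```python
import re
import shlex
from dataclasses import dataclass, field

@dataclass
class ContainerSpec:
    name: str
    network: str
    ports: list = field(default_factory=list)  # (host_port, container_port, proto)

def parse_docker_run(cmd: str) -> ContainerSpec:
    """Pull --name, --net and every -p mapping out of a docker run line."""
    args = shlex.split(cmd[cmd.index("docker run"):])  # drop the Unraid prompt/wrapper path
    name = network = ""
    ports = []
    i = 0
    while i < len(args):
        arg = args[i]
        if arg.startswith("--name="):
            name = arg.split("=", 1)[1]
        elif arg.startswith(("--net=", "--network=")):
            network = arg.split("=", 1)[1]
        elif arg == "-p":
            m = re.fullmatch(r"(\d+):(\d+)(?:/(tcp|udp))?", args[i + 1])
            if m:
                ports.append((int(m[1]), int(m[2]), m[3] or "tcp"))
            i += 1
        i += 1
    return ContainerSpec(name, network, ports)

def upstream_for(app: ContainerSpec, proxy_network: str, container_port: int, host_ip: str):
    """Return (upstream_app, upstream_port) for swag's proxy_pass.

    On the same user-defined bridge as swag, Docker's embedded DNS (127.0.0.11)
    resolves the container name and the app is reached on its *container* port;
    the -p host port only matters when swag has to go via the host IP instead.
    """
    if app.network == proxy_network:
        return app.name, container_port
    for host_port, cport, proto in app.ports:
        if cport == container_port and proto == "tcp":
            return host_ip, host_port
    raise ValueError(f"{app.name}: container port {container_port} is not published")

def host_port_conflicts(specs):
    """Only host ports must be unique; several containers may all listen on 80 inside."""
    seen, clashes = {}, []
    for spec in specs:
        for host_port, _, proto in spec.ports:
            if (host_port, proto) in seen:
                clashes.append((host_port, seen[(host_port, proto)], spec.name))
            seen[(host_port, proto)] = spec.name
    return clashes

# Constructed sample run lines in the Unraid template format (not copied from a real host).
SWAG_CMD = ("root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d "
            "--name='swag' --net='proxynet' -p '180:80/tcp' -p '1443:443/tcp' 'linuxserver/swag'")
HEIMDALL_CMD = "docker run -d --name='heimdall' --net='proxynet' -p '280:80/tcp' 'linuxserver/heimdall'"
SNIPE_CMD = "docker run -d --name='snipe-it' --net='proxynet' -p '8000:80/tcp' 'linuxserver/snipe-it'"

if __name__ == "__main__":
    swag, heimdall, snipe = (parse_docker_run(c) for c in (SWAG_CMD, HEIMDALL_CMD, SNIPE_CMD))
    print(upstream_for(snipe, swag.network, 80, "192.168.1.10"))  # ('snipe-it', 80)
    print("host port clashes:", host_port_conflicts([swag, heimdall, snipe]))  # []
```

The first print gives the values to put in `set $upstream_app` and `set $upstream_port`; the empty clash list shows that two containers both exposing port 80 internally do not collide as long as their host ports differ.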


Hi,

 

Just installed the swag container yesterday, and all is working fine so far.

Now I need to limit access to the services.
 

Regarding access control, after reading the documentation and config files, it seems the choices are: basic auth, ldap, authelia or organizr auth.

Except for jellyfin, all other services just need authorization (sonarr, radarr, jackett, qbittorrent, ...).
I'd like to keep it as simple as possible, on the configuration side as well as for user experience.

Ideally:

  • login once, then access all services (except Jellyfin, as it needs authentication and does not support OIDC)
  • centralize unraid users with reverse proxy ones: active directory / ldap ?
  • web ui to add/edit users 

Another point is to get access to my docker services on both the external and the local network.

Is there a way, with some kind of DNS override, to access my services locally using the xxx.duckdns.org URL (when connected to my local network, xxx.duckdns.org would redirect to the unraid box IP)?

Maybe using a services dashboard like heimdall/organizr/ombi will help to access services 'transparently', whether local or external?

 

Thanks

12 hours ago, mika91 said:

[quote of the post above omitted]

I use authelia and it works great. There is no webui for user management yet (I hear it's in the works), but you can set up the users in a number of ways including ldap (I use a simple yaml file).

 

See here: https://blog.linuxserver.io/2020/08/26/setting-up-authelia/

 

For accessing the domain on lan, you need either a hairpin nat or nat loopback (if your router supports it), or you can set up a split dns (where you tell your local dns to resolve the domain to the unraid lan ip). The main caveat is that swag has to use port 443 on the host, which means you'll have to change unraid's https port to a different one first. Afterwards all requests for https://yourdomain.com will resolve to unraid and the client will connect to swag directly on lan (for http to https redirect, you'd need to change unraid's port 80 as well, so swag can use it, but I don't do that and instead only use the https endpoint so only port 443 goes to swag). Google the three terms I mentioned above and you'll find plenty of info for your router/setup.


Hi there,

I posted the problem I'm facing on the Unraid general support but I received no replies. I'm hoping I can get some feedback here. I changed from Letsencrypt to Swag recently and after the change I lose access to multiple sections in Unraid and all dockers stop functioning properly... I lose access through the UI to the Dashboard, Docker and the bottom portion of the Main tab. The console gets unresponsive to any docker command and to the "powerdown" capability, so every time I restart the system it has to do a parity check. Of course none of the apps using the reverse proxy are working to the outside.

The migration was based on a fresh installation and I just copied the conf files from Letsencrypt. The Unraid logs show the following error (it varies depending on the page I'm trying):

nginx: 2020/10/12 10:06:48 [error] 32315#32315: *246154 upstream timed out (110: Connection timed out) while reading response header from upstream, client ... upstream: "fastcgi://unix:/var/run/php5-fpm.sock" ...

Any suggestion would be greatly appreciated. Please help!

16 hours ago, Mesias said:

[quote of the post above omitted]

I don't see how swag can have anything to do with losing access to parts of unraid. Turn off the container and see if it helps; if not, it has nothing to do with swag. If it helps, you have misconfigured something, but I do not know how you could manage that.

3 minutes ago, SPOautos said:

 

okay, so it's in the dropdown where you can select webgui but it's not actually built in yet, correct?  So is what I am seeing normal when I select that webgui in the swag dropdown (for someone with Heimdall)?

That goes to the default landing page of swag if you haven't changed it yourself in the nginx default file. Nginx is the webserver.

Have you added Heimdall to swag?

You should post your docker run command.

1 hour ago, saarg said:

[quote of the post above omitted]

 

I have the Heimdall template network type pointing to the reverse proxy network and I have Heimdall listed but as "server" instead of Heimdall so that my url that pulls up Heimdall is server.myurl.com.....and it all functions perfectly except this one issue.

 

How do I post my "docker run command"? Please forgive the ignorance but I'm brand new to all of this....."all of this" being computers, networks, servers, Unraid, all of it.  I've been working on my server for about 2 months and just trying my best to learn everything as I go. A couple months ago I'd never heard of a reverse proxy, VPN, VM....nothing  lol.  So I'm about as newbie as they come....BUT slowly I'm getting it all working great!

 

If you can get me a little more info regarding the docker run command I'll post it and maybe we can figure out if I need to edit something in nginx.

7 hours ago, SPOautos said:

[quote of the post above omitted]

If you have set up nginx to serve Heimdall as the landing page, then it's no wonder that you get Heimdall when opening the webgui link in swag. 

If you want help, the best way is to provide the config files you have changed stuff in. That way it's much easier for the ones helping.

 

The docker run command is the command popping up when you update or change something in the container template. Just add something to a field and remove it, then hit apply and you will get the command.

17 hours ago, saarg said:

[quote of the post above omitted]

Thank You!

So this is the docker run command you were referring to, correct? I wasn't sure if you meant the one for Swag or Heimdall so I just attached them both....

 

SWAG....

Command:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='swag' --net='proxynet' -e TZ="America/Chicago" -e HOST_OS="Unraid" -e 'EMAIL'='[email protected]' -e 'URL'='mywebsite.com' -e 'SUBDOMAINS'='ombi,server,sonarr,radarr,lidarr,nextcloud,sabnzbd,nzbget,plex' -e 'ONLY_SUBDOMAINS'='true' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'EXTRA_DOMAINS'='' -e 'STAGING'='false' -e 'DUCKDNSTOKEN'='' -e 'PROPAGATION'='' -e 'PUID'='99' -e 'PGID'='100' -p '180:80/tcp' -p '1443:443/tcp' -v '/mnt/user/appdata/swag':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/swag'

76457241e9b946d99184a4254b3963fe78876f13c10d23e0fed380eb7a8ceb4e

The command finished successfully!

 

 

Heimdall.....

Command:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='heimdall' --net='proxynet' -e TZ="America/Chicago" -e HOST_OS="Unraid" -e 'PUID'='99' -e 'PGID'='100' -p '280:80/tcp' -p '2443:443/tcp' -v '/mnt/user/appdata/heimdall':'/config':'rw' 'linuxserver/heimdall'

773977f9c74aa209781671d43f3d93c6b6200b45132fc58ae73bc2f27b1402cb

The command finished successfully!


I went to appdata/Heimdall/nginix/site-confs/default but when I open it and highlight it all and copy, it won't let me paste it in here. What is the best way to provide the config files?

 

Edited by SPOautos
7 hours ago, SPOautos said:

[quote of the post above omitted]

 

It's better to copy the text and add it as code in the post. That way it's easier to read and you can redact your mail and URL.

The easiest way is to mark the text, copy it and add it as code.

You post all the configs that you changed. We can't know which ones you changed.

4 hours ago, saarg said:

[quote of the post above omitted]

 

I edited the post above removing the screen shots and redoing it with copy/paste of the command info, but I'll add it here as well. But I'm not sure how to do the config files. I'm going into Krusader and going to a file but when I copy it then try to paste it here in the </> code box, it won't paste. Is there a better way to do them? Can I somehow download the file and then upload it into the forum post?

 

[SWAG and Heimdall docker run commands repeated from the post above, omitted]

Edited by SPOautos
19 hours ago, saarg said:

[quote of the post above omitted]

Hope you don't mind that I have the command lines and these files in separate posts.

 

I'm not sure what to do with the config files since it wouldn't let me copy/paste so I am just uploading them, does that work?  Please let me know if you would like me to get them in here a different way.  I don't think I actually changed anything in these except in a heimdall file I made the url "server"@myurl.com instead of [email protected].... but I have noticed that in the Heimdall files and Swag files they both point to port 80 and 443 even though I changed ports in the templates so they would be different. Could this be why they are 'overlapping' and Heimdall shows up when I select the Swag gui?

 

Also, something else is that in my router, my main internet IP address shows up.....if I go to a browser without being on my local network (I did it over cellular) and type in that router internet IP address, it takes me to my Heimdall page. Same with my router's Dynamic DNS, if I type it in on a browser over cellular it also goes to my Heimdall page.  I realized this because I have been trying to set up a PPTP vpn in my router using the dynamic dns and it doesn't seem to be working and I think this is why....because it's going to my Heimdall page. I'm not positive if that is causing the vpn issue, but I stumbled on all of this with heimdall and swag while trying to figure out why my router is directing to heimdall.....maybe it should do that because of reverse proxy and all that, I do not really know.

 

I haven't done much more than use email and a browser on a windows pc in 20 years.....so honestly I'm surprised I've made it this far with this project....it's only because of awesome people like you and old posts here on the forum, and SpaceInvader videos, that I have all this going and working on a box I actually put together myself.....it's pretty amazing! I appreciate the help!

 

 

Attachments: heimdall nginx.conf, heimdall site-confs, swag nginx site-confs

Edited by SPOautos

How do you get wildcard certs for additional domains? I've set EXTRA_DOMAINS="*.domain2.com", but a wildcard cert is only created for the URL primary domain. Under /etc/letsencrypt/live is only one folder which is for the primary domain.

URL=domain1.com
SUBDOMAINS=wildcard
EXTRA_DOMAINS=*.domain2.com
ONLY_SUBDOMAINS=false
VALIDATION=dns
DNSPLUGIN=cloudflare
[email protected]

I've also tried setting EXTRA_DOMAINS=domain2.com,*.domain2.com, but it didn't make any difference.

 

Edit: Nevermind, my mistake. The certificate created is valid for both domains! And when I provide it as EXTRA_DOMAINS=domain2.com,*.domain2.com the certificate works for the root as well.

Edited by vonpelz
8 hours ago, vonpelz said:

[quote of the post above omitted]

There is only ever one cert generated with this image, and it contains all the names as SANs.
