[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


3 hours ago, casperse said:

Maybe a stupid Q

But is it okay to add multiple subdomains like this?


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name photo.doamin.dk;
    server_name photos.domain.dk;
    server_name piwigo.domain.dk;

And could I just add a piwigo.domain2.dk also?

It might work but I don't want to go against the approved structure

You can put multiple names in a single server name directive, don't use multiple directives

4 hours ago, BurntOC said:

Fair observation.  I thought about including it originally but if the connectivity is there, it seems like this would be some well-known trick that I don't know about.  To that point, your question is a great one to which I believed the answer was "Yes, I've tested it.".  But if so I'd have been wrong, as checking right now it is not getting a response.  I'm up to 15 other devices that are working just fine across the other 2 situations I included in my initial post on this.  Since it is working for other servers in that same domain it would seem like the traffic should have no problems getting from my Unraid server to the firewall headed to the Pi, but clearly I do.  Here's my proxy, in any event (I use hassio.mydomain.me and the device is on 192.168.60.4 in this example):

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name hassio.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
#        set $upstream_app homeassistant;
        set $upstream_app 192.168.60.4;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

If you can't ping 192.168.60.4 it's not the proxy conf that is the issue. Since you have other services working, I would assume your firewall blocks access from the unraid network to your hassio RPI.

17 minutes ago, saarg said:

If you can't ping 192.168.60.4 it's not the proxy conf that is the issue. Since you have other services working, I would assume your firewall blocks access from the unraid network to your hassio RPI.

So I verified that I had port isolation enabled on both the Unifi switch port connected to that Unraid network and the port the Pi is connected to.  Disabling it on the Pi port allowed swag to ping the Pi, but I am still getting the Nginx gateway error.  The isolation observation and the lack of entries in the logs confirms this is transiting port to port without the firewall seeing it, but it's even more puzzling as to why it still isn't working... 

1 hour ago, BurntOC said:

So I verified that I had port isolation enabled on both the Unifi switch port connected to that Unraid network and the port the Pi is connected to.  Disabling it on the Pi port allowed swag to ping the Pi, but I am still getting the Nginx gateway error.  The isolation observation and the lack of entries in the logs confirms this is transiting port to port without the firewall seeing it, but it's even more puzzling as to why it still isn't working... 

I can't really help with network issues.

You are sure you use the correct port and that it is http and not https?

Are you accessing the domain from your network or using your phone?

Edited by saarg
2 hours ago, saarg said:

I can't really help with network issues.

You are sure you use the correct port and that it is http and not https?

Are you accessing the domain from your network or using your phone?

Port was correct, but though I'd tested http vs https earlier with no effect (of course because port isolation was probably blocking it in any case), I just tried switching it to https and it works.  I have had Hass pulling a cert with the LetsEncrypt addon and I had it set to access via HTTPS.  I'm tempted to leave it for now.  As I understand it, I'm doing SSL to Swag, but it's doing HTTP to the proxied hosts in most cases per the template default, right?  And there would be some risk of something else on the same subnet trying to sniff the unencrypted traffic, but in this case I'm doing SSL to swag and then also to the proxied server so the full path is encrypted, right?  If not, I will leave these other connections be, as I was going to look into using HTTPS with them as well.

4 hours ago, BurntOC said:

Port was correct, but though I'd tested http vs https earlier with no effect (of course because port isolation was probably blocking it in any case), I just tried switching it to https and it works.  I have had Hass pulling a cert with the LetsEncrypt addon and I had it set to access via HTTPS.  I'm tempted to leave it for now.  As I understand it, I'm doing SSL to Swag, but it's doing HTTP to the proxied hosts in most cases per the template default, right?  And there would be some risk of something else on the same subnet trying to sniff the unencrypted traffic, but in this case I'm doing SSL to swag and then also to the proxied server so the full path is encrypted, right?  If not, I will leave these other connections be, as I was going to look into using HTTPS with them as well.

If it's within your own network, I would drop SSL and just do http.

Edited by saarg
11 hours ago, aptalca said:

You can put multiple names in a single server name directive, don't use multiple directives

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name photo.doamin.dk,photos.domain.dk,piwigo.domain.dk,piwigo.domain2.dk;

I tried combining them but got a strange error afterwards?

nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size: 64
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised


Hi,

I'm trying to get SWAG to reverse proxy to my VM in Unraid. I used the spaceinvader video to set it up at the start, but now when I'm trying to send to the VM, the log gives me this... Anyone have any idea? I mean it works great when I'm using it on Docker, but I can't get it to send it to my VM.

Thanks for any help

P.S. I actually want to send it to a vm for nextcloud instead of using a docker for it.

2020/11/10 00:45:08 [error] 431#431: *63 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 66.70.148.95, server: myServer.*, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.8.13:443/favicon.ico", host: "myHost", referrer: "https://myHost/"
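Added example (not from the thread and not SWAG's own code): a small Python decoder that reads an upstream's first reply bytes the way OpenSSL's record layer does, to show why pointing "set $upstream_proto https;" at an upstream that actually answers in plain HTTP produces exactly the "ssl3_get_record:wrong version number" handshake error logged above, and which $upstream_proto value matches the observed reply. The two sample replies are constructed, not captured from any host in this thread.

```python
import struct

# TLS record content types (RFC 5246 section 6.2.1).
TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
SSL3_VERSION_MAJOR = 3  # every SSL3/TLS record starts with version major 3


def parse_record_header(data: bytes) -> dict:
    """Read the first 5 bytes the way the proxy's TLS stack does after it has
    sent its ClientHello: content type, 2-byte version, 2-byte length."""
    if len(data) < 5:
        return {"ok": False, "reason": "short read; upstream closed the socket"}
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    if major != SSL3_VERSION_MAJOR:
        # OpenSSL's ssl3_get_record() fails here with SSL_R_WRONG_VERSION_NUMBER,
        # which nginx logs as "SSL_do_handshake() failed ... wrong version number".
        return {"ok": False, "reason": "wrong version number",
                "looks_like_http": data.startswith(b"HTTP/")}
    return {"ok": True, "content_type": TLS_CONTENT_TYPES.get(ctype, "unknown"),
            "version": (major, minor), "length": length}


def recommend_upstream_proto(first_reply: bytes) -> str:
    """Map the upstream's first reply to the right 'set $upstream_proto' value."""
    header = parse_record_header(first_reply)
    if header["ok"]:
        return "https"          # upstream answered with a TLS record: keep https
    if header.get("looks_like_http"):
        return "http"           # upstream spoke plain HTTP: switch to http
    return "unknown"            # not enough data; check the port and the service


# Constructed samples (not captured from any host in the thread):
# 1) a plain-HTTP listener answering our ClientHello with an HTTP 400; the bytes
#    "HTTP/" parsed as a record header give version 0x5454, not 0x03xx;
# 2) a TLS server answering with a ServerHello record (type 22, TLS 1.2, len 0x5a).
PLAIN_HTTP_REPLY = b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n"
TLS_SERVER_HELLO = b"\x16\x03\x03\x00\x5a\x02\x00\x00\x56\x03\x03"

if __name__ == "__main__":
    for label, reply in (("plain http", PLAIN_HTTP_REPLY), ("tls", TLS_SERVER_HELLO)):
        print(label, parse_record_header(reply), "->", recommend_upstream_proto(reply))
```

The same mismatch in the other direction (plain http in the proxy conf, TLS-only upstream) does not show up as this OpenSSL error; it surfaces as a 502 or a 400 from the upstream instead.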

On 11/9/2020 at 10:05 AM, casperse said:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name photo.doamin.dk,photos.domain.dk,piwigo.domain.dk,piwigo.domain2.dk;

I tried combining them but got a strange error afterwards?

nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size: 64
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised

Strange, only when I list them on separate lines does it work and I don't get the below error

nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size: 64
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

server_name photo.domain1.dk;
server_name photos.domain1.dk;
server_name piwigo.domain1.dk;

It works, no errors (even if the syntax is not right)
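Added example (not from the thread and not SWAG's own code): a small Python checker that applies aptalca's rule to a site conf. It flags several server_name directives in one server block, flags names joined with commas (nginx has no comma separator, so the whole string becomes one 67-byte name), and mirrors the per-name size test from nginx's ngx_hash_init() to show why that name cannot fit the default 64-byte server_names_hash_bucket_size quoted in the [emerg] message; it then prints the single space-separated directive that replaces them. The size arithmetic assumes a 64-bit build (8-byte pointers) and a conf with one server block.

```python
import re

# One server_name directive: capture everything between the keyword and ';'.
SERVER_NAME = re.compile(r"^[ \t]*server_name[ \t]+([^;]+);", re.M)
DEFAULT_BUCKET_SIZE = 64   # the value quoted in the thread's [emerg] message
PTR = 8                    # sizeof(void *) on a 64-bit build (assumption)


def fits_in_bucket(name: str, bucket_size: int = DEFAULT_BUCKET_SIZE) -> bool:
    """Mirror the per-name test in nginx's ngx_hash_init(): pointer + 2-byte
    length + name (pointer-aligned) + a terminating pointer must fit a bucket."""
    aligned = (len(name.encode()) + 2 + PTR - 1) // PTR * PTR
    return bucket_size >= PTR + aligned + PTR


def extract_names(conf: str) -> list:
    """Every host name from every server_name directive; commas are not a valid
    nginx separator, but splitting on them recovers the intended names."""
    names = []
    for match in SERVER_NAME.finditer(conf):
        names.extend(n for n in re.split(r"[\s,]+", match.group(1)) if n)
    return names


def check_server_names(conf: str) -> dict:
    """Check one server block for the two mistakes seen in the thread and
    return the problems plus the single directive that should replace them."""
    directives = SERVER_NAME.findall(conf)
    problems = []
    if len(directives) > 1:
        problems.append(f"{len(directives)} server_name directives in one "
                        "block; nginx wants one directive listing every name")
    for raw in directives:
        for token in raw.split():
            if "," not in token:
                continue
            note = "" if fits_in_bucket(token) else (
                f"; too long for a {DEFAULT_BUCKET_SIZE}-byte hash bucket")
            problems.append(f"'{token}' contains commas, so nginx reads it as "
                            f"ONE {len(token)}-byte name{note}")
    names = extract_names(conf)
    fixed = "server_name " + " ".join(names) + ";" if names else ""
    return {"names": names, "problems": problems, "fixed_directive": fixed}


if __name__ == "__main__":
    # Constructed sample mirroring the thread's comma-joined directive.
    sample = ("server {\n    listen 443 ssl;\n    server_name photo.doamin.dk,"
              "photos.domain.dk,piwigo.domain.dk,piwigo.domain2.dk;\n}\n")
    print(check_server_names(sample))
```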


I have multiple services running behind a reverse nginx proxy. But I am having issues with home assistant. The UI loads but the calls don't get forwarded and error out 

Failed to call service homeassistant/turn_off. Unable to find service light/turn_off

I am running https://hub.docker.com/r/homeassistant/home-assistant on Unraid. This is the nginx config. The site loads but gives errors when I try to turn on lights.

# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name ha.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

This is the command used to run the container:

usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name='HomeAssistant' --net='proxynet' --privileged=true -e TZ="America/Los_Angeles" -e HOST_OS="Unraid" -p '8123:8123/tcp' --device='/dev/ttyUSB0' 'homeassistant/home-assistant' 

I am not sure if it's more suited for Home Assistant?

Edited by BoKKeR
3 hours ago, BoKKeR said:

I have multiple services running behind a reverse nginx proxy. But I am having issues with home assistant. The UI loads but the calls don't get forwarded and error out 

Failed to call service homeassistant/turn_off. Unable to find service light/turn_off

I am running https://hub.docker.com/r/homeassistant/home-assistant on Unraid. This is the nginx config. The site loads but gives errors when I try to turn on lights.

# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name ha.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

This is the command used to run the container:

usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name='HomeAssistant' --net='proxynet' --privileged=true -e TZ="America/Los_Angeles" -e HOST_OS="Unraid" -p '8123:8123/tcp' --device='/dev/ttyUSB0' 'homeassistant/home-assistant' 

I am not sure if it's more suited for Home Assistant?

You have the name wrong for the container. You have to name it homeassistant with small letters.

9 hours ago, BoKKeR said:

Removing the block rebooting SWAG, I get even less access. I get to the login page. After login I am greeted with 

[attached screenshot]

Did you set homeassistant to use https on that port? If so, change it back to http. There is a similar problem like this fixed on this page.


I am wondering if anyone has any idea how to use SWAG with a SQL docker to reverse proxy a MSSQL server for remote access through SSMS?


I have spent most of a couple of days looking into it, and I know that I need to use a stream process, however I can't get it to work with the nginx within SWAG docker. Anyone have this working and could give me some guidance on how to setup the subdomain conf file?

10 hours ago, saarg said:

Did you set homeassistant to use https om that port? If so, change it back to http. There is a similar problem like this fixed on this page.

I can't find this option, but to make sure I made a new container with a new config location and adjusted the config in swag, restarted swagger. I get the https login page on the subdomain, upon login I end up with the same error page.

7 hours ago, deanpelton said:

I am wondering if anyone has any idea how to use SWAG with a SQL docker to reverse proxy a MSSQL server for remote access through SSMS?


I have spent most of a couple of days looking into it, and I know that I need to use a stream process, however I can't get it to work with the nginx within SWAG docker. Anyone have this working and could give me some guidance on how to setup the subdomain conf file?

You can't as it's not web traffic.

On 11/12/2020 at 2:29 PM, deanpelton said:

I am wondering if anyone has any idea how to use SWAG with a SQL docker to reverse proxy a MSSQL server for remote access through SSMS?

I have spent most of a couple of days looking into it, and I know that I need to use a stream process, however I can't get it to work with the nginx within SWAG docker. Anyone have this working and could give me some guidance on how to setup the subdomain conf file?

On 11/12/2020 at 10:24 PM, saarg said:

You can't as it's not web traffic.

Standard TCP or UDP traffic is, as mentioned, not supported with HTTP server blocks; it works only as a stream "passthrough".

If this module were included we could play with it and bind domains to the stream(s), but it's not included, so ... sadly no.

https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html

3 hours ago, alturismo said:

Standard TCP or UDP traffic is, as mentioned, not supported with HTTP server blocks; it works only as a stream "passthrough".

If this module were included we could play with it and bind domains to the stream(s), but it's not included, so ... sadly no.

https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html

Thanks alturismo,

I saw your previous comments on this topic but I couldn't load the stream module into my swag container.

Any other methods of doing this with IP address whitelisting for safety?

On 11/17/2020 at 8:16 PM, jonathanm said:

The image shows the internal and external ports reversed.

Thanks mate, I figured they were, but had tried the correct setup and it was still failing. Turns out I had static DNS that was incorrect on the modem. All working now.

EDIT: Literally a few hours later and it all stopped again. Seems to be a DNS issue with the Netcomm modem I'm using. I wasn't having any issues with the Netgear. But I wanted the NAT loopback features of the Netcomm.

Edited by xxbigfootxx