[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



1 minute ago, strike said:

Yes it does, I just quoted from it: https://github.com/linuxserver/docker-swag/blob/master/README.md

Just put all your extra domains in EXTRA_DOMAINS as it says. If you want more info: Use google with the "site" argument as I have done for you here

 

Ohhh shit my bad bro hahahaha for some reason I thought I was on the CloudFlare-DDNS thread where I was asking about updating another domain with the same container 😂😂 But yes you are right. I did find where to add the extra domains for SWAG. I am working on trying to figure out the extra parameters for the NGINX config file now.

 

Sorry about the confusion that is totally my fault! 😅

13 hours ago, waymon said:

Hello,

 

I attempted to update my Nextcloud inside the Nextcloud gui.   When I try to load the internal or external address I get this.

 


Internal Server Error

The server encountered an internal error and was unable to complete your request.
Please contact the server administrator if this error reappears multiple times, please include the technical details below in your report.
More details can be found in the webserver log.

 

I visited what I thought was the webserver log.  The bottom of  \appdata\nextcloud\log\nginx\access.log:


172.19.0.4 - waymon [05/Mar/2021:16:58:21 -0700] "GET /status.php HTTP/1.1" 200 155 "-" "Mozilla/5.0 (Windows) mirall/3.0.3stable-Win64 (build 20201125) (Nextcloud)"
172.19.0.4 - waymon [05/Mar/2021:16:58:21 -0700] "PROPFIND /remote.php/webdav/ HTTP/1.1" 503 282 "-" "Mozilla/5.0 (Windows) mirall/3.0.3stable-Win64 (build 20201125) (Nextcloud)"

 

I am not sure what to do next.  I think I have a http 200 and 155 error?  And a webdav 503 and 282 error?

 

Any ideas?  Thanks.

That would go in the nextcloud thread. Nothing to do with swag.

On 2/26/2021 at 1:26 PM, th30p3rat0r said:

 

I got the exact same results with my swag setup, fail2ban works and can log ips and add them in the iptables for the container, but are still not blocking the traffic for whatever reason, even if it is fully contained within swag.  Example, I have a bitwarden filter, am able to see my IP logged into the jail, but can still access even though it is in the f2b-bitwarden iptable entry as DENY.  It must have to do with what you said, dev input would be beneficial on this

Same issue, Fail2Ban does not work in the slightest, not sure why.  It is started as a service, the jail is set up properly, the IP is banned, but not dropped/rejected/blocked in any form.  It's nice to have a list of IPs I can block manually in my FW but would be nice if fail2ban would work. 
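An added example, not code from the thread or from the SWAG project, showing what a fail2ban jail actually does with nginx log lines and why a ban can be "in the table" yet never block anything. The first part applies a fail2ban-style failregex to constructed access-log lines and picks the addresses that reach maxretry inside findtime. The second part encodes the one check worth making before blaming fail2ban: an iptables rule matches the source address of the TCP connection, while fail2ban bans the address it read from the log. When nginx logs a forwarded client address (taken from X-Forwarded-For via the real_ip module, as happens behind Cloudflare or any other proxy), the TCP peer is the proxy and the rule cannot match; conversely, the Nextcloud log quoted earlier shows 172.19.0.4, the proxy container, as the client, so a ban at that layer would hit the proxy, not the visitor. The bitwarden-style failregex, the log lines and all addresses are made up for illustration. (iptables inside the container also needs the NET_ADMIN capability, which is a separate failure mode: the ban then never gets into the table at all.)

```python
"""Added example (not from the thread or the SWAG project): a fail2ban-style
filter over constructed nginx access-log lines, plus a check of whether an
iptables ban of the logged address can match the TCP peer at all."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in nginx "combined" format. Field order is:
# client, ident, user, [time], "request", status, body_bytes, "referer", "user-agent".
# So '401 179' is HTTP status 401 and a 179-byte body, not two error codes.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Mar/2021:16:58:01 -0700] "POST /identity/connect/token HTTP/1.1" 401 179 "-" "curl/7.74.0"
203.0.113.7 - - [05/Mar/2021:16:58:03 -0700] "POST /identity/connect/token HTTP/1.1" 401 179 "-" "curl/7.74.0"
203.0.113.7 - - [05/Mar/2021:16:58:05 -0700] "POST /identity/connect/token HTTP/1.1" 401 179 "-" "curl/7.74.0"
198.51.100.22 - - [05/Mar/2021:16:58:10 -0700] "GET /status.php HTTP/1.1" 200 155 "-" "mirall/3.0.3"
198.51.100.22 - - [05/Mar/2021:16:58:11 -0700] "POST /identity/connect/token HTTP/1.1" 401 179 "-" "mirall/3.0.3"
"""

# Hypothetical failregex in the spirit of a custom bitwarden jail: a rejected
# attempt against the token endpoint. Not the filter shipped by any project.
FAILREGEX = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"POST /identity/connect/token[^"]*" 401 '
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def find_bans(log_text, maxretry=3, findtime=600):
    """Addresses with at least maxretry matches inside any window of
    findtime seconds, which is the fail2ban jail semantics."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILREGEX.match(line)
        if m:
            hits[m.group("host")].append(datetime.strptime(m.group("time"), TIME_FMT))
    banned = set()
    window = timedelta(seconds=findtime)
    for host, times in hits.items():
        times.sort()
        for i in range(len(times) - maxretry + 1):
            if times[i + maxretry - 1] - times[i] <= window:
                banned.add(host)
                break
    return banned


def l3_ban_effective(banned_ip, tcp_peer_ip):
    """An iptables DROP/REJECT for banned_ip only matches packets whose source
    address is banned_ip. If nginx logged a forwarded client address, the
    TCP peer is the proxy and the rule never fires."""
    return banned_ip == tcp_peer_ip


if __name__ == "__main__":
    bans = find_bans(SAMPLE_LOG)
    print("would ban:", sorted(bans))
    for ip in sorted(bans):
        print(ip, "direct connection ->", l3_ban_effective(ip, ip))
        # same visitor arriving through a proxy whose address is 172.19.0.1 (constructed)
        print(ip, "via proxy 172.19.0.1 ->", l3_ban_effective(ip, "172.19.0.1"))
```

If the banned address and the address you see with `ss -tn` or in `tcpdump` on the container differ, the block has to happen where the real client is visible: at the proxy (for Cloudflare, its firewall API) or inside nginx itself, not in the container's iptables.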


I've got a SWAG container setup along with other docker for services like Heimdal, Emby, Sonarr, etc. For most people trying to connect, it works fine. However there's one computer that can't connect to the server. In the logs I see it's getting a 444 Connection Closed Without Response error, but there's no indication as to what caused the error. Looking in the fail2ban logs, the ip that's trying to connect isn't banned.

 

There are other computers on that network that can connect fine, and I've also had them try it on different browsers with the same problem happening.

 

Anyone have any ideas?


I was using the older letsencrypt container before, without any issues, until I had to uninstall my server and set it up to a new server.

Then I found out about SWAG, replacing the old docker.

 

I was expecting things to be pretty easy to setup, but I have been trying today for several hours, to no avail.

 

What I did:

 

- Install the docker container through Unraid's CA apps tab

- Forwarded 80tcp and 443tcp from the outside to 2500tcp and 2501tcp

- Fill in all the info needed (incl 2500http and 2501https) and clicked install. (check is set to http)

 

 

Installation goes fine, but in the logging I see this:

(changed my domain name to 'mydomain.online' for the anonymized sample below)

 

Challenge failed for domain mydomain.online

http-01 challenge for mydomain.online
Cleaning up challenges
Some challenges have failed.

IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: mydomain.online
Type: unauthorized
Detail: Invalid response from
http://mydomain.online/.well-known/acme-challenge/Az-vK485heTd4xY4lz6zuobtWhDJFYIPpY58-vx36E8
[2a00:4e40:1:1::2:20a]: "<!doctype html><html lang=\"nl\"><head>
<meta charset=\"UTF-8\"> <meta name=\"viewport\"
content=\"width=device-width, user-scalable=no"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

- The A record on DNS level is set correctly.

- When I bind 80-tcp to something else running a httpd internally the NAT works, when opening my external IP from my cell phone while off wifi (did put it back after this small test).

- When I try doing the same while it forwards to SWAG it times out. Is this correct?? Am I forgetting/not seeing anything here?

(I'd expect the daemon to answer, also for the http check from LE.)

- Also tried switching to zerossl, but also to no avail.

 

...What am I missing or doing wrong here? Thanks in advance!


......I think I found it.

I read somewhere online it will prioritize AAAA records if it finds any.

I had AAAA records set up, but those were old and not in use right now.

 

When I delete these, things magically work again I believe.. ;-)

So for now, I can continue!


I'm following SpacedInvaders Reverse Proxy setup video and am running into issues with the validation test (like many others).  I have setup a duckdns.org subdomain.  I have attempted to forward the 1443 and 180 ports in my Ubiquiti USG Pro-4 router.  However, I'm getting the same validation errors that many others get ('cert does not exist, check port forwarding or dns'). 

 

I notice that when I use a port checking utility online, that my 1443 port is never actually "open" - even though I'm certain I have the port forwarding rule setup correctly (pointing port 1443 to port 443 on the unRAID IP). 

 

Any advice where to start troubleshooting?  I'm doing this to setup the BitWardenRS docker.

 

I'm using the latest SWAG docker, but I updated the config file to point to ports 180 and 1443 (just like in the video). 

59 minutes ago, perfect said:

I'm following SpacedInvaders Reverse Proxy setup video and am running into issues with the validation test (like many others).  I have setup a duckdns.org subdomain.  I have attempted to forward the 1443 and 180 ports in my Ubiquiti USG Pro-4 router.  However, I'm getting the same validation errors that many others get ('cert does not exist, check port forwarding or dns'). 

 

I notice that when I use a port checking utility online, that my 1443 port is never actually "open" - even though I'm certain I have the port forwarding rule setup correctly (pointing port 1443 to port 443 on the unRAID IP). 

 

Any advice where to start troubleshooting?  I'm doing this to setup the BitWardenRS docker.

 

I'm using the latest SWAG docker, but I updated the config file to point to ports 180 and 1443 (just like in the video). 

Sounds to me like you have your port forwarding backwards. On the WAN side it's port 443 and 80 that need to be open. You can point those ports to 1443 and 180 on the LAN side. So you need to point port 443 to 1443 and port 80 to 180, not the other way around. And when you're checking if the port is open you have to check ports 443 and 80.

 

Double-check your port forwarding and if it's still not working, post your docker run command and screenshot of the port forwarding. I don't know which config file you changed but you should post that too.
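An added example, not code from the thread or from the SWAG project, that turns the two validation failures in this thread into an offline pre-flight check for the http-01 path: the stale AAAA record a few posts up (Let's Encrypt validates over IPv6 first when an AAAA record exists, and the response quoted in that post did come from an IPv6 address that was not the server) and the reversed forwarding rule in the post just above (WAN 1443 pointed at LAN 443 instead of WAN 443 at LAN 1443). You describe the DNS records, the router rules and the container's host-to-container port mapping, and it reports every break in the chain WAN 80/443 -> router -> Unraid host port -> container 80/443. The domain and all addresses are documentation values; `Setup`, `preflight` and `probe_http` are names chosen here. The live probe at the end fetches the challenge path the way the CA would and is the check to run once the offline list is empty.

```python
"""Added example (not from the thread or the SWAG project): an offline pre-flight
check of DNS records, router forwards and docker port mappings for http-01
validation, plus a small live probe of the challenge path."""
import http.client
from dataclasses import dataclass, field, replace


@dataclass
class Setup:
    domain: str
    public_ipv4: str                  # address on the router's WAN side
    a_records: list                   # A records published for the domain
    aaaa_records: list                # AAAA records published for the domain
    router_forwards: dict             # WAN port -> (LAN ip, LAN port)
    unraid_ip: str
    host_ports: dict                  # docker -p host:container, as {host: container}
    ipv6_reaching_swag: list = field(default_factory=list)  # v6 addresses that truly land on SWAG


def preflight(s):
    """Return problem strings; an empty list means every address the CA may
    pick ends up on the container's port 80/443."""
    problems = []
    if s.public_ipv4 not in s.a_records:
        problems.append(f"A records {s.a_records} do not contain the WAN address {s.public_ipv4}")
    for v6 in s.aaaa_records:
        if v6 not in s.ipv6_reaching_swag:
            problems.append(f"AAAA {v6} is published but does not reach SWAG; with an AAAA record "
                            "present the CA validates over IPv6 first, so a wrong answer there fails the challenge")
    for wan_port in (80, 443):
        if wan_port not in s.router_forwards:
            problems.append(f"WAN port {wan_port} is not forwarded; the CA only connects to 80 and 443")
            continue
        lan_ip, lan_port = s.router_forwards[wan_port]
        if lan_ip != s.unraid_ip:
            problems.append(f"WAN {wan_port} is forwarded to {lan_ip}, not the Unraid host {s.unraid_ip}")
        elif lan_port not in s.host_ports:
            problems.append(f"WAN {wan_port} -> LAN {lan_port}, but no container publishes host port {lan_port}")
        elif s.host_ports[lan_port] != wan_port:
            problems.append(f"WAN {wan_port} -> host {lan_port} -> container {s.host_ports[lan_port]}; "
                            f"expected container port {wan_port}")
    for wan_port, (_, lan_port) in s.router_forwards.items():
        if wan_port not in (80, 443) and lan_port in (80, 443):
            problems.append(f"rule WAN {wan_port} -> LAN {lan_port} looks reversed; "
                            f"the CA never connects to WAN port {wan_port}")
    return problems


def probe_http(domain, timeout=5):
    """Live check (not used by the offline cases): GET the challenge path over
    port 80 like the CA does. Any HTTP status proves WAN 80 reaches a web
    server (the Server header tells you which one); a timeout or refusal
    means the forward is wrong. Returns (status, server) or (None, error)."""
    try:
        conn = http.client.HTTPConnection(domain, 80, timeout=timeout)
        conn.request("GET", "/.well-known/acme-challenge/preflight-check")
        resp = conn.getresponse()
        return resp.status, resp.getheader("Server")
    except (OSError, http.client.HTTPException) as exc:
        return None, str(exc)


# Constructed set-ups mirroring the two posts (documentation addresses only).
WORKING = Setup("mydomain.example", "198.51.100.10", ["198.51.100.10"], [],
                {80: ("192.168.1.10", 2500), 443: ("192.168.1.10", 2501)},
                "192.168.1.10", {2500: 80, 2501: 443})
STALE_AAAA = replace(WORKING, aaaa_records=["2001:db8::20a"])   # old record, host is someone else's
REVERSED = replace(WORKING, router_forwards={180: ("192.168.1.10", 80), 1443: ("192.168.1.10", 443)},
                   host_ports={180: 80, 1443: 443})
WRONG_A = replace(WORKING, a_records=["203.0.113.9"])

if __name__ == "__main__":
    for name, s in (("working", WORKING), ("stale AAAA", STALE_AAAA), ("reversed", REVERSED)):
        print(name, "->", preflight(s) or "ok")
```

Run the offline part against your own numbers first; only when it prints "ok" is a port checker or `probe_http(domain)` telling you something about the router rather than about a typo in the plan. The checker has to be pointed at WAN ports 80 and 443, as the reply above says, never at 180 or 1443.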


Hey folks, I apologize in advance for what must be an absolutely ridiculous question. I removed my SWAG container and image a little while ago because I wanted to nuke and pave my setup (had a cert problem that I couldn't solve and I suspect I borked it while messing with the config last week and wanted to just start from scratch). Previously, I had a working SWAG container with several proxied subdomains working just fine. 

 

Now, I can't find the SWAG docker in Community Applications. Has it disappeared? Or am I being unbelievably thick? I can't seem to find any other dockers from the lsio repository either, come to think of it. I can get them from the Docker Hub results, just not from the main Community Apps index. 

1 hour ago, wintervaler said:

Hey folks, I apologize in advance for what must be an absolutely ridiculous question. I removed my SWAG container and image a little while ago because I wanted to nuke and pave my setup (had a cert problem that I couldn't solve and I suspect I borked it while messing with the config last week and wanted to just start from scratch). Previously, I had a working SWAG container with several proxied subdomains working just fine. 

 

Now, I can't find the SWAG docker in Community Applications. Has it disappeared? Or am I being unbelievably thick? I can't seem to find any other dockers from the lsio repository either, come to think of it. I can get them from the Docker Hub results, just not from the main Community Apps index. 

Well, this is embarrassing. They're all back. Not sure what was going on. :) 


curious if appdata/swag/crontabs file is set to run periodic renewals or not?

 

# do daily/weekly/monthly maintenance
# min   hour    day     month   weekday command
*/15    *       *       *       *       run-parts /etc/periodic/15min
0       *       *       *       *       run-parts /etc/periodic/hourly
0       2       *       *       *       run-parts /etc/periodic/daily
0       3       *       *       6       run-parts /etc/periodic/weekly
0       5       1       *       *       run-parts /etc/periodic/monthly
# renew letsencrypt certs

 

I didn't see any mention of SWAG or certbot in any /etc/cron.*/<files>

 

On 12/9/2020 at 1:18 AM, cybrnook said:

To all,

 

Has anyone been successful in setting up Cloudflare "Authenticated Origin Pulls" with this container, is it possible?

 

https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls

 

I have this running using swag, just follow the link you shared and I just used the config/keys folder to upload the cloudflare certificate which is downloadable in that support page.

2 hours ago, 01cooperl said:

 

I have this running using swag, just follow the link you shared and I just used the config/keys folder to upload the cloudflare certificate which is downloadable in that support page.

Thanks for this! I asked back in December if the Swag container supported this in the Linuxserver.io groups Discord and @Roxedus said it did not support it and I should instead use a VPN basically. So I ended up going a different direction with the whole thing, but I AM pleased to hear you got it going. Means I could shift back to it if I come back to Swag 🙂 


Has anyone been able to get 2 separate domain names (i.e. domainname1.com & domainname2.com) working through Cloudflare and SWAG?

 

I was able to get my first domain all setup and working. I can access all the subdomains just fine.

 

I then added a new site to Cloudflare, and verified the DNS setup is working and pointing to my public IP like my first domain. I can see communication is occurring through Cloudflare.

 

I then added this domain to the "Extra Domains" parameter in the SWAG docker container. Restarted, and everything generated fine. It recognized the new extra domain.

 

However, whenever I try to access the public domain name in a browser, all I get is the below error, and I'm not sure what else to do from here, or how to troubleshoot it. Any ideas?

 

EDIT: I discovered some people having luck by adding a "server block" to the "default" file in the /appdata/swag/nginx/site-confs/ folder. Although, I'm still having the exact same issue after completing this setup. Not sure what is going on.

 

EDIT2: It's working now. I missed one setting in Cloudflare as usual (setting SSL/TLS to "Full").

 

Error:

"ERR_TOO_MANY_REDIRECTS"

 

Default file in /appdata/swag/nginx/site-confs/ folder:

## Version 2021/01/03 - Changelog: https://github.com/linuxserver/docker-swag/commits/master/root/defaults/default

error_page 502 /502.html;

# redirect all traffic to https
server {
	listen 80;
	listen [::]:80;
	server_name domain1.com;
	return 301 https://$host$request_uri;
}

# main server block
server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	root /config/www;
	index index.html index.htm index.php;

	server_name domain1.com;

	# enable subfolder method reverse proxy confs
	include /config/nginx/proxy-confs/*.subfolder.conf;

	# all ssl related config moved to ssl.conf
	include /config/nginx/ssl.conf;

	client_max_body_size 0;

	location / {
		try_files $uri $uri/ /index.html /index.php?$args =404;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}
}

server {
	listen 80;
	listen [::]:80;
	server_name domain2.com;
	return 301 https://$host$request_uri;
}

server {
	listen 443 ssl http2;
	listen [::]:443 ssl http2;

	root /config/www;
	index index.html index.htm index.php;

	server_name domain2.com;

	# enable subfolder method reverse proxy confs
	include /config/nginx/proxy-confs/*.subfolder.conf;

	# all ssl related config moved to ssl.conf
	include /config/nginx/ssl.conf;

	client_max_body_size 0;

	location / {
		try_files $uri $uri/ /index.html /index.php?$args =404;
	}

	location ~ \.php$ {
		fastcgi_split_path_info ^(.+\.php)(/.+)$;
		fastcgi_pass 127.0.0.1:9000;
		fastcgi_index index.php;
		include /etc/nginx/fastcgi_params;
	}
}

# enable subdomain method reverse proxy confs
include /config/nginx/proxy-confs/*.subdomain.conf;

# enable proxy cache for auth
proxy_cache_path cache/ keys_zone=auth_cache:10m;

 

1 hour ago, cybrnook said:

Thanks for this! I asked back in December if the Swag container supported this in the LInuxserver.io groups Discord and @Roxedus said it did not support it and I should instead use a VPN basically. So I ended up going a different direction with the whole thing, but I AM pleased to hear you got it going. Means I could shift back to it if I come back to Swag 🙂 

It is still unsupported, and I don't even see the appeal of doing this.

2 hours ago, Roxedus said:

It is still unsupported, and I don't even see the appeal of doing this.

"The advantage of using this setup is that you benefit from Cloudflare fast DNS resolution and add an extra layer of security by hiding your server identity while ensuring that all the connections pass through Cloudflare. This prevents any malicious requests from reaching the server."

 

https://support.cloudways.com/configure-cloudflare-origin-certificate-with-your-application/

 

 

In a nutshell it lets CF field all the nasties on the web for you, while hiding your server and its point of origin behind its WAF. Good way to mitigate attempts against your port forwarded server sitting on the web.

1 hour ago, cybrnook said:

"The advantage of using this setup is that you benefit from Cloudflare fast DNS resolution and add an extra layer of security by hiding your server identity while ensuring that all the connections pass through Cloudflare. This prevents any malicious requests from reaching the server."

You can do this without their certs. I also like to use my site when cloudflare isn't working. 
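An added example, not code from the thread, from SWAG or from Cloudflare, of the alternative raised in the reply above: making the origin accept connections only from Cloudflare's edge ranges, so that someone who learns the origin address cannot simply connect around the proxy. It is a plain address check with the standard `ipaddress` module; the ranges in the block are a constructed sample, not the authoritative list, which Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and changes over time. Two caveats a practitioner should keep in mind: passing this check proves the hop came from a Cloudflare edge, not that it came through your zone, since anyone can create a Cloudflare zone pointing at your origin address, so authentication still belongs to the application (or to SWAG's own auth); and because it is just a list, adding your own address is how you keep the site reachable when you want to bypass Cloudflare, which the reply mentions wanting. The header name CF-Connecting-IP is the one Cloudflare sets; `load_ranges`, `is_edge` and `admit` are names chosen here.

```python
"""Added example (not from the thread, SWAG or Cloudflare): restrict the origin
to Cloudflare's edge ranges and only then trust the visitor address it forwards."""
import ipaddress

SAMPLE_EDGE_RANGES = """\
# constructed sample of the published lists; refresh from cloudflare.com/ips
173.245.48.0/20
103.21.244.0/22
2400:cb00::/32
"""


def load_ranges(text):
    """One CIDR per line; blanks and '#' comments are ignored."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_edge(peer_ip, nets):
    """True when the TCP peer address lies inside one of the allowed ranges."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in nets)


def admit(peer_ip, headers, nets):
    """Origin-side decision for one request.
    - peer outside the ranges: refuse; the request bypassed the proxy,
      e.g. someone found the origin IP and connected to it directly.
    - peer inside the ranges: accept, and take the visitor address from
      CF-Connecting-IP, which is only meaningful when the peer is an edge.
    Returns (accepted, visitor_ip)."""
    if not is_edge(peer_ip, nets):
        return False, None
    visitor = headers.get("CF-Connecting-IP", peer_ip)
    try:
        ipaddress.ip_address(visitor)
    except ValueError:
        visitor = peer_ip          # malformed header: fall back to the peer address
    return True, visitor


if __name__ == "__main__":
    nets = load_ranges(SAMPLE_EDGE_RANGES)
    # constructed requests: one via an edge, one straight at the origin
    print(admit("173.245.48.10", {"CF-Connecting-IP": "203.0.113.5"}, nets))
    print(admit("203.0.113.5", {"CF-Connecting-IP": "203.0.113.5"}, nets))
```

The same two rules are what an nginx `allow`/`deny` list plus `set_real_ip_from` for the edge ranges express in configuration; whichever form you use, the ordering matters: trust the forwarded visitor address only after the peer has been confirmed to be an edge, never the other way round.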


Hi there. I have an issue with using the reverse proxy set up for nextcloud. In the nextcloud.subfolder.config it says:


 

## Version 2020/12/09
# Assuming this container is called "swag", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
#  'trusted_proxies' => ['swag'],
#  'overwritewebroot' => '/nextcloud',
#  'overwrite.cli.url' => 'https://your-domain.com/nextcloud',
#
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
#  array (
#    0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
#    1 => 'your-domain.com',
#  ),

 

When I try to do this for my docker container of nextcloud, if the line 'overwritewebroot' => '/nextcloud', is inserted it prevents me from accessing nextcloud locally - it says that "The page isn't redirecting properly". And when trying to access remotely SWAG displays "502 Bad Gateway".

 

My nextcloud config.php is as follows:

 

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'xxxxx',
  'passwordsalt' => 'xxxxx',
  'secret' => 'xxxxx',
  'trusted_domains' => 
  array (
    0 => '192.168.1.123:12345',
    1 => 'MYSITE.duckdns.org',
  ),
  'dbtype' => 'mysql',
  'version' => '21.0.0.18',
  'overwrite.cli.url' => 'https://192.168.1.123:12345',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.123',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'xxxxx',
  'installed' => true,
  'trusted_proxies' => ['swag'],
  'overwritewebroot' => '/nextcloud',
  'overwrite.cli.url' => 'https://MYSITE.duckdns.org/nextcloud',
);

 

If you could give me some advice as to what I am doing wrong I would be really grateful.
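An added example, not code from the thread or from Nextcloud, that lints a config.php of the shape posted above. It walks the top-level entries of the `$CONFIG` array (tracking nesting so the inner `array (...)` and `[...]` values stay intact) and reports two things that matter for the reverse-proxy setup: a key that appears twice, which PHP accepts silently with the last value winning, so the earlier line is dead; and a trusted_domains list that lacks the public hostname. The sample config embedded in the block is a shortened copy of the posted one with the secrets removed; `top_level_entries` and `lint` are names chosen here, and the check that overwrite.cli.url ends with overwritewebroot is an added sanity rule, not something Nextcloud enforces.

```python
"""Added example (not from the thread or Nextcloud): a small lint for the
top-level keys of a Nextcloud config.php."""
import re

# Constructed sample with the shape of the posted file; secrets dropped.
SAMPLE_CONFIG = r"""<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'trusted_domains' => 
  array (
    0 => '192.168.1.123:12345',
    1 => 'MYSITE.duckdns.org',
  ),
  'overwrite.cli.url' => 'https://192.168.1.123:12345',
  'installed' => true,
  'trusted_proxies' => ['swag'],
  'overwritewebroot' => '/nextcloud',
  'overwrite.cli.url' => 'https://MYSITE.duckdns.org/nextcloud',
);
"""


def top_level_entries(src):
    """Return [(key, raw_value), ...] for entries directly inside
    $CONFIG = array ( ... ). Parentheses/brackets are tracked outside
    single-quoted strings so nested arrays are kept as one raw value."""
    body = src[src.index("array (") + len("array ("):]
    entries, buf, depth, in_str, i = [], [], 0, False, 0
    while i < len(body):
        c = body[i]
        if in_str:
            buf.append(c)
            if c == "\\":                 # escaped character inside the string
                i += 1
                buf.append(body[i])
            elif c == "'":
                in_str = False
        elif c == "'":
            in_str = True
            buf.append(c)
        elif c in "([":
            depth += 1
            buf.append(c)
        elif c in ")]":
            if depth == 0:                # the ')' closing $CONFIG itself
                break
            depth -= 1
            buf.append(c)
        elif c == "," and depth == 0:     # end of one top-level entry
            entries.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    if "".join(buf).strip():
        entries.append("".join(buf))
    result = []
    for entry in entries:
        m = re.match(r"\s*'([^']+)'\s*=>\s*(.*)", entry.strip(), re.S)
        if m:
            result.append((m.group(1), m.group(2).strip()))
    return result


def lint(src, public_host):
    """Problems worth fixing before debugging the proxy itself."""
    problems, seen = [], {}
    for key, value in top_level_entries(src):
        if key in seen:
            problems.append(f"duplicate key {key!r}: {seen[key]} is overridden by {value}")
        seen[key] = value
    if f"'{public_host}'" not in seen.get("trusted_domains", ""):
        problems.append(f"trusted_domains lacks {public_host!r}")
    if "overwritewebroot" in seen and "overwrite.cli.url" in seen:
        root = seen["overwritewebroot"].strip("'")
        if not seen["overwrite.cli.url"].strip("'").endswith(root):
            problems.append("overwrite.cli.url does not end with overwritewebroot")
    return problems


if __name__ == "__main__":
    for p in lint(SAMPLE_CONFIG, "MYSITE.duckdns.org"):
        print(p)
```

Point it at your real config.php with `lint(open(path).read(), "your-domain")`; a duplicate-key report means only the later line is in effect, so remove the one you did not mean to keep rather than editing both.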

