[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Not sure what is going on, but it seems the registrar for the SSL signed cert is expired. What do I have to do to fix it? It doesn't seem like it is something that I have a lot of control over.


 

The other server I have that is still using the letsencrypt docker is using a different registrar to sign the certs (which is valid).



I have an issue with SWAG, Nextcloud and Cloudflare. I keep getting these in the log by the thousands; the log file got to 200 GB in one day, and then Nextcloud is not responding anymore. Any ideas what's wrong?

I see this alert "zero size buf in chain writer t:1 r:1 f:0", I googled it but cannot find any resolution!

Has anyone here had a similar issue?

 


2 hours ago, uByte said:

Not sure what is going on, but it seems the registrar for the SSL signed cert is expired. What do I have to do to fix it? It doesn't seem like it is something that I have a lot of control over.


 

The other server I have that is still using the letsencrypt docker is using a different registrar to sign the certs (which is valid).


Found the problem. Apparently there is an option in the SWAG settings; when you set the value to true, the certificate is set to staging. If you change it to false it will use a legit CA. Checking those settings matters.



Hi, is there any way I can edit a config file or set an environment variable so that swag will add multiple domains to the Let's Encrypt cert?

I am using a duckdns https but I have a domain name that can redirect, whilst keeping the domain name in the address bar, but I need a certificate to be generated for this other domain, as well as the duckdns domain that it points at.

MTIA.


I was running swag, nextcloud and bitwarden with cloudflare reverse proxy, and everything was working just fine.

I saw an update available for all 3 dockers I mentioned, so I stopped all the dockers and updated them, and opened them again after they finished. Then suddenly I couldn't connect to nextcloud and bitwarden through my domain; it returns a status 503.

The log has no error at all, I am so confused. What would have caused the problem?

3 hours ago, Millerthegorilla said:

Hi, is there any way I can edit a config file or set an environment variable so that swag will add multiple domains to the Let's Encrypt cert?

I am using a duckdns https but I have a domain name that can redirect, whilst keeping the domain name in the address bar, but I need a certificate to be generated for this other domain, as well as the duckdns domain that it points at.

MTIA.

@Millerthegorilla I saw this under the SWAG docker settings. Looks like how you can add a different domain.


You could also maybe add it from the "add another path, port, variable or device" option at the bottom of the Let's Encrypt docker.


3 hours ago, vinckcent said:

I was running swag, nextcloud and bitwarden with cloudflare reverse proxy, and everything was working just fine.

I saw an update available for all 3 dockers I mentioned, so I stopped all the dockers and updated them, and opened them again after they finished. Then suddenly I couldn't connect to nextcloud and bitwarden through my domain; it returns a status 503.

The log has no error at all, I am so confused. What would have caused the problem?

What are your settings in SWAG / nextcloud and cloudflare? Could you post some screenshots?


Probably a stupid question and easily solved, but my search always returns results solving the opposite problem.

I set up the reverse proxy and everything works fine. I can access the sites hosted under my subdomains perfectly.

 

Now I want to drop all connections not directed at one of my supported domains.

If I access my Public IP I want to get no result at all.

 

As far as I figured out I should be able to do that by configuring the default config.
But so far I only managed to either block nothing or block everything.

 

Any tips how to adapt the config?


I did my setup following the tutorial from SpaceInvader One, just using the new swag docker container.

 

Due to the port forwarding, if I access my WAN IP I land on the "Welcome to your SWAG instance" page.

 

Now my goal is to simply drop these requests (return 444) and only respond to requests targeting

supportedsubdomain.domain.com

supportedsubdomain2.domain.com

 

 


I don't know what my problem was yesterday, I think I had something quite similar. But I figured it out now.

Relevant part of my default file:

server {
    return 444;
}

# redirect all traffic to https
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name mydomain.com;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;

    root /config/www;
    index index.html index.htm index.php;

    server_name mydomain.com;

    # ... rest of the block unchanged
}

 

Additional server block to drop all requests.

Server name for HTTP and HTTPS changed to only work for my domain.

 

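Worked example added by the editor, not the poster's file or SWAG's shipped default site config: a complete pair of catch-all blocks for ports 80 and 443 next to the named site, so that a request for the bare WAN IP on either port is dropped while mydomain.com still answers. It assumes SWAG's /config/nginx/ssl.conf supplies the certificate, as the proxy-confs on this page rely on; the domain names are placeholders.

```nginx
# Catch-all for plain HTTP: close the connection without a response.
# Only the catch-all blocks carry default_server, so anything whose
# Host header matches no server_name lands here.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# Catch-all for HTTPS. A TLS server block still needs a certificate to
# complete the handshake, so reuse the one ssl.conf points at; the
# client sees the connection closed right after the handshake.
# (On nginx 1.19.4+ "ssl_reject_handshake on;" can replace the include
# and refuse the handshake outright.)
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    include /config/nginx/ssl.conf;
    return 444;
}

# The real site: exact hostnames only, no default_server here.
server {
    listen 80;
    listen [::]:80;
    server_name mydomain.com supportedsubdomain.mydomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mydomain.com;
    include /config/nginx/ssl.conf;
    root /config/www;
    index index.html index.htm index.php;
}
```

To confirm from outside the LAN, `curl -k https://<WAN IP>/` should end with "Empty reply from server" while `https://mydomain.com/` still serves the site. The subdomain proxy-confs keep working because their own server_name (e.g. bitwarden.*) is matched before the catch-all.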

Do you have to use a Let's Encrypt cert?

 

I have an existing domain at Hostinger that I would like to use, but you have to manually renew the SSL certificate if you want to use Let's Encrypt. There is an option to buy a lifetime SSL certificate from them for $12, which would be cheaper than buying a new domain somewhere else.

 

Also I don't want to move my domain over to a new host.


Is this expected behavior?

From outside my home network, going to https://my-ip takes me to the Swag splash page. 

Right now, I have 4 unRAID dockers set at duckdns.org, and those all work. I was just surprised to see that my home ip by itself does this. 

Is this OK?


19 hours ago, volcs0 said:

Is this expected behavior?

From outside my home network, going to https://my-ip takes me to the Swag splash page. 

Right now, I have 4 unRAID dockers set at duckdns.org, and those all work. I was just surprised to see that my home ip by itself does this. 

Is this OK?


That is normal.

On 4/29/2020 at 3:02 PM, Heciruam said:

Is there an nginx .config.sample file for Mattermost? I just installed it and was wondering how to get public access.
 

Edit:
Ok I figured it out. I found a guide on how to do it here

 

Can you by chance share a redacted version of your Conf? I cannot for the life of me get this working. I get an "nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /config/nginx/proxy-confs/mattermost.subdomain.conf:9" error.


Hi there, 

 

so I am kinda new to Unraid and Docker and I have a little problem.

 

I run a website on swag which is supposed to pack some files into a .zip. Before I switched to unraid and swag I ran that website on apache on a raspberry, and zipping some files with p7zip worked great but the performance was not - for this and some other reasons I switched to unraid and swag. I know I cannot just "use" p7zip. As far as I know that's because swag does not have the right permissions. As I understand it p7zip is located at /usr/bin/. By using the web terminal I am able to see and execute 7z. When I try the same thing inside the swag web terminal they just do not appear in the same directory.

My next idea was to just copy those files into a directory which is owned by swag which worked and I am able to see those files now, but I can not execute them.

 

If somebody has any idea how to help me with my problem - a better way or workaround or something else - I would be happy :D


22 minutes ago, ThereIsNo said:

As I understand it p7zip is located at /usr/bin/

You must have installed it yourself from Nerd Pack.

 

You can get to the console inside any of your dockers by clicking on its icon and selecting Console.

 

But it doesn't look like p7zip exists inside the SWAG container.


Thanks for the fast reply!

 

I installed it from Nerd Pack and yeah, it does not exist inside SWAG. I don't know any other way than building swag myself with p7zip inside. And I don't think I am advanced enough for this or for doing this frequently after swag updates. :/
chown or chmod also had no positive effect.


Hi! 

I rebooted my containers yesterday and after that my SWAG container won't listen on the ports I've chosen. It worked flawlessly the days before that. I use 80/443 and they are port forwarded in my pfSense. I thought I mucked something up in pfSense so I've wiped it and started over, but no success. When I tried Nginx Proxy Manager, the port is suddenly open, even on the same LAN IP. As soon as I stop Nginx Proxy Manager and start swag, the port is suddenly closed. I have other port forwards in pfSense set up and they work too.

 

Swag is in br0.

 

Does anyone have a clue what happened? I'm on the latest version of swag. I've forced updates and I wiped swag too, but no success.


Hey all, during an upgrade of swag it failed. And now I've removed it completely, removed any files associated with it, but when I go to reinstall fresh it won't launch. I get this error.

 

driver failed programming external connectivity on endpoint swag (c09c532ca4cfa43c71f2affae682c2387117adc17070dda5db1b07ecc3d7b35f): Error starting userland proxy: listen tcp 0.0.0.0:80: bind: address already in use.

8 hours ago, Schwaby412 said:

Hey all, during an upgrade of swag it failed. And now I've removed it completely, removed any files associated with it, but when I go to reinstall fresh it won't launch. I get this error.

 

driver failed programming external connectivity on endpoint swag (c09c532ca4cfa43c71f2affae682c2387117adc17070dda5db1b07ecc3d7b35f): Error starting userland proxy: listen tcp 0.0.0.0:80: bind: address already in use.

 

Port 80 is already in use ... you may have changed your network settings, e.g. to host while Unraid is already listening on port 80, as an example; take a look at what you did in your swag docker network settings.


Hi, I updated the Swag container and now my bitwarden instance is not working anymore. Checking the swag log I found a message asking me to update the nginx conf files, so I updated the conf file inside the nginx folder with the new template, renamed the container as requested in that file from bitwardenrs to bitwarden, and set WEBSOCKET_ENABLED to true in the bitwarden container. Still can't access it from outside. Any hint?

 

Previous conf file

 

#BITWARDEN
# make sure that your dns has a cname or a record set for the subdomain bitwarden
# This config file will work as is when using a custom docker network the same as letsencrypt (proxynet).
# However the container name is expected to be "bitwardenrs" as it is by default in the template, as this name is used to resolve.
# If you are not using the custom docker network for this container then change the line "server bitwardenrs:80;" to "server [YOUR_SERVER_IP]:8086;" Also remove line 7

resolver 127.0.0.11 valid=30s;
upstream bitwarden {
    server bitwardenrs:80;
}

server {
    listen 443 ssl;
    server_name bitwarden.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 128M;

    location / {
        proxy_pass http://bitwarden;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location /notifications/hub {
        proxy_pass http://bitwarden;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }

    location /notifications/hub/negotiate {
        proxy_pass http://bitwarden;
    }
}

 

New Conf file

 

## Version 2020/12/09
# make sure that your dns has a cname set for bitwarden and that your bitwarden container is not using a base url
# make sure your bitwarden container is named "bitwarden"
# set the environment variable WEBSOCKET_ENABLED=true on your bitwarden container

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name bitwarden.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 128M;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwarden;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /admin {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwarden;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /notifications/hub {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwarden;
        set $upstream_port 3012;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /notifications/hub/negotiate {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app bitwarden;
        set $upstream_port 80;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}


 

On 4/1/2021 at 1:02 PM, muppie said:

Hi! 

I rebooted my containers yesterday and after that my SWAG container won't listen on the ports I've chosen. It worked flawlessly the days before that. I use 80/443 and they are port forwarded in my pfSense. I thought I mucked something up in pfSense so I've wiped it and started over, but no success. When I tried Nginx Proxy Manager, the port is suddenly open, even on the same LAN IP. As soon as I stop Nginx Proxy Manager and start swag, the port is suddenly closed. I have other port forwards in pfSense set up and they work too.

 

Swag is in br0.

 

Does anyone have a clue what happened? I'm on the latest version of swag. I've forced updates and I wiped swag too, but no success.

There was nothing wrong with SWAG. I messed up my cloudflare settings which caused the error.


Hi,

I have been trying to set up something I am not sure is possible to do with my current setup and swag. Basically, it is to reverse proxy HTTP-only services on my unraid machine from a domain like photoprism.lan to its container IP and port (2342).

I have swag running on unraid 6.9.1 host and listening on ports 80 and 443, those are port forwarded from my router for external access. I can successfully access my desired services running on https behind the subdomain certs I have generated for nextcloud and bitwarden: nextcloud.mydomain.com and bitwarden.mydomain.com. Everything works fine also internally: I have two entries on PiHole internal DNS server that resolves nextcloud.mydomain.com and bitwarden.mydomain.com to the local unraid IP where swag nginx is listening.

 

Now I am trying to make use of the nginx reverse proxy on swag to locally access a new service on my unraid, in this case photoprism. The thing is that the photoprism GUI is running on port 2342 and is running over http. I would like to access photoprism with a domain (different from my external one used for nextcloud and bitwarden) and without needing to write the port each time, for example with http://photoprism.lan and no port (I have added a DNS entry on the PiHole to resolve photoprism.lan to the unraid IP where swag nginx is listening), but I have not found a way to configure a proxy-conf in nginx that proxies this domain to the right IP and port. What I have tried, among many other things, is to put a file (local-servers.conf) inside the proxy-confs folder of nginx with:

 

server {
    listen 80;
    server_name photoprism.*;

    location / {

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app photoprism;
        set $upstream_port 2342;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

 

I have also tried with server_name photoprism.lan*
Although the internal docker DNS works OK resolving the container name, I have also tried setting the proxy_pass with the final docker IP and port, with no luck.

When I try to go to http://photoprism.lan I get redirected to https://photoprism.lan/ and see the default nginx webpage:

 

Welcome to our server

The website is currently being setup under this address.

For help and support, please contact: [email protected]


Is this because by default only https is being configured to be proxied?
Any way of allowing http for internal lan without compromising security?
My certs are subdomains, as stated above, like nextcloud.mydomain.com but the photoprism is not in the same domain but photoprism.lan, does this cause the failure?

 

Thanks!

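Added example (editor's, not the poster's file and not a SWAG template) for the LAN-only plain-HTTP case asked about above: a port-80 vhost for photoprism.lan that only answers from private address ranges, since ports 80 and 443 on this host are forwarded from the internet. The SWAG default site config only pulls in proxy-confs named *.subdomain.conf (and *.subfolder.conf), so the file is assumed to be saved as proxy-confs/photoprism.subdomain.conf; the allowed ranges are assumptions to adjust to your LAN.

```nginx
# An exact server_name on port 80 is matched before the default file's
# "listen 80 default_server" block, so its 301-to-https redirect does
# not apply to this hostname.
server {
    listen 80;
    server_name photoprism.lan;

    # Ports 80/443 are forwarded from the WAN, so this block is reachable
    # from outside by anyone sending "Host: photoprism.lan". Answer only
    # from private address space (assumed LAN ranges); everyone else
    # receives 403 and never reaches the upstream.
    allow 192.168.0.0/16;
    allow 10.0.0.0/8;
    allow 172.16.0.0/12;
    deny all;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app photoprism;
        set $upstream_port 2342;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

After reloading, `curl -sI -H 'Host: photoprism.lan' http://<unraid IP>/` from a LAN machine should return photoprism's own headers rather than a 301 to https; if it still redirects, check that the file name matches the include glob.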
