[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Hey, looking for some help with SWAG: nothing is getting banned at all. I have tried to trip a ban by trying 10 times in a row with a bad login... max is set to 2. I thought it might be that I needed to add a .local for bitwardenrs and a path to the log. Even after doing this I'm still getting nothing.

This is my bitwarden.local inside filter.d:

[Definition]
failregex = ^\s*\[ERROR\]\s+Username or password is incorrect. Try again.(?:, 2FA invalid)?\. <HOST>$

Inside jail.local:

[bitwarden]

enabled  = true
filter   = bitwarden
logpath  = /config/log/containers/bitwarden.log
maxretry = 2

I have added my fail2ban log. I changed to debug and heavydebug, and still can't see why it isn't picking up the failed attempt.

Any help would be much appreciated.

fail2ban.log

Link to comment
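fail2ban bans nothing when the failregex never matches the lines actually written to the log, so the regex is the first thing to verify. What follows is an added example, not code from the thread, from fail2ban or from SWAG: a small Python model of fail2ban's filter step that substitutes the <HOST> tag the way fail2ban does, tallies matches per address and applies maxretry. The sample log lines are constructed, and the "Try again. IP: <addr>. Username: <user>." shape most of them use is an assumption about the application's log format; CANDIDATE_FAILREGEX is written for that assumed shape only and must be checked against the real log before use.

```python
import re

# failregex exactly as posted in the thread
POSTED_FAILREGEX = (
    r"^\s*\[ERROR\]\s+Username or password is incorrect. Try again."
    r"(?:, 2FA invalid)?\. <HOST>$"
)

# Candidate replacement written for the ASSUMED line shape used in SAMPLE_LINES
# ("... Try again. IP: <addr>. Username: <user>."). Verify against the real log first.
CANDIDATE_FAILREGEX = (
    r"^\s*\[ERROR\]\s+Username or password is incorrect\. Try again\. "
    r"IP: <HOST>\. Username: .*$"
)

# Simplified stand-in for what fail2ban substitutes for <HOST> (its own pattern also
# covers IPv6 and hostnames); IPv4 is enough for this demonstration.
HOST_PATTERN = r"(?P<host>\d{1,3}(?:\.\d{1,3}){3})"

# Constructed sample lines (not taken from the post). fail2ban strips the timestamp it
# recognises before applying failregex, so only the remainder of each line is modelled.
SAMPLE_LINES = [
    "[ERROR] Username or password is incorrect. Try again. IP: 198.51.100.9. Username: alice@example.com.",
    "[ERROR] Username or password is incorrect. Try again. IP: 198.51.100.9. Username: alice@example.com.",
    "[ERROR] Username or password is incorrect. Try again. 203.0.113.7",
    "[ERROR] Username or password is incorrect. Try again.. 203.0.113.7",
    "[INFO] Login succeeded. IP: 203.0.113.7. Username: bob@example.com.",
]


def compile_failregex(failregex):
    """Turn a fail2ban failregex into a Python pattern by expanding the <HOST> tag."""
    return re.compile(failregex.replace("<HOST>", HOST_PATTERN))


def count_failures(failregex, lines):
    """Tally matching lines per host, the count fail2ban compares against maxretry."""
    rx = compile_failregex(failregex)
    hits = {}
    for line in lines:
        m = rx.search(line)
        if m:
            host = m.group("host")
            hits[host] = hits.get(host, 0) + 1
    return hits


def hosts_to_ban(hits, maxretry):
    """Hosts whose failure count reached maxretry (findtime is not modelled here)."""
    return sorted(host for host, n in hits.items() if n >= maxretry)


def compare(maxretry=2):
    """Show what each regex would tally and ban over the sample lines."""
    results = {}
    for label, rx in (("posted", POSTED_FAILREGEX), ("candidate", CANDIDATE_FAILREGEX)):
        hits = count_failures(rx, SAMPLE_LINES)
        results[label] = (hits, hosts_to_ban(hits, maxretry))
    return results


if __name__ == "__main__":
    for label, (hits, banned) in compare().items():
        print(f"{label:>9}: hits={hits} banned={banned}")
```

Run over these lines, the posted regex only accepts the line with a doubled dot before the address: the unescaped `.` after "Try again" consumes the real full stop and the following `\.` then demands a second one, so ordinary lines never count and maxretry is never reached. The real tool for the same check is `fail2ban-regex <logfile> <filterfile>`, which reports how many lines of the actual log each failregex matched; run it before touching maxretry or findtime.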

Commenting to see if anyone has gotten Snapdrop working through a SWAG reverse proxy on unraid. Tried setting up the configs myself with partial success but it's not working properly. Would also be awesome to see a default config file for linuxserver/snapdrop included with SWAG!

Link to comment

Hi all, 

 

Quick (hopefully) question; 

I've followed SpaceInvaderOne's video about setting up reverse proxy and Nextcloud - using SWAG to make it externally accessible. 

Everything is working fine - and Nextcloud is the only externally accessible app I've setup. 

 

However, when I access my static IP address directly from a browser (not via the Nextcloud.(mydomain.com)) I get a 'Welcome to your SWAG instance' page. 

 

Is this a security issue? Is there any way to direct ALL traffic that hits port 80 or 444 at my address to send it directly to my Nextcloud instance? 

 

Cheers! 

 

Link to comment
2 hours ago, BenW said:

Hi all, 

 

Quick (hopefully) question; 

I've followed SpaceInvaderOne's video about setting up reverse proxy and Nextcloud - using SWAG to make it externally accessible. 

Everything is working fine - and Nextcloud is the only externally accessible app I've setup. 

 

However, when I access my static IP address directly from a browser (not via the Nextcloud.(mydomain.com)) I get a 'Welcome to your SWAG instance' page. 

 

Is this a security issue? Is there any way to direct ALL traffic that hits port 80 or 444 at my address to send it directly to my Nextcloud instance? 

 

Cheers! 

 

 

That would make a reverse proxy more or less obsolete .... you can skip swag then and just forward ports to your NC instance directly, cert creation will be another story then ...

As an option, use rewrite rules for all incoming requests to root to your NC domain in swag.

Link to comment

Having an issue migrating from the old letsencrypt image to swag. Followed the instructions on the repo, and now I'm getting 

 

Error determining zone_id: 9103 Unknown X-Auth-Key or X-Auth-Email. Please confirm that you have supplied valid Cloudflare API credentials. (Did you enter the correct email address and Global key?)
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file

 

Also getting this warning, ran `chmod 600` and the warning will not go away.

Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini

My credentials are correct in cloudflare.ini. I've tried rolling my API token, generating completely new ones, even using email/global API key and nothing is working. 

 

Stumped here.

 

/var/log/letsencrypt.log hits the first exception here:

2021-04-14 12:28:36,683:DEBUG:urllib3.connectionpool:https://api.cloudflare.com:443 "GET /client/v4/zones?name=docker.muth.dev&per_page=1 HTTP/1.1" 403 None
2021-04-14 12:28:36,692:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot_dns_cloudflare/_internal/dns_cloudflare.py", line 187, in _find_zone_id
    zones = self.cf.zones.get(params=params)  # zones | pylint: disable=no-member
  File "/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py", line 672, in get
    return self._base.call_with_auth('GET', self._parts,
  File "/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py", line 126, in call_with_auth
    return self._call(method, headers, parts,
  File "/usr/lib/python3.8/site-packages/CloudFlare/cloudflare.py", line 502, in _call
    raise CloudFlareAPIError(code, message)
CloudFlare.exceptions.CloudFlareAPIError: Unknown X-Auth-Key or X-Auth-Email

 

I can curl the https://api.cloudflare.com/client/v4/user/tokens/verify endpoint just fine:

"messages":[{"code":10000,"message":"This API Token is valid and active","type":null}]

 

 

I am a genius.

 

Renamed my dir that my compose and config files live in from letsencrypt/ to swag/, but forgot to update the volume mount path as well. Amazing lol. All is well.

Edited by seanmuth
log output, I'm an idiot
Link to comment

Hi all. I upgraded from Lets Encrypt to SWAG this week, and initially things were fine. But then a separate cache corruption issue occurred, and I had to reformat my cache drive. Now that I've run Mover twice (once to move everything to the array, and again after the reformat back to the cache), things aren't working as expected. SWAG is failing to run and seems to be missing certain files. Honestly I'm not much of an expert here, I can follow along @SpaceInvaderOne's videos and google enough to be dangerous, but this has me stuck. Would anyone be kind enough to provide some guidance on what I should try? I don't have a CA backup because the last one ran before I had SWAG, and I can't restore Lets Encrypt because the app has been delisted and I no longer have the template saved.

 

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Los_Angeles
URL=[***OMITTED***]
SUBDOMAINS=ombi,cloud
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
CERTPROVIDER=
DNSPLUGIN=
EMAIL=[***OMITTED***]
STAGING=false

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d ombi.[***OMITTED***] -d cloud.[***OMITTED***]
E-mail address entered: [***OMITTED***]
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Renewing an existing certificate for ombi.[***OMITTED***] and cloud.[***OMITTED***]
An unexpected error occurred:

There were too many requests of a given type :: Error creating new order :: too many certificates already issued for exact set of domains: cloud.[***OMITTED***],ombi.[***OMITTED***]: see https://letsencrypt.org/docs/rate-limits/

Please see the logfiles in /var/log/letsencrypt for more details.
Can't open privkey.pem for reading, No such file or directory
22963416648520:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('privkey.pem','r')

22963416648520:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:

unable to load private key
cat: privkey.pem: No such file or directory
cat: fullchain.pem: No such file or directory
New certificate generated; starting nginx
Starting 2019/12/30, GeoIP2 databases require personal license key to download. Please retrieve a free license key from MaxMind,
and add a new env variable "MAXMINDDB_LICENSE_KEY", set to your license key.
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
Can't open /config/keys/letsencrypt/fullchain.pem for reading, No such file or directory
23299000830792:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:69:fopen('/config/keys/letsencrypt/fullchain.pem','r')

23299000830792:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:76:

unable to load certificate
The cert is either expired or it expires within the next day. Attempting to renew. This could take up to 10 minutes.
<------------------------------------------------->

<------------------------------------------------->
cronjob running on Sat Apr 17 11:46:29 PDT 2021
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ombi.[***OMITTED***]-0001.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Cert not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/ombi.[***OMITTED***].conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Traceback (most recent call last):
File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 70, in _reconstitute
renewal_candidate = storage.RenewableCert(full_path, config)
File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 468, in __init__
self._check_symlinks()
File "/usr/lib/python3.8/site-packages/certbot/_internal/storage.py", line 538, in _check_symlinks
raise errors.CertStorageError(
certbot.errors.CertStorageError: expected /etc/letsencrypt/live/ombi.[***OMITTED***]/cert.pem to be a symlink
Renewal configuration file /etc/letsencrypt/renewal/ombi.[***OMITTED***].conf is broken. Skipping.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
/etc/letsencrypt/live/ombi.[***OMITTED***]-0001/fullchain.pem expires on 2021-07-16 (skipped)
No renewals were attempted.
No hooks were run.

Additionally, the following renewal configurations were invalid:
/etc/letsencrypt/renewal/ombi.[***OMITTED***].conf (parsefail)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
0 renew failure(s), 1 parse failure(s)
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 70-templates: executing...
**** The following reverse proxy confs have different version dates than the samples that are shipped. ****

**** This may be due to user customization or an update to the samples. ****
**** You should compare them to the samples in the same folder to make sure you have the latest updates. ****
/config/nginx/proxy-confs/ombi.subdomain.conf
/config/nginx/proxy-confs/nextcloud.subdomain.conf

[cont-init.d] 70-templates: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [emerg] cannot load certificate "/config/keys/letsencrypt/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/config/keys/letsencrypt/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

 

Link to comment
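The traceback in the log above ends in certbot's `_check_symlinks`, which refuses any lineage whose files under live/ are not the symlinks certbot creates into archive/; a copy of the config directory that does not preserve symlinks produces exactly this "expected ... to be a symlink" error. The following is an added example, not part of the thread and not certbot's or SWAG's code: it applies the same rule to every lineage under a letsencrypt directory and reports which files need repair. The directory tree it builds is constructed demo data; the lineage names are invented.

```python
import os
import tempfile

# The four files certbot keeps in live/<lineage>/ as symlinks into archive/<lineage>/
CERT_FILES = ("cert.pem", "privkey.pem", "chain.pem", "fullchain.pem")


def check_live_symlinks(letsencrypt_dir):
    """Return {lineage: [problems]} for each lineage under <letsencrypt_dir>/live.

    Applies the rule certbot's storage.RenewableCert._check_symlinks enforces (the
    check the traceback above fails): every PEM file in live/ must be a symlink, and
    here additionally one that resolves to an existing file under archive/.
    """
    live = os.path.join(letsencrypt_dir, "live")
    archive_root = os.path.realpath(os.path.join(letsencrypt_dir, "archive"))
    report = {}
    for lineage in sorted(os.listdir(live)):
        lineage_dir = os.path.join(live, lineage)
        if not os.path.isdir(lineage_dir):
            continue  # certbot also drops a README file into live/
        problems = []
        for name in CERT_FILES:
            path = os.path.join(lineage_dir, name)
            if not os.path.lexists(path):
                problems.append(f"{name}: missing")
            elif not os.path.islink(path):
                problems.append(f"{name}: regular file, expected symlink")
            else:
                target = os.path.realpath(path)
                if not target.startswith(archive_root + os.sep):
                    problems.append(f"{name}: symlink points outside archive/")
                elif not os.path.exists(target):
                    problems.append(f"{name}: dangling symlink -> {target}")
        report[lineage] = problems
    return report


def build_demo_tree():
    """Constructed demo tree (not data from the thread): one intact lineage and one
    whose live/ entries became plain copies, which is what copying the directory
    without preserving symlinks produces."""
    root = tempfile.mkdtemp(prefix="letsencrypt-demo-")
    for lineage, intact in (("good.example.test", True), ("broken.example.test", False)):
        archive_dir = os.path.join(root, "archive", lineage)
        live_dir = os.path.join(root, "live", lineage)
        os.makedirs(archive_dir)
        os.makedirs(live_dir)
        for name in CERT_FILES:
            stem = name[: -len(".pem")]  # cert.pem is linked to archive/.../cert1.pem
            with open(os.path.join(archive_dir, f"{stem}1.pem"), "w") as fh:
                fh.write(f"demo {stem} material\n")
            live_path = os.path.join(live_dir, name)
            if intact:
                os.symlink(os.path.join("..", "..", "archive", lineage, f"{stem}1.pem"), live_path)
            else:
                with open(live_path, "w") as fh:
                    fh.write(f"demo {stem} material\n")
    return root


def run_demo():
    """Build the constructed tree and check it; returns the per-lineage report."""
    return check_live_symlinks(build_demo_tree())


if __name__ == "__main__":
    for lineage, problems in run_demo().items():
        print(f"{lineage}: {'ok' if not problems else '; '.join(problems)}")
```

Pointed at the container's /etc/letsencrypt, the report tells you which lineage to repair; a lineage whose archive/ files survived only needs its four symlinks recreated. Note that the same log already shows the "too many certificates already issued for exact set of domains" rate limit, so deleting the lineage and re-issuing for the same domain set will keep failing until that window passes, which is why repairing the existing files is preferable to another issuance attempt.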

Just a thing I found out, just in case someone has the same problem and did not know:
Tried to update the certs today but got the message that authentication did not work.
Found out that since my domain is now on Cloudflare, I had to turn off the proxy for the subdomains SWAG is using, then the authentication worked and then I could turn the proxy setting on again.

Link to comment

Having issues with overseerr. Works great and is fast and snappy with network set to bridge. When I add it to proxynet, however, it is consistently slow, and sometimes hangs up for minutes at a time. This is both using the local IP as well as the external domain. All of my other dockers on proxynet work fine. I brought that up on overseerr discord support and they insist it's a docker problem.

Link to comment

Good evening all,

 

My web host raised their rates again and... well... screw that... $15/mo for a simple, mostly static, WP site... I don't think so.

 

I already have MariaDB, SWAG, and a NextCloud instance set up and working. I blew away swag and redid it so that it includes the top-level domain certificate and not just sub-domains. My subdomain for Nextcloud is working, as well as one that I called web.exampledomain.com [using my actual domain]. The web one goes straight to the SWAG page. As does www.exampledomain.com. That said, I get 'ERR_TOO_MANY_REDIRECTS' when I just try https://exampledomain.com

I am using Cloudflare for DNS. Once I get my site up and running, I plan to transition my DNS registration to Cloudflare entirely for $8/yr.

 

Any idea where to look as to why https://exampledomain.com would get a Too Many Redirects error while the subdomains (including www) do not?

Link to comment
5 minutes ago, wes.crockett said:

Good evening all,

 

My web host raised their rates again and... well... screw that... $15/mo for a simple, mostly static, WP site... I don't think so.

 

I already have MariaDB, SWAG, and a NextCloud instance set up and working. I blew away swag and redid it so that it includes the top-level domain certificate and not just sub-domains. My subdomain for Nextcloud is working, as well as one that I called web.exampledomain.com [using my actual domain]. The web one goes straight to the SWAG page. As does www.exampledomain.com. That said, I get 'ERR_TOO_MANY_REDIRECTS' when I just try https://exampledomain.com

I am using Cloudflare for DNS. Once I get my site up and running, I plan to transition my DNS registration to Cloudflare entirely for $8/yr.

 

Any idea where to look as to why https://exampledomain.com would get a Too Many Redirects error while the subdomains (including www) do not?

 It's always the setting you don't think about... set it to do Full SSL on CloudFlare and good to go.

Link to comment

Configuration change needed after latest Nextcloud update to Nextcloud 21.0.1

 

Error message:

(screenshot of the error message attached)

 

My existing configuration in Swag:


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name maindomain.dk;

    include /config/nginx/ssl.conf;
#   add_header X-Frame-Options "SAMEORIGIN" always; 
    # includeSubDomains was misspelled (includeSubDomians), which makes browsers ignore that directive
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";


    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app nextcloud;
        set $upstream_port 443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_max_temp_file_size 2048m;
    }
}

 

I have found different solutions on the net that I can't "translate" into my SWAG configuration file.

 

Quote

To be more precise, I have added the following lines to my nginx config file:

    location = /.well-known/webfinger {
        rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
    }

    location = /.well-known/nodeinfo {
        rewrite ^/.well-known/nodeinfo /public.php?service=nodeinfo last;
    }

 

Or this one:

location ^~ /.well-known {
    location = /.well-known/carddav     { return 301 /remote.php/dav/; }
    location = /.well-known/caldav      { return 301 /remote.php/dav/; }
    # Anything else is dynamically handled by Nextcloud
    location ^~ /.well-known            { return 301 /index.php$uri; }
    try_files $uri $uri/ =404;
}

 

If anyone has this working, it would be great if you could share your configuration file ;-)

Link to comment

Update I tried this:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name maindomain.dk;

    include /config/nginx/ssl.conf;
#   add_header X-Frame-Options "SAMEORIGIN" always; 
    # includeSubDomains was misspelled (includeSubDomians), which makes browsers ignore that directive
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload";


    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app nextcloud;
        set $upstream_port 443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_max_temp_file_size 2048m;
    }

    # Make a regex exception for `/.well-known` so that clients can still
    # access it despite the existence of the regex rule
    location ^~ /.well-known {
        location = /.well-known/carddav     { return 301 /remote.php/dav/; }
        location = /.well-known/caldav      { return 301 /remote.php/dav/; }
        # Anything else is dynamically handled by Nextcloud
        location ^~ /.well-known            { return 301 /index.php$uri; }
        try_files $uri $uri/ =404;
    }
}

 

And I got it reduced to this last one:

(screenshot of the remaining error attached)

 

To anyone finding this "webfinger" error:

The last error is related to the cache. In Chrome do the following: open Dev Tools (F12) and, while it is open, right-click the "normal" refresh button at the top left and select Empty cache and hard reload.

And all is OK ;-)

(screenshot attached)

 

Edited by casperse
Link to comment
2 hours ago, Greygoose said:

I am trying to set my maxmind key in the docker by adding a variable.

 

It's not working :/  I would be most grateful for some advice.

 

Config Type: Variable

Name: Maxmind

Key: my Maxmind key

Value: MAXMINDDB_LICENSE_KEY=

Default value: -e

 

What's wrong with the above, please?

Everything.

You have switched value and key; also remove the =. The default value is also not -e. Just leave it blank.
Link to comment

I'm having some problems with my reverse proxy for a particular container (Linuxserver's Airsonic).

I recently updated my containers (both Airsonic and Swag). Everything was working perfectly fine before the update.

Now I get the following error :

(screenshot of the error attached)

I am using the default subdomain.conf file provided with Swag (airsonic.subdomain.conf).

Just to make sure, I tried deleting the config file and using the new one that gets automatically downloaded. The result stays the same.

I can still access the Airsonic docker using the local address.

Also, all of my other containers using Swag reverse proxy still work perfectly fine, so it seems isolated for Airsonic.

The log of Swag does not bring up any error and airsonic subdomain is shown in there.

 

Any ideas?

Edited by gustomucho
Link to comment
53 minutes ago, gustomucho said:

I'm having some problems with my reverse proxy for a particular container (Linuxserver's Airsonic).

I recently updated my containers (both Airsonic and Swag). Everything was working perfectly fine before the update.

Now I get the following error :

(screenshot of the error attached)

I am using the default subdomain.conf file provided with Swag (airsonic.subdomain.conf).

Just to make sure, I tried deleting the config file and using the new one that gets automatically downloaded. The result stays the same.

I can still access the Airsonic docker using the local address.

Also, all of my other containers using Swag reverse proxy still work perfectly fine, so it seems isolated for Airsonic.

The log of Swag does not bring up any error and airsonic subdomain is shown in there.

 

Any ideas?

Yes, the context path was added back to your airsonic template. Remove it and it will work again.

Link to comment

Hi - I'm having trouble with my swag setup. With a fresh docker install, my logs show challenge failed for my subdomains. They are properly setup in Cloudflare and my port forwarding is correct (forwarding 80 to 180 and 443 to 1443).

 

I've attached my logs. Any suggestions?

swaglog.txt

Edited by joshallen2k
typo
Link to comment

Hey all, 

I wanted to ask where I could find the domains or IP addresses this container needs to work. I want to add them to my whitelist but I don't see anything detailing these on the linuxserver.io page for swag.

I had issues setting this up with my pi-hole DNS server and want to re-enable it now, but I also want the certificates to be able to renew.

Thank you in advance.

Link to comment

I was wondering if somebody could help me out with a problem with Swag not working on a particular subnet. My network is VLAN 2 (192.168.1.x), where my Unraid and Swag live, and I also have VLAN 3 (192.168.3.x), where my wifi connections live.

So when I'm on the WAN on some public IP, or on my computer on the 192.168.1.x network, which is the same as my Unraid and Swag containers, everything works fine.

When I use my cell phone however, which is on the 192.168.3.x network, I get an error. Something about RFC1918 to public server address rejected. My router is set to allow 100% VLAN communication over the local LAN. I can easily access all my dockers from my 192.168.3.x network if I type the local IPs, like 192.168.1.102:8080 for example. So why is it that when I access via my domain, which has the reverse proxy and Swag forwards the domain over to 192.168.1.102:8080, it does not work if trying from the 192.168.3.x network?

I imagine this is because I need to somehow add the 192.168.3.x VLAN to the "proxynet" bridge I'm using in Unraid. So add it to the Unraid route table, but I am unsure how to do this.

Edited by 007craft
Link to comment
On 5/1/2021 at 10:18 PM, joshallen2k said:

Hi - I'm having trouble with my swag setup. With a fresh docker install, my logs show challenge failed for my subdomains. They are properly setup in Cloudflare and my port forwarding is correct (forwarding 80 to 180 and 443 to 1443).

 

I've attached my logs. Any suggestions?

swaglog.txt

I fixed this by disabling proxy inside Cloudflare. I'm not entirely sure why this worked, as my previous SWAG instance ran fine with Cloudflare proxy turned on...

Link to comment
