[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

I was wondering if some one could help me figure out where i had screwed up. I set up swag and nextcloud on the same custom network and port forward is working but when i go to mydomain.me I get "The page isn’t redirecting properly". This all started when i got a new domain, on my old domain it worked just fine. can anyone point me in the right direction?

after poking it the settings some more, i think it may be in the NGINX program because when i changed it from DNS/wildcard to http and only used one subdomain it worked. but when i put in the rest of the subdomains it stopped working again.

Edited by dollabillz
new info
Link to comment
On 5/3/2021 at 4:20 PM, joshallen2k said:

I fixed this by disabling proxy inside Cloudflare. I'm not entirely sure why this worked, as my previous SWAG instance ran fine with Cloudflare proxy turned on...

 

I have the same issue - I have never been able to use Nginx with Cloudflare's proxy turned on. If anyone has insight into why this doesn't work, that would be great to know. Also - I can't access my own server using DNS from within my own network - e.g. nextcloud.mydom.com. It works from a VPN, but not from my LAN. As far as I can tell from SpaceInvader One's guides, I have done everything correctly, and I can see that he can access his own Nextcloud from his LAN. Why would that not work on my LAN..?

Link to comment
18 hours ago, mrtrilby said:

 

I have the same issue - I have never been able to use Nginx with Cloudflare's proxy turned on. If anyone has insight into why this doesn't work, that would be great to know.

I had the same issue and I think, if I remember correctly, that Spaceinwader's video didn't mention that you had to turn of proxy for the subdomain CNAME record. Maybe this worked differently before at Cloudflare? But when I turn on "proxied" for any CNAME that URL will no longer point to my server, it will point to a cloudflare server. How this proxy via Cloudflare is supposed to work I do not know.
I can keep "proxied" on for my A records though

Link to comment
On 5/1/2021 at 10:18 PM, joshallen2k said:

Hi - I'm having trouble with my swag setup. With a fresh docker install, my logs show challenge failed for my subdomains. They are properly setup in Cloudflare and my port forwarding is correct (forwarding 80 to 180 and 443 to 1443).

 

I've attached my logs. Any suggestions?

swaglog.txt 3.89 kB · 6 downloads

 

I'm having the same issue. I updated the docker and my reverse proxy stopped working.

 

On 5/3/2021 at 9:20 AM, joshallen2k said:

I fixed this by disabling proxy inside Cloudflare. I'm not entirely sure why this worked, as my previous SWAG instance ran fine with Cloudflare proxy turned on...

 

I wished this worked for me, but it didn't. Any other ideas?

Link to comment
On 8/26/2020 at 1:40 PM, druck21 said:

Has anything changed recently? I had this all set up correctly and working great using dns validation through cloudflare, but lately whenever I try to check my SAB docker by using the letsencrypt domain, I can get to the login page, but once I login I just get stuck on a  "Lost connection to SABnzbd.." error screen. I can view SAB just fine when I go directly to the docker's internal address, just not when going through letsencrypt. Any ideas?

 

Did you ever find out the reason and a solution for this problem?

Link to comment

Hey guys - Sort of a newbie here, but I have a question about my swag setup.  I followed a great guide on how to get Emby and Swag to work on my Unraid server.. All is well with that and im happy. 

 

However, I have another (physical) synology server that has services on the same domain. Those no longer work.  Is there any guides or information about how I'd get "emby.mydomain.com" to resolve to my unraid swag setup, and "synology.mydomain.com:5000" to work on my synology box? 

Link to comment
15 hours ago, tvd1 said:

Hey guys - Sort of a newbie here, but I have a question about my swag setup.  I followed a great guide on how to get Emby and Swag to work on my Unraid server.. All is well with that and im happy. 

 

However, I have another (physical) synology server that has services on the same domain. Those no longer work.  Is there any guides or information about how I'd get "emby.mydomain.com" to resolve to my unraid swag setup, and "synology.mydomain.com:5000" to work on my synology box? 

cant you just install Swag on both servers and port 5000 to your synology server?

 

Link to comment
On 5/9/2021 at 7:43 AM, tvd1 said:

Hey guys - Sort of a newbie here, but I have a question about my swag setup.  I followed a great guide on how to get Emby and Swag to work on my Unraid server.. All is well with that and im happy. 

 

However, I have another (physical) synology server that has services on the same domain. Those no longer work.  Is there any guides or information about how I'd get "emby.mydomain.com" to resolve to my unraid swag setup, and "synology.mydomain.com:5000" to work on my synology box? 

By giving the example "emby.mydomain.com" I guess that he ha set up Swag to work with subdomains?

What service have you used to point mydomain.com to your WAN address? I think we need a little more information on how you have set this up to be able to give good advice.

 

You should not need to give a port number in the URL ("synology.mydomain.com:5000"). You either need a nginx subdomain config file configured for you synology server pointing to that resource (<synologyLAN-IP>:5000) or you skip Swag and let you NAT point port 5000 to your synology.

 

But, again, there are a lot ways to skin this cat. Depends on what you are trying to accomplish @tvd1.

Link to comment
On 4/3/2021 at 11:22 PM, azacan said:

Hi,

I have been trying to setup something I am not sure is possible to do with my current setup and swag. Basically is to reverse proxy http only services on my unraid machine from a domain like photoprism.lan to its containerIP and port (2342)

I have swag running on unraid 6.9.1 host and listening on ports 80 and 443, those are port forwarded from my router for external access. I can successfully access my desired services running on https behind the subdomain certs I have generated for nextcloud and bitwarden: nextcloud.mydomain.com and bitwarden.mydomain.com. Everything works fine also internally: I have two entries on PiHole internal DNS server that resolves nextcloud.mydomain.com and bitwarden.mydomain.com to the local unraid IP where swag nginx is listening.

 

Now I am trying to make use of the nginx reverse proxy on swag to locally access a new service on my unraid, in this case photoprism. The thing is that photoprism gui is running on port 2342 and is running over http. I would like to access photoprism with a domain (different from my external one used for nextcloud and bitwarden) and without needing to write the port each time, for example with http://photoprism.lan and no port (I have added a dns entry on the pihole to resolve photoprism.lan to the unraid IP where swag nginx is listening) but I have not find a way to configure a proxy-conf in nginx that proxies this domain to the right IP and port. What I have tried, among many other things is to put a file (local-servers.conf) inside proxy-confs folder of ngingx with:

 


server {
    listen 80;
    server_name photoprism.*;

    location / {

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app photoprism;
        set $upstream_port 2342;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

 

I have tried also with server_name photoprism.lan*
Although the internal docker dns works ok resolving the container name, I have tried also setting the proxy_pass with the final docker IP and port with no luck.

When I try to go to http://photoprism.lan I got redirected to a https://photoprism.lan/ and see the default nginx webpage:

 


Welcome to our server

The website is currently being setup under this address.

For help and support, please contact: [email protected]


Is this because by default only https is being configured to be proxied?
Any way of allowing http for internal lan without compromising security?
My certs are subdomains, as stated above, like nextcloud.mydomain.com but the photoprism is not in the same domain but photoprism.lan, does this cause the failure?

 

Thanks!

 

Hi,

 

Any idea on how to solve this or even if it is possible?

 

Thanks!

Link to comment

Is there a way to put the swag container behind a VPN?

 

I followed the Spaceinvader guide on how to put certain docker applications behind a VPN using privoxy, but what if I wanted an entire custom network to be behind the VPN?

 

For example, I'm self-hosting a Nextcloud instance with Swag, but anyone with the URL can basically see my real WAN IP address. Is there a way to configure it with openVPN files to put a VPN connection between user and host?

Link to comment

Tried adding extra parameters to address what I was trying to do. Ended up breaking the container, so I reinstalled it, and now it's flat out not working. Any idea what's causing the problem? Log:

 

dns-01 challenge for site.org
Unsafe permissions on credentials configuration file: /config/dns-conf/luadns.ini
Cleaning up challenges
Cleaning up challenges
Encountered exception during recovery: TypeError: delete_record() got an unexpected keyword argument 'type'
Encountered exception during recovery: TypeError: delete_record() got an unexpected keyword argument 'type'
An unexpected error occurred:

TypeError: create_record() got an unexpected keyword argument 'type'
Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/luadns.ini file.

Encountered exception during recovery: TypeError: delete_record() got an unexpected keyword argument 'type'
An unexpected error occurred:

TypeError: create_record() got an unexpected keyword argument 'type'
Please see the logfiles in /var/log/letsencrypt for more details.
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/luadns.ini file.

 

Edited by Stubbs
Link to comment

The more detailed log:

 

2021-05-14 07:27:14,760:DEBUG:acme.client:Storing nonce: 00033E53nKQ6FMRgnfb07hZGGW0_LU5GctvsON8mTd172Hk
2021-05-14 07:27:14,760:INFO:certbot._internal.auth_handler:Performing the following challenges:
2021-05-14 07:27:14,760:INFO:certbot._internal.auth_handler:dns-01 challenge for test.org
2021-05-14 07:27:14,761:WARNING:certbot.plugins.dns_common:Unsafe permissions on credentials configuration file: /config/dns-conf/luadns.ini
2021-05-14 07:27:14,765:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.luadns.com:443
2021-05-14 07:27:15,766:DEBUG:urllib3.connectionpool:https://api.luadns.com:443 "GET /v1/zones HTTP/1.1" 200 165
2021-05-14 07:27:15,770:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3.8/site-packages/certbot/plugins/dns_common.py", line 60, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python3.8/site-packages/certbot_dns_luadns/_internal/dns_luadns.py", line 54, in _perform
    self._get_luadns_client().add_txt_record(domain, validation_name, validation)
  File "/usr/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 48, in add_txt_record
    self.provider.create_record(type='TXT', name=record_name, content=record_content)
TypeError: create_record() got an unexpected keyword argument 'type'
2021-05-14 07:27:15,770:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-05-14 07:27:15,770:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-05-14 07:27:15,772:DEBUG:urllib3.connectionpool:Starting new HTTPS connection (1): api.luadns.com:443
2021-05-14 07:27:16,810:DEBUG:urllib3.connectionpool:https://api.luadns.com:443 "GET /v1/zones HTTP/1.1" 200 165
2021-05-14 07:27:16,813:ERROR:certbot._internal.error_handler:Encountered exception during recovery: TypeError: delete_record() got an unexpected keyword argument 'type'
2021-05-14 07:27:16,814:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1435, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1304, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 140, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 444, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 374, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 424, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 70, in handle_authorizations
    resps = self.auth.perform(achalls)
  File "/usr/lib/python3.8/site-packages/certbot/plugins/dns_common.py", line 60, in perform
    self._perform(domain, validation_domain_name, validation)
  File "/usr/lib/python3.8/site-packages/certbot_dns_luadns/_internal/dns_luadns.py", line 54, in _perform
    self._get_luadns_client().add_txt_record(domain, validation_name, validation)
  File "/usr/lib/python3.8/site-packages/certbot/plugins/dns_common_lexicon.py", line 48, in add_txt_record
    self.provider.create_record(type='TXT', name=record_name, content=record_content)
TypeError: create_record() got an unexpected keyword argument 'type'
2021-05-14 07:27:16,815:ERROR:certbot._internal.log:An unexpected error occurred:
2021-05-14 07:27:16,815:ERROR:certbot._internal.log:TypeError: create_record() got an unexpected keyword argument 'type'

 

Link to comment

Swap stopped renewing my  Letsencrypt cert since this week. i didnt change anything in the docker or any config file of this docker.

 

i do it via DNS which always worked the credentials are in the ini file at that location.

 

Failed to renew certificate .nl with error: Missing properties in credentials configuration file /config/dns-conf/transip.ini:
* Property "certbot_dns_transip:dns_transip_key_file" not found (should be RSA key file(convert with openssl rsa -in transip.key -out decrypted_key)).
* Property "certbot_dns_transip:dns_transip_username" not found (should be Transip username).

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:

 

 

EDIT:

maybe its new or it got removed somehow but after i added

image.png.0ca4039b961242f8fb3f2f736ae3c834.png

 

and restarted the container its all fixed.

Edited by KoNeko
Fixed the problem
Link to comment

Hey all! So I thought I had this up and running - got LetsEncrypt to work, got some subdomains setup, changed my DNS entries to point the right way and redirected my FW appropriately. But now I'm getting the following errors in my nginx log:

 

2021/05/14 18:18:06 [error] 476#476: send() failed (111: Connection refused) while resolving, resolver: 127.0.0.11:53
2021/05/14 18:18:11 [error] 476#476: send() failed (111: Connection refused) while resolving, resolver: 127.0.0.11:53
2021/05/14 18:18:11 [error] 476#476: send() failed (111: Connection refused) while resolving, resolver: 127.0.0.11:53

 

I've seen this elsewhere in the thread but no one's answered what's going on. It seems to me like the local docker resolver isn't working but I don't know whether this is from me changing something or just something broken in my config. I've confirmed I can ping 127.0.0.11 so it just seems like it's being rejected. I've tried running the container as a host but all my requests come back with a 502 error, presumably because it's not on the same docker subnet as the other containers, but once I put it back on 'bridge' with the rest of the containers I get these resolve errors as above again. I've tried restarting docker and my whole unraid box, to no avail-does anyone have any thoughts?

Link to comment

Ok, solved my issue to an extent. Whilst I have no idea why it's failing, I found this note in the SWAG proxy documentation:

Quote

If the proxied container is not in the same user defined bridge network as SWAG (could be on a remote host, could be using host networking or macvlan), we can change the value of $upstream_app to an IP address instead: set $upstream_app 192.168.1.10;

So I changed the $upstream_app to read, instead of the name of the container, the IP of the NAT'd IP of Docker. It works fine, but does anyone know why I have to do this and how to run it as default?

Link to comment

Hi everyone,

 

I'm sad I have to post here... everything was working fine until 3 days ago when one of my cache pool drive died.
I had problems with my /appdata backup and I had to delete files from the swag config (probably chmod problems or busy files the moment I wanted to backup).

I changed my cache drive without any other issue.

 

When I try to launch swag, I got this error in my log :

https://pastebin.com/mMuxi79e

 

My ovh.ini credentials are good.

I cleaned the _acme-challenge DNS entry from my OVH manager console.

My domain DNS are all ok,  A and CNAME.

Restarted swag container multiple times.... nothing.

 

I don't understand what I'm doing wrong. Any help would be VERY appreciated !

 

Link to comment

I've had SWAG set up and running for a couple years now (back before it was SWAG) and it works great.  I have to admit I don't totally understand everything (or even much) about it, but via tutorials and this forum, I was able to get everything working. I switched to a wildcard cert a year or so ago without much issue. But I am having an issue trying to allow for a new subdomain.

 

I have had Radarr working all this time and I recently another instance to to handle 4K content.  I thought this would be super easy.  I went on to my Cloudflare dash and created a cname for radarr4k (the other is just radarr) and I copied my radarr site-conf, renamed it to radarr4k, replaced every instance of radarr inside with radarr4k and changes the port the port I use for radarr4k.  I thought it would be as simple as that and just work, but I get a 502 error whenvever I try to go to https://radarr4k.myserver.com.  

 

Here is my radarr file:

server {
    listen 443 ssl;

    server_name radarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_radarr radarr;
        proxy_pass http://$upstream_radarr:7878;
    }
}

 

 

Here is my radarr4k file:

server {
    listen 443 ssl;

    server_name radarr4k.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_radarr4k radarr4k;
        proxy_pass http://$upstream_radarr4k:7879;
    }
}

 

 

Any ideas what I am doing wrong?

Link to comment
23 hours ago, guilhem31 said:

Hi everyone,

 

I'm sad I have to post here... everything was working fine until 3 days ago when one of my cache pool drive died.
I had problems with my /appdata backup and I had to delete files from the swag config (probably chmod problems or busy files the moment I wanted to backup).

I changed my cache drive without any other issue.

 

When I try to launch swag, I got this error in my log :

https://pastebin.com/mMuxi79e

 

My ovh.ini credentials are good.

I cleaned the _acme-challenge DNS entry from my OVH manager console.

My domain DNS are all ok,  A and CNAME.

Restarted swag container multiple times.... nothing.

 

I don't understand what I'm doing wrong. Any help would be VERY appreciated !

 

Use an earlier tag. It's an upstream issue.

Link to comment
57 minutes ago, RockDawg said:

I've had SWAG set up and running for a couple years now (back before it was SWAG) and it works great.  I have to admit I don't totally understand everything (or even much) about it, but via tutorials and this forum, I was able to get everything working. I switched to a wildcard cert a year or so ago without much issue. But I am having an issue trying to allow for a new subdomain.

 

I have had Radarr working all this time and I recently another instance to to handle 4K content.  I thought this would be super easy.  I went on to my Cloudflare dash and created a cname for radarr4k (the other is just radarr) and I copied my radarr site-conf, renamed it to radarr4k, replaced every instance of radarr inside with radarr4k and changes the port the port I use for radarr4k.  I thought it would be as simple as that and just work, but I get a 502 error whenvever I try to go to https://radarr4k.myserver.com.  

 

Here is my radarr file:


server {
    listen 443 ssl;

    server_name radarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_radarr radarr;
        proxy_pass http://$upstream_radarr:7878;
    }
}

 

 

Here is my radarr4k file:


server {
    listen 443 ssl;

    server_name radarr4k.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_radarr4k radarr4k;
        proxy_pass http://$upstream_radarr4k:7879;
    }
}

 

 

Any ideas what I am doing wrong?

You don't have to set a came in cloudflare when using wildcard. Wildcard is for everything.

 

I guess you are using a custom docker network for swag and radarrs, so no need to change the port in the proxy-conf as swag talks to the containers using the name. It is all internal in the custom network and therefor you use the container port.

  • Thanks 1
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.