[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



1 hour ago, ElectricBadger said:

Do we need to change anything in our unRAID configs in order to continue getting updates to this container, if it's being renamed? Or will the rename get picked up automatically?

I would assume that there will be a new container to swap to, as SWAG is in a different git repo than the Let's Encrypt image. There is currently no released one on the Community Applications plugin in unRAID, so I would assume they will release it when they have time.

11 hours ago, ElectricBadger said:

Do we need to change anything in our unRAID configs in order to continue getting updates to this container, if it's being renamed? Or will the rename get picked up automatically?

For now you can just edit the docker to point the repository from linuxserver/letsencrypt to linuxserver/swag, and it seems to work fine for me so far.


I have Let's Encrypt running on Nginx Proxy Manager and I'm looking to come back to this docker as my Let's Encrypt certs are set to expire, and they won't renew.

 

I have followed SpaceInvader's guide; when I start the Let's Encrypt docker I get

 

Challenge failed for domain nextcloud.mydomain.co.uk

 

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

The confusing part is my dockers are currently working, so it's like the port forward settings work but aren't allowing certificate renewal.

 

Quote

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/London
URL=bmydomain.co.uk
SUBDOMAINS=nextcloud,
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
DNSPLUGIN=
EMAIL=info@mydomain.co.uk
STAGING=

SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d nextcloud.mydomain.co.uk
E-mail address entered: info@mydomain.co.uk
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for nextcloudmydomain.co.uk
Waiting for verification...
Challenge failed for domain nextcloudmydomain.co.uk
http-01 challenge for nextcloud.mydomain.co.uk
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: nextcloud.mydomain.co.uk
Type: connection
Detail: Fetching

http:/iremoved thelinkfromhere
Connection refused

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

8 hours ago, Greygoose said:

I have Let's Encrypt running on Nginx Proxy Manager and I'm looking to come back to this docker as my Let's Encrypt certs are set to expire, and they won't renew.

 

I have followed SpaceInvader's guide; when I start the Let's Encrypt docker I get

 

Challenge failed for domain nextcloud.mydomain.co.uk

 

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

The confusing part is my dockers are currently working, so it's like the port forward settings work but aren't allowing certificate renewal.

 

 

Check your port forwarding for port 80

Follow this: https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/


Has anything changed recently? I had this all set up correctly and working great using DNS validation through Cloudflare, but lately whenever I try to check my SAB docker by using the letsencrypt domain, I can get to the login page, but once I log in I just get stuck on a "Lost connection to SABnzbd.." error screen. I can view SAB just fine when I go directly to the docker's internal address, just not when going through letsencrypt. Any ideas?


Hi All,

 

I set up the SWAG docker container last weekend and have reverse proxied all of the services I want except one, Pi-hole. I had it working when I was using a physical Pi-hole on my 192.168.0.0 network, and I have Pi-hole running fine when I use the custom network as per @SpaceInvaderOne's video, but I am unable to use the needed network that is shared with the SWAG container for all of the reverse proxy containers, as it is on the internal 172.18.0.0 network and I need it to be on my 192.168 network. The other issue is that unRAID is already using ports 80 and 443. I know I can change those, but port 67 is still being used by something and I'm not sure what. I tried searching this thread, but didn't have much luck. I'm certain it's something easy I'm missing, but just don't know what.

 

EDIT: After some more digging I determined that libvirt binds to port 67, which makes Pi-hole not start unless I disable my VM manager. I was able to get Pi-hole to work by specifying the letsencrypt custom interface and specifying the IP for the Pi-hole docker container, but now VM Manager won't start because the Pi-hole docker has port 67 bound now.

 

I also just realized that my Pi-hole is using the unRAID default internal IP and not the one I specified, so that won't work.

 

Any recommendations/best practices here?

 

 

Also, I set up Plex to reverse proxy via a subfolder as required, so I'm reverse proxying the root domain; is there a .conf file I can add the allow/deny entry to so the root site domain.com is only accessible from my internal network? I have all of the other services locked down via the appropriate file in proxy-confs.

Quote

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/New_York
URL=***.net
SUBDOMAINS=sonarr,radarr,ombi
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
DNSPLUGIN=
EMAIL=***@***.com
STAGING=

SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d sonarr.***.net -d radarr.***.net -d ombi.***.net
E-mail address entered: ***@***.com
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/sonarr.***.net/fullchain.pem!
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for ombi.***.net
http-01 challenge for radarr.***.net
http-01 challenge for sonarr.***.net
Waiting for verification...
Cleaning up challenges
IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/sonarr.***.net/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/sonarr.***.net/privkey.pem
Your cert will expire on 2020-11-24. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

New certificate generated; starting nginx
Downloading GeoIP2 City database.
tar: invalid tar magic
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)
Server ready

2 issues ...

1) Downloading GeoIP2 City database.
tar: invalid tar magic

I've added my API key for MaxMind but am getting an invalid tar magic error.

2) nginx isn't routing requests to my downstream app container on the same subnet.

The letsencrypt component seems to be working; nginx is just getting me to the welcome page. Not seeing issues in the container log file. App-specific sample .conf files have been changed to map to the specific container names in my environment [no other change other than renaming the file to remove .sample].

Any pointers as to why nginx isn't forwarding on the request to my downstream app container? Or where to look for log files?

Thank you in advance

1 hour ago, EvilTiger said:

2 issues ...

1) Downloading GeoIP2 City database.
tar: invalid tar magic

I've added my API key for MaxMind but am getting an invalid tar magic error.

2) nginx isn't routing requests to my downstream app container on the same subnet.

The letsencrypt component seems to be working; nginx is just getting me to the welcome page. Not seeing issues in the container log file. App-specific sample .conf files have been changed to map to the specific container names in my environment [no other change other than renaming the file to remove .sample].

Any pointers as to why nginx isn't forwarding on the request to my downstream app container? Or where to look for log files?

Thank you in advance

Likely your API key is not correctly added or is not correct.

If you're getting the default landing page, then likely the proxy conf is not activated correctly. Check its name, and check the server_name directive.

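The "welcome page" symptom in the reply above is what SWAG's default site conf serves when no proxy conf's server_name matches the Host header of the request: the default site uses the catch-all `server_name _;`. The file also has to be picked up by SWAG's wildcard include, which only reads files named `*.subdomain.conf` (or `*.subfolder.conf`) under /config/nginx/proxy-confs. What follows is an added example of an activated subdomain conf, written for this thread rather than copied from the page or from SWAG's own sample files; the container name `ombi`, the port 3579 (Ombi's default) and the assumption that SWAG and the Ombi container share a docker network, so that the container name resolves, are all assumptions that must match your environment.

```nginx
# /config/nginx/proxy-confs/ombi.subdomain.conf   (added example, not SWAG's sample)
# The filename matters: SWAG's nginx.conf includes proxy-confs/*.subdomain.conf,
# so "ombi.subdomain.conf.sample" or "ombi.conf" is never loaded at all.
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # This must match the Host the browser sends. A request for
    # request.example.net does not match "ombi.*", falls through to the
    # default site's "server_name _;" and shows the welcome page. Use the
    # exact subdomain/CNAME that is in DNS.
    server_name ombi.*;

    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;

        # Docker's embedded DNS. Resolving at request time (valid=30s) means
        # nginx still starts if the upstream container is down, instead of
        # failing the whole config at startup.
        resolver 127.0.0.11 valid=30s;

        set $upstream_app ombi;       # assumed container name on the shared network
        set $upstream_port 3579;      # assumed: Ombi's default listen port
        set $upstream_proto http;     # TLS terminates in SWAG; plain HTTP inside the docker network
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

After renaming or editing a conf, validate it from inside the container with `nginx -t` (for example `docker exec swag nginx -t`) and then restart or reload; a conf with a syntax error leaves the previous, working config running, which looks exactly like "my change had no effect". If validation passes and you still get the welcome page from one browser only, the cached response in that browser is the next suspect, as the thread goes on to find.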
11 hours ago, cardo said:

Hi All,

 

I set up the SWAG docker container last weekend and have reverse proxied all of the services I want except one, Pi-hole. I had it working when I was using a physical Pi-hole on my 192.168.0.0 network, and I have Pi-hole running fine when I use the custom network as per @SpaceInvaderOne's video, but I am unable to use the needed network that is shared with the SWAG container for all of the reverse proxy containers, as it is on the internal 172.18.0.0 network and I need it to be on my 192.168 network. The other issue is that unRAID is already using ports 80 and 443. I know I can change those, but port 67 is still being used by something and I'm not sure what. I tried searching this thread, but didn't have much luck. I'm certain it's something easy I'm missing, but just don't know what.

 

EDIT: After some more digging I determined that libvirt binds to port 67, which makes Pi-hole not start unless I disable my VM manager. I was able to get Pi-hole to work by specifying the letsencrypt custom interface and specifying the IP for the Pi-hole docker container, but now VM Manager won't start because the Pi-hole docker has port 67 bound now.

 

I also just realized that my Pi-hole is using the unRAID default internal IP and not the one I specified, so that won't work.

 

Any recommendations/best practices here?

 

 

Also, I set up Plex to reverse proxy via a subfolder as required, so I'm reverse proxying the root domain; is there a .conf file I can add the allow/deny entry to so the root site domain.com is only accessible from my internal network? I have all of the other services locked down via the appropriate file in proxy-confs.

If you give Pi-hole its own IP, it will use the macvlan network type. That type blocks connections between the container and the host (and everything else bridged on the host) as a security feature. So SWAG won't be able to connect to Pi-hole. We highly recommend running Pi-hole on bare metal (an RPi gets the job done) instead of in docker.

 

The subfolder confs get included in the main server block in the default site conf. You can edit that.

10 minutes ago, aptalca said:

Likely your API key is not correctly added or is not correct.

If you're getting the default landing page, then likely the proxy conf is not activated correctly. Check its name, and check the server_name directive.

Thank you for the quick response.

 

1) You're correct ... there was an extra space after the API key from the copy/paste.

 

2) For testing's sake, I tried to access via an external connection [over my mobile] and it worked, so it must be an internal NAT loopback issue. I need to figure out how to address this via the UniFi USG.

1 hour ago, EvilTiger said:

Thank you for the quick response.

 

1) You're correct ... there was an extra space after the API key from the copy/paste.

 

2) For testing's sake, I tried to access via an external connection [over my mobile] and it worked, so it must be an internal NAT loopback issue. I need to figure out how to address this via the UniFi USG.

Scratch that, I don't think it's a NAT loopback issue ... it works fine in Chrome locally and only goes to the 'Welcome ...' page in Microsoft Edge.

 

Must be a browser setting issue, any clues?

8 hours ago, aptalca said:

If you give Pi-hole its own IP, it will use the macvlan network type. That type blocks connections between the container and the host (and everything else bridged on the host) as a security feature. So SWAG won't be able to connect to Pi-hole. We highly recommend running Pi-hole on bare metal (an RPi gets the job done) instead of in docker.

 

The subfolder confs get included in the main server block in the default site conf. You can edit that.

Thanks for the response, so if I have a reverse proxy set up for Ombi like request.domain.com, adding the following to ombi.subdomain.conf will block someone from connecting to domain.com too?

 

allow 192.168.0.0/16;

deny all;

 

I have the SWAG container set to only subdomains and a CNAME record only for request.domain.com.

8 hours ago, EvilTiger said:

Scratch that, I don't think it's a NAT loopback issue ... it works fine in Chrome locally and only goes to the 'Welcome ...' page in Microsoft Edge.

 

Must be a browser setting issue, any clues?

Could be browser cache. Try an incognito window

58 minutes ago, cardo said:

Thanks for the response, so if I have a reverse proxy set up for Ombi like request.domain.com, adding the following to ombi.subdomain.conf will block someone from connecting to domain.com too?

 

allow 192.168.0.0/16;

deny all;

 

I have the SWAG container set to only subdomains and a CNAME record only for request.domain.com.

In your previous question, you were asking about subfolder. They are handled differently.

 

The basics are that server blocks are parents of location blocks. If you put the deny in a server block for Ombi, it will work for that subdomain and all child location blocks.

 

A subfolder proxy conf is a child location block of the main domain's server block.

 

So to answer your last question, if you add the allow/deny into the Ombi subdomain's server block, it will only affect that subdomain, not the main domain, as the main domain is served under a different server block.

35 minutes ago, aptalca said:

Could be browser cache. Try an incognito window

That was it! Thank you for the help, much appreciated.

29 minutes ago, aptalca said:

In your previous question, you were asking about subfolder. They are handled differently.

 

The basics are that server blocks are parents of location blocks. If you put the deny in a server block for Ombi, it will work for that subdomain and all child location blocks.

 

A subfolder proxy conf is a child location block of the main domain's server block.

 

So to answer your last question, if you add the allow/deny into the Ombi subdomain's server block, it will only affect that subdomain, not the main domain, as the main domain is served under a different server block.

If I wanted to prevent anyone from accessing domain.com, which .conf would the allow/deny go in? I am really new to nginx.

11 hours ago, cardo said:

If I wanted to prevent anyone from accessing domain.com, which .conf would the allow/deny go in? I am really new to nginx.

Put it in the main server block in the default site conf located at "/config/nginx/site-confs/default". That will take care of the main domain and all subfolder proxies.

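To make the inheritance rule from the two replies above concrete, here is an added example of the main server block in /config/nginx/site-confs/default with the access rules placed where they cover both the bare domain and every subfolder proxy. It is written for this thread, not copied from the page or from SWAG's shipped default file: the surrounding directives mirror the layout of SWAG's default site conf at the time, but edit your own file rather than pasting this over it. The LAN range 192.168.0.0/16 is taken from the question; the hypothetical /ombi location at the end only illustrates what a subfolder conf looks like once the include pulls it in.

```nginx
# /config/nginx/site-confs/default   (added example; only the allow/deny lines
# and the comments are the point, the rest mirrors SWAG's layout)
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    root /config/www;
    index index.html index.htm index.php;

    # Catch-all: any Host header with no server block of its own ends up here,
    # which is why an unmatched proxy conf shows the "Welcome" page.
    server_name _;

    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    # LAN-only for the bare domain. Access directives set in server context are
    # inherited by every location below, including each *.subfolder.conf that
    # the include at the bottom pulls into this block. A denied client gets 403.
    allow 192.168.0.0/16;
    allow 127.0.0.1;
    deny all;

    location / {
        try_files $uri $uri/ /index.html /index.php?$args =404;
    }

    # enable subfolder method reverse proxy confs
    include /config/nginx/proxy-confs/*.subfolder.conf;
}

# What a subfolder conf contributes once included above (hypothetical, to show
# the inheritance). Note the caveat: if a location declares its own allow/deny,
# nginx uses the location's list INSTEAD of the server's, not in addition to it,
# so a subfolder conf with "allow all;" in it would reopen that path.
# location /ombi {
#     include /config/nginx/proxy.conf;
#     resolver 127.0.0.11 valid=30s;
#     set $upstream_app ombi;
#     set $upstream_port 3579;
#     set $upstream_proto http;
#     proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# }

# A subdomain conf is a separate server block and inherits nothing from the
# block above: request.domain.com stays public unless its own conf denies.
```

Two things to check before trusting the rule. First, the address nginx compares is $remote_addr, the source IP of the TCP connection: with hairpin NAT some routers rewrite a LAN client's source to the router's own address, and if the hostname is proxied through a CDN every request arrives from the CDN's ranges, so in either case the deny would fire on everyone and the real client IP has to be recovered (nginx's realip module) before allow/deny means anything. Second, validate with `nginx -t` inside the container before restarting, then confirm from a device on mobile data that the bare domain returns 403 while the subdomains still load.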
43 minutes ago, aptalca said:

Put it in the main server block in the default site conf located at "/config/nginx/site-confs/default". That will take care of the main domain and all subfolder proxies.

Thank you very much!


Is this container now deprecated or not, because this message appears now:

 

******************************************************
******************************************************
* *
* *
* This image has been deprecated *
* *
* Use the new image at *
* *
* linuxserver/swag *
* *
* https://hub.docker.com/r/linuxserver/swag *
* *
* https://github.com/linuxserver/docker-swag *
* *
* *
* *
******************************************************
******************************************************

 

Will it get updates or do I have to setup swag instead?

Also, what are the differences? Can I just point my existing Let's Encrypt folder to SWAG and it will work OOB, and will there be an official template for SWAG?


Very good chance I'm wrong, but I'd swear someone said at one point that eventually going from the Letsencrypt container to SWAG would require some interaction on our part...

1 minute ago, blaine07 said:

Very good chance I'm wrong, but I'd swear someone said at one point that eventually going from the Letsencrypt container to SWAG would require some interaction on our part...

Works OOB in my case; just changed the repo from /letsencrypt to /swag.

22 minutes ago, blaine07 said:

Very good chance I'm wrong, but I'd swear someone said at one point that eventually going from the Letsencrypt container to SWAG would require some interaction on our part...

Quote

At this point, the SWAG and letsencrypt images are 100% compatible and we plan to keep SWAG backwards compatible as long as we can. The main change is to the docker image name, which was linuxserver/letsencrypt for the old image and is linuxserver/swag for the new.

 
