[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



The plugin "Fix common problems" said the letsencrypt template has an error because the name changed to SWAG, and asked if it could change something. It changed a URL of something. So I clicked OK to change it, and it changed the logo etc. and some text.

 

Tried a few times and it gave an error that a certificate could not be renewed, while everything it said was correct. It did say it successfully added DNS records etc. (using the DNS plugin) and also removed them again, but it still failed and the docker didn't want to start.

 

It also said

“Plugin legacy name certbot-dns-transip:dns-transip may be removed in a future version. Please use dns-transip instead. “

I think I use the correct plugin.

 

So I clicked apply again for the Xth time so that it refreshes/rebuilds the docker. Finally, after the Xth time (lost count), all errors were gone, the certificate works and the docker finally works.

 

The only thing it shows in the log is the following error, though everything seems to work again; it does not break the container just yet.

 

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

Link to comment

This is solved. Two things happened: one involved not putting the CORRECT docker container on the customer network, and the second involved removing the "directions" in the conf file and removing any authentication methods.

 

Hello, 

 

Yes, I'm late to the party on this and I've kinda hit a wall going from forum to forum so I apologize in advance for re-opening this can of worms...

I am having some configuration trouble getting radarr or ombi, or any docker on the docker proxy network, to show up when I use my domain. I just get "can't reach this page," but when I use the IP:port everything is fine. I'm using duckdns, which shouldn't be an issue unless I didn't look at the right thing... And as far as I understand, I should be able to go to myservernameradarr.duckdns.org (where the domain is active) and I should see radarr. Again, if I'm approaching this in the most ass-backwards way possible... then have a laugh at my expense and throw me some links to set me on the right path. :)

 

Swag is up and running, as I do see "Server Ready" in the logs. I've modified the proxy-configs as they should be, per the various documents and videos I've seen, and I think that is where my problem is, or at least I think... If anyone can point me in the right direction I will be very grateful. Here is where I stand with the configs (domain names are different, but otherwise the same as how I have them). I also left the instructions in there as I didn't feel like I needed to remove them (see having a laugh at my expense).
 

# make sure that your dns has a cname set for radarr and that your radarr container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name MYSERVERradarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app binhex-radarr;
        set $upstream_port 7878;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ (/radarr)?/api {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app binhex-radarr;
        set $upstream_port 7878;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

It may be obvious to you what the error is, but not to me so be gentle :)

Edited by 2nu2storage
Link to comment

Hey all,

 

I'm trying to access Home Assistant Core via the Let's Encrypt docker, and have updated the proxy.conf sample they have for Home Assistant with the new container name, as well as the port I mapped in. I can access the page via the subdomain I set up (it shows the HA user name and password prompt), but when I attempt to log in, it just shows the HA symbol and the "refresh" button.

 

Here's the proxy.conf:

# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name ha.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app Home-Assistant-Core;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

 

Is there something I'm doing wrong? I also set the external URL in the Home Assistant .yaml, but no dice.

 

Edit: I always seem to find the solution right after I post in this thread. For future reference, if anyone needs the config for this, you need to add a section for /api. Here's the updated (working) config:

 

# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name ha.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app Home-Assistant-Core;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
    location /api/ {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app Home-Assistant-Core;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Host $host;

        # websocket upgrade, needed for /api/websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

 

Edited by Coolsaber57
Link to comment
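An added example, not from the posts above and not SWAG's own code: the radarr conf earlier in the thread (with `location ~ (/radarr)?/api`) and the working Home Assistant conf just above (with `location /api/`) both depend on nginx choosing the API block ahead of the catch-all `location /`, which is the block that carries the basic/LDAP/Authelia includes. The script below reimplements nginx's location selection order (exact match, then longest prefix which is final if marked `^~`, then the first matching regex in file order, else the longest prefix) and runs it over location lists transcribed from those two confs. The `auth` flag (assumed to mean "the auth include in `location /` is enabled") and the sample URIs are assumptions for the demonstration. It shows that `/api/websocket` lands in the unauthenticated `/api/` block while `/auth/token` still goes through `/`, and that the radarr regex is unanchored, so any URI that merely contains `/api` (for example `/settings/api`) selects the API block as well; Radarr's own API key and Home Assistant's own token auth are what protect those paths, not the proxy.

```python
"""Added example (not SWAG's code): which nginx location block answers a URI."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Location:
    modifier: str   # "", "=", "^~", "~" or "~*", as in the nginx directive
    pattern: str    # prefix, exact path or PCRE pattern
    auth: bool      # assumption for the demo: does the block carry an auth include?
    label: str = ""


def select_location(uri: str, locations: List[Location]) -> Optional[Location]:
    """nginx's selection order: exact match; longest prefix (final if '^~');
    first matching regex in configuration order; otherwise the longest prefix.
    Assumes `uri` is already normalized the way nginx normalizes it."""
    best_prefix: Optional[Location] = None
    for loc in locations:
        if loc.modifier == "=" and uri == loc.pattern:
            return loc
        if loc.modifier in ("", "^~") and uri.startswith(loc.pattern):
            if best_prefix is None or len(loc.pattern) > len(best_prefix.pattern):
                best_prefix = loc
    if best_prefix is not None and best_prefix.modifier == "^~":
        return best_prefix
    for loc in locations:
        if loc.modifier in ("~", "~*"):
            flags = re.IGNORECASE if loc.modifier == "~*" else 0
            # regex locations are unanchored searches, as PCRE in nginx
            if re.search(loc.pattern, uri, flags):
                return loc
    return best_prefix


# Transcribed from the confs above; auth=True assumes the auth include in `location /` is enabled.
RADARR = [
    Location("", "/", auth=True, label="location /"),
    Location("~", r"(/radarr)?/api", auth=False, label="location ~ (/radarr)?/api"),
]
HOME_ASSISTANT = [
    Location("", "/", auth=True, label="location /"),
    Location("", "/api/", auth=False, label="location /api/"),
]


def auth_enforced(uri: str, locations: List[Location]) -> bool:
    """True when the block that answers `uri` carries the proxy-side auth include."""
    loc = select_location(uri, locations)
    return loc is not None and loc.auth


def report(locations: List[Location], uris: List[str]) -> dict:
    """Map each URI to (winning block label, whether proxy auth applies)."""
    return {u: (select_location(u, locations).label, auth_enforced(u, locations)) for u in uris}


if __name__ == "__main__":
    sample = ["/", "/api", "/api/websocket", "/auth/token", "/api/v3/movie", "/settings/api"]
    for name, locs in (("Home Assistant", HOME_ASSISTANT), ("Radarr", RADARR)):
        print(f"== {name} ==")
        for uri, (label, auth) in report(locs, sample).items():
            print(f"{uri:20} -> {label:28} proxy auth={auth}")
```

Note that `/api` without the trailing slash does not match the prefix `/api/` and falls back to `/`; if you anchor the radarr regex (`~ ^(/radarr)?/api`) only URIs that start with the API path bypass the catch-all block.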

Hello,

 

I have just followed these two guides;

 

https://technicalramblings.com/blog/cloudflare-fail2ban-integration-with-automated-set_real_ip_from-in-nginx/

 

&

 

https://technicalramblings.com/blog/blocking-countries-with-geolite2-using-the-letsencrypt-docker-container/

 

Almost everything seems to be going fine, with no errors that I haven't been able to fix with all the support on this forum. I say almost, as when I try a VPN and connect to my server via another country, I'm still able to get through; I'm not blocked, and the access is reported the same as my "non-VPN" attempts in the logs.

 

I've registered with MaxMind, entered the key and downloaded the GeoLite2 .mmdb file, ensuring that it is saved in the right location. On a side note, sendmail-whois.local still needs some amendment by me; however, I wanted to focus on actually securing my site before I continued attempts with notification.

 

I've attached four screenshots below of the amendments I've made to the various config files within SWAG, in the hopes someone can point out what I'm doing wrong.

 

Excellent work by the way on this container; it's impressive how much work has gone into it, including the SWAG support page.

 

In the meantime I'll continue to read through this forum for tips, I'm up to page 19 so far. 

 

Regards. 

 

[four screenshots of the config amendments attached]

 

Here is the current reported state of my jail list (if it helps): [screenshot attached]

 

***Edit - Whilst I'm trying to get to the bottom of my above problem, I wanted to ask yourselves (@linuxserver.io @saarg @aptalca @CHBMB) a question, as you clearly know what you are talking about (I'm up to page 72 of this thread, so much useful information!). What router would you recommend that works best with SWAG in a home setting? pfSense or Ubiquiti? Apologies if this should be on its own thread; I just thought I would tag it on to my question above, as my number one requirement of a new router will be that it fully supports and complements SWAG.

 

Edited by LoneTraveler
  • Like 1
Link to comment
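An added example, not part of the post above and not code from SWAG or from the linked guides: the two guides only work together if nginx first recovers the real client address. When traffic arrives through Cloudflare, the TCP peer nginx sees is a Cloudflare edge; `set_real_ip_from` plus `real_ip_header CF-Connecting-IP` swap in the real client only for peers on the trusted list, and everything downstream (the GeoIP country check, the fail2ban jail, the logged address) then acts on that recovered address. The script below mirrors that chain over a constructed set of requests (documentation ranges standing in for Cloudflare's list and for GeoLite2 data, an allow-list of GB and US, a three-strikes jail), and runs it twice: once with the trusted-proxy list populated and once with it empty, which is what a missing or stale `set_real_ip_from` amounts to. With the list empty, a client behind a foreign VPN exit is logged, geolocated and counted as the Cloudflare edge, indistinguishable from the owner, which is the symptom described above; with it populated, the real address is blocked and eventually banned, and a direct connection that forges the header is not believed.

```python
"""Added example (not SWAG's or the guides' code): real-IP recovery, country allow-list
and a fail2ban-style jail over constructed requests. All addresses are RFC 5737/3849
documentation ranges; the proxy list and the country table are stand-ins, not real data."""
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Stand-in for the set_real_ip_from list the guide generates from https://www.cloudflare.com/ips/
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "2001:db8:cf::/48")]

# Stand-in for a GeoLite2 country lookup (prefix -> ISO 3166-1 alpha-2); constructed
GEO = {
    ipaddress.ip_network("203.0.113.0/24"): "GB",
    ipaddress.ip_network("192.0.2.0/24"): "RU",
    ipaddress.ip_network("198.51.100.0/24"): "US",
}
ALLOWED_COUNTRIES = {"GB", "US"}

T0 = datetime(2020, 9, 16, 11, 0, 0)
# Constructed requests: (TCP peer, CF-Connecting-IP header, seconds after T0, request line, upstream status)
EVENTS = [
    ("198.51.100.20", "203.0.113.5", 0, "GET / HTTP/1.1", 200),     # owner in GB, via Cloudflare
    ("198.51.100.21", "192.0.2.7", 5, "GET / HTTP/1.1", 200),       # VPN exit in RU, via Cloudflare
    ("198.51.100.21", "192.0.2.7", 10, "POST /login HTTP/1.1", 401),
    ("198.51.100.22", "192.0.2.7", 20, "POST /login HTTP/1.1", 401),
    ("198.51.100.23", "192.0.2.7", 30, "POST /login HTTP/1.1", 401),
    ("192.0.2.99", "203.0.113.5", 40, "GET / HTTP/1.1", 200),       # direct hit with a forged header
]


def real_client_ip(peer: str, cf_connecting_ip: Optional[str], trusted) -> ipaddress._BaseAddress:
    """Same rule as nginx real_ip: the header is believed only when the TCP peer is a trusted proxy."""
    peer_addr = ipaddress.ip_address(peer)
    if cf_connecting_ip and any(peer_addr in net for net in trusted):
        return ipaddress.ip_address(cf_connecting_ip)
    return peer_addr


def country_of(ip) -> Optional[str]:
    return next((cc for net, cc in GEO.items() if ip in net), None)


class Jail:
    """Minimal fail2ban: `maxretry` failures from one IP inside `findtime` bans it."""

    def __init__(self, maxretry=3, findtime=timedelta(minutes=10), failure_statuses=(401, 403)):
        self.maxretry, self.findtime, self.failure_statuses = maxretry, findtime, failure_statuses
        self.hits = defaultdict(deque)
        self.banned = {}

    def observe(self, ip: str, ts: datetime, status: int) -> bool:
        if status in self.failure_statuses:
            q = self.hits[ip]
            q.append(ts)
            while ts - q[0] > self.findtime:      # drop hits outside the window
                q.popleft()
            if len(q) >= self.maxretry:
                self.banned.setdefault(ip, ts)
        return ip in self.banned


@dataclass
class Decision:
    peer: str
    real_ip: str
    country: Optional[str]
    status: int      # status after the geo check (403 when the country is not allowed)
    banned: bool


def process(events, trusted) -> List[Decision]:
    """Run the recovered address through the geo check and the jail, in request order."""
    jail, out = Jail(), []
    for peer, header, secs, _request, upstream_status in events:
        ip = real_client_ip(peer, header, trusted)
        cc = country_of(ip)
        status = upstream_status if cc in ALLOWED_COUNTRIES else 403
        banned = jail.observe(str(ip), T0 + timedelta(seconds=secs), status)
        out.append(Decision(peer, str(ip), cc, status, banned))
    return out


def banned_ips(decisions: List[Decision]) -> set:
    return {d.real_ip for d in decisions if d.banned}


if __name__ == "__main__":
    for label, trusted in (("with set_real_ip_from", TRUSTED_PROXIES), ("without set_real_ip_from", [])):
        print(f"--- {label} ---")
        for d in process(EVENTS, trusted):
            print(f"peer={d.peer:15} client={d.real_ip:15} country={d.country} status={d.status} banned={d.banned}")
```

The same trust rule is why the Cloudflare list must be refreshed automatically, as the first guide does: an edge outside the list is treated as the client, and its requests are then geolocated and banned as Cloudflare rather than as the real sender.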
On 9/16/2020 at 12:27 PM, LoneTraveler said:

[...]

What router would you recommend that works best with SWAG in a home setting? pfSense or Ubiquiti? Apologies if this should be on its own thread; I just thought I would tag it on to my question above, as my number one requirement of a new router will be that it fully supports and complements SWAG.

All routers work with SWAG as long as they support port forwarding. If you want to use the domain inside the home network, the router should support hairpin NAT/split DNS.

Both Ubiquiti and pfSense work.

Edited by saarg
  • Thanks 1
Link to comment
11 minutes ago, saarg said:

All routers work with SWAG as long as they support port forwarding. If you want to use the domain inside the home network, the router should support hairpin NAT/split DNS.

Both Ubiquiti and pfSense work.

Many thanks for your advice.

 

Could I be forward and ask what router you use? It would be interesting to see what routers the "elders of the Internet - IT Crowd" use. 😁

Link to comment
2 hours ago, LoneTraveler said:

Many thanks for your advice.

 

Could I be forward and ask what router you use? It would be interesting to see what routers the "elders of the Internet - IT Crowd" use. 😁

pfSense on an embedded Celeron mobo with 4 GB RAM, an Intel dual gigabit NIC (PCI-e), and the cheapest, smallest SSD in the cheapest case with a built-in PSU.

  • Thanks 1
Link to comment
3 hours ago, LoneTraveler said:

Many thanks for your advice.

 

Could I be forward and ask what router you use? It would be interesting to see what routers the "elders of the Internet - IT Crowd" use. 😁

pfSense in a 1U Supermicro rack server with an 8-core Xeon, 32 GB RAM and an SSD.

Just a little bit overkill.

Will probably install proxmox or something similar at one point to be able to test other firewalls.

  • Like 1
  • Thanks 1
Link to comment
pfSense in a 1U Supermicro rack server with an 8-core Xeon, 32 GB RAM and an SSD.
Just a little bit overkill.
Will probably install proxmox or something similar at one point to be able to test other firewalls.

I want to try Untangle and Sophos here, too, one day.

At any rate, have pfSense running on a Protectli box here and a spare instance going on a r720 in XCP.
  • Thanks 1
Link to comment

Hi,

 

I want to use the OnlyOffice document server for Nextcloud behind the proxy, but as a subfolder. aptalca posted a solution here which is working fine, but not for subfolder. OnlyOffice described a proxy-to-virtual-path here, but I could not get it to work. I am not so experienced with nginx.

 

Any ideas how a subfolder solution has to look?

 

Thanks in advance.

 

Link to comment
1 hour ago, blaine07 said:

If I change the template name from letsencrypt to SWAG, what issues is that going to cause me?

None.  A name is a name is a name.  I respond to Andrew, Squid, (and my wife's favourite: Asshole).  Doesn't change who I am. 

 

The whole point is to change the repository from linuxserver/letsencrypt to linuxserver/swag.  

 

The only place this would cause an issue is if you're routing your traffic from other containers through "Letsencrypt" vs "Swag". Which you're probably not. (You tend to only do that with containers that connect to a VPN, i.e. Binhex, and not this one, which simply forwards requests to a different port.)

  • Like 2
Link to comment
None.  A name is a name is a name.  I respond to Andrew, Squid, (and my wife's favourite: Asshole).  Doesn't change who I am. 
 
The whole point is to change the repository from linuxserver/letsencrypt to linuxserver/swag.  
 
The only place this would cause an issue is if you're routing your traffic from other containers through "Letsencrypt" vs "Swag". Which you're probably not. (You tend to only do that with containers that connect to a VPN, i.e. Binhex, and not this one, which simply forwards requests to a different port.)

Thank you for the thorough response! (I won’t call you asshole BUT ironically that’s my wife’s favorite for me, too).
Link to comment
22 minutes ago, blaine07 said:


Thank you for the thorough response! (I won't call you asshole, BUT ironically that's my wife's favorite for me, too.)

Sounds like we all have the same first name 😅

 

The only potential issue I'm aware of is in nextcloud's config.php where you allow a proxy. You'd have to change that to swag if you change the container name (and if you reverse proxy nextcloud)

Link to comment
Sounds like we all have the same first name
 
The only potential issue I'm aware of is in nextcloud's config.php where you allow a proxy. You'd have to change that to swag if you change the container name (and if you reverse proxy nextcloud)

[screenshot of the Nextcloud config.php attached]


Excuse my rudimentary pic, but I assume the first line? Shut down NC, change the letsencrypt name to swag (and let it boot up), change NC config.php, then boot Nextcloud back up?
Link to comment

Hey guys, I could use a little guidance... I'm not a computer guy by any stretch of the imagination, so setting up Nextcloud with a reverse proxy is WAY over my head... I'm just following SI video instructions and have no idea what everything is actually doing.

 

Anyway, in the video when setting up Letsencrypt/SWAG he used duckdns.org and his duckdns subdomains. I registered my own personal domains and created CNAMEs... BUT they forward to a duckdns URL. So in the field asking for the Domain Name... do I use the main URL I purchased or the DuckDNS.org one that everything is forwarding to?

 

Additionally, at the bottom of SWAG it has a field for a DuckDNS token, which was not in the old app that SI was using... Do I need to include that?

 

Currently I used my newly purchased Domain Name in the domain field, added the subs, then don't have anything in the field asking for a DuckDNS token... but I'm not wanting to move past this screen unless I know it's correct, because if all this doesn't work at the end, I will have NO idea where to look. So I REALLLLY want to get it right as I go through all of this.

 

ALSO, do I need to make subdomains for EVERYTHING like SAB, NZBget, Plex and other things like that which are on my server but go out onto the net?

 

Thanks for any guidance you can give....greatly appreciated!

Edited by SPOautos
Link to comment

UPDATE to my last post - I went ahead and "applied" those settings I mentioned above...

"Currently I used my newly purchased Domain Name in the domain field, added the subs, then don't have anything in the field asking for a DuckDNS token... but I'm not wanting to move past this screen unless I know it's correct, because if all this doesn't work at the end, I will have NO idea where to look. So I REALLLLY want to get it right as I go through all of this."

 

BUT in the logs all of the challenges failed. It seems like it was looking for an A record where I created CNAMEs... is that why? With the A record though you have to point it to an IP address; it won't let me point it to a Duckdns address.

 

Could this be because I just purchased the domain and created the CNAMEs about 2-3 hours ago? Does it need more time? Or do I just have the settings wrong?

 

Here is the SWAG log...

 

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
[linuxserver.io logo]

Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Chicago
URL=s2white.com
SUBDOMAINS=server,sonarr,radarr,lidarr,nextcloud
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=http
DNSPLUGIN=
EMAIL=stephen@whoopsiedaisyclothing.com
STAGING=false

SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Sub-domains processed are: -d server.s2white.com -d sonarr.s2white.com -d radarr.s2white.com -d lidarr.s2white.com -d nextcloud.s2white.com
E-mail address entered: stephen@whoopsiedaisyclothing.com
http validation is selected
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for lidarr.s2white.com
http-01 challenge for nextcloud.s2white.com
http-01 challenge for radarr.s2white.com
http-01 challenge for s2white.com
http-01 challenge for server.s2white.com
http-01 challenge for sonarr.s2white.com
Waiting for verification...
Challenge failed for domain lidarr.s2white.com
Challenge failed for domain nextcloud.s2white.com
Challenge failed for domain radarr.s2white.com
Challenge failed for domain s2white.com
Challenge failed for domain server.s2white.com
Challenge failed for domain sonarr.s2white.com
http-01 challenge for lidarr.s2white.com
http-01 challenge for nextcloud.s2white.com
http-01 challenge for radarr.s2white.com
http-01 challenge for s2white.com
http-01 challenge for server.s2white.com
http-01 challenge for sonarr.s2white.com
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: lidarr.s2white.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for lidarr.s2white.com -
check that a DNS record exists for this domain

Domain: nextcloud.s2white.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for
nextcloud.s2white.com - check that a DNS record exists for this

Domain: radarr.s2white.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for radarr.s2white.com -
check that a DNS record exists for this domain

Domain: server.s2white.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for server.s2white.com -
check that a DNS record exists for this domain

Domain: sonarr.s2white.com
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for sonarr.s2white.com -
check that a DNS record exists for this domain
- The following errors were reported by the server:

Domain: s2white.com
Type: unauthorized
Detail: Invalid response from
http://s2white.com/.well-known/acme-challenge/II7qAGyVqDFhBJ7WLQg2obnFCDxtWDqCxANhUwOgLVM
[34.102.136.180]: "<!doctype html><html lang=\"en\"><head><meta
http-equiv=\"content-type\"
content=\"text/html;charset=utf-8\"><meta name=\"viewport\" con"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
- Your account credentials have been saved in your Certbot
configuration directory at /etc/letsencrypt. You should make a
secure backup of this folder now. This configuration directory will
also contain certificates and private keys obtained by Certbot so
making regular backups of this folder is ideal.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

Edited by SPOautos
Link to comment
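An added example, not part of the post above and not SWAG's code: the log ends with NXDOMAIN for every subdomain (the public resolvers could not find the names at all, so a CNAME to duckdns would have been fine if it had existed; what certbot needs is that the name eventually resolves, through any CNAME chain, to the address port 80 is forwarded from) and, for the apex, an HTML page fetched from 34.102.136.180 instead of the challenge token, i.e. the apex resolved to something that is not SWAG. The script below is an offline pre-flight over a constructed zone (documentation addresses and an example domain, not the poster's): it builds the same name list SWAG derives from URL, SUBDOMAINS and ONLY_SUBDOMAINS (the variables printed at the top of the log), chases CNAMEs the way a resolver does, and reports per name whether it reaches the expected address, does not exist, loops, or points somewhere else. It also flags a CNAME placed at the apex, which DNS does not allow because the apex has to hold SOA and NS records. The second call shows the effect of ONLY_SUBDOMAINS=true, the SWAG setting for leaving the apex out of the certificate when it is hosted elsewhere.

```python
"""Added example (not SWAG's code): offline DNS pre-flight for an http-01 request.
ZONE and PUBLIC_IP are constructed data standing in for what public resolvers would answer."""
from typing import Dict, List, Tuple

PUBLIC_IP = "203.0.113.10"   # constructed: the address ports 80/443 are forwarded to SWAG from

# Constructed records, fully qualified (trailing dot) as in DNS.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "example-home.com.":           [("A", "198.51.100.80")],          # apex still points at the registrar's page
    "server.example-home.com.":    [("CNAME", "myserver.duckdns.org.")],
    "sonarr.example-home.com.":    [("CNAME", "myserver.duckdns.org.")],
    "radarr.example-home.com.":    [("CNAME", "myserver.duckdns.org.")],
    "nextcloud.example-home.com.": [("CNAME", "myserver.duckdns.org.")],
    # "lidarr.example-home.com." deliberately missing -> NXDOMAIN, as in the log above
    "myserver.duckdns.org.":       [("A", "203.0.113.10")],
    "cname-apex.example.":         [("CNAME", "myserver.duckdns.org.")],   # invalid placement
    "loop.example-home.com.":      [("CNAME", "loop2.example-home.com.")],
    "loop2.example-home.com.":     [("CNAME", "loop.example-home.com.")],
}


def resolve(name: str, zone=ZONE, max_chain: int = 8) -> Tuple[str, List[str], List[str]]:
    """Follow CNAMEs like a resolver; return (status, addresses, chain of names visited)."""
    chain, seen = [name], {name}
    while True:
        rrset = zone.get(name)
        if rrset is None:
            return "NXDOMAIN", [], chain          # dangling or missing name
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            return "OK", [rdata for rtype, rdata in rrset if rtype in ("A", "AAAA")], chain
        name = cnames[0]
        if name in seen or len(chain) >= max_chain:
            return "CNAME_LOOP", [], chain + [name]
        seen.add(name)
        chain.append(name)


def requested_names(url: str, subdomains: str, only_subdomains: bool) -> List[str]:
    """Same -d list SWAG builds from URL/SUBDOMAINS/ONLY_SUBDOMAINS ('Sub-domains processed' in the log)."""
    names = [f"{s}.{url}." for s in subdomains.split(",") if s]
    if not only_subdomains:
        names.insert(0, f"{url}.")
    return names


def preflight(url: str, subdomains: str, only_subdomains: bool,
              public_ip: str = PUBLIC_IP, zone=ZONE) -> Dict[str, str]:
    """Verdict per requested name before certbot is asked to prove control of it."""
    verdicts, apex = {}, f"{url}."
    for name in requested_names(url, subdomains, only_subdomains):
        if name == apex and any(rt == "CNAME" for rt, _ in zone.get(name, [])):
            verdicts[name] = "cname-at-apex"      # apex must carry SOA/NS, so no CNAME may sit there
            continue
        status, addrs, _chain = resolve(name, zone)
        if status == "NXDOMAIN":
            verdicts[name] = "nxdomain"
        elif status == "CNAME_LOOP":
            verdicts[name] = "cname-loop"
        elif public_ip in addrs:
            verdicts[name] = "ok"
        else:
            verdicts[name] = "wrong-ip:" + (",".join(addrs) or "none")   # http-01 would fetch from the wrong host
    return verdicts


if __name__ == "__main__":
    for only_subs in (False, True):
        print(f"ONLY_SUBDOMAINS={str(only_subs).lower()}")
        for name, verdict in preflight("example-home.com", "server,sonarr,radarr,lidarr,nextcloud", only_subs).items():
            print(f"  {name:32} {verdict}")
```

A "wrong-ip" verdict is the offline counterpart of the apex failure in the log: certbot fetched `/.well-known/acme-challenge/...` from whichever host the name pointed at and got that host's HTML back instead of the token. An "nxdomain" verdict means the record is not published yet (or under a different name), so waiting or re-checking the record name is the fix, not changing the CNAME to an A record.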
