
[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


8 hours ago, hernandito said:

I am liking that one too as well.... I am not sure if the LSIO team would approve of their logo being cropped like this though.

 

I think the icon is only seen at small size in the GUIs...

 

last one.... (icon mockup image)

Those are all some good options, but just a reminder, the name of the app is an acronym so it should be all caps


 

3 hours ago, aptalca said:

Those are all some good options, but just a reminder, the name of the app is an acronym so it should be all caps

Noted.... I agree that "Swag" above is not reading as an acronym... I was thinking of relating it to the word swag itself - gifts, freebies, bling... I am not sure that it works. It is hard to make letters into an icon... look at every instance of IMDB icons that are small... hard to make them great.

 

My personal favorites are the below... slightly edited from the earlier version. I have an all-caps and an all-lower-case version.

 


 

In context: (screenshot of the icon in the GUI)

 

 

Edited by hernandito


The plugin "Fix common problems" said the letsencrypt container has an error because the name changed to SWAG, and asked if it could change a... It changed a URL or something. So I clicked OK to change it, and it changed the logo etc. and some text.

 

Tried a few times and it gave an error that a certificate could not be renewed, while everything it said was correct. It did say it successfully added DNS records etc. (using the DNS plugin) and also removed them again, but it still failed and the docker didn't want to start.

 

It also said

“Plugin legacy name certbot-dns-transip:dns-transip may be removed in a future version. Please use dns-transip instead. “

I think I use the correct plugin.

 

So I clicked apply again for the Xth time so that it refreshes/rebuilds the docker. Finally, after the Xth time (lost count), all errors were gone, the certificate works and the docker finally works.

 

The only thing it shows in the log is the following error, though; everything seems to work again and it does not break the container just yet..

 

nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

35 minutes ago, KoNeko said:

Icon URL:

 

So I just need to change it in /boot/config/plugins/dockerMan/images ?


This is solved. Two things happened: one involved not putting the CORRECT docker container on the customer network, and the second involved removing the "directions" in the conf file and removing any authentication methods.

 

Hello, 

 

Yes, I'm late to the party on this and I've kinda hit a wall going from forum to forum so I apologize in advance for re-opening this can of worms...

I am having some configuration trouble with getting radarr or ombi, or any docker on the docker proxy network, to show up when I use my domain. I just get "can't reach this page," but when I use the IP:port everything is fine. I'm using duckdns, which shouldn't be an issue unless I didn't look at the right thing... And as far as I understand, I should be able to go to myservernameradarr.duckdns.org (where the domain is active) and I should see radarr. Again, if I'm approaching this in the most ass-backwards way possible... then have a laugh at my expense and throw me some links to set me on the right path. :)

 

Swag is up and running, as I do see "Server Ready" in the logs. I've modified the proxy-configs as they should be per the various documents and videos I've seen, and I think that is where my problem is, or at least I think... If anyone can point me in the right direction I will be very grateful. Here is where I stand with the configs (domain names are different, but the same as how I have them). I also left the instructions in there as I didn't feel like I needed to remove them (see having a laugh at my expense)?
 

# make sure that your dns has a cname set for radarr and that your radarr container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name MYSERVERradarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app binhex-radarr;
        set $upstream_port 7878;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ (/radarr)?/api {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app binhex-radarr;
        set $upstream_port 7878;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

It may be obvious to you what the error is, but not to me so be gentle :)

Edited by 2nu2storage

5 minutes ago, Akitaka said:

So i need just change it in /boot/config/plugins/dockerMan/images ?

Edit the template, switch to advanced view and change the icon URL

2 minutes ago, Squid said:

Edit the template, switch to advanced view and change the icon URL

OMG, thx, I always thought that I was already in advanced mode :(


Hey all,

 

I'm trying to access Home Assistant Core via the letsencrypt docker. I have updated the proxy.conf sample they have for Home Assistant with the new container name, as well as the port I mapped in. I can access the page via the subdomain I set up (it shows the HA user name and password prompt), but when I attempt to log in, it just shows the HA symbol and the "refresh" button.

 

Here's the proxy.conf:

# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name ha.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app Home-Assistant-Core;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

 

Is there something I'm doing wrong? I also set the external URL in the Home Assistant .yaml, but no dice.

 

Edit: I always seem to find the solution right after I post in this thread.  For future reference, if anyone needs the config for this, you need to add a section for /api.  Here's the updated (working) config:

 

# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name ha.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app Home-Assistant-Core;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
    location /api/ {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app Home-Assistant-Core;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

 

Edited by Coolsaber57


Hello,

 

I have just followed these two guides;

 

https://technicalramblings.com/blog/cloudflare-fail2ban-integration-with-automated-set_real_ip_from-in-nginx/

 

&

 

https://technicalramblings.com/blog/blocking-countries-with-geolite2-using-the-letsencrypt-docker-container/

 

Almost everything seems to be going fine, with no errors that I haven't been able to fix with all the support on this forum. I say almost, as when I try a VPN and connect to my server via another country, I'm still able to get through, I'm not blocked and the access is reported as the same as my "non-VPN" attempts in the logs?

 

I've registered with MaxMind, entered the key and downloaded the GeoLite2.mmdb file, ensuring that it is saved in the right location. On a side note, sendmail-whois.local still needs some amendment by me; however, I wanted to focus on actually securing my site before I continued attempts with notification.

 

I've attached four screenshots below of the amendments I've made to the various config files within SWAG, in the hopes someone can point out what I'm doing wrong.

 

Excellent work by the way on this container; it's impressive how much work has gone into it, including the SWAG support page.

 

In the meantime I'll continue to read through this forum for tips, I'm up to page 19 so far. 

 

Regards. 

 


 

Here is the current reported state of my jail list (if it helps);

 


 

***Edit - Whilst I'm trying to get to the bottom of my above problem, I wanted to ask you (@linuxserver.io @saarg @aptalca @CHBMB) a question, as you clearly know what you are talking about (I'm up to page 72 of this thread, so much useful information!). What router would you recommend that works best with SWAG in a home setting? pfSense or Ubiquiti? Apologies if this should be on its own thread; I just thought I would tag it on to my question above, as my number one requirement of a new router will be that it fully supports and complements SWAG.

 

Edited by LoneTraveler
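The country block in the two guides above only works if nginx looks up the visitor's own address: the geoip2 lookup keys on $remote_addr, and when traffic arrives via Cloudflare that address is the Cloudflare edge until the real-IP step restores it. The fragment below is an added example, not from the thread or the linked guides, showing the two pieces together and a log format for checking the result; the database path, the allowed country and the address range are assumptions.

```nginx
# Added example for SWAG's nginx (http context, e.g. a file included from nginx.conf).
# Paths, country list and address range below are assumptions for illustration.

# 1. Restore the visitor's address for requests that came through Cloudflare.
#    Without this, $remote_addr is the Cloudflare edge and every request is
#    looked up as the edge's country, so a country block never triggers.
#    Take the ranges from Cloudflare's published list; one shown as an example.
set_real_ip_from 173.245.48.0/20;
real_ip_header   CF-Connecting-IP;

# 2. Country lookup against the GeoLite2 database (ngx_http_geoip2_module).
#    Runs against the restored $remote_addr, so it must follow step 1 in effect.
geoip2 /config/geoip2db/GeoLite2-Country.mmdb {   # assumed path
    auto_reload 5m;
    $geoip2_country_code country iso_code;
}

# 3. Allow-list: unknown or unlisted countries fall through to "no".
map $geoip2_country_code $allowed_country {
    default no;
    GB      yes;   # assumed home country
}

# 4. Check step: log the address nginx actually evaluated and the code it got.
#    A VPN test from another country should show that country's code here;
#    if it shows the Cloudflare range instead, step 1 is not taking effect.
log_format geo '$remote_addr [$geoip2_country_code] "$request" $status';
access_log /config/log/nginx/geo.log geo;

# 5. Enforce in each proxied server block (pattern follows SWAG's proxy-confs).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name ha.*;
    include /config/nginx/ssl.conf;

    if ($allowed_country = no) {
        return 444;   # drop the connection without a response body
    }

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app Home-Assistant-Core;   # assumed container name
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

The `geoip2` and `map` blocks are valid only in the http context, while `set_real_ip_from`, `real_ip_header` and the `if` test may also sit inside a server block if only some hosts should be restricted.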

On 9/16/2020 at 12:27 PM, LoneTraveler said:

What router would you recommend that works best with SWAG in a home setting? pfSense or Ubiquiti?

All routers work with swag as long as they support port forwarding. If you want to use the domain inside the home network, the router should support hairpin NAT/split DNS.

Both Ubiquiti and pfSense work.

Edited by saarg

11 minutes ago, saarg said:

All routers work with swag as long as they support port forwarding. If you want to use the domain inside the home network, the router should support hairpin NAT/split DNS.

Both Ubiquiti and pfSense work.

Many thanks for your advice.

 

Could I be forward and ask what router you use? It would be interesting to see what routers the "elders of the Internet - IT Crowd" use. 😁

2 hours ago, LoneTraveler said:

Many thanks for your advice.

 

Could I be forward and ask what router you use? It would be interesting to see what routers the "elders of the Internet - IT Crowd" use. 😁

pfSense on an embedded Celeron mobo with 4GB RAM, an Intel dual gigabit NIC (PCI-e), the cheapest, smallest SSD, in the cheapest case with a built-in PSU.

3 hours ago, LoneTraveler said:

what routers the "elders of the Internet - IT Crowd" use. 😁

pfSense in a VM running on Unraid for daily use, pfSense on old PC hardware as a backup when I need extended downtime on the main Unraid box for some reason.

3 hours ago, LoneTraveler said:

Many thanks for your advice.

 

Could I be forward and ask what router you use? It would be interesting to see what routers the "elders of the Internet - IT Crowd" use. 😁

pfSense in a 1U Supermicro rack server with an 8-core Xeon, 32GB RAM and an SSD.

Just a little bit overkill.

Will probably install proxmox or something similar at one point to be able to test other firewalls.

pfSense in a 1U Supermicro rack server with an 8-core Xeon, 32GB RAM and an SSD.
Just a little bit overkill.
Will probably install proxmox or something similar at one point to be able to test other firewalls.

I want to try Untangle and Sophos here, too, one day.

At any rate, I have pfSense running on a Protectli box here and a spare instance going on an R720 in XCP.


Hi,

 

I want to use the onlyoffice documentserver for nextcloud behind the proxy, but as a subfolder. aptalca posted a solution here which is working fine, but not for a subfolder. onlyoffice described a proxy-to-virtual-path here, but I could not get it to work. I am not so experienced with nginx.

 

Any ideas how a subfolder solution has to look?

 

Thanks in advance.

 


Hi, 

 

I just wanted to say a big thanks to everyone who got me back on track especially @GilbN, SWAG is all up and running for me along with Fail2ban and GeoIP2, thank you! 

Edited by LoneTraveler


If I change the template name from letsencrypt to SWAG, what issues is that going to cause me? Is it usually referenced by container name anywhere else?

1 hour ago, blaine07 said:

If i change template name from letsencrypt to SWAG what issues is that going to cause me?

None.  A name is a name is a name.  I respond to Andrew, Squid, (and my wife's favourite: Asshole).  Doesn't change who I am. 

 

The whole point is to change the repository from linuxserver/letsencrypt to linuxserver/swag.  

 

The only place this would cause an issue is if you're routing your traffic from other containers through "Letsencrypt" vs "Swag". Which you're probably not. (You tend to only do that with containers that connect to a VPN, i.e. Binhex, and not this one, which simply forwards requests to a different port.)

None.  A name is a name is a name.  I respond to Andrew, Squid, (and my wife's favourite: Asshole).  Doesn't change who I am. 
 
The whole point is to change the repository from linuxserver/letsencrypt to linuxserver/swag.  
 
The only place this would cause an issue is if you're routing your traffic from other containers through "Letsencrypt" vs "Swag". Which you're probably not. (You tend to only do that with containers that connect to a VPN, i.e. Binhex, and not this one, which simply forwards requests to a different port.)

Thank you for the thorough response! (I won’t call you asshole BUT ironically that’s my wife’s favorite for me, too).

22 minutes ago, blaine07 said:


Thank you for the thorough response! (I won't call you asshole BUT ironically that's my wife's favorite for me, too).

Sounds like we all have the same first name 😅

 

The only potential issue I'm aware of is in nextcloud's config.php where you allow a proxy. You'd have to change that to swag if you change the container name (and if you reverse proxy nextcloud)

