[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



2 minutes ago, vurt said:

Oh, I installed SWAG/letsencrypt using the unRAID interface and this was all default.

 

Odd that this used to work until now?

 

Can you advise what I should do?

 

I'd hate to mess up my setup, everything has been working fine till Calibre-Web after I updated it. I did switch the letsencrypt repo to SWAG too.

 

Should I follow the instructions here?

 

 

Did you check if you can access calibre-web locally? If that doesn't work, this issue should be in the calibre-web thread instead.

Link to post

Just now, saarg said:

Did you check if you can access calibre-web locally? If that doesn't work, this issue should be in the calibre-web thread instead.

Yes I can access it via http://192.168.1.252:8083/.

 

Sorry I thought this is a reverse proxy issue. If we're confirming this is a calibre-web issue I'll post over there.

 

But re. "SWAG shouldn't be on bridge" — do I need to fix that anyway?

Link to post
2 minutes ago, vurt said:

Yes I can access it via http://192.168.1.252:8083/.

 

Sorry I thought this is a reverse proxy issue. If we're confirming this is a calibre-web issue I'll post over there.

 

But re. "SWAG shouldn't be on bridge" — do I need to fix that anyway?

Then it's a reverse proxy issue.

 

Post the docker run command of both swag and calibre-web.

 

You need to use a custom docker network bridge if you want to take advantage of using the container names for communication.

 

 

Link to post
23 minutes ago, saarg said:

Then it's a reverse proxy issue.

 

Post the docker run command of both swag and calibre-web.

 

You need to use a custom docker network bridge if you want to take advantage of using the container names for communication.

 

 

 

I've only installed dockers from the unRAID gui. Is there a way to get this information for you? Should I check the logs?

 

I'm probably using this command wrongly ...

 

root@Tower:~# docker run calibre-web
Unable to find image 'calibre-web:latest' locally
docker: Error response from daemon: pull access denied for calibre-web, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.
root@Tower:~# docker run letsencrypt
Unable to find image 'letsencrypt:latest' locally
docker: Error response from daemon: pull access denied for letsencrypt, repository does not exist or may require 'docker login': denied: requested access to the resource is denied.
See 'docker run --help'.

Here's what I get when I do it from the GUI:

 

calibre-web

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='calibre-web' --net='bridge' -e TZ="America/Los_Angeles" -e HOST_OS="Unraid" -e 'DOCKER_MODS'='linuxserver/calibre-web:calibre' -e '-e'='DOCKER_MODS=linuxserver/calibre-web:calibre' -e 'PUID'='99' -e 'PGID'='100' -p '8083:8083/tcp' -v '/mnt/user/Books/Calibre TOWER/':'/books':'rw' -v '/mnt/user/appdata/calibre-web':'/config':'rw' 'linuxserver/calibre-web'

c875805912b8f3698bfef2c25b0b300e4779df636bd4bee4edef344a133919e2

The command finished successfully!

 

swag

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='letsencrypt' --net='bridge' --privileged=true -e TZ="America/Los_Angeles" -e HOST_OS="Unraid" -e 'EMAIL'='email@gmail.com' -e 'URL'='domain.net' -e 'SUBDOMAINS'='www' -e 'ONLY_SUBDOMAINS'='false' -e 'DHLEVEL'='4096' -e 'VALIDATION'='dns' -e 'DNSPLUGIN'='cloudflare' -e 'PUID'='99' -e 'PGID'='100' -p '81:80/tcp' -p '443:443/tcp' -v '/mnt/user/appdata/letsencrypt':'/config':'rw' 'linuxserver/swag'

1b027e357b6b3c41e398d9cd24578313cab117de4c96ddf33abb6d56d235db91

The command finished successfully!

 

Edited by vurt
Link to post
20 hours ago, vurt said:

Thanks for suggesting that, I never knew there's a sample in there.

 

But I'm still getting the same 502 Bad Gateway error. I'm beginning to suspect it might be Calibre-Web. Someone on Reddit is also getting the same error when his/her reverse proxy worked fine before.

 

This is what I just tried based on the conf included in swag:

 


location /calibre {
    return 301 $scheme://$host/calibre/;
}

location ^~ /calibre/ {
    # enable the next two lines for http auth
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
    #auth_request /auth;
    #error_page 401 =200 /ldaplogin;

    # enable for Authelia, also enable authelia-server.conf in the default site config
    #include /config/nginx/authelia-location.conf;

    resolver 192.168.1.252 valid=30s;
    set $upstream_app calibre;
    set $upstream_port 8083;
    set $upstream_proto http;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    proxy_set_header Host $http_host;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Script-Name /calibre;
}

 

That's for calibre, not calibre-web

Link to post
3 minutes ago, aptalca said:

That's for calibre, not calibre-web

Do you mean the /calibre? I renamed it because I want to access it via domain.net/calibre instead of domain.net/calibre-web.

 

This hadn't been a problem previously. I literally have not touched anything besides updating calibre-web and switched letsencrypt to swag.

Link to post
10 minutes ago, vurt said:

Do you mean the /calibre? I renamed it because I want to access it via domain.net/calibre instead of domain.net/calibre-web.

 

This hadn't been a problem previously. I literally have not touched anything besides updating calibre-web and switched letsencrypt to swag.

You have added the IP in the wrong place in the proxy-conf. Don't change the resolver, change the upstream app variable to the IP.

 

If you would have used a custom docker bridge this would have been avoided. Then there are minimal things you need to change.

Link to post
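
The fix described above, written out as an added example (not part of the original posts and not the sample conf shipped with SWAG). The IP, port and paths come from the thread; the `resolver 127.0.0.11` value is assumed to be what the sample contained before it was edited, and `calibre-web` in variant B is the container name from the posted run command.

```nginx
location /calibre {
    return 301 $scheme://$host/calibre/;
}

# Variant A: SWAG and calibre-web both on Docker's default "bridge" network.
# Container names do not resolve there, so the upstream must be the host IP
# and the published port (192.168.1.252:8083 in the thread).
location ^~ /calibre/ {
    auth_basic "Restricted";
    auth_basic_user_file /config/nginx/.htpasswd;

    # Assumed original value: 127.0.0.11 is Docker's embedded DNS address.
    # nginx does not consult the resolver when the upstream is an IP literal,
    # so this line is left alone rather than pointed at the host.
    resolver 127.0.0.11 valid=30s;
    set $upstream_app 192.168.1.252;   # the IP goes here, not in "resolver"
    set $upstream_port 8083;
    set $upstream_proto http;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    proxy_set_header Host $http_host;
    proxy_set_header X-Scheme $scheme;
    proxy_set_header X-Script-Name /calibre;
}

# Variant B: both containers attached to the same user-defined network
# (for example my-net). Docker's embedded DNS then resolves container names,
# and only these lines differ from variant A:
#
#     resolver 127.0.0.11 valid=30s;
#     set $upstream_app calibre-web;   # the container's --name
#     set $upstream_port 8083;         # the container port, not a host mapping
```

With variant B the proxy reaches calibre-web over the shared network, so the `-p '8083:8083/tcp'` mapping is no longer needed for proxying. While that port stays published, the app remains reachable on the LAN without passing through the `auth_basic` check.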
2 hours ago, saarg said:

You have added the IP in the wrong place in the proxy-conf. Don't change the resolver, change the upstream app variable to the IP.

 

If you would have used a custom docker bridge this would have been avoided. Then there are minimal things you need to change.

 

That fixed it!! Thank you. I still don't understand why it worked previously though.

 

By "custom docker bridge", do you mean the custom network?

 

I just looked this up: https://docs.docker.com/network/bridge/

 

After running the command

$ docker network create my-net

Do I then use the unRAID GUI to edit all my dockers' config to point Network Type to "my-net" instead of "bridge"? Would that be it or is there other stuff I need to do?

 

My Emby is currently set to "Host", will that stay that way?

Edited by vurt
Link to post
2 hours ago, vurt said:

 

That fixed it!! Thank you. I still don't understand why it worked previously though.

 

By "custom docker bridge", do you mean the custom network?

 

I just looked this up: https://docs.docker.com/network/bridge/

 

After running the command


$ docker network create my-net

Do I then use the unRAID GUI to edit all my dockers' config to point Network Type to "my-net" instead of "bridge"? Would that be it or is there other stuff I need to do?

 

My Emby is currently set to "Host", will that stay that way?

Yes on my-net

 

Emby can stay on host, in which case you have to put the ip in the upstream app variable. Or you can switch to my-net and keep the proxy conf as is.

Link to post

Besides the HTTP header bug that no one else has (but thanks a lot for the effort saarg 🙂 ), I have another question.

What's the best way to back up Nextcloud? I have read about tar and sql dump but shouldn't it be enough to just copy the config volumes somewhere else?

Or is the dump and the tar process only to save disk space but both options would work?

Link to post
9 hours ago, DockX said:

Besides the HTTP header bug that no one else has (but thanks a lot for the effort saarg 🙂 ), I have another question.

What's the best way to back up Nextcloud? I have read about tar and sql dump but shouldn't it be enough to just copy the config volumes somewhere else?

Or is the dump and the tar process only to save disk space but both options would work?

Both would work, but simply copying the mapped folders is sufficient (don't forget mariadb data if you're using that)

Link to post
On 4/29/2020 at 10:02 PM, Heciruam said:

Is there an nginx .config.sample file for Mattermost? I just installed it and was wondering how to get public access.
 

Edit:
Ok I figured it out. I found a guide on how to do it here

Did you get it up and running?

Link to post
On 4/29/2020 at 10:02 PM, Heciruam said:

Is there an nginx .config.sample file for Mattermost? I just installed it and was wondering how to get public access.
 

Edit:
Ok I figured it out. I found a guide on how to do it here

Do you have it up and running?

Tried to use the documentation but never managed to get it working properly.

Link to post

Hey - trying to move over from Letsencrypt but keep getting an error when trying to edit the proxy-config files. Error states I don't have permission to save in that location. I could edit the Letsencrypt ones though, not sure why I can't with this container 😕

Link to post
On 11/27/2019 at 10:20 AM, dandiodati said:

Still have not been able to get letsencrypt to reverse proxy for unms. MothyTim sent me his configuration on a previous post but still did not work.

The regular login redirects me fine, just the websocket does not work, therefore unms device discovery etc. don't work correctly.

Anyone else have luck with unms?

I'm using the nico640/docker-unms docker container which starts fine and works correctly (websockets included) when I connect directly to it.

I attached my letsencrypt nginx/proxy-confs/unms.subdomain.conf configuration.

I have a custom network bridge set up for the letsencrypt container and unms (also have nextcloud in there which works correctly).

My DNS is set up correctly at Cloudflare with A name for main ip address and C names for unms and nextcloud pointing to it.

 

Any ideas or help for solving this issue ? Been fighting with it for a long time with no solution.

 

Dan

 

 

unms.subdomain.conf 1.42 kB · 0 downloads

Has anyone else gotten unms working behind swag? Still have issues with the websocket failing to pass through.

I tried again using the pages https://help.ui.com/hc/en-us/articles/115015690207-UNMS-Reverse-Proxy and testing with https://help.ui.com/hc/en-us/articles/115015690147 but no luck. The external curl with websockets just causes swag to show its default web page instead of forwarding to the unms container.

 

 

Link to post
On 9/24/2020 at 2:53 PM, Mihle said:

How I switched to swag that seemed to work:

  1. Create a folder named swag in appdata
  2. Copy all content from letsencrypt folder to swag
    (could also rename it but I did not want to change letsencrypt stuff before I knew swag worked fine)
  3. Install swag template and change settings
  4. Stop letsencrypt docker and start swag
  5. Change letsencrypt to swag in nextcloud config
  6. Done.

Good call here
I followed the same instructions 

01. created a new folder appdata/swag
02. copied content from appdata/letsencrypt/ to appdata/swag
03. located swag docker in app store and used the same settings from appdata/letsencrypt/
04. Applied settings
** note: if you have letsencrypt running and you copy settings the docker will download BUT not start as the same ports for letsencrypt are allocated **
05. stop letsencrypt docker
06. start swag docker
07. tested container 
08. successful

Edited by bombz
Link to post
On 10/2/2020 at 11:54 AM, xxDeadbolt said:

Hey - trying to move over from Letsencrypt but keep getting an error when trying to edit the proxy-config files. Error states I don't have permission to save in that location. I could edit the Letsencrypt ones though, not sure why I can't with this container 😕

So, once again proving my noob status: I wasn't using Krusader, I was trying to do it within Windows/File Explorer on my gaming rig... oops! All done, pretty much same steps as above!

Link to post
On 9/17/2020 at 6:28 PM, LoneTraveler said:

Could I be forward and ask what router you use? It would be interesting to see what routers the "elders of the Internet - IT Crowd" use. 😁

pfSense, on an Intel i7 box with extra network connections.

Link to post

Hello all, 

 

New to Unraid and new to dockers in general. I am trying to figure out how to get SWAG working with multiple domains. After searching through this topic I've found people asking similar questions and being referred to the GitHub readme. I have looked through the readme and have seen where to add extra domains in the docker settings and have done so. My question is where do I put the actual webpage files for the extra domains, I don't see that covered anywhere in the readme. If I've missed it please point me in the right direction or if anyone knows where I am supposed to put the webpage files for my other domains that would be greatly appreciated as well. Or if SWAG does not support having multiple domains run off of one docker in the sense that I am thinking please let me know.

 

Thanks in advance for any help!

Link to post
3 hours ago, SamuraiMarv said:

Hello all, 

 

New to Unraid and new to dockers in general. I am trying to figure out how to get SWAG working with multiple domains. After searching through this topic I've found people asking similar questions and being referred to the GitHub readme. I have looked through the readme and have seen where to add extra domains in the docker settings and have done so. My question is where do I put the actual webpage files for the extra domains, I don't see that covered anywhere in the readme. If I've missed it please point me in the right direction or if anyone knows where I am supposed to put the webpage files for my other domains that would be greatly appreciated as well. Or if SWAG does not support having multiple domains run off of one docker in the sense that I am thinking please let me know.

 

Thanks in advance for any help!

You can put them wherever you want as long as you reference it in the nginx config files. If you don't know how to do that, you need to do some more research into nginx.

Link to post
8 hours ago, saarg said:

You can put them wherever you want as long as you reference it in the nginx config files. If you don't know how to do that, you need to do some more research into nginx.

Roger that, thanks for the quick response. I will do some studying on Nginx!

Link to post
15 hours ago, SamuraiMarv said:

Roger that, thanks for the quick response. I will do some studying on Nginx!

Some of these guys are just so helpful.  If you just want to host static content locally, copy one of the example confs and put this in your server {} section and set the server_name appropriately.  Make sure that path is available by editing the container, go to the bottom, click + Add another Path, Port, Variable, Label or Device and map a path there.  I think what I did was made a share called wwwroot which makes a dir /mnr/user/wwwroot and then I mapped that to /wwwroot in the container.  Then you could host each domain below that like this.

 

    location / {
        root /wwwroot/marv1;
    }

 

It sounds like maybe you did this other part already, but if not:  make sure to support extra domains by editing the container, going to advanced view and adding them to Extra Parameters like -e EXTRA_DOMAINS=marvsamurai.com,samuraimarv.com

Link to post
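
The static-hosting setup described above as complete server blocks, one per extra domain. This is an added example, not part of the original posts and not a file shipped with SWAG. It assumes the `/wwwroot` container path mapping and the two `EXTRA_DOMAINS` names from the post; the `marv2` directory and the file name are hypothetical.

```nginx
# Hypothetical file: /config/nginx/site-confs/static-sites.conf
# Both names must be listed in EXTRA_DOMAINS so the certificate covers them.

server {
    listen 443 ssl;
    server_name marvsamurai.com;

    include /config/nginx/ssl.conf;   # SWAG's shared TLS settings

    root /wwwroot/marv1;              # directory from the post
    index index.html;

    location / {
        try_files $uri $uri/ =404;    # serve existing files only
    }

    # Do not serve dotfiles (.git, .htpasswd, editor backups) from the share.
    location ~ /\. {
        deny all;
    }
}

server {
    listen 443 ssl;
    server_name samuraimarv.com;

    include /config/nginx/ssl.conf;

    root /wwwroot/marv2;              # hypothetical second directory
    index index.html;

    location / {
        try_files $uri $uri/ =404;
    }

    location ~ /\. {
        deny all;
    }
}
```

nginx only reads from `/wwwroot`, so the path can be mapped read-only in the container settings.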
