[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



Hi,

 

I did a search for this error and the only solution I could find was to delete the old conf files and let the docker container redownload by restarting it. But the error still remains:

 

"nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)"

 

Any help would be very appreciated ... I am an unRaid newbie :/

 

 

[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

Edited by Syed
Link to post

Hey All - I've got this up and running for a while now - great image thanks. Just a question though, is it possible to have a wild card URL entry? Kind of like the way google does with *.google.com?

 

My current setup just has this:

 

URL=topleveldomain.com

SUBDOMAINS=portainer,sonarr,radarr

 

But when I click to view the cert in the browser it seems that it sets portainer.topleveldomain.com as the URL and the rest in the SAN where they should be. Was just looking to see if possible to clean up. Currently, my topleveldomain doesn't point to anything if that makes a difference?

Link to post

I'm having an interesting problem with LetsEncrypt. Two issues I've experienced I would like to try and resolve: if I use DNS through Cloudflare my subdomains become unbearably slow. If I do the subdomains through my registrar and forego Cloudflare, anytime I add or remove a subdomain LetsEncrypt reports a firewall/timeout error for several hours rendering my subdomains inaccessible. Does anyone know why this is happening?

Link to post
2 hours ago, td00 said:

Hey All - I've got this up and running for a while now - great image thanks. Just a question though, is it possible to have a wild card URL entry? Kind of like the way google does with *.google.com?

 

My current setup just has this:

 

URL=topleveldomain.com

SUBDOMAINS=portainer,sonarr,radarr

 

But when I click to view the cert in the browser it seems that it sets portainer.topleveldomain.com as the URL and the rest in the SAN where they should be. Was just looking to see if possible to clean up. Currently, my topleveldomain doesn't point to anything if that makes a difference?

Yes, you can get wildcard certs. It's explained in the readme

Link to post
1 hour ago, thunderclap said:

I'm having an interesting problem with LetsEncrypt. Two issues I've experienced I would like to try and resolve: if I use DNS through Cloudflare my subdomains become unbearably slow. If I do the subdomains through my registrar and forego Cloudflare, anytime I add or remove a subdomain LetsEncrypt reports a firewall/timeout error for several hours rendering my subdomains inaccessible. Does anyone know why this is happening?

You probably had cloudflare cache/proxy turned on, which we recommend against. It's explained in the docs article linked in the first post

Link to post

Hi Guys,

 

I am trying to get swag working with Snipe-IT but I didn't see any configs available for it. Can someone help me figure out a way to get it working?

 

Swag log

[image]

 

I have swag setup and the docker Snipe-IT is also setup and working.

[image]

 

I tried copying a similar config and changing it for my needs but I get a "502 Bad Gateway" error.

[image]

 

Here is the config file I started

snipe.mydomin.com is the domain, so I used server_name snipe.*

 

server {
    listen 443 ssl;

    server_name snipe.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app snipe-it;
        set $upstream_port 8000;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

Let me know what information would be useful in troubleshooting. I'm not sure where to go from here.

 

Thanks,

Victor

Link to post
39 minutes ago, vuribe1221 said:

Hi Guys,

 

I am trying to get swag working with Snipe-IT but I didn't see any configs available for it. Can someone help me figure out a way to get it working?

 

Swag log

[image]

 

I have swag setup and the docker Snipe-IT is also setup and working.

[image]

 

I tried copying a similar config and changing it for my needs but I get a "502 Bad Gateway" error.

[image]

 

Here is the config file I started

snipe.mydomin.com is the domain, so I used server_name snipe.*

 


server {
    listen 443 ssl;

    server_name snipe.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app snipe-it;
        set $upstream_port 8000;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

Let me know what information would be useful in troubleshooting. I'm not sure where to go from here.

 

Thanks,

Victor

You don't use the host port when using a custom bridge. You use the container port, which is port 80.

Link to post
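
The host-port versus container-port mix-up diagnosed in the reply above, as an added example that is not part of the original thread: a small Python check that compares a proxy conf's `$upstream_port` with the `-p` mappings of the target container. The `docker run` line and the `example/snipe-it` image name are constructed, and the 8000:80 mapping is an assumption taken from the reply.

```python
import re
import shlex

# Constructed input, not from the thread: Snipe-IT is assumed to publish host
# port 8000 to container port 80; "example/snipe-it" is a placeholder image.
DOCKER_RUN = ("docker run -d --name='snipe-it' --net='proxynet' "
              "-p '8000:80/tcp' 'example/snipe-it'")

# The location block from the post, reduced to the lines the check reads.
PROXY_CONF = """
location / {
    set $upstream_app snipe-it;
    set $upstream_port 8000;
    set $upstream_proto http;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
"""

def published_ports(docker_run):
    """Return (container name, {host_port: container_port}) from a docker run line."""
    args = shlex.split(docker_run)
    name, ports = None, {}
    for i, arg in enumerate(args):
        if arg.startswith("--name="):
            name = arg.split("=", 1)[1]
        elif arg in ("-p", "--publish") and i + 1 < len(args):
            parts = args[i + 1].split("/")[0].split(":")  # drop "/tcp"
            # [ip:]host:container; a bare "-p 80" or a port range is skipped
            if len(parts) >= 2 and parts[-2].isdigit() and parts[-1].isdigit():
                ports[int(parts[-2])] = int(parts[-1])
    return name, ports

def upstream_target(conf):
    """Read the `set $upstream_app` and `set $upstream_port` values from a conf."""
    vals = dict(re.findall(r"set\s+\$(upstream_\w+)\s+([^;\s]+);", conf))
    port = vals.get("upstream_port", "")
    return vals.get("upstream_app"), int(port) if port.isdigit() else None

def check(docker_run, conf):
    """Flag a conf that proxies to the host-side port of a bridge-network container."""
    name, ports = published_ports(docker_run)
    app, port = upstream_target(conf)
    if app != name:
        return f"conf targets {app!r}, but the container is named {name!r}"
    if port in ports.values():
        return "ok"
    if port in ports:
        return f"upstream_port {port} is the host port; use container port {ports[port]}"
    return f"upstream_port {port} is not in the -p mappings; confirm the app's listen port"

if __name__ == "__main__":
    print(check(DOCKER_RUN, PROXY_CONF))
```

A port that is not published at all can still be reachable on the custom bridge, so the last message asks for confirmation rather than reporting an error.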

Hi,

 

Just installed the swag container yesterday, and all is working fine so far.

Now I need to limit access to the services.
 

Regarding access control, after reading the documentation and config files, it seems the choices are: basic auth, ldap, authelia or organizr auth.

Except for jellyfin, all other services just need authorization (sonarr, radarr, jackett, qbitorrent, ...)
I'd like to keep it as simple as possible, on the configuration side as well as for user experience.

Ideally:

  • login once, then access all services (except Jellyfin as it needs authentication and does not support OIDC)
  • centralize unraid users with reverse proxy ones: active directory / ldap?
  • web ui to add/edit users

Another point is to get access to my docker services on both the external and local network.

Is there a way, with some kind of DNS override, to access my services locally using the xxx.duckdns.org URL (when connected to my local network, xxx.duckdns.org will redirect to the unraid box IP)?

Maybe using a services dashboard like heimdall/organizr/ombi will help to access services 'transparently', whether local or external?

 

Thanks

Link to post
12 hours ago, mika91 said:

Hi,

 

Just installed the swag container yesterday, and all is working fine so far.

Now I need to limit access to the services.
 

Regarding access control, after reading the documentation and config files, it seems the choices are: basic auth, ldap, authelia or organizr auth.

Except for jellyfin, all other services just need authorization (sonarr, radarr, jackett, qbitorrent, ...)
I'd like to keep it as simple as possible, on the configuration side as well as for user experience.

Ideally:

  • login once, then access all services (except Jellyfin as it needs authentication and does not support OIDC)
  • centralize unraid users with reverse proxy ones: active directory / ldap?
  • web ui to add/edit users

Another point is to get access to my docker services on both the external and local network.

Is there a way, with some kind of DNS override, to access my services locally using the xxx.duckdns.org URL (when connected to my local network, xxx.duckdns.org will redirect to the unraid box IP)?

Maybe using a services dashboard like heimdall/organizr/ombi will help to access services 'transparently', whether local or external?

 

Thanks

I use authelia and it works great. There is no webui for user management yet (I hear it's in the works), but you can set up the users in a number of ways including ldap (I use a simple yaml file).

 

See here: https://blog.linuxserver.io/2020/08/26/setting-up-authelia/

 

For accessing the domain on lan, you need either a hairpin nat or nat loopback (if your router supports it), or you can set up a split dns (where you tell your local dns to resolve the domain to the unraid lan ip). The main caveat is that swag has to use port 443 on the host, which means you'll have to change unraid's https port to a different one first. Afterwards all requests for https://yourdomain.com will resolve to unraid and the client will connect to swag directly on lan (for http to https redirect, you'd need to change unraid's port 80 as well, so swag can use it, but I don't do that and instead only use the https endpoint so only port 443 goes to swag). Google the three terms I mentioned above and you'll find plenty of info for your router/setup.

Link to post

Hi there,

I posted the problem I'm facing on the Unraid general support but I received no replies. I'm hoping I can get some feedback here. I changed from Letsencrypt to Swag recently and after the change I lose access to multiple sections in Unraid and all dockers stop functioning properly... I lose access thru the UI to the Dashboard, Docker and the bottom portion of the Main tab. The console gets unresponsive to any docker command and to the "powerdown" capability so every time I restart the system it has to do a parity check. Of course none of the apps using the reverse proxy are working to the outside.

The migration was based on a fresh installation and I just copied the conf files from Letsencrypt. The Unraid logs show the following error (it varies depending on the page I'm trying):

nginx: 2020/10/12 10:06:48 [error] 32315#32315: *246154 upstream timed out (110: Connection timed out) while reading response header from upstream, client ... upstream: "fastcgi://unix:/var/run/php5-fpm.sock" ...

Any suggestion would be greatly appreciated. Please help!

Link to post
8 hours ago, aptalca said:

I don't know, you tell me. Check all the confs in the /config/nginx folder

It was the Emby subconfig file that had that configuration but I don't know where that came from.

Anyway, it's solved. Thank you!

Link to post
16 hours ago, Mesias said:

Hi there,

I posted the problem I'm facing on the Unraid general support but I received no replies. I'm hoping I can get some feedback here. I changed from Letsencrypt to Swag recently and after the change I lose access to multiple sections in Unraid and all dockers stop functioning properly... I lose access thru the UI to the Dashboard, Docker and the bottom portion of the Main tab. The console gets unresponsive to any docker command and to the "powerdown" capability so every time I restart the system it has to do a parity check. Of course none of the apps using the reverse proxy are working to the outside.

The migration was based on a fresh installation and I just copied the conf files from Letsencrypt. The Unraid logs show the following error (it varies depending on the page I'm trying):

nginx: 2020/10/12 10:06:48 [error] 32315#32315: *246154 upstream timed out (110: Connection timed out) while reading response header from upstream, client ... upstream: "fastcgi://unix:/var/run/php5-fpm.sock" ...

Any suggestion would be greatly appreciated. Please help!

I don't see how swag can have anything to do with losing access to parts of unraid. Turn off the container and see if it helps, if not, it has nothing to do with swag. If it helps, you have misconfigured something, but I do not know how you could manage that.

Link to post
1 hour ago, SPOautos said:

My Swag GUI looks like this....it basically looks like data from my Heimdall app. Am I doing something wrong between the two? If this is messed up what would be the most likely cause?

 

swag gui.jpg

Swag doesn't have a GUI.

Link to post
Just now, saarg said:

Swag doesn't have a GUI.

 

okay, so it's in the dropdown where you can select webgui but it's not actually built in yet, correct? So is what I am seeing normal when I select on that webgui in the swag dropdown (for someone with Heimdall)?

Link to post
3 minutes ago, SPOautos said:

 

okay, so it's in the dropdown where you can select webgui but it's not actually built in yet, correct? So is what I am seeing normal when I select on that webgui in the swag dropdown (for someone with Heimdall)?

That goes to the default landing page of swag if you haven't changed it yourself in the nginx default file. Nginx is the webserver.

Have you added Heimdall to swag?

You should post your docker run command.

Link to post
1 hour ago, saarg said:

That goes to the default landing page of swag if you haven't changed it yourself in the nginx default file. Nginx is the webserver.

Have you added Heimdall to swag?

You should post your docker run command.

 

I have the Heimdall template network type pointing to the reverse proxy network and I have Heimdall listed but as "server" instead of Heimdall so that my url that pulls up Heimdall is server.myurl.com.....and it all functions perfectly except this one issue.

 

How do I post my "docker run command"? Please forgive the ignorance but I'm brand new to all of this....."all of this" being computers, networks, servers, Unraid, all of it. I've been working on my server for about 2 months and just trying my best to learn everything as I go. A couple months ago I'd never heard of a reverse proxy, VPN, VM....nothing lol. So I'm about as newbie as they come....BUT slowly I'm getting it all working great!

 

If you can get me a little more info regarding the docker run command I'll post it and maybe we can figure out if I need to edit something in nginx.

Link to post
7 hours ago, SPOautos said:

 

I have the Heimdall template network type pointing to the reverse proxy network and I have Heimdall listed but as "server" instead of Heimdall so that my url that pulls up Heimdall is server.myurl.com.....and it all functions perfectly except this one issue.

 

How do I post my "docker run command"? Please forgive the ignorance but I'm brand new to all of this....."all of this" being computers, networks, servers, Unraid, all of it. I've been working on my server for about 2 months and just trying my best to learn everything as I go. A couple months ago I'd never heard of a reverse proxy, VPN, VM....nothing lol. So I'm about as newbie as they come....BUT slowly I'm getting it all working great!

 

If you can get me a little more info regarding the docker run command I'll post it and maybe we can figure out if I need to edit something in nginx.

If you have set up nginx to serve Heimdall as the landing page, then it's no wonder that you get Heimdall when opening the webgui link in swag. 

If you want help, the best way is to provide the config files you have changed stuff in. That way it's much easier for the ones helping.

 

The docker run command is the command popping up when you update or change something in the container template. Just add something to a field and remove it, then hit apply and you will get the command.

Link to post
17 hours ago, saarg said:

If you have set up nginx to serve Heimdall as the landing page, then it's no wonder that you get Heimdall when opening the webgui link in swag. 

If you want help, the best way is to provide the config files you have changed stuff in. That way it's much easier for the ones helping.

 

The docker run command is the command popping up when you update or change something in the container template. Just add something to a field and remove it, then hit apply and you will get the command.

Thank You!

So this is the docker run command you were referring to, correct? I wasn't sure if you meant the one for Swag or Heimdall so I just attached them both....

 

SWAG....

Command:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='swag' --net='proxynet' -e TZ="America/Chicago" -e HOST_OS="Unraid" -e 'EMAIL'='stephen@mywebsite.com' -e 'URL'='mywebsite.com' -e 'SUBDOMAINS'='ombi,server,sonarr,radarr,lidarr,nextcloud,sabnzbd,nzbget,plex' -e 'ONLY_SUBDOMAINS'='true' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'EXTRA_DOMAINS'='' -e 'STAGING'='false' -e 'DUCKDNSTOKEN'='' -e 'PROPAGATION'='' -e 'PUID'='99' -e 'PGID'='100' -p '180:80/tcp' -p '1443:443/tcp' -v '/mnt/user/appdata/swag':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/swag'

76457241e9b946d99184a4254b3963fe78876f13c10d23e0fed380eb7a8ceb4e

The command finished successfully!

 

 

Heimdall.....

Command:root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='heimdall' --net='proxynet' -e TZ="America/Chicago" -e HOST_OS="Unraid" -e 'PUID'='99' -e 'PGID'='100' -p '280:80/tcp' -p '2443:443/tcp' -v '/mnt/user/appdata/heimdall':'/config':'rw' 'linuxserver/heimdall'

773977f9c74aa209781671d43f3d93c6b6200b45132fc58ae73bc2f27b1402cb

The command finished successfully!

 

 

 

 

I went to appdata/Heimdall/nginix/site-confs/default but when I open it and highlight it all and copy, it won't let me paste it in here. What is the best way to provide the config files?

 

Edited by SPOautos
Link to post
7 hours ago, SPOautos said:

Thank You!

So this is the docker run command you were referring to, correct? I wasn't sure if you meant the one for Swag or Heimdall so I just attached them both....

 

SWAG....

 

 

Heimdall.....

 

 

 

 

I don't know what all config files I should post, I went to appdata/Heimdall/nginix/site-confs/default but when I open it and highlight it all and copy, it won't let me paste it in here. What is the best way to provide the config files?

 

It's better to copy the text and add it as code in the post. That way it's easier to read and you can redact your mail and URL.

The easiest way is to mark the text, copy it and add it as code.

You post all the configs that you changed. We can't know which ones you changed.

Link to post
