[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



30 minutes ago, H2O_King89 said:

Ditch the duck and buy a domain, they're like seven bucks a year

Sent from my Pixel 4 XL using Tapatalk
 

Most people are still going to use duckdns even if they buy a domain, unfortunately, as space invader says so...

Link to post

59 minutes ago, H2O_King89 said:

Ditch the duck and buy a domain, they're like seven bucks a year

Sent from my Pixel 4 XL using Tapatalk
 

 

I'm a total newbie to these things so I'm trying to figure this stuff out.....

 

How would you go about ditching dynamic DNS (duck dns)?  Are you saying it's better to create a static wan IP and use A records instead of cnames that point to the dynamic dns? If so, what are the benefits?

Link to post
3 hours ago, saarg said:

 

Don't use duckdns.org as the domain. You don't own it. You need to use whateveruseryoucreated.duckdns.org as the domain and then the subdomains are subdomains.whateveruseryoucreated.duckdns.org

 

You might also have the port forwarding wrong. You need to forward port 80 also since you are doing http validation.

External port is 443 and internal port is 1443. Hard to say what you have in your screenshot as it's in german ;)

Also port forward external port 80 to whatever port you have on the swag container.

Hey saarg, thx for your reply :)

 

ok... I didn't see anything on the duckdns.org control panel to create subdomains. Because in my previous DynDNS provider, things like "mimimi.momomo" in front of the domain name was not allowed. i thought duckdns was the same.

 

will try it as you said once i'm allowed to certificate again :D

 

As for the ports i might have it wrong. In the picture i opened port 443, and the "external preferred port" (that's what it says in German) i put 1443. i think it's the other way around, right?

 

I will do so for both port 80 and 443.

 

One last question, since i'm a real noob:

 

My router has entries for dyndns providers like duckdns as well. Should i only configure the docker containers on unraid, or can i set up the dyndns on my router menu as well? Sorry if it's a terribly dumb question...

 

Thx for all the help :)

 

Cheers

 

 

 

 

Edited by MMeirolas
Link to post
On 10/20/2020 at 2:06 AM, saarg said:

 

As I have said before, turn off swag and then see what happens if you go to the wan IP. If it still loads Heimdall, you have a port forwarding issue. If nothing loads, you have configured something in swag that makes Heimdall load.

 

 

I was able to look at this again this morning. I stopped Swag and here is what I get.....if I go to heimdall via the internet using my custom url it says "the website can't be reached".  If I go in Unraid to dockers/heimdall/webui then it just opens another instance of Unraid.

 

Heimdall is setup in the template to use the custom network type for reverse proxy, just like the other apps (radarr, sonarr, etc)....is that an issue? Should i not have set heimdall up in the reverse proxy network?

 

Here are screenshots of the templates......

Heimdall:

image.thumb.png.328c4557dcf1c1c82010265b8b35ae76.png

 

SWAG:

image.thumb.png.d47bc6d224f7716cd3e9bb7afd00a451.png

image.thumb.png.47eaf7c7b4a28bc3f5fea80acadb7574.png

Edited by SPOautos
Link to post
 
I'm a total newbie to these things so I'm trying to figure this stuff out.....
 
How would you go about ditching dynamic DNS (duck dns)?  Are you saying it's better to create a static wan IP and use A records instead of cnames that point to the dynamic dns? If so, what are the benefits?
I'd buy a domain from cloudflare. There's two ways to go about this depending how the cloudflare DDNS docker works. For clarifications I don't use DDNS due to having a static IP from my ISP.

First way is to make A records and the CF docker updates them all. Don't know if that is possible.

Or make one A record and use the CF docker to update it, then make CNAMEs for the other subdomains.


This way should be a lot easier than dealing with duck

Sent from my Pixel 4 XL using Tapatalk

Link to post
2 hours ago, MMeirolas said:

Hey saarg, thx for your reply :)

 

ok... I didn't see anything on the duckdns.org control panel to create subdomains. Because in my previous DynDNS provider, things like "mimimi.momomo" in front of the domain name was not allowed. i thought duckdns was the same.

 

will try it as you said once i'm allowed to certificate again :D

 

As for the ports i might have it wrong. In the picture i opened port 443, and the "external preferred port" (that's what it says in German) i put 1443. i think it's the other way around, right?

 

I will do so for both port 80 and 443.

 

One last question, since i'm a real noob:

 

My router has entries for dyndns providers like duckdns as well. Should i only configure the docker containers on unraid, or can i set up the dyndns on my router menu as well? Sorry if it's a terribly dumb question...

 

Thx for all the help :)

 

Cheers

 

 

 

 

I haven't really used duckdns, so not 100% sure on how it works, but just logged in and saw that you can create 5 (sub)domains on one account. So the subdomain you create there is the URL you add in the domain env variable in swag.

There is no way to configure the subdomains there, so I think those are configured if you add them in the swag setup. If I got something wrong, @aptalca will arrest me 😁

If you use DNS validation you can use wildcard for subdomains so the SSL certificate is valid for everything under blablabla.duckdns.org. But the SSL certificate will not be valid for blablabla.duckdns.org.

 

You should set staging to true when testing, as that will allow you to test the configuration without being rate limited.

 

External port is the port on the outside of your router, 80 & 443.

 

I would set up the dyndns on your router if it supports it.

Link to post
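
Added example (not part of any post in this thread, and not SWAG or certbot code): the name-matching rule behind the wildcard point in the reply above, where a `*` entry in a certificate stands for exactly one label. The hostnames and SAN lists are constructed from the `blablabla.duckdns.org` placeholder used in that reply.

```python
# Added example: which hostnames a certificate's SAN list covers.
# All names below are constructed for illustration.

def san_matches(hostname, san):
    """Return True if one SAN entry covers one hostname.

    A leading "*" label stands for exactly one label, so "*.example.org"
    covers "a.example.org" but not "example.org" or "a.b.example.org".
    """
    host = hostname.lower().rstrip(".").split(".")
    pattern = san.lower().rstrip(".").split(".")
    if len(host) != len(pattern) or "" in host:
        return False
    if pattern[0] == "*":
        return host[1:] == pattern[1:]
    # Partial wildcards such as "f*.example.org" are treated as literals here.
    return host == pattern


def uncovered(hostnames, sans):
    """List the hostnames that no SAN entry covers (clients would warn)."""
    return [h for h in hostnames if not any(san_matches(h, s) for s in sans)]


# Hostnames the reverse proxy is expected to answer for (constructed).
PROXIED = [
    "blablabla.duckdns.org",
    "heimdall.blablabla.duckdns.org",
    "sonarr.blablabla.duckdns.org",
    "test.heimdall.blablabla.duckdns.org",
]

WILDCARD_ONLY = ["*.blablabla.duckdns.org"]
WILDCARD_PLUS_BASE = ["blablabla.duckdns.org", "*.blablabla.duckdns.org"]

if __name__ == "__main__":
    print("wildcard only      :", uncovered(PROXIED, WILDCARD_ONLY))
    print("wildcard plus base :", uncovered(PROXIED, WILDCARD_PLUS_BASE))
```
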
2 hours ago, SPOautos said:

 

I'm a total newbie to these things so I'm trying to figure this stuff out.....

 

How would you go about ditching dynamic DNS (duck dns)?  Are you saying it's better to create a static wan IP and use A records instead of cnames that point to the dynamic dns? If so, what are the benefits?

The biggest domain registrars usually have an API to update the IP in case you don't have a static IP, so you don't need a static IP even if you buy a domain. And you can always use the free cloudflare DNS. They also have an API to update your IP.

Link to post
2 hours ago, SPOautos said:

 

I was able to look at this again this morning. I stopped Swag and here is what I get.....if I go to heimdall via the internet using my custom url it says "the website can't be reached".  If I go in Unraid to dockers/heimdall/webui then it just opens another instance of Unraid.

 

Heimdall is setup in the template to use the custom network type for reverse proxy, just like the other apps (radarr, sonarr, etc)....is that an issue? Should i not have set heimdall up in the reverse proxy network?

 

Here are screenshots of the templates......

Heimdall:

image.thumb.png.328c4557dcf1c1c82010265b8b35ae76.png

 

SWAG:

image.thumb.png.d47bc6d224f7716cd3e9bb7afd00a451.png

image.thumb.png.47eaf7c7b4a28bc3f5fea80acadb7574.png

 

Hey @Saarg I just thought I'd quote this post, I think you may have not seen it since there were other posts after it. Hoping to get your input on it when you have some time. Thank You!

Edited by SPOautos
Link to post
54 minutes ago, saarg said:

And you can always use the free cloudflare DNS. They also have an API to update your IP.

I also threw myself in at the deep end with all this when I first set up unraid, & used the SpaceInvaderOne's videos to get up & running for a bunch of stuff. I'm (very) slowly learning, though.

Is there an advantage to using Cloudflare over DuckDNS for this, or does it come down to preference? 

 

Quote

Most people are still going to use duckdns even if they buy a domain, unfortunately, as space invader says so...

This part makes me think DuckDNS isn't required for your own domains, but my domain registrar doesn't have their own API to update & I also can't get a static IP off my ISP.

Link to post
This part makes me think DuckDNS isn't required for your own domains, but my domain registrar doesn't have their own API to update & I also can't get a static IP off my ISP.

I think the whole point of duck is you can get a free subdomain.

 

Yes you can use duck for DDNS to update your domains. Or you can have your domain use CF name servers and use the CF docker to update as a DDNS

 

I feel CF is better and easier to work with. Also you can buy domains from CF. I moved mine from google to CF

 

Sent from my Pixel 4 XL using Tapatalk

 

Edit: I did a quick search and apparently you cannot buy a domain directly from cloud flare yet. You can only transfer your existing domain.

 

 

Link to post
1 hour ago, SPOautos said:

 

Hey @Saarg I just thought I'd quote this post, I think you may have not seen it since there were other posts after it. Hoping to get your input on it when you have some time. Thank You!

It should be like that if you stop swag.

And if you use the wan IP, you get the same response?

 

You have double up for ports in your Heimdall template. Delete the extra set.

Link to post
1 hour ago, xxDeadbolt said:

I also threw myself in at the deep end with all this when I first set up unraid, & used the SpaceInvaderOne's videos to get up & running for a bunch of stuff. I'm (very) slowly learning, though.

Is there an advantage to using Cloudflare over DuckDNS for this, or does it come down to preference? 

 

This part makes me think DuckDNS isn't required for your own domains, but my domain registrar doesn't have their own API to update & I also can't get a static IP off my ISP.

If owning your own domain, I would use cloudflare, especially since your domain registrar doesn't have an API.

The advantage of using cloudflare is that you have less things to complicate your setup.

Link to post

EDIT:  I increased the Propagation parameter to 60 seconds in the container, and that has fixed the issue.

 

I just updated this docker and now it is failing to get my cloudflare DNS verification.  Anyone know why/how?   I see it is inserting the TXT acme-challenge records in the cloudflare dashboard.  This has taken down my production sites, so if anyone knows of an issue please let me know.

 

Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Waiting for verification...
Challenge failed for domain my.domain
Challenge failed for domain my.domain
dns-01 challenge for my.domain
dns-01 challenge for my.domain
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: my.domain
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.my.domain - check that a DNS record exists for
this domain

Domain: my.domain
Type: dns
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.my.domain - check that a DNS record exists for
this domain
ERROR: Cert does not exist! Please see the validation error above. Make sure you entered correct credentials into the /config/dns-conf/cloudflare.ini file.

 

 

 

 

Edited by guythnick
Link to post
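
Added example (not part of any post in this thread, and not SWAG or certbot code): a small triage of the log in the post above. It pulls out the credentials file flagged for unsafe permissions, the propagation wait, and the TXT names that returned NXDOMAIN, and includes a check for a token file that anyone besides its owner can access. The 60-second figure is the value the poster reported as fixing the issue, used here as an assumption rather than an official minimum.

```python
import os
import re
import stat

# Constructed sample: an excerpt of the log lines in the post above.
SAMPLE_LOG = """\
Unsafe permissions on credentials configuration file: /config/dns-conf/cloudflare.ini
Waiting 10 seconds for DNS changes to propagate
Waiting for verification...
Challenge failed for domain my.domain
Detail: DNS problem: NXDOMAIN looking up TXT for
_acme-challenge.my.domain - check that a DNS record exists for
this domain
"""

# Assumption: 60 s is the wait that worked for the poster, not an official value.
SUGGESTED_WAIT = 60


def triage(log_text, suggested_wait=SUGGESTED_WAIT):
    """Extract the actionable facts from a dns-01 failure log."""
    flat = " ".join(log_text.split())  # undo the line wrapping in the error detail
    unsafe = sorted(set(re.findall(
        r"Unsafe permissions on credentials configuration file: (\S+)", flat)))
    wait = re.search(r"Waiting (\d+) seconds for DNS changes to propagate", flat)
    wait_seconds = int(wait.group(1)) if wait else None
    missing = sorted(set(re.findall(r"NXDOMAIN looking up TXT for (\S+)", flat)))

    advice = [f"chmod 600 {path}" for path in unsafe]
    if missing and wait_seconds is not None and wait_seconds < suggested_wait:
        advice.append(
            f"raise the propagation wait from {wait_seconds}s to {suggested_wait}s")
    return {"unsafe_files": unsafe, "wait_seconds": wait_seconds,
            "missing_txt": missing, "advice": advice}


def open_to_group_or_other(path):
    """True if anyone besides the owner has any permission bit on the file."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The API token in `cloudflare.ini` can edit DNS for the zone, so the permissions warning is worth fixing even though it is not what makes the challenge fail.
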
2 hours ago, saarg said:

It should be like that if you stop swag.

And if you use the wan IP, you get the same response?

 

You have double up for ports in your Heimdall template. Delete the extra set.

If I stop Swag and go to my WAN address over the internet it does "this site can't be reached".

 

I'm not following you regarding the Heimdall template ports. I only see one set of ports the http (280) and https (2443)....do you mean that I only need one of those, not both?

Link to post
8 hours ago, saarg said:

I haven't really used duckdns, so not 100% sure on how it works, but just logged in and saw that you can create 5 (sub)domains on one account. So the subdomain you create there is the URL you add in the domain env variable in swag.

There is no way to configure the subdomains there, so I think those are configured if you add them in the swag setup. If I got something wrong, @aptalca will arrest me 😁

If you use DNS validation you can use wildcard for subdomains so the SSL certificate is valid for everything under blablabla.duckdns.org. But the SSL certificate will not be valid for blablabla.duckdns.org.

 

You should set staging to true when testing, as that will allow you to test the configuration without being rate limited.

 

External port is the port on the outside of your router, 80 & 443.

 

I would set up the dyndns on your router if it supports it.

Thx for your reply saarg,

 

with every message i get more and more confused unfortunately... "DNS verification"? Never heard of it...

 

could you tell me what dns provider you use? Maybe it's easier to use than duckdns, and u could just tell me how you set up yours...

 

it's getting more and more frustrating to use unraid since you have no tutorials that work out of the box, like you have a gazillion on ubuntu :(

 

cheers

 

 

 

 

Link to post
5 hours ago, SPOautos said:

If I stop Swag and go to my WAN address over the internet it does "this site can't be reached".

 

I'm not following you regarding the Heimdall template ports. I only see one set of ports the http (280) and https (2443)....do you mean that I only need one of those, not both?

You have two http and two https in the container template. The two on the bottom can be deleted.

Link to post
1 hour ago, MMeirolas said:

Thx for your reply saarg,

 

with every message i get more and more confused unfortunately... "DNS verification"? Never heard of it...

 

could you tell me what dns provider you use? Maybe it's easier to use than duckdns, and u could just tell me how you set up yours...

 

it's getting more and more frustrating to use unraid since you have no tutorials that work out of the box, like you have a gazillion on ubuntu :(

 

cheers

 

 

 

 

Sorry, but I don't have time to explain everything you might not understand. One needs to educate oneself also. It's easy to do a Google search for things you don't understand.

 

I use cloudflare, but as said before, I don't have time to go into detail of my setup.

 

You can start by reading the readme we have on GitHub 🙂

Link to post
32 minutes ago, saarg said:

Sorry, but I don't have time to explain everything you might not understand. One needs to educate oneself also. It's easy to do a Google search for things you don't understand.

 

I use cloudflare, but as said before, I don't have time to go into detail of my setup.

 

You can start by reading the readme we have on GitHub 🙂

Believe me: Googling is all i have been doing... I am on day 7 of my test phase for Unraid, and have read the whole wiki page. Have watched all spaceinvader one videos, have read a lot of answers on this topic.

 

Unfortunately for each app you want to install in unraid, there is very little Information available. Yes there are tutorials on the syncthing webpage, but for "docker/docker-compose"... That's messing with the terminal, and not the reason i switched to unraid. So i had to resort to this forum...

 

With Ubuntu one can google: "how to install syncthing?" and a million Webpages show up.

 

And don't get me wrong, i know people are here helping out on a volunteer basis, which all of us noobs are grateful for. But telling people: "you need to make a linux course to learn the terminal, then a networking course, then an unraid course and then a syncthing course..." Only to be able to sync a few files from your smartphone to your server... instead of writing a tutorial for unraid, is not a beginner friendly approach and shoves people to other OS's where they have those tutorials.

 

But anyways, enough written.

 

Thx for trying to help.

Off to Ubuntu again :)

 

 

Cheers

 

 

 

 

Link to post

Hey

 

i just migrated from letsencrypt to Swag and wanted to setup UniFi docker as part of my reverse setup. I’m using the sub folder setup for all my dockers, but that isn’t supported for the UniFi controller.

 

Could anyone guide me on how to setup the UniFi as subdomain. It says that I need to setup a Cname for unifi. What should the cname settings be? 
 

i’m using my own domain and a static Ip with DNS at Cloudflare  

 

Link to post
4 hours ago, fc0712 said:

Hey

 

i just migrated from letsencrypt to Swag and wanted to setup UniFi docker as part of my reverse setup. I’m using the sub folder setup for all my dockers, but that isn’t supported for the UniFi controller.

 

Could anyone guide me on how to setup the UniFi as subdomain. It says that I need to setup a Cname for unifi. What should the cname settings be? 
 

i’m using my own domain and a static Ip with DNS at Cloudflare  

 

Create a cname in cloudflare with just an asterisk as the name "*", pointing to the A record for your domain and that's it. Then in swag docker settings, set the subdomains variable to "wildcard" without the quotes.

Link to post
6 hours ago, saarg said:

You have two http and two https in the container template. The two on the bottom can be deleted.

 

I know I sound retarded but I can't find a second set.  Are you referring to the Heimdall template?  Under the "show more settings" there is a PUID and PGID, are you referring to those? I can only find the one set of ports in my Heimdall template.

image.thumb.png.328c4557dcf1c1c82010265b8b35ae76.png

 

 

OHHH was my last post that had the template images confusing because I had Heimdall and Swag templates in the post back to back?

 

Edited by SPOautos
Link to post
12 hours ago, MMeirolas said:

Believe me: Googling is all i have been doing... I am on day 7 of my test phase for Unraid, and have read the whole wiki page. Have watched all spaceinvader one videos, have read a lot of answers on this topic.

 

Unfortunately for each app you want to install in unraid, there is very little Information available. Yes there are tutorials on the syncthing webpage, but for "docker/docker-compose"... That's messing with the terminal, and not the reason i switched to unraid. So i had to resort to this forum...

 

With Ubuntu one can google: "how to install syncthing?" and a million Webpages show up.

 

And don't get me wrong, i know people are here helping out on a volunteer basis, which all of us noobs are grateful for. But telling people: "you need to make a linux course to learn the terminal, then a networking course, then an unraid course and then a syncthing course..." Only to be able to sync a few files from your smartphone to your server... instead of writing a tutorial for unraid, is not a beginner friendly approach and shoves people to other OS's where they have those tutorials.

 

But anyways, enough written.

 

Thx for trying to help.

Off to Ubuntu again :)

 

 

Cheers

 

 

 

 

Are you expecting to learn everything in an instant? That's not how it works.

 

There isn't much command line stuff you need to do in unraid, so I'm not sure what you mean.

 

You have a lot of applications in CA that you can just click to install and fill in what is needed in the template. No command line or docker compose needed.

 

Comparing guides for Ubuntu with guides for unraid isn't really fair, is it?

Link to post
7 hours ago, SPOautos said:

 

I know I sound retarded but I can't find a second set.  Are you referring to the Heimdall template?  Under the "show more settings" there is a PUID and PGID, are you referring to those? I can only find the one set of ports in my Heimdall template.

image.thumb.png.328c4557dcf1c1c82010265b8b35ae76.png

 

 

OHHH was my last post that had the template images confusing because I had Heimdall and Swag templates in the post back to back?

 

I think you need to go check your eyes. Don't you see on the left side you have http port and https port twice?

 

 

Screenshot_20201022-214125.jpg

Link to post
1 hour ago, saarg said:

I think you need to go check your eyes. Don't you see on the left side you have http port and https port twice?

 

 

Screenshot_20201022-214125.jpg

 

Confusion......do you mean to remove the line item with "remove" to the right?  I thought you were meaning to remove any actual port number.

 

How would those have got there if they aren't supposed to be there?? Does the fact that it's duplicated mean there may be something wrong with the install?

Edited by SPOautos
Link to post
