[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



On 11/5/2020 at 4:06 PM, BurntOC said:

I just got this container set up yesterday morning and man, it is so great.  I have a handful of my containers proxied already, but I've hit a snag that I can't figure out and I'm hoping someone can help.  These 5-7 other servers I'm trying to proxy fall into 3 categories:

  1. On this Unraid server, but assigned to a different network and VLAN
  2. On my other Unraid server
  3. On a Raspberry Pi

I'm hoping that some sort of editing of the configuration files, and also of my OPNsense firewall rules, will solve items #2 and #3.  I'm wondering if #1 acts differently, though, and if so how I am supposed to make those proxyable by Swag.  Here are a few more details; if you can help guide me I would appreciate it.

  • Swag and currently proxied containers - br1.60, network 192.168.60.0/24
  • Non-working containers - br0.20, network 192.168.20.0/24

Thanks for any help.

 

UPDATE:  So getting item 1 handled turned out to be easier than I feared.  By using an IP for the upstream app it worked great.  I thought then that #3 would be easy, but it's not working.  Specifically, I'm trying to get to my Hass (Home Assistant Supervised) on it, which is available when I hit it directly via its 192.168.60.X:8123 address.  If I try to hit it via the proxy I get the Nginx default page and I don't see any traffic trying to proxy from the swag IP to the hass server.  It's like it isn't recognizing hass.mydomain.me even though I edited the conf to reflect that subdomain name of hass and the app IP.  Any ideas as to what could be up there?

So I've gotten it all operating fine - EXCEPT Home Assistant Supervised on my Pi.  I still get the 502 Gateway error and I don't see it even trying to proxy requests to the Pi.  I know there are some pointers to ensure the Hass instance accepts the proxy, but why the heck would it not even be forwarding the proxy requests like it does the other dozen servers and containers I'm running just fine?


13 hours ago, BurntOC said:

So I've gotten it all operating fine - EXCEPT Home Assistant Supervised on my Pi.  I still get the 502 Gateway error and I don't see it even trying to proxy requests to the Pi.  I know there are some pointers to ensure the Hass instance accepts the proxy, but why the heck would it not even be forwarding the proxy requests like it does the other dozen servers and containers I'm running just fine?

You probably don't have your routing correct if you have set up the proxy conf correctly, which is hard to say since you didn't post it.

Can you ping the RPI from inside swag?

6 hours ago, saarg said:

You probably don't have your routing correct if you have set up the proxy conf correctly, which is hard to say since you didn't post it.

Can you ping the RPI from inside swag?

Fair observation.  I thought about including it originally, but if the connectivity is there, it seems like this would be some well-known trick that I don't know about.  To that point, your question is a great one, to which I believed the answer was "Yes, I've tested it."  But if so I'd have been wrong, as checking right now it is not getting a response.  I'm up to 15 other devices that are working just fine across the other 2 situations I included in my initial post on this.  Since it is working for other servers in that same domain, it would seem like the traffic should have no problems getting from my Unraid server to the firewall headed to the Pi, but clearly I do.  Here's my proxy, in any event (I use hassio.mydomain.me and the device is on 192.168.60.4 in this example):

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name hassio.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
#        set $upstream_app homeassistant;
        set $upstream_app 192.168.60.4;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}


Maybe a stupid Q

But is it okay to add multiple subdomains like this?

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name photo.doamin.dk;
    server_name photos.domain.dk;
    server_name piwigo.domain.dk;

And could I just add a piwigo.domain2.dk also?

It might work but I don't want to go against the approved structure.

3 hours ago, casperse said:

Maybe a stupid Q

But is it okay to add multiple subdomains like this?


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name photo.doamin.dk;
    server_name photos.domain.dk;
    server_name piwigo.domain.dk;

And could I just add a piwigo.domain2.dk also?

It might work but I don't want to go against the approved structure.

You can put multiple names in a single server_name directive; don't use multiple directives.

4 hours ago, BurntOC said:

Fair observation.  I thought about including it originally, but if the connectivity is there, it seems like this would be some well-known trick that I don't know about.  To that point, your question is a great one, to which I believed the answer was "Yes, I've tested it."  But if so I'd have been wrong, as checking right now it is not getting a response.  I'm up to 15 other devices that are working just fine across the other 2 situations I included in my initial post on this.  Since it is working for other servers in that same domain, it would seem like the traffic should have no problems getting from my Unraid server to the firewall headed to the Pi, but clearly I do.  Here's my proxy, in any event (I use hassio.mydomain.me and the device is on 192.168.60.4 in this example):


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name hassio.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
#        set $upstream_app homeassistant;
        set $upstream_app 192.168.60.4;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

 

If you can't ping 192.168.60.4 it's not the proxy conf that is the issue. Since you have other services working, I would assume your firewall blocks access from the unraid network to your hassio RPI.

17 minutes ago, saarg said:

If you can't ping 192.168.60.4 it's not the proxy conf that is the issue. Since you have other services working, I would assume your firewall blocks access from the unraid network to your hassio RPI.

So I verified that I had port isolation enabled on both the Unifi switch port connected to that Unraid network and the port the Pi is connected to.  Disabling it on the Pi port allowed swag to ping the Pi, but I am still getting the Nginx gateway error.  The isolation observation and the lack of entries in the logs confirm this is transiting port to port without the firewall seeing it, but it's even more puzzling as to why it still isn't working...

1 hour ago, BurntOC said:

So I verified that I had port isolation enabled on both the Unifi switch port connected to that Unraid network and the port the Pi is connected to.  Disabling it on the Pi port allowed swag to ping the Pi, but I am still getting the Nginx gateway error.  The isolation observation and the lack of entries in the logs confirm this is transiting port to port without the firewall seeing it, but it's even more puzzling as to why it still isn't working...

I can't really help with network issues.

You are sure you use the correct port and that it is http and not https?

Are you accessing the domain from your network or using your phone?

2 hours ago, saarg said:

I can't really help with network issues.

You are sure you use the correct port and that it is http and not https?

Are you accessing the domain from your network or using your phone?

Port was correct, but though I'd tested http vs https earlier with no effect (of course because port isolation was probably blocking it in any case), I just tried switching it to https and it works.  I have had Hass pulling a cert with the LetsEncrypt addon and I had it set to access via HTTPS.  I'm tempted to leave it for now.  As I understand it, I'm doing SSL to Swag, but it's doing HTTP to the proxied hosts in most cases per the template default, right?  And there would be some risk of something else on the same subnet trying to sniff the unencrypted traffic, but in this case I'm doing SSL to swag and then also to the proxied server so the full path is encrypted, right?  If not, I will leave these other connections be, as I was going to look into using HTTPS with them as well.

4 hours ago, BurntOC said:

Port was correct, but though I'd tested http vs https earlier with no effect (of course because port isolation was probably blocking it in any case), I just tried switching it to https and it works.  I have had Hass pulling a cert with the LetsEncrypt addon and I had it set to access via HTTPS.  I'm tempted to leave it for now.  As I understand it, I'm doing SSL to Swag, but it's doing HTTP to the proxied hosts in most cases per the template default, right?  And there would be some risk of something else on the same subnet trying to sniff the unencrypted traffic, but in this case I'm doing SSL to swag and then also to the proxied server so the full path is encrypted, right?  If not, I will leave these other connections be, as I was going to look into using HTTPS with them as well.

If it's within your own network, I would drop SSL and just do http.

11 hours ago, aptalca said:

You can put multiple names in a single server_name directive; don't use multiple directives.

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name photo.doamin.dk,photos.domain.dk,piwigo.domain.dk,piwigo.domain2.dk;

I tried combining them but got a strange error afterwards?

nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size: 64
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised


Hi,

I'm trying to get swag to reverse proxy to my VM in Unraid. I used the SpaceInvader video to set it up at first, but now when I'm trying to send to the VM, the log gives me this... anyone have any idea? I mean it works great when I'm using it on Docker but I can't get it to send to my VM.

Thanks for any help

P.S. I actually want to send it to a VM for Nextcloud instead of using a Docker container for it.

2020/11/10 00:45:08 [error] 431#431: *63 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 66.70.148.95, server: myServer.*, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.8.13:443/favicon.ico", host: "myHost", referrer: "https://myHost/"

On 11/9/2020 at 10:05 AM, casperse said:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name photo.doamin.dk,photos.domain.dk,piwigo.domain.dk,piwigo.domain2.dk;

I tried combining them but got a strange error afterwards?

nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size: 64
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised

Strange, only when I list them on separate lines does it work, and I don't get the below error:

nginx: [emerg] could not build server_names_hash, you should increase server_names_hash_bucket_size: 64
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

 

server_name photo.domain1.dk;

server_name photos.domain1.dk;

server_name piwigo.domain1.dk;

 

It works, no errors (even if the syntax is not right).
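
As an added example (not casperse's or aptalca's own config) of the single server_name directive aptalca describes, and of why the comma-joined version fails: nginx reads `photo.doamin.dk,photos.domain.dk,piwigo.domain.dk,piwigo.domain2.dk` as one 67-byte hostname, which does not fit the default 64-byte `server_names_hash_bucket_size`, whereas whitespace-separated names are hashed one by one. The hostnames are the ones from the posts; the upstream container name and port are placeholders.

```nginx
# Broken form (commented out): the commas make this ONE server name of 67 bytes,
# so nginx aborts at startup with
#   could not build server_names_hash, you should increase server_names_hash_bucket_size: 64
# server_name photo.doamin.dk,photos.domain.dk,piwigo.domain.dk,piwigo.domain2.dk;

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # Correct form: one server_name directive, names separated by whitespace.
    # Each name is hashed on its own, so none of them comes near the 64-byte bucket,
    # and nginx matches the Host header against each name individually.
    server_name photo.domain.dk photos.domain.dk piwigo.domain.dk piwigo.domain2.dk;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app piwigo;     # placeholder: the proxied container's name
        set $upstream_port 80;        # placeholder: the port that container listens on
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

Raising `server_names_hash_bucket_size` (an http-context setting, so it belongs in nginx.conf, not in a site conf) is only the right fix when a single legitimate hostname is genuinely longer than the bucket; here it would just hide the comma mistake. Every name listed must also be covered by the certificate SWAG obtains, so a second domain such as piwigo.domain2.dk has to be part of SWAG's certificate request (for example via its EXTRA_DOMAINS setting), otherwise clients get certificate warnings even though nginx starts cleanly.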

I have multiple services running behind a reverse nginx proxy, but I am having issues with Home Assistant. The UI loads but the calls don't get forwarded and error out:

Failed to call service homeassistant/turn_off. Unable to find service light/turn_off

I am running https://hub.docker.com/r/homeassistant/home-assistant on Unraid. This is the nginx config. The site loads but gives errors when I try to turn on lights.
 

# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name ha.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

 

This is the command used to run the container:

usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name='HomeAssistant' --net='proxynet' --privileged=true -e TZ="America/Los_Angeles" -e HOST_OS="Unraid" -p '8123:8123/tcp' --device='/dev/ttyUSB0' 'homeassistant/home-assistant' 

 

I am not sure if it's more suited for Home Assistant?

3 hours ago, BoKKeR said:

I have multiple services running behind a reverse nginx proxy, but I am having issues with Home Assistant. The UI loads but the calls don't get forwarded and error out:

Failed to call service homeassistant/turn_off. Unable to find service light/turn_off

I am running https://hub.docker.com/r/homeassistant/home-assistant on Unraid. This is the nginx config. The site loads but gives errors when I try to turn on lights.
 


# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name ha.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

 

This is the command used to run the container:

usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name='HomeAssistant' --net='proxynet' --privileged=true -e TZ="America/Los_Angeles" -e HOST_OS="Unraid" -p '8123:8123/tcp' --device='/dev/ttyUSB0' 'homeassistant/home-assistant' 

 

I am not sure if it's more suited for Home Assistant?

You have the name wrong for the container. You have to name it homeassistant with small letters.

25 minutes ago, BoKKeR said:

Thanks, I tried that also. Same result: I can resolve Home Assistant over nginx, but all the service calls fail.

We don't have the /api location in our proxy-conf and I'm not sure why you need it?

9 hours ago, BoKKeR said:

Removing the block and rebooting SWAG, I get even less access. I get to the login page. After login I am greeted with

 


Did you set homeassistant to use https on that port? If so, change it back to http. There is a similar problem like this fixed on this page.


I am wondering if anyone has any idea how to use SWAG with a SQL docker to reverse proxy a MSSQL server for remote access through SSMS?

 

I have spent most of a couple of days looking into it, and I know that I need to use a stream process, however I can't get it to work with the nginx within the SWAG docker. Anyone have this working and could give me some guidance on how to set up the subdomain conf file?

10 hours ago, saarg said:

Did you set homeassistant to use https om that port? If so, change it back to http. There is a similar problem like this fixed on this page.

 

I can't find this option, but to make sure I made a new container with a new config location and adjusted the config in swag, then restarted swag. I get the https login page on the subdomain, but upon login I end up with the same error page.

7 hours ago, deanpelton said:

I am wondering if anyone has any idea how to use SWAG with a SQL docker to reverse proxy a MSSQL server for remote access through SSMS?

 

I have spent most of a couple of days looking into it, and I know that I need to use a stream process, however I can't get it to work with the nginx within the SWAG docker. Anyone have this working and could give me some guidance on how to set up the subdomain conf file?

You can't as it's not web traffic.

On 11/12/2020 at 2:29 PM, deanpelton said:

I am wondering if anyone has any idea how to use SWAG with a SQL docker to reverse proxy a MSSQL server for remote access through SSMS?

 

I have spent most of a couple of days looking into it, and I know that I need to use a stream process, however I can't get it to work with the nginx within SWAG docker. Anyone have this working and could give me some guidance on how to setup the subdomain conf file?

 

On 11/12/2020 at 10:24 PM, saarg said:

You can't as it's not web traffic.

Standard TCP or UDP traffic is, as mentioned, not supported with http server blocks; it only works as a stream "passthrough".

 

If this module were included we could play with it and bind domains to the stream(s), but it's not included, so... sadly no.

 

https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html

 

3 hours ago, alturismo said:

 

Standard TCP or UDP traffic is, as mentioned, not supported with http server blocks; it only works as a stream "passthrough".

 

If this module were included we could play with it and bind domains to the stream(s), but it's not included, so... sadly no.

 

https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html

 

Thanks alturismo,

I saw your previous comments on this topic but I couldn't load the stream module into my swag container.

Any other methods of doing this with IP address whitelisting for safety?