[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

On 11/17/2020 at 8:16 PM, jonathanm said:

The image shows the internal and external ports reversed.

Thanks mate, i figured they were but had tried in the correct setup but was still failing. Turns out i had static DNS that was incorrect on the modem. All working now.

 

EDIT: Literally a few hours later and it all stopped again. Seems to be a DNS issue with the Netcomm modem i'm using. I wasn't having any issues with the Netgear. But i wanted to NAT loopback features of the Netcomm

Edited by xxbigfootxx
Link to comment
On 11/23/2020 at 6:22 PM, Abigel said:

Hi,

is it possible to connect to a mariaDB over https with swag?
So that I use an URL to work with a database and set the port 443 for connections?

 

not using http or https, you can use the stream function but this wont work on the same port(s) as your reverse server(s)

Link to comment

Hi I am new to SWAG and am struggling to get it working, I tried to start off small and used some of the online turtorials on setup. I set up the SWAG container with plex and sonarr docker. I setup my own domain and when i start SWAG it creates the ssl keys and says server ready in the log. I can open a webpage and go to the dockers plex.mydomain.com and sonarr.mydomain.com and each go the the docker webpage and work correctly. But if i try to go to those addresses from an external network it just seems to time out and says the site cant be reached, took to long to respond. I am using google domain and created a dynamic dns then created cname's for plex and sonarr that point to that dynamic dns.

 

Is their something im missng?

Link to comment
On 11/26/2020 at 6:42 AM, reyes136 said:

Is their something im missng?

Well, yes, there might be.

You have to check, whether your ISP has you connected on Dual-Stack or DS-Lite.

The latter has the problem, that it is unreachable from the outside for services like FTP or openVPN, or any other service that needs to reach a certain IP and port, because in this case many people/users share one real IPv4 that gets tunneled through the ISP's IPv6-net to the different users. This means there is an extra address to resolve, which can't be done. Why? I don't know. If you are interested in knowing more, google "Dual Stack vs DS-Lite".

 

But don't worry, even if you are on DS-Lite, there are ways:

- you could switch to IPv6 entirely or

- use a service like Feste-IP.net to get a DS-Lite/IPv6-Portmapper. Check or compare, prices for this should be rather low.

 

And you can always try and ask your ISP to provide you with a fixed IPv4. Many providers do it for free again since the internet provider industry did the switch to IPv6 recently, thus freeing a lot of IPv4 addresses.

Edited by McFex
Link to comment

I seem to be having an issue with the automatic start feature if i let things run as normal on system boot i get the following error
 

[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
s6-svwait: fatal: supervisor died
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

if i manually start it from the docker tab in my unraid instance it functions correctly at that point but this is a pretty major issue imho

 

Edited by TechnicalPyro
fixed a spelling error
Link to comment
11 hours ago, TechnicalPyro said:

I seem to be having an issue with the automatic start feature if i let things run as normal on system boot i get the following error
 


[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] waiting for services.
s6-svwait: fatal: supervisor died
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

if i manually start it from the docker tab in my unraid instance it functions correctly at that point but this is a pretty major issue imho

 

Set a startup delay on swag. Something on your system makes the container die.

A full log is also preferred.

Link to comment
On 11/27/2020 at 5:30 AM, McFex said:

Well, yes, there might be.

You have to check, whether your ISP has you connected on Dual-Stack or DS-Lite.

The latter has the problem, that it is unreachable from the outside for services like FTP or openVPN, or any other service that needs to reach a certain IP and port, because in this case many people/users share one real IPv4 that gets tunneled through the ISP's IPv6-net to the different users. This means there is an extra address to resolve, which can't be done. Why? I don't know. If you are interested in knowing more, google "Dual Stack vs DS-Lite".

 

But don't worry, even if you are on DS-Lite, there are ways:

- you could switch to IPv6 entirely or

- use a service like Feste-IP.net to get a DS-Lite/IPv6-Portmapper. Check or compare, prices for this should be rather low.

 

And you can always try and ask your ISP to provide you with a fixed IPv4. Many providers do it for free again since the internet provider industry did the switch to IPv6 recently, thus freeing a lot of IPv4 addresses.

I ran a test at this site https://whatismyipaddress.com/ds-check and it only shows IPv4 address, and says IPv6 not detected , IPv4/IPv6 Dual Stack Test. Does this mean that my provider is not using Dual-Stack or DS-Lite?

Link to comment

Hi, i´m using SWAG for multiple services now, but want to change the ports/give it an own ip. I want swag to have an own ip in my network, to resolve all my domains in my lan to it and dont have problems with ports (80,443). I´m also running a pi-hole as main dns in my network, but not on unraid, its on a pi 4.

I created a own docker network for all services which have to use this reverse proxy like in the spaceinvaderone tutorial, but cant give the correct ip to the docker due subnet issues.

I have 2 NICs in my system, the onboard one and a second PCIe NIC.

I also tried to create a custom docker network by using macvlan, but then i couldnt enter my network informations like i need.

Are I´m on the right way with this or is there a trick i can use to get this run?

 

My NIC configuration:

 

eth0

IP: 192.168.2.131/24

Gateway: 192.168.2.1

 

eth1

IP: 192.168.2.131/24

Gateway: 192.168.2.1

 

 

Available Network types:

grafik.png.8b6b8330fcac654405c923f02392e20c.png

 

 

Routing:

grafik.thumb.png.a450d3428a3e0855620352a4795e0e9b.png

 

 

 

Available networks:

grafik.thumb.png.398226ccb0a7913d5adc6bb630b3a898.png

 

 

Docker custom networks:

grafik.thumb.png.1677ee079e49e94aed82a21a0bf26d02.png

 

 

Thanks

Edited by CryPt00n
Adding NIC informations
Link to comment

Hi all,

 

I tried updating my Nextcloud container with the help of this SpaceInvader One video (https://www.youtube.com/watch?v=un4L5inokZE) and it broke.
I tried reinstalling, but when I try to enable the reverse proxy I get a 504 Gateway Time-out. Sometimes I can get through to Nextcloud but the site is incredibly slow.

I tried to fix it, but I don't really understand what is wrong.

 

It can find the docker container, but most of the time it times out. Does anyone know what to do?



The nextcloud.subdomain.conf file:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;
#	add_header X-Frame-Options "SAMEORIGIN" always;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app nextcloud;
        set $upstream_port 443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_max_temp_file_size 2048m;
    }
}

 

Link to comment
6 hours ago, Runi215 said:

I tried reinstalling, but when I try to enable the reverse proxy I get a 504 Gateway Time-out. Sometimes I can get through to Nextcloud but the site is incredibly slow.

Are any of your other reverse proxies displaying the same connection error? Post the logs from Nextcloud docker

Edited by xxbigfootxx
Link to comment
13 hours ago, xxbigfootxx said:

Are any of your other reverse proxies displaying the same connection error? Post the logs from Nextcloud docker

My other reverse proxies are working correctly.

Docker log:
 


[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
-------------------------------------

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 40-config: executing...
[cont-init.d] 40-config: exited 0.
[cont-init.d] 50-install: executing...
[cont-init.d] 50-install: exited 0.
[cont-init.d] 60-memcache: executing...
[cont-init.d] 60-memcache: exited 0.
[cont-init.d] 70-aliases: executing...
[cont-init.d] 70-aliases: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 40-config: executing...
[cont-init.d] 40-config: exited 0.
[cont-init.d] 50-install: executing...
[cont-init.d] 50-install: exited 0.
[cont-init.d] 60-memcache: executing...
[cont-init.d] 60-memcache: exited 0.
[cont-init.d] 70-aliases: executing...
[cont-init.d] 70-aliases: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.

appdata/nextcloud/log/nginx/error.log:

2020/11/30 16:58:18 [crit] 377#377: *79 SSL_write() failed while sending response to client, client: 192.168.0.1, server: _, request: "GET /apps/text/js/files.js?v=9575ceb6-0 HTTP/1.1", host: "cloud.xxxxxxxxxx.nl"
2020/11/30 16:58:18 [crit] 377#377: *83 SSL_write() failed while sending response to client, client: 192.168.0.1, server: _, request: "GET /apps/recommendations/js/main.js?v=9575ceb6-0 HTTP/1.1", host: "cloud.xxxxxxxx.nl"
2020/11/30 16:58:18 [crit] 377#377: *86 SSL_write() failed while sending response to client, client: 192.168.0.1, server: _, request: "GET /apps/comments/js/comments.js?v=9575ceb6-0 HTTP/1.1", host: "cloud.xxxxxxxx.nl"

 

Link to comment

I wanted to start off by saying thank you for your hardwork and making using a reverse proxy easy to use,

I am successfully using swag for a lot of different services in my home so i know swag is working great with https

 

 

I can successfully access my Home-Assistant container from anywhere inside and outside my network with

 

http://homeassistant.home.specialdomain.com:8123

 

 

 

Questions

 

I am trying to get home assistant to work with swag reverse proxy https exactly the same way as my 10 other apps that i have but it is failing with 

 

502 Bad Gateway

 

After searching the Home Assistant forums there seem to be some extra steps that need to be added to the config file but i am not 100% sure what to do

 

Here are the 2 leading guides that explain how to use Lets Encrypt with HA from scratch

 

https://community.home-assistant.io/t/reverse-proxy-using-nginx/196954

 

https://community.home-assistant.io/t/nginx-reverse-proxy-set-up-guide-docker/54802

 

Hopefully there is something that is missing in the default SWAG container homeassistant.subdomain.conf file that needs to be added to get this to work

 

 

Here is my setup

Docker-Compose File

 

home-assistant: 
    image: homeassistant/home-assistant:stable
    container_name: home-assistant
    environment:
       - TZ=America/New_York
    volumes: 
      - /etc/localtime:/etc/localtime:ro
      - /media/username/nfsset/containers/home-assistant/config:/config
    ports:
      - 8123:8123
    #network_mode: host
    restart: unless-stopped

 

Completely Default homeassistant.subdomain.conf

# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name homeassistant.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

 

 

 

Sorry for the lengthy post but i tried to be as complete as possible

 


 

 

Edited by Cytomax
Link to comment
9 hours ago, Cytomax said:

I wanted to start off by saying thank you for your hardwork and making using a reverse proxy easy to use,

I am successfully using swag for a lot of different services in my home so i know swag is working great with https

 

 

I can successfully access my Home-Assistant container from anywhere inside and outside my network with

 

http://homeassistant.home.specialdomain.com:8123

 

 

 

Questions

 

I am trying to get home assistant to work with swag reverse proxy https exactly the same way as my 10 other apps that i have but it is failing with 

 

502 Bad Gateway

 

After searching the Home Assistant forums there seem to be some extra steps that need to be added to the config file but i am not 100% sure what to do

 

Here are the 2 leading guides that explain how to use Lets Encrypt with HA from scratch

 

https://community.home-assistant.io/t/reverse-proxy-using-nginx/196954

 

https://community.home-assistant.io/t/nginx-reverse-proxy-set-up-guide-docker/54802

 

Hopefully there is something that is missing in the default SWAG container homeassistant.subdomain.conf file that needs to be added to get this to work

 

 

Here is my setup

Docker-Compose File

 


home-assistant: 
    image: homeassistant/home-assistant:stable
    container_name: home-assistant
    environment:
       - TZ=America/New_York
    volumes: 
      - /etc/localtime:/etc/localtime:ro
      - /media/username/nfsset/containers/home-assistant/config:/config
    ports:
      - 8123:8123
    #network_mode: host
    restart: unless-stopped

 

Completely Default homeassistant.subdomain.conf


# make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name homeassistant.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app homeassistant;
        set $upstream_port 8123;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

 

 

 

Sorry for the lengthy post but i tried to be as complete as possible

 


 

 

Doesn't look like you are using unraid, so go to our discord server or post on our discourse forum to get help.

Link to comment

IneedHELP.png.ba90358fff9c8ab2a898f48b09737eff.png

The question which makes this post relevant in this forum is further down in bold.

 

On 11/29/2020 at 9:36 PM, CryPt00n said:

Hi, i´m using SWAG for multiple services now, but want to change the ports/give it an own ip. I want swag to have an own ip in my network, to resolve all my domains in my lan to it and dont have problems with ports (80,443).

 

Hi guys and CryPt00n, I have kind of a similar setup as CryPt00n here (I quoted him mainly to connect the posts, since we might be on a similar way). Except it's not an SBC, but a Fujitsu I want to have as kind of a gate-server between router and unRaid server. I installed Cent OS 7 and on it docker and docker-compose. I am aware I'll have to open the ports on the centos firewall.

Now I need to know how my docker-compose file would have to look like. I tried to translate the docker setup from unraid into a docker-compose.yml file:

version: '2.1'
services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Berlin
      - URL=mydomain.com
      - SUBDOMAINS=www,flexcloud,sonarr,radarr,hydra2,sabnzbd,tautulli,minecraft,documentserver,galacticraft
      - VALIDATION=http
      - EMAIL=my@email
    volumes:
      - /proxyflex/config:/config
      - /proxyflex/www:/config/www
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped

Is something missing?

 

I also can't figure out what exactly my proxy_conf files would have to look like.

Let's take nextcloud, for example:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name nextcloud.*;

    include /config/nginx/ssl.conf;
	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app nextcloud;
        set $upstream_port 443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;	<= put unraid server IP there?*

        proxy_max_temp_file_size 2048m;
    }
}

Could someone be so kind and tell me the correct configuration?

For example what is the correct resolver IP if I host the swag container on the Fujitsu?

* Which IP to put there? Unraid official IP? Or the IP unraid has in the network created by swag on the Fujitsu? How would I find that out? Or not unraid's IP at all but the nextcloud container's on unraid?

 

I understand that the swag container and the other docker containers supposed to use the reverse proxy have to be in the network created by swag.

How would I do that in unraid with an external swag installation?

Simply check the networks on the Fujitsu and assign the corresponding IPs to the dockers on the unraid server in the docker setups?

Or would I create the same network in unraid? How would I do that?

 

I am fairly new to linux and unraid and docker, but I want to learn. I tried to be as clear as possible about my needs and hope someone will help me.

Thank you in advance and cheers :)

Edited by McFex
Link to comment
1 minute ago, McFex said:

Hi guys and CryPt00n...

 

Hi McFex,

 

i got a solution for my problem on reddit, maybe it also helps you.

 

I configured my nextcloud.subdomain.conf like this:

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name cloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        proxy_pass https://192.168.2.131:444;

        proxy_max_temp_file_size 2048m;
    }
}

So i just removed the whole variable things and added the ip/port of my nextcloud docker into it. Now it works fine for me. I think this should also work for your case.

I also added my domain (cloud.XXX.de) into my dns so all my devices now connect by domain to the service. Doesnt matter if its inside my LAN or WAN.

 

 

Link to comment
1 minute ago, CryPt00n said:

Hi McFex,

 

i got a solution for my problem on reddit, maybe it also helps you.

Hey CryPt00n,

 

thanks for sharing - I'll try that. My DNS is already setup, since I used to run swag on unraid.

So there is no need for setting up an extra network in unraid? Why? (As I said, I want to learn :) )

 

Link to comment
16 minutes ago, McFex said:

Hey CryPt00n,

 

thanks for sharing - I'll try that. My DNS is already setup, since I used to run swag on unraid.

So there is no need for setting up an extra network in unraid? Why? (As I said, I want to learn :) )

 

 

Hi McFex,

 

i dont know exatly why no extra network is needed, just got this hint from a reddit user:

Quote

Creating a docker network for SWAG isn't a requirement, really. It's a step that can make configuring reverse proxies easier because most of them already have been setup and it's just a matter of enabling them.

 

I just had to switch to a custom network (br1 in my case) to set an own ip for SWAG and change my config.

 

Maybe someone more experienced could explain this network thing for you/us. :)

 

 

EDIT:

But one question: Why do you want to use a vm with CentOS for SWAG? You can just create a SWAG docker with own IP on unraid and open the ports just for this address. Same effect, less used Ressources.

Edited by CryPt00n
Link to comment
On 11/29/2020 at 7:38 AM, reyes136 said:

I ran a test at this site https://whatismyipaddress.com/ds-check and it only shows IPv4 address, and says IPv6 not detected , IPv4/IPv6 Dual Stack Test. Does this mean that my provider is not using Dual-Stack or DS-Lite?

Well, the site says: "...if only IPv4 is detected, then your ISP doesn't provide Dual-Stack yet".

But I am not sure, if that means you are also not on DS-Lite.

 

Dual-Stack and DS-Lite are NOT the same, btw:

Dual-Stack means you are reachable from the internet via IPv6 and IPv4.

DS-Lite means that you are NOT reachable from the internet via IPv4, because several users share one public IPv4 which then gets tunnelled through the IPv6 network of the provider to the different users.

A better way to find out is to check in your router settings or write a quick mail to your provider.

Edited by McFex
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.