[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



On 1/1/2021 at 2:26 PM, saarg said:

You are exposing it to the whole world, that is not the same as having access on your local network.

You were right, I had port forwarded it on my router without realising it *Doh*
 

I have another issue with setting up PhotoPrism; there isn't a sample file for that one. My setup is as follows:
 

location /photos {
    return 301 $scheme://$host/photos/;
}

location ^~ /photos/ {
    # enable the next two lines for http auth
    #auth_basic "Restricted";
    #auth_basic_user_file /config/nginx/.htpasswd;

    # enable the next two lines for ldap auth, also customize and enable ldap.conf in the default conf
    #auth_request /auth;
    #error_page 401 =200 /ldaplogin;

    # enable for Authelia, also enable authelia-server.conf in the default site config
    #include /config/nginx/authelia-location.conf;

    include /config/nginx/proxy.conf;
    resolver 127.0.0.11 valid=30s;
    set $upstream_app PhotoPrism;
    set $upstream_port 2342;
    set $upstream_proto http;
    proxy_pass $upstream_proto://$upstream_app:$upstream_port;

}

This makes it accessible via my domain name, however the site is uninteractable - it just shows a large logo. There is a config file displayed on the site for setting up PhotoPrism with nginx, however I don't really understand it. How would I rewrite mine? The sample config is as follows:

 

http {
  server {
    server_name example.com;
    client_max_body_size 500M;

    location / {
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header Host $host;

      proxy_pass http://photoprism:2342;

      proxy_buffering off;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
  }
}

 

Any help would be appreciated.

 

SP


hi!

 

Is it possible for the reverse proxy to point to Emby in a VM? If so, could someone please help me? :) I'm clueless!

Edit: if that's not possible, can I install rar2fs to an existing Emby docker?

 

EDIT2: I figured it out :) But is there a way to just write emby.my.domain and be redirected to https instead of writing https manually?

 

thanks in advance

Edited by Hugh Jazz

By default your config should lead everything to https ...

 

Check the head of your default conf file:

 

server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name _;
	return 301 https://$host$request_uri;
}

 


Just for curiosity:

Is there any plan to extend swag container with native authelia and ldap server.

It would be an all-in-one easy solution for unraid with global users management and reverse proxy authentication.

 

I tried to achieve such a solution with swag + authelia + openldap + phpldapadmin, without success right now 😅

3 hours ago, mika91 said:

Just for curiosity:

Is there any plan to extend swag container with native authelia and ldap server.

It would be an all-in-one easy solution for unraid with global users management and reverse proxy authentication.

 

I tried to achieve such a solution with swag + authelia + openldap + phpldapadmin, without success right now 😅

No it will not be an all in one.


Hello all,

 

I have gone through the entire setup to the point where accessing my domain "overseerr.mydomain.com" results in just the SWAG welcome page displaying, instead of launching the Overseerr login page.

 

Any idea what steps I may have missed?

 

Log file for docker included.

 

EDIT: per the norm, I misinterpreted a step, and figured out what I was doing wrong. I was missing the "conf" files that I thought I only needed to modify if changes were required.

Edited by carnivorebrah

Hi,

 

I am having an error getting SWAG to work following Spaceinvader's video. I am trying to get HTTP working so that I can access nextcloud, sonarr, etc outside of my network.

 

I have port forwarded my router ports 80 and 443 to 180 and 1443 respectively and listed those ports in Unraid for SWAG, but I get the following error when I try to create the certs. When I check whocanseeme.org, however, I am seeing a blocked port 80 and 443. I have already called my ISP and confirmed that they are not blocking the ports, so I'm not sure how to proceed. I am fairly new to this and have done some research, and was curious if it matters if my router's IP is the same as my public IP or not and how this relates to NAT. Currently my router's IP does not match my public IP when I look it up using whatsmyip, etc.

 

Domain: mydomain.com
Type: unauthorized
Detail: Invalid response from
http://mydomain.com/.well-known/acme-challenge/0OAvQT7bR4EqZoWAqvATD1_N6LTEeCUWQ1rpOsfhfiM
[199.188.201.227]: "<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML
2.0//EN\">\n<html><head>\n<title>404 Not
Found</title>\n</head><body>\n<h1>Not Found</h1>\n<p"

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container


7 minutes ago, semicole said:

Hi,

 

I am having an error getting SWAG to work following Spaceinvader's video. I am trying to get HTTP working so that I can access nextcloud, sonarr, etc outside of my network.

 

I have port forwarded my router ports 80 and 443 to 180 and 1443 respectively and listed those ports in Unraid for SWAG, but I get the following error when I try to create the certs. When I check whocanseeme.org, however, I am seeing a blocked port 80 and 443. I have already called my ISP and confirmed that they are not blocking the ports, so I'm not sure how to proceed. I am fairly new to this and have done some research, and was curious if it matters if my router's IP is the same as my public IP or not and how this relates to NAT. Currently my router's IP does not match my public IP when I look it up using whatsmyip, etc.


The IP in the screenshot is the LAN address. You have to find the WAN address and compare it to the one provided by the webpage. If those two are not the same, then you are behind CGNAT.

 

Hard to say if your port forward is correct as we don't see the description of the port forward table and we also don't have the docker run command of swag to see the validation method you have set up.

It looks like you have not port forwarded 80 to 180, but 80 to 80.
Just now, saarg said:

The IP in the screenshot is the LAN address. You have to find the WAN address and compare it to the one provided by the webpage. If those two are not the same, then you are behind CGNAT.

 

Hard to say if your port forward is correct as we don't see the description of the port forward table and we also don't have the docker run command of swag to see the validation method you have set up.

It looks like you have not port forwarded 80 to 180, but 80 to 80.

When I check what’s my IP, I get my external IP address or WAN IP address. I’m struggling to figure out where my WAN is listed on my router page, is there another way to figure that out that may be easier.

 

I can post a better photo of the port forwarding, but yes I had changed 180 to 80 to try to troubleshoot, it’s correct now at 180, so my external ports are 80 and 443 and my internals are 180 and 1443 and going to the correct IP address of my server.

9 minutes ago, saarg said:

The IP in the screenshot is the LAN address. You have to find the WAN address and compare it to the one provided by the webpage. If those two are not the same, then you are behind CGNAT.

 

Hard to say if your port forward is correct as we don't see the description of the port forward table and we also don't have the docker run command of swag to see the validation method you have set up.

It looks like you have not port forwarded 80 to 180, but 80 to 80.

Scratch that, I was able to find my WAN address of my router and it does match my public IP, so I think I’m good there and I have the correct ports forwarded and have verified from my ISP that they do not block ports 80 and 443, so what should my next steps be?

12 hours ago, semicole said:

Scratch that, I was able to find my WAN address of my router and it does match my public IP, so I think I’m good there and I have the correct ports forwarded and have verified from my ISP that they do not block ports 80 and 443, so what should my next steps be?

Post the screenshot so we can see that your port forwards are correct and also the other info missing.



I setup swag for the first time last week, and successfully pointed my domain to my nextcloud instance, and have been able to access it remotely all week via nextcloud.MYDOMAIN.COM*. I also set up a holding page (a single HTML file with an image) for my domain (without a subdomain).

Today I changed my Edgerouter X for a Unifi Security Gateway (USG) so that I could manage everything from the one Unifi Controller interface (I already had two of their APs, so thought this would be neat).

After having a heck of a time today getting it up and adopted, I do now have a running USG in my Unifi Controller.

I have also added my old DHCP reservation and Port Forwards.

But now to my problem relating to swag:

 

However, I just checked my domain via my phone (not connected to WiFi), and when I navigate to nextcloud.MYDOMAIN.COM it shows a cert error that it's self-signed. If I hit proceed, it takes me to a Unifi page that I believe is coming from my USG saying "Fatal error. There was an error handling your request. Please try again later."

WORSE YET though, is if I navigate to MYDOMAIN.COM it presents me (and anyone else on the internet) with my Unraid login screen!

I disabled the port forwards in USG, but the login screen remained, so I've shutdown swag, and it now doesn't appear when I navigate to that page.

 

Does anyone have ANY idea what's going on, and how I can fix it?

 

*not my actual domain for reasons that should be obvious with the problem I'm currently facing

 

OMG 🤦‍♂️ I just realised that when I set up the port forwarding on the USG, I accidentally had 80 > Unraid:80 and 443 > Unraid:443, rather than 80 > Unraid:180 and 443 > Unraid:1443. Classic.

All seems to be working as it should now. Nevermind!

Edited by jademonkee
Realising the error of my ways
[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=duckdns.org
SUBDOMAINS=CHANGED
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
CERTPROVIDER=
DNSPLUGIN=
EMAIL=CHANGED@outlook.com
STAGING=false

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d CHANGED.duckdns.org
E-mail address entered: daniel.vanderwal@outlook.com
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Requesting a certificate for CHANGED.duckdns.org
Performing the following challenges:
http-01 challenge for CHANGED.duckdns.org
Waiting for verification...
Challenge failed for domain CHANGED.duckdns.org
http-01 challenge for CHANGED.duckdns.org
Cleaning up challenges
Some challenges have failed.
IMPORTANT NOTES:
- The following errors were reported by the server:

Domain: CHANGED.duckdns.org
Type: connection
Detail: Fetching
http://CHANGED.duckdns.org/.well-known/acme-challenge/wkC33SQDnnXlUZuzXOIm63eO2kVOV1QUvw5tmZahyA0:
Connection refused

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

I used an nginx container with the same ports and it shows the default nginx page, so it's not pfSense.

Welcome to our server
The website is currently being setup under this address.
For help and support, please contact: me@example.com


 

I have been mucking about with changing from proxynet to host in swag itself.

Is there a limit on how many times you can do this regarding getting new certs?

 

Oh, and everything has been running great this week since I installed it on Monday.

I am just asking if there is a limitation, DDOS protection or, I dunno, something that would explain why it's not working now :)

 

any help is appreciated greatly. its been a frustrating 6 hours so its time for bed.

Edited by BelgarionNL
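The three failures in this thread (semicole's "Invalid response ... 404 Not Found" from an Apache-style error page, jademonkee's forward to Unraid:80/443 instead of :180/:1443 that put the Unraid login on the internet, and BelgarionNL's "Connection refused") are all different answers to the same question: what is actually listening on your public port 80 at the moment the CA fetches /.well-known/acme-challenge/. The script below is an added example for this thread, not SWAG's or certbot's own code. It takes the "Detail:" text certbot printed and maps it to the likely cause, and can also fetch the challenge URL itself from a machine outside your LAN. The port 180, the function names, the constructed sample Detail strings (token shortened, responding IP replaced with a documentation address) and the server fingerprints (Apache's stock "-//IETF//DTD HTML 2.0//EN" error page, nginx's "<center>nginx</center>" page, SWAG's "Welcome to our server" index) are my assumptions, not anything SWAG guarantees. Probing this way instead of recreating the container does not consume the 5 failed validations per hostname per hour quoted later in the thread.

```python
"""Triage for SWAG's http-01 validation failures.

Added example for this thread, not SWAG's or certbot's own code. Paste the
"Detail:" text certbot printed into classify_ca_detail(), or run probe() from a
machine OUTSIDE your LAN. Sample Detail strings are constructed from the two
errors quoted in the thread (token shortened, IP replaced with 203.0.113.7).
"""
import socket
import urllib.error
import urllib.request

# Assumption from the posts: router 80 -> host:180 and 443 -> host:1443.
SWAG_HTTP_PORT = 180


def server_family(body: str) -> str:
    """Guess which web server produced a page from its stock markup (heuristic)."""
    if "-//IETF//DTD HTML 2.0//EN" in body:         # Apache httpd's default ErrorDocument
        return "apache"
    if "<center><h1>404 Not Found</h1></center>" in body or "<center>nginx</center>" in body:
        return "nginx"                               # nginx's built-in error page
    if "Welcome to our server" in body:              # SWAG's default /config/www/index.html
        return "swag"
    return "unknown"


def classify_ca_detail(detail: str) -> str:
    """Map the CA's 'Detail:' text to the most likely cause on the home-network side."""
    text = " ".join(detail.split())                  # undo certbot's line wrapping
    if "DNS problem" in text or "No valid IP addresses" in text:
        return "dns: the name has no usable A/AAAA record; fix DNS before touching port forwards"
    if "Connection refused" in text:
        return ("refused: the public IP replied, but nothing listens on the forwarded port; "
                "check router 80 -> host:%d and that SWAG still publishes that port "
                "(switching between proxynet and host networking changes it)" % SWAG_HTTP_PORT)
    if "Timeout" in text:
        return ("filtered: packets never arrive; ISP block, firewall, or CGNAT "
                "(router WAN address differs from the address whatsmyip reports)")
    if "Invalid response" in text:
        body = text.partition('"')[2].replace('\\"', '"')   # quoted body, unescaped
        family = server_family(body)
        if family == "swag":
            return ("swag-reachable: SWAG's own nginx answered, so the forward is right; "
                    "the CA just did not hit certbot's standalone listener; re-run issuance")
        if family == "apache":
            return ("wrong-service: an Apache server answered on port 80, not SWAG; the forward "
                    "targets host:80 instead of host:%d" % SWAG_HTTP_PORT)
        if family == "nginx":
            return ("nginx-404: an nginx that does not know this challenge answered; another "
                    "container or service is bound to the forwarded port, not SWAG")
        return ("wrong-service: something other than SWAG answered (a login page here means an "
                "admin UI is exposed to the internet); fix the forward target and port")
    return "unknown: read /config/log/letsencrypt/letsencrypt.log inside the SWAG config folder"


def probe(hostname: str, token: str = "swag-probe", timeout: float = 5.0) -> str:
    """Fetch the challenge URL the way the CA does and classify the answer.
    Run from OUTSIDE the LAN (phone on mobile data, a VPS): from inside,
    NAT loopback hides port-forward mistakes."""
    url = "http://%s/.well-known/acme-challenge/%s" % (hostname, token)
    try:
        ip = socket.gethostbyname(hostname)
    except socket.gaierror:
        return classify_ca_detail("DNS problem: NXDOMAIN looking up A for %s" % hostname)
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read(512).decode("latin-1")
    except urllib.error.HTTPError as err:            # 4xx/5xx still carries a body to fingerprint
        body = err.read(512).decode("latin-1")
    except urllib.error.URLError as err:
        if isinstance(err.reason, ConnectionRefusedError):
            return classify_ca_detail("Connection refused")
        return classify_ca_detail("Timeout during connect (likely firewall problem)")
    except socket.timeout:
        return classify_ca_detail("Timeout during connect (likely firewall problem)")
    if token in body:
        return "ok: the challenge path reached a listener that serves the token"
    return classify_ca_detail('Invalid response from %s [%s]: "%s"' % (url, ip, body))


# Constructed from the two errors quoted in this thread.
DETAIL_404 = ('Invalid response from http://mydomain.com/.well-known/acme-challenge/0OAvQT7b '
              '[203.0.113.7]: "<!DOCTYPE HTML PUBLIC \\"-//IETF//DTD HTML 2.0//EN\\">\\n'
              '<html><head>\\n<title>404 Not Found</title>\\n</head><body>\\n<h1>Not Found</h1>\\n<p"')
DETAIL_REFUSED = ("Fetching http://CHANGED.duckdns.org/.well-known/acme-challenge/wkC33SQD: "
                  "Connection refused")

if __name__ == "__main__":
    for detail in (DETAIL_404, DETAIL_REFUSED):
        print(classify_ca_detail(detail))
```

The fingerprinting is deliberately coarse: the point is only to tell "my SWAG answered" apart from "some other daemon on my public IP answered", because the second case is the one that also exposes whatever that daemon is.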
40 minutes ago, BelgarionNL said:

Is there a limit on how many times you can do this regarding getting new certs?

Yes, I don't remember what the limit is but for testing you should enable staging then the limit will be much higher.

5 minutes ago, strike said:

Yes, I don't remember what the limit is but for testing you should enable staging then the limit will be much higher.

 

I hope someone can say if this connection refused is regarding me hitting that limit or if its something else.

but I appreciate you telling me that there is at least a limit! this is helpful.

 

Oh, and I tried staging. It gave me the same or similar error, but then with a not-signed cert or something.

Edited by BelgarionNL
10 minutes ago, BelgarionNL said:

 

I hope someone can actually say if this connection refused is regarding me hitting that limit or if its something else.

If it was working before and you have not changed the port forwarding, it's probably because you're hitting the limit. Here you can see what the limits are: https://letsencrypt.org/docs/rate-limits/

 

Edit: Maybe check the let's encrypt log if it has any more info.

Edited by strike
3 minutes ago, BelgarionNL said:

Don't think so, since I am not getting this message: too many certificates already issued

 

plus I have only changed it like 10 times max. not hitting the 50 as of yet :)

What does the letsencrypt log say? it's located in your appdata folder letsencrypt/log/letsencrypt

 

Quote

There is a Failed Validation limit of 5 failures per account, per hostname, per hour. This limit is higher on our staging environment, so you can use that environment to debug connectivity problems. Exceeding the Failed Validations limit is reported with the error message too many failed authorizations recently.

 

8 hours ago, strike said:

What does the letsencrypt log say? it's located in your appdata folder letsencrypt/log/letsencrypt



there is no log?
 

And yes I can ping my duckdns domain and it shows my ip.

 

could it be a permissions thing?
it made a couple folders as root:


Edited by BelgarionNL
13 hours ago, BelgarionNL said:

Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=duckdns.org
SUBDOMAINS=CHANGED
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
CERTPROVIDER=
DNSPLUGIN=
EMAIL=CHANGED@outlook.com
STAGING=false

Your URL is not duckdns.org, it's your_user.duckdns.org. You don't own duckdns.org.


Hey, I just converted my UnRaid server from letsencrypt to SWAG.  For some reason when I left click and select the WebUI for SWAG I get "this site can't be reached".  Everything was working until I installed the SWAG docker.  
 

Now I can't get to the WebUI and I am failing the check to get a certificate. I am unable to access https://<serverIP>:<sslport>

 

19 hours ago, saarg said:

Your URL is not duckdns.org, it's your_user.duckdns.org. You don't own duckdns.org.

 


 

domain1 being my subdomain I created on the duckdns.org website.

 

I followed the video:


Edited by BelgarionNL
1 hour ago, BelgarionNL said:


It's still not correct even though you followed a guide. You do not own duckdns.org; you "own" blahblahblah.duckdns.org, so add that to the domain name. Subdomains will be subdomain.blahblahblah.duckdns.org.

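To see why saarg's point matters, it helps to spell out which names the container will actually put in the certificate request. The snippet below is an added example, not SWAG's code; it is my reading of the "Only subdomains, no URL in cert" and "Sub-domains processed are: -d ..." lines in the log above, plus the wildcard and EXTRA_DOMAINS behaviour as I understand it (treat those two branches as assumptions). The second function flags any requested name that is not at or below the DuckDNS name you actually control, which is exactly the name the CA will challenge and nobody on your side can answer.

```python
"""Expand SWAG's URL / SUBDOMAINS / ONLY_SUBDOMAINS / EXTRA_DOMAINS into the
names it requests, and flag the ones you cannot prove control over.

Added example for this thread; my reading of the container log, not SWAG's code.
Assumptions: SUBDOMAINS=wildcard yields *.URL; EXTRA_DOMAINS are appended as-is.
"""
from typing import List


def requested_names(url: str, subdomains: str = "", only_subdomains: bool = False,
                    extra_domains: str = "") -> List[str]:
    """Names that end up as '-d' arguments to certbot, in SWAG's order."""
    subs = [s.strip() for s in subdomains.split(",") if s.strip()]
    names: List[str] = []
    if subs == ["wildcard"]:                 # assumption: wildcard mode (needs DNS validation)
        names.append("*." + url)
    else:
        names.extend("%s.%s" % (s, url) for s in subs)
    if not only_subdomains:                  # "Only subdomains, no URL in cert" otherwise
        names.insert(0, url)
    names.extend(d.strip() for d in extra_domains.split(",") if d.strip())
    return names


def not_under_control(names: List[str], controlled: str) -> List[str]:
    """Requested names that are neither the controlled name nor below it."""
    def owned(name: str) -> bool:
        bare = name[2:] if name.startswith("*.") else name
        return bare == controlled or bare.endswith("." + controlled)
    return [n for n in names if not owned(n)]


if __name__ == "__main__":
    # The log above: URL=duckdns.org, SUBDOMAINS=CHANGED, ONLY_SUBDOMAINS=true
    print(requested_names("duckdns.org", "CHANGED", True))
    # Same variables with ONLY_SUBDOMAINS=false would ask for duckdns.org itself
    print(not_under_control(requested_names("duckdns.org", "CHANGED", False), "CHANGED.duckdns.org"))
    # What saarg suggests: the DuckDNS name as URL, services as subdomains
    print(requested_names("domain1.duckdns.org", "nextcloud,sonarr", True))
```

With ONLY_SUBDOMAINS=true the broken setting happens to request only CHANGED.duckdns.org, which is why the cert list in the log looks plausible; the moment you add a second service as a SUBDOMAINS entry it becomes service.duckdns.org, a name that belongs to someone else.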
