[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


8 minutes ago, BTPBen said:

but shouldn't I be able to access https://abc.def.ghi.jkl:xx443 even if the cert isn't any good?

No you can't, as nginx isn't started until you have a valid cert.


10 minutes ago, saarg said:

No you can't, as nginx isn't started until you have a valid cert.

 

So, at this point I am trying to figure things out.  

In my router I have configured port 80 and port 443 to forward to my UnRaid server on ports xx080 and xx443 which are the same ports on my SWAG configuration. 
I am getting timeouts trying to renew my expired cert.

I tried to telnet into unraid on xx080 and it tells me it cannot open a connection. 

If I can't establish the connection to the SWAG container how can I renew my cert?

1 hour ago, BTPBen said:

 

So, at this point I am trying to figure things out.  

In my router I have configured port 80 and port 443 to forward to my UnRaid server on ports xx080 and xx443 which are the same ports on my SWAG configuration. 
I am getting timeouts trying to renew my expired cert.

I tried to telnet into unraid on xx080 and it tells me it cannot open a connection. 

If I can't establish the connection to the SWAG container how can I renew my cert?

You have to fix your port forward or whatever it is that is blocking the connection.

So I have been banging my head off the wall trying to figure this out. I have searched this thread and google as much as I can. I think I might just not have the right search terms to get the info I need. (or something is not working right)

 

I am trying to get nginx to pass the real client IP to the backend. I cannot figure for the life of me why it does not work. My proxy.conf is set to default right now but I have tried every combination of settings I can think of. It appears that I am passing a list of IPs to the backend that includes both the reverse proxy and the client IPs but apps are only reading the reverse proxy IP. I need to get it to pass just the client IP. How do I do this?
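
The question above describes a backend that receives an X-Forwarded-For list containing both the proxy and the client address. As an added example (not part of the original post, and not code from SWAG or any of the apps discussed), this Python function shows how a backend can pick the client address from that list while trusting only its own proxies; the 172.16.0.0/12 trusted range and all sample addresses are assumptions.

```python
import ipaddress

# Assumption: networks the backend treats as its own reverse proxies
# (here the private range Docker bridge networks usually draw from).
TRUSTED_PROXIES = [ipaddress.ip_network("172.16.0.0/12")]

# Constructed sample: the client sent a forged first entry, the proxy appended
# the address it actually saw (203.0.113.7).
SAMPLE_XFF = "198.51.100.9, 203.0.113.7"


def is_trusted(addr, trusted=TRUSTED_PROXIES):
    """True when addr belongs to one of the trusted proxy networks."""
    return any(addr in net for net in trusted)


def client_ip(peer, xff_header, trusted=TRUSTED_PROXIES):
    """Return the address a backend should log or rate-limit on.

    peer: source address of the TCP connection (the proxy, when proxied).
    xff_header: raw X-Forwarded-For value, or None when absent.
    """
    peer_addr = ipaddress.ip_address(peer)
    # Connection not coming from a trusted proxy: ignore the header entirely,
    # because any client can send its own X-Forwarded-For.
    if not is_trusted(peer_addr, trusted) or not xff_header:
        return str(peer_addr)
    # Each proxy appends the address it saw, so walk right to left: the
    # right-most entry that is not a trusted proxy is the real client.
    for entry in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(entry.strip())
        except ValueError:
            break  # malformed entry: nothing further left can be trusted
        if not is_trusted(addr, trusted):
            return str(addr)
        peer_addr = addr  # another trusted hop, keep walking left
    return str(peer_addr)
```

An app that reads the left-most entry instead can be fed any address by the client, and an app that ignores the header sees only the proxy.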

 

10 hours ago, saarg said:

You have to fix your port forward or whatever it is that is blocking the connection.

 

That's what I can't seem to figure out: what's blocking the connection. Based on the line below, if I open the UnRaid terminal should I be able to telnet to port 180 on the UnRaid server and get a response from SWAG before I get a certificate?
 

telnet 192.168.0.xxx 180

 


5 hours ago, BTPBen said:

 

That's what I can't seem to figure out: what's blocking the connection. Based on the line below, if I open the UnRaid terminal should I be able to telnet to port 180 on the UnRaid server and get a response from SWAG before I get a certificate?
 


telnet 192.168.0.xxx 180

 


Follow this https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

31 minutes ago, BTPBen said:

Followed the guide, found out that my ISP is what's blocking port 80 and SWAG won't work if I set up a dynu port redirect to something like 40080.  So I guess I will never get a certificate :/

If you use DNS validation you only need 443, only thing you really will lose is automatic http->https redirection.  

DuckDNS is free and supports DNS validation.  

Hi,

Is authelia integrated in swag?
I noticed that I have authelia files under /appdata/swag/nginx/:
authelia-location.conf and authelia-server.conf


When I look at my certificate, all of my sub-domains are in there
"Alternative holder designations"

Have I done something wrong?
Shouldn't each subdomain have its own certificate?

5 hours ago, Abigel said:

Hi,

Is authelia integrated in swag?
I noticed that I have authelia files under /appdata/swag/nginx/:
authelia-location.conf and authelia-server.conf

It's not integrated. It has the config files to use authelia. Follow the guide on our blog to set it up.

https://blog.linuxserver.io

5 hours ago, Konfitüre said:


When I look at my certificate, all of my sub-domains are in there
"Alternative holder designations"

Have I done something wrong?
Shouldn't each subdomain have its own certificate?

It only creates one cert covering everything.

Hello, 
I have swag up and running and there has been no issues. However, recently I saw this pop up in the container log:

 

[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

Server ready


Has anyone run across this or can shed some light on this?

Thank you,
 

I've been trying to search for a way to do this, but have come up empty-handed - probably because I haven't got the search terms quite right, so apologies if this has been covered before (as it almost certainly has).

 

I would like to access some internal-facing websites via SSL - ones that I do not want accessible from the internet, such as Unraid, and Unifi - but I can't find a guide to do this that doesn't also point them to the internet.

What settings can I change to a) have them receive an SSL via certbot (or is my wildcard cert already covering them?) and b) to be accessible by https://subdomain.mydomain.com address, but only from my LAN?

 

Can someone point me to the right place that explains how I can do this? As I said before, I couldn't find it in the documentation mainly because I'm not quite sure what to search for.

 

Bonus points for help on how (if it's possible) to set up a cert + SSL for my pi-hole instance, which is running on a separate RPi, rather than an Unraid Docker.

 

Many thanks for your help.


7 hours ago, bombz said:

Hello, 
I have swag up and running and there has been no issues. However, recently I saw this pop up in the container log:

 


[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

Server ready


Has anyone run across this or can shed some light on this?

Thank you,
 

See the pinned notice at the top of the thread.

Nothing to worry about.

Need help setting up swag for the first time. I have my own domain, and I have the DNS through my provider pointing the subdomains bitwarden.XXXX.xyz and nextcloud.XXXX.xyz at mydomain.duckdns.org. I currently have openvpn running, and when I go to my server address with openvpn enabled, it gets through to the server, so I'm pretty sure that the duckdns part is working.

 

Not sure what I'm doing wrong.

Ok, now openvpn isn't working either


I have trouble making outgoing connections from inside the Docker proxy net (not using the Unraid bridge).

  • curl -I google.com works
  • curl -I some.dyndns.for.same.lan fails  (e.g. cloudpi.dns.navy, a test device on a Raspberry Pi)
  • curl -I -x swag:80 some.dyndns.for.same.lan works

  E.g. when I open the console for the SWAG container and try to access a Raspberry Pi that's connected to the web:

 

# curl -Iv cloudpi.dns.navy
*   Trying 37.201.145.221:80...
*   Trying 2a02:908:4b60:a2e0:ba27:ebff:fe83:4fe:80...
* Immediate connect fail for 2a02:908:4b60:a2e0:ba27:ebff:fe83:4fe: Address not available
*   Trying 2a02:908:4b60:a2e0:ba27:ebff:fe83:4fe:80...
* Immediate connect fail for 2a02:908:4b60:a2e0:ba27:ebff:fe83:4fe: Address not available

 

This is puzzling me a lot. If you copy and paste the CURL command, you'll notice that this will work fine from a regular computer. (Maybe even from your own Unraid SWAG instance? Dunno)

 

If I define a proxy parameter in the request, this works out better:

 

# curl -I -x swag:80 cloudpi.dns.navy
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Date: Fri, 22 Jan 2021 11:10:48 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://cloudpi.dns.navy/

 

The same -x parameter makes the CURL request reach the destination device from my SWAG container and my Nextcloud container.

 

I can't get it to work with a https:// URL when I specify swag:443 as the proxy. I get a 400 Bad Request by SWAG. Same for -x swag:443 https://google.com, so the port 443 forwarding isn't limited to my DynDNS.

 

I went down the CURL rabbit hole because my Nextcloud could connect to an instance I hosted on my web server, but not to the device with the dns.navy URL (it is in the same LAN). I don't know anybody with a DynDNS Nextcloud instance to try to figure out what may be going wrong.

 

Am I holding it wrong? Is there any other debugging tool for this I could use? nslookup works, ping works, curl doesn't -- and to that extent connecting Nextcloud instances here doesn't work either.


With the latest update, unfortunately all of my reverse proxies are no longer working.

 

I have it configured to use my own domain, and there is a cname associated to each subdomain. My dynamic dns is resolved with DuckDNS, and I have all of the relevant containers set on proxynet along with the SWAG container.

 

My logs show that the Server is ready, however it is flagging that the Prox-conf files are out of date. Could this be causing the issue? Did the templates change materially?

 

The containers in use are Bitwardenrs, Nextcloud, and OMbi

So I got openvpn working again, but I still can't get the certificate to issue. I get the following error:

Domain: bitwarden.XXXXX.xyz
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for
bitwarden.XXXXX.xyz - check that a DNS record exists for this

 

I have Gandi liveDNS set to redirect from bitwarden.XXXXX.xyz to XXXXX.duckdns.org using CNAME

 

NAME       TYPE   TTL    VALUE
bitwarden  CNAME  10800  XXXXX.duckdns.org

Can someone point me in the right direction on setting up PHP mail() function to work within SWAG?  Is this something I should expect to work or should I give up and use SMTP connectivity to Gmail, for example, to send email messages from a simple php script.

 

Thanks in advance,

Abner

2 hours ago, Ryguy said:

With the latest update, unfortunately all of my reverse proxies are no longer working.

 

I have it configured to use my own domain, and there is a cname associated to each subdomain. My dynamic dns is resolved with DuckDNS, and I have all of the relevant containers set on proxynet along with the SWAG container.

 

My logs show that the Server is ready, however it is flagging that the Prox-conf files are out of date. Could this be causing the issue? Did the templates change materially?

 

The containers in use are Bitwardenrs, Nextcloud, and OMbi

 

Same with me ... I had my server down like for 3 weeks (I had my mainboard in the warranty) and everything worked: plex, gitea, sonarr, deluge, nextcloud ... finally I had all of them working and now all are down again

Funny thing now as an exception for other not working dates (misconfiguration of swag/pipeline until swag) is that swag is validating the certificate for everything domain and the above mentioned subdomains but am still getting Bad Gateway ...

22 minutes ago, alexandru360 said:

 

Same with me ... I had my server down like for 3 weeks (I had my mainboard in the warranty) and everything worked: plex, gitea, sonarr, deluge, nextcloud ... finally I had all of them working and now all are down again

Funny thing now as an exception for other not working dates (misconfiguration of swag/pipeline until swag) is that swag is validating the certificate for everything domain and the above mentioned subdomains but am still getting Bad Gateway ...

 

After some further investigation I had these lines in my swag log:

**** The following reverse proxy confs have different version dates than the samples that are shipped. ****
**** This may be due to user customization or an update to the samples. ****
**** You should compare them to the samples in the same folder to make sure you have the latest updates. ****
/config/nginx/proxy-confs/sonarr.subdomain.conf
/config/nginx/proxy-confs/plex.subdomain.conf
/config/nginx/proxy-confs/openvpn-as.subdomain.conf
/config/nginx/proxy-confs/nextcloud.subdomain.conf
/config/nginx/proxy-confs/gitea.subdomain.conf

I will investigate and come back with results ...

5 minutes ago, alexandru360 said:

 

After some further investigation I had these lines in my swag log:

**** The following reverse proxy confs have different version dates than the samples that are shipped. ****
**** This may be due to user customization or an update to the samples. ****
**** You should compare them to the samples in the same folder to make sure you have the latest updates. ****
/config/nginx/proxy-confs/sonarr.subdomain.conf
/config/nginx/proxy-confs/plex.subdomain.conf
/config/nginx/proxy-confs/openvpn-as.subdomain.conf
/config/nginx/proxy-confs/nextcloud.subdomain.conf
/config/nginx/proxy-confs/gitea.subdomain.conf

I will investigate and come back with results ...

 

Nope ... I backed up all my configs, reset everything to default, cloned only deluge[...].conf and restarted swag and for subdomains I get Bad Gateway ... If someone has an idea I'll be all eyes ...

Just a thought: 
I saw on another thread here a response from 2019 that Nerd Pack might interfere with swag "mojo" ... is this still the case?

1 hour ago, alexandru360 said:

 

Nope ... I backed up all my configs, reset everything to default, cloned only deluge[...].conf and restarted swag and for subdomains I get Bad Gateway ... If someone has an idea I'll be all eyes ...

Just a thought: 
I saw on another thread here a response from 2019 that Nerd Pack might interfere with swag "mojo" ... is this still the case?

I’m in the same boat. Same log warnings. Can’t figure this out at all. 
