[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


12 hours ago, BTPBen said:

Hey, I just converted my UnRaid server from letsencrypt to SWAG.  For some reason when I left click and select the WebUI for SWAG I get "this site can't be reached".  Everything was working until I installed the SWAG docker.  
 

Now I can't get to the WebUI and I am failing the check to get a certificate. I am unable to access https://<serverIP>:<sslport>

 

 

If it's trying to get a new cert, you have not managed to use the same appdata folder as you did for letsencrypt.


2 hours ago, saarg said:

It's still not correct even though you followed a guide. You do not own duckdns.org. You "own" blahblahblah.duckdns.org, so add that to domain name. Subdomains will be subdomain.blahblahblah.duckdns.org.

 

except with duckdns it's blahblahblah.duckdns.org and subdomain.duckdns.org.

 

anyhow I got fed up so got my own domain + cloudflare dns verification and now it works.

 

I still think it was my ISP blocking something after I was messing around with it too long.

 

thanks for all the help!

Edited by BelgarionNL
47 minutes ago, BelgarionNL said:

 

except with duckdns it's blahblahblah.duckdns.org and subdomain.duckdns.org.

 

anyhow I got fed up so got my own domain + cloudflare dns verification and now it works.

 

I still think it was my ISP blocking something after I was messing around with it too long.

 

thanks for all the help!

No it's not.

3 hours ago, saarg said:

 

If it's trying to get a new cert, you have not managed to use the same appdata folder as you did for letsencrypt.

but shouldn't I be able to access https://abc.def.ghi.jkl:xx443 even if the cert isn't any good?

8 minutes ago, BTPBen said:

but shouldn't I be able to access https://abc.def.ghi.jkl:xx443 even if the cert isn't any good?

No you can't, as nginx isn't started until you have a valid cert.

10 minutes ago, saarg said:

No you can't, as nginx isn't started until you have a valid cert.

 

So, at this point I am trying to figure things out.  

In my router I have configured port 80 and port 443 to forward to my UnRaid server on ports xx080 and xx443 which are the same ports on my SWAG configuration. 
I am getting timeouts trying to renew my expired cert.

I tried to telnet into unraid on xx080 and it tells me it cannot open a connection. 

If I can't establish the connection to the SWAG container how can I renew my cert?

1 hour ago, BTPBen said:

 

So, at this point I am trying to figure things out.  

In my router I have configured port 80 and port 443 to forward to my UnRaid server on ports xx080 and xx443 which are the same ports on my SWAG configuration. 
I am getting timeouts trying to renew my expired cert.

I tried to telnet into unraid on xx080 and it tells me it cannot open a connection. 

If I can't establish the connection to the SWAG container how can I renew my cert?

You have to fix your port forward or whatever it is that is blocking the connection.


So I have been banging my head off the wall trying to figure this out. I have searched this thread and google as much as I can. I think I might just not have the right search terms to get the info I need. (or something is not working right)

 

I am trying to get nginx to pass the real client IP to the backend. I cannot figure for the life of me why it does not work. My proxy.conf is set to default right now but I have tried every combination of settings I can think of. It appears that I am passing a list of IPs to the backend that includes both the reverse proxy and the client IPs but apps are only reading the reverse proxy IP. I need to get it to pass just the client IP. How do I do this?

 

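The symptom in the post above (the backend sees the reverse proxy's address rather than the client's) is usually not an nginx problem but a trust problem on the backend side: X-Forwarded-For is a comma-separated list that the client can pre-fill with anything, so an application that has not been told which proxy addresses to believe is right to ignore the header and fall back to the TCP peer. The following is an added example, not code from the thread or from SWAG's own proxy.conf. It assumes the proxy forwards the header the way nginx's $proxy_add_x_forwarded_for does (append the peer's address to whatever arrived) and that the proxy lives on a Docker network whose range is the constructed value 172.18.0.0/16; the client addresses are documentation-range samples.

```python
import ipaddress
from typing import Iterable, Optional

# Constructed sample range standing in for the Docker user-defined network
# ("proxynet") on which the SWAG container runs. Adjust to your own network.
PROXY_NET = "172.18.0.0/16"


def proxy_add_x_forwarded_for(incoming: Optional[str], peer: str) -> str:
    """What nginx's $proxy_add_x_forwarded_for evaluates to: the header as it
    arrived (possibly client-supplied, therefore untrusted) with the TCP peer
    address appended on the right."""
    return f"{incoming}, {peer}" if incoming else peer


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def _in_any(ip: str, nets) -> bool:
    return _is_ip(ip) and any(ipaddress.ip_address(ip) in n for n in nets)


def client_ip(remote_addr: str, xff: Optional[str],
              trusted_proxies: Iterable[str]) -> str:
    """Return the address a backend should log, rate-limit or ban on.

    Only hops appended by proxies we operate are believed. Walking the list
    from the right, the first address that is not one of our proxies is the
    real client; everything to its left was supplied by the client itself.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    if not _in_any(remote_addr, nets):
        # The TCP peer is not one of our proxies, so the header is hearsay.
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if not _is_ip(hop):
            return remote_addr  # malformed entry: refuse to guess
        if not _in_any(hop, nets):
            return hop
    return remote_addr  # every hop was our own proxy, or the header was empty


if __name__ == "__main__":
    # A request from 203.0.113.7 passing through SWAG at 172.18.0.2, where the
    # client tried to pre-fill the header with a bogus address.
    header = proxy_add_x_forwarded_for("10.9.9.9", "203.0.113.7")
    print("header as the backend receives it:", header)
    print("with proxy trusted:", client_ip("172.18.0.2", header, [PROXY_NET]))
    print("with no trusted proxies:", client_ip("172.18.0.2", header, []))
```

The last two lines of the demo reproduce the situation in the post: with an empty trusted-proxy list the backend correctly reports 172.18.0.2, the proxy, because it has no basis to believe the header. The fix is to give the application (or its framework's proxy-fix middleware) the proxy network as trusted, not to strip the proxy's own address out of the header on the nginx side.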
10 hours ago, saarg said:

You have to fix your port forward or whatever it is that is blocking the connection.

 

That's what I can't seem to figure out: what's blocking the connection. Based on the line below, if I open the UnRaid terminal, should I be able to telnet to port 180 on the UnRaid server and get a response from SWAG before I get a certificate?
 

telnet 192.168.0.xxx 180

 

[Attached screenshot: swagtelnet.png]

5 hours ago, BTPBen said:

 

That's what I can't seem to figure out: what's blocking the connection. Based on the line below, if I open the UnRaid terminal, should I be able to telnet to port 180 on the UnRaid server and get a response from SWAG before I get a certificate?
 


telnet 192.168.0.xxx 180

 

[Attached screenshot: swagtelnet.png]

Follow this https://blog.linuxserver.io/2019/07/10/troubleshooting-letsencrypt-image-port-mapping-and-forwarding/

31 minutes ago, BTPBen said:

Followed the guide, found out that my ISP is what's blocking port 80, and SWAG won't work if I set up a Dynu port redirect to something like 40080. So I guess I will never get a certificate :/

If you use DNS validation you only need 443, only thing you really will lose is automatic http->https redirection.  

DuckDNS is free and supports DNS validation.  

5 hours ago, Abigel said:

Hi,

Is authelia integrated in swag?
I noticed that I have authelia files under /appdata/swag/nginx/:
authelia-location.conf and authelia-server.conf

It's not integrated. It has the config files to use authelia. Follow the guide on our blog to set it up.

https://blog.linuxserver.io

5 hours ago, Konfitüre said:


When I look at my certificate, all of my sub-domains are in there
"Alternative holder designations"

Have I done something wrong ?
Shouldn't each subdomain have its own certificate?

It only creates one cert covering everything.


Hello, 
I have swag up and running and there has been no issues. However, recently I saw this pop up in the container log:

 

[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

Server ready


Has anyone run across this or can shed some light on this?

Thank you,
 


I've been trying to search for a way to do this, but have come up empty-handed - probably because I haven't got the search terms quite right, so apologies if this has been covered before (as it almost certainly has).

 

I would like to access some internal-facing websites via SSL - ones that I do not want accessible from the internet, such as Unraid, and Unifi - but I can't find a guide to do this that doesn't also point them to the internet.

What settings can I change to a) have them receive an SSL via certbot (or is my wildcard cert already covering them?) and b) to be accessible by https://subdomain.mydomain.com address, but only from my LAN?

 

Can someone point me to the right place that explains how I can do this? As I said before, I couldn't find it in the documentation mainly because I'm not quite sure what to search for.

 

Bonus points for help on how (if it's possible) to set up a cert + SSL for my pi-hole instance, which is running on a separate RPi, rather than an Unraid Docker.

 

Many thanks for your help.

Edited by jademonkee
typo
7 hours ago, bombz said:

Hello, 
I have swag up and running and there has been no issues. However, recently I saw this pop up in the container log:

 


[services.d] starting services
[services.d] done.
nginx: [alert] detected a LuaJIT version which is not OpenResty's; many optimizations will be disabled and performance will be compromised (see https://github.com/openresty/luajit2 for OpenResty's LuaJIT or, even better, consider using the OpenResty releases from https://openresty.org/en/download.html)

Server ready


Has anyone run across this or can shed some light on this?

Thank you,
 

See the pinned notice at the top of the thread.

Nothing to worry about.


Need help setting up swag for the first time. I have my own domain, and I have the DNS through my provider point the subdomains bitwarden.XXXX.xyz and nextcloud.XXXX.xyz at mydomain.duckdns.org. I currently have openvpn running, and when I go to my server address with openvpn enabled, it gets through to the server, so I'm pretty sure that the duckdns part is working.

 

Not sure what I'm doing wrong.

[Attached: SWAG1 TS1.PNG, Swag2 TS1.PNG, gandi TS1.PNG, router TS1.png, TS1 Log.txt]


I have trouble making outgoing connections from inside the Docker proxy net (not using the Unraid bridge).

  • curl -I google.com works
  • curl -I some.dyndns.for.same.lan fails (e.g. cloudpi.dns.navy, a test device on a Raspberry Pi)
  • curl -I -x swag:80 some.dyndns.for.same.lan works

  E.g. when I open the console for the SWAG container and try to access a Raspberry Pi that's connected to the web:

 

# curl -Iv cloudpi.dns.navy
*   Trying 37.201.145.221:80...
*   Trying 2a02:908:4b60:a2e0:ba27:ebff:fe83:4fe:80...
* Immediate connect fail for 2a02:908:4b60:a2e0:ba27:ebff:fe83:4fe: Address not available
*   Trying 2a02:908:4b60:a2e0:ba27:ebff:fe83:4fe:80...
* Immediate connect fail for 2a02:908:4b60:a2e0:ba27:ebff:fe83:4fe: Address not available

 

This is puzzling me a lot. If you copy and paste the CURL command, you'll notice that this will work fine from a regular computer. (Maybe even from your own Unraid SWAG instance? Dunno)

 

If I define a proxy parameter in the request, this works out better:

 

# curl -I -x swag:80 cloudpi.dns.navy
HTTP/1.1 301 Moved Permanently
Server: nginx/1.18.0
Date: Fri, 22 Jan 2021 11:10:48 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: https://cloudpi.dns.navy/

 

The same -x parameter makes the CURL request reach the destination device from my SWAG container and my Nextcloud container.

 

I can't get it to work with a https:// URL when I specify swag:443 as the proxy. I get a 400 Bad Request by SWAG. Same for -x swag:443 https://google.com, so the port 443 forwarding isn't limited to my DynDNS.

 

I went down the CURL rabbit hole because my Nextcloud could connect to an instance I hosted on my web server, but not to the device with the dns.navy URL (it is in the same LAN). I don't know anybody with a DynDNS Nextcloud instance to try to figure out what may be going wrong.

 

Am I holding it wrong? Is there any other debugging tool for this I could use? nslookup works, ping works, curl doesn't -- and to that extent connecting Nextcloud instances here don't work either.

Edited by ctietze
added info that command usually works

with the latest update, unfortunately all of my reverse proxies are no longer working.

 

I have it configured to use my own domain, and there is a cname associated to each subdomain. My dynamic dns is resolved with DuckDNS, and I have all of the relevant containers set on proxynet along with the SWAG container.

 

My logs show that the server is ready; however, it is flagging that the proxy-conf files are out of date. Could this be causing the issue? Did the templates change materially?

 

The containers in use are Bitwardenrs, Nextcloud, and Ombi.


So I got openvpn working again, but I still can't get the certificate to issue. I get the following error:

Domain: bitwarden.XXXXX.xyz
Type: dns
Detail: DNS problem: NXDOMAIN looking up A for
bitwarden.XXXXX.xyz - check that a DNS record exists for this

 

I have Gandi liveDNS set to redirect from bitwarden.XXXXX.xyz to XXXXX.duckdns.org using CNAME

 

NAME       TYPE   TTL    VALUE
bitwarden  CNAME  10800  XXXXX.duckdns.org


Can someone point me in the right direction on setting up PHP mail() function to work within SWAG?  Is this something I should expect to work or should I give up and use SMTP connectivity to Gmail, for example, to send email messages from a simple php script.

 

Thanks in advance,

Abner

