[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



5 hours ago, mattgob86 said:

I came here for this as well. I have the port 80 already in my template at the top. Every time I update the docker, it adds another variable for port 80, filled in as port 80, at the bottom, and the conflict makes the docker die; it won't start until I remove the added variable. No matter how many times I remove it, it adds it back.

 

I don't know if this is because I just changed the repo when it was switched to swag and left the existing template alone.

If port 80 is taken, then simply use another port. That's what port mapping is for.


7 hours ago, saarg said:

If port 80 is taken, then simply use another port. That's what port mapping is for.


 

So why, if this is at the top, does it automatically add another one after a docker update?


 

I have seen this before, and it hasn't been a problem, with the exception of the last 2-3 weeks of updates not letting the docker start after the update until that new http: variable is removed.


Hello,

 

when I start up the swag container, I am concerned about these two lines in the log:

 

sed: /etc/conf.d/libmaxminddb: No such file or directory

and

/etc/periodic/weekly/libmaxminddb: .: line 3: can't open '/etc/conf.d/libmaxminddb': No such file or directory

 

Are these anything to be worried about? Or should I be fixing this? If so, how?

 

Thanks

 

2 hours ago, schuu said:

sed: /etc/conf.d/libmaxminddb: No such file or directory

and

/etc/periodic/weekly/libmaxminddb: .: line 3: can't open '/etc/conf.d/libmaxminddb': No such file or directory

 

 

I do see those lines in the log as well. Not sure if it has anything to do with geoip2 or not.

8 hours ago, mattgob86 said:


 

So why, if this is at the top, does it automatically add another one after a docker update?


 

I have seen this before, and it hasn't been a problem, with the exception of the last 2-3 weeks of updates not letting the docker start after the update until that new http: variable is removed.

Then you have removed the original one and added a new one yourself. Next time this happens, remove the one you have added and change the port in the one CA adds.


I had this working in the LE days, and seem to have successfully updated to SWAG (my certificates are updating), however, my reverse proxy setup doesn't seem to be working in one specific instance.

 

Since originally installing LE, I've added a VPN. I have a connection for my primary desktop machine, and I have a connection that I use with my binhex-delugevpn client and I have several dockers accessing the outside world using that docker as a proxy.

 

When I try to connect to https://emby.myddns.com, I get the default "Welcome to our server" page. However, when I disconnect the VPN on my desktop machine and try to access it from there, I get the login page as I would expect. If I reconnect the VPN, again, I simply get the default page again.

 

Why would the VPN connection running on my desktop machine impact SWAG's forwarding of the connection to the server? I have confirmed that port 80 is forwarded to port 81 on my server (not 100% certain why I'd changed that originally, but all I've done is transfer my LE config files to the SWAG config directory, and it does work when the VPN connection is down).

 

As soon as I posted the question, it decided to start working properly. I don't know if it took some time after adding the emby config file in (I'd missed doing that originally) and restarting the SWAG docker, or what, but now I'm getting my login prompt again.

 

Now, to reset all my passwords because I'm sure nobody remembers theirs, it's been down a while.

 


Hello

 

I have a problem. I followed this video:

I'm trying to get jellyfin working outside my local network, so I followed this video. The thing is that it's not working:

i got this error: ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container..

How do I create a cert without the wildcard and cloudflare?

I've also tried swag and I think something is wrong.

The link to my duckdns is not working either.

 

Thanks in advance


Can anybody explain Fail2ban to me please. I have guacamole set up and access granted through an nginx reverse proxy using swag. How exactly do I enable fail2ban? I read that fail2ban is already set up with the swag install for nginx. Is this enough, or do I need to add another jail for guacamole or any other container I use?

 

Also, when I run "fail2ban status" in the terminal for swag, it says fail2ban not found.  How can I check if fail2ban is on and working?

 

 


I am getting this warning in my Swag log:

 

nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"
nginx: [warn] "ssl_stapling" ignored, host not found in OCSP responder "r3.o.lencr.org" in the certificate "/config/keys/letsencrypt/fullchain.pem"

 

Is this anything to worry about?

1 hour ago, Mattti1912 said:

Is there a way to get a WAN address? I don't think I can connect without it.

 

Thank you

If you got internet, you have a wan address, unless you are behind double NAT.

9 hours ago, Mattti1912 said:

Oh, I'm not behind double NAT. But in the container, when it is set up, even without swag, I can't find my WAN in the container. Any idea why?

 

Thanks

It's hard to help when you don't supply any info. My wild guess, something is wrong.


Just updated the container and this warning is looping in the log

nginx: [emerg] dlopen() "/var/lib/nginx/modules/ngx_http_lua_module.so" failed (Error loading shared library /var/lib/nginx/modules/ngx_http_lua_module.so: No such file or directory) in /config/nginx/nginx.conf:12

 

If I roll back to 1.12.0-ls36 the warning is gone. Any idea how to fix it?

On 3/18/2017 at 2:04 PM, local.bin said:

I moved the nextcloud.log to my nextcloud data directly, rather than mounting my data directly from letsencrypt, and note that the config.php edits are also needed to get nextcloud to output the log to the appropriate place.

 

 

So I have been trying to get this set up... but seem to be hitting a bit of a barrier. When you say edit the config.php to have nextcloud output the log to the appropriate place, what edit are you putting in?

 

I am trying to read through the forum to find this but no luck... any help is great.. 

 

I followed dmacias's setup above... to try and get things working... after much trial and error I found out that with my binhex emby the log path was embyserver-*.txt, not just server-*.txt...

but as I noted I am stuck now with the nextcloud.log... ..

On 3/18/2017 at 12:12 PM, dmacias said:

Here's my setup. So for the LE docker I added

 


Hello. I'm trying to get the reverse proxy for the Nextcloud docker container working through swag. I was following the steps located at https://docs.linuxserver.io/general/swag#nextcloud-subdomain-reverse-proxy-example for setup. However, after I'm done, I'm still getting a 502 bad gateway. Any help would be appreciated. I am including both the swag config & the nextcloud config below

nextcloud.subdomain.conf

## Version 2020/12/09
# make sure that your dns has a cname set for nextcloud
# assuming this container is called "swag", edit your nextcloud container's config
# located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
#  'trusted_proxies' => ['swag'],
#  'overwrite.cli.url' => 'https://nextcloud.your-domain.com/',
#  'overwritehost' => 'nextcloud.your-domain.com',
#  'overwriteprotocol' => 'https',
#
# Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
#  array (
#    0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
#    1 => 'nextcloud.your-domain.com',
#  ),

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name home.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app nextcloud;
        set $upstream_port 18443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_max_temp_file_size 2048m;
    }
}

 

nextcloud's config.php

<?php
$CONFIG = array (
  'memcache.local' => '\\OC\\Memcache\\APCu',
  'datadirectory' => '/data',
  'instanceid' => 'oczev557ynye',
  'passwordsalt' => 'wmc1ZRU+NWpNcgcYuvHtj8inWjqPou',
  'secret' => '61yA7Ruh4yWk39ykw7EUZ9L2PcApyvYSdhYVn75Tf1/0A0m1',
  'trusted_domains' =>
  array (
    0 => '192.168.1.115:444',
    1 => 'home.snreloaded.stream:444',
    2 => 'praemunio:444'
  ),
  'dbtype' => 'mysql',
  'version' => '20.0.1.1',
  'overwrite.cli.url' => 'https://192.168.1.115:444',
  'dbname' => 'nextcloud',
  'dbhost' => '192.168.1.115:3306',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => 'nextcloud',
  'dbpassword' => 'nextcloudROOT',
  'installed' => true,
  'filesystem_check_changes' => 1,
  'trusted_proxies' => ['swag'],
  'overwrite.cli.url' => 'https://home.snreloaded.stream/',
  'overwritehost' => 'home.snreloaded.stream',
  'overwriteprotocol' => 'https',
);

 

Also, I have a DD-WRT enabled router, with port-from being 80/443, & port-to being 1880/18443. The cert validation did succeed with this. I've tried running nextcloud with both port 443 & 444 for the config in unraid. Any help would be greatly appreciated!

Edit: As a followup to this, I now have no access to nextcloud whatsoever. I'm tempted to just drop the swag redirect, & just tell people "yes, it's really safe, trust me" :(

4 hours ago, SNReloaded said:

Hello. I'm trying to get the reverse proxy for the Nextcloud docker container working through swag. I was following the steps located at https://docs.linuxserver.io/general/swag#nextcloud-subdomain-reverse-proxy-example for setup. However, after I'm done, I'm still getting a 502 bad gateway. Any help would be appreciated. I am including both the swag config & the nextcloud config below

Also, I have a DD-WRT enabled router, with port-from being 80/443, & port-to being 1880/18443. The cert validation did succeed with this. I've tried running nextcloud with both port 443 & 444 for the config in unraid. Any help would be greatly appreciated!

Edit: As a followup to this, I now have no access to nextcloud whatsoever. I'm tempted to just drop the swag redirect, & just tell people "yes, it's really safe, trust me" :(

Why have you changed the port? There is nothing mentioned about it in the instructions. Leave it as it originally was.

 

Post the docker run commands for both nextcloud and swag.


Hi all, thanks in advance for help. I thought this question might be better suited here under SWAG as the issue is with the FAIL2BAN setup of ... So, an explanation of my situation. I am working on setting up FAIL2BAN for Bitwarden as well as EMBY (had been doing nextcloud but realized it has a built-in one, so I don't have to now). I have everything working in terms of the reverse proxy, using spaceinvader's wonderful videos for support doing this.

 

With the SWAG FAIL2BAN, I have edited the jail.local to have the following additional jails under the default 4 jails.

[bitwarden]
enabled  = true
port     = http,https
filter   = bitwarden2
action   = iptables-allports[name=bitwarden]
logpath  = /log/bitwarden.log
ignoreip = 192.168.0.0/24
maxretry = 3
bantime  = 14400
findtime = 14400

[bitwarden-admin]
enabled  = true
port     = http,https
filter   = bitwarden-admin
action   = iptables-allports[name=bitwarden]
logpath  = /log/bitwarden.log
ignoreip = 192.168.0.0/24
maxretry = 2
bantime  = 14400
findtime = 14400

[emby]
enabled  = true
port     = http,https
filter   = emby
logpath  = /logs/emby/embyserver.txt
ignoreip = 192.168.0.0/24
maxretry = 3
bantime  = 14400
findtime = 14400

 

Within the filter.d folder I have created the following three config files:

EMBY

# Fail2Ban filter for emby
#

[INCLUDES]

# Read common prefixes. If any customizations available -- read them from
# common.local
before = common.conf


[Definition]
failregex = AUTH-ERROR: <HOST> - Invalid user
	HTTP Response 401 to <HOST>.

 

Bitwarden2

# Fail2Ban filter for Bitwarden
# Detecting failed login attempts
# Logged in bwdata/logs/identity/Identity/log.txt

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$
ignoreregex =

 

Bitwarden-admin

[INCLUDES]
before = common.conf

[Definition]
failregex = ^.*Invalid admin token\. IP: <ADDR>\.*$
ignoreregex =

 

 

When I go to test the fail2ban (by going onto my cell network) and attempting to connect to the reverse-proxied emby or bitwarden with incorrect logins past the "maxretry", it does not activate... HOWEVER, when I go to reset the SWAG container, then the blocking occurs (confirmed by using the terminal tools "docker exec -it swag fail2ban-client status" and "docker exec -it swag fail2ban-client status <jail name>"). While doing the testing, the jails are all shown as active. Any thoughts on why this is?

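To reason about what the jails posted above will and will not ban, it helps to replay the jail logic by hand. The script below is an added example and is not fail2ban's own code: a deliberately small model of one jail (a failregex with the `<HOST>`/`<ADDR>` placeholder, hits per host counted inside a sliding `findtime` window, `maxretry`, `bantime`, and `ignoreip`), built from the two bitwarden jail definitions and filters in the post and run over constructed log lines in the shape those filters expect. The IP addresses, user names and timestamps are made up; the `<HOST>` expansion is simplified compared with fail2ban's real one. Against a real log inside the container, the tool for this check is `fail2ban-regex <logfile> <filter file>`.

```python
"""Offline replay of fail2ban jail semantics against constructed log lines."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# fail2ban expands <HOST> and <ADDR> into an address pattern; this simplified
# stand-in (dotted IPv4 or a bare IPv6 literal) is enough for the replay.
ADDR_PATTERN = r"(?P<host>(?:\d{1,3}\.){3}\d{1,3}|[0-9A-Fa-f]*:[0-9A-Fa-f:]+)"


def compile_failregex(failregex):
    """Turn one failregex line (fail2ban syntax) into a Python regex."""
    return re.compile(
        failregex.replace("<HOST>", ADDR_PATTERN).replace("<ADDR>", ADDR_PATTERN)
    )


class Jail:
    """Model of one jail: matches per host inside findtime, ban at maxretry,
    hosts covered by ignoreip are never counted."""

    def __init__(self, name, failregex, maxretry, findtime, bantime, ignoreip=()):
        self.name = name
        self.patterns = [compile_failregex(r) for r in failregex]
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.ignore = [ipaddress.ip_network(n, strict=False) for n in ignoreip]
        self.hits = defaultdict(deque)  # host -> timestamps of recent matches
        self.bans = {}                  # host -> ban expiry

    def feed(self, when, line):
        """Process one log line; return the host if this line triggers a ban."""
        match = next((m for m in (p.search(line) for p in self.patterns) if m), None)
        if match is None:
            return None
        host = match.group("host")
        if any(ipaddress.ip_address(host) in net for net in self.ignore):
            return None
        window = self.hits[host]
        window.append(when)
        while when - window[0] > self.findtime:   # drop hits older than findtime
            window.popleft()
        if len(window) >= self.maxretry and host not in self.bans:
            self.bans[host] = when + self.bantime
            return host
        return None

    def banned(self, now):
        """Hosts whose ban has not yet expired at time `now`."""
        return sorted(h for h, expiry in self.bans.items() if expiry > now)


def replay(jail, entries):
    """Feed (timestamp, line) pairs in order; return hosts banned, in order."""
    return [h for h in (jail.feed(t, line) for t, line in entries) if h]


# Constructed sample lines in the shape the posted bitwarden filters expect;
# both jails read the same logpath, as in the posted jail.local.
T0 = datetime(2021, 1, 10, 20, 0, 0)


def t(seconds):
    """Timestamp `seconds` after T0 (helper for the constructed log)."""
    return T0 + timedelta(seconds=seconds)


LOGIN_FAIL = "Username or password is incorrect. Try again. IP: {ip}. Username: {user}"
ADMIN_FAIL = "Invalid admin token. IP: {ip}."
SAMPLE_LOG = [
    (t(0),        LOGIN_FAIL.format(ip="203.0.113.7", user="alice")),
    (t(60),       LOGIN_FAIL.format(ip="203.0.113.7", user="alice")),
    (t(120),      LOGIN_FAIL.format(ip="198.51.100.9", user="carol")),
    (t(180),      LOGIN_FAIL.format(ip="192.168.0.20", user="bob")),   # LAN, ignoreip
    (t(240),      LOGIN_FAIL.format(ip="192.168.0.20", user="bob")),
    (t(300),      LOGIN_FAIL.format(ip="192.168.0.20", user="bob")),
    (t(360),      LOGIN_FAIL.format(ip="203.0.113.7", user="alice")),  # 3rd hit -> ban
    (t(600),      ADMIN_FAIL.format(ip="198.51.100.9")),
    (t(660),      ADMIN_FAIL.format(ip="198.51.100.9")),               # 2nd hit -> ban
    (t(5 * 3600), LOGIN_FAIL.format(ip="198.51.100.9", user="carol")),  # 1st hit aged out
    (t(5 * 3600 + 60), LOGIN_FAIL.format(ip="198.51.100.9", user="carol")),
]


def run_demo():
    """Replay SAMPLE_LOG through jails built from the posted bitwarden settings."""
    login = Jail("bitwarden",
                 [r"^.*Username or password is incorrect\. Try again\. IP: <ADDR>\. Username:.*$"],
                 maxretry=3, findtime=14400, bantime=14400, ignoreip=["192.168.0.0/24"])
    admin = Jail("bitwarden-admin",
                 [r"^.*Invalid admin token\. IP: <ADDR>\.*$"],
                 maxretry=2, findtime=14400, bantime=14400, ignoreip=["192.168.0.0/24"])
    return {jail.name: replay(jail, SAMPLE_LOG) for jail in (login, admin)}


if __name__ == "__main__":
    for name, hosts in run_demo().items():
        print(f"{name}: banned {hosts}")
```

Running it bans 203.0.113.7 in the `bitwarden` jail on its third failure and 198.51.100.9 in `bitwarden-admin` on its second bad admin token; the LAN host is skipped by `ignoreip`, and 198.51.100.9's login failures never reach `maxretry` because its first hit falls out of the four-hour `findtime` window before the later ones arrive.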
17 hours ago, saarg said:

Why have you changed the port? There is nothing mentioned about it in the instructions. Leave it as it originally was.

 

Post the docker run commands for both nextcloud and and swag.


I changed the ports because I was getting an error with certbot about the port already being in use (80/443), so I switched to 1880/18443 to be out of range of "commonly used ports".

Also, I know what a docker run command is when using the terminal, but I've never seen the docker run command myself from unraid. How do I go about getting the docker run command?


Hey guys, quick question. I have a few things set up with Swag: Radarr, Sonarr, BitwardenRS, and Nextcloud. I moved Bitwarden back to them hosting it instead of me, but I still have the docker on Unraid. Sometimes when I try to use Nextcloud, it says the server is not available. To fix this, I fire up the Bitwarden docker and then Nextcloud works again. Anything I can look at? I want to delete Bitwarden, but for some strange reason it is tied to Nextcloud.

2 hours ago, SNReloaded said:


I changed the ports because I was getting an error with certbot about the port already being in use (80/443), so I switched to 1880/18443 to be out of range of "commonly used ports".

Also, I know what a docker run command is when using the terminal, but I've never seen the docker run command myself from unraid. How do I go about getting the docker run command?

Check the docker faq.

40 minutes ago, saarg said:

Check the docker faq.

Here's the docker run (it would have been faster to just say "edit the config & it'll give the run command")

SWAG:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='swag' --net='bridge' -e TZ="America/Chicago" -e HOST_OS="Unraid" -e 'EMAIL'='snreloaded@snreloaded.stream' -e 'URL'='snreloaded.stream' -e 'SUBDOMAINS'='home,' -e 'ONLY_SUBDOMAINS'='true' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'EXTRA_DOMAINS'='' -e 'STAGING'='false' -e 'DUCKDNSTOKEN'='' -e 'PROPAGATION'='' -e 'PUID'='99' -e 'PGID'='100' -p '1880:80/tcp' -p '18443:443/tcp' -v '/mnt/user/appdata/swag':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/swag'
1eb3775caaf9f7ab02460256f1579bb3ce6e34d1174f318cfcee9dd775e67091

 

Nextcloud:

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='nextcloud' --net='bridge' -e TZ="America/Chicago" -e HOST_OS="Unraid" -e 'PUID'='99' -e 'PGID'='100' -p '444:443/tcp' -v '/mnt/user/nextcloud/':'/data':'rw' -v '/mnt/user/appdata/nextcloud':'/config':'rw' 'linuxserver/nextcloud'
22e325a33923bd38a0e9e96159c43bbb20351efa7bcd948abdc4337ccce2d5fa

 

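With the proxy conf and both docker run lines now in the thread, the 502 can be checked mechanically. Two facts matter: nginx inside the swag container reaches another container on that container's internal port (nextcloud listens on 443 inside; 444 and 18443 are host-side mappings), and Docker's embedded DNS at 127.0.0.11 only resolves container names on a user-defined network, never on the default `bridge` network that both run lines use. The script below is an added example, not SWAG's or linuxserver's code: it parses the `$upstream_*` settings out of a SWAG proxy conf and the `--name`, `--net` and `-p` flags out of docker run lines, then reports why `proxy_pass` cannot reach the target. The embedded inputs are the posted nextcloud.subdomain.conf and run commands trimmed to the relevant flags; the `proxynet` network name in the usage note is an assumption.

```python
"""Cross-check a SWAG proxy conf against the docker run lines of its containers."""
import re
import shlex

# Trimmed from the nextcloud.subdomain.conf and docker run lines posted above.
NEXTCLOUD_CONF = """
    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app nextcloud;
        set $upstream_port 18443;
        set $upstream_proto https;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
"""
DOCKER_RUNS = [
    "docker run -d --name='swag' --net='bridge' -p '1880:80/tcp' -p '18443:443/tcp' linuxserver/swag",
    "docker run -d --name='nextcloud' --net='bridge' -p '444:443/tcp' linuxserver/nextcloud",
]


def parse_upstream(conf):
    """Pull $upstream_app, $upstream_port and $upstream_proto out of a SWAG proxy conf."""
    found = dict(re.findall(r"set\s+\$upstream_(app|port|proto)\s+([^;\s]+)\s*;", conf))
    return found["app"], int(found["port"]), found["proto"]


def parse_docker_run(cmd):
    """Return (name, network, {container_port: host_port}) from one docker run line."""
    name, network, ports = None, "bridge", {}
    args = iter(shlex.split(cmd))
    for arg in args:
        if arg == "--name" or arg.startswith("--name="):
            name = arg.partition("=")[2] if "=" in arg else next(args)
        elif arg in ("--net", "--network") or arg.startswith(("--net=", "--network=")):
            network = arg.partition("=")[2] if "=" in arg else next(args)
        elif arg == "-p":
            # forms: host:container[/proto] or ip:host:container[/proto]
            host_side, container_port = next(args).split("/")[0].rsplit(":", 1)
            ports[int(container_port)] = int(host_side.rsplit(":", 1)[-1])
    return name, network, ports


def check_proxy(conf, docker_runs):
    """List reasons the proxy_pass target may be unreachable; an empty list means no finding."""
    app, port, _proto = parse_upstream(conf)
    containers = {name: (net, ports) for name, net, ports in map(parse_docker_run, docker_runs)}
    if app not in containers:
        return [f"no docker run line for '{app}'"]
    network, ports = containers[app]
    findings = []
    if network == "bridge":
        # Docker's embedded DNS (127.0.0.11) resolves container names only on
        # user-defined networks, never on the default bridge.
        findings.append(f"'{app}' is on the default bridge network, so its name will not "
                        f"resolve through 127.0.0.11")
    if port not in ports:
        findings.append(f"$upstream_port {port} is not a port inside '{app}' "
                        f"(the container listens on {sorted(ports)})")
    for other, (_, other_ports) in containers.items():
        if port in other_ports.values():
            findings.append(f"{port} is the host-side mapping of '{other}', not a port "
                            f"nginx can reach inside the docker network")
    return findings


if __name__ == "__main__":
    for finding in check_proxy(NEXTCLOUD_CONF, DOCKER_RUNS) or ["no findings"]:
        print("-", finding)
```

On the posted inputs this reports three findings: nextcloud sits on the default bridge, 18443 is not a port inside the nextcloud container, and 18443 is in fact swag's own host-side mapping. Setting `$upstream_port` back to 443 and running both containers on a shared user-defined network (`proxynet` here, any name works) empties the list.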
1 hour ago, SNReloaded said:

Here's the docker run (it would have been faster to just say "edit the config & it'll give the run command")

The FAQ has answers to many more questions, it's good to browse through and see if your issue is already addressed.

