[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



1 hour ago, SimplePete said:

Thank you! I changed the bridge in the docker for the nextcloud container and upon restart it worked. I can now access it remotely; however, I cannot seem to get it to work locally. When I go to the correct IP in firefox it tells me "The page isn't redirecting properly". I have changed in the config to add to the array the IP: '192.168.1.*' but still no luck.

Do you have any suggestions as to what is causing this?

 

I don't know why.

Link to post

I have been testing SWAG and saw in the notes that Zerossl may be better to use for certs.  In the Zerossl site it says a free account entitles you to unlimited acme certs vs 5 a week for Letsencrypt. I assume that Swag uses acme certs exclusively?  During testing SWAG and different setups I hit the 5 cert limit for Letsencrypt. If I switch to Zerossl this should not be an issue?  So I have to get a free zerossl cert account and change the certprovider in the docker setup to zerossl.  I am not at home currently but assume the email from my zerossl account has to be entered in the docker setup as well. Does anything in the proxy.conf files need to be changed to use Zerossl?  

 

UPDATE: Up and running with ZeroSSL. So far so good.

Edited by Gragorg
Link to post
13 hours ago, saarg said:

upstream_app needs to be all lowercase, so you need to change the container name.

 

I have no idea about the location part as I'm no nginx wizard.

Thanks @saarg, totally forgot about the capital letters (the name came from the Docker pull)

 

But it still seems like I am missing a connection (if anyone has any input on what I am missing then please give me a shout)

 

Swag is working for all other dockers (And I am getting cert. on all domains and sub domains)

The webserver is running and working 192.168.0.6:25568 (This port is also listed below on the docker)

The mineos docker creates a minecraft folder in the appdata (Not a mineos folder) don't know if this makes any difference


 

My config file is now:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name map.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app mineos-node;
        set $upstream_port 25568;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    location ~ (/mineos-node)?/api {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app mineos-node;
        set $upstream_port 25568;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

 

Keep getting:


 

Kind of stuck here; I have tried a lot of different things but end up breaking Swag for all other containers 😞

 

Update: found this: https://gist.github.com/DmitryRendov/1efb672a0733aca5314dc3332d9823ac

But this seems to overcomplicate a simple link to port 25568 (In the above example the default port is 8123) 

 

OK this works!

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name map.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        proxy_pass http://192.168.0.6:25568;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    location /api/websocket {
        proxy_pass http://192.168.0.6:25568/api/websocket;
        proxy_set_header Host $host;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

 

Edited by casperse
Link to post

So I have one container setup to generate a wildcard cert for my domain, using dns validation on cloudflare. I was using the Global API key before, but I'm trying to convert over to an API token instead. I updated my cloudflare.ini file, removing the dns_cloudflare_email and dns_cloudflare_api_key values, and instead inserting a dns_cloudflare_api_token value.

However, since my cert is currently valid, I'm not seeing in the logs it attempting to regenerate the cert and use the new api token.

Is there an easy way I can force the certificate to regenerate to test my configuration change?

Link to post

Not sure what is going on but it seems the registrar for the SSL signed cert is expired. What do I have to do to fix it? It doesn't seem like it is something that I have a lot of control over.


 

The other server I have that is still using the letsencrypt docker is using a different registrar to sign the certs (which is valid).


Link to post

I have an issue with SWAG, nextcloud and cloudflare. I keep getting these in the log, by the thousands; the log file got to 200 GB in one day, and then nextcloud is not responding anymore. Any ideas what's wrong?

I see this alert "zero size buf in chain writer t:1 r:1 f:0", I googled it but cannot find any resolution!

Has anyone here had a similar issue?

 


Edited by dianasta
updated more info
Link to post
2 hours ago, uByte said:

Not sure what is going on but it seems the registrar for the SSL signed cert is expired. What do I have to do to fix it? It doesn't seem like it is something that I have a lot of control over.


 

The other server I have that is still using the letsencrypt docker is using a different registrar to sign the certs (which is valid).


Found the problem. Apparently there is an option in the SWAG settings; when you set the value to true, the certificate is set to staging. If you change it to false it will use a legit CA. Checking those settings matters.


Link to post

Hi, is there any way I can edit a config file or set an environment variable so that swag will add multiple domains to the let's encrypt?

I am using a duckdns https but I have a domain name that can redirect, whilst keeping the domain name in the address bar, but I need a certificate to be generated for this other domain, as well as the duckdns domain that it points at.

MTIA.

Link to post

I was running swag, nextcloud and bitwarden with cloudflare reverse proxy, everything was working just fine.

I saw update available for all 3 dockers i mentioned, so I stopped all the dockers and updated them, opened them again after finished, then suddenly I couldn't connect to nextcloud and bitwarden through my domain, it returns a status 503.

The log has no error at all, I am so confused. What would have caused the problem?

Link to post
3 hours ago, Millerthegorilla said:

Hi, is there any way I can edit a config file or set an environment variable so that swag will add multiple domains to the let's encrypt?

I am using a duckdns https but I have a domain name that can redirect, whilst keeping the domain name in the address bar, but I need a certificate to be generated for this other domain, as well as the duckdns domain that it points at.

MTIA.

@Millerthegorilla I saw this under the SWAG docker settings. Looks like how you can add a different domain.


You could also maybe add it from the add another path, port, variable or device option at the bottom of the lets encrypt docker.


Link to post

@vinckcent Can you open the edit menu for SWAG and check the settings? Maybe something got switched there (post a screenshot with the account info blurred a little). Also try and restart the docker if you haven't already.

Link to post
3 hours ago, vinckcent said:

I was running swag, nextcloud and bitwarden with cloudflare reverse proxy, everything was working just fine.

I saw update available for all 3 dockers i mentioned, so I stopped all the dockers and updated them, opened them again after finished, then suddenly I couldn't connect to nextcloud and bitwarden through my domain, it returns a status 503.

The log has no error at all, I am so confused. What would have caused the problem?

What are your settings in SWAG / nextcloud and cloudflare? Could you post some screenshots?

Link to post

Probably a stupid question and easily solved, but my search always returns results solving the opposite problem.

I set up the reverse proxy and everything works fine. I can access the sites hosted under my subdomains perfectly.

 

Now I want to drop all connections not directly directed at one of my supported domains. 

If I access my Public IP I want to get no result at all.

 

As far as I figured out I should be able to do that by configuring the default config.
But so far I only managed to either block nothing or block everything. 

 

Any tips how to adapt the config?

Link to post

I did my setup following the tutorial from spaceinvader one just using the new swag docker container.

 

Due to the port forwarding if I access my WAN IP  I land on the "Welcome to your SWAG instance" Page. 

 

Now my goal is to simply drop these requests (return 444) and only respond to requests targeting

supportedsubdomain.domain.com

supportedsubdomain2.domain.com

 

 

Link to post

I don't know what my problem was yesterday, I think I had something quite similar. But figured it out now.

Relevant Part of my default file:

 

server {
	return 444;
}

# redirect all traffic to https
server {
	listen 80 default_server;
	listen [::]:80 default_server;
	server_name mydomain.com;
	return 301 https://$host$request_uri;
}

# main server block
server {
	listen 443 ssl http2 default_server;
	listen [::]:443 ssl http2 default_server;

	root /config/www;
	index index.html index.htm index.php;

	server_name mydomain.com;

 

Additional Server Block to drop all requests.

Server name for http and https changed to only work for my domain

 

Link to post
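For readers who want the same outcome, here is an added, stand-alone example (not a config from this thread or from the SWAG project) of how nginx decides which server block answers a request that arrives by bare IP or by an unrecognised hostname: on each listen address/port, the one block marked `default_server` handles every request whose Host (or SNI) matches no `server_name`, so putting `return 444` in that block closes such connections without a response, while the named vhosts below it carry no `default_server` flag. The cert/key paths are taken from `/config/nginx/ssl.conf` as in the thread's own configs; `mydomain.com` is a placeholder.

```nginx
# Added example: catch-all blocks that drop unmatched hosts, beside the named vhosts.
# Assumes SWAG's /config/nginx/ssl.conf supplies the ssl_certificate lines.

# Plain HTTP catch-all: any request not addressed to a known name gets no reply.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;          # conventional "never matches" name for catch-alls
    return 444;             # close the connection without sending a response
}

# HTTPS catch-all: the TLS handshake still completes, so a certificate is required,
# then the connection is dropped before any content is served.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    include /config/nginx/ssl.conf;
    return 444;
}

# Named vhost, HTTP side: reached only on an exact Host match; upgrade to HTTPS.
server {
    listen 80;                       # no default_server here
    listen [::]:80;
    server_name mydomain.com www.mydomain.com;
    return 301 https://$host$request_uri;
}

# Named vhost, HTTPS side: serves the site; subdomain proxy-confs add their own
# blocks with their own server_name, also without default_server.
server {
    listen 443 ssl http2;            # no default_server here
    listen [::]:443 ssl http2;
    server_name mydomain.com www.mydomain.com;
    include /config/nginx/ssl.conf;
    root /config/www;
    index index.html index.htm index.php;
}
```

Only one block per listen address/port may carry `default_server`; a second one produces the `nginx: [emerg] a duplicate default server` error, so check every file under `/config/nginx/proxy-confs/` before reloading. Validate with `nginx -t` inside the container (for example `docker exec swag nginx -t`, where `swag` is the assumed container name) and then confirm from outside that `https://<public-ip>/` is refused while `https://supportedsubdomain.domain.com/` still answers.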

Do you have to use a lets encrypt cert?

 

I have an existing domain at hostinger that I would like to use, but you have to manually renew the ssl certificate if you want to use lets encrypt. There is an option to buy a lifetime ssl certificate from them for $12 which would be cheaper than buying a new domain somewhere else.

 

Also I don't want to move my domain over to a new host.

Link to post

Is this expected behavior?

From outside my home network, going to https://my-ip takes me to the Swag splash page. 

Right now, I have 4 unRAID dockers set at duckdns.org, and those all work. I was just surprised to see that my home ip by itself does this. 

Is this OK?


Link to post
19 hours ago, volcs0 said:

Is this expected behavior?

From outside my home network, going to https://my-ip takes me to the Swag splash page. 

Right now, I have 4 unRAID dockers set at duckdns.org, and those all work. I was just surprised to see that my home ip by itself does this. 

Is this OK?


That is normal.

Link to post
On 4/29/2020 at 3:02 PM, Heciruam said:

Is there an nginx .config.sample file for Mattermost? I just installed it and was wondering how to get public access.
 

Edit:
Ok I figured it out. I found a guide on how to do it here

 

Can you by chance share a redacted version of your Conf? I cannot for the life of me get this working. I get an "nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /config/nginx/proxy-confs/mattermost.subdomain.conf:9" error.

Link to post

Hi there, 

 

so I am kinda new to unraid and docker and I have a little problem.

 

I run a website on swag which is supposed to pack some files into a .zip. Before I switched to unraid and swag I ran that website on apache on a raspberry and zipping some files with p7zip worked great but the performance was not; for this and some other reasons I switched to unraid and swag. I know I can not just "use" p7zip. As far as I know that's because swag does not have the right permissions. As I understand it p7zip is located at /usr/bin/. By using the webterminal I am able to see and execute 7z. When I try the same thing inside the swag-webterminal they just do not appear in the same directory.

My next idea was to just copy those files into a directory which is owned by swag which worked and I am able to see those files now, but I can not execute them.

 

If somebody has any idea how to help me with my problem - a better way or workaround or something else - I would be happy :D


Link to post
22 minutes ago, ThereIsNo said:

As I understand it p7zip is located at /usr/bin/

You must have installed it yourself from Nerd Pack.

 

You can get to the console inside any of your dockers by clicking on its icon and selecting Console.

 

But it doesn't look like p7zip exists inside the SWAG container.

Link to post

Thanks for the fast reply!

 

I installed it from Nerd Pack and yeah, it does not exist inside SWAG. I don't know any other way than building swag myself with p7zip inside. And I don't think I am advanced enough for this or doing this frequently after swag updates. :/
chown or chmod also had no positive effect.

Link to post

Hi! 

I rebooted my containers yesterday and after that my SWAG container won't listen on the ports I've chosen. It worked flawlessly the days before that. I use 80/443 and they are port forwarded in my pfsense. I thought I mucked something up in pfsense so I've wiped it and started over, but no success. When I tried Nginx Proxy Manager, the port is suddenly open, even on the same LAN IP. As soon as I stop Nginx and start swag, the port is suddenly closed. I have other port forwards in pfsense set up and they work too.

 

Swag is in br0.

 

Does anyone have a clue what happened? I'm on the latest version of swag. I've forced updates and I wiped swag too but no success.

Link to post

Hey all, during an upgrade of swag it failed. And now I've removed it completely, removed any files associated with it, but when I go to reinstall fresh it won't launch. I get this error.

 

driver failed programming external connectivity on endpoint swag (c09c532ca4cfa43c71f2affae682c2387117adc17070dda5db1b07ecc3d7b35f): Error starting userland proxy: listen tcp 0.0.0.0:80: bind: address already in use.

Link to post
