[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



8 minutes ago, tardezyx said:

Does SWAG automatically update the IP of the server at duckdns.org?

If not, what is the purpose of the duckdns token in the SWAG docker settings?

No. IIRC it has to do with DNS validation.


Hi everyone,

 

I'm sad I have to post here... everything was working fine until 3 days ago when one of my cache pool drives died.
I had problems with my /appdata backup and I had to delete files from the swag config (probably chmod problems or busy files at the moment I wanted to back up).

I changed my cache drive without any other issue.

 

When I try to launch swag, I get this error in my log:

https://pastebin.com/mMuxi79e

 

My ovh.ini credentials are good.

I cleaned the _acme-challenge DNS entry from my OVH manager console.

My domain DNS records are all OK, A and CNAME.

Restarted the swag container multiple times... nothing.

 

I don't understand what I'm doing wrong. Any help would be VERY appreciated!

 


I've had SWAG set up and running for a couple years now (back before it was SWAG) and it works great.  I have to admit I don't totally understand everything (or even much) about it, but via tutorials and this forum, I was able to get everything working. I switched to a wildcard cert a year or so ago without much issue. But I am having an issue trying to allow for a new subdomain.

 

I have had Radarr working all this time and I recently added another instance to handle 4K content.  I thought this would be super easy.  I went on to my Cloudflare dash and created a cname for radarr4k (the other is just radarr) and I copied my radarr site-conf, renamed it to radarr4k, replaced every instance of radarr inside with radarr4k and changed the port to the port I use for radarr4k.  I thought it would be as simple as that and just work, but I get a 502 error whenever I try to go to https://radarr4k.myserver.com.

 

Here is my radarr file:

server {
    listen 443 ssl;

    server_name radarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_radarr radarr;
        proxy_pass http://$upstream_radarr:7878;
    }
}

 

 

Here is my radarr4k file:

server {
    listen 443 ssl;

    server_name radarr4k.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_radarr4k radarr4k;
        proxy_pass http://$upstream_radarr4k:7879;
    }
}

 

 

Any ideas what I am doing wrong?

23 hours ago, guilhem31 said:

Hi everyone,

 

I'm sad I have to post here... everything was working fine until 3 days ago when one of my cache pool drives died.
I had problems with my /appdata backup and I had to delete files from the swag config (probably chmod problems or busy files at the moment I wanted to back up).

I changed my cache drive without any other issue.

 

When I try to launch swag, I get this error in my log:

https://pastebin.com/mMuxi79e

 

My ovh.ini credentials are good.

I cleaned the _acme-challenge DNS entry from my OVH manager console.

My domain DNS records are all OK, A and CNAME.

Restarted the swag container multiple times... nothing.

 

I don't understand what I'm doing wrong. Any help would be VERY appreciated!

 

Use an earlier tag. It's an upstream issue.

57 minutes ago, RockDawg said:

I've had SWAG set up and running for a couple years now (back before it was SWAG) and it works great.  I have to admit I don't totally understand everything (or even much) about it, but via tutorials and this forum, I was able to get everything working. I switched to a wildcard cert a year or so ago without much issue. But I am having an issue trying to allow for a new subdomain.

 

I have had Radarr working all this time and I recently added another instance to handle 4K content.  I thought this would be super easy.  I went on to my Cloudflare dash and created a cname for radarr4k (the other is just radarr) and I copied my radarr site-conf, renamed it to radarr4k, replaced every instance of radarr inside with radarr4k and changed the port to the port I use for radarr4k.  I thought it would be as simple as that and just work, but I get a 502 error whenever I try to go to https://radarr4k.myserver.com.

 

Here is my radarr file:


server {
    listen 443 ssl;

    server_name radarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_radarr radarr;
        proxy_pass http://$upstream_radarr:7878;
    }
}

 

 

Here is my radarr4k file:


server {
    listen 443 ssl;

    server_name radarr4k.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
#        auth_basic "Restricted";
#        auth_basic_user_file /config/nginx/.htpasswd;
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_radarr4k radarr4k;
        proxy_pass http://$upstream_radarr4k:7879;
    }
}

 

 

Any ideas what I am doing wrong?

You don't have to set a cname in Cloudflare when using a wildcard. The wildcard is for everything.

 

I guess you are using a custom docker network for swag and the radarrs, so there is no need to change the port in the proxy-conf, as swag talks to the containers using the name. It is all internal to the custom network and therefore you use the container port.

36 minutes ago, saarg said:

You don't have to set a cname in Cloudflare when using a wildcard. The wildcard is for everything.

 

I guess you are using a custom docker network for swag and the radarrs, so there is no need to change the port in the proxy-conf, as swag talks to the containers using the name. It is all internal to the custom network and therefore you use the container port.

 

Changing to the container port worked.  I never considered that and that is the only container that I run where I changed the default port.  Thanks so much!

 

I thought I still needed the cname and the wildcard was just allowing any of my cnames through.  So I can delete all my subdomain cnames on Cloudflare?

14 hours ago, RockDawg said:

 

Changing to the container port worked.  I never considered that and that is the only container that I run where I changed the default port.  Thanks so much!

 

I thought I still needed the cname and the wildcard was just allowing any of my cnames through.  So I can delete all my subdomain cnames on Cloudflare?

As long as you have a wildcard cname set in cloudflare, you can delete the other subdomains.


Unable to access Bitwarden externally using SWAG

 

Starting last week I was unable to access Bitwarden from my own domain. Without going too far into what I've tried, I'm basically back to square one.

I've uninstalled/reinstalled Bitwarden (to allow it to pull the new vaultwarden info)

I've uninstalled/reinstalled SWAG.

I've renamed my Bitwarden install to match the proxy-confs for bitwarden.

I've followed all the steps in Spaceinvaders Letsencrypt (SWAG)/Bitwarden/Cloudflare videos and just keep getting Error: 522 from cloudflare when I try and load my domain page.

I thought it might be tied to some firewall stuff I did on my Unifi to isolate my IoT things on a different VLAN, so I've completely removed all those settings and it's still not working.

The SWAG logs show that server is running and it can get certs for my domain but the site still won't load.

I currently have Cloudflare set up as my DNS to bypass my local internet provider from blocking port 80. Cloudflare is set to point to my Duckdns name which is pointing to my IP. All of this is in SpaceInvaders cloudflare set up video.

Here are screenshots of my Docker settings / Docker page / port forwarding setup.

https://i.imgur.com/NqsRNOs.png

Again this was all working from July of last year until last week.

Any assistance would be appreciated.


Hi, I'm using Authelia and everything works as it should. I have a problem with LMS: I only proxied it to use the Alexa skill and wanted to use Authelia instead of basic auth, but it seems Alexa can't/won't use two-factor auth for this skill! Can I set somewhere in the config to use single-factor just for this container?

Thanks,

Tim

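Authelia's access control rules are evaluated per request and the first rule whose domain matches decides the policy, so a single proxied host can be relaxed to `one_factor` while everything else keeps the stricter default. The fragment below is an added example for this thread, not Authelia's shipped configuration or anything from SWAG; `lms.example.com` is an assumed placeholder for the LMS subdomain.

```yaml
# Added example (not Authelia's own config): one_factor for the one host the
# Alexa skill talks to, two_factor for every other protected subdomain.
# lms.example.com is an assumed placeholder; substitute the real LMS host.
access_control:
  default_policy: two_factor        # applies when no rule below matches
  rules:
    - domain: lms.example.com       # only this host: password alone is enough
      policy: one_factor
```

Rules are matched top to bottom and the first match wins, so keep the relaxed rule specific to the one host rather than a wildcard, and leave `default_policy` at `two_factor` so any subdomain added later is protected unless explicitly listed.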

Can someone point me in the right direction?

 

I have A75G's airsonic-advanced docker accessed through SWAG / reverse proxy with a duckdns subdomain and Let's Encrypt https certificate. I'm using the airsonic.subdomain.conf config and all is working well.

I'd like to start using fail2ban to block access to the airsonic URL, but during testing the airsonic logs show failed logins from the IP of the internal docker container and not the real external IP.

 

I have the 'server.use-forward-headers=true' line added to the airsonic.properties file in the airsonic config, as stated in the airsonic.subdomain.conf from SWAG, but something seems missing.

 

Any suggestions?

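The symptom above (every failed login logged with the SWAG container's address) is what an application records when it ignores the `X-Forwarded-For` header that SWAG's proxy.conf sends. The flip side matters for fail2ban: an application that honours that header from any peer lets anyone who can reach the port directly write an arbitrary address into it, so a ban lands on an innocent address or never on the attacker. The script below is an added example for this thread, not code from SWAG, airsonic-advanced or fail2ban; it shows the attribution step a log needs to have done right before fail2ban reads it. The Docker network 172.18.0.0/16, the CDN range 192.0.2.0/24 and all sample events are constructed values.

```python
"""
Choosing the client IP to log (and hand to fail2ban) behind a reverse proxy.

Added example for this thread; not code from SWAG, airsonic-advanced or
fail2ban. Assumed/constructed: SWAG reaches the app from the Docker user
network 172.18.0.0/16, and a CDN in front of SWAG uses 192.0.2.0/24.
"""
import ipaddress
from collections import Counter
from typing import Iterable, Optional, Sequence, Tuple

# Networks whose X-Forwarded-For we believe. Constructed values; a real
# deployment takes them from `docker network inspect` and the CDN's IP list.
TRUSTED_PROXIES = ("172.18.0.0/16", "192.0.2.0/24")


def _is_trusted(addr: str, nets: Sequence) -> bool:
    """True if addr parses as an IP and lies inside one of the trusted networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in nets)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str],
              trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> str:
    """Return the address a failed-login entry should be attributed to.

    remote_addr     -- peer address the application socket saw
    x_forwarded_for -- raw X-Forwarded-For value, or None if absent

    The header is honoured only when the peer itself is a trusted proxy; a
    client that reaches the app port directly can put anything in it. The
    chain is then walked right to left, skipping trusted hops, so the first
    untrusted address is the real client rather than an intermediate proxy.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]
    if not x_forwarded_for or not _is_trusted(remote_addr, nets):
        return remote_addr
    chain = [hop.strip() for hop in x_forwarded_for.split(",") if hop.strip()]
    for hop in reversed(chain):
        try:
            candidate = str(ipaddress.ip_address(hop))
        except ValueError:
            return remote_addr          # malformed header: fall back to the peer
        if not _is_trusted(candidate, nets):
            return candidate
    return chain[0] if chain else remote_addr  # every hop trusted: take leftmost


def ban_candidates(events: Iterable[Tuple[str, Optional[str], bool]],
                   threshold: int = 3,
                   trusted_proxies: Iterable[str] = TRUSTED_PROXIES) -> set:
    """Count login failures per attributed client; return those at/over threshold.

    events -- (remote_addr, x_forwarded_for, login_succeeded) tuples as the
              application saw them. This is the attribution fail2ban's filter
              relies on the log having done correctly.
    """
    failures: Counter = Counter()
    for remote_addr, xff, ok in events:
        if not ok:
            failures[client_ip(remote_addr, xff, trusted_proxies)] += 1
    return {ip for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    # Constructed sample events.
    sample = [
        # Proxied through SWAG: the peer is the SWAG container and the header
        # carries the real client. Without the header (the thread's symptom)
        # the log would only ever show 172.18.0.3.
        ("172.18.0.3", "203.0.113.7", False),
        ("172.18.0.3", "203.0.113.7", False),
        ("172.18.0.3", "203.0.113.7", False),
        # Direct hits on the app port claiming to be 203.0.113.7: the peer is
        # untrusted, the header is ignored, and the failures stick to the peer.
        ("198.51.100.9", "203.0.113.7", False),
        ("198.51.100.9", "203.0.113.7", False),
        ("198.51.100.9", "203.0.113.7", False),
    ]
    print(ban_candidates(sample))
```

The practical takeaways match the thread: the application must be told to trust forwarded headers (airsonic's `server.use-forward-headers=true`), that trust must be limited to the proxy's own network so a direct request cannot forge the address, and the application port should not be published to the internet at all, only reachable from SWAG.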
Posted (edited)

For a few days now I can't connect to my owncloud via my reverse proxy anymore as I get a 400 bad request anytime I try to do it. I have not changed anything in my proxy conf and have already contacted the dev of the owncloud docker container. He said that nothing has changed in the container since the issue came up for me, leading me to believe the error has to lie somewhere with the proxy. Does anyone know what it could be? It's now been a few weeks and I've tried to solve it on my own, without success. 

 

It worked until the 7th of May but has not worked since. I cannot connect from the browser, my phone, or the owncloud Windows or Android clients. Nothing works unfortunately. Does anyone have an idea? Here is my proxy conf that has, at least until the 7th of May, worked wonderfully.

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name owncloud.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /login;

        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_owncloud owncloud;
        proxy_pass https://192.168.0.2:8000;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

 

Edited by RedXon
9 hours ago, Arndroid said:

Is there a way to automatically set up individual certs for separate (sub)domains instead of a wildcard?
So my other domains aren't exposed through a cert on a domain/website? :)

No

Posted (edited)

Hi all,

 

I am getting 502 errors after setting up swag following the original SIO video for letsencrypt. The issue seems to be that name lookup of the containers is failing. 

 

  • I am using latest, but also tried with several other versions dating back to 1.8.0
  • I am using all sample configs with no modifications 
    • portainer
    • nextcloud
    • grafana
  • swag and containers are all on custom docker network
  • nslookup finds the docker container by name
  • can ping one container from another
  • Using linuxserverio containers with default names

 

nginx error.log:

2021/06/05 20:21:54 [error] 470#470: *1 nextcloud could not be resolved (3: Host not found), client: 192.168.100.1, server: nextcloud.*, request: "GET / HTTP/2.0", host: "nextcloud.domain.com"
2021/06/05 20:43:08 [error] 406#406: *6 portainer could not be resolved (3: Host not found), client: 192.168.100.1, server: portainer.*, request: "GET / HTTP/2.0", host: "portainer.domain.com"

root@unRAID:/mnt/user/appdata/swag/nginx/proxy-confs# docker container list
CONTAINER ID   IMAGE                                  COMMAND            CREATED             STATUS                    PORTS                                         NAMES
40368254d154   linuxserver/swag                       "/init"            12 minutes ago      Up 12 minutes             0.0.0.0:8081->80/tcp, 0.0.0.0:4443->443/tcp   swag
0130fe9243c4   portainer/portainer                    "/portainer"       About an hour ago   Up 24 minutes             0.0.0.0:44344->9000/tcp                       portainer


nslookups:

root@40368254d154:/# nslookup portainer
Server:         127.0.0.11
Address:        127.0.0.11:53

Non-authoritative answer:
*** Can't find portainer: No answer

Non-authoritative answer:
Name:   portainer
Address: 172.18.0.2

root@40368254d154:/# 

root@40368254d154:/# ping portainer
PING portainer (172.18.0.2): 56 data bytes
64 bytes from 172.18.0.2: seq=0 ttl=64 time=0.161 ms
64 bytes from 172.18.0.2: seq=1 ttl=64 time=0.145 ms
^C

 

 

If I modify portainer.subdomain.conf as follows the 502 error goes away.

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app portainer;
        set $upstream_port 9000;
        set $upstream_proto http;
        #proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        proxy_pass $upstream_proto://172.18.0.2:$upstream_port; # hard code ip

 

I wonder if nginx is choking on the first failed nslookup? Is that a docker network issue?  Any other ideas?

Thanks in advance!

Edited by codebone
Add docker container names
Posted (edited)

Hi,

 

I have a big question regarding the use of sub-subdomains.

 

Until now I was using two domains (I did not know that sub-sub domains can be configured): exampleemby and examplenas with duckdns.org

 

I use "exampleemby", setting it up in swag as a subdomain, and "examplenas" with some subfolder configurations (e.g. nextcloud).

 

Now I want to setup 2 more subdomains (to use with photoprism that only has subdomain template).

 

Searching the web I saw that it is possible to set up only one subdomain and with it configure several sub-subdomains. Am I right?

 

In this case, how should I set up the swag container? What I am using now is:

Domain Name: duckdns.org

Subdomain (s): homeemby,homenas

 

I have also seen on the linuxserver swag docker web page that it is not possible to use, at the same time, subdomains and sub-subdomains, but is it possible to use "homeemby" as a subdomain and "homeother" as a sub-subdomain?

 

I have tried setups in the swag container (empty, wildcard...) but I can only get it to work with the above configuration (filling in the domain and all the subdomains).

 

Thank you

Edited by dellorianes
Posted (edited)

I've had letsencrypt/swag working for a number of years but it is now failing to renew the certificates. I have uninstalled and tried again but I get the same error. I am using proxynet and my domains are all duckdns, no cloudflare.

Can anyone point me in the right direction please?

 

Generating new certificate
Requesting a certificate for ***.duckdns.org and 3 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: ***.duckdns.org
Type: connection
Detail: Fetching http://***.duckdns.org/.well-known/acme-challenge/GX1N0HDQV9cetf0bUvB7E_68fh5OCaDdf168NYwJzpI: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority couldn't exterally verify that the standalone plugin completed the required http-01 challenges. Ensure the plugin is configured correctly and that the changes it makes are accessible from the internet.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

 

EDIT - So I bounced my server and now it all works?! Anyway, glad it's now working.

Edited by showstopper

Hello,

 

I am absolutely lost and unsure how to decipher the details everyone is discussing. I'm a newbie to this kind of stuff and hoping for some help! My SWAG on unraid was connected to a personal webhost. DuckDNS was used to update my IP address. It was working and all of a sudden has stopped receiving certificates.

-------------------------------------------------

Router Settings:

Port forwarding is open on router 80>81 and 443>442.

-------------------------------------------------

Container Settings:

http - 81

https - 442

 

domain name - mydomainname.com

subdomains - bw, etc...

only subdomains - true

validation - http

duckDNS Token - MyToken

----------------------------------------------------

Logs:

SWAG Log:

When running logs, the following errors are received: (obviously hid my domain stuff below)

 

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:


Domain: subdomainnamehere.domainhere.com
Type: connection
Detail: Fetching http://subdomainnamehere.domainhere.com/.well-known/acme-challenge/XXXXXHIDDEN: Timeout during connect (likely firewall problem)

 

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

---------------------------------------

LetsEncrypt Log:

Failed to renew certificate subdomainnamehere.domainhere.com with error: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0xHIDDEN>: Failed to establish a new connection: [Errno -3] Try again'))

--------------------------------------------

I appreciate help in advance. 


I installed Swag back in March and everything is going good.  I have been getting emails from zerossl that my certs will expire within 14 days.  I assume SWAG will automatically renew them when the time comes?  Or do I need to manually renew them?

6 hours ago, Gragorg said:

I installed Swag back in March and everything is going good.  I have been getting emails from zerossl that my certs will expire within 14 days.  I assume SWAG will automatically renew them when the time comes?  Or do I need to manually renew them?

Does your server run 24/7?

30 minutes ago, Gragorg said:

Yes it does.

A couple of scenarios off the top of my head:

 

1. You set up some subdomains that have since been removed, so those specific certs are no longer being renewed because they aren't needed.

2. Your authentication method isn't working properly, so renewal is failing.

3. Something else is preventing the overnight scheduled renewal check from completing.

 

What does the container log show?

13 hours ago, jonathanm said:

You set up some subdomains that have since been removed, so those specific certs are no longer being renewed because they aren't needed.

Looks like this may be the case; I have a few extra certs from when I was setting up.  The log mentions that the certs are not going to expire.

 

"The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight"

 

I guess I'll just have to be patient and wait it out.  Thanks

 


Hey folks,

So I finally figured out where my hiccup was on swag. jonathonm commented on another post and suggested it was a port issue. Turns out that was correct. In my CenturyLink modem I can port forward just fine, but I cannot translate, for example, external 443 to internal 1443.

 

What I did to figure this out is changed the ports that unraid uses. Once I did that I could port forward 443 in my modem/router and swag would connect. I could still access unraid at my internal ip 192.168.1.x:180 which is the "new" port I gave it. 


So I cannot translate ports (terminology?) but I can forward. Are there any other options besides changing the unraid ports and letting swag have the 443 port? I had thought about purchasing a router and bridging the modem.

11 hours ago, 2000gtacoma said:

Hey folks,

So I finally figured out where my hiccup was on swag. jonathonm commented on another post and suggested it was a port issue. Turns out that was correct. In my CenturyLink modem I can port forward just fine, but I cannot translate, for example, external 443 to internal 1443.

 

What I did to figure this out is changed the ports that unraid uses. Once I did that I could port forward 443 in my modem/router and swag would connect. I could still access unraid at my internal ip 192.168.1.x:180 which is the "new" port I gave it. 


So I cannot translate ports (terminology?) but I can forward. Are there any other options besides changing the unraid ports and letting swag have the 443 port? I had thought about purchasing a router and bridging the modem.

This is what I did some months ago. I changed Unraid to run off of 180/1443 and let Swag have 80/443 and it worked flawlessly. Now swag completely refuses to issue certs despite me not having changed any settings between when I first set it up and now.

