[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


Recommended Posts

Anyone familiar with this cert renewal error?

 

I set it up how I interpreted spaceinvaderone's video, which had subdomains as the separate variable from the dns provider that I don't own.

 

The description, though, seems to imply putting subdomain.provider.com as one variable under domain name. Which is correct?

Quote

20:37:27,070:ERROR:certbot._internal.renewal:  /etc/letsencrypt/live/myurl.com/fullchain.pem (failure)
2021-06-29 20:37:27,070:DEBUG:certbot.display.util:Notifying user:
Additionally, the following renewal configurations were invalid:
2021-06-29 20:37:27,070:DEBUG:certbot.display.util:Notifying user:   /etc/letsencrypt/renewal/myurl.com-0001.conf (parsefail)
  /etc/letsencrypt/renewal/myurl.com-0002.conf (parsefail)
2021-06-29 20:37:27,070:DEBUG:certbot.display.util:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2021-06-29 20:37:27,071:INFO:certbot.compat.misc:Running post-hook command: if ps aux | grep 's6-supervise nginx' | grep -v grep > /dev/null; then s6-svc -u /var/run/s6/services/nginx; fi;     cd /config/keys/letsencrypt &&     openssl pkcs12 -export -out privkey.pfx -inkey privkey.pem -in cert.pem -certfile chain.pem -passout pass: &&     sleep 1 &&     cat privkey.pem fullchain.pem > priv-fullchain-bundle.pem &&     chown -R abc:abc /config/etc/letsencrypt
2021-06-29 20:37:28,158:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1552, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1439, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/renewal.py", line 499, in handle_renewal_request
    raise errors.Error("{0} renew failure(s), {1} parse failure(s)".format(
certbot.errors.Error: 1 renew failure(s), 2 parse failure(s)
2021-06-29 20:37:28,167:ERROR:certbot._internal.log:1 renew failure(s), 2 parse failure(s)

Despite this error, the reverse proxy still ended up working, with a cert error.

Edited by robobub
Link to comment

Is there someone here who got SWAG fully working on IPv6? I'm trying to get it working, but after a few weeks of trial and error I'm out of ideas...

Docker is fully working on IPv6, I can confirm this. I have a Tor relay running on Unraid/Docker and it is externally accessible through IPv6...

SWAG does have a working IPv6 address, but Cloudflare won't get a connection to SWAG on IPv6, resulting many times in error 522.

 

I did some research on nginx with IPv6; does it need '--with-ipv6'? When checking on SWAG with the command nginx -V it gives me the following configure arguments:

Quote

nginx version: nginx/1.18.0
built with OpenSSL 1.1.1k  25 Mar 2021
TLS SNI support enabled
configure arguments: --prefix=/var/lib/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --pid-path=/run/nginx/nginx.pid --lock-path=/run/nginx/nginx.lock --http-client-body-temp-path=/var/lib/nginx/tmp/client_body --http-proxy-temp-path=/var/lib/nginx/tmp/proxy --http-fastcgi-temp-path=/var/lib/nginx/tmp/fastcgi --http-uwsgi-temp-path=/var/lib/nginx/tmp/uwsgi --http-scgi-temp-path=/var/lib/nginx/tmp/scgi --with-perl_modules_path=/usr/lib/perl5/vendor_perl --user=nginx --group=nginx --with-threads --with-file-aio --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module=dynamic --with-http_image_filter_module=dynamic --with-http_geoip_module=dynamic --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_slice_module --with-http_stub_status_module --with-http_perl_module=dynamic --with-mail=dynamic --with-mail_ssl_module --with-stream=dynamic --with-stream_ssl_module --with-stream_realip_module --with-stream_geoip_module=dynamic --with-stream_ssl_preread_module --add-dynamic-module=/home/buildozer/aports/main/nginx/src/njs-0.5.0/nginx --add-dynamic-module=/home/buildozer/aports/main/nginx/src/ngx_devel_kit-0.3.1/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/ngx_brotli-1.0.0rc/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/ngx_cache_purge-2.5.1/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-dav-ext-module-3.0.0/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/echo-nginx-module-0.62/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/encrypted-session-nginx-module-0.08/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/ngx-fancyindex-0.5.1/ 
--add-dynamic-module=/home/buildozer/aports/main/nginx/src/headers-more-nginx-module-0.33/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/lua-nginx-module-0.10.19/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/lua-upstream-nginx-module-0.07/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nchan-1.2.7/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-http-shibboleth-2.0.1/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/redis2-nginx-module-0.15/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/set-misc-nginx-module-0.32/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-upload-progress-module-0.9.2/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-upstream-fair-0.1.3/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-rtmp-module-1.2.1/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-vod-module-1.27/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/ngx_http_geoip2_module-3.3/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/naxsi-1.3/naxsi_src --add-dynamic-module=/home/buildozer/aports/main/nginx/src/mod_zip-1.2.0/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx-module-vts-0.1.18/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/traffic-accounting-nginx-module-2.0/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/ngx_http_untar_module-1.0/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/ngx_upstream_jdomain-1.1.5/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/nginx_cookie_flag_module-1.1.0/ --add-dynamic-module=/home/buildozer/aports/main/nginx/src/array-var-nginx-module-0.05/

 

No --with-ipv6 in there...

Anyone have an idea what I can do???

Link to comment
On 6/29/2021 at 5:14 PM, Unrayed said:

@saarg many thanks for your help. I've edited and uploaded the file to the server now. I've changed the cron expression to "30 20 1  *  *"  which I believe is the first of every month. Hopefully that'll sort things not autorenewing :)

Why did you change the third to 1? Only change the first two.

Link to comment
6 hours ago, sjaak said:

Is there someone here who got SWAG fully working on IPv6? I'm trying to get it working, but after a few weeks of trial and error I'm out of ideas...

Docker is fully working on IPv6, I can confirm this. I have a Tor relay running on Unraid/Docker and it is externally accessible through IPv6...

SWAG does have a working IPv6 address, but Cloudflare won't get a connection to SWAG on IPv6, resulting many times in error 522.

 

I did some research on nginx with IPv6; does it need '--with-ipv6'? When checking on SWAG with the command nginx -V it gives me the following configure arguments:

 

No --with-ipv6 in there...

Anyone have an idea what I can do???

 

You can't add it yourself. We use the packages from the alpine repo.

Link to comment

Hey All,

 

I'm trying to get a custom web server running with SWAG and I'm having some dramas understanding the documentation, so I was wondering if I could get some help.

I have set up multiple reverse proxies but never hosted my own HTML.

 

I have created a .html file I'd like to host with my own sub-domain. As far as I understand, I should move my HTML files into the /config/www folder, and in the site-confs folder I should have a config file that points to said /config/www folder. Within said conf file I should have which subdomain SWAG should be pointing to.

 

I'm not really sure if I'm missing anything or if my config file is correct or not.

 

Does anyone have any guides or documentation that could help?

 

Regards,

 

Justin

Link to comment
33 minutes ago, Melawen said:

Looks like you have your ports the wrong way round on your router.  The external ports should be 80 & 443 and the internal ones should be 180 & 1443.

 

You might also want to hide your actual IP address in the images above.

Thanks a lot. You were right, everything works perfectly now.

Link to comment
On 4/25/2021 at 3:26 AM, saarg said:

Everything.

You have switched value and key and also removed =. The default value is also not -e. Just leave it blank.

 

On 4/25/2021 at 7:05 AM, Greygoose said:

 

Thank you,

 

I now have it working because of your help.

 

Much appreciated.

I too have this working now. 

 

Thank you

Link to comment

I set up Swag recently and have 2 domains set up with Let's Encrypt. Things have been running fine and then, today, I try and access my Nextcloud and I can't. I checked the Swag logs and see this:  

  

There were too many requests of a given type :: Error creating new order :: too many certificates (5) already issued for this exact set of domains in the last 168 hours

 

I understand there's a rate limit, but why would this have been exceeded? I haven't done anything to cause more certs to get issued. I set up Swag, checked that it worked, and that was it. What am I missing here?

Link to comment

I apologize for the long post, running into two issues. I'll start with my main, more important one since it's a security issue. 

 

I have SWAG set up on my unRAID box and it seems to run fine, except for the fact I can't get it to work correctly for its main purpose. I have a few docker containers I have going through SWAG, but to access them, I have to punch a hole through my firewall for them, and include the port in the address. My address for Home Assistant, for example, would end up looking like http://ha.mydomain.com:8123. I know this is a big hole I leave in my network, and the reason SWAG exists, but I can't seem to get the setup for this correct, and the documentation I can find doesn't seem to help. My end goal is to patch up the holes I put in my firewall, and clean up the address so the above link would appear as https://ha.mydomain.com instead.

 

I'm not sure what all I should include to help diagnose my issue, but I'm more than willing to provide my set up.

 

-------

 

My second issue, I ran into while attempting to get the first issue fixed. Whenever I attempt to access a site, I can't access it within my own network (ex, while I'm on my desktop, or connected to Wi-Fi), but I can access it if I'm not on my network (ex, mobile data, friend's Wi-Fi).

 

I'm not quite sure why this ended up happening, but again, whatever you guys need out of my set up to help diagnose it, I'll be more than happy to provide.

 

Thanks in advance and again, I apologize for the giant wall of text.

Link to comment

Hi all - I'm having difficulty troubleshooting what looks like a port forwarding issue.

 

My SWAG reverse proxy was working fine until a week ago. I was getting BTRFS errors in my docker.img, so I deleted it and created it from new. After reloading my apps, I noticed my reverse proxy was not working anymore.

 

In my SWAG logs, I saw this error:

 

int: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

My port forwarding seemed to be correct for port 80 (to 180) and port 443 (to 1443) as per my SWAG docker template. I went to a number of port testing sites, and they all showed blocked for 80 and 443.

 

So at this point I contacted my ISP (Bell Canada) and they said they have not changed anything.

 

Where should I go now to figure this out? Thanks all.

Link to comment
On 6/27/2021 at 3:03 AM, Cytomax said:

So i figured it out... 

1.16.0-ls67 and 1.16.0-ls68 don't work for me.

1.16.0-ls66 does work for me...

 

I have a very basic setup and I've just experienced this as well - all sites returning:

 

refused to connect.

 

Nothing logged in access.log or error.log

 

something broke between:

1.17.0-ls70 and

1.17.0-ls71

 

For anyone else seeing this, edit swag docker and change repo to:

 

linuxserver/swag:1.17.0-ls70

 

edit: Don't do the above, instead rename:

swag/nginx/proxy-confs/youtube-dl.subfolder.conf

 

to this

swag/nginx/proxy-confs/youtube-dl.subfolder.conf-notused

 

(unless you do actually use this config file, in which case remove the line containing:

proxy_redirect  off;

 

Edited by jortan
  • Thanks 1
Link to comment

After updating to 1.17.0-ls71 SWAG doesn't start:

nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/debianbullseye.subdomain.conf:36
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/debianbuster.subdomain.conf:36
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/ferdi-client.subdomain.conf:36
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/onlyoffice.subdomain.conf:22

 

I have to comment out "proxy_redirect" in all my *.subdomain.conf to get SWAG to work.

  • Thanks 2
Link to comment
2 hours ago, sonic6 said:

After updating to 1.17.0-ls71 SWAG doesn't start:


nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/debianbullseye.subdomain.conf:36
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/debianbuster.subdomain.conf:36
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/ferdi-client.subdomain.conf:36
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/onlyoffice.subdomain.conf:22

 

I have to comment out "proxy_redirect" in all my *.subdomain.conf to get SWAG to work.

I get similar errors since the last update, which stops SWAG from starting up:

nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22

 

Link to comment
38 minutes ago, bastl said:

I get similar errors since the last update, which stops SWAG from starting up:


nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22
nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22

 

same here.

Link to comment
11 hours ago, Marioawe said:

I apologize for the long post, running into two issues. I'll start with my main, more important one since it's a security issue.

 

I have SWAG set up on my unRAID box and it seems to run fine, except for the fact I can't get it to work correctly for its main purpose. I have a few docker containers I have going through SWAG, but to access them, I have to punch a hole through my firewall for them, and include the port in the address. My address for Home Assistant, for example, would end up looking like http://ha.mydomain.com:8123. I know this is a big hole I leave in my network, and the reason SWAG exists, but I can't seem to get the setup for this correct, and the documentation I can find doesn't seem to help. My end goal is to patch up the holes I put in my firewall, and clean up the address so the above link would appear as https://ha.mydomain.com instead.

 

I'm not sure what all I should include to help diagnose my issue, but I'm more than willing to provide my set up.

 

-------

 

My second issue, I ran into while attempting to get the first issue fixed. Whenever I attempt to access a site, I can't access it within my own network (ex, while I'm on my desktop, or connected to Wi-Fi), but I can access it if I'm not on my network (ex, mobile data, friend's Wi-Fi).

 

I'm not quite sure why this ended up happening, but again, whatever you guys need out of my set up to help diagnose it, I'll be more than happy to provide.

 

Thanks in advance and again, I apologize for the giant wall of text.

You have not configured your proxy-confs correctly if you have to use the port. The container needs to have the same name as in upstream_app in the proxy conf, all lowercase. You also need to remove the .sample part from the file name.

For this to work you need to create a custom bridge and add swag and set all the containers you reverse proxy to use that bridge.

As it is now you are not going through Swag.

 

The second issue has nothing to do with swag, but your router. You need to find out if it supports hairpinning or split DNS.

 

Do you get the default welcome page if you just go to your domain?

Link to comment

Same errors as above, proxy sites worked late yesterday but after an overnight update getting the following (example) and no sites reachable:

 

nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/freshrss.subdomain.conf:38

Link to comment
8 hours ago, jortan said:

 

I have a very basic setup and I've just experienced this as well - all sites returning:

 


refused to connect.

 

Nothing logged in access.log or error.log

 

something broke between:

1.17.0-ls70 and

1.17.0-ls71

 

For anyone else seeing this, edit swag docker and change repo to:

 


linuxserver/swag:1.17.0-ls70

 

No need to pull an earlier version. Just comment out the proxy_redirect off; statement in all confs nginx complains about.

  • Thanks 2
Link to comment
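The two fixes given in this thread (comment out the duplicate `proxy_redirect off;` in every conf nginx names, or rename an unused `youtube-dl.subfolder.conf` out of the way) both come down to finding which active proxy conf declares `proxy_redirect` a second time in the same block. The script below is an added example, not SWAG's own tooling: it walks a proxy-confs directory the way nginx loads it (only `*.subdomain.conf` and `*.subfolder.conf`, never `.sample` files, with directives from an `include`d file counting toward the block that includes them), prints `file:line` for each duplicate in the same form as the `[emerg]` message, and can comment the duplicates out in place. It assumes one directive per line and include paths that are absolute or relative to the proxy-confs directory; the conf contents in `make_demo_confs` are constructed for the example.

```shell
#!/bin/sh
# Added example (not SWAG's own tooling): report the duplicate proxy_redirect
# directives behind nginx's '"proxy_redirect" directive is duplicate' error
# and optionally comment them out. Assumptions: SWAG's layout
# /config/nginx/proxy-confs with active confs named *.subdomain.conf or
# *.subfolder.conf (*.sample files are not loaded by nginx, so they are
# skipped), one directive per line, and include paths that are absolute or
# relative to the proxy-confs directory (no globs).

# find_duplicate_proxy_redirect DIR
# Prints "file:line" for every proxy_redirect that is the second (or later)
# occurrence inside the same { } block. Directives pulled in through
# "include" are counted in the including block, as nginx does. Commented-out
# lines are ignored, which is why commenting a duplicate out fixes the error.
find_duplicate_proxy_redirect() {
    dir="$1"
    for f in "$dir"/*.subdomain.conf "$dir"/*.subfolder.conf; do
        [ -f "$f" ] || continue
        awk -v file="$f" -v dir="$dir" '
        BEGIN { depth = 0 }
        {
            line = $0
            sub(/#.*/, "", line)                 # drop comments
            n = gsub(/[{]/, "{", line)           # blocks opened on this line
            for (i = 0; i < n; i++) { depth++; count[depth] = 0 }
            if (line ~ /^[ \t]*proxy_redirect[ \t]/ && ++count[depth] > 1) {
                print file ":" NR
            }
            if (line ~ /^[ \t]*include[ \t]/) {
                inc = line
                sub(/^[ \t]*include[ \t]+/, "", inc)
                sub(/[ \t]*;.*$/, "", inc)
                if (inc !~ /^\//) inc = dir "/" inc
                il = 0
                while ((getline l < inc) > 0) {  # included lines join this block
                    il++
                    sub(/#.*/, "", l)
                    if (l ~ /^[ \t]*proxy_redirect[ \t]/ && ++count[depth] > 1) {
                        print inc ":" il
                    }
                }
                close(inc)
            }
            n = gsub(/[}]/, "}", line)           # blocks closed on this line
            for (i = 0; i < n; i++) depth--
        }' "$f"
    done
}

# fix_duplicate_proxy_redirect DIR
# Comments out each reported duplicate in place; the first occurrence is kept.
# Re-run the finder (or "nginx -t" inside the container) to confirm it is clean.
fix_duplicate_proxy_redirect() {
    find_duplicate_proxy_redirect "$1" | while IFS=: read -r file line; do
        tmp="$file.tmp.$$"
        sed "${line}s/^/#/" "$file" > "$tmp" && mv "$tmp" "$file"
        echo "commented out $file:$line"
    done
}

# make_demo_confs: builds a constructed proxy-confs directory in a temp dir
# and prints its path. File contents are made up for this example.
make_demo_confs() {
    d=$(mktemp -d)
    printf '%s\n' 'proxy_redirect off;' > "$d/proxy.conf"   # shared include
    cat > "$d/freshrss.subdomain.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name freshrss.*;
    location / {
        include proxy.conf;
        proxy_pass http://freshrss:80;
        proxy_redirect off;
    }
}
EOF
    cat > "$d/clean.subdomain.conf" <<'EOF'
server {
    location / {
        include proxy.conf;
        # proxy_redirect off;   (already commented out, so not a duplicate)
    }
}
EOF
    # A .sample file is not loaded by nginx, so it must not be reported.
    cp "$d/freshrss.subdomain.conf" "$d/youtube-dl.subfolder.conf.sample"
    printf '%s' "$d"
}

if [ "${1-}" = "demo" ]; then
    d=$(make_demo_confs)
    echo "duplicates before:"; find_duplicate_proxy_redirect "$d"   # .../freshrss.subdomain.conf:7
    fix_duplicate_proxy_redirect "$d"
    echo "duplicates after:";  find_duplicate_proxy_redirect "$d"   # (none)
    rm -rf "$d"
fi
```

Run it with `sh check_proxy_redirect.sh demo` to see it on the constructed confs, or call `find_duplicate_proxy_redirect /config/nginx/proxy-confs` from inside the container to get the same list nginx would print, before touching any file. The fix function only prefixes `#` to the line nginx would complain about, so a diff of the proxy-confs directory afterwards shows exactly what changed.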

I was also getting the error

Quote

nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22

 

Which I thought odd as I've never set up youtube-dl. In the end I renamed youtube-dl.subfolder.conf to youtube-dl.subfolder.conf_BAK, restarted Swag and everything is back up and running normally.

  • Thanks 3
Link to comment
No need to pull an earlier version. Just comment out the proxy_redirect off; statement in all confs nginx complains about.

Is that a new thing this specific build, 71, is “looking for” since it has been an issue before out of curiosity?

(I’m gonna spot check a few of my Confs to see how many it may be issue with before I upgrade…)
Link to comment
5 hours ago, Yak said:

Which I thought odd as I've never set up youtube-dl. In the end I renamed youtube-dl.subfolder.conf to youtube-dl.subfolder.conf_BAK, restarted Swag and everything is back up and running normally.

oh, yeah! solved my problem! ty!

  • Thanks 1
Link to comment
9 hours ago, Yak said:

I was also getting the error

 

Which I thought odd as I've never set up youtube-dl. In the end I renamed youtube-dl.subfolder.conf to youtube-dl.subfolder.conf_BAK, restarted Swag and everything is back up and running normally.

If it doesn't have .sample at the end, you have enabled it at one point.

Link to comment
9 hours ago, blaine07 said:


Is that a new thing this specific build, 71, is “looking for” since it has been an issue before out of curiosity?

(I’m gonna spot check a few of my Confs to see how many it may be issue with before I upgrade…)

The log says which proxy confs have the issue. No need to go through all configs.

 

Alpine was updated from 3.13 to 3.14 and nginx also and they changed some things.

  • Like 1
Link to comment
