[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



OK, I *think* it works now. Can anyone take a look and see if I am missing anything? Anything I should add to make it safer?

 

Thanks

 

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name bi.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app 192.168.1.31;
        set $upstream_port 7968;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
    }
}

Link to comment
On 7/7/2021 at 10:10 PM, joshallen2k said:

Hi all - I'm having difficulty troubleshooting what looks like a port forwarding issue.

 

My SWAG reverse proxy was working fine until a week ago. I was getting BTRFS errors in my docker.img, so deleted it and created from new. After reloading my apps, I noticed my reverse proxy was not working anymore.

 

In my SWAG logs, I saw this error:

 

int: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

My port forwarding seemed to be correct for port 80 (to 180) and port 443 (to 1443) as per my SWAG docker template. I went to a number of port testing sites, and they all showed blocked for 80 and 443.

 

So at this point I contacted my ISP (Bell Canada) and they said they have not changed anything.

 

Where should I go now to figure this out? Thanks all.

Any ideas here, anyone? Or have I messed up in some way in how I posted?

Link to comment

So, add your custom IPs again (don't forget the other reversed dockers ...) ;) that should solve your issue

and I meant "when your docker image crashes" ... custom bridge settings are gone

and maybe your "old" forwarding to "ATLANTIS" doesn't fit anymore as the IP may have changed

maybe ping ATLANTIS and see if the internal IP still fits for your forwarding

Edited by alturismo
Link to comment
11 hours ago, alturismo said:

So, add your custom IPs again (don't forget the other reversed dockers ...) ;) that should solve your issue

and I meant "when your docker image crashes" ... custom bridge settings are gone

and maybe your "old" forwarding to "ATLANTIS" doesn't fit anymore as the IP may have changed

maybe ping ATLANTIS and see if the internal IP still fits for your forwarding

Thanks for the reply. I double checked my WAN IP and it's fine. For some reason my router, when I specify an IP, resolves it to the host name. What I'm unsure of is where you say to add my custom IPs again in the SWAG template. I don't think I specified anything there before. What should it be?

Link to comment
3 hours ago, turnipisum said:

What gives with the last update adding youtube-dl.subfolder.conf and swag doesn't start saying duplicate .conf.

Check the recent posts for the solution. The last update did not add the youtube-dl.subfolder.conf. That happened last year.

  • Like 1
Link to comment
17 minutes ago, saarg said:

Check the recent posts for the solution. The last update did not add the youtube-dl.subfolder.conf. That happened last year.

Yeah, I have sorted it. But the update must have done it, because I had youtube-dl.subfolder.conf and youtube-dl.subfolder.conf.sample in the folder! I've not touched it since installing it!

  • Like 1
Link to comment
3 hours ago, joshallen2k said:

Thanks for the reply. I double checked my WAN IP and it's fine. For some reason my router, when I specify an IP, resolves it to the host name. What I'm unsure of is where you say to add my custom IPs again in the SWAG template. I don't think I specified anything there before. What should it be?

When using custom br0 you most likely assign static IPs for the docker(s) in your home net, like 192.168.1.0/24.

In case you stay on DHCP, your port forwarding goes to ATLANTIS; now, when you ping ATLANTIS locally, does it resolve to your swag IP? Your swag docker will have its own IP in the subnet, like 192.168.2.25 as a sample, so your port forwarding has to match it.

As when your docker image crashes or you rebuild it, all network setups will also "reset", so maybe your swag docker uses a different local LAN IP now. You can check in your docker tab which IP swag is listening on ... and make sure your router's port forwarding rules for 80 and 443 lead to 180 and 1443 on that local IP.

Link to comment
3 hours ago, alturismo said:

When using custom br0 you most likely assign static IPs for the docker(s) in your home net, like 192.168.1.0/24.

In case you stay on DHCP, your port forwarding goes to ATLANTIS; now, when you ping ATLANTIS locally, does it resolve to your swag IP? Your swag docker will have its own IP in the subnet, like 192.168.2.25 as a sample, so your port forwarding has to match it.

As when your docker image crashes or you rebuild it, all network setups will also "reset", so maybe your swag docker uses a different local LAN IP now. You can check in your docker tab which IP swag is listening on ... and make sure your router's port forwarding rules for 80 and 443 lead to 180 and 1443 on that local IP.

Thanks for the clarification, but I'm still having difficulty. With the setup in the screens below, the SWAG docker container fails to start with Execution Error 403. Note the fixed IP I specified in the template is the IP of my Unraid server (192.168.2.229). The IP of "ATLANTIS" is 192.168.2.229.

(screenshot: Capture11.JPG)

(screenshot: Capture10.JPG)

Edited by joshallen2k
added detail
Link to comment
4 hours ago, joshallen2k said:

Thanks for the clarification, but I'm still having difficulty. With the setup in the screens below, the SWAG docker container fails to start with Execution Error 403. Note the fixed IP I specified in the template is the IP of my Unraid server (192.168.2.229). The IP of "ATLANTIS" is 192.168.2.229.

You can't assign it to the same IP as Unraid already has it; change to bridge instead of custom br0, then you don't have to worry about IPs and your docker port mappings are valid,

also your other docker(s) then rather to bridge instead of custom:br0. When I see what you try to do, I guess you didn't use custom:br0 before; you probably either used bridge or maybe even did the proxynet bridge from the common tutorial video from @SpaceInvaderOne, which is also gone when your image broke and you have to start over ... you can pretty easily check how your configs look: in bridge mode you can't use docker names as targets ...

Edited by alturismo
Link to comment
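The advice in the last two replies comes down to a three-way match: the router forwards WAN 80/443 to a LAN IP and the host ports 180/1443, the container publishes 180/1443 on that host, and the LAN IP must be the Unraid host in bridge mode (or the container's own address on custom br0), which is exactly what can silently change after a docker.img rebuild. The script below is an added example, not part of the thread or of SWAG, that performs that comparison. Its inputs are constructed: a stand-in for `docker port <container>` output and a small router forwarding table in the form "wan_port lan_ip lan_port"; with docker available, the real `docker port swag` output can be passed instead.

```shell
#!/bin/sh
# Added example for this thread (not SWAG's own tooling): cross-check router
# port forwards against the ports a container actually publishes on the host.
set -eu

# Constructed stand-in for `docker port swag` in bridge mode: the container's
# 80/443 are published on the host as 180/1443 (same shape as the real output).
sample_docker_ports() {
  cat <<'EOF'
80/tcp -> 0.0.0.0:180
443/tcp -> 0.0.0.0:1443
EOF
}

# Constructed router forwarding table: "wan_port lan_ip lan_port".
# The 443 rule still targets an address left over from before the rebuild.
sample_router_forwards() {
  cat <<'EOF'
80 192.168.2.229 180
443 192.168.2.25 1443
EOF
}

# check_forwards HOST_IP DOCKER_PORT_OUTPUT: read the forwarding table on
# stdin and print one verdict per rule:
#   ok           rule targets the host and a container publishes that port
#   stale-ip     rule targets an IP other than the host publishing the ports
#   no-listener  rule targets the host, but no container publishes that port
# Exit status 1 if any rule is not ok.
check_forwards() {
  host_ip=$1
  # host ports from lines like "80/tcp -> 0.0.0.0:180" (also "[::]:180")
  published=$(printf '%s\n' "$2" | sed -n 's/^[0-9]*\/tcp -> .*:\([0-9]*\)$/\1/p')
  rc=0
  while read -r wan lan_ip lan_port; do
    [ -n "$wan" ] || continue
    if [ "$lan_ip" != "$host_ip" ]; then
      echo "$wan -> $lan_ip:$lan_port stale-ip (host is $host_ip)"; rc=1
    elif ! printf '%s\n' "$published" | grep -qx "$lan_port"; then
      echo "$wan -> $lan_ip:$lan_port no-listener"; rc=1
    else
      echo "$wan -> $lan_ip:$lan_port ok"
    fi
  done
  return $rc
}
```

Run it as `sample_router_forwards | check_forwards 192.168.2.229 "$(sample_docker_ports)"`; the second rule is reported as stale-ip, which is the situation the replies describe. On custom br0 the container publishes 80/443 directly and HOST_IP would be the container's own address instead.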

SWAG stopped working for me, using duckdns. It worked OK for the last several months. I did not do any config change.

Here's the docker log. Any idea?

 

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=mydomain.duckdns.org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=duckdns
CERTPROVIDER=
DNSPLUGIN=
[email protected]
STAGING=false

grep: /config/nginx/resolver.conf: No such file or directory
Setting resolver to 127.0.0.11
grep: /config/nginx/worker_processes.conf: No such file or directory
Setting worker_processes to 4
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of mydomain.duckdns.org will be requested
E-mail address entered: [email protected]
duckdns validation is selected
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem!
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for *.mydomain.duckdns.org
Hook '--manual-auth-hook' for mydomain.duckdns.org ran with output:
OKsleeping 60
Hook '--manual-auth-hook' for mydomain.duckdns.org ran with error output:

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 2 0 2 0 0 3 0 --:--:-- --:--:-- --:--:-- 3

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:

Domain: mydomain.duckdns.org
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.mydomain.duckdns.org - the domain's nameservers may be malfunctioning

 

Has anybody had any problem with duckdns recently?

Of course I checked that all the settings, including the token, are correct.

Link to comment
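In the log above the SERVFAIL is reported by the CA's resolver, not by the auth hook: the hook's "OK" only says the DuckDNS API accepted the update, and the 60-second sleep is the only thing standing between that and the CA's lookup. The check a defender wants is to query the challenge name the same way the CA does. The script below is an added example, not part of SWAG or certbot: `acme_txt_verdict` classifies the output of `dig +noall +comments +answer TXT _acme-challenge.<domain>` into a single verdict, `check_acme_txt` wraps a live `dig`, and two constructed `dig` outputs (the SERVFAIL from the thread and a healthy answer) let the parser run offline.

```shell
#!/bin/sh
# Added example for this thread (not part of SWAG or certbot): confirm that the
# _acme-challenge TXT record a dns-01 hook claims to have published is really
# answerable, the way the CA's resolver will see it.
set -eu

# acme_txt_verdict DOMAIN: read the output of
#   dig +noall +comments +answer TXT _acme-challenge.DOMAIN
# on stdin and print exactly one of:
#   OK <value>  a TXT record for the challenge name was returned      (exit 0)
#   NOTXT       the query succeeded but returned no TXT record        (exit 1)
#   NOANSWER    no status line at all, e.g. dig timed out             (exit 1)
#   <STATUS>    any other rcode, such as the SERVFAIL in the thread   (exit 1)
acme_txt_verdict() {
  domain=$1
  input=$(cat)
  # rcode from the ";; ->>HEADER<<- opcode: QUERY, status: ..., id: ..." line
  status=$(printf '%s\n' "$input" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
  # rdata of the first TXT answer for the challenge name (quotes stripped)
  value=$(printf '%s\n' "$input" | awk -v n="_acme-challenge.$domain." \
            '$1 == n && $4 == "TXT" { gsub(/"/, "", $5); print $5; exit }')
  case "$status" in
    NOERROR)
      if [ -n "$value" ]; then echo "OK $value"; return 0; fi
      echo NOTXT; return 1 ;;
    "") echo NOANSWER; return 1 ;;
    *)  echo "$status"; return 1 ;;
  esac
}

# check_acme_txt DOMAIN [SERVER]: live query, optionally against a specific
# resolver or one of the zone's authoritative nameservers (dig @SERVER).
check_acme_txt() {
  dig +noall +comments +answer TXT "_acme-challenge.$1" ${2:+"@$2"} | acme_txt_verdict "$1"
}

# Constructed dig output, trimmed to the lines the parser uses: the failure
# from the thread, and a healthy answer for comparison.
sample_dig_servfail() {
  cat <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
EOF
}
sample_dig_ok() {
  cat <<'EOF'
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
_acme-challenge.mydomain.duckdns.org. 60 IN TXT "constructed-challenge-token"
EOF
}
```

Offline, `sample_dig_servfail | acme_txt_verdict mydomain.duckdns.org` prints SERVFAIL and exits 1, while the healthy sample prints `OK constructed-challenge-token`. Live, `check_acme_txt mydomain.duckdns.org` uses the system resolver and a second argument picks a specific server; a SERVFAIL from a public resolver while the hook reports OK points at the DNS provider's nameservers rather than at the SWAG configuration.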
11 hours ago, alturismo said:

You can't assign it to the same IP as Unraid already has it; change to bridge instead of custom br0, then you don't have to worry about IPs and your docker port mappings are valid,

also your other docker(s) then rather to bridge instead of custom:br0. When I see what you try to do, I guess you didn't use custom:br0 before; you probably either used bridge or maybe even did the proxynet bridge from the common tutorial video from @SpaceInvaderOne, which is also gone when your image broke and you have to start over ... you can pretty easily check how your configs look: in bridge mode you can't use docker names as targets ...

Yes, it was the @SpaceInvaderOne tutorial that I originally used for the setup. I changed my network to bridge and had the same error. I just used the troubleshooting guide https://www.linuxserver.io/blog/2019-07-10-troubleshooting-letsencrypt-image-port-mapping-and-forwarding which suggests using the Nginx docker to test connectivity and forwarding. Using nginx seems to work - I can reach the standard web page, and when I use a port checker, port 80 and 443 are open/green. When I delete the nginx docker and launch swag (using the same port forward and network settings), then port 80/443 are showing up as closed.

Link to comment
On 7/8/2021 at 1:10 PM, Yak said:

I was also getting the error

 

Which I thought odd as I've never set up youtube-dl. In the end I renamed youtube-dl.subfolder.conf to youtube-dl.subfolder.conf_BAK, restarted Swag and everything is back up and running normally

Maybe I enabled this at some point, I don't recall, but I had the same error this weekend, only realising while away so I couldn't remote in to fix it....

 

I deleted the .conf (I've still got the .sample) and all good again. Thanks. Need to set up another method to connect!

Link to comment
On 7/8/2021 at 11:21 PM, saarg said:

If it doesn't have .sample at the end you have enabled it at one point.

I am getting the same error with youtube-dl but I know 100% sure I have never removed the sample on it; I don't even know what it is. I only use Swag with Nextcloud.

 

Though I see that that config was last updated summer 2020...

Edited by Mihle
Link to comment

I woke this morning to SWAG not working.

 

In the log I get this:

 

nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22

 

youtube-dl.subfolder.conf in the proxy-confs is there without a .sample at the end.

 

I did not change this.

Link to comment
On 7/6/2018 at 6:47 PM, Tuumke said:

Found the culprit. All the proxy-conf subfolder conf files have a /servicename and organizr just has the /

What does that mean? How can I fix this?

Thank you, firstly. I found that once I disable "proxy_redirect" in the .conf file,

"nginx: [emerg] duplicate location "/" in /config/nginx/site-confs/default:28" will happen.

 

Link to comment
On 7/11/2021 at 1:18 PM, OdinEidolon said:

SWAG stopped working for me, using duckdns. It worked OK for the last several months. I did not do any config change.

Here's the docker log. Any idea?

 


[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=mydomain.duckdns.org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=duckdns
CERTPROVIDER=
DNSPLUGIN=
[email protected]
STAGING=false

grep: /config/nginx/resolver.conf: No such file or directory
Setting resolver to 127.0.0.11
grep: /config/nginx/worker_processes.conf: No such file or directory
Setting worker_processes to 4
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of mydomain.duckdns.org will be requested
E-mail address entered: [email protected]
duckdns validation is selected
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem!
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for *.mydomain.duckdns.org
Hook '--manual-auth-hook' for mydomain.duckdns.org ran with output:
OKsleeping 60
Hook '--manual-auth-hook' for mydomain.duckdns.org ran with error output:

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 2 0 2 0 0 3 0 --:--:-- --:--:-- --:--:-- 3

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:

Domain: mydomain.duckdns.org
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.mydomain.duckdns.org - the domain's nameservers may be malfunctioning

 

Has anybody had any problem with duckdns recently?

Of course I checked that all the settings, including the token, are correct.

 

 

Does anybody have any hint about what's going on here? I do not understand if this is an issue on duckDNS's side or some configuration mishap.

Link to comment

My swag broke on update. None of my sites work. I had 2 domains and several subdomains on my 1st domain running. This is the only error I get:

 

nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/site-confs/mydomain2.conf:28

 

What does this mean? I created the mydomain2.conf file in the past and I need it as it redirects to my wordpress docker. Here's the contents of mydomain2.conf

server {
    listen 80;
    listen [::]:80;
    server_name mydomain2.com;
    return 301 https://$host$request_uri;
}

# main server block
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name mydomain2.com;

    # all ssl related config moved to ssl.conf
    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app 192.168.1.102;
        set $upstream_port 8086;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_redirect off;
    }
}


In the meantime I rolled back to an older version using linuxserver/swag:version-1.16.0 as the repository (Which works fine).

What is changed in Swag 1.17 that is causing this error? Swag is just so overly complicated.  I would switch to nginx proxy manager in a heartbeat but I need fail2ban.

Edited by 007craft
  • Thanks 1
Link to comment
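The youtube-dl.subfolder.conf reports earlier in the thread and this mydomain2.conf hit the same nginx failure: a directive set in the site conf is set again by a file it includes, and nginx reports the duplicate at the line of the second occurrence, which is why the error points at a file nobody edited. The script below is an added example, not SWAG's own tooling. It inlines `include` directives the way nginx does, lists every non-repeatable directive that ends up twice in one block, and applies the fix the thread arrives at by commenting the line out of the site conf. The sample tree it builds is constructed, and it assumes, as that fix implies, that the 1.17 proxy.conf sets proxy_redirect itself.

```shell
#!/bin/sh
# Added example for this thread, not part of SWAG: flatten nginx includes and
# report directives that appear twice in the same block, which nginx rejects
# with '"<name>" directive is duplicate'.
set -eu

# flatten_conf FILE ROOT: print FILE with every `include path;` replaced by the
# included file's contents. Include paths are resolved under ROOT, so with
# ROOT=/tmp/x the line `include /config/nginx/proxy.conf;` reads
# /tmp/x/config/nginx/proxy.conf; inside the SWAG container pass ROOT="".
# Glob includes (proxy-confs/*.subfolder.conf) expand as nginx would.
flatten_conf() {
  while IFS= read -r line || [ -n "$line" ]; do
    inc=$(printf '%s\n' "$line" | sed -n 's/^[[:space:]]*include[[:space:]]\{1,\}\([^;]*\);.*/\1/p')
    if [ -z "$inc" ]; then
      printf '%s\n' "$line"
      continue
    fi
    for f in "$2"$inc; do
      if [ -f "$f" ]; then
        flatten_conf "$f" "$2"
      else
        echo "warning: include $f not found" >&2
      fi
    done
  done < "$1"
}

# dup_directives FILE ROOT: print "<block-id> <directive> <count>" for every
# directive repeated inside one block of the flattened config. Directives
# nginx allows to repeat (listen, set, add_header, ...) are skipped.
# Exit status 1 if any duplicate is found, 0 otherwise.
dup_directives() {
  flatten_conf "$1" "$2" | awk '
    BEGIN {
      split("listen set add_header proxy_set_header proxy_hide_header allow deny rewrite error_page fastcgi_param", r, " ")
      for (i in r) repeatable[r[i]] = 1
      path = ""; blocks = 0
    }
    { sub(/#.*/, ""); sub(/^[[:space:]]+/, ""); sub(/[[:space:]]+$/, "") }   # drop comments, trim
    /^$/ { next }
    /\{$/ { blocks++; path = path "/" blocks; next }   # block opens: give it a fresh id
    /^\}/ { sub(/\/[0-9]+$/, "", path); next }          # block closes: pop the id
    {
      name = $1; sub(/;$/, "", name)
      if (name in repeatable) next
      seen[path " " name]++
    }
    END {
      found = 0
      for (k in seen) if (seen[k] > 1) { print k, seen[k]; found = 1 }
      exit found
    }'
}

# disable_directive FILE NAME: comment out every line of FILE that starts with
# directive NAME, the fix the thread settles on for proxy_redirect.
disable_directive() {
  tmpf="$1.tmp.$$"
  sed "s/^\([[:space:]]*\)$2[[:space:]]/\1# $2 /" "$1" > "$tmpf" && mv "$tmpf" "$1"
}

# make_sample DIR: build a constructed /config/nginx tree under DIR that
# reproduces the thread's failure (proxy.conf and the site conf both set
# proxy_redirect inside the same location block).
make_sample() {
  mkdir -p "$1/config/nginx/site-confs"
  printf 'proxy_redirect off;\nproxy_http_version 1.1;\n' > "$1/config/nginx/proxy.conf"
  printf 'ssl_session_timeout 1d;\n' > "$1/config/nginx/ssl.conf"
  cat > "$1/config/nginx/site-confs/mydomain2.conf" <<'EOF'
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name mydomain2.com;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app 192.168.1.102;
        set $upstream_port 8086;
        proxy_pass http://$upstream_app:$upstream_port;
        proxy_redirect off;
    }
}
EOF
}
```

With `make_sample /tmp/x`, `dup_directives /tmp/x/config/nginx/site-confs/mydomain2.conf /tmp/x` prints `/1/2 proxy_redirect 2` (block 2 is the `location /` block) and exits 1; after `disable_directive .../mydomain2.conf proxy_redirect` it prints nothing and exits 0. Inside the running container the same check is `dup_directives /config/nginx/site-confs/default ""`, run before `nginx -t` so the report names the file you wrote rather than the include.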
On 6/30/2021 at 11:20 PM, saarg said:

Why did you change the third to 1? Only change the first two.

Using cronguru, it seemed to me that "30 20 1 * *" appears to translate to the 1st of every month, whereas "30 20 * * *" translates to a trigger of half past eight pm every single day - or have I misunderstood?

Edited by Unrayed
Link to comment

I found out today my swag broke. It was working properly in the past until today. Does anyone encounter the same issue? If so, do you guys know any fix?

 

My swag broke with this log error.

(screenshot of the log error)

 

This is my CONF. file setup for only office subdomain

(screenshot of the OnlyOffice subdomain conf)

Link to comment
I found out today my swag broke. It was working properly in the past until today. Does anyone encounter the same issue? If so, do you guys know any fix?

My swag broke with this log error.
(screenshot of the log error)

This is my CONF. file setup for OnlyOffice subdomain
(screenshot of the OnlyOffice subdomain conf)

Comment out the “proxy_redirect” line in the OnlyOffice CONF. Restart Swag. Profit.
Link to comment
