[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)


5 hours ago, saarg said:

If it doesn't have .sample at the end you have enabled it at one point.

Nope, mine was also youtube-dl.subfolder.conf and I know I never enabled this as I only use *.subdomain.conf.

I think somehow in a previous version of the SWAG docker a non-sample conf must have been pushed out. Possibly even from back before this docker was renamed?

edit: judging by the file date, this happened early July 2020.

Edited by jortan

Hello,

Any idea what needs to be changed in the new sonarr conf?

So far I am getting a 502 Bad Gateway error (nginx/1.20.1) for my sonarr subdomain.

I managed to get bitwarden working, now trying to make sonarr alive.

Edited by J05u
2 hours ago, J05u said:

Hello,

Any idea what needs to be changed in the new sonarr conf?

So far I am getting a 502 Bad Gateway error (nginx/1.20.1) for my sonarr subdomain.

I managed to get bitwarden working, now trying to make sonarr alive.

The upstream_app name doesn't match your container name, or swag and sonarr are not in the same custom bridge.

Hello,

Sorry, I am a total noob. I have been using Nginx Proxy Manager for a long time and all of a sudden it won't renew my certificates for some reason. So I installed Swag. I think I got the certificate and the ports set up properly because when I go to my subdomain bi.xxxx.com it does open a page saying "Welcome to your SWAG instance".

However I can't figure out how to make it forward to my Blue Iris IP running on an Unraid VM as it used to with Nginx.

I understand I need to create an xxx.subdomain.conf file but I don't know how to make it work. I found a .conf file from my nginx docker but the format seems to be different? This is what the old one looked like:

server {
  set $forward_scheme https;
  set $server         "192.168.1.31";
  set $port           7968;

  listen 8080;
  listen [::]:8080;

  server_name bi.redacted.us;

  access_log /data/logs/proxy_host-1.log proxy;

  location / {
    # Proxy!
    include conf.d/include/proxy.conf;
  }
  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

I just need it to forward to 192.168.1.31:7968.

Any ideas what the swag conf file should look like? Thanks!

OK, I *think* it works now. Can anyone take a look and see if I am missing anything? Anything I should add to make it safer?

Thanks

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name bi.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        # Blue Iris VM on the LAN, reached over plain http behind SWAG's TLS
        set $upstream_app 192.168.1.31;
        set $upstream_port 7968;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
    }
}
On 7/7/2021 at 10:10 PM, joshallen2k said:

Hi all - I'm having difficulty troubleshooting what looks like a port forwarding issue.

My SWAG reverse proxy was working fine until a week ago. I was getting BTRFS errors in my docker.img, so I deleted it and created it from new. After reloading my apps, I noticed my reverse proxy was not working anymore.

In my SWAG logs, I saw this error:

int: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

My port forwarding seemed to be correct for port 80 (to 180) and port 443 (to 1443) as per my SWAG docker template. I went to a number of port testing sites, and they all showed blocked for 80 and 443.

So at this point I contacted my ISP (Bell Canada) and they said they have not changed anything.

Where should I go now to figure this out? Thanks all.

Any ideas here anyone? Or have I messed up some way in how I posted?

so, add your custom IPs again (don't forget the other reverse-proxied dockers ...) ;) that should solve your issue

and I meant "when your docker image crashes" ... custom bridge settings are gone

and maybe your "old" forwarding to "ATLANTIS" doesn't fit anymore as the IP may have changed

maybe ping ATLANTIS and see if the internal IP still fits for your forwarding

Edited by alturismo
11 hours ago, alturismo said:

so, add your custom IPs again (don't forget the other reverse-proxied dockers ...) ;) that should solve your issue

and I meant "when your docker image crashes" ... custom bridge settings are gone

and maybe your "old" forwarding to "ATLANTIS" doesn't fit anymore as the IP may have changed

maybe ping ATLANTIS and see if the internal IP still fits for your forwarding

Thanks for the reply. I double checked my WAN IP and it's fine. For some reason my router, when I specify an IP, resolves it to the host name. What I'm unsure of is where you say to add my custom IPs again in the SWAG template. I don't think I specified anything there before. What should it be?
3 hours ago, turnipisum said:

What gives with the last update adding youtube-dl.subfolder.conf and swag doesn't start saying duplicate .conf.

Check the recent posts for the solution. The last update did not add the youtube-dl.subfolder.conf. That happened last year.
17 minutes ago, saarg said:

Check the recent posts for the solution. The last update did not add the youtube-dl.subfolder.conf. That happened last year.

Yeah I have sorted it. But the update must have done it because I had youtube-dl.subfolder.conf and youtube-dl.subfolder.conf.sample in the folder! I've not touched it since installing it!
3 hours ago, joshallen2k said:

Thanks for the reply. I double checked my WAN IP and it's fine. For some reason my router, when I specify an IP, resolves it to the host name. What I'm unsure of is where you say to add my custom IPs again in the SWAG template. I don't think I specified anything there before. What should it be?

when using custom br0 you most likely assign static IPs for the docker(s) in your home net like 192.168.1.0/24

if you stay on DHCP, your port forwarding goes to ATLANTIS; now, when you ping ATLANTIS locally, does it resolve to your swag IP? your swag docker will have its own IP in the subnet, like 192.168.2.25 as a sample, so your port forwarding has to match it.

as when your docker image crashes or you rebuild it, all network setups will also "reset", so maybe your swag docker will use a different local LAN IP now; you can check in your docker tab which IP swag is listening on ... and make sure your router's port forwarding rules for 80 and 443 lead to 180 and 1443 on that local IP.
3 hours ago, alturismo said:

when using custom br0 you most likely assign static IPs for the docker(s) in your home net like 192.168.1.0/24

if you stay on DHCP, your port forwarding goes to ATLANTIS; now, when you ping ATLANTIS locally, does it resolve to your swag IP? your swag docker will have its own IP in the subnet, like 192.168.2.25 as a sample, so your port forwarding has to match it.

as when your docker image crashes or you rebuild it, all network setups will also "reset", so maybe your swag docker will use a different local LAN IP now; you can check in your docker tab which IP swag is listening on ... and make sure your router's port forwarding rules for 80 and 443 lead to 180 and 1443 on that local IP.

Thanks for the clarification, but I'm still having difficulty. With the setup in the screens below, the SWAG docker container fails to start with Execution Error 403. Note the fixed IP I specified in the template is the IP of my Unraid server (192.168.2.229). The IP of "ATLANTIS" is 192.168.2.229.

Capture11.JPG

Capture10.JPG

Edited by joshallen2k
added detail
4 hours ago, joshallen2k said:

Thanks for the clarification, but I'm still having difficulty. With the setup in the screens below, the SWAG docker container fails to start with Execution Error 403. Note the fixed IP I specified in the template is the IP of my Unraid server (192.168.2.229). The IP of "ATLANTIS" is 192.168.2.229.

you can't assign it to the same IP as Unraid has it already; change to bridge instead of custom br0, then you don't have to worry about IPs and your docker port mappings are valid,

also your other docker(s) then rather to bridge instead of custom:br0; when I see what you try to do, I guess you didn't use custom:br0 before, you prolly either used bridge or maybe even did the proxynet bridge from the common tutorial video from @SpaceInvaderOne, which is also gone when your image broke and you have to start over ... you can pretty easily check how your configs look; in bridge mode you can't use docker names as targets ...

Edited by alturismo

SWAG stopped working for me, using duckdns. It worked OK for the last several months. I did not do any config change.

Here's the docker log. Any idea?

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=mydomain.duckdns.org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=duckdns
CERTPROVIDER=
DNSPLUGIN=
EMAIL=mymail@mail.com
STAGING=false

grep: /config/nginx/resolver.conf: No such file or directory
Setting resolver to 127.0.0.11
grep: /config/nginx/worker_processes.conf: No such file or directory
Setting worker_processes to 4
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of mydomain.duckdns.org will be requested
E-mail address entered: mymail@mail.com
duckdns validation is selected
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem!
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for *.mydomain.duckdns.org
Hook '--manual-auth-hook' for mydomain.duckdns.org ran with output:
OKsleeping 60
Hook '--manual-auth-hook' for mydomain.duckdns.org ran with error output:

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 2 0 2 0 0 3 0 --:--:-- --:--:-- --:--:-- 3

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:

Domain: mydomain.duckdns.org
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.mydomain.duckdns.org - the domain's nameservers may be malfunctioning

 

Has anybody had any problem with duckdns recently?

Of course I checked that all the settings, including the token, are correct.
11 hours ago, alturismo said:

you can't assign it to the same IP as Unraid has it already; change to bridge instead of custom br0, then you don't have to worry about IPs and your docker port mappings are valid,

also your other docker(s) then rather to bridge instead of custom:br0; when I see what you try to do, I guess you didn't use custom:br0 before, you prolly either used bridge or maybe even did the proxynet bridge from the common tutorial video from @SpaceInvaderOne, which is also gone when your image broke and you have to start over ... you can pretty easily check how your configs look; in bridge mode you can't use docker names as targets ...

Yes, it was the @SpaceInvaderOne tutorial that I originally used for the setup. I changed my network to bridge and had the same error. I just used the troubleshooting guide https://www.linuxserver.io/blog/2019-07-10-troubleshooting-letsencrypt-image-port-mapping-and-forwarding which suggests using the Nginx docker to test connectivity and forwarding. Using nginx seems to work - I can reach the standard web page, and when I use a port checker, ports 80 and 443 are open/green. When I delete the nginx docker and launch swag (using the same port forward and network settings), then ports 80/443 are showing up as closed.
On 7/8/2021 at 1:10 PM, Yak said:

I was also getting the error

Which I thought odd as I've never set up youtube-dl. In the end I renamed youtube-dl.subfolder.conf to youtube-dl.subfolder.conf_BAK, restarted Swag and everything is back up and running normally

Maybe I enabled this at some point, I don't recall, but I had the same error this weekend, only realising while away so I couldn't remote in to fix it....

I deleted the .conf (I've still got the .sample) and all good again. Thanks. Need to set up another method to connect!
On 7/8/2021 at 11:21 PM, saarg said:

If it doesn't have .sample at the end you have enabled it at one point.

I am getting the same error with youtube-dl but I know 100% sure I have never removed the sample on it; I don't even know what it is. I only use Swag with Nextcloud.

Though I see that that config was last updated summer 2020...

Edited by Mihle

I woke this morning to SWAG not working.

In the log I get this:

nginx: [emerg] "proxy_redirect" directive is duplicate in /config/nginx/proxy-confs/youtube-dl.subfolder.conf:22

youtube-dl.subfolder.conf in the proxy-confs is there without a .sample at the end.

I did not change this.
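An added audit script for the stray-conf problem in the posts above; it is not SWAG's own tooling and assumes SWAG's /config/nginx/proxy-confs layout, where only files ending in .conf (not .conf.sample) are loaded by nginx. It lists every live conf and flags whether it is a deliberately edited template, an untouched copy of one (the youtube-dl.subfolder.conf case), or a file with no shipped template at all:

```shell
# Added audit helper for a SWAG proxy-confs directory; not part of SWAG.
# nginx includes every *.conf under /config/nginx/proxy-confs, while the
# *.conf.sample files are inert templates. A conf nobody meant to enable,
# such as the stray youtube-dl.subfolder.conf in this thread, is loaded
# too and can stop nginx at the next restart with a duplicate directive.

# Classify one live conf against its .sample twin:
#   ENABLED-UNCHANGED  .sample exists and the live copy is byte-identical
#   ENABLED-CUSTOMISED .sample exists and the live copy was edited
#   STRAY              no .sample twin, so not one of SWAG's shipped templates
conf_status() {
    conf="$1"
    if [ ! -e "$conf.sample" ]; then
        echo STRAY
    elif [ "$(cksum < "$conf")" = "$(cksum < "$conf.sample")" ]; then
        echo ENABLED-UNCHANGED
    else
        echo ENABLED-CUSTOMISED
    fi
}

# Number of confs nginx will actually load from the directory.
live_conf_count() {
    n=0
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        n=$((n + 1))
    done
    echo "$n"
}

# One report line per live conf, then the total.
audit_proxy_confs() {
    for f in "$1"/*.conf; do
        [ -e "$f" ] || continue
        printf '%-19s %s\n' "$(conf_status "$f")" "$(basename "$f")"
    done
    echo "$(live_conf_count "$1") live conf(s) in $1"
}

# Constructed demo directory standing in for /config/nginx/proxy-confs: one
# deliberately enabled and edited conf, one stale verbatim copy of a template
# (the youtube-dl situation), and one template that is still dormant.
make_demo_dir() {
    d=$(mktemp -d)
    printf 'location /nextcloud { }\n' > "$d/nextcloud.subdomain.conf.sample"
    printf 'location /nextcloud { set $upstream_app nc; }\n' > "$d/nextcloud.subdomain.conf"
    printf 'location /youtube-dl { }\n' > "$d/youtube-dl.subfolder.conf.sample"
    cp "$d/youtube-dl.subfolder.conf.sample" "$d/youtube-dl.subfolder.conf"
    printf 'location /sonarr { }\n' > "$d/sonarr.subdomain.conf.sample"
    echo "$d"
}

audit_proxy_confs "$(make_demo_dir)"
```

Point it at the real directory with `audit_proxy_confs /path/to/appdata/swag/nginx/proxy-confs`; after removing or renaming a stray file, `docker exec swag nginx -t` validates the config before the container is restarted.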
On 7/6/2018 at 6:47 PM, Tuumke said:

Found the culprit. All the proxy-conf subfolder conf files have a /servicename and organizr just has the /

what does that mean? how can I fix this?

thank you firstly, I found once I unable "proxy_redirect" in the .conf file,

"nginx: [emerg] duplicate location "/" in /config/nginx/site-confs/default:28" will happen.
On 7/11/2021 at 1:18 PM, OdinEidolon said:

SWAG stopped working for me, using duckdns. It worked OK for the last several months. I did not do any config change.

Here's the docker log. Any idea?


[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=Europe/Berlin
URL=mydomain.duckdns.org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=duckdns
CERTPROVIDER=
DNSPLUGIN=
EMAIL=mymail@mail.com
STAGING=false

grep: /config/nginx/resolver.conf: No such file or directory
Setting resolver to 127.0.0.11
grep: /config/nginx/worker_processes.conf: No such file or directory
Setting worker_processes to 4
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for only the subdomains of mydomain.duckdns.org will be requested
E-mail address entered: mymail@mail.com
duckdns validation is selected
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org
Different validation parameters entered than what was used before. Revoking and deleting existing certificate, and an updated one will be created
Saving debug log to /var/log/letsencrypt/letsencrypt.log
No match found for cert-path /config/etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem!
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for *.mydomain.duckdns.org
Hook '--manual-auth-hook' for mydomain.duckdns.org ran with output:
OKsleeping 60
Hook '--manual-auth-hook' for mydomain.duckdns.org ran with error output:

% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed

0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 2 0 2 0 0 3 0 --:--:-- --:--:-- --:--:-- 3

Certbot failed to authenticate some domains (authenticator: manual). The Certificate Authority reported these problems:

Domain: mydomain.duckdns.org
Type: dns
Detail: DNS problem: SERVFAIL looking up TXT for _acme-challenge.mydomain.duckdns.org - the domain's nameservers may be malfunctioning

 

Has anybody had any problem with duckdns recently?

Of course I checked that all the settings, including the token, are correct.

Does anybody have any hint about what's going on here? I do not understand if this is an issue on duckDNS's side or some configuration mishap.
