[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



I have a (likely) very basic question on SWAG. I am running several internal applications inside my internal network. Using nextcloud as an example which I do have set up with a domain name, the docker port mappings show up like this:

 

172.17.0.1:443 > [unraid ip]:[port]

 

This works fine until I reboot, and then Docker may or may not change the IP of the container from 172.17.0.1 to something else. This breaks SWAG until I go into the terminal and manually update the configuration file for nextcloud to the new IP address. It's not a huge deal, but I feel like I am missing some very obvious step to prevent this from happening. I have tried mapping SWAG's proxy config using the container host name, but it never works; it only seems to be able to resolve to the internal IP. Would appreciate any ideas on what I need to update if it's possible to fix this. Thanks!


Hello, I am using SWAG to get my nextcloud docker to access the internet. But now all of the sudden when I try to start SWAG it tries to generate a new cert for nextcloud.FQDN but fails saying that it could not download the challenge files from the temporary standalone webserver started by Certbot on port 80. I followed @SpaceInvaderOne's tutorial and have the same NAT rules as he did to allow it into the network. I'm really just confused and don't know a whole lot about certs to dive into it.


Edit: I realized that I cannot do this without forwarding port 80. Since I cannot do that, I changed to trying duckdns validation. While I now see that port 443 is open, I am still not able to get my reverse proxy running. I've asked about this in a new thread here:

 

 

--------

 

 

This is a bit of complex question. I'm unable to forward in requests, and I think it has to do with the way that Comcast/Xfinity's modem/router works/doesn't work.

 

I'm using default settings for the docker for port 80 (8080-->80) and 443. 

 

I have port 443 forwarded to my unRAID box.

I do not have port 80 forwarded. Do I need to?

I'm getting this error:

 

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: XXXXX.duckdns.org
Type: connection
Detail: Fetching http://XXXXXX.duckdns.org/.well-known/acme-challenge/0JQsgWcr6OCovXfDLxU8F4m3U3t_jHOqawZJ1DyVI: Timeout during connect (likely firewall problem)

 

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

 

 

 

Do I need to set up port 80 to forward to port 8080 on my unRAID?

If so, I think I'm out of luck, as XFinity's XFi gateway does not allow you to map one port to another. 

 

Any advice on how to mitigate these errors is appreciated.

 

Thanks.

 

 

Edited by volcs0
On 8/24/2021 at 10:54 AM, emptyfish said:

I have a (likely) very basic question on SWAG. I am running several internal applications inside my internal network. Using nextcloud as an example which I do have set up with a domain name, the docker port mappings show up like this:

 

172.17.0.1:443 > [unraid ip]:[port]

 

This works fine until I reboot, and then Docker may or may not change the IP of the container from 172.17.0.1 to something else. This breaks SWAG until I go into the terminal and manually update the configuration file for nextcloud to the new IP address. It's not a huge deal, but I feel like I am missing some very obvious step to prevent this from happening. I have tried mapping SWAG's proxy config using the container host name, but it never works; it only seems to be able to resolve to the internal IP. Would appreciate any ideas on what I need to update if it's possible to fix this. Thanks!

 

You shouldn't be using the internal docker IP for any of the configs. You need a custom docker network, then you'll be able to refer to the docker name instead of an IP address.

 

Check out Ibracorp's video on Docker Custom networks: 

 

 

or Spaceinvaderone's video on Reverse Proxy with Swag: 

 


I've followed Spaceinvaderone's video for setting up SWAG, but the docker container is giving an error:

Requesting a certificate for <mySubDomain>.duckdns.org

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: <mySubDomain>.duckdns.org
Type: unauthorized
Detail: Invalid response from http://<mySubDomain>.duckdns.org/.well-known/acme-challenge/U9o-N70woR3z5jnFl0cEVPWd711PJT8SAqRPiZLYAXc [<My IP>]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Some challenges have failed.

 

I have two gateways, AT&T for ISP and a Google WiFi mesh, but I believe I have the port forwarding correct.  Two reasons for this.

1) I can see my Plex server, so the two hop forwarding to that container is working

2) I was getting timeout errors in the log, but those have now changed to this unauthorized/404 error.

 

For SWAG, I have AT&T forward 80 and 443 directly (the only option I saw), and Google changing the ports to 180 and 1443.  SWAG is set up for 180 and 1443.

 

I'm trying to get http auth working as that seemed like the best place to start.  I need to understand the other options better, too.

 

Any tips for debugging?

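The two failures quoted above (volcs0's "Timeout during connect" and stottle's "Invalid response ... 404 Not Found ... nginx") are both HTTP-01 problems: the CA fetches http://DOMAIN/.well-known/acme-challenge/TOKEN on port 80, so what differs is what answered there. The following is an added example, not code from this thread or from the SWAG project: a small shell classifier that reads certbot's standalone output and names the layer at fault. The sample outputs are constructed copies modelled on the posts; example.duckdns.org, TOKEN, 203.0.113.5 and the host port 180 (from the default template in this thread) are placeholders.

```shell
#!/bin/sh
# Added example (not from this thread or from the SWAG project): classify the
# certbot standalone (HTTP-01) failures quoted above. The CA always fetches
# http://DOMAIN/.well-known/acme-challenge/TOKEN over port 80, so every
# variant comes down to what, if anything, answers on port 80 from the internet.

# classify_acme_failure < certbot-output
# Prints one "<class>: <explanation>" line and returns 0; returns 2 when the
# input contains no failure it recognises.
classify_acme_failure() {
    out=$(cat)
    case "$out" in
        *"Type: connection"*"Timeout during connect"*)
            echo "port80-unreachable: nothing reachable on port 80 from outside; forward external 80 to the host port SWAG maps to container port 80 (180 in the template used here) and check the ISP gateway is not blocking it"
            ;;
        *"Type: unauthorized"*"404 Not Found"*"nginx"*)
            echo "wrong-backend: port 80 reached an nginx that is not certbot's temporary server, so the forward lands on another service or port; check that each hop uses the same external/internal port pairing"
            ;;
        *"Type: unauthorized"*)
            echo "wrong-backend: something answered on port 80 but not with the challenge token; check the forward ends at SWAG's port-80 mapping"
            ;;
        *"Type: dns"*)
            echo "dns: the domain does not resolve to this network's public IP; fix the A/CNAME (or DuckDNS) record first"
            ;;
        *)
            return 2
            ;;
    esac
}

# Constructed samples modelled on the outputs posted in this thread.
sample_timeout=$(cat <<'EOF'
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: example.duckdns.org
Type: connection
Detail: Fetching http://example.duckdns.org/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem)
EOF
)

sample_404=$(cat <<'EOF'
Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
Domain: example.duckdns.org
Type: unauthorized
Detail: Invalid response from http://example.duckdns.org/.well-known/acme-challenge/TOKEN [203.0.113.5]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body>\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>nginx</center>\r\n"
EOF
)

# Demo: feed both samples through the classifier.
printf '%s\n' "$sample_timeout" | classify_acme_failure
printf '%s\n' "$sample_404" | classify_acme_failure
```

In practice you would pipe the container log into it (`docker logs swag 2>&1 | classify_acme_failure`). The useful distinction is the second one: a 404 signed "nginx" proves that port 80 is open and reaching your network, but that the final hop delivers it to some other nginx (a web UI, a differently-mapped port) rather than to the temporary certbot listener inside SWAG.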
On 11/9/2020 at 10:59 PM, LifeBasher said:

Hi,

I'm trying to get SWAG to reverse proxy to my VM in Unraid. I used SpaceInvaderOne's video to set it up at the start, but now when I'm trying to send to the VM, the log gives me this... Anyone have any idea? I mean it works great when I'm using it on Docker, but I can't get it to send it to my VM.

Thanks for any help

P.S. I actually want to send it to a vm for nextcloud instead of using a docker for it.

 

2020/11/10 00:45:08 [error] 431#431: *63 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 66.70.148.95, server: myServer.*, request: "GET /favicon.ico HTTP/2.0", upstream: "https://192.168.8.13:443/favicon.ico", host: "myHost", referrer: "https://myHost/"

Did you ever get this figured out? I'm also trying to pass through Ubuntu VM running Nextcloud. 

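Two earlier points in this thread fit one example: the reply that the fix for a changing container IP is a user-defined Docker network and a proxy-conf that refers to the container by name, and the "SSL_do_handshake() failed ... wrong version number" log above, which nginx emits when proxy_pass says https:// but the upstream only speaks plain HTTP. The script below is an added example, not code from this thread or from linuxserver.io; it writes a SWAG-style proxy-conf that names the upstream (a container, or a fixed LAN IP for a VM) and carries an explicit upstream scheme. Assumptions: the network is called "proxynet", SWAG's /config is at /mnt/user/appdata/swag, the app container is named "nextcloud", and the VM at 192.168.8.13 from the post above runs a plain-HTTP listener on port 80.

```shell
#!/bin/sh
# Added example (not code from this thread or from linuxserver.io): write a SWAG
# proxy-conf that names the upstream instead of hard-coding a container IP, and
# that carries the right upstream scheme. Assumptions, labelled here: the
# user-defined network is called "proxynet", SWAG's /config is at
# /mnt/user/appdata/swag, and the app container is named "nextcloud".

# Run once on the Unraid host. Docker's embedded DNS (127.0.0.11) only
# resolves container names on user-defined networks, never on the default
# bridge, which is why a name lookup fails there.
attach_to_proxynet() {
    docker network create proxynet 2>/dev/null || true
    docker network connect proxynet swag
    docker network connect proxynet "$1"
}

# write_proxy_conf NAME UPSTREAM_HOST UPSTREAM_PORT SCHEME [OUTDIR]
# UPSTREAM_HOST is a container name on proxynet, or a fixed LAN IP for a VM.
# SCHEME must match what the upstream really speaks: "https" only when the
# upstream terminates TLS itself. Saying https to a plain-HTTP listener is what
# produces "SSL_do_handshake() failed ... wrong version number" in nginx's log.
write_proxy_conf() {
    name=$1; host=$2; port=$3; scheme=$4
    outdir=${5:-/mnt/user/appdata/swag/nginx/proxy-confs}
    case "$scheme" in
        http|https) ;;
        *) echo "scheme must be http or https, got '$scheme'" >&2; return 1 ;;
    esac
    mkdir -p "$outdir"
    cat > "$outdir/$name.subdomain.conf" <<EOF
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $name.*;

    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        # Docker's embedded DNS; valid=30s makes nginx re-resolve, so a
        # recreated container with a new IP is picked up without a restart.
        resolver 127.0.0.11 valid=30s;
        # Assigning the target to variables forces per-request resolution
        # instead of a one-time lookup at nginx start.
        set \$upstream_app $host;
        set \$upstream_port $port;
        set \$upstream_proto $scheme;
        proxy_pass \$upstream_proto://\$upstream_app:\$upstream_port;
    }
}
EOF
    printf '%s\n' "$outdir/$name.subdomain.conf"
}

# Demo into a temp dir: the nextcloud container by name (linuxserver's image
# serves HTTPS on 443), and the VM from the post above at 192.168.8.13, which
# we assume runs a plain-HTTP listener on 80 (an assumption; check the VM first).
demo_dir=$(mktemp -d)
write_proxy_conf nextcloud nextcloud 443 https "$demo_dir"
write_proxy_conf nextcloud-vm 192.168.8.13 80 http "$demo_dir"
```

After the container is on proxynet, `docker exec swag nslookup nextcloud` should answer with its current IP, and `docker exec swag nginx -s reload` picks up the new conf. For the VM case, confirm the scheme before writing the conf: if `curl -sI http://192.168.8.13/` returns headers but `https://` fails the handshake, the upstream is plain HTTP and the proxy_pass scheme must say so.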
On 9/7/2021 at 12:58 PM, stottle said:

I have two gateways, AT&T for ISP and a Google WiFi mesh, but I believe I have the port forwarding correct.  Two reasons for this.

1) I can see my Plex server, so the two hop forwarding to that container is working

2) I was getting timeout errors in the log, but those have now changed to this unauthorized/404 error.

 

For SWAG, I have AT&T forward 80 and 443 directly (the only option I saw), and Google changing the ports to 180 and 1443.  SWAG is set up for 180 and 1443.

 

I'm trying to get http auth working as that seemed like the best place to start.  I need to understand the other options better, too.

 

Any tips for debugging?

The error turned out to be a mismatch in ports between the two routers (mixing which was internal vs. external).

 

Also, to the earlier person who mentioned still getting "insecure" messages due to having staging set to `true` - thanks, I hit that as well.

On 5/6/2021 at 4:38 PM, tetrapod said:

I had the same issue and I think, if I remember correctly, that SpaceInvaderOne's video didn't mention that you had to turn off proxy for the subdomain CNAME record. Maybe this worked differently before at Cloudflare? But when I turn on "proxied" for any CNAME, that URL will no longer point to my server; it will point to a Cloudflare server. How this proxy via Cloudflare is supposed to work I do not know.
I can keep "proxied" on for my A records though

Anyone ever get to the bottom of this ? :)

 


I searched this thread and generally online for an answer to this, but I don't see it or I missed it.  I've been running swag to front end a couple of dozen containers for a year or so and it has worked great.  I tried adding another one today and I went to ssh into it to modify the config file and I'm getting an error that the target actively refused it.  I've made no changes to my network, and I've restarted the container and even rebooted Unraid but I'm still getting the same error.  

 

Any ideas on what I might be missing?

 

NVM - Needed more coffee. I remembered I ssh into Unraid and then go to the appdata from there rather than ssh into the swag container IP.

Edited by BurntOC

Ain't nobody got time to trawl through 228 pages of messages to figure out how to use SWAG with ZeroSSL on Unraid.  Looks like linuxserver.io even spends precious little time describing what is needed for ZeroSSL.

I did find that the GitHub link for docker-swag has a little info though!

There has got to be a better way to support it than this forum.


Need help.

 

I have an error while installing the docker swag: I cannot see the logs, since after installation and running, the docker setup removes the image. But I see the commands generated:

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name='swag' --net='proxynet' -e TZ="Europe/Madrid" -e HOST_OS="Unraid" -e 'EMAIL'='test@gmail.com' -e 'URL'='myownadomain.com' -e 'SUBDOMAINS'='cloud' -e 'ONLY_SUBDOMAINS'='false' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'EXTRA_DOMAINS'='' -e 'STAGING'='false' -e 'DUCKDNSTOKEN'='' -e 'PROPAGATION'='' -e 'PUID'='99' -e 'PGID'='100' -p '180:80/tcp' -p '1443:443/tcp' -v '/mnt/user/appdata/swag':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/swag'
8234a2c63b968ed9a9ee04b5d0f10e93352e6424393d2d9531ce27b587916872

 

 

1 hour ago, altyne said:

Need help.

 

I have an error while installing the docker swag: I cannot see the logs, since after installation and running, the docker setup removes the image. But I see the commands generated:

 

root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker create --name='swag' --net='proxynet' -e TZ="Europe/Madrid" -e HOST_OS="Unraid" -e 'EMAIL'='test@gmail.com' -e 'URL'='myownadomain.com' -e 'SUBDOMAINS'='cloud' -e 'ONLY_SUBDOMAINS'='false' -e 'VALIDATION'='http' -e 'DNSPLUGIN'='' -e 'EXTRA_DOMAINS'='' -e 'STAGING'='false' -e 'DUCKDNSTOKEN'='' -e 'PROPAGATION'='' -e 'PUID'='99' -e 'PGID'='100' -p '180:80/tcp' -p '1443:443/tcp' -v '/mnt/user/appdata/swag':'/config':'rw' --cap-add=NET_ADMIN 'linuxserver/swag'
8234a2c63b968ed9a9ee04b5d0f10e93352e6424393d2d9531ce27b587916872

 

 

I resolved my issue; it was a port already in use.

 

However i have issue again:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: cloud.myowndomain.com
Type: connection
Detail: Fetching http://cloud.myowndomain.com/.well-known/acme-challenge/MW0vkuKtEVdJrtPHQhH-_BqvajZK31sTq18SZuk2qug: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

On 9/24/2021 at 4:01 PM, altyne said:

I resolved my issue; it was a port already in use.

 

However i have issue again:

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: cloud.myowndomain.com
Type: connection
Detail: Fetching http://cloud.myowndomain.com/.well-known/acme-challenge/MW0vkuKtEVdJrtPHQhH-_BqvajZK31sTq18SZuk2qug: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

I managed to install the SSL certificate via Cloudflare. However, my router blocks port 80 and shows the router web admin page? Did it ignore port forwarding?

internet -> router (port 80 forwarded  -> unraid server port 192.168.x.x:180 -> nextcloud : 80)

internet -> router (blocks here returns web admin page from router)?


Like many people here I followed SpaceInvaderOne's guide to give online access to Nextcloud using a domain name. I followed his guide to the letter and everything seems to be working fine other than my router not supporting NAT reflection.

 

This means that I can only access my Nextcloud GUI via my domain name using a VPN or when I'm away from home, which is fine by me, EXCEPT that I can no longer access my Nextcloud GUI AT ALL on my home network; when I try to access it via localhost:444 it gets redirected to my domain name (nextcloud.mydomain.com). Is there a way I can retain the ability to connect to owncloud on my home network?

 

This problem is only with nextcloud, I can access sonarr with both my domain and my local ip depending on if I'm connected to my local network or not.

Edited by sloob
On 9/25/2021 at 4:19 PM, altyne said:

 

I managed to install the SSL certificate via Cloudflare. However, my router blocks port 80 and shows the router web admin page? Did it ignore port forwarding?

internet -> router (port 80 forwarded  -> unraid server port 192.168.x.x:180 -> nextcloud : 80)

internet -> router (blocks here returns web admin page from router)?

 

It's working for me right now. What I did was disable the firewall settings built into my router and the UPnP options.

 

Well, looks like this thread is like a rant and nobody cares to read 228 pages. What a bummer.

 

What I observed is that SpaceInvaderOne's guides are still good, but most are outdated unless he updated them in the comment section. For other people's content, you can follow along, but you should be cautious because the settings will likely not be compatible with the latest version. Some tips and gotchas I observed: you can get the instructions inside the conf/config files, in the comments section. And also read the author's documentation/wiki guides on how to configure.

 

The Unraid server (particularly Docker) just presents the configuration on the screen, which is eventually submitted to the command line. You can read the author's guide or click the question mark at the top right of the screen, below your username, to see some valid values and tips.

32 minutes ago, Carlos said:

Hi there folks!

 

Today an expired certificate error message from my Win10 Nextcloud client hit me when I logged in. Looking around I found this; should I click "Trust this certificate anyway" and forget about it, or should I change something in my SWAG config?

 

Thanks

I'm having this untrusted certificate issue with nextcloud. Just started today for me as well.

23 hours ago, Carlos said:

Hi there folks!

 

Today an expired certificate error message from my Win10 Nextcloud client hit me when I logged in. Looking around I found this; should I click "Trust this certificate anyway" and forget about it, or should I change something in my SWAG config?

 

Thanks

Same for me here.

On 9/30/2021 at 5:24 PM, Carlos said:

Hi there folks!

 

Today an expired certificate error message from my Win10 Nextcloud client hit me when I logged in. Looking around I found this; should I click "Trust this certificate anyway" and forget about it, or should I change something in my SWAG config?

 

Thanks

Nevermind, looks like it's fixed with the latest client update recently deployed

 

Cheers


Hi, has something changed on SWAG recently? It's been working fine and nothing has changed on my FW or network; now I am getting this error:

 

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 
