[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



I had my SWAG docker still failing with the Let's Encrypt cert renewal. My issue renewing was caused by Cloudflare proxying the traffic. I turned off proxying for my A and CNAME records (under the DNS tab in Cloudflare). I then restarted the docker and it came right. I could then go back to Cloudflare and turn the proxying back on. Hope this may help someone else.

On 10/5/2021 at 8:51 AM, dfox1787 said:

Hi, has something changed on SWAG recently? It's been working fine and nothing has changed on my FW or network, but now I am getting this error:

 

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

restored a backup all working now. thanks for the help.....

Edited by dfox1787

Hi! I'm trying to host my own git server using Gitea combined with SWAG. I followed @SpaceInvaderOne's guide on how to add reverse proxies for select applications, and I think I did it right, as I get to an error page saying "Error 403 Permission Denied"; SWAG redirects the traffic "correctly", but I can't figure out what I configured wrongly. Could someone help me? app.ini is Gitea's own config.

gitea.subdomain.conf

On 9/25/2021 at 2:23 PM, sloob said:

EXCEPT that I can no longer access my Nextcloud GUI AT ALL on my home network. When I try to access it via localhost:444 it gets redirected to my domain name (nextcloud.mydomain.com). Is there a way I can retain the ability to connect to owncloud on my home network?

 

I have the same issue, where my router doesn't allow NAT loopback or hairpinning. To access Nextcloud on my home network, I type localhost:444, which then redirects to nextcloud.mydomain.com (like you indicated). After that first redirect I replace "nextcloud.mydomain.com" with "localhost:444" in the URL and it works.

Edited by bat2o

Solved
My issue turned out to be this; removing resolver.conf and letting it regenerate fixed it.

Quote

  • The container originally ran with host networking, or the default bridge.
  • In most cases the contents of /config/nginx/resolver.conf should be resolver 127.0.0.11 valid=30s;. If this is not the case, you can:
    • Delete it, and restart the container to have it regenerate
    • Manually set the content (we won't override it)

 


Old message
I'm having an issue I can't find much about.
My custom docker network isn't properly doing auto dns.

So far I've followed and adjusted some things based on How to Setup and Configure a Reverse Proxy on unRAID with LetsEncrypt & NGINX since it's mostly the same.

NGINX is working from what I can tell. I can access www.subdomain.duckdns.org without any issues.
I'm trying to get Emby configured. So I've made an emby.subdomain.conf in the proxy folder based on the sample.


server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name emby.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app LinuxServer-Emby;
        set $upstream_port 8096;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
    }
}

However the above does not work.

[error] 495#495: *1 linuxserver-emby could not be resolved (110: Operation timed out), client: 192.168.1.1, server: emby.*, request: "GET / HTTP/2.0", host: "emby.subdomain.duckdns.org"

If, however, I use the Unraid IP or the container-specific IP instead of my container name, it works without issues.


If I open the console for the SWAG container and do a "ping linuxserver-emby" it returns properly.
An "nslookup linuxserver-emby" comes back with:

Server:         127.0.0.11
Address:        127.0.0.11:53

Non-authoritative answer:
*** Can't find linuxserver-emby: No answer

Non-authoritative answer:
Name:   linuxserver-emby
Address: 172.18.0.2

 

I'll also include my "docker network inspect bridge-dnsres" output, as that is the custom network I made with "docker network create".
 


[
    {
        "Name": "bridge-dnsres",
        "Id": "da0c7b689a7e0db97a1d768673709630dfb84c08514253f84d89d5d8b6885ab3",
        "Created": "2021-10-12T19:34:00.972223414+02:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": {},
            "Config": [
                {
                    "Subnet": "172.18.0.0/16",
                    "Gateway": "172.18.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {
            "a98c8b65116c3a4a14dfe974f0ca7d09d7633f167fffef1652e25af5fad79447": {
                "Name": "LinuxServer-Emby",
                "EndpointID": "7f7343d63d26b399073229cb9a5a01cda9ba7ec11d9d64c6d537e5b1604876d6",
                "MacAddress": "02:42:ac:12:00:02",
                "IPv4Address": "172.18.0.2/16",
                "IPv6Address": ""
            },
            "f4e5a8ba0be35e8de976f796272dd212675316ed8b0fa75e858e01f2f67a5d76": {
                "Name": "LinuxServer-Swag",
                "EndpointID": "fa158bec314864f546c3cd799f85586563388a3f41068842fa49fa2aa8d06f6a",
                "MacAddress": "02:42:ac:12:00:03",
                "IPv4Address": "172.18.0.3/16",
                "IPv6Address": ""
            }
        },
        "Options": {},
        "Labels": {}
    }
]


I'm completely stumped at this point as to why NGINX refuses to see the emby container by name.

Edited by ErikRedbeard
Solution
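A check for the two things this post and its "Solved" note narrow the problem down to (the content of resolver.conf and whether Docker's embedded DNS answers for the upstream container). This is example code added here, not from the thread or the linuxserver.io project; it assumes the SWAG paths shown above (/config/nginx/resolver.conf, the resolver at 127.0.0.11) and a busybox- or GNU-style nslookup inside the container.

```shell
#!/bin/sh
# Added example, not from the thread or the linuxserver.io project: checks the two
# things the thread narrows an nginx "could not be resolved (110: Operation timed out)"
# error down to. Paths are the SWAG container's, so run it from the container console.

EXPECTED='resolver 127.0.0.11 valid=30s;'   # what the SWAG docs say the file should hold

# check_resolver_conf FILE
# 0 = file holds exactly the expected resolver line, 1 = file missing, 2 = other content.
check_resolver_conf() {
    file="$1"
    if [ ! -f "$file" ]; then
        echo "MISSING: $file (restart the container and it is regenerated)"
        return 1
    fi
    # Drop comments and collapse whitespace so only the directive itself is compared.
    actual=$(sed -e 's/#.*//' "$file" | tr -s '[:space:]' ' ' | sed -e 's/^ //' -e 's/ $//')
    if [ "$actual" = "$EXPECTED" ]; then
        echo "OK: $file -> $actual"
        return 0
    fi
    echo "WRONG: $file holds '$actual', expected '$EXPECTED'"
    echo "       delete the file and restart the container, or set the content by hand"
    return 2
}

# check_upstream_dns NAME
# Asks Docker's embedded DNS (127.0.0.11) for NAME, as the thread's "nslookup
# linuxserver-emby" did, and prints the addresses it returns. DNS names are
# case-insensitive, so LinuxServer-Emby and the linuxserver-emby nginx logs match.
check_upstream_dns() {
    name="$1"
    # Keep "Address:" lines but not the one naming the server itself (127.0.0.11:53).
    addrs=$(nslookup "$name" 127.0.0.11 2>/dev/null |
            awk '/^Address:/ && $2 !~ /^127\.0\.0\.11/ { print $2 }')
    if [ -n "$addrs" ]; then
        echo "OK: $name resolves to $(echo "$addrs" | tr '\n' ' ')"
        return 0
    fi
    echo "FAIL: $name gets no answer from 127.0.0.11 (is it on the same user-defined network?)"
    return 1
}

# Usage: sh swag_dns_check.sh run [UPSTREAM_NAME]   (no arguments = define functions only)
if [ "${1:-}" = "run" ]; then
    rc=0
    check_resolver_conf /config/nginx/resolver.conf || rc=1
    check_upstream_dns "${2:-LinuxServer-Emby}" || rc=1
    exit "$rc"
fi
```

A non-zero exit from either check points at the same fix the post arrived at: regenerate resolver.conf, and make sure both containers sit on the same user-defined network.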

I'm having a recent issue with SWAG that I need help to solve.

 

Specs:

  • Unraid version 6.9.2 (rebooted earlier today)
  • SWAG (linuxserver) - up-to-date

 

Problem:  My duckdns subdomains will no longer work and I can't access any of my reverse proxies (on or off network).  This all worked fine a few months ago.  My ports are forwarded for 80 and 443 (I can see both ports as open using https://canyouseeme.org/)

 

SWAG LOG: (redacted some private info)



[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Chicago
URL=duckdns.org
SUBDOMAINS=cdrA,cdrB,cdrC
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
CERTPROVIDER=
DNSPLUGIN=
EMAIL=REMOVED
STAGING=false

grep: /config/nginx/resolver.conf: No such file or directory
Setting resolver to 127.0.0.11
grep: /config/nginx/worker_processes.conf: No such file or directory
Setting worker_processes to 4
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d cdrA.duckdns.org -d cdrB.duckdns.org -d cdrC.duckdns.org
E-mail address entered: REMOVED
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for cdrnasrp.duckdns.org and 2 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: cdrA.duckdns.org
Type: unauthorized
Detail: Invalid response from http://cdrA.duckdns.org/.well-known/acme-challenge/nJv_R9lJk8sxZtsoGX1gkZySREMOVED [98.156.3.999]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

Domain: cdrB.duckdns.org
Type: unauthorized
Detail: Invalid response from http://cdrB.duckdns.org/.well-known/acme-challenge/VMwvJ3ck1dFUxwL12FG1CzRtmrs8REMOVED [98.156.3.999]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

Domain: cdrC.duckdns.org
Type: unauthorized
Detail: Invalid response from http://cdrC.duckdns.org/.well-known/acme-challenge/7jQsQISoHcKOZpF_ajOE-AcDxz_REMOVED [98.156.3.999]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

Edited by perfect
19 hours ago, perfect said:

I'm having a recent issue with SWAG that I need help to solve.

 

Specs:

  • Unraid version 6.9.2 (rebooted earlier today)
  • SWAG (linuxserver) - up-to-date

 

Problem:  My duckdns subdomains will no longer work and I can't access any of my reverse proxies (on or off network).  This all worked fine a few months ago.  My ports are forwarded for 80 and 443 (I can see both ports as open using https://canyouseeme.org/)

 

SWAG LOG: (redacted some private info)



[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01-envfile: executing...
[cont-init.d] 01-envfile: exited 0.
[cont-init.d] 10-adduser: executing...

-------------------------------------
_ ()
| | ___ _ __
| | / __| | | / \
| | \__ \ | | | () |
|_| |___/ |_| \__/


Brought to you by linuxserver.io
-------------------------------------

To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot

To support LSIO projects visit:
https://www.linuxserver.io/donate/
-------------------------------------
GID/UID
-------------------------------------

User uid: 99
User gid: 100
-------------------------------------

[cont-init.d] 10-adduser: exited 0.
[cont-init.d] 20-config: executing...
[cont-init.d] 20-config: exited 0.
[cont-init.d] 30-keygen: executing...
using keys found in /config/keys
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=99
PGID=100
TZ=America/Chicago
URL=duckdns.org
SUBDOMAINS=cdrA,cdrB,cdrC
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=true
VALIDATION=http
CERTPROVIDER=
DNSPLUGIN=
EMAIL=REMOVED
STAGING=false

grep: /config/nginx/resolver.conf: No such file or directory
Setting resolver to 127.0.0.11
grep: /config/nginx/worker_processes.conf: No such file or directory
Setting worker_processes to 4
Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
SUBDOMAINS entered, processing
Only subdomains, no URL in cert
Sub-domains processed are: -d cdrA.duckdns.org -d cdrB.duckdns.org -d cdrC.duckdns.org
E-mail address entered: REMOVED
http validation is selected
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Requesting a certificate for cdrnasrp.duckdns.org and 2 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: cdrA.duckdns.org
Type: unauthorized
Detail: Invalid response from http://cdrA.duckdns.org/.well-known/acme-challenge/nJv_R9lJk8sxZtsoGX1gkZySREMOVED [98.156.3.999]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

Domain: cdrB.duckdns.org
Type: unauthorized
Detail: Invalid response from http://cdrB.duckdns.org/.well-known/acme-challenge/VMwvJ3ck1dFUxwL12FG1CzRtmrs8REMOVED [98.156.3.999]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

Domain: cdrC.duckdns.org
Type: unauthorized
Detail: Invalid response from http://cdrC.duckdns.org/.well-known/acme-challenge/7jQsQISoHcKOZpF_ajOE-AcDxz_REMOVED [98.156.3.999]: "<html>\r\n<head><title>404 Not Found</title></head>\r\n<body bgcolor=\"white\">\r\n<center><h1>404 Not Found</h1></center>\r\n<hr><center>"

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

I might have actually solved my problem...

 

My home router is a Unifi USG PRO-4.  I did some reading and discovered that SWAG (Let's Encrypt) has been experiencing a certificate expiration issue since 9/30/2021 (right around the time that this started). 

 

This page really helped me better understand the issue.

 

I did a firmware update to my USG PRO-4 and restarted my SWAG docker... and everything works now!!!


How do I forward a subdomain to an EXTERNAL site? For example, I have games.mydomain.com, and when a user goes there I want to redirect them to https://dosgames.com

 

I set up a games.subdomain.conf file which contains:

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name games.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        proxy_pass https://www.dosgames.com/;

        proxy_max_temp_file_size 2048m;
    }
}

 

But when I go to the site it looks wrong and says the connection is not secure, like it won't switch over to https for some reason. How do I fix this? I'm running other subdomains going to various dockers like Jellyfin, Radarr, etc., and those all work, but this is the first time I've tried to direct a subdomain to an EXTERNAL site and not some app on my server.


As for many others, the expiration of the root certificate made my TV's SWAG reverse proxy of Plex stop working.

Is there something I can do to fix this without resorting to removing the reverse proxy altogether? On some Emby threads (https://emby.media/community/index.php?/topic/102144-several-lg-tvs-cannot-connect-to-server/page/2/) they suggested switching to ZeroSSL. I recreated my certs last week, but still no luck, and I honestly don't know if ZeroSSL is built into letsencrypt or not; this is way beyond my tech competence.
Can someone help me?

 


Any chance anyone can help me with some SameSite/same-origin issues I'm having with SWAG + Organizr?

 

I was able to use the Chrome flags when they were available to get things working; then they removed the flags, so I resorted to a registry tweak, but that no longer works for me either. I would like to get this fixed once and for all so I can continue to use things.

 

Right now I have everything going through SWAG using a name.domain.com format. If I use local IPs for Organizr and the Organizr tabs use local IPs, I get the attached image when I inspect the tab. If I go through my reverse proxy with organizr.domain.com and all the tabs using service.domain.com, I get the same thing. How do I resolve this once and for all?

1.png

