[Support] Linuxserver.io - SWAG - Secure Web Application Gateway (Nginx/PHP/Certbot/Fail2ban)



On 3/2/2022 at 9:02 PM, Matmat07_2 said:

Edit: I made a new container using swag instead of the old letsencrypt. Only changed the domain and email settings: Same result

 

Edit2: using "nc -l localhost -p 80" and shutting down the Swag container, I made sure I could access port 80 from outside. I'm not sure what else I changed, but now it works. You can always help me, but now I'll be trying to add back my old settings slowly.

 

Hi, I just had to change my domain and now I can't seem to make letsencrypt/swag work again. I changed the domain name in most files/area I could think of, but I guess I'm forgetting something important.

 

Requesting a certificate for mydomain.fun and www.mydomain.fun

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:

Domain: mydomain.fun
Type: connection
Detail: Fetching http://mydomain.fun/.well-known/acme-challenge/AxgorMtHjklmjngO0kvrKsu3Pi-EuATqWmPA9x-tvUc: Timeout during connect (likely firewall problem)

Domain: www.mydomain.fun
Type: connection
Detail: Fetching http://www.mydomain.fun/.well-known/acme-challenge/Lo35xswjM0aVaWMmlHuYYLNu3VgF5GEHvGHSGGPeiao: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.


Some challenges have failed.

Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

"www" is the only subdomain I tried adding so far.

 

Over at Namecheap, I've got:

AAAA Record        @       *IPV6 address*

Cname Record      ombi   mydomain.fun

Cname Record      www   mydomain.fun

 

 

Any idea what I might have forgotten, or where I could find more info? The logs I'm getting aren't super useful (from the little I understand).

 

 

Hi there.
I'm having the same issue as you. Where did you add "nc -l localhost -p 80"?

 

Thanks

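The "nc -l localhost -p 80" test in the quoted post is the right instinct: take SWAG down, put a bare listener on port 80 on the Unraid host, and see whether a connection from the Internet arrives. The script below is an added example for this thread (not part of SWAG, certbot or the posts) that does both halves of that test: `make_listener`/`accept_one` stand in for `nc -l -p 80` on the SWAG host, and `probe`/`check_domain` connect from outside and classify the outcome the way certbot's messages do ("Timeout during connect" is a drop at the ISP, router or firewall; "Connection refused" means the host answered but nothing listens on that port). `resolve` tries every A and AAAA answer, because a zone with only an AAAA record, as in the post above, can only be validated over IPv6. Run the probe from a host outside your own network (phone hotspot, a VPS); from inside the LAN you are testing hairpin NAT, not the path the CA takes. The file name probe80.py and the 5-second timeout are assumptions.

```python
# Added example: port-80 reachability check for ACME HTTP-01, both sides of the test.
import socket
import sys
import threading

CONNECT_TIMEOUT = 5.0  # seconds (assumed; the CA gives up after a similar wait)


def probe(ip, port=80, timeout=CONNECT_TIMEOUT):
    """TCP-connect to ip:port and classify the outcome.

    'open'        handshake completed: something is listening
    'refused'     RST came back: host reachable, nothing listens on the port
                  (wrong -p mapping, service down) -> certbot 'Connection refused'
    'timeout'     no answer: dropped by ISP, router or firewall
                  -> certbot 'Timeout during connect (likely firewall problem)'
    'unreachable' no route, typically no IPv6 connectivity for an AAAA record
    """
    family = socket.AF_INET6 if ":" in ip else socket.AF_INET
    sock = socket.socket(family, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((ip, port))
        return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    except OSError:
        return "unreachable"
    finally:
        sock.close()


def resolve(name):
    """All A and AAAA answers for name as [(record_type, ip)], duplicates removed."""
    found = []
    for family, rtype in ((socket.AF_INET, "A"), (socket.AF_INET6, "AAAA")):
        try:
            infos = socket.getaddrinfo(name, None, family, socket.SOCK_STREAM)
        except socket.gaierror:
            continue  # no record of this type
        for info in infos:
            entry = (rtype, info[4][0])
            if entry not in found:
                found.append(entry)
    return found


def check_domain(name, port=80):
    """Probe port on every address name resolves to: [(type, ip, result)]."""
    return [(rtype, ip, probe(ip, port)) for rtype, ip in resolve(name)]


def make_listener(host="0.0.0.0", port=80):
    """Bare TCP listener, a stand-in for `nc -l -p 80` while SWAG is stopped."""
    family = socket.AF_INET6 if ":" in host else socket.AF_INET
    srv = socket.socket(family, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def accept_one(srv, timeout=120.0):
    """Wait for one inbound connection; return the peer IP, or None on timeout."""
    srv.settimeout(timeout)
    try:
        conn, peer = srv.accept()
    except socket.timeout:
        return None
    conn.close()
    return peer[0]


def local_roundtrip():
    """Loopback self-check: (result with listener up, peer it saw, result after close)."""
    srv = make_listener("127.0.0.1", 0)          # port 0: let the OS pick a free port
    port = srv.getsockname()[1]
    seen = []
    worker = threading.Thread(target=lambda: seen.append(accept_one(srv, 10.0)))
    worker.start()
    while_up = probe("127.0.0.1", port)
    worker.join(10.0)
    srv.close()
    after_close = probe("127.0.0.1", port)       # nothing listens any more -> 'refused'
    return while_up, (seen[0] if seen else None), after_close


if __name__ == "__main__":
    if len(sys.argv) == 3 and sys.argv[1] == "listen":   # on the SWAG host, SWAG stopped
        srv = make_listener(port=int(sys.argv[2]))
        print("listening on", srv.getsockname(), "- connect from outside now")
        print("connection from", accept_one(srv))
    elif len(sys.argv) == 2:                              # from a host outside the LAN
        for rtype, ip, result in check_domain(sys.argv[1]):
            print(f"{rtype:5} {ip:40} {result}")
    else:
        print("usage: probe80.py <domain> | probe80.py listen <port>")
```

Usage: `python3 probe80.py listen 80` on the Unraid host (port 80 needs root or the capability to bind it), then `python3 probe80.py mydomain.fun` from the outside. A `timeout` on every address with the listener up points at the port forward, firewall or ISP; `refused` points at the host or container port mapping; `open` while SWAG is stopped means the path is fine and the problem is inside the container.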

hello, I had a power failure that wiped my pfsense vm, and now my proxy containers don't work.

Everything is up and running, no errors; I've checked that ports 80 and 443 are open on the rebuilt pfsense vm, and SWAG, Vaultwarden, and Guac are all running/accessible locally.

 

I'm stumped on what to troubleshoot next - I've looked at the proxy config files, everything looks correct.
What could I be missing?

On 1/30/2022 at 12:48 PM, Rex099 said:

Wondering if someone might be willing to help point me in the right direction to what is going on with my Issue. 

As of 3am this morning everything was working fine with my swag setup, then I went to bed... when I awoke today my website (dlongo.net) is no longer accessible from inside my local network. (The site just times out: ERR_CONNECTION_TIMED_OUT.) But it seems to work fine if I turn on my VPN or access it from my mobile connection. Also, if I ping dlongo.net it seems to resolve the correct IP. Anyone have any ideas on what I can check? I'm just kinda lost at this point.

Hi, I have got the same problem.

did you solve that?

On 3/2/2022 at 6:02 PM, Matmat07_2 said:

Hi, I just had to change my domain and now I can't seem to make letsencrypt/swag work again. I changed the domain name in most files/area I could think of, but I guess I'm forgetting something important.

I also have this issue.  It seems it started when I modified the subdomain list.  I'm seeing similar reports on the LetsEncrypt community page.

 

I had to change over to dns-plugin (Cloudflare) to get the validation working.


Hey all, I set up a reverse proxy originally with Let's Encrypt following the Spaceinvaderone tutorial.

 

At some point while I was able to continue to access all my subdomain stuff, I couldn't connect to my actual website. I was getting Cloudflare 525 SSL handshake errors 

 

I upgraded Let's Encrypt to Swag, and I tried some simple fixes on Cloudflare (changing SSL from full to flexible, adding some page rules) but nothing gives.

 

Anyone have any ideas how I can sort out this SSL issue and get my site up and running? (It's my work portfolio and I'm on the job hunt so I'm kind of handcuffed until I can send it out again).


I've been using Let's Encrypt/swag for years now, so I know the bare steps to successfully set up a reverse proxy to access the webgui of my docker images from remote (I have emby and nextcloud behind reverse proxy, they work like a charm).
Recently I installed Komga, which is similar to plex but for books and comics. Set up the reverse proxy, worked perfectly.
Ten days later, I get 502. Tried to update unraid OS, downgrade the container, uninstall it, clean the appdata folder and reinstall it, tried another url on duckdns - nothing works. But it worked a week ago, and I literally didn't touch the NAS in the meanwhile.
Can anyone help me find out what's the issue?

Docker command:


root@localhost:# /usr/local/emhttp/plugins/dynamix.docker.manager/scripts/docker run -d --name='Komga' --net='proxynet' -e TZ="Europe/Berlin" -e HOST_OS="Unraid" -e HOST_HOSTNAME="Tower" -e HOST_CONTAINERNAME="Komga" -e 'KOMGA_LIBRARIES_SCAN_DIRECTORY_EXCLUSIONS'='#recycle,@eaDir' -l net.unraid.docker.managed=dockerman -l net.unraid.docker.webui='http://[IP]:[PORT:8080]' -l net.unraid.docker.icon='https://raw.githubusercontent.com/selfhosters/unRAID-CA-templates/master/templates/img/komga.png' -p '8095:8080/tcp' -v '/mnt/user/Media/books':'/books':'rw' -v '/mnt/user/fullshare/Manga/':'/manga':'rw' -v '/mnt/user/fullshare/Libri/':'/libri':'rw' -v '/mnt/user/appdata/Komga':'/config':'rw' 'gotson/komga'


komga.subdomain.conf file content, with redacted subdomain


## Version 2021/05/18
# make sure that your dns has a cname set for komga and that your komga container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name [REDACTED].*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app komga;
        set $upstream_port 8095;  # host-published port from -p 8095:8080; on the shared docker network the upstream must be the port the container itself listens on (8080 here)
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }

    location ~ (/komga)?/api {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app komga;
        set $upstream_port 8095;  # same as above: container-internal port (8080), not the host-published one
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

    }
}

 

The error.log file of swag says this every time I try to access the webgui of the Komga container remotely:
 


2022/07/10 22:27:13 [error] 742#742: *7689 connect() failed (111: Connection refused) while connecting to upstream, client: 67.211.212.202, server: [REDACTED].*, request: "GET /wp-login.php HTTP/1.1", upstream: "http://172.18.0.4:8095/wp-login.php", host: "[REDACTED].duckdns.org", referrer: "http://[REDACTED].duckdns.org/wp-login.php"
2022/07/10 22:27:13 [error] 742#742: *7689 connect() failed (111: Connection refused) while connecting to upstream, client: 67.211.212.202, server: [REDACTED].*, request: "GET /wp-login.php HTTP/1.1", upstream: "http://172.18.0.4:8095/502.html", host: "[REDACTED].duckdns.org", referrer: "http://[REDACTED].duckdns.org/wp-login.php"


These same exact steps made this container work not even 2 weeks ago, and now it doesn't.

EDIT:
It now works, I changed the port back to 8080. It's quite annoying that the container doesn't work unless it's on this port, but it's a problem from Komga side.


I'm hoping you all have an answer to this. I had to delete my Docker.img and re-install all my docker containers. Everything is great but SWAG. Every time it tries to get a cert it says Connection refused on all connections. I have had SWAG and its predecessor running for years with no problems. I have troubleshot it for 2 days and found that whatever ports I assign to the SWAG container refuse connection. I can try it on my LAN, taking the firewall out of the equation, and get the same results. I have assigned multiple ports to the container and it refuses them. I can put the same ports on other containers and they work fine. I have tried it on proxynet, Host, and Br0 networks with the same results. Just for some reason SWAG refuses any connection. I'm desperate for help.

12 minutes ago, SplitHoirzon said:

I'm hoping you all have an answer to this. I had to delete my Docker.img and re-install all my docker containers. Everything is great but SWAG. Every time it tries to get a cert it says Connection refused on all connections.

OK, I had an inspiration as soon as I posted this. I was correct that the container was refusing the connection itself; I didn't go far enough. When I reinstalled SWAG I used the "previous apps" section and reinstalled it with all my old settings. For some reason the premade port inside the container that is greyed out and cannot be changed was assigned http 185:180 and https 1445:1443. So basically I had to delete those settings and create them from scratch using the correct internal of 80:180 and 443:1443. I have no idea why the template did this, but it's fixed and working.


Hi All,

 

I am trying to get Organizr server auth setup for all of my reverse proxied docker containers so that I can use Organizr as the single entry point into my server and I have been struggling to get it working.

 

I already have all of my containers setup correctly with Swag and can reverse proxy into all of them just fine, but now when I am trying to get the Organizr server auth working I think I am doing something wrong in my nginx proxy conf files.

 

According to the Swag proxy-conf templates it should be as simple as renaming the organizr-auth.subfolder.conf.sample file as a conf file and including the following below into each conf file that I want to setup through Organizr server auth.

 

auth_request /auth-0;
location ~ /auth-(.*) {
    internal;
    proxy_pass http://server ip address that organizr is running on:organizr port/api/?v1/aut>
    proxy_set_header Content-Length "";
}

 

However, when I do that, I get the following error below in Swag logs and when trying to access the container through Organizr server auth, I get a refused to connect error.

 

nginx: [emerg] "location" directive is not allowed here in /config/nginx/proxy-confs/radarr.subdomain.conf:6

 

I get the same error above for the organizr-auth.subfolder.conf.sample file as well, pointed to the "location" line in the file.

 

Any ideas what I am doing wrong?

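The `"location" directive is not allowed here` error means nginx met the `location ~ /auth-(.*)` block outside a `server { }` context; nginx only accepts `location` inside `server` or nested inside another `location`, which is what happens when the snippet is pasted at the top of a proxy-conf above `server {`, and the same applies to the renamed sample if it is read on its own rather than from inside a server block. The `auth_request` line, by contrast, belongs inside the location it protects. The radarr.subdomain.conf below is an added example for this thread, not SWAG's shipped sample: it assumes organizr-auth.subfolder.conf.sample has been renamed to organizr-auth.subfolder.conf and still contains the `/auth-(.*)` location from the post, that Radarr listens on its default port 7878, and it takes the group level `0` from the post's `auth_request /auth-0;`.

```nginx
## radarr.subdomain.conf with Organizr server auth (added example)
server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name radarr.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # The Organizr auth location has to live INSIDE this server block.
    # Placing it above `server {` produces:
    #   nginx: [emerg] "location" directive is not allowed here
    # Assumption: this file is the renamed sample and defines `location ~ /auth-(.*) { internal; ... }`.
    include /config/nginx/proxy-confs/organizr-auth.subfolder.conf;

    location / {
        # Every request here is first sent to /auth-0 (Organizr group level 0,
        # as in the post); a 2xx from Organizr lets the request through.
        auth_request /auth-0;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app radarr;
        set $upstream_port 7878;   # assumed: Radarr's default port
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
```

Run `docker exec swag nginx -t` after editing; it reports the same emerg (with file and line) before a restart would. Note that without an `error_page 401` handler, a request Organizr rejects gets a bare 401 from nginx rather than a redirect to the Organizr login; that handler is not part of this example.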

Hi all.

 

I'm having a problem getting my swag set up and can't figure out why I'm getting this error. I've already got the port forwarding set up and have tried several different ports (updated in the config files as well as the router). I'm using a domain name that I purchased on Google Domains and have confirmed that both ports 80 and 443 are in fact open and correctly routed. They are not being blocked by either my router or my ISP. I've set up dynamic DNS on Google Domains with the correct subdomains entered and have even tried the generic duckdns setup using a subdomain, and encounter the same problem. I have tried this from a fresh install and unmodified config files as well as some edits after failed attempts.

 

Any help provided would be greatly appreciated.

 


Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: (domain name)
  Type:   unauthorized
  Detail: xxx.xxx.xx.xx: Invalid response from (server name): 404

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container

 

On 5/19/2022 at 11:10 AM, xenoblade said:

Hi, I have got the same problem.

did you solve that?

Sorry I never actually figured out what the issue was. But after ~ 3 weeks everything just started working again on its own. I'm still thinking that it was something the ISP was doing but don't have any proof. 


When trying to run a test on the Emby log file, I get back a Python error. Does anyone have an idea what could be wrong here?

root@f12caf6bf9ed:/# fail2ban-regex /log/EmbyServer/embyserver.txt /config/fail2ban/filter.d/EmbyServer

Running tests
=============

Use   failregex filter file : EmbyServer, basedir: /config/fail2ban
Use         log file : /log/EmbyServer/embyserver.txt
Use         encoding : UTF-8

Traceback (most recent call last):
  File "/usr/bin/fail2ban-regex", line 34, in <module>
    exec_command_line()
  File "/usr/lib/python3.9/site-packages/fail2ban/client/fail2banregex.py", line 836, in exec_command_line
    if not fail2banRegex.start(args):
  File "/usr/lib/python3.9/site-packages/fail2ban/client/fail2banregex.py", line 776, in start
    self.process(test_lines)
  File "/usr/lib/python3.9/site-packages/fail2ban/client/fail2banregex.py", line 584, in process
    line_datetimestripped, ret, is_ignored = self.testRegex(line)
  File "/usr/lib/python3.9/site-packages/fail2ban/client/fail2banregex.py", line 456, in testRegex
    found = self._filter.processLine(line, date)
  File "/usr/lib/python3.9/site-packages/fail2ban/server/filter.py", line 613, in processLine
    timeMatch = self.dateDetector.matchTime(line)
  File "/usr/lib/python3.9/site-packages/fail2ban/server/datedetector.py", line 368, in matchTime
    (line[distance] == self.__lastPos[2] and not self.__lastPos[2].isalnum())
IndexError: string index out of range
root@f12caf6bf9ed:/# 

 


I want to add the geoip2 database stuff.  It says to do this :

In the container's docker arguments, set an environment variable DOCKER_MODS=linuxserver/mods:swag-maxmind

However, where does that go in the unraid container setup?

Thanks.


Hello, I followed ibracorp's tutorial on setting up swag/nginx. I'm reasonably sure I have everything correct; however, the first service I tried, plex, doesn't seem to work. I have installed all mods except for authelia. My DNS is through cloudflare. I had A records for all my services before, but it seems that this wants an A record for the domain only and CNAME records for subdomains. I removed the A record I had for plex and replaced it with CNAME/domain. I would prefer to run this proxied if possible. Setting the CNAME record to DNS only also does not work. I have forwarded ports 80 and 443 to unraid. I also tried the 44301 and 8001 ports as suggested in the tutorial. I'm not sure what I'm missing. Per the swag log, the auto-proxy does appear to recognize plex. In an attempt to see how it was configuring it, I tried to look at

/mnt/user/appdata/swag/nginx/proxy-confs/plex.subdomain.conf.sample

but it is blank.  I looked at a few of the other sample configs and they are blank as well.

 

I'm not sure what's missing.  Any help is appreciated.  My swag container log is below:

cont-init: info: /etc/cont-init.d/10-adduser exited 0
cont-init: info: running /etc/cont-init.d/20-config
cont-init: info: /etc/cont-init.d/20-config exited 0
cont-init: info: running /etc/cont-init.d/30-keygen
cont-init: info: /etc/cont-init.d/30-keygen exited 0
cont-init: info: running /etc/cont-init.d/50-config
cont-init: info: /etc/cont-init.d/50-config exited 0
cont-init: info: running /etc/cont-init.d/60-renew
cont-init: info: /etc/cont-init.d/60-renew exited 0
cont-init: info: running /etc/cont-init.d/70-templates
cont-init: info: /etc/cont-init.d/70-templates exited 0
cont-init: info: running /etc/cont-init.d/90-custom-folders
cont-init: info: /etc/cont-init.d/90-custom-folders exited 0
cont-init: info: running /etc/cont-init.d/95-docker
cont-init: info: /etc/cont-init.d/95-docker exited 0
cont-init: info: running /etc/cont-init.d/98-auto-proxy
cont-init: info: /etc/cont-init.d/98-auto-proxy exited 0
cont-init: info: running /etc/cont-init.d/98-cloudflare-real-ip
cont-init: info: /etc/cont-init.d/98-cloudflare-real-ip exited 0
cont-init: info: running /etc/cont-init.d/98-inotify
cont-init: info: /etc/cont-init.d/98-inotify exited 0
cont-init: info: running /etc/cont-init.d/99-custom-files
cont-init: info: /etc/cont-init.d/99-custom-files exited 0
s6-rc: info: service legacy-cont-init successfully started
s6-rc: info: service init-mods: starting
s6-rc: info: service init-mods successfully started
s6-rc: info: service init-mods-package-install: starting
s6-rc: info: service init-mods-package-install successfully started
s6-rc: info: service init-mods-end: starting
s6-rc: info: service init-mods-end successfully started
s6-rc: info: service init-services: starting
s6-rc: info: service init-services successfully started
s6-rc: info: service legacy-services: starting
services-up: info: copying legacy longrun cron (no readiness notification)
services-up: info: copying legacy longrun fail2ban (no readiness notification)
services-up: info: copying legacy longrun inotify (no readiness notification)
services-up: info: copying legacy longrun nginx (no readiness notification)
services-up: info: copying legacy longrun php-fpm (no readiness notification)
s6-rc: info: service legacy-services successfully started
s6-rc: info: service 99-ci-service-check: starting
s6-rc: info: service 99-ci-service-check successfully started
User gid:    100
-------------------------------------

using keys found in /config/keys
Variables set:
PUID=99
PGID=100
TZ=America/Chicago
URL=********.***
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=dns
CERTPROVIDER=
DNSPLUGIN=cloudflare
EMAIL=********@******.***
STAGING=false

Using Let's Encrypt as the cert provider
SUBDOMAINS entered, processing
Wildcard cert for ********.*** will be requested
E-mail address entered: ********@******.***
dns validation via cloudflare plugin is selected
Certificate exists; parameters unchanged; starting nginx
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
**** installing docker and docker compose ****
**** docker and docker-compose already installed, skipping ****
**** Remote docker service dockersocket will be used ****
**** Using preset proxy conf for plex ****
**** No preset proxy conf found for swag, generating from scratch ****
**** Setting upstream address swag for swag ****
**** Setting port 443 for swag ****
**** Setting proto http for swag ****
**** Setting url swag.* for swag ****
fetch http://dl-cdn.alpinelinux.org/alpine/v3.14/main/x86_64/APKINDEX.tar.gz
fetch http://dl-cdn.alpinelinux.org/alpine/v3.14/community/x86_64/APKINDEX.tar.gz
OK: 257 MiB in 229 packages
[custom-init] no custom files found exiting...
[ls.io-init] done.
MOD Auto-reload: Watching the following files/folders for changes
/config/nginx/authelia-location.conf
/config/nginx/authelia-server.conf
/config/nginx/ldap.conf
/config/nginx/nginx.conf
/config/nginx/proxy-confs
/config/nginx/proxy.conf
/config/nginx/site-confs
/config/nginx/ssl.conf
Server ready

 


All working fine for remote use, i.e. when I turn wifi off on my phone. But while on wifi, on any of my wifi devices (so on the same network), it does not work. Makes testing and checking a bit hard. Anything I should set up to make it work?


I'm usually pretty good at following guides to set up things I'd like to have/use. But, when something goes wrong, especially for networking, I'm apparently not yet good enough to troubleshoot it properly (but hey, I can plug and unplug an ethernet cable?), so here we are...  I am doing my best to document every step I have taken thus far, so apologies if it's incomplete.

 

Currently I am stuck with what appears to be a port forwarding situation on my OPNsense router with regard to SWAG. I get a 502 when trying to access the subdomain from either LAN or another WAN (Verizon Wireless from phone). I can hit the SWAG Welcome Page when trying to access the root domain from another WAN (also Verizon Wireless from phone) but not from LAN.  I am trying to figure out the correct sequence for OPNsense.  

 

What I've tried so far with OPNsense:

  • Sequence: WAN interface ANY > WAN ADDRESS > TCP 80/443 > 18001/18443 > (Unraid IP)/32 (1 entry each).
  • In other words, I have port forwarding rules for 80 and 443 from ANY, to WAN address, then forward as ports 18443 and 18001 respectively to the Unraid server with a /32 CIDR. 
  • Enabling or disabling NAT Reflection (hairpin NAT?). 
  • Filter rule association set to pass.
  • For NAT Outbound, I have it set to hybrid due to having rules for my gaming consoles/upnp.

What I've tried so far for Cloudflare:

  • Turning proxy on/off for the domain/subdomains.  
  • Purging the site cache.
  • Changing SSL/TLS encryption modes (Full and Full Strict).

 

What I have done with SWAG:

  • Consulted with linuxserver.io SWAG page under troubleshooting 502 errors: port unchanged except for upstream_port and upstream_app match the guacamole container (see conf below).
  • Recreated relevant conf parameters for auto proxy in the ApacheGuacamole Docker template (added labels for swag=enable, swag_port and swag_url).

 

My guacamole.subdomain.conf:

## Version 2021/05/18
# make sure that your dns has a cname set for guacamole and that your guacamole container is not using a base url

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name guaca.*;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app ApacheGuacamole;
        set $upstream_port 7575;  # must be the port the ApacheGuacamole container listens on inside the docker network, not a host-published port
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;

        proxy_buffering off;
    }
}

 

The nginx error log says this:

[error] 8002#8002: *6 connect() failed (111: Connection refused) while connecting to upstream, client: xxx.xx.xx.xxx, server: guaca.*, request: "GET / HTTP/2.0", upstream: "http://172.18.0.2:7575/", host: "guaca.xxxxxx.io"

 

Where client is my WAN IP, guaca.* is my subdomain (with CNAME pointed to @), 172. address is the custom docker network.  If the problem lies within SWAG, I'm not sure what is not correct as there are no errors in the logs.  If it is within OPNsense, I'm also not sure about that as it looks correct to me.

 

Any other combination of port forwards (i.e. reversing the ports, doing 443/80 for everything, etc) gets a 522. I know something is not right, but I am not experienced enough to determine what.  I wish I knew what to do next... hopefully someday I will lol...

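The 502 with `connect() failed (111: Connection refused) while connecting to upstream ... upstream: "http://172.18.0.x:PORT"` in both the Komga post and the Guacamole post above is the signature of a proxy-conf pointing at a port nothing listens on inside the docker network: with `-p 8095:8080`, other containers on `proxynet` reach Komga on 8080, and 8095 exists only on the host. The script below is an added example for this thread, not something shipped with SWAG: it cross-checks every `$upstream_app`/`$upstream_port` pair in a proxy-conf against `docker inspect` output and says whether the port is the container's own listening port, a host-published port, or unknown, and whether the container is on the network SWAG uses. The conf excerpt and the inspect document are constructed to mirror the Komga post (real `docker inspect` output has many more keys); for a live check, feed it the conf and `docker inspect <container> > name.json`. Whether 7575 is the right internal port for the Guacamole container is not something the thread shows; the same check answers it.

```python
# Added example: cross-check SWAG proxy-conf upstreams against `docker inspect` output.
import json
import re

# Constructed excerpt modelled on the komga.subdomain.conf posted above.
SAMPLE_CONF = """
server {
    server_name komga.*;
    location / {
        set $upstream_app komga;
        set $upstream_port 8095;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
"""

# Constructed, trimmed `docker inspect Komga` for the docker run command posted
# above (--net proxynet, -p 8095:8080). Real output has many more keys.
SAMPLE_INSPECT = json.loads("""
[{
  "Name": "/Komga",
  "Config": {"ExposedPorts": {"8080/tcp": {}}},
  "HostConfig": {"PortBindings": {"8080/tcp": [{"HostIp": "", "HostPort": "8095"}]}},
  "NetworkSettings": {"Networks": {"proxynet": {"IPAddress": "172.18.0.4"}}}
}]
""")


def parse_upstreams(conf_text):
    """Distinct ($upstream_app, $upstream_port) pairs set in a proxy-conf."""
    apps = re.findall(r"set\s+\$upstream_app\s+([^;\s]+)\s*;", conf_text)
    ports = re.findall(r"set\s+\$upstream_port\s+(\d+)\s*;", conf_text)
    return sorted(set(zip(apps, ports)))


def container_ports(doc):
    """Return (ports the container listens on, {host port: container port}, networks).

    ExposedPorts comes from the image's EXPOSE lines and -p flags; a service
    listening on a port that was never EXPOSEd does not appear here, so treat
    'unknown-port' as 'check the image docs', not as proof of a mismatch.
    """
    exposed = {p.split("/")[0] for p in (doc.get("Config", {}).get("ExposedPorts") or {})}
    published = {}
    for cport, binds in (doc.get("HostConfig", {}).get("PortBindings") or {}).items():
        for bind in binds or []:
            published[bind["HostPort"]] = cport.split("/")[0]
    networks = set(doc.get("NetworkSettings", {}).get("Networks") or {})
    return exposed, published, networks


def check_conf(conf_text, inspect_docs, swag_network="proxynet"):
    """One (app, port, verdict) per upstream in the conf.

    verdicts: 'ok', 'no-such-container', 'not-on-<network>',
              'host-port-use-<container port>', 'unknown-port'
    """
    # The Komga post shows `komga` in the conf reaching the container named
    # `Komga`, so container names are matched case-insensitively here.
    by_name = {d["Name"].lstrip("/").lower(): d for d in inspect_docs}
    findings = []
    for app, port in parse_upstreams(conf_text):
        doc = by_name.get(app.lower())
        if doc is None:
            findings.append((app, port, "no-such-container"))
            continue
        exposed, published, networks = container_ports(doc)
        if swag_network not in networks:
            verdict = f"not-on-{swag_network}"          # SWAG cannot resolve it by name
        elif port in exposed:
            verdict = "ok"
        elif port in published:
            verdict = f"host-port-use-{published[port]}"  # the 502 pattern in the posts above
        else:
            verdict = "unknown-port"
        findings.append((app, port, verdict))
    return findings


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:      # proxy_check.py komga.subdomain.conf komga.json
        conf = open(sys.argv[1]).read()
        docs = json.load(open(sys.argv[2]))
    else:                       # no arguments: run against the constructed sample
        conf, docs = SAMPLE_CONF, SAMPLE_INSPECT
    for app, port, verdict in check_conf(conf, docs):
        print(f"{app}:{port} -> {verdict}")
```

Against the constructed sample the verdict is `komga:8095 -> host-port-use-8080`, which is exactly the change the Komga poster ended up making. A `not-on-proxynet` verdict is the other common cause of the same nginx error: the upstream container was recreated on the default bridge and SWAG can no longer reach it by name.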

I am having issues with my SWAG install and it not updating certificates. It seems as though the last time it updated was back in April some time and it has failed ever since. It was working fine before then and I cannot find anything that has changed. The errors that it keeps throwing are about timeouts and port 80 not being available, but I have verified that I am forwarding port 80 to the container like always. I have a Unifi Security Gateway Pro and have forwarded port 80 on the outside to the appropriate IP address and port 80 on the inside (the IP and port of the SWAG container). This automatically sets up a firewall rule allowing that traffic, but for some reason either this is not working, or the container is not responding to those HTTP requests.

 

Any Ideas?

 

Certbot output (anonymized domain and IP address)

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/plex.domain.tld.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for plex.domain.tld and 4 more domains

Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
  Domain: homeassistant.domain.tld
  Type:   connection
  Detail: aa.bb.cc.dd: Fetching http://homeassistant.domain.tld/.well-known/acme-challenge/yh5SakI-iluZRukPZrhi7DAzwPVnN09r6q-S4OwIO7c: Timeout during connect (likely firewall problem)

  Domain: nextcloud.domain.tld
  Type:   connection
  Detail: aa.bb.cc.dd: Fetching http://nextcloud.domain.tld/.well-known/acme-challenge/kq8c_9WqjEfhmmixjCJnMLShXxp1I21T42Nv3Sou1gM: Timeout during connect (likely firewall problem)

  Domain: ombi.domain.tld
  Type:   connection
  Detail: aa.bb.cc.dd: Fetching http://ombi.domain.tld/.well-known/acme-challenge/cOCO5wmZM8N-WcLYwUjUjvDJh2cGbMh66s2VePAJ0fs: Timeout during connect (likely firewall problem)

  Domain: plex.domain.tld
  Type:   connection
  Detail: aa.bb.cc.dd: Fetching http://plex.domain.tld/.well-known/acme-challenge/a8xsYJhw1CRGMyUwPhDQ4opxJRXr4AfGvbm2vqmHhC8: Timeout during connect (likely firewall problem)

  Domain: unifi.domain.tld
  Type:   connection
  Detail: aa.bb.cc.dd: Fetching http://unifi.domain.tld/.well-known/acme-challenge/jU2jB7sLax3NxOcVBHdygQ1f-PJLWH1UJjXvKSq7KbM: Timeout during connect (likely firewall problem)

Hint: The Certificate Authority failed to download the challenge files from the temporary standalone webserver started by Certbot on port 80. Ensure that the listed domains point to this machine and that it can accept inbound connections from the internet.

Failed to renew certificate plex.domain.tld with error: Some challenges have failed.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/plex.domain.tld/fullchain.pem (failure)
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
1 renew failure(s), 0 parse failure(s)
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

 

14 hours ago, JonathanM said:

Try temporarily shutting down SWAG and standing up a plain nginx container listening on the same IP and port, and see if it's reachable from the WAN side.

So it appears that my ISP is to blame. There were some changes around that April timeline and it appears they are now blocking port 80 inbound on residential connections (oddly, everything else they seem to be fine with). But that means that I cannot use HTTP as the method of certificate authentication.

 

I use Dreamhost as my registrar and hosting platform. Is there a way to use DNS as the authentication? I know that they have an API, but am not sure how to make it work with the SWAG container. 


Boy....With so much unRAID experience,  I hate to ask this question.

 

For ages, I used to have a folder inside my /appdata/swag/ folder called custom-cont-init.d. In here I had a bash script that installed a few things to my container.

 

I see now that this is a legacy way; and that the new way is place/locate this folder outside the docker's /config folder.

 

Thinking that a more updated docker template would have this volume mapping;  I compared my template to the latest Swag template and they are different! Like SCARY different. Plus it did not have anything pre-set for the custom script.

 

What should I do?

 

In reading Customizing LSIO Dockers, do I need to go to my original template and ... +Add Another Path...?

[screenshot]

 

Will this work? I am afraid of ruining my Swag setup.

 

I am also scared of updating my template to the latest. Things were nicely working w/ LetsEncrypt... I'm not a master at DNS and certificates.

 

Thank you,

 

H.

 

3 minutes ago, hernandito said:

Boy....With so much unRAID experience, I hate to ask this question.

For ages, I used to have a folder inside my /appdata/swag/ folder called custom-cont-init.d. In here I had a bash script that installed a few things to my container.

 

You've already seen this; does this help? It talks about some of the things you are...?

 

https://info.linuxserver.io/issues/2022-08-29-custom-files/

