Ninoslav Posted February 11

Any idea why each swag update breaks my remote jellyfin? Out of the 5 files mentioned in the screenshot, only one I edited was jellyfin.subdomain.conf. I have 2 servers and both died so I tried this. On the first one I replaced all files with new ones starting from the bottom and it was dead until all 5 were replaced with samples and old ones renamed to old. On the second one I started from the top and as soon as I replaced first two authelia server was back online. On that 2nd server I still have warning about /config/nginx/proxy.conf, /config/nginx/proxy-confs/jellyfin.subdomain.conf and /config/nginx/site-confs/default.conf but jellyfin works just fine. Is there something I need to do so swag update doesn't mess it up each time?

vurt Posted February 12 (edited)

If I have .htpasswd for password protection, is there a way to whitelist a specific url so it can be accessed without password? I want KOReader to browse my ebooks at https://calibre-web.mydomain.net/opds .

alturismo Posted February 12

> 10 minutes ago, vurt said:
> If I have .htpasswd for password protection, is there a way to whitelist a specific url so it can be accessed without password? I want KOReader to browse my ebooks at https://calibre-web.mydomain.net/opds .

may start reading here

https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/

vurt Posted February 12

Thanks for the link. I just realized the conf for calibre-web seems to have made an accommodation for OPDS:

    # OPDS feed for eBook reader apps
    # Even if you use Authelia, the OPDS feed requires a password to be set for
    # the user directly in Calibre-Web, as eBook reader apps don't support
    # form-based logins, only HTTP Basic auth.
    location /opds/ {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app calibre-web;
        set $upstream_port 8083;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        proxy_set_header X-Scheme $scheme;
    }

Does that suggest /opds doesn't need password? The / above has:

    location / {
        # enable the next two lines for http auth
        auth_basic "Restricted";
        auth_basic_user_file /config/nginx/.htpasswd;

alturismo Posted February 12

> 9 minutes ago, vurt said:
> Does that suggest /opds doesn't need password? The / above has:

sadly looks like you didn't read the link i posted ... so i do the copy / paste now instead ...

vurt Posted February 12 (edited)

I did, and modified the conf like this but it didn't work, still asked for password:

    # OPDS feed for eBook reader apps
    # Even if you use Authelia, the OPDS feed requires a password to be set for
    # the user directly in Calibre-Web, as eBook reader apps don't support
    # form-based logins, only HTTP Basic auth.
    location /opds/ {
        auth_basic off;
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app calibre-web;
        set $upstream_port 8083;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        proxy_set_header X-Scheme $scheme;
    }

EDIT: Turned out it wasn't a reverse proxy issue for a change. Was on KOReader's end.

srepper Posted February 18

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name mynextcloud.de;
        include /config/nginx/ssl.conf;
        client_max_body_size 0;

        location / {
            include /config/nginx/proxy.conf;
            include /config/nginx/resolver.conf;
            #set $upstream_app Nextcloud;
            #set $upstream_port 443;
            #set $upstream_proto https;
            proxy_hide_header X-Frame-Options;
            proxy_max_temp_file_size 4096m;
            proxy_pass https://192.168.1.2:8666;
        }
    }

this is my nextcloud.conf ( proxy-confs/nextcloud.conf ) and under ( site-confs/default ) but still coming to the swag default page

what I did wrong?

alturismo Posted February 18

> 4 hours ago, srepper said:
> this is my nextcloud.conf ( proxy-confs/nextcloud.conf ) and under ( site-confs/default )

well, there is a reason why there xxxx.subdomain.conf and xxxx.subfolder.conf

so in case you didn't changed the default behaviour of swag, your config will never be loaded ... what does your swag logs say ?

and "default.conf", also you didn't hopefully added another nextcloud entry in there, would work, yes, if you don't collide ...

so from what i see i would suggest read the manuals howto, also useful for further proxy's you may want to add to understand how swag is working.

there are also samples in the proxy-conf folder ... and consider where goes what, you added ip, port (8666 ?) instead using the variables and so on and so on ...

tazire Posted February 18 (edited)

I'm looking to try and follow the zero trust hosting and reverse proxy guide

https://www.linuxserver.io/blog/zero-trust-hosting-and-reverse-proxy-via-cloudflare-swag-and-authelia

just wondering if anyone has tried this or got it working? I'm having difficulty with the cloudflare connection atm. Also not sure how to add the "extra_hosts: - lsio-test.com:127.0.0.1"?? just an extra parameter?

EDIT: Disregard... figured out that my cloudflare.ini hadn't updated with the api token. fixed this and I'm up and running. also found the --add-host command that solved the extra hosts portion.

Gragorg Posted February 18

> On 2/9/2023 at 3:18 PM, JonathanM said:
> nge proxy_pass https://192.168.XXX.XXX:XXXX; to the address that works to access the container from a desktop on the LAN.

Thanks finally got around to doing this. Worked like a charm thanks again!

srepper Posted February 19

> 20 hours ago, alturismo said:
> well, there is a reason why there xxxx.subdomain.conf and xxxx.subfolder.conf
> so in case you didn't changed the default behaviour of swag, your config will never be loaded ... what does your swag logs say ?
> and "default.conf", also you didn't hopefully added another nextcloud entry in there, would work, yes, if you don't collide ...
> so from what i see i would suggest read the manuals howto, also useful for further proxy's you may want to add to understand how swag is working.
> there are also samples in the proxy-conf folder ... and consider where goes what, you added ip, port (8666 ?) instead using the variables and so on and so on ...

nextcloud/config/config.php

    <?php
    $CONFIG = array (
      'htaccess.RewriteBase' => '/',
      'memcache.local' => '\\OC\\Memcache\\APCu',
      'apps_paths' =>
      array (
        0 =>
        array (
          'path' => '/var/www/html/apps',
          'url' => '/apps',
          'writable' => false,
        ),
        1 =>
        array (
          'path' => '/var/www/html/custom_apps',
          'url' => '/custom_apps',
          'writable' => true,
        ),
      ),
      'instanceid' => 'oxpbb9w',
      'passwordsalt' => 'pw',
      'secret' => 'password',
      'trusted_domains' =>
      array (
        0 => '192.168.1.2:8666', ## Nextcloud
        1 => 'https://nextcloud.de', ## Domain
        2 => '192.168.1.2:1443', ## SWAG Container
      ),
      'datadirectory' => '/var/www/html/data',
      'dbtype' => 'mysql',
      'version' => '25.0.3.2',
      'overwrite.cli.url' => 'https://nextcloud.de',
      'dbname' => 'database',
      'dbhost' => '192.168.1.2:3306',
      'dbport' => '',
      'dbtableprefix' => 'oc_',
      'mysql.utf8mb4' => true,
      'dbuser' => 'user',
      'dbpassword' => 'password',
      'installed' => true,
      'filesystem_check_changes' => 1,
    );

proxy-confs/nextcloud.subdomain.config

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name patrickseemann.de;
        include /config/nginx/ssl.conf;
        client_max_body_size 0;

        location / {
            include /config/nginx/proxy.conf;
            include /config/nginx/resolver.conf;
            set $upstream_app Nextcloud; ## My Container is with a big N
            set $upstream_port 8666; ## Port of the container
            set $upstream_proto https;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
            proxy_hide_header X-Frame-Options;
            proxy_max_temp_file_size 2048m;
        }
    }

site-confs/default.conf

    # redirect all traffic to https
    server {
        listen 80;
        listen [::]:80;
        server_name nextclouddomain.de;
        return 301 https://nextclouddomain.de;
    }

    # main server block
    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name nextclouddomain.de;

        #root /config/www;
        # index index.html index.htm index.php;

        # enable subfolder method reverse proxy confs
        #include /config/nginx/proxy-confs/*.subfolder.conf;
        include /config/nginx/proxy-confs/*.subdomain.conf; ## should include my nextcloud.subdomain.conf

        # enable for ldap auth (requires ldap-location.conf in the location block)
        #include /config/nginx/ldap-server.conf;

        # enable for Authelia (requires authelia-location.conf in the location block)
        #include /config/nginx/authelia-server.conf;

        # enable for Authentik (requires authentik-location.conf in the location block)
        #include /config/nginx/authentik-server.conf;

        location / {
            # enable for basic auth
            #auth_basic "Restricted";
            #auth_basic_user_file /config/nginx/.htpasswd;

            # enable for ldap auth (requires ldap-server.conf in the server block)
            #include /config/nginx/ldap-location.conf;

            # enable for Authelia (requires authelia-server.conf in the server block)
            #include /config/nginx/authelia-location.conf;

            # enable for Authentik (requires authentik-server.conf in the server block)
            #include /config/nginx/authentik-location.conf;

            #proxy_pass https://192.168.1.2:8666;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
            # try_files $uri $uri/ /index.html /index.php$is_args$args;
        }

        location ~ ^(.+\.php)(.*)$ {
            fastcgi_split_path_info ^(.+\.php)(.*)$;
            fastcgi_pass 127.0.0.1:9000;
            fastcgi_index index.php;
            include /etc/nginx/fastcgi_params;
        }

        # deny access to .htaccess/.htpasswd files
        location ~ /\.ht {
            deny all;
        }
    }

    # enable subdomain method reverse proxy confs
    include /config/nginx/proxy-confs/*.subdomain.conf; ## should include my nextcloud.subdomain.conf

    # enable proxy cache for auth
    proxy_cache_path cache/ keys_zone=auth_cache:10m;

weird, I get error on nextcloud.subdomain.conf

I remove the sample. In the default file I include *.subdomain.conf to get all of the data. Only nextcloud.subdomain.conf is activated.

I only change nextcloud to Nextcloud (container name), the port to 8666.

Thank you

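An added example, not part of the original posts and not SWAG's own code: a small Python check built on the include globs visible in the default.conf above (`*.subdomain.conf`, `*.subfolder.conf`). It reports proxy-conf files those globs would never load, `proxy_pass` lines that hard-code an IP instead of the `$upstream_*` variables, and locations where `auth_basic off;` removes the proxy-level password, as in the earlier `/opds/` snippet. The function name, finding labels and sample contents are constructed for illustration.

```python
import fnmatch
import re

# Include globs as they appear in the site-confs/default.conf quoted above.
INCLUDE_GLOBS = ("*.subdomain.conf", "*.subfolder.conf")

HARDCODED_PASS = re.compile(r"\bproxy_pass\s+https?://\d{1,3}(?:\.\d{1,3}){3}\b")
AUTH_OFF = re.compile(r"\bauth_basic\s+off\s*;")
# A location block without nested braces, with an optional modifier (=, ~, ~*, ^~).
LOCATION = re.compile(r"location\s+(?:[=~^*]+\s+)?([^\s{]+)\s*\{([^{}]*)\}")


def strip_comments(text):
    """Drop '#' comments so commented-out directives are ignored.
    Simplification: a '#' inside a quoted string is treated as a comment too."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def lint_proxy_confs(files):
    """files maps file name -> content; returns sorted (file, finding) tuples."""
    findings = []
    for name, content in files.items():
        if name.endswith(".sample"):
            continue  # shipped templates, not meant to be loaded
        if not any(fnmatch.fnmatchcase(name, g) for g in INCLUDE_GLOBS):
            findings.append((name, "not-loaded: name matches no include glob"))
            continue
        active = strip_comments(content)
        if HARDCODED_PASS.search(active):
            findings.append((name, "hardcoded-upstream: proxy_pass uses a literal IP"))
        for path, body in LOCATION.findall(active):
            if AUTH_OFF.search(body):
                findings.append((name, f"auth-disabled: {path} has auth_basic off"))
    return sorted(findings)


# Constructed sample input modelled on the file names and snippets in the thread.
SAMPLE = {
    "nextcloud.conf": "server { }",
    "nextcloud.subdomain.config": "server { }",
    "nextcloud.subdomain.conf.sample": "server { }",
    "nextcloud.subdomain.conf": """
        location / {
            #set $upstream_app Nextcloud;
            proxy_pass https://192.168.1.2:8666;
        }""",
    "calibre-web.subdomain.conf": """
        location / {
            auth_basic "Restricted";
            auth_basic_user_file /config/nginx/.htpasswd;
        }
        location /opds/ {
            auth_basic off;
            proxy_pass $upstream_proto://$upstream_app:$upstream_port;
        }""",
}

if __name__ == "__main__":
    for file_name, finding in lint_proxy_confs(SAMPLE):
        print(f"{file_name}: {finding}")
```
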
alturismo Posted February 19

> 3 hours ago, srepper said:
> I only change nextcloud to Nextcloud (container name), the port to 8666.

> 3 hours ago, srepper said:
> site-confs/default.conf

actually this is not true ... you added at least this

which doesn't belong there ...

now I'm coming back to ...

> 23 hours ago, alturismo said:
> so from what i see i would suggest read the manuals howto, also useful for further proxy's you may want to add to understand how swag is working.

sample why

so, you made changes in the default like trying to point somewhere directly (which will result in conflicts with the loaded *.subdomain.conf ...) and you didn't read the manual as sample about hostnames and case sensitive behaviour, also how the port usage then would be inside the bridge ...

this is what i see quickly here, so i would suggest, start from scratch and read the manuals cause it looks like we may can't resolve this anymore as i don't know what you also may "didn't change"

srepper Posted February 19

> 15 hours ago, alturismo said:
> so, you made changes in the default like trying to point somewhere directly (which will result in conflicts with the loaded *.subdomain.conf ...) and you didn't read the manual as sample about hostnames and case sensitive behaviour, also how the port usage then would be inside the bridge ...
> this is what i see quickly here, so i would suggest, start from scratch and read the manuals cause it looks like we may can't resolve this anymore as i don't know what you also may "didn't change"

Thanks, I read the handbook again. Reinstalled everything.

In this case my docker named on 'nextcloud' with port 9443

swag is on port 1443 and 180 (forwarding in router 443:1443, 180:80)

didn't touch the default in site-confs/

just

    $ mv nextcloud.subdomain.conf.sample nextcloud.subdomain.conf

in the next way I change the config in this way: (look at the picture, changed server_name and port.

changed the config in the nextcloud. (look at the picture)

after a restart, I got error 502 when I want going to my website.

In the tutorial we get help for this:

The dockernetwork is in the same network.

the container has the same name.

I changed the port from 443 to 9443 ( changed the config also )

resolver should be 127.0.0.11, but why? default is by me 1.1.1.1

both do errors.

Taddeusz Posted February 19

Is there any guide on how to configure Authentik for use with subdomain applications in SWAG? I'm currently using Keycloak and vouch-proxy for authentication. I think Authentik could replace both but I haven't been able to get it to work.

alturismo Posted February 20

> 9 hours ago, srepper said:
> I changed the port from 443 to 9443 ( changed the config also )

what you changed is the port mapping to access NC "outside", like from another bridge, from LAN, ...

consider this mapping more like a "router mapping", when you change the WAN port to access something ...

so, in result you change your subdomain config port back to 443 where NC inside the bridge is listening on.

then, how you come to the point adding ports in the trusted sections of config.php ?

here a sample from mine ...

i call my nc locally either by ip .84, by name nextcloud or by its domain name (also externally)

trusted proxies are my LAN 192.... or the docker bridge LAN 172.... (I'm normally using custom:br0 where all running on 192...)

as you see, only masks, no ports ... manual ...

also, may test if you can access your NC Installation locally in LAN on port 9443 when it's fired up (after correcting both trusted sections as described)

vw-kombi Posted February 20

I have installed crowdsec to replace fail2ban. All seems to work fine. Instructions say to disable fail2ban as they will conflict. I have set all jails to false but I see in some log files online that their logs say 'fail2ban service disabled'. How do I do that?

Paul Rockliffe Posted February 21

Morning,

I have a quick question, well quick in that I know if there's nothing obvious when I ask it that I need to go away and read the manuals when I have a bit more time.

I am setting up Swag and was following the Spaceinvader One YouTube video for LetsEncrypt. I've done everything in the video, but appreciate it's quite old now and I'm having issues.

I am using my own domain, I've set up DuckDNS and all of the subdomain forwarding is working as far as I can tell.

I set up Swag with the subdomains, "www,nextcloud,sonarr,radarr" and these are configured on my domain host to forward to DuckDNS.

I have configured the proxy-conf files as per the YouTube instructions.

All my subdomains began with 502 errors except www, which correctly displays a website I dropped into the www folder in swag.

I played around with a few things, didn't get anywhere, then I re-set up resolver.conf.

Now Nextcloud is working, but sonarr and radarr both return the www website that I set up.

I feel like someone that knows what they're doing might be able to point out some really obvious thing I need to change, but unfortunately that isn't me! Does anyone have a quick-fix before I start trying to learn this properly?

Thanks

srepper Posted February 21

> On 2/20/2023 at 5:44 AM, alturismo said:
> what you changed is the port mapping to access NC "outside", like from another bridge, from LAN, ...
> consider this mapping more like a "router mapping", when you change the WAN port to access something ...
> so, in result you change your subdomain config port back to 443 where NC inside the bridge is listening on.
> then, how you come to the point adding ports in the trusted sections of config.php ?
> here a sample from mine ...
> i call my nc locally either by ip .84, by name nextcloud or by its domain name (also externally)
> trusted proxies are my LAN 192.... or the docker bridge LAN 172.... (I'm normally using custom:br0 where all running on 192...)
> as you see, only masks, no ports ... manual ...
> also, may test if you can access your NC Installation locally in LAN on port 9443 when it's fired up (after correcting both trusted sections as described)

Thank you! I change it back to 443. Locally is everything fine, but not in swag.

I get 502 Error, but my log and the config.php looks fine. I added nextcloud in the trusted domain.

ksebak Posted February 22

I recently made the switch from google domains to cloudflared (ISP started blocking ports 80 and 443). Using a tunnel and pointing to my swag docker everything was initially running fine. I started having a new issue and I can't for the life of me figure it out. Any ideas how I can fix this?

    Generating new certificate
    Requesting a certificate for domain.com and 19 more domains
    Certbot failed to authenticate some domains (authenticator: standalone). The Certificate Authority reported these problems:
      Domain: subdomain.domain.com
      Type: unauthorized
      Detail: 2606:4700:3033::6815:2a16: Invalid response from http://subdomain.domain.com/.well-known/acme-challenge/Oz-GBT7I96FMKM7UEf0buI6nA5-QjK64ILvPB5zYZM8: 502

I followed the instructions from https://docs.ibracorp.io/cloudflare-tunnel/

So the tunnel was working for a couple days but just randomly stopped. I tried updating the ssl.conf to the pem file generated by cloudflared but it didn't fix anything. Anyone run into this or have ideas for a fix?

Nodiaque Posted February 23

Hello everyone,

I'm trying to have qbittorrent working with Swag and Fail2Ban. The reverse proxy works perfectly, but in the log file of qbittorrent, everything is logged as the docker ip. Thus, all logins show as:

    WebAPI login failure. Reason: invalid credentials, attempt count: 3, IP: ::ffff:192.168.255.5, username: Hh

If I connect directly to the docker, the ip is good. Because of that, I cannot set either "local ip" or fail2ban to work cause it blocks everyone (since it's the same ip).

I tried the original qbittorrent.subfolder.conf, I tried adding these:

    proxy_set_header X-Forwarded-Host $http_host;
    proxy_set_header X-Forwarded-For $remote_addr;

I tried

    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;

I tried

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Server $host;
    proxy_set_header X-Forwarded-Host $host;

Nothing works

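An added example, not from the original post and not code from qBittorrent or fail2ban: a Python sketch of per-address failure counting over log lines in the format quoted above, showing why every client collapses into a single ban candidate when the logged address is the reverse proxy's. The proxy address list, the threshold and the sample lines are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Matches the login-failure line format quoted in the post above.
FAILURE = re.compile(
    r"WebAPI login failure\. Reason: [^,]+, attempt count: \d+, "
    r"IP: (?P<ip>[0-9A-Fa-f:.]+), username: "
)


def normalize(ip_text):
    """Parse the logged address and unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d)."""
    ip = ipaddress.ip_address(ip_text)
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def ban_candidates(lines, proxy_ips, threshold=3):
    """Return (to_ban, masked): client addresses at or over the threshold, and the
    number of failures logged with a reverse-proxy address, which cannot be
    attributed to any real client."""
    proxies = {ipaddress.ip_address(p) for p in proxy_ips}
    per_ip, masked = Counter(), 0
    for line in lines:
        match = FAILURE.search(line)
        if not match:
            continue
        ip = normalize(match.group("ip"))
        if ip in proxies:
            masked += 1  # banning this address would lock out every proxied user
        else:
            per_ip[ip] += 1
    to_ban = sorted(str(ip) for ip, count in per_ip.items() if count >= threshold)
    return to_ban, masked


# Constructed sample log: three failures seen through the proxy, four seen directly.
_FMT = ("WebAPI login failure. Reason: invalid credentials, "
        "attempt count: {n}, IP: {ip}, username: {user}")
SAMPLE_LOG = [_FMT.format(n=n, ip=ip, user=user) for n, ip, user in [
    (1, "::ffff:192.168.255.5", "Hh"),
    (2, "::ffff:192.168.255.5", "admin"),
    (3, "::ffff:192.168.255.5", "root"),
    (1, "203.0.113.7", "admin"),
    (2, "203.0.113.7", "admin"),
    (3, "203.0.113.7", "admin"),
    (1, "198.51.100.20", "bob"),
]]

if __name__ == "__main__":
    print(ban_candidates(SAMPLE_LOG, proxy_ips=["192.168.255.5"]))
```
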
ijuarez Posted February 23

> On 2/11/2023 at 5:21 PM, Ninoslav said:
> Any idea why each swag update breaks my remote jellyfin? Out of the 5 files mentioned in the screenshot, only one I edited was jellyfin.subdomain.conf. I have 2 servers and both died so I tried this. On the first one I replaced all files with new ones starting from the bottom and it was dead until all 5 were replaced with samples and old ones renamed to old. On the second one I started from the top and as soon as I replaced first two authelia server was back online. On that 2nd server I still have warning about /config/nginx/proxy.conf, /config/nginx/proxy-confs/jellyfin.subdomain.conf and /config/nginx/site-confs/default.conf but jellyfin works just fine. Is there something I need to do so swag update doesn't mess it up each time?

I had to replace all of mine and then it worked

Born8bit Posted February 25

At this point, swag is driving me crazy ... After each update, I get this error message:

    nginx: [emerg] "stream" directive is not allowed here in /etc/nginx/conf.d/stream.conf:3

So I move the file like this:

    mv -v /etc/nginx/conf.d/stream.conf /etc/nginx/stream.d/

and restart the docker, all is fine. Next update, same procedure - and I don't get it, how come this file always ends up where supposedly it's not supposed to be? I checked all the config files that were outdated, but none were related to stream.conf, most were just newer templates, I transitioned but keep getting the same problem.

Nodiaque Posted February 25

Did you change that file? Cause I don't have that problem at all. My file is in /etc/nginx/conf.d/stream.conf and no problem. This file isn't saved on a mounted drive, it's in the docker and why it's always coming back. I think you have something wrong with your nginx conf. Try starting with a fresh config and work your way down on your modification.

mgranger Posted March 1

I am not getting 502 errors for a lot of my subdomains? A few work but most are getting this error? I have taken the sample file and tried to modify it to work but I am not having much luck.

lusitopp Posted March 1

Hi,

I have a problem that I have had for 1-2 weeks now, every morning I cannot access my stuff that is behind SWAG. I'm not sure if this is an unraid or a SWAG problem but after a simple restart of SWAG I can access all my stuff again. In which logs shall I begin the troubleshooting?