SWAG: NGINX Reverse Proxy with Docker, Mods & Authelia
HTML-код
- Опубликовано: 1 авг 2024
- In our next episode in the Reverse Proxy series, we introduce SWAG - (Secure Web Application Gateway by LinuxServer.io), set up an Nginx web server and reverse proxy with PHP support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.
We'll show you how to install it using Docker on Unraid and use some extra tricks to have it work even harder for you, saving you time and effort.
Looking for a written guide? Here you go:
ibracorp.gitbook.io/swag-2/
Official SWAG Docs: docs.linuxserver.io/general/swag
🔔 Subscribe for more tech tips and tutorials: @IBRACORP
👍 Like this video if you find it helpful, and tell us in the comments what other tutorials you'd like to see.
🚀 Timestamps:
0:00 Intro
2:58 - Our Docs
3:56 - SWAG
8:19 - Cloudflare
11:55 - Docker Mods
13:10 - Cloudflare IP
14:38 - Auto Reload
15:54 - Auto Proxy
18:21 - Reverse Proxy an App
20:07 - Authelia
📌 Follow us on social media for the latest updates:
Website: ibracorp.io/
Discord: / discord
Reddit: / ibracorp
Twitter: / ibracorp_io
Facebook: / ibracorp
💖 Support Us:
Your support helps us to keep producing high-quality tech tutorials and content. If you've found value in our videos, consider supporting us in the following ways:
PayPal: www.paypal.com/donate/?hosted...
Shop: shop.ibracorp.io/
Subscribe and share our videos with friends and colleagues.
Every bit of support makes a huge difference and enables us to continue delivering content that helps you make the most of the latest technology!
For business enquiries, please email support@ibracorp.io
#swag #linuxserver #nginx proxy manager #traefik #selfhosted #nginx tutorial 
Наука
Hope you guys enjoyed todays video! Anything you'd like to see in a future episode? Let us know here or on Discord! discord.gg/VWAG7rZ 🙂
Ok, you have convinced me. I'll deploy Nginx Proxy Manager.
😆
This plus Tailscale is a massive life improvement without opening any ports on my router and my VPN is safeguarded by a company that's been in that business for a long time with a reputation to lose rather than myself who may not be up to snuff at all times.
Major win. Hello photo and media library on the go, it's a pleasure to have you!
Good timing, I'm just just looking for a reverse proxy for my newly built Unraid box. I'll check this out tomorrow
BTW, Thank you for this. I constantly have to try to remember how to set up swag on my unraid server for different things and this is one of the few videos which covers everything.
That’s great to hear! Thanks so much for the feedback. Appreciate you watching our content!! I’ll be honest, I also watch back on the videos when setting up a new server 😂
Great Video! An Absolutely terrific looking application with SWAG as well. I feel like I'm too much of a control freak for all of the automated stuff, but still really great even if you don't use all of that.
Nothing wrong with being a control freak when it comes to this topic mate!
But at least it's optional
Hi, IBRACORP, I am really impressed with all those tutorials you guys have. since I found this channel I have been addicted to it. I can notice that all your tutorial has been done on unraid, is there any specific motive? Can you do the equivalent for Truenas?
Will this work with an existing cloudflare Argo tunnel? Or do I need to modify more?
Thanks for this very interesting video! However I have an issue with the backup path created in the container... not able to access it from the gui of duplicacy... any idea of the problem ? thx
Thanks for sharing
for authelia to correctly redirect you to the authelia login, you need to enable authelia by having
path: "authelia"
in the configuration.yaml, which is also in the ibracorp swag documentation.
Thank you for this, i missed this step and it was the cause of 9 straight hours down the drain. fixed now.
I followed this guide and got almost everything to work except the authelia login prompt never appeared for me I got straight to my container application. Had to make one small change to the configuration.yml in your github file it says path: "" under the server: section, had to change this to path: "authelia"
But still a well put together guide.
Dude, this has been eating my time for nearly a day. Thank you.
hello. thx for your video !
Hello. Great video. Are you able to use the Auto-Proxy docker mod AND add preconfigured Nginx Templates for applications not on the custom docker network? I have containers on a 2nd unraid server on the same LAN. Thanks.
I don't think it was mentioned in this video, but I was stuck with a browser infinite redirect issue for all the subdomains I added via auto-proxy mod until I went into my Cloudflare account and under SSL/TLS settings for my domain and changed the encryption mode from Flexible to Full.
Just putting this here in case anyone else runs into the same problem. :)
Hero! :)
Thank you so much! Had exactly the same problem and this instantly solved it for me!
Thanks! This fixed my problem!!!
This saved me hours of troubleshooting. thanks man. edit: BTW this issue also occurs with the default swag configuration without auto-proxy mod. Setting the SSL/TLS encryption mode to full seems necessary when using a self-signed certificate.
Heya, I can't seem to find the video that shows the Let's encrypt certificate part? I am unable to add the certs to Nginx without adding the Let's encrypt first.
Hello so I have a question I'm on a provider via cgnat and I can use tailscale etc in a vm without any problems directly on unraid it has issues with ipv6. But my main thing is I'm trying to figure out how to use tailscale or zerotier and use the ip addresses with swag or another proxy solution can you point me the right direction. Thank you!
Hello. Thanks for the video!
One question. If I'm following this tutorial, at 9.42, just after creating the wildcard cname, should i be able to access my server from the internet? typing my domain, should take me to the webui? I only get an "ERR_CONNECTION_TIMED_OUT" message in chrome
Thanks for the great tutorial. I only have one question, is there also the possibility to use "SSL Full (Strict) with SWAG? Can't find anything in the documentation.
Yes, absolutely
very helpful! and i also want to know how to set up swag with IPV6? is there anyone know hot to do it? i creat a custom network,but it doesn't have IPV6
Did you cancel the AUTO RELOAD WATCHLIST variable or actually add it?
Are there any additional steps needed that are not in this video to switch from Nginx Proxy Manager to SWAG or is it as simple as setting this up and just turning off NPM?
99% of the included proxy configuration files don't need editing and will work out of the box as long as they are enabled
When you proxy A and C names on cloudflare, how do you manage NAT reflection in pfsense such that LAN clients can directly communicate to swag?
Not sure on this one mate but I'm sure some community members in our Discord will be able to answer it for you!
Pls do a tutorial for ebooks
Can this method be used to enable remote connection to Home Assistant docker in Unraid? Or are there any suggestions for alternative methods (such as Nginx Proxy Manager and DuckDNS)?
Yes, you can
is there some unraid setting we need to change? I can not connect to host
I pretty much followed this video to the T and am having some issues with getting Nextcloud running using this how could I find some assistance with this?
your ibracorp website seems to be down? Nothing is showing up when loading the webpage
at 21:56 you uncommented a comment that said "enable for authelia" this will have broken your configuration because it meant the line underneath which was already uncommented.
# enable for Authelia
include /config/nginx/authelia-server.conf; #
Yeah apologies there, it was missed in editing
Followed guide to a T and still not able to get it to work :(
Edit: Ended up just going with NGINXProxyManager. Seems to be fine with my use case. Love the videos IBRACORP
Hi Jay, thank you for watching!
Some time ago, I migrated from LetsEncrypt to Nginx Proxy Manager, mainly due to the fact that (at the time), LE used SAN certs and I didn't want all my fqdns lumped together in one cert.
So I moved to NPM and I've been pretty happy with it but it seems to me like documentation for it is essentially non-existent. If it's out there, I've been unable to find it.
So, today I got to thinking about moving to SWAG but I wanted to ask the question before I even start - does SWAG utilize SAN certs, lumping all FQDNs into one cert, or does it utilize unique certs for each FQDN similar to what NPM does?
I'd like to get clarification on that prior to putting any effort into a migration. Thanks in advance.
what’s the reason you don’t like san certs?
@@snowwsquire if I’m hosting multiple domains I don’t want them lumped together, for a variety of reasons.
Why does your SWAG docker have an icon to load a UI? SWAG has a UI?
Thank you for this tutorial. Docker mod functionality and fail2ban make swag very interesting. Perhaps a follow up video could be fail2ban, I tried following the scarce documentation and got it to work but it bans the docker network as opposed to the client real ip. I installed the "real ip" mod and it still doesnt show it. The other problem is that fail2ban is inside the container and whilst it creates a ban it actually doesnt close anything.
I followed closely and I am unable to connect. Auto proxy doesn't work for me. I had to manually add the configs but it works now.
Glad you got it working! Have you had a look at our Traefik guide? Another alternative to try out.
Hey Question: Why would having dockersocket be more secure than giving swag access to the docker socket? Doesn't dockersocket need access too, thus having the same security risk? THX!
It’s removing a layer of access to the docker socket. Instead of giving a publicly accessible application full access to the docker socket, you’re giving a secure app that has one job in the backend access to the proxy. That apps job is to give limited access for other apps to the docker socket. So any publicly facing apps are only able to read the information required instead of being able to spin up malicious containers with root access to everything in your server for example. The only way to access the docker socket proxy if set up correctly is via the dockers secure internal network and so you have added a layer of security
Hi Ibra!
Can you tell us what's your router model?
Hi there!
I run a Ubiquiti UDM Pro 🙂
Hello, using auto proxy, is there a way to use subfolders instead of subdomain?
Thanks!
Not sure on that one, head over to our discord and you will be able to ask the developers yourself.
Whats a good use case for Cloudflare real IP? Im trying to decide if I need it or not.
For example reading a user's real IP for fail2ban is one
After making the custom proxy in swag, whenever I switch swag to the custom proxy and try to access my server, i get a webpage that says "website redirected you too many times".
change ssl/tls to full
Showing both NGINX proxy manager and swag both running at same time How does one do this? see 11:58 on video
I did everything in this video and when I try to connect to my subdomain I just get a "Welcome to your SWAG instance".
For some reason the docker mod `swag-auto-proxy` didn't get saved. Now I'm getting a 502 error. Fun times all around.
I assume this video is out of date? I do not see anything located past the /mnt/ folder when I go to edit anything in the terminal. There is no cloudflare.ini file. Having difficulty putting my Cloudflare API in.
It wherever you have the folder mapped in your docker container template for CloudFlare. So you'll need to check
I don't know if if this will help me with what I'm trying to do, but I think I'm gonna do just about everything in this video.
Always a good start! 😎
Would appreciate a duckdns version just in case....
How would this work with containers being passed through a seperate vpn container (sonarr, radarr, etc theough nordvpn container for example)? At all or not??
I got it working with my delugevpn container, but question, how would the auto-proxy work? 1 address for all containers or would I have to still make up a different address per container? I'm working the El cheapo method of just duckdns and no payed services.
P.s. you didn't show how to test the address/proxy to make sure it works and how to navigate multiple dockers with the auto setup enabled.
Approx 5:00 mark question ( custom docker network question), how would I do this in the case of sonarr, radarr, etc while tunneling them through a nordvpn docker? Do I just add them all to that docker network? How do you tell the dockers to use the vpn since the --net something isn't there with the network set to something other than "none".
Much appreciated. Should I ditch traefik? 🤔
Yes
Give it a try and see which you prefer
@@JoelTony Why?
Do I need to open any firewall port or port forwarding for SWAG to work?
Yes. Unless you use our CloudFlare Tunnel video which lets have all ports closed
@@IBRACORP can u list out the ports?
80 and 443. (HTTP AND HTTPS)
Swag is nice. But it sucks when updates to the container break your existing app specific proxy.confs. I finally got tried of it and switched to NPM. Sure, Swag does give you more granular control over configuration. But its a PITA having to deal with template updates.
Good feedback thanks Nirav!
Great video! Is it possible to use an origin certificate with swag?
Yes! It is
@@IBRACORP With such a short answer, can we expect a follow up video anytime soon? :)
@@IBRACORP I'd love a video on how to setup the Cloudflare origin certificate with SWAG too. Plus content with how to setup Fail2Ban with SWAG would be an awesome bonus. Thanks heaps for the great content. This is coming from a fellow Aussie currently still stuck overseas...
No problem mate we'll check it out, hope you can come home safe soon mate ✌️
SIGN! Would be a pleasure to see this... Thinking to move from NPM to Swag
I prefer the old community applications as this one requires an additional click to install something for no reason.
Fair point!
It did not work for me, I followed the guide perfectly. I was hoping to automate things but with no web interface for SWAG I found it actually takes more of my time as troubleshooting requires many extra steps. I will just go back to NPM and setup things manually as before.
Thank you for making a guide anyway, I hope it helps somebody else.
agree, there is a lot of missing information in this tutorial.
Why do they always reuse acronyms lol
I thought swag was just the API testing tool
And NPM was for node package manager
And now there's 2 let's encrypts at least they changed it to something more distinguished
the swag container was originally called letsencrypt (because it included letsencrypt and nginx in an easy to use container), swag stands for Secure Web Application Gateway, npm in this case means Nginx Proxy Manager
not once did you show the result of any of the commands or modification.
Are you asking me to? The result has no impact on the method shown or the instructions provided.
Oh good you only go over this when using mods. Should be in the title.
Halting a guide to talk about mods. Stay on topic and make another video.