Cloudflare & Swag: no more access to subdomains configured

mbinax · 6. September 2021

Hi,

coming back home from holidays, my previously configured services (I use Docker and Portainer) are no more reachable outside my house/router: I obtain "Impossible to reach" them in the browser.

Obviously, they're still fully functional from the inside using IP address and port (e.g. http://<ip>:<port>/)

I use CloudFlare and SWAG, and they were all available before as subdomains (es. heimdall.<mydomain.com>, nextcloud.<mydomain.com>, etc...).

Currently I'm not able to understand what happened.

Nothing has been changed in configuration files (theoretically) and CloudFlare DNS, but... for sure:

Ouroboros is active and running, so docker containers have been continuatively updated
OMV has been updated via-GUI

Have you got some ideas?

Soma · 6. September 2021

Start by checking your SWAG logs to see if there's anything that stands out.

Or maybe your WAN IP got changed and Cloudflare didn't updated it.

Using Ouroboros, or Watchtower for that matter (in my opinion) isn't a good approach because sometimes there's changes to the containers that need a bit of assistance from us (for instance: SWAG changed some things in the "default" nginx folder and created a "resolver.conf" that changed how the xxx.subdomains.conf and xxxx.subfolders.conf resolve the internal IP. To update, you need to delete some files and restart the container, for eg)

Check the logs, and we'll go from there.

You can also post your SWAG yml on a code box to help you better (hide sensible data)

mbinax · 7. September 2021

Hi Soma,

thank you so much for your help!

My DNS domain in CF is http://www.binax.it

WAN Address is right and it is always monitored by ddclient (another container).

SWAG stack in Portainer is this:

Code

version: "2"
services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=100
      - TZ=Europe/Rome
      - URL=binax.it
      - SUBDOMAINS=wildcard   #DNS validation
      - VALIDATION=dns        #DNS validation
      - DNSPLUGIN=cloudflare  #DNS validation
      - EMAIL=<my-address-mail>
    volumes:
      - /srv/dev-disk-by-label-RAID5/appdata/swag:/config
    ports:
      - 443:443
      - 80:80 #optional
    restart: unless-stopped

Alles anzeigen

...and this is the network used by SWAG and other apps containers (e.g. ombi, heimdall, ...) in order to "talk" with SWAG:

Code

Name                           swag_default
ID                             c2ecd3ca25759e2126d495b9d5fc58b493495ab00c7f2f037fee7f6c364168dd 
Driver                         bridge
Scope                          local
Attachable                     true 
Internal                       false
IPV4 Subnet - 172.24.0.0/16    IPV4 Gateway - 172.24.0.1
IPV4 IP range -                IPV4 Excluded Ips

____

About logs...

This is the /swag/log/letsencrypt.log

Code

<------------------------------------------------->
cronjob running on Tue Sep 7 02:08:00 CEST 2021
Running certbot renew
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Processing /etc/letsencrypt/renewal/binax.it.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Certificate not yet due for renewal

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
The following certificates are not due for renewal yet:
  /etc/letsencrypt/live/binax.it/fullchain.pem expires on 2021-10-28 (skipped)
No renewals were attempted.
No hooks were run.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Alles anzeigen

Here attached both SWAG access and error log files.

logs.zip

Soma · 8. September 2021

I just tried your webpage with heimdall and with nextcloud and it seems ok.

I got to the login page on both of them

mbinax · 8. September 2021

Oh my gosh!

Soma, you're right and I feel so stupid.

But... I can't understand what can be changed because I can't get none of my services using the Wi-Fi!

KM0201 · 9. September 2021

Why do some folks use cloudflare over just using swag as a reverse proxy. Is there something I'm missing?

Soma · 9. September 2021

Zitat von mbinax

But... I can't understand what can be changed because I can't get none of my services using the Wi-Fi!

I don't really understand what your problem is...

Your services are working (at least, the access to the login pages) via Internet/browser which means that the redirects from CloudFlare to your SWAG, and then to the server are working.

So, what do you mean by "I can't get none of my services using the Wi-Fi!" ????

Zitat von KM0201

Why do some folks use cloudflare over just using swag as a reverse proxy. Is there something I'm missing?

SWAG is still beeing used,

But instead of using DUCKDNS or redirect the own DOMAIN straight to the server, it first goes to CloudFlare and then redirects to the server.

From what I know, this is just a way to further "mask" your IP via CloudFlare.

Honestly, before DUCKDNS, I tried it but the headaches it gave me just to configure it weren't worth it so, I turned to DUCKDNS.

KM0201 · 9. September 2021

Zitat von Soma

I don't really understand what your problem is...
Your services are working (at least, the access to the login pages) via Internet/browser which means that the redirects from CloudFlare to your SWAG, and then to the server are working.

So, what do you mean by "I can't get none of my services using the Wi-Fi!" ????

SWAG is still beeing used,
But instead of using DUCKDNS or redirect the own DOMAIN straight to the server, it first goes to CloudFlare and then redirects to the server.

From what I know, this is just a way to further "mask" your IP via CloudFlare.
Honestly, before DUCKDNS, I tried it but the headaches it gave me just to configure it weren't worth it so, I turned to DUCKDNS.

Alles anzeigen

Yeah, I know "what" it does... I just don't get what it offers over just using swag to reverse proxy your domain, or using duckdns if you want a free service. I agree with you, i tried cloudflare and it gave me nothing but problems.

mbinax · 8. Oktober 2021

Sorry for late response.

Before switching to duckdns I'd like to catch out the issue, if possible.

My services are always on, and they're working fine (with DNS Cloudflare and SWAG): and you can also contact them by their domain.

But... they're available only from outside my home network.

Cloudflare & Swag: no more access to subdomains configured

Jetzt mitmachen!

Tags