[How-To] Web services using Swag (Proxy) in docker

Installation of swag (reverse proxy) in Docker. This will allow access to local services from the internet through an protected connection.

August 2023.

Warning. I've stopped using swag so I no longer maintain this guide. Some concepts might be outdated, make sure everything is still valid in the official swag documentation.

• SWAG (Secure Web Application Gateway) configures an Nginx web server and reverse proxy with php support and a built-in certbot client that automates the free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). You can also optionally configure other security measures such as fail2ban for intrusion prevention.
• This image supports x86-64, arm64, and armhf architectures.

1 Initial System Preparation

• General preparation of the OMV system to install applications in docker, create user for docker and create folder for application configuration. You can do it by following this document https://wiki.omv-extras.org/doku.php?id=omv6:docker_in_omv
• If you have followed the guide, your user will be appuser and your folder will be /SSD/appdata. You can customize it if you want. Define your UID and GID of appuser, see how to do it in the previous link.

2.Define required parameters in Swag

• Domain: To access a service from the internet we will need a domain that points to our server. If you don't have one, you can do it like this:
  • If your IP is fixed (check with your ISP), you can get a free domain on DuckDNS, for example, and have it point to your IP.
  • If your IP is dynamic (the most common) you can solve it by following the instructions here https://wiki.omv-extras.org/do…th_duckdns_fix_dynamic_ip or here. [How-To] Install DuckDNS. Automatic dynamic IP update. or alternatively use one of the Swag plugins.
• Port forwarding on your router: (see your router's user manual on how to do this). Since OMV uses ports 80 and 443 by default, we will forward the Swag ports to 81 and 444 on the router and send them back to 80 and 443 in the container. In this way we free those ports for the OMV interface. If you do not use these ports in the OMV GUI this detour would not be necessary.
  • External port 80 to internal port 81 (IP of your NAS)
  • External port 443 to internal port 444 (IP of your NAS)

3. Network creation in Docker

• So that Swag can communicate with the rest of the containers we have three options. The most suitable solution in this case is the second one. Create a user-defined bridge network and attach the containers to this network.
  • Attach the service stack to the same stack where Swag is, in this way all the containers connect to the default bridge network, being able to communicate with each other. Communication between containers will only be possible through the IP of the subnet. In addition, this forces to have all the stacks together, complicating maintenance.
  • Create a user-defined bridge network and attach the containers to this network. In this way the containers will communicate with each other, being able to do so by IP or by host name. In this case the hostname of each container will be the name of the container, which must be in lowercase. This also allows you to have separate stacks making editing easier.
    • We created a network in openmediavault-compose that we will call swag-net. To add a container to this network we must add the line network_mode: swag-net on the stack.
  • Create multiple independent networks and attach Swag to all networks. In this way the communication between containers will be restricted, being able to communicate Swag with all of them. To do this, follow the above procedure for each container.

4.Installing Swag on Docker

• To adjust and implement the following stack in openmediavault-compose, you can see how to do it in the link in point 1. Make sure before here if this stack has undergone modifications.

version: "2.1"
services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag  #Comment 1
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1002    #Comment 2
      - PGID=100     #Comment 2
      - TZ=Europe/Madrid    #Comment 3
      - URL=your_domain.es    #Comment 4
      - SUBDOMAINS=your_subdomain1,your_sudomain2   #Comment 5
      - ONLY_SUBDOMAINS=true
      - VALIDATION=http
      - EMAIL=your_email@gmail.com    #Comment 6
    volumes:
      - /path/to/appdata/swag:/config    #Comment 7
    ports:
      - 444:443
      - 81:80
    restart: unless-stopped

• Comment 1: See point 3.
• Comment 2: See point 1.
• Comment 3: Adjust it to your location. You can see it by typing cat/etc/timezone in a terminal.
• Comment 4: Enter your domain here. See point 2 of this guide -> 2. Define required parameters in Swag
• Comment 5: Write your subdomains separated with commas here. Each subdomain will give access to a different service (Jellyfin, Plex, Heimdall, ...). For example for Jellyfin you could define a subdomain like this jellyfin.my_subdomain_duckdns.duckdns.org if you had configured a domain with duckdns called my_subdomain_duckdns.duckdns.org In this case that line would look like this:
  - SUBDOMAINS=jellyfin

• Comment 6: Write your email address here. At this address you will receive notifications regarding the renewal of your domain certificate. A gmail account will work. Another type of account could cause problems.
• Comment 7: Enter the path to your config folder here. Make sure appuser has write permission to config folder. See point 1.
• Run the stack, this will download the necessary images and start the container. You can see how to do it in the link in point 1.
• Check that swag is working. Execute the command docker logs -f swag The output should be the information regarding the download of your domain certificates, expiration date, etc, the last line should say ready. Press ctrl+c to exit.

5.Set up a service

• Let's take as an example that we have a service configured in our local Jellyfin network and we want to access it from the internet through swag. The current compose file could look something like this:

---
version: "2.1"
services:
  jellyfin:
    image: lscr.io/linuxserver/jellyfin:latest
    container_name: jellyfin
    environment:
      - PUID=1000  # may differ on your system
      - PGID=100   # may differ on your system
      - TZ=Europe/Madrid   # may differ on your system
    volumes:
      - /SSD/appdata/Jellyfin:/config   # may differ on your system
      - /DATA/media:/data   # may differ on your system
    ports:
      - 8096:8096   # may differ on your system
    restart: unless-stopped

• This application will be working through its own subnet. You can check it in openmediavault-compose in the Networks tab, there you will check that the jellyfin container is working on the jellyfin_default subnet.
• For swag to divert internet traffic to this container, both containers must work on the same network. This is achieved by defining in this container the same network that we created for swag. See point 3. Edit the jellyfin stack (see point 1 for help) and add the line network_mode: swag-net like this:

---
version: "2.1"
services:
  jellyfin:
    image: lscr.io/linuxserver/jellyfin:latest
    container_name: jellyfin
    network_mode: swag-net
    environment:
      - PUID=1000  # may differ on your system
      - PGID=100   # may differ on your system
      - TZ=Europe/Madrid   # may differ on your system
    volumes:
      - /SSD/config/Jellyfin:/config   # may differ on your system
      - /DATA/media:/data   # may differ on your system
    ports:
      - 8096:8096   # may differ on your system
    restart: unless-stopped

• This will make this container work on the same network as the Swag container, but it will be isolated from the rest of the containers. Click on the up button.
• The next step is to add this service to Swag. Swag has many services preconfigured using files located in /nginx/proxy-confs/ inside the container. They all have the ending sample. To activate a service we only have to remove this termination. In a terminal write:

cp /path_to_config_swag/nginx/proxy-confs/jellyfin.subdomain.conf.sample /path_to_config_swag/nginx/proxy-confs/jellyfin.subdomain.conf

where path_to_config_swag is the path to your swag config folder

• If our service is configured in a standard way, the jellyfin domain and port 8096 will coincide. In case we have customized it, we must edit this file and adapt it.
• Restart the swag container in openmediavault-compose or by using the command docker restart swag in a terminal.
• From now on we can access Jellyfin from the internet by typing in any browser the address of the domain that we have configured for jellyfin, in this case jellyfin.my_subdomain_duckdns.duckdns.org
  • In the case of Jellyfin, you will need the following to make it work: Enter the Jellyfin GUI and go to Control Panel>Networks Click the checkbox Allow remote connections to this server.
• Make sure you have strong passwords for all services exposed to the internet.

6.More information

• If you want to configure Nextcloud, since it requires some special configuration, here is a detailed guide on how to do it. [How-To] Nextcloud with swag (Letsencrypt) using OMV and docker-compose
• More information about Swag here and here Follow the linuxserver instructions on this website to update the container.
• Swag Networks https://docs.linuxserver.io/general/swag#docker-networking

I hope it is useful !!

To secure swag with additional options like fail2ban, geo-blocking or authelia you can check here https://virtualize.link/secure/