[How-To] Web services using Swag (Proxy) in docker - Q&A

  • So, I'm starting this off with a few questions myself. First of all, thank you, chente, for creating your helpful tutorials!


    I have two questions regarding the user-defined bridge, which might also be of interest to other users:

    1. When using SWAG and Jellyfin (for example), the line network_mode: swag should be added to both compose files, right? Otherwise, SWAG would stay in its own default network. At least for me, this wasn't clear when reading the tutorial.
    2. To isolate additional apps (if I add Nextcloud to the mix, for example), it should be helpful to create another network to isolate traffic between SWAG and Nextcloud, so Nextcloud and Jellyfin containers don't see each other. I was reading the docker documentation (Network Tutorial) and it seems that having separate networks would be beneficial for isolation of traffic.
      --> For example: Create two networks named swag_jellyfin and swag_nextcloud, where SWAG is part of both, while Jellyfin and Nextcloud are only part of their respective bridge.

    I haven't tested this and wanted to confirm before I try anything that doesn't make sense. I assume that it would be necessary to use "networks" instead of "network_mode" to add SWAG to several networks, as described in the docker documentation (Networking in Compose)?

  • If you really want to isolate the networks of your containers, you have to

    1. Create an individual network for each container (docker network create <name_of_network>)
    2. Attach the new container to that network
    3. Attach the swag container to all these networks using (in the docker-compose.yml)
    Code
      some-service:
        networks:
         - some-network
         - other-network

    See: https://docs.docker.com/compos…compose-file-v3/#networks

    And define the networks as documented here: https://docs.docker.com/compos…k-configuration-reference


    But why would you do this?

    If you got help in the forum and want to give something back to the project click here (omv) or here (scroll down) (plugins) and write up your solution for others.
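
The layout from the steps above (one bridge network per app, SWAG attached to all of them), written out as a single compose file. This is an added example, not a file posted by anyone in the thread; the domain, the volume path and the use of the linuxserver images for Jellyfin and Nextcloud are assumptions.

```yaml
# Added example, not a file from the thread.
# The two networks are created once beforehand:
#   docker network create swag_jellyfin
#   docker network create swag_nextcloud
services:
  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=100
      - TZ=Europe/Madrid
      - URL=example.duckdns.org          # placeholder domain
      - SUBDOMAINS=jellyfin,nextcloud    # names only, not full hostnames
      - VALIDATION=http
    volumes:
      - /path/to/swag/config:/config     # placeholder path
    ports:                               # only the proxy publishes ports on the host
      - 443:443
      - 80:80
    networks:                            # SWAG is the only member of both bridges
      - swag_jellyfin
      - swag_nextcloud
    restart: unless-stopped

  jellyfin:
    image: lscr.io/linuxserver/jellyfin
    container_name: jellyfin             # SWAG resolves this name on swag_jellyfin
    networks:                            # no "ports:" section, reachable via SWAG only
      - swag_jellyfin
    restart: unless-stopped

  nextcloud:
    image: lscr.io/linuxserver/nextcloud
    container_name: nextcloud            # not resolvable from the jellyfin container
    networks:
      - swag_nextcloud
    restart: unless-stopped

networks:                                # top level, indent of 0 spaces
  swag_jellyfin:
    external: true
  swag_nextcloud:
    external: true
```

Volumes for Jellyfin and Nextcloud are left out to keep the network wiring visible. `docker network inspect swag_jellyfin` should list only swag and jellyfin as attached containers.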

  • Thank you for this!


    I was reading the SWAG documentation and they said it makes sense to use a user-defined bridge network (container names can be used as hostnames). Because I didn't quite understand how this worked, I read the docker documentation and they use an example to isolate the containers. I thought this might be a sensible approach to protect the other containers if one container is compromised, but also making sure that SWAG's reverse proxy still functions?


    My docker-compose.yaml for SWAG (I removed a few lines under "environment")

    My docker-compose.yaml for Jellyfin

    So, would it be better to change my docker-compose.yaml (instead of using network_mode = swag) to something like this?

  • I am not quite sure about the difference between network_mode and networks, only that network_mode can only take one network and does not require the networks definition in the docker-compose.


    In the last file, you need to add

    Code
    networks:
      swag:
        external: true

    after line 17. Mind the indent of 0 spaces.


  • It is really simple:


    1 - In Portainer, create a new network (in my case my-net)

    2 - Add this after version "x.x" to your dockers.yaml file to deploy:


    Code
    version: "2.1"
    networks:
      default:
        external:
          name: my-net

    Done, all your dockers are attached to the my-net network and can be name resolved by swag (swag must have these lines too to run on the my-net network)



    An example of my airsonic.yaml file (to deploy in a Portainer stack):


  • Thanks to everyone's help, it is now working as expected. I can confirm that pinging containers by hostname that are outside of the network does not work.


    Something else I figured out: When using user-defined bridge networks, it is not necessary to expose ports (makes sense when I think about it...)


    My files for future reference:

    docker-compose.yml for Jellyfin

    docker-compose.yml for SWAG

    docker-compose.yml for Nextcloud

  • Hi all. First of all, I apologize for the writing, I use the translator xD I followed @chente's tutorial for swag (thanks). But I have a problem: when I enter my domain I get the swag welcome message but the browser lock says not secure. How can it be solved?

  • Is the output of docker logs -f swag correct? Do you get the certificates?

  • [cont-init.d] 10-adduser: exited 0.
    [cont-init.d] 20-config: executing...
    [cont-init.d] 20-config: exited 0.
    [cont-init.d] 30-keygen: executing...
    using keys found in /config/keys
    [cont-init.d] 30-keygen: exited 0.
    [cont-init.d] 50-config: executing...
    Variables set:
    PUID=1000
    PGID=100
    TZ=Europe/Madrid
    URL=xxxx.duckdns.org
    SUBDOMAINS=ha.xxxx.duckdns.org
    EXTRA_DOMAINS=
    ONLY_SUBDOMAINS=true
    VALIDATION=http
    CERTPROVIDER=
    DNSPLUGIN=
    EMAIL=xxxxxx@hotmail.com
    STAGING=

    Using Let's Encrypt as the cert provider
    SUBDOMAINS entered, processing
    SUBDOMAINS entered, processing
    Only subdomains, no URL in cert
    Sub-domains processed are: -d ha.xxxx.duckdns.org.xxxx.duckdns.org
    E-mail address entered: xxxxxx@hotmail.com
    http validation is selected
    Certificate exists; parameters unchanged; starting nginx
    [cont-init.d] 50-config: exited 0.
    [cont-init.d] 60-renew: executing...
    The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
    [cont-init.d] 60-renew: exited 0.
    [cont-init.d] 70-templates: executing...
    [cont-init.d] 70-templates: exited 0.
    [cont-init.d] 90-custom-folders: executing...
    [cont-init.d] 90-custom-folders: exited 0.
    [cont-init.d] 99-custom-files: executing...
    [custom-init] no custom files found exiting...
    [cont-init.d] 99-custom-files: exited 0.
    [cont-init.d] done.
    [services.d] starting services
    [services.d] done.
    Server ready

  • I haven't gotten there yet because of this certificate issue, but my idea is to remove ngm and use homeassistant that I have in a VM (remember from yesterday). My idea is to change a swag to put fail2ban, geoip, etc. everything that your forum tutorial does, it seems safer than ngm.

  • SUBDOMAINS=ha.xxxx.duckdns.org

    Your YML/stack is wrong.


    Post it here but hide sensitive data.

  • After what Soma told you, in the path

    /path_to_your_config_swag/nginx/proxy-confs/

    you have a configuration file called homeassistant.subdomain.conf.sample

    You must copy this file to another called homeassistant.subdomain.conf and edit it to suit your domain.

  • Actually, Firefox tells me that I have a certificate provided by Let's Encrypt that expires in April 2022 and that the connection is encrypted with TLS AES.

    Your YML/stack is wrong.


    Post it here but hide sensitive data.

    You mean the xxxx? I put it on purpose to avoid exposing my information

  • After what Soma told you, in the path

    /path_to_your_config_swag/nginx/proxy-confs/

    you have a configuration file called homeassistant.subdomain.conf.sample

    You must copy this file to another called homeassistant.subdomain.conf and edit it to suit your domain.

    If I understand that, and it is very clear in your tutorial. I am not doing it because when I try to enter my domain I see the swag welcome screen and I see that the browser lock says not secure, so I do not continue out of fear. That is really my question: is that normal??

    I also tell you that I looked in Firefox and it tells me that I have a certificate obtained from Let's Encrypt until April 2022 and the connection is encrypted with TLS AES.


    P.S. Right now I made a jellyfin container, I added it to the swag network and it works perfectly.

    But the same thing happens to me: the padlock that goes before https says not secure, that's what you don't put right.

  • you mean the xxxx? I put it on purpose to avoid exposing my information

    Not that, your swag docker-compose.yml has an error on that line I posted:


    Since you didn't post it, I'm guessing:

    Code
    ......
    PUID=1000
    PGID=100
    TZ=Europe/Madrid
    URL=xxxx.duckdns.org
    SUBDOMAINS=ha.xxxx.duckdns.org # <--- This is wrong. only use the name you want. For eg:
    SUBDOMAINS=www,ha,nextcloud,jellyfin # will make certs for all of those.
    EXTRA_DOMAINS=
    ONLY_SUBDOMAINS=true
    ......

  • Oh yeah. what's more I realized before the message because I created jellyfin, but now it's correct and it works but the lock in jellyfin keeps putting not sure

  • If you post your docker-compose.yml, it will be easier to make it work for ALL services you need.


    You're using duckdns, so it's better to use wildcard.

    That way, you'll have subdomain access without much confusion:


    nextcloud.xxxxxx.duckdns.org

    jellyfin.xxxxx.duckdns.org

    ha.xxxxxx.duckdns.org

    etc

    etc
