I thought you'd still need to pull a new cert
That is what the wildcard is doing there: the cert is created for subdomain.duckdns.org
Then, SWAG proxy it to any sub-subdomain you want/need.
At the very least you're going to have to restart the container to pick up the new subdomain.conf.
That is always mandatory when editing/creating new proxy-confs
I have a feeling his whole problem is that IP he has is not on the same network as docker.
I just set this up in like 10sec in a virtual machine. It's not rocket surgery by any stretch. (10sec may be a stretch, but it was less than 2min I'm sure)
version: "2.2"
services:
swag:
image: ghcr.io/linuxserver/swag
container_name: swag
cap_add:
- NET_ADMIN
environment:
- PUID=1000
- PGID=100
- URL=ken0201-test.duckdns.org
- DUCKDNSTOKEN=my-token
- SUBDOMAINS=wildcard
- VALIDATION=duckdns
- EMAIL=my-email
- CERTPROVIDER=zerossl
volumes:
- /NAS/AppData/swag:/config
- /etc/localtime:/etc/localtime:ro
ports:
- 444:443
- 81:80
restart: unless-stopped-----
[cont-init.d] 30-keygen: exited 0.
[cont-init.d] 50-config: executing...
Variables set:
PUID=1000
PGID=100
TZ=
URL=ken0201-test.duckdns.org
SUBDOMAINS=wildcard
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=duckdns
CERTPROVIDER=zerossl
DNSPLUGIN=
EMAIL=
STAGING=
grep: /config/nginx/resolver.conf: No such file or directory
Setting resolver to 127.0.0.11
grep: /config/nginx/worker_processes.conf: No such file or directory
Setting worker_processes to 1
Created .donoteditthisfile.conf
ZeroSSL is selected as the cert provider, registering cert with
SUBDOMAINS entered, processing
Wildcard cert for ken0201-test.duckdns.org will be requested
E-mail address entered:
duckdns validation is selected
the resulting certificate will only cover the subdomains due to a limitation of duckdns, so it is advised to set the root location to use www.subdomain.duckdns.org
Retrieving EAB from ZeroSSL
Generating new certificate
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for *.ken0201-test.duckdns.org
Hook '--manual-auth-hook' for ken0201-test.duckdns.org ran with error output:
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0
100 2 0 2 0 0 8 0 --:--:-- --:--:-- --:--:-- 8
Hook '--manual-auth-hook' for ken0201-test.duckdns.org ran with output:
OKsleeping 60
Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/ken0201-test.duckdns.org/fullchain.pem
Key is saved at: /etc/letsencrypt/live/ken0201-test.duckdns.org/privkey.pem
This certificate expires on 2022-09-06.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
* Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
* Donating to EFF: https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
New certificate generated; starting nginx
[cont-init.d] 50-config: exited 0.
[cont-init.d] 60-renew: executing...
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[cont-init.d] 60-renew: exited 0.
[cont-init.d] 70-templates: executing...
[cont-init.d] 70-templates: exited 0.
[cont-init.d] 90-custom-folders: executing...
[cont-init.d] 90-custom-folders: exited 0.
[cont-init.d] 99-custom-files: executing...
[custom-init] no custom files found exiting...
[cont-init.d] 99-custom-files: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
Server readyjoe0201@omv6-test:~$ cd /NAS/AppData/swag/nginx/proxy-confs/
joe0201@omv6-test:/NAS/AppData/swag/nginx/proxy-confs$ cp _template.subdomain.conf.sample openmediavault.subdomain.conf
joe0201@omv6-test:/NAS/AppData/swag/nginx/proxy-confs$ nano openmediavault.subdomain.confedited my openmediavault.subdomain.conf as follows. Whether you use omv, openmediavault, or something completely different, is really irrelevant to the discussion so long as you know what it is
## Version 2021/05/18
# REMOVE THIS LINE BEFORE SUBMITTING: The structure of the file (all of the existing lines) should be kept as close as possible to this template.
# REMOVE THIS LINE BEFORE SUBMITTING: Look through this file for <tags> and replace them. Review other sample files to see how things are done.
# REMOVE THIS LINE BEFORE SUBMITTING: The comment lines at the top of the file (below this line) should explain any prerequisites for using the proxy such as DNS or app settings.
# make sure that your dns has a cname set for <container_name> and that your <container_name> container is not using a base url
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name openmediavault.*;
include /config/nginx/ssl.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
# enable for Authelia
#include /config/nginx/authelia-server.conf;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /ldaplogin;
# enable for Authelia
#include /config/nginx/authelia-location.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
set $upstream_app 192.168.1.146;
set $upstream_port 99;
set $upstream_proto http;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
# REMOVE THIS LINE BEFORE SUBMITTING: Additional proxy settings such as headers go below this line, leave the blank line above.
}
# REMOVE THIS LINE BEFORE SUBMITTING: Some proxies require one or more additional location blocks for things like API or RPC endpoints.
# REMOVE THIS LINE BEFORE SUBMITTING: If the proxy you are making a sample for does not require an additional location block please remove the commented out section below.
# location ~ (/<container_name>)?/api {
# include /config/nginx/proxy.conf;
# include /config/nginx/resolver.conf;
# set $upstream_app <container_name>;
# set $upstream_port <port_number>;
# set $upstream_proto <http or https>;
# proxy_pass $upstream_proto://$upstream_app:$upstream_port;
#
# # REMOVE THIS LINE BEFORE SUBMITTING: Additional proxy settings such as headers go below this line, leave the blank line above.
# }
}At this point, I changed the port for the OMV webUI to 99, as reflected in the subdomain.conf
root@omv6-test:~# docker restart swagliterally less than 10sec later (note, it didn't pull a new cert. Obviously I've not used wildcards in a while)
http://172.16.10.100:50000 also opens the web UI
So finally I should have to be able to access: https://172.16.10.100:443 or https://omv.blablabla.duckdns.org ?
That does not work currently.
Now I understand what you are doing.
You have an internal dns which resolves the same name but to an internal ip and you have an external dns for the same name resolving to the external ip.
What are the symptoms of "not work currently"?
Even with an invalid cert you should see something.
Really? I thought you'd still need to pull a new cert.. At the very least you're going to have to restart the container to pick up the new subdomain.conf. I don't use wildcard domains with my personal domain, so I have to identify each subdomain in my domain panel... which will require redeployment.
You need to pull a new cert if you are using http validation, as all names are validated by letsencrypt. If it is possible to use DNS validation, letsencrypt will provide wildcard certs.
As I do not use DuckDNS, I can not tell which methods are supported.
I don't use wildcard domains with my personal domain, so I have to identify each subdomain in my domain panel... which will require redeployment.
In that case, yes you have to pull a new cert. I have about eight subdomains and only have to restart the swag container after creating a new proxy.conf file.
Just thinking about it this morning - for reverse proxy to work for multiple containers, all of them need to be on the same network with the swag container. That is what the first part of my How-To was about. But omv is not set up in a container, so it doesn’t have a network set up like that. I still haven’t gone to my files to see what my .conf file looks like. Way busy today. 
for reverse proxy to work for multiple containers, all of them need to be on the same network with the swag container.
Not entirely true. This is only valid if you don't want to edit the proxy-conf samples.
To have the services on different networks, all you have to do is change the conf to point to the IP:port of the service you want.
In fact, you can even proxy it to a different server on the same LAN.
For eg: I have 2 instances (2x RPi) running on the LAN each with it's own OMV and I have 2 different proxy-confs to point to each of those instances.
So I can access them both via WAN.
Not only OMV but also all other services that are running on the LAN.
Of course there's a catch to this: whenever Linuxserver updates the proxy-confs (NOT OMV since this was made by us but those pre-made) and were edited to suit our needs, it's necessary to update them by hand to reflect those changes.
Thanks everyone, I got it working now!
I had everything set correct, the only thing I missed was that the SWAG container has to open ports on 443 and 80 on the server itself:
After doing that, I could access my OMV via the DNS name.
By the way, is there any difference between ghcr.io/linuxserver/swag and lscr.io/linuxserver/swag:latest (which I used previously)?
They are equal:
root@omv:~# docker manifest inspect ghcr.io/linuxserver/swag
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"manifests": [
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 2418,
"digest": "sha256:4f3cd4b9dcb12001d228ec15a669fd911a2e60e03b66db3ba195e17a9fb86c50",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 2418,
"digest": "sha256:8f28ecf9b8a7bc2f4b438fe64833a188fa6d0e67486adc9b53928817e89730c2",
"platform": {
"architecture": "arm",
"os": "linux",
"variant": "v7"
}
},
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 2418,
"digest": "sha256:34472695ad1aefc2005748686980dd30120142d40d13189864ee874381ea9058",
"platform": {
"architecture": "arm64",
"os": "linux",
"variant": "v8"
}
}
]
}
root@omv:~# docker manifest inspect lscr.io/linuxserver/swag:latest
{
"schemaVersion": 2,
"mediaType": "application/vnd.docker.distribution.manifest.list.v2+json",
"manifests": [
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 2418,
"digest": "sha256:4f3cd4b9dcb12001d228ec15a669fd911a2e60e03b66db3ba195e17a9fb86c50",
"platform": {
"architecture": "amd64",
"os": "linux"
}
},
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 2418,
"digest": "sha256:8f28ecf9b8a7bc2f4b438fe64833a188fa6d0e67486adc9b53928817e89730c2",
"platform": {
"architecture": "arm",
"os": "linux",
"variant": "v7"
}
},
{
"mediaType": "application/vnd.docker.distribution.manifest.v2+json",
"size": 2418,
"digest": "sha256:34472695ad1aefc2005748686980dd30120142d40d13189864ee874381ea9058",
"platform": {
"architecture": "arm64",
"os": "linux",
"variant": "v8"
}
}
]
}It is the same manifest in two different registries.
By the way, is there any difference between ghcr.io/linuxserver/swag and lscr.io/linuxserver/swag:latest (which I used previously)?
linuxserver has underwent several image name changes... *usually* the old ones continue to work, and just link to proper image.
Their images used to be called linuxserver/swag, linuxserver/nextcloud, linuxserver/mariadb, etc.
Then they went to ghcr.io/linuxserver/swag
Then (and I believe currently) lscr.io/linuxserver/swag.
I have no idea why the constant namge change them but when they do it they seem to change them across the board, As Zoki said, the old names still work.
The first part is not part of the name, but gives the dns name of the registry where the image is stored.
no dns part -> dockerhub
ghcr.io -> github registry
lscr.io -> linuxserver own registry (or a proxy to other directories. https://www.linuxserver.io/blog/wrap-up-warm-for-the-winter)
Alles anzeigenThanks!
I now went ahead and configured a conf file for portainer which worked as well.
Although both URLs (server.blablabla.duckdns.org and portainer.blablabla.duckdns.org) resolve to the same local IP > 172.16.10.100, I land on the correct login page depending on the uses URL.
Does this work this way because of the SNI - TLS extension?
Yes, in the config you define a server name which is matched against the sni.
Yes, in the config you define a server name which is matched against the sni.
Alright, understood.
Thanks everyone
In fact, you can even proxy it to a different server on the same LAN.
For eg: I have 2 instances (2x RPi) running on the LAN each with it's own OMV and I have 2 different proxy-confs to point to each of those instances.So I can access them both via WAN.
Not only OMV but also all other services that are running on the LAN.
Interesting. I thought everything had to be on the same ip. Could you post a sample .conf file?
Interesting. I thought everything had to be on the same ip. Could you post a sample .conf file?
There's no science on this,
Let's say you have SWAG running on IP 192.168.1.2 with duckdns/wildcard and you have services running on that same IP for eg: Portainer, OMV, adguard just to name a few).
And on another IP 192.168.1.3 there's OMV, Portainer, emby.
Now, to access to all them, make several copies of a standard conf.sample and name them with a simple name:
omv1.subdomain.conf omv2.subdomain.conf portainer1.subdomain.conf etc...
Next, just make the changes on the conf to reflect the IPs and ports where those services are running:
omv1.subdomain.conf:
....
server_name omv1.*; # note: this is OMV running on the 192.68.1.2 for eg.
.....
set $upstream_app 192.168.1.2; # note: edit with the LAN IP of your OpenMediaVault server.
set $upstream_port XX; # note: same port used on the server for OpenMediaVault.Now do the same for omv2.subdomain.conf changing the IP and the port it uses:
....
server_name omv2.*; # note: this is OMV running on the 192.68.1.3 for eg.
.....
set $upstream_app 192.168.1.3; # note: edit with the LAN IP of your OpenMediaVault server.
set $upstream_port XX; # note: same port used on the server for OpenMediaVault.Now do this for portainer also, if you want.
And this is valid for any pre-made conf.sample that SWAG has.
So, bottom line is:
SWAG runs on an IP and reverse-proxies to all LAN if required.
Heck, it can probably also be reversed to WAN (haven't tried it or needed it)
All it takes is to point any single conf to the proper IP:port and with a unique name.
Soma well I am embarrassed.
If I had just looked at my original .conf file, I would have seen all of this at a glance. I would be less embarrassed if I had asked you how to fall down. Thanks Soma.
I would have seen all of this at a glance.
Sometimes the simple answer is the hardest to see, 😁
Glad you're sorted.
Sie haben noch kein Benutzerkonto auf unserer Seite? Registrieren Sie sich kostenlos und nehmen Sie an unserer Community teil!