Can I place other containers behind swag for https?

I have a docker server with 9 containers running on it. All the containers are accessible through their web interfaces on port 80. Can I use the swag container to put all the containers behind https?

I’ve used swag in the past, and I understand I need to have a domain, and ports 80/443 open, for letsencrypt validation. I have no problem setting up and configuring swag as a web server.

But I’ve never configured it as a proxy server. What must I do to put these containers behind swag, and what configuration is required on the containers themselves?

The containers need no configuration as far as I know.

There are a bunch of files named something.subdomain.conf.sample in swag’s nginx/proxy-conf directory. For example, if you’re running nextcloud, rename nextcloud.subdomain.conf.sample to nextcloud.subdomain.conf and edit it as needed. There are usually instructions as comments in the files.

Then you need to assign the subdomains for swag. See swag - LinuxServer.io for details.

I don’t understand how you can access all your containers from port 80 though, so maybe I’m missing something here.

Sorry, when I said port 80, I meant insecure connection.

That is one of the most common uses of SWAG.

Once configured properly, you can access all of your services over your domain with https, remotely and locally. I would recommend setting up auth through Authelia or Authentik.

Once SWAG is set up to access the other containers via the docker network, you can remove the port mappings in those other containers so they can only be accessed through SWAG with the security protections in place.

Apart from the main SWAG doc linked above, you can also check out this document that provides a bunch of examples: SWAG - LinuxServer.io

I’ve been through the document, and I tried a bunch of stuff, but it’s not really clear what configuration needs to be done on the other containers besides swag.

This is my docker-compose.yml, where I’m trying to put portainer behind swag.
Swag is accessible on “my_domain_here.com” with a secure ssl, but portainer.my_domain_here.com just takes me to the default page generated by swag.

services:
  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    hostname: swag
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1001
      - PGID=1001
      - URL=my_domain_here.com
      - SUBDOMAINS=www,portainer
      - VALIDATION=http
      - CERTPROVIDER=zerossl
      - EMAIL=my@email.here
    networks:
      - network
    ports:
      - 80:80
      - 443:443
    volumes:
      - swag:/config

  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    hostname: portainer
    restart: unless-stopped
    environment:
      - PUID=1001
      - PGID=1001
      - DOCKER_MODS=linuxserver/mods:universal-docker|linuxserver/mods:swag-auto-proxy
    networks:
      - network
    ports:
      - 9000:9000
    volumes:
      - portainer:/data
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - swag=enable

networks:
  network:

volumes:
  swag:
  portainer:

It’s prudent to be as specific as possible when asking for support.

You asked about SWAG and reverse proxy, but now I see that you’re attempting to use the auto-proxy mod, which is a completely different thing.

The auto proxy readme explains it but in a nutshell, you only add the auto-proxy and docker mods to SWAG, and then you add the relevant labels to the other container. After that just watch the SWAG logs and it will tell you everything it’s attempting to do.

I was under the impression that auto-proxy is like a plugin for swag, to enable using it as a reverse proxy.

Swag logs aren’t really telling me anything. Everything seems to be ok.

[migrations] started
[migrations] 01-nginx-site-confs-default: skipped
[migrations] done
usermod: no changes
───────────────────────────────────────
      ██╗     ███████╗██╗ ██████╗
      ██║     ██╔════╝██║██╔═══██╗
      ██║     ███████╗██║██║   ██║
      ██║     ╚════██║██║██║   ██║
      ███████╗███████║██║╚██████╔╝
      ╚══════╝╚══════╝╚═╝ ╚═════╝
   Brought to you by linuxserver.io
───────────────────────────────────────
To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID:    1001
User GID:    1001
───────────────────────────────────────
Linuxserver.io version: 3.0.0-ls334
Build-date: 2024-11-05T20:25:10+00:00
───────────────────────────────────────
    
using keys found in /config/keys
Variables set:
      
1
      
1
TZ=
URL=domain_here.com
SUBDOMAINS=www,portainer
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=http
CERTPROVIDER=zerossl
DNSPLUGIN=
EMAIL=my@email.here
STAGING=
ZeroSSL is selected as the cert provider, registering cert with my@email.here
SUBDOMAINS entered, processing
Sub-domains processed are: www.domain_here.com,portainer.domain_here.com
E-mail address entered: my@email.here
http validation is selected
Certificate exists; parameters unchanged; starting nginx
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[custom-init] No custom files found, skipping...
[ls.io-init] done.
      
Server ready

Check in the volume for swag: /log/nginx/access.log

You did not enable the auto proxy mod.

OK, I figured out my mistake. This was the correct docker-compose.yml:

services:
  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    hostname: swag
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1001
      - PGID=1001
      - URL=my_domain_here.com
      - SUBDOMAINS=www,portainer
      - VALIDATION=http
      - CERTPROVIDER=zerossl
      - EMAIL=my@email_here.net
      - DOCKER_MODS=linuxserver/mods:universal-docker|linuxserver/mods:swag-auto-proxy
    networks:
      - network
    ports:
      - 80:80
      - 443:443
    volumes:
      - swag:/config
      - /var/run/docker.sock:/var/run/docker.sock:ro

  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    hostname: portainer
    restart: unless-stopped
    environment:
      - PUID=1001
      - PGID=1001
    networks:
      - network
    ports:
      - 9000:9000
    volumes:
      - portainer:/data
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - swag=enable

networks:
  network:

volumes:
  swag:
  portainer:

According to the documentation (and the logs) this is now using the preset proxy conf for portainer, located in “nginx/proxy-confs”.

If I use a container that doesn’t have a preset proxy conf, will it automatically use a generic configuration? Or will it simply be unsupported and not work?
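An added example, not code from the thread or from LinuxServer.io: a small audit of a parsed Compose file for the points raised above, namely the auto-proxy mod and a read-only Docker socket belonging on the swag service, and the earlier advice to drop port mappings from proxied containers. The function names and the two sample inputs are constructed for illustration and mirror the two compose files posted in the thread.

```python
# Added example: audit a parsed Compose mapping for the SWAG auto-proxy issues in this thread.
MOD = "linuxserver/mods:swag-auto-proxy"
SOCK = "/var/run/docker.sock"

def as_map(value):
    """environment/labels may be a mapping or a list of KEY=VALUE strings."""
    if isinstance(value, dict):
        return {k: str(v) for k, v in value.items()}
    return dict(i.split("=", 1) if "=" in i else (i, "") for i in value or [])

def sock_mode(volumes):
    """Return 'ro', 'rw' or None for a bind mount of the Docker socket."""
    for vol in volumes or []:
        if isinstance(vol, dict):                      # long syntax
            src, ro = vol.get("source"), bool(vol.get("read_only"))
        else:                                          # short syntax src:dst[:mode]
            parts = vol.split(":")
            src, ro = parts[0], len(parts) > 2 and "ro" in parts[2].split(",")
        if src == SOCK:
            return "ro" if ro else "rw"
    return None

def audit(compose, proxy="swag"):
    """Return a list of findings; an empty list means none of the checks fired."""
    out, services = [], compose.get("services", {})
    swag = services.get(proxy, {})
    if MOD not in as_map(swag.get("environment")).get("DOCKER_MODS", "").split("|"):
        out.append(f"{proxy}: DOCKER_MODS lacks {MOD}")
    if sock_mode(swag.get("volumes")) != "ro":         # as in the thread's working file
        out.append(f"{proxy}: Docker socket not mounted :ro")
    for name, svc in services.items():
        if name == proxy:
            continue
        if MOD in as_map(svc.get("environment")).get("DOCKER_MODS", ""):
            out.append(f"{name}: auto-proxy mod belongs on {proxy}, not here")
        if as_map(svc.get("labels")).get("swag") == "enable" and svc.get("ports"):
            out.append(f"{name}: published ports {svc['ports']} bypass {proxy}")
    return out

# Constructed inputs mirroring the thread's first and corrected compose files.
PORTAINER = {"ports": ["9000:9000"], "labels": ["swag=enable"], "volumes": [f"{SOCK}:{SOCK}"]}
MODS_ENV = ["DOCKER_MODS=linuxserver/mods:universal-docker|" + MOD]
FIRST = {"services": {
    "swag": {"environment": [], "volumes": ["swag:/config"]},
    "portainer": {**PORTAINER, "environment": MODS_ENV}}}
FIXED = {"services": {
    "swag": {"environment": MODS_ENV, "volumes": ["swag:/config", f"{SOCK}:{SOCK}:ro"]},
    "portainer": PORTAINER}}
print(audit(FIRST), audit(FIXED), sep="\n")
```

On the corrected file the only remaining finding is the `9000:9000` mapping on portainer, which keeps the container reachable directly on the host instead of only through swag. To audit a real project, load the output of `docker compose config --format json` with `json.load` and pass it to `audit`.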