I have a docker server with 9 containers running on it. All the containers are accessible through their web interfaces on port 80. Can I use the swag container to put all the containers behind https?
I’ve used swag in the past, and I understand I need to have a domain, and ports 80/443 open, for letsencrypt validation. I have no problem setting up and configuring swag as a web server.
But I’ve never configured it as a proxy server. What must I do to put these containers behind swag, and what configuration is required on the containers themselves?
The containers need no configuration as far as I know.
There are a bunch of files named something.subdomain.conf.sample in swag’s nginx/proxy-conf directory. For example, if you’re running nextcloud, rename nextcloud.subdomain.conf.sample to nextcloud.subdomain.conf and edit it as needed. There are usually instructions as comments in the files.
Then you need to assign the subdomains for swag. See swag - LinuxServer.io for details.
I don’t understand how you can access all your containers from port 80 though, so maybe I’m missing something here.
Sorry, when I said port 80, I meant insecure connection.
That is one of the most common uses of SWAG.
Once configured properly, you can access all of your services over your domain with https, remotely and locally. I would recommend setting up auth through Authelia or Authentik.
Once SWAG is set up to access the other containers via the docker network, you can remove the port mappings in those other containers so they can only be accessed through SWAG with the security protections in place.
Apart from the main SWAG doc linked above, you can also check out this document that provides a bunch of examples: SWAG - LinuxServer.io
I’ve been through the document, and I tried a bunch of stuff, but it’s not really clear what configuration needs to be done on the other containers besides swag.
This is my docker-compose.yml, where I’m trying to put portainer behind swag.
Swag is accessible on “my_domain_here.com” with a secure ssl, but portainer.my_domain_here.com just takes me to the default page generated by swag.
```yaml
services:
  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    hostname: swag
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1001
      - PGID=1001
      - URL=my_domain_here.com
      - SUBDOMAINS=www,portainer
      - VALIDATION=http
      - CERTPROVIDER=zerossl
      - EMAIL=my@email.here
    networks:
      - network
    ports:
      - 80:80
      - 443:443
    volumes:
      - swag:/config
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    hostname: portainer
    restart: unless-stopped
    environment:
      - PUID=1001
      - PGID=1001
      - DOCKER_MODS=linuxserver/mods:universal-docker|linuxserver/mods:swag-auto-proxy
    networks:
      - network
    ports:
      - 9000:9000
    volumes:
      - portainer:/data
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - swag=enable
networks:
  network:
volumes:
  swag:
  portainer:
```
It’s prudent to be as specific as possible when asking for support.
You asked about SWAG and reverse proxy, but now I see that you’re attempting to use the auto-proxy mod, which is a completely different thing.
The auto proxy readme explains it but in a nutshell, you only add the auto-proxy and docker mods to SWAG, and then you add the relevant labels to the other container. After that just watch the SWAG logs and it will tell you everything it’s attempting to do.
I was under the impression that auto-proxy is like a plugin for swag, to enable using it as a reverse proxy.
swag logs aren’t really telling me anything. Everything seems to be ok.
```
[migrations] started
[migrations] 01-nginx-site-confs-default: skipped
[migrations] done
usermod: no changes
───────────────────────────────────────
██╗ ███████╗██╗ ██████╗
██║ ██╔════╝██║██╔═══██╗
██║ ███████╗██║██║ ██║
██║ ╚════██║██║██║ ██║
███████╗███████║██║╚██████╔╝
╚══════╝╚══════╝╚═╝ ╚═════╝
Brought to you by linuxserver.io
───────────────────────────────────────
To support the app dev(s) visit:
Certbot: https://supporters.eff.org/donate/support-work-on-certbot
To support LSIO projects visit:
https://www.linuxserver.io/donate/
───────────────────────────────────────
GID/UID
───────────────────────────────────────
User UID: 1001
User GID: 1001
───────────────────────────────────────
Linuxserver.io version: 3.0.0-ls334
Build-date: 2024-11-05T20:25:10+00:00
───────────────────────────────────────
using keys found in /config/keys
Variables set:
1
1
TZ=
URL=domain_here.com
SUBDOMAINS=www,portainer
EXTRA_DOMAINS=
ONLY_SUBDOMAINS=false
VALIDATION=http
CERTPROVIDER=zerossl
DNSPLUGIN=
EMAIL=my@email.here
STAGING=
ZeroSSL is selected as the cert provider, registering cert with my@email.here
SUBDOMAINS entered, processing
Sub-domains processed are: www.domain_here.com,portainer.domain_here.com
E-mail address entered: my@email.here
http validation is selected
Certificate exists; parameters unchanged; starting nginx
The cert does not expire within the next day. Letting the cron script handle the renewal attempts overnight (2:08am).
[custom-init] No custom files found, skipping...
[ls.io-init] done.
Server ready
```
Check in the volume for swag: /log/nginx/access.log
You did not enable the auto proxy mod
OK, I figured out my mistake. This was the correct docker-compose.yml:
```yaml
services:
  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    hostname: swag
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1001
      - PGID=1001
      - URL=my_domain_here.com
      - SUBDOMAINS=www,portainer
      - VALIDATION=http
      - CERTPROVIDER=zerossl
      - EMAIL=my@email_here.net
      - DOCKER_MODS=linuxserver/mods:universal-docker|linuxserver/mods:swag-auto-proxy
    networks:
      - network
    ports:
      - 80:80
      - 443:443
    volumes:
      - swag:/config
      - /var/run/docker.sock:/var/run/docker.sock:ro
  portainer:
    image: portainer/portainer-ce:latest
    container_name: portainer
    hostname: portainer
    restart: unless-stopped
    environment:
      - PUID=1001
      - PGID=1001
    networks:
      - network
    ports:
      - 9000:9000
    volumes:
      - portainer:/data
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - swag=enable
networks:
  network:
volumes:
  swag:
  portainer:
```
According to the documentation (and the logs) this is now using the preset proxy conf for portainer, located in “nginx/proxy-confs”.
If I use a container that doesn’t have a preset proxy conf, will it automatically use a generic configuration? Or will it simply be unsupported and not work?
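A check for the earlier advice in this thread about removing port mappings once SWAG reaches the other containers over the docker network, as an added example that is not part of any post or of the SWAG project. It assumes input shaped like the output of `docker compose config --format json`; the sample is constructed from the final compose file above, and the function and issue names are made up for the example.

```python
import json

# Constructed sample: only the fields this check reads from the output of
# `docker compose config --format json` for the final compose file above.
SAMPLE = json.loads("""
{"services": {
  "swag": {"networks": {"network": null},
           "ports": [{"target": 80, "published": "80"},
                     {"target": 443, "published": "443"}]},
  "portainer": {"networks": {"network": null},
                "ports": [{"target": 9000, "published": "9000"}]}
}}
""")

LOOPBACK = {"127.0.0.1", "::1"}

def audit(config, proxy="swag"):
    """List (service, issue, detail) for services that are reachable without
    going through the proxy, or that the proxy cannot reach at all."""
    services = config.get("services", {})
    proxy_nets = set(services.get(proxy, {}).get("networks") or {})
    findings = []
    for name, svc in sorted(services.items()):
        if name == proxy:
            continue
        # A published port is reachable directly on the host, so requests to
        # it never pass through SWAG's TLS or any auth configured there.
        for port in svc.get("ports") or []:
            host_ip = port.get("host_ip", "0.0.0.0")
            if host_ip not in LOOPBACK:
                published = port.get("published", "random")
                detail = f"{host_ip}:{published}->{port['target']}"
                findings.append((name, "published-port", detail))
        # Host networking exposes every listening port of the container.
        if svc.get("network_mode") == "host":
            findings.append((name, "host-network", "all ports on host"))
        # SWAG proxies by container name, which needs a shared docker network.
        elif not proxy_nets & set(svc.get("networks") or {}):
            detail = f"not on {sorted(proxy_nets)}"
            findings.append((name, "no-shared-network", detail))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
```

On the sample it reports portainer's `9000:9000` mapping, and the report is empty once that `ports:` entry is removed from the portainer service.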