### Example User ID Output

Source: https://github.com/linuxserver/docker-swag/blob/master/README.md

This is an example output from the 'id your_user' command, showing the user and group IDs.

```text
uid=1000(your_user) gid=1000(your_user) groups=1000(your_user)
```

--------------------------------

### Certbot Deploy Hook Example

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/ARCHITECTURE.md

Example of a deploy hook script for Certbot. This hook is responsible for generating additional certificate formats like PFX and PEM bundles after a successful renewal.

```text
Deploy hook: /config/etc/letsencrypt/renewal-hooks/deploy/10-default
  └─ Generate PFX and pem bundle formats
```

--------------------------------

### Docker Compose Minimal Volume Setup

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/DOCKER-RUNTIME.md

Configure volume mounts in Docker Compose for minimal setup, including an optional named volume for certificates.

```yaml
volumes:
  - /host/path/swag/config:/config
  - swag-letsencrypt:/config/etc/letsencrypt  # (optional) named volume for certs
```

--------------------------------

### Start Session and Set Session Variable (PHP)

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/PHP-RUNTIME.md

Initiates a session and sets a session variable. Ensure session.save_path is configured appropriately.

```php
<?php
session_start();
$_SESSION['username'] = 'john';
```

--------------------------------

### SWAG Docker Compose Example

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/DOCKER-RUNTIME.md

A full Docker Compose configuration for the SWAG container. This example includes essential environment variables, volume mappings, port configurations, and network settings.

```yaml
version: '3.9'

services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=America/New_York
      - URL=example.com
      - VALIDATION=dns
      - SUBDOMAINS=www,api,admin
      - DNSPLUGIN=cloudflare
      - CERTPROVIDER=letsencrypt
      - EMAIL=admin@example.com
      - STAGING=false
      - SWAG_AUTORELOAD=true
    volumes:
      - /path/to/config:/config
      - /etc/localtime:/etc/localtime:ro
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    restart: unless-stopped
    healthcheck:
      test: ["CMD", "wget", "--quiet", "--spider", "https://localhost/"]
      interval: 30s
      timeout: 10s
      retries: 3
      start_period: 40s
    networks:
      - swag

networks:
  swag:
    driver: bridge
```

--------------------------------

### Loading PFX Certificate in C#/.NET

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/CERTBOT-CERTIFICATE-MANAGEMENT.md

Example of loading the PKCS#12 formatted certificate (`privkey.pfx`) in a C# or .NET application. No password is required.

```csharp
// C# / .NET example
using System.Security.Cryptography.X509Certificates;

var certificate = new X509Certificate2("/config/keys/privkey.pfx");
// No password needed, file is unencrypted
```

--------------------------------

### Mounting Certs to Other Containers

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/DOCKER-RUNTIME.md

Examples for mounting SSL certificates to other containers, either the full config or just the letsencrypt directory for enhanced security.

```bash
# Method 1: Mount full config
-v /host/swag/config:/swag-ssl
# Use certs at: /swag-ssl/keys/letsencrypt/

# Method 2: Mount only letsencrypt (more secure)
-v /host/swag/config/etc:/swag-ssl
# Use certs at: /swag-ssl/letsencrypt/live/example.com/
```

--------------------------------

### Custom Fail2Ban Filter Example

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/FAIL2BAN-SECURITY.md

Example of a custom Fail2Ban filter configuration file, defining regex patterns for rate limiting and invalid user attempts, along with an ignore rule.

```ini
[Definition]
# <HOST> is Fail2Ban's placeholder for the client address.
# First pattern: rate limit exceeded (429); second pattern: invalid user
failregex = ^<HOST> \[.*?\] ".*?" 429
            ^<HOST> \[.*?\] invalid user
ignoreregex = ^<HOST> .* admin.*
```

--------------------------------

### Configure Redis Session Storage (PHP)

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/PHP-RUNTIME.md

Connect to a Redis instance and start a session. Session data will automatically persist to Redis.

```php
<?php
$redis = new Redis();
$redis->connect('redis-container', 6379);
session_start();
// $_SESSION data automatically persists to Redis
?>
```

--------------------------------

### Install Certbot DNS Plugin with Docker Mods

Source: https://github.com/linuxserver/docker-swag/blob/master/README.md

Use this to install a specific Certbot DNS plugin not included by default. Ensure the plugin's credentials are configured in `/config/dns-conf/.ini`. It's recommended to use `STAGING=true` for initial testing.

```yaml
DOCKER_MODS=linuxserver/mods:universal-package-install
INSTALL_PIP_PACKAGES=certbot-dns-
```

--------------------------------

### Check Installed Certbot Plugins

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/CERTBOT-CERTIFICATE-MANAGEMENT.md

List all available Certbot plugins and their current status. Use this to verify that the DNS plugin you are trying to use is installed and recognized.

```bash
docker exec swag certbot plugins
```

--------------------------------

### Docker CLI Command for SWAG Setup

Source: https://github.com/linuxserver/docker-swag/blob/master/README.md

This command demonstrates how to run the SWAG container using the Docker CLI. It includes essential flags for networking, environment variables, and volume mounting.

```bash
docker run -d \
  --name=swag \
  --cap-add=NET_ADMIN \
  -e PUID=1000 \
  -e PGID=1000 \
  -e TZ=Etc/UTC \
  -e URL=example.com \
  -e VALIDATION=http \
  -e SUBDOMAINS=www, `#optional` \
  -e CERTPROVIDER= `#optional` \
  -e DNSPLUGIN=cloudflare `#optional` \
  -e PROPAGATION= `#optional` \
  -e EMAIL= `#optional` \
  -e ONLY_SUBDOMAINS=false `#optional` \
  -e EXTRA_DOMAINS= `#optional` \
  -e STAGING=false `#optional` \
  -e DISABLE_F2B= `#optional` \
  -e SWAG_AUTORELOAD= `#optional` \
  -e SWAG_AUTORELOAD_WATCHLIST= `#optional` \
  -p 443:443 \
  -p 80:80 `#optional` \
  -p 443:443/udp `#optional` \
  -v /path/to/swag/config:/config \
  --restart unless-stopped \
  lscr.io/linuxserver/swag:latest
```

--------------------------------

### Nginx Authentication Configuration

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/INDEX.md

Example Nginx configuration directives to enable basic authentication using an htpasswd file. Ensure the path to the .htpasswd file is correct.

```nginx
auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;
```

--------------------------------

### View Active Nginx Configuration Files

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/TROUBLESHOOTING-AND-DEBUGGING.md

Inspect the main Nginx configuration file and search for included configuration files or server names to understand the active setup.

```bash
docker exec swag cat /etc/nginx/nginx.conf
```

```bash
docker exec swag nginx -T | grep "include\|server_name"
```

--------------------------------

### Customize HTTP Auth Jail Configuration

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/FAIL2BAN-SECURITY.md

An example demonstrating how to customize the `nginx-http-auth` jail with specific retry limits, ban times, and whitelisted IPs.

```ini
[nginx-http-auth]
enabled = true
filter = nginx-http-auth
port = http,https
logpath = /config/log/nginx/access.log
# Allow 5 failures instead of 3
maxretry = 5
# 15-minute window instead of 10
findtime = 900
# 2 hours instead of 1
bantime = 7200
# Whitelist local network
ignoreip = 127.0.0.1 192.168.1.0/24
```

--------------------------------

### Docker Compose Separate Cert Volume Setup

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/DOCKER-RUNTIME.md

Set up Docker Compose with separate volume mounts for configuration, certificates, and logs.

```yaml
volumes:
  - /host/path/swag/config:/config
  - /host/path/swag/certs:/config/etc/letsencrypt
  - /host/path/swag/logs:/config/log
```

--------------------------------

### SWAG Docker Compose Minimal Example

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/README.md

A basic Docker Compose configuration to set up the SWAG container. Be sure to replace placeholder values like PUID, PGID, TZ, URL, and the config volume path with your specific settings.

```yaml
version: '3.9'

services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Etc/UTC
      - URL=example.com
      - VALIDATION=http
    volumes:
      - /path/to/config:/config
    ports:
      - "443:443"
      - "80:80"
    restart: unless-stopped
```

--------------------------------

### Configure Brotli Compression (Optional)

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/NGINX-CONFIGURATION.md

Enable Brotli compression for potentially better compression ratios than Gzip, if the nginx-mod-http-brotli module is installed. Configures compression level and content types.

```nginx
brotli on;
brotli_comp_level 6;
brotli_types text/plain text/css text/xml text/javascript application/x-javascript application/xml+rss application/json;
```

--------------------------------

### Get SWAG Container Version

Source: https://github.com/linuxserver/docker-swag/blob/master/README.md

Retrieve the build version label from the running SWAG container.

```bash
docker inspect -f '{{ index .Config.Labels "build_version" }}' swag
```

--------------------------------

### Generate htpasswd Hash

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/INDEX.md

Use this command to generate an htpasswd file for basic authentication. Ensure the user and path are correct for your setup.

```bash
docker exec swag htpasswd -c /config/nginx/.htpasswd user
```

--------------------------------

### Get SWAG Image Version

Source: https://github.com/linuxserver/docker-swag/blob/master/README.md

Retrieve the build version label from the SWAG Docker image.

```bash
docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/swag:latest
```

--------------------------------

### Enable Fail2Ban Debug Logging

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/FAIL2BAN-SECURITY.md

Set loglevel to DEBUG and specify a logpath in jail.local to get detailed output for troubleshooting.
Remember to restart Fail2Ban after changes.

```ini
[DEFAULT]
loglevel = DEBUG
logpath = /var/log/fail2ban.log
```

--------------------------------

### Set and Get Value from Redis Cache (PHP)

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/PHP-RUNTIME.md

Connects to a Redis instance, sets a key-value pair with an expiration time, and then retrieves the value.

```php
<?php
$redis = new Redis();
$redis->connect('redis-host', 6379);
$redis->set('key', 'value', 3600); // 1 hour TTL
echo $redis->get('key');
?>
```

--------------------------------

### Create PHP Info Page

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/PHP-RUNTIME.md

Create this file to generate a PHP info page. Access it via your domain to verify installed PHP extensions. Remember to remove this file in production environments as it exposes sensitive information.

```php
<?php phpinfo(); ?>
```

--------------------------------

### Define a Custom Webhook Action for Fail2Ban

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/FAIL2BAN-SECURITY.md

Create a custom action to send ban and unban events to a webhook endpoint using cURL. This example defines actions for starting, stopping, banning, and unbanning.

```ini
[Definition]
# <ip> is Fail2Ban's tag for the address being banned or unbanned
actionstart = echo "Jail started" | curl -X POST http://webhook:8080/fail2ban
actionstop = echo "Jail stopped" | curl -X POST http://webhook:8080/fail2ban
actionban = echo "Banning <ip>" | curl -X POST http://webhook:8080/ban -d "ip=<ip>"
actionunban = echo "Unbanning <ip>" | curl -X POST http://webhook:8080/unban -d "ip=<ip>"
```

--------------------------------

### Troubleshoot Container Startup Issues

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/INDEX.md

Check environment variables like URL and VALIDATION, and review container logs for startup problems.

```bash
docker logs swag
```

--------------------------------

### Copy Sample Proxy Configuration

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/NGINX-CONFIGURATION.md

Copies a sample proxy configuration file to an active configuration, removing the `.sample` suffix. This is the first step in enabling a pre-defined proxy configuration.

```bash
cp /config/nginx/proxy_confs/plex.subdomain.conf.sample /config/nginx/proxy_confs/plex.subdomain.conf
```

--------------------------------

### Certbot Pre-renewal Hook Example

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/ARCHITECTURE.md

Example of a pre-renewal hook script for Certbot. This hook stops the Nginx server to prevent conflicts during certificate validation.

```text
Pre-renewal hook: /config/etc/letsencrypt/renewal-hooks/pre/10-nginx
  └─ nginx -s stop (prevents validation conflicts)
```

--------------------------------

### Run QEMU Static for Cross-Architecture Builds

Source: https://github.com/linuxserver/docker-swag/blob/master/README.md

Use `qemu-static` to enable building ARM variants on x86_64 hardware, or vice versa. This command resets the static binaries.

```bash
docker run --rm --privileged lscr.io/linuxserver/qemu-static --reset
```

--------------------------------

### Enable Authentik Nginx Proxy Configurations

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/AUTHENTICATION-AND-ACCESS-CONTROL.md

Copy the sample Authentik Nginx configuration files to enable Authentik integration with SWAG. These files are similar to Authelia's but tailored for Authentik.

```bash
cp /config/nginx/proxy_confs/authentik-server.conf.sample /config/nginx/proxy_confs/authentik-server.conf
cp /config/nginx/proxy_confs/authentik-location.conf.sample /config/nginx/proxy_confs/authentik-location.conf
```

--------------------------------

### Docker Mods for SWAG

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/ARCHITECTURE.md

Utilize Docker Mods to extend SWAG functionality, such as installing additional packages or PHP extensions. Specify mods using the `DOCKER_MODS` environment variable and install pip packages with `INSTALL_PIP_PACKAGES`.

```bash
DOCKER_MODS=linuxserver/mods:universal-package-install
INSTALL_PIP_PACKAGES=certbot-dns-extra-plugin
```

--------------------------------

### Enable Authelia Nginx Proxy Configurations

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/AUTHENTICATION-AND-ACCESS-CONTROL.md

Copy the sample Authelia Nginx configuration files to enable Authelia integration with SWAG. These files define how Nginx handles authentication requests.

```bash
cp /config/nginx/proxy_confs/authelia-server.conf.sample /config/nginx/proxy_confs/authelia-server.conf
cp /config/nginx/proxy_confs/authelia-location.conf.sample /config/nginx/proxy_confs/authelia-location.conf
```

--------------------------------

### Test Nginx Syntax and Configuration

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/TROUBLESHOOTING-AND-DEBUGGING.md

Use these commands to test Nginx configuration syntax and view the full configuration. Essential before reloading Nginx after changes.

```bash
docker exec swag nginx -t
```

```bash
docker exec swag nginx -T | head -100
```

--------------------------------

### Update Specific Docker Compose Container

Source: https://github.com/linuxserver/docker-swag/blob/master/README.md

Recreate and start a single service, 'swag', to use its updated image.

```bash
docker-compose up -d swag
```

--------------------------------

### Update All Docker Compose Containers

Source: https://github.com/linuxserver/docker-swag/blob/master/README.md

Recreate and start all services defined in your docker-compose.yml file to use the updated images.

```bash
docker-compose up -d
```

--------------------------------

### Access SWAG Container Shell

Source: https://github.com/linuxserver/docker-swag/blob/master/README.md

Use this command to get a shell inside the running SWAG container for debugging or inspection.

```bash
docker exec -it swag /bin/bash
```

--------------------------------

### Pull Specific Docker Compose Image

Source: https://github.com/linuxserver/docker-swag/blob/master/README.md

Update the image for a single service, 'swag' in this case, within your Docker Compose setup.

```bash
docker-compose pull swag
```

--------------------------------

### Let's Encrypt Configuration (Default)

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/CERTBOT-CERTIFICATE-MANAGEMENT.md

Configure Certbot to use Let's Encrypt as the ACME provider. This is the default if CERTPROVIDER is omitted. Ensure your URL is set correctly.

```yaml
URL: example.com
CERTPROVIDER: letsencrypt  # (default if omitted)
VALIDATION: http  # or dns
```

--------------------------------

### Generate htpasswd file for SWAG

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/AUTHENTICATION-AND-ACCESS-CONTROL.md

Use this command to create the initial htpasswd file and add the first user. You will be prompted to enter a password.

```bash
docker exec -it swag htpasswd -c /config/nginx/.htpasswd username
```

--------------------------------

### Connect to MySQL/MariaDB using MySQLi (PHP)

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/PHP-RUNTIME.md

Establishes a connection to a MySQL or MariaDB database using the MySQLi extension and executes a query.

```php
<?php
// Placeholder connection values; the original arguments are missing from this page
$conn = new mysqli('DB_HOST', 'DB_USER', 'DB_PASSWORD', 'DB_NAME');
if ($conn->connect_error) {
    die('Connection failed: ' . $conn->connect_error);
}
$result = $conn->query('SELECT * FROM users');
?>
```

--------------------------------

### Fail2Ban Architecture Overview

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/ARCHITECTURE.md

Illustrates the Fail2Ban architecture, showing how it monitors log files, filters for violations, applies jail policies, and takes action to ban malicious IPs.

```text
Log files (Nginx access log)
    ↓ (monitored via inotify)
Fail2Ban daemon
  ├─ Filter (regex matching)
  │   └─ Detect violation patterns
  ├─ Jail (policy)
  │   └─ Enforce maxretry/findtime
  └─ Action (punishment)
      ├─ iptables (block IP)
      ├─ sendmail (notify admin)
      └─ webhook (custom)
    ↓
iptables rules created
  └─ DROP/REJECT packets from banned IP
    ↓
After bantime expires:
  └─ iptables rules deleted (unban)
```

--------------------------------

### Enable HTTP/2 Server Push with Link Headers

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/NGINX-CONFIGURATION.md

Configure NGINX to proactively push critical resources like CSS and JavaScript to clients using Link headers. This improves initial page load times.

```nginx
add_header Link "; rel=preload; as=style" always;
add_header Link "; rel=preload; as=script" always;
```

--------------------------------

### s6 Init System Behavior Setting

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/ARCHITECTURE.md

Configures s6 to exit if any service fails during the init stage. This prevents containers from running in an inconsistent or zombie state.

```bash
S6_BEHAVIOUR_IF_STAGE2_FAILS=2
```

--------------------------------

### Check Fail2Ban Status

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/TROUBLESHOOTING-AND-DEBUGGING.md

Use this command to get an overview of the Fail2Ban service status, including enabled jails and the number of currently banned IPs.

```bash
# Check Fail2Ban status
docker exec swag fail2ban-client status
```

--------------------------------

### Check Port 443 Usage

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/TROUBLESHOOTING-AND-DEBUGGING.md

If Nginx fails to start due to port 443 being in use, this command helps identify which process is occupying the port.

```bash
docker exec swag ss -tlnp | grep 443
```

--------------------------------

### Build SWAG Docker Image Locally

Source: https://github.com/linuxserver/docker-swag/blob/master/README.md

Clone the SWAG repository and build the Docker image locally. Use `--no-cache` to ensure a fresh build and `--pull` to fetch the latest base image.

```bash
git clone https://github.com/linuxserver/docker-swag.git
cd docker-swag
docker build \
  --no-cache \
  --pull \
  -t lscr.io/linuxserver/swag:latest .
```

--------------------------------

### Check Container Logs

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/TROUBLESHOOTING-AND-DEBUGGING.md

Use 'docker logs' to view container output. Check for error messages to diagnose startup issues. Follow logs in real-time or view specific time ranges.

```bash
docker logs swag
# Check for error messages
```

```bash
# Full logs since startup
docker logs swag
```

```bash
# Last 100 lines
docker logs --tail 100 swag
```

```bash
# Follow logs in real-time
docker logs -f swag
```

```bash
# Logs from specific time
docker logs --since 10m swag
```

--------------------------------

### Mounting SWAG SSL Configuration in Other Containers (Option 2)

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/CERTBOT-CERTIFICATE-MANAGEMENT.md

Mount only the necessary SSL configuration directory for increased security. Access certificates via the live symlink.

```bash
-v /path-to-swag-config/etc:/swag-ssl
# In other container, use: /swag-ssl/letsencrypt/live/example.com/
```

--------------------------------

### Per-User Rate Limiting

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/AUTHENTICATION-AND-ACCESS-CONTROL.md

Limit request rates on a per-user basis, using the Authorization header to identify users. This example allows 100 requests per minute per user.

```nginx
map $http_authorization $api_user {
    default "";
    "~^Basic (.+)$" $1;
}

limit_req_zone $api_user zone=user_limit:10m rate=100r/m;

location /api/ {
    limit_req zone=user_limit burst=10;
    proxy_pass http://api:8000;
}
```

--------------------------------

### Create htpasswd File

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/NGINX-CONFIGURATION.md

Command to create or update an htpasswd file for HTTP Basic Authentication within the SWAG container.

```bash
docker exec swag htpasswd -c /config/nginx/.htpasswd username
```

--------------------------------

### Custom Nginx Resolver Configuration for SWAG

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/DOCKER-RUNTIME.md

Override SWAG's auto-generated DNS resolvers by editing `/config/nginx/resolver.conf`. This example uses Cloudflare and Google DNS servers with a custom timeout.

```nginx
resolver 1.1.1.1 1.0.0.1 8.8.8.8 8.8.4.4;
resolver_timeout 10s;
```

--------------------------------

### Troubleshoot HTTPS Not Working

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/INDEX.md

Verify that port 443 is open and accessible, and check the validity dates of your SSL certificate.

```bash
docker exec swag ss -tlnp
```

```bash
docker exec swag openssl x509 -in /config/keys/cert.pem -noout -dates
```

--------------------------------

### Docker Compose for LDAP Authentication Setup

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/AUTHENTICATION-AND-ACCESS-CONTROL.md

This Docker Compose configuration sets up a separate container for ldap-auth, which is required for LDAP authentication in SWAG. It defines environment variables and volumes for configuration.

```yaml
services:
  ldap-auth:
    image: lscr.io/linuxserver/ldap-auth:latest
    container_name: ldap-auth
    environment:
      - TZ=Etc/UTC
      - PHPLDAPADMIN_HTTPS=false
      - LDAP_ORGANIZATION=Example Corp
      - LDAP_DOMAIN=example.com
      - LDAP_BASE_DN=dc=example,dc=com
    volumes:
      - /path/to/ldap/config:/config
    networks:
      - swag
    restart: unless-stopped

networks:
  swag:
```

--------------------------------

### Nginx Resolver Configuration for SWAG

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/DOCKER-RUNTIME.md

Configure Nginx resolvers for upstream host resolution within SWAG. This example uses Google's public DNS servers and sets a validation timeout.

```nginx
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
```

--------------------------------

### Mounting SWAG SSL Configuration in Other Containers (Option 1)

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/CERTBOT-CERTIFICATE-MANAGEMENT.md

Mount the entire SWAG configuration directory to access SSL keys. This method is less secure.

```bash
-v /path-to-swag-config:/swag-ssl
# In other container, use: /swag-ssl/keys/letsencrypt/
```

--------------------------------

### Configure Nginx Server Block for Authelia Integration

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/AUTHENTICATION-AND-ACCESS-CONTROL.md

Include the Authelia location configuration in your application's Nginx server block to enforce authentication.
This setup assumes Authelia is running and accessible.

```nginx
server {
    listen 443 ssl http2;
    server_name myapp.example.com;

    # Include Authelia location
    include /config/nginx/proxy_confs/authelia-location.conf;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://app:8080;
    }
}
```

--------------------------------

### Minimal Docker Run Volume Mount

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/DOCKER-RUNTIME.md

Use this for a basic Docker run command to mount the configuration directory.

```bash
docker run -v /host/path:/config ...
```

--------------------------------

### Default NGINX Reverse Proxy Headers

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/NGINX-CONFIGURATION.md

These headers are essential for passing client information to upstream servers in a reverse proxy setup. They ensure the upstream receives accurate details about the original request.

```nginx
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Port $server_port;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
proxy_request_buffering off;
proxy_buffering off;
```

--------------------------------

### Per-IP Rate Limiting

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/AUTHENTICATION-AND-ACCESS-CONTROL.md

Implement rate limiting for API endpoints based on the client's IP address to prevent abuse. This example allows 10 requests per second with a burst of 20.

```nginx
limit_req_zone $binary_remote_addr zone=api_limit:10m rate=10r/s;

location /api/ {
    limit_req zone=api_limit burst=20 nodelay;
    proxy_pass http://api:8000;
}
```

--------------------------------

### Inspect SWAG Container Configuration

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/TROUBLESHOOTING-AND-DEBUGGING.md

Use `docker inspect` to view detailed configuration of the SWAG container. Pipe to `jq` for formatted JSON output, or use `--format` to extract specific fields like environment variables or mounts.

```bash
# Inspect all configuration
docker inspect swag | jq .
```

```bash
# View only environment
docker inspect swag --format='{{json .Config.Env}}'
```

```bash
# View mounts
docker inspect swag --format='{{json .Mounts}}'
```

--------------------------------

### Get User and Group IDs

Source: https://github.com/linuxserver/docker-swag/blob/master/README.md

Determine the user (PUID) and group (PGID) identifiers for your host user to resolve potential volume permission issues. Ensure host volume directories are owned by the same user.

```bash
id your_user
```

--------------------------------

### Typical NGINX Proxy Configuration Structure

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/NGINX-CONFIGURATION.md

Illustrates a typical NGINX configuration for proxying to an upstream application, including defining an upstream server block and proxying requests.

```nginx
# Upstream application
upstream plex {
    server plex-container:32400;
    keepalive 32;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name plex.example.com;

    include /config/nginx/ssl.conf;
    include /config/nginx/headers.conf;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://plex;

        # Application-specific settings
        proxy_intercept_errors on;
    }
}
```

--------------------------------

### Enable HTTP/3 (QUIC) in NGINX

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/NGINX-CONFIGURATION.md

Configure NGINX to support HTTP/3 (QUIC) by enabling the 'quic' and 'reuseport' options on a listen directive and adding the Alt-Svc header. Requires exposing UDP port 443.

```nginx
# quic goes on its own listen directive; nginx rejects it combined with ssl or http2
listen 443 ssl http2;
listen 443 quic reuseport;
listen [::]:443 ssl http2;
listen [::]:443 quic reuseport;

# Add Alt-Svc header in ssl.conf
add_header Alt-Svc 'h3=":443"; ma=86400' always;
```

--------------------------------

### Configure SQLite Database Backend

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/FAIL2BAN-SECURITY.md

Switch Fail2Ban to use SQLite for its database backend instead of file-based storage, which can improve performance on high-traffic sites.

```ini
[DEFAULT]
backend = sqlite3
dbfile = /config/fail2ban/fail2ban.sqlite3
```

--------------------------------

### Configure Docker Compose Health Check for SWAG

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/DOCKER-RUNTIME.md

Use this health check in Docker Compose to monitor SWAG's HTTPS connectivity. It checks the default site, retries on failure, and has a start period before checks begin.

```yaml
healthcheck:
  test: ["CMD", "wget", "--quiet", "--tries=1", "--spider", "https://localhost/"]
  interval: 30s
  timeout: 10s
  retries: 3
  start_period: 40s
```

--------------------------------

### Configure Global IP Whitelist

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/FAIL2BAN-SECURITY.md

Add IPs to the global ignore list in jail.local to prevent them from ever being banned.

```ini
[DEFAULT]
ignoreip = 127.0.0.1 ::1 192.168.0.0/16 10.0.0.0/8
```

--------------------------------

### Check Specific Fail2Ban Jail Status via Docker

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/FAIL2BAN-SECURITY.md

Use fail2ban-client status with a specific jail name to get detailed information about its filter, actions, banned IPs, and log files. Useful for diagnosing issues with a particular jail.

```bash
docker exec swag fail2ban-client status nginx-http-auth
```

--------------------------------

### View Fail2Ban Logs

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/FAIL2BAN-SECURITY.md

Execute this command to stream Fail2Ban logs in real-time. Useful for monitoring ban and unban events.

```bash
docker exec swag tail -f /var/log/fail2ban.log
```

--------------------------------

### Configure Opcache Settings

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/PHP-RUNTIME.md

Adjust opcache settings for performance. Increase memory_consumption for large applications. Disable validate_timestamps in production for better performance.

```ini
[opcache]
opcache.enable = 1
opcache.memory_consumption = 128M
opcache.interned_strings_buffer = 8
opcache.max_accelerated_files = 10000
opcache.validate_timestamps = 1
opcache.revalidate_freq = 2
```

--------------------------------

### Test Nginx Configuration Syntax

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/INDEX.md

Check the Nginx configuration files for syntax errors within the SWAG container.
This is a crucial step before reloading Nginx.

```bash
docker exec swag nginx -t
```

--------------------------------

### Check Nginx Status and Configuration

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/NGINX-CONFIGURATION.md

Dump the full NGINX configuration or check its current status. Use `nginx -T` to see the compiled configuration and `nginx -s status` for runtime status.

```bash
docker exec swag nginx -T
```

```bash
docker exec swag nginx -s status
```

--------------------------------

### Simple Reverse Proxy Docker Compose Environment

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/README.md

Configure SWAG to act as a reverse proxy for a single application with automatic SSL. Set the main domain and desired subdomains.

```yaml
environment:
  URL: example.com
  VALIDATION: http
  SUBDOMAINS: www
```

```nginx
# Backend app on http://app-container:8080
location / {
    proxy_pass http://app-container:8080;
}
```

--------------------------------

### Connect to PostgreSQL using PDO (PHP)

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/PHP-RUNTIME.md

Establishes a connection to a PostgreSQL database using PDO and executes a query.

```php
<?php
// Placeholder DSN and credentials; the original connection arguments are missing from this page
$pdo = new PDO('pgsql:host=DB_HOST;dbname=DB_NAME', 'DB_USER', 'DB_PASSWORD');
$result = $pdo->query('SELECT * FROM users');
?>
```

--------------------------------

### Modify and Test PHP-FPM Configuration

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/PHP-RUNTIME.md

Demonstrates how to copy a PHP-FPM pool configuration file, test its syntax, and restart the PHP-FPM service within the Docker container.

```bash
cp /config/nginx/php-fpm/pool.d/www.conf.bak /config/nginx/php-fpm/pool.d/www.conf
# Edit as needed
docker exec swag php-fpm8 -t  # Test syntax
docker exec swag rc-service php-fpm8 restart
```

--------------------------------

### Troubleshoot Proxy Returning 502 Errors

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/INDEX.md

Check the upstream service availability, test Nginx configuration syntax, and review proxy pass directives in Nginx site configurations.

```bash
docker exec swag wget http://upstream:port
```

```bash
docker exec swag nginx -t
```

```bash
grep proxy_pass /config/nginx/site-confs/*.conf
```

--------------------------------

### Authelia Configuration Snippet

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/AUTHENTICATION-AND-ACCESS-CONTROL.md

Essential Authelia configuration settings for authentication backend, session management, and storage. Adjust domain and Redis host as needed.

```yaml
authentication_backend:
  file:
    path: /authelia/users_database.yml

session:
  domain: example.com
  redis:
    host: redis
    port: 6379

storage:
  # Authelia's SQLite provider is configured under the "local" key
  local:
    path: /authelia/db.sqlite3
```

--------------------------------

### Test PHP-FPM Configuration Syntax

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/PHP-RUNTIME.md

Test the syntax of your PHP-FPM configuration files before applying changes. This command helps prevent errors caused by incorrect syntax.

```bash
docker exec swag php-fpm8 -t
```

--------------------------------

### Deploy Authelia with Docker Compose

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/AUTHENTICATION-AND-ACCESS-CONTROL.md

Use this Docker Compose configuration to deploy Authelia as a separate service. Ensure the volume path for configuration is correctly set.
```yaml
services:
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    environment:
      - TZ=Etc/UTC
    volumes:
      - /path/to/authelia/config:/config
    networks:
      - swag
    restart: unless-stopped
```

--------------------------------

### Archive SWAG Configuration

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/DOCKER-RUNTIME.md

Use tar to create compressed archives of your SWAG configuration. This can be used for full backups or selective backups of specific directories like certificates.

```bash
# Archive entire config
tar czf swag-backup.tar.gz /path/to/swag/config/

# Selective backup (certificates only)
tar czf swag-certs-backup.tar.gz /path/to/swag/config/etc/
```

```bash
# Named volume backup
docker run --rm -v swag-config:/data -v "$(pwd)":/backup \
  busybox tar czf /backup/swag-backup.tar.gz -C /data .
```

--------------------------------

### Supported DNSPLUGIN Values

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/CONFIGURATION.md

Lists the DNS providers supported by the SWAG image for ACME challenge validation. Credentials for each plugin should be stored in `/config/dns-conf/.ini`.

```text
acmedns, aliyun, azure, bunny, cloudflare, cpanel, desec, digitalocean, directadmin, dnsimple, dnsmadeeasy, dnspod, do, domeneshop, dreamhost, duckdns, dynu, freedns, gandi, gehirn, glesys, godaddy, google, he, hetzner, hetzner-cloud, infomaniak, inwx, ionos, linode, loopia, luadns, namecheap, netcup, njalla, nsone, ovh, porkbun, rfc2136, route53, sakuracloud, standalone, transip, vultr
```

--------------------------------

### Test DNS Plugin Credentials

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/TROUBLESHOOTING-AND-DEBUGGING.md

Perform a dry run of obtaining a certificate using a specific DNS plugin and credentials file. This verifies that the plugin can authenticate and interact with the DNS provider.
```bash
# Test DNS plugin credentials
docker exec swag certbot certonly --dry-run \
  --authenticator dns-cloudflare \
  --dns-cloudflare-credentials /config/dns-conf/cloudflare.ini \
  -d example.com
```

--------------------------------

### Configure Gzip Compression

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/NGINX-CONFIGURATION.md

Enable and configure Gzip compression for text-based content to reduce bandwidth usage and improve load times. Specifies minimum response size and content types to compress.

```nginx
gzip on;
gzip_vary on;
gzip_min_length 1000;
gzip_types text/plain text/css text/xml text/javascript application/x-javascript application/xml+rss application/json;
```

--------------------------------

### Basic NGINX Site Configuration

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/NGINX-CONFIGURATION.md

Defines a server block for a specific subdomain, listening on SSL/HTTP2, setting the root directory, and proxying requests to a backend application.

```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name myapp.example.com;

    root /config/www;
    index index.html;

    include /config/nginx/ssl.conf;
    include /config/nginx/headers.conf;

    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://myapp-container:8080;
    }
}
```

--------------------------------

### Disable Fail2Ban via Environment Variable

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/FAIL2BAN-SECURITY.md

To completely disable Fail2Ban during container startup, set the DISABLE_F2B environment variable to true.

```bash
docker run -e DISABLE_F2B=true ...
```

--------------------------------

### Configure Dynamic IP Whitelist Command

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/FAIL2BAN-SECURITY.md

Use a custom script to dynamically determine if an IP should be ignored. The script must return 0 for ignore, non-zero otherwise.
```ini
[nginx-http-auth]
; <ip> is replaced by fail2ban with the address being checked
ignorecommand = /usr/local/bin/check-whitelist.sh <ip>
```

--------------------------------

### PEM Bundle Format for ZNC

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/CERTBOT-CERTIFICATE-MANAGEMENT.md

The `priv-fullchain-bundle.pem` file combines the private key and the full certificate chain in PEM format, suitable for applications like ZNC.

```text
-----BEGIN RSA PRIVATE KEY-----
[private key content]
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
[certificate content]
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
[intermediate cert]
-----END CERTIFICATE-----
```

--------------------------------

### Custom PHP Configuration

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/ARCHITECTURE.md

Customize PHP settings by editing `/config/nginx/php-fpm/conf.d/php.ini` or create a custom FPM pool configuration by creating `/config/nginx/php-fpm/pool.d/custom.conf`.

```text
Edit /config/nginx/php-fpm/conf.d/php.ini
├─ Change PHP settings
├─ Add extensions (via docker mod)
└─ Modify FPM pools

OR

Create /config/nginx/php-fpm/pool.d/custom.conf
└─ Add custom pool
```

--------------------------------

### SWAG Docker Custom Network Creation

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/DOCKER-RUNTIME.md

Create a custom Docker network named `swag-net` for SWAG and then run the container attached to it, enabling hostname communication between containers.

```bash
docker network create swag-net
docker run --network=swag-net ...
```

--------------------------------

### Accessing Container Output Logs

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/DOCKER-RUNTIME.md

View the general container output logs using `docker logs`.
```bash
# Container output
docker logs -f swag
```

--------------------------------

### Configure Exponential Backoff for Bans

Source: https://github.com/linuxserver/docker-swag/blob/master/_autodocs/FAIL2BAN-SECURITY.md

Set bantime and enable bantime.increment so that ban times increase for repeat offenders, with bantime.maxtime capping how long an increased ban can last.

```ini
[DEFAULT]
; initial ban length in seconds
bantime = 3600
; lengthen the ban each time the same address is banned again
bantime.increment = true
; upper limit for an increased ban, in seconds
bantime.maxtime = 86400
```
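--------------------------------

For the `ignorecommand` entry above (Configure Dynamic IP Whitelist Command), this is an added example of what such a script could look like; it is not code from the SWAG project or its documentation. It assumes fail2ban passes the address as the first argument (`<ip>` in `ignorecommand`), and the allowlist path and file format are hypothetical. It handles IPv4 only.

```shell
#!/bin/sh
# check-whitelist.sh <ip> (added example): exit 0 tells fail2ban to ignore <ip>.
# IPv4 only; malformed input or a missing allowlist never yields "ignore".
# Allowlist, one entry per line (constructed sample): "192.168.0.0/16  # LAN", "203.0.113.7"
ALLOWLIST="${ALLOWLIST:-/config/fail2ban/allowlist.txt}"  # hypothetical path

# Print dotted-quad $1 as an integer; return 1 if it is not strict IPv4.
ip4_to_int() {
    case "$1" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in 0?*|????*) return 1 ;; esac  # no leading zeros, max 3 digits
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) + ($2 << 16) + ($3 << 8) + $4 ))
}

# Return 0 if address $1 is inside $2 (a.b.c.d or a.b.c.d/len).
ip4_in_cidr() {
    addr=$(ip4_to_int "$1") || return 1
    case "$2" in
        */*) net=${2%/*}; len=${2#*/} ;;
        *)   net=$2; len=32 ;;
    esac
    case "$len" in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$len" -le 32 ] || return 1
    base=$(ip4_to_int "$net") || return 1
    mask=$(( (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( addr & mask )) -eq $(( base & mask )) ]
}

# Return 0 if $1 matches any entry of allowlist file $2.
ip_is_allowlisted() {
    [ -r "$2" ] || return 1
    while IFS= read -r entry || [ -n "$entry" ]; do
        entry=${entry%%#*}                              # drop trailing comment
        entry=$(printf '%s' "$entry" | tr -d ' \t\r')   # drop whitespace
        [ -n "$entry" ] || continue
        if ip4_in_cidr "$1" "$entry"; then return 0; fi
    done < "$2"
    return 1
}

# Entry point: runs only when called with an argument, as fail2ban does.
if [ "$#" -gt 0 ]; then
    ip_is_allowlisted "$1" "$ALLOWLIST"; exit $?
fi
```

Because every parse failure returns non-zero, a typo in the allowlist or an unexpected argument leaves the address subject to normal banning rather than silently exempting it.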