SWAG: NGINX Reverse Proxy with Docker, Mods & Authelia (2021)

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

We know some of you prefer written guides. Our written version for this video can be found at https://docs.ibracorp.io after the video premieres.

👍︎︎ 3 👤︎︎ u/sycotix 📅︎︎ Oct 24 2021 🗫︎ replies

Captions

hi guys and welcome back to another ibra corp video thanks for coming back and checking out the channel this week absolute pleasure to have you as usual i hope you guys enjoyed last week's video we covered some really really good apps and got the word out there to get more people on board with some great tools for their unraid setup with some great tools for their docker setup at home wherever you're running your server this week we're going to be looking back into the topic of reverse proxy now i know on my channel for a long time we've been using nginx proxy manager i absolutely love it and nothing has changed i still love it i think it's a great application but in the interest of staying balanced and fair there are some other tools out there so it's always a good option to show some more off and give you an unbiased opinion so that you can have have a play and learn how to use the technology and find out which one you prefer so thanks to all the community relationships we have in our discord we've worked together with linux server io who are the developers and publishers of the swag application among many other applications that they also create over at linuxerver.io swag is the replacement for the formerly known app of let's encrypt now i know you guys might have seen a video on this before we do things a little bit different here at ibracorp so today we've added some extra little features and notes for you to take note of to make swag work for you so if you're interested you want another reverse proxy option to get you going on your way and getting your server up into the internet with a plethora of features and advanced techniques swag can allow you to do so with relative ease and this video might be the one for you if you like what we're doing here you like our work and you want to help support us feel free to check the description give us a like and subscribe we really appreciate it so without further ado guys let's just get stuck into it all right guys so thank you for coming back and a long requested topic here has been swag so as it says here swag or the secure web application gateway formerly known as let's encrypt and is no relation to let's encrypt the company sets up an nginx web server and reverse proxy with php support with a built-in cert bot client that automates free ssl certificate generation and renewal processes let's encrypt and zero ssl it also contains fail to ban so this is something that we don't get in engine x proxy manager which appeals to a lot of people to set up failed to ban and for obvious reasons having that sort of functionality is good it makes it a lot easier for us to automate the moderation of people who are trying to access our servers so definitely a big plus for swag in that respect and at this point guys we're going to be following this through obviously i'm going to be presenting it maybe a little differently but if you prefer to read as we go for it this is going to be off to the side now and we're going to get into the install now the first thing we'll do before we start is check out your port 40. if you are using ports to get access to your network we're going to be showing you how to have that running on ports four four three zero one and eight zero zero one so make sure those ports are free on your unread server or you're gonna change them as we go along in the video that's just what we're gonna show you as an example if you decide to change those numbers because they're not free then just change them to whatever you've come up with so in our case we're in our router right now and we're looking at the port forwarding so we're saying from port 443 send it over to 44301 as you can see here sending it to this ip address which is our server and to this port apply changes and then do the same for eight zero zero one as you can see here once you've done that we've basically laid the foundation now so that we can start working on swag so hop into your unraid server and head over to the app store as you can see we're running the new version of the app store which has recently been released so a big props to squid it looks really really good i think in my opinion it might take a bit of time to get used to of course but overall it looks and feels really really good so search for swag we're going to see the option there which is obviously by the linux servers team and once we're ready we can go ahead to click to install now i recommend that you keep the naming of the containers simple now there's a reason for that because a lot of the time you can refer to other containers using the container name if they're on the same docker network so in that case you wouldn't want a bunch of fancy little names you know try to keep it simple exactly what it is so then if you have to change or edit it anywhere it's smooth and easy first thing we'll set inside the template is the network type so rather than bridge we always like to use our custom docker network if you don't know how to do that i've made a small video on how to do that with the addition of one step which i forgot in the video where i showed you how to create the custom docker network i forgot one very important tip come into settings and then docker and under advanced view here you'll see preserve user defined network so we want to make sure that yes now you have to have docker service stopped so up here and then it will allow you to edit it so make sure you do that otherwise any custom networks you make will be lost and so we can continue with our template the web ui is saying 443 by default now if you're following our guide we've changed that to 443.01 for 80 on the other hand we've been forwarding that now to 8001. so we change those numbers respectively next is our url so obviously our url that that we want to use and we're going to go with a different one today i'm going to go with unraid.io we've got our domain the next thing is validation so validation you've got three options there we've got http dns or duck dns and it explains how each option works for our guide we're going to be going with dns the reason is it's much easier and quicker for us to go with the dns option which we'll explain later in the video for sub domains we want all of our sub domains to be covered so instead of us having to specify every single individual domain or subdomain we can put them here instead to do that we type wildcard exactly like this for the cert provider you can just leave that blank and it will use let's encrypt if you want to use xero ssl as it says you need an account and then you can enter that information instead for the dns plugin we're going to be going with cloudflare there's a whole bunch of different options they support and if you haven't seen we have videos on how to set up and use cloudflare there's a couple other options so propagation if we want to change that by default it seems fine for the cloudflare option so we don't need to change that if you are using duckdns token this is where that goes for an email address we recommend that you definitely put one in here for notifications so that way the cert agency can send you reminders saying this certificate's about to expire then we have the only subdomains options so if you have that set to false it means that anything that you set up is only for sub domains you don't want your root domain to be covered and that could be in a situation where your domain points one way and your subdomain points somewhere else for example a different server you can also use multiple domains with swag so you don't have to have separate containers you can just have the one and update this parameter so if you had another one for example you could put ibrocorp to io comma another sub domain another domain blah blah blah then you have staging so if it's set to true it will retrieve it in staging mode so that means that rate limits will be much higher however they will not be valid certificates and this allows you just to check that okay if i go to actually go for the certificate it will work or or if it won't and if it won't what's the issue and the reason for this list encrypt for example has rate limits and if you hit it and request too many times they'll actually block you for like a week but in our case we're comfortable with what it is so we're going to leave it as false so once you're happy with all that go ahead and click apply now while the container is installing we can go on to the next step which is setting up our cloudflare account and there's basically two ways we can do this and it's really up to you how you want to deploy it for yourself option a is using dns only so what it means is it's going to be a little bit easier and you're going to create a wild card scene and the benefit is that we can add a wildcard cname pointing all sub domains to the root domain this means we will never have to add another cname to the domain while adding more apps to your unread server so i'm sure you guys can relate every time you deploy an app and you're like okay i need to reverse proxy this now i've got a oh i've got to log into cloudflare i've got to go into there i've got to set up nginx proxy manager proxy etc etc this eliminates that one extra step so if you wanted to wild card you wouldn't have to worry about it and if you wanted to do that so what we would do is create an a record that points to our public ip so for example we've expanded our a record it's going to unrate the i o obviously we've got our ip address in here you'll just set the proxy to dns only and click save then create a cname so type cname and put a star in here followed by the root domain or at go ahead and click save so by doing this we've basically got a wild card there so anything we create at our domain with swag it will automatically be working via cloudflare however you lose on a couple of things one you don't get the ddos protection that cloudflare offers and two if your domain is well known it basically shows your ip address straight away if somebody wants to look it up so the best option is always with cloudflare on but depends how you want to go about it so if you want to go with this option you don't have to come and create cnames for every single app if you go with option b which is the usual way then we would set that back to proxied and then set up an app name for every single app that you're deploying so in today's example we're going to try going for sonar now the next step is setting up let's encrypt with our dns provider so in our case again we're going with cloudflare so to do that we'll go to this little person once you go into my profile go to api tokens and then click on create token click on create custom token and we can call this for example swag under permissions go to zone followed by dns and click on edit under zone resources leave it as include all zones if you have multiple accounts in cloudflare and you only want it to apply to the one then just click the drop down and pick the one that you want once you're done click continue to summary create the token and then it's going to give you this token number so make sure you copy that and now the container is finished so with that token we just created open up a terminal window and type in nano open the terminal window and type in nano all the way to this low file location in here we're going to see a couple of options so as you can see we've got the global api or if we want to use a token because we can go with the global api option we're going to comment these two lines out then come down here and uncomment this line remove the placeholder token that's in there and then add the one that we just got from cloudflare once we're done ctrl o enter and then control x while we're in the terminal we now need to restart the container for swag we'll say docker restart swag so as you can see the container is installed and it's running everything looks okay so far the next thing we're going to show you guys is docker mods so this is something that i don't believe has been really covered and it's a really really cool feature of swag so big props to the linux server guys for this it's really really cool the docker mods are some additional modifications that you can plug in straight into swag and give it some more versatile features the first one we're going to install is the universal docker this is used for a few other docker mods so it basically acts as a foundation mod so we're going to start with that first head over to your container and edit it if you guys are curious on how my docker looks like this and all these extra graphs etc check out our docker folders video once we're in the template scroll down and go to add another path for in here select variable as the option and just call it docker mods for the key docker mods again followed by linux server forward slash mods pollen universal docker all in our guide as well guys so if you're following along with that you'll be able to click and paste all this stuff with that done just go ahead and click add and we're done so again we'll just click apply to allow that to take effect so now we can actually add even more and it's really really easy the hardest part was honestly just creating that extra parameter now we can just add them to the string so for example the next thing we'll show you guys is the cloudflare real ip so if you don't know if you're using cloudflare sometimes a visitors ips are going to be showing from actual cloudflare servers rather than the user themself so what we'll be instructing to do is tell swag to give us the real ip of the person not from cloudflare so in that case we just edit the same string we've already put here under docker mods and for the value right on the end we're going to paste what we've shown you in our guide very important part is this part here which is a separator between the two so the more you add you need to make sure you have a separator there once we're done click save and then click apply so after running that we should have had a file be created called cloudflare real ip so what we're going to do is go to edit it so we need to make sure that that file is included by nginx so that it's used when it's processing information so in the terminal again we're going to edit this nginx.conf file look for this part here which says http and then drop it a line as you can see we've added the three lines up here which are in our documentation once we're done we can type control o followed by control x it also pays to neaten it up a little bit so that you can actually see what it is you've added so having a little comment in there just keeps it nice and neat once again we want to restart our container so go ahead and restart the next mod we're going to add is auto reload so as you've noticed we've had to restart the container after making these changes but what if there's a way for us to automatically do that so we don't have to do it manually well there is and that's this mod so when making edits in the swag config files it's pretty annoying to have to restart the container all the time these guys have got it covered and have made a docker mod to auto reload when it detects a file change so to do that we grab the string that we have in our documentation go to edit edit the docker mods again and right at the end we'll add ours with the separator there with the new docker mod click save and click apply so now anytime we make changes to a specific list of files the container will actually restart itself and apply them for us however if you do have files or folders that aren't in the default list that it looks at you can actually add your own so from swag go ahead and edit it again in the container template add another variable give it a name give it the key of watch list followed by the directories or files that you want to monitor so from here if we wanted to add another one we add that separator again and then you can type another directory and that works well because you may have a lot of custom files that aren't considered in the normal list so then you can just add them yourself pretty cool feature i like that and finally the last docker mod that we're going to show you or swag is the auto proxy so the auto proxy gives swag the ability to auto detect running containers via labels and automatically enable reverse proxy for them yes you heard me correct so we don't have to set that up individually in the actual reverse proxy itself we can have it automatically done for us just by using a label so make sure you've installed the universal docker mod which was the first one that we showed you because it relies on that mod the other thing to note is that like we said we want them all on the custom docker network this will not work properly if you are not on the same custom docker network so i highly recommend you do that before you continue now this docker mod uses the docker api to locate new apps to add them to the reverse proxy so we need to give it some more permissions and there's two methods one is pretty easy but less secure and option a which is a little bit longer but is much more secure in the app store look for docker socket you'll find it here under our repository click on it and go to install make sure we put it on the same custom docker network and then that's it you can pretty much go ahead and click apply now head back to docker and go into the swag container click on edit go right to the bottom and we're going to add another port path variable change it to variable and give it a name so give it the details like we've said here with the key docker underscore host and the value of docker socket go ahead and click add once you've got it click apply so now the swag container will be able to actually retrieve info from other containers read only but will not be able to spin up other containers or run any commands via the docker api so go back and edit it again and under the docker mods we can now add the docker mod for auto proxy so go ahead and add that to the end of our list we've got our separator looks good click save and apply if you didn't want to use that proxy method with docker socket that's fine just go back into the editor and underneath here instead of doing what we've done you don't install the other app you just want to get it the easiest way possible click on add another path give it a name of docker api so you can just create this path here making sure we set it to read only and then click add then as we already said you add the auto proxy mods and then that will work so that's the easier option obviously but it's a little bit less secure so with all that nitty gritty done let's actually now reverse proxy our first app to find something that you want to test with i'm going to go ahead and test with sonar so let's click on edit and in sonar we're going to go to add another path or variable in here we're going to actually give it a label in the label we're going to give it a name of swag with a key of swag and a value of enable once you're done click add and click apply and click done so i'm not going to look at the logs and i'm just going to take a stab at it and see whether it actually comes up live so let's have a look and see now we should see it at the sub domain because as you can see here on cloudflare we've got sonar.unraid.io now that's by far the easiest way to reverse proxy something now with swag thanks to the auto proxy but if you didn't want to use that option the other option that you can use is via the configuration files so open up your terminal here and paste the following we've got to list everything in proxy confs and hit enter and these are pre-configured files for all the different apps that you can possibly think of so all you would need to do is take out the dot sample off the end and have it as just.conf and we can do this with command line so for example we're going to do it with sonar if i scroll down here we'll paste this command in that's in our docs so with the command it's going to move it and rename it for us hit enter and that should be done now if you have the auto reload mod on then swag is going to restart by itself we're not going to actually have to do anything there if you don't have it on then you'll have to restart your container and we can do that through the command line as well with docker restart swag but like i said with our auto mod we don't need to do that anymore now here's another cool tip you're not going to get anywhere else we're going to show you how to enable orthelia using our autoproxy method and it's so much easier than any other option you can think of so if you have ophelia already up and working and it's working for you perfectly fine now you want to apply it to your apps if you haven't got it working yet we've covered it in our videos but let's say we do have it going and we want to now apply it to our apps to protect them so find the app you want to protect again we're going to go with our sonar example here we'll scroll down add another path variable template change that to label we're going to set the name to swag auth the key is swag underscore auth and the value is orthelia you can then call it swag protection if you like and click add and then apply now let's say you want to bypass a particular path like we do with orthelia you can actually do it with the label now so if we go back into edit for sonar for example we'll click add and in this case we're saying swag underscore auth underscore bypass with a value of forward slash api so anything ending in api we want it to bypass orthelia you can then click add and then apply it so obviously that's a much easier way to do things instead of managing a lot of files manually and the other thing is we've made those changes anything that's you know changing in swag is going to update for us automatically so pretty cool now if you've used the manual method to reverse proxy your apps then you will need to use this method that i'm going to show you now for enabling orthealia for your apps and that's if you're not using the auto proxy method so open up a terminal and paste in the following which is in our guide and we've given you the exact template that we have on our guides there so i've just pasted that in and as it says in the guide remove the hash at the beginning of the line where it says enable for orthelia so right here where it says enable for other we just back that and there you go make sure we go to control o then control x and if you have auto reload enable it will reload it for us if you don't have it enabled then you'll need to do the manual command which was docker restart swag that's pretty much it guys you have swag up and running you've got some extra tools and plugins to make it work really really well for you it's going to be a nice smooth use i think and look it's been a long time since i used it back in the days where it was basically all manual you didn't have a lot of auto reload you didn't have auto anything and now they've made a lot better so big props to the linux server guys thank you very much a special thank you to gil van as well who has written a lot of great guides a lot of great articles on his blog and works for the linux server team so big props to them make sure you check out their work we really appreciate them we hope you guys enjoyed that video and um it's taken a lot of effort especially by hawks our community leader we really appreciate you as well if you enjoyed the video please like and subscribe there are also options for you to help support us in the description below if you so choose we really appreciate you and we can't wait to see you in the next hebrew corp video you

Info

Channel: IBRACORP

Views: 7,913

Rating: undefined out of 5

Keywords: ibracorp, ibraco, ibra corp, ibracorp unraid, nginx proxy manager, swag, swag reverse proxy, letsencrypt unraid, letsencrypt, linuxserver.io, unraid, selfhosted, nginx, reverse proxy, install swag proxy, nginx proxy manager docker, nginx tutorial, reverse proxy tutorial, unraid docker, docker, nginx reverse proxy, traefik, traefik v2 tutorial, reverse proxy setup, nginx proxy, unraid tutorial, linuxserver swag, swag setup, swag unraid, unraid letsencrypt, linux server, linux, esxi

Id: N7FlsvhpVGE

Channel Id: undefined

Length: 23min 28sec (1408 seconds)

Published: Sun Oct 24 2021