SWAG: NGINX Reverse Proxy with Docker, Mods & Authelia (2021)

Reddit Comments

We know some of you prefer written guides. Our written version for this video can be found at https://docs.ibracorp.io after the video premieres.

👍︎︎ 3 👤︎︎ u/sycotix 📅︎︎ Oct 24 2021 🗫︎ replies
Captions
Hi guys, and welcome back to another IBRACORP video. Thanks for coming back and checking out the channel this week; absolute pleasure to have you, as usual. I hope you guys enjoyed last week's video. We covered some really, really good apps and got the word out there to get more people on board with some great tools for their Unraid setup, with some great tools for their Docker setup at home, wherever you're running your server.

This week we're going to be looking back into the topic of reverse proxy. Now, I know on my channel for a long time we've been using NGINX Proxy Manager. I absolutely love it, and nothing has changed: I still love it, I think it's a great application. But in the interest of staying balanced and fair, there are some other tools out there, so it's always a good option to show some more off and give you an unbiased opinion, so that you can have a play and learn how to use the technology and find out which one you prefer.

So, thanks to all the community relationships we have in our Discord, we've worked together with LinuxServer.io, who are the developers and publishers of the SWAG application, among many other applications that they also create over at linuxserver.io. SWAG is the replacement for the formerly known app of letsencrypt. Now, I know you guys might have seen a video on this before. We do things a little bit different here at IBRACORP, so today we've added some extra little features and notes for you to take note of to make SWAG work for you. So if you're interested, you want another reverse proxy option to get you going on your way and getting your server up into the internet with a plethora of features and advanced techniques, SWAG can allow you to do so with relative ease, and this video might be the one for you. If you like what we're doing here, you like our work and you want to help support us, feel free to check the description, give us a like and subscribe. We really appreciate it. So without further ado, guys, let's just get stuck into it.

All right guys, so thank you for coming back. A long-requested topic here has been SWAG. So as it says here, SWAG, or the Secure Web Application Gateway, formerly known as letsencrypt, and is no relation to Let's Encrypt the company, sets up an NGINX web server and reverse proxy with PHP support, with a built-in Certbot client that automates free SSL certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban, so this is something that we don't get in NGINX Proxy Manager, which appeals to a lot of people to set up fail2ban, and for obvious reasons. Having that sort of functionality is good: it makes it a lot easier for us to automate the moderation of people who are trying to access our servers. So definitely a big plus for SWAG in that respect. And at this point, guys, we're going to be following this through. Obviously I'm going to be presenting it maybe a little differently, but if you prefer to read as we go, go for it; this is going to be off to the side now, and we're going to get into the install.

Now the first thing we'll do before we start is check out your port forwarding, if you are using ports to get access to your network. We're going to be showing you how to have that running on ports 44301 and 8001, so make sure those ports are free on your Unraid server, or you're going to change them as we go along in the video. That's just what we're going to show you as an example. If you decide to change those numbers because they're not free, then just change them to whatever you've come up with. So in our case we're in our router right now and we're looking at the port forwarding, so we're saying from port 443, send it over to 44301. As you can see here, sending it to this IP address, which is our server, and to this port. Apply changes, and then do the same for 8001, as you can see here. Once you've done that, we've basically laid the foundation now so that we can start working on SWAG.

So hop into your Unraid server and head over to the app store. As you can see, we're running the new version of the app store, which has recently been released, so a big props to Squid. It looks really, really good, I think. In my opinion it might take a bit of time to get used to, of course, but overall it looks and feels really, really good. So search for SWAG. We're going to see the option there, which is obviously by the LinuxServer team, and once we're ready we can go ahead and click to install. Now, I recommend that you keep the naming of the containers simple. There's a reason for that, because a lot of the time you can refer to other containers using the container name if they're on the same Docker network. So in that case you wouldn't want a bunch of fancy little names; try to keep it simple, exactly what it is, so then if you have to change or edit it anywhere it's smooth and easy.

First thing we'll set inside the template is the network type. So rather than bridge, we always like to use our custom Docker network. If you don't know how to do that, I've made a small video on how to do that, with the addition of one step which I forgot in the video where I showed you how to create the custom Docker network. I forgot one very important tip: come into Settings and then Docker, and under advanced view here you'll see "Preserve user defined networks", so we want to make sure that's Yes. Now, you have to have the Docker service stopped, so up here, and then it will allow you to edit it. So make sure you do that, otherwise any custom networks you make will be lost.

And so we can continue with our template. The web UI is saying 443 by default. Now, if you're following our guide, we've changed that to 44301. For 80, on the other hand, we've been forwarding that now to 8001, so we change those numbers respectively. Next is our URL, so obviously the URL that we want to use, and we're going to go with a different one today: I'm going to go with unraid.io. We've got our domain. The next thing is validation. For validation you've got three options there: we've got HTTP, DNS or DuckDNS, and it explains how each option works. For our guide we're going to be going with DNS. The reason is it's much easier and quicker for us to go with the DNS option, which we'll explain later in the video. For subdomains, we want all of our subdomains to be covered, so instead of us having to specify every single individual domain or subdomain, we can put them here instead. To do that we type wildcard, exactly like this.

For the cert provider you can just leave that blank and it will use Let's Encrypt. If you want to use ZeroSSL, as it says, you need an account and then you can enter that information instead. For the DNS plugin we're going to be going with Cloudflare. There's a whole bunch of different options they support, and if you haven't seen, we have videos on how to set up and use Cloudflare. There's a couple of other options. So propagation, if we want to change that; by default it seems fine for the Cloudflare option, so we don't need to change that. If you are using a DuckDNS token, this is where that goes. For an email address, we recommend that you definitely put one in here for notifications, so that way the cert agency can send you reminders saying this certificate's about to expire.

Then we have the only-subdomains option. So if you have that set to false, it means that anything that you set up is only for subdomains; you don't want your root domain to be covered. And that could be in a situation where your domain points one way and your subdomain points somewhere else, for example a different server. You can also use multiple domains with SWAG, so you don't have to have separate containers. You can just have the one and update this parameter, so if you had another one, for example, you could put ibracorp.io, comma, another subdomain, another domain, blah blah blah. Then you have staging. So if it's set to true, it will retrieve it in staging mode. That means that rate limits will be much higher, however they will not be valid certificates, and this allows you just to check that, okay, if I go to actually go for the certificate, it will work or it won't, and if it won't, what's the issue. And the reason for this: Let's Encrypt, for example, has rate limits, and if you hit it and request too many times they'll actually block you for like a week. But in our case we're comfortable with what it is, so we're going to leave it as false. So once you're happy with all that, go ahead and click apply.

Now, while the container is installing, we can go on to the next step, which is setting up our Cloudflare account, and there's basically two ways we can do this, and it's really up to you how you want to deploy it for yourself. Option A is using DNS only. So what it means is it's going to be a little bit easier and you're going to create a wildcard CNAME, and the benefit is that we can add a wildcard CNAME pointing all subdomains to the root domain. This means we will never have to add another CNAME to the domain while adding more apps to your Unraid server. So I'm sure you guys can relate: every time you deploy an app and you're like, okay, I need to reverse proxy this now, I've got to log into Cloudflare, I've got to go into there, I've got to set up NGINX Proxy Manager, proxy, et cetera, et cetera. This eliminates that one extra step. So if you wanted to wildcard, you wouldn't have to worry about it.

And if you wanted to do that, what we would do is create an A record that points to our public IP. So for example, we've expanded our A record; it's going to unraid.io, and obviously we've got our IP address in here. You'll just set the proxy to DNS only and click save. Then create a CNAME: so type CNAME, and put a star in here, followed by the root domain or @. Go ahead and click save. So by doing this we've basically got a wildcard there, so anything we create at our domain with SWAG will automatically be working via Cloudflare. However, you lose on a couple of things: one, you don't get the DDoS protection that Cloudflare offers, and two, if your domain is well known, it basically shows your IP address straight away if somebody wants to look it up. So the best option is always with Cloudflare on, but it depends how you want to go about it. So if you want to go with this option, you don't have to come and create CNAMEs for every single app. If you go with option B, which is the usual way, then we would set that back to proxied and then set up a CNAME for every single app that you're deploying. So in today's example we're going to try going for Sonarr.

Now the next step is setting up Let's Encrypt with our DNS provider, so in our case again we're going with Cloudflare. To do that, we'll go to this little person. Once you go into My Profile, go to API Tokens and then click on Create Token. Click on Create Custom Token, and we can call this, for example, swag. Under permissions go to Zone, followed by DNS, and click on Edit. Under zone resources leave it as Include, All zones. If you have multiple accounts in Cloudflare and you only want it to apply to the one, then just click the drop-down and pick the one that you want. Once you're done, click continue to summary, create the token, and then it's going to give you this token number, so make sure you copy that.

And now the container is finished. So with that token we just created, open up a terminal window and type in nano, all the way to this low file location. In here we're going to see a couple of options. So as you can see, we've got the global API, or if we want to use a token. Because we can go with the global API option, we're going to comment these two lines out, then come down here and uncomment this line, remove the placeholder token that's in there and then add the one that we just got from Cloudflare. Once we're done, Ctrl+O, Enter, and then Ctrl+X. While we're in the terminal, we now need to restart the container for SWAG. We'll say docker restart swag. So as you can see, the container is installed and it's running. Everything looks okay so far.

The next thing we're going to show you guys is Docker mods. This is something that I don't believe has been really covered, and it's a really, really cool feature of SWAG, so big props to the LinuxServer guys for this. It's really, really cool. The Docker mods are some additional modifications that you can plug straight into SWAG and give it some more versatile features. The first one we're going to install is the universal-docker. This is used for a few other Docker mods, so it basically acts as a foundation mod, so we're going to start with that first. Head over to your container and edit it. If you guys are curious on how my Docker looks like this and all these extra graphs etc., check out our Docker Folders video. Once we're in the template, scroll down and go to add another path. In here, select Variable as the option and just call it Docker Mods; for the key, DOCKER_MODS again, followed by linuxserver/mods:universal-docker. All in our guide as well, guys, so if you're following along with that you'll be able to click and paste all this stuff. With that done, just go ahead and click add and we're done. So again, we'll just click apply to allow that to take effect.

So now we can actually add even more, and it's really, really easy. The hardest part was honestly just creating that extra parameter. Now we can just add them to the string. So for example, the next thing we'll show you guys is the Cloudflare real IP. If you don't know, if you're using Cloudflare, sometimes a visitor's IPs are going to be showing from actual Cloudflare servers rather than the user themself. So what we'll be instructing to do is tell SWAG to give us the real IP of the person, not from Cloudflare. In that case, we just edit the same string we've already put here under Docker mods, and for the value, right on the end, we're going to paste what we've shown you in our guide. A very important part is this part here, which is a separator between the two, so the more you add, you need to make sure you have a separator there. Once we're done, click save and then click apply.

So after running that, we should have had a file be created called Cloudflare real IP. So what we're going to do is go to edit it. We need to make sure that that file is included by NGINX so that it's used when it's processing information. So in the terminal again, we're going to edit this nginx.conf file. Look for this part here which says http, and then drop it a line. As you can see, we've added the three lines up here which are in our documentation. Once we're done, we can type Ctrl+O followed by Ctrl+X. It also pays to neaten it up a little bit so that you can actually see what it is you've added, so having a little comment in there just keeps it nice and neat. Once again, we want to restart our container, so go ahead and restart.

The next mod we're going to add is auto reload. As you've noticed, we've had to restart the container after making these changes, but what if there's a way for us to automatically do that so we don't have to do it manually? Well, there is, and that's this mod. When making edits in the SWAG config files, it's pretty annoying to have to restart the container all the time. These guys have got it covered and have made a Docker mod to auto reload when it detects a file change. So to do that, we grab the string that we have in our documentation, go to edit, edit the Docker mods again, and right at the end we'll add ours, with the separator there, with the new Docker mod. Click save and click apply. So now, anytime we make changes to a specific list of files, the container will actually restart itself and apply them for us. However, if you do have files or folders that aren't in the default list that it looks at, you can actually add your own. So from SWAG, go ahead and edit it again. In the container template, add another variable, give it a name, give it the key of WATCHLIST, followed by the directories or files that you want to monitor. From here, if we wanted to add another one, we add that separator again and then you can type another directory. And that works well because you may have a lot of custom files that aren't considered in the normal list, so then you can just add them yourself. Pretty cool feature, I like that.

And finally, the last Docker mod that we're going to show you for SWAG is the auto proxy. The auto proxy gives SWAG the ability to auto-detect running containers via labels and automatically enable reverse proxy for them. Yes, you heard me correct. So we don't have to set that up individually in the actual reverse proxy itself; we can have it automatically done for us just by using a label. So make sure you've installed the universal-docker mod, which was the first one that we showed you, because it relies on that mod. The other thing to note is that, like we said, we want them all on the custom Docker network. This will not work properly if you are not on the same custom Docker network, so I highly recommend you do that before you continue.

Now, this Docker mod uses the Docker API to locate new apps to add them to the reverse proxy, so we need to give it some more permissions, and there's two methods: one is pretty easy but less secure, and option A, which is a little bit longer but is much more secure. In the app store, look for Docker Socket. You'll find it here under our repository. Click on it and go to install, make sure we put it on the same custom Docker network, and then that's it, you can pretty much go ahead and click apply. Now head back to Docker and go into the SWAG container, click on edit, go right to the bottom and we're going to add another port, path, variable. Change it to Variable and give it a name, so give it the details like we've said here, with the key DOCKER_HOST and the value of dockersocket. Go ahead and click add. Once you've got it, click apply. So now the SWAG container will be able to actually retrieve info from other containers, read only, but will not be able to spin up other containers or run any commands via the Docker API. So go back and edit it again, and under the Docker mods we can now add the Docker mod for auto proxy. So go ahead and add that to the end of our list. We've got our separator, looks good, click save and apply.

If you didn't want to use that proxy method with Docker Socket, that's fine. Just go back into the editor, and underneath here, instead of doing what we've done, you don't install the other app, you just want to get it the easiest way possible: click on add another path, give it a name of Docker API, so you can just create this path here, making sure we set it to read only, and then click add. Then, as we already said, you add the auto proxy mods and then that will work. So that's the easier option, obviously, but it's a little bit less secure.

So with all that nitty gritty done, let's actually now reverse proxy our first app. To find something that you want to test with, I'm going to go ahead and test with Sonarr. So let's click on edit, and in Sonarr we're going to go to add another path or variable. In here we're going to actually give it a label. In the label, we're going to give it a name of swag, with a key of swag and a value of enable. Once you're done, click add and click apply and click done. So I'm not going to look at the logs, and I'm just going to take a stab at it and see whether it actually comes up live. So let's have a look and see. Now we should see it at the subdomain, because as you can see here on Cloudflare we've got sonarr.unraid.io.

Now, that's by far the easiest way to reverse proxy something now with SWAG, thanks to the auto proxy. But if you didn't want to use that option, the other option that you can use is via the configuration files. So open up your terminal here and paste the following. We've got to list everything in proxy-confs, and hit enter, and these are pre-configured files for all the different apps that you can possibly think of. So all you would need to do is take the .sample off the end and have it as just .conf, and we can do this with the command line. So for example, we're going to do it with Sonarr. If I scroll down here, we'll paste this command in that's in our docs. With the command, it's going to move it and rename it for us. Hit enter and that should be done. Now, if you have the auto reload mod on, then SWAG is going to restart by itself; we're not going to actually have to do anything there. If you don't have it on, then you'll have to restart your container, and we can do that through the command line as well with docker restart swag. But like I said, with our auto mod we don't need to do that anymore.

Now here's another cool tip you're not going to get anywhere else. We're going to show you how to enable Authelia using our auto proxy method, and it's so much easier than any other option you can think of. So if you have Authelia already up and working and it's working for you perfectly fine, now you want to apply it to your apps. If you haven't got it working yet, we've covered it in our videos, but let's say we do have it going and we want to now apply it to our apps to protect them. So find the app you want to protect; again, we're going to go with our Sonarr example here. We'll scroll down, add another path, variable template, change that to Label. We're going to set the name to swag auth, the key is swag_auth and the value is authelia. You can then call it SWAG protection if you like, and click add and then apply.

Now let's say you want to bypass a particular path, like we do with Authelia. You can actually do it with the label now. So if we go back into edit for Sonarr, for example, we'll click add, and in this case we're saying swag_auth_bypass with a value of /api, so anything ending in api, we want it to bypass Authelia. You can then click add and then apply it. So obviously that's a much easier way to do things instead of managing a lot of files manually, and the other thing is, we've made those changes; anything that's, you know, changing in SWAG is going to update for us automatically. So pretty cool.

Now, if you've used the manual method to reverse proxy your apps, then you will need to use this method that I'm going to show you now for enabling Authelia for your apps, and that's if you're not using the auto proxy method. So open up a terminal and paste in the following, which is in our guide, and we've given you the exact template that we have on our guides there. So I've just pasted that in, and as it says in the guide, remove the hash at the beginning of the line where it says enable for Authelia. So right here where it says enable for Authelia, we just back that, and there you go. Make sure we go to Ctrl+O, then Ctrl+X, and if you have auto reload enabled it will reload it for us. If you don't have it enabled, then you'll need to do the manual command, which was docker restart swag.

That's pretty much it, guys. You have SWAG up and running, you've got some extra tools and plugins to make it work really, really well for you. It's going to be a nice smooth use, I think. And look, it's been a long time since I used it, back in the days where it was basically all manual: you didn't have a lot of auto reload, you didn't have auto anything, and now they've made it a lot better. So big props to the LinuxServer guys, thank you very much. A special thank you to Gil Van as well, who has written a lot of great guides, a lot of great articles on his blog, and works for the LinuxServer team. So big props to them; make sure you check out their work, we really appreciate them. We hope you guys enjoyed that video, and it's taken a lot of effort, especially by Hawks, our community leader. We really appreciate you as well. If you enjoyed the video, please like and subscribe. There are also options for you to help support us in the description below if you so choose. We really appreciate you, and we can't wait to see you in the next IBRACORP video.
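
The two permission options described for the auto-proxy mod, written as a Docker Compose file rather than Unraid template fields. This is an added example, not taken from the video or the IBRACORP guide: the network name proxynet, the example.com domain, the ./swag path, the Sonarr service and the tecnativa/docker-socket-proxy image are assumptions, while the variable keys and label values are the ones spoken in the captions and the linuxserver/mods tags are the published names of the four mods mentioned.

```yaml
# Added example (assumed names: proxynet, example.com, ./swag, sonarr service).
networks:
  proxynet:
    external: true            # the pre-created custom Docker network

services:
  # More secure option: a filtering proxy in front of the Docker socket.
  dockersocket:
    image: tecnativa/docker-socket-proxy   # assumption: one common socket proxy
    container_name: dockersocket
    environment:
      - CONTAINERS=1          # allow listing/inspecting containers
      - POST=0                # refuse state-changing API requests
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    networks: [proxynet]
    restart: unless-stopped
    # No "ports:" entry: the proxy is reachable only from proxynet.

  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    cap_add: [NET_ADMIN]      # required by the bundled fail2ban
    environment:
      - URL=example.com
      - VALIDATION=dns
      - SUBDOMAINS=wildcard
      - DNSPLUGIN=cloudflare
      - EMAIL=admin@example.com
      - ONLY_SUBDOMAINS=false
      - STAGING=false         # set true while testing to avoid rate limits
      - DOCKER_HOST=dockersocket   # value used in the video
      # Mods are separated by "|"; universal-docker must be present for auto-proxy.
      - DOCKER_MODS=linuxserver/mods:universal-docker|linuxserver/mods:swag-cloudflare-real-ip|linuxserver/mods:swag-auto-reload|linuxserver/mods:swag-auto-proxy
    volumes:
      - ./swag:/config
      # Less secure alternative from the captions: remove DOCKER_HOST and the
      # dockersocket service, and mount the socket into SWAG directly:
      #   - /var/run/docker.sock:/var/run/docker.sock:ro
      # The ":ro" flag only protects the socket file. It does not filter API
      # calls, so the internet-facing container would hold full Docker API access.
    ports:
      - "44301:443"           # router forwards 443 -> 44301
      - "8001:80"             # router forwards 80  -> 8001
    networks: [proxynet]
    restart: unless-stopped

  sonarr:
    image: lscr.io/linuxserver/sonarr
    container_name: sonarr    # simple name: SWAG reaches it by container name
    labels:
      - swag=enable           # auto-proxy picks the container up
      - swag_auth=authelia    # put Authelia in front of it
      - swag_auth_bypass=/api # path that skips Authelia
    networks: [proxynet]
    restart: unless-stopped
```

With the proxy variant in place, a docker ps run inside the swag container should list containers, while a docker stop against any container should be rejected by the proxy.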
Info
Channel: IBRACORP
Views: 7,913
Keywords: ibracorp, ibraco, ibra corp, ibracorp unraid, nginx proxy manager, swag, swag reverse proxy, letsencrypt unraid, letsencrypt, linuxserver.io, unraid, selfhosted, nginx, reverse proxy, install swag proxy, nginx proxy manager docker, nginx tutorial, reverse proxy tutorial, unraid docker, docker, nginx reverse proxy, traefik, traefik v2 tutorial, reverse proxy setup, nginx proxy, unraid tutorial, linuxserver swag, swag setup, swag unraid, unraid letsencrypt, linux server, linux, esxi
Id: N7FlsvhpVGE
Length: 23min 28sec (1408 seconds)
Published: Sun Oct 24 2021