lscr.io/linuxserver/swag:latest should retrieve the correct image for your arch, but you can also pull specific arch images via tags.
http validation, port 80 on the internet side of the router should be forwarded to this container's port 80
dns validation, make sure to enter your credentials into the corresponding ini (or json for some plugins) file under /config/dns-conf
duckdns validation, either leave the SUBDOMAINS variable empty or set it to wildcard, and set the DUCKDNSTOKEN variable with your duckdns token. Due to a limitation of duckdns, the resulting cert will only cover either the main subdomain (ie. yoursubdomain.duckdns.org), or sub-subdomains (ie. *.yoursubdomain.duckdns.org), but not both at the same time. You can use our duckdns image to update your IP on duckdns.org.
--cap-add=NET_ADMIN is required for fail2ban to modify iptables
URL will be yoursubdomain.duckdns.org and the SUBDOMAINS can be www,ftp,cloud with http validation, or wildcard with dns validation.
https://yourdomain.url to access the default homepage (http access through port 80 is disabled by default, you can enable it by editing the default site config at /config/nginx/site-confs/default).
/config/log/letsencrypt to see why the renewals have been failing. It is recommended to input your e-mail in docker parameters so you receive expiration notices from Let's Encrypt in those circumstances.
docker exec -it swag htpasswd -c /config/nginx/.htpasswd <username>
.htpasswd. For the first user, use the above command; for others, use the above command without the -c flag, as -c will force deletion of the existing .htpasswd and creation of a new one
/config/nginx/site-confs/default. Feel free to modify this file, and you can add other conf files to this directory. However, if you delete the default file, a new default will be created on container start.
README.md file under /config/nginx/proxy_confs for instructions on how to enable them. The preset confs reside in and get imported from this repo.
add_header X-Robots-Tag "noindex, nofollow, nosnippet, noarchive";
This will ask Google et al not to index and list your site. Be careful with this, as you will eventually be de-listed if you leave this line in on a site you wish to be present on search engines
-v /path-to-swag-config:/swag-ssl) and in the other containers, use the cert location /swag-ssl/keys/letsencrypt/
etc that resides under /config in other containers (ie. -v /path-to-swag-config/etc:/swag-ssl) and in the other containers, use the cert location /swag-ssl/letsencrypt/live/<your.domain.url>/ (This is more secure because the first method shares the entire SWAG config folder with other containers, including the www files, whereas the second method only shares the ssl certs)
cert.pem, chain.pem, fullchain.pem and privkey.pem, which are generated by Certbot and used by nginx and various other apps
privkey.pfx, a format supported by Microsoft and commonly used by dotnet apps such as Emby Server (no password)
priv-fullchain-bundle.pem, a pem cert that bundles the private key and the fullchain, used by apps like ZNC
/config/fail2ban/jail.local
.conf files, create .local files with the same name and edit those because .conf files get overwritten when the actions and filters are updated. .local files will append whatever's in the .conf files (ie. nginx-http-auth.conf --> nginx-http-auth.local)
docker exec -it swag fail2ban-client status
docker exec -it swag fail2ban-client status <jail name>
docker exec -it swag fail2ban-client set <jail name> unbanip <IP>
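
Added example, not part of the SWAG documentation or project code: a POSIX shell wrapper around the status and unbanip commands listed above that confirms an address is really in a jail's ban list before unbanning it. The sample status output, its log path and the addresses are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not SWAG project code). Parses `fail2ban-client status <jail>`
# output so an unban is only issued for an address the jail really holds.

# banned_ips: status output on stdin -> one banned address per line.
banned_ips() {
    awk -F'Banned IP list:' 'NF > 1 {
        n = split($2, ip, /[ \t]+/)
        for (i = 1; i <= n; i++) if (ip[i] != "") print ip[i]
    }'
}

# is_banned ADDR: exit 0 only on an exact match (198.51.100.2 must not
# match 198.51.100.23).
is_banned() {
    banned_ips | grep -Fxq -- "$1"
}

# unban_if_banned JAIL ADDR: wraps the page's status/unbanip commands.
# -it is dropped because a pipe has no TTY to attach.
unban_if_banned() {
    if docker exec swag fail2ban-client status "$1" | is_banned "$2"; then
        docker exec swag fail2ban-client set "$1" unbanip "$2"
    else
        echo "$2 is not currently banned in jail $1" >&2
        return 1
    fi
}

# Constructed sample of `fail2ban-client status nginx-http-auth` output;
# the log path and addresses are placeholders.
sample_status() {
    cat <<'EOF'
Status for the jail: nginx-http-auth
|- Filter
|  |- Currently failed: 1
|  |- Total failed:     14
|  `- File list:        /path/to/nginx/error.log
`- Actions
   |- Currently banned: 2
   |- Total banned:     5
   `- Banned IP list:   203.0.113.7 198.51.100.23
EOF
}

sample_status | banned_ips
```

On a live host, `unban_if_banned nginx-http-auth <IP>` refuses to act when the address is not in that jail, which catches typos and wrong-jail mistakes before they are mistaken for a successful unban.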
linuxserver/letsencrypt image
<external>:<internal> respectively. For example, -p 8080:80 would expose port 80 from inside the container to be accessible from the host's IP on port 8080 outside the container.
-p
443
80
-e
PUID=1000
PGID=1000
TZ=Europe/London
URL=yourdomain.url
customdomain.com if you own it, or customsubdomain.ddnsprovider.com if dynamic dns.
VALIDATION=http
http, dns or duckdns (dns method also requires DNSPLUGIN variable set) (duckdns method requires DUCKDNSTOKEN variable set, and the SUBDOMAINS variable must be either empty or set to wildcard).
SUBDOMAINS=www,
www,ftp,cloud. For a wildcard cert, set this exactly to wildcard (wildcard cert is available via dns and duckdns validation only)
CERTPROVIDER=
zerossl for ZeroSSL certs (requires existing ZeroSSL account and the e-mail address entered in EMAIL env var). Otherwise defaults to Let's Encrypt.
DNSPLUGIN=cloudflare
VALIDATION is set to dns. Options are aliyun, azure, cloudflare, cloudxns, cpanel, desec, digitalocean, directadmin, dnsimple, dnsmadeeasy, dnspod, domeneshop, dynu, gandi, gehirn, google, he, hetzner, infomaniak, inwx, ionos, linode, loopia, luadns, netcup, njalla, nsone, ovh, rfc2136, route53, sakuracloud, standalone, transip and vultr. Also need to enter the credentials into the corresponding ini (or json for some plugins) file under /config/dns-conf.
PROPAGATION=
DUCKDNSTOKEN=
VALIDATION is set to duckdns. Retrieve your token from https://www.duckdns.org
EMAIL=
ONLY_SUBDOMAINS=false
true
EXTRA_DOMAINS=
extradomain.com,subdomain.anotherdomain.org,*.anotherdomain.org
STAGING=false
true to retrieve certs in staging mode. Rate limits will be much higher, but the resulting cert will not pass the browser's security test. Only to be used for testing purposes.
-v
/config
cap_add or sysctl to work properly. This is not implemented properly in some versions of Portainer, thus this image may not work if deployed through Portainer.
FILE__.
PASSWORD based on the contents of the /run/secrets/mysecretpassword file.
-e UMASK=022 setting. Keep in mind umask is not chmod; it subtracts from permissions based on its value, it does not add. Please read up here before asking for support.
-v flags), permissions issues can arise between the host OS and the container, we avoid this issue by allowing you to specify the user PUID and group PGID.
PUID=1000 and PGID=1000, to find yours use id user as below:
docker exec -it swag /bin/bash
docker logs -f swag
docker inspect -f '{{ index .Config.Labels "build_version" }}' swag
docker inspect -f '{{ index .Config.Labels "build_version" }}' lscr.io/linuxserver/swag:latest
STAGING=true, and failures in revoking.
ssl.conf.
SUBDOMAINS var as optional.
resolver.conf and patch for CVE-2021-32637.
dhparams.pem per RFC7919. Added worker_processes.conf, which sets the number of nginx workers, and resolver.conf, which sets the dns resolver. Both conf files are auto-generated only on first start and can be user modified later.
CERTPROVIDER env var. Update aliyun, domeneshop, inwx and transip dns plugins with the new plugin names. Hide donoteditthisfile.conf because users were editing it despite its name. Suppress harmless error when no proxy confs are enabled.