---
navigation: true
title: SWAG
main:
  fluid: false
---
:ellipsis{left=0px width=40rem top=10rem blur=140px}
# SWAG

::alert{type="info"}
🎯 __Goals:__
- Install SWAG
- Enable SSL
- Access the dashboard
- Configure regional blocking
- Expose Dockge
::

[SWAG](https://docs.linuxserver.io/general/swag/) is the core of this homelab. It is a powerful reverse proxy that allows you to expose services on the internet via domain names, handling SSL certificates, request routing, and access security. Full documentation is [available here](https://docs.linuxserver.io/general/swag).

::alert{type="warning"}
:::list{type="warning"}
- SWAG is only useful if you plan to expose your services on the internet (e.g., `https://service.mydomain.com`). If you prefer to use a VPN instead, skip to [this section](/serveex/securite/wireguard).
:::
::

Below is an example for exposing Dockge. We'll install SWAG, the dbip mod for geo-blocking, and the dashboard mod for managing SWAG, fail2ban, and geolocation.

**What a reverse proxy is and how it works for us:**

![Picture](/img/serveex/reverse-proxy.svg)

## Installation
---

::alert{type="info" icon="exclamation-circle"}
:::list{type="info"}
- This tutorial assumes you have a domain name pointing to your server, and a NAT rule forwarding port `443` to your server. Example domain: `mydomain.com`.
:::
::

File structure we'll edit:

```console
root
└── docker
    └── swag
        ├── config
        │   ├── dns-conf
        │   │   └── ovh.ini
        │   └── nginx
        │       ├── dbip.conf
        │       ├── nginx.conf
        │       └── proxy-confs
        │           └── dockge.subdomain.conf
        ├── compose.yml
        └── .env
```

Open Dockge, click `compose`, name the stack `swag`, and paste this config:

```yaml
services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    cap_add:
      - NET_ADMIN
    env_file:
      - .env
    environment:
      - TZ=Europe/Paris
      - URL=${DOMAIN}
      - EXTRA_DOMAINS=${DOMAINS}
      - SUBDOMAINS=wildcard # covers the subdomains
      - VALIDATION=dns
      - DNSPLUGIN=${PLUGIN}
      - EMAIL=${EMAIL}
      - DOCKER_MODS=linuxserver/mods:swag-dbip|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-auto-reload
    volumes:
      - /docker/swag/config:/config
    ports:
      - 80:80
      - 443:443
      - 81:81 # Required for the dashboard
    restart: unless-stopped
    networks:
      - swag

networks:
  swag:
    name: swag_default
```

::alert{type="success"}
✨ __Tip:__ Add a watchtower label to auto-update containers:

```yaml
services:
  swag:
    #...
    labels:
      - com.centurylinklabs.watchtower.enable=true
```
::

In your `.env`:

```properties
DOMAIN=
DOMAINS=
EMAIL=
PLUGIN=
```

Fill in the values:

| Property | Value | Examples |
|-----------|-------|----------|
| DOMAIN | Your main domain | mydomain.com |
| DOMAINS | Other domains (if any) | seconddomain.com |
| EMAIL | Your email for SSL | you@email.com |
| PLUGIN | Your DNS provider's plugin | ovh, cloudflare |

Edit `ovh.ini`:

```shell
sudo vi /docker/swag/config/dns-conf/ovh.ini
```

```properties
dns_ovh_endpoint = ovh-eu
dns_ovh_application_key =
dns_ovh_application_secret =
dns_ovh_consumer_key =
```

Generate your token [here](https://www.ovh.com/auth/?onsuccess=https%3A%2F%2Fwww.ovh.com%2Fauth%2Fapi%2FcreateToken).
Required permissions:

* `GET /domain/zone/*`
* `PUT /domain/zone/*`
* `POST /domain/zone/*`
* `DELETE /domain/zone/*`

Now configure dbip:

```shell
sudo vi /docker/swag/config/nginx/nginx.conf
```

Add this inside the `http` block:

```nginx
include /config/nginx/dbip.conf;
```

Restart the stack.

## Dashboard
---

Access the dashboard at `http://yourserverip:81`. Details [here](https://www.linuxserver.io/blog/introducing-swag-dashboard).

## DBIP
---

Geo-block config example:

```nginx
# ... (Same geo-block nginx example as before)
```

## Exposing Dockge
---

::alert{type="info"}
📋 __Prerequisites:__ A subdomain `dockge.mydomain.com` with a CNAME pointing to `mydomain.com`, and NAT for port 443 properly configured.
::

::alert{type="warning"}
:::list{type="warning"}
- Dockge has no built-in MFA. Only expose it behind an MFA layer (e.g., Authentik). Otherwise, use a VPN.
:::
::

Configure `dockge.subdomain.conf` as:

```nginx
# ... (Same nginx reverse proxy config)
```

Edit SWAG’s `compose.yml` to add Dockge's network:

```yaml
services:
  swag:
    # ...
    networks:
      - dockge   # add alongside the existing swag network

networks:
  dockge:
    name: dockge_default
    external: true
```

Redeploy SWAG. Access Dockge via `https://dockge.mydomain.com`.

## Exposing Other Services
---

SWAG includes many sample confs named `service.subdomain.conf.sample`. Duplicate and configure them:

```shell
cd /docker/swag/config/nginx/proxy-confs
sudo cp service.subdomain.conf.sample service.subdomain.conf
```

::alert{type="danger"}
:::list{type="danger"}
- __If a subdomain isn’t routing correctly:__
:::
- Check the container name in `set $upstream_app ...;`
- Ensure the service’s network is added to SWAG’s `compose.yml`
::
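
Both checks in the alert above can be run as a script. This is an added example, not part of SWAG or of the original page: it reads a proxy conf and the JSON printed by `docker network inspect`, and reports whether each active `$upstream_app` names a running container that shares a network with the `swag` container. The function names are hypothetical, and the sample conf and network data are constructed.

```python
import json
import re

# `set $upstream_app <name>;` as used in SWAG proxy confs; commented lines do not match.
UPSTREAM_RE = re.compile(r"^[ \t]*set\s+\$upstream_app\s+([^;\s]+)\s*;", re.M)

def containers_by_network(inspect_json):
    """Map network name -> attached container names, from `docker network inspect` JSON."""
    return {net["Name"]: {c["Name"] for c in (net.get("Containers") or {}).values()}
            for net in json.loads(inspect_json)}

def check_conf(conf_text, inspect_json, proxy="swag"):
    """Return (upstream_app, verdict) for every active upstream in one proxy conf."""
    nets = containers_by_network(inspect_json)
    results = []
    for app in sorted(set(UPSTREAM_RE.findall(conf_text))):
        shared = sorted(n for n, names in nets.items() if {app, proxy} <= names)
        if shared:
            verdict = "ok: shares " + ", ".join(shared)
        elif any(app in names for names in nets.values()):
            verdict = "no network shared with " + proxy
        else:
            verdict = "no running container with this name"
        results.append((app, verdict))
    return results

# Constructed sample data (not taken from a real host).
SAMPLE_CONF = """
server {
    server_name dockge.*;
    location / {
        #set $upstream_app old-dockge;
        set $upstream_app dockge;
        set $upstream_port 5001;
        proxy_pass http://$upstream_app:$upstream_port;
    }
}
"""
BEFORE = json.dumps([  # swag not yet attached to dockge_default
    {"Name": "swag_default", "Containers": {"a1": {"Name": "swag"}}},
    {"Name": "dockge_default", "Containers": {"b2": {"Name": "dockge"}}},
])
AFTER = json.dumps([  # after adding the dockge network to SWAG's compose.yml
    {"Name": "swag_default", "Containers": {"a1": {"Name": "swag"}}},
    {"Name": "dockge_default", "Containers": {"b2": {"Name": "dockge"}, "a1": {"Name": "swag"}}},
])

if __name__ == "__main__":
    print(check_conf(SAMPLE_CONF, BEFORE), check_conf(SAMPLE_CONF, AFTER))
```

On a real host, pass the conf file's contents and the output of `docker network inspect` for the networks of interest in place of the constructed samples.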