docudjeex/content/3.serveex/2.core/3.swag.md
2025-07-03 20:22:12 +00:00



:ellipsis{left=0px width=40rem top=10rem blur=140px}

SWAG

::alert{type="info"} 🎯 Goals:

  • Install Swag
  • Enable SSL
  • Access the dashboard
  • Configure regional blocking
  • Expose Dockge ::

Swag is the core of this homelab. It is a powerful reverse proxy that allows you to expose services on the internet via domain names, handling SSL certificates, request routing, and access security. Full documentation is available here.

::alert{type="warning"} :::list{type="warning"}

  • SWAG is only useful if you plan to expose your services on the internet (e.g., https://service.mydomain.com). If you prefer to use a VPN instead, skip to this section. ::: ::

Below is an example for exposing Dockge. We'll install SWAG, the dbip mod for geo-blocking, and the dashboard mod for managing SWAG, fail2ban, and geolocation.

What a reverse proxy is and how it works for us:

Picture

Installation


::alert{type="info" icon="exclamation-circle"} :::list{type="info"}

  • This tutorial assumes you have a domain name pointing to your server, and a NAT rule forwarding port 443 to your server. Example domain: mydomain.com. ::: ::

File structure we'll edit:

root
└── docker
    └── swag
        ├── config
        │   ├── dns-conf
        │   │   └── ovh.ini
        │   └── nginx
        │       ├── dbip.conf
        │       ├── nginx.conf
        │       └── proxy-confs
        │           └── dockge.subdomain.conf      
        ├── compose.yml
        └── .env

Open Dockge, click compose, name the stack swag, and paste this config:

services:
  swag:
    image: lscr.io/linuxserver/swag:latest
    container_name: swag
    cap_add:
      - NET_ADMIN
    env_file:
      - .env
    environment:
      - TZ=Europe/Paris
      - URL=${DOMAIN}
      - EXTRA_DOMAINS=${DOMAINS}
      - SUBDOMAINS=wildcard # covers subdomains
      - VALIDATION=dns
      - DNSPLUGIN=${PLUGIN}
      - EMAIL=${EMAIL}
      - DOCKER_MODS=linuxserver/mods:swag-dbip|linuxserver/mods:swag-dashboard|linuxserver/mods:swag-auto-reload
    volumes:
      - /docker/swag/config:/config
    ports:
      - 80:80
      - 443:443
      - 81:81 # Required for the dashboard
    restart: unless-stopped
    networks:
      - swag

networks:
  swag:
    name: swag_default

::alert{type="success"} Tip: Add a watchtower label to auto-update containers:

services:
  swag:
    #...
    labels:
      - com.centurylinklabs.watchtower.enable=true

::

In your .env:

DOMAIN=
DOMAINS=
EMAIL=
PLUGIN=

Fill in the values:

| Property | Value | Examples |
|----------|-------|----------|
| DOMAIN | Your main domain | mydomain.com |
| DOMAINS | Other domains (if any) | seconddomain.com |
| EMAIL | Your email for SSL | you@email.com |
| PLUGIN | Your DNS provider's plugin | ovh, cloudflare |

Edit ovh.ini:

sudo vi /docker/swag/config/dns-conf/ovh.ini

dns_ovh_endpoint = ovh-eu
dns_ovh_application_key =
dns_ovh_application_secret =
dns_ovh_consumer_key =

Generate your token here. Required permissions:

  • GET /domain/zone/*
  • PUT /domain/zone/*
  • POST /domain/zone/*
  • DELETE /domain/zone/*

Now configure dbip:

sudo vi /docker/swag/config/nginx/nginx.conf

Add this under http:

include /config/nginx/dbip.conf;

Restart the stack.

Dashboard


Access the dashboard at http://yourserverip:81. Details here.

DBIP


Geo-block config example:

# ... (Same geo-block nginx example as before)

Exposing Dockge


::alert{type="info"} 📋 Prerequisites: A subdomain dockge.mydomain.com with CNAME pointing to mydomain.com, and NAT port 443 properly configured. ::

::alert{type="warning"} :::list{type="warning"}

  • Dockge lacks MFA. Only expose it with MFA (e.g., Authentik). Otherwise, use a VPN. ::: ::

Configure dockge.subdomain.conf as:

# ... (Same nginx reverse proxy config)

Edit SWAG's compose.yml to add Dockge's network:

services:
  swag:
    # ...
    networks:
      - dockge

networks:
  dockge:
    name: dockge_default
    external: true

Redeploy SWAG. Access Dockge via https://dockge.mydomain.com.

Exposing Other Services


SWAG includes many sample confs: service.subdomain.conf.sample. Duplicate and configure them:

cd /docker/swag/config/proxy-confs
sudo cp service.subdomain.conf.sample service.subdomain.conf

::alert{type="danger"} :::list{type="danger"}

  • If a subdomain isn't routing correctly: :::
  • Check the container name in set $upstream_app ...;
  • Ensure the service's network is added to SWAG's compose.yml ::
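
The two troubleshooting checks above, together with the MFA warning from the Dockge section, can be run as one audit over each proxy conf before it is exposed; the following is an added example, not code from the original page or from SWAG. The auth include file names, the container/network map (as `docker inspect` would report it) and the sample confs are assumptions constructed for illustration.

```python
import re

# Uncommented "set $upstream_app <name>;" line in a proxy conf.
UPSTREAM_RE = re.compile(r"^\s*set\s+\$upstream_app\s+([^;\s]+)\s*;", re.M)
# Uncommented auth include; file names are an assumption (SWAG sample-conf style).
AUTH_RE = re.compile(
    r"^\s*include\s+/config/nginx/(authentik|authelia)-(server|location)\.conf\s*;", re.M)

def audit_conf(name, text, swag_networks, container_networks):
    """Return findings for one proxy conf; an empty list means it passed."""
    findings = []
    apps = sorted(set(UPSTREAM_RE.findall(text)))
    if not apps:
        findings.append(f"{name}: no active 'set $upstream_app' line")
    for app in apps:
        nets = container_networks.get(app)
        if nets is None:
            findings.append(f"{name}: no container named '{app}'")
        elif not set(nets) & set(swag_networks):
            findings.append(f"{name}: '{app}' shares no network with swag")
    # Both the server-level and the location-level include must be active.
    kinds = {kind for _provider, kind in AUTH_RE.findall(text)}
    if kinds != {"server", "location"}:
        findings.append(f"{name}: auth includes not fully enabled")
    return findings

# Constructed sample data: networks as `docker inspect` would report them.
SWAG_NETWORKS = ["swag_default", "dockge_default"]
CONTAINER_NETWORKS = {"dockge": ["dockge_default"], "app2": ["app2_default"]}

# Constructed proxy conf, not the page's elided dockge.subdomain.conf.
GOOD_CONF = """
server {
    server_name dockge.*;
    include /config/nginx/authentik-server.conf;
    location / {
        include /config/nginx/authentik-location.conf;
        set $upstream_app dockge;
        proxy_pass http://$upstream_app:5001;
    }
}
"""
# Same conf with auth commented out and an upstream on an unshared network.
BAD_CONF = (GOOD_CONF.replace("include /config", "#include /config")
            .replace("$upstream_app dockge;", "$upstream_app app2;"))

if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, audit_conf(label, conf, SWAG_NETWORKS, CONTAINER_NETWORKS))
```
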