Skip to content

Instantly share code, notes, and snippets.

@quietsy
Last active October 8, 2024 11:00
Show Gist options
  • Save quietsy/58590a640dd4f7a89696c68b0e6a8691 to your computer and use it in GitHub Desktop.
Save quietsy/58590a640dd4f7a89696c68b0e6a8691 to your computer and use it in GitHub Desktop.
Securing SWAG
@quietsy
Copy link
Author

quietsy commented Oct 15, 2020

Thanks!
More changes:

  • Changed conf to local based on gilbN's comment
  • Changed internal applications and phrasing based on driz's comments on discord
  • Changed formatting and phrasing

@SteaceP
Copy link

SteaceP commented Feb 24, 2021

You said "uncomment" the X-Robots-Tag, but it's not there or not there anymore.
Do the LinuxServer guys removed it?
I know I can just add it but I still want to know if there's a reason that they may have removed it.
Thanks for this guide, very much appreciated!

@nemchik
Copy link

nemchik commented Feb 24, 2021

You said "uncomment" the X-Robots-Tag, but it's not there or not there anymore.
Do the LinuxServer guys removed it?
I know I can just add it but I still want to know if there's a reason that they may have removed it.
Thanks for this guide, very much appreciated!

I actually don't think it was ever in the config (it's not in the repo history). You can simply add it to the ssl.conf file though.

@quietsy
Copy link
Author

quietsy commented Feb 24, 2021

You said "uncomment" the X-Robots-Tag, but it's not there or not there anymore.
Do the LinuxServer guys removed it?
I know I can just add it but I still want to know if there's a reason that they may have removed it.
Thanks for this guide, very much appreciated!

I guess it was removed, or it was never there! :)
Though you can still find it in the Readme if you search "X-Robots-Tag".

@viper306
Copy link

viper306 commented Mar 3, 2021

If I use: curl -I https://example.com

It displays all my header info.
I am new to this, but is there any way to hide/reduce that info?

@thickconfusion
Copy link

@GilbN fail2ban is now included with SWAG. Here are their default filters.

Do you have any generic suggestions for NGINX publicly hosted sites for the nginx-deny.conf filter?

@behnam-io
Copy link

Thanks for this great gist @quietsy. I see you also used cloudflare for dns. I'm trying to use swag + cloudflare but with cloudflare's proxy on; actually what I want is to hide my server's IP. Is there any possiblity to do this? I have swag setup with cloudflare, but If I ping my dockers' url I get my server IP :/; want to have this hidden by cloudflare

@drizuid
Copy link

drizuid commented Dec 6, 2021

just turn cf proxy on; you may need our cloudflare-real-ip swag mod, but generally it just works. If you need support from us though, turn it off before asking. We dont support it being on (though it works fine)

@behnam-io
Copy link

behnam-io commented Dec 6, 2021

@drizuid thanks for the guide. I turned it on, but it doesn't hide my server's IP. I ping my docker image's domain and I get my server's IP.

UPDATE:
I tested your mod. But didn't understand what it does, precisely (for my case).

I think i'm getting close to some clues. Found this on cloudflare's website:

Yes. Cloudflare supports the wildcard '*' record for DNS management in all customer plans.
Free, Pro, and Business plans
Non-enterprise customers can create but not proxy wildcard records.

I had used wildcard CNAME record. that's why my subdomain was getting exposed.

Now, idealistically I want something to overcome this issue, cause I have more than handful of sudbomains, but otherwise it's still possible to hide my server's IP by adding A records in CF manually.

@agingorange
Copy link

That was a good read, @quietsy. I'm using lscr.io/linuxserver/swag and I want to do geo blocking, but there is no geoip2.conf and no mention of it in nginx.conf? Should I look for another image?

@quietsy
Copy link
Author

quietsy commented Jan 10, 2022

Hey @agingorange , please use the updated guide at https://virtualize.link/secure/

@agingorange
Copy link

@quietsy Fantastic. Thanks much!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment