Using SWAG as Reverse Proxy
Should you experience problems with SWAG, we recommend that you ask the SWAG community for advice, as we cannot provide support for third-party software and services.
To simplify the setup of a reverse HTTPS proxy, Linuxserver.io developed SWAG.
SWAG - Secure Web Application Gateway (formerly known as letsencrypt, no relation to Let's Encrypt™) sets up an Nginx web server and reverse proxy with PHP support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let's Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.
Setup
Step 1: Get a domain
The first step is to get a dynamic DNS hostname if you don't already have your own subdomain. You can get one from, for example, DuckDNS.
Step 2: Set up SWAG
Then you will need to set up SWAG. The variables of the Docker Compose file are explained on the GitHub page of SWAG. This is an example of how to set it up using DuckDNS and docker-compose.
compose.yaml
services:
  swag:
    image: ghcr.io/linuxserver/swag
    container_name: swag
    restart: unless-stopped
    ports:
      - 443:443
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/Brussels
      - URL=<mydomain.duckdns>
      - SUBDOMAINS=wildcard
      - VALIDATION=duckdns
      - CERTPROVIDER= #optional
      - DNSPLUGIN= #optional
      - DUCKDNSTOKEN=<duckdnstoken>
      - EMAIL=<e-mail> #optional
      - ONLY_SUBDOMAINS=false #optional
      - EXTRA_DOMAINS=<extradomains> #optional
      - STAGING=false #optional
    volumes:
      - /etc/config/swag:/config
Don't forget to change mydomain.duckdns into your personal domain and duckdnstoken into your token, and remove the brackets.
Step 3: Change the config files
Navigate to the config folder of SWAG and head to proxy-confs. If you used the example above, you should navigate to: /etc/config/swag/nginx/proxy-confs/
There are a lot of preconfigured files to use for different apps such as radarr, sonarr, overseerr, ...
To use the bundled configuration file, simply rename photoprism.subdomain.conf.sample in the proxy-confs folder to photoprism.subdomain.conf.
Alternatively, you can create a new file photoprism.subdomain.conf in proxy-confs with the following configuration:
photoprism.subdomain.conf
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name photoprism.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_app photoprism;
        set $upstream_port 2342;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}
Step 4: Port-forward port 443
Since SWAG allows you to set up a secure connection, you will need to open port 443 on your router for encrypted HTTPS traffic. This is far more secure than using port 80 for unencrypted HTTP.
Step 5: Restart SWAG
When you change anything in the config of Nginx, you will need to restart the container using docker restart swag.
If everything went well, you can now access photoprism on the subdomain you configured: photoprism.mydomain.duckdns.org
Attention
PhotoPrism's container name will by default be prefixed with the directory name, e.g. "photoprism-photoprism-1", so that it is not just "photoprism". To check this, run docker ps and see if it is "photoprism". If not, go to your compose.yaml file and add the following line to photoprism under image: container_name: photoprism. Then restart SWAG. Note, however, that you may not have two containers with the same name. If you are running multiple instances, you can change the container name in the SWAG config file in the proxy-confs directory.
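The check described in the note above can be scripted. The following is an added example, not part of the PhotoPrism or SWAG documentation: it reads the name set as $upstream_app in a proxy conf and compares it, as an exact match, against the container names reported by docker ps. The function names and the sample data are assumptions made for the example, and it checks container names only, as the note does.

```shell
#!/bin/sh
# Added example, not part of the PhotoPrism or SWAG projects.

# Print the name assigned by `set $upstream_app <name>;` in nginx config read from stdin.
upstream_app() {
    sed -n 's/^[[:space:]]*set[[:space:]][[:space:]]*\$upstream_app[[:space:]][[:space:]]*\([^;[:space:]]*\);.*/\1/p' |
        head -n 1
}

# check_upstream CONF_TEXT NAMES
#   CONF_TEXT: contents of a proxy conf; NAMES: newline-separated container names.
#   Returns 0 on an exact match, 1 if no container has that name,
#   2 if the conf never sets $upstream_app.
check_upstream() {
    app=$(printf '%s\n' "$1" | upstream_app)
    [ -n "$app" ] || return 2
    # -F fixed string, -x whole line: "photoprism-photoprism-1" must not match "photoprism".
    printf '%s\n' "$2" | grep -Fqx -- "$app"
}

# Constructed sample input: an excerpt of the proxy conf shown above and two
# possible outputs of `docker ps --format '{{.Names}}'`.
SAMPLE_CONF='server {
    server_name photoprism.*;
    location / {
        set $upstream_app photoprism;
        set $upstream_port 2342;
    }
}'
NAMES_DEFAULT='swag
photoprism-photoprism-1'
NAMES_FIXED='swag
photoprism'

for names in "$NAMES_DEFAULT" "$NAMES_FIXED"; do
    if check_upstream "$SAMPLE_CONF" "$names"; then
        echo "OK: a container named like \$upstream_app is running"
    else
        echo "MISMATCH: set container_name or edit \$upstream_app in the proxy conf"
    fi
done

# On a real host:
#   check_upstream "$(cat /etc/config/swag/nginx/proxy-confs/photoprism.subdomain.conf)" \
#                  "$(docker ps --format '{{.Names}}')"
```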
Why Use a Proxy?
If you install PhotoPrism on a public server outside your home network, always run it behind a secure HTTPS reverse proxy. Your files and passwords will otherwise be transmitted in clear text and can be intercepted by anyone, including your provider, hackers, and governments. Backup tools and file sync apps may refuse to connect as well.