SWAG vs Nginx Proxy Manager for Docker?

SWAG is more feature-rich with built-in fail2ban, PHP support, and automated SSL renewal, while Nginx Proxy Manager offers a web UI for easier management. SWAG is better for those needing advanced security and automation without a graphical interface.

How to enable HTTP/3 in SWAG?

Expose UDP port 443, uncomment QUIC listeners in all active proxy configs and the default.conf, and enable the Alt-Svc header in ssl.conf, then restart the container. The README also recommends adjusting UDP buffer sizes on the host for optimal performance.

Can SWAG handle wildcard SSL certificates?

Yes, SWAG supports wildcard certificates via DNS validation by setting the SUBDOMAINS variable to 'wildcard' and configuring a DNS plugin like Cloudflare with credentials in /config/dns-conf, as detailed in the validation setup section.

How to troubleshoot certificate renewal failures in SWAG?

Check logs under /config/log/letsencrypt for errors, ensure port forwarding is correct for HTTP validation or DNS credentials are valid, and use STAGING=true for testing. The README recommends setting an email in docker parameters for expiration notices.

Is SWAG suitable for production use?

Yes, SWAG is designed for production with automated certificate renewal, security hardening like fail2ban, and regular updates. However, ensure proper configuration, monitoring, and backup of /config volume to avoid downtime during updates.

How to add a custom Certbot plugin to SWAG?

Use the Universal Package Install Docker Mod by setting DOCKER_MODS=linuxserver/mods:universal-package-install and INSTALL_PIP_PACKAGES=certbot-dns- , then configure credentials in /config/dns-conf, as per the Certbot Plugins section in the README.

SWAG (Secure Web Application Gateway) — Secure Nginx Docker Container

What is SWAG (Secure Web Application Gateway)?

SWAG is a Docker container that bundles Nginx, PHP, Certbot, and fail2ban into a single image to serve as a secure web application gateway. It automates the setup of HTTPS with free SSL certificates, acts as a reverse proxy for routing traffic to backend services, and provides intrusion prevention to protect web applications. The project solves the complexity of manually configuring and maintaining a secure web server stack.

Target Audience

System administrators, DevOps engineers, and self-hosting enthusiasts who need a pre-configured, secure web server and reverse proxy for deploying web applications, especially in containerized environments.

Value Proposition

Developers choose SWAG because it combines multiple essential tools (Nginx, Certbot, fail2ban) into one easy-to-deploy Docker container, drastically reducing setup time and configuration errors. Its included reverse proxy configurations and automated certificate renewal make it a turnkey solution for securing web services.

Nginx webserver and reverse proxy with php support and a built-in Certbot (Let's Encrypt) client. It also contains fail2ban for intrusion prevention.

Use Cases

Best For

Self-hosting multiple web applications behind a single reverse proxy with HTTPS
Automating SSL certificate issuance and renewal for personal projects or internal services
Securing web servers with fail2ban to block brute-force attacks and malicious traffic
Deploying a pre-configured Nginx and PHP stack for development or production environments
Routing traffic to backend containers or services using pre-built reverse proxy configurations
Setting up a secure gateway for home lab services with minimal manual configuration

Not Ideal For

Enterprises requiring custom Nginx optimizations for high-traffic load balancing beyond pre-built configs
Teams using Kubernetes who prefer native Ingress controllers over a Docker-based reverse proxy
Projects needing real-time, dynamic configuration changes without container restarts, as SWAG's auto-reload is optional and filesystem-dependent

Pros & Cons

Pros

Automated SSL Certificates

Integrates Certbot to automatically obtain and renew free SSL certificates from Let's Encrypt or ZeroSSL, supporting both HTTP and DNS validation methods, with nightly renewal checks as per the setup instructions.

Pre-built Reverse Proxy Configs

Includes a collection of pre-configured reverse proxy configurations for popular applications in /config/nginx/proxy_confs, drastically reducing setup time for routing traffic to backend services.

Built-in Security Features

Comes with fail2ban pre-configured with multiple jails like nginx-http-auth to block malicious IPs, and ships with strong Diffie-Hellman parameters (ffdhe4096) and security headers for enhanced protection.

PHP and Modern Protocol Support

Provides PHP-FPM for running PHP-based web applications and optional QUIC/HTTP/3 support, configurable by exposing UDP port 443 and editing configuration files for improved performance.

Cons

Manual Configuration Updates

Config updates noted in the changelog are not automatically applied; users must manually update files or delete and regenerate them, which can lead to errors or missed security patches.

Complex DNS Validation Setup

DNS-based certificate validation requires setting up credentials in specific files under /config/dns-conf, with varying processes per provider like Cloudflare or DuckDNS, increasing setup complexity and potential for misconfiguration.

Read-Only Operation Limitations

Running the container in read-only mode disables fail2ban as it needs to modify iptables, limiting intrusion prevention features in security-restricted environments, as noted in the caveats section.

What is SWAG (Secure Web Application Gateway)?

Target Audience

Value Proposition

Use Cases

Best For

Self-hosting multiple web applications behind a single reverse proxy with HTTPS
Automating SSL certificate issuance and renewal for personal projects or internal services
Securing web servers with fail2ban to block brute-force attacks and malicious traffic
Deploying a pre-configured Nginx and PHP stack for development or production environments
Routing traffic to backend containers or services using pre-built reverse proxy configurations
Setting up a secure gateway for home lab services with minimal manual configuration

Not Ideal For

Enterprises requiring custom Nginx optimizations for high-traffic load balancing beyond pre-built configs
Teams using Kubernetes who prefer native Ingress controllers over a Docker-based reverse proxy
Projects needing real-time, dynamic configuration changes without container restarts, as SWAG's auto-reload is optional and filesystem-dependent

Pros & Cons

Pros

Automated SSL Certificates

Pre-built Reverse Proxy Configs

Includes a collection of pre-configured reverse proxy configurations for popular applications in /config/nginx/proxy_confs, drastically reducing setup time for routing traffic to backend services.

Built-in Security Features

PHP and Modern Protocol Support

Provides PHP-FPM for running PHP-based web applications and optional QUIC/HTTP/3 support, configurable by exposing UDP port 443 and editing configuration files for improved performance.

Cons

Manual Configuration Updates

Config updates noted in the changelog are not automatically applied; users must manually update files or delete and regenerate them, which can lead to errors or missed security patches.

Complex DNS Validation Setup

Read-Only Operation Limitations

Running the container in read-only mode disables fail2ban as it needs to modify iptables, limiting intrusion prevention features in security-restricted environments, as noted in the caveats section.

SWAG (Secure Web Application Gateway)

What is SWAG (Secure Web Application Gateway)?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?

SWAG (Secure Web Application Gateway)

What is SWAG (Secure Web Application Gateway)?

Overview

Use Cases

Best For

Not Ideal For

Pros & Cons

Pros

Cons

Frequently Asked Questions

Related Projects

Found a gem we're missing?