Allow site access in SWAG NGINX using Dynamic DNS instead of Static IP in Unraid

There are many reasons why you may want to allow your own public IP address access to your hosted resources but block any other IP address, whether its convenience, lack of a local DNS on your local network, or inability to configure a local DNS due to the setup of your network, this guide will show you the steps needed to resolve your public IP address and integrate it into your SWAG configurations.

Please note that the instructions in this guide are specifically designed for the linuxserver SWAG container, if you are using a different container there is not guarantee these exact steps will work but you may be able to modify them as needed.

Installing crontab mod for SWAG in Unraid

If you are using the SWAG docker image provided by linuxserver then you can add the universal cron mod which will allow you to run scheduled tasks, we will use this ability to run commands that refresh the public IP address in nginx in later steps.

1. Install the universal cron mod by editing the SWAG docker container in unraid
   
   
   
   
   
   
   
2. Next, set an environment variable DOCKER_MODS=linuxserver/mods:universal-cron

   
   

   If adding multiple mods, enter them in an array separated by |, such as DOCKER_MODS=linuxserver/mods:universal-cron|linuxserver/mods:universal-mod2
   
   

   

   
   
3. Save the edits and start the SWAG container, you will noticed in the directory you have configured as the SWAG /config folder, a crontabs folder will appear with two files:
   
   This mod will ensure you have /config/crontabs/root and /config/crontabs/abc files where you can add cron jobs to run inside the container as root or as the abc user (associated with the PUID/PGID environment variables).
   
   
   
   
   
4. To test that the crontab mod is working you can add the following line to one of the crontab files, after restarting the container and waiting 5 minutes you should then see a tmp.txt file appear in the config directory.
   */5 * * * *    /bin/echo test >> /config/tmp.txt
   In the file will look like this:
   
   
   
   
   
5. Once you have tested that is all working you are free to remove that line from the file.

Implementing a custom script to save the current public ip

Now that the cron mod for SWAG is enabled we can now look to create the script and schedule it to run on a regular basis to update the public IP address.

1. In the previous steps you may have noticed that there are a couple other entries that were pre-populated automatically when you edited that file, these run maintenance tasks for the container.
   
   The run-parts command noted on most of these runs all of the scripts in the specified path at the interval specified in the crontab, we can use these to run script files that could have multiple lines of commands as long as we place the script in the correct folder structure.
   
   NOTE: We have need to make some changes to these folder paths as the linuxserver SWAG container goes by /config as a top level, so here I have copied the hourly line and added the /config at the start
   
   
   
   
2. Next you will need to create the folder structure as per the referenced path, /config/etc/periodic/hourly maps to  /appdata/swag/etc/periodic/hourly on unraid so just make sure the folders exist.
   
   
   
   
   
3. Create a new file in the directory called daily.bash or alternatively download a copy from my GitHub
   
   #!/bin/bash
getent hosts my.ddnsdomain.com | awk '{print "allow\t\t" $1 ";\t\t# DDNS IP" }' > /config/nginx/homeip.inc
nginx -c /config/nginx/nginx.conf -s reload
   
   
4. If saving the script from Windows be sure to use UNIX line endings (EOL), heres how to check it in Notepad++
   
   
   
   
   
5. You may need to make the file executable so to do this, open a console in Unraid and run the following command with the appropriate file path
   chmod +x /mnt/user/appdata/swag/etc/periodic/hourly/daily.bash
6. Restart the SWAG docker container and wait to see if the homeip.inc file appears in the /swag/nginx directory.

Updating your configuration to allow your public IP and deny all else

In the previous steps we created the process for resolving the current public IP and saving it to a file in a format that we can reference in our nginx configuration files, next we will call that file and add it to a configuration.

1. In your desired proxyconf file, you will want to paste in the following line referencing the file being created by our script
   include /config/nginx/homeip.inc;
   You may then follow that line with the following if you have an internal.conf file configured with your local IP range
   include /config/nginx/internal.conf;
   
   Since my internal.conf is configured an has a deny all; statement at the end that is all I need to configure.
   
   
   
   
   
   
2. By default the nginx will return a 403 page however in this instance I don't want to send any response, I want it to act like the site doesn't exist so I will further customize my config by adding the following location block:
   
   
           location @errors {
     return 444;
   }
   error_page
     301 302 303 304 307 308
     400 401 402 403 404 405 406 408 409 410 411 412 413 414 415 416 421 429
     500 501 502 503 504 505 507
     @errors;

Reference Links:

Github repository for this article: https://github.com/lukegackle/SWAG-Dynamic-DNS-IP-Updater

Base steps I modified to support SWAG on unraid: https://mangolassi.it/topic/15267/how-to-allow-site-access-in-nginx-by-ddns-instead-of-by-ip

https://github.com/linuxserver/docker-mods/tree/universal-cron

https://stackoverflow.com/questions/13621915/one-location-block-for-all-nginx-error-codes