

SWAG (Secure Web-server And Gateway) sets up an NGINX webserver and reverse proxy with PHP support and a built-in swag client that automates free SSL server certificate generation and renewal processes. It also contains fail2ban for intrusion prevention.

LinuxServer's SWAG Starter Guide

Official Guide

If this is your first time learning about NGINX, proxies, or Let's Encrypt, we highly recommend you read over the official guide for the container.

General Setup

Out of the box, the SWAG container created by performs reverse proxy functions using NGINX and automatic https encrypted connections using certificates provided by Let's Encrypt.

To configure your reverse proxy, consider if you want to use subfolders (ie. or subdomains (ie. Subdomains will take more configuration, as DNS entries and certificate subject alternate names are required.

The first thing to set up is your domain and email settings in .docker/compose/.env under SWAG. Set the SWAG_EMAIL and SWAG_URL. If using subdomains, be sure to add each subdomain prefix to SWAG_SUBDOMAINS (e.g. SWAG_SUBDOMAINS=portainer,deluge,pihole).

There are a number of sample proxy configuration files in ~/.config/appdata/swag/nginx/proxy-confs/, and in most cases you will just need to remove the .sample from the filename. Currently not every applicable app has an example configuration, and the examples are still being tested.

Subfolder Example:

cp ~/.config/appdata/swag/nginx/proxy-confs/portainer.subfolder.conf.sample ~/.config/appdata/swag/nginx/proxy-confs/portainer.subfolder.conf

This will make Portainer available at

Subdomain Example:

cp ~/.config/appdata/swag/nginx/proxy-confs/portainer.subdomain.conf.sample ~/.config/appdata/swag/nginx/proxy-confs/portainer.subdomain.conf

and will enable the service at

Each time you change a proxy conf file you will need to restart the Swag container:

docker restart swag
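
An added example, not DockSTARTer's or LinuxServer's own code: a shell check that every enabled *.subdomain.conf has its subdomain listed in SWAG_SUBDOMAINS, which the setup above requires so the name is among the certificate's subject alternative names. The function names, the `server_name <prefix>.*;` form it parses, and the fixture are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example; not DockSTARTer or LinuxServer code.
# Lists enabled *.subdomain.conf files whose subdomain is absent from
# SWAG_SUBDOMAINS in the .env file.

# missing_subdomains ENV_FILE PROXY_CONF_DIR
# Prints one missing subdomain per line; returns 1 if any are missing.
missing_subdomains() {
    local env_file="$1"
    local conf_dir="$2"
    local listed conf name
    local rc=0
    # The last SWAG_SUBDOMAINS= line wins; drop quotes and spaces.
    listed=$(sed -n 's/^SWAG_SUBDOMAINS=//p' "$env_file" | tail -n 1 | tr -d "\"' ")
    for conf in "$conf_dir"/*.subdomain.conf; do
        [ -e "$conf" ] || continue   # glob matched nothing
        # Assumption: the conf names its host as "server_name <prefix>.*;"
        name=$(sed -n 's/^[[:space:]]*server_name[[:space:]]\{1,\}\([A-Za-z0-9-]\{1,\}\)\.\*;.*/\1/p' "$conf" | head -n 1)
        # Otherwise fall back to the file name prefix.
        [ -n "$name" ] || name=$(basename "$conf" .subdomain.conf)
        case ",$listed," in
            *",$name,"*) ;;   # listed, nothing to report
            *) printf '%s\n' "$name"; rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed fixture: portainer is listed, deluge is enabled but not
# listed, sonarr is still a .sample and must be ignored.
demo() {
    local d rc
    d=$(mktemp -d)
    printf 'SWAG_SUBDOMAINS=portainer,pihole\n' > "$d/.env"
    printf 'server {\n    server_name portainer.*;\n}\n' > "$d/portainer.subdomain.conf"
    printf 'server {\n    server_name deluge.*;\n}\n' > "$d/deluge.subdomain.conf"
    printf 'server {\n    server_name sonarr.*;\n}\n' > "$d/sonarr.subdomain.conf.sample"
    missing_subdomains "$d/.env" "$d" && rc=0 || rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || echo "enabled but not in SWAG_SUBDOMAINS (listed above)" >&2
```

Against a real install, call `missing_subdomains .docker/compose/.env ~/.config/appdata/swag/nginx/proxy-confs` before restarting the container.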

Redirect HTTP to HTTPS

With this change, a request to http://blahblah is redirected to https://blahblah.

  1. Edit ~/.config/appdata/swag/nginx/site-confs/default

  2. Uncomment the relevant part of the file (see below)

# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
server {
    listen 80;
    listen [::]:80;
    server_name _;
    return 301 https://$host$request_uri;
}

  3. Restart the swag container

docker restart swag

Ports in proxy_pass

By default, any port listed under proxy_pass in the .conf files points to the internal port of the container. If the application you are putting behind the reverse proxy is hosted on another system, or on the host, and uses a different port, you can change the port. Remember to restart the swag container afterwards.