SWAG (Secure Web Application Gateway)
SWAG (Secure Web Application Gateway) gives you an NGINX web server and reverse proxy on your own infrastructure.
Nginx, SSL certificates, and intrusion prevention in one Docker container. Honestly reviewed.
TL;DR
- What it is: A LinuxServer.io-maintained Docker container that bundles nginx, Certbot (Let’s Encrypt/ZeroSSL), PHP, and fail2ban into a single self-hosted reverse proxy with automatic SSL [README][docs].
- Who it’s for: Home lab runners and small-team self-hosters who want a battle-tested, configuration-file-based reverse proxy without stitching three separate tools together.
- Cost: Free (GPL-3.0 licensed). You pay for a VPS or run it on your own hardware. A $6 Hetzner server handles most home lab setups comfortably [README].
- Key strength: Ships with pre-built nginx proxy configuration samples for dozens of popular self-hosted apps. You’re rarely starting from scratch [docs].
- Key weakness: Config-file-based setup has a learning curve that will feel steep if you’re coming from a GUI like Nginx Proxy Manager. There is no web interface.
What is SWAG (Secure Web Application Gateway)
SWAG is a Docker container published and maintained by the LinuxServer.io team. Its GitHub description is blunt and accurate: “Nginx webserver and reverse proxy with php support and a built-in Certbot (Let’s Encrypt) client. It also contains fail2ban for intrusion prevention.” [README]
Before you hit a single config file, that sentence tells you three decisions have already been made for you: nginx handles traffic, Certbot handles certificates, and fail2ban watches for malicious actors. That’s a meaningful chunk of the self-hosted reverse proxy stack assembled, versioned together, and maintained by a team with a long track record in the Docker self-hosting community.
The project was formerly known as the “letsencrypt” container — a confusing name it shared with the unrelated Let’s Encrypt certificate authority. The rename to SWAG makes the broader scope clearer. It isn’t just a certificate tool; it’s a complete gateway layer for your self-hosted services [docs].
LinuxServer.io maintains a sprawling catalog of Docker images (Jellyfin, Nextcloud, Sonarr, Radarr, and hundreds more). SWAG sits at the front of most of those deployments. That tight integration with the LinuxServer ecosystem is part of what makes SWAG the default reverse proxy recommendation across home lab forums, Reddit threads, and Unraid community guides. As of this review, the GitHub repository has accumulated 3,630 stars [README].
Why people choose it
SWAG fills a specific gap in the self-hosting landscape: you need a reverse proxy that handles HTTPS termination, and you don’t want to separately manage nginx, certbot renewals, and an intrusion prevention layer on a cron schedule.
The alternative assembly tax is real. If you deploy bare nginx and add Certbot manually, you’re responsible for the renewal hooks, the nginx reload after renewal, the version compatibility between packages, and the fail2ban rules on top. SWAG absorbs that maintenance surface into a single container with a single update operation. LinuxServer commits to regular and timely application updates, weekly base OS updates, and common layers across their ecosystem to minimize bandwidth and downtime [README].
DNS-validated wildcard certificates change the game. SWAG supports both HTTP and DNS validation. HTTP validation (port 80) is fine for a basic setup, but DNS validation — via a list of supported DNS provider plugins configured in /config/dns-conf/ — lets you issue wildcard certificates (e.g. *.yourdomain.com) without exposing port 80 at all [docs]. That matters when you’re running internal services you don’t want publicly routed but still want HTTPS.
Two cert providers, not one. As of January 2021, SWAG supports both Let’s Encrypt and ZeroSSL [docs]. Let’s Encrypt rate limits new users who make multiple failed validation attempts — a common frustration during initial setup. ZeroSSL has no such throttling and adds a web dashboard for cert management. SWAG defaults to Let’s Encrypt to preserve backward compatibility, but switching is one environment variable: CERTPROVIDER=zerossl [docs].
The proxy config sample library. This is the underrated reason experienced self-hosters reach for SWAG first. The container ships with pre-written nginx server block templates for common applications — Nextcloud, Jellyfin, Bitwarden, Plex, Authelia, and dozens more. You copy the sample, uncomment the right lines, and you’re done. The alternative is writing nginx location blocks from scratch, which is a documentation rabbit hole most non-technical users do not survive.
Features
SSL certificate management:
- Automated certificate generation via Certbot on first container start [docs]
- Auto-renewal: certs checked nightly, renewed automatically if expiry is within 30 days [docs]
- HTTP validation (ACME, requires port 80) and DNS validation (no port 80 required, supports wildcards) [docs]
- Cert providers: Let’s Encrypt (default) or ZeroSSL [docs]
- 90-day certificate validity with zero manual intervention after initial setup [docs]
Reverse proxy:
- Full nginx web server with PHP support [README]
- Pre-built proxy configuration samples for popular self-hosted apps
- Wildcard subdomain routing
- Custom subdomain and multi-domain configurations via the SUBDOMAINS and EXTRA_DOMAINS environment variables [docs]
- Port 443 required; port 80 optional (used for HTTP validation and redirect) [docs]
Security:
- fail2ban for intrusion prevention, bundled and pre-configured [README]
- Supports the NET_ADMIN capability for fail2ban’s iptables rules [docs]
Deployment:
- Docker CLI and Docker Compose support [docs]
- PUID/PGID mapping for file permission management [docs]
- Configuration persisted under the /config volume mount [docs]
- Compatible with Unraid, Proxmox, NAS environments, and standard Linux VPS
Optional add-ons:
- PHP support for hosting WordPress and PHP-based apps directly
- MariaDB pairing for a near-complete LEMP stack [docs]
- LDAP integration available (listed in feature flags)
Pricing: SaaS vs self-hosted math
SWAG is free software under the GPL-3.0 license. There is no paid tier, no cloud edition, no enterprise license [README]. You run it, you own it.
What you actually pay:
- The software: $0
- A VPS to run it: $5–10/month (Hetzner, Contabo, DigitalOcean)
- A domain name: $10–15/year
- Your time to configure it initially
What the commercial alternatives cost:
If you need HTTPS termination with automatic certificates and don’t want to self-host, the managed options include Cloudflare Tunnel (free tier exists but routes traffic through Cloudflare’s network, with data privacy implications), Nginx Plus (commercial nginx with support, pricing starts around $2,500/year for production deployments), and various CDN/WAF products that bundle TLS termination.
For a typical home lab or small startup running 5–15 self-hosted services, the math is straightforward: a $6/month VPS running SWAG handles everything a $100+/month managed reverse proxy service would, with full traffic sovereignty. Over a year, that’s the difference between $72 and $1,200+.
The caveat: managed services include support. If SWAG breaks at 2am before a client demo, you’re on your own — which is the honest trade-off every self-hosting decision involves.
Deployment reality check
SWAG’s Docker Compose setup is four environment variables away from a working container in straightforward scenarios [docs]:
```yaml
services:
  swag:
    image: lscr.io/linuxserver/swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - URL=yourdomain.url
      - SUBDOMAINS=www,
      - VALIDATION=http
    volumes:
      - /path/to/config:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped
```
What can slow you down:
Port forwarding. HTTP validation requires port 80 open on your router pointing to the SWAG host. DNS validation skips this but requires configuring a DNS provider API key in /config/dns-conf/. Neither is difficult, but both require understanding your network topology. If you’re behind CGNAT (common with mobile broadband or some ISPs), HTTP validation simply won’t work — DNS validation is your only path [docs].
Initial certificate generation blocks nginx startup. Nginx won’t serve traffic until Certbot successfully issues a certificate. If your domain isn’t pointed at your IP yet, or your port 80 isn’t open, SWAG will sit idle with no web server running. Check /config/log/letsencrypt/ for the reason [docs].
Let’s Encrypt rate limits. New users who misconfigure and retry quickly can hit Let’s Encrypt’s rate limits (5 failed validations per hour, 50 certificates per domain per week). The fix is switching to STAGING=true for test runs before going live — or using ZeroSSL which has no such limits [docs].
fail2ban needs NET_ADMIN. The cap_add: NET_ADMIN capability in the compose file isn’t optional if you want fail2ban to work. Running SWAG without it silently disables intrusion prevention. Some hardened environments restrict this capability.
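The DNS-validation path described above (no port 80, a wildcard certificate, a staging run first) looks like this in Compose. This is an added example, not a file from the SWAG docs: the Cloudflare plugin choice, the host paths and the domain are assumptions, and the plugin’s credentials file under /config/dns-conf/ still has to be filled in by hand.

```yaml
services:
  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN              # not optional: without it fail2ban cannot insert iptables bans
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Europe/London
      - URL=yourdomain.url     # assumption: replace with your own domain
      - SUBDOMAINS=wildcard    # request *.yourdomain.url instead of listing subdomains
      - VALIDATION=dns         # DNS-01 challenge: no inbound port 80, works behind CGNAT
      - DNSPLUGIN=cloudflare   # assumption: DNS hosted at Cloudflare; other plugins exist
      - STAGING=true           # first run against the staging CA so retries don't burn rate limits
      # - CERTPROVIDER=zerossl # alternative once the setup works, if Let's Encrypt limits bite
    volumes:
      - /path/to/config:/config
    ports:
      - 443:443                # port 80 deliberately not published
    restart: unless-stopped
```

After the first start the container writes a template for the chosen plugin to /config/dns-conf/; put the DNS API credentials there, restart, and once /config/log/letsencrypt/ shows a successful issuance set STAGING=false and restart again to obtain a browser-trusted certificate.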
Realistic time estimates:
- Technical user with Docker experience: 30–60 minutes to a working HTTPS reverse proxy
- Non-technical user following a guide: 2–4 hours, including domain DNS propagation wait time
- Users running DNS validation with a new provider API key: add 30 minutes
The LinuxServer.io documentation is genuinely good — the SWAG guide covers SSL basics, container setup, authorization methods, cert providers, and common examples in a single page [docs]. If you get stuck, the Discord and Discourse forum are active.
Pros and Cons
Pros
- Batteries included. nginx + Certbot + fail2ban + PHP in one container, maintained together. You update one image, not three separately managed services [README].
- Auto-renewing SSL certificates. Nightly checks, automatic 30-day-ahead renewal, zero cron jobs to write [docs].
- Wildcard cert support via DNS validation. Secure internal services without exposing port 80 to the internet [docs].
- ZeroSSL fallback. No more hitting Let’s Encrypt rate limits during initial setup fumbling [docs].
- Pre-built proxy config samples. Most popular self-hosted apps have a template included. You copy and uncomment, not write from scratch.
- LinuxServer.io maintenance cadence. Regular image updates, common base layers, active community — this isn’t an abandoned side project [README].
- GPL-3.0 license. Fully open source, no feature gating, no commercial upsell [README].
- Proven in production. 3,630 GitHub stars and dominant presence in self-hosting forums signal real-world adoption [README].
Cons
- No web UI. Everything is config files. Nginx Proxy Manager exists specifically because SWAG’s approach is too raw for non-technical users.
- Nginx configuration knowledge required. Adding a new service means editing nginx server block files. Basic misconfigurations produce cryptic 502 errors. There’s no guided workflow.
- NET_ADMIN capability requirement. Hardened environments that restrict Linux capabilities will either disable fail2ban or require workarounds.
- Single container for multiple concerns. Bundling nginx, Certbot, and fail2ban means a bug or upstream change in any of them requires waiting for LinuxServer to cut a new image.
- PHP bundling you may not need. If you’re using SWAG purely as a reverse proxy, you’re carrying PHP overhead with no benefit.
- No built-in dashboard or monitoring. Unlike Traefik’s web UI or NPM’s interface, there’s no visibility into request routing, certificate status, or blocked IPs beyond log files.
- CGNAT users are blocked from HTTP validation. A growing issue as ISPs move residential customers behind shared IPs.
Who should use this / who shouldn’t
Use SWAG if:
- You’re comfortable editing text configuration files and you’ve used nginx before, even briefly.
- You run multiple self-hosted services (Nextcloud, Jellyfin, Vaultwarden, etc.) and want them all behind HTTPS on a single IP.
- You want wildcard certificates for a whole subdomain namespace.
- You’re using other LinuxServer.io containers and want a reverse proxy that fits naturally alongside them.
- You want intrusion prevention included without setting it up separately.
Skip it (use Nginx Proxy Manager instead) if:
- You want a web GUI to add and manage proxy hosts without touching config files.
- You’re onboarding non-technical teammates or clients who need to manage the proxy themselves.
- You want to see certificate status and access logs through a browser dashboard.
Skip it (use Traefik instead) if:
- You’re running a Kubernetes or Docker Swarm environment where service discovery via labels is more natural than per-service config files.
- You want automatic service detection — Traefik reads container labels and configures itself; SWAG requires a config file edit per service.
- You prioritize a robust middleware ecosystem (Traefik’s middleware chain is more composable).
Skip it (use Caddy instead) if:
- You want a simpler configuration language than nginx’s. Caddy’s Caddyfile is significantly more readable for common reverse proxy patterns.
- You want automatic HTTPS that requires zero configuration for basic cases — Caddy handles certificate issuance more transparently.
Not appropriate if:
- You need a web application firewall (WAF) with OWASP rule sets. fail2ban does IP banning on failed logins; it is not a WAF. For that, look at ModSecurity or Cloudflare.
- You’re running at any meaningful scale (dozens of services, high traffic). SWAG is a home lab and small-team tool, not production infrastructure for a SaaS product.
Alternatives worth considering
- Nginx Proxy Manager (NPM) — Also Docker-based, also handles Let’s Encrypt certificates, but adds a web GUI that makes proxy host management point-and-click. The go-to recommendation for non-technical users. Fewer power features than SWAG but dramatically lower barrier to entry.
- Traefik — The label-driven reverse proxy. Better suited for dynamic environments where services come and go (Docker Compose, Swarm, Kubernetes). Configuration is more scattered (labels on each service container) rather than centralized (SWAG’s config files). Has a built-in dashboard. More complex to debug when something goes wrong.
- Caddy — Modern web server with automatic HTTPS as a first-class feature. Caddyfile syntax is more concise than nginx for common patterns. No fail2ban equivalent bundled, no PHP bundled. Lighter than SWAG for pure reverse proxy use cases.
- Cloudflare Tunnel — Zero-port-forwarding option that routes traffic through Cloudflare’s network. Free tier covers basic use. Eliminates the VPS requirement but routes your traffic through a third party — relevant if data sovereignty matters to you.
- HAProxy — High-performance load balancer with SSL termination. Steeper learning curve than any of the above. Justified at scale, overkill for a home lab.
For the core audience — a self-hoster running five to fifteen services on a VPS or home server who understands what a config file is — the realistic shortlist is SWAG vs NPM vs Caddy. Pick SWAG if you want the full bundle and don’t mind nginx configs. Pick NPM if you want the GUI. Pick Caddy if you want cleaner config syntax and don’t need PHP or fail2ban included.
Bottom line
SWAG earns its place as the default LinuxServer.io-ecosystem reverse proxy by doing something specific well: it assembles the components you’d build yourself anyway — nginx, Certbot, fail2ban — into a single maintained image with a sensible update cadence and solid documentation. The pre-built proxy config samples for popular self-hosted apps are the hidden selling point; they save hours of nginx trial-and-error for every new service you add.
The honest trade-off is that SWAG asks you to meet it halfway. You need to understand what a server block is, what a volume mount does, and how DNS records work. If you’re past that threshold, SWAG is a proven tool that will quietly do its job for years. If you’re not, Nginx Proxy Manager gives you the same certificates and reverse proxy functionality behind a browser interface.
If setup complexity is the real barrier, deploying SWAG (and the services behind it) is exactly the kind of one-time infrastructure work that upready.dev handles for clients — you describe what you need running, and it gets deployed correctly the first time.
Sources
Primary sources:
- LinuxServer.io SWAG Documentation — docs.linuxserver.io. https://docs.linuxserver.io/general/swag
- GitHub: linuxserver/docker-swag (3,630 stars, GPL-3.0 license) — github.com. https://github.com/linuxserver/docker-swag
Note: Third-party review articles provided for this tool were unrelated to SWAG (Secure Web Application Gateway). All claims above are sourced from the official LinuxServer.io documentation, GitHub README, and Docker image metadata.