SWAG

SWAG (Secure Web Application Gateway) is a LinuxServer.io-maintained container image that provides an Nginx web server and reverse proxy with automated TLS certificate issuance and renewal via an embedded ACME client. It is commonly used as a front door for self-hosted applications, handling HTTPS termination and reusable proxy configurations.

Key Features

• Nginx web server and reverse proxy for routing multiple apps behind one domain
• Automated certificate issuance and renewal using Certbot (ACME) with Let’s Encrypt or ZeroSSL
• Supports HTTP and DNS-based validation, including wildcard certificates (via DNS plugins)
• Includes preset reverse proxy configuration templates for many popular services
• Optional PHP support for serving dynamic web content
• Built-in fail2ban for intrusion prevention (with optional firewall rule integration)

Use Cases

• Expose multiple self-hosted services securely over HTTPS with subdomains
• Terminate TLS centrally and share generated certificates with other containers
• Host a small web site or landing page alongside reverse-proxied applications

Limitations and Considerations

• Certificate issuance depends on correct inbound port forwarding (HTTP validation) or supported DNS provider credentials (DNS validation)
• Some Certbot DNS plugins may require additional packages/mods if not included in the base image

SWAG is a practical choice when you want a repeatable, containerized Nginx reverse proxy setup with integrated ACME automation and extra security tooling. It fits especially well in Docker-based homelabs that rely on subdomains and standardized proxy templates.