Reconsider multi certificate setup

[DatAres37]

Hi, coming from nginx-proxy I'm currently looking for a new and simple reverse proxy with more features and Swag would pretty much exactly meet all requirements. The only thing that bugs me is that using Swag would mean I have to dox all my panels, services and subdomains through a single certificate. I know security through obscurity is not a lasting defense mechanism, and yes, there are other ways to get that info, but why make it so easy with just two clicks. I found almost a dozen similar requests or questions in Github issues, on Reddit and on the Discourse forum, most of which were dismissed as “niche topics.” The number of inquiries however gives a rather different impression. [1] [2] [3] [4] [5] [6] [7] [8] [9]
I would have accepted the tradeoff by using wildcard certificates (which is also bad security practice with it's own issues), but Swag reaches its limits here as well, since I can only use a single DNS plugin. I’m currently hosting a handful of free open-source services on several domains for the general public, not all of which are with the same registrar. I also have reservations about entrusting my entire DNS resolution to a single company like Cloudflare. Their centralization and influence on the internet is, in my opinion, incompatible with the values of a sovereign open source community.
As soon as it's no longer just a simple self-hosting setup for yourself or you're running more than one domain, Swag quickly reaches its limits, which I find a shame because the number of features and plugins suggests a lot of potential. Especially because the various security features and enhancements actually suggest that there is a high level of awareness of security issues. Revoking just a single certificate for a service is also not possible in practice.

So I'd appreciate if you'd reconsider supporting multiple certificates. Maybe not as the default, but as an advanced option. Thanks.

[j0nnymoe]

The conclusion we came to when discussing this internally in the past has always come back to how we can handle this the automation of this within swag without it getting extremely complicated. Because if we supported 2 certs, users would want 3 and so on (we see this with our Wireguard container - that can support 254 peers, people want to support 508 peers and so on).

There is also the support aspect of this as while yes it could be an advanced option, after years of doing support for our containers, a small percentage of users actually read our documentation, everyone else seems to either 1) get it setup by someone else 2) copy/pasta some guide that's years out of date 3) Get some AI platform to spit out a "working" compose.

We're always open for new features/suggestions for our containers but I feel multi cert would probably create more overheard with maintenance & support. Note, @aptalca is the maintainer of this container, it's his baby but I suspect he'd echo my thoughts on this. (Or say I'm just wrong 😅)

Perhaps it could be a docker-mod rather than built into the image directly? Specially if someone outside of the team wanted to take the work on.

[aptalca]

I echo the above comments and would like to add that changing the current logic to support multiple certs using multiple dns plugins would:

• increase the complexity of the current init logic exponentially, which significantly increases the maintenance burden
• increase the complexity of setup by users and reduce or negate the works out of the box aspects (users would then have to determine which cert to use with which proxy conf, etc., auto-proxy would no longer work without more complicated logic, etc.)
• add a lot of confusion to new setup, thus increase the barrier of entry and significantly increase the support burden.

My philosophy when it comes to our containers is to keep it as simple as possible to set up while covering the majority's needs. For any niche need, we have mods and customization options.

Currently, you can add as many certs as you like to SWAG as long as you maintain the renewals of those certs yourself outside of SWAG, which is quite doable with certbot/acme.sh and cron.

Or, easier yet, you can point the nameservers of your domains to a single provider like Cloudflare and use an api key that has access to all those domains. That's what I do with my multi-domain setups.

[DatAres37]

Or, easier yet, you can point the nameservers of your domains to a single provider like Cloudflare and use an api key that has access to all those domains. That's what I do with my multi-domain setups.

Yeah, I mentioned in my post why I don't want to use this option. I deliberately linked to nginx-proxy in my post, to maybe get some ideas on how to implement it. With their implementation of the acme companion you only need a environment variable on a container (+ networking) to get a individual certificate for that service. But I also understand that a rewrite is probably very effortful and unrealistic.

Is it possible to completely disable TLS in Swag and handle all certificates yourself? Or will one certificate always have to be created by it?

[drizuid]

Making changes to how SWAG works isn't something we are currently considering.

[DatAres37]

So after some digging I think it should just be possible to run the certbot command once manually for each (new) certificate in the Swag container and the autorenew will just renew all certificates in the certificate folder? This would probably be sufficient for my needs.