How to install Bookstack and reverse proxy it using linuxserver letsencrypt/swag on Unraid

Bookstack is a really cool and simple opensource wiki system that can be of  great use either in a team or by yourself if you want to document and organize information. This guide will show you how to do it on an Unraid system, but it can applied to any OS that is running docker.

MariaDB Installation

Installing MariaDB is very straight forward. Go to the “Apps” tab and search for mariadb and click install.  If you already have mariadb installed you can just skip to the create database part.

Choose your host port and your MYSQL Root password. I changed the default name and the host port as I already have a MariaDB container running and this container will only be for demonstration purposes.

Create the Bookstack database

  1. Open terminal and exec into the container with docker exec -it mariadb bash
  2. Log into mysql with user root and the password you chose. mysql -uroot -p enter your password.

The output will look like this:

[email protected]:~# docker exec -it mariadb bash
[email protected]:/# mysql -uroot -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 10.1.30-MariaDB-1~xenial binary distribution

Copyright (c) 2000, 2017, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]

Next up is creating the database. (Remember to end all queries with a semicolon)

  1. Start with creating a user for the database. CREATE USER 'user' IDENTIFIED by 'password'; Where ‘user’ is your username and ‘password’ is the password you want for the new user. The ouput will be like this.
    MariaDB [(none)]> CREATE USER 'gilbn' IDENTIFIED by 'mypassword';
    Query OK, 0 rows affected (0.01 sec)
  2. Create the database with CREATE DATABASE IF NOT EXISTS bookstack;
    MariaDB [(none)]> CREATE DATABASE IF NOT EXISTS bookstack;
    Query OK, 1 row affected (0.00 sec)
  3. Give the user permissions to the database with GRANT ALL PRIVILEGES ON bookstack.* TO 'gilbn' IDENTIFIED BY 'mypassword';
    MariaDB [(none)]> GRANT ALL PRIVILEGES ON bookstack.* TO 'gilbn' IDENTIFIED BY 'mypassword';
    Query OK, 0 rows affected (0.00 sec)

Then quit mysql with quit and exit from the container by issuing the command exit



If you already have swag setup you can just skip down to the nginx part.
Go to the “Apps” tab and search for swag and install the linuxserver swag container.

Forward your domain to your public IP address. After you’ve done that add your different ANAME/CNAME records e.g or

  1. Container Port: 80 – Choose your desired host port. e.g 81 (You can’t set this to 80 as the unRAID web GUI uses that. )
  2. Container Port: 443 – Set this to 444 or something else (On update 6.4 unraid will use port 443 and it’s better to be ahead of time so it won’t cause any issues)
  3. Enter you email
  4. Add you domain e.g
  5. Add your different sub domains e.g www,blog,plex ect
  6. Container Path: /config Install the container config to your desired location.

Next is portforwarding. This is done on your router and you need to forward port 80 to the port you chose in step 1. You also need to forward port 443 to 444 or the one you chose. So if your servers ip is and you have chosen that the container is on port 81, you need to forward all traffic on port 80 to port 81 on ip And do the same for port 443.
If you’re unsure how to do this on your router check out: Next go to https://yourserverip:444 or http://yourserverip:81 If you now see the Nginx welcome page, it works. Also test if redirects you to the nginx welcome page.

[eckosc_quote quote=”Note: TTL differs from each provider, some has a minimum 60 minutes before DNS propagates and others have 1 minute. So it might take a while before works.” source=”” url=”” pull=”false”] If you already have swag setup and working with a domain and want to use another domain for your wordpress site you can do that by using the EXTRA_DOMAINS variable.

  1. Click on + Add another Path, Port or Variable
  2. Add these values. Config Type: Variable Name: Extra domain Key: EXTRA_DOMAINS Value:,


Go to the swag appdata location. Find the nginx folder and then edit the file called “default” in the “site-conf” folder. I recommend using notepad++ if you are editing the files on a windows machine.

If you want to Geo block your site read more here
Replace/add the contents of the default file with the server block below. Modifying it to use your domain of course.

If you are already using the default file I recommend creating another file in the site-confs folder. It’s much easier to work with separate config files than one huge one. You can call it wiki.conf or domain.conf etc. your choice.

server {
    listen 80;
    return 301 https://$server_name$request_uri;

server {
 listen 443 ssl http2;

## Source:
## READ THE COMMENT ON add_header X-Frame-Options AND add_header Content-Security-Policy IF YOU USE THIS ON A SUBDOMAIN YOU WANT TO IFRAME!

## Certificates from LE container placement
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

## Strong Security recommended settings per
ssl_dhparam /config/nginx/dhparams.pem; # Bit value: 4096
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;

## NOTE: The add_header Content-Security-Policy won't work with duckdns since you don't own the root domain. Just buy a domain. It's cheap
## Settings to add strong security profile (A+ on

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; #SET THIS TO index IF YOU WANT GOOGLE TO INDEX YOU SITE!
add_header Content-Security-Policy "frame-ancestors https://*.DOMAIN.COM https://DOMAIN.COM https://$server_name"; #Add your domains you want to enable iframing on
add_header X-Frame-Options "allow-from https://DOMAIN.COM https://$server_name"; #Add your domains you want to enable iframing on. https://$server_name = in this server block
add_header Referrer-Policy "strict-origin-when-cross-origin";

add_header Feature-Policy "geolocation none;midi none;notifications none;push none;sync-xhr none;microphone none;camera none;magnetometer none;gyroscope none;speaker self;vibrate none;fullscreen self;payment none;";

proxy_cookie_path / "/; HTTPOnly; Secure"; ##NOTE: This may cause issues with unifi. Remove HTTPOnly; or create another ssl config for unifi.
more_set_headers "Server: Classified";
more_clear_headers 'X-Powered-By';
 client_max_body_size 0; 
location / {
    include /config/nginx/proxy.conf;   

[eckosc_quote quote=”Note: see the comments on the Content-Security-Policy , X-Frame-Options!!” source=”” url=”” pull=”false”]

Installing Bookstack

Go to the “Apps” tab and search for Bookstack and install the container.
On the installation page add your database host, user, password and database name and app_url.

Fill out the different parts, it should look something like this:

Hit apply and let the container start up.
If you see nc: getaddrinfo: Name does not resolve in the logs, don’t worry. If I understand correctly the container spins up from a compose file and tries to connect to an sql database from that compose file. It will try for 30 seconds, and after that the container is accessible.  See:

Next you can go to your domain and Bookstack should load.

The default username and password of Bookstack is:
[email protected]

If you want to add email, ldap ect you will need to follow these instructions:

Changing the default upload file size

If you want to be able to upload bigger files you will need to update the php-local.ini file in /config/php

Add the following two lines:

upload_max_filesize = 25M
post_max_size = 25M

25M = 25MB, change it to what you want.


For any questions you can find me here:


Visualizing Nginx geo data metrics  with Python, InfluxDB and Grafana on the linuxserver letsencrypt/swag container How to setup Grafana, InfluxDB and Telegraf to monitor your unRAID system. Banning with basic auth and Fail2Ban