Vista2003 Posted January 29, 2022 (edited)

I've tried to disable IPv6 on unRAID but it still has the same issue

EDIT: I've just nuked the Docker and config files and started over again, seems to work now, not sure if it will continue to work after an update though.

EDIT 2: Turns out rebooting it killed it again.

Edited January 29, 2022 by Vista2003

mgutt Posted January 30, 2022 Author

1 hour ago, Vista2003 said:
    I'm not entirely sure what I'm looking for here

Docker to No and then you should be able to disable IPv6 custom....

8 minutes ago, Vista2003 said:
    I've tried to disable IPv6 on unRAID but it still has the same issue

Ok, hmmm.

EDIT: One moment. The error appears after reading stream/2.conf. Please open the NPM console and execute the following:

    su
    cat /data/nginx/stream/2.conf

Does this stream host use port 80 and/or 443? You cannot set up a stream host with these ports as they are used by NPM itself.

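
The check described in the post above, as an added example that is not part of the original post: a shell function that scans the stream-host configs for `listen` directives on port 80 or 443. The directory path is the one from the post; the `listen` forms handled (standard nginx syntax) and the sample configs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: list stream-host configs that bind
# port 80 or 443, the two ports the post says NPM itself occupies.
# Assumptions: the configs use standard nginx "listen" directives and live
# in the directory named in the post (/data/nginx/stream).

# Print "file:port" for each *.conf in DIR with a listen directive on 80/443.
find_reserved_stream_ports() {
    dir="${1:-/data/nginx/stream}"
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # Drop comments, then reduce the first listen argument to its port.
        sed -e 's/#.*//' "$f" | awk -v file="$f" '
            $1 == "listen" {
                port = $2
                sub(/;.*/, "", port)     # "443;"      -> "443"
                sub(/^.*:/, "", port)    # "[::]:443"  -> "443"
                if (port == "80" || port == "443")
                    print file ":" port
            }'
    done | sort -u
}

# Constructed sample configs (not taken from any real NPM install).
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/2.conf" <<'EOF'
server {
  listen 443;
  listen [::]:443;
  proxy_pass 192.0.2.10:8443;
}
EOF
    cat > "$tmp/3.conf" <<'EOF'
server {
  listen 2222 udp;   # listen 80; (commented out, must be ignored)
  proxy_pass 192.0.2.11:22;
}
EOF
    find_reserved_stream_ports "$tmp"
    rm -rf "$tmp"
}

# With a directory argument scan it; with none, run the constructed demo.
if [ $# -gt 0 ]; then find_reserved_stream_ports "$1"; else demo; fi
```

Any file it lists is a stream host that collides with NPM's own HTTP/HTTPS listeners and needs a different incoming port.
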
Camnomis Posted January 30, 2022

Hello! Trying to debug an issue I’m having. I have NPM installed, my DNS is sorted, I have a host configured and the SSL certificate has been registered. So I’m pretty sure every part of the chain to NPM is working, however when I try to connect to the URL I have configured it times out as unreachable.

I’m guessing it’s an issue between the container and the rest of my UNRAID ecosystem, I’ve tried connecting to other containers and VM hosted applications with no luck. But the logs are not really helpful, is there a way to turn on debug logging to see what is happening within NPM and why it’s not finding the endpoint specified?

One thing I’ve noticed is every guide I’ve seen has the container on a custom network type, whereas mine is set for bridge. When I switch to something else the SSL service can’t renew certificates so breaks that part of the chain.

All advice or suggestions welcome. Thanks in advance

mgutt Posted January 30, 2022 Author

3 hours ago, Camnomis said:
    however when I try to connect to the URL I have configured it times out as unreachable.

Follow the "Debug Errors" steps: https://forums.unraid.net/topic/110245-support-nginx-proxy-manager-npm-official/#comments

Camnomis Posted February 3, 2022

On 1/30/2022 at 4:36 PM, mgutt said:
    Follow the "Debug Errors" steps: https://forums.unraid.net/topic/110245-support-nginx-proxy-manager-npm-official/#comments

Thanks, if I run the curl from the console I get "HTTP/1.1 200 OK" which is good, however when I try to connect on the URL I get Chrome's "ERR_CONNECTION_TIMED_OUT"

As it stands I have:

- DNS for subdomain.domain.com to my public IP
- two port forwarding rules on my router for port 80 and 443 to the IP of the NPM container (I have changed the IP on unraid from port 80 to allow NPM to have it)

When I connect to the NPM with both http and https I get the correct splash page

Within NPM I have a Proxy Host

Details
    Domain Name: subdomain.domain.com
    Scheme: http
    Forward Hostname / IP: 172.16.1.1
    Forward Port: 8181
    Cache Assets: Off
    Block Common Exploits: On
    Websockets Support: Off
    Access List: Publicly Accessible
Custom Locations
    None
SSL
    SSL Certificate: subdomain.domain.com
    Force SSL: On
    HTTP/2 Support: On
    HSTS Enabled: Off
    HSTS Subdomains: Off
Advanced
    None

When I run

    curl -sSL -D - http://172.16.1.1:8181 -o /dev/null

I get the following response

    HTTP/1.1 303 See Other
    Content-Type: text/html;charset=utf-8
    Server: CherryPy/unknown
    Date: Thu, 03 Feb 2022 15:58:50 GMT
    Location: http://172.16.1.1:8181/home
    Vary: Accept-Encoding
    Content-Length: 100

    HTTP/1.1 200 OK
    Content-Type: text/html;charset=utf-8
    Server: CherryPy/unknown
    Date: Thu, 03 Feb 2022 15:58:50 GMT
    Vary: Accept-Encoding
    Content-Length: 68695

I thought maybe it's a port issue, so I have added a port forward rule on the router for 8181 but this doesn't fix it (I assume the port number is handled by NPM but was running out of ideas!)

mgutt Posted February 3, 2022 Author

1 hour ago, Camnomis said:
    When I connect to the NPM with both http and https I get the correct splash page

What happens if you open http://yourpublicip ?

Camnomis Posted February 3, 2022

4 minutes ago, mgutt said:
    What happens if you open http://yourpublicip ?

    This site can’t be reached
    xxx.xxx.xxx.xxx took too long to respond.
    Try:
    Checking the connection
    Checking the proxy and the firewall
    ERR_CONNECTION_TIMED_OUT

Camnomis Posted February 3, 2022

Scrap that! It seems to work from when I am accessing the urls from outside my network, but just not while I am at home.

mgutt Posted February 3, 2022 Author

24 minutes ago, Camnomis said:
    It seems to work from when I am accessing the urls from outside my network, but just not while I am at home.

Hmm that's strange. And it's the same for the public ip url?

Camnomis Posted February 4, 2022

18 hours ago, mgutt said:
    Hmm that's strange. And it's the same for the public ip url?

It brings up the splash page, when I update my local host file to the NPM it works, so I am guessing the problem lies with my router, I have a pfSense one on order so that might fix it, but I think I can say NPM is configured and working as it should

Camnomis Posted February 4, 2022

As an aside, how secure is the access lists feature? Obviously if I use user name / password it's only as strong as the password I provide, but is IP restriction enough? Is there any way to improve on the basic security of NPM with 2FA?

JonathanM Posted February 4, 2022

22 hours ago, Camnomis said:
    Scrap that! It seems to work from when I am accessing the urls from outside my network, but just not while I am at home.

Research NAT Loopback, hairpinning, etc.

ProphetSe7en Posted February 10, 2022

Is there any way to back up and restore the stuff I set up in reverse proxy and migrate to a new system?

mgutt Posted February 10, 2022 Author

22 minutes ago, ProphetSe7en said:
    Is there any way to back up and restore the stuff

Only by copying the complete appdata dir.

REllU Posted February 11, 2022

Hey there,

I've set up an Nginx proxy to a FileBrowser docker (and previously NextCloud) about a year ago, and so far everything has been working like a dream. Until yesterday >.<

Not sure what happened, and when, but Nginx wasn't able to auto-renew the SSL certificate for my domain. I only noticed this yesterday, when I wasn't able to connect to the FileBrowser from the net anymore. I've tried to "manually" (as in, from the Nginx GUI) renew the certificate, but it keeps failing.

On certain browsers (like Samsung's own web app, which doesn't seem to give two hoots about secure connections) I can connect to the FileBrowser docker just fine. I also created a new domain, and new Nginx proxy host to my FileBrowser docker, without the SSL certificates, just to test if the connection is good. It is.

This is what I'm getting from the Docker log (inside of UnRaid) when I try to renew the certificate:

    Internal Error
    Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-6" --agree-tos --authenticator webroot --email "[EMAIL HERE]" --preferred-challenges "dns,http" --domains "[EMAIL HERE]"
    Saving debug log to /var/log/letsencrypt/letsencrypt.log
    Some challenges have failed.
    Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.
        at ChildProcess.exithandler (node:child_process:397:12)
        at ChildProcess.emit (node:events:390:28)
        at maybeClose (node:internal/child_process:1064:16)
        at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)

The external log files I can't seem to find anywhere 🤔

Trying to test the server reachability, I get:

Any help would be appreciated!

mgutt Posted February 11, 2022 Author

27 minutes ago, REllU said:
    This is what I'm getting from the Docker log

Open the containers console and check the last entries:

    tail -n200 /var/log/letsencrypt/letsencrypt.log

REllU Posted February 11, 2022 (edited)

45 minutes ago, mgutt said:
    Open the containers console and check the last entries: tail -n200 /var/log/letsencrypt/letsencrypt.log

Here's what I've got:

    # tail -n200 /var/log/letsencrypt/letsencrypt.log
    2022-02-11 19:02:40,778:DEBUG:certbot._internal.main:certbot version: 1.22.0
    2022-02-11 19:02:40,779:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
    2022-02-11 19:02:40,779:DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--quiet', '--config', '/etc/letsencrypt.ini', '--preferred-challenges', 'dns,http', '--disable-hook-validation']
    2022-02-11 19:02:40,779:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
    2022-02-11 19:02:40,789:DEBUG:certbot._internal.log:Root logging level set at 40
    2022-02-11 19:02:40,791:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-8.conf
    2022-02-11 19:02:40,804:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x14e5136e0b38> and installer <certbot._internal.cli.cli_utils._Default object at 0x14e5136e0b38>
    2022-02-11 19:02:40,804:DEBUG:certbot._internal.cli:Var pref_challs=dns,http (set by user).
    2022-02-11 19:02:40,804:DEBUG:certbot._internal.cli:Var preferred_chain=ISRG Root X1 (set by user).
    2022-02-11 19:02:40,804:DEBUG:certbot._internal.cli:Var key_type=ecdsa (set by user).
    2022-02-11 19:02:40,804:DEBUG:certbot._internal.cli:Var elliptic_curve=secp384r1 (set by user).
    2022-02-11 19:02:40,805:DEBUG:certbot._internal.cli:Var webroot_path=/data/letsencrypt-acme-challenge (set by user).
    2022-02-11 19:02:40,805:DEBUG:certbot._internal.cli:Var webroot_map={'webroot_path'} (set by user).
    2022-02-11 19:02:40,805:DEBUG:certbot._internal.cli:Var webroot_path=/data/letsencrypt-acme-challenge (set by user).
    2022-02-11 19:02:40,823:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
    2022-02-11 19:02:40,890:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
    2022-02-11 19:02:40,892:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/npm-8/cert1.pem is signed by the certificate's issuer.
    2022-02-11 19:02:40,893:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/npm-8/cert1.pem is: OCSPCertStatus.GOOD
    2022-02-11 19:02:40,897:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
    2022-02-11 19:02:40,898:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
    2022-02-11 19:02:40,898:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    2022-02-11 19:02:40,898:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
    2022-02-11 19:02:40,898:DEBUG:certbot._internal.display.obj:Notifying user: /etc/letsencrypt/live/npm-8/fullchain.pem expires on 2022-05-12 (skipped)
    2022-02-11 19:02:40,898:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
    2022-02-11 19:02:40,898:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    2022-02-11 19:02:40,899:DEBUG:certbot._internal.renewal:no renewal failures

However, I'm not exactly in the same spot anymore, as I was with the previous message.

I got the certificate to renew itself by changing the port-forward rules, so that from port 80, instead of it being directed to FileBrowser, it was instead directed at Nginx docker. This, however, created a "Bad gateway" error, which I'm now struggling with.

I've since changed the port forward rules back to what they were, so port 80 is now directed to FileBrowser again. But the result is the same. I'm also getting the same result with the reachability test.

Thank you for the quick response! Appreciate it

Edited February 11, 2022 by REllU

Camnomis Posted February 11, 2022

On 2/4/2022 at 12:11 PM, Camnomis said:
    As an aside, how secure is the access lists feature? Obviously if I use user name / password it's only as strong as the password I provide, but is IP restriction enough? Is there any way to improve on the basic security of NPM with 2FA?

Thanks for the help in this thread, I’ve got NPM with Authelia for 2FA and I’m really happy with the set up, only a small niggle is that when I try to access the UNRAID host via an NPM address it’s coming up with a 502 bad gateway, I can access via IP so I’m guessing it’s something in NPM which is causing the issue.

Tucubanito07 Posted February 11, 2022

Hello. Does anyone know if this container is able to display HTML websites? I know it has nginx and it can be used for making your own website. I tried placing the index.html in the nginx/default_www folder but it did not work. Has anyone tried it before? I don’t want to use WordPress. I want to learn HTML and make websites, and I have been searching and I don’t see anything. All I see is how to use WordPress with it and I already have that. I want to drop the files in a folder location inside nginx and make changes to the file to update my own website. Thanks in advance.

mgutt Posted February 11, 2022 Author

17 minutes ago, Tucubanito07 said:
    I want to drop the files in a folder location inside nginx and make changes to the file to update my own website.

Use a different container: https://hub.docker.com/_/nginx

mgutt Posted February 11, 2022 Author

1 hour ago, REllU said:
    This, however, created a "Bad gateway" error, which I'm now struggling with.

First page, read the 5xx error paragraph.

Tucubanito07 Posted February 11, 2022

2 hours ago, mgutt said:
    Use a different container: https://hub.docker.com/_/nginx

That is what I thought. Thank you.

REllU Posted February 12, 2022 (edited)

13 hours ago, mgutt said:
    First page, read the 5xx error paragraph.

Rightyo! Let's see..

4.) Does NPM reach your target container?

Nope. Nginx container is in br0, and wasn't able to connect to FileBrowser, since that was in Bridge mode. Changing FileBrowser into br0 as well allows Nginx to connect to it successfully. I've then changed the port forward rule to reflect this change, which seems to work fine.

However, the situation is still very much the same:

✔️ http://[my-public-ip] (Skipping Nginx entirely)
✔️ [FileBrowser_ip]:[FileBrowser_port] (Skipping Nginx entirely)
✔️ Connection between Nginx and FileBrowser (with br0 network)
✔️ http:// domain . com
❌ https:// domain . com (results in bad gateway)
❌ Server reachability test (Within Nginx)

I've only now jumped to the official docker image of the Nginx Proxy Manager, previously, I was rocking the jlesage's docker image, which has served me well up until the issue yesterday with renewing certificates. It was also using Bridge-network mode. I read somewhere about potential issues with that particular docker image, and I figured I'd try this one out, just in case 🤷♂️

I feel like I'm just missing something obvious here.

Edited February 12, 2022 by REllU

mgutt Posted February 12, 2022 Author

6 minutes ago, REllU said:
    ❌ https:// domain . com (results in bad gateway)

That's really strange as http is working. Do you have any advanced rules which cover https/443 traffic?

What happens if you open https://your.public.ip ? It should return "ERR_HTTP2_PROTOCOL_ERROR" as no SSL certificate is provided by NPM.

REllU Posted February 12, 2022 (edited)

30 minutes ago, mgutt said:
    That's really strange as http is working. Do you have any advanced rules which cover https/443 traffic? What happens if you open https://your.public.ip ? It should return "ERR_HTTP2_PROTOCOL_ERROR" as no SSL certificate is provided by NPM.

The only rule I have for 443 port in Ubiquiti, is this:

Just tried to shut down Nginx completely, and even then http:// mydomain . com - works fine, so it seems to skip Nginx entirely. I do have a rule for port 80 within my router, currently pointing to FileBrowser, so that makes sense.

Trying to open https:// public_ip - Just results in a timeout.

If there's a log file somewhere that you'd like to see about this, just point me into the right direction, and I'll dig it up for you (apologies, networking isn't my strongest suit)

EDIT: I had Nginx stopped when I tried to access https:// public_ip. With Nginx running, I'm getting the (original issue from yesterday) potential security risk, which would point out for an invalid certificate. Trying to continue from here gives me a "Secure connection failed"

Apologies for the amount of edits. There's so many variables with testing these things.

Edit 3: I've now tried to change the protocol to HTTP instead of HTTPS within Nginx, as I'm not really sure what protocol FileBrowser wants to use. Turns out, this seems to work from quick on/off testing. I'm a bit confused as to why HTTPS worked just fine with the last Nginx container I had, but not here? Going to the certificates tab within Nginx, and testing the reachability of the server seems to still give me the same error as before. So I'm guessing renewing the certificates will still be an issue.

Edit 4: Disabling the port-forward rule for port 80 within my router seems to still work. Doing this however, does give me a different result in reachability test, which is now stating that there is no server.

Edited February 12, 2022 by REllU