[Support] Nginx Proxy Manager (NPM) Official



Overview: Support for the Nginx Proxy Manager (NPM) Official docker container

Docker: https://hub.docker.com/r/jc21/nginx-proxy-manager

Github: https://github.com/jc21/nginx-proxy-manager

 

This is the official Nginx Proxy Manager container. Its advantage compared to the version of jlesage / Djoss is the support of IPv6 on ports 80 and 443.*

 

Donate? 🤗

 

*jlesage's docker has an open issue regarding this.

 

 

FAQ

 

Solving SSL Certificate issues

To obtain valid Let's Encrypt certificates, you need to forward / open the port 80 in your router. Port 80 is used for loading "http://" URLs from your server. So if you are suffering from errors while generating a new certificate, try to open the following URL through a mobile device which is NOT in your local Wi-Fi (like cellular mobile data):

http://unraid.yourdomain.com/.well-known/acme-challenge/

 

This must return the following 404 error of NPM:


 

If you instead receive a 5xx / timeout error, your domain could have a wrong IP in the DNS/DDNS database or your internet provider does not provide a real IPv4. You can test this by opening your public IPv4 with the same mobile device outside of your Wi-Fi:

http://11.22.33.44/

 

This must return the welcome page of NPM:


 

If not, then port 80 is probably closed or your IPv4 is not publicly reachable.

 

Only if these requirements are met is Let's Encrypt able to reach your NPM container and verify the SSL certificate. Note: This is automatically repeated every 90 days to re-verify the certificate, so port 80 must stay open!

Link to comment
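
The two browser tests from the post above, scripted as an added example (not part of the original post or of the NPM project). It has to run on a machine outside your own network, as the post requires; the script name is a placeholder and the domain and IP are the post's sample values.

```shell
#!/bin/sh
# Added example: the post's two port-80 tests, run from OUTSIDE your network.
# Usage: sh acme_check.sh unraid.yourdomain.com 11.22.33.44
# (acme_check.sh is a placeholder name; domain and IP are the post's samples)

# Print only the HTTP status; curl prints 000 when no response arrived.
http_status() {
  curl -s -o /dev/null -w '%{http_code}' --max-time 10 "$1" || true
}

# $1 = status of http://<domain>/.well-known/acme-challenge/
# $2 = status of http://<public-ipv4>/
diagnose() {
  # 404 on the challenge path is the expected answer. The status alone does
  # not prove that NPM sent it, so compare the error page once by eye.
  if [ "$1" = 404 ]; then
    echo "ok: challenge path answers with 404, Let's Encrypt can reach port 80"
    return 0
  fi
  # The domain test failed: the IP test separates DNS from port problems.
  case "$2" in
    2??|3??) echo "dns: the IP answers but the domain does not, check the DNS/DDNS record" ;;
    000|"")  echo "port: no answer on the public IPv4, port 80 is closed or the IPv4 is not publicly reachable" ;;
    *)       echo "other: status $1 on the domain and $2 on the IP, check what answers on port 80" ;;
  esac
  return 1
}

if [ $# -ge 2 ]; then
  diagnose "$(http_status "http://$1/.well-known/acme-challenge/")" \
           "$(http_status "http://$2/")"
else
  # No arguments: walk through constructed status pairs (not measurements).
  for pair in "404 200" "502 200" "000 200" "000 000"; do
    set -- $pair
    printf '%s/%s -> ' "$1" "$2"
    diagnose "$1" "$2" || true
  done
fi
```
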
  • 2 weeks later...

Debug Server Errors 5xx

 

Sometimes you get a 5xx error after loading your domain and now you wonder how to solve this issue. Follow these steps to find the problem:

 

1.) Does the NPM container work?

If you cannot open NPM's WebUI, then your container is not set up properly. Check your container's logs to find out what's wrong.

 

2.) Is NPM online?

Obtain your public IPv4/IPv6 through a website like https://www.top10vpn.com/tools/what-is-my-ip/. If you have a public IPv4, you can now enter it in your browser starting with "http://" (not "https://"!). For example "http://80.70.60.50". Now you must see a status page of NPM:


 

For IPv6 you need to obtain the Public IPv6 of your NPM container. Open the Unraid WebTerminal and execute the following command:

docker inspect "Nginx-Proxy-Manager-Official" --format='{{range .NetworkSettings.Networks}}{{.GlobalIPv6Address}}{{end}}'

 

This time you need to enter "http://[8888:7777:6666:5555]" (the square brackets are important and again do not use "https://"!).

 

If this works for you, then your NPM container can be reached through the internet through Port 80. If not, then you have a problem with your port release / forwarding on your router or your container is not running properly.

 

You could even try "https://<ip>", but you won't see a status page. Instead it will ask you (depending on your browser) if you like to accept an invalid SSL certificate and finally it shows an HTTP protocol error. This is correct as NPM has no valid SSL certificate for direct IP access. So even if you get this error, this means your router does forward Port 443 correctly to NPM:


 

Only if you get a connection timeout error do you have a problem with your port release:

 

3.) Does your target container work?

Let's say you added the container "plex" with the scheme "http" and the IP address "192.168.178.8" and the port "32400":


 

Are you able to open this container through your browser? Open http://<container-ip>:<port>/ to test it. As long as your container does not work stand-alone, it won't work with NPM in front, of course.

 

4.) Does NPM reach your target container?

Maybe you get a 5xx error if you open "http://plex.example.com". This usually happens if NPM is not able to reach the target container. You can verify this by opening the NPM container's console and entering the following command:

curl -sS http://<container_ip>:<port>/ >/dev/null && echo "Container is reachable"

 

As you can see in my example, NPM is not able to reach the target IP:Port


 

This could be because of your selected networks. For example, a container which uses the br0 network is not able to reach a container which uses the bridge network:

 

Another reason could be, that you selected the wrong scheme. For example you used "http", but your target container only supports incoming connections through the scheme "https". Or you used the wrong ports. So double check your proxy host settings!

 

There could be other reasons as well. Feel free to post your test results in this thread and I will try to help you find the problem. But please add screenshots, so I can retrace which steps you already tried.

 

 

IPv6 Setup

 

This is the only reliable way to use NPM through IPv6:

 

1.) Change Unraid's HTTP and HTTPS ports to 5000 and 5001:


 

2.) Install NPM by using the host network:


 

3.) Open the ports 80 and 443 in your router:


 

4.) Open the NPM WebGUI and after changing the login, you can add a proxy host (see next post for Plex as an example).

 

5.) If you only want to type "tower" in your browser to reach your Unraid WebGUI, add this Redirection Host in NPM:


 

Further explanation:

IPv6 does not need port forwarding and many routers don't support it. So it's often not possible to forward internet traffic from port 443 (http) to a custom port like 8443. By that we have two options: Run NPM in the br0/custom network with a fixed IP address or run it in the host network (bridge has IPv6 disabled). I tried everything, but br0/custom isn't reliable as it's not possible to define a fixed IPv6 without passing the IPv6 prefix, and if your provider assigns a new IPv6 prefix, the container is offline and stays offline until we manually change the container's IPv6. And changing the IPv6 alone does not work as the "old" IPv4/IPv6 combination is internally reserved by the Docker service. So it's not only necessary to change the IPv6 of the container, we additionally need to restart the entire Docker service itself.

Link to comment
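
For step 4 of "Debug Server Errors 5xx" above, an added example (not part of the original post or of the NPM project) that probes the target with both schemes and maps curl's exit code to the causes the post lists: separated networks, wrong scheme, wrong port. The script name is a placeholder and the IP and port are the post's Plex sample values.

```shell
#!/bin/sh
# Added example for step 4: why can NPM not reach the target container?
# Run in the NPM container's console: sh upstream_check.sh http 192.168.178.8 32400
# (upstream_check.sh is a placeholder name; the values are the post's Plex sample)

# Print curl's exit code for one scheme. -k: like nginx's proxy_pass default,
# do not verify the target's certificate. -f: HTTP >= 400 becomes exit code 22.
probe() {
  rc=0
  curl -ksf -o /dev/null --connect-timeout 5 --max-time 10 "$1://$2:$3/" 2>/dev/null || rc=$?
  echo "$rc"
}

# $1 = scheme set in the proxy host, $2 = its curl exit code,
# $3 = exit code of the same IP:port probed with the other scheme
verdict() {
  if [ "$2" -eq 0 ]; then
    echo "ok: target answers on $1"
    return 0
  fi
  if [ "$3" -eq 0 ]; then
    [ "$1" = http ] && other=https || other=http
    echo "scheme: target answers on $other, not on $1; change the scheme in the proxy host"
    return 1
  fi
  case "$2" in
    22) echo "answers: target is reachable but returns an HTTP error itself" ;;
    7)  echo "connect: refused or no route; wrong port, stopped container, or separated networks" ;;
    28) echo "timeout: no answer; typical for br0 and bridge not reaching each other, or a wrong IP" ;;
    *)  echo "other: curl exit code $2" ;;
  esac
  return 1
}

if [ $# -eq 3 ]; then
  [ "$1" = http ] && alt=https || alt=http
  verdict "$1" "$(probe "$1" "$2" "$3")" "$(probe "$alt" "$2" "$3")"
else
  # No arguments: constructed exit-code pairs (not measurements).
  for c in "http 0 35" "http 52 0" "https 35 0" "http 7 7" "http 28 28"; do
    set -- $c
    verdict "$1" "$2" "$3" || true
  done
fi
```
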

Single Minecraft Server (or other Gaming Servers)

 

If you host a single Minecraft Server (MCS) you need to add a Stream Host, which listens to port 25565 (default Minecraft Port) and forwards all traffic to your MCS container's IP and Port. In my case the Minecraft Server Container uses the bridge network and listens to port 25575:


 

In NPM add a stream host with the incoming Port 25565 and the container's IP and Port 25575 as its target:

 

Open the TCP Port 25565 in your router:


 

Now set up a domain with your public IP address (DDNS).

 

Note: No container is allowed to listen to a Port which is defined as an incoming Stream port in NPM.

 

 

Multiple Minecraft Servers (or other Gaming Servers which support SRV records)

 

If you host multiple Minecraft Servers (MCS) you need to add multiple Stream Hosts which listen on different ports. For two servers it could be 25565 and 25566 while the MCS containers listen to 25575 and 25576:


 

In NPM add two stream hosts which listen to 25565 and 25566 and forward the traffic to the container's IPs and Ports accordingly:


 

Open both ports in your router:


 

Now the most important step:

You need a domain or DDNS (dynu.com, noip.com, etc) provider which supports custom SRV records. After you registered your domain, you add an SRV record as follows:

Type: SRV
Service: minecraft
Protocol: tcp
TTL: 120
Priority: 0
Weight: 5
Target: minecraft.example.com (your DDNS address)

 

Especially for dynu.com you need to enter "_minecraft._tcp" in the "Node Name" field (the Dot is important!):


 

Finally you should check the entry as follows (set your DDNS address):

https://mxtoolbox.com/SuperTool.aspx?action=srv%3a_minecraft._tcp.minecraft.example.com&run=toolpage


 

If you now connect to your minecraft server through minecraft.example.com, your client will automatically check for the existence of this SRV record and use the different Port 25566 instead of the default 25565.

 

The same method is supported by:

 

Note: No container is allowed to listen to a Port which is defined as an incoming Stream port in NPM.

 

 

Plex

 

1.) Choose "bridge" as network:


 

2.) Plex Settings > Remote Access > Disable Remote Access (this forces Plex to use https://plex.example.com/ instead of https://49-243-220-22.48abf8487edc9d743c.plex.direct:32400/ )


 

3.) Plex Settings > Network > Set your domain and your unraid server IP as your "Own URLs" (use https and http as needed!):


 

By that your own domain is used for external access and your unraid server ip is used for local access (and https://local-ip.xxx.plex.direct/ of course).

 

4.) Add a new proxy host in Nginx Proxy Manager for your domain which targets the fixed IP of your Plex container and enable Websockets:


 

5.) Request an SSL certificate and force SSL:


 

 

A nginx.conf generated by Nginx Proxy Manager

 

Some people may be interested in what an nginx.conf generated by Nginx Proxy Manager looks like. If you add a proxy host with the following settings:

  • domain unifi.example.com
  • scheme https
  • IP 192.168.178.8
  • port 8443
  • enable Websocket Support
  • select Let's Encrypt SSL
  • force SSL
  • add something to the Advanced Config

 

the final config would look like this:

# ------------------------------------------------------------
# unifi.example.com
# ------------------------------------------------------------

server {
  set $forward_scheme https;
  set $server         "192.168.178.8";
  set $port           8443;
  listen 80;
  listen [::]:80;
  listen 443 ssl http2;
  listen [::]:443;
  server_name unifi.example.com;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-2/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-2/privkey.pem;

  # Force SSL
  include conf.d/include/force-ssl.conf;

  # Websockets Support
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;

  # Logs
  access_log /data/logs/proxy-host-3_access.log proxy;
  error_log /data/logs/proxy-host-3_error.log warn;

  # Rules added through the Advanced Tab
  listen 8080;
  server_name *.example.net;

  location / {

    # Websockets Support
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    # Proxy
    add_header       X-Served-By $host;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_pass       $forward_scheme://$server:$port;

  }
}

 

Maybe this is helpful to decide which rules could be missing for your use case.

Link to comment
16 hours ago, Mentox said:

what is the reason for using MariaDB instead of SQLite?

No joke: I missed this part in the docs:

Quote

 

      # If you would rather use Sqlite uncomment this
      # and remove all DB_MYSQL_* lines above
      # DB_SQLITE_FILE: "/data/database.sqlite"

 

 

I will update the container and remove the external DB. SQLite is the easier option for the user.

Link to comment

Ty for creating this!

 

I attempted to migrate from previous docker, expected my custom nginx configuration to work (not overly custom).  One aspect is geoip2 but I am getting error in logs saying geoip directive is not recognized.  Thought it was for the most part all using the same source?

 

UPDATE: Decided to look at the dockerfile and can see they both use different repositories and docker build files.  

Edited by Wingede
Update
Link to comment

Very interested in this..

 

Does this do the same as SWAG but using a UI?

If so, how hard would it be to migrate from SWAG to this docker? I already have a custom network set up and have 6-7 subdomains set up that point to various containers on my server.

Edited by enigma27
Link to comment

If you wanted to use the MariaDB option still, you can remove the `DB_SQLITE_FILE` variable and re-add the variables: `DB_MYSQL_HOST`, `DB_MYSQL_PORT`, `DB_MYSQL_USER`, `DB_MYSQL_PASSWORD`, `DB_MYSQL_NAME`. I just set this up (I already had MariaDB set up for other things and wanted to keep everything in one place) and so far it's working.

Link to comment
  • 2 weeks later...

Can you update the instructions without the MariaDB piece?

Not getting this to actually work with my hosts, getting a 502 Bad Gateway openresty error. Had it working fine previously with the other NPM Docker.

 

edit: Fixed it, for some reason my dockers were not talking to each other, had to disable then reenable the setting under Docker.

Edited by Candle
Link to comment

Reverse Proxy Docker container (Bitwarden) in network bridge on port 8080 not working. 

 

Dear friends, I finally was able to migrate. I was having a huge problem with Bitwarden (from: vaultwarden/server). 

I still don't know if it is something on my system or on NPMO.

 

My Docker in BW is set on bridge and NPMO is in network br0.

NPMO is using SQLite

 


 

When I added my proxy settings, as below, it did not work (it used to work with the jlesage version). (I changed my real domain to mydomain.com for the screenshots).

 

 

 

 

 

To make it work, I had to add the "bridge" network as Post Arguments in the advanced view of NPMO. And I had to use the internal IP of BW and port 80.

 

 

My question is:

 

Am I missing something on my Unraid server to make NPMO in br0 have access to 192.168.100.250:8080, or is something wrong with NPMO that it does not accept port 8080 as the Forward Port?

 

Thank you in advance,

 

Lucas

 

 

 

 

 

 

Link to comment
26 minutes ago, DrLucasMendes said:

Reverse Proxy Docker container (Bitwarden) in network bridge on port 8080 not working. 

 


This is the fix (I had the same issue).

 

Stop all your dockers.


Go to settings > dockers > enable "no"

 

Wait for that to turn off

 

Change "Host access to custom networks:" to off. Apply

Change "Host access to custom networks:" to On. Apply

 

Turn docker back on, try again.

 

 

 

Link to comment

Hello,

I hope I am on the right thread; if not, feel free to move me around.

I am new to NPM, however, I have made 7 proxy hosts already and most of them are working, including all web server redirects using "A" or "CNAME".

I have a problem setting up a proxy for camera streaming.

I was successful streaming an old Foscam camera by simply setting the IP and port XXX. For all newer cameras or NVRs where http webserver and the image streaming (in ONVIF or RTSP format), I am not getting it. I am using an app called "IP CAM Viewer" and in that, I could easily view the camera by defining the http port (port forwarding and DDNS), id and password to view the cameras. With the reverse proxy server, I can define the dn and port 80 to be redirected for the Foscam camera, however, when I tried to do the same for others, I do not get the streams.

 

Any help is appreciated.

Edited by jackwan1
Link to comment
