[Support] Nginx Proxy Manager (NPM) Official



22 minutes ago, Kopernikus said:

What's the difference between this docker container and the one from "jlesage"?

This official container is IPv6 compatible as mentioned in my first post. Note: jc21 is working on Version 3.

 

22 minutes ago, Kopernikus said:

what's the reason for this?

Bridge uses NAT and IPv6 does not NAT (usually) and IPv6 is not enabled for Bridge Networks in Unraid. Note: I suggest to use "Host" if you need IPv6 as mentioned in my manual.

 

22 minutes ago, Kopernikus said:

will the docker work if I only forward port 443 to this docker container?

Depends on how your wildcard certificate is validated. Usually port 80 is needed to (re-)validate Let's Encrypt certificates. But if you use for example a DNS based verification, then you don't need port 80.

Link to comment
57 minutes ago, mgutt said:

This official container is IPv6 compatible as mentioned in my first post. Note: jc21 is working on Version 3.

 

Bridge uses NAT and IPv6 does not NAT (usually) and IPv6 is not enabled for Bridge Networks in Unraid. Note: I suggest to use "Host" if you need IPv6 as mentioned in my manual.

 

Depends on how your wildcard certificate is validated. Usually port 80 is needed to (re-)validate Let's Encrypt certificates. But if you use for example a DNS based verification, then you don't need port 80.

 

Thx for the fast reply.

I won't be using IPv6 so I can use custom Bridge in this case.

My wildcard uses DNS based/manual verification, so then I'll only use port 443.

 

I have two more questions:

 

Is there any advantage of using MariaDB instead of the default SQLite?

Is there a way to access the WebUI of NPM with https?

 

Thx!

Link to comment
1 hour ago, Kopernikus said:

Is there any advantage of using MariaDB instead of the default SQLite?

No. MariaDB will be removed in Version 3.

 

1 hour ago, Kopernikus said:

Is there a way to access the WebUI of NPM with https?

  • Create a new subdomain "npm"
  • use your wildcard certificate
  • Add the following to the advanced tab to disallow access from public (change your IP range accordingly):
    # allow anyone in 192.168.178.0/24
    allow 192.168.178.0/24;
    # drop rest of the world
    deny all;
  • open https://npm.example.com
  • Optional: Try to set your local IP in your subdomains DNS, so 99.99% of all "attacks" never reach your server (but its still possible to access the NPM WebUI if the attacker knows your public IP, so never remove the allow/disallow rules!)

 

Link to comment

Hi,

 

I am running into some issues with the HTTP redirect. I set everything up and got it configured and it works well except for the HTTP redirect when using the non fully quantified name. So I have request.mydomain.com setup as a proxy host to redirect to an internal app

My app that I am trying to target is at 192.168.68.100:5000. My Nginx proxy manager is at 192.168.114:7818

My issue is the HTTPs requests correctly get routed, but any HTTP request gets through to the NGINX Proxy Manager login page. My ports are forwarded correctly, the second http request with the "." at the end to make it fully qualified domain works, but any http request or request which defaults to http are incorrectly going to the login page for NGINX proxy manager.

Link to comment
6 hours ago, 97WaterPolo said:

My Nginx proxy manager is at 192.168.114:7818

And 7818 is forwarded by your router's public port 443? And what about 80? It points to which port?

 

Quote

HTTP request gets through to the NGINX Proxy Manager login page

This sounds like you forwarded your public port 80 to NPM's port 81, which is of course wrong. NPM has three ports: 80 (http), 443 (https) and 81 (http GUI). The GUI is only for local admin access.

Link to comment
On 8/20/2021 at 12:08 PM, mgutt said:

No. MariaDB will be removed in Version 3.

 

  • Create a new subdomain "npm"
  • use your wildcard certificate
  • Add the following to the advanced tab to disallow access from public (change your IP range accordingly):
    # allow anyone in 192.168.178.0/24
    allow 192.168.178.0/24;
    # drop rest of the world
    deny all;
  • open https://npm.example.com
  • Optional: Try to set your local IP in your subdomains DNS, so 99.99% of all "attacks" never reach your server (but its still possible to access the NPM WebUI if the attacker knows your public IP, so never remove the allow/disallow rules!)

 

 

Hi,

 

I got it working (remote); however, if I want to access https://npm.example.com locally then I need to set the docker to a custom IP and not bridge, because otherwise my Unraid WebUI opens instead of NPM. I could of course set NPM to listen on port 443, but then I would need to change the Unraid WebUI to another port.

 

What would be best practice?

Edited by Kopernikus
Link to comment
26 minutes ago, Kopernikus said:

What would be best practice?

There is no "best practice". I changed Unraid's ports as described here, but everyone can do it as they want.

 

30 minutes ago, Kopernikus said:

not bridge because otherwise my unraid webui opens instead of npm

 

I do not really understand why this happens. If NPM runs as bridge with for example port 8443 and you forward port 443 in your router to 8443, then the complete traffic is forwarded to NPM. Now you create a new proxy host for npm.example.com and its target is the server ip + port 81, which is the UI port of NPM. So the traffic goes this way:

 

publicIP:443 > unraidIP:8443 > dockerBridge:8443 > npm:443 > npm:81

 

Or did you change the port 81 through the bridge? Then use your changed port.

 

 

Link to comment
1 hour ago, mgutt said:

There is no "best practice". I changed Unraid's ports as described here, but everyone can do it as they want.

 

 

I do not really understand why this happens. If NPM runs as bridge with for example port 8443 and you forward port 443 in your router to 8443, then the complete traffic is forwarded to NPM. Now you create a new proxy host for npm.example.com and its target is the server ip + port 81, which is the UI port of NPM. So the traffic goes this way:

 

publicIP:443 > unraidIP:8443 > dockerBridge:8443 > npm:443 > npm:81

 

Or did you change the port 81 through the bridge? Then use your changed port.

 

 

 

It works like you describe if I access it from outside my network.

 

But local:

https://npm.example.com resolves to unraidIP:443, so it doesn't know it has to go to 8443 to reach nginx.

So I need to change the ports of Unraid or use a separate IP for nginx.

 

Or is there a better solution?

 

Link to comment
41 minutes ago, Kopernikus said:

But local:

Ah ok.

 

Yes, br0 with fixed IP would be a solution. Or changing Unraid's default ports. Or you set your public IP for the domain. By that your local traffic is "hairpinned" back through your router. 

 

I prefer changing Unraid's port. By that it would be even possible to use an additional domain for the unRAID GUI.

Link to comment
23 minutes ago, mgutt said:

By that your local traffic is "hairpinned" back through your router. 

 

Maybe I misunderstand, but custom:br0 won't automatically hairpin when you use macvlan.

 

From left to right: VM with virtio (10G) and Unraid to docker, receiver on custom:br0.

 


 

Same speeds vice versa, name or IP. Just as a note, it's not a disadvantage using custom:br0 as long as you don't get crashes etc. (some have issues using macvlan).

Link to comment
25 minutes ago, alturismo said:

may i missunderstand, but custom:br0 wont automatically hairpin when you use macvlan

 

Hairpinning is a technique where you can access a local client from another local client through the public IP of the internet connection. But this works only if the router supports this feature. This should work for any docker network type, as the traffic is coming from "outside" of the network (the router routes it back through its firewall, that's why even the router's port forwarding works).

 

But br0 (and using the local IP in the DNS) should be the better method. Regarding crashes: Did anyone test setting a MAC address? As my router gets really confused about clients (containers) having only an IP, I thought this could be a reason for this problem?!

Link to comment
7 hours ago, mgutt said:

through the public ip of the internet connection.

OK, then I missed your point here. I thought you meant that when using custom:br0 ALL traffic is going through the router, sorry.

 

7 hours ago, mgutt said:

As my router gets really confused about clients (containers) having only an IP

Here I'm fine using macvlan (each container on its own IP, each on its own MAC); using br0 with ipvlan on 6.10 (each container on its own IP, all on the SAME MAC) I'm in trouble as my router gets confused and nameserver/routing gets rubbish ... ;)

Link to comment
21 hours ago, mgutt said:

And 7818 is forwarded by your router's public port 443? And what about 80? It points to which port?

 

This sounds like you forwarded your public port 80 to NPM's port 81, which is of course wrong. NPM has three ports: 80 (http), 443 (https) and 81 (http GUI). The GUI is only for local admin access.

On my router

  • External: 80    ->   Internal: 1880
  • External: 443  ->   Internal: 18443

Port 7818 is exposed by my docker container, it is NOT port forwarded at my router. My NPM docker container's network is set to bridge on port 7818. I don't have anything touching port 81 on my router or on my docker.

Link to comment
3 hours ago, 97WaterPolo said:

Port 7818 is exposed by my docker container

You are not using NPM official. You are using the other container.

 

On 8/23/2021 at 11:56 AM, 97WaterPolo said:
  • http://request.mydomain.com -> 192.168.114:7818 (notice the lack of "." at the end)
  • request.mydomain.com -> 192.168.114:7818 (defaults to http request)

This should never happen. The traffic of port 80 is forwarded by your router to 1880. So it must display:

A) the npm welcome message if no proxy host is present for this domain

B) an error if the target of the proxy host can't be reached by Nginx

C) the target container's website if everything is set up properly

 

Please open http://<yourPublicIP>

 

Still login page or welcome message?

Link to comment
On 8/24/2021 at 4:37 AM, mgutt said:

You are not using NPM official. You are using the other container.

 

This should never happen. The traffic of port 80 is forwarded by your router to 1880. So it must display:

A) the npm welcome message if no proxy host is present for this domain

B) an error if the target of the proxy host can't be reached by Nginx

C) the target container's website if everything is set up properly

 

Please open http://<yourPublicIP>

 

Still login page or welcome message?

In regards to the above question, navigating to http://[public ip] gets me a page that says "Wrong site from NginxProxyManager"

 

I'm not sure what happened as I haven't touched this container in a few days, but now all redirects are working as specified. I can no longer get to the NPM login page from any HTTP request.

Thanks for the help trying to fix, much appreciated!!!

Link to comment
23 minutes ago, Spritzup said:

/mnt/cache/appdata vs /mnt/user/appdata?

/mnt/user has a much higher CPU load, but as NPM does not write so much, it shouldn't be as relevant as with MariaDB. So you're right, I will change this default path to /mnt/user and let the user decide which one he prefers.

Link to comment

Hello and thanks for the container.

I have a question I'm not able to answer.

 

Actually I have my NPM container working as expected with multiple proxy hosts. NPM is listening on ports 443 and 80 (redirected from my router).

 

I'm trying to configure a stream to my OpenVPN server (on TCP port 1194): if I configure the stream on NPM with forward host as my OpenVPN server, with forward port 1194 and with an incoming port different than 443 or 80, it works.

But as soon as I put 443 as incoming port it doesn't work anymore.

 

I want to do this because I need my OpenVPN server to be on TCP 443 from an external point of view, to bypass the firewall where I use my VPN.

 

Is there a solution for this? Is it possible?

 

Many thanks

Link to comment

Port 80 and 443 are HTTP ports. OpenVPN can use these ports, but it does not "speak" HTTP.

 

The problem is that Nginx listens to the ports 80 and 443 and expects HTTP. So Nginx does not understand the incoming traffic.

 

Optionally it would be possible to add a "stream host" in Nginx. By that Nginx supports any "language" and it would be possible to forward the incoming traffic on port 443 to any target you like. But by that it ignores HTTP and domain names completely and any traffic on port 443 is forwarded to one single target. This means you can't distinguish through the domain name and forward the traffic to different targets. But if only OpenVPN should listen to port 443 this would be a solution.

 

There is a very special method available which scans for the domain name by encrypting the SSL traffic in advance, but I don't know if it works with Nginx Proxy Manager as it needs a specific Nginx SNI extension which adds "SSL preread":

https://stackoverflow.com/a/40135151/318765

 

And it isn't guaranteed that it will work. As an example someone mentions in the link's comments, that it does not work for SSH as it does not forward the domain name. Not sure about OpenVPN.

Link to comment
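The "SSL preread" idea from the post above, as an added illustration that is not code from this thread, from Nginx or from Nginx Proxy Manager: Nginx's ssl_preread reads the unencrypted Server Name Indication (SNI) out of the TLS ClientHello before any decryption happens, and routes the stream on that name. The sample ClientHello and the route table (npm.example.com, vpn.example.com, the "openvpn:1194" fallback) are constructed for this example; it also shows why an SSH banner (and likewise OpenVPN's first packet) yields no name to route on.

```python
import struct

def _u16(n): return struct.pack("!H", n)
def _u24(n): return struct.pack("!I", n)[1:]

def build_client_hello(server_name):
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension."""
    name = server_name.encode()
    sni_list = b"\x00" + _u16(len(name)) + name            # name_type host_name + name
    sni_ext = _u16(0) + _u16(len(sni_list) + 2) + _u16(len(sni_list)) + sni_list
    body = (b"\x03\x03" + bytes(32)                         # client_version + random
            + b"\x00"                                       # session_id length 0
            + _u16(2) + b"\xc0\x2f"                         # one cipher suite
            + b"\x01\x00"                                   # compression: null only
            + _u16(len(sni_ext)) + sni_ext)                 # extensions
    handshake = b"\x01" + _u24(len(body)) + body            # HandshakeType client_hello
    return b"\x16\x03\x01" + _u16(len(handshake)) + handshake  # TLS record header

def preread_sni(data):
    """Return the SNI host name from a TLS ClientHello, or None if the first
    bytes of the connection are not a ClientHello that carries SNI."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:              # record type / handshake type
            return None
        pos = 9 + 2 + 32                                    # headers, version, random
        pos += 1 + data[pos]                                # session_id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + data[pos]                                # compression_methods
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if etype == 0:                                  # server_name extension
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += elen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

# Constructed route table: what an SNI-based stream host would do on port 443.
ROUTES = {"npm.example.com": "npm:81", "vpn.example.com": "openvpn:1194"}

def route(first_bytes, default="openvpn:1194"):
    """Pick a backend by SNI; anything without SNI goes to the single default."""
    name = preread_sni(first_bytes)
    return ROUTES.get(name, default) if name else default

# Constructed first packets: a real SSH banner format, and a TLS hello for NPM.
SSH_BANNER = b"SSH-2.0-OpenSSH_8.4\r\n"
NPM_HELLO = build_client_hello("npm.example.com")
```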
3 hours ago, mgutt said:

Port 80 and 443 are HTTP ports. OpenVPN can use these ports, but it does not "speak" HTTP.

 

The problem is that Nginx listens to the ports 80 and 443 and expects HTTP. So Nginx does not understand the incoming traffic.

 

Optionally it would be possible to add a "stream host" in Nginx. By that Nginx supports any "language" and it would be possible to forward the incoming traffic on port 443 to any target you like. But by that it ignores HTTP and domain names completely and any traffic on port 443 is forwarded to one single target. This means you can't distinguish through the domain name and forward the traffic to different targets. But if only OpenVPN should listen to port 443 this would be a solution.

 

There is a very special method available which scans for the domain name by encrypting the SSL traffic in advance, but I don't know if it works with Nginx Proxy Manager as it needs a specific Nginx SNI extension which adds "SSL preread":

https://stackoverflow.com/a/40135151/318765

 

And it isn't guaranteed that it will work. As an example someone mentions in the link's comments, that it does not work for SSH as it does not forward the domain name. Not sure about OpenVPN.

Thanks for the very precise answer. If I manage to make SSL preread work, I'll do a follow-up here.

Link to comment

Hi,

 

If I look into the log I get this error:

 

[9/8/2021] [11:47:25 AM] [Setup ] › ⚠ warning Error: Command failed: logrotate /etc/logrotate.d/nginx-proxy-manager
error: skipping "/data/logs/fallback_access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/data/logs/letsencrypt-requests_access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/data/logs/proxy-host-1_access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/data/logs/proxy-host-2_access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/data/logs/proxy-host-3_access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/data/logs/proxy-host-4_access.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/data/logs/fallback_error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/data/logs/letsencrypt-requests_error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/data/logs/proxy-host-1_error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/data/logs/proxy-host-2_error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/data/logs/proxy-host-3_error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.
error: skipping "/data/logs/proxy-host-4_error.log" because parent directory has insecure permissions (It's world writable or writable by group which is not "root") Set "su" directive in config file to tell logrotate which user/group should be used for rotation.

 

How can I fix this?

Link to comment
