[Support] Nginx Proxy Manager (NPM) Official


Sorry if the problem is not with NPM.

I have a problem with Nextcloud & NPM. I get this warning from Nextcloud:

Quote

The "Strict-Transport-Security" HTTP header is not set to at least "15552000" seconds. For enhanced security, it is recommended to enable HSTS as described in the security tips ↗.

My config file for Nextcloud for NPM:

server {
  set $forward_scheme https;
  set $server         "192.168.1.10";
  set $port           2443;

  listen 80;
  listen [::]:80;

  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name cloud.myserver.com;

  ssl_certificate /data/custom_ssl/npm-1/fullchain.pem;
  ssl_certificate_key /data/custom_ssl/npm-1/privkey.pem;
  include conf.d/include/assets.conf;
  include conf.d/include/block-exploits.conf;
  add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
  include conf.d/include/force-ssl.conf;

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;

  access_log /data/logs/proxy-host-1_access.log proxy;
  error_log /data/logs/proxy-host-1_error.log warn;

  location / {
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    include conf.d/include/proxy.conf;
  }

  include /data/nginx/custom/server_proxy[.]conf;
}


But this does not work.

Link to comment
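A likely reason the header never reaches Nextcloud is nginx's inheritance rule for add_header: a location inherits the add_header directives of its server block only if the location defines none of its own, and NPM's conf.d/include/proxy.conf, which is included inside location /, carries its own add_header (X-Served-By), so the server-level HSTS line is discarded for every proxied response. The trailing ";" inside the quoted value is also not part of the header syntax, although browsers tolerate it. The block below is an added example, not the poster's config and not NPM's generated template: it keeps the paths and addresses from the post, moves the header into the location block, drops the stray semicolon and adds "always" so the header is also sent on error responses. It assumes that a "location /" placed in NPM's Advanced tab replaces the generated one (verify against your NPM version before relying on it).

```nginx
# Added example (not from the post or from NPM): HSTS emitted where nginx
# will actually send it. Paths and IPs are the ones from the post; the
# assumption is that this location / replaces NPM's generated one.
server {
  set $forward_scheme https;
  set $server         "192.168.1.10";
  set $port           2443;

  listen 80;
  listen [::]:80;
  listen 443 ssl http2;
  listen [::]:443 ssl http2;

  server_name cloud.myserver.com;

  ssl_certificate     /data/custom_ssl/npm-1/fullchain.pem;
  ssl_certificate_key /data/custom_ssl/npm-1/privkey.pem;

  include conf.d/include/assets.conf;
  include conf.d/include/block-exploits.conf;
  include conf.d/include/force-ssl.conf;   # 80 -> 443 redirect

  access_log /data/logs/proxy-host-1_access.log proxy;
  error_log  /data/logs/proxy-host-1_error.log warn;

  location / {
    # add_header is not inherited once this level defines its own, and
    # proxy.conf (included below) adds X-Served-By at this level, so the
    # HSTS header must be declared here too. No ';' inside the value;
    # 'always' also covers 4xx/5xx responses.
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload" always;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    include conf.d/include/proxy.conf;
  }

  include /data/nginx/custom/server_proxy[.]conf;
}
```

To confirm the change from outside the container, request the site over HTTPS with curl -sI and look for the Strict-Transport-Security line in the response headers; Nextcloud's check only needs max-age to be at least 15552000, which 15768000 already satisfies, so once the header is actually emitted the warning goes away.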

I'm really pulling my hair out here.

I had NGINX Proxy Manager set up months ago, but something happened and I needed to reset my router, and ever since then it stopped working.

After trying to fix it for a while, I never managed to, so I decided to remove the docker and start all over again.

I followed the guides by Ibracorp on YouTube to the T and just have not been able to get it working again.

  • I made sure that I disabled my ISP port blocking
  • I forwarded the ports 80 and 443 in my router
  • I created a certificate from Cloudflare directly and imported it into NGINX

I keep getting 522 errors now and I honestly don't even know where to try and troubleshoot this from. I really need to get it fixed as my Bitwarden and Nextcloud services can no longer be updated with this down.

I don't know if there is a problem with Cloudflare, my router, unRAID, or NGINX.

I did get the following errors/warnings in the NGINX logs:

  • Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0

  • [10/28/2021] [7:45:48 PM] [Express ] › ⚠ warning Command failed: certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-6" --agree-tos --authenticator webroot --email "*****@gmail.com" --preferred-challenges "dns,http" --domains "sonarr.*****.com"


Link to comment
On 10/22/2021 at 5:49 PM, azkall said:

Those are for MySQL with an external database, but NPM uses SQLite. I don't know how to access the database.

Ok, then you have an SQLite file at /mnt/user/appdata/Nginx-Proxy-Manager-Official/data/database.sqlite

You can open this file through https://sqlitebrowser.org/. Simply stop the container, download the file, edit the relevant lines and overwrite the file again. Of course you should create a backup first.

Link to comment
6 hours ago, braydination said:

I honestly don't even know where to try and troubleshoot this from

Check this new how-to, to debug connection problems:

https://forums.unraid.net/topic/110245-support-nginx-proxy-manager-npm-official/#:~:text=Debug Server Errors 5xx

7 hours ago, braydination said:

Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0

Please show your access list rules. Maybe you should remove them temporarily.

7 hours ago, braydination said:

[10/28/2021] [7:45:48 PM] [Express ] › ⚠ warning Command failed: certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-6" --agree-tos --authenticator webroot --email "*****@gmail.com" --preferred-challenges "dns,http" --domains "sonarr.*****.com"

Your subdomain "sonarr" uses a Let's Encrypt SSL certificate which couldn't be validated. This could mean that Let's Encrypt was not able to reach NPM through "http://sonarr.example.com" (maybe because of your access list rule?!), which is a requirement to validate that your domain is controlled by you. You could try to renew the certificate manually through the SSL Certificates tab, but first check the above mentioned how-to to validate that NPM can be reached through the internet.


Link to comment
Hello all,

I have had an ongoing issue for some time and am hoping I can get some help to see if NPM is the source of the issue or if I should look elsewhere.

I set up a reverse proxy for Nextcloud and Vaultwarden, following all the steps with port forwarding, hairpin NAT enabled etc. When I access the domain names via my cell phone network (outside the server network), I can connect to both applications with the domain name perfectly fine. My issue comes when I try to connect inside my network via these domain names: it hangs and gives "this site cannot be reached, took too long to respond".

I can connect to the two applications if I type the IP address of the server with port into my browser, not using https.

While I am not versed in networking, I used Wireshark to see if I can get a clue to what exactly is going on. Port 4443 is what I use for NPM and what my router forwards 443 to. Reading the RST error image, it appears the request is sent to my public IP which my router then sends back to 192.168.7.5:4443. The source IP (192.168.7.5) replies back with the reset flag raised. I wonder if this is related to NPM due to the port being 4443, is that a correct assumption?

(attached screenshot: RST error)

I took a look at the logs for NPM and saw the error attached, although I am not sure what it means and if this is the root cause of my issue.

(attached screenshot: NPM error)

Any help in isolating the issue to NPM or eliminating NPM as the source is appreciated, thanks!

Link to comment
3 hours ago, rcjk said:

My issue comes to when I try to connect inside my network via these domain names, it will hang up and give this site can not be reach, took to long to respond.

Is this only valid for your smartphone or for all local clients? It would be much easier to find the reason with a usual client. First you should try to ping the domain to find out if it returns the correct public IP:

ping -c1 example.com

The next step would be to override the domain's IP through your client's hosts file with the local IP of NPM. Example:

<local_ip_of_npm> example.com

Then repeat the ping command. Does it now return the local IP? If yes, open the domain in your browser. Do you see Nextcloud? If yes, then your hairpinning does not work. If no, then you shouldn't be able to open NPM's status page (not the WebGUI) through "http://<local_ip_of_npm>:<npm_port_for_incoming_http_traffic>" either, or?

Link to comment

Thanks for the reply Mgutt,

Quote

Is this only valid for your smartphone or all local clients?

This error is valid for anything connected to my network, including the smartphone. If I disconnect WIFI and use the T-Mobile connection and IP address, I can access all domains fine without issue.

I think I found another clue that is now leading me to my ISP. My mother-in-law, who lives next door, has the same company for internet but a different public IP than mine. Interestingly, when I connect to her WIFI with my smartphone, I get the hang-up error. If I switch back to T-Mobile, I can access the domains fine. I also called my friend in a different state who was able to access both Nextcloud and Bitwarden fine with the domain names.

For the pings following your steps:

1. First ping (from a computer on my network) returns the public IP

2. I assumed it was the host IP I needed to add to my hosts file on my computer (not the UNRAID server), which I added as in your notation.

(attached screenshot: hosts file entry)

3. I pinged the domain and get 192.168.7.5

4. When I open the domain in my browser, it takes me to the login for the UNRAID server, not Nextcloud

I am leaning towards my ISP and may have to research if there is something in the router (they gave me the password for it) set up wrong/not set up, or call them directly.

Does this sound like the cause, my ISP/their router?


Link to comment
4 hours ago, rcjk said:

When I open the domain in my browser, it takes me to the login for UNRAID server not nextcloud

Did you forget to add the port 8080 (for http)?


6 hours ago, rcjk said:

My mother-in-law, who lives next door has same company for internet but a different public IP then mine. Interestingly when I connect to her WIFI with my smart phone, I get the hang up error

Does your router really have a public IPv4 or does it start with 10, 172 or 192?

Link to comment

I tried both mydomain.duckdns.org and mydomain.duckdns.org:8080 (if that syntax is right); I do not understand why that is. If I revert back to the IP address with port then it works fine.

Yes, I am sure it is a public IP, it is in the 200's.

I think it is safe to say that NPM is working as expected and it is an issue with the ISP or how they set up the router. I turned on a VPN this morning and was able to access all sites fine from the same PC I have been using. I think I will have to look in that direction now.

Link to comment
25 minutes ago, rcjk said:

I tried both mydomain.duckdns.org and mydomain.duckdns.org:8080

When you set your local unRAID IP through your hosts file, then the first variant without port must show unRAID and the second must show NPM. It's absolutely impossible to see unRAID on Port 80 and 8080.

Repeat your test. It has nothing to do with your ISP. This is a direct connection through your local network.


Link to comment

I tried again with both the Nextcloud and Vaultwarden domains added to my hosts file, here are the results:

Vaultwarden:

vault.duckdns.org - Unraid login screen

vault.duckdns.org:8080 Vaultwarden login screen

Nextcloud:

cloud.duckdns.org - Unraid login screen

cloud.duckdns.org:8080 Unraid login screen

cloud.duckdns.org:4443 Unraid login screen

cloud.duckdns.org:444 Nextcloud login screen

It appears that if I try to go through NPM, I am redirected to the Unraid login screen


Link to comment
14 minutes ago, rcjk said:

Nextcloud:

cloud.duckdns.org - Unraid login screen

cloud.duckdns.org:8080 Unraid login screen

cloud.duckdns.org:4443 Unraid login screen

cloud.duckdns.org:444 Nextcloud login screen

Did you add two entries to your hosts file? You must add cloud.duckdns.org and vault.duckdns.org as separate entries. One entry for duckdns.org does not work (which would be verified through the ping).

Does ping to cloud.duckdns.org return your local unRAID IP?

cloud.duckdns.org:8080 should never return the unRAID WebGUI. If you open it, are you forwarded to cloud.duckdns.org:8080/Dashboard or does the Port disappear? If it disappears, then it's a redirect, if not, then your proxy host is not properly setup.

Link to comment
Quote

Did you add two entries to your hosts file?

Yes, like this:
192.168.7.5    vault.duckdns.org cloud.duckdns.org

Quote

Does ping to cloud.duckdns.org return your local unRAID IP?

When I ping cloud.duckdns.org, it returns

from vault.duckdns.org (192.168.7.5)

Quote

are you forwarded to cloud.duckdns.org:8080/Dashboard or does the Port disappear?

The port disappears and the new URL looks like this:

https://cloud.duckdns.org/login (line through https)

Link to comment

Hello,

Sorry for the newb question(s), but I'm running into issues getting what I need to work, working.

Here's the run down:

  1. Group of Splunk search heads (SH) (each has its own IP on the LAN) that I want load balanced (basically the same application running on multiple server instances)
  2. Access the above Splunk SHs (sticky session) via a single IP (no DNS setup right now)
  3. Have the load balancer (LB) randomly select one of the Splunk SHs when the above IP is entered in a web browser
    1. Sticky session(s), as this is recommended by Splunk

I was able to get the stream working, but that only pushes to a single IP (Splunk SH) from a single port (8000, which is the same on each Splunk SH), and does not rotate between them all.

Am I going about this all wrong, and/or is this not able to do what I'm attempting to accomplish?

Any and all help is greatly appreciated!!

Link to comment
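An NPM proxy host or stream entry forwards to exactly one target, which is why the stream only ever reaches a single search head. Distributing across several with session persistence is an nginx upstream block, which must be declared at http level rather than inside a server block; with NPM that means one of its custom include files, such as /data/nginx/custom/http_top.conf (an assumption about NPM's include points, to be checked against the installed version; the post's own config confirms the /data/nginx/custom/ directory exists). The following is an added example, not from the post, from NPM or from Splunk: the 192.168.1.2x addresses, port 8000 on the search heads and the listen port 8001 are constructed (8001 is used because NPM's own server blocks already hold 80 and 443 inside the container, so the extra port has to be mapped on the container). Open-source nginx has no "random plus sticky" mode: ip_hash pins each client IP to one search head, which gives the sticky session Splunk recommends, at the price of choosing by client address rather than at random, so all clients behind one NAT land on the same search head. The commercial sticky directive or a hash on a session cookie are the alternatives.

```nginx
# Added example (not from the post, NPM or Splunk): a pool of Splunk search
# heads with session persistence, for open-source nginx. Addresses, the
# search-head port and the listen port are constructed values.
upstream splunk_search_heads {
  # ip_hash keeps a given client IP on the same search head for as long as
  # that head is healthy; the first request is therefore distributed by
  # client address, not at random.
  ip_hash;
  server 192.168.1.21:8000 max_fails=3 fail_timeout=30s;
  server 192.168.1.22:8000 max_fails=3 fail_timeout=30s;
  server 192.168.1.23:8000 max_fails=3 fail_timeout=30s;
}

server {
  # Reached by IP only (no DNS yet), on a port NPM itself does not use.
  listen 8001;
  server_name _;

  location / {
    proxy_http_version 1.1;
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    # Splunk web uses WebSockets for some views; pass the upgrade through.
    proxy_set_header Upgrade    $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_pass http://splunk_search_heads;
  }
}
```

After a failed search head recovers, ip_hash routes its clients back to it, which ends their Splunk session on the head they were moved to; setting max_fails and fail_timeout as above keeps that churn to genuine outages. Run nginx -t inside the container after adding the file to catch syntax errors before a reload.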
Quote

Did you use HSTS in the past?

I may have, I have tried many things over the last 4 months on and off. I followed the instructions but when I query for cloud.duckdns.org or just duckdns.org nothing came up. I went ahead and inputted both in the delete anyway. Normally I use Brave but I tried cloud.duckdns.org:8080 on Konqueror and got the same result.

I changed in my hosts file from cloud.duckdns.org to testing.home and inputted testing.home:8080 and get

Congratulations!

You've successfully started the Nginx Proxy Manager.

If you're seeing this site then you're trying to access a host that isn't set up yet.

Log in to the Admin panel to get started.

So it seems something is redirecting that specific domain to the unraid login and saves it? The difference between Vaultwarden and Nextcloud is http versus https; should I still have no issues in network using https?

Link to comment
31 minutes ago, rcjk said:

changed in my hosts file from cloud.duckdns.org to testing.home and inputted testing.home:8080 and get

Congratulations!

That's what we want. Now add a proxy host with Nextcloud as target (without SSL certificate). You should see Nextcloud loading (probably the forbidden page, as you use an unallowed domain, but it works).

If this works, then you probably have the problem of a still active HSTS rule. Maybe you try it with a new DuckDNS subdomain (and not enabling HSTS). I don't know how long the HSTS rule is active.

Link to comment
