[Support] Nginx Proxy Manager (NPM) Official



 

I've tried to disable IPv6 on unRAID but it still has the same issue

 

EDIT: I've just nuked the Docker and config files and started over again, seems to work now, not sure if it will continue to work after an update though.

 

EDIT 2: Turns out rebooting it, killed it again.

Edited by Vista2003
Link to comment
1 hour ago, Vista2003 said:

I'm not entirely sure what I'm looking for here

Docker to No and then you should be able to disable IPv6 custom....

 

8 minutes ago, Vista2003 said:

I've tried to disable IPv6 on unRAID but it still has the same issue

Ok, hmmm.

 

EDIT: One moment. The error appears after reading stream/2.conf. Please open the NPM console and execute the following:

su
cat /data/nginx/stream/2.conf

 

Does this stream host use port 80 and/or 443?

 

You cannot set up a stream host with these ports, as they are used by NPM itself.

Link to comment

Hello!

 

Trying to debug an issue I'm having. I have NPM installed, my DNS is sorted, I have a host configured and the SSL certificate has been registered. So I'm pretty sure every part of the chain to NPM is working; however, when I try to connect to the URL I have configured, it times out as unreachable.

 

I'm guessing it's an issue between the container and the rest of my unRAID ecosystem. I've tried connecting to other containers and VM-hosted applications with no luck. But the logs are not really helpful. Is there a way to turn on debug logging to see what is happening within NPM and why it's not finding the endpoint specified?

 

One thing I've noticed is every guide I've seen has the container on a custom network type, whereas mine is set to bridge. When I switch to something else, the SSL service can't renew certificates, so it breaks that part of the chain.

 

All advice or suggestions welcome.

 

thanks in advance

Link to comment
On 1/30/2022 at 4:36 PM, mgutt said:

 

Thanks. If I run the curl from the console I get "HTTP/1.1 200 OK", which is good; however, when I try to connect on the URL I get Chrome's "ERR_CONNECTION_TIMED_OUT".

 

As it stands I have:

  • dns for subdomain.domain.com to my public IP
  • two port forwarding rules on my router for ports 80 and 443 to the IP of the NPM container (I have changed the IP on unRAID from port 80 to allow NPM to have it)
  • When I connect to the NPM with both http and https I get the correct splash page
  • Within NPM I have a Proxy Host
    • Details
      • Domain Name: subdomain.domain.com
      • Scheme: http
      • Forward Hostname / IP: 172.16.1.1
      • Forward Port: 8181
      • Cache Assets: Off
      • Block Common Exploits: On
      • Websockets Support: Off
      • Access List: Publicly Accessible
    • Custom Locations
      • None
    • SSL
      • SSL Certificate: subdomain.domain.com
      • Force SSL: On
      • HTTP/2 Support: On
      • HSTS Enabled: Off
      • HSTS Subdomains: Off
    • Advanced
      • None
         

When I run 

curl -sSL -D - http://172.16.1.1:8181 -o /dev/null

 

I get the following response

 

HTTP/1.1 303 See Other
Content-Type: text/html;charset=utf-8
Server: CherryPy/unknown
Date: Thu, 03 Feb 2022 15:58:50 GMT
Location: http://172.16.1.1:8181/home
Vary: Accept-Encoding
Content-Length: 100

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Server: CherryPy/unknown
Date: Thu, 03 Feb 2022 15:58:50 GMT
Vary: Accept-Encoding
Content-Length: 68695

 

I thought maybe it's a port issue, so I have added a port forward rule on the router for 8181, but this doesn't fix it (I assume the port number is handled by NPM, but I was running out of ideas!).

Link to comment
18 hours ago, mgutt said:

Hmm that's strange. And it's the same for the public ip url?

 

It brings up the splash page. When I update my local hosts file to point at the NPM it works, so I am guessing the problem lies with my router. I have a pfSense one on order, so that might fix it, but I think I can say NPM is configured and working as it should.

Link to comment

Hey there,

 

I've set up an Nginx proxy to a FileBrowser docker (and previously NextCloud) about a year ago, and so far everything has been working like a dream.

 

Until yesterday >.<

 

Not sure what happened, and when, but Nginx wasn't able to auto-renew the SSL certificate for my domain. I only noticed this yesterday, when I wasn't able to connect to the FileBrowser from the net anymore.

 

I've tried to "manually" (as in, from the Nginx GUI) renew the certificate, but it keeps failing.

 

On certain browsers (like Samsung's own web app, which doesn't seem to give two hoots about secure connections) I can connect to the FileBrowser docker just fine.

I also created a new domain, and new Nginx proxy host to my FileBrowser docker, without the SSL certificates, just to test if the connection is good. It is.

 

This is what I'm getting from the Docker log (inside of UnRaid) when I try to renew the certificate:

Internal Error

Error: Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-6" --agree-tos --authenticator webroot --email "[EMAIL HERE]" --preferred-challenges "dns,http" --domains "[EMAIL HERE]" 
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Some challenges have failed.
Ask for help or search for solutions at https://community.letsencrypt.org. See the logfile /var/log/letsencrypt/letsencrypt.log or re-run Certbot with -v for more details.

    at ChildProcess.exithandler (node:child_process:397:12)
    at ChildProcess.emit (node:events:390:28)
    at maybeClose (node:internal/child_process:1064:16)
    at Process.ChildProcess._handle.onexit (node:internal/child_process:301:5)

 

The external log files I can't seem to find anywhere 🤔

 

Trying to test the server reachability, I get:

[screenshot: TestReachability.PNG]

 

 

Any help would be appreciated! :)

Link to comment
45 minutes ago, mgutt said:

Open the containers console and check the last entries:

tail -n200 /var/log/letsencrypt/letsencrypt.log

 


Here's what I've got:


 

# tail -n200 /var/log/letsencrypt/letsencrypt.log
2022-02-11 19:02:40,778:DEBUG:certbot._internal.main:certbot version: 1.22.0
2022-02-11 19:02:40,779:DEBUG:certbot._internal.main:Location of certbot entry point: /usr/bin/certbot
2022-02-11 19:02:40,779:DEBUG:certbot._internal.main:Arguments: ['--non-interactive', '--quiet', '--config', '/etc/letsencrypt.ini', '--preferred-challenges', 'dns,http', '--disable-hook-validation']
2022-02-11 19:02:40,779:DEBUG:certbot._internal.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2022-02-11 19:02:40,789:DEBUG:certbot._internal.log:Root logging level set at 40
2022-02-11 19:02:40,791:DEBUG:certbot._internal.display.obj:Notifying user: Processing /etc/letsencrypt/renewal/npm-8.conf
2022-02-11 19:02:40,804:DEBUG:certbot._internal.plugins.selection:Requested authenticator <certbot._internal.cli.cli_utils._Default object at 0x14e5136e0b38> and installer <certbot._internal.cli.cli_utils._Default object at 0x14e5136e0b38>
2022-02-11 19:02:40,804:DEBUG:certbot._internal.cli:Var pref_challs=dns,http (set by user).
2022-02-11 19:02:40,804:DEBUG:certbot._internal.cli:Var preferred_chain=ISRG Root X1 (set by user).
2022-02-11 19:02:40,804:DEBUG:certbot._internal.cli:Var key_type=ecdsa (set by user).
2022-02-11 19:02:40,804:DEBUG:certbot._internal.cli:Var elliptic_curve=secp384r1 (set by user).
2022-02-11 19:02:40,805:DEBUG:certbot._internal.cli:Var webroot_path=/data/letsencrypt-acme-challenge (set by user).
2022-02-11 19:02:40,805:DEBUG:certbot._internal.cli:Var webroot_map={'webroot_path'} (set by user).
2022-02-11 19:02:40,805:DEBUG:certbot._internal.cli:Var webroot_path=/data/letsencrypt-acme-challenge (set by user).
2022-02-11 19:02:40,823:DEBUG:urllib3.connectionpool:Starting new HTTP connection (1): r3.o.lencr.org:80
2022-02-11 19:02:40,890:DEBUG:urllib3.connectionpool:http://r3.o.lencr.org:80 "POST / HTTP/1.1" 200 503
2022-02-11 19:02:40,892:DEBUG:certbot.ocsp:OCSP response for certificate /etc/letsencrypt/archive/npm-8/cert1.pem is signed by the certificate's issuer.
2022-02-11 19:02:40,893:DEBUG:certbot.ocsp:OCSP certificate status for /etc/letsencrypt/archive/npm-8/cert1.pem is: OCSPCertStatus.GOOD
2022-02-11 19:02:40,897:DEBUG:certbot._internal.display.obj:Notifying user: Certificate not yet due for renewal
2022-02-11 19:02:40,898:DEBUG:certbot._internal.plugins.selection:Requested authenticator webroot and installer None
2022-02-11 19:02:40,898:DEBUG:certbot._internal.display.obj:Notifying user: 
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-02-11 19:02:40,898:DEBUG:certbot._internal.display.obj:Notifying user: The following certificates are not due for renewal yet:
2022-02-11 19:02:40,898:DEBUG:certbot._internal.display.obj:Notifying user:   /etc/letsencrypt/live/npm-8/fullchain.pem expires on 2022-05-12 (skipped)
2022-02-11 19:02:40,898:DEBUG:certbot._internal.display.obj:Notifying user: No renewals were attempted.
2022-02-11 19:02:40,898:DEBUG:certbot._internal.display.obj:Notifying user: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2022-02-11 19:02:40,899:DEBUG:certbot._internal.renewal:no renewal failures

 

However, I'm not exactly in the same spot anymore, as I was with the previous message.

 

I got the certificate to renew itself by changing the port-forward rules, so that from port 80, instead of it being directed to FileBrowser, it was instead directed at Nginx docker.

 

This, however, created a "Bad gateway" error, which I'm now struggling with.

 

[screenshot: BadGateway.PNG]

 

I've since changed the port forward rules back to what they were, so port 80 is now directed to FileBrowser again. But the result is the same.

 

I'm also getting the same result with the reachability test.

 

Thank you for the quick response! Appreciate it :)

Edited by REllU
Link to comment
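The renewal failure above is an HTTP-01 webroot challenge that cannot be answered while port 80 is forwarded to FileBrowser instead of the NPM container. As an added example (not code from this thread or from NPM), this Python check writes a token into the webroot and fetches it the way Let's Encrypt would; `demo()` stands up two throwaway local servers to show the passing and failing cases, and the webroot path, servers and URLs are constructed stand-ins.

```python
import functools
import http.server
import secrets
import tempfile
import threading
import urllib.error
import urllib.request
from pathlib import Path

# Constructed helper, not NPM code: on a real host pass NPM's webroot from the certbot
# log above (webroot_path=/data/letsencrypt-acme-challenge) instead of demo()'s tmpdir.
CHALLENGE_PREFIX = "/.well-known/acme-challenge/"

def check_http01_path(base_url, webroot, timeout=5.0):
    """Drop a random token into the webroot and fetch it over plain HTTP. False means
    port 80 does not land in NPM's webroot: certbot's "Some challenges have failed"."""
    token = secrets.token_urlsafe(16)
    token_file = Path(webroot) / ".well-known" / "acme-challenge" / token
    token_file.parent.mkdir(parents=True, exist_ok=True)
    token_file.write_text(token)
    try:
        url = base_url.rstrip("/") + CHALLENGE_PREFIX + token
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode(errors="replace")
        if body.strip() == token:
            return True, "challenge path is served from this webroot"
        return False, "port 80 answered, but not from this webroot (another container?)"
    except urllib.error.HTTPError as e:
        return False, "HTTP %d on challenge path: port 80 reaches a different service" % e.code
    except (urllib.error.URLError, OSError) as e:
        return False, "no answer on port 80: %s" % e
    finally:
        token_file.unlink()

def serve_dir(directory):
    """Throwaway local HTTP server standing in for whatever port 80 is forwarded to."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=str(directory))
    srv = http.server.HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, "http://127.0.0.1:%d" % srv.server_address[1]

def demo():
    """Constructed: port 80 -> NPM webroot (renews) vs port 80 -> another container (404)."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot, other = Path(tmp) / "npm", Path(tmp) / "filebrowser"  # check() creates the tree
        (npm, npm_url), (fb, fb_url) = serve_dir(webroot), serve_dir(other)
        result = {"npm": check_http01_path(npm_url, webroot),
                  "filebrowser": check_http01_path(fb_url, webroot)}
        npm.shutdown(); fb.shutdown()
        return result
```

On a live host, call `check_http01_path("http://your.domain", "/data/letsencrypt-acme-challenge")` from inside the NPM container; a 404 or timeout there is the same condition the router change in the post above fixed.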
On 2/4/2022 at 12:11 PM, Camnomis said:

As an aside, how secure is the access lists feature?

Obviously if I use user name / password it's only as strong as the password I provide, but is IP restriction enough? Is there any way to improve on the basic security of NPM with 2FA?


Thanks for the help in this thread. I've got NPM with Authelia for 2FA and I'm really happy with the setup. The only small niggle is that when I try to access the unRAID host via an NPM address it's coming up with a 502 Bad Gateway; I can access it via IP, so I'm guessing it's something in NPM which is causing the issue.

Link to comment

Hello. Does anyone know if this container is able to display HTML websites? I know it has nginx and it can be used to make your own website.
 

I tried placing the index.html in the nginx/default_www folder, but it did not work. Has anyone tried it before?
 

I don't want to use WordPress. I want to learn HTML and make websites, and I have been searching and I don't see anything. All I see is how to use WordPress with it, and I already have that.
 

I want to drop the files in a folder location inside nginx and make changes to the files to update my own website.
 

Thanks in advance.

Link to comment
13 hours ago, mgutt said:

First page, read the 5xx error paragraph.

 

Rightyo! Let's see..

 

4.) Does NPM reach your target container?

Nope. Nginx container is in br0, and wasn't able to connect to FileBrowser, since that was in Bridge mode.

Changing FileBrowser into br0 as well allows Nginx to connect to it successfully.

 

I've then changed the port forward rule to reflect this change, which seems to work fine.

 

However, the situation is still very much the same:

 

✔️ http://[my-public-ip] (Skipping Nginx entirely)

✔️[FileBrowser_ip]:[FileBrowser_port] (Skipping Nginx entirely)

✔️Connection between Nginx and FileBrowser (with br0 network)

✔️http:// domain . com

https:// domain . com (results in bad gateway)

Server reachability test (Within Nginx)

 

I've only now jumped to the official docker image of the Nginx Proxy Manager. Previously, I was rocking jlesage's docker image, which had served me well up until the issue yesterday with renewing certificates. It was also using bridge network mode.

I read somewhere about potential issues with that particular docker image, and I figured I'd try this one out, just in case 🤷‍♂️

 

I feel like I'm just missing something obvious here.

 

 

Edited by REllU
Link to comment
30 minutes ago, mgutt said:

That's really strange as http is working. Do you have any advanced rules which cover https/443 traffic?

 

What happens if you open https://your.public.ip ? It should return "ERR_HTTP2_PROTOCOL_ERROR" as no SSL certificate is provided by NPM.


 

The only rule I have for 443 port in Ubiquiti, is this:

[screenshot: 443_Rule.PNG]

 

Just tried to shut down Nginx completely, and even then http:// mydomain . com - works fine, so it seems to skip Nginx entirely.

I do have a rule for port 80 within my router, currently pointing to FileBrowser, so that makes sense.

 

Trying to open https:// public_ip - Just results in a timeout. If there's a log file somewhere that you'd like to see about this, just point me into the right direction, and I'll dig it up for you (apologies, networking isn't my strongest suit)

 

EDIT:

I had Nginx stopped when I tried to access https:// public_ip

With Nginx running, I'm getting the (original issue from yesterday) potential security risk, which would point out for an invalid certificate.

 

[screenshot: risk.PNG]

 

Trying to continue from here gives me a "Secure connection failed".

 

Apologies for the amount of edits. There's so many variables with testing these things.

 

Edit 3:

I've now tried to change the protocol to HTTP instead of HTTPS within Nginx, as I'm not really sure what protocol FileBrowser wants to use.

 

Turns out, this seems to work from quick on/off testing. I'm a bit confused as to why HTTPS worked just fine with the last Nginx container I had, but not here?

 

Going to the certificates tab within Nginx, and testing the reachability of the server seems to still give me the same error as before. So I'm guessing renewing the certificates will still be an issue.

 

Edit 4:

Disabling the port-forward rule for port 80 within my router seems to still work.

Doing this however, does give me a different result in reachability test, which is now stating that there is no server.

Edited by REllU
Link to comment
