[Support] Nginx Proxy Manager (NPM) Official



23 hours ago, blaine07 said:

I’ll try just removing it and see what happens. Since not referring to any containers by “name” and instead using all IP:PORT I don’t think I even need the syntax/be on specific network too?

@mgutt I removed the post arguments as we discussed and it's "back at it again". Any last-ditch efforts? It's network related; I'm just unsure what else to do at this point.

 



So my certificate expired and everything stopped working.. I've just been ignoring NPM because it's just been.. working.

 

I'm getting this error in the log:

 

[12/16/2022] [11:23:54 PM] [Express  ] › ⚠  warning   Command failed: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-7" --agree-tos --authenticator webroot --email "xxxx" --preferred-challenges "dns,http" --domains "xxxx" 
Another instance of Certbot is already running.
 

When attempting to request a new cert, I get "Internal error" in the web interface.

I'm unsure if I screwed something up when my server crashed and I had to restore from backup, shortly after which my ubiquiti setup imploded and I had to redo it from memory. 

Just found I had forwarded port 80 to the internal port 3000 for some reason. It's now this:


 

I feel like I'm missing something glaringly obvious here, probably network related or docker-setting related, but the entire household is down with the plague so I'd greatly appreciate a helping hand so I can get access to my audiobooks back 😃

 

Thank you and appreciate it. 

 

7 hours ago, mgutt said:

Do you have many hosts? Else I would delete NPM incl. its appdata dir and start from the beginning.

 

Or you need to find and follow "debug 5xx errors" on the first page.

 

Yeah that did it. As a side effect I got dedicated IP working again so a better setup than before. 

Now it'll probably just run without problems for years again. 🙂

 

Edit: 

Spoke too soon. LetsEncrypt worked, but it seems not all is well. 


Favicon downloads, but yeah.. Guess I have some work left still :) 

 

Edit2: Forgot the docker network restrictions. All good now. Cheers. 

Edited by Froberg
  • 3 weeks later...

Hello everyone,

 

I'm a noob and trying to learn about setting up nextcloud on unraid. I've followed Spaceinvader's "Installing Nextcloud on Unraid 2022 pt1" to a tee and cannot get it to work. All the steps worked just fine except for setting up a CNAME in cloudflare - I am instead setting up a type A record and plugging in my static IP address. In my simple mind that should work. I've opened port 443 so I don't think that is the issue (I may be wrong though).

 


 

My bigger question is this: I've been reading all the issues folks are running into regarding setup and Nextcloud breaking after updates, etc. I would like to understand the need for Cloudflare, what is going on in the background, what we actually need to set up remote access securely, etc. I know there are different methods of setting up Nextcloud, but what are the pros and cons of each? Are there any videos that describe this? Are there descriptions/recommendations on the Unraid forums? I appreciate everyone's support on this stuff. I have been using Unraid for years and have been very happy; this forum has been very helpful.

2 hours ago, gnickdog said:

I would like to understand the need for cloudflare

It depends. If you use cloudflare only as DNS without proxy, you don't have any advantages as it is the same as using the DNS functionality of any other domain registrar.

 

If you instead use the proxy feature, the complete traffic hits the Cloudflare servers, before it is forwarded to your server. This has pros and cons:

+ Cloudflare checks all visitors (captcha etc)

+ Cloudflare filters attacks

+ Cloudflare modifies the content, so it's more compressed or minified than the original content

+ Cloudflare hosts some of the static files on their own servers, so for example website icons are only loaded once from your server

+ Your public IP is hidden, so theoretically nobody can attack your server directly

- The security depends fully on hiding your public IP, but nearly nobody has a firewall which allows only Cloudflare IPs to access your server, so finally an attacker will reach your server by simply testing every available IPv4 in the world (thousands of bots are doing this 24/7)

- If Cloudflare is down, your website is down, too. And it happens: https://www.zdnet.com/article/cloudflare-service-hit-by-widespread-issues/

- If you route all your visitors through Cloudflare, this means Cloudflare has full control of your visitors' activities. That's why I think it's not legal to use it in the EU (GDPR), although Cloudflare claims the opposite

- Cloudflare blocks every account that proxifies non-html content. That's why it is not allowed to host Plex / Jellyfin through Cloudflare AND I think this covers Nextcloud, too, as uploading and downloading non-html files is the main purpose of Nextcloud

 

All cons are the reason why I don't use Cloudflare. But if you only want to use Cloudflare as a domain registrar and use it as a simple DNS server for your domain without any proxy feature, there should be no reason against it.

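On the point above that hiding the origin IP only helps when the firewall admits nothing but Cloudflare edges, here is an added example (not from this thread or from the NPM project) that checks the peer IPs in an access log against Cloudflare's published IPv4 ranges and renders the matching allow/deny block for NPM's "Advanced" box. The range list is a snapshot you must refresh yourself, and the log lines are constructed.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: refresh it
# from https://www.cloudflare.com/ips-v4 before use; the list changes over time).
CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]

# Constructed sample of NPM/nginx access-log lines: the first field is the
# peer IP as seen by the origin, i.e. a Cloudflare edge if proxying is enforced.
SAMPLE_LOG = """\
172.68.10.5 - - [01/Jan/2023:10:00:00 +0000] "GET / HTTP/2.0" 200 512
203.0.113.7 - - [01/Jan/2023:10:00:01 +0000] "GET /login HTTP/1.1" 200 128
104.16.3.9 - - [01/Jan/2023:10:00:02 +0000] "GET /favicon.ico HTTP/2.0" 200 64
"""

def build_networks(cidrs):
    """Parse CIDR strings once; strict=True rejects malformed entries early."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]

def is_cloudflare_edge(client_ip, networks):
    """True if client_ip falls inside any of the allowed edge ranges."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in networks)

def direct_hits(log_text, networks):
    """Peer IPs that reached the origin without passing through Cloudflare."""
    peers = (line.split()[0] for line in log_text.splitlines() if line.strip())
    return sorted({ip for ip in peers if not is_cloudflare_edge(ip, networks)})

def nginx_allow_block(cidrs):
    """Render allow/deny directives for NPM's per-host "Advanced" custom config."""
    return "\n".join([f"allow {c};" for c in cidrs] + ["deny all;"])
```

`deny all;` also shuts out your own LAN clients, so add your LAN range to the list if you reach NPM directly at home.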

I have a security camera NVR and an associated phone app using a data format called "mobile data" format to access the NVR on port XXXX. This data format is not in HTTP format. But the proxy manager only has HTTP and HTTPS format. How can I override this? A search of the net indicates that since Nginx 1.9.0 you can put the following in the config:

    stream {
        upstream backend {
            server backend1.example.com:12345;
        }
        server {
            listen 12345;
            proxy_pass backend;
        }
    }

 

Is this what I am supposed to put in the "advanced" section?

Edited by jackwan1
7 hours ago, mgutt said:

No, but the stream host section in NPM is what you need. But this works domain-independent, so all traffic on port X is forwarded to IP+Port Y.

Thanks

In other words, I have to open a unique port on the router for each streaming service. And thus there is no difference between DDNS and NPM.

4 hours ago, jackwan1 said:

In other words, I have to open a unique port on the router for each streaming service. And thus there is no difference between DDNS and NPM.

Correct. I had the same situation with Minecraft servers. Finally I forwarded the ports directly to the specific containers instead of using stream hosts.

 

There is a third-party module available which allows SNI-based forwarding with Nginx, but it's not part of NPM:

https://serverfault.com/questions/628147/nginx-proxy-based-on-sni-without-decryption

 

 

4 hours ago, mgutt said:

Correct. I had the same situation with Minecraft servers. Finally I forwarded the ports directly to the specific containers instead of using stream hosts.

 

There is a third-party module available which allows SNI-based forwarding with Nginx, but it's not part of NPM:

https://serverfault.com/questions/628147/nginx-proxy-based-on-sni-without-decryption

 

 

I read the installation instruction of that third party module and found the following note:

 

"Note, You can't use the same listening port with HTTP modules."

 

It looks like with that module you still need to open a unique port for each streaming service, same as NPM, which defeats the purpose. I will keep my port forwarding DDNS.


You do need to open/forward that port anyway since that's where the device will try to connect to. Passing it through nginx gains you nothing compared to passing it to the destination directly.

 

This would only be useful if you had multiple separate things for which the clients used the same port (the whole point of reverse proxying).

Edited by Kilrah
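To make concrete why a stream host can only forward by port while the SNI module in the linked answer can forward by hostname without decrypting anything, here is an added example (not from this thread or from that module) that builds a minimal ClientHello, reads its SNI and routes on it; a non-TLS protocol such as the NVR's "mobile data" carries no such field, so it falls through with no route. The ROUTES table and hostnames are constructed assumptions.

```python
import struct

# Constructed routing table (assumption): SNI hostname -> (LAN IP, port).
ROUTES = {
    "nvr.example.com": ("192.168.1.20", 8443),
    "mc.example.com": ("192.168.1.21", 25565),
}

def build_client_hello(host):
    """Construct a minimal TLS 1.2-style ClientHello carrying an SNI extension (test input)."""
    name = host.encode("ascii")
    sni = b"\x00" + struct.pack("!H", len(name)) + name          # name_type host_name + name
    sni = struct.pack("!H", len(sni)) + sni                      # server_name_list length
    ext = b"\x00\x00" + struct.pack("!H", len(sni)) + sni         # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"                 # version, random, empty session id
            + b"\x00\x02\x13\x01"                                # one cipher suite
            + b"\x01\x00"                                        # one compression method
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # TLS record header

def extract_sni(data):
    """Return the SNI hostname from a TLS ClientHello, or None if this is not one."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:
            return None
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        p = 4 + 2 + 32                                           # header, version, random
        p += 1 + hs[p]                                           # session id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]             # cipher suites
        p += 1 + hs[p]                                           # compression methods
        end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]        # extensions block
        p += 2
        while p + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            edata = hs[p + 4:p + 4 + elen]
            if etype == 0 and edata[2] == 0:                     # server_name, host_name type
                nlen = struct.unpack("!H", edata[3:5])[0]
                return edata[5:5 + nlen].decode("ascii")
            p += 4 + elen
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None

def route(first_bytes, routes=ROUTES):
    """Pick a backend from the SNI; non-TLS traffic (e.g. an NVR's proprietary protocol) gets None."""
    host = extract_sni(first_bytes)
    return routes.get(host) if host else None
```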

Hi! Perhaps this is a question already answered, but I can’t find it and perhaps I’m not searching for the right words.

 

Anyway, thank you for this container!

I've set up NPM and Cloudflare Tunnel with my own Cloudflare SSL certificate. This now works perfectly for all my different containers, but took some time to troubleshoot (mostly because of my lack of knowledge in the area).

 

Now I was thinking: instead of every time I'm on my local LAN and go to https://myservicename.mydomain.com all traffic having to go outside of my network to Cloudflare and then back, I'd like to set it up so that when I'm on my LAN that URL points directly to that service's local IP without leaving the network.
 

How do I manage this best? 
Do I use Pihole local DNS and point to NPM somehow? Or can this be handled directly in NPM?

 

Sure, I can use the IPs when I’m at home, but it would be nice to just use the same URLs everywhere. 👍

Edited by kim_sv
Spelling
4 hours ago, kim_sv said:

I’ve setup NPM and Cloudflare Tunnel with my own Cloudflare SSL certificate

Note: This is not allowed for Nextcloud, Plex, etc.

 

4 hours ago, kim_sv said:

How do I manage this best? 

The easiest method is not to use Cloudflare and use your public IP for your domains. As your public IP is the IP of your router, the traffic would not leave your LAN. This is called NAT Loopback or Hairpinning.

 

5 hours ago, kim_sv said:

Do I use Pihole local DNS and point to NPM somehow?

Yes. You need a local DNS server which should not be hosted on your unRAID server, else your complete DNS resolution is dead if your DNS server container isn't running (server reboot etc). This has a very low WAF 😉 In Pi-Hole it's called Local DNS Records, in Adguard Home it's called Filter DNS Rewrites.

 

 

3 hours ago, mgutt said:

Note: This is not allowed for Nextcloud, Plex, etc.

 

The easiest method is not to use Cloudflare and use your public IP for your domains. As your public IP is the IP of your router, the traffic would not leave your LAN. This is called NAT Loopback or Hairpinning.

 

Yes. You need a local DNS server which should not be hosted on your unRAID server, else your complete DNS resolution is dead if your DNS server container isn't running (server reboot etc). This has a very low WAF 😉 In Pi-Hole it's called Local DNS Records, in Adguard Home it's called Filter DNS Rewrites.

 

 

Thank you for the answer!

 

I’m aware of the ToS prohibiting non-HTML content. Don’t use Nextcloud and for Plex I don’t see the need.

 

I'm running my Pihole on the server at the moment, but I'm looking into building/setting up a pfSense or OPNsense router. That would also host the Pihole (or similar service).
 

But that’s some time away, and right now I only have my ASUS router.

 

When setting it up on Pihole, how exactly would that be done? My NPM (and all my services) have the same IP as my server and I don't see a way to point Local DNS to a specific port, only an IP.

EDIT: Right now I do have a public IP, but my ISP is finicky about it and it looks like they might start charging for it. That was why I wanted to set up a CF tunnel, to not be dependent on that.

Edited by kim_sv
