[Support] Nginx Proxy Manager (NPM) Official



Overview: Support for the Nginx Proxy Manager (NPM) Official docker container

Docker: https://hub.docker.com/r/jc21/nginx-proxy-manager

Github: https://github.com/jc21/nginx-proxy-manager

 

This is the official Nginx Proxy Manager container which needs an external database like MariaDB. Its advantage compared to the version of jlesage / Djoss is the support of IPv6 on ports 80 and 443.*

 


 

*jlesage's docker has an open issue regarding this.

Link to comment

This is the only reliable way to use NPM through IPv6:

 

1.) Change Unraid's HTTP and HTTPS ports to 5000 and 5001:


 

2.) Install NPM by using the host network:


 

3.) Open the ports 80 and 443 in your router:


 

4.) Open the NPM WebGUI and after changing the login, you can add a proxy host (see next post for Plex as an example).

 

5.) If you only want to type "tower" in your browser to reach your Unraid WebGUI, add this Redirection Host in NPM:


 

Further explanation:

IPv6 does not need port forwarding and many routers don't support it. So it's often not possible to forward internet traffic from port 443 (http) to a custom port like 8443. That leaves us two options: run NPM in the br0/custom network with a fixed IP address, or run it in the host network (bridge has IPv6 disabled). I tried everything, but br0/custom isn't reliable, as it's not possible to define a fixed IPv6 without passing the IPv6 prefix, and if your provider assigns a new IPv6 prefix, the container is offline and stays offline until we manually change the container's IPv6. And changing the IPv6 alone does not work, as the "old" IPv4/IPv6 combination is internally reserved by the Docker service. So it's not only necessary to change the IPv6 of the container; we additionally need to restart the entire Docker service itself.

Link to comment

Single Minecraft Server (or other Gaming Servers)

 

If you host a single Minecraft Server (MCS) you need to add a Stream Host, which listens to port 25565 (default Minecraft Port) and forwards all traffic to your MCS container's IP and Port. In my case the Minecraft Server Container uses the bridge network and listens to port 25575:


 

In NPM add a stream host with the incoming Port 25565 and the container's IP and Port 25575 as its target:

 

Open the TCP Port 25565 in your router:

Now set up a domain with your public IP address (DDNS).

 

Note: No container is allowed to listen to a Port which is defined as an incoming Stream port in NPM.

 

 

Multiple Minecraft Servers (or other Gaming Servers which support SRV records)

 

If you host multiple Minecraft Servers (MCS) you need to add multiple Stream Hosts which listen on different ports. For two servers it could be 25565 and 25566 while the MCS containers listen to 25575 and 25576:


 

In NPM add two stream hosts which listen to 25565 and 25566 and forward the traffic to the container's IPs and Ports accordingly:


 

Open both ports in your router:


 

Now the most important step:

You need a domain or DDNS (dynu.com, noip.com, etc) provider which supports custom SRV records. After you registered your domain, you add an SRV record as follows:

Type: SRV
Service: minecraft
Protocol: tcp
TTL: 120
Priority: 0
Weight: 5
Target: minecraft.example.com (your DDNS address)

 

Especially for dynu.com you need to enter "_minecraft._tcp" in the "Node Name" field (the Dot is important!):


 

Finally you should check the entry as follows (set your DDNS address):

https://mxtoolbox.com/SuperTool.aspx?action=srv%3a_minecraft._tcp.minecraft.example.com&run=toolpage


 

If you now connect to your minecraft server through minecraft.example.com, your client will automatically check for the existence of this SRV record and use the different Port 25566 instead of the default 25565.

 

The same method is supported by:

 

Note: No container is allowed to listen to a Port which is defined as an incoming Stream port in NPM.

 

 

Plex

 

1.) Choose "bridge" as network:


 

2.) Plex Settings > Remote Access > Disable Remote Access (this forces Plex to use https://plex.example.com/ instead of https://49-243-220-22.48abf8487edc9d743c.plex.direct:32400/ )


 

3.) Plex Settings > Network > Set your domain and your unraid server IP as your "Own URLs" (use https and http as needed!):


 

By that your own domain is used for external access and your unraid server ip is used for local access (and https://local-ip.xxx.plex.direct/ of course).

 

4.) Add a new proxy host in Nginx Proxy Manager for your domain which targets the fixed IP of your Plex container and enable Websockets:


 

5.) Request an SSL certificate and force SSL:


 

 

A nginx.conf generated by Nginx Proxy Manager

 

Some people may be interested in what an nginx.conf generated by Nginx Proxy Manager looks like. If you add a proxy host with the following settings:

  • domain unifi.example.com
  • scheme https
  • IP 192.168.178.8
  • port 8443
  • enable Websocket Support
  • select Let's Encrypt SSL
  • force SSL
  • add something to the Advanced Config

 

the final config would look like this:

# ------------------------------------------------------------
# unifi.example.com
# ------------------------------------------------------------

server {
  set $forward_scheme https;
  set $server         "192.168.178.8";
  set $port           8443;
  listen 80;
  listen [::]:80;
  listen 443 ssl http2;
  listen [::]:443;
  server_name unifi.example.com;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-2/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-2/privkey.pem;

  # Force SSL
  include conf.d/include/force-ssl.conf;

  # Websockets Support
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;

  # Logs
  access_log /data/logs/proxy-host-3_access.log proxy;
  error_log /data/logs/proxy-host-3_error.log warn;

  # Rules added through the Advanced Tab
  listen 8080;
  server_name *.example.net;

  location / {

    # Websockets Support
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    # Proxy
    add_header       X-Served-By $host;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_set_header X-Real-IP          $remote_addr;
    proxy_pass       $forward_scheme://$server:$port;

  }
}

 

Maybe this is helpful to decide which rules could be missing for your use case.

Link to comment
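An added example, not part of the original post or of Nginx Proxy Manager: a Python check that lists every `listen` directive in a generated server block and flags a port-443 listener without the `ssl` parameter as well as any listener outside the expected ports (here the 8080 added through the Advanced tab), which matters when NPM runs in the host network and binds those ports on the server itself. The sample config is constructed from the lines posted above; `parse_listeners`, `audit` and `expected_ports` are names chosen for this example.

```python
import re

# Constructed sample: the listen/server_name lines of the server block posted above.
SAMPLE_CONF = """
server {
  listen 80;
  listen [::]:80;
  listen 443 ssl http2;
  listen [::]:443;
  server_name unifi.example.com;
  # Rules added through the Advanced Tab
  listen 8080;
  server_name *.example.net;
}
"""

LISTEN_RE = re.compile(r"^\s*listen\s+([^;]+);", re.MULTILINE)
# Optional address ("[::]" or "192.0.2.1") followed by a numeric port.
ADDR_RE = re.compile(r"^(?:(\[[0-9a-fA-F:.]+\]|[^:\[\]]+):)?(\d+)$")

def parse_listeners(conf):
    """Return one dict per listen directive that names a port."""
    listeners = []
    for directive in LISTEN_RE.finditer(conf):
        address, *flags = directive.group(1).split()
        parsed = ADDR_RE.match(address)
        if not parsed:  # unix sockets and port-less addresses are skipped
            continue
        host = parsed.group(1) or "*"
        listeners.append({
            "family": "ipv6" if host.startswith("[") else "ipv4",
            "port": int(parsed.group(2)),
            "tls": "ssl" in flags,
        })
    return listeners

def audit(conf, expected_ports=(80, 443)):
    """Flag 443 listeners without TLS and listeners outside expected_ports."""
    findings = []
    for item in parse_listeners(conf):
        where = f"{item['family']} port {item['port']}"
        if item["port"] == 443 and not item["tls"]:
            findings.append(f"{where}: no 'ssl' parameter, nginx does not use TLS on this socket")
        if item["port"] not in expected_ports:
            findings.append(f"{where}: not in expected_ports, check router/firewall exposure")
    return findings

print("\n".join(audit(SAMPLE_CONF)))
```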
16 hours ago, Mentox said:

what is the reason for using MariaDB instead of SQLite?

No joke: I missed this part in the docs:

      # If you would rather use Sqlite uncomment this
      # and remove all DB_MYSQL_* lines above
      # DB_SQLITE_FILE: "/data/database.sqlite"

 

 

I will update the container and remove the external DB. SQLite is the easier option for the user.

Link to comment
On 7/5/2021 at 2:38 AM, mgutt said:

will update the container and remove the external DB. SQLite is the easier option for the user.

 

Looking forward to having SQLite as the default in your NPM Docker.

 

All the best,

 

Lucas

 

 

 

 

 

Link to comment

Ty for creating this!

 

I attempted to migrate from previous docker, expected my custom nginx configuration to work (not overly custom).  One aspect is geoip2 but I am getting error in logs saying geoip directive is not recognized.  Thought it was for the most part all using the same source?

 

UPDATE: Decided to look at the dockerfile and can see they both use different repositories and docker build files.  

Link to comment

Very interested in this..

 

Does this do the same as SWAG but using a UI?

If so, how hard would it be migrating from SWAG to this docker? I already have a custom network set-up and have 6-7 sub domains set-up that point to various containers on my server.

Link to comment

If you wanted to use the MariaDB option still, you can remove the `DB_SQLITE_FILE` variable and re-add the variables: `DB_MYSQL_HOST`,  `DB_MYSQL_PORT`, `DB_MYSQL_USER`, `DB_MYSQL_PASSWORD`, `DB_MYSQL_NAME`. I just set this up (I already had MariaDB setup for other things and wanted to keep everything in one place) and so far it's working.

Link to comment

Can you update the instructions without the MariaDB piece?

Not getting this to actually work with my hosts, getting a 502 Bad Gateway openresty error. Had it working fine previously with the other NPM Docker.

 

edit: Fixed it, for some reason my dockers were not talking to each other, had to disable then reenable the setting under Docker.

Link to comment

Reverse Proxy Docker container (Bitwarden) in network bridge on port 8080 not working. 

 

Dear friends, I finally was able to migrate. I was having a huge problem with Bitwarden (from: vaultwarden/server). 

I still don't know if it is something on my system or on NPMO.

 

My Docker in BW is set on bridge and NPMO is in network br0.

NPMO is using SQLite

 

When I added my proxy settings as below, it did not work (it used to work with the jlesage version). (I changed my real domain to mydomain.com for the screenshots.)

To make it work, I had to add the "bridge" network as Post Arguments in the advanced view of NPMO, and I had to use the internal IP of BW and port 80.

 

My question is:

Am I missing something on my UNRAID server to make NPMO in br0 have access to 192.168.100.250:8080, or is something wrong with NPMO that it does not accept port 8080 as the Forward Port?

 

Thank you in advance,

 

Lucas

 

 

 

 

 

 

Link to comment
26 minutes ago, DrLucasMendes said:

Reverse Proxy Docker container (Bitwarden) in network bridge on port 8080 not working. 

 


This is the fix (I had the same issue).

 

Stop all your dockers.


Go to settings > dockers > enable "no"

 

Wait for that to turn off

 

Change "Host access to custom networks:" to off. Apply

Change "Host access to custom networks:" to On. Apply

 

Turn docker back on, try again.

 

 

 

Link to comment
2 hours ago, Candle said:

Change "Host access to custom networks:" to On. Apply

This is something which will be removed in future Unraid versions. My suggestion: Run NPM as host and run all other containers as bridge.

 

Link to comment
3 minutes ago, mgutt said:

This is something which will be removed in future Unraid versions. My suggestion: Run NPM as host and run all other containers as bridge.

 

Why? Why don't you guys just fix it instead of making it more difficult?

Link to comment

Hello,

I hope I am on the right thread; if not, feel free to move me around.

I am new to NPM, however, I have made 7 proxy hosts already and most of them are working including all web server redirects using "A" or "CNAME".

I have a problem setting up a proxy for camera streaming.

I was successful streaming an old Foscam camera by simply setting the IP and port XXX. For all newer cameras or NVRs where http webserver and the image streaming (in ONVIF or RTSP format), I am not getting it. I am using an app called "IP CAM Viewer" and in that, I could easily view the cameras by defining the http port (port forwarding and DDNS), ID and password. With the reverse proxy server, I can define the DN and port 80 to be redirected for the Foscam camera; however, when I tried to do the same for others, I do not get the streams.

 

Any help is appreciated.

Link to comment
