[Support] Djoss - Nginx Proxy Manager


Djoss


Hi,

first of all, this is an amazing docker container. I've been using it for about half a year without facing any problems.

 

But now, when updating certificates of certain domains, I get an internal error. I also removed one and tried to make a new certificate, without success. Here is the docker log:

 

[5/31/2021] [9:03:20 PM] [SSL ] › ℹ info Renew Complete
[5/31/2021] [10:03:16 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[5/31/2021] [10:03:20 PM] [Nginx ] › ℹ info Reloading Nginx
[5/31/2021] [10:03:20 PM] [SSL ] › ℹ info Renew Complete
Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0
[5/31/2021] [10:50:38 PM] [Nginx ] › ℹ info Reloading Nginx
[5/31/2021] [10:50:39 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #22: my-domainname.domain.org
[5/31/2021] [10:50:39 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #22: my-domainname.domain.org
[5/31/2021] [10:50:53 PM] [Nginx ] › ℹ info Reloading Nginx
[5/31/2021] [10:50:53 PM] [Express ] › ⚠ warning Command failed: /opt/certbot/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-22" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "my-domainname.domain.org"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for my-domainname.domain.org
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain my-domainname.domain.org
http-01 challenge for my-domainname.domain.org
Cleaning up challenges
Some challenges have failed.

[5/31/2021] [10:50:53 PM] [Nginx ] › ℹ info Reloading Nginx
[5/31/2021] [10:50:53 PM] [Express ] › ⚠ warning Command failed: /opt/certbot/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-22" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "my-domainname.domain.org"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for my-domainname.domain.org
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain my-domainname.domain.org
http-01 challenge for my-domainname.domain.org
Cleaning up challenges
Some challenges have failed.

 

It worked a few months ago and is still working with other domains, so I have run out of solutions. Unfortunately, it is not an option to do a clean reinstall of NPM, as there are too many dependencies on it. Every bit of help is welcome :)

 

9 hours ago, Voss said:

Hi,

first of all, this is an amazing docker container. I've been using it for about half a year without facing any problems.

 

But now, when updating certificates of certain domains, I get an internal error. I also removed one and tried to make a new certificate, without success. Here is the docker log:

 


[5/31/2021] [9:03:20 PM] [SSL ] › ℹ info Renew Complete
[5/31/2021] [10:03:16 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[5/31/2021] [10:03:20 PM] [Nginx ] › ℹ info Reloading Nginx
[5/31/2021] [10:03:20 PM] [SSL ] › ℹ info Renew Complete
Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0
[5/31/2021] [10:50:38 PM] [Nginx ] › ℹ info Reloading Nginx
[5/31/2021] [10:50:39 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #22: my-domainname.domain.org
[5/31/2021] [10:50:39 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #22: my-domainname.domain.org
[5/31/2021] [10:50:53 PM] [Nginx ] › ℹ info Reloading Nginx
[5/31/2021] [10:50:53 PM] [Express ] › ⚠ warning Command failed: /opt/certbot/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-22" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "my-domainname.domain.org"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for my-domainname.domain.org
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain my-domainname.domain.org
http-01 challenge for my-domainname.domain.org
Cleaning up challenges
Some challenges have failed.

[5/31/2021] [10:50:53 PM] [Nginx ] › ℹ info Reloading Nginx
[5/31/2021] [10:50:53 PM] [Express ] › ⚠ warning Command failed: /opt/certbot/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-22" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "my-domainname.domain.org"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for my-domainname.domain.org
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain my-domainname.domain.org
http-01 challenge for my-domainname.domain.org
Cleaning up challenges
Some challenges have failed.

 

It worked a few months ago and is still working with other domains, so I have run out of solutions. Unfortunately, it is not an option to do a clean reinstall of NPM, as there are too many dependencies on it. Every bit of help is welcome :)

 

 

Please confirm that you can access your domain over UNENCRYPTED port 80. Try it from your phone on 4G or from another network than the one your server is in.

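The port-80 check above is exactly what the webroot http-01 challenge needs, so here is an added example (not NPM's code, and not from the thread) that reproduces the round trip certbot relies on: it drops a throw-away token into the webroot path from the log, /data/letsencrypt-acme-challenge, fetches it over plain HTTP without following redirects, and says why the fetch failed. The domain name and the local test server helper are assumptions for illustration.

```python
"""Pre-flight check for the http-01 challenge the way NPM's certbot call runs it.

NPM invokes certbot with the webroot authenticator, so Let's Encrypt must be able
to fetch http://<domain>/.well-known/acme-challenge/<token> over plain port 80
and get back the file certbot wrote under /data/letsencrypt-acme-challenge.
This script repeats that round trip with a throw-away token so a broken setup
(port 80 not forwarded, a different host answering, an HTTP->HTTPS redirect)
is explained before certbot only says "Challenge failed".
"""
import os
import secrets
import urllib.error
import urllib.request

NPM_WEBROOT = "/data/letsencrypt-acme-challenge"   # webroot path from the log above
CHALLENGE_DIR = ".well-known/acme-challenge"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects: the CA must read the token on port 80, not after a 301."""
    def redirect_request(self, *args, **kwargs):
        return None


def check_http01(domain, webroot=NPM_WEBROOT, base_url=None, timeout=10):
    """Write a random token into the webroot, fetch it as the CA would, clean up.

    base_url defaults to http://<domain>; it is a parameter so the probe can be
    aimed at one IP or at a local test server.  Returns a dict: ok, url,
    status (HTTP code, or None when no connection was made), detail (why it failed).
    """
    token, expected = secrets.token_urlsafe(24), secrets.token_urlsafe(24)
    chal_dir = os.path.join(webroot, CHALLENGE_DIR)
    os.makedirs(chal_dir, exist_ok=True)
    path = os.path.join(chal_dir, token)
    with open(path, "w") as fh:
        fh.write(expected)
    url = f"{base_url or 'http://' + domain}/{CHALLENGE_DIR}/{token}"
    result = {"ok": False, "url": url, "status": None, "detail": ""}
    try:
        opener = urllib.request.build_opener(_NoRedirect)
        with opener.open(url, timeout=timeout) as resp:
            result["status"] = resp.status
            body = resp.read().decode("utf-8", "replace").strip()
            if body == expected:
                result["ok"] = True
            else:
                result["detail"] = "200 but wrong body: something else answers port 80"
    except urllib.error.HTTPError as e:
        result["status"] = e.code
        result["detail"] = ("redirected away from port 80 (HTTPS-only?)"
                            if 300 <= e.code < 400 else "token not served from this webroot")
    except (urllib.error.URLError, OSError) as e:
        result["detail"] = f"no HTTP answer on port 80: {e}"
    finally:
        os.remove(path)   # never leave stray files in the challenge directory
    return result


def start_local_server(directory):
    """Test helper (assumed, not part of NPM): serve a directory on 127.0.0.1."""
    import functools, http.server, threading
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"


if __name__ == "__main__":
    import sys
    # usage: python3 check_http01.py my.domain.org  (where the NPM webroot exists)
    r = check_http01(sys.argv[1])
    print("OK" if r["ok"] else "FAIL", r)
```

Run it from a shell inside the container (docker exec, as suggested later in the thread) so the token lands in the real webroot; a 404 means nginx is not serving that directory, a 3xx means an HTTPS redirect hides it from the CA.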
On 5/27/2021 at 4:20 PM, Nanobug said:

Hello,

I'm getting a "502 Bad Gateway" error.

I used
docker exec -it NginxProxyManager bash
and pinged the container I'm trying to reach, with this result:
64 bytes from 192.168.100.99: seq=0 ttl=64 time=0.103 ms
64 bytes from 192.168.100.99: seq=1 ttl=64 time=0.117 ms
64 bytes from 192.168.100.99: seq=2 ttl=64 time=0.098 ms
64 bytes from 192.168.100.99: seq=3 ttl=64 time=0.099 ms
64 bytes from 192.168.100.99: seq=4 ttl=64 time=0.070 ms
64 bytes from 192.168.100.99: seq=5 ttl=64 time=0.080 ms
64 bytes from 192.168.100.99: seq=6 ttl=64 time=0.097 ms
64 bytes from 192.168.100.99: seq=7 ttl=64 time=0.060 ms
64 bytes from 192.168.100.99: seq=8 ttl=64 time=0.098 ms
64 bytes from 192.168.100.99: seq=9 ttl=64 time=0.096 ms

 

I've also done this:
nc 192.168.100.99 8888 GET /

And got this result:
 

BusyBox v1.31.1 () multi-call binary.

Usage: nc [OPTIONS] HOST PORT  - connect
nc [OPTIONS] -l -p PORT [HOST] [PORT]  - listen

        -e PROG Run PROG after connect (must be last)
        -l      Listen mode, for inbound connects
        -lk     With -e, provides persistent server
        -p PORT Local port
        -s ADDR Local address
        -w SEC  Timeout for connects and final net reads
        -i SEC  Delay interval for lines sent
        -n      Don't do DNS resolution
        -u      UDP mode
        -v      Verbose
        -o FILE Hex dump traffic
        -z      Zero-I/O mode (scanning)

 

From what I'm reading, I can connect to it.

It works on LAN, just not on the subdomain.

Any ideas on how to fix this?

 

Does anyone have an idea about how to fix this?

11 hours ago, mattie112 said:

 

Please confirm that you can access your domain over UNENCRYPTED port 80. Try it from your phone on 4G or from another network than the one your server is in.

Thx for your fast reply. One of the affected domains is a searx search engine. I can reach it normally via HTTP over 4G.

 


[6/1/2021] [9:05:42 PM] [Nginx ] › ℹ info Reloading Nginx
[6/1/2021] [9:05:42 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #26: searx.domain.org
[6/1/2021] [9:05:48 PM] [Nginx ] › ℹ info Reloading Nginx
[6/1/2021] [9:05:48 PM] [Express ] › ⚠ warning Command failed: /opt/certbot/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-26" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "searx.domain.org"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
An unexpected error occurred:
requests.exceptions.ConnectionError: HTTPSConnectionPool(host='acme-v02.api.letsencrypt.org', port=443): Max retries exceeded with url: /directory (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x14eb23f20bb0>: Failed to establish a new connection: [Errno -3] Try again'))

Please see the logfiles in /var/log/letsencrypt for more details.

I changed the email address and the domain name.

 

If you need further logs, I can deliver them asap.

1 hour ago, mattie112 said:

Try:

nc 192.168.100.99 8888

<enter>

and then the commands to fetch a webpage


(or use curl http://192.168.100.99:8888 to 'download' the page)

I assume you want me to bash into it first?
The nc command just goes to the next line, like I've pressed ENTER:
(screenshot)

The curl command gives me this:
(screenshot)

I can reach the page locally:
(screenshot)

It just doesn't work because of the HTTPS thing, but it worked with NPM before, and all of a sudden it stopped working. And now I can't even reach the page.

This is the configuration in NPM:

(screenshot)

(screenshot)

"Custom location" and "Advanced" have nothing in them.

11 hours ago, Voss said:

Thx for your fast reply. One of the affected domains is a searx search engine. I can reach it normally via HTTP over 4G.

 

I changed the email address and the domain name.

 

If you need further logs, I can deliver them asap.

You can try it manually:

 

docker exec -it NginxProxyManager bash

 

And then something like:

certbot renew --dry-run
or
certbot renew --force-renewal

Run
certbot --help renew
to see all options available

 

11 hours ago, Nanobug said:

I assume you want me to bash into it first?
The nc command just goes to the next line, like I've pressed ENTER:
(screenshot)

The curl command gives me this:
(screenshot)

I can reach the page locally:
(screenshot)

It just doesn't work because of the HTTPS thing, but it worked with NPM before, and all of a sudden it stopped working. And now I can't even reach the page.

This is the configuration in NPM:

(screenshot)

(screenshot)

"Custom location" and "Advanced" have nothing in them.

 

So your bitwarden is on 182.168.100.99 right? In your browser I don't see a port appended so it is running on port 80? Then why are you using port 8888? Or am I missing something?

1 hour ago, mattie112 said:

So your bitwarden is on 182.168.100.99 right? In your browser I don't see a port appended so it is running on port 80? Then why are you using port 8888? Or am I missing something?

Omg.... You're right.... I needed to change it to 80 on NPM. I'm such an idiot....
Thank you!

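The 502 in the exchange above came down to the proxy host forwarding to port 8888 while the service listened on 80. As an added example (not from the thread and not NPM's code), this script does by hand what the nc/curl advice does: connect to the forward host:port, send a minimal GET, and classify the answer so a wrong port is told apart from a backend that is down, hangs, or only speaks TLS. The hint texts and the helper names are my own.

```python
"""Probe the backend an NPM proxy host forwards to, to explain a 502 Bad Gateway.

nginx answers 502 when it got no usable HTTP reply from the forward host:port,
so the useful question is what that port actually does.  This does by hand what
the thread's 'nc' / 'curl' advice does (TCP connect, send a minimal GET) and
classifies the outcome.
"""
import socket

# Verdict -> what to check in the NPM proxy host settings (constructed guidance).
HINTS = {
    "http":    "backend answers HTTP here; make sure the NPM forward host/port are these",
    "refused": "nothing listens on this port: fix the Forward Port in NPM (8888 vs 80 above)",
    "timeout": "no reply within the timeout: firewall drop, wrong IP, or the backend hangs",
    "tls":     "port is open but expects TLS: set scheme https for this proxy host in NPM",
    "closed":  "port accepted the connection but is not speaking HTTP",
    "error":   "could not connect: wrong IP, wrong docker network, or name does not resolve",
}


def probe_upstream(host, port, timeout=3.0):
    """Return (verdict, detail); verdict is one of the HINTS keys."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(b"GET / HTTP/1.0\r\nHost: %s\r\n\r\n" % host.encode("idna"))
            data = s.recv(512)
    except ConnectionRefusedError:
        return "refused", f"{host}:{port} refused the connection"
    except socket.timeout:
        return "timeout", f"{host}:{port} gave no reply within {timeout}s"
    except OSError as e:
        return "error", f"{host}:{port}: {e}"
    if data.startswith(b"HTTP/"):
        status_line = data.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return "http", status_line
    if data[:1] == b"\x15":          # TLS alert record: server rejected plain HTTP
        return "tls", "got a TLS alert instead of an HTTP status line"
    if not data:
        return "closed", "connection closed without a reply"
    return "closed", f"non-HTTP reply: {data[:32]!r}"


def explain(host, port, timeout=3.0):
    """One line combining the verdict, the raw detail and the matching NPM hint."""
    verdict, detail = probe_upstream(host, port, timeout)
    return f"{verdict}: {detail}. {HINTS[verdict]}"


if __name__ == "__main__":
    import sys
    # e.g. from a shell inside the NPM container: python3 probe.py 192.168.100.99 8888
    print(explain(sys.argv[1], int(sys.argv[2])))
```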

Hi Everyone!

 

So far I'm loving the UI of this docker, but I have a couple of problems.

 

  • When forwarding a WordPress docker, no CSS will load, but it works perfectly locally
  • When forwarding an Owncloud docker, no files will load on the webpage, but it does work with the Windows Sync client / locally on a webpage

Cloudflare -> NGINX docker on unraid -> Wordpress / Owncloud docker

 

Hope you guys can help!

 

 

 


Hi Everyone!

I have on and off been trying to get a reverse proxy to work on my machine for probably 3 years with no luck.

 

Setup is right now:

- Cloudflare: (https redirect, Full strict encryption mode) CNAME -> A RECORD -> static public IP.

- router: ports 80 & 443 external redirected to 1880 & 18443 internal

- Unraid: custom docker network and Origin Certificates added to NPM.

I have also tried disabling all encryption and using only http.

In both instances I get Error 522 Connection timed out between Cloudflare and server.

Any good ideas on where to start troubleshooting?

For reference, the latest tutorial I have tried to follow is this.

 

  


I am using the default NPM from the community store on Unraid. All my docker containers are on bridge. I have port forwarded ports 80 and 443 at my router to ports 188443 and 1880. I also have Cloudflare proxied to my IP as well.

I'm a bit of a noob, so it may be very simple. No matter what I do in NPM, I cannot get an SSL cert to work for me. I'm wondering what I have done wrong. Any help would be appreciated.

(screenshots: NPM, NPM SSL, Unifi Portforward, Cloudflare)

 

[6/2/2021] [10:25:46 PM] [IP Ranges] › ℹ info Fetching IP Ranges from online services...
[6/2/2021] [10:25:46 PM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[6/2/2021] [10:25:46 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v4
[6/2/2021] [10:25:46 PM] [IP Ranges] › ℹ info Fetching https://www.cloudflare.com/ips-v6
[6/2/2021] [10:25:46 PM] [SSL ] › ℹ info Let's Encrypt Renewal Timer initialized
[6/2/2021] [10:25:46 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[6/2/2021] [10:25:46 PM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
[6/2/2021] [10:25:46 PM] [Global ] › ℹ info Backend PID 677 listening on port 3000 ...
[6/2/2021] [10:25:47 PM] [Nginx ] › ℹ info Reloading Nginx
[6/2/2021] [10:25:47 PM] [SSL ] › ℹ info Renew Complete
`QueryBuilder#allowEager` method is deprecated. You should use `allowGraph` instead. `allowEager` method will be removed in 3.0
`QueryBuilder#eager` method is deprecated. You should use the `withGraphFetched` method instead. `eager` method will be removed in 3.0
QueryBuilder#omit is deprecated. This method will be removed in version 3.0
Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0
[6/2/2021] [10:31:17 PM] [Nginx ] › ℹ info Reloading Nginx
[6/2/2021] [10:31:17 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #3: photos.website.com
[6/2/2021] [10:31:22 PM] [Nginx ] › ℹ info Reloading Nginx
[6/2/2021] [10:31:22 PM] [Express ] › ⚠ warning Command failed: /opt/certbot/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-3" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "photos.website.com"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Performing the following challenges:
http-01 challenge for website.com
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Challenge failed for domain photos.website.com
http-01 challenge for photos.website.com
Cleaning up challenges
Some challenges have failed.

 

 

Edited by Jauhso
On 6/2/2021 at 8:44 AM, mattie112 said:

You can try it manually:

 


docker exec -it NginxProxyManager bash

 

And then something like:


certbot renew --dry-run
or
certbot renew --force-renewal

Run
certbot --help renew
to see all options available

 

Fortunately, I have put off troubleshooting long enough. The problem has solved itself. Since I had not changed anything, I suspect some update or something similar. Thanks for your efforts anyway :)


Let me start off by saying that I have looked at almost all the 55+ pages of this thread and I may have missed my exact problem but I am having troubles.

 

I have been using Letsencrypt setup for two years, now I have setup NPM with Cloudflare, and I am having issues.

I started off setting up nextcloud with an SSL cert from Cloudflare, after a bunch of tinkering for a few days I finally got it working with the SSL certificate so it displays as https. BTW using a custom proxy a la Spaceinvaders setup, using port 444.

 

Now I have setup vaultwarden exactly the way I setup my nextcloud, though using port 8086, the same Cloudflare SSL cert and so on. I can get into the site as 192.168.1.90:8086 (no https). My biggest problem is that if I go into the unraid docker and click the vaultwarden WEB UI it takes me to my nextcloud instance.

 

I do not understand why and I have no idea of what to look for.

Any help is very much appreciated.

4 hours ago, carltonwb said:

Let me start off by saying that I have looked at almost all the 55+ pages of this thread and I may have missed my exact problem but I am having troubles.

 

I have been using Letsencrypt setup for two years, now I have setup NPM with Cloudflare, and I am having issues.

I started off setting up nextcloud with an SSL cert from Cloudflare, after a bunch of tinkering for a few days I finally got it working with the SSL certificate so it displays as https. BTW using a custom proxy a la Spaceinvaders setup, using port 444.

 

Now I have setup vaultwarden exactly the way I setup my nextcloud, though using port 8086, the same Cloudflare SSL cert and so on. I can get into the site as 192.168.1.90:8086 (no https). My biggest problem is that if I go into the unraid docker and click the vaultwarden WEB UI it takes me to my nextcloud instance.

 

I do not understand why and I have no idea of what to look for.

Any help is very much appreciated.

 

I have a very similar setup. Nextcloud and Vaultwarden behind Cloudflare proxy using NPM. I believe the only difference is that you are using custom proxy where I am using bridge for both containers. Are both containers on custom proxy? Is either container working via NPM? What are the IP:Port# of each? So if you go to Nextcloud or Vaultwarden and go to WEB UI it opens the exact same page with the exact same address in the address bar?


Thank you dtctechs.

I am using the same custom proxy on both nextcloud and vaultwarden.

The only one that is working (meaning that it takes me to my https instance of nextcloud) if I click the source in the proxy hosts is nextcloud.

 

If I click the WebUI in nextcloud it takes me to the site (https://nextcloud.micah5123.com/apps/dashboard/) (IP is 192.168.1.90:444).

If I click the vaultwarden WebUI it takes me to (http://192.168.1.90:8086/#/).

 

If I click the nextcloud source (nextcloud.micah5123.com) in NPM it takes me to my https page.

If I click the vaultwarden source (vaultwarden.micah5123.com) in NPM it takes me to my nextcloud https page. 

 

Both nextcloud and vaultwarden have the exact cname setup in cloudflare, as well as the same setup and ssl cert.

In NPM, Nextcloud (port 444) and vaultwarden (port 8086) share the same SSL cert.

 

Please let me know if you need more info and what I might be able to try. I have not changed to both using bridge. I will wait for your response before doing that.

On 5/30/2021 at 3:59 PM, riddler0815 said:

NPM is filling up the docker image

 

I have a problem with NPM in combination with the nextcloud container. I set up everything and it works fine. But when I connect from outside via my (dynamic duckdns) domain and download a file of several gigabytes (somewhere >2GB), the docker image fills up (/loop2) and I get warnings from unraid. Then some containers crash (e.g. jDownloader). The crashed container won't start anymore until I restart the docker engine in unraid. When I download a file via the web GUI of nextcloud in the LAN, everything works fine. So the problem is caused by NPM and some sort of caching procedure. I had the same problem with SWAG in the first place, so I changed over to NPM.

 

I searched the net and there are some users encountering the same problem, but no solution yet. Some suggest checking the container directories, because they could point into the docker image. But all directories are set up correctly (in my opinion).

 

I have no idea what to check/adapt.

 

Thanks in advance.

I'm facing a similar issue. I have FileBrowser behind a reverse proxy with NPM. When uploading a file through the reverse proxy, my docker image starts filling up; however, if I use the IP to access FileBrowser instead of the reverse proxy, no problem at all. So it's clearly NPM that is causing this issue. Have you found any solution?


Can I ask a paranoid question: when I set this up originally, I could swear there was some message about needing to move the default passwords file location from the www folder or something? For the life of me, I can't find any mention or reference to this elsewhere, so not sure if I was just hallucinating or not...

 

Point is, I have nginx working great with a mix of externally accessible and LAN-only sub-domains, but want to ensure I haven't left some silly gaping security hole. I have of course set up a strong password for nginx itself and all the hosts have their own login access controls.

 

Thanks


For the people using my fork (the port 80/443 one): I have just merged the latest v1.16.1 into my branch and pushed a new version. I'm doing this manually, so I don't really push every version (as I have to notice it). But if there is any major issue or a fix that you'd like, just send me a message and I will push it :)

On 6/12/2021 at 1:36 PM, mattie112 said:

You could check the location of the .htpasswd file (if you use one). That should not be readable by the web.

 

Some generic pointers:

https://stackoverflow.com/questions/6441578/how-secure-is-htaccess-password-protection/6442113

 

Not sure if NPM has some kind of bruteforce protection.

Thanks - that is just if I want to provide basic login authentication to hosts myself, right? In which case, I do not use that.

 


Hey, first of all, that's a really nice container, it worked perfectly for the last year ;)

 

Right now (after reinstalling my unraid server) I am facing a problem I can't really solve:

I got CGNAT from my provider, so I can't access my router via IPv4 (I'm fine with IPv6 only though).

My URL has a CNAME record to a 'myfritz' address and my server is set as exposed in my Fritzbox. With standard settings on Unraid I'm able to get to the Unraid login page using my URL, since it is available on port 80. I changed this, so NPM is using port 80/443 right now, and it looks like I am redirected to the proxy (if I visit non-existing pages I am redirected to the Congratulations page).

 

The destination for my NPM is a Nextcloud docker so far, and I am getting results I cannot really interpret well:

 

I always get "ERR_EMPTY_RESPONSE" in Chrome when opening "myurl.com", but if I try "https://myurl.com" the site does show up (login is not possible though, I guess it's because it isn't encrypted yet). If I try to create an SSL certificate I get an "internal error" (obviously).

 

I hope I haven't forgotten anything really dumb... Thanks for your help!
