[Support] Djoss - Nginx Proxy Manager


Djoss


47 minutes ago, garydapogi said:

Hi, newbie here and I need help with the port setting.

 

I tried using custom br0 (used my local subnet), and assigned port 80/443, but when I fire up the container, it changes to other port numbers. See screenshot please

[screenshot]

I see your nextcloud also uses port 80. Every container/app needs a unique port.

Also, you have to forward the WAN ports to your lan ports in your router 😉 port 80 directs to assigned npm port for http, 443 directs to assigned npm port for https

Edited by XisoP

Nextcloud is on a different IP so that should work.

 

Did you set the port mapping correctly? So 80 on your 'host' and 8080 in the NginxProxyManager for example. Can you show a screenshot of your ports?

 

(If you need NPM to listen on 80/443 for IPv6 for example and you don't use IPv6NAT you can use my fork: https://github.com/Mattie112/docker-nginx-proxy-manager / https://hub.docker.com/repository/docker/mattie112/docker-nginx-proxy-manager)


OK so I'm pulling my hair out here.

I'm trying to expose a Wordpress docker to the internet via Nginx Reverse Proxy (NPM).

I currently own a domain, use cloudflare, and have a NPM docker handling the proxying. For example, currently have mydomain.com going to overseerr (serverip:5055), and nextcloud.mydomain.com going to nextcloud (serverip:444). Router fwds port 443 to npm. I have 'force SSL' on cloudflare enabled, so haven't even opened port 80. Working fine, no problem. Have used the ibracorp tutorial for this process here.

Decided to try and host a site using Wordpress (complete noob with wordpress btw), set it up the same as I had with nextcloud using these steps:

  1. Cloudflare: add CNAME 'wp'
  2. NPM: add wp.mydomain.com to docker container webui (I'm using cloudflare SSL certs)

[screenshot]

[screenshot]

Not working! I'm just getting a timeout when attempting to access wp.mydomain.com. Via LAN accessing 192.168.1.4:8282 shows the WP test page perfectly, but no idea why this isn't working via proxy.

I've tried recreating my SSL certificates, forwarding to a different docker (heimdall for example), with same result.

I'm not sure what I'm doing wrong, particularly because I already have 2 working proxies, but if anyone could point me in the right direction I'd be forever grateful. TIA

Edited by Boo-urns

Why isn't the nginx_basic_auth pop-up working on my device? I had to re-install this container and for some reason it's no longer working.

 

Here's my access list settings:

 

[screenshot]

[screenshot]

[screenshot]

 

 

When I attempt to go to the proxied URL eg. https://mysite.com

 

I just get this error:

 

[screenshot]

 

 

I never get the browser popup asking me to authenticate like I used to.

 

What am I doing wrong here?

Edited by plantsandbinary

Figured it out I think.

 

I have HSTS enabled on Cloudflare. So I was passing proxy http and http port to Nginx which was trying to redirect from http to https (which used to be my setting in Cloudflare). This was giving an instant 403 error because after enabling HSTS support, only https requests are parsed and no transport upgrade happens.

 

Proxied https to https port in Heimdall and voilà, it works fine. I get the basic auth popup and failure to enter gives a 401 error. Putting it in correctly gives a proper page load.

 

Looks like this now: https > to https port


[screenshot]

Edited by plantsandbinary
  • 2 weeks later...

I recently updated my tautulli config to add the location block. Now a couple of days later my container won't start. Logs repeat this message.

 

nginx: [emerg] "proxy_pass" directive is duplicate in /etc/nginx/conf.d/include/proxy.conf:7

 

I edited the offending file and I was able to log in to the webui. But after the edit, proxying was broken. Removed the docker container and reinstalled and my proxy is down again with the offending log entry. I'm stumped.


EDIT - When the container starts this is the error it spits before spamming the log with the proxy_pass error

 

nginx: configuration file /etc/nginx/nginx.conf test failed

    at ChildProcess.exithandler (node:child_process:399:12)
    at ChildProcess.emit (node:events:520:28)
    at maybeClose (node:internal/child_process:1092:16)
    at Socket.<anonymous> (node:internal/child_process:451:11)
    at Socket.emit (node:events:520:28)
    at Pipe.<anonymous> (node:net:687:12)

Edited by qw3r7yju4n

Hello!

I am using NPM and it works great. I have 1 question:

 

If I want to create a virtual ubuntu machine with different internal IP and I want to open ports 80 and 443 for it too, will my router be able to open another pair of the same ports for it?


Externally you only have 1 IP so you can only 'open' 80/443 once.

 

You don't really 'open' a port btw, you 'forward' it to a different IP. So for example:

1.1.1.1 -> your external IP

192.1.1.1 -> unraid

192.1.1.2 -> VM

 

1.1.1.1:80 -> 192.1.1.1:8080

1.1.1.1:443 -> 192.1.1.1:443

If you have this you can NOT have

1.1.1.1:80 -> 192.1.1.2:8080

But you CAN do

1.1.1.1:81 -> 192.1.1.2:8080

 

But why do you want to do that? The whole idea of NPM (or a reverse proxy) is that you have a single entry point. And that within that proxy you can send 'domainA.com' to server A port B and 'domainB.com' to server C port D

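The two layers the reply above separates, the router's port-forward table (one external IP, so each external port can go to only one LAN host) and the reverse proxy's Host-header routing behind that single entry point, as an added example written for this thread; it is not code from the post, from NPM or from Unraid. The rule format, the addresses and the proxy host table are constructed, and `trace_request` is a hypothetical helper that simply walks the two lookups.

```python
# Added example (not code from the thread or from NPM): a small model of the
# two layers described above, the router's port-forward table and the
# reverse proxy's Host-based routing. Addresses and rules are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Forward:
    """One NAT rule: external (ip, port) -> internal (ip, port)."""
    ext_ip: str
    ext_port: int
    int_ip: str
    int_port: int


def parse_forwards(lines):
    """Parse rules written as '1.1.1.1:80 -> 192.1.1.1:8080'."""
    rules = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        left, right = (part.strip() for part in line.split("->"))
        ext_ip, ext_port = left.rsplit(":", 1)
        int_ip, int_port = right.rsplit(":", 1)
        rules.append(Forward(ext_ip, int(ext_port), int_ip, int(int_port)))
    return rules


def forward_conflicts(rules):
    """External (ip, port) pairs that point at more than one internal target.
    A router delivers a given external port to exactly one host, which is
    why 80/443 cannot be forwarded to both the Unraid box and a VM."""
    targets = {}
    for fw in rules:
        targets.setdefault((fw.ext_ip, fw.ext_port), set()).add((fw.int_ip, fw.int_port))
    return sorted(key for key, dests in targets.items() if len(dests) > 1)


def trace_request(rules, proxy_addr, proxy_hosts, ext_ip, ext_port, host):
    """Follow one inbound request: router NAT -> proxy -> backend.
    Returns the list of hops; the last entry says where it ended up."""
    hops = []
    target = next(
        ((fw.int_ip, fw.int_port) for fw in rules
         if fw.ext_ip == ext_ip and fw.ext_port == ext_port),
        None,
    )
    if target is None:
        hops.append(f"router: {ext_ip}:{ext_port} is not forwarded, dropped")
        return hops
    hops.append(f"router: {ext_ip}:{ext_port} -> {target[0]}:{target[1]}")
    if target != proxy_addr:
        # Forwarded straight to a host, so the Host header is never consulted.
        hops.append(f"direct: served by {target[0]}:{target[1]}, no Host routing")
        return hops
    backend = proxy_hosts.get(host.lower())
    if backend is None:
        hops.append(f"proxy: no proxy host configured for {host}")
        return hops
    hops.append(f"proxy: {host} -> {backend[0]}:{backend[1]}")
    return hops


# Constructed sample data mirroring the post: one external IP, two LAN hosts.
RULES = parse_forwards([
    "1.1.1.1:80  -> 192.1.1.1:8080",
    "1.1.1.1:443 -> 192.1.1.1:443",
    "1.1.1.1:81  -> 192.1.1.2:8080",
])
PROXY_ADDR = ("192.1.1.1", 443)
PROXY_HOSTS = {  # what NPM does inside the single entry point (constructed)
    "domaina.com": ("192.1.1.1", 5055),
    "domainb.com": ("192.1.1.2", 80),
}

if __name__ == "__main__":
    print("conflicts:", forward_conflicts(RULES))
    for hop in trace_request(RULES, PROXY_ADDR, PROXY_HOSTS, "1.1.1.1", 443, "domainB.com"):
        print(hop)
```

The point the trace makes explicit: a port forwarded straight to a second host (81 here) bypasses the proxy entirely, so nothing in NPM's host list applies to it and that host's own service is what the Internet reaches.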
  • 2 weeks later...

Let me preface the following by stating that I am woefully limited in my knowledge of the inner
workings of SSL certificates. I've read some basic tutorials and have a very rudimentary understanding.

 

Having said that, I have a somewhat convoluted setup and I'm hitting walls with everything I try.
I'm suspecting I may be unable to actually establish a working infrastructure.

 

My company website is hosted on HostGator where I have established a subdomain (transfer.mydomain.com) with an HTML meta redirect that points to a specific port (4443) on my fixed WAN IP.

 

At the WAN IP there is a firewall that manages my incoming traffic with numerous and various port mappings.

Inside our firewall is an existing mail server that lives at 10.0.26.10 that MUST use ports 80 and 443 and as such, I MUST redirect all incoming WAN port 80 and 443 traffic to that mail server LAN IP (10.0.26.10) where it is managed by the mail server.

 

I am running an unRAID server on another box within the LAN at IP (10.0.26.15) and I have NPM running in a docker container on a separate network (called "proxynet" - shoutout to SpaceInvaderOne!) on that unRAID server.

 

I also run an instance of NextCloud on the same unRAID "proxynet" network.

On my firewall, I have established a port forward so that any traffic coming from the HostGator redirect to the specific port (4443) is mapped to the unRAID server at 10.0.26.15.

 

The issue I have is that I can't establish a Let's Encrypt SSL cert via NPM due to the appropriation of WAN ports 80 and 443 by the mail server. Further, because 80 and 443 are used by the mail server, I can't use NPM for any Docker containers.

 

I could - as a last resort - just forward the HostGator redirect from the firewall to port 444 where the NextCloud docker lives but again, I don't think I can authenticate an SSL cert against that due to the re-direction from HostGator. HostGator does NOT allow for masked redirection like (I think!) CloudFlare does.

 

Basically, because HTTP and HTTPS are being redirected to the mail server, there will be no way to use NPM or get SSL certificates for any of my docker containers.

Edited by jimdaway
7 hours ago, jimdaway said:

I MUST redirect all incoming WAN port 80 and 443 traffic to that mail server LAN IP (10.0.26.10) where it is managed by the mail server.

I assume you're talking about the web GUI of this mail server, if it is only http/s ...

 

Did you try to put the mail server also behind the NPM? As long as it's using the http protocol and it's not some weird ...

 

then NPM would route the traffic like

 

mail.yourdoman.com -> your mailserver

cloud.yourdomain.com -> your Nextcloud instance

...

 

I'm not using NPM anymore (I was just playing around with it) but that would be the way to go for all http/s traffic from outside then ...

14 hours ago, alturismo said:

i assume you talk about the webgui from this mailserver, if it is only http/s ...

 

did you try to put the mailserver also behind the NPM ? as long its using http protocol and its not some weird ...

 

Hi @alturismo

 

Thank you for the response and insight. So, if I redirect ports 80 and 443 to the unRAID server (10.0.26.15) and then within NPM set up a Host Proxy titled mail.mydomain.com with a redirect to my mail server (10.0.26.10) that may work?

 

The question then is how do I deal with the redirection of both port 80 and 443? I tried creating a Host Proxy titled "mail.mydomain.com" for HTTP pointed to 10.0.26.10 port 80 and when I tried to create a second Host Proxy "mail.mydomain.com" for HTTPS to 10.0.26.10 port 443 (with a Let's Encrypt SSL), it threw an error of "mail.mydomain.com is already in use".

 

Or, should I use a Redirection Host or a Stream? I'm so newb...

8 hours ago, jimdaway said:

it threw an error of "mail.mydomain.com is already in use".

I'm a SWAG user, I just played a while ago with NPM ... but yes, you just set up 1 rule for a domain and it should automatically redirect http -> https. Sample: when I connect to http://mail.... NPM will (force) redirect automatically to https://mail....

 

8 hours ago, jimdaway said:

if I redirect ports 80 and 443 to the unRAID server (10.0.26.15) and then within NPM setup a Host Proxy titled mail.mydomain.com with a redirect to my mail server (10.0.26.10) that may work?

exactly

 

8 hours ago, jimdaway said:

Or, should I use a Redirection Host or a Stream? I'm so newb...

Probably host; stream in nginx means TCP streams and no http/s proxy. As mentioned, I'm no NPM user, sorry.

 

Read into the manual so you understand the triggers etc ... NPM is nice as it has a GUI to handle these proxy rules and you don't have to edit config files and so on ...


Has anyone managed to get external non-standard ports working, specifically with Nextcloud?

 

I've managed to get it working with standard 443 https but if I try to use a non-standard external port everything gets borked.

 

I've added this to the advanced nginx config section as I read in a post

listen 8585 ssl http2;

 

didn't seem to work out right. From what I've seen in the logs that config is not getting added to the conf file.

[6/3/2022] [2:03:52 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[6/3/2022] [2:03:57 AM] [SSL      ] › ℹ  info      Requesting Let'sEncrypt certificates for Cert #9: domain.domain.com
[6/3/2022] [2:03:57 AM] [SSL      ] › ℹ  info      Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-9" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "domain.domain.com" 
[6/3/2022] [2:04:00 AM] [SSL      ] › ✔  success   Requesting a certificate for domain.domain.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/npm-9/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/npm-9/privkey.pem
This certificate expires on 2022-09-01.
These files will be updated when the certificate renews.
NEXT STEPS:
- The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[6/3/2022] [2:04:01 AM] [Nginx    ] › ℹ  info      Reloading Nginx
[6/3/2022] [2:04:01 AM] [Express  ] › ⚠  warning   Command failed: /usr/sbin/nginx -t -g "error_log off;"
nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /data/nginx/proxy_host/5.conf:6
nginx: configuration file /etc/nginx/nginx.conf test failed

[6/3/2022] [2:04:33 AM] [SSL      ] › ℹ  info      Testing http challenge for domain.domain.com
[6/3/2022] [2:04:48 AM] [SSL      ] › ℹ  info      HTTP challenge test failed for domain domain.domain.com the host was not found

 

 

5.conf

# ------------------------------------------------------------
# domain.domain.com
# ------------------------------------------------------------

server {
  set $forward_scheme https;
  set $server         "192.168.200.88";
  set $port           444;

  listen 80;
  listen [::]:80;

  server_name domain.domain.com;

 

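Two of the `nginx -t` failures quoted in this thread, the `"proxy_pass" directive is duplicate` error from the tautulli post earlier and the `no "ssl_certificate" is defined for the "listen ... ssl" directive` error in the log just above, can be caught before the container reloads by a pre-flight check over the generated host file. The script below is an added example written for this thread, not code from NPM, nginx or the posters; `parse_nginx` and `lint_config` are hypothetical helpers, its parser handles only the flat directive/block shape of NPM's `proxy_host/*.conf` files (no quoted braces or `include` expansion), and the sample configs are constructed to mirror the errors rather than copied from anyone's server.

```python
# Added example (not from the thread, NPM or nginx): a tiny nginx config
# pre-flight check that reproduces two 'nginx -t' failures seen in this
# thread, a duplicated proxy_pass and a "listen ... ssl" with no
# ssl_certificate in scope. The sample configs below are constructed.
import re

# Directives nginx accepts at most once per block ("directive is duplicate").
SINGLE_USE = {"proxy_pass", "root", "alias"}


def parse_nginx(text):
    """Minimal nginx config parser: comments stripped, then '{', '}' and ';'
    drive a block tree. Each block is {"name", "directives", "children"}.
    Enough for proxy_host files like the 5.conf quoted above; it does not
    handle braces inside quoted strings or expand 'include'."""
    text = re.sub(r"#.*", "", text)  # '#' comments run to end of line
    root = {"name": "", "directives": [], "children": []}
    stack = [root]
    buf = ""
    for ch in text:
        if ch == "{":
            block = {"name": " ".join(buf.split()), "directives": [], "children": []}
            stack[-1]["children"].append(block)
            stack.append(block)
            buf = ""
        elif ch == "}":
            if buf.strip():
                raise ValueError(f"missing ';' before '}}' after: {buf.strip()}")
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
            buf = ""
        elif ch == ";":
            parts = buf.split()
            if parts:
                stack[-1]["directives"].append((parts[0], parts[1:]))
            buf = ""
        else:
            buf += ch
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return root


def _lint_block(block, path, cert_inherited, problems):
    kind = block["name"].split(" ", 1)[0] if block["name"] else ""
    where = " > ".join(p for p in path + (block["name"],) if p) or "main"
    # 1. single-use directives repeated in the same block
    seen = set()
    for name, _args in block["directives"]:
        if name in SINGLE_USE and name in seen:
            problems.append(f'"{name}" directive is duplicate in {where}')
        seen.add(name)
    # 2. an ssl listener needs ssl_certificate here or in an enclosing block
    has_cert = cert_inherited or any(n == "ssl_certificate" for n, _ in block["directives"])
    if kind == "server":
        ssl_listen = any(n == "listen" and "ssl" in a for n, a in block["directives"])
        if ssl_listen and not has_cert:
            problems.append(
                f'no "ssl_certificate" is defined for the "listen ... ssl" directive in {where}')
    for child in block["children"]:
        _lint_block(child, path + (block["name"],), has_cert, problems)


def lint_config(text):
    """Return the problems nginx -t would also refuse; an empty list means clean."""
    problems = []
    _lint_block(parse_nginx(text), (), False, problems)
    return problems


# Constructed sample: the shape of the 'proxy_pass is duplicate' failure.
DUPLICATE_PROXY_PASS = """
server {
  listen 80;
  server_name tautulli.example;
  location / {
    proxy_pass http://192.168.200.88:8181;
    proxy_pass http://192.168.200.88:8181;
  }
}
"""

# Constructed sample: 'listen 8585 ssl http2' added to a host that has only
# plain-HTTP listeners and no certificate, as in the quoted 5.conf error.
SSL_WITHOUT_CERT = """
server {
  set $forward_scheme https;
  set $server         "192.168.200.88";
  set $port           444;
  listen 80;
  listen [::]:80;
  listen 8585 ssl http2;
  server_name domain.domain.com;
}
"""

# Constructed sample: certificate inherited from the enclosing http block.
SSL_WITH_INHERITED_CERT = """
http {
  ssl_certificate     /etc/letsencrypt/live/npm-9/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-9/privkey.pem;
  server {
    listen 443 ssl http2;
    server_name domain.domain.com;
  }
}
"""

if __name__ == "__main__":
    for label, cfg in [("duplicate", DUPLICATE_PROXY_PASS),
                       ("ssl-no-cert", SSL_WITHOUT_CERT),
                       ("inherited", SSL_WITH_INHERITED_CERT)]:
        print(label, lint_config(cfg) or "ok")
```

The second sample is the situation the log above describes: the extra `listen ... ssl` line is only valid once the host also has a certificate in scope, and because NPM writes the certificate directives into the same server block only when a certificate is attached to that host, the reload fails and the HTTP challenge that follows cannot be served. Running a check like this over `/data/nginx/proxy_host/` before a reload turns a dead proxy into a refused edit.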
17 hours ago, jimdaway said:

Hi @alturismo

 

Thank you for the response and insight. So, if I redirect ports 80 and 443 to the unRAID server (10.0.26.15) and then within NPM set up a Host Proxy titled mail.mydomain.com with a redirect to my mail server (10.0.26.10) that may work?

 

The question then is how do I deal with the redirection of both port 80 and 443? I tried creating a Host Proxy titled "mail.mydomain.com" for HTTP pointed to 10.0.26.10 port 80 and when I tried to create a second Host Proxy "mail.mydomain.com" for HTTPS to 10.0.26.10 port 443 (with a Let's Encrypt SSL), it threw an error of "mail.mydomain.com is already in use".

 

Or, should I use a Redirection Host or a Stream? I'm so newb...

 

What exactly are you trying to do?

 

Your NPM (= proxy server) is listening on 80/443, you can add a host for anything within that.

 

domainA.com -> 1.2.3.4:80

domainB.com -> 1.2.3.4:81

something.domainC.com -> 1.2.3.5:443

 

If you have an internal 'service' listening on both 80/443, choose one. Usually internally your services are terminated on 80 (as you don't have an SSL cert for them) but 443 should work just fine (as long as the cert is valid).

50 minutes ago, mattie112 said:

You should be able to do that through the UI:

 

[screenshot]

 

Yes, you should, but reading the NPM forum post, I should be putting a TXT value as such:

[screenshot]

 

But in the UI, when I choose my DNS provider, Google, I am presented with this and I have no idea what to do with it.

[screenshot]

 

There is no simple TXT value choice in the dropdown.

8 minutes ago, aglyons said:

 

Yes, you should, but reading the NPM forum post, I should be putting a TXT value as such:

[screenshot]

 

But in the UI, when I choose my DNS provider, Google, I am presented with this and I have no idea what to do with it.

[screenshot]

 

There is no simple TXT value choice in the dropdown.

 

No, you should not do this manually (as it changes every time you need certificates).

 

So: you should input your google credentials and then NPM (or really certbot in this case) will do an API call to update the TXT record and then letsencrypt can verify that.

(also see: https://certbot-dns-google.readthedocs.io/en/stable/)

 

Is there any reason why you want your webserver on non-80/443

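Why the TXT value "changes every time": in the ACME DNS-01 challenge the CA hands out a fresh token per authorization, and what certbot publishes at `_acme-challenge.<domain>` is a hash over that token and the account key's thumbprint. The script below is an added example written for this thread (RFC 8555 section 8.4 and the RFC 7638 thumbprint), not code from certbot, NPM or the DNS plugin; the account key and tokens are constructed placeholders, the helper names are mine, and it only computes the record, it does not talk to any DNS API.

```python
# Added example (not from the thread, NPM or certbot): how the TXT record
# that certbot publishes for an ACME DNS-01 challenge is derived, following
# RFC 8555 section 8.4 and the RFC 7638 key thumbprint. The account key and
# tokens below are constructed placeholders, not real ACME material.
import base64
import hashlib
import json
import re


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over the canonical JSON of the required public
    members only, sorted by name, no whitespace. Extra members are ignored."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}[jwk["kty"]]
    canonical = json.dumps({k: jwk[k] for k in required},
                           sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint: binds the CA's token to this account key, so a
    value published for one account cannot be reused by another."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(domain: str, token: str, jwk: dict):
    """(record name, TXT value) the CA will query. The value is
    base64url(SHA-256(key authorization)), so every new token gives a new
    record, which is why certbot needs API access rather than a pasted value."""
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return f"_acme-challenge.{domain}", b64url(digest)


def looks_like_dns01_value(value: str) -> bool:
    """Sanity check for a published value: 43 base64url chars, no padding."""
    return re.fullmatch(r"[A-Za-z0-9_-]{43}", value) is not None


# Constructed EC P-256 account key (coordinates are placeholders, not a real
# point) and two constructed tokens standing in for two separate orders.
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "placeholder-x-coordinate-not-a-real-point-abc",
    "y": "placeholder-y-coordinate-not-a-real-point-xyz",
}
TOKEN_A = "constructed-token-for-first-order"
TOKEN_B = "constructed-token-for-second-order"

if __name__ == "__main__":
    for token in (TOKEN_A, TOKEN_B):
        name, value = dns01_record("domain.domain.com", token, ACCOUNT_JWK)
        print(f"{name} TXT {value}")
```

Running it prints two different TXT values for the same domain and account, one per token; that is the whole reason the dropdown asks for provider credentials. Those credentials are what an attacker would need to pass the same challenge for your names, so give the DNS plugin an account limited to the zone it must edit and nothing broader.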
22 minutes ago, mattie112 said:

Is there any reason why you want your webserver on non-80/443

 

Most consumer ISPs do not allow servers to be used on residential connections. Some block 80 and 443 by default. While I know that a hacker could do a port scan and attempt entry, I would prefer to not have standard ports exposed. For both reasons.

 

I am not confident enough in ensuring everything is locked down properly. I have a good firewall but opening ports on servers bypasses that security and literally opens your network up. I'm just getting started with UnRaid and homelabs. We gotta start somewhere.

 

PS: If the plugin author is reading this, it would be great if the link to the docs was presented in the UI.

Edited by aglyons

Yeah, I can understand that, however the downside is that you then have a use case that is not used a lot and that it can be hard to find a good tutorial.

 

What you can do (as you are just experimenting now): first set it to port 80 so letsencrypt can just give you a certificate. And then change it back to another port. Your certificate will just work but never renew. Might be a bit easier to set up and give you enough time to try it out.

