aglyons Posted September 19, 2022
Yes and no. I am getting the idea that you want to create some kind of redundancy. The only way to accomplish this, as far as I am aware, is to set up some kind of load balancer that can be configured to redirect traffic when one source is down. I am not aware of how PFSense works, I'm a Unifi guy. But there may be something built into PFSense that can provide this functionality (https://www.howtoforge.com/how-to-use-pfsense-to-load-balance-your-web-servers). If you are going for redundancy, you then get into the challenges of making sure that box1 and box2 containers/VMs are synced in real time in some way. If they are not, then you won't have redundancy. If the two servers don't have the exact same services configured, then it won't matter about having a redundant NPM, as the services on the server that is down won't respond anyway. Also, in a load balance situation, each NPM is going to have different domain/IP mappings, so you can't just duplicate the second NPM with the settings on the first NPM. Getting load balancing running is not a simple feat and requires a lot of planning. Why do you need this kind of set up?
mattie112 Posted September 19, 2022
Or (if you just have 2 Unraid servers) run NPM on 1 and add your hosts for unraid #2 in there, so:
service hosted on unraid 1: example.com -> localhost:1234
service hosted on unraid 2: otherexample.com -> ip.of.other.unraid:2345
Vesko Posted September 19, 2022
57 minutes ago, mattie112 said: Or (if you just have 2 Unraid servers) run NPM on 1 and add your hosts for unraid #2 in there, so: service hosted on unraid 1: example.com -> localhost:1234; service hosted on unraid 2: otherexample.com -> ip.of.other.unraid:2345
I have box 1: i7 4770, 32 GB RAM; box 2: Celeron N3150, 4 GB RAM. I try to use the Celeron box only for Photoprism because it is fanless and uses very little power. The other box I turn off sometimes. I have 3 of these boxes; on one is an Opnsense firewall and one I wanted to use just as a Google Photos replacement. Then I need to transfer all of NPM to be on the Celeron box and run it 24/7, and everything is gonna be ok. I think this is the easiest solution, as you said also. Thank you very much for your help.
Vesko Posted September 19, 2022
3 hours ago, aglyons said: You can't forward the same port to two different IPs on your LAN. I'm surprised your router allowed you to even enter this config. Just do all the NPM forwarding on box1 to all the services that are on box2 with the appropriate IPs/ports. So what I read from this is you are double NATed. That's a nightmare. There should be a way you can configure your provider's modem/router to operate in bridge mode. That essentially disables the built-in router and allows your PFSense to act as the primary (and only) firewall/router. This should simplify managing the system and clear up a lot of port forward/conflict issues.
Hi, I am not double NATed, I think; NAT should be disabled on the modem. It's some optic box, I don't know exactly what it is.
mattie112 Posted September 19, 2022
You can still have multiple servers, however as you just have 1 port 80 available (externally) you can only have 1 NPM running (on that port). Either:
- run the other NPM on another port, or
- have just 1 NPM and have that also proxy the traffic for the other servers
s1oz Posted September 21, 2022
In addition to manually viewing the proxy-host-1_error.log file, is there any other more convenient way to query the real IP of each successful login?
itlists Posted October 6, 2022
Hello, need help to figure out a problem with renewing certificates. Below are the error messages:
Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Failed to renew certificate npm-1 with error: Some challenges have failed.
Failed to renew certificate npm-2 with error: Some challenges have failed.
Failed to renew certificate npm-3 with error: Some challenges have failed.
Failed to renew certificate npm-32 with error: Some challenges have failed.
Failed to renew certificate npm-6 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-1/fullchain.pem (failure)
/etc/letsencrypt/live/npm-2/fullchain.pem (failure)
/etc/letsencrypt/live/npm-3/fullchain.pem (failure)
/etc/letsencrypt/live/npm-32/fullchain.pem (failure)
/etc/letsencrypt/live/npm-6/fullchain.pem (failure)
5 renew failure(s), 0 parse failure(s)
I'm not too familiar with how renewals occur or what's needed to fix this. It was working a few months ago, but that doesn't really help for now. What should I look at for troubleshooting? Thanks
mattie112 Posted October 6, 2022
18 minutes ago, itlists said: Hello, need help to figure out a problem with renewing certificates. Below are the error messages: I'm not too familiar with how renewals occur or what's needed to fix this. It was working a few months ago, but that doesn't really help for now. What should I look at for troubleshooting? Thanks
Try to manually call certbot, see:
itlists Posted October 6, 2022
14 minutes ago, mattie112 said: Try to manually call certbot, see:
Hi, thanks for the quick reply. So I attempted the dry-run command and here's the output (replaced my domain name with 'domain'):
Simulating renewal of an existing certificate for rss.domain.net
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: rss.domain.net
Type: unauthorized
Detail: 2606:4700:3032::ac43:b94a: Invalid response from http://rss.domain.net/.well-known/acme-challenge/7MEfa4hphYwq5O9FuT9-1gX4TowDBDljM6GhdMAKLx8: 522
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
Failed to renew certificate npm-3 with error: Some challenges have failed.
mattie112 Posted October 6, 2022
An HTTP 522 error is a CloudFlare connection timeout, it seems: https://support.cloudflare.com/hc/en-us/articles/115003011431-Troubleshooting-Cloudflare-5XX-errors#522error https://www.ionos.com/digitalguide/hosting/technical-matters/error-522-explanation-and-solutions/ I don't use CF myself but I would double-check the settings there.
itlists Posted October 6, 2022
26 minutes ago, mattie112 said: An HTTP 522 error is a CloudFlare connection timeout, it seems: https://support.cloudflare.com/hc/en-us/articles/115003011431-Troubleshooting-Cloudflare-5XX-errors#522error https://www.ionos.com/digitalguide/hosting/technical-matters/error-522-explanation-and-solutions/ I don't use CF myself but I would double-check the settings there.
I see. Seems something is amiss on my side then... firewall, server, IP/DNS... hmmm. Thanks for finding this!
itlists Posted October 6, 2022
2 hours ago, itlists said: I see. Seems something is amiss on my side then... firewall, server, IP/DNS... hmmm. Thanks for finding this!
DNS record looks good, server is reachable as well when browsing to rss.domain.com. So something specifically tied to this challenge/response. Any ideas on what else I can look at? Do I need particular port forwarding, etc.?
mattie112 Posted October 6, 2022
I don't use CF myself. But in general: the .well-known directory MUST be reachable through unsecured HTTP on port 80, as Let's Encrypt must be able to verify the challenge even before the encryption has been set up.
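The port-80 requirement mattie112 states is easy to check before running certbot: drop a random file under the webroot's .well-known/acme-challenge/ and fetch it back over plain http://, exactly the way the CA's validator does. The script below is an added example written for this thread, not code from Nginx Proxy Manager or certbot. The domain rss.example.net, the webroot path and the responses in the offline scenarios are constructed; `urllib_fetch` is what you would use for a real check, and `make_local_fetcher` stands in for a correctly configured web server so the verdicts can be exercised without a network. The verdicts map the responses quoted earlier in the thread to their usual cause (no answer at all, a 5xx such as Cloudflare's 522 from the edge, a 404 from the wrong webroot, or a 200 with someone else's content). One caveat: a pass here means your own vantage point reaches the origin; Let's Encrypt validates from several locations and follows redirects, so it is a preflight, not a guarantee.

```python
import secrets
import socket
import tempfile
import urllib.error
import urllib.request
from pathlib import Path
from typing import Callable, Dict, Tuple

# A fetcher returns (http_status, body). Status 0 means no HTTP answer at all
# (connection refused / timed out), which is what a missing port-80 forward looks like.
Fetcher = Callable[[str], Tuple[int, bytes]]


def urllib_fetch(url: str, timeout: float = 10.0) -> Tuple[int, bytes]:
    """Real fetch over plain HTTP, the way the CA's validator will do it."""
    req = urllib.request.Request(url, headers={"User-Agent": "acme-preflight"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()
    except (urllib.error.URLError, socket.timeout, OSError) as e:
        return 0, str(e).encode()


def http01_preflight(domain: str, webroot: str, fetch: Fetcher = urllib_fetch) -> Tuple[str, str]:
    """Write a random token under <webroot>/.well-known/acme-challenge/ and check that
    http://<domain>/ serves it back on port 80. Returns (verdict, explanation)."""
    token = secrets.token_urlsafe(32)
    challenge_dir = Path(webroot) / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    token_file = challenge_dir / token
    token_file.write_text(token)
    try:
        status, body = fetch(f"http://{domain}/.well-known/acme-challenge/{token}")
    finally:
        token_file.unlink(missing_ok=True)  # never leave test files behind in the webroot

    if status == 0:
        return "unreachable", (f"no HTTP answer on port 80 ({body.decode(errors='replace')}); "
                               "check the port-80 forward and firewall rule")
    if 500 <= status < 600:
        # Cloudflare's 522 is a connection timeout between its edge and the origin.
        return "origin-down", f"edge/proxy answered {status}: it could not reach the origin on port 80"
    if status == 404:
        return "wrong-webroot", "port 80 answers, but the server does not serve this webroot"
    if status == 200 and body.strip() == token.encode():
        return "ok", "challenge file served correctly over plain HTTP"
    if status == 200:
        return "wrong-host", "port 80 answers with different content (another vhost or a login page?)"
    return "unexpected", f"HTTP {status}"


def make_local_fetcher(webroot: str) -> Fetcher:
    """Offline stand-in for a correctly configured web server: serves files
    straight from the webroot instead of going over the network (constructed)."""
    def fetch(url: str) -> Tuple[int, bytes]:
        token = url.rsplit("/", 1)[1]
        path = Path(webroot) / ".well-known" / "acme-challenge" / token
        return (200, path.read_bytes()) if path.is_file() else (404, b"not found")
    return fetch


def run_offline_scenarios() -> Dict[str, str]:
    """Exercise every verdict against constructed responses; no network needed."""
    webroot = tempfile.mkdtemp(prefix="acme-preflight-")
    scenarios: Dict[str, Fetcher] = {
        "forward ok": make_local_fetcher(webroot),
        "port 80 not forwarded": lambda url: (0, b"timed out"),
        "cloudflare 522": lambda url: (522, b""),
        "other vhost answers": lambda url: (200, b"<html>login</html>"),
        "wrong webroot": lambda url: (404, b""),
    }
    return {name: http01_preflight("rss.example.net", webroot, fetch)[0]
            for name, fetch in scenarios.items()}


if __name__ == "__main__":
    for name, verdict in run_offline_scenarios().items():
        print(f"{name:24} -> {verdict}")
```

For a real check, call `http01_preflight("your.domain", "/path/to/webroot")` from the host that serves port 80, using the same webroot directory that NPM's certbot writes to; the "unreachable" verdict is the one that corresponds to a missing port-80 forward on the firewall.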
itlists Posted October 6, 2022
2 hours ago, mattie112 said: I don't use CF myself. But in general: the .well-known directory MUST be reachable through unsecured HTTP on port 80, as Let's Encrypt must be able to verify the challenge even before the encryption has been set up.
Looks like there may be an issue on the fw blocking inbound port 80. All CL IPs are allowed inbound but still being blocked... investigating this.
itlists Posted October 6, 2022
55 minutes ago, itlists said: Looks like there may be an issue on the fw blocking inbound port 80. All CL IPs are allowed inbound but still being blocked... investigating this.
Got it fixed now. Was missing a port forward rule. Somehow it was missing after a recent fw upgrade. Another question: how do I remove this cert from the renew list? The 'vault' service doesn't exist anymore.
Processing /etc/letsencrypt/renewal/npm-2.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for vault.domain.net
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: vault.domain.net
Type: dns
Detail: no valid A records found for vault.domain.net; no valid AAAA records found for vault.domain.net
mattie112 Posted October 7, 2022
Is it not listed in the UI? Perhaps manually delete `/etc/letsencrypt/renewal/npm-2.conf`
itlists Posted October 7, 2022
4 hours ago, mattie112 said: Is it not listed in the UI? Perhaps manually delete `/etc/letsencrypt/renewal/npm-2.conf`
No, not in the UI. Deleting the file seems to have worked. Thanks
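The renewal output quoted above by itlists carries everything needed to tell the two failure kinds apart: the "unauthorized ... 522" case (the CA's fetch never reached the origin on port 80) and the "dns ... no valid A records" case (a retired service, whose renewal conf is the file to delete, as mattie112 suggested). The parser below is an added example for this thread, not part of Nginx Proxy Manager or certbot; it reads certbot's text output, groups each "Domain/Type/Detail" block under the renewal conf and certificate name printed around it, and returns a diagnosis plus the list of stale renewal confs. The sample text is constructed from the thread's quoted output with the domains replaced by example.net and the challenge token replaced by a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample modelled on the certbot output quoted in the thread.
SAMPLE_OUTPUT = """\
Processing /etc/letsencrypt/renewal/npm-3.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Simulating renewal of an existing certificate for rss.example.net
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: rss.example.net
  Type:   unauthorized
  Detail: 2606:4700:3032::ac43:b94a: Invalid response from http://rss.example.net/.well-known/acme-challenge/TOKEN-PLACEHOLDER: 522

Failed to renew certificate npm-3 with error: Some challenges have failed.

Processing /etc/letsencrypt/renewal/npm-2.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for vault.example.net
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: vault.example.net
  Type:   dns
  Detail: no valid A records found for vault.example.net; no valid AAAA records found for vault.example.net

Failed to renew certificate npm-2 with error: Some challenges have failed.
"""


@dataclass
class ChallengeFailure:
    domain: str
    kind: str                            # certbot's "Type:" field: unauthorized, dns, ...
    detail: str
    renewal_conf: Optional[str] = None   # /etc/letsencrypt/renewal/<name>.conf being processed
    cert_name: Optional[str] = None      # certificate name, e.g. npm-3
    http_status: Optional[int] = None    # trailing status code in Detail, if any

    def diagnosis(self) -> str:
        """Map the failure to the likely cause discussed in the thread."""
        if self.kind == "dns" and "no valid A records" in self.detail:
            # The name no longer resolves: typically a retired service whose
            # renewal conf is still present and keeps failing every run.
            return "no-dns-record: stale renewal conf, remove it if the service is gone"
        if self.kind == "unauthorized":
            if self.http_status == 522:
                return "origin-unreachable: CDN edge got no answer on port 80 (check port-80 forward/firewall)"
            if self.http_status == 404:
                return "challenge-not-served: port 80 answers, but not from the webroot certbot writes to"
            return "unauthorized: unexpected response to the HTTP-01 challenge"
        return "unknown: inspect Detail manually"


_CONF_RE = re.compile(r"^Processing\s+(\S+\.conf)")
_DOMAIN_RE = re.compile(r"^\s*Domain:\s*(\S+)")
_TYPE_RE = re.compile(r"^\s*Type:\s*(\S+)")
_DETAIL_RE = re.compile(r"^\s*Detail:\s*(.*\S)")
_FAILED_RE = re.compile(r"^Failed to renew certificate (\S+) with error")
_STATUS_RE = re.compile(r":\s*(\d{3})\s*$")   # "... acme-challenge/<token>: 522"


def parse_certbot_output(text: str) -> List[ChallengeFailure]:
    failures: List[ChallengeFailure] = []
    current_conf: Optional[str] = None
    pending: Optional[ChallengeFailure] = None
    for line in text.splitlines():
        m = _CONF_RE.match(line)
        if m:
            current_conf = m.group(1)
            continue
        m = _DOMAIN_RE.match(line)
        if m:
            pending = ChallengeFailure(domain=m.group(1), kind="", detail="", renewal_conf=current_conf)
            failures.append(pending)
            continue
        m = _TYPE_RE.match(line)
        if m and pending:
            pending.kind = m.group(1)
            continue
        m = _DETAIL_RE.match(line)
        if m and pending:
            pending.detail = m.group(1)
            s = _STATUS_RE.search(pending.detail)
            if s:
                pending.http_status = int(s.group(1))
            pending = None
            continue
        m = _FAILED_RE.match(line)
        if m:
            # This line closes the block: name every failure not yet tagged with a cert.
            for f in failures:
                if f.cert_name is None:
                    f.cert_name = m.group(1)
    return failures


def stale_renewal_confs(failures: List[ChallengeFailure]) -> List[str]:
    """Renewal confs whose domain no longer has DNS records (candidates for removal)."""
    return sorted({f.renewal_conf for f in failures
                   if f.renewal_conf and f.diagnosis().startswith("no-dns-record")})


if __name__ == "__main__":
    found = parse_certbot_output(SAMPLE_OUTPUT)
    for f in found:
        print(f"{f.cert_name:8} {f.domain:22} {f.diagnosis()}")
    print("stale renewal confs:", stale_renewal_confs(found))
```

Feed it the output of `certbot renew --dry-run` run inside the container (with `-v` if the Domain/Type/Detail block is missing from the quiet output), and remove only those renewal confs whose service really is gone; a "no valid A records" failure for a live service points at DNS instead.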
ars92 Posted October 8, 2022
Thanking the existence of this docker. Was about to get down and dirty on trying to enable a secured connection to Emby and Jellyfin, which have been unsecured and accessible through WAN for a long time (crazy, I know!), saw it was kinda complicated, went and looked into reverse proxy as I am a network engineer by day, so I deal with this on a daily basis but with enterprise solutions. Nginx and others still seemed pretty involved and then this popped up through CA. Settled both services through separate DDNS entries which sync to the CNAME of my router DNS so manual update of IP isn't needed; may still need to refresh my hostname every 30 days though due to it being a free account. This barely took a few minutes to set up, thanks again!!!
JnthnWJ Posted October 28, 2022
Just went through the setup process for nginx, but when I go to my domain, it redirects to my Unraid server login rather than the container/port that I have it configured to. My domain is managed with cloudflare and I have a CNAME subdomain pointing to duckdns. Any help would be greatly appreciated!
mattie112 Posted October 28, 2022
Are you sure the port forwarding is correct? A 'start' and 'end' would indicate you are forwarding (allowing) that range to go to your server (or container). I do not see a 443 to 18443 forward for example. You could try NPM on 80/443 (if it has its own IP) to verify this. Or try to access port 18443 remotely, then you can be sure.
JnthnWJ Posted November 1, 2022
On 10/28/2022 at 12:00 PM, mattie112 said: Are you sure the port forwarding is correct? A 'start' and 'end' would indicate you are forwarding (allowing) that range to go to your server (or container). I do not see a 443 to 18443 forward for example. You could try NPM on 80/443 (if it has its own IP) to verify this. Or try to access port 18443 remotely, then you can be sure.
You were right! I just assumed 'start' meant incoming and 'end' meant outgoing. Just keeping it simple by forwarding 80 and 443 worked. Thank you for your help!
cpthook Posted November 2, 2022
On 9/19/2022 at 9:53 AM, mattie112 said: You can still have multiple servers, however as you just have 1 port 80 available (externally) you can only have 1 NPM running (on that port).
Hello Forum. I have two unRAID servers running docker containers. I have a custom docker network interface created called 'reverseproxy' on my main unRAID server. Containers that I have reverse proxied are communicating on this interface and working well. My question is: is there a way to configure the containers on my second server (on the same LAN) to communicate on the custom docker network located on my main server? Thanks
alturismo Posted November 3, 2022
11 hours ago, cpthook said: My question is: is there a way to configure the containers on my second server (on the same LAN) to communicate on the custom docker network located on my main server?
If your intention is to use NPM for services on the 2nd unraid server, let's say plex is located on unraid server 2, then just set the IP of plex on server 2 in NPM (from server 1), which is the unraid host IP if plex is running in bridge or host mode on server 2, using the mapped ports. If you really want them in the bridge you created on server 1, I would say no, and it is also not necessary for reverse proxying ...
mattie112 Posted November 3, 2022
What exactly do you want?
- containers on B to be able to access containers on A (behind the proxy) -> then why not access them through the proxy?
- NPM on A to be able to forward traffic to containers on B -> then why not expose a port (and/or IP) on B?
But with some iptables magic you should be able to "bridge" networks I think, but I can't really help you with that config.
cpthook Posted November 3, 2022
1 hour ago, mattie112 said: What exactly do you want? containers on B to be able to access containers on A (behind the proxy) -> then why not access them through the proxy? NPM on A to be able to forward traffic to containers on B -> then why not expose a port (and/or IP) on B? But with some iptables magic you should be able to "bridge" networks I think, but I can't really help you with that config.
Hello guys. Thanks for the responses. So this is server 'A' (ports 443/80 redirected/forwarded to 192.168.1.25), my main server. These containers in the screenshot here have all been configured for reverse proxy and communicate on the custom network interface I created called 'reverseproxy' (172.19.0.0/16). These containers below are on server 'B' (192.168.1.11) and I would like to reverse proxy these also using the SWAG proxy manager from server 'A' and possibly the same custom docker interface from server 'A'. Is this possible? Again... thanks for the help and hope I'm making sense to you all considering I'm a basic user. FYI... I tried to create a separate SWAG proxy manager on server 'B' until I realized I cannot redirect/forward ports 443/80 to server 'B' as I only have one public address to work with.