[Support] Djoss - Nginx Proxy Manager


Djoss


Yes and No,

 

I am getting the idea that you want to create some kind of redundancy. The only way to accomplish this, as far as I am aware, is to set up some kind of load balancer that can be configured to redirect traffic when one source is down. I am not aware of how PFSense works, I'm a Unifi guy. But there may be something built into PFSense that can provide this functionality (https://www.howtoforge.com/how-to-use-pfsense-to-load-balance-your-web-servers).

 

If you are going for redundancy, you then get into the challenge of making sure that the box1 and box2 containers/VMs are synced in real time in some way. If they are not, then you won't have redundancy. If the two servers don't have the exact same services configured, then it won't matter that you have a redundant NPM, as the services on the server that is down won't respond anyway. Also, in a load-balanced situation, each NPM is going to have different domain/IP mappings, so you can't just duplicate the second NPM with the settings of the first NPM.

 

Getting load balancing running is not a simple feat and requires a lot of planning.

 

Why do you need this kind of set up?

57 minutes ago, mattie112 said:

Or (if you just have 2 Unraid servers) run NPM on 1 and add your hosts for unraid #2 in there

 

so:

service hosted on unraid 1

example.com -> localhost:1234

 

service hosted on unraid 2

otherexample.com -> ip.of.other.unraid:2345

I have box 1: i7 4770, 32GB RAM

box 2: Celeron N3150, 4GB RAM

I try to use the Celeron box only for PhotoPrism because it is fanless and has very low power use. The other box I turn off sometimes. I have 3 of these boxes; on one is an OPNsense firewall, and one I wanted to use just as a Google Photos replacement. Then I need to transfer all of NPM to be on the Celeron box and run it 24/7, and everything is gonna be OK. I think this is the easiest solution, as you said also.

Thank you very much for your help.

 

 

 

3 hours ago, aglyons said:

 

You can't forward the same port to two different IPs on your LAN. I'm surprised your router allowed you to even enter this config.

 

Just do all the NPM forwarding on box1 to all the services that are on box2 with the appropriate IP's/ports.

 

 

So what I read from this is you are double NAT'ed. That's a nightmare. There should be a way you can configure your provider's modem/router to operate in bridge mode. That essentially disables the built-in router and allows your PFSense to act as the primary (and only) firewall/router. This should simplify managing the system and clear up a lot of port forward/conflict issues.

Hi, I am not double NAT'ed, I think; NAT should be disabled on the modem. It's some optic box; I don't know exactly what it is.

3 weeks later...

Hello, need help to figure out problem with renewing certificates. Below are the error messages:

 


Error: Command failed: certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation  
Failed to renew certificate npm-1 with error: Some challenges have failed.
Failed to renew certificate npm-2 with error: Some challenges have failed.
Failed to renew certificate npm-3 with error: Some challenges have failed.
Failed to renew certificate npm-32 with error: Some challenges have failed.
Failed to renew certificate npm-6 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-1/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-3/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-32/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-6/fullchain.pem (failure)
5 renew failure(s), 0 parse failure(s)

 

I'm not too familiar with how renewals occur or what's needed to fix this.
It was working few months ago, but that doesn't really help for now.

 

What should I look at for troubleshooting?

 

Thanks

18 minutes ago, itlists said:

Hello, need help to figure out problem with renewing certificates. Below are the error messages:

 

 

I'm not too familiar with how renewals occur or what's needed to fix this.
It was working few months ago, but that doesn't really help for now.

 

What should I look at for troubleshooting?

 

Thanks

Try to manually call certbot, see:

 

 

14 minutes ago, mattie112 said:

Try to manually call certbot, see:

 

 

 

Hi, thanks for the quick reply. So I attempted the dry-run command and here's the output:
(replaced my domain name with 'domain')
 


Simulating renewal of an existing certificate for rss.domain.net

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: rss.domain.net
  Type:   unauthorized
  Detail: 2606:4700:3032::ac43:b94a: Invalid response from http://rss.domain.net/.well-known/acme-challenge/7MEfa4hphYwq5O9FuT9-1gX4TowDBDljM6GhdMAKLx8: 522

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

Failed to renew certificate npm-3 with error: Some challenges have failed.

 

26 minutes ago, mattie112 said:

An HTTP 522 error is a Cloudflare connection timeout, it seems:

 

https://support.cloudflare.com/hc/en-us/articles/115003011431-Troubleshooting-Cloudflare-5XX-errors#522error

https://www.ionos.com/digitalguide/hosting/technical-matters/error-522-explanation-and-solutions/

 

I don't use CF myself, but I would double-check the settings there.

I see. Seems something amiss on my side then... firewall, server, IP/DNS... hmmm

Thanks for finding this!

2 hours ago, itlists said:

I see. Seems something amiss on my side then... firewall, server, IP/DNS... hmmm

Thanks for finding this!

DNS record looks good, server is reachable as well when browsing to rss.domain.com

So something specifically tied to this challenge/response.

Any ideas on what else I can look at? Do I need particular port forwarding, etc?

2 hours ago, mattie112 said:

I don't use CF myself.

 

But in general:

The .well-known directory MUST be reachable through unsecured HTTP on port 80, as Let's Encrypt must be able to verify the challenge even before the encryption has been set up.

 

Looks like there may be an issue on the fw blocking inbound port 80. All CL IPs are allowed inbound but still being blocked... investigating this

55 minutes ago, itlists said:

 

Looks like there may be an issue on the fw blocking inbound port 80. All CL IPs are allowed inbound but still being blocked... investigating this

Got it fixed now. Was missing a port forward rule. Somehow it was missing after a recent fw upgrade.

 

Another question: how to remove this cert from the renew list? The 'vault' service doesn't exist anymore.
 


 

Processing /etc/letsencrypt/renewal/npm-2.conf
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Renewing an existing certificate for vault.domain.net

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: vault.domain.net
  Type:   dns
  Detail: no valid A records found for vault.domain.net; no valid AAAA records found for vault.domain.net

 

 

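The three renewal failures pasted above (a 522 answered by a Cloudflare address, the "port 80 must be open" rule, and "no valid A records" for a host that no longer exists) are the usual HTTP-01 failure classes. The script below is an added example, not part of this thread or of the Nginx Proxy Manager project: it parses the Domain/Type/Detail blocks that certbot prints and maps each to a likely cause and the next check. The Cloudflare edge ranges are an abbreviated snapshot and an assumption (verify against https://www.cloudflare.com/ips/); the sample inputs are constructed from the output pasted earlier, with the poster's "domain" placeholder kept.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Abbreviated snapshot of Cloudflare's published edge ranges. Assumption for
# this example: verify against https://www.cloudflare.com/ips/ before use.
CLOUDFLARE_EDGE = [
    ipaddress.ip_network(n)
    for n in ("104.16.0.0/13", "172.64.0.0/13", "2606:4700::/32", "2a06:98c0::/29")
]

# One problem block as certbot prints it under
# "The Certificate Authority reported these problems:"
_PROBLEM = re.compile(
    r"Domain:\s+(?P<domain>\S+)\s*\n"
    r"\s*Type:\s+(?P<type>\S+)\s*\n"
    r"\s*Detail:\s+(?P<detail>[^\n]+)"
)
# "<responding ip>: Invalid response from <challenge url>: <http status>"
_RESPONDER = re.compile(
    r"^(?P<ip>[0-9A-Fa-f:.]+): Invalid response from (?P<url>\S+): (?P<status>\d{3})"
)
_FAILED_CERT = re.compile(r"Failed to renew certificate (\S+) with error")


@dataclass
class Failure:
    domain: str
    challenge_type: str  # certbot's "Type:" field: unauthorized, dns, connection, ...
    detail: str
    cause: str
    next_check: str


def is_cloudflare_edge(ip: str) -> bool:
    """True if the address that answered the CA is a Cloudflare edge, i.e. the
    record is proxied and the status describes edge-to-origin, not CA-to-you."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_EDGE)


def diagnose(challenge_type: str, detail: str) -> tuple[str, str]:
    """Map one certbot problem block to (likely cause, next thing to check)."""
    if challenge_type == "dns" and "no valid A records" in detail:
        return ("hostname has no A/AAAA record, so the CA cannot reach it at all",
                "if the service is gone, delete the certificate in NPM (or run "
                "`certbot delete --cert-name <name>` in the container) so it leaves the renew list")
    m = _RESPONDER.match(detail)
    if m:
        status, via_cf = int(m.group("status")), is_cloudflare_edge(m.group("ip"))
        if status == 522 and via_cf:
            return ("Cloudflare edge returned 522: it could not open TCP/80 to the origin "
                    "(firewall rule or port forward for port 80 missing)",
                    "confirm TCP/80 is forwarded to the NPM host and allowed from Cloudflare's "
                    "ranges, then fetch http://<domain>/.well-known/acme-challenge/x from outside")
        return (f"challenge URL fetched but returned HTTP {status}" + (" via Cloudflare" if via_cf else ""),
                "fetch the same URL from outside the LAN and compare the response")
    if challenge_type in ("connection", "unauthorized"):
        return ("CA could not complete the HTTP-01 fetch; port 80 is not reachable from the internet",
                "HTTP-01 uses plain HTTP on port 80 only; a 443 forward alone is not enough")
    return ("unrecognised failure", "read the full certbot log in the container")


def parse_failures(output: str) -> list[Failure]:
    """Extract every Domain/Type/Detail block and attach a diagnosis."""
    out = []
    for m in _PROBLEM.finditer(output):
        detail = m.group("detail").strip()
        cause, check = diagnose(m.group("type"), detail)
        out.append(Failure(m.group("domain"), m.group("type"), detail, cause, check))
    return out


def failed_cert_names(output: str) -> list[str]:
    """Certificate names (NPM uses npm-<id>) that certbot reported as failed."""
    return _FAILED_CERT.findall(output)


# Constructed samples, taken from the output pasted earlier in this thread.
SAMPLE_522 = """\
Simulating renewal of an existing certificate for rss.domain.net

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: rss.domain.net
  Type:   unauthorized
  Detail: 2606:4700:3032::ac43:b94a: Invalid response from http://rss.domain.net/.well-known/acme-challenge/7MEfa4hphYwq5O9FuT9-1gX4TowDBDljM6GhdMAKLx8: 522

Failed to renew certificate npm-3 with error: Some challenges have failed.
"""
SAMPLE_DNS = """\
Processing /etc/letsencrypt/renewal/npm-2.conf
Renewing an existing certificate for vault.domain.net

Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: vault.domain.net
  Type:   dns
  Detail: no valid A records found for vault.domain.net; no valid AAAA records found for vault.domain.net
"""

if __name__ == "__main__":
    for sample in (SAMPLE_522, SAMPLE_DNS):
        for f in parse_failures(sample):
            print(f"{f.domain} [{f.challenge_type}]\n  cause: {f.cause}\n  check: {f.next_check}")
        print("failed certs:", failed_cert_names(sample))
```

Run it against the real output with `docker logs <npm-container>` piped into `parse_failures` instead of the samples. The point of the Cloudflare check is that the address in the Detail line is whoever answered the CA; when the record is proxied, that is Cloudflare's edge, so a 522 means the edge could not reach your origin on port 80, exactly the missing port forward found later in the thread.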

Thanking the existence of this docker. I was about to get down and dirty trying to enable secured connections to Emby and Jellyfin, which have been unsecured and accessible through WAN for a long time (crazy, I know!), saw it was kinda complicated, and went and looked into reverse proxies, as I am a network engineer by day, so I deal with this on a daily basis, but with enterprise solutions. Nginx and others still seemed pretty involved, and then this popped up through CA :D

 

Settled both services through separate DDNS entries, which sync to the CNAME of my router DNS so a manual update of the IP isn't needed; I may still need to refresh my hostname every 30 days though, due to it being a free account. This barely took a few minutes to set up, thanks again!!!

3 weeks later...

Just went through the setup process for nginx, but when I go to my domain, it redirects to my Unraid server login rather than the container/port that I have it configured for. My domain is managed with Cloudflare and I have a CNAME subdomain pointing to DuckDNS.

Any help would be greatly appreciated! 


Are you sure the port forwarding is correct? A 'start' and 'end' would indicate you are forwarding (allowing) that range to go to your server (or container). I do not see a 443 to 18443 forward, for example.

 

You could try NPM on 80/443 (if it has its own IP) to verify this. Or try to access port 18443 remotely then you can be sure.

On 10/28/2022 at 12:00 PM, mattie112 said:

Are you sure the port forwarding is correct? A 'start' and 'end' would indicate you are forwarding (allowing) that range to go to your server (or container). I do not see a 443 to 18443 forward, for example.

 

You could try NPM on 80/443 (if it has its own IP) to verify this. Or try to access port 18443 remotely then you can be sure.

You were right! I just assumed 'start' meant incoming and 'end' meant out going. Just keeping it simple by forwarding 80 and 443 worked. 

Thank you for your help!

On 9/19/2022 at 9:53 AM, mattie112 said:

You can still have multiple servers, however as you just have 1 port 80 available (externally) you can only have 1 NPM running (on that port).

 

 

 

Hello Forum. I have two unRAID servers running docker containers. I have a custom docker network interface created called 'reverseproxy' on my main unRAID server. Containers that I have reverse proxied are communicating on this interface and working well. My question is: is there a way to configure the containers on my second server (on the same LAN) to communicate on the custom docker network located on my main server?

 

Thanks   

 

11 hours ago, cpthook said:

My question is: is there a way to configure the containers on my second server (on the same LAN) to communicate on the custom docker network located on my main server?

If your intention is to use NPM for services on the 2nd unraid server, let's say Plex is located on unraid server 2, then just set the IP of Plex on server 2 in NPM (from server 1), which is then the unraid host IP if Plex is running in bridge or host mode on server 2, using the mapped ports.

 

if you really want them in the bridge you created on server 1, i would say no and also not necessary for reverse proxying ...


What exactly do you want?

 

containers on B to be able to access containers on A (behind the proxy)

-> then why not access them through the proxy?

 

NPM on A to be able to forward traffic to containers on B

-> then why not expose a port (and/or IP) on B?

 

But with some iptables magic you should be able to "bridge" networks I think but I can't really help you with that config.

1 hour ago, mattie112 said:

What exactly do you want?

 

containers on B to be able to access containers on A (behind the proxy)

-> then why not access them through the proxy?

 

NPM on A to be able to forward traffic to containers on B

-> then why not expose a port (and/or IP) on B?

 

But with some iptables magic you should be able to "bridge" networks I think but I can't really help you with that config.

 

Hello guys. Thanks for the responses. So this is server 'A' (ports 443/80 redirected/forwarded to 192.168.1.25), my main server. The containers in the screenshot here have all been configured for reverse proxy and communicate on the custom network interface I created called 'reverseproxy' (172.19.0.0/16).

 


 

These containers below are on server 'B' (192.168.1.11), and I would like to reverse proxy these also, using the SWAG proxy manager from server 'A' and possibly the same custom docker interface from server 'A'. Is this possible?

 


 

Again... thanks for the help, and I hope I'm making sense to you all :) considering I'm a basic user. FYI... I tried to create a separate SWAG proxy manager on server 'B' until I realized I cannot redirect/forward ports 443/80 to server 'B', as I only have one public address to work with.

 
