[Support] Djoss - Nginx Proxy Manager


Djoss


First and foremost,  Thank you for this!  

This looks amazing and while I love CLI for most configurations,  nginx can get annoying.

 

With that said,  is there a way to "import" previously configured services from say, letsencrypt docker, to speed up the transition to nginx proxy manager?

 

Secondly, is there a way to support "wildcard" ssl certs?  *.domain.com in this docker?

Sadly self-answered, no.  https://github.com/jc21/nginx-proxy-manager/issues/36

Edited by fmp4m
Link to comment

I like this docker.  Question about this, in context of unraid and hardening.  What suggestions are available regarding securing the let's encrypt requirement of having 80 and 443 open on the firewall and this docker?  Does the docker have a lockout function, anti-brute force, yubikey or 2fa functions (or will it eventually)?

Edited by repomanz
Link to comment

Trying to get this to work with gitlab-ce. Having basically zero luck. I'm super new to nginx and proxying different services to the web using it, was hoping a GUI would ease the learning curve.

So, for configuration in Nginx-Proxy-Manager I have this:
[screenshot: the proxy host entry as configured in the Nginx Proxy Manager GUI]

And I have it set to generate a new SSL certificate using LE, and force SSL.

From there, I've set gitlab-ce docker with the following extra options:
 


external_url 'https://git.mydomain.com/';
gitlab_rails['gitlab_ssh_host']='git.mydomain.com';
nginx['hsts_max_age'] = 0;
nginx['listen_port'] = 4080;
nginx['listen_https'] = false;

(I've taken the liberty of placing these on newlines for readability)

First I receive the same error as the above user - but refreshing the page shows that the entry was created, and the SSL certificate is shown on the certs tab. But when I attempt to reach gitlab via git.mydomain.com I get nothing. I can see that gitlab is running by checking the docker log.

I've got other services forwarded fine - but gitlab seems to be a PITA.


EDIT:

Figured it out. Other services weren't using a subdomain.

First, make sure you have your ports forwarded to this docker (or getting the certificates *will* fail)

Second, if you wish to use subdomains and are using a REAL domain name (not a dyndns style one) make sure you set up a catch-all entry for subdomains (CNAME * yourdomain.com)

Finally, create the entry using the GUI.

 

Scratch that - it doesn't seem to persist reboots very well, neither of my two SSL certificates continue to work following a reboot, and I'm getting this spammed in the log:

[nginx] starting...
nginx: [emerg] BIO_new_file("/etc/letsencrypt/live/npm-9/fullchain.pem") failed (SSL: error:02FFF002:system library:func(4095):No such file or directory:fopen('/etc/letsencrypt/live/npm-9/fullchain.pem', 'r') error:20FFF080:BIO routines:CRYPTO_internal:no such file)

Edit:
Deleted the appdata folder, recreated entries and all is working again.

 

Edited by Xaero
Link to comment
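The `BIO_new_file("/etc/letsencrypt/live/npm-9/fullchain.pem") failed` spam above is nginx refusing to start because a generated server block points at a certificate directory that no longer exists in the mounted volume. The following is an added example, not code from the thread or from the nginx-proxy-manager project: a small POSIX shell check that pulls every `ssl_certificate` / `ssl_certificate_key` path out of a config tree and verifies the file is actually there, optionally prefixing a host-side root so you can check the container's paths against the appdata mount. The config, host name and missing key in the demo are constructed; the `npm-9` name is reused from the log above only as sample data.

```shell
#!/bin/sh
# Added example (not part of the thread or of nginx-proxy-manager): verify that every
# certificate file referenced by nginx config actually exists before (re)starting nginx.
# Assumes config file names end in .conf and contain no whitespace.

# check_nginx_certs CONF_DIR [ROOT]
#   CONF_DIR: directory tree of nginx config to scan
#   ROOT:     optional prefix to apply to the paths found (e.g. the host-side mount of the
#             container's filesystem); empty means check the paths as written
# Prints one line per referenced file; returns 0 if all exist, 1 if any is missing.
check_nginx_certs() {
    conf_dir=$1
    root=${2:-}
    rc=0
    for f in $(find "$conf_dir" -type f -name '*.conf'); do
        # pull the path argument of ssl_certificate / ssl_certificate_key, drop the ';' and comments
        for p in $(sed -nE 's/^[[:space:]]*ssl_certificate(_key)?[[:space:]]+([^;[:space:]]+)[[:space:]]*;.*/\2/p' "$f"); do
            if [ -r "$root$p" ]; then
                printf 'ok      %s\n' "$p"
            else
                printf 'MISSING %s (referenced in %s)\n' "$p" "$f"
                rc=1
            fi
        done
    done
    return $rc
}

# setup_demo: constructed scenario. The server block references a chain and a key under
# /etc/letsencrypt/live/npm-9/, but only the chain survives in the mounted volume.
# Prints the temporary directory it created.
setup_demo() {
    d=$(mktemp -d)
    mkdir -p "$d/conf" "$d/root/etc/letsencrypt/live/npm-9"
    cat > "$d/conf/git.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name git.example.test;
    ssl_certificate /etc/letsencrypt/live/npm-9/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-9/privkey.pem;
}
EOF
    echo "constructed chain" > "$d/root/etc/letsencrypt/live/npm-9/fullchain.pem"
    echo "$d"
}

demo=$(setup_demo)
if check_nginx_certs "$demo/conf" "$demo/root"; then
    echo "all referenced certificate files are present"
else
    echo "nginx would fail to start: reissue the certificate or delete the stale proxy host"
fi
rm -rf "$demo"
```

Run it against the real tree with something like `check_nginx_certs /mnt/user/appdata/NginxProxyManager/nginx /mnt/user/appdata/NginxProxyManager` (paths are an assumption about your layout) before restarting the container; a single missing file is enough to take down every proxied host, not just the broken one.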
6 hours ago, gacpac said:

Hey, 

 

I'm a little bit excited about this new app. I might migrate from let's encrypt to this one but need some help setting up the proxy host. Is there some guide somewhere here or the GitHub. 

IMHO, this is such an easy app to use and set up that you don't need any guide.  I'd never sat down and used Let's Encrypt (as I could never clear off something like a week to read the thread and play with setting it up), but I got this all going within 5 minutes, with no thought involved.  But, if you need subfolders and not subdomains then you've got to manually edit the nginx configs.  Myself, I'm just using subdomains.  But, for advanced features that you may or may not require (I don't for my use case), then this may not be for you.

 

That, and if you've already spent the time and aggravation setting up LE, why switch?

Edited by Squid
Link to comment
1 hour ago, Squid said:

IMHO, this is such an easy app to use and set up that you don't need any guide.  I'd never sat down and used Let's Encrypt (as I could never clear off something like a week to read the thread and play with setting it up), but I got this all going within 5 minutes, with no thought involved.  But, if you need subfolders and not subdomains then you've got to manually edit the nginx configs.  Myself, I'm just using subdomains.  But, for advanced features that you may or may not require (I don't for my use case), then this may not be for you.

 

That, and if you've already spent the time and aggravation setting up LE, why switch?


I like the UI and how you can do the changes. I see the web app seems easy, but I need to put my customizations again, then there's no point.

Link to comment

I get the follow when I try to start the container

 

[mysqld] starting...
2018-12-27 9:57:55 23424764251016 [Note] /usr/bin/mysqld (mysqld 10.2.15-MariaDB) starting as process 1998 ...
2018-12-27 9:57:55 23424764251016 [Note] InnoDB: Mutexes and rw_locks use GCC atomic builtins
2018-12-27 9:57:55 23424764251016 [Note] InnoDB: Uses event mutexes
2018-12-27 9:57:55 23424764251016 [Note] InnoDB: Compressed tables use zlib 1.2.11
2018-12-27 9:57:55 23424764251016 [Note] InnoDB: Using Linux native AIO
2018-12-27 9:57:55 23424764251016 [Note] InnoDB: Number of pools: 1
2018-12-27 9:57:55 23424764251016 [Note] InnoDB: Using SSE2 crc32 instructions
2018-12-27 9:57:55 23424764251016 [Note] InnoDB: Initializing buffer pool, total size = 128M, instances = 1, chunk size = 128M
2018-12-27 9:57:55 23424764251016 [Note] InnoDB: Completed initialization of buffer pool
2018-12-27 9:57:55 23424421186280 [Note] InnoDB: If the mysqld execution user is authorized, page cleaner thread priority can be changed. See the man page of setpriority().
2018-12-27 9:57:55 23424764251016 [ERROR] InnoDB: The Auto-extending innodb_system data file './ibdata1' is of a different size 0 pages than specified in the .cnf file: initial 768 pages, max 0 (relevant if non-zero) pages!
2018-12-27 9:57:55 23424764251016 [ERROR] InnoDB: Plugin initialization aborted with error Generic error

[2018-12-27] [09:57:55] [Global ] › ✖ error connect ECONNREFUSED 127.0.0.1:3306

2018-12-27 9:57:55 23424764251016 [Note] InnoDB: Starting shutdown...
2018-12-27 9:57:55 23424764251016 [ERROR] Plugin 'InnoDB' init function returned error.
2018-12-27 9:57:55 23424764251016 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
2018-12-27 9:57:55 23424764251016 [Note] Plugin 'FEEDBACK' is disabled.
2018-12-27 9:57:55 23424764251016 [ERROR] Could not open mysql.plugin table. Some plugins may be not loaded
2018-12-27 9:57:55 23424764251016 [ERROR] Unknown/unsupported storage engine: InnoDB
2018-12-27 9:57:55 23424764251016 [ERROR] Aborting

 

Edited by drkpeezy
Link to comment

My Install never gets past this point:

 

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-app-niceness.sh: executing...
[cont-init.d] 00-app-niceness.sh: exited 0.
[cont-init.d] 00-app-script.sh: executing...
[cont-init.d] 00-app-script.sh: exited 0.
[cont-init.d] 00-app-user-map.sh: executing...
[cont-init.d] 00-app-user-map.sh: exited 0.
[cont-init.d] 00-clean-logmonitor-states.sh: executing...
[cont-init.d] 00-clean-logmonitor-states.sh: exited 0.
[cont-init.d] 00-clean-tmp-dir.sh: executing...
[cont-init.d] 00-clean-tmp-dir.sh: exited 0.
[cont-init.d] 00-set-app-deps.sh: executing...
[cont-init.d] 00-set-app-deps.sh: exited 0.
[cont-init.d] 00-set-home.sh: executing...
[cont-init.d] 00-set-home.sh: exited 0.
[cont-init.d] 00-take-config-ownership.sh: executing...
[cont-init.d] 00-take-config-ownership.sh: exited 0.
[cont-init.d] 00-xdg-runtime-dir.sh: executing...
[cont-init.d] 00-xdg-runtime-dir.sh: exited 0.
[cont-init.d] nginx-proxy-manager.sh: executing...
[cont-init.d] nginx-proxy-manager.sh: Initializing database data directory...
[cont-init.d] nginx-proxy-manager.sh: Database data directory initialized.
[cont-init.d] nginx-proxy-manager.sh: Starting database to perform its intialization...
[cont-init.d] nginx-proxy-manager.sh: Securing database installation...

 

Link to comment

I see this error in the init_db.log 

/mnt/user/appdata/NginxProxyManager/log# more init_db.log
Installing MariaDB/MySQL system tables in '/config/mysql' ...
2018-12-27 14:32:02 22714951916424 [ERROR] InnoDB: preallocating 12582912 bytes for file ./ibdata1 failed with error 95
2018-12-27 14:32:02 22714951916424 [ERROR] InnoDB: Could not set the file size of './ibdata1'. Probably out of disk space
2018-12-27 14:32:02 22714951916424 [ERROR] InnoDB: Database creation was aborted with error Generic error. You may need to delete the ibdata1 file before trying to start
 up again.
2018-12-27 14:32:03 22714951916424 [ERROR] Plugin 'InnoDB' init function returned error.
2018-12-27 14:32:03 22714951916424 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
2018-12-27 14:32:03 22714951916424 [ERROR] Unknown/unsupported storage engine: InnoDB
2018-12-27 14:32:03 22714951916424 [ERROR] Aborting

 

Link to comment
2 hours ago, bigdave said:

I see this error in the init_db.log 


/mnt/user/appdata/NginxProxyManager/log# more init_db.log
Installing MariaDB/MySQL system tables in '/config/mysql' ...
2018-12-27 14:32:02 22714951916424 [ERROR] InnoDB: preallocating 12582912 bytes for file ./ibdata1 failed with error 95
2018-12-27 14:32:02 22714951916424 [ERROR] InnoDB: Could not set the file size of './ibdata1'. Probably out of disk space
2018-12-27 14:32:02 22714951916424 [ERROR] InnoDB: Database creation was aborted with error Generic error. You may need to delete the ibdata1 file before trying to start
 up again.
2018-12-27 14:32:03 22714951916424 [ERROR] Plugin 'InnoDB' init function returned error.
2018-12-27 14:32:03 22714951916424 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
2018-12-27 14:32:03 22714951916424 [ERROR] Unknown/unsupported storage engine: InnoDB
2018-12-27 14:32:03 22714951916424 [ERROR] Aborting

 

What are you using for umask? My logs are the same...

Link to comment
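The `preallocating ... failed with error 95` line in the two logs above is errno 95 on Linux, EOPNOTSUPP: the filesystem under `/config/mysql` refused the `fallocate()` call InnoDB uses to size `ibdata1`, which has nothing to do with free space or umask. On unraid the usual culprit is that `/mnt/user/...` is a FUSE user share (an assumption about the posters' setups, but a common one); a direct disk or cache path typically works. As an added example, not code from the thread or the project, here is a probe that attempts the same preallocation in a directory so you can compare candidate appdata locations before pointing the container at one. The directories and probe file name are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from nginx-proxy-manager): test whether a directory's
# filesystem supports fallocate(), which MariaDB/InnoDB needs to create ibdata1.
# Requires the fallocate utility from util-linux (present on unraid and most distributions).

# check_prealloc DIR -> prints "ok", "unsupported" or "error"; returns 0, 1 or 2
#   ok           fallocate succeeded, InnoDB can initialise here
#   unsupported  fallocate was refused (EOPNOTSUPP, error 95 in the MariaDB log)
#   error        DIR is not a writable directory or fallocate is not installed
check_prealloc() {
    dir=$1
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo error; return 2
    fi
    if ! command -v fallocate >/dev/null 2>&1; then
        echo error; return 2
    fi
    probe="$dir/.prealloc-probe.$$"   # constructed probe file name, removed afterwards
    if fallocate -l 1M "$probe" 2>/dev/null; then
        rm -f "$probe"; echo ok; return 0
    fi
    rm -f "$probe"; echo unsupported; return 1
}

# Check every directory given on the command line, or /tmp when none is given.
[ $# -gt 0 ] || set -- /tmp
for d in "$@"; do
    printf '%-40s %s\n' "$d" "$(check_prealloc "$d")"
done
```

On an unraid box, `sh check_prealloc.sh /mnt/user/appdata /mnt/cache/appdata` (paths assumed) shows in one line which of the two the database can live on; whichever reports `ok` is the one to map to `/config`.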

Terrific work, djoss. I predict this will soon be the go-to certificate manager in unraid.

 

Questions: How would a wildcard certificate be assembled through the proxy manager? How would we go about making the LetsEncrypt cert self-renewing?

 

Edit: Just found that Lets Encrypt wild cards don't work yet. Hope that comes soon.

Edited by madaroda
added clarification
Link to comment
4 hours ago, hernandito said:

Quick question please.... if I host a personal web site, that I access from outside.... where do I place all my www files and folders, the html files.

 

Thank you.

 

H.

If you already have a web server hosting those files inside your network, then exactly where they are is fine, just point the reverse proxy at that server.
If you don't have a web server running already, there are plenty of web server docker containers in Community Applications that will fit your needs.

 

I'd suggest getting familiar with how your web server is configured and making sure it's secure before giving the outside world access to it.

Link to comment

Thank you Saldash. I have been running my web server for years.... from a docker I cobbled together from LS... using Apache and LetsEncrypt. I was able to get all the reverse proxies figured out (thanks to my friend Neil). I was never able to get PHP, LE and Nginx working in their LE docker.

 

With my Docker, I can get to reverse proxy like this:

https://MyDomain.com/sonarr

https://MyDomain.com/radarr

https://MyDomain.com/www (a folder with my php files for web serving)

etc.

 

With this Docker, I can only reverse proxy

https://radarr.MyDomain.com...

I can set LE certificates for each of the prefixes. But I cannot secure the pages using the .htpasswd method.

 

If anyone can provide some examples how to do this with this Docker, it would be greatly appreciated.

 

And I can certainly have it point to my Apache docker for php.

 

Thanks again,

 

H.

 

 

Link to comment
6 minutes ago, hernandito said:

I can set LE certificates for each of the prefixes. But I cannot secure the pages using the .htpasswd method.

If anyone can provide some examples how to do this with this Docker, it would be greatly appreciated.

This docker allows you to create user access lists and assign them to specific proxy hosts.

From the main dashboard, click Access Lists in the menu. Create a new list and specify a username and password (up to five distinct users).

Once created, go to the proxy host you want to secure, click edit to open the modal and at the bottom of the modal, select your access list from the dropdown and save.

 

From the help text:

Quote

Access Lists provide authentication for the Proxy Hosts via Basic HTTP Authentication.

You can configure multiple usernames and passwords for a single Access List and then apply that to a Proxy Host.

This is most useful for forwarded web services that do not have authentication mechanisms built in.

 

Edited by Saldash
Link to comment
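Since an Access List is HTTP Basic authentication, what the GUI produces underneath is an htpasswd-style user file for nginx's `auth_basic_user_file`. The following added example (not code from the thread or from nginx-proxy-manager) shows that format concretely: it writes an entry using the apr1 scheme nginx's `auth_basic` accepts, and verifies a password against it the way you would audit an exported list. It needs `openssl`; user names, passwords and the file path are constructed, and the nginx directive path in the comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread or from nginx-proxy-manager): create and verify
# htpasswd entries of the kind an nginx Basic-auth Access List is made of.
# Requires openssl. All names and secrets below are constructed demo values.

# htpasswd_line USER PASSWORD -> prints "USER:$apr1$<salt>$<hash>"
htpasswd_line() {
    user=$1; pass=$2
    case "$user" in *:*) echo "user name must not contain ':'" >&2; return 2;; esac
    # 8 random characters from the crypt salt alphabet [a-zA-Z0-9./]
    salt=$(openssl rand -base64 48 | tr -dc 'a-zA-Z0-9./' | cut -c1-8)
    # the password goes in on stdin so it never appears in the process list
    hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    printf '%s:%s\n' "$user" "$hash"
}

# verify_password FILE USER PASSWORD -> 0 if the password matches the stored entry, 1 otherwise
verify_password() {
    file=$1; user=$2; pass=$3
    # exact match on the user field; everything after "user:" is the stored hash
    stored=$(awk -F: -v u="$user" '$1 == u { print substr($0, length(u) + 2); exit }' "$file")
    [ -n "$stored" ] || return 1
    # stored form is $apr1$<salt>$<hash>; reuse the salt and compare the recomputed hash
    salt=$(printf '%s\n' "$stored" | cut -d'$' -f3)
    candidate=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
    [ "$candidate" = "$stored" ]
}

# Demo: build a two-user file and try a right and a wrong password for alice.
# nginx consumes such a file with (path assumed):
#   auth_basic           "Restricted";
#   auth_basic_user_file /data/access/example;
f=$(mktemp)
htpasswd_line alice 'correct horse battery staple' >> "$f"
htpasswd_line bob   'hunter2'                      >> "$f"
for attempt in 'correct horse battery staple' 'hunter2'; do
    if verify_password "$f" alice "$attempt"; then
        echo "alice: accepted"
    else
        echo "alice: rejected"
    fi
done
rm -f "$f"
```

Two caveats a practitioner should keep in mind with Access Lists: Basic auth sends the user name and password base64-encoded on every request, so only enable it on hosts with Force SSL on, and nginx never locks an account out, so the password has to be strong enough to survive unlimited guessing.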
On 12/22/2018 at 1:46 PM, repomanz said:

I like this docker.  Question about this, in context of unraid and hardening.  What suggestions are available regarding securing the let's encrypt requirement of having 80 and 443 open on the firewall and this docker?  Does the docker have a lockout function, anti-brute force, yubikey or 2fa functions (or will it eventually)?

Things like 2fa are usually implemented by the application this container is proxying to.  Nginx itself has some way to limit the number of requests that are done.  I can check if there is anything configured by default for this.

Link to comment
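To make the answer above concrete for repomanz's question: with Basic auth in front of a service, nginx offers no lockout of its own, so the realistic controls are a `limit_req` rate limit on the nginx side and alerting (or fail2ban-style banning) on repeated 401 responses in the proxy's access log. The following is an added example, not code from the thread or from nginx-proxy-manager: it runs the 401-counting detection over constructed log lines in nginx's default `combined` format and flags clients above a threshold. The field positions assume that format; the proxy-manager image may write its own log format, so adjust `$1` and `$9` if your lines differ. IP addresses, timestamps and the threshold are constructed.

```shell
#!/bin/sh
# Added example (not from the thread or from nginx-proxy-manager): spot password guessing
# against a Basic-auth Access List by counting 401 responses per client in the access log.
# Assumes nginx's default "combined" log format: $1 is the client IP, $9 the status code.

# write_sample_log FILE: constructed log, one client hammering the login, two normal users
write_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.7 - - [27/Dec/2018:09:57:01 +0000] "GET / HTTP/1.1" 401 179 "-" "python-requests/2.21"
203.0.113.7 - - [27/Dec/2018:09:57:02 +0000] "GET / HTTP/1.1" 401 179 "-" "python-requests/2.21"
10.0.0.5 - alice [27/Dec/2018:09:57:02 +0000] "GET / HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.7 - admin [27/Dec/2018:09:57:03 +0000] "GET / HTTP/1.1" 401 179 "-" "python-requests/2.21"
203.0.113.7 - admin [27/Dec/2018:09:57:03 +0000] "GET / HTTP/1.1" 401 179 "-" "python-requests/2.21"
198.51.100.2 - - [27/Dec/2018:09:57:04 +0000] "GET / HTTP/1.1" 401 179 "-" "Mozilla/5.0"
203.0.113.7 - admin [27/Dec/2018:09:57:05 +0000] "GET / HTTP/1.1" 401 179 "-" "python-requests/2.21"
198.51.100.2 - bob [27/Dec/2018:09:57:09 +0000] "GET / HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
EOF
}

# failed_auth_report LOG THRESHOLD -> "IP COUNT" for each client with >= THRESHOLD 401s,
# highest count first. A single 401 is normal (the browser's first unauthenticated
# request); a run of them from one address is a guessing attempt.
failed_auth_report() {
    awk -v limit="$2" '
        $9 == 401 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= limit) printf "%s %d\n", ip, n[ip] }
    ' "$1" | sort -k2,2nr
}

# The nginx side of the same problem, for reference (standard directives; zone name and
# rates are assumptions to tune per host). Put it in the host's custom nginx config:
#   limit_req_zone $binary_remote_addr zone=auth:10m rate=5r/m;
#   limit_req zone=auth burst=5 nodelay;

log=$(mktemp)
write_sample_log "$log"
echo "clients with 3 or more 401 responses:"
failed_auth_report "$log" 3
rm -f "$log"
```

Pointing this at the real log on a schedule, or handing the same 401 pattern to fail2ban as a filter, gives you the lockout nginx itself does not provide; 2FA, as noted above, has to come from the proxied application.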
