[Support] Djoss - Nginx Proxy Manager


Djoss


2 hours ago, oicydwa said:

I know how macvlan works. I just had esxi installed with docker running on fedora and all my containers were set up for macvlan. Everything was working fine, once I figured out how to do what I wanted it to do. Even had NginxProxyManager set up. However, I don't understand why the external port cannot be changed on a macvlan connection with some containers like this one on unraid. In order to run this proxy manager, I am forced to use non-standard http and https ports or risk port conflicts, and standard http and https ports on this one container are the most crucial because everything else I can just proxy. However when I was running it in docker on fedora I was able to adjust the external ports just fine. I don't understand how that functionality is lost simply because of the platform I'm running it on?!

<edit>

As for changing the ports means changing the container, I disagree. I only want to change the external ports.

Can you provide more details on how you were adjusting external ports on fedora?  Were you creating containers manually using the "docker run" command?

Link to comment
7 minutes ago, Djoss said:

Can you provide more details on how you were adjusting external ports on fedora?  Were you creating containers manually using the "docker run" command?

Yes. I did everything commandline, as docker cannot assign macvlan IPs and ports through portainer at all. Seems almost like docker doesn't want people using macvlan, and that doesn't make sense to me. I don't understand how 'bridge' can be called that, when it doesn't bridge to an actual device. I don't understand what benefit there is to virtualizing, if everything is only going to be accessible through that one IP. It boggles my mind. The more I research how to overcome this issue, the more I want to ditch unraid. It's got so much going for it that I love, but this one issue is a big one for me. Don't worry about it anymore. I think I'm going to just put fedora on a VM and put docker in it. Just irritates me. Thanks for your help though. NPM is a great software, I'm just frustrated with the lack of configuration for macvlan.

Link to comment
6 minutes ago, oicydwa said:

I don't understand how 'bridge' can be called that, when it doesn't bridge to an actual device.

Agree on this, the name is confusing!

7 minutes ago, oicydwa said:

I don't understand what benefit there is to virtualizing, if everything is only going to be accessible through that one IP. It boggles my mind.

I think it's not a virtualization benefit, but an isolation benefit.  A container can have multiple services running and you don't want/need to expose them to the whole network.  This way, you reduce the attack surface.  Also, I see a docker container as an application running on the host, not as a mini VM.  I have almost 40 containers running on unRAID and I'm happy they don't each take an IP.

14 minutes ago, oicydwa said:

I think I'm going to just put fedora on a VM and put docker in it

I would still be interested to see the docker command you use on fedora to create a container with macvlan and "external" ports adjusted.  Unless the container itself offers a way to configure the ports it uses, I don't see how this is possible.  But maybe I miss something :)

 

Finally, the docker command you use on fedora should also run on unRAID.  unRAID is just a Linux distro with docker installed.  There is no magic.

Link to comment
1 minute ago, Djoss said:

Agree on this, the name is confusing!

I think it's not a virtualization benefit, but an isolation benefit.  A container can have multiple services running and you don't want/need to expose them to the whole network.  This way, you reduce the attack surface.  Also, I see a docker container as an application running on the host, not as a mini VM.  I have almost 40 containers running on unRAID and I'm happy they don't each take an IP.

I would still be interested to see the docker command you use on fedora to create a container with macvlan and "external" ports adjusted.  Unless the container itself offers a way to configure the ports it uses, I don't see how this is possible.  But maybe I miss something :)

 

Finally, the docker command you use on fedora should also run on unRAID.  unRAID is just a Linux distro with docker installed.  There is no magic.

After I configure the macvlan interface, which took me almost 4 hours to figure out (I have a youtube video to prove it under this same name) all I do is run
And I just realized why this one looks differently. Apparently someone else has a docker image of this project and I used it on my fedora docker. Yours is the only one in Unraid apps.

 

docker run -d --network br0 --ip=10.1.0.7 -p 80:80 -p 81:81 -p 443:443 -v /home/user/npm/config.json:/app/config/production.json -v /home/user/npm/data:/data -v /home/user/npm/letsencrypt:/etc/letsencrypt --name NginxProxyManager jc21/nginx-proxy-manager:2

 

Regardless, it won't work either because of Unraid's limitation on configuring ports for macvlan. I have done some testing and apparently if I change the adapter to br0, I completely lose the ability to configure the ports. Which seems really dumb to me! I don't understand why they would even have macvlan as an option if you can't even configure the container at that point?!

Link to comment

As a point of fact though.... whenever I put in the above command it spun up the container and everything worked as expected (except I didn't  install mariadb yet) I did the same for your container 

docker run -d --network br0 --ip=10.1.0.7 -p 80:8080 -p 81:8181 -p 443:4443 -v /docker/appdata/nginx-proxy-manager:/config --name NginxProxy jlesage/nginx-proxy-manager

and your container forces 8080, 8181, and 4443.... So in the end, my biggest beef is with unraid's diminished support for macvlan, but also in part your container forcing those ports externally

Link to comment

I don't think there is any limitation with macvlan and unRAID.  The "-p" parameter in the docker run command is not used when using macvlan.

Try to change the mapping of a port.  For example, you could try the following command on fedora, with the jc21's container:

docker run -d --network br0 --ip=10.1.0.7 -p 80:80 -p 8181:81 -p 443:443 -v /home/user/npm/config.json:/app/config/production.json -v /home/user/npm/data:/data -v /home/user/npm/letsencrypt:/etc/letsencrypt --name NginxProxyManager jc21/nginx-proxy-manager:2

I'm pretty sure the management interface will still be reachable on port 81, not 8181 as indicated by the "-p" parameter.  You could also remove all "-p" parameters and all ports will still be accessible.

 

But I agree with you: since my container is not using ports 80 and 443, macvlan is not an option if you cannot configure port forwarding.

Note that I choose to use unprivileged ports so that nothing inside the container needs to be run as root, which is again a better security practice.

 

Link to comment
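
The behaviour described in the post above (with macvlan the "-p" mappings are not applied and the container's own ports are what clients reach) can be checked from `docker inspect` output. This is an added example, not code from any poster or from either container project; the JSON is a constructed sample shaped like the inspect output for the jlesage command in the thread, and `audit_ports`, `port_number` and `DRIVERS` are hypothetical names.

```python
import json

# Constructed sample shaped like `docker inspect` output for the thread's
# second command (-p 80:8080 -p 81:8181 -p 443:4443 on network br0).
# Assumption: the requested -p mappings are still recorded under PortBindings.
INSPECT = json.loads("""
{
  "Config": {"ExposedPorts": {"8080/tcp": {}, "8181/tcp": {}, "4443/tcp": {}}},
  "HostConfig": {
    "NetworkMode": "br0",
    "PortBindings": {
      "8080/tcp": [{"HostIp": "", "HostPort": "80"}],
      "8181/tcp": [{"HostIp": "", "HostPort": "81"}],
      "4443/tcp": [{"HostIp": "", "HostPort": "443"}]
    }
  },
  "NetworkSettings": {"Networks": {"br0": {"IPAddress": "10.1.0.7"}}}
}
""")

# Network name -> driver, as reported by `docker network inspect` (constructed).
DRIVERS = {"br0": "macvlan", "bridge": "bridge"}


def port_number(key):
    """'8080/tcp' -> 8080"""
    return int(key.split("/")[0])


def audit_ports(container, drivers):
    """Return (reachable, no_effect) for one container.

    reachable: (address, port) pairs a client can connect to.
    no_effect: (host_port, container_port) mappings that change nothing.
    """
    mode = container["HostConfig"]["NetworkMode"]
    bindings = container["HostConfig"].get("PortBindings") or {}
    mappings = sorted((int(b["HostPort"]), port_number(key))
                      for key, binds in bindings.items() for b in binds or [])
    if drivers.get(mode) == "macvlan":
        # The container owns its IP: no NAT, so -p is ignored. ExposedPorts is
        # only a hint; any port a process listens on is reachable on that IP.
        ip = container["NetworkSettings"]["Networks"][mode]["IPAddress"]
        exposed = container["Config"].get("ExposedPorts") or {}
        return sorted((ip, port_number(k)) for k in exposed), mappings
    # Bridge-style network: only published host ports are reachable.
    return sorted(("host", host) for host, _ in mappings), []
```

On a real host the two inputs would come from `docker inspect` on the container and `docker network inspect` on its network.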

Just a quick thank you Djoss -- I'm loving the ease of setting up reverse proxies for all the ridiculous stuff I previously had port-forwarded through my router. Using a DDNS integration between my router directly (AsusWrt Merlin firmware) to Google Domains, once I had the awareness to generate CNAME entries for the services I wanted access to -- and pointing those CNAMEs back to the synthetic DNS address -- using this proxy manager worked flawlessly. Really impressed with the ease and simplicity of this setup - especially since it's allowed someone like myself with little to no understanding of the complexities involved in manually creating a reverse proxy into a simple 10 minute affair. Thank you very, very much!

  • Like 1
Link to comment

Well, I just set this up for testing and I really like the WebUI.

I just set up a new SSL certificate via the UI, and according to the UI and the logs everything should be running.

After that I tried to set up my first reverse proxy to my speedtest docker.

Sadly, no matter what I choose I get a

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

error message in Chrome... any ideas?

If I try to connect from my phone (mobile connection) I get

ERR_SSL_PROTOCOL_ERROR

 

any ideas?

Link to comment
On 1/12/2019 at 12:34 PM, Random.Name said:

Well, I just set this up for testing and I really like the WebUI.

I just set up a new SSL certificate via the UI, and according to the UI and the logs everything should be running.

After that I tried to set up my first reverse proxy to my speedtest docker.

Sadly, no matter what I choose I get a

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

error message in Chrome... any ideas?

If I try to connect from my phone (mobile connection) I get


ERR_SSL_PROTOCOL_ERROR

 

any ideas?

Are you accessing the site via its DNS name? What is https://www.ssllabs.com/ssltest/analyze.html saying?

Link to comment

Hello, I am new here and use Unraid for the first time.
I would like to test the proxy manager and forward it to the Unraid GUI. If everything works, then Nextcloud, etc.

I put the Unraid GUI on port 8008. The ports for the proxy manager are set as in the picture.

 


 

In the router (FritzBox) I forwarded the ports 80 and 443 to the ports of the proxy manager. 80 -> 8080/443 -> 4443

In duckdns I have created a subdomain. What should I specify in the proxy manager? Which IP? The ones from Unraid or from the router?


Would be nice if someone could help me there. Many Thanks.

Link to comment
30 minutes ago, OOmatrixOO said:

Hello, I am new here and use Unraid for the first time.
I would like to test the proxy manager and forward it to the Unraid GUI. If everything works, then Nextcloud, etc.

I put the Unraid GUI on port 8008. The ports for the proxy manager are set as in the picture.

 


 

In the router (FritzBox) I forwarded the ports 80 and 443 to the ports of the proxy manager. 80 -> 8080/443 -> 4443

In duckdns I have created a subdomain. What should I specify in the proxy manager? Which IP? The ones from Unraid or from the router?


Would be nice if someone could help me there. Many Thanks.

You put the IP/port of the service you want to forward to on your local network.

So in your case, if you want to forward to unRAID UI, you put the local IP of unRAID and port 8008.

Link to comment
9 minutes ago, OOmatrixOO said:

Thanks, I changed this. Now I have the message 502 Bad Gateway.

This is usually shown when the forward IP/port is incorrect.  Is your unraid UI accessible via http or https?

 

You can also check /mnt/user/appdata/NginxProxyManager/log/nginx/error.log.  You should see messages about the failure.

Link to comment
10 hours ago, Djoss said:

This is usually shown when the forward IP/port is incorrect.  Is your unraid UI accessible via http or https?

 

You can also check /mnt/user/appdata/NginxProxyManager/log/nginx/error.log.  You should see messages about the failure.

Yes, you were right. 8008 is the http port. I have changed the Scheme to http and now the access works. Thank you for your help.

Link to comment

Thanks for this, works great and has saved me a ton of time!

 

I'm having an issue though. When I have my pihole running, I can't add ssl certs. I receive the error "Internal Error". I've disabled all blacklists in pihole yet something is still stopping it. Once I remove pihole from the equation everything works. I've watched the query log and not ever shows as blocked.

 

Any ideas?

Link to comment

If I go to the homepage listed in the OP, https://nginxproxymanager.jc21.com, and then click on the GitHub link on that page, I get a different github repository than listed in the OP, https://github.com/jlesage/docker-nginx-proxy-manager. So which one is the correct one? It appears that the Unraid template is using the jlesage repository, but in a previous post here, someone requested feature requests and bugs be reported to the jc21 repository. So, what's the difference and which one should we be using? If I'm using jlesage version on Unraid, why report bugs to jc21?

 

buzz 

Link to comment
11 hours ago, buzzra said:

So which one is the correct one?

They're both correct.  Depends upon what you want.  jc21 is the author of the app itself and maintains the github for the app.  DJoss is the author of the container (which includes the app) and maintains it.

 

11 hours ago, buzzra said:

why report bugs to jc21?

Because 99% of the time, any bug is with the app itself, and not with the container.

 

It's kinda akin to getting food poisoning from eating cereal.  Is the cereal itself bad (the app), or is it the box (djoss' container) that then transferred something to the cereal?

Edited by Squid
Link to comment
11 hours ago, Squid said:

They're both correct.  Depends upon what you want.  jc21 is the author of the app itself and maintains the github for the app.  DJoss is the author of the container (which includes the app) and maintains it.

 

Because 99% of the time, any bug is with the app itself, and not with the container.

 

It's kinda akin to getting food poisoning from eating cereal.  Is the cereal itself bad (the app), or is it the box (djoss' container) that then transferred something to the cereal?

Thanks for the explanation. Makes complete sense. And thanks Djoss for packaging this up in an Unraid container. I hope no one was offended by my questions. I just saw both and had not seen an explanation of the relationship. 

I will be installing this and moving my other containers to it. It looks to be VERY easy to manage. I have been using a sort of 'automatic' reverse proxy named nginx-proxy (https://hub.docker.com/r/jwilder/nginx-proxy/~/dockerfile/) but it took a lot to get it working in Unraid. 

 

Thanks again to everyone supporting this project.

 

buzz

Link to comment
On 1/18/2019 at 3:20 PM, Fiala06 said:

Thanks for this, works great and has saved me a ton of time!

 

I'm having an issue though. When I have my pihole running, I can't add ssl certs. I receive the error "Internal Error". I've disabled all blacklists in pihole yet something is still stopping it. Once I remove pihole from the equation everything works. I've watched the query log and not ever shows as blocked.

 

Any ideas?

Sorry, I never used pihole, but is it possible that it forces some http to https redirection?

Link to comment
