[Support] Djoss - Nginx Proxy Manager


Djoss


10 hours ago, flippedcracker said:

Tunable is set to Auto. File system is reiserfs. I've had this server for many many years.

The problem is the filesystem.  Mariadb uses an operation (fallocate) which is not supported by reiserfs...

4 hours ago, Kaizac said:

I have the NginxProxyManager docker on its own IP in the same VLAN as my other dockers. All other dockers also have their own IP in this VLAN. So I put the NginxProxyManager on ports 80 and 443 and I opened and forwarded these ports on my router to the IP of the NginxProxyManager.

 

Then when I add my proxy hosts and request the certificates I always get the error "Internal Error". When I look in my log it says the following:


Failed authorization procedure. bitwarden.mydomain.com (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://bitwarden.mydomain.com/.well-known/acme-challenge/As3xDn2mZgCJzRpsFyGtlXKog3UZBRzrsHVaActeN6s: Connection refused

 

The container is not reachable from the Internet.  Note that when assigning an IP to the container, you cannot choose the ports used by the container.   So you need to forward to the container HTTPS port 4443 and HTTP port 8080.

14 minutes ago, Djoss said:

The container is not reachable from the Internet.  Note that when assigning an IP to the container, you cannot choose the ports used by the container.   So you need to forward to the container HTTPS port 4443 and HTTP port 8080.

Ok so I changed this and it gives the error below. So then I disabled the Cloudflare CDN protection. And it works. So is it possible to get this working with the Cloudflare CDN/protection on, you think?

Failed authorization procedure. bitwarden.mydomain (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://bitwarden.mydomain/.well-known/acme-challenge/Z6vJRYrurz18JbcCPEeexbC1IhmWJoxfOFIY3jVRatw [2606:4700:30::681b:80cc]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js "

 

15 minutes ago, Kaizac said:

Ok so I changed this and it gives the error below. So then I disabled the Cloudflare CDN protection. And it works. So is it possible to get this working with the Cloudflare CDN/protection on, you think?


Failed authorization procedure. bitwarden.mydomain (http-01): urn:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://bitwarden.mydomain/.well-known/acme-challenge/Z6vJRYrurz18JbcCPEeexbC1IhmWJoxfOFIY3jVRatw [2606:4700:30::681b:80cc]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js "

 

What is the protection doing?  If it forces redirection to HTTPS, then I guess it won't work.  Unless you can disable the protection for specific URLs...

6 minutes ago, Djoss said:

What is the protection doing?  If it forces redirection to HTTPS, then I guess it won't work.  Unless you can disable the protection for specific URLs...

You made me remember, it's not the IP/CDN protection, it's a setting in Cloudflare. Someone else in this topic mentioned it. You have to disable the HTTPS rewrites. So I got most of my subdomains working. Two aren't, though, or not as desired (Nextcloud and OnlyOffice). Both of which require a more specific configuration. So what I can do is put my older NGINX config in, but then it has includes which it can't find.

I see that the standard configs are including files like block-exploits.conf. Are those accessible and editable somewhere? I can't find them, so I wonder if they are hardcoded/somewhere hidden.

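The two certbot failures quoted above have different causes (port 80 not forwarded to the container's 8080, and a forced HTTPS redirect in front of the proxy). As an added example, not code from the container or its author, this Python snippet parses such "Failed authorization procedure" lines and maps each symptom to the fix the thread arrived at; the sample lines are constructed from the quoted ones with the challenge tokens replaced.

```python
import re
# Certbot "Failed authorization procedure" line: domain, challenge, error URN, summary, detail.
_FAILURE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"(?P<urn>urn:acme:error:[\w-]+) :: (?P<summary>.*?) :: (?P<detail>.*)$", re.S)

# Constructed samples modelled on the lines quoted in this thread (tokens replaced).
SAMPLE_REFUSED = (
    "Failed authorization procedure. bitwarden.mydomain.com (http-01): urn:acme:error:connection"
    " :: The server could not connect to the client to verify the domain :: Fetching"
    " http://bitwarden.mydomain.com/.well-known/acme-challenge/TOKEN: Connection refused")
SAMPLE_HTTPS_REWRITE = (
    "Failed authorization procedure. bitwarden.mydomain.com (http-01): urn:acme:error:unauthorized"
    " :: The client lacks sufficient authorization :: Invalid response from"
    " https://bitwarden.mydomain.com/.well-known/acme-challenge/TOKEN [2606:4700:30::681b:80cc]:"
    " \"<!DOCTYPE html>\\n<!--[if lt IE 7]> <html class=\\\"no-js ie6 oldie\\\">\"")
SAMPLE_DEFAULT_PAGE = (
    "Failed authorization procedure. other.mydomain.com (http-01): urn:acme:error:unauthorized"
    " :: The client lacks sufficient authorization :: Invalid response from"
    " http://other.mydomain.com/.well-known/acme-challenge/TOKEN [203.0.113.10]:"
    " \"<!DOCTYPE html><html><body>default site</body></html>\"")

def parse_acme_failure(line: str):
    """Return the named fields of a certbot failure line, or None if it is not one."""
    m = _FAILURE.search(line)
    return m.groupdict() if m else None

def diagnose(line: str) -> str:
    """Map a failure line to the fix this thread arrived at for that symptom."""
    info = parse_acme_failure(line)
    if info is None:
        return "not an ACME authorization failure"
    urn, detail = info["urn"], info["detail"]
    if urn.endswith(":connection") and "refused" in detail.lower():
        # Nothing answered on port 80 of the public IP. With the container on its own IP
        # the router must forward 80 -> 8080 and 443 -> 4443 (the container's fixed ports).
        return "port 80 unreachable: forward 80->8080 and 443->4443 to the container"
    if urn.endswith(":unauthorized"):
        url = re.search(r"Invalid response from (\S+)", detail)
        if url and url.group(1).startswith("https://"):
            # The CA was bounced to HTTPS before nginx could serve the token, i.e. a forced
            # redirect (Cloudflare's automatic HTTPS rewrites here) sits in front of the proxy.
            return "challenge redirected to HTTPS: disable automatic HTTPS rewrites"
        if "<html" in detail.lower():
            # An HTML page answered the path over plain HTTP: typically no proxy host matched
            # the name, so the default/404 host replied instead of the ACME challenge location.
            return "HTML page served instead of the token: no proxy host matches this name"
        return "token not served: check the proxy host and challenge path"
    return f"unhandled ACME error {urn}"
```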
10 hours ago, Kaizac said:

I see that the standard configs are including files like block-exploits.conf. Are those accessible and editable somewhere? I can't find them, so I wonder if they are hardcoded/somewhere hidden.

Yes they are hard-coded files.  They are located under /etc/nginx in the container.

2 hours ago, Jclendineng said:

Just a heads up, the latest build does not respect custom ports.  Default right back to the stock ports :)

What do you mean exactly by "does not respect custom ports"?  You mean the port mappings between the host and the container?

16 minutes ago, Raz said:

If you don't have a static public IP, you need something like DuckDNS to point your domain/subdomains to your unRaid Server :)

I have a static IP... but then do I need to remember my IP for each "subdomain"? sonarr.##.##.##.## etc.?

Edited by Nyghthawk
Just now, Nyghthawk said:

I have a static IP... but then do I need to remember my IP for each "subdomain"? sonarr.##.##.##.## etc.?

Don't you have a domain name? You still need a domain name! If you don't have it, you have to use Duck DNS

3 minutes ago, Raz said:

Don't you have a domain name? You still need a domain name! If you don't have it, you have to use Duck DNS

So if I just buy a domain name from <insert provider>, I just create subdomains there and nameserver it to my static IP? Or

sonarr.mydomain.com points to 111.222.333.444:1234? Or should I still use this to hide the ports?

So then it's sonarr.mydomain points to sonarr.mypublicip

Edited by Nyghthawk
6 minutes ago, Nyghthawk said:

So if I just buy a domain name from <insert provider>, I just create subdomains there and nameserver it to my static IP? Or

sonarr.mydomain.com points to 111.222.333.444:1234? Or should I still use this to hide the ports?

So then it's sonarr.mydomain points to sonarr.mypublicip

If you buy your domain, you have to change the DNS records to point it to your public IP. So something like "sonarr.mydomain.com" points to "yourpublicip" and on nginx proxy manager you set up everything according to your configurations :)

4 minutes ago, Raz said:

If you buy your domain, you have to change the DNS records to point it to your public IP. So something like "sonarr.mydomain.com" points to "yourpublicip" and on nginx proxy manager you set up everything according to your configurations :)

thank you, will get on that!

On 3/2/2019 at 7:38 PM, Djoss said:

So if you have specific domain names, can't you block the ones you don't want by adding "404 Hosts"?

 

Btw, the ability to customize/disable the default page is a feature that has been requested on the project.

I can add 404 hosts, and have added the IP address as one as a temporary bandaid, but that only works until my dynamic IP changes.  Then I have to know that and manually change the 404 host.  Ideally, anything other than requests from mysubdomain.mydomain.com would just get dropped.  Even with 404 I see foreign bad guys trying to run exploits in the dead-hosts log.

On 3/2/2019 at 7:38 PM, Djoss said:

So if you have specific domain names, can't you block the ones you don't want by adding "404 Hosts"?

 

Btw, the ability to customize/disable the default page is a feature that has been requested on the project.

I just saw in the new version of the container that updated while I was back at the day job that there is a settings option to change the default site.  Well done, thanks!  My next question would be which is the best option for deterring bad guys?  404, 444, or maybe redirect?  Or do they all say enough to the prying eyes that the server is responding to requests so they keep at it?

 

Also, is fail2ban implementation forthcoming?  That would help solve the problem.

Edited by KG_NV

First of all, I would like to thank you for developing this docker. This is a fantastic tool for users with limited understanding of networking (like myself).

 

Now, on to the problem:

  • I configured Nginx Proxy Manager for 5 different proxy hosts - Sabnzbd, Sonarr, Radarr, Lidarr and Ombi
  • Everything else seems to work flawlessly except Ombi.
  • With Ombi, although I am able to get to the login page, it keeps looping back to the same page, when I click on the login button.
  • i.e. Instead of logging me into Ombi, it opens a new tab / window and goes back to the login screen.
  • Also, the same behavior is persistent on both Ombi native login and plex authorization. Have even tried the option to log a user based on just the username, but even that does not work.
  • I have checked the configuration file for Ombi and the options selected on that file are exactly the same as other proxy host config files.
  • I have included my config file below for your assistance:

# ------------------------------------------------------------
# ombi.mydomain.com
# ------------------------------------------------------------

server {
  set $forward_scheme http;
  set $server         "x.x.x.x";
  set $port           3579;

  listen 8080;
  listen 4443 ssl http2;

  server_name ombi.mydomain.com;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-7/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-7/privkey.pem;

  # Asset Caching
  include conf.d/include/assets.conf;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

  access_log /data/logs/proxy_host-5.log proxy;

  location / {
    # Force SSL
    include conf.d/include/force-ssl.conf;

    # WebSocket support (the "support websockets" option of the proxy host)
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_http_version 1.1;

    # Proxy!
    include conf.d/include/proxy.conf;
  }
}

 

---------------------------

 

Any help would be much appreciated.

 

Edit: Managed to fix the issue by disabling the support websockets option.

Edited by Dragnoballz
20 hours ago, KG_NV said:

Also, is fail2ban implementation forthcoming?  That would help solve the problem.

 

24 minutes ago, malac said:

Is fail2ban also in place?

 

This container doesn't have fail2ban.  I'm not sure this is the right place to implement it.  Doing so will probably cause issues if another container also implements it.  I think the best way would be to have one container (or the host) implementing fail2ban.  This instance could be used to monitor multiple log files from multiple containers.


So I had this long post about things not working. And I got it working.

 

However, need a bit of help on this last one.

 

Trying to get my unifi controller accessible. When I am local and I type http://localip:port to access the login, it lets me log in, then gives me an error on the certificate, etc. When I type in http://unifi.domain it asks to log in like normal, but then does not log in, giving me an error.


 

Is this a setting I am missing? Do I need to customize my commands for this one?

So far I think everything else is working. (crosses fingers)

 

 

Also, I did a blanket wildcard record on my domain, so all subdomains will point to "proxy manager has not been setup yet". Is this ok?

 

Also tried to add SSL, and I get an "internal error", and nothing works, any help with that? Apparently it creates an SSL but then I get a cipher mismatch or something like that error.

Edited by Nyghthawk
