dalben Posted August 22, 2019
On 8/19/2019 at 8:00 PM, Djoss said: You need to add a proxy host, where the forward ip and port point to your Unifi docker.
OK, after more reading I see that because I have Unifi on its own IP address, this won't work.
17 hours ago, dalben said: I'm sure this is a very basic question but I can't seem to find the answer. Is the nginx install of this docker geared/configured purely for remote proxy, or can it be used as a webserver as well?
After more reading, this is answered as well.
dalben Posted August 23, 2019 (edited)
On 8/19/2019 at 8:00 PM, Djoss said: You need to add a proxy host, where the forward ip and port point to your Unifi docker.
OK, I moved the Unifi container into bridge mode and set everything up. I get to the Unifi login prompt; entering the login and password gets me in, but I end up with a 400 error when it tries to load the controller. Has anyone got this working and if so, what are your settings?
EDIT: All sorted now. Needed to set the Force SSL option on.
Edited August 23, 2019 by dalben
BurntOC Posted September 1, 2019
Hey all - this thread got me to register and I'm making my way through it now to catch up, but after spending tons of hours trying to get traefik to work well for me and never quite getting there, I thought I'd try something different. As a reverse proxy, does this handle when containers or the server get restarted so that it doesn't require any manual intervention to reverse proxy for the containers again? Are HTTPS backend containers supported yet? TLS 1.3? Thank you for any updates.
Djoss Posted September 3, 2019 (Author)
On 9/1/2019 at 7:01 PM, BurntOC said: As a reverse proxy, does this handle when containers or the server get restarted so that it doesn't require any manual intervention to reverse proxy for the containers again?
Since there is no automatic configuration involved like Traefik, this doesn't apply.
On 9/1/2019 at 7:01 PM, BurntOC said: Are HTTPS backend containers supported yet?
Yes.
On 9/1/2019 at 7:01 PM, BurntOC said: TLS 1.3?
Yes.
InfInIty Posted September 9, 2019
So not sure if this is the place to ask this, but going to ask anyway. I work for an MSP and we use OpenDNS at our office and for most of our clients. While my domain is not explicitly blocked, it appears that OpenDNS deems it malware, and by policy OpenDNS just redirects to a different page. Edge will just go straight to the redirect. Firefox said it was a potential security issue, and if you advance then you get the redirect. I can try Chrome, but curious if anyone else runs into this. It could be due to my domain redirection. My top level domain points to a DuckDNS name instead of straight back to my IP, as I do not have a static IP from my ISP.
beverage Posted September 17, 2019
This app really piqued my interest, so I set things up last night, but ran into a snag. Setup: DuckDNS subdomain entry pointing to my public IP. Router ports forwarded to NPM. NPM proxy host pointing to a docker app. Connecting from an external address, it works fine and responsiveness is good. When I connect from within my LAN using the same DuckDNS subdomain it's extremely slow (as in 15+ minutes just to see the app login screen). It seems to eventually get through, but it's unusable. From the LAN, if I just use the internal IP and port for the app directly, it's good. I'm a bit out of my element, but I think I'm experiencing a NAT issue. I've scoured my router (Hitron CODA-4589 - provided by ISP) settings for anything resembling NAT reflection/redirection/etc., but I cannot find anything. Any guidance would be greatly appreciated!
Djoss Posted September 19, 2019 (Author)
On 9/17/2019 at 2:38 PM, beverage said: This app really piqued my interest, so I set things up last night, but ran into a snag. Setup: DuckDNS subdomain entry pointing to my public IP. Router ports forwarded to NPM. NPM proxy host pointing to a docker app. Connecting from an external address, it works fine and responsiveness is good. When I connect from within my LAN using the same DuckDNS subdomain it's extremely slow (as in 15+ minutes just to see the app login screen). It seems to eventually get through, but it's unusable. From the LAN, if I just use the internal IP and port for the app directly, it's good. I'm a bit out of my element, but I think I'm experiencing a NAT issue. I've scoured my router (Hitron CODA-4589 - provided by ISP) settings for anything resembling NAT reflection/redirection/etc., but I cannot find anything. Any guidance would be greatly appreciated!
Yes, this looks like a NAT/routing issue. Do you have a way to override DNS names on your router? If yes, you could try to map your DuckDNS name to your local IP address.
BurntOC Posted September 22, 2019
Is there any chance you can set this up, or help me set this up, to work with something like tecnativa/docker-socket-proxy? I imagine someone with the skills can make this adjustment pretty easily, and the security benefit of talking to the socket-proxy as a sidecar vs exposing it directly to containers that could, through individual exploits, jeopardize the entire container stack could be huge. Especially for those of us with a lot of important media at risk (though I'm using a temporary solution for that part until I stand Unraid up). I've been working to do it with either traefik or jc21/nginx-proxy-manager but your approach may be the most straightforward.
Djoss Posted September 23, 2019 (Author)
17 hours ago, BurntOC said: Is there any chance you can set this up, or help me set this up, to work with something like tecnativa/docker-socket-proxy? I imagine someone with the skills can make this adjustment pretty easily and the security benefit of talking to the socket-proxy as a sidecar vs exposing it directly to containers that could through individual exploits jeopardize the entire container stack could be huge. Especially for those of us with a lot of important media at risk (though I'm using a temporary solution for that part until I stand Unraid up). I've been working to do it with either traefik or jc21/nginx-proxy-manager but your approach may be the most straightforward.
Not sure why you need tecnativa/docker-socket-proxy, since the Nginx Proxy Manager container doesn't need and doesn't expose the docker socket.
BurntOC Posted September 23, 2019
8 hours ago, Djoss said: Not sure why you need tecnativa/docker-socket-proxy, since Nginx Proxy Manager container doesn't need and doesn't expose the docker socket.
So I think my understanding of this is evolving, thankfully. Unlike traefik, there's no automatic configuration, so using nginx as a proxy you're specifying virtual hosts manually, right? I've heard comments about nginx not handling restarts as well, with some of those comments implying it's due to the random IP assignment, but they're so few and far between I'm guessing that if you define the virtual hosts in your compose you'd be fine even after restarts? If that's all right then so far so good. I guess I'm still unclear on how nginx-proxy-manager doesn't need the socket. Is it because they use docker-gen and that doesn't need it the same way traefik or haproxy do? Sorry for all the questions, but I'm easily 40 hours into my attempts to get a basic setup working that can reverse proxy requests from my semi-protected IoT/DMZ network to local containers and some others via SSL to a media server in my guest network, in a way that isn't unsat from the start due to accessing the docker socket in a way (e.g. traefik mounting docker.sock) that exposes the entire stack to RCE if the proxy is exploited. I need a super secure reverse proxy to docker containers, and maybe it will all have to live on that host because I'm too early in my journey, but I can't even get that fundamental necessity running properly. So frustrating...
GreenEyedMonster Posted September 24, 2019
I can't seem to get Nextcloud to work. I keep getting this error: "400 Bad Request The plain HTTP request was sent to HTTPS port nginx/1.16.1". Any ideas? I'm a bit at a loss.
beverage Posted September 24, 2019
I have NPM working using the LetsEncrypt certificates; however, I'd like to eliminate the port 80 forwarding in my firewall. Has anyone set up NPM to work with Cloudflare DNS verification and their universal certificate? I saw SpaceInvader One's LetsEncrypt video here: How to Use DNS Verification with your Reverse Proxy & use a Wildcard SSL Certificate, but I haven't been able to figure out how to translate it to NPM.
Djoss Posted September 25, 2019 (Author)
On 9/23/2019 at 2:31 PM, BurntOC said: So I think my understanding of this is evolving, thankfully. Unlike traefik, there's no automatic configuration so using nginx as a proxy you're specifying virtual hosts manually, right? I've heard comments about nginx not handling restarts as well, with some of those comments implying it's due to the random IP assignment, but they're so few and far between I'm guessing that if you define the virtual hosts in your compose you'd be fine even after restarts? If that's all right then so far so good. I guess I'm still unclear on how nginx-proxy-manager doesn't need the socket. Is it because they use docker-gen and that doesn't need it the same way traefik or haproxy do? Sorry for all the questions, but I'm easily 40 hours into my attempts to get a basic setup working that can reverse proxy requests from my semi-protected IOT/DMZ network to local containers and some others via SSL to a media server in my guest network in a way that isn't unsat from the start due to accessing docker-socket in a way (e.g. traefik mounting docker.sock) that exposes the entire stack to RCE if the proxy is exploited. I need a super secure reverse proxy to docker containers and maybe it will all have to live on that host because I'm too early in my journey, but I can't even get that fundamental necessity running properly. So frustrating...
traefik requires access to the docker socket to perform automatic configuration of containers running on the host. But this is not a usual case, and most containers don't need access to the docker socket. Nginx Proxy Manager does not perform automatic configuration: you need to configure the services you want to proxy yourself. Configuration is persistent across restarts.
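The exposure BurntOC and Djoss discuss is a container that bind-mounts the Docker socket: if that container is compromised, the attacker controls the Docker daemon and so every other container on the host. The script below is an added example, not part of this thread or of Nginx Proxy Manager; it lists the services in a docker-compose file that mount docker.sock, so an operator can see which ones actually need it. The compose file is a constructed sample with placeholder image names.

```shell
#!/bin/sh
# Added example (not from the thread): report which compose services
# bind-mount the Docker socket. Assumes compose YAML with services
# indented by two spaces and their keys (image, volumes, ...) by four.

# Print the names of services whose "volumes:" entries reference docker.sock.
socket_mount_services() {
    awk '
        # A line with no leading space is a top-level key: leave any service.
        /^[^ ]/            { svc = "" }
        # Two-space indented "name:" line starts a service block.
        /^  [A-Za-z0-9_.-]+:[[:space:]]*$/ { svc = $1; sub(":", "", svc) }
        # Any docker.sock reference inside a service block is reported.
        /docker\.sock/ && svc != "" { print svc }
    ' "$1" | sort -u
}

# Constructed sample compose file: traefik and portainer mount the socket,
# the proxy manager does not (it only needs its published ports).
SAMPLE_COMPOSE=$(mktemp)
cat > "$SAMPLE_COMPOSE" <<'EOF'
version: "3"
services:
  traefik:
    image: traefik
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
  npm:
    image: jc21/nginx-proxy-manager
    ports:
      - "80:80"
      - "443:443"
  portainer:
    image: portainer/portainer
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
volumes:
  npm-data: {}
EOF

# Stand-alone run: prints "portainer" and "traefik", one per line.
socket_mount_services "$SAMPLE_COMPOSE"
```

Even a read-only (`:ro`) mount still grants full API access to the daemon, so the list is the set of containers whose compromise would reach the whole stack.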
Djoss Posted September 25, 2019 (Author)
18 hours ago, GreenEyedMonster said: I can't seem to get Nextcloud to work. I keep getting this error. "400 Bad Request The plain HTTP request was sent to HTTPS port nginx/1.16.1" Any ideas? I'm a bit at a loss.
How did you configure your proxy host?
Djoss Posted September 25, 2019 (Author)
9 hours ago, beverage said: I have NPM working using the LetsEncrypt certificates, however, I'd like to eliminate the port 80 forwarding in my firewall. Has anyone setup NPM to work with Cloudflare DNS verification and their universal certificate? I saw SpaceInvader One's LetsEncrypt video here: How to Use DNS Verification with your Reverse Proxy & use a Wildcard SSL Certificate but I haven't been able to figure out how to translate it to NPM.
To handle the HTTPS connection between NPM and Cloudflare, you basically need to manually import certificates in NPM. Depending on the SSL mode you choose, this cert must be the one from Cloudflare or a self-signed one. To import a certificate, under the "SSL Certificates" page, click the "Add SSL Certificate" button, then choose "Custom".
BurntOC Posted September 25, 2019
6 hours ago, Djoss said: traefik requires access to the docker socket to perform automatic configuration of containers running on the host. But this is not a usual case and most containers don't need access to the docker socket. Nginx Proxy Manager does not perform automatic configuration: you need to configure yourself the services you want to proxy. Configuration is persistent across restarts.
Thank you. I'm clear on it now, and I'm happy to report I was able to get a basic setup working this way with traefik and another with NPM and dockergen.
beverage Posted September 25, 2019
16 hours ago, Djoss said: To handle the HTTPs connection between NPM and Cloudflare, you basically need to manually import certificates in NPM. Depending on the SSL mode you choose, this cert must be the one from Cloudflare or a self-signed one. To import a certificate, under the "SSL Certificates" page, click the "Add SSL Certificate" button, then choose "Custom".
Okay. Thanks. Was hoping there was a way to use my Cloudflare API key to somehow automatically pick up their universal certificate. Manually importing means I'll have to manually update it periodically. Not the end of the world, and no rush anyway, since the LetsEncrypt approach is working.
GreenEyedMonster Posted September 26, 2019 (edited)
On 9/24/2019 at 8:04 PM, Djoss said: How did you configure your proxy host?
I'm an idiot, figured it out! Just in case anyone else is going through this same issue: I had the website as HTTP, not HTTPS, on the first setup page. Changed it to HTTPS and now it works.
Edited September 26, 2019 by GreenEyedMonster
jj_uk Posted October 7, 2019 (edited)
On 4/1/2019 at 12:57 PM, Lebowski said: anyone have this going with Home Assistant? I have it working fine, but on some occasions I have to hit the "retry" button to login. After clicking retry its fine. It can cause the IOS app to be blocked for a short period but it also comes good if you force close the app and re-open. I figure I might need to add extra settings for 100% compatibility?
Did you figure this out? I am trying to use this for Home Assistant, but after I enter credentials on the HA login page, I get the error with a "retry" link.
Edited October 7, 2019 by jj_uk
Brydezen Posted October 10, 2019
Anyone know how, or if, this awesome docker supports htaccess password protection?
Djoss Posted October 10, 2019 (Author)
1 hour ago, Brydezen said: anyone know how or if this awesome docker support htaccess password protection?
Yes, you can create an "Access List" and then assign it to a "Proxy Host".
Brydezen Posted October 10, 2019
1 minute ago, Djoss said: Yes, you can create an "Access List" and then assign it to a "Proxy Host".
Still can't get it to work.
Brydezen Posted October 10, 2019 (edited)
The error log says password mismatch, and there is no way I typed "lol" wrong four times. And it also keeps saying that "admin" was not found.
2019/10/10 19:00:46 [notice] 1022#1022: signal process started
2019/10/10 19:01:00 [notice] 1031#1031: signal process started
2019/10/10 19:01:02 [error] 1032#1032: *115 user "admin" was not found in "/data/access/2", client: 176.XXX.XXX.X, server: portainer.domain.tld, request: "GET / HTTP/2.0", host: "portainer.domain.tld", referrer: "https://proxy.domain.tld/nginx/proxy"
Edited October 10, 2019 by Brydezen: some log provided
Djoss Posted October 10, 2019 (Author)
13 minutes ago, Brydezen said: - the error log says password mismatch and that is no way I typed "lol" wrong four times. And it also keeps saying that "admin" was not found.
2019/10/10 19:00:46 [notice] 1022#1022: signal process started
2019/10/10 19:01:00 [notice] 1031#1031: signal process started
2019/10/10 19:01:02 [error] 1032#1032: *115 user "admin" was not found in "/data/access/2", client: 176.XXX.XXX.X, server: portainer.domain.tld, request: "GET / HTTP/2.0", host: "portainer.domain.tld", referrer: "https://proxy.domain.tld/nginx/proxy"
Do you have the "admin" user in your access list? Try:
cat /mnt/user/appdata/NginxProxyManager/access/2
Brydezen Posted October 10, 2019 (edited)
32 minutes ago, Djoss said: Do you have the "admin" user in your access list? Try: cat /mnt/user/appdata/NginxProxyManager/access/2
I only have one user named lol and the password is also lol. Does it only work if the username is admin?
EDIT: I just tried doing the auth in a new browser (Firefox) and it worked flawlessly. But Chrome seems to mess me up.
Edited October 10, 2019 by Brydezen: edits
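The nginx error above distinguishes two failures: "user ... was not found" means the browser sent a username that has no line in the access-list file, while "password mismatch" means the user exists and the hash did not match. The script below is an added example, not from the thread or from Nginx Proxy Manager: it pulls the user and the access file out of such a log line and checks the user against an htpasswd-style file, which is what Djoss's `cat` suggestion does by eye. The log line and the access file are constructed samples; the hash value is a placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): explain an nginx auth_basic
# "user not found" error against the access-list file it names.

# Extract the quoted user name from a "user "X" was not found" error line.
log_user() {
    printf '%s\n' "$1" | sed -n 's/.*user "\([^"]*\)" was not found.*/\1/p'
}

# Extract the access-list file path nginx consulted from the same line.
log_access_file() {
    printf '%s\n' "$1" | sed -n 's/.*was not found in "\([^"]*\)".*/\1/p'
}

# Return 0 if the user has a line in the htpasswd-style file, 1 otherwise.
# Lines look like  user:$apr1$salt$hash  so we anchor on "user:".
user_in_access_file() {
    user=$1
    file=$2
    [ -r "$file" ] || return 1
    grep -q "^$user:" "$file"
}

# Return 0 if the user exists (so a failure would be a wrong password),
# 1 if the user is missing from the list, 2 if the line is not this error.
diagnose() {
    line=$1
    file=$2
    u=$(log_user "$line")
    [ -n "$u" ] || { echo "no 'user not found' error in this line"; return 2; }
    if user_in_access_file "$u" "$file"; then
        echo "user '$u' exists in $file; a remaining failure is a password mismatch"
        return 0
    fi
    echo "user '$u' is not in $file; the access list has no such user"
    return 1
}

# Constructed sample: the thread's log line, client IP already masked.
SAMPLE_LINE='2019/10/10 19:01:02 [error] 1032#1032: *115 user "admin" was not found in "/data/access/2", client: 176.XXX.XXX.X, server: portainer.domain.tld, request: "GET / HTTP/2.0", host: "portainer.domain.tld"'

# Constructed access file with the single user "lol" (placeholder hash).
SAMPLE_FILE=$(mktemp)
printf 'lol:$apr1$placeholdersalt$placeholderhash\n' > "$SAMPLE_FILE"

# Stand-alone run: reports that "admin" is missing from the sample list.
diagnose "$SAMPLE_LINE" "$SAMPLE_FILE" || :
```

In the thread's case the browser was sending a cached "admin" credential rather than the configured "lol" user, which is why a fresh browser profile worked.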