[Support] Djoss - Nginx Proxy Manager


Djoss


On 8/19/2019 at 8:00 PM, Djoss said:

You need to add a proxy host, where the forward ip and port point to your Unifi docker.

OK, after more reading I see that because I have Unifi on its own IP address this won't work.

17 hours ago, dalben said:

I'm sure this is a very basic question but I can't seem to find the answer.  Is the nginx install of this docker geared/configured purely for remote proxy, or can it be used as a webserver as well?

After more reading, this is answered as well.

Link to comment
On 8/19/2019 at 8:00 PM, Djoss said:

You need to add a proxy host, where the forward ip and port point to your Unifi docker.

OK, I moved the unifi container into bridge mode.  Set everything up.  I get to the Unifi login prompt.  I enter login and password, that gets me in, but I end up with a 400 error when it tries to load the controller.


Has anyone got this working and if so, what are your settings ?

 

EDIT: All sorted now.  Needed to set the Force SSL option on

Edited by dalben
Link to comment
  • 2 weeks later...

Hey all - this thread got me to register and I'm making my way through it now to catch up, but after spending tons of hours trying to get traefik to work well for me and never quite getting there I thought I'd try something different.

 

As a reverse proxy, does this handle when containers or the server get restarted so that it doesn't require any manual intervention to reverse proxy for the containers again?  Are HTTPS backend containers supported yet?  TLS 1.3?  

 

Thank you for any updates.

Link to comment
On 9/1/2019 at 7:01 PM, BurntOC said:

As a reverse proxy, does this handle when containers or the server get restarted so that it doesn't require any manual intervention to reverse proxy for the containers again?

Since there is no automatic configuration involved, unlike Traefik, this doesn't apply.

On 9/1/2019 at 7:01 PM, BurntOC said:

Are HTTPS backend containers supported yet?

Yes.

On 9/1/2019 at 7:01 PM, BurntOC said:

TLS 1.3?

Yes.

Link to comment

So not sure if this is place to ask this, but going to ask anyway.

 

I work for an MSP and we use OpenDNS at our office and for most of our clients.  While my domain is not explicitly blocked, it appears that OpenDNS thinks it is malware, and by policy OpenDNS just redirects to a different page.  Edge goes straight to the redirect.  Firefox said it was a potential security issue, and if you advance then you get the redirect.  I can try chrome, but curious if anyone else runs into this.

 

It could be due to my domain redirection.  My top level domain points to a duckdns instead of straight back to my IP as I do not have a static IP from my ISP.

Link to comment
  • 2 weeks later...

This app really piqued my interest, so I set things up last night, but ran into a snag.  Setup: DuckDNS subdomain entry pointing to my public IP.  Router ports forwarded to NPM.  NPM proxy host pointing to a docker app.

 

Connecting from an external address, it works fine and responsiveness is good.  When I connect from within my LAN using the same DuckDNS subdomain it's extremely slow (as in 15+ minutes just to see the app login screen).  It seems to eventually get through, but it's unusable.  From the LAN, if I just use the internal IP and port for the app directly, it's good.

 

I'm a bit out of my element, but I think I'm experiencing a NAT issue.  I've scoured my router (Hitron CODA-4589 - provided by ISP) settings for anything resembling NAT reflection/redirection/etc., but I cannot find anything.  Any guidance would be greatly appreciated!

Link to comment
On 9/17/2019 at 2:38 PM, beverage said:

This app really piqued my interest, so I set things up last night, but ran into a snag.  Setup: DuckDNS subdomain entry pointing to my public IP.  Router ports forwarded to NPM.  NPM proxy host pointing to a docker app.

 

Connecting from an external address, it works fine and responsiveness is good.  When I connect from within my LAN using the same DuckDNS subdomain it's extremely slow (as in 15+ minutes just to see the app login screen).  It seems to eventually get through, but it's unusable.  From the LAN, if I just use the internal IP and port for the app directly, it's good.

 

I'm a bit out of my element, but I think I'm experiencing a NAT issue.  I've scoured my router (Hitron CODA-4589 - provided by ISP) settings for anything resembling NAT reflection/redirection/etc., but I cannot find anything.  Any guidance would be greatly appreciated!

Yes, this looks like a NAT/routing issue.  Do you have a way to override DNS names on your router?  If yes, you could try to map your DuckDNS name to your local IP address.

Link to comment

Is there any chance you can set this up, or help me set this up, to work with something like tecnativa/docker-socket-proxy?  I imagine someone with the skills can make this adjustment pretty easily and the security benefit of talking to the socket-proxy as a sidecar vs exposing it directly to containers that could through individual exploits jeopardize the entire container stack could be huge.  Especially for those of us with a lot of important media at risk (though I'm using a temporary solution for that part until I stand Unraid up). 

 

I've been working to do it with either traefik or jc21/nginx-proxy-manager but your approach may be the most straightforward. 

Link to comment
17 hours ago, BurntOC said:

Is there any chance you can set this up, or help me set this up, to work with something like tecnativa/docker-socket-proxy?  I imagine someone with the skills can make this adjustment pretty easily and the security benefit of talking to the socket-proxy as a sidecar vs exposing it directly to containers that could through individual exploits jeopardize the entire container stack could be huge.  Especially for those of us with a lot of important media at risk (though I'm using a temporary solution for that part until I stand Unraid up). 

 

I've been working to do it with either traefik or jc21/nginx-proxy-manager but your approach may be the most straightforward. 

Not sure why you need tecnativa/docker-socket-proxy, since the Nginx Proxy Manager container doesn't need the docker socket and doesn't expose it.

Link to comment
8 hours ago, Djoss said:

Not sure why you need tecnativa/docker-socket-proxy, since the Nginx Proxy Manager container doesn't need the docker socket and doesn't expose it.

So I think my understanding of this is evolving, thankfully.  Unlike traefik, there's no automatic configuration so using nginx as a proxy you're specifying virtual hosts manually, right?  I've heard comments about nginx not handling restarts as well, with some of those comments implying it's due to the random IP assignment, but they're so few and far between I'm guessing that if you define the virtual hosts in your compose you'd be fine even after restarts? 

 

If that's all right then so far so good.  I guess I'm still unclear on how nginx-proxy-manager doesn't need the socket.  Is it because they use docker-gen and that doesn't need it the same way traefik or haproxy do? 

 

Sorry for all the questions, but I'm easily 40 hours into my attempts to get a basic setup working that can reverse proxy requests from my semi-protected IOT/DMZ network to local containers and some others via SSL to a media server in my guest network in a way that isn't unsat from the start due to accessing docker-socket in a way (e.g. traefik mounting docker.sock) that exposes the entire stack to RCE if the proxy is exploited.

 

I need a super secure reverse proxy to docker containers and maybe it will all have to live on that host because I'm too early in my journey, but I can't even get that fundamental necessity running properly.  So frustrating...

Link to comment

I have NPM working using the LetsEncrypt certificates, however, I'd like to eliminate the port 80 forwarding in my firewall.  Has anyone set up NPM to work with Cloudflare DNS verification and their universal certificate?

 

I saw SpaceInvader One's LetsEncrypt video here: How to Use DNS Verification with your Reverse Proxy & use a Wildcard SSL Certificate, but I haven't been able to figure out how to translate it to NPM.

 

Link to comment
On 9/23/2019 at 2:31 PM, BurntOC said:

So I think my understanding of this is evolving, thankfully.  Unlike traefik, there's no automatic configuration so using nginx as a proxy you're specifying virtual hosts manually, right?  I've heard comments about nginx not handling restarts as well, with some of those comments implying it's due to the random IP assignment, but they're so few and far between I'm guessing that if you define the virtual hosts in your compose you'd be fine even after restarts? 

 

If that's all right then so far so good.  I guess I'm still unclear on how nginx-proxy-manager doesn't need the socket.  Is it because they use docker-gen and that doesn't need it the same way traefik or haproxy do? 

 

Sorry for all the questions, but I'm easily 40 hours into my attempts to get a basic setup working that can reverse proxy requests from my semi-protected IOT/DMZ network to local containers and some others via SSL to a media server in my guest network in a way that isn't unsat from the start due to accessing docker-socket in a way (e.g. traefik mounting docker.sock) that exposes the entire stack to RCE if the proxy is exploited.

 

I need a super secure reverse proxy to docker containers and maybe it will all have to live on that host because I'm too early in my journey, but I can't even get that fundamental necessity running properly.  So frustrating...

traefik requires access to the docker socket to perform automatic configuration of containers running on the host.  But this is not a usual case and most containers don't need access to the docker socket.  Nginx Proxy Manager does not perform automatic configuration: you need to configure the services you want to proxy yourself.  Configuration is persistent across restarts.

Link to comment
9 hours ago, beverage said:

I have NPM working using the LetsEncrypt certificates, however, I'd like to eliminate the port 80 forwarding in my firewall.  Has anyone set up NPM to work with Cloudflare DNS verification and their universal certificate?

 

I saw SpaceInvader One's LetsEncrypt video here: How to Use DNS Verification with your Reverse Proxy & use a Wildcard SSL Certificate, but I haven't been able to figure out how to translate it to NPM.

 

To handle the HTTPS connection between NPM and Cloudflare, you basically need to manually import certificates in NPM.  Depending on the SSL mode you choose, this cert must be the one from Cloudflare or a self-signed one.

 

To import a certificate, under the "SSL Certificates" page, click the "Add SSL Certificate" button, then choose "Custom".

Link to comment
6 hours ago, Djoss said:

traefik requires access to the docker socket to perform automatic configuration of containers running on the host.  But this is not a usual case and most containers don't need access to the docker socket.  Nginx Proxy Manager does not perform automatic configuration: you need to configure the services you want to proxy yourself.  Configuration is persistent across restarts.

Thank you.  I'm clear on it now, and I'm happy to report I was able to get a basic setup working this way with traefik and another with NPM and dockergen.

Link to comment
16 hours ago, Djoss said:

To handle the HTTPS connection between NPM and Cloudflare, you basically need to manually import certificates in NPM.  Depending on the SSL mode you choose, this cert must be the one from Cloudflare or a self-signed one.

 

To import a certificate, under the "SSL Certificates" page, click the "Add SSL Certificate" button, then choose "Custom".

Okay.  Thanks.  Was hoping there was a way to use my Cloudflare API key to somehow automatically pick up their universal certificate.  Manually importing means I'll have to manually update it periodically.  Not the end of the world, and no rush anyway, since the LetsEncrypt approach is working.

Link to comment
  • 2 weeks later...
On 4/1/2019 at 12:57 PM, Lebowski said:

anyone have this going with Home Assistant? I have it working fine, but on some occasions I have to hit the "retry" button to login. After clicking retry it's fine. It can cause the iOS app to be blocked for a short period but it also comes good if you force close the app and re-open.

 

I figure I might need to add extra settings for 100% compatibility?

Did you figure this out?

 

I am trying to use this for Home assistant, but after I enter credentials on the HA login page, I get the error with a "retry" link.

Edited by jj_uk
Link to comment

- the error log says password mismatch and there is no way I typed "lol" wrong four times. And it also keeps saying that "admin" was not found.

 

2019/10/10 19:00:46 [notice] 1022#1022: signal process started
2019/10/10 19:01:00 [notice] 1031#1031: signal process started
2019/10/10 19:01:02 [error] 1032#1032: *115 user "admin" was not found in "/data/access/2", client: 176.XXX.XXX.X, server: portainer.domain.tld, request: "GET / HTTP/2.0", host: "portainer.domain.tld", referrer: "https://proxy.domain.tld/nginx/proxy"

 

Edited by Brydezen
some log provided
Link to comment
13 minutes ago, Brydezen said:

- the error log says password mismatch and there is no way I typed "lol" wrong four times. And it also keeps saying that "admin" was not found.

 


2019/10/10 19:00:46 [notice] 1022#1022: signal process started
2019/10/10 19:01:00 [notice] 1031#1031: signal process started
2019/10/10 19:01:02 [error] 1032#1032: *115 user "admin" was not found in "/data/access/2", client: 176.XXX.XXX.X, server: portainer.domain.tld, request: "GET / HTTP/2.0", host: "portainer.domain.tld", referrer: "https://proxy.domain.tld/nginx/proxy"

 

 

Do you have the "admin" user in your access list?  Try:

cat /mnt/user/appdata/NginxProxyManager/access/2

 

Link to comment
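As an added example (not from this thread and not part of Nginx Proxy Manager itself), here is a small Python script that does what Djoss suggests above in a repeatable way: it pulls the basic-auth failures out of nginx error-log lines like the ones Brydezen posted, counts them per client address, and checks the rejected usernames against the access-list file. The `user "..." was not found in "..."` wording is taken from the log quoted in the thread; the `password mismatch` wording, and the assumption that `/data/access/N` is a plain `user:hash` file as read by nginx's `auth_basic_user_file`, come from the nginx auth_basic module and are assumptions here. The log lines and the access file below are constructed (documentation IP ranges, placeholder hash).

```python
import re
from collections import Counter

# Constructed sample error-log lines. The "was not found" line mirrors the one
# quoted in the thread; the "password mismatch" wording is nginx's auth_basic
# module message and is assumed here. Client IPs are documentation ranges.
SAMPLE_LOG = """\
2019/10/10 19:00:46 [notice] 1022#1022: signal process started
2019/10/10 19:01:02 [error] 1032#1032: *115 user "admin" was not found in "/data/access/2", client: 203.0.113.7, server: portainer.domain.tld, request: "GET / HTTP/2.0", host: "portainer.domain.tld"
2019/10/10 19:01:05 [error] 1032#1032: *116 user "lol": password mismatch, client: 203.0.113.7, server: portainer.domain.tld, request: "GET / HTTP/2.0", host: "portainer.domain.tld"
2019/10/10 19:01:09 [error] 1032#1032: *117 user "lol": password mismatch, client: 198.51.100.23, server: portainer.domain.tld, request: "GET / HTTP/2.0", host: "portainer.domain.tld"
2019/10/10 19:01:12 [error] 1032#1032: *118 user "root" was not found in "/data/access/2", client: 198.51.100.23, server: portainer.domain.tld, request: "GET / HTTP/2.0", host: "portainer.domain.tld"
"""

# Constructed access-list file in the user:hash layout nginx's auth_basic_user_file
# reads (assumed to be what NPM writes under /data/access/N). The hash is a placeholder.
SAMPLE_ACCESS_FILE = """\
# constructed example; not a real hash
lol:$apr1$PLACEHOLDER$PLACEHOLDERHASH
"""

# Matches both auth_basic failure messages and captures who, from where, and why.
AUTH_FAILURE_RE = re.compile(
    r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[error\] \S+ \*\d+ '
    r'user "(?P<user>[^"]*)"'
    r'(?: was not found in "(?P<file>[^"]+)"|: password mismatch)'
    r', client: (?P<client>[^,]+)'
)


def parse_auth_failures(log_text):
    """Extract basic-auth failures from nginx error-log text as a list of dicts."""
    failures = []
    for line in log_text.splitlines():
        m = AUTH_FAILURE_RE.match(line)
        if not m:
            continue  # notices and unrelated errors are skipped
        failures.append({
            "ts": m.group("ts"),
            "user": m.group("user"),
            "client": m.group("client").strip(),
            # the "file" group is only present on the "was not found" variant
            "reason": "unknown_user" if m.group("file") else "bad_password",
            "file": m.group("file"),
        })
    return failures


def users_in_access_list(access_file_text):
    """Usernames present in a user:hash access-list file (comments and blanks skipped)."""
    users = set()
    for line in access_file_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        users.add(line.split(":", 1)[0])
    return users


def failures_per_client(failures):
    """Failures per client address: a handful from your own IP is a typo,
    a steady stream from elsewhere is worth looking at."""
    return Counter(f["client"] for f in failures)


def unknown_users(failures, access_file_text):
    """Usernames nginx rejected as unknown that really are absent from the list."""
    known = users_in_access_list(access_file_text)
    return sorted({f["user"] for f in failures
                   if f["reason"] == "unknown_user" and f["user"] not in known})


if __name__ == "__main__":
    found = parse_auth_failures(SAMPLE_LOG)
    for f in found:
        print(f'{f["ts"]} {f["client"]:>15} {f["user"]!r:10} {f["reason"]}')
    print("per client:", dict(failures_per_client(found)))
    print("unknown users:", unknown_users(found, SAMPLE_ACCESS_FILE))
```

On a real box you would feed it the proxy's error log and the access file Djoss names (`/mnt/user/appdata/NginxProxyManager/access/2` on the Unraid host); a browser that keeps sending a stale or wrong username, as in Brydezen's Chrome case, shows up as repeated `unknown_user` or `bad_password` entries from one LAN address, which is easy to tell apart from attempts arriving from outside.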
32 minutes ago, Djoss said:

 

Do you have the "admin" user in your access list?  Try:


cat /mnt/user/appdata/NginxProxyManager/access/2

 

I only have one user named lol and the password is also lol. Does it only work if the username is admin?

EDIT: I just tried doing the auth in a new browser (firefox) and it worked flawlessly. But chrome seems to mess me up.

Edited by Brydezen
edits
Link to comment
