[Support] Djoss - Nginx Proxy Manager



Just now, Djoss said:

The Force SSL option redirects users connecting to the non-secure HTTP port (80) to the secure HTTPS port (443).  Since NPM is mainly used to access services over the Internet, having an encrypted connection is always better.

I understand the SSL is better, but when you can force it when connecting to the non-SSL port, is there a point of using the SSL port? If I never opened the SSL port on my firewall or connected to NPM using the SSL port, but I ultimately get redirected there, does opening the SSL port/connecting directly to it have any real benefit?

Link to comment
11 minutes ago, Iceman24 said:

I understand the SSL is better, but when you can force it when connecting to the non-SSL port, is there a point of using the SSL port? If I never opened the SSL port on my firewall or connected to NPM using the SSL port, but I ultimately get redirected there, does opening the SSL port/connecting directly to it have any real benefit?

Humm the SSL port is normally used.  For example, on the Internet side, when someone connects to port 80 (non-ssl), it gets redirected to the SSL port 443.  An SSL connection is never done on port 80.

Link to comment
18 minutes ago, Djoss said:

Humm the SSL port is normally used.  For example, on the Internet side, when someone connects to port 80 (non-ssl), it gets redirected to the SSL port 443.  An SSL connection is never done on port 80.

Does that redirect happen outside the firewall or after it gets through firewall, hitting port 80 and then getting redirected internally to SSL port?

Link to comment
42 minutes ago, Iceman24 said:

Does that redirect happen outside the firewall or after it gets through firewall, hitting port 80 and then getting redirected internally to SSL port?

This is done by the client (browser).  So the browser connects to port 80, then the web server (NPM) sends a redirect to the client and finally the browser follows the redirect and connects to port 443.

 

Link to comment
4 minutes ago, Djoss said:

This is done by the client (browser).  So the browser connects to port 80, then the web server (NPM) sends a redirect to the client and finally the browser follows the redirect and connects to port 443.

 

Okay, so if I understand that correctly, it is happening outside the firewall, so I would have to have the SSL port open on the firewall? I was wondering if I could just keep that port closed and use port 80 and just force it over to port 443, but it sounds like regardless of whether I force SSL and use port 80 and/or go straight to port 443, I'm still having to penetrate port 443 on the firewall. Do I have this right? Thanks.

Link to comment
5 minutes ago, Iceman24 said:

Okay, so if I understand that correctly, it is happening outside the firewall, so I would have to have the SSL port open on the firewall? I was wondering if I could just keep that port closed and use port 80 and just force it over to port 443, but it sounds like regardless of whether I force SSL and use port 80 and/or go straight to port 443, I'm still having to penetrate port 443 on the firewall. Do I have this right? Thanks.

Correct, port 443 is needed.

  • Like 1
Link to comment
13 hours ago, Djoss said:

Correct, port 443 is needed.

Got it, thanks. Follow up question. Being that I can force SSL for connecting to apps that don't have SSL by using it on NPM, is it redundant to enable SSL for apps that actually do support it? If I just turned off SSL for all apps and relied on NPM for it, it'd be simpler and consistent for everything. Would that make sense to do or am I missing something?

Link to comment
8 minutes ago, Iceman24 said:

Got it, thanks. Follow up question. Being that I can force SSL for connecting to apps that don't have SSL by using it on NPM, is it redundant to enable SSL for apps that actually do support it? If I just turned off SSL for all apps and relied on NPM for it, it'd be simpler and consistent for everything. Would that make sense to do or am I missing something?

If you trust your local network, then it makes sense.  Enabling SSL for apps allows traffic between NPM and the apps to be encrypted.

Link to comment

I am getting a couple security warnings on nextcloud, same as I've seen on here.  

Quote

The "X-Frame-Options" HTTP header is not set to "SAMEORIGIN". This is a potential security or privacy risk, as it is recommended to adjust this setting accordingly.

The "Referrer-Policy" HTTP header is not set to "no-referrer", "no-referrer-when-downgrade", "strict-origin", "strict-origin-when-cross-origin" or "same-origin". This can leak referer information.

The project instructions at:

Quote

say to set the variables thusly:

Quote

You can configure the X-FRAME-OPTIONS header value by specifying it as a Docker environment variable. The default if not specified is deny.

...
environment:
  X_FRAME_OPTIONS: "sameorigin"
...

... -e "X_FRAME_OPTIONS=sameorigin" ...

After doing this the security headers scan shows the same result, that x_frame_options and referrer policy are still not set.

 

Is the attached screen shot the way to accomplish this?  Because it didn't work.  How should I do this?

 

Screen Shot 2020-01-06 at 5.42.16 PM.png

Link to comment
On 1/6/2020 at 6:44 PM, lewispm said:

I am getting a couple security warnings on nextcloud, same as I've seen on here.  

The project instructions at:

say to set the variables thusly:

After doing this the security headers scan shows the same result, that x_frame_options and referrer policy are still not set.

 

Is the attached screen shot the way to accomplish this?  Because it didn't work.  How should I do this?

 

Screen Shot 2020-01-06 at 5.42.16 PM.png

Check the few last posts, @Karatekid had the same issue.

 

But you probably need to add the following under the Advanced tab of your proxy host:

 

add_header X-Frame-Options "SAMEORIGIN";

 

The environment variable is only for the NginxProxyManager UI itself.

Link to comment
14 hours ago, Djoss said:

Check the few last posts, @Karatekid had the same issue.

 

But you probably need to add the following under the Advanced tab of your proxy host:

 


add_header X-Frame-Options "SAMEORIGIN";

 

The environment variable is only for the NginxProxyManager UI itself.

This didn't work.  Here's my advanced tab.  The warning remains.

I restarted npm docker (not sure if that needs to be done or not) and it still persists.  Do I need to restart nextcloud?

Screen Shot 2020-01-08 at 9.47.21 AM.png

Link to comment

I've noticed an issue that I mostly resolved, but I wanted some clarity on what was happening so that I understand it.

 

Things were fine until I changed my firewall GUI port back to 443 from a custom port I had been using the whole time. I realized that after I closed off remote management access to my firewall, that I didn't really need the custom port # I had been using, so for simplicity, I put it back to the default of 443. Then I was testing my public IP in the address bar and noticed that if I go to default ports (80/443) with just my IP, I was taken straight to the firewall login page! I definitely didn't want that. I put my firewall GUI back to a custom port #, problem solved. I was then being redirected to the specified webpage that I told NPM to do when trying to access a proxy host on NPM that didn't exist. Problem solved, although I want to understand why this happened. Can you not have firewall GUI and NPM using same port without this conflict? Also, the redirect only happens if I use port 80. If I use port 443, it gives certificate error. Certificate is a dummy one from NPM, but even clicking through it, you just get error. It doesn't redirect to webpage I told NPM to use. How do I get that working properly on port 443? Thanks.

Link to comment

OMG, I just discovered this and wow.

Thanks Djoss!

 

I had the let's encrypt, nextcloud setup working for almost 2 years now, but I could never figure out how to add a second site/webapp to reverse proxy using let's encrypt docker.

 

With this I figured it out in about 10 min. And the first 5 min I spent on finding the default credentials to log into the web UI :)

I want to read the whole discussion here but it's 26 pages.

I am also wanting the sub folder functionality, is it there yet?

 

One question,

Let's encrypt docker couldn't renew license, if 80 and 443 aren't used by the let's encrypt docker. Is this also going to be an issue here?

Edited by nextgenpotato
Link to comment
OMG, I just discovered this and wow.
Thanks Djoss!
 
I had the let's encrypt, nextcloud setup working for almost 2 years now, but I could never figure out how to add a second site/webapp to reverse proxy using let's encrypt docker.
 
With this I figured it out in about 10 min. And the first 5 min I spent on finding the default credentials to log into the web UI
I want to read the whole discussion here but it's 26 pages.
I am also wanting the sub folder functionality, is it there yet?
 
One question,
Let's encrypt docker couldn't renew license, if 80 and 443 aren't used by the let's encrypt docker. Is this also going to be an issue here?

Port 80 needs to be open in your firewall and it needs to direct into NPM, whether NPM uses 1880/80/whatever. You just need to set up a firewall rule that allows external port 80 access into NPM.
Link to comment
On 1/8/2020 at 10:49 AM, lewispm said:

This didn't work.  Here's my advanced tab.  The warning remains.

I restarted npm docker (not sure if that needs to be done or not) and it still persists.  Do I need to restart nextcloud?

Screen Shot 2020-01-08 at 9.47.21 AM.png

Did you check your site with https://securityheaders.com to see if the header is correctly set?

 

Link to comment
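Added example, not part of any post in this thread: an offline check of a raw response head (for instance the output of `curl -sI`) against the two Nextcloud warnings quoted above, plus a check that a port 80 response is a Force SSL style redirect. The host name `cloud.example.com`, the function names and the sample responses are constructed for illustration, and flagging a header that is sent more than once is this example's own choice.

```python
# Added example: names and sample responses below are constructed.
ALLOWED_REFERRER = {"no-referrer", "no-referrer-when-downgrade", "strict-origin",
                    "strict-origin-when-cross-origin", "same-origin"}

def parse_head(raw):
    """Split a raw response head into (status code, {lowercase name: [values]})."""
    lines = [l for l in raw.strip().splitlines() if l.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def audit(raw):
    """Return findings for the two headers named in the Nextcloud warnings."""
    _, h = parse_head(raw)
    findings = []
    xfo = h.get("x-frame-options", [])
    if len(xfo) != 1:
        # Missing, or added by both the proxy and the app behind it.
        findings.append(f"X-Frame-Options sent {len(xfo)} times (expected once)")
    elif xfo[0].upper() != "SAMEORIGIN":
        findings.append(f"X-Frame-Options is {xfo[0]!r}, not SAMEORIGIN")
    rp = h.get("referrer-policy", [])
    if len(rp) != 1 or rp[0].lower() not in ALLOWED_REFERRER:
        findings.append("Referrer-Policy missing or not in the accepted list")
    return findings

def is_force_ssl_redirect(raw):
    """True if the response sends the client to an https:// URL."""
    status, h = parse_head(raw)
    location = h.get("location", [""])[0]
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")

# Constructed sample responses
PORT_80 = "HTTP/1.1 301 Moved Permanently\nLocation: https://cloud.example.com/\n"
BEFORE = "HTTP/2 200\ncontent-type: text/html\nx-frame-options: DENY\n"
AFTER = "HTTP/2 200\nx-frame-options: SAMEORIGIN\nreferrer-policy: no-referrer\n"

if __name__ == "__main__":
    print("port 80 redirects to HTTPS:", is_force_ssl_redirect(PORT_80))
    for label, sample in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(sample) or "OK")
```
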
On 1/10/2020 at 6:29 PM, Iceman24 said:

Problem solved, although I want to understand why this happened. Can you not have firewall GUI and NPM using same port without this conflict?

Yeah the same port can't be used by 2 different services.

 

On 1/10/2020 at 6:29 PM, Iceman24 said:

Also, the redirect only happens if I use port 80. If I use port 443, it gives certificate error. Certificate is a dummy one from NPM, but even clicking through it, you just get error. It doesn't redirect to webpage I told NPM to use. How do I get that working properly on port 443?

Which error are you getting exactly?

Link to comment
3 hours ago, Djoss said:

Yeah the same port can't be used by 2 different services.

 

Which error are you getting exactly?

I understand that 2 different services can't use the same port (on the same device). The firewall and unRAID server are 2 different devices, but I realize that connecting externally when they both have the same 443 port that there could possibly be a conflict and there is, but only when I have NPM trying to forward me somewhere for unknown domain used. Something about the firewall being on the same port had it redirecting me there even though I have no rule setup to allow outside access to firewall GUI. No big deal though, I had the port different like I mentioned, so I switched firewall port back. I just wanted to understand the technical reason for why that would happen.

 

Errors for using SSL port for unknown domain on NPM are just like when you visit site with invalid certificate. First, "NET::ERR_CERT_AUTHORITY_INVALID", then "ERR_HTTP2_PROTOCOL_ERROR" once I click to allow me to access site anyways. When I looked at certificate, it's just a dummy Nginx Proxy Manager one.

Link to comment

Hello everyone,

Does anyone know if NEXTCLOUD generates certificates automatically ?
Cause on my NGINX PROXY MANAGER console I see that the cert is expired ... but when I connect to the website the expiration date isn't the same as the one shown in NGINX PROXY MANAGER.

 

EDIT:
Is there a plan to implement DNS Authorization (for Wildcards)?

Edited by TDA
Link to comment
On 1/12/2020 at 11:01 PM, Iceman24 said:

Errors for using SSL port for unknown domain on NPM are just like when you visit site with invalid certificate. First, "NET::ERR_CERT_AUTHORITY_INVALID", then "ERR_HTTP2_PROTOCOL_ERROR" once I click to allow me to access site anyways. When I looked at certificate, it's just a dummy Nginx Proxy Manager one.

This is the expected behaviour.  Since you are reaching an unknown domain, it's not possible to present a valid cert.  Thus, a dummy one is used.

Link to comment
On 1/15/2020 at 4:05 PM, TDA said:

Hello everyone,

Does anyone know if NEXTCLOUD generates certificates automatically ?
Cause on my NGINX PROXY MANAGER console I see that the cert is expired ... but when I connect to the website the expiration date isn't the same as the one shown in NGINX PROXY MANAGER.

Yeah it seems to have a bug in the UI where the certificates are wrongly shown as expired.

On 1/15/2020 at 4:05 PM, TDA said:

Is there a plan to implement DNS Authorization (for Wildcards)?

To my knowledge the author of this project doesn't have plans to support this.

Link to comment
