[Support] Djoss - Nginx Proxy Manager



Hi Guys,

I'm having some issues recently, so after going through reinstalling, trying to downgrade to v1.70, etc., I finally resolved the issue by restoring my backup for appdata; the proxy host works now.

However, I'm unable to log in to the GUI; it shows bad gateway.


I'm getting lots of errors in the logs.


[4/20/2020] [5:49:29 PM] [Migrate ] › ℹ info Current database version: 20190227065017
[4/20/2020] [5:49:29 PM] [Migrate ] › ℹ info [access_list_client] Migrating Up...
migration file "20200410143839_access_list_client.js" failed
migration failed with error: create table `access_list_client` (`id` int unsigned not null auto_increment primary key, `created_on` datetime not null, `modified_on` datetime not null, `access_list_id` int unsigned not null, `address` varchar(255) not null, `directive` varchar(255) not null, `meta` json not null) - ER_TABLE_EXISTS_ERROR: Table 'access_list_client' already exists
[4/20/2020] [5:49:29 PM] [Global ] › ✖ error create table `access_list_client` (`id` int unsigned not null auto_increment primary key, `created_on` datetime not null, `modified_on` datetime not null, `access_list_id` int unsigned not null, `address` varchar(255) not null, `directive` varchar(255) not null, `meta` json not null) - ER_TABLE_EXISTS_ERROR: Table 'access_list_client' already exists
[4/20/2020] [5:49:30 PM] [Migrate ] › ℹ info Current database version: 20190227065017
[4/20/2020] [5:49:30 PM] [Migrate ] › ℹ info [access_list_client] Migrating Up...
migration file "20200410143839_access_list_client.js" failed
migration failed with error: create table `access_list_client` (`id` int unsigned not null auto_increment primary key, `created_on` datetime not null, `modified_on` datetime not null, `access_list_id` int unsigned not null, `address` varchar(255) not null, `directive` varchar(255) not null, `meta` json not null) - ER_TABLE_EXISTS_ERROR: Table 'access_list_client' already exists
 

Looks like something to do with access list, but I've not set up anything with access list; any help will be appreciated.

Sorry, I'm kinda noob, I may need some help in collecting information for troubleshooting.

 

****Edit******

Hi, I've managed to resolve the problems......

 

Edited by huangtf
Link to comment

HELP!

ALL websites that require http auth are not accessible. They are, according to Chrome, either ERR_HTTP2_PROTOCOL_ERROR or NET::ERR_CERT_AUTHORITY_INVALID. However, those that do not need a username and password are working perfectly fine.

All the changes I made today were updating Unraid from 6.8.2 to 6.8.3 and adding one more proxy host. Any idea what may have caused it? Thanks!

Link to comment

Anyone able to point to how to use this with Spaceinvaderone's recent jitsi guide? He uses nginx/LE with conf files and his sample nginx conf file is posted at the bottom here.

 

I am not sure how to point at containers the same way...

 

# make sure that your dns has a cname set for jitsi this file assumes the subdomain is meet.yourdomain.com

server {
	listen 80;
	listen 443 ssl http2;
	listen [::]:443 ssl http2;
	server_name meet.*;

	location / {
		# enable the next two lines for http auth
		# auth_basic "Ask for password from your organisation";
		# auth_basic_user_file /config/nginx/.htpasswd;

		ssi on;
		proxy_pass http://meet.jitsi;
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_set_header Host $http_host;
	}
	# BOSH
	location /http-bind {
		proxy_pass http://xmpp.meet.jitsi:5280/http-bind;
		proxy_set_header X-Forwarded-For $remote_addr;
		proxy_set_header Host $http_host;
	}

	# xmpp websockets
	location /xmpp-websocket {
		proxy_pass              http://xmpp.meet.jitsi:5280/xmpp-websocket;
		proxy_http_version      1.1;
		proxy_set_header        Upgrade $http_upgrade;
		proxy_set_header        Connection "upgrade";
		proxy_set_header        Host $host;
		tcp_nodelay             on;
	}
}

 

Link to comment
On 4/13/2020 at 1:58 PM, License said:

I am currently getting a Cloudflare 502 Bad Gateway when attempting to access a subdomain that I set up through the proxy manager. I've watched the logs as I create the Proxy Hosts and do not see any errors in the logs. Any advice would be greatly appreciated! Will provide any additional information that is needed to help triage.

Is Cloudflare reporting the 502 or Nginx Proxy Manager itself?

You can look at log files under /mnt/user/appdata/NginxProxyManager/log/nginx/proxy_host-* to see if NPM is actually reached or not.

Link to comment
On 4/18/2020 at 10:25 AM, Nuke said:

How to see config? nginx -T inside docker says:


/tmp # nginx -T
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] getpwnam("nginx") failed
nginx: configuration file /etc/nginx/nginx.conf test failed

 

I'm trying to find out why nginx shows me 403 when I request a URL like http://xyz:8090/blablabla&tr=udp://lalala&tr=http://hohoho.com

If I delete "http" in the URL then this URL is OK for nginx.  Why does nginx not like it when more than two "http" persist in the URL?

To view the nginx config, it's probably better to look directly at /etc/nginx/nginx.conf inside the container, along with the different included files.  You can also look at log files under /mnt/user/appdata/NginxProxyManager/log/nginx/proxy_host-* to maybe get more details on the error.

Link to comment
On 4/18/2020 at 2:09 PM, rilles said:

Just downloaded this and am trying to use this with Bitwarden.  Issue is I cannot seem to get a LetsEncrypt cert - every time I try to create one I get an "internal error".

If I look at my proxy error, it's basically missing the .pem file (probably related to the error)

 

edit: read through the above now understanding it a bit better - no luck. giving its own unique IP has the same error.

 

Are you sure the container is reachable from the internet on port 80 ?

Link to comment
On 4/20/2020 at 5:41 AM, Veuchez said:

Hello to all,
has the way to specify ssl_ciphers been implemented?
Is it possible to generate RSA 4096bits keys?
Thank you!

This is currently not something that can be customized.  You could try to manually edit files, but these changes would be lost every time the container is re-created/updated.

Link to comment
On 4/21/2020 at 4:09 PM, windlok1010 said:

HELP!

ALL websites that require http auth are not accessible. They are, according to Chrome, either ERR_HTTP2_PROTOCOL_ERROR or NET::ERR_CERT_AUTHORITY_INVALID. However, those that do not need a username and password are working perfectly fine.

All the changes I made today were updating Unraid from 6.8.2 to 6.8.3 and adding one more proxy host. Any idea what may have caused it? Thanks!

Did you try with another browser? If you disable the access list, does it work?

Link to comment
On 4/22/2020 at 8:46 PM, tknx said:

Anyone able to point to how to use this with Spaceinvaderone's recent jitsi guide? He uses nginx/LE with conf files and his sample nginx conf file is posted at the bottom here.

 

I am not sure how to point at containers the same way...

In proxy_pass settings, you can use the IP addresses (of containers) instead of DNS names.

Link to comment
On 24/4/2020 at 04:02, Djoss said:

This is currently not something that can be customized.  You could try to manually edit files, but these changes would be lost every time the container is re-created/updated.

Is it something that will be implemented in future releases?

Link to comment

I was changing some IPs and ran into all sorts of problems with nginx letsencrypt.

 

Without changing anything, if I request a new cert I get the following error message:


nginx: [emerg] unexpected ";" in /data/nginx/proxy_host/18.conf:46
[nginx] starting...

 

18.conf in this case is the proxy host I was trying to renew.

 

Line 46 has the following:

 


    # Access checks must...
    ;

 

It seems to be missing the 'satisfy any' string before the semi-colon.  If I manually add the satisfy any, so it looks like this:


    # Access checks must...
    satisfy any;

 

it starts the renewal, goes a fair bit further until it throws this error:

 


Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0
[4/25/2020] [10:18:33 PM] [Nginx ] › ℹ info Reloading Nginx
[4/25/2020] [10:18:33 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #61: nb.rdkl.me
[4/25/2020] [10:18:36 PM] [Express ] › ⚠ warning Command failed: /usr/sbin/nginx -t
nginx: [emerg] unexpected ";" in /data/nginx/proxy_host/18.conf:46
nginx: configuration file /etc/nginx/nginx.conf test failed

[4/25/2020] [10:18:36 PM] [Express ] › ⚠ warning Command failed: /usr/sbin/nginx -t
nginx: [emerg] unexpected ";" in /data/nginx/proxy_host/18.conf:46
nginx: configuration file /etc/nginx/nginx.conf test failed

 

At that point if I reload 18.conf, the satisfy any has been removed and the solitary semi-colon throws the error.  Any ideas?  At this point I can't touch any working proxy-host config as doing so will break it.

Link to comment
3 hours ago, dalben said:

I was changing some IPs and ran into all sorts of problems with nginx letsencrypt.

 

Without changing anything, if I request a new cert I get the following error message:

 


nginx: [emerg] unexpected ";" in /data/nginx/proxy_host/18.conf:46
[nginx] starting...

 

 

18.conf in this case is the proxy host I was trying to renew.

 

Line 46 has the following:

 

 


    # Access checks must...
    ;

 

 

It seems to be missing the 'satisfy any' string before the semi-colon.  If I manually add the satisfy any, so it looks like this:


    # Access checks must...
    satisfy any;

 

it starts the renewal, goes a fair bit further until it throws this error:

 

 


Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0
[4/25/2020] [10:18:33 PM] [Nginx ] › ℹ info Reloading Nginx
[4/25/2020] [10:18:33 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #61: nb.rdkl.me
[4/25/2020] [10:18:36 PM] [Express ] › ⚠ warning Command failed: /usr/sbin/nginx -t
nginx: [emerg] unexpected ";" in /data/nginx/proxy_host/18.conf:46
nginx: configuration file /etc/nginx/nginx.conf test failed

[4/25/2020] [10:18:36 PM] [Express ] › ⚠ warning Command failed: /usr/sbin/nginx -t
nginx: [emerg] unexpected ";" in /data/nginx/proxy_host/18.conf:46
nginx: configuration file /etc/nginx/nginx.conf test failed

 

 

At that point if I reload 18.conf, the satisfy any has been removed and the solitary semi-colon throws the error.  Any ideas?  At this point I can't touch any working proxy-host config as doing so will break it.

Is this proxy host mapped to an access list ?  Did you try to just edit the proxy host and save, to see if the config file is correctly re-generated ?

Link to comment
3 hours ago, Jaska said:

Hi. How would you pass the ip info to the reverse proxied service? Everything shows the NPM IP instead of the true ip (it's proxied, I know). Otherwise NPM works butter smooth and does exactly what I need it to do.

The real IP is passed to the proxied service via HTTP headers (added by nginx).

Link to comment
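
The reply above says the real client IP reaches the proxied service in HTTP headers. An added example (not from the thread or from the NPM project) of a backend honouring X-Forwarded-For, the header set in the nginx sample earlier in the thread, only when the connection comes from the proxy; the 172.17.0.0/16 proxy network and every address below are constructed assumptions.

```python
import ipaddress

# Assumption: network the NPM container connects from (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("172.17.0.0/16")]

def is_trusted(addr):
    """True if addr belongs to one of our own reverse proxies."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on junk
    return any(ip in net for net in TRUSTED_PROXIES)

def client_ip(peer_addr, headers):
    """Pick the address to log or apply access rules to.

    peer_addr: source IP of the TCP connection that reached the backend.
    headers:   dict of request headers as received.
    """
    if not is_trusted(peer_addr):
        # Request bypassed the proxy: any forwarding header is client-supplied.
        return peer_addr
    lowered = {k.lower(): v for k, v in headers.items()}
    hops = [h.strip() for h in lowered.get("x-forwarded-for", "").split(",")]
    # Read right to left: entries on the right were written by our proxies,
    # entries further left may have been sent by the client itself.
    for hop in reversed([h for h in hops if h]):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            break  # malformed entry: stop trusting the header
    return peer_addr

if __name__ == "__main__":
    # Constructed requests: one through the proxy, one hitting the backend directly.
    print(client_ip("172.17.0.2", {"X-Forwarded-For": "203.0.113.7"}))
    print(client_ip("198.51.100.9", {"X-Forwarded-For": "10.0.0.1"}))
```
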

I have a "dumb" question.  I have a Terraria docker set up for my niece and nephew to use.  I used NPM to pass the IP and port to a specific web page.  http://terraria.randomwebpage.com   When I use Terraria to log in and put the web address in, it shows the correct IP for my server but I can't connect.  I assumed that this would allow me not to have to port forward anything on my router as NPM would handle that.  Am I wrong?

 

Update:


After more testing... once in a while it starts giving me Namecheap's (my provider - 192.64.119.194) IP address instead of my own server's IP address.  Any idea why??

Edited by GreenEyedMonster
Link to comment
13 hours ago, Djoss said:

Is this proxy host mapped to an access list ?  Did you try to just edit the proxy host and save, to see if the config file is correctly re-generated ?

Yeah, it was.  They all are.

 

After much fiddling and reinstalling etc, I got everything back up again.  I need to create the proxy hosts as publicly available and pull down the cert in that setup.  Once the cert is applied and all is running, I then change the security from Public to Access group.  Save that and all is good.

Link to comment
17 hours ago, GreenEyedMonster said:

I have a "dumb" question.  I have a Terraria docker set up for my niece and nephew to use.  I used NPM to pass the IP and port to a specific web page.  http://terraria.randomwebpage.com   When I use Terraria to log in and put the web address in, it shows the correct IP for my server but I can't connect.  I assumed that this would allow me not to have to port forward anything on my router as NPM would handle that.  Am I wrong?

 

Update:


After more testing... once in a while it starts giving me Namecheap's (my provider - 192.64.119.194) IP address instead of my own server's IP address.  Any idea why??

Sorry I'm not sure I follow you.  Who starts giving you wrong IP addresses ?  Terraria ?  I never tried this docker, so I'm not sure what we should expect.

Link to comment
On 4/23/2020 at 9:57 PM, Djoss said:

Are you sure the container is reachable from the internet on port 80 ?

That was the issue.  When I first started doing this I did not realize that letsencrypt requires the rproxy to allow inbound access from the internet.

 

Link to comment
7 hours ago, Djoss said:

Sorry I'm not sure I follow you.  Who starts giving you wrong IP addresses ?  Terraria ?  I never tried this docker, so I'm not sure what we should expect.

No worries!  I'll try to make it a little bit more clear.  
 

So in Terraria when you search for a server you enter the IP address of that server and then the port number. 

  • On the first screen you enter the IP address of the server.  (In my case the web site I have the docker forwarded to.) 
  • On the next screen you enter the port number of the server. (I used my docker's port number.  This might be the issue.) 
  • The last screen translates the website address to an IP address. 
  • This sometimes translates to my server's IP address; sometimes it translates to my website host provider's IP address.  

So I think part of it is that I should be forwarding my port on my router.  The second part I don't understand: why the IP switches at times to Namecheap vs my server's IP.

 

Also, thank you for all you have done.  This docker is my favorite by far!!

 

 

Edited by GreenEyedMonster
Link to comment
3 hours ago, GreenEyedMonster said:

No worries!  I'll try to make it a little bit more clear.  
 

So in Terraria when you search for a server you enter the IP address of that server and then the port number. 

  • On the first screen you enter the IP address of the server.  (In my case the web site I have the docker forwarded to.) 
  • On the next screen you enter the port number of the server. (I used my docker's port number.  This might be the issue.) 
  • The last screen translates the website address to an IP address. 
  • This sometimes translates to my server's IP address; sometimes it translates to my website host provider's IP address.  

So I think part of it is that I should be forwarding my port on my router.  The second part I don't understand: why the IP switches at times to Namecheap vs my server's IP.

 

Also, thank you for all you have done.  This docker is my favorite by far!!

Are you using the docker server available on the Community Apps ?  If yes, it seems that this server runs on a single port (7777) and is not a web application.  In this case, I think you don't need NPM.  Just the DNS name pointing to your public IP and port forwarding like you did.

 

As for the IP, the problem could be a conflict about perceived IP of your server.  From the internet, your server appears to have your public IP.  But if the server also advertises/reports its own IP, it will probably be the internal one.

Link to comment

I solved it; for anyone having this trouble:

All I did was edit the file in "\appdata\NginxProxyManager\nginx\proxy_host" for the proxy you want and add the following text after this line

"location / {"

 

add_header Content-Security-Policy "upgrade-insecure-requests";
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-UA-Compatible "IE=Edge" always;
add_header Cache-Control "no-transform" always;
add_header Referrer-Policy "same-origin" always;
add_header Feature-Policy "autoplay 'none'; camera 'none'" always;

 

and restart the docker for the Nginx Proxy Manager.

 

--------------------------------------------------

 

 

Docker: CalibreWeb from linuxserver

If anyone could help me please: is there any danger if left alone? Because everything is working with me.

I tried https://securityheaders.com

to see if everything is right in the security department but got red ones; is there any way to fix them?

> I tried adding "add_header X-Frame-Options "SAMEORIGIN";" but it didn't do anything.

 


 

 

 

 

Edited by xxsxx47
adding the answer for my problem
Link to comment
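
An added example (not part of the post above and not NPM code) that parses the add_header lines exactly as posted and reports which ones nginx will leave off error responses because they lack `always`, which are deprecated or superseded, and which headers from a baseline are absent from the block. The BASELINE set is this example's assumption; a header reported as absent may still be set elsewhere in the configuration.

```python
import shlex

# add_header lines exactly as posted above.
POSTED = '''
add_header Content-Security-Policy "upgrade-insecure-requests";
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-UA-Compatible "IE=Edge" always;
add_header Cache-Control "no-transform" always;
add_header Referrer-Policy "same-origin" always;
add_header Feature-Policy "autoplay 'none'; camera 'none'" always;
'''

# Assumption: baseline this example audits against (not taken from the thread).
BASELINE = {"strict-transport-security", "content-security-policy",
            "x-frame-options", "x-content-type-options", "referrer-policy"}
LEGACY = {"x-xss-protection": "deprecated",
          "feature-policy": "superseded by Permissions-Policy"}

def parse_add_headers(conf_text):
    """Return [(name, value, always)] for every add_header directive."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line.startswith("add_header"):
            continue
        tokens = shlex.split(line.rstrip(";"))
        if len(tokens) < 3:
            continue  # malformed directive; nginx -t would reject it
        found.append((tokens[1], tokens[2], tokens[3:] == ["always"]))
    return found

def audit(conf_text):
    """Return (header, finding) pairs for one location block."""
    headers = parse_add_headers(conf_text)
    findings = []
    for name, _value, always in headers:
        if not always:
            # Without "always", nginx omits the header on 4xx/5xx responses.
            findings.append((name, "missing 'always'"))
        if name.lower() in LEGACY:
            findings.append((name, LEGACY[name.lower()]))
    present = {name.lower() for name, _, _ in headers}
    for name in sorted(BASELINE - present):
        findings.append((name, "not set in this block"))
    return findings

if __name__ == "__main__":
    for header, finding in audit(POSTED):
        print(f"{header}: {finding}")
```

As noted earlier in the thread, manual edits to the generated files are lost when the container is re-created or updated, so the check is worth repeating after an update.
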
