Kru-x Posted July 8, 2020
On 7/5/2020 at 9:03 AM, Djoss said:
I don't use this myself, but looking at the provided examples, it seems that web socket support may be needed. Did you enable that?
I have tried to enable that but it still won't work. I am not confident in Nginx and the configs, but one setup is talking about having to add your .key file to the Document Server; NPM uses .pem files. The config for plain Nginx looks like this, maybe you can make sense of it:

# only office doc server
server {
    listen 443 ssl;
    server_name documentserver.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_docs OnlyOfficeDocumentServer;
        proxy_pass https://$upstream_docs:443;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
shwa87 Posted July 8, 2020
After running this for a good long while now, I started out having the same issue that many folks are posting about: Internal Server Error when trying to add a new proxy host and request a new SSL cert. However, I deleted and recreated the docker and its appdata and now that part works. However, the Access List functionality doesn't seem to be working: instead of prompting to enter a username / password, it just goes 403 Forbidden. If I disable the access list on a host and change it to publicly accessible, it works. I don't see anything in the logs of the container. Is there another place I can look to see why it's just tossing me right to a 403 instead of prompting for credentials like it always had? Note that I am using Brave primarily for my browser, but the same thing occurs in Firefox, Chrome, Edge, and Safari. Thank you!
shwa87 Posted July 9, 2020
22 hours ago, shwa87 said:
After running this for a good long while now, I started out having the same issue that many folks are posting about: Internal Server Error when trying to add a new proxy host and request a new SSL cert. However, I deleted and recreated the docker and its appdata and now that part works. However, the Access List functionality doesn't seem to be working: instead of prompting to enter a username / password, it just goes 403 Forbidden. If I disable the access list on a host and change it to publicly accessible, it works. I don't see anything in the logs of the container. Is there another place I can look to see why it's just tossing me right to a 403 instead of prompting for credentials like it always had? Note that I am using Brave primarily for my browser, but the same thing occurs in Firefox, Chrome, Edge, and Safari. Thank you!
So now I'm back to NPM presenting a locally signed cert instead of the LE cert and I can't proceed. This is making no sense to me. Anyone have any insight?
bdydrp Posted July 9, 2020 (edited)
I have a situation with one of my dockers on a VLAN (.20 network) needing to write files to Unraid (.1 network). Is this what Streams would be used for? Or could someone explain what they are?
I have NodeRed on br0.20 and my Alexa palette needs access to read/write a file on my cache drive residing on the host network. When I disable my firewall rule that blocks VLAN 20 to the main LAN, the node works. I'm unsure if streams (or if that is even the correct application) would work, or if I need to look at my firewall rules to only allow access to Unraid. Thanks
Edited July 9, 2020 by bdydrp
Djoss (thread author) Posted July 10, 2020
On 7/7/2020 at 9:31 PM, Kru-x said:
I have tried to enable that but it still won't work. I am not confident in Nginx and the configs, but one setup is talking about having to add your .key file to the Document Server; NPM uses .pem files. The config for plain Nginx looks like this, maybe you can make sense of it:

# only office doc server
server {
    listen 443 ssl;
    server_name documentserver.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;

    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
        set $upstream_docs OnlyOfficeDocumentServer;
        proxy_pass https://$upstream_docs:443;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

And how did you configure your proxy host in NPM?
Djoss (thread author) Posted July 10, 2020 (edited)
On 7/8/2020 at 9:34 PM, shwa87 said:
So now I'm back to NPM presenting a locally signed cert instead of the LE cert and I can't proceed. This is making no sense to me. Anyone have any insight?
Try to upgrade to the latest image and do the following:
1. In your access list, make sure Satisfy Any is selected if you have set nothing under the Access tab.
2. In your proxy host, remove usage of the access list and save.
3. Finally, re-enable usage of your access list in the proxy host and save.
Edited July 12, 2020 by Djoss
Djoss (thread author) Posted July 10, 2020
19 hours ago, bdydrp said:
I have a situation with one of my dockers on a VLAN (.20 network) needing to write files to Unraid (.1 network). Is this what Streams would be used for? Or could someone explain what they are? I have NodeRed on br0.20 and my Alexa palette needs access to read/write a file on my cache drive residing on the host network. When I disable my firewall rule that blocks VLAN 20 to the main LAN, the node works. I'm unsure if streams (or if that is even the correct application) would work, or if I need to look at my firewall rules to only allow access to Unraid. Thanks
Not sure I fully understand your issue, but streams allow you to forward TCP/UDP traffic from the Internet to another device on the network.
bdydrp Posted July 10, 2020
1 minute ago, Djoss said:
Not sure I fully understand your issue, but streams allow you to forward TCP/UDP traffic from the Internet to another device on the network.
Thanks. I've somewhat figured it out with a rule in pfSense to only allow my NodeRed docker IP (192.168.20.10) to communicate with Unraid (192.168.1.4). All other traffic from VLAN 20 to the main LAN is blocked.
cam217 Posted July 10, 2020 (edited)
Hi all, I am currently trying to configure access to my dockers (organizr, sonarr, radarr, jellyfin...) from outside my local network. I installed NginxProxyManager and made some tests. I have no problem connecting to organizr from outside my LAN; login through https works. But unfortunately I can't figure out how to access the dockers from there. I mean, when I click on a tab it seems to try to load some content but the page doesn't load (I just have the left tabs and nothing appears next to them). I tried different things from there but I can't get it to work. Here's my conf file as it is now:

# ------------------------------------------------------------
# xxx.duckdns.org
# ------------------------------------------------------------
server {
    set $forward_scheme http;
    set $server "10.0.0.50";
    set $port 89;

    #listen 8080;
    #listen [::]:8080;
    listen 4443 ssl http2;
    listen [::]:4443;

    server_name xxx.duckdns.org;

    # Let's Encrypt SSL
    include conf.d/include/letsencrypt-acme-challenge.conf;
    include conf.d/include/ssl-ciphers.conf;
    ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;

    # Asset Caching
    include conf.d/include/assets.conf;

    # Block Exploits
    include conf.d/include/block-exploits.conf;

    access_log /config/log/proxy_host-1.log proxy;

    ## To utilize the block drop "auth_request /auth-x;" within your location block, where x=OrgV2 group_id
    #auth_request /auth-0;   #=Admin
    #auth_request /auth-1;   #=Co-Admin
    #auth_request /auth-2;   #=Super User
    #auth_request /auth-3;   #=Power User
    #auth_request /auth-4;   #=User
    #auth_request /auth-999; #=Guest

    location ~ ^/auth-(.*) {
        #set $upstream_home_address 10.0.0.50;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://$server:$port/api/?v1/auth&group=$1;
        internal;
        proxy_set_header Content-Length "";
    }

    location / {
        # Force SSL
        include conf.d/include/force-ssl.conf;

        #Timeout if the real server is dead
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # Advanced Proxy Config
        send_timeout 5m;
        proxy_read_timeout 240;
        proxy_send_timeout 240;
        proxy_connect_timeout 240;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;

        # Proxy
        include conf.d/include/proxy.conf;
    }

    # Bazarr Reverse Proxy - Subtitles
    # Be sure to set your URL-Base in Bazarr
    location /bazarr/ {
        auth_request /auth-0;
        add_header X-Frame-Options "SAMEORIGIN";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_pass http://$server:6767/bazarr/series;
        proxy_http_version 1.1;
        proxy_redirect off;
    }

    # Lidarr Reverse Proxy - Music
    # Be sure to set your URL-Base in Lidarr
    location /lidarr {
        auth_request /auth-0;
        add_header X-Frame-Options "SAMEORIGIN";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://$server:8686/lidarr;
        proxy_http_version 1.1;
        proxy_no_cache $cookie_session;

        location /lidarr/api {
            auth_request off;
            proxy_pass http://$server:8686;
        }
    }

    # Custom
    include /data/nginx/custom/server_proxy[.]conf;
}

I only make changes to the bazarr and lidarr location blocks for my tests, since the organizr page loads great. I did configure the Base_URL for bazarr and lidarr. It seems that it should not be that complicated; I'm trying hard... I think there are still things that should be done in NPM. Also, is everyone able to configure everything through the GUI? It seems easier with the conf file. Any idea what is not configured properly?
Sorry, but I'm new to the reverse proxy thing and my knowledge is limited. Any help is welcome. Thanks
EDIT: I should mention that all my dockers work through organizr locally (only organizr loads through NPM, but no dockers from there).
Edited August 31, 2021 by cam217
Kru-x Posted July 12, 2020
On 7/10/2020 at 12:16 PM, Djoss said:
And how did you configure your proxy host in NPM?
Hi Djoss, sorry to have bothered you; it turns out that it is not NPM after all. The problem is strange: I have two servers with the exact same setup, and if I have OnlyOffice on one server, the other won't talk to it but the same one will. And even more odd, the one with NPM on it won't talk to an instance of OnlyOffice on the same server nor on the other one. Don't know what's happening!
Kru-x
sdballer Posted July 23, 2020
I modified this file: /mnt/cache/appdata/letsencrypt/www/index.html to have:

<meta http-equiv="refresh" content="0; URL='http://www.google.com'" />

This just redirects to google.com since I don't use my root domain.
On 7/14/2020 at 11:48 AM, Alex.b said:
I use Cloudflare with my own domain and NPM. I opened the port and everything seems to work. For the moment I've only a subdomain. In NPM, I use a Let's Encrypt cert. How can I enforce my security? For example, I can access https://my.public.ip directly (SSL warning); is it a security issue? I'm landing here:
Gershy13 Posted July 24, 2020 (edited)
Hi, so I've had NPM working for a while now, but today it suddenly stopped working... I tried a reinstall of the container and everything, but no luck... These are my issues.
When trying to get a new cert:

Failed authorization procedure. *******duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://*******.duckdns.org/.well-known/acme-challenge/*******UGzIv7g******W9ke6k-_JTi5f2NNlb*********: Timeout during connect (likely firewall problem)

(censored some of that as I'm not sure if it's private)
And more issues:

[7/24/2020] [10:29:02 PM] [Nginx ] › ℹ info Reloading Nginx
Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0

and this (in the GUI, the proxy shows as offline (red) because of this).
Edited July 24, 2020 by Gershy13
Experiment626 Posted July 28, 2020
On 6/8/2020 at 11:22 AM, Djoss said:
Is the "Network Type" in the container's settings set to "Bridge"? This is the only type where these variables work. With other types, you need to use 8080 and 4443.
Is there a technical reason why the variables don't work in Custom? I did experiment with this docker. In bridge it wouldn't start (obviously, Unraid itself is already using 80/443). So I set custom, but that barfs horribly when it comes to IPv6. Works fine for v4 (because my router port-forwards for v4), but because I have native v6, it goes straight to the docker, expects 443, and it's not there. It's open on 4443. I'd suggest opening up 80/443 for use in Custom networks as well.
MattFaz Posted August 5, 2020
I have a static site that I can access through NPM perfectly; however, I believe NPM has Access/Authentication capabilities built in, correct? My understanding was that I create an Access List, under Authorization I add the User/Pass that I want users to use, then block everything else. Assign that Access List to the Proxy and NPM would prompt for a login before displaying the page. However, this doesn't seem to work? Is anyone able to explain how the Access List works? I can't seem to find a guide on it anywhere.
Djoss (thread author) Posted August 5, 2020
On 7/14/2020 at 2:48 PM, Alex.b said:
I use Cloudflare with my own domain and NPM. I opened the port and everything seems to work. For the moment I've only a subdomain. In NPM, I use a Let's Encrypt cert. How can I enforce my security? For example, I can access https://my.public.ip directly (SSL warning); is it a security issue? I'm landing here:
Where is this landing page coming from? If you get a security warning, the request is probably not reaching NPM...
Djoss (thread author) Posted August 5, 2020
On 7/28/2020 at 7:09 AM, Experiment626 said:
Is there a technical reason why the variables don't work in Custom?
It's related to the different Docker networking modes. See https://docs.docker.com/network/
On 7/28/2020 at 7:09 AM, Experiment626 said:
I did experiment with this docker. In bridge it wouldn't start (obviously, Unraid itself is already using 80/443). So I set custom, but that barfs horribly when it comes to IPv6. Works fine for v4 (because my router port-forwards for v4), but because I have native v6, it goes straight to the docker, expects 443, and it's not there. It's open on 4443.
Not sure why in bridge mode the container is not starting. If you install the container with all default settings, it should not have any issue starting.
Djoss (thread author) Posted August 5, 2020
49 minutes ago, Mattyfaz said:
I have a static site that I can access through NPM perfectly; however, I believe NPM has Access/Authentication capabilities built in, correct? My understanding was that I create an Access List, under Authorization I add the User/Pass that I want users to use, then block everything else. Assign that Access List to the Proxy and NPM would prompt for a login before displaying the page. However, this doesn't seem to work? Is anyone able to explain how the Access List works? I can't seem to find a guide on it anywhere.
Try to enable "Satisfy Any" under the access list. When not enabled, it means that the content of both the "Authorization" and "Access" tabs must be satisfied to allow access.
MattFaz Posted August 5, 2020
21 minutes ago, Djoss said:
Try to enable "Satisfy Any" under the access list. When not enabled, it means that the content of both the "Authorization" and "Access" tabs must be satisfied to allow access.
Hmm, still no luck; it never prompts for a login and just loads the page. Should I be updating the Access section in the Access List with anything?
Djoss (thread author) Posted August 5, 2020
2 minutes ago, Mattyfaz said:
Hmm, still no luck; it never prompts for a login and just loads the page. Should I be updating the Access section in the Access List with anything?
You may have encountered a glitch: try to remove usage of any access list in your proxy host, then save. After that, re-assign your access list and save. The Access section is not required if you don't need it.
MattFaz Posted August 5, 2020 (edited)
1 hour ago, Djoss said:
You may have encountered a glitch: try to remove usage of any access list in your proxy host, then save. After that, re-assign your access list and save. The Access section is not required if you don't need it.
Thanks for the guidance Djoss; unfortunately still no luck. Tried removing and re-assigning, also tried just starting from scratch. I took a recording of what I am doing; it's all relatively simple so not sure what is going on.
1. Create New Access List
2. Create New Proxy, assign Access List
3. Go to Proxy and it loads without any prompt
(attachment: Screen Recording 2020-08-05 at 2.07.50 pm.mov)
Edited August 5, 2020 by Mattyfaz: Extra info
binhex Posted August 5, 2020
4 hours ago, Mattyfaz said:
Thanks for the guidance Djoss; unfortunately still no luck. Tried removing and re-assigning, also tried just starting from scratch. I took a recording of what I am doing; it's all relatively simple so not sure what is going on.
1. Create New Access List
2. Create New Proxy, assign Access List
3. Go to Proxy and it loads without any prompt
(attachment: Screen Recording 2020-08-05 at 2.07.50 pm.mov)
That video looks like the correct way to do it; I can't see anything wrong there (I use access lists with success). I would suspect some cookie caching going on. Try another browser, or better yet a different host; I would suspect you will then be prompted for credentials.
MattFaz Posted August 5, 2020 (edited)
1 hour ago, binhex said:
That video looks like the correct way to do it; I can't see anything wrong there (I use access lists with success). I would suspect some cookie caching going on. Try another browser, or better yet a different host; I would suspect you will then be prompted for credentials.
Just completely removed all the AppData for NPM, set it up again and set up Access List + Proxy just like shown in the video, and still no luck. Tried on multiple devices, multiple browsers (including incognito). It always just loads the page instantly with no auth prompt. No idea what is going wrong. Would it have anything to do with the Advanced > Custom Nginx Config value the Proxy has?

location / {
    root /websites/guide;
}

/website is mapped and inside /guide is the index.html file, which all loads correctly, so I believe that is set up fine. Very lost at the moment...
Edited August 5, 2020 by Mattyfaz: Additional Info
binhex Posted August 5, 2020
6 minutes ago, Mattyfaz said:
Would it have anything to do with the Advanced > Custom Nginx Config value the Proxy has?
Certainly worth not including any advanced custom nginx config if possible, just so you can identify the issue. I don't have anything defined in there and auth works correctly, so it's possible that it's overriding the authentication, or it's simply a bug in NPM.
Experiment626 Posted August 5, 2020
8 hours ago, Djoss said:
It's related to the different Docker networking modes. See https://docs.docker.com/network/ Not sure why in bridge mode the container is not starting. If you install the container with all default settings, it should not have any issue starting.
Oh, it does. But (and this is a big but). This is the default:
It'll start fine with the defaults on install (1880, 18443). Now, if I change http/https to 80/443, it barfs, because Unraid itself is already using those. It would be fine to live on the default ports if I was using IPv4 only. The problem lies with IPv6. Because you don't forward IPv6 ports (at least I don't; native /56 network to play with), https (v6) = 18443, not the expected 443. There's no network translation, therefore no port forwarding. Therefore having IPv6 on anything *other* than 80/443 isn't an option. So, the way to get around that is to use something other than bridge. But the config won't do custom ports that way; it forces me to use the defined ports only. So I'm back to square one: can't use v6 with the docker.
MattFaz Posted August 5, 2020 (edited)
14 hours ago, binhex said:
Certainly worth not including any advanced custom nginx config if possible, just so you can identify the issue. I don't have anything defined in there and auth works correctly, so it's possible that it's overriding the authentication, or it's simply a bug in NPM.
Boom! Okay, I can confirm it does prompt for username and password if I remove the advanced config! So for some reason adding this to the advanced config kills the authentication:

location / {
    root /websites/guide;
}

That is the only way I know how to host a static site with auth though... Is this expected behavior? Is there another method of hosting a static site on my Unraid server with auth that I am not across?
Edited August 6, 2020 by Mattyfaz: Added that Auth is a requirement of the Static Site.
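Added example, not from this thread and not NPM's own template: why the Advanced snippet above drops the login prompt, and how to keep the prompt with a static root. NPM emits the access-list directives (auth_basic, allow/deny, satisfy) inside the `location /` it generates for the proxy host; when the Advanced box supplies its own `location /`, NPM skips generating that block and the auth directives go with it, which is the behaviour MattFaz observed. The fix is to carry those directives into the custom location yourself. Assumptions: the root /websites/guide is taken from the post; /data/access/1 is the htpasswd file NPM writes for access list id 1 (check the id in your own /data/access/ directory); 10.0.0.0/24 is an illustrative LAN range. The same block also shows the meaning of the "Satisfy Any" switch Djoss described earlier in the thread: with `satisfy any`, either a valid login or an allowed source address is enough; nginx's default is `satisfy all`, which requires both.

```nginx
# Added example for the Advanced > Custom Nginx Config box of an NPM proxy
# host. Assumed paths: /websites/guide (from the post) and /data/access/1
# (NPM's per-access-list htpasswd file; the number is the access list id).

# Variant A: what the thread's snippet does. Because this defines location /
# itself, NPM emits no location / of its own, so no auth_basic, allow/deny or
# satisfy directive applies and the site loads for everyone.
#
#location / {
#    root /websites/guide;
#}

# Variant B: same static root, with the access-list checks carried over.
location / {
    root  /websites/guide;
    index index.html;

    # Authorization tab: HTTP basic auth against NPM's htpasswd file.
    auth_basic           "Authorization required";
    auth_basic_user_file /data/access/1;

    # Access tab: source-address rules. 10.0.0.0/24 is an assumed LAN range;
    # drop the allow line if the Access tab is empty and you only want a login.
    allow 10.0.0.0/24;
    deny  all;

    # "Satisfy Any" in the NPM UI is nginx's "satisfy any": a valid login OR
    # an allowed address lets the request through. Without it nginx defaults
    # to "satisfy all", and a client outside 10.0.0.0/24 is refused with 403
    # by the deny rule before it is ever challenged for credentials, which is
    # the shape of the 403-instead-of-prompt symptom reported earlier.
    satisfy any;
}
```

To verify from a host outside the allowed range, `curl -I https://your.host/` should return `401` with a `WWW-Authenticate: Basic` header, and `curl -I -u user:pass https://your.host/` should return `200`; a `403` with no `WWW-Authenticate` header means the address rule is failing first under `satisfy all`. Remember that basic auth sends the password with every request, so this only makes sense on the HTTPS listener with "Force SSL" enabled.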