[Support] Djoss - Nginx Proxy Manager


Djoss

Recommended Posts

On 7/5/2020 at 9:03 AM, Djoss said:

I don't use this myself, but looking at the provided examples, it seem that web socket support may be needed.  Did you enabled that ?

I have tried to enable that but still wont work. I am not confident in Nginx and the configs but one setup is talking about that you have to add your .key file to the Document server, NPM uses .pem files. 

 

Config for just Nginx is looking like this, meybe you can make sense of it:

# only office doc server

server {

listen 443 ssl;

server_name documentserver.*;

 

include /config/nginx/ssl.conf;

 

client_max_body_size 0;


 

location / {

include /config/nginx/proxy.conf;

resolver 127.0.0.11 valid=30s;

set $upstream_docs OnlyOfficeDocumentServer;

proxy_pass https://$upstream_docs:443;

proxy_redirect off;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Host $server_name;

proxy_set_header X-Forwarded-Proto $scheme;

}

}

Link to comment

After running this for a good long while now, I started out having the same issue that many folks are posting about - Internal Server Error when trying to add a new proxy host and request a new SSL Cert.  However, I deleted and recreated the docker and it's appdata and now that part works.

 

However - the Access List functionality doesn't seem to be working - instead of prompting to enter a username / password, instead it just goes 403 forbidden.  If I disable the access list on a host and change to publicly accessible it works.

 

I don't show anything in the logs of the container - is there another place I can look to see why its just tossing me right to a 403 instead of prompting for credentials like it always had?  Note that I am using Brave primarily for my browser, but the same thing occurs in Firefox, Chrome, Edge, and Safari.

 

Thank You!

Link to comment
22 hours ago, shwa87 said:

After running this for a good long while now, I started out having the same issue that many folks are posting about - Internal Server Error when trying to add a new proxy host and request a new SSL Cert.  However, I deleted and recreated the docker and it's appdata and now that part works.

 

However - the Access List functionality doesn't seem to be working - instead of prompting to enter a username / password, instead it just goes 403 forbidden.  If I disable the access list on a host and change to publicly accessible it works.

 

I don't show anything in the logs of the container - is there another place I can look to see why its just tossing me right to a 403 instead of prompting for credentials like it always had?  Note that I am using Brave primarily for my browser, but the same thing occurs in Firefox, Chrome, Edge, and Safari.

 

Thank You!

So now I'm back to npm presenting a locally signed cert instead of the LE cert and I can't proceed.  This is making no sense to me.  Anyone have any insight?

Link to comment

I have a situation with one of my dockers on a vlan (.20 network)  needing to write files to unraid (.1 network)

Is this what Streams would be used for? Or could someone explain what they are?

 

I have NodeRed on br0.20 and a my alexa pallete, needs access to read/write a file to my cache drive residing on host network

When i disable my firewall rule to block VLAN 20 to Main Lan, the node works.

 

I'm unsure if streams (or is correct application) would work, or i need to look at my firewall rules to only allow access to unraid

Thanks

Edited by bdydrp
Link to comment
On 7/7/2020 at 9:31 PM, Kru-x said:

I have tried to enable that but still wont work. I am not confident in Nginx and the configs but one setup is talking about that you have to add your .key file to the Document server, NPM uses .pem files. 

 

Config for just Nginx is looking like this, meybe you can make sense of it:

# only office doc server

server {

listen 443 ssl;

server_name documentserver.*;

 

include /config/nginx/ssl.conf;

 

client_max_body_size 0;


 

location / {

include /config/nginx/proxy.conf;

resolver 127.0.0.11 valid=30s;

set $upstream_docs OnlyOfficeDocumentServer;

proxy_pass https://$upstream_docs:443;

proxy_redirect off;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_set_header X-Forwarded-Host $server_name;

proxy_set_header X-Forwarded-Proto $scheme;

}

}

And how did you configured your proxy host in NPM ?

Link to comment
On 7/8/2020 at 9:34 PM, shwa87 said:

So now I'm back to npm presenting a locally signed cert instead of the LE cert and I can't proceed.  This is making no sense to me.  Anyone have any insight?

Try to upgrade to the latest image and do the following:

  • In your access list, make sure Satisfy Any is selected if you have set nothing under the Access tab.
  • In your proxy, remove usage of the access list and save.
  • Finally, re-enable usage of your access list in the proxy host and save.
Edited by Djoss
  • Like 1
Link to comment
19 hours ago, bdydrp said:

I have a situation with one of my dockers on a vlan (.20 network)  needing to write files to unraid (.1 network)

Is this what Streams would be used for? Or could someone explain what they are?

 

I have NodeRed on br0.20 and a my alexa pallete, needs access to read/write a file to my cache drive residing on host network

When i disable my firewall rule to block VLAN 20 to Main Lan, the node works.

 

I'm unsure if streams (or is correct application) would work, or i need to look at my firewall rules to only allow access to unraid

Thanks

Not sure I fully understand your issue, but streams allow you to forward tcp/udp traffic from the Internet to another device on the network.

Link to comment
1 minute ago, Djoss said:

Not sure I fully understand your issue, but streams allow you to forward tcp/udp traffic from the Internet to another device on the network.

Thanks

I've somewhat figured it out with a rule in pfsense to only allow my NodeRed Docker IP (192.168.20.10)  to communicate to Unraid (192.168.1.4). All other traffic on VLAN 20 is blocked to main lan

Link to comment

Hi all,

 

I am currently trying to configure access to my dockers (organizr, sonarr, radarr, jellyfin...) from outside my local network.

I installed NginxProxyManager and made some tests. I have no problem connecting to organizr from outside my LAN, login through https works. But unfortunately I can't figure out how to access the dockers from there. I mean when I click on a tab it seems to try to load some content but the page doesn't load (I just have the left tabs and nothing appears next to it).

 

I tried different things from there but I can't get it to work. Here's my conf file as it is now:

# ------------------------------------------------------------
# xxx.duckdns.org
# ------------------------------------------------------------


server {
  set $forward_scheme http;
  set $server         "10.0.0.50";
  set $port           89;
  #listen 8080;
  #listen [::]:8080;
  listen 4443 ssl http2;
  listen [::]:4443;

  server_name xxx.duckdns.org;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;

  # Asset Caching
  include conf.d/include/assets.conf;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

  access_log /config/log/proxy_host-1.log proxy;

  ## To utilize the block drop "auth_request /auth-x;" within your location block, where x=OrgV2 group_id
  #auth_request       /auth-0;   #=Admin
  #auth_request       /auth-1;   #=Co-Admin
  #auth_request       /auth-2;   #=Super User
  #auth_request       /auth-3;   #=Power User
  #auth_request       /auth-4;   #=User
  #auth_request       /auth-999; #=Guest

  location ~ ^/auth-(.*) {
    #set $upstream_home_address              10.0.0.50;
    proxy_set_header  Host                  $host;
    proxy_set_header  X-Forwarded-Scheme    $scheme;
    proxy_set_header  X-Forwarded-Proto     $scheme;
    proxy_set_header  X-Forwarded-For       $remote_addr;
    proxy_pass                              http://$server:$port/api/?v1/auth&group=$1;
    internal;
    proxy_set_header Content-Length "";
  }

  location / {
    # Force SSL
    include conf.d/include/force-ssl.conf;
    #Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
    # Advanced Proxy Config
    send_timeout                            5m;
    proxy_read_timeout                      240;
    proxy_send_timeout                      240;
    proxy_connect_timeout                   240;
    proxy_set_header Upgrade                $http_upgrade;
    proxy_set_header Connection             $http_connection;
    proxy_http_version                      1.1;
    # Proxy
    include conf.d/include/proxy.conf;
  }

    # Bazarr Reverse Proxy - Subtitles
    # Be sure to set your URL-Base in Bazarr
    location /bazarr/ {
      auth_request                          /auth-0;
      add_header        X-Frame-Options     "SAMEORIGIN";
      proxy_set_header  Host                $host;
      proxy_set_header  X-Real-IP           $remote_addr;
      proxy_set_header  X-Forwarded-For     $proxy_add_x_forwarded_for;
      proxy_set_header  X-Forwarded-Proto   $scheme;
      proxy_set_header  Upgrade             $http_upgrade;
      proxy_set_header  Connection          $http_connection;
      proxy_pass                            http://$server:6767/bazarr/series;
      proxy_http_version                    1.1;
      proxy_redirect                        off;
    }

    # Lidarr Reverse Proxy - Music
    # Be sure to set your URL-Base in Lidarr
    location /lidarr {
      auth_request                          /auth-0;
      add_header        X-Frame-Options     "SAMEORIGIN";
      proxy_set_header  X-Real-IP           $remote_addr;
      proxy_set_header  X-Forwarded-For     $proxy_add_x_forwarded_for;
      proxy_set_header  X-Forwarded-Proto   $scheme;
      proxy_pass                            http://$server:8686/lidarr;
      proxy_http_version                    1.1;
      proxy_no_cache                        $cookie_session;
      location /lidarr/api {
        auth_request                          off;
        proxy_pass                            http://$server:8686;
      }
    }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

I only make changes to the bazarr and lidarr location blocks for my tests since the organizr page loads great. I did configure the Base_URL for bazarr and lidarr.

 

It seems that it should not be that complicated, I'm trying hard... I think there are still things that should be done in NPM. Also is everyone able to configure everything through the GUI? It seems easier with the conf file.

 

Any idea what is not configured properly? Sorry but I'm new to the reverse proxy thing and my knowledge is limited.
Any help is welcome.

 

Thanks

 

EDIT: I should mention that all my dockers works through organizr locally (only organizr loads through NPM but no dockers from there).

Edited by cam217
Link to comment
On 7/10/2020 at 12:16 PM, Djoss said:

And how did you configured your proxy host in NPM ?

Hi Djoss,

Sorry to have bothered you, turns out that it is not NPM after all. The problem is strange, I have two servers with the exact same setup and if I have the onlyoffice on one server the other won't talk to it but the same will. And even more odd the one with NPM on it wont talk to to an instance of only office on the same server nor the other one. Don't know what happening!

Kru-x

Link to comment
  • 2 weeks later...

I modified this file:

/mnt/cache/appdata/letsencrypt/www/index.html

 

to have:

<meta http-equiv="refresh" content="0; URL='http://www.google.com'" />

 

This just redirects to google.com since I don't use my root domain.

 

 

 

 

On 7/14/2020 at 11:48 AM, Alex.b said:

I use Cloudflare with my own domain and NPM. I opened port and everything seems works. For the moment I’ve only a subdomain. In NPM, I use let’s encrypt cert. How can enforce my security ?

 

For example I can access directly to https://my.public.ip (warning ssl), is it a security issue ?

I’m landing here

image.png.572b1ec187b6883d98128f14839f9d92.png

Link to comment

Hi,

 

So ive had NPM working for a while now, but today it suddenly stopped working... I tried a reinstall of the container and everything but no luck... These are my issues.

 

When trying to get a new cert:

Failed authorization procedure. *******duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://*******.duckdns.org/.well-known/acme-challenge/*******UGzIv7g******W9ke6k-_JTi5f2NNlb*********: Timeout during connect (likely firewall problem)

 

(censored some of that as im not sure if its private)

 

 

And more issues:

[7/24/2020] [10:29:02 PM] [Nginx ] › ℹ info Reloading Nginx
Duplicate relation "access_list" in a relation expression. You should use "a.[b, c]" instead of "[a.b, a.c]". This will cause an error in objection 2.0

 

 

and this (in the GUI, proxy shows as offline (red) because of this)GTCXS2B.png

 

Edited by Gershy13
Link to comment
On 6/8/2020 at 11:22 AM, Djoss said:

Is the "Network Type" in container's setting set to "Bridge" ?  This is the only type where these variables works.  With other types, you need to use 8080 and 4443.

Is there a technical reason why the variables don't work in Custom?

I did experiment with this docker. In bridge it wouldn't start (obviously, unraid itself is already using 80/443). So I set custom, but that barfs horribly when it comes to ipv6. Works fine for v4 (because my router portforwards for 4), but because I have native v6, it goes straight to the docker, expects 443, and it's not there. Its open on 4443.

I'd suggest opening up 80/443 for use in Custom networks as well.

Link to comment

I have a static site that I can access through NPM perfectly, however I believe NPM has Access/Authentication capabilities built in correct?
My understanding was I create an Access List, under Authorization I add the User/Pass that I want users to use, then block everything else.

Assign that Access List to the Proxy and NPM would prompt for a login before displaying the page.
However this doesn't seem to work? Is anyone able to explain how the Access List works? I can't seem to find a guide on it anywhere.

 


1574086125_ScreenShot2020-08-05at11_16_11am.png.386aa4dafddff1435ecd205d74677efc.png 514535869_ScreenShot2020-08-05at11_16_21am.png.e022724c2f3a8a1225a24d7818056eaa.png 147499903_ScreenShot2020-08-05at11_16_28am.png.fc5c87399dbb0dd67c87d03f644cbcb1.png

560526986_ScreenShot2020-08-05at11_16_42am.png.7324857487ac1e1221ca543f6ddd241b.png

Link to comment
On 7/14/2020 at 2:48 PM, Alex.b said:

I use Cloudflare with my own domain and NPM. I opened port and everything seems works. For the moment I’ve only a subdomain. In NPM, I use let’s encrypt cert. How can enforce my security ?

 

For example I can access directly to https://my.public.ip (warning ssl), is it a security issue ?

I’m landing here

image.png.572b1ec187b6883d98128f14839f9d92.png

Where this landing page is coming from ? If you get security warning, the request is probably not reaching NPM...

Link to comment
On 7/28/2020 at 7:09 AM, Experiment626 said:

Is there a technical reason why the variables don't work in Custom?

It's related to the different Docker networking mode.  See https://docs.docker.com/network/

 

On 7/28/2020 at 7:09 AM, Experiment626 said:

I did experiment with this docker. In bridge it wouldn't start (obviously, unraid itself is already using 80/443). So I set custom, but that barfs horribly when it comes to ipv6. Works fine for v4 (because my router portforwards for 4), but because I have native v6, it goes straight to the docker, expects 443, and it's not there. Its open on 4443.

Not sure why in bridge mode the container is not starting.  If you install the container with all default settings, it should not have any issue starting.

Link to comment
49 minutes ago, Mattyfaz said:

I have a static site that I can access through NPM perfectly, however I believe NPM has Access/Authentication capabilities built in correct?
My understanding was I create an Access List, under Authorization I add the User/Pass that I want users to use, then block everything else.

Assign that Access List to the Proxy and NPM would prompt for a login before displaying the page.
However this doesn't seem to work? Is anyone able to explain how the Access List works? I can't seem to find a guide on it anywhere.

 


1574086125_ScreenShot2020-08-05at11_16_11am.png.386aa4dafddff1435ecd205d74677efc.png 514535869_ScreenShot2020-08-05at11_16_21am.png.e022724c2f3a8a1225a24d7818056eaa.png 147499903_ScreenShot2020-08-05at11_16_28am.png.fc5c87399dbb0dd67c87d03f644cbcb1.png

560526986_ScreenShot2020-08-05at11_16_42am.png.7324857487ac1e1221ca543f6ddd241b.png

Try to enable "Satisfy Any" under the access list.  When not enabled, it means that content of both the "Authorization" and "Access" tabs must be satisfied to allow access.

Link to comment
21 minutes ago, Djoss said:

Try to enable "Satisfy Any" under the access list.  When not enabled, it means that content of both the "Authorization" and "Access" tabs must be satisfied to allow access.

Hmm still no luck, it never prompts for a login and just loads the page.

Should I be updating the Access section in the Access List with anything?

Link to comment
2 minutes ago, Mattyfaz said:

Hmm still no luck, it never prompts for a login and just loads the page.

Should I be updating the Access section in the Access List with anything?

You may have encountered a glitch: Try to remove usage of any access list in your proxy host, then save.  After that, re-assign your access list and save.

 

The Access section is not required if you don't need it.

Link to comment
1 hour ago, Djoss said:

You may have encountered a glitch: Try to remove usage of any access list in your proxy host, then save.  After that, re-assign your access list and save.

 

The Access section is not required if you don't need it.

Thanks for the guidance Djoss, unfortunately still not luck. Tried removing and re-assigning, also tried just starting from scratch.

I took a recording of what I am doing, it's all relatively simple so not sure what is going on.

  • Create New Access List
  • Create New Proxy, assign Access List
  • Go to Proxy and it loads without any prompt

 

 

Edited by Mattyfaz
Extra info
Link to comment
4 hours ago, Mattyfaz said:

Thanks for the guidance Djoss, unfortunately still not luck. Tried removing and re-assigning, also tried just starting from scratch.

I took a recording of what I am doing, it's all relatively simple so not sure what is going on.

  • Create New Access List
  • Create New Proxy, assign Access List
  • Go to Proxy and it loads without any prompt

 

Screen Recording 2020-08-05 at 2.07.50 pm.mov 2.06 MB · 0 downloads

 

 

that video looks like the correct way to do it, i cant see anything wrong there (i use access lists with success), i would suspect some cookie caching going on, try another browser, or better yet a different host, i would suspect you will then be prompted for credentials.

Link to comment
1 hour ago, binhex said:

that video looks like the correct way to do it, i cant see anything wrong there (i use access lists with success), i would suspect some cookie caching going on, try another browser, or better yet a different host, i would suspect you will then be prompted for credentials.

Just completely removed all the AppData for NPM, set it up again and setup Access List + Proxy just like shown in the video and still no luck. Tried on multiple devices, multiple browsers (including incognito).

It always just loads the page instantly with no Auth prompt. No idea what is going wrong, would it have anything to do with the Advanced > Custom Nginx Config value the Proxy has?

location / {
root /websites/guide;
}

/website is mapped and inside /guide is the index.html file, which all loads correctly so I believe that is setup fine.
 

Very lost at the moment...

Edited by Mattyfaz
Additional Info
Link to comment
6 minutes ago, Mattyfaz said:

would it have anything to do with the Advanced > Custom Nginx Config value the Proxy has?

certainly worth not included any advanced custom nginx config if possible, just so you can identify the issue, i dont have anything defined in there and auth works correctly so its possible that its overriding the authentication, or its simply a bug in npm.

  • Like 1
Link to comment
8 hours ago, Djoss said:

It's related to the different Docker networking mode.  See https://docs.docker.com/network/

 

Not sure why in bridge mode the container is not starting.  If you install the container with all default settings, it should not have any issue starting.

Oh it does. But. (and this is a big but).

This is the default: image.thumb.png.da85a0d7c2ca105f08d7f2ce461a630d.png

 

It'll start fine with the defaults on install. (1880, 18443).


Now, if I change http/https to 80/443, it barfs. Because Unraid itself is already using those. It would be fine to live on the default ports, if I was using IPv4 only.
image.thumb.png.5bd82df3d4072f0c5e0cc939732ba17d.png

The problem lies with ipv6. Because you don't forward ipv6 ports (at least I don't, native /56 network to play with).. then https (v6) = 18443, not the expected 443. There's no network translation, therefore no port forwarding. Therefore having ipv6 on anything *other* than 80/443 isn't an option.

So, the way to get around that, is use something other than bridge. But the config won't do custom ports that way. It forces me to use the defined ports only. So I'm back to square 1. Can't use v6 with the docker.

Link to comment
14 hours ago, binhex said:

certainly worth not included any advanced custom nginx config if possible, just so you can identify the issue, i dont have anything defined in there and auth works correctly so its possible that its overriding the authentication, or its simply a bug in npm.

Boom! Okay I can confirm it does prompt for username and password if I remove the advanced config!

So for some reason adding this to the advanced config kills the authentication:

location / {
root /websites/guide;
}

That is the only way I know how to host a static site with Auth though... Is this expected behavior? Is there another method of hosting a static site on my UnRaid Server with Auth that I am not across?

Edited by Mattyfaz
Added that Auth is a requirement of the Static Site.
Link to comment

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.