mattie112 Posted December 7, 2020

As it basically is just Nginx you can look into: https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/

For example:

    location /some/path/ {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_pass http://localhost:8000;
    }

I did not test it but I assume you can use this in the advanced config part.
dbowerman Posted December 7, 2020

5 hours ago, mattie112 said:
> As it basically is just Nginx you can look into: https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/
> For example:
>     location /some/path/ {
>         proxy_set_header Host $host;
>         proxy_set_header X-Real-IP $remote_addr;
>         proxy_pass http://localhost:8000;
>     }
> I did not test it but I assume you can use this in the advanced config part.

That is similar to what I have attempted. For the sake of sanity, I modified the path, address, and port and put it in. I can confirm that it is using the location under the advanced tab, as I can break it. However, I am still only seeing the IP of the proxy when I connect to the webserver. If I connect to the webserver directly, I do see the IP of the host I am connecting from.
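An added example, not code from the thread: the service behind NPM only ever sees the proxy's address on the TCP socket, so it has to read X-Real-IP or X-Forwarded-For itself, and it should only believe those headers when the connection really came from the proxy, because any direct client can forge them. The trusted proxy ranges and the sample addresses are constructed assumptions.

```python
import ipaddress

# Constructed assumption: the Docker bridge network NPM sits on, plus localhost.
# Only a connection arriving from one of these may carry proxy headers we believe.
TRUSTED_PROXIES = (
    ipaddress.ip_network("172.18.0.0/16"),
    ipaddress.ip_network("127.0.0.1/32"),
)


def _parse_ip(value):
    """Return an ip_address for a socket/header value, or None if it is not an IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def _is_trusted(value, trusted):
    ip = _parse_ip(value)
    return ip is not None and any(ip in net for net in trusted)


def client_ip(remote_addr, x_forwarded_for=None, x_real_ip=None, trusted=TRUSTED_PROXIES):
    """Resolve the originating client address the way an upstream service should.

    remote_addr      TCP peer of the connection (the proxy's IP in dbowerman's case)
    x_forwarded_for  X-Forwarded-For header value, "client, proxy1, proxy2", if present
    x_real_ip        X-Real-IP header value, if present
    """
    # Not from one of our proxies: the headers are client-controlled input and
    # could say anything, so ignore them and use the socket address.
    if not _is_trusted(remote_addr, trusted):
        return remote_addr

    if x_forwarded_for:
        hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
        # Walk the chain from the right (the hop nearest to us), skipping every
        # proxy we trust; the first address that is not ours is the real client.
        for hop in reversed(hops):
            if _parse_ip(hop) is None:
                return remote_addr  # malformed entry: fall back rather than log garbage
            if not _is_trusted(hop, trusted):
                return hop
        if hops:
            return hops[0]  # every hop was ours: leftmost is the best we have

    if x_real_ip and _parse_ip(x_real_ip) is not None:
        return x_real_ip.strip()

    return remote_addr


def client_ip_from_environ(environ, trusted=TRUSTED_PROXIES):
    """Same lookup for a WSGI environ, where headers show up as HTTP_* keys."""
    return client_ip(
        environ.get("REMOTE_ADDR", ""),
        environ.get("HTTP_X_FORWARDED_FOR"),
        environ.get("HTTP_X_REAL_IP"),
        trusted,
    )
```

If the upstream is itself nginx, the equivalent is the real_ip module (set_real_ip_from for the proxy's range plus real_ip_header X-Real-IP); the logic above is what any application-level lookup should do.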
CorneliousJD Posted December 8, 2020

Oh boy, 46 pages is a lot to go through. Just a few questions.

1. (My most important for now) Is it possible to get mydomain.com/plex working as a custom location instead of a subdomain? (This is for Organizr SSO with Plex, which requires a /plex location and NOT a subdomain.)
2. What exactly is caching of assets doing?
3. When would you NOT want Websockets, blocking of common exploits, and HTTP/2 enabled?
4. HSTS seems like overkill for a lot of services, am I wrong on this?

Thank you in advance!
skois Posted December 8, 2020

2 hours ago, CorneliousJD said:
> Oh boy, 46 pages is a lot to go through. Just a few questions.
> 1. (My most important for now) Is it possible to get mydomain.com/plex working as a custom location instead of a subdomain? (This is for Organizr SSO with Plex, which requires a /plex location and NOT a subdomain.)
> 2. What exactly is caching of assets doing?
> 3. When would you NOT want Websockets, blocking of common exploits, and HTTP/2 enabled?
> 4. HSTS seems like overkill for a lot of services, am I wrong on this?
> Thank you in advance!

HSTS by itself won't do anything, you need to use something like Cloudflare, where you can enable HSTS. I don't know much about it; this is what I read somewhere.

Caching assets: I had it on for everything, but one day I had some problems with Nextcloud. If you run NPM on the same machine as the services you reverse proxy, I don't think you will get any benefit by caching them. Also, caching is only beneficial on static content. If you have much static content and you need more speed, I would create a Cloudflare account and cache it there.

This is all the info I could give, I'm sure the big brains here will help you more!
CorneliousJD Posted December 8, 2020

14 hours ago, skois said:
> HSTS by itself won't do anything, you need to use something like Cloudflare, where you can enable HSTS. I don't know much about it; this is what I read somewhere.
> Caching assets: I had it on for everything, but one day I had some problems with Nextcloud. If you run NPM on the same machine as the services you reverse proxy, I don't think you will get any benefit by caching them. Also, caching is only beneficial on static content. If you have much static content and you need more speed, I would create a Cloudflare account and cache it there.
> This is all the info I could give, I'm sure the big brains here will help you more!

This makes sense, especially about caching; no real benefit to cache anything if I'm running nearly everything on this same Unraid box. The only thing I need better performance on is Nextcloud and I don't know if anything can be done for that, haha.

Still would like to find answers to the following.

1. (My most important for now) Is it possible to get mydomain.com/plex working as a custom location instead of a subdomain? (This is for Organizr SSO with Plex, which requires a /plex location and NOT a subdomain.)
2. When would you NOT want Websockets, blocking of common exploits, and HTTP/2 enabled?
mattie112 Posted December 9, 2020

The 'custom locations' can be used for a /plex solution, or do you run into trouble there?
CorneliousJD Posted December 9, 2020

10 hours ago, mattie112 said:
> The 'custom locations' can be used for a /plex solution, or do you run into trouble there?

Do you have a working example? When I try it, it just... doesn't work, unfortunately. I tried a few times but no luck.
DieFalse Posted December 11, 2020

I have updated and found that the WebGUI now supports DNS challenge. Has anyone successfully gotten this to work with Ionos (1and1.com)? I would really like a wildcard to be able to load local resources.
DieFalse Posted December 11, 2020

On 12/9/2020 at 5:58 PM, CorneliousJD said:
> Do you have a working example? When I try it, it just... doesn't work, unfortunately. I tried a few times but no luck.

You can add your TLD example.com and under custom locations point it to /plex.
CorneliousJD Posted December 11, 2020

1 hour ago, fmp4m said:
> You can add your TLD example.com and under custom locations point it to /plex.

Ok, so I have my TLD domain.com pointed to Organizr, and then adding /plex like this doesn't work. And then under custom locations; Plex is on 32400 for me, FYI. Then when I try to go to domain.com/plex I just get...
DieFalse Posted December 11, 2020

I successfully have plex.domain.com set up and working. I also have plex.domain.com/plex working. 401 Unauthorized is expected IF you are not logged in, for the /plex to work. However, my /plex location is https, not http; is yours?
njdowdy Posted December 13, 2020

I recently moved and am now having problems renewing my certificates. My issues are similar to what others have posted here, but I am having a difficult time finding whether a solution was found. The problem is:

1. When the docker is first started the log says:

    ⚠ warning Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-31" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "<mysubdomain.mydomain.com"
    Another instance of Certbot is already running

And then a bunch of challenges fail.

2. When I attempt to manually renew or add SSL certificates from within the interface I get an "Internal Error" notification and the same message as in #1 in the docker log.

3. When I go to the console and attempt "certbot renew --dry-run" as suggested by @mattie112, the challenges fail and I get the following:

    IMPORTANT NOTES:
    - The following errors were reported by the server:
      Domain: mysubdomain.mydomain.com
      Type: connection
      Detail: Fetching http://mysubdomain.mydomain.com/.well-known/acme-challenge/hlQQ3HIdDm_aurZNHIpTu3jjgUe3KwBRcOtRtwhk5Vg: Timeout during connect (likely firewall problem)

      To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.

I can ping from within the nginxproxymanager docker console. My ports 80 and 443 are forwarded to 180 and 1443 and those are mapped to the nginxproxymanager docker just as they were when things were functional prior to the move.

When I set things up in my new location I did register my new WAN IP address with duckdns.org to reflect this IP change. My websites are accessible via the internet, but some give me a warning that they are unsafe because of self-signed certificates. Some (e.g. Nextcloud) won't allow me to upload files to the server and they time out. I'm not sure what else needs to be done. Could this be something with the new ISP or am I missing something? Thanks!
CorneliousJD Posted December 14, 2020

On 12/11/2020 at 6:49 PM, fmp4m said:
> I successfully have plex.domain.com set up and working. I also have plex.domain.com/plex working. 401 Unauthorized is expected IF you are not logged in, for the /plex to work. However, my /plex location is https, not http; is yours?

I'm not sure how 401 would be expected? There is nothing that needs to be logged in for that to work, but regardless, I'm logged into NPM, Plex, and Organizr. I would also *need* just domain.com/plex to work; I already have plex.domain.com, but plex.domain.com/plex/ wouldn't work with Organizr's SSO authentication anyway, from my understanding? Also, my local Plex is HTTP via docker container, but once it's reverse proxied via NPM it would be at https://domain.com/plex, if it would work without the 401 error.

Also, even if I try to set up plex.domain.com/plex I still get the same 401 error... Main plex.domain.com entry, then the custom location. Still results in

It's hard to imagine I'm doing something that wrong since there's hardly any settings to speak of.

Edited December 14, 2020 by CorneliousJD
Tucubanito07 Posted December 14, 2020

Hello all, has anyone encountered this issue? Nothing has changed and all of a sudden this started to happen. Any help is greatly appreciated.

    [nginx] starting...
    nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-20/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-20/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Edited December 14, 2020 by Tucubanito07
mattie112 Posted December 14, 2020

10 hours ago, CorneliousJD said:
> I'm not sure how 401 would be expected? There is nothing that needs to be logged in for that to work, but regardless, I'm logged into NPM, Plex, and Organizr. I would also *need* just domain.com/plex to work; I already have plex.domain.com, but plex.domain.com/plex/ wouldn't work with Organizr's SSO authentication anyway, from my understanding? Also, my local Plex is HTTP via docker container, but once it's reverse proxied via NPM it would be at https://domain.com/plex, if it would work without the 401 error.
> Also, even if I try to set up plex.domain.com/plex I still get the same 401 error... Main plex.domain.com entry, then the custom location. Still results in
> It's hard to imagine I'm doing something that wrong since there's hardly any settings to speak of.

Perhaps you need to also add some other directories? For example, I found this post: https://www.reddit.com/r/PleX/comments/3xz4ph/plex_behind_a_ssl_nginx_reverse_proxy/cy9l9fj/?utm_source=reddit&utm_medium=web2x&context=3
mattie112 Posted December 14, 2020

1 hour ago, Tucubanito07 said:
> Hello all, has anyone encountered this issue? Nothing has changed and all of a sudden this started to happen. Any help is greatly appreciated.
>     [nginx] starting...
>     nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-20/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-20/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Did you try the things I suggested a few weeks ago? (Also see the other posts on that page.)
mattie112 Posted December 14, 2020

16 hours ago, njdowdy said:
> I recently moved and am now having problems renewing my certificates. My issues are similar to what others have posted here, but I am having a difficult time finding whether a solution was found. The problem is:
> 1. When the docker is first started the log says:
>     ⚠ warning Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-31" --agree-tos --email "[email protected]" --preferred-challenges "dns,http" --domains "<mysubdomain.mydomain.com"
>     Another instance of Certbot is already running
> And then a bunch of challenges fail.
> 2. When I attempt to manually renew or add SSL certificates from within the interface I get an "Internal Error" notification and the same message as in #1 in the docker log.
> 3. When I go to the console and attempt "certbot renew --dry-run" as suggested by @mattie112, the challenges fail and I get the following:
>     IMPORTANT NOTES:
>     - The following errors were reported by the server:
>       Domain: mysubdomain.mydomain.com
>       Type: connection
>       Detail: Fetching http://mysubdomain.mydomain.com/.well-known/acme-challenge/hlQQ3HIdDm_aurZNHIpTu3jjgUe3KwBRcOtRtwhk5Vg: Timeout during connect (likely firewall problem)
>       To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
> I can ping from within the nginxproxymanager docker console. My ports 80 and 443 are forwarded to 180 and 1443 and those are mapped to the nginxproxymanager docker just as they were when things were functional prior to the move.
> When I set things up in my new location I did register my new WAN IP address with duckdns.org to reflect this IP change. My websites are accessible via the internet, but some give me a warning that they are unsafe because of self-signed certificates. Some (e.g. Nextcloud) won't allow me to upload files to the server and they time out. I'm not sure what else needs to be done. Could this be something with the new ISP or am I missing something? Thanks!

You can try to stop your docker container and then use the `exec` step so that you are the only one running certbot. I assume a restart of the container did not work?

You can check to see if your DNS is configured correctly by using https://dnscheck.ripe.net/ for example. (Or share your domain here.)
DieFalse Posted December 14, 2020

@CorneliousJD I think I finally, through troubleshooting, figured out a fix that will work for your environment. In your Organizr SSO setup, point it to the local IP/Docker IP of Plex: http://IP:32400/plex

I was digging in my SSO settings and any local comms go through these on my setup; only externally clickable links etc. do not.
CorneliousJD Posted December 14, 2020

13 minutes ago, fmp4m said:
> @CorneliousJD I think I finally, through troubleshooting, figured out a fix that will work for your environment. In your Organizr SSO setup, point it to the local IP/Docker IP of Plex: http://IP:32400/plex
> I was digging in my SSO settings and any local comms go through these on my setup; only externally clickable links etc. do not.

Plex SSO doesn't have that type of setup though. The reason I'm trying to get this set up is because SSO for Tautulli and Ombi work just fine (they point to local dockerIP:port like you mentioned) but Plex does not; there's no option to do that.

Also see here: https://docs.organizr.app/books/setup-features/page/sso#bkmrk-plex

Specifically the part that mentions:
> Plex SSO doesn't work if Plex Reverse Proxy is a subdomain
> To setup a /plex Reverse Proxy in Nginx, setup the location block
DieFalse Posted December 14, 2020

12 minutes ago, CorneliousJD said:
> The reason I'm trying to get this set up is because SSO for Tautulli and Ombi work just fine (they point to local dockerIP:port like you mentioned) but Plex does not; there's no option to do that.
> Also see here: https://docs.organizr.app/books/setup-features/page/sso#bkmrk-plex
> Specifically the part that mentions:
> > Plex SSO doesn't work if Plex Reverse Proxy is a subdomain
> > To setup a /plex Reverse Proxy in Nginx, setup the location block

Have you created/configured "proxy.conf" and placed it where it wants it? An alternative to the proxy.conf file is setting those options in the advanced nginx settings of the advanced location (gear cog). However, I am not proficient with how to format them for this location.

    client_max_body_size 10m;
    client_body_buffer_size 128k;
    proxy_bind $server_addr;
    proxy_buffers 32 4k;

    #Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # Advanced Proxy Config
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;
    proxy_hide_header X-Frame-Options;

    # Basic Proxy Config
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_no_cache $cookie_session;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";

Edited December 14, 2020 by fmp4m
Tucubanito07 Posted December 14, 2020

1 hour ago, mattie112 said:
> Did you try the things I suggested a few weeks ago? (Also see the other posts on that page.)

I tried the certbot renew --force-renewal and restarted the container and still nothing. What is really weird is that nothing was done for this to happen. My WebUI is not even working, which is also weird. Thank you for your help.

This is also what I see.

    All renewal attempts failed. The following certs could not be renewed:
    /etc/letsencrypt/live/npm-12/fullchain.pem (failure)
    /etc/letsencrypt/live/npm-13/fullchain.pem (failure)
    /etc/letsencrypt/live/npm-6/fullchain.pem (failure)
    /etc/letsencrypt/live/npm-7/fullchain.pem (failure)
    4 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (child_process.js:303:12)
    at ChildProcess.emit (events.js:315:20)
    at maybeClose (internal/child_process.js:1021:16)
    at Socket.<anonymous> (internal/child_process.js:443:11)
    at Socket.emit (events.js:315:20)
    at Pipe.<anonymous> (net.js:674:12)
    [nginx] starting...
    nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-20/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-20/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Edited December 14, 2020 by Tucubanito07
DieFalse Posted December 14, 2020

5 minutes ago, Tucubanito07 said:
> I tried the certbot renew --force-renewal and restarted the container and still nothing. What is really weird is that nothing was done for this to happen. My WebUI is not even working, which is also weird. Thank you for your help.
> This is also what I see.
>     All renewal attempts failed. The following certs could not be renewed:
>     /etc/letsencrypt/live/npm-12/fullchain.pem (failure)
>     /etc/letsencrypt/live/npm-13/fullchain.pem (failure)
>     /etc/letsencrypt/live/npm-6/fullchain.pem (failure)
>     /etc/letsencrypt/live/npm-7/fullchain.pem (failure)
>     4 renew failure(s), 0 parse failure(s)
>     at ChildProcess.exithandler (child_process.js:303:12)
>     at ChildProcess.emit (events.js:315:20)
>     at maybeClose (internal/child_process.js:1021:16)
>     at Socket.<anonymous> (internal/child_process.js:443:11)
>     at Socket.emit (events.js:315:20)
>     at Pipe.<anonymous> (net.js:674:12)
>     [nginx] starting...
>     nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-20/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-20/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Have you checked "/etc/letsencrypt/live/npm-20/" or any of the /etc/letsencrypt/live locations to see if the fullchain.pem is there? It seems the symlinking is broken for them. Example:

    drwxrwxrwx 1 nobody users  94 Dec  9 17:01 ./
    drwx------ 1 nobody users 138 Dec 11 16:39 ../
    -rw-rw-rw- 1 nobody users 692 Jul 30 14:01 README
    lrwxrwxrwx 1 nobody users  29 Dec  9 17:01 cert.pem -> ../../archive/npm-1/cert3.pem
    lrwxrwxrwx 1 nobody users  30 Dec  9 17:01 chain.pem -> ../../archive/npm-1/chain3.pem
    lrwxrwxrwx 1 nobody users  34 Dec  9 17:01 fullchain.pem -> ../../archive/npm-1/fullchain3.pem
    lrwxrwxrwx 1 nobody users  32 Dec  9 17:01 privkey.pem -> ../../archive/npm-1/privkey3.pem
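An added example, not code from the thread, of the check fmp4m describes done as a script: it walks a certbot live/ directory and reports every cert directory whose cert.pem, chain.pem, fullchain.pem or privkey.pem is missing or is a symlink whose target under archive/ no longer exists, which is exactly the situation behind nginx's "BIO_new_file ... no such file" error. The sample tree it builds is constructed for the demo; against a real install, point check_live_dir at /etc/letsencrypt/live inside the container (or the appdata letsencrypt/live path on the host).

```python
import os
import tempfile

# The four files certbot keeps as symlinks in every live/<name>/ directory.
CERT_FILES = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")


def check_live_dir(live_dir):
    """Inspect every certificate directory under live_dir (e.g. /etc/letsencrypt/live).

    Returns {cert_name: [problem, ...]} for directories where any expected file is
    missing, is a dangling symlink, or is not a regular file. Healthy directories
    do not appear in the result, so an empty dict means nginx should load them all.
    """
    problems = {}
    for name in sorted(os.listdir(live_dir)):
        cert_dir = os.path.join(live_dir, name)
        if not os.path.isdir(cert_dir):
            continue  # live/README is a plain file; skip it
        issues = []
        for fname in CERT_FILES:
            path = os.path.join(cert_dir, fname)
            if not os.path.lexists(path):
                issues.append(f"{fname}: missing")
            elif os.path.islink(path) and not os.path.exists(path):
                # Link present but its ../../archive/ target is gone: this is the
                # case nginx reports as fopen ... No such file or directory.
                issues.append(f"{fname}: dangling link -> {os.readlink(path)}")
            elif not os.path.isfile(path):
                issues.append(f"{fname}: not a regular file")
        if issues:
            problems[name] = issues
    return problems


def build_sample_tree():
    """Constructed fixture mimicking certbot's layout: npm-1 healthy, npm-20 broken."""
    root = tempfile.mkdtemp(prefix="letsencrypt-demo-")
    live = os.path.join(root, "live")
    archive = os.path.join(root, "archive")
    os.makedirs(os.path.join(archive, "npm-1"))  # npm-20 gets no archive on purpose
    for cert in ("npm-1", "npm-20"):
        os.makedirs(os.path.join(live, cert))
        for fname in CERT_FILES:
            stem = fname.split(".")[0]
            target = f"../../archive/{cert}/{stem}5.pem"  # relative, as certbot writes them
            os.symlink(target, os.path.join(live, cert, fname))
            if cert == "npm-1":
                with open(os.path.join(archive, cert, f"{stem}5.pem"), "w") as fh:
                    fh.write("-----BEGIN PLACEHOLDER-----\n")
    with open(os.path.join(live, "README"), "w") as fh:
        fh.write("certbot README placeholder\n")
    return live


if __name__ == "__main__":
    for cert, issues in check_live_dir(build_sample_tree()).items():
        print(cert)
        for issue in issues:
            print("  " + issue)
```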
Tucubanito07 Posted December 14, 2020

4 minutes ago, fmp4m said:
> Have you checked "/etc/letsencrypt/live/npm-20/" or any of the /etc/letsencrypt/live locations to see if the fullchain.pem is there? It seems the symlinking is broken for them. Example:
>     drwxrwxrwx 1 nobody users  94 Dec  9 17:01 ./
>     drwx------ 1 nobody users 138 Dec 11 16:39 ../
>     -rw-rw-rw- 1 nobody users 692 Jul 30 14:01 README
>     lrwxrwxrwx 1 nobody users  29 Dec  9 17:01 cert.pem -> ../../archive/npm-1/cert3.pem
>     lrwxrwxrwx 1 nobody users  30 Dec  9 17:01 chain.pem -> ../../archive/npm-1/chain3.pem
>     lrwxrwxrwx 1 nobody users  34 Dec  9 17:01 fullchain.pem -> ../../archive/npm-1/fullchain3.pem
>     lrwxrwxrwx 1 nobody users  32 Dec  9 17:01 privkey.pem -> ../../archive/npm-1/privkey3.pem

This is what I see.

    ls -l /mnt/user/appdata/NginxProxyManagerLive/letsencrypt/live/npm-1/
    total 20
    -rw-rw-rw- 1 nobody users 692 May 24  2020 README
    lrwxrwxrwx 1 nobody users  29 Dec 14 11:21 cert.pem -> ../../archive/npm-1/cert5.pem
    lrwxrwxrwx 1 nobody users  30 Dec 14 11:21 chain.pem -> ../../archive/npm-1/chain5.pem
    lrwxrwxrwx 1 nobody users  34 Dec 14 11:21 fullchain.pem -> ../../archive/npm-1/fullchain5.pem
    lrwxrwxrwx 1 nobody users  32 Dec 14 11:21 privkey.pem -> ../../archive/npm-1/privkey5.pem
DieFalse Posted December 14, 2020

5 minutes ago, Tucubanito07 said:
> This is what I see.
>     ls -l /mnt/user/appdata/NginxProxyManagerLive/letsencrypt/live/npm-1/
>     total 20
>     -rw-rw-rw- 1 nobody users 692 May 24  2020 README
>     lrwxrwxrwx 1 nobody users  29 Dec 14 11:21 cert.pem -> ../../archive/npm-1/cert5.pem
>     lrwxrwxrwx 1 nobody users  30 Dec 14 11:21 chain.pem -> ../../archive/npm-1/chain5.pem
>     lrwxrwxrwx 1 nobody users  34 Dec 14 11:21 fullchain.pem -> ../../archive/npm-1/fullchain5.pem
>     lrwxrwxrwx 1 nobody users  32 Dec 14 11:21 privkey.pem -> ../../archive/npm-1/privkey5.pem

Can you check the archive folder for the originals, please?
Tucubanito07 Posted December 14, 2020

2 minutes ago, fmp4m said:
> Can you check the archive folder for the originals, please?

If you mean the /etc/ one, it does not exist. Do you happen to know the specific directory, and I can supply the permissions?