mattie112 Posted May 1, 2021
4 hours ago, JT24 said: Is there a way to make the certificates auto renew every 4 weeks or so?
Why? You can add a cron to trigger certbot manually...
Raul Perte Posted May 2, 2021
On 11/30/2020 at 5:24 PM, Spectral Force said: Yeah that's definitely wrong. I'll try changing the subdomain and see if that works. Even with a new subdomain it still is going to that smiles survey, which is weird, should I contact my domain provider at this point?
I just got into this and I was dumb enough to use server.duckdns.com - and that one gets resolved to survey-smiles.com. For future reference, it should be duckdns.org.
garydapogi Posted May 9, 2021 (edited)
Hi Lads,
First of all I thank the author for this wonderful Docker. I was able to set it up without problem. Now it's time to take it to the next level, and here's what I want to accomplish with it.
Mission: Bypass a 4G LTE double NAT connection, so I can host web services on my local Unraid server, primarily for Nextcloud and Bitwarden self hosting.
NOTE 1: I'm not sure how to attack this one. The idea is to use the VPS IP to circumvent the double NAT, so anyone on the Internet can visit nextcloud.domain.tld and be forwarded to the Nextcloud Docker hosted in Unraid.
NOTE 2: I don't know how to forward straight to the NPM Docker IP.
I Need Help With: Port forwarding or tunneling to help accomplish the mission.
What I've Tried So Far:
1. SSH Remote Port Forwarding: Works, but not ideal for production use, IMO.
2. Using a VPS + WireGuard VPN + iptables forwarding + Nginx proxy pointing to the NPM: This worked for the http connection, but not with https.
Details of the setup:
- NPM IP: 192.168.254.107
- NPM already created the SSL certs when I used the SSH tunnel port forward
- WG VPN SERVER - THE VPS: 10.66.66.1
- WG VPN CLIENT (with NGINX installed on Ubuntu): 10.66.66.11
- IPTABLES PORT FORWARD TO: 80, 443, 8080, 4443 (8080/4443 for testing purposes)
- WG VPN CLIENT: Ubuntu 20.04 Server with Nginx for proxy_pass
- Nginx config (I'm not good at this, just copy-pasted from Google):

server {
    listen 80;
    server_name nextcloud.domain.tld;
    location / {
        proxy_pass http://192.168.254.107:8080/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

server {
    listen 443;
    server_name nextcloud.domain.tld;
    location / {
        proxy_pass http://192.168.254.107:4443/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
    }
}

Edited May 10, 2021 by garydapogi
mattie112 Posted May 10, 2021
So to confirm: You have 4G internet and you don't want to use that external IP but you want to use a VPN external IP?
Can you (from another connection) access yourip:80 and yourip:443? This is really the first step; if that doesn't work there is no need in debugging NPM.
I assume something like this should work: Unraid (or router) -> has VPN connection so it can receive traffic from VPNSERVER. Your VPNSERVER will forward ALL traffic on 80/443 (through iptables yes) to your Unraid. Then your NPM should have just the default config everyone uses. (and yes you could also forward 80 -> 8080 if you prefer in iptables)
It looks like you also have Nginx on your VPNSERVER? Why? You want to forward all traffic right, not accept it there and then proxy it to NPM? If you want to accept it there you can simply run NPM on your VPNSERVER
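The VPS-side part of the design mattie112 sketches (forward all 80/443 through the tunnel to the NPM host, no second Nginx), as an added example that is not from this thread or the NPM project. Interface names eth0/wg0 and the peer address 10.66.66.11 are assumptions taken from the setup above; the script only prints the commands unless told to apply them.

```shell
#!/bin/sh
# Added example, not from the thread or the NPM project: the VPS-side rules
# for the design described above, where the VPS hands every inbound 80/443
# connection through the WireGuard tunnel to the peer that runs NPM.
# Assumptions (not from the post): public interface eth0, tunnel interface
# wg0, and the NPM peer at 10.66.66.11 (the client address the thread uses).
# Dry-run by default: prints the commands. Pass "apply" as the 4th argument
# to execute them as root on the VPS.

# Emit one command per line for the given peer address and interfaces.
build_rules() {
  peer="$1" wan="$2" wg="$3"
  # The kernel must be allowed to forward between interfaces at all.
  echo "sysctl -w net.ipv4.ip_forward=1"
  for port in 80 443; do
    # Rewrite the destination of inbound connections to the NPM peer.
    echo "iptables -t nat -A PREROUTING -i $wan -p tcp --dport $port -j DNAT --to-destination $peer:$port"
    # Let the rewritten packets cross from the public NIC into the tunnel.
    echo "iptables -A FORWARD -i $wan -o $wg -p tcp -d $peer --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT"
  done
  # Replies travel back out of the tunnel to the public NIC.
  echo "iptables -A FORWARD -i $wg -o $wan -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
  # Source-NAT towards the peer so it answers through the tunnel instead of
  # its own default route (which would break the connection). Trade-off: NPM
  # then logs the VPS tunnel address as the client, not the real visitor.
  echo "iptables -t nat -A POSTROUTING -o $wg -d $peer -j MASQUERADE"
}

# Number of iptables rules the set contains (sysctl line excluded).
count_rules() {
  build_rules "$1" "$2" "$3" | grep -c '^iptables'
}

main() {
  peer="${1:-10.66.66.11}" wan="${2:-eth0}" wg="${3:-wg0}" mode="${4:-dry-run}"
  build_rules "$peer" "$wan" "$wg" | while IFS= read -r cmd; do
    if [ "$mode" = "apply" ]; then
      $cmd    # intentional word splitting: each rule is a plain command line
    else
      echo "$cmd"
    fi
  done
}

main "$@"
```

The peer side still has to accept 80/443 arriving on its WireGuard interface; nothing here touches the NPM container itself.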
garydapogi Posted May 10, 2021
38 minutes ago, mattie112 said: So to confirm: You have 4G internet and you don't want to use that external IP but you want to use a VPN external IP?
Yeah I do. It's the VPS IP address that I want to use. Also, it's not that I don't want to use the external IP - it's because it's on a double NATed connection and I don't have control of either of the ISP routers.
Quote: Can you (from another connection) access yourip:80 and yourip:443? This is really the first step; if that doesn't work there is no need in debugging NPM.
No problem there, hitting the VPS' IP address will take the visitor to the NPM default/welcome page. Visiting the actual host names of my nextcloud and bitwarden docker will bring up the right pages or home page. This is when using port 80. Once I type the https version - here is where the problem kicks off.
And I don't want to do this:
Quote: I assume something like this should work: Unraid (or router) -> has VPN connection so it can receive traffic from VPNSERVER. Your VPNSERVER will forward ALL traffic on 80/443 (through iptables yes) to your Unraid. Then your NPM should have just the default config everyone uses.
...if only I could install WireGuard on the NPM docker, then that would be great. I don't have the skills for the time being, not sure how to set that up.
You asked:
Quote: It looks like you also have Nginx on your VPNSERVER? Why?
Actually, the second server is the Ubuntu VM running on Unraid, it is the VPN Client, NOT the server. It is where NGINX is installed, and it passes the traffic to NPM via proxy_pass. HTTP/S traffic hitting the VPS IP is being forwarded to this VM. And like I mentioned above (NOTE 1), I'm NOT sure how to solve the issue, what workaround to employ.
As regards:
Quote: You want to forward all traffic right, not accept it there and then proxy it to NPM? If you want to accept it there you can simply run NPM on your VPNSERVER
Well, that would be ideal.
The problem is, I don't know Docker well. I don't know how to run it on a server, that's why I chose Unraid to run it for me. If only I could install WireGuard VPN inside the NPM Docker, then that would work too. That way, I can forward from VPS/VPN straight to NPM via iptables + VPN.
JT24 Posted May 11, 2021
I'm trying to update my certificates, every time I hit the update button, it brings up the box saying updating, then the date doesn't change. Any idea how to fix it?
mattie112 Posted May 12, 2021
16 hours ago, JT24 said: I'm trying to update my certificates, every time I hit the update button, it brings up the box saying updating, then the date doesn't change. Any idea how to fix it?
Is there anything in the logs? If the certificates are "too new" it will not renew them.
mattie112 Posted May 12, 2021
On 5/10/2021 at 8:45 PM, garydapogi said: Yeah I do. It's the VPS IP address that I want to use. Also, it's not that I don't want to use the external IP - it's because it's on a double NATed connection and I don't have control of either of the ISP routers. No problem there, hitting the VPS' IP address will take the visitor to the NPM default/welcome page. Visiting the actual host names of my nextcloud and bitwarden docker will bring up the right pages or home page. This is when using port 80. Once I type the https version - here is where the problem kicks off. And I don't want to do this: ...if only I could install WireGuard on the NPM docker, then that would be great. I don't have the skills for the time being, not sure how to set that up. You asked: Actually, the second server is the Ubuntu VM running on Unraid, it is the VPN Client, NOT the server. It is where NGINX is installed, and it passes the traffic to NPM via proxy_pass. HTTP/S traffic hitting the VPS IP is being forwarded to this VM. And like I mentioned above (NOTE 1), I'm NOT sure how to solve the issue, what workaround to employ. As regards: Well, that would be ideal. The problem is, I don't know Docker well. I don't know how to run it on a server, that's why I chose Unraid to run it for me. If only I could install WireGuard VPN inside the NPM Docker, then that would work too. That way, I can forward from VPS/VPN straight to NPM via iptables + VPN.
So :80 works great but :443 does not? What is the issue then when visiting a https link? Do you get an error? No connection?
You can also run a wireguard docker: https://hub.docker.com/r/linuxserver/wireguard
And then on your NPM container:
NY152 Posted May 12, 2021
Personally, sometimes the redirections don't work. A reboot fixes the problem but I would like to understand why it doesn't work after a while. In the logs, I have an error concerning certbot:

2021-05-12 12:05:01,023:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1403, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 237, in find_all
    plugin_ep = cls._load_entry_point(entry_point, plugins, with_prefix=False)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 255, in _load_entry_point
    plugin_ep = PluginEntryPoint(entry_point, with_prefix)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 51, in __init__
    self.plugin_cls: interfaces.IPluginFactory = entry_point.load()
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 2461, in load
    self.require(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 2484, in require
    items = working_set.resolve(reqs, env, installer, extras=self.extras)
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 787, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'future<1,>=0' distribution was not found and is required by dns-lexicon
2021-05-12 12:05:01,023:ERROR:certbot._internal.log:An unexpected error occurred:
2021-05-12 12:05:01,023:ERROR:certbot._internal.log:pkg_resources.DistributionNotFound: The 'future<1,>=0' distribution was

If anyone has a solution, I'm interested. Thanks
xyzeratul Posted May 12, 2021
I just installed NPM on my openwrt router, it works mostly fine, but I can't set up a working proxy host for my unraid server management page. I can set up other apps of this unraid server just fine, like filebrowser and emby, all with Let's Encrypt ssl cert. When setting up unraid itself, I set it up like this: it won't recognize my ssl cert, it directly jumps to nas.****.com/main, showing: NET::ERR_CERT_AUTHORITY_INVALID
If anyone knows the problem or solution, please help. Thank you
mattie112 Posted May 12, 2021
And the certificate is indeed correct? With all the required intermediate certificates? Is it from letsencrypt or another provider? You can test your certificate with a site like ssllabs.com
JT24 Posted May 13, 2021 (edited)
20 hours ago, mattie112 said: Is there anything in the logs? If the certificates are "too new" it will not renew them.

[5/13/2021] [12:49:40 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[5/13/2021] [12:52:31 PM] [SSL ] › ✖ error Error: Command failed: /opt/certbot/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Challenge failed for domain xxxx.xxxx.com
Failed to renew certificate npm-2 with error: Some challenges have failed.
Challenge failed for domain xxxx.xxxx.com
Failed to renew certificate npm-4 with error: Some challenges have failed.
Challenge failed for domain xxxx.xxxx.com
Failed to renew certificate npm-5 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
  /etc/letsencrypt/live/npm-2/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-4/fullchain.pem (failure)
  /etc/letsencrypt/live/npm-5/fullchain.pem (failure)
3 renew failure(s), 0 parse failure(s)
    at ChildProcess.exithandler (child_process.js:308:12)
    at ChildProcess.emit (events.js:314:20)
    at maybeClose (internal/child_process.js:1022:16)
    at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)

Edited May 13, 2021 by JT24
JT24 Posted May 13, 2021
5 minutes ago, JT24 said:
Wait, the ones that are now saying 12 June said 12 May a couple of days ago. Looks like they have auto updated, they just wait till the last minute to put it through. I'll see what happens around 21 May.
xyzeratul Posted May 13, 2021
11 hours ago, mattie112 said: And the certificate is indeed correct? With all the required intermediate certificates? Is it from letsencrypt or another provider? You can test your certificate with a site like ssllabs.com
Yes, I tested my certs with docker apps running on this nas, all correct and working. Just unraid itself won't go with NPM.
Joshndroid Posted May 21, 2021
This might be dumb lol: Can I use Nginx Proxy Manager to redirect to br0?
Hey All, I have no idea if this is possible but thought I might ask. Is it possible to use Nginx Proxy Manager to redirect back to a local IP for stuff hosted on a VM, with SSL?
I have Nginx Proxy Manager set up and can utilise it for things attributed to the custom network 'proxynet'. VMs are using the br0 network of course. I wish to use it to redirect back out to a VM address on my local LAN, providing it a domain and an SSL cert on the way. Is this even possible?
Nanobug Posted May 21, 2021
24 minutes ago, Joshndroid said: This might be dumb lol: Can I use Nginx Proxy Manager to redirect to br0? Hey All, I have no idea if this is possible but thought I might ask. Is it possible to use Nginx Proxy Manager to redirect back to a local IP for stuff hosted on a VM, with SSL? I have Nginx Proxy Manager set up and can utilise it for things attributed to the custom network 'proxynet'. VMs are using the br0 network of course. I wish to use it to redirect back out to a VM address on my local LAN, providing it a domain and an SSL cert on the way. Is this even possible?
I'm not sure what you mean by redirecting to br0. But if you have a domain, yourdomain.com, you can point the DNS A record to your IP. In your router, you need to forward port 80 (HTTP) and 443 (HTTPS) to your NPM service. In NPM you need to point yourdomain.com to wherever it is on your local network, and the port to reach it. So if you wanted to reach cockpit on a Linux VM, you'd point yourdomain.com on port 9090 to the IP of 192.168.1.10 if that was the IP of your VM/service. Does it make sense?
Joshndroid Posted May 21, 2021
11 minutes ago, Nanobug said: I'm not sure what you mean by redirecting to br0. But if you have a domain, yourdomain.com, you can point the DNS A record to your IP. In your router, you need to forward port 80 (HTTP) and 443 (HTTPS) to your NPM service. In NPM you need to point yourdomain.com to wherever it is on your local network, and the port to reach it. So if you wanted to reach cockpit on a Linux VM, you'd point yourdomain.com on port 9090 to the IP of 192.168.1.10 if that was the IP of your VM/service. Does it make sense?
I have nginx attached to a proxynetwork, as originally advised within spaceinvaderone's lets encrypt video. I find this to work perfectly. I have multiple dockers running just fine while attached to proxynetwork.
What I can't seem to get to work is basically nginx redirecting straight back to a LAN address. Is it possible to hit nginx at 192.168.1.xx and have it kick you back out to a 192.168.1.zz address and supply a cert? (utilising redirect)
I can hit nginx at 192.168.1.xx and push across to 172.1.1.yy and get SSL certs. What I am trying to do is utilise Nginx as my catch all and push it either through to the proxynetwork 172....... addresses or redirect back to a 192.168........ address, if that is at all possible, mainly due to the fact that I can't get my VM to expose itself onto the proxynetwork for it to work that way, as it is just not how it works.
mattie112 Posted May 21, 2021
You can only request SSL certificates on a hostname (some.domain.xyz), not on an IP (*). So if you either have your own domain or make up a domain and add it to your local DNS server you could do that, yes.
*) technically you can sign an IP but this will always be some kind of untrusted self-signed certificate
Or are you talking about the service you want to proxy being on another IP? That should be no problem.
njdowdy Posted May 25, 2021
I am experiencing an issue with calibre-web when reverse proxied through nginx via this container. These are the nginx configs I have set for this subdomain:
Scheme: http
HTTP/2 Support: On
The calibre-web container is accessible via the internet and works fine for a short time. I do get a message that "You are not securely connected to this site" and that "parts of this page are insecure (such as images)" (mixed content). After some amount of activity (or 2.5-5 minutes of inactivity), I get re-directed to the login page. This re-direct tends to trigger more often if I am clicking around the application a lot -- for example if I follow 6-10 links (e.g., "Books" to "Settings" to "Top Rated" to "Account", etc) within about 30-45 seconds. It's not unusable, but it is very annoying, especially on mobile where entering my credentials over and over is a chore!
This does not occur via local IP, so the issue is with the reverse proxy setup. Is there some custom Nginx configuration I need to include to stop this from happening? I also use Cloudflare. Could it be something with caching that is making it unhappy? I don't understand how it would control my credentials and log-in status though...
I don't see anything in any logs to help troubleshoot the problem. Can anyone suggest where I could look for more info? Thanks!
neepninja Posted May 27, 2021
Hello, please can anyone help? I am running NPM on unraid 6.9.1 and using this container: jlesage/nginx-proxy-manager
Everything has been running perfectly until now. I haven't changed anything up until now and can't understand why none of my domains work any longer. I have posted a screenshot of the log with problems in yellow. As these were expired or no longer used I removed them from NPM, and seeing as they were giving me errors I removed them manually using the certbot remove command, but now I get errors in red (2nd screenshot).
Please help. This always happens after a few months and I have to remove the container and start again, a pain if you have over 20 hosts.
Thanks, Craig.
Nanobug Posted May 27, 2021
Hello, I'm getting a "502 Bad Gateway" error.
I used docker exec -it NginxProxyManager bash and pinged the container I'm trying to reach, with this result:

64 bytes from 192.168.100.99: seq=0 ttl=64 time=0.103 ms
64 bytes from 192.168.100.99: seq=1 ttl=64 time=0.117 ms
64 bytes from 192.168.100.99: seq=2 ttl=64 time=0.098 ms
64 bytes from 192.168.100.99: seq=3 ttl=64 time=0.099 ms
64 bytes from 192.168.100.99: seq=4 ttl=64 time=0.070 ms
64 bytes from 192.168.100.99: seq=5 ttl=64 time=0.080 ms
64 bytes from 192.168.100.99: seq=6 ttl=64 time=0.097 ms
64 bytes from 192.168.100.99: seq=7 ttl=64 time=0.060 ms
64 bytes from 192.168.100.99: seq=8 ttl=64 time=0.098 ms
64 bytes from 192.168.100.99: seq=9 ttl=64 time=0.096 ms

I've also done this: nc 192.168.100.99 8888 GET /
And got this result:

BusyBox v1.31.1 () multi-call binary.
Usage: nc [OPTIONS] HOST PORT - connect
       nc [OPTIONS] -l -p PORT [HOST] [PORT] - listen
        -e PROG  Run PROG after connect (must be last)
        -l       Listen mode, for inbound connects
        -lk      With -e, provides persistent server
        -p PORT  Local port
        -s ADDR  Local address
        -w SEC   Timeout for connects and final net reads
        -i SEC   Delay interval for lines sent
        -n       Don't do DNS resolution
        -u       UDP mode
        -v       Verbose
        -o FILE  Hex dump traffic
        -z       Zero-I/O mode (scanning)

From what I'm reading, I can connect to it. It works on LAN, just not on the subdomain. Any ideas on how to fix this?
riddler0815 Posted May 30, 2021 (edited)
NPM is filling up the docker image
I have a problem with NPM in combination with the nextcloud container. I set up everything and it works fine. But when I connect from outside via my (dynamic duckdns) domain and download a file of several gigabytes (somewhere >2GB), the docker image fills up (/loop2) and I get warnings from unraid. Then some containers crash (eg jDownloader). The crashed container won't start anymore until I restart the docker engine in unraid.
When I download a file via the web gui of nextcloud in the LAN, everything works fine. So the problem is caused by NPM and some sort of caching procedure. I had the same problem with SWAG in the first place, so I changed over to NPM.
I searched the net and there are some users encountering the same problem, but no solution yet. Some suggest checking the container directories, because they could point into the docker image. But all directories are set up correctly (in my opinion). I have no idea what to check/adapt.
Thanks in advance.
Edited May 30, 2021 by riddler0815 typo
hmoney007 Posted May 30, 2021 (edited)
Nginx is erroring out with this repeated in logs:

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-26/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-26/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

I woke up to backup/restore v2 completed and no containers/vms exposed. Figured out it was nginx which shit the bed and didn't come back up after backup. Backup simply kills all containers, then backs them up, then starts them again, therefore no changes to my config took place. I tried rolling back to v 1.16.0 with no luck. There is no npm-26 anymore.. that was an old proxy host which is not used anymore. Please let me know what I should do to get this up again.
*EDIT* - I just went to the "live" folder and copied/pasted another proxy host folder and renamed it as npm-26 and now it works. Seems like something is broken on the code side but this is a quick and dirty workaround.
Edited May 30, 2021 by hmoney007
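A check for the condition behind the emerg above (a proxy host config still pointing at a certificate directory that no longer exists), as an added example that is not from this thread or the NPM project. The per-host config directory layout is an assumption; pass your own directory as the first argument, otherwise the script runs against a constructed sample.

```shell
#!/bin/sh
# Added example, not from the thread or the NPM project: list nginx vhost
# files whose ssl_certificate / ssl_certificate_key paths no longer exist,
# which is the state behind the "cannot load certificate .../npm-26/
# fullchain.pem" emerg above (a proxy host still bound to a deleted cert).
# Assumption: one .conf per proxy host in a directory you pass as $1
# (NPM images keep these under paths such as /data/nginx/proxy_host, which
# differ per image, so check yours).

# Print "conf<TAB>missing-path" for every dangling certificate reference.
find_stale_certs() {
  dir="$1"
  for conf in "$dir"/*.conf; do
    [ -f "$conf" ] || continue
    # Pull the path operand of ssl_certificate and ssl_certificate_key.
    sed -n 's/^[[:space:]]*ssl_certificate[_a-z]*[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$conf" |
      while IFS= read -r path; do
        [ -f "$path" ] || printf '%s\t%s\n' "$conf" "$path"
      done
  done
}

# Constructed sample (not real NPM data): one healthy host, one stale host
# whose certificate directory was deleted, as in the post above.
demo() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/live/npm-1" "$tmp/proxy_host"
  : > "$tmp/live/npm-1/fullchain.pem"
  : > "$tmp/live/npm-1/privkey.pem"
  cat > "$tmp/proxy_host/1.conf" <<EOF
server {
  listen 443 ssl;
  ssl_certificate $tmp/live/npm-1/fullchain.pem;
  ssl_certificate_key $tmp/live/npm-1/privkey.pem;
}
EOF
  cat > "$tmp/proxy_host/26.conf" <<EOF
server {
  listen 443 ssl;
  ssl_certificate $tmp/live/npm-26/fullchain.pem;
  ssl_certificate_key $tmp/live/npm-26/privkey.pem;
}
EOF
  find_stale_certs "$tmp/proxy_host"
  rm -rf "$tmp"
}

if [ -n "$1" ]; then
  find_stale_certs "$1"
else
  demo
fi
```

Each reported line names the host config to fix (re-issue the certificate or detach it from that host) rather than copying another host's key material into the missing folder.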
Albertpj Posted May 30, 2021
Hello, I want to use the Nginx-Proxy-Manager but I would like to use custom: br0 and be able to use ports 80 and 443. I see that in the template, when using another network outside the bridge, 8080 and 4443 are defined. Could I change this configuration?
mattie112 Posted May 31, 2021
12 hours ago, Albertpj said: Hello, I want to use the Nginx-Proxy-Manager but I would like to use custom: br0 and be able to use ports 80 and 443. I see that in the template, when using another network outside the bridge, 8080 and 4443 are defined. Could I change this configuration?
See: https://forums.unraid.net/topic/76460-support-djoss-nginx-proxy-manager/?do=findComment&comment=944261