
[Support] Djoss - Nginx Proxy Manager


8 hours ago, Djoss said:

It's related to the different Docker networking mode.  See https://docs.docker.com/network/

 

Not sure why in bridge mode the container is not starting.  If you install the container with all default settings, it should not have any issue starting.

Oh it does. But. (and this is a big but).

This is the default: [screenshot]

 

It'll start fine with the defaults on install. (1880, 18443).


Now, if I change http/https to 80/443, it barfs. Because Unraid itself is already using those. It would be fine to live on the default ports, if I was using IPv4 only.

The problem lies with ipv6. Because you don't forward ipv6 ports (at least I don't, native /56 network to play with).. then https (v6) = 18443, not the expected 443. There's no network translation, therefore no port forwarding. Therefore having ipv6 on anything *other* than 80/443 isn't an option.

So, the way to get around that, is use something other than bridge. But the config won't do custom ports that way. It forces me to use the defined ports only. So I'm back to square 1. Can't use v6 with the docker.

Posted (edited)
14 hours ago, binhex said:

certainly worth not including any advanced custom nginx config if possible, just so you can identify the issue, I don't have anything defined in there and auth works correctly so it's possible that it's overriding the authentication, or it's simply a bug in npm.

Boom! Okay I can confirm it does prompt for username and password if I remove the advanced config!

So for some reason adding this to the advanced config kills the authentication:

location / {
    root /websites/guide;
}

That is the only way I know how to host a static site with Auth though... Is this expected behavior? Is there another method of hosting a static site on my UnRaid Server with Auth that I am not across?

Edited by Mattyfaz
Added that Auth is a requirement of the Static Site.

2 hours ago, Mattyfaz said:

Is there another method of hosting a static site on my UnRaid Server I am not across?

The LSIO Letsencrypt container would be the typical choice. This particular container is set up for proxy, not hosting.

9 minutes ago, jonathanm said:

The LSIO Letsencrypt container would be the typical choice. This particular container is set up for proxy, not hosting.

Sorry, I should've clarified that having Authentication in front of the Static Site is a requirement. Which is the reason I went for NPM.

38 minutes ago, Mattyfaz said:

Sorry, I should've clarified that having Authentication in front of the Static Site is a requirement. Which is the reason I went for NPM.

I'm not quite following, but if you need to have NPM as the gateway, then just use a plain vanilla apache or nginx container to host the static site and point NPM to that container.

 

I use LSIO's LE with basic authentication for some static pages as well as using it to reverse proxy a bunch of other sites in my LAN, some on Unraid, some hosted on VM's, etc.

Posted (edited)

Ohhh right, sorry I totally misunderstood.

I'm still confused on how to setup LSIO's LE container with Authentication (and multiple domain names), but regardless I can confirm this solution has worked brilliantly:

47 minutes ago, jonathanm said:

just use a plain vanilla apache or nginx container to host the static site and point NPM to that container.

Thanks @jonathanm - all sorted now :)

Edited by Mattyfaz


Hoping someone could help me track down an issue.

I'm no longer able to access my proxy hosts from external.

I have mydomain.duckdns.org set to forward to my Jellyfin docker container - but I keep getting error 504 Gateway timeout.

When I disable the proxy, I'm greeted with the Congratulations landing page!

I have double checked that duckdns has the correct external IP - which it does!

Also, to double check port forward rules are working, I disabled them, and my domains just time out.

With the testing I've done, I can only put it down to NPM not forwarding to proxy hosts??

Is there something else I can check??

 

Cheers


So I tried removing the container completely and re-installing.

My duck DNS name just resolves to the Congratulations landing page..

Now at a loss as to the cause 

Posted (edited)

Hi Guys. I had nginx working last month, not sure what happened, I am unable to renew certs. I get an error "timedout". I'm probably missing something simple here, but I'm more of a Windows person vs Linux. Thanks for any help.

-Will
 

[8/12/2020] [3:53:46 PM] [Express ] › ⚠ warning Command failed: /usr/bin/certbot renew --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-4" --preferred-challenges "dns,http" --disable-hook-validation

Another instance of Certbot is already running.


 

[8/12/2020] [3:48:21 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates for Cert #4: o**i.s*******8.net
[8/12/2020] [3:49:13 PM] [Express ] › ⚠ warning Command failed: /usr/bin/certbot renew --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-4" --preferred-challenges "dns,http" --disable-hook-validation

Saving debug log to /config/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Non-interactive renewal: random delay of 36 seconds
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for o**i.s*******8.net
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (npm-4) from /etc/letsencrypt/renewal/npm-4.conf produced an unexpected error: Failed authorization procedure. o**i.s*******8.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://o**i.s*******8.net/.well-known/acme-challenge/mhVyDF2lpreiKo_kMhAhFdIYNBa6FX3yHvN11vXQKkU: Timeout during connect (likely firewall problem). Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/npm-4/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

 

Edited by smartkid808

Posted (edited)

I'm having issues with renewing certs also.

I've rebuilt the image and re-saved all the domains and still no luck.

Also some domains are listed as expired in the SSL page, but if I check the site itself it has a newer cert than listed.

 

[8/14/2020] [7:26:01 AM] [SSL ] › ✖ error Error: Command failed: /usr/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Attempting to renew cert (npm-6) from /etc/letsencrypt/renewal/npm-6.conf produced an unexpected error: Failed authorization procedure. n***a.d****-r****r.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://n***a.d****-r****r.co.uk/.well-known/acme-challenge/8m7FHu7FrVb7tV2aGGYfLZfhFP5TvqO1iHAu6-mG3Mg [*.*.*.*]: "<html>\r\n<head><title>401 Authorization Required</title><link rel=\"stylesheet\" type=\"text/css\" href=\"https://gilbn.github.io/them". Skipping.
Attempting to renew cert (npm-20) from /etc/letsencrypt/renewal/npm-20.conf produced an unexpected error: Failed authorization procedure. n***a.d****-r****r.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://n***a.d****-r****r.co.uk/.well-known/acme-challenge/DRtRZr77KhC32wvEbt0iN33aUNP22_YB-7enTpaJ56o [*.*.*.*]: "<html>\r\n<head><title>401 Authorization Required</title><link rel=\"stylesheet\" type=\"text/css\" href=\"https://gilbn.github.io/them". Skipping.
Attempting to renew cert (npm-22) from /etc/letsencrypt/renewal/npm-22.conf produced an unexpected error: Failed authorization procedure. **b.d*****r.co.uk (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://**b.d*****r.co.uk/.well-known/acme-challenge/ZMAZSCwrIoLr-8bcIQgBKNH-0ehqEcT_IJVkvkYIOmA [*.*.*.*]: "<!DOCTYPE html>\n<html>\n <head>\n <script src=\"https://ajax.googleapis.com/ajax/libs/jquery/2.1.3/jquery.min.js\"></script>\n ". Skipping.
All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/npm-6/fullchain.pem (failure)
/etc/letsencrypt/live/npm-20/fullchain.pem (failure)
/etc/letsencrypt/live/npm-22/fullchain.pem (failure)
3 renew failure(s), 0 parse failure(s)

 

 

I have no idea what happened but the issue seems to have fixed itself and all are being renewed now.

Edited by Dark-Raptor
issue fixed itself


How does one revoke a cert with this?  Or, more to the point, revoke a cert created by this?

 

There doesn't seem to be a lot of real world tutorials out there, at least none that I have found.  Any pointers would be appreciated.

 

Thank you!


Does anyone have pihole running with this? I tried lots of custom configs but I keep getting 502 errors.

Posted (edited)

My certs are to expire tomorrow and I'm trying to renew in the proxy manager and it gives an error.

Help please :)

Error I get:

[8/23/2020] [8:38:40 AM] [Express ] › ⚠ warning Command failed: /usr/bin/certbot renew --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-1" --preferred-challenges "dns,http" --disable-hook-validation

Edited by Greygoose


How to disable any logs for NPM?

I have tons of gigs in /mnt/cache/appdata/NginxProxyManager/log

Here I see error.log with

"2020/08/24 13:04:06 [warn] 2546#2546: *907484 an upstream response is buffered to a temporary file /var/tmp/nginx/proxy/2/42/0000000422 while reading upstream ..........."

and proxy_host-1.log with

"[24/Aug/2020:12:55:29 +0300] - 404 404 - POST http"

This is because I use custom config with

location ~ /(settings/write|torrent/rem|torrent/restart|shutdown) {
    auth_basic            "Authorization required";
    auth_basic_user_file  /data/access/1;
}

So clients see 404 for these pages and this is normal. I just need to disable 100 strings per second to logs.

Posted (edited)

Hi, 

 

Just wanted to stop by and say thanks to @Djoss for this container, I've found it much easier to use as my knowledgebase regarding Nginx is limited. I've managed to setup Bitwarden, Droppy, Radarr, Sonarr and NextCloud, and everything has worked great. I'm even getting a complete clean security bill of health in NextCloud which I never managed with Letsencrypt (however no disrespect to the Linuxserver guys, it will have been down to my lack of understanding). 

 

For reference, the only things I had to do in order to transition from Letsencrypt/Swag to Nginx Proxy Manager were;

*Delete all prior certificates generated by Letsencrypt, 

*I haven't had any issues having NPM on its own network rather than Bridge, 

*Disable Cloudflare proxy protection for each of my subdomains, and

*Add my NextCloud domain to the nextcloud config file, under "trusted domains". 

 

Keep up the great work! 

 

 


Edited by LoneTraveler

On 8/9/2020 at 10:06 AM, bdydrp said:

Hoping someone could help me track down an issue.

I'm no longer able to access my proxy hosts from external.

I have mydomain.duckdns.org set to forward to my Jellyfin docker container - but I keep getting error 504 Gateway timeout.

When I disable the proxy, I'm greeted with the Congratulations landing page!

I have double checked that duckdns has the correct external IP - which it does!

Also, to double check port forward rules are working, I disabled them, and my domains just time out.

With the testing I've done, I can only put it down to NPM not forwarding to proxy hosts??

Is there something else I can check??

 

Cheers

The 504 error seems to indicate that NPM cannot reach your Jellyfin container...

On 8/12/2020 at 4:59 PM, smartkid808 said:

Hi Guys. I had nginx working last month, not sure what happened, I am unable to renew certs. I get an error "timedout". I'm probably missing something simple here, but I'm more of a Windows person vs Linux. Thanks for any help.

-Will
 


[8/12/2020] [3:53:46 PM] [Express ] › ⚠ warning Command failed: /usr/bin/certbot renew --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-4" --preferred-challenges "dns,http" --disable-hook-validation

Another instance of Certbot is already running.


 


[8/12/2020] [3:48:21 PM] [SSL ] › ℹ info Renewing Let'sEncrypt certificates for Cert #4: o**i.s*******8.net
[8/12/2020] [3:49:13 PM] [Express ] › ⚠ warning Command failed: /usr/bin/certbot renew --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-4" --preferred-challenges "dns,http" --disable-hook-validation

Saving debug log to /config/log/letsencrypt/letsencrypt.log
Cert is due for renewal, auto-renewing...
Non-interactive renewal: random delay of 36 seconds
Plugins selected: Authenticator webroot, Installer None
Renewing an existing certificate
Performing the following challenges:
http-01 challenge for o**i.s*******8.net
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Attempting to renew cert (npm-4) from /etc/letsencrypt/renewal/npm-4.conf produced an unexpected error: Failed authorization procedure. o**i.s*******8.net (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://o**i.s*******8.net/.well-known/acme-challenge/mhVyDF2lpreiKo_kMhAhFdIYNBa6FX3yHvN11vXQKkU: Timeout during connect (likely firewall problem). Skipping.

All renewal attempts failed. The following certs could not be renewed:

/etc/letsencrypt/live/npm-4/fullchain.pem (failure)
1 renew failure(s), 0 parse failure(s)

 

According to the error, NPM was not reachable through port 80 from the Internet. Did you verify this?

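Added example (not part of any post in this thread, and not NPM's or certbot's own code): a small Python triage of the certbot failure lines quoted in this thread, separating the unreachable-port case diagnosed above from the 401 and wrong-responder cases. The sample log is constructed on the pattern of those lines, with example.test hostnames and TOKEN as placeholders; the cause labels and hints are this example's own, and the CDN check covers only the one Cloudflare IPv6 range.

```python
import ipaddress
import re

# Shape of certbot's failure line as it appears in the logs quoted in this thread.
FAILURE_RE = re.compile(
    r"Failed authorization procedure\. (?P<domain>\S+) \((?P<challenge>[\w-]+)\): "
    r"urn:ietf:params:acme:error:(?P<error>\w+) :: .*? :: (?P<detail>.*)"
)
# Address that answered the challenge URL, printed in brackets after the URL.
RESPONDER_RE = re.compile(r"acme-challenge/\S+ \[(?P<addr>[^\]]+)\]")
CLOUDFLARE_V6 = ipaddress.ip_network("2606:4700::/32")  # a Cloudflare IPv6 range

HINTS = {  # labels and wording are this example's own
    "certbot-lock": "an earlier certbot run still holds the lock; let it finish",
    "unreachable": "port 80 was not reachable from the Internet; check forwarding/firewall",
    "challenge-behind-auth": "401 on the challenge URL; exempt only /.well-known/acme-challenge/",
    "answered-by-cdn": "a Cloudflare address answered, not this host; check the proxied record",
    "wrong-responder": "another page answered the challenge URL; check where port 80 lands",
    "other": "unclassified ACME error; read the full letsencrypt.log",
}

# Constructed sample modelled on the thread's log lines (hostnames and TOKEN are placeholders).
SAMPLE_LOG = r'''Another instance of Certbot is already running.
Waiting for verification...
Failed authorization procedure. host.example.test (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://host.example.test/.well-known/acme-challenge/TOKEN: Timeout during connect (likely firewall problem). Skipping.
Failed authorization procedure. media.example.test (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://media.example.test/.well-known/acme-challenge/TOKEN [*.*.*.*]: "<html>\r\n<head><title>401 Authorization Required</title>". Skipping.
Failed authorization procedure. app.example.test (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://app.example.test/.well-known/acme-challenge/TOKEN [2606:4700:3037::681c:12a2]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html "
'''


def triage(line):
    """Classify one log line; return None if it is not a known failure line."""
    if "Another instance of Certbot is already running" in line:
        return {"domain": None, "cause": "certbot-lock", "hint": HINTS["certbot-lock"]}
    m = FAILURE_RE.search(line)
    if m is None:
        return None
    detail = m["detail"]
    responder = None
    found = RESPONDER_RE.search(detail)
    if found:
        try:
            responder = ipaddress.ip_address(found["addr"])
        except ValueError:
            responder = None  # address masked in the log, e.g. [*.*.*.*]
    if m["error"] == "connection":
        cause = "unreachable"
    elif m["error"] != "unauthorized":
        cause = "other"
    elif "401 Authorization Required" in detail:
        cause = "challenge-behind-auth"
    elif responder is not None and responder in CLOUDFLARE_V6:
        cause = "answered-by-cdn"
    else:
        cause = "wrong-responder"
    return {"domain": m["domain"], "cause": cause, "hint": HINTS[cause]}


def triage_log(text):
    """Return the classified failures found in a multi-line log excerpt."""
    return [hit for hit in map(triage, text.splitlines()) if hit is not None]


if __name__ == "__main__":
    for hit in triage_log(SAMPLE_LOG):
        print(f'{hit["domain"] or "-":22} {hit["cause"]:22} {hit["hint"]}')
```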
On 8/19/2020 at 3:11 PM, kcgodwins said:

How does one revoke a cert with this?  Or, more to the point, revoke a cert created by this?

 

There doesn't seem to be a lot of real world tutorials out there, at least none that I have found.  Any pointers would be appreciated.

 

Thank you!

I think that deleting the certificate will also revoke it.

On 8/21/2020 at 8:56 AM, mwwb said:

Does anyone have pihole running with this? I tried lots of custom configs but I keep getting 502 errors.

The 502 error seems to indicate that NPM cannot reach pihole. Double check your proxy host settings.

On 8/23/2020 at 10:51 AM, Nuke said:

Can I use http load balancer with this container?

No, this is not something that can be configured with NPM.

On 8/24/2020 at 6:08 AM, Nuke said:

How to disable any logs for NPM?

I have tons of gigs in /mnt/cache/appdata/NginxProxyManager/log

Here I see error.log with

"2020/08/24 13:04:06 [warn] 2546#2546: *907484 an upstream response is buffered to a temporary file /var/tmp/nginx/proxy/2/42/0000000422 while reading upstream ..........."

and proxy_host-1.log with

"[24/Aug/2020:12:55:29 +0300] - 404 404 - POST http"

This is because I use custom config with

location ~ /(settings/write|torrent/rem|torrent/restart|shutdown) {
    auth_basic            "Authorization required";
    auth_basic_user_file  /data/access/1;
}

So clients see 404 for these pages and this is normal. I just need to disable 100 strings per second to logs.

Not sure if you saw the answer on GitHub, but I would try to add the following under "location":

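# "error_log off;" is not an nginx switch (it logs to a file named "off"); discard errors instead
error_log    /dev/null crit;
access_log   off;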

 

Posted (edited)

I have a few proxy hosts setup and working fine with Lets Encrypt certs for a few months.

Tried creating a new proxy host today and keep getting "Internal Error" in GUI. Log is pasted below

 

[8/28/2020] [9:04:14 PM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #15: grocy.domain.com
[8/28/2020] [9:04:16 PM] [Nginx ] › ℹ info Reloading Nginx
[8/28/2020] [9:04:16 PM] [Express ] › ⚠ warning Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-15" --agree-tos --email "email@address.com" --preferred-challenges "dns,http" --webroot --domains "grocy.domain.com"

Saving debug log to /config/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for grocy.domain.com
Using the webroot path /data/letsencrypt-acme-challenge for all unmatched domains.
Waiting for verification...
Cleaning up challenges
Failed authorization procedure. grocy.domain.com (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from https://grocy.domain.com/.well-known/acme-challenge/-e-long-string-of-characters-4 [2606:4700:3037::681c:12a2]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]> <html class=\"no-js "

 

Edited by itlists

Posted (edited)
On 8/27/2020 at 9:55 AM, Djoss said:

The 504 error seems to indicate that NPM cannot reach your Jellyfin container...

Thanks

Jellyfin definitely works locally, so I will try and see if I can access another container on my network.

EDIT: so I have tried a number of different IP:PORT NUMBERS and it seems there are 2 containers I can't reach:

NodeRed @ 192.168.20.10:1880 and Unifi @ 192.168.1.4:8443 as well as Jellyfin container.

But I can reach other devices on my network which have a web interface.

So I'm at a loss, as to why I can't reach 3 containers. AFAIK, there is nothing blocking incoming requests via proxy.

Edited by bdydrp


Having a few errors with this container.

 

Setup:

[screenshot]

 

First being, the nginx config fails to pass test straight out of the box:

/var/tmp/nginx/proxy/3/60 # nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: [emerg] getpwnam("nginx") failed
nginx: configuration file /etc/nginx/nginx.conf test failed

 

Secondly, it's also failing to reverse proxy next cloud (with permissions errors):

2020/09/03 15:57:57 [crit] 1516#1516: *3015 open() "/var/tmp/nginx/proxy/3/59/0000000593" failed (13: Permission denied) while reading upstream, client: 74.12.144.41, server: cloud.anglur.io, request: "GET /core/img/actions/error-white.svg?v=1 HTTP/1.1", upstream: "https://10.0.0.3:82/core/img/actions/error-white.svg?v=1", host: "cloud.anglur.io"
2020/09/03 15:57:57 [crit] 1516#1516: *3007 open() "/var/tmp/nginx/proxy/4/59/0000000594" failed (13: Permission denied) while reading upstream, client: 74.12.144.41, server: cloud.anglur.io, request: "GET /js/core/merged-template-prepend.js?v=a3beacbc-0 HTTP/1.1", upstream: "https://10.0.0.3:82/js/core/merged-template-prepend.js?v=a3beacbc-0", host: "cloud.anglur.io"
2020/09/03 15:57:58 [crit] 1516#1516: *3017 open() "/var/tmp/nginx/proxy/5/59/0000000595" failed (13: Permission denied) while reading upstream, client: 74.12.144.41, server: cloud.anglur.io, request: "GET /core/img/actions/confirm.svg?v=2 HTTP/1.1", upstream: "https://10.0.0.3:82/core/img/actions/confirm.svg?v=2", host: "cloud.anglur.io"
2020/09/03 15:57:58 [crit] 1516#1516: *3019 open() "/var/tmp/nginx/proxy/6/59/0000000596" failed (13: Permission denied) while reading upstream, client: 74.12.144.41, server: cloud.anglur.io, request: "GET /core/img/actions/confirm-white.svg?v=2 HTTP/1.1", upstream: "https://10.0.0.3:82/core/img/actions/confirm-white.svg?v=2", host: "cloud.anglur.io"
2020/09/03 15:57:58 [crit] 1516#1516: *3021 open() "/var/tmp/nginx/proxy/7/59/0000000597" failed (13: Permission denied) while reading upstream, client: 74.12.144.41, server: cloud.anglur.io, request: "GET /core/img/logo/logo.svg?v=1 HTTP/1.1", upstream: "https://10.0.0.3:82/core/img/logo/logo.svg?v=1", host: "cloud.anglur.io"
2020/09/03 15:57:58 [crit] 1516#1516: *3023 open() "/var/tmp/nginx/proxy/8/59/0000000598" failed (13: Permission denied) while reading upstream, client: 74.12.144.41, server: cloud.anglur.io, request: "GET /core/img/actions/checkmark-white.svg?v=1 HTTP/1.1", upstream: "https://10.0.0.3:82/core/img/actions/checkmark-white.svg?v=1", host: "cloud.anglur.io"
2020/09/03 15:57:58 [crit] 1516#1516: *3025 open() "/var/tmp/nginx/proxy/9/59/0000000599" failed (13: Permission denied) while reading upstream, client: 74.12.144.41, server: cloud.anglur.io, request: "GET /core/img/background.png?v=2 HTTP/1.1", upstream: "https://10.0.0.3:82/core/img/background.png?v=2", host: "cloud.anglur.io"
2020/09/03 15:57:58 [crit] 1516#1516: *3035 open() "/var/tmp/nginx/proxy/0/60/0000000600" failed (13: Permission denied) while reading upstream, client: 74.12.144.41, server: cloud.anglur.io, request: "GET /core/img/background.png?v=0 HTTP/1.1", upstream: "https://10.0.0.3:82/core/img/background.png?v=0", host: "cloud.anglur.io"
2020/09/03 15:57:58 [crit] 1516#1516: *3027 open() "/var/tmp/nginx/proxy/1/60/0000000601" failed (13: Permission denied) while reading upstream, client: 74.12.144.41, server: cloud.anglur.io, request: "GET /apps/theming/img/core/filetypes/text.svg?v=0 HTTP/1.1", upstream: "https://10.0.0.3:82/apps/theming/img/core/filetypes/text.svg?v=0", host: "cloud.anglur.io"
2020/09/03 15:57:58 [crit] 1516#1516: *3029 open() "/var/tmp/nginx/proxy/2/60/0000000602" failed (13: Permission denied) while reading upstream, client: 74.12.144.41, server: cloud.anglur.io, request: "GET /apps/theming/img/core/filetypes/folder.svg?v=0 HTTP/1.1", upstream: "https://10.0.0.3:82/apps/theming/img/core/filetypes/folder.svg?v=0", host: "cloud.anglur.io"
2020/09/03 15:57:58 [crit] 1516#1516: *3033 open() "/var/tmp/nginx/proxy/3/60/0000000603" failed (13: Permission denied) while reading upstream, client: 74.12.144.41, server: cloud.anglur.io, request: "GET /apps/theming/img/core/filetypes/folder-drag-accept.svg?v=0 HTTP/1.1", upstream: "https://10.0.0.3:82/apps/theming/img/core/filetypes/folder-drag-accept.svg?v=0", host: "cloud.anglur.io"

 

Edited by Jonatino
adding screenshot

