[Support] Djoss - Nginx Proxy Manager



Hello,

I'm getting a few unexpected results. I left all settings default when installing the Docker, other than changing the network from a bridge on the host to br02 so it can have its own address.
Why does Docker show that the mapped resources, specifically the ports it is using, do not match what is in the docker settings?
Also, I think I have an outdated version of the application, though that could be an issue with the Docker image.
Do I have an issue, or am I just missing something that should be obvious?
Screenshots attached.

dockerconfig.PNG

dockerconfig2.PNG

version.PNG

Link to post

Popular Posts

Support for Nginx Proxy Manager docker container   Application Name: Nginx Proxy Manager Application Site: https://nginxproxymanager.jc21.com Docker Hub: https://hub.docker.com/r/jlesage/ngi

You can use my fork for now: https://hub.docker.com/r/mattie112/docker-nginx-proxy-manager (which I will delete if/when this gets implemented by Djoss)   My fork is 100% the same c

I ended up adding a completely new NPM container and was able to register new certs without issue, i guess I'll see if they renew in a couple months. Thanks for your help in troubleshooting, I'm still


13 hours ago, alturismo said:

the custom br2 network here is like a host network, it won't map ports, it'll use the native ports from the app(s), so it's all correct.

Ah, thank you. That makes sense, I didn't think those settings would have no effect. I take it that's true of all docker containers that use that br2 network?

Do you have a suggestion on the version being out of date? Is that just the Docker container not being maintained? I'm having a couple issues with the application itself that only happen when I run it in Docker instead of in a VM, but I figure I should make sure I'm on the most recent version before pursuing those.

Link to post
1 hour ago, Foxglove said:

Ah, thank you. That makes sense, I didn't think those settings would have no effect. I take it that's true of all docker containers that use that br2 network?

Do you have a suggestion on the version being out of date? Is that just the Docker container not being maintained? I'm having a couple issues with the application itself that only happen when I run it in Docker instead of in a VM, but I figure I should make sure I'm on the most recent version before pursuing those.

to your question, yes, all dockers on their own ip run in host mode(s) for themselves, so port mappings are useless ...

 

about this docker and version, sorry, can't help there as I'm back on lsio letsencrypt (swag) due i had some local stuff to reverse which was easier for me now by writing my proxy conf files therefore and I'm done.

Link to post

I saw SWAG too, but am hoping to get Proxy Manager running to reduce the amount of overhead when managing my servers.

I could probably use it if I could just figure out what nondescript 'internal error' keeps happening whenever I try to get a certificate issued or renewed. The proxy works great, and I can pull sites over http, but I can't get certs for https. Unfortunately I don't know what this error means and I'm hoping someone else may have seen it before.
This error occurs whenever creating or renewing any certificate. Happens consistently, no special steps needed to cause it.

error.PNG

Edited by Foxglove
Link to post

Hi, 

 

Can I ask if and how people are implementing Fail2ban alongside NginxProxyManager? I understand that it is not part of the NPM docker image, and my searching has come up short in identifying a way to run Fail2ban as a standalone entity on Unraid. 

 

Any suggestions would be greatly appreciated. 

 

Kind regards. 

Link to post

Hi,

Sometimes an error message appears in the container logs:

nginx: [emerg] invalid number of arguments in "set_real_ip_from" directive in /etc/nginx/conf.d/include/ip_ranges.conf:250

In the Nginx Proxy Manager web interface an error message is sent to any action:

image.png.85feb7772497410b52ea4947fc184d90.png

 

The file contains a piece of code from the Cloudflare page:

set_real_ip_from 2600:9000:f000::/36;

set_real_ip_from 2600:9000:eee::/48;

set_real_ip_from <!DOCTYPE html>;

set_real_ip_from <!--[if lt IE 7]> <html class="no-js ie6 oldie" lang="en-US"> <![endif]-->;

set_real_ip_from <!--[if IE 7]>    <html class="no-js ie7 oldie" lang="en-US"> <![endif]-->;

set_real_ip_from <!--[if IE 8]>    <html class="no-js ie8 oldie" lang="en-US"> <![endif]-->;

set_real_ip_from <!--[if gt IE 8]><!--> <html class="no-js" lang="en-US"> <!--<![endif]-->;

set_real_ip_from <head>;

set_real_ip_from <title>Attention Required! | Cloudflare</title>;

set_real_ip_from <meta name="captcha-bypass" id="captcha-bypass" />;
  
...

How do I fix this?

Link to post
40 minutes ago, LoneTraveler said:

I'm taking a shot in the dark, but check that you have set your headers correctly;

 

https://www.getpagespeed.com/server-setup/nginx/cloudflare-and-nginx-automatic-sync-of-cloudflare-trusted-ip-addresses/amp

What settings are we talking about? The hosts in nginx Proxy Manager are all docker containers, in which I didn't configure headers.

The content of the uploaded code on the Cloudflare page refers to entering a captcha. Perhaps the script for updating IP ranges from Cloudflare stumbles on a captcha?

Edited by d0xt0p
Link to post
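
The failure described in the posts above, where a challenge page ended up inside "set_real_ip_from" directives, can be avoided by validating every fetched line as a CIDR range before the include file is rewritten. This is an added example, not code from Nginx Proxy Manager or the container; the function names and the two sample bodies are constructed for illustration.

```python
import ipaddress

# Constructed sample: a healthy list, using the two ranges quoted in the post above.
GOOD_BODY = "2600:9000:f000::/36\n2600:9000:eee::/48\n"
# Constructed sample: an HTML challenge page returned in place of the list.
CAPTCHA_BODY = "<!DOCTYPE html>\n<head>\n<title>Attention Required! | Cloudflare</title>\n"


class RangeListError(ValueError):
    """Raised when a fetched body is not a clean list of CIDR ranges."""


def parse_ranges(body):
    """Return the validated networks; raise if any non-blank line is not a CIDR."""
    networks = []
    for lineno, raw in enumerate(body.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            # strict=False normalises entries that carry host bits.
            networks.append(ipaddress.ip_network(line, strict=False))
        except ValueError as exc:
            raise RangeListError(
                f"line {lineno}: not a CIDR range: {line[:40]!r}") from exc
    if not networks:
        raise RangeListError("empty range list")
    return networks


def render_conf(networks):
    """Render one set_real_ip_from directive per validated network."""
    return "".join(f"set_real_ip_from {net};\n" for net in networks)


def update_conf(body, current_conf):
    """Return (conf, error). On a bad body the current config is kept unchanged."""
    try:
        return render_conf(parse_ranges(body)), None
    except RangeListError as exc:
        return current_conf, str(exc)


if __name__ == "__main__":
    conf, err = update_conf(GOOD_BODY, "")
    print(conf, end="")
    conf, err = update_conf(CAPTCHA_BODY, conf)
    print("kept previous config:", err)
```

Rejecting the whole body on the first bad line keeps a partially valid response from replacing a known-good trusted-proxy list.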
  • 2 weeks later...

Has anyone been able to get the external (remote) client IP address to forward to the proxied server?

I've skimmed a few pages and run a search over this topic but I can't find anything on getting the client's IP address to the server.

 

For clarity I'm running a site using IIS on Windows Server 2016, with Nginx Proxy Manager fronting the public requests.

My web server only ever sees the IP Address of the docker (my unraid server), which is problematic when my application has IP Address banning implemented for security - I've had to disable it in case someone cottoned on that they could effectively use my own security against me 😐

Edited by Saldash
typos r bad
Link to post
  • 2 weeks later...
On 8/5/2020 at 1:03 PM, Experiment626 said:

Oh it does. But. (and this is a big but).

This is the default: image.thumb.png.da85a0d7c2ca105f08d7f2ce461a630d.png

 

It'll start fine with the defaults on install. (1880, 18443).


Now, if I change http/https to 80/443, it barfs. Because Unraid itself is already using those. It would be fine to live on the default ports, if I was using IPv4 only.
image.thumb.png.5bd82df3d4072f0c5e0cc939732ba17d.png

The problem lies with ipv6. Because you don't forward ipv6 ports (at least I don't, native /56 network to play with).. then https (v6) = 18443, not the expected 443. There's no network translation, therefore no port forwarding. Therefore having ipv6 on anything *other* than 80/443 isn't an option.

So, the way to get around that, is use something other than bridge. But the config won't do custom ports that way. It forces me to use the defined ports only. So I'm back to square 1. Can't use v6 with the docker.

Did you find a good solution for this? I have the same issue. IPv4 NAT'ted (so I don't care for the ports) but native IPv6 so it needs to be 80/443. I did open a ticket but no response yet https://github.com/jlesage/docker-nginx-proxy-manager/issues/117

 

I'm currently in the process of having my own fork, building the container (set to 80/443) but now I'm getting stuck with "bind :80 permission denied" errors.

 

edit:

 

I have it working :) 

 

It does require my fork/build that has some changes in the original Dockerfile https://hub.docker.com/r/mattie112/docker-nginx-proxy-manager

The changes are: port 80 instead of 8080 and port 443 instead of 4443. Plus: nginx needs to run as 'root' or it won't have permission to open a port < 1024

 

I also needed to change the "Host access to custom networks" setting to Enabled (Unraid Docker config) as I could ping everything except my Unraid host from within the nginx-proxy-manager container. Please feel free to try this out and let me know if I can assist :)

Edited by mattie112
Link to post
On 7/9/2020 at 3:10 AM, bdydrp said:

I have a situation with one of my dockers on a vlan (.20 network)  needing to write files to unraid (.1 network)

Is this what Streams would be used for? Or could someone explain what they are?

 

I have NodeRed on br0.20 and my Alexa palette needs access to read/write a file to my cache drive residing on host network

When i disable my firewall rule to block VLAN 20 to Main Lan, the node works.

 

I'm unsure if streams (or is correct application) would work, or i need to look at my firewall rules to only allow access to unraid

Thanks

Hello, Not sure if this has been resolved and/or even know the whole story as didn't read rest of replies, so please excuse me but from up above, I would put back the firewall rule to block vlan20 to main lan. I don't know what you are using for firewall or your setup but by default, firewall rules should process from top to bottom. That being said, above the rule you just set, I would make another rule to allow, from vlan20 for the application, ip address, port on the main lan. This will allow that app to communicate from vlan 20 to main lan and nothing else. Hope this works. If your rules are blocking the opposite way, you will need to create another rule from the other side from host network to vlan20. Hope this helps and as I said, not sure of whole story.

Link to post
On 10/10/2020 at 4:15 AM, Master_of_None said:

Hello, Not sure if this has been resolved and/or even know the whole story as didn't read rest of replies, so please excuse me but from up above, I would put back the firewall rule to block vlan20 to main lan. I don't know what you are using for firewall or your setup but by default, firewall rules should process from top to bottom. That being said, above the rule you just set, I would make another rule to allow, from vlan20 for the application, ip address, port on the main lan. This will allow that app to communicate from vlan 20 to main lan and nothing else. Hope this works. If your rules are blocking the opposite way, you will need to create another rule from the other side from host network to vlan20. Hope this helps and as I said, not sure of whole story.

Hi, I have this sorted now precisely as you described

I'm using pfSense and I have my IOT vlan blocked from accessing my main lan. But above this rule, I added another rule, so that Nodered docker IP on vlan20 can access main lan.

Has been working well

 

Cheers

Link to post

I just had to reinstall after my docker image was corrupted. I stopped all my dockers, stopped the docker service then deleted the docker image. Reinstalled all of my dockers from the previously installed app list. When I start up nginxproxymanager it never finishes starting. The log follows.

 


[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-app-niceness.sh: executing...
[cont-init.d] 00-app-niceness.sh: exited 0.
[cont-init.d] 00-app-script.sh: executing...

Link to post

Can anyone advise on how you properly configure a reverse proxy host to use websockets in a reverse proxy? I'm trying to put code-server behind a reverse proxy and Authelia. I can get authenticated and hit the code-server container but I think something is not being routed correctly for websocket since I see the browser kicking out a bunch of script related errors. I have it enabled in the GUI and below is my config. I'm aware that depending on how the application was written, I have to proxy absolute paths as well to get the appropriate resources and that's what the additional locations are doing (hopefully).

 

16.conf.txt

Edited by crazykidguy
added config as txt file
Link to post

I'm hoping someone can give me a hand with a problem. I'm using NginxProxyManager with Cloudflare and DuckDNS for several dockers which all work fine. However, I also have an Ubuntu VM running with a couple of Wordpress sites and a Mastodon instance with its own dedicated IP. Regardless if I send the domains directly to DuckDNS or send to Cloudflare first, I can't get the sites to load. I always get a too many redirects error.

 

On the Ubuntu server I have VestaCP installed because I let a friend control his own domains. Regardless, I'm not sure what is causing the error. I've tried disabling SSL in NginxProxyManager as well as VestaCP but no matter what I do I get the error. It's all a little convoluted but here's what I've tried:

 

Namecheap -> Cloudflare -> DuckDNS -> NginxProxyManager -> VestaCP

 

Namecheap -> DuckDNS -> NginxProxyManager -> VestaCP

 

I've tried disabling SSL first in NginxProxyManager and then in VestaCP thinking having SSL enabled in both was causing the issue but it wasn't.

 

If I remove both then the error changes to connection lost.

 

Does anyone have a solution to resolving the issue?

Edited by thunderclap
Link to post

So I decided to cut out the VM and try setting up Wordpress in dockers instead. Doing it this way everything is passed through exactly like my subdomains: Namecheap --> Cloudflare --> NginxProxyManager. I figured doing this would make it work since I have no issues with my subdomain dockers.

 

Wrong... I'm still getting too many redirects. So I'm stumped, does anyone have any ideas how to resolve this? Very much appreciated.

Link to post

Can you explain a bit more how it is configured?

 

You have a (sub)domain that has an A record to what? Cloudflare? And then Cloudflare is linked to your NPM? Can you try to disable cloudflare just to confirm your NPM works as expected?

 

(most easy way would probably be to edit your own /etc/hosts || C:\Windows\system32\drivers\etc\hosts file)

Link to post
4 hours ago, mattie112 said:

Can you explain a bit more how it is configured?

 

You have a (sub)domain that has an A record to what? Cloudflare? And then Cloudflare is linked to your NPM? Can you try to disable cloudflare just to confirm your NPM works as expected?

 

(most easy way would probably be to edit your own /etc/hosts || C:\Windows\system32\drivers\etc\hosts file)

For my Unraid dockers, I have a domain registered through Namecheap. Namecheap points to Cloudflare where I use CNAME's to point the subdomains to DuckDNS and that then points to NginxProxyManager on Unraid. NginxProxyManager then points to the IP of Unraid + the docker port. (eg. Nextcloud, Tautulli, etc.) These all work flawlessly.

 

For other domains (not subdomains) I've tried several set ups. They're registered through Namecheap, Namecheap points to Cloudflare where I use a CNAME to point to DuckDNS that then points to NginxProxyManager on Unraid. This is where I've tried several varying configurations.

 

If I use a VM I point the domain name to the VM's IP. Error.

 

If I use a Wordpress docker instead of the VM I use the Unraid IP + the WP docker port. Error.

 

I've cut out Cloudflare and configured Namecheap to use a CNAME to point to DuckDNS. If I point to the docker or VM I get an error.

 

 

Link to post

Can you give the DNS you are using? Just to confirm it resolves correctly.

 

I would suggest to try to do the following:

In your host file add:

yourdomain -> internal.ip.from.unraid

and after you have tested that change it to

yourdomain -> your.external.ip (what it is at that moment not the duckdns stuff)

 

And also:

nonexistingdomain -> internal.ip.from.unraid

 

That should lead to a connection to NPM but as it cannot find a valid proxy host it should display a 404 (or 403) so you can at least confirm it reaches your NPM.

Link to post
6 hours ago, mattie112 said:

Can you give the DNS you are using? Just to confirm it resolves correctly.

 

I would suggest to try to do the following:

In your host file add:

yourdomain -> internal.ip.from.unraid

and after you have tested that change it to

yourdomain -> your.external.ip (what it is at that moment not the duckdns stuff)

 

And also:

nonexistingdomain -> internal.ip.from.unraid

 

That should lead to a connection to NPM but as it cannot find a valid proxy host it should display a 404 (or 403) so you can at least confirm it reaches your NPM.

If you're talking about the DNS I use at home it's NextDNS.

 

As for the host file, are you talking about in the NginxProxyManager docker, the WP docker, or the VM?

Link to post
On 9/8/2020 at 9:51 PM, Foxglove said:

I could probably use it if I could just figure out what nondescript 'internal error' keeps happening whenever I try to get a certificate issued or renewed. The proxy works great, and I can pull sites over http, but I can't get certs for https. Unfortunately I don't know what this error means and I'm hoping someone else may have seen it before.
This error occurs whenever creating or renewing any certificate. Happens consistently, no special steps needed to cause it.

This is usually caused by the container not being accessible from the internet.  You can look at the container's log, you will probably have more details on the error.

Link to post
On 9/27/2020 at 3:19 PM, Saldash said:

Has anyone been able to get the external (remote) client IP address to forward to the proxied server?

I've skimmed a few pages and run a search over this topic but I can't find anything on getting the client's IP address to the server.

 

For clarity I'm running a site using IIS on Windows Server 2016, with Nginx Proxy Manager fronting the public requests.

My web server only ever sees the IP Address of the docker (my unraid server), which is problematic when my application has IP Address banning implemented for security - I've had to disable it in case someone cottoned on that they could effectively use my own security against me 😐

The IP address of the client is in the "X-Forwarded-For" HTTP header.

Link to post
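
For IP banning on the backend, as in the exchange above, the "X-Forwarded-For" value is only reliable when the request actually arrived from the proxy, because any client can send that header itself. The following is an added example, not code from the thread or from Nginx Proxy Manager; it assumes the proxy puts the address it saw as the last entry, and 192.0.2.10 is a constructed placeholder for the proxy's address.

```python
import ipaddress

# Assumption: the only host allowed to vouch for X-Forwarded-For is the proxy.
# 192.0.2.10 is a constructed documentation address, not a value from the thread.
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr):
    """True when addr belongs to one of the configured proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address to use for ban decisions, or None if it is unknown.

    peer_addr:  source address of the TCP connection seen by the backend.
    xff_header: raw X-Forwarded-For value, or None when the header is absent.
    """
    peer = ipaddress.ip_address(peer_addr)
    # A connection that bypassed the proxy cannot vouch for the header,
    # so the header is ignored and the socket address is used.
    if not _is_trusted(peer):
        return str(peer)
    # Walk right to left: entries to the left of the first untrusted address
    # were supplied by the client and may be forged.
    for hop in reversed((xff_header or "").split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None  # malformed or missing entry: client unknown
        if not _is_trusted(addr):
            return str(addr)
    # Only proxy addresses in the chain: never ban the proxy itself.
    return None


if __name__ == "__main__":
    # Constructed requests: a normal one, then one with a forged first entry.
    print(client_ip("192.0.2.10", "203.0.113.7"))
    print(client_ip("192.0.2.10", "10.9.9.9, 203.0.113.7"))
    print(client_ip("198.51.100.5", "10.9.9.9"))
```

Returning None instead of the proxy address keeps a ban rule from locking out every visitor when the header is missing or malformed.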
