[Support] Djoss - Nginx Proxy Manager



On 11/30/2020 at 4:24 PM, Spectral Force said:

Yeah that's definitely wrong.  I'll try changing the subdomain and see if that works.

 

Even with a new subdomain it is still going to that smiles survey, which is weird. Should I contact my domain provider at this point?

I would suggest doing that, yeah. It seems not to resolve correctly (or at least not to what you expect).

On 11/30/2020 at 9:55 PM, muwahhid said:

Tell me, how can I get a certificate for one domain, but several ports? 
mydomain.com
ports: 443, 444, 445?

You don't.

Your external ip: 1.1.1.1

Your NPM: 192.168.1.1

You forward external:80 and external:443 to NPM

 

Then you can do:

domainA.com -> 1.1.1.1

domainB.com -> 1.1.1.1

domainC.com -> 1.1.1.1

 

NPM can then do:

If I get some connection that wants domainA.com -> go to 192.168.1.2:1234

domainB.com -> 192.168.1.123:80

domainC.com -> 192.168.1.1:9234

 

So NPM is your only "visible" endpoint, and that takes care of multiple hosts / subdomains.

 


Edited by mattie112
5 hours ago, mattie112 said:

As it basically is just Nginx you can look into:

https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/

 

For example:


location /some/path/ {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://localhost:8000;
}

I did not test it, but I assume you can use this in the advanced config part.

That is similar to what I have attempted. For the sake of sanity, I modified the path, address, and port and put it in. I can confirm that it is using the location under the advanced tab as I can break it. However, I am still only seeing the IP of the proxy when I connect to the webserver. If I connect to the webserver directly, I do see the IP of the host I am connecting from. 

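Added example (mine, not from the thread or the NPM project) for the "I still only see the IP of the proxy" problem above: with NPM in front, the backend's TCP peer is always the proxy, so the real client address has to come from the X-Real-IP / X-Forwarded-For headers the location block sets, and the backend must only believe those headers when the connection really came from the proxy. The trusted proxy addresses below are assumptions built from the thread's 192.168.1.1 example.

```python
import ipaddress
from typing import Mapping

# Constructed trust list (assumption): the addresses NPM connects from, as the
# backend sees them. The thread's example puts NPM at 192.168.1.1; the /16 is a
# typical Docker bridge range and only a placeholder for a real proxy subnet.
TRUSTED_PROXIES = [
    ipaddress.ip_network("192.168.1.1/32"),
    ipaddress.ip_network("172.17.0.0/16"),
]


def _as_ip(addr: str):
    """Return an ip_address object, or None if addr is not a valid IP literal."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def is_trusted_proxy(addr: str) -> bool:
    ip = _as_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr: str, headers: Mapping[str, str]) -> str:
    """Address a backend should log, rate-limit or ACL on.

    peer_addr is the TCP peer: with NPM in front that is always the proxy, which
    is why the backend's own access log shows the proxy IP. Forwarding headers
    are honoured only when that peer is a trusted proxy; otherwise anyone who can
    reach the backend directly could forge them.
    """
    hdr = {k.lower(): v for k, v in headers.items()}
    if not is_trusted_proxy(peer_addr):
        return peer_addr

    # nginx's $proxy_add_x_forwarded_for appends the peer it saw to whatever the
    # client sent, so the rightmost untrusted entry is the real client; anything
    # left of it was supplied by the client and is not trustworthy.
    hops = [h.strip() for h in hdr.get("x-forwarded-for", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted_proxy(hop):
            continue          # one of our own proxies; keep walking left
        if _as_ip(hop) is None:
            break             # malformed entry: discard the whole header
        return hop

    # X-Real-IP is overwritten by the proxy from $remote_addr, so it is a safe
    # single-hop fallback when X-Forwarded-For is absent or unusable.
    real = hdr.get("x-real-ip", "")
    if _as_ip(real) is not None:
        return real.strip()
    return peer_addr


if __name__ == "__main__":
    # Constructed requests: one through NPM, one that bypassed it and spoofed a header.
    print(client_ip("192.168.1.1", {"X-Forwarded-For": "203.0.113.5", "X-Real-IP": "203.0.113.5"}))
    print(client_ip("203.0.113.5", {"X-Forwarded-For": "10.0.0.1"}))
```

Most backend applications have a "trusted proxies" setting that does this peer check for you; whichever way it is done, the point is that a client able to reach the backend directly cannot pick the address that ends up in your logs or allow-lists.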

Oh boy, 46 pages is a lot to go through.

 

Just a few questions.

 

1. (My most important for now) Is it possible to get mydomain.com/plex working as a custom location instead of a subdomain? (This is for Organizr SSO with Plex, which requires a /plex location and NOT a subdomain.)

 

2. What exactly is caching of assets doing?

 

3. When would you NOT want Websockets, blocking of common exploits, and HTTP/2 enabled?

 

4. HSTS seems like overkill for a lot of services; am I wrong on this?

 

Thank you in advance!

2 hours ago, CorneliousJD said:

Oh boy, 46 pages is a lot to go through.

 

Just a few questions.

 

1. (My most important for now) Is it possible to get mydomain.com/plex working as a custom location instead of a subdomain? (This is for Organizr SSO with Plex, which requires a /plex location and NOT a subdomain.)

 

2. What exactly is caching of assets doing?

 

3. When would you NOT want Websockets, blocking of common exploits, and HTTP/2 enabled?

 

4. HSTS seems like overkill for a lot of services; am I wrong on this?

 

Thank you in advance!

HSTS by itself won't do anything; you need to use something like Cloudflare, where you can enable HSTS. I don't know much about it. This is what I read somewhere.

Caching assets: I had it on for everything, but one day I had some problems with Nextcloud. If you run NPM on the same machine as the services you reverse proxy, I don't think you will get any benefit from caching them. Also, caching is only beneficial for static content. If you have a lot of static content and you need more speed, I would create a Cloudflare account and cache it there.

 

This is all the info I could give; I'm sure the big brains here will help you more!

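Added example, not from the thread: what a browser actually does with the Strict-Transport-Security header that the HSTS toggle makes the server send. The parser follows RFC 6797; the includeSubDomains branch is what can make HSTS feel like overkill for a whole domain, because it pins every subdomain (plex.example.com, nextcloud.example.com, ...) to HTTPS for max-age seconds, including hosts that are not behind NPM. Host names and header values in it are constructed.

```python
from dataclasses import dataclass
from typing import Mapping, Optional


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int              # seconds the browser remembers "https only" for the host
    include_subdomains: bool  # policy also covers every subdomain
    preload: bool             # request for inclusion in browser preload lists


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns None when a browser would ignore the header: max-age missing or
    non-numeric, or a directive repeated. Unknown directives are ignored.
    """
    max_age: Optional[int] = None
    include_subdomains = preload = False
    seen = set()
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name in seen:
            return None
        seen.add(name)
        if name == "max-age":
            if not arg.isdigit():
                return None
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    if max_age is None:
        return None
    return HstsPolicy(max_age, include_subdomains, preload)


def effective_hsts(scheme: str, headers: Mapping[str, str]) -> Optional[HstsPolicy]:
    """What a browser would store after one response: the header is only
    honoured when it arrived over HTTPS (RFC 6797 section 8.1)."""
    if scheme.lower() != "https":
        return None
    for name, value in headers.items():
        if name.lower() == "strict-transport-security":
            return parse_hsts(value)
    return None


def applies_to(policy: HstsPolicy, known_host: str, request_host: str) -> bool:
    """Would a policy stored for known_host force a plain http:// request to
    request_host up to https://? max-age=0 means the host was forgotten."""
    if policy.max_age == 0:
        return False
    known = known_host.lower().rstrip(".")
    req = request_host.lower().rstrip(".")
    if req == known:
        return True
    return policy.include_subdomains and req.endswith("." + known)


if __name__ == "__main__":
    # Constructed response from example.com with subdomains pinned.
    policy = effective_hsts("https", {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"})
    print(policy, applies_to(policy, "example.com", "plex.example.com"))
```

The practical check before switching the toggle on for a bare domain: list every host under that domain that is still reachable over plain HTTP, because once a browser has seen the header from example.com with includeSubDomains, it will refuse plain HTTP to all of them until max-age runs out.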
14 hours ago, skois said:

HSTS by itself won't do anything; you need to use something like Cloudflare, where you can enable HSTS. I don't know much about it. This is what I read somewhere.

Caching assets: I had it on for everything, but one day I had some problems with Nextcloud. If you run NPM on the same machine as the services you reverse proxy, I don't think you will get any benefit from caching them. Also, caching is only beneficial for static content. If you have a lot of static content and you need more speed, I would create a Cloudflare account and cache it there.

 

This is all the info I could give; I'm sure the big brains here will help you more!

This makes sense, especially about caching; there is no real benefit to caching anything if I'm running nearly everything on this same Unraid box.

 

Only thing I need better performance on is Nextcloud and I don't know if anything can be done for that haha. 

 

Still would like to find answers to the following.

 

1. (My most important for now) is it possible to get mydomain.com/plex working as a custom location instead of a subdomain (This is for Organizr SSO with Plex, which requires a /plex location and NOT a subdomain.

 

2. When would you NOT want Websockets, blocking of common exploits, and HTTP/2 enabled?

1 hour ago, fmp4m said:

You can add your TLD example.com and under custom locations point it to /plex. 


Ok so I have my TLD domain.com pointed to organizr, and then adding /plex like this doesn't work. 

 


 

And then under custom locations; Plex is on 32400 for me, FYI.

 


 

Then when I try to go to domain.com/plex I just get...

 


I recently moved and am now having problems renewing my certificates. My issues are similar to what others have posted here, but I am having a difficult time finding whether a solution was found. The problem is:

1. When the docker is first started the log says:

⚠ warning Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-31" --agree-tos --email "myEmail@email.com" --preferred-challenges "dns,http" --domains "<mysubdomain.mydomain.com"
Another instance of Certbot is already running

And then a bunch of challenges fail.

2. When I attempt to manually renew or add SSL certificates from within the interface I get an "Internal Error" notification and the same message as in #1 in the docker log.

3. When I go to the console and attempt "certbot renew --dry-run" as suggested by @mattie112, the challenges fail and I get the following:
 

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mysubdomain.mydomain.com
   Type:   connection
   Detail: Fetching
   http://mysubdomain.mydomain.com/.well-known/acme-challenge/hlQQ3HIdDm_aurZNHIpTu3jjgUe3KwBRcOtRtwhk5Vg:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I can ping from within the nginxproxymanager docker console. My ports 80 and 443 are forwarded to 180 and 1443 and those are mapped to the nginxproxymanager docker just as they were when things were functional prior to the move.

When I set things up in my new location I did register my new WAN IP address with duckdns.org to reflect this IP change. My websites are accessible via the internet, but some give me a warning that they are unsafe because of self-signed certificates. Some (e.g. nextcloud) won't allow me to upload files to the server and they time out.

I'm not sure what else needs to be done. Could this be something with the new ISP or am I missing something?

Thanks!

On 12/11/2020 at 6:49 PM, fmp4m said:

I successfully have plex.domain.com set up and working. I also have plex.domain.com/plex working.

 

401 Unauthorized is expected IF you are not logged in, for the /plex to work. However, my /plex location is https, not http; is yours?

 

I'm not sure how 401 would be expected? There is nothing that needs to be logged in for that to work, but regardless, I'm logged into NPM, Plex, and Organizr.

 

I would also *need* just domain.com/plex to work, I already have plex.domain.com but plex.domain.com/plex/ wouldn't work with Organizr's SSO authentication anyways from my understanding? 

 

Also my local plex is HTTP via docker container, but once it's reverse proxied via NPM it would be at https://domain.com/plex, if it would work without the 401 error. 

 

Also even if I try to setup plex.domain.com/plex I still get the same 401 error... 

 

Main plex.domain.com entry


 

then the custom location 


 

Still results in 


 

 

It's hard to imagine I'm doing something that wrong since there's hardly any settings to speak of.

Edited by CorneliousJD

Hello all,

 

Has anyone encountered this issue? Nothing has changed and all of a sudden this started to happen. Any help is greatly appreciated.

 

[nginx] starting...
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-20/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-20/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Edited by Tucubanito07
10 hours ago, CorneliousJD said:

 

I'm not sure how 401 would be expected? There is nothing that needs to be logged in for that to work, but regardless, I'm logged into NPM, Plex, and Organizr.

 

I would also *need* just domain.com/plex to work, I already have plex.domain.com but plex.domain.com/plex/ wouldn't work with Organizr's SSO authentication anyways from my understanding? 

 

Also my local plex is HTTP via docker container, but once it's reverse proxied via NPM it would be at https://domain.com/plex, if it would work without the 401 error. 

 

Also even if I try to setup plex.domain.com/plex I still get the same 401 error... 

 

Main plex.domain.com entry


 

then the custom location 


 

Still results in 


 

 

It's hard to imagine I'm doing something that wrong since there's hardly any settings to speak of.

Perhaps you need to also add some other directories? For example I found this post:

https://www.reddit.com/r/PleX/comments/3xz4ph/plex_behind_a_ssl_nginx_reverse_proxy/cy9l9fj/?utm_source=reddit&utm_medium=web2x&context=3

1 hour ago, Tucubanito07 said:

Hello all,

 

Has anyone encountered this issue? Nothing has changed and all of a sudden this started to happen. Any help is greatly appreciated.

 

[nginx] starting...
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-20/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-20/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Did you try the things I suggested a few weeks ago:

(also see the other posts on that page)

 

16 hours ago, njdowdy said:

I recently moved and am now having problems renewing my certificates. My issues are similar to what others have posted here, but I am having a difficult time finding whether a solution was found. The problem is:

1. When the docker is first started the log says:


⚠ warning Command failed: /usr/bin/certbot certonly --non-interactive --config "/etc/letsencrypt.ini" --cert-name "npm-31" --agree-tos --email "myEmail@email.com" --preferred-challenges "dns,http" --domains "<mysubdomain.mydomain.com"
Another instance of Certbot is already running

And then a bunch of challenges fail.

2. When I attempt to manually renew or add SSL certificates from within the interface I get an "Internal Error" notification and the same message as in #1 in the docker log.

3. When I go to the console and attempt "certbot renew --dry-run" as suggested by @mattie112, the challenges fail and I get the following:
 


IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: mysubdomain.mydomain.com
   Type:   connection
   Detail: Fetching
   http://mysubdomain.mydomain.com/.well-known/acme-challenge/hlQQ3HIdDm_aurZNHIpTu3jjgUe3KwBRcOtRtwhk5Vg:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.

I can ping from within the nginxproxymanager docker console. My ports 80 and 443 are forwarded to 180 and 1443 and those are mapped to the nginxproxymanager docker just as they were when things were functional prior to the move.

When I set things up in my new location I did register my new WAN IP address with duckdns.org to reflect this IP change. My websites are accessible via the internet, but some give me a warning that they are unsafe because of self-signed certificates. Some (e.g. nextcloud) won't allow me to upload files to the server and they time out.

I'm not sure what else needs to be done. Could this be something with the new ISP or am I missing something?

Thanks!

You can try to stop your docker container and then use the `exec` step so that you are the only one running certbot. I assume a restart of the container did not work? You can check to see if your DNS is configured correctly by using https://dnscheck.ripe.net/ for example. (Or sharing your domain here)


@CorneliousJD I think I finally, through troubleshooting, figured out a fix that will work for your environment.

In your Organizr SSO setup, point it to the local IP/Docker IP of Plex: http://IP:32400/plex. I was digging in my SSO settings and any local comms go through these on my setup; only externally clickable links etc. do not.

13 minutes ago, fmp4m said:

@CorneliousJD I think I finally, through troubleshooting, figured out a fix that will work for your environment.

In your Organizr SSO setup, point it to the local IP/Docker IP of Plex: http://IP:32400/plex. I was digging in my SSO settings and any local comms go through these on my setup; only externally clickable links etc. do not.

Plex SSO doesn't have that type of setup though.

 


 

The reason I'm trying to get this setup is because SSO for Tautulli and Ombi work just fine (they point to local dockerIP:port like you mentioned) but Plex does not, there's no option to do that.

 

Also see here: https://docs.organizr.app/books/setup-features/page/sso#bkmrk-plex

Specifically the part that mentions:

Plex SSO doesn't work if Plex Reverse Proxy is a subdomain

To setup a /plex Reverse Proxy in Nginx, setup the location block

12 minutes ago, CorneliousJD said:

The reason I'm trying to get this setup is because SSO for Tautulli and Ombi work just fine (they point to local dockerIP:port like you mentioned) but Plex does not, there's no option to do that.

 

Also see here: https://docs.organizr.app/books/setup-features/page/sso#bkmrk-plex

Specifically the part that mentions:

Plex SSO doesn't work if Plex Reverse Proxy is a subdomain

To setup a /plex Reverse Proxy in Nginx, setup the location block

 

Have you created/configured "proxy.conf" and placed it where it wants it? An alternative to the proxy.conf file is setting those options in the advanced nginx settings of the advanced location (gear cog). However, I am not proficient with how to format them for this location.

 

client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_bind $server_addr;
proxy_buffers 32 4k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
proxy_hide_header X-Frame-Options;
# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_no_cache $cookie_session;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";


 

Edited by fmp4m
1 hour ago, mattie112 said:

Did you try the things I suggested a few weeks ago:

(also see the other posts on that page)

 

I tried certbot renew --force-renewal and restarted the container, and still nothing. What is really weird is that nothing was done for this to happen. My web UI is not even working, which is also weird. Thank you for your help.

 

This is also what I see.

 

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/npm-12/fullchain.pem (failure)
/etc/letsencrypt/live/npm-13/fullchain.pem (failure)
/etc/letsencrypt/live/npm-6/fullchain.pem (failure)
/etc/letsencrypt/live/npm-7/fullchain.pem (failure)
4 renew failure(s), 0 parse failure(s)

at ChildProcess.exithandler (child_process.js:303:12)
at ChildProcess.emit (events.js:315:20)
at maybeClose (internal/child_process.js:1021:16)
at Socket.<anonymous> (internal/child_process.js:443:11)
at Socket.emit (events.js:315:20)
at Pipe.<anonymous> (net.js:674:12)
[nginx] starting...
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-20/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-20/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

Edited by Tucubanito07
5 minutes ago, Tucubanito07 said:

I tried certbot renew --force-renewal and restarted the container, and still nothing. What is really weird is that nothing was done for this to happen. My web UI is not even working, which is also weird. Thank you for your help.

 

This is also what I see.

 

All renewal attempts failed. The following certs could not be renewed:
/etc/letsencrypt/live/npm-12/fullchain.pem (failure)
/etc/letsencrypt/live/npm-13/fullchain.pem (failure)
/etc/letsencrypt/live/npm-6/fullchain.pem (failure)
/etc/letsencrypt/live/npm-7/fullchain.pem (failure)
4 renew failure(s), 0 parse failure(s)

at ChildProcess.exithandler (child_process.js:303:12)
at ChildProcess.emit (events.js:315:20)
at maybeClose (internal/child_process.js:1021:16)
at Socket.<anonymous> (internal/child_process.js:443:11)
at Socket.emit (events.js:315:20)
at Pipe.<anonymous> (net.js:674:12)
[nginx] starting...
nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-20/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-20/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

 

Have you checked "/etc/letsencrypt/live/npm-20/" or any of the /etc/letsencrypt/live locations to see if the fullchain.pem is there? It seems the symlinking is broken for them.

 

Example: 

drwxrwxrwx 1 nobody users  94 Dec  9 17:01 ./
drwx------ 1 nobody users 138 Dec 11 16:39 ../
-rw-rw-rw- 1 nobody users 692 Jul 30 14:01 README
lrwxrwxrwx 1 nobody users  29 Dec  9 17:01 cert.pem -> ../../archive/npm-1/cert3.pem
lrwxrwxrwx 1 nobody users  30 Dec  9 17:01 chain.pem -> ../../archive/npm-1/chain3.pem
lrwxrwxrwx 1 nobody users  34 Dec  9 17:01 fullchain.pem -> ../../archive/npm-1/fullchain3.pem
lrwxrwxrwx 1 nobody users  32 Dec  9 17:01 privkey.pem -> ../../archive/npm-1/privkey3.pem
 

4 minutes ago, fmp4m said:

 

Have you checked "/etc/letsencrypt/live/npm-20/" or any of the /etc/letsencrypt/live locations to see if the fullchain.pem is there? It seems the symlinking is broken for them.

 

Example: 

drwxrwxrwx 1 nobody users  94 Dec  9 17:01 ./
drwx------ 1 nobody users 138 Dec 11 16:39 ../
-rw-rw-rw- 1 nobody users 692 Jul 30 14:01 README
lrwxrwxrwx 1 nobody users  29 Dec  9 17:01 cert.pem -> ../../archive/npm-1/cert3.pem
lrwxrwxrwx 1 nobody users  30 Dec  9 17:01 chain.pem -> ../../archive/npm-1/chain3.pem
lrwxrwxrwx 1 nobody users  34 Dec  9 17:01 fullchain.pem -> ../../archive/npm-1/fullchain3.pem
lrwxrwxrwx 1 nobody users  32 Dec  9 17:01 privkey.pem -> ../../archive/npm-1/privkey3.pem
 

This is what I see.

 

ls -l /mnt/user/appdata/NginxProxyManagerLive/letsencrypt/live/npm-1/
total 20
-rw-rw-rw- 1 nobody users 692 May 24  2020 README
lrwxrwxrwx 1 nobody users  29 Dec 14 11:21 cert.pem -> ../../archive/npm-1/cert5.pem
lrwxrwxrwx 1 nobody users  30 Dec 14 11:21 chain.pem -> ../../archive/npm-1/chain5.pem
lrwxrwxrwx 1 nobody users  34 Dec 14 11:21 fullchain.pem -> ../../archive/npm-1/fullchain5.pem
lrwxrwxrwx 1 nobody users  32 Dec 14 11:21 privkey.pem -> ../../archive/npm-1/privkey5.pem

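Added example (not from the thread or the NPM project) for the "cannot load certificate ... no such file" error and the `ls -l` listings above: a checker that walks a letsencrypt live/ directory the way certbot lays it out, flags every symlink that no longer points at a file in archive/<lineage>/, and, while it is there, flags a private key that is readable by group or other. The directory tree it runs against is constructed in a temp dir (lineage names borrowed from the thread); point `check_live_dir` at the real live folder (the appdata path in the listing above) to check an installation.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List

# File names certbot keeps as symlinks in live/<lineage>/, pointing into archive/<lineage>/
REQUIRED = ("cert.pem", "chain.pem", "fullchain.pem", "privkey.pem")


def check_lineage(lineage: Path) -> List[str]:
    """Return the problems found for one live/<lineage> directory; [] means healthy."""
    problems: List[str] = []
    archive_dir = (lineage.parent.parent / "archive" / lineage.name).resolve()
    for name in REQUIRED:
        link = lineage / name
        if not link.is_symlink():
            problems.append(f"{name}: missing" if not link.exists()
                            else f"{name}: regular file, not a symlink (certbot will not rotate it)")
            continue
        raw_target = os.readlink(link)
        if not link.exists():  # exists() follows the link; False means it dangles
            problems.append(f"{name}: dangling symlink -> {raw_target}")
            continue
        target = (lineage / raw_target).resolve()
        if target.parent != archive_dir:
            problems.append(f"{name}: points outside archive/{lineage.name} ({target})")
        if name == "privkey.pem":
            mode = stat.S_IMODE(link.stat().st_mode)  # stat() follows the link
            if mode & 0o077:
                problems.append(f"privkey.pem: mode {oct(mode)} is readable by group/other")
    return problems


def check_live_dir(live_root: Path) -> Dict[str, List[str]]:
    """Map each lineage name under live_root to its list of problems."""
    return {p.name: check_lineage(p) for p in sorted(live_root.iterdir()) if p.is_dir()}


def _link_lineage(root: Path, name: str, version: int) -> None:
    """Create live/<name>/ with the four relative symlinks certbot would write."""
    d = root / "live" / name
    d.mkdir()
    for f in REQUIRED:
        os.symlink(f"../../archive/{name}/{f[:-4]}{version}.pem", d / f)


def make_fixture() -> Path:
    """Constructed sample tree, not a real install: one healthy lineage, one with a
    world-readable key, one whose archive directory is gone (nginx's 'no such file')."""
    root = Path(tempfile.mkdtemp(prefix="le-"))
    (root / "live").mkdir()
    archive = root / "archive"
    (archive / "npm-1").mkdir(parents=True)
    for f in REQUIRED:
        (archive / "npm-1" / f"{f[:-4]}5.pem").write_text("-- constructed --\n")
    os.chmod(archive / "npm-1" / "privkey5.pem", 0o600)
    _link_lineage(root, "npm-1", 5)

    (archive / "npm-7").mkdir()
    for f in REQUIRED:
        (archive / "npm-7" / f"{f[:-4]}1.pem").write_text("-- constructed --\n")
    os.chmod(archive / "npm-7" / "privkey1.pem", 0o644)
    _link_lineage(root, "npm-7", 1)

    _link_lineage(root, "npm-20", 1)  # links exist, archive/npm-20 does not
    return root


if __name__ == "__main__":
    fixture = make_fixture()
    for lineage, problems in check_live_dir(fixture / "live").items():
        print(lineage, "OK" if not problems else "")
        for p in problems:
            print("   ", p)
```

A dangling fullchain.pem is exactly what nginx reports at startup in the log above, and because NPM renders every host's server block, one broken lineage stops nginx for all hosts; the checker lets you find which lineage it is before restarting the container.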
