[Support] Djoss - Nginx Proxy Manager



5 minutes ago, Tucubanito07 said:

This is what I see.

 

ls -l /mnt/user/appdata/NginxProxyManagerLive/letsencrypt/live/npm-1/
total 20
-rw-rw-rw- 1 nobody users 692 May 24  2020 README
lrwxrwxrwx 1 nobody users  29 Dec 14 11:21 cert.pem -> ../../archive/npm-1/cert5.pem
lrwxrwxrwx 1 nobody users  30 Dec 14 11:21 chain.pem -> ../../archive/npm-1/chain5.pem
lrwxrwxrwx 1 nobody users  34 Dec 14 11:21 fullchain.pem -> ../../archive/npm-1/fullchain5.pem
lrwxrwxrwx 1 nobody users  32 Dec 14 11:21 privkey.pem -> ../../archive/npm-1/privkey5.pem

Can you check the archive folder for the originals please?

Link to post

4 minutes ago, fmp4m said:

/mnt/cache/appdata/NginxProxyManager/letsencrypt/archive/npm-20

This is for one of the certs. Based on this, seems to be permission issues, correct? How would I be able to fix it, or what permissions does it need?

 

ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-1/
total 16
-rw-r--r-- 1 nobody users 1838 Dec 14 11:21 cert5.pem
-rw-r--r-- 1 nobody users 1586 Dec 14 11:21 chain5.pem
-rw-r--r-- 1 nobody users 3424 Dec 14 11:21 fullchain5.pem
-rw------- 1 nobody users 1704 Dec 14 11:21 privkey5.pem

Edited by Tucubanito07
Link to post
1 minute ago, Tucubanito07 said:

This is for one of the certs. Based on this, seems to be permission issues, correct? How would I be able to fix it, or what permissions does it need?

 

ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-1/
total 16
-rw-r--r-- 1 nobody users 1838 Dec 14 11:21 cert5.pem
-rw-r--r-- 1 nobody users 1586 Dec 14 11:21 chain5.pem
-rw-r--r-- 1 nobody users 3424 Dec 14 11:21 fullchain5.pem
-rw------- 1 nobody users 1704 Dec 14 11:21 privkey5.pem

 

Check certs 6,7,12,13,20 as those are erroring.   Are those files there?  I suspect not.  In which case, you will have to delete those hosts and recreate or manually force those to regenerate.

Link to post
3 minutes ago, fmp4m said:

 

Check certs 6,7,12,13,20 as those are erroring.   Are those files there?  I suspect not.  In which case, you will have to delete those hosts and recreate or manually force those to regenerate.

Here is what I got. I would re-create those but I can't even get into the GUI. That is what I was going to try first.

 

ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-1/
total 16
-rw-r--r-- 1 nobody users 1838 Dec 14 11:21 cert5.pem
-rw-r--r-- 1 nobody users 1586 Dec 14 11:21 chain5.pem
-rw-r--r-- 1 nobody users 3424 Dec 14 11:21 fullchain5.pem
-rw------- 1 nobody users 1704 Dec 14 11:21 privkey5.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-12/
total 16
-rw-rw-rw- 1 nobody users 1931 Jul 11 20:35 cert1.pem
-rw-rw-rw- 1 nobody users 1647 Jul 11 20:35 chain1.pem
-rw-rw-rw- 1 nobody users 3578 Jul 11 20:35 fullchain1.pem
-rw------- 1 nobody users 1704 Jul 11 20:35 privkey1.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-13/
total 16
-rw-rw-rw- 1 nobody users 1923 Jul 11 20:47 cert1.pem
-rw-rw-rw- 1 nobody users 1647 Jul 11 20:47 chain1.pem
-rw-rw-rw- 1 nobody users 3570 Jul 11 20:47 fullchain1.pem
-rw------- 1 nobody users 1704 Jul 11 20:47 privkey1.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-15/
total 16
-rw-r--r-- 1 nobody users 1879 Dec 14 11:21 cert4.pem
-rw-r--r-- 1 nobody users 1586 Dec 14 11:21 chain4.pem
-rw-r--r-- 1 nobody users 3465 Dec 14 11:21 fullchain4.pem
-rw------- 1 nobody users 1708 Dec 14 11:21 privkey4.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-16/
total 16
-rw-r--r-- 1 nobody users 1866 Dec 14 11:21 cert2.pem
-rw-r--r-- 1 nobody users 1586 Dec 14 11:21 chain2.pem
-rw-r--r-- 1 nobody users 3452 Dec 14 11:21 fullchain2.pem
-rw------- 1 nobody users 1704 Dec 14 11:21 privkey2.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-19/
total 16
-rw-r--r-- 1 nobody users 1866 Dec 14 11:21 cert2.pem
-rw-r--r-- 1 nobody users 1586 Dec 14 11:21 chain2.pem
-rw-r--r-- 1 nobody users 3452 Dec 14 11:21 fullchain2.pem
-rw------- 1 nobody users 1704 Dec 14 11:21 privkey2.pem

Link to post

So I did the ones you said and this is what I got. Seems to have the same files.

 

ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-6/
total 16
-rw-rw-rw- 1 nobody users 1956 Oct 14 18:31 cert3.pem
-rw-rw-rw- 1 nobody users 1647 Oct 14 18:31 chain3.pem
-rw-rw-rw- 1 nobody users 3603 Oct 14 18:31 fullchain3.pem
-rw------- 1 nobody users 1704 Oct 14 18:31 privkey3.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-7/
total 16
-rw-rw-rw- 1 nobody users 1952 Oct 14 18:31 cert3.pem
-rw-rw-rw- 1 nobody users 1647 Oct 14 18:31 chain3.pem
-rw-rw-rw- 1 nobody users 3599 Oct 14 18:31 fullchain3.pem
-rw------- 1 nobody users 1704 Oct 14 18:31 privkey3.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-12/
total 16
-rw-rw-rw- 1 nobody users 1931 Jul 11 20:35 cert1.pem
-rw-rw-rw- 1 nobody users 1647 Jul 11 20:35 chain1.pem
-rw-rw-rw- 1 nobody users 3578 Jul 11 20:35 fullchain1.pem
-rw------- 1 nobody users 1704 Jul 11 20:35 privkey1.pem
root@Eleanor:~# ls -l /mnt/cache/appdata/NginxProxyManagerLive/letsencrypt/archive/npm-13/
total 16
-rw-rw-rw- 1 nobody users 1923 Jul 11 20:47 cert1.pem
-rw-rw-rw- 1 nobody users 1647 Jul 11 20:47 chain1.pem
-rw-rw-rw- 1 nobody users 3570 Jul 11 20:47 fullchain1.pem
-rw------- 1 nobody users 1704 Jul 11 20:47 privkey1.pem

Link to post
4 hours ago, fmp4m said:

 

Have you created/configured "proxy.conf" and placed it where it wants it?  An alternative to the proxy.conf file is setting those options in the advanced nginx settings of the advanced location (gear cog).   However I am not proficient with how to format them for this location.

This doesn't apply to NPM. 

 

5 hours ago, mattie112 said:

I can add those directories but the /plex part isn't even working, it's just giving me a 401 error in the first place. I can't even get anywhere with it. 

 

https://github.com/jc21/nginx-proxy-manager/issues/40

 

Seems like an extremely common (and long-term open) request.

The way custom locations portrays itself, everything should already work like this but it just doesn't...?

 

If someone actually has domain.com hosting Organizr and domain.com/plex working please let me know - I'd love to take a look at your exact config.

 

right now while I appreciate everyone's help they seem to just be saying "it's possible" when they may not have it working the way I need it to? 

Link to post

As I have said,  I have mine configured and working.     One thing I am thinking you may have an issue with /plex/ goes to a ".plex.direct" url by translation.  Do you have DNS Rebinding allowed for "plex.direct"?  If not,  ONLY IP:32400/plex will work.   If so, then domain.com/plex/ will work.

Link to post
4 hours ago, Tucubanito07 said:

So I did the ones you said and this is what I got. Seems to have the same files.

 

 

You're welcome.   It appears somehow your fullchain.pem became corrupted (likely blanked out).  Rebuilding would fix this. 

Link to post
26 minutes ago, fmp4m said:

As I have said,  I have mine configured and working.     One thing I am thinking you may have an issue with /plex/ goes to a ".plex.direct" url by translation.  Do you have DNS Rebinding allowed for "plex.direct"?  If not,  ONLY IP:32400/plex will work.   If so, then domain.com/plex/ will work.

How would I check/know if I have DNS rebinding allowed for plex.direct? 

If you mean internally and NAT loopback, then yes that is enabled and working.

 

For what it's worth, I'm getting the same 401 unauthorized when testing via my phone off of WiFi.

I don't understand what would be different about our configs since there's almost zero config in NPM. :/ 

Link to post
11 hours ago, Tucubanito07 said:

How would you rebuild it? Just in case it happens again I know what I can do to try to fix it. 

Hi Tucubanito07,   

 

The npm-01 that had the corrupt PEM would need its "conf" file deleted from the app data. You can copy the conf to another folder and review it to recreate that proxy host. When you delete that conf, NGINXProxyManager will load all but the host that is corrupted (which sometimes can be more than one). You would then re-add that proxy host.

 

Example: npm-01 = jimmy.domain.com
Delete conf (/etc/letsencrypt/renewal/npm-1.conf)

Load NPM

Review hosts for missing one or review the conf file for the missing host info and re-add.

 

However, if it's multiple, then you will have to delete the others in the log with the same error of nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-1/fullchain.pem": PEM_read_bio_X509_AUX() failed (SSL: error:0909006C:PEM routines:get_name:no start line:Expecting: TRUSTED CERTIFICATE)

 

Alternatively you can go to each PEM (certificate folder) and check the fullchainX.PEM (x being whatever number it is in the dir) for validity.

https://ma.ttias.be/nginx-ssl-certificate-errors-pem_read_bio_x509_aux-pem_read_bio_x509-ssl_ctx_use_privatekey_file/

 

openssl x509 -text -noout -in /etc/letsencrypt/live/npm-1/fullchain.pem

 

Link to post
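The manual check described in the post above, run over every certificate folder at once. This is an added example, not part of the original posts or of Nginx Proxy Manager; the function names and status words are made up here, and the sample tree is constructed.

```sh
#!/bin/sh
# Added example: classify each live/npm-N/fullchain.pem before nginx tries to load it.

# check_fullchain FILE: prints a status word and returns a matching code:
#   ok (0), missing (1), empty (2), no-start-line (3), unparsable (4)
check_fullchain() {
    f=$1
    # -e follows symlinks, so a live/ link whose archive/ target is gone is "missing".
    if [ ! -e "$f" ]; then echo missing; return 1; fi
    # A blanked-out file, the failure suspected in the thread.
    if [ ! -s "$f" ]; then echo empty; return 2; fi
    # No PEM header at all is what produces "PEM routines:get_name:no start line".
    if ! grep -Eq -e '^-----BEGIN (TRUSTED )?CERTIFICATE-----' "$f"; then
        echo no-start-line; return 3
    fi
    # The post's manual parse (first certificate only); skipped when openssl is absent.
    if command -v openssl >/dev/null 2>&1 &&
       ! openssl x509 -noout -in "$f" >/dev/null 2>&1; then
        echo unparsable; return 4
    fi
    echo ok
}

# scan_live_certs LETSENCRYPT_DIR: prints one "npm-N status" line per certificate
# and returns non-zero if any of them would stop nginx from starting.
scan_live_certs() {
    root=$1; bad=0
    for d in "$root"/live/npm-*/; do
        [ -d "$d" ] || continue
        name=$(basename "$d")
        status=$(check_fullchain "${d}fullchain.pem") || bad=1
        echo "$name $status"
    done
    return $bad
}

# Constructed sample tree (not the thread's server): npm-1 blanked out,
# npm-2 holding non-PEM text, npm-3 a symlink whose archive target is gone.
make_demo_tree() {
    t=$(mktemp -d)
    mkdir -p "$t/live/npm-1" "$t/live/npm-2" "$t/live/npm-3"
    : > "$t/live/npm-1/fullchain.pem"
    echo 'not a certificate' > "$t/live/npm-2/fullchain.pem"
    ln -s ../../archive/npm-3/fullchain1.pem "$t/live/npm-3/fullchain.pem"
    echo "$t"
}
```

Call `scan_live_certs /etc/letsencrypt` inside the container, or point it at the host-side letsencrypt folder under appdata. Every line that does not end in `ok` names a certificate whose renewal conf is a candidate for the delete-and-re-add step.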
16 hours ago, CorneliousJD said:

How would I check/know if I have DNS rebinding allowed for plex.direct? 

If you mean internally and NAT loopback, then yes that is enabled and working.

 

For what it's worth, I'm getting the same 401 unauthorized when testing via my phone off of WiFi.

I don't understand what would be different about our configs since there's almost zero config in NPM. :/ 

NAT Loopback and DNS Rebinding are completely different. Plex uses "HASH".plex.direct to create DNS entries or proxy to your server. The domain.com/plex service uses this. You can verify this is being done by visiting the /plex location and reviewing the certificate, which you will find is issued to plex.direct. I feel that something is interrupting the connection to /plex (XML-Plugins-API) interface causing you this issue.

Can you create another /anything and point it to a known working interface? sonarr/radarr/npm. If this works, then the config is working and creating the location properly. It would show that it's something needed in advanced config or your router. If it's not working, it shows that it's NPM not creating the location correctly.

 

 

Notes:

 

DNS Rebinding

 

Some routers or modems have a feature known as “DNS rebinding protection”, some implementations of which can prevent an app from being able to connect to a Plex Media Server securely on the local network. For most users, this won’t be an issue, but some users of higher-end routers (or those provided by some ISPs) may run into problems.

Similarly, some DNS providers (including some ISPs) may have this feature.

DNS rebinding protection is meant as a security feature, to protect insecurely-designed devices on the local network against attacks. It provides no benefit for devices that are designed and configured correctly.

Link to post
52 minutes ago, fmp4m said:

NAT Loopback and DNS Rebinding are completely different. Plex uses "HASH".plex.direct to create DNS entries or proxy to your server. The domain.com/plex service uses this. You can verify this is being done by visiting the /plex location and reviewing the certificate, which you will find is issued to plex.direct. I feel that something is interrupting the connection to /plex (XML-Plugins-API) interface causing you this issue.

Can you create another /anything and point it to a known working interface? sonarr/radarr/npm. If this works, then the config is working and creating the location properly. It would show that it's something needed in advanced config or your router. If it's not working, it shows that it's NPM not creating the location correctly.

 

Thank you so much for continuing to reply and trying to help. I really do appreciate it very much!

 

So I added a few other /locations for testing and pretty much nothing works like that.

I can get some pages to load their title in the browser, but no contents, and I can get some to show their authentication pages but then fail to load once logged in, etc.

ALL of these services work fine on sub.domain.com however with no issues.

 

So it seems like it's trying to load the proper site, but for whatever reason having them at a /location vs a subdomain is breaking things.

I used to have a /plex location working in a SWAG/LetsEncrypt config, but it was pretty simple, so I'm not sure what I'm missing here.

 

Here's my old SWAG/LetsEncrypt config

# PLEX CONTAINER
location /plex/ {
    proxy_pass http://10.0.0.10:32400/;
    include /config/nginx/SSO.conf;
}
if ($http_referer ~* /plex/) {
    rewrite ^/web/(.*) /plex/web/$1? redirect;
}

And SSO.conf was all of this

 

client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_bind $server_addr;
proxy_buffers 32 4k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
proxy_hide_header X-Frame-Options;
# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_no_cache $cookie_session;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

If I add all that into the custom config for the location then I'm still not getting anywhere unfortunately.

Something really weird with the /plex location happens too where sometimes it will try to load domain.com:4443/plex (where 4443 is the port NPM runs with my internal network) - Nothing should be configured to ever add port 4443 in there so I'm not sure why that's getting added either.

 

So weird.

Link to post
2 hours ago, CorneliousJD said:

Thank you so much for continuing to reply and trying to help. I really do appreciate it very much!

 

So I added a few other /locations for testing and pretty much nothing works like that.

I can get some pages to load their title in the browser, but no contents, and I can get some to show their authentication pages but then fail to load once logged in, etc.

ALL of these services work fine on sub.domain.com however with no issues.

 

So it seems like it's trying to load the proper site, but for whatever reason having them at a /location vs a subdomain is breaking things.

I used to have a /plex location working in a SWAG/LetsEncrypt config, but it was pretty simple, so I'm not sure what I'm missing here.

 

Here's my old SWAG/LetsEncrypt config

# PLEX CONTAINER
location /plex/ {
    proxy_pass http://10.0.0.10:32400/;
    include /config/nginx/SSO.conf;
}
if ($http_referer ~* /plex/) {
    rewrite ^/web/(.*) /plex/web/$1? redirect;
}

And SSO.conf was all of this

 


client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_bind $server_addr;
proxy_buffers 32 4k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
proxy_hide_header X-Frame-Options;
# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_no_cache $cookie_session;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

If I add all that into the custom config for the location then I'm still not getting anywhere unfortunately.

Something really weird with the /plex location happens too where sometimes it will try to load domain.com:4443/plex (where 4443 is the port NPM runs with my internal network) - Nothing should be configured to ever add port 4443 in there so I'm not sure why that's getting added either.

 

So weird.

Do you have Discord or some other online messenger?  Can you PM me your info so I can troubleshoot directly with you.  I feel we can solve this rapidly that way.

 

Link to post
9 hours ago, CorneliousJD said:

The unRAID Web UI? I wouldn't recommend opening that up. There's something that will help with this coming soon anyways ;)

I think I have not expressed myself very well :) I want to access the Nginx Proxy Manager WebUI through https. Currently I just can access through http://myserverip:7818. If it's possible I want to access it through https://myserverip:7818. For this case it doesn't matter for me if it's verified through a selfmade certificate, as I only access it through the LAN.

Edited by Voss
wrong portnumber
Link to post
On 12/19/2020 at 2:22 AM, Voss said:

I think I have not expressed myself very well :) I want to access the Nginx Proxy Manager WebUI through https. Currently I just can access through http://myserverip:7818. If it's possible I want to access it through https://myserverip:7818. For this case it doesn't matter for me if it's verified through a selfmade certificate, as I only access it through the LAN.

Just reverse proxy the NPM interface itself at proxymanager or npm.domain.com instead. I do not believe you can access locally via HTTPS.

Link to post
21 hours ago, CorneliousJD said:

Just reverse proxy the NPM interface itself at proxymanager or npm.domain.com instead. I do not believe you can access locally via HTTPS.

Couldn't see the wood for the trees :D Thank you! Just to add something that helped me, found some useful tips with access list here using an access list.

Edited by Voss
Link to post

I "resolved" the issue described in my previous post. For those facing similar errors renewing certificates, check your ISP policies. My new ISP has a stricter port policy than my previous one. This ISP blocks port 80, which breaks the Let's Encrypt certificate renewal process.

My solution was to integrate CloudFlare with NPM. That allows for a workaround to the ISP blocking port 80. I hope that helps others.

Link to post
On 12/15/2020 at 1:13 PM, fmp4m said:

Do you have Discord or some other online messenger?  Can you PM me your info so I can troubleshoot directly with you.  I feel we can solve this rapidly that way.

 

So I did PM you but ended up plugging away at this today and I got it...

 

I updated NPM's GitHub issue #40 about this.

https://github.com/jc21/nginx-proxy-manager/issues/40#issuecomment-749770892

 

In short, /plex still wouldn't work for me, but adding /web DID work.

I think it's because the way the plex container expects /web at the end of everything that it worked like this, but regardless, it allows me to fix my issue!

I now have Organizr setup with Plex OAuth, SSO across Plex, Ombi, Tautulli, and "watch on plex" buttons working, all via NPM :)
hope this comment helps someone else in the future!

 

 


Link to post
