[Support] Djoss - Nginx Proxy Manager


Djoss

1415 posts in this topic Last Reply

Recommended Posts

I seem to get either a Cloudflare 522 or 523 when accessing any of my subdomains. Followed multiple guides but have had no luck. If anyone can take the time to help me figure out what I have configured wrong I'd greatly appreciate it. Let me know what information you need.

Link to post
  • Replies 1.4k
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

Support for Nginx Proxy Manager docker container   Application Name: Nginx Proxy Manager Application Site: https://nginxproxymanager.jc21.com Docker Hub: https://hub.docker.com/r/jlesage/ngi

You can use my fork for now: https://hub.docker.com/r/mattie112/docker-nginx-proxy-manager (which I will delete if/when this gets implemented by Djoss)   My fork is 100% the same c

Found it; maybe others can be helped with this as well. Had to add the line add_header X-Frame-Options "SAMEORIGIN"; to the "default" config file in /appdata/nextcloud/nginx/site-conf

Posted Images

On 11/30/2020 at 5:24 PM, Spectral Force said:

Yeah that's definitely wrong.  I'll try changing the subdomain and see if that works.

 

Even with a new subdomain it still is going to that smiles survey, which is weird, should I contact my domain provider at this point?

I just got into this and I was dumb enough to use server.duckdns.com - and that one gets resolved to the survey-smiles.com

For future reference, it should be duckdns.org.

Link to post
Posted (edited)

Hi Lads,

 

First of all I thank the author for this wonderful Docker. Was able to setup without problem.

 

Now, it's time to take to the next level and here's what I want to accomplish with it.

 

Mission: Bypass 4G LTE Double NAT connection, so I can host web services on my local Unraid Server, primarily for Nextcloud and Bitwarden Self Hosting.

 

NOTE 1: Im not sure on how to attack this one, the Idea is to use the VPS IP, circumvent double NAT, so anyone on the Internet can visit nextcloud.domain.tld, will be forwarded to the Nextcloud Docker hosted in Unraid.

 

NOTE 2: I don't know how to forward straight to the NPM Docker IP

 

I Need Help With: Port Forwarding or Tunneling to help accomplish the mission.

 

What I've Tried So Far:

1. SSH Remote Port Forwarding:

Works, but not ideal for production use, IMO.

 

2. Using a VPS + Wireguard VPN + IP Tables Forwarding + Nginx Proxy pointing to the NPM:

This worked for the http connection, but not with https. 

 

Details of the setup:

- NPM IP: 192.168.254.107

- NPM Already Created The SSL Certs, when I used SSH Tunnel Port Forward

- WG VPN SERVER - THE VPS: 10.66.66.1

- WG VPN CLIENT (with NGINX Installed on Ubuntu): 10.66.66.11

- IP TABLES PORT FORWARD TO: 80, 443, 8080, 4443 (8080/4443, for testing purposes)

- WG VPN CLIENT: Ubuntu 20.04 Server with Nginx for Proxy Pass

- Nginx Config (Im not good at this, just copy pasted from Google):

server {
    listen 80;
    server_name nextcloud.domain.tld;

    location / {
            proxy_pass http://192.168.254.107:8080/;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
    }
}


server {
    listen 443;
    server_name nextcloud.domain.tld;

    location / {
            proxy_pass http://192.168.254.107:4443/;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
    }
}

 

 

 

Edited by garydapogi
Link to post

So to confirm:

 

You have 4G internet and you don't want to use that external IP but you want to use a VPN external IP?

 

Can you (from an other connection) access yourip:80 and yourip:443 this is really the first step, if that doesn't work there is no need in debugging NPM.

 

I assume something like this should work:

 

Unraid (or router) -> has VPN connection so it can receive traffic from VPNSERVER. Your VPNSERVER will forward ALL traffic on 80/443 (through iptables yes) to your Unraid. Then your NPM should have just the default config everyone uses.

 

(and yes you could also forward 80 -> 8080 if you prefer in iptables)

 

It looks like you also have Nginx on your VPNSERVER? Why? You want to forward all traffic right, not accept it there and then proxy it to NPM? If you want to accept it there you can simply run NPM on your VPNSERVER :)

Link to post
38 minutes ago, mattie112 said:

So to confirm:

You have 4G internet and you don't want to use that external IP but you want to use a VPN external IP?

 

Yeah  I do. It's the VPS IP address that I want to use. Also, it's not that I don't want to use the external IP - it's because i'ts on a double NATed connection and I don't have control to both of the ISP routers.

 

Quote

Can you (from an other connection) access yourip:80 and yourip:443 this is really the first step, if that doesn't work there is no need in debugging NPM.

 

No problem there, hitting the VPS' IP address will take visitor to NPM default/welcome page.

 

Visiting the actual host names of my nextcloud and bitwarden docker will bring up the right pages or home page. This is when using port 80. Once I type the https version - here is where the problem kicks off.

 

And I don't want to do this:

Quote

I assume something like this should work:
Unraid (or router) -> has VPN connection so it can receive traffic from VPNSERVER. Your VPNSERVER will forward ALL traffic on 80/443 (through iptables yes) to your Unraid. Then your NPM should have just the default config everyone uses.

...if only I can install WireGuard on the NPM docker, then that would be great. I don't have the skills for the time being, not sure how to set that up.

 

You asked:

Quote

It looks like you also have Nginx on your VPNSERVER? Why?

 

Actually, the second server is the Ubuntu VM running on Unraid, it is the VPN Client, NOT the server. It is where NGINX is installed on, then passes the traffic to NPM via proxy_pass. HTTP/S Traffic hitting the VPS IP is being forwarded to this VM.

And Like I mentioned above (NOTE: 1), Im NOT sure how to solve the issue, what workaround to employ.

 

As regard:

Quote

You want to forward all traffic right, not accept it there and then proxy it to NPM? If you want to accept it there you can simply run NPM on your VPNSERVER

 

Well, that would be ideal. 

The problem is, I don't know Docker well. I'm don't know to run it on a server, that's why I choose Unraid to run it for me.

 

If only I can install Wireguard VPN inside NPM Docker, then would work to. That way, I can forward from VPS/VPN straight to NPM via IP tables + VPN.

 

Link to post

I'm trying to update my certificates, every time I hit the update button, it brings up the box saying updating, then the date doesn't change.
Any idea how to fix it?

Link to post
16 hours ago, JT24 said:

I'm trying to update my certificates, every time I hit the update button, it brings up the box saying updating, then the date doesn't change.
Any idea how to fix it?

Is there anything in the logs? If the certificates are "to new" it will not renew them.

Link to post
On 5/10/2021 at 8:45 PM, garydapogi said:

 

Yeah  I do. It's the VPS IP address that I want to use. Also, it's not that I don't want to use the external IP - it's because i'ts on a double NATed connection and I don't have control to both of the ISP routers.

 

 

No problem there, hitting the VPS' IP address will take visitor to NPM default/welcome page.

 

Visiting the actual host names of my nextcloud and bitwarden docker will bring up the right pages or home page. This is when using port 80. Once I type the https version - here is where the problem kicks off.

 

And I don't want to do this:

...if only I can install WireGuard on the NPM docker, then that would be great. I don't have the skills for the time being, not sure how to set that up.

 

You asked:

 

Actually, the second server is the Ubuntu VM running on Unraid, it is the VPN Client, NOT the server. It is where NGINX is installed on, then passes the traffic to NPM via proxy_pass. HTTP/S Traffic hitting the VPS IP is being forwarded to this VM.

And Like I mentioned above (NOTE: 1), Im NOT sure how to solve the issue, what workaround to employ.

 

As regard:

 

Well, that would be ideal. 

The problem is, I don't know Docker well. I'm don't know to run it on a server, that's why I choose Unraid to run it for me.

 

If only I can install Wireguard VPN inside NPM Docker, then would work to. That way, I can forward from VPS/VPN straight to NPM via IP tables + VPN.

 

 

So :80 works great but :443 does not? What is the issue then when visiting a https link? Do you get an error? No connection?

 

You can also run a wireguard docker: https://hub.docker.com/r/linuxserver/wireguard

 

And then on your NPM container:

 

image.thumb.png.e397056e6fb7768ae2df610ddbbe3d1e.png

Link to post

Personally, sometimes the redirections don't work. A reboot fixes the problem but I would like to understand why it doesn't work after a while. In the logs, I have an error concerning certbot :

 

2021-05-12 12:05:01,023:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/opt/certbot/bin/certbot", line 8, in <module>
    sys.exit(main())
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1403, in main
    plugins = plugins_disco.PluginsRegistry.find_all()
  File "/usr/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 237, in find_all
    plugin_ep = cls._load_entry_point(entry_point, plugins, with_prefix=False)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 255, in _load_entry_point
    plugin_ep = PluginEntryPoint(entry_point, with_prefix)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/plugins/disco.py", line 51, in __init__
    self.plugin_cls: interfaces.IPluginFactory = entry_point.load()
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 2461, in load
    self.require(*args, **kwargs)
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 2484, in require
    items = working_set.resolve(reqs, env, installer, extras=self.extras)
  File "/usr/lib/python3.8/site-packages/pkg_resources/__init__.py", line 787, in resolve
    raise DistributionNotFound(req, requirers)
pkg_resources.DistributionNotFound: The 'future<1,>=0' distribution was not found and is required by dns-lexicon
2021-05-12 12:05:01,023:ERROR:certbot._internal.log:An unexpected error occurred:
2021-05-12 12:05:01,023:ERROR:certbot._internal.log:pkg_resources.DistributionNotFound: The 'future<1,>=0' distribution was


If anyone has a solution, I'm interested

Thanks

Link to post

I just install NPM on my openwrt router, it works mostly fine, but I can't setup a working proxy hosts for my unraid server management page, I can setup other apps of this unraid sever just fine, like filebrowser and emby, all with Let's Encrypt ssl cert.

 

When setup unraid itself, I setup like this :

NPM1.png.f0312c4152df67ded00049c39dc3704a.pngNPM2.png.d288d24934405f57346c239f7e643b72.png

it won't recognize my ssl cert, it directly jump to nas.****.com/main, showing: NET::ERR_CERT_AUTHORITY_INVALID

 

If anyone knows the problem or solution, please help.

 

Thank you

 

Link to post

And the certificate is indeed correct? With all the required intermediate certificates? Is it from letsencrypt or an other provider?

 

You can test your certificate with a site like ssllabs.com

Link to post
Posted (edited)
20 hours ago, mattie112 said:

Is there anything in the logs? If the certificates are "to new" it will not renew them.

[5/13/2021] [12:49:40 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[5/13/2021] [12:52:31 PM] [SSL ] › ✖ error Error: Command failed: /opt/certbot/bin/certbot renew --non-interactive --quiet --config "/etc/letsencrypt.ini" --preferred-challenges "dns,http" --disable-hook-validation
Challenge failed for domain xxxx.xxxx.com
Failed to renew certificate npm-2 with error: Some challenges have failed.
Challenge failed for domain xxxx.xxxx.com
Failed to renew certificate npm-4 with error: Some challenges have failed.
Challenge failed for domain xxxx.xxxx.com
Failed to renew certificate npm-5 with error: Some challenges have failed.
All renewals failed. The following certificates could not be renewed:
/etc/letsencrypt/live/npm-2/fullchain.pem (failure)
/etc/letsencrypt/live/npm-4/fullchain.pem (failure)
/etc/letsencrypt/live/npm-5/fullchain.pem (failure)
3 renew failure(s), 0 parse failure(s)

at ChildProcess.exithandler (child_process.js:308:12)
at ChildProcess.emit (events.js:314:20)
at maybeClose (internal/child_process.js:1022:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:287:5)

 

image.thumb.png.f6bd5236b56db59372fc3557471be2e7.png

Edited by JT24
Link to post
5 minutes ago, JT24 said:

image.thumb.png.f6bd5236b56db59372fc3557471be2e7.png

Wait, the ones that are now saying 12 June said 12 May a couple of days ago.
Looks like they have auto updated, they just wait till the last minute to put it through.

I'll see what happens around 21 May.

Link to post
11 hours ago, mattie112 said:

And the certificate is indeed correct? With all the required intermediate certificates? Is it from letsencrypt or an other provider?

 

You can test your certificate with a site like ssllabs.com

Yes, I tested my certs with docker app running on this nas, all correct and working.

 

Just unraid itself won't go with NPM.

 

 

Link to post
  • 2 weeks later...

This Might be dumb lol : Can I use Nginx proxy manager to redirect to br0

 

Hey All,

I have no idea if this is possible but thought I might ask.

Is it possible to use Nginx Proxy Manager to redirect back to local IP for stuff hosted on VM with SSL

I have Nginx Proxy Manager setup and can utilise it for things attributed to custom network 'proxynet'

VM's are using br0 network of course.

I wish to use it to redirect back out to a VM address on my local lan, providing it a domain and a SSL cert on the way.

Is this even possible?

Link to post
24 minutes ago, Joshndroid said:

This Might be dumb lol : Can I use Nginx proxy manager to redirect to br0

 

Hey All,

I have no idea if this is possible but thought I might ask.

Is it possible to use Nginx Proxy Manager to redirect back to local IP for stuff hosted on VM with SSL

I have Nginx Proxy Manager setup and can utilise it for things attributed to custom network 'proxynet'

VM's are using br0 network of course.

I wish to use it to redirect back out to a VM address on my local lan, providing it a domain and a SSL cert on the way.

Is this even possible?

I'm not sure what you mean by redirecting to br0.

But if you have a domain, yourdomain.com you can point the DNS A record to your IP.
In your router, you need to forward port 80 (HTTP) and 443 (HTTPS) to your NPM service.

In NPM you need to point yourdomain.com to where ever it is on your local network, and the port to reach it. So if you wanted to reach cockpit on a Linux VM, you'd point yourdomain.com on port 9090 to the IP of 192.168.1.10 if that was the IP of your VM/service.

Does it make sense?

Link to post
11 minutes ago, Nanobug said:

I'm not sure what you mean by redirecting to br0.

But if you have a domain, yourdomain.com you can point the DNS A record to your IP.
In your router, you need to forward port 80 (HTTP) and 443 (HTTPS) to your NPM service.

In NPM you need to point yourdomain.com to where ever it is on your local network, and the port to reach it. So if you wanted to reach cockpit on a Linux VM, you'd point yourdomain.com on port 9090 to the IP of 192.168.1.10 if that was the IP of your VM/service.

Does it make sense?

 

I have nginx attached to a proxynetwork, as originally advised within spaceinvaderone's lets encrypt video.

I find this to work perfect.

I have multiple dockers running just find while attached to proxynetwork

What i can't seem to get to work is basically, nginx to redirect straight back to a lan address.

Is it possible to hit nginx at 192.168.1.xx have have it kick you back out to a 192.168.1.zz address and supply a cert? (utilising redirect)

I can hit nginx at 192.168.1.xx and push across to 172.1.1.yy and get SSL certs.

What i am trying to do is utilise Nginx as my catch all and push it to either through to the proxynetwork 172....... addresses or redirect back to 192.168........ address if that it at all possible, mainly due to the fact that I cant get my VM to expose itself onto the proxynetwork for it to work that way as it is just not how it works

Link to post

You can only request SSL certificates on a hostname (some.domain.xyz) not on an IP (*). So if you either have your own domain or make up a domain and add it to your local DNS server you could do that yes.

 

*) technically you can sign an IP but this will always be somekind of untrusted self-signed certificate

 

Or are you talking about the service you want to proxy being on an other IP, that should be no problem

Link to post

I am experiencing an issue with calibre-web when reverse proxied through nginx via this container.

These are the nginx configs I have set for this subdomain:
Scheme: http
HTTP/2 Support: On

The calibre-web container is accessible via the internet and works fine for a short time. I do get a message that "You are not securely connected to this site" and that "parts of this page are insecure (such as images)" (mixed content).

After some amount of activity (or 2.5-5 minutes of inactivity), I get re-directed to the login page. This re-direct tends to trigger more often if I am clicking around the application a lot -- for example if I follow 6-10 links (e.g., "Books" to "Settings" to "Top Rated" to "Account", etc) within about 30-45 seconds. It's not unusable, but it is very annoying, especially on mobile where entering my credentials over and over is a chore!

This does not occur via local IP, so the issue is with the reverse proxy setup. Is there some custom Nginx configuration I need to include to stop this from happening? I also use Cloudflare. Could it be something with caching that is making it unhappy? I don't understand how it would control my credentials and log-in status though... I don't see anything in any logs to help troubleshoot the problem. Can anyone suggest where I could look for more info?

Thanks!

Link to post

Hello, please can anyone help? I am running NPM on unraid 6.9.1 and using this container: jlesage/nginx-proxy-manager Everything has been running perfect until now. I haven't changed anyhting up until now and can't understand why none of my domains no longer work. I have posted a screenshot of the log with problems in yellow.. as these we expired or no longer used I removed tehm from NPN, and seen as they were giving me errors I removed them manually using certbot remove command but now I get errors in red (2nd screenshot) 

Please help. This always happens after a few months and I have to remove the container and start again, a pain if you have over 20 hosts. 

Thanks, Craig. 

NPM1.jpg

2021-05-27_12h22_20.png

Link to post

Hello,

I'm getting a "502 Bad Gateway" error.

used 
docker exec -it NginxProxyManager bash
And pinged the container I'm trying to reach, with this result:
64 bytes from 192.168.100.99: seq=0 ttl=64 time=0.103 ms
64 bytes from 192.168.100.99: seq=1 ttl=64 time=0.117 ms
64 bytes from 192.168.100.99: seq=2 ttl=64 time=0.098 ms
64 bytes from 192.168.100.99: seq=3 ttl=64 time=0.099 ms
64 bytes from 192.168.100.99: seq=4 ttl=64 time=0.070 ms
64 bytes from 192.168.100.99: seq=5 ttl=64 time=0.080 ms
64 bytes from 192.168.100.99: seq=6 ttl=64 time=0.097 ms
64 bytes from 192.168.100.99: seq=7 ttl=64 time=0.060 ms
64 bytes from 192.168.100.99: seq=8 ttl=64 time=0.098 ms
64 bytes from 192.168.100.99: seq=9 ttl=64 time=0.096 ms

 

I've also done this:
nc 192.168.100.99 8888 GET /

And got this result:
 

BusyBox v1.31.1 () multi-call binary.

Usage: nc [OPTIONS] HOST PORT  - connect
nc [OPTIONS] -l -p PORT [HOST] [PORT]  - listen

        -e PROG Run PROG after connect (must be last)
        -l      Listen mode, for inbound connects
        -lk     With -e, provides persistent server
        -p PORT Local port
        -s ADDR Local address
        -w SEC  Timeout for connects and final net reads
        -i SEC  Delay interval for lines sent
        -n      Don't do DNS resolution
        -u      UDP mode
        -v      Verbose
        -o FILE Hex dump traffic
        -z      Zero-I/O mode (scanning)

 

From what I'm reading, I can connect to it.

It works on LAN, just not on the subdomain.

Any ideas on how to fix this?

 

Link to post
Posted (edited)

NPM is filling up the docker image

 

I have a problem with NPM in combination with the nextcloud container. I set up everything and it works fine. But when I connect from outside via my (dynamiy duckdns) domain and download a file with several gigabytes (somewhere >2GB) the docker image fills up (/loop2) and I get warnings from unraid. Then some containers crashes (eg jDownloader). The crashed container won't start anymore until I restart the docker engine in unraid. When I download a file via web gui of nextcloud in the LAN, everything works fine. So, the problem is caused by NPM and some sort of caching procedure. I had the same problem with SWAG in the first place, so I changed over to NPM.

 

I searched the net and there are some users encountering the same problem, but no solution yet. Some suggest to check the container directories, because they could point into the docker image. But all directories are set up correctly (in my opinion).

 

I have no idea what to check/adapt.

 

Thanks in advance.

Edited by riddler0815
typo
Link to post
Posted (edited)

Nginx is erroring out with this repeated in logs:

 

nginx: [emerg] cannot load certificate "/etc/letsencrypt/live/npm-26/fullchain.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/letsencrypt/live/npm-26/fullchain.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

 

I woke up to backup/restore v2 completed and no containers/vms exposed. Figured out it was nginx which shit the bed and didnt come back up after backup. Backup simply kills all containers then backs them up then starts again, therefore no changes to my config took place. I tried rolling back to v 1.16.0 with no luck.

 

There is no npm-26 anymore.. that was an old proxy host which is not used anymore.

 

Please let me know what I should do to get this up again :)

 

 

*EDIT* - I just went to the "live" folder and copied/pasted another proxy host folder and renamed as npm-26 and now it works. Seems like something is broken on the code side but this is a quick and dirty workaround.

Edited by hmoney007
Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.