[Support] Djoss - Nginx Proxy Manager


Djoss

1455 posts in this topic Last Reply

Recommended Posts

Hej, first off all, thats a really nice container, worked perfectly for tha last year ;)

 

Right now (after reinstalling my unraid server) I am facing a Problem i can't really solve:

I got CGNat from my Provider, so I cant access my router via IPv4 (i'm fine with IPv6 only though).

My URL has a CNAME-Record to a 'myfritz' adress and my server is set as exposed in my Fritzbox. With standard settings on Unraid I'm able to get on the Unraid Login-Page using my URL, since it is available on port 80. I changed this, so NPM is using port 80/443 right now, and it looks like I am redirected to the Proxy (if I am visiting non-exisiting pages I am redirected to the Congratulations-Page).

 

The destination for my NPM is a Nextcloud Docker so far and i am getting results i cannot really interpret well:

 

I always get "ERR_Empty_Response" in Chrome when opening "myurl.com" , but if i try "https://myurl.com" the site does show up (login is not possible tho, i guess its because it isnt encrypted yet. If I try to create an SSL certificate I get an "internal error" (obviously).

 

I hope i havent forgotten anything really dumb... Thanks for your help!

Link to post
  • Replies 1.5k
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Popular Posts

Support for Nginx Proxy Manager docker container   Application Name: Nginx Proxy Manager Application Site: https://nginxproxymanager.jc21.com Docker Hub: https://hub.docker.com/r/jlesage/ngi

You can use my fork for now: https://hub.docker.com/r/mattie112/docker-nginx-proxy-manager (which I will delete if/when this gets implemented by Djoss)   My fork is 100% the same c

I ended up adding a completely new NPM container and was able to register new certs without issue, i guess I'll see if they renew in a couple months. Thanks for your help in troubleshooting, I'm still

Posted Images

Sorry if that was'nt clear:

Unbenannt.thumb.PNG.14bd7bb4cbfd263e0c82dabbc4d5bb58.PNG

 

 

Checked it once again to be sure:

cloud.xxx.com -> "ERR_EMPTY_RESPONSE"

http://cloud.xxx.com -> "ERR_EMPTY_RESPONSE"

https://cloud.xxx.com/login -> "ERR_EMPTY_RESPONSE"

http://cloud.xxx.com/login -> works fine, but no login possible

 

My log just says something like "Challenge Failed". I dont know if there is a more detailed log...

A thing i forgot to mention is, that if i type cloud.xxx.com into my searchbar, it automatically adds /login, so if i reload the page again it works.

 

Edited by I am gRoot
missed some info
Link to post

Well If i switch to http i get an error 400 because i cannot use ssl without a certificate on NPM. How should I use SSL then?

Sorry If I got something terribly wrong here...

Edited by I am gRoot
Link to post

Normally the flow is:

 

http endpoint locally (eg http://1.2.3.4:port)

https endpoint 'exposed' (eg https://domain.com)

 

In this case the application itself (nextcloud) does not need to know anything from SSL, not the cipers not the certificate, nothing. NPM simply accepts the incoming request, handles the SSL part and then forwards the traffic to a local (unencrypted) endpoint.

 

You are doing:

https external -> https internal

In that case you would need to have a SSL cert on both endpoints

 

For example:

image.thumb.png.58ee501010f284d4c2ef893f3b8cdf49.png

 

image.thumb.png.1e252e2ff9e5cba77d1950cb20822b3e.png

Link to post

Ok so i have to make nextcloud to accept http instead of https? As far as I know it doesnt do that..

 

And If I use "https://cloud.xxx.com" it should work, shouldnt it? Because I still get my empty-response-error...

Edited by I am gRoot
Link to post

It should work but I'm assuming you don't have a valid SSL certificate on your nextcloud internal endpoint so I think it will fail somewhere due to that.

 

Nextcloud works fine with http, see my screenshot, I only forward 80 of the nextcloud container to 8888 and use that in NPM

Link to post

Yes I dont have a valid certificate on there, because my plan was to create one with NPM...

If I try Port 80 I can not connect due to a SSL Protocol Error, do I have to change nextclouds config somewhere? Additionally I wanted to Use Port 80 for the NPM itself since I cant forward IPv6 to another port...

Link to post

If you want your NPM to be on 80/443 you'll need to use my fork (or change it yourself): 

 as the current image does not support it (yet).

 

What container are you using for nextcloud? The official container (https://hub.docker.com/_/nextcloud) uses http and suggest you use a reverse-proxy (like NPM) to terminate SSL

 

edit:

So that would be 80 -> 8888 for example in your nextcloud docker config

and then http://unraidip:8888 in NPM

 

Edited by mattie112
Link to post

I'm sorry what I said is not 100% correct. You can use 80/443 but then you MUST use "br0" as network. As your unraid already listens to 80 (and/or 443). By using "br0" your NPM get it's own IP.

 

You really only need my fork if you use IPv6 as you cannot simply forward a port there (and then the solution is to run NPM om 80/443). If you use IPv4 only then yes use br0 and have the config the way you have it.

Link to post

Thanks for you explanation! I will try and see if it helps!

Although I do not fully understand, because I set Unraids Web UI to Port 180... Is there another reason it does not work with Port 80/443 on NPM in Bridge mode?

 

Edit:

I also noticed, that I can open the URLs from my own Network (Nextcloud is still giving me that Error 400, but other Dockers I testet as well as the Unraid UI on Port 180 are okay)

Edited by I am gRoot
Link to post

Hello All 

 

I am after some help please - I am using Nginx Proxy Manager as my reverse proxy. All is fine and I have next cloud working fine. But when I try and download files greater than 1GB the connection gets reset. From what I have read online I need to add the below to my config of Nginx but I am unsure what file to add it to 

 

The command is - Proxy_buffering off; 

 

If anyone could let me know what file I need to add this to that would be great. Or if I am completely on the wrong path any feedback would be welcome. 

 

Thank you  

Link to post
19 minutes ago, IKWeb said:

Hello All 

 

I am after some help please - I am using Nginx Proxy Manager as my reverse proxy. All is fine and I have next cloud working fine. But when I try and download files greater than 1GB the connection gets reset. From what I have read online I need to add the below to my config of Nginx but I am unsure what file to add it to 

 

The command is - Proxy_buffering off; 

 

If anyone could let me know what file I need to add this to that would be great. Or if I am completely on the wrong path any feedback would be welcome. 

 

Thank you  

 

It needs to be added to the proxy module config (http://nginx.org/en/docs/http/ngx_http_proxy_module.html#proxy_buffering)

 

Afaik that can be simply added to the "custom nginx configuration" in NPM

 

image.png.24892f3cc0fa6de3fc8f344605f500cb.png

 

I would suggest to simply try it...

 

And if it doesn't work you can try to manually edit the file in /mnt/user/appdata/NginxProxyManager/nginx/proxy_host

Link to post

I am running this Nginx Proxy Manager container and I successfully set up a reverse proxy for Plex:

  • Created a "dynamic" subdomain in CloudFlare updated with my current WAN IP
  • Created a "plex" subdomain in CloudFlare using a CNAME record pointing to the "dynamic" subdomain
  • Cloudflare SSL/TLS encryption mode is set to "Full"
  • Cloudflarte Always Use HTTPS is "On"
  • Created a host in Nginx that redirects fromn the "plex" subdomain to the IP address and port that the Plex UI is running on in Unraid with:
    • Cache assets on
    • Block Common Exploits on
    • Requested a new SSL certificate from Let's Encrypt with:
      • Force SSL on
      • HTTP/2 Support on
      • HSTS Enabled on
      • HSTS Subdomains on

This all seems to work well. Now, when I come to create a reverse proxy host for other services (doign exactly the same as above), they always seem to fail when trying to get a new certificate. Looking in the letsencrypt.log I can see:

Quote

2021-06-25 11:29:09,684:WARNING:certbot._internal.auth_handler:Challenge failed for domain deluge.mydomainname.tld
2021-06-25 11:29:09,685:INFO:certbot._internal.auth_handler:http-01 challenge for deluge.mydomainname.tld
2021-06-25 11:29:09,685:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: deluge.mydomainname.tld
Type:   unauthorized
Detail: Invalid response from https://deluge.mydomainname.tld/.well-known/acme-challenge/d8P36g6MnsO3PnL-dUsN-XQzFzMNAOtXeAfHj2Pnsys [2606:4700:3032::6815:1f71]: "<!DOCTYPE html>\n<!--[if lt IE 7]> <html class=\"no-js ie6 oldie\" lang=\"en-US\"> <![endif]-->\n<!--[if IE 7]>    <html class=\"no-js "

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address.


Can anyone give me some pointers as to why I can create my first reverse proxy but no more? I assume I am forwarding the ports in my router correctly to Nginx otherwsie none of them would work. Is trying to create a cert per subdomain the correct thing to do?

 

Thanks!

Link to post

It seem to resolve to a IPv6 address (http://[2606:4700:3032::6815:1f71]/) that gives me an error. Do you get the NPM "welcome" page when you go to yourdomain.tld? Letsencrypt needs unencrypted (port 80/http) access in order to create a certificate.

 

And also are you sure `deluge.mydomainname.tld` resolves correctly?

Link to post
1 hour ago, mattie112 said:

Do you get the NPM "welcome" page when you go to yourdomain.tld? Letsencrypt needs unencrypted (port 80/http) access in order to create a certificate.

Thanks, I thought that Letsencrypt would be contacting my server on the subdomain deluge.yourdomain.tld rather than yourdomain.tld?
 

Anyway, since you say that Letsencrypt needs an unencrypted port I changed the "SSL/TLS encryption mode" setting in Cloudflare from Full to Flexible to allow that insecure connection and then I could get my certificates. One I had done that I set "SSL/TLS encryption mode" back to Full and everything seems to be working.

I still think I have misunderstood something and I don't think I should have to relax "SSL/TLS encryption mode" every time I want to create a new host in NPM. This is the setting I have to relax each time:image.png.90ac5d306835065ce3a577ee755299fe.png

Link to post

I dont use CloudFlare myself (don't see the need for that). But: letsencrypt needs an unencrypted connection always! (So every 90 days to renew).

 

Why?

Well if you don't have a valid certificate how can letsencrypt connect to your server to verify?

 

But: perhaps you can only allow the /.well_known directory? That is what letsencrypt uses

Link to post
54 minutes ago, mattie112 said:

Well if you don't have a valid certificate how can letsencrypt connect to your server to verify?

 

Yes, I guess it's a case of the chicken and egg. I'm sure the guide I followed set Cloudflare to force encryption all the way but didn't have this issue. Maybe I miss-remember and they set the full encryption setting on at the end of the process. Thanks for your help, I'm happy it is working correctly and now adding any other NPM hosts will be infrequent it's not really an issue.

Link to post

Hello Everyone,

Since update (yesterday or the day before), I'm not able anymore to get to my internal resources.

The configuration hasn't changed so for example:

 

on the pfsense firewall there is a rule in the DNS which :

 

IF : dashboard.lan --> unraid server ip

 

then I've configured in the proxy manager a rule that if there is a request for dashboard.lan it have to redirect to : unraidserver:port

 

It has worked flawlessly before the update, now the connection is refused

 

Can someone please help?

Edited by TDA
Link to post

Can you confirm you cannot reach your NPM? Or NPM cannot reach a container?

 

Assuming the first case:

double-check if your unraid/NPM still has the same IP and if you can view NPM by using the IP instead of the hostname

Link to post
5 minutes ago, mattie112 said:

Can you confirm you cannot reach your NPM? Or NPM cannot reach a container?

 

Assuming the first case:

double-check if your unraid/NPM still has the same IP and if you can view NPM by using the IP instead of the hostname

Was this supposed to be an answer to my question?
If yes.

As said, the only thing that doesn't work anymore is internal (.lan) websites.

I can reach the NPM, my external website are working.

Only my internal one are refusing connectino.

Link to post
24 minutes ago, mattie112 said:

Did you confirm the IPs?

 

So:

'ping internal.lan' -> does that resolve to your unraid server (or npm docker address) correctly

Yes it does.

Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.