garydapogi Posted April 9, 2022

Hi, newbie here and I need help with the port setting. I tried using custom br0 (used my local subnet), and assigned port 80/443, but when I fire up the container, it changes to other port numbers. See screenshot please.

XisoP Posted April 9, 2022

47 minutes ago, garydapogi said:
> Hi, newbie here and I need help with the port setting. I tried using custom br0 (used my local subnet), and assigned port 80/443, but when I fire up the container, it changes to another port numbers. See screenshot please

I see your nextcloud also uses port 80. Every container/app needs a unique port. Also, you have to forward the WAN ports to your LAN ports in your router 😉 port 80 directs to assigned npm port for http, 443 directs to assigned npm port for http

Edited April 9, 2022 by XisoP

mattie112 Posted April 9, 2022

Nextcloud is on a different IP so that should work. Did you set the port mapping correctly? So 80 on your 'host' and 8080 in the NginxProxyManager for example. Can you show a screenshot of your ports?

(If you need NPM to listen on 80/443 for IPv6 for example and you don't use IPv6NAT you can use my fork: https://github.com/Mattie112/docker-nginx-proxy-manager / https://hub.docker.com/repository/docker/mattie112/docker-nginx-proxy-manager)

garydapogi Posted April 9, 2022

@mattie112 @XisoP I've resolved it. I was using the wrong docker image, so I was expecting a different behavior. Now I have installed the NPM Official, and it went well with my desired setup.

Boo-urns Posted April 15, 2022

OK so I'm pulling my hair out here. I'm trying to expose a Wordpress docker to the internet via Nginx Reverse Proxy (NPM).

I currently own a domain, use cloudflare, and have a NPM docker handling the proxying. For example, I currently have mydomain.com going to overseerr (serverip:5055), and nextcloud.mydomain.com going to nextcloud (serverip:444). Router fwds port 443 to npm. I have 'force SSL' on cloudflare enabled, so haven't even opened port 80. Working fine, no problem. Have used the ibracorp tutorial for this process here.

Decided to try and host a site using Wordpress (complete noob with wordpress btw), set it up the same as I had with nextcloud using these steps:

Cloudflare: add CNAME 'wp'
NPM: add wp.mydomain.com to docker container webui (I'm using cloudflare SSL certs)

Not working! I'm just getting a timeout when attempting to access wp.mydomain.com. Via LAN accessing 192.168.1.4:8282 shows the WP test page perfectly, but no idea why this isn't working via proxy.

I've tried recreating my SSL certificates, forwarding to a different docker (heimdall for example), with same result.

I'm not sure what I'm doing wrong, particularly because I already have 2 working proxies, but if anyone could point me in the right direction I'd be forever grateful. TIA

Edited April 15, 2022 by Boo-urns

mattie112 Posted April 15, 2022

I don't use cloudflare myself but: Can you perhaps try the most simple case? For example with https://hub.docker.com/r/hashicorp/http-echo/ and just let it run on 80. Just to first make sure that cloudflare -> server works.

plantsandbinary Posted April 20, 2022

Why isn't the nginx_basic_auth pop-up working on my device? I had to re-install this container and for some reason it's no longer working.

Here's my access list settings:

When I attempt to go to the proxied URL eg. https://mysite.com I just get this error:

I never get the browser popup asking me to authenticate like I used to. What am I doing wrong here?

Edited April 20, 2022 by plantsandbinary

plantsandbinary Posted April 20, 2022

Figured it out I think. I have HSTS enabled on Cloudflare. So I was passing proxy http and http port to Nginx which was trying to redirect from http to https (which used to be my setting in Cloudflare). This was giving instant 403 error because after enabling HSTS support, only https requests are parsed and no transport upgrade happens.

Proxied https to https port in Heimdall and voilà, it works fine. I get the basic auth popup and failure to enter gives 401 error. Putting it in correctly gives a proper page load.

Looks like this now: https > to https port

Edited April 20, 2022 by plantsandbinary

qw3r7yju4n Posted April 28, 2022

I recently updated my tautulli config to add the location block. Now a couple days later my container won't start. Logs repeat this message.

    nginx: [emerg] "proxy_pass" directive is duplicate in /etc/nginx/conf.d/include/proxy.conf:7

I edited the offending file and I was able to login to webui. But after the edit, proxying was broken. Removed the docker container and reinstalled and my proxy is down again with the offending log entry. I'm stumped.

EDIT - When the container starts this is the error it spits before spamming the log with the proxy_pass error

    nginx: configuration file /etc/nginx/nginx.conf test failed
        at ChildProcess.exithandler (node:child_process:399:12)
        at ChildProcess.emit (node:events:520:28)
        at maybeClose (node:internal/child_process:1092:16)
        at Socket.<anonymous> (node:internal/child_process:451:11)
        at Socket.emit (node:events:520:28)
        at Pipe.<anonymous> (node:net:687:12)

Edited April 28, 2022 by qw3r7yju4n

Rocka374 Posted May 3, 2022

Hello! I am using NPM and it works great. I have 1 question: If I want to create a virtual ubuntu machine with different internal IP and I want to open ports 80 and 443 for it too, will my router be able to open another pair of the same ports for it?

mattie112 Posted May 3, 2022

Externally you only have 1 IP so you can only 'open' 80/443 once. You don't really 'open' a port btw, you 'forward' it to a different IP. So for example:

    1.1.1.1 -> your external IP
    192.1.1.1 -> unraid
    192.1.1.2 -> VM

    1.1.1.1:80 -> 192.1.1.1:8080
    1.1.1.1:443 -> 192.1.1.1:443

If you have this you can NOT have

    1.1.1.1:80 -> 192.1.1.2:8080

But you CAN do

    1.1.1.1:81 -> 192.1.2.8080

But why do you want to do that? The whole idea of NPM (or a reverse proxy) is that you have a single entry point. And that within that proxy you can send 'domainA.com' to server A port B and 'domainB.com' to server C port D

debit lagos Posted May 9, 2022

@mattie112 When you get time, can we get an updated version? 2.9.18 is out on the streets. Thanks in advance.

mattie112 Posted May 10, 2022

I just have a fork of: https://github.com/jlesage/docker-nginx-proxy-manager into https://github.com/Mattie112/docker-nginx-proxy-manager that only changes the ports.

That project was not updated since 23 Feb. Are you looking for something specific? Perhaps I can get that part.

stuartcarrison Posted May 19, 2022

Hi all, has anyone had any success setting up /nginx_status for proxy monitoring in this docker?

jimdaway Posted June 1, 2022

Let me preface the following by stating that I am woefully limited in my knowledge of the inner workings of SSL certificates. I've read some basic tutorials and have a very rudimentary understanding. Having said that, I have a somewhat convoluted setup and I'm hitting walls with everything I try. I'm suspecting I may be unable to actually establish a working infrastructure.

My company website is hosted on HostGator where I have established a subdomain (transfer.mydomain.com) with an HTML meta redirect that points to a specific port (4443) on my fixed WAN IP.

At the WAN IP there is a firewall that manages my incoming traffic with numerous and various port mappings.

Inside our firewall is an existing mail server that lives at 10.0.26.10 that MUST use ports 80 and 443 and as such, I MUST redirect all incoming WAN port 80 and 443 traffic to that mail server LAN IP (10.0.26.10) where it is managed by the mail server.

I am running an unRAID server on another box within the LAN at IP (10.0.26.15) and I have NPM running in a docker container on a separate network (called "proxynet" - shoutout to SpaceInvaderOne!) on that unRAID server. I also run an instance of NextCloud on the same unRAID "proxynet" network.

On my firewall, I have established a port forward so that any traffic coming from the HostGator redirect to the specific port (4443) is mapped to the unRAID server at 10.0.26.15.

The issue I have is that I can't establish a Let's Encrypt SSL cert via NPM due to the appropriation of WAN ports 80 and 443 by the mail server. Further, because 80 and 443 are used by the mail server, I can't use NPM for any Docker containers.

I could - as a last resort - just forward the HostGator redirect from the firewall to port 444 where the NextCloud docker lives but again, I don't think I can authenticate an SSL cert against that due to the re-direction from HostGator.

HostGator does NOT allow for masked redirection like (I think!) CloudFlare does.

Basically, because HTTP and HTTP are being redirected to the mail server, there will be no way to use NPM or get SSL certificates for any of my docker containers.

Edited June 1, 2022 by jimdaway

alturismo Posted June 2, 2022

7 hours ago, jimdaway said:
> I MUST redirect all incoming WAN port 80 and 443 traffic to that mail server LAN IP (10.0.26.10) where it is managed by the mail server.

I assume you talk about the webgui from this mailserver, if it is only http/s ... did you try to put the mailserver also behind the NPM? As long as it's using http protocol and it's not some weird ... then NPM would route the traffic like

    mail.yourdomain.com -> your mailserver
    cloud.yourdomain.com -> your Nextcloud instance
    ...

I'm not using NPM anymore (was just playing around with it) but that would be the way to go for all http/s traffic from outside then ...

jimdaway Posted June 2, 2022

14 hours ago, alturismo said:
> i assume you talk about the webgui from this mailserver, if it is only http/s ... did you try to put the mailserver also behind the NPM ? as long its using http protocol and its not some weird ...

Hi @alturismo

Thank you for the response and insight. So, if I redirect ports 80 and 443 to the unRAID server (10.0.26.15) and then within NPM setup a Host Proxy titled mail.mydomain.com with a redirect to my mail server (10.0.26.10) that may work? The question then is how do I deal with the redirection of both port 80 and 443? I tried creating a Host Proxy titled "mail.mydomain.com" for HTTP pointed to 10.0.26.10 port 80 and when I tried to create a second Host Proxy "mail.mydomain.com" for HTTPS to 10.0.26.10 port 443 (with a Let's Encrypt SSL), it threw an error of "mail.mydomain.com is already in use".

Or, should I use a Redirection Host or a Stream? I'm so newb...

alturismo Posted June 3, 2022

8 hours ago, jimdaway said:
> it threw an error of "mail.mydomain.com is already in use".

I'm a swag user, just played a while ago with NPM ... but yes, you just setup 1 rule for a domain and it should automatically redirect http -> https, sample, when I connect to http://mail.... NPM will (force) redirect auto to https://mail....

8 hours ago, jimdaway said:
> if I redirect ports 80 and 443 to the unRAID server (10.0.26.15) and then within NPM setup a Host Proxy titled mail.mydomain.com with a redirect to my mail server (10.0.26.10) that may work?

exactly

8 hours ago, jimdaway said:
> Or, should I use a Redirection Host or a Stream? I'm so newb...

prolly host, stream in nginx means tcp streams and no http/s proxy, as mentioned, I'm no NPM user, sorry. Read into the manual so you understand the triggers etc ... NPM is nice as it has a GUI to handle these proxy rules and you don't have to edit config files and so on ...

aglyons Posted June 3, 2022

Has anyone managed to get external non-standard ports working, specifically with Nextcloud? I've managed to get it working with standard 443 https but if I try to use a non-standard external port everything gets borked.

I've added this to the advanced nginx config section as I read in a post

    listen 8585 ssl http2;

didn't seem to work out right. From what I've seen in the logs that config is not getting added to the conf file.

    [6/3/2022] [2:03:52 AM] [Nginx ] › ℹ info Reloading Nginx
    [6/3/2022] [2:03:57 AM] [SSL ] › ℹ info Requesting Let'sEncrypt certificates for Cert #9: domain.domain.com
    [6/3/2022] [2:03:57 AM] [SSL ] › ℹ info Command: certbot certonly --config "/etc/letsencrypt.ini" --cert-name "npm-9" --agree-tos --authenticator webroot --email "[email protected]" --preferred-challenges "dns,http" --domains "domain.domain.com"
    [6/3/2022] [2:04:00 AM] [SSL ] › ✔ success Requesting a certificate for domain.domain.com
    Successfully received certificate.
    Certificate is saved at: /etc/letsencrypt/live/npm-9/fullchain.pem
    Key is saved at: /etc/letsencrypt/live/npm-9/privkey.pem
    This certificate expires on 2022-09-01.
    These files will be updated when the certificate renews.
    NEXT STEPS:
    - The certificate will need to be renewed before it expires. Certbot can automatically renew the certificate in the background, but you may need to take steps to enable that functionality. See https://certbot.org/renewal-setup for instructions.
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    If you like Certbot, please consider supporting our work by:
    * Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
    * Donating to EFF: https://eff.org/donate-le
    - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    [6/3/2022] [2:04:01 AM] [Nginx ] › ℹ info Reloading Nginx
    [6/3/2022] [2:04:01 AM] [Express ] › ⚠ warning Command failed: /usr/sbin/nginx -t -g "error_log off;"
    nginx: [emerg] no "ssl_certificate" is defined for the "listen ... ssl" directive in /data/nginx/proxy_host/5.conf:6
    nginx: configuration file /etc/nginx/nginx.conf test failed
    [6/3/2022] [2:04:33 AM] [SSL ] › ℹ info Testing http challenge for domain.domain.com
    [6/3/2022] [2:04:48 AM] [SSL ] › ℹ info HTTP challenge test failed for domain domain.domain.com the host was not found

5.conf

    # ------------------------------------------------------------
    # domain.domain.com
    # ------------------------------------------------------------
    server {
      set $forward_scheme https;
      set $server "192.168.200.88";
      set $port 444;
      listen 80;
      listen [::]:80;
      server_name domain.domain.com;

aglyons Posted June 3, 2022

So the non-standard port issue is a result of letsencrypt. There is a solution but it does not seem to be possible with this container. It requires a TXT DNS entry. I can't seem to figure out how to do this with the current container options.

https://community.letsencrypt.org/t/using-encrypt-for-non-standard-ports/20164/3

mattie112 Posted June 3, 2022

You should be able to do that through the UI:

mattie112 Posted June 3, 2022

17 hours ago, jimdaway said:
> Hi @alturismo Thank you for the response and insight. So, if I redirect ports 80 and 443 to the unRAID server (10.0.26.15) and then within NPM setup a Host Proxy titled mail.mydomain.com with a redirect to my mail server (10.0.26.10) that may work? The question then is how do I deal with the redirection of both port 80 and 443? I tried creating a Host Proxy titled "mail.mydomain.com" for HTTP pointed to 10.0.26.10 port 80 and when I tried to create a second Host Proxy "mail.mydomain.com" for HTTPS to 10.0.26.10 port 443 (with a Lets Encrypt SSL), it threw an error of "mail.mydomain.com is already in use". Or, should I use a Redirection Host or a Stream? I'm so newb...

What exactly are you trying to do? Your NPM (= proxy server) is listening on 80/443, you can add a host for anything within that.

    domainA.com -> 1.2.3.4:80
    domainB.com -> 1.2.3.4:81
    something.domainC.com -> 1.2.3.5:443

If you have an internal 'service' listening on both 80/443 choose one. Usually internally your services are terminated in 80 (as you don't have an SSL cert for them) but 443 should work just fine (as long as the cert is valid)

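The single-entry-point model from mattie112's two replies (one forward per external port, then one proxy host per domain), as an added example that is not part of the original thread and not NPM's own code. The function names, the in-memory tables and the listener set are hypothetical, IPv4 rules are assumed, and the sample data is constructed from the addresses used in those replies.

```python
import ipaddress

class ConfigError(ValueError):
    """Raised for a rule the router or the proxy would refuse."""

def parse_forward(rule):
    """Parse 'ext_ip:port -> int_ip:port' (IPv4) into two (ip, port) tuples."""
    try:
        ends = []
        left, right = rule.split("->")
        for side in (left, right):
            host, port = side.strip().rsplit(":", 1)
            ipaddress.ip_address(host)            # ValueError on a bad address
            if not 1 <= int(port) <= 65535:
                raise ValueError("port out of range")
            ends.append((host, int(port)))
    except ValueError as exc:
        raise ConfigError(f"malformed rule {rule!r}: {exc}") from None
    return ends[0], ends[1]

def build_forwards(rules):
    """One external ip:port can point at exactly one internal target."""
    table = {}
    for rule in rules:
        ext, target = parse_forward(rule)
        if ext in table:
            raise ConfigError(f"{ext[0]}:{ext[1]} is already forwarded")
        table[ext] = target
    return table

def build_proxy_hosts(entries):
    """One domain maps to one upstream; a second entry is rejected."""
    table = {}
    for domain, upstream in entries:
        if domain.lower() in table:
            raise ConfigError(f"{domain} is already in use")
        table[domain.lower()] = upstream
    return table

def route(forwards, listeners, proxy_hosts, ext, host_header):
    """Return the (ip, port) a request ends up at, or None if nothing answers."""
    target = forwards.get(ext)
    if target is None or target not in listeners:
        return target          # dropped at the router, or sent past the proxy
    return proxy_hosts.get(host_header.split(":")[0].lower())

# Constructed sample data, reusing the addresses from the posts above.
FORWARDS = ["1.1.1.1:80 -> 192.1.1.1:8080", "1.1.1.1:443 -> 192.1.1.1:443",
            "1.1.1.1:81 -> 192.1.1.2:8080"]
LISTENERS = {("192.1.1.1", 8080), ("192.1.1.1", 443)}   # where the proxy listens
PROXY_HOSTS = [("domainA.com", ("1.2.3.4", 80)), ("domainB.com", ("1.2.3.4", 81)),
               ("something.domainC.com", ("1.2.3.5", 443))]
```

Every forward that does not land on a proxy listener, such as the `:81` rule here, is a second entry point that the proxy's access lists and certificates do not cover.
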
aglyons Posted June 3, 2022

50 minutes ago, mattie112 said:
> You should be able to do that through the UI:

Yes, you should but reading the NPM forum post, I should be putting a TXT value as such;

But the UI, when I choose my DNS provider, Google. I am presented with this and I have no idea what to do with it. There is no simple TXT value choice in the dropdown.

mattie112 Posted June 3, 2022

8 minutes ago, aglyons said:
> Yes, you should but reading the NPM forum post, I should be putting a TXT value as such; But the UI, when I choose my DNS provider, Google. I am presented with this and I have no idea what to do with it. There is no simple TXT value choice in the dropdown.

No you should not do this manually (as it changes every time you'll need certificates). So: you should input your google credentials and then NPM (or really certbot in this case) will do an API call to update the TXT record and then letsencrypt can verify that. (also see: https://certbot-dns-google.readthedocs.io/en/stable/)

Is there any reason why you want your webserver on non-80/443?

aglyons Posted June 3, 2022

22 minutes ago, mattie112 said:
> Is there any reason why you want your webserver on non-80/443

Most consumer ISPs do not allow servers to be used on residential connections. Some block 80 and 443 by default.

While I know that a hacker could do a port scan and attempt entry, I would prefer to not have standard ports exposed. For both reasons. I am not confident enough in ensuring everything is locked down properly. I have a good firewall but opening ports on servers bypasses that security and literally opens your network up.

I'm just getting started with UnRaid and homelabs. We gotta start somewhere.

PS: If the plugin author is reading this, it would be great if the link to the docs was presented in the UI.

Edited June 3, 2022 by aglyons