
Nginx Proxy Manager #149

Closed
claytondukes opened this issue Mar 21, 2021 · 18 comments

Comments

@claytondukes

Anyone wanna take a stab at making Nginx Proxy Manager work? It would be a brilliant addition to this!

The app installs, but the db portion fails with a cni error.

podman run --detach \
           --name sslproxy_app \
           --network host \
           --privileged \
           --volume /etc/localtime:/etc/localtime:ro \
           --volume /mnt/data_ext/sslproxy/data:/data \
           --volume /mnt/data_ext/sslproxy/letsencrypt:/etc/letsencrypt \
           jc21/nginx-proxy-manager:latest
podman ps
CONTAINER ID  IMAGE                                      COMMAND               CREATED         STATUS             PORTS  NAMES
edcb51c925c5  docker.io/jc21/nginx-proxy-manager:latest                        14 minutes ago  Up 14 minutes ago         sslproxy_app
podman run --detach \
           --name sslproxy_db \
           --env "MYSQL_ROOT_PASSWORD=npm" \
           --env "MYSQL_DATABASE=npm" \
           --env "MYSQL_USER=npm" \
           --env "MYSQL_PASSWORD=npm" \
           --volume /mnt/data_ext/sslproxy/mysql:/var/lib/mysql \
           jc21/mariadb-aria:latest

ERRO[0013] Error adding network: failed to find plugin "loopback" in path [/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin]
ERRO[0013] Error while adding to cni lo network: failed to find plugin "loopback" in path [/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin]
Error: error configuring network namespace for container 7108e35f4924b5570aa1727e44c1c960902f9124da386759d42357ba4abfaf9f: failed to find plugin "loopback" in path [/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin]
@Richigeht

You haven't got a cni network file for your mariadb docker, hence it ain't working.

I would look into that - that should be it. Portainer.io might be actually a thing you might want to check out :)

@renedis
Contributor

renedis commented Mar 29, 2021

I wouldn't do this "--network host". If you run the proxy manager and/or DB in that mode it will also run on your WAN address.
Please run this in another VLAN.

@JohnGalt1717

JohnGalt1717 commented Apr 1, 2021

You can try using this instead of using mssql which will make it more lightweight: -e DB_SQLITE_FILE="/data/database.sqlite"

But then you'll get:

s6-supervise (child): fatal: unable to exec run: Permission denied
s6-supervise nginx: warning: unable to spawn ./run - waiting 10 seconds

Which I can't figure out.

Here's the ticket on nginx proxy manager: NginxProxyManager/nginx-proxy-manager#993

Here's what I have so far otherwise. I think it's close if I can get s6 stuff running in the container we're there.

proxy.zip

PS you don't want host because port 80 and 443 are consumed by the UDM Pro so it will conflict and you won't be able to do redirects. It needs to be its own VLAN or at least a network with an IP.

@boostchicken
Member

So this would be easy, you just need to steal the 10-dns.sh networking magic and make a macvlan interface. Remove all the dns specific stuff and then do --network instead of host.

@JohnGalt1717

@boostchicken That's basically what I did, however it fails to load per the error that I linked to.

@renedis
Contributor

renedis commented Apr 5, 2021

This is an issue with systemd and podman.

Solve it by adding:
--systemd=false

So:

podman run -d \
--network proxy \
--name npm \
--systemd=false \
-p 40080:80 \
-p 40443:443 \
-p 81:81 \
-e TZ="America/New_York" \
-v "/mnt/data/proxy/data:/data" \
-v "/mnt/data/proxy/letsencrypt:/etc/letsencrypt" \
-e DB_SQLITE_FILE="/data/database.sqlite" \
jc21/nginx-proxy-manager:latest

The "--privileged" is not needed. And it can't run on port 80 or 443! You need to specify the ports.

I tried it... but the WebGUI won't load on port 81. Logging shows me that the docker itself runs:

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01_s6-secret-init.sh: executing...
[cont-init.d] 01_s6-secret-init.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
❯ Enabling IPV6 in hosts: /etc/nginx/conf.d
  ❯ /etc/nginx/conf.d/include/force-ssl.conf
  ❯ /etc/nginx/conf.d/include/proxy.conf
  ❯ /etc/nginx/conf.d/include/ip_ranges.conf
  ❯ /etc/nginx/conf.d/include/ssl-ciphers.conf
  ❯ /etc/nginx/conf.d/include/assets.conf
  ❯ /etc/nginx/conf.d/include/block-exploits.conf
  ❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
  ❯ /etc/nginx/conf.d/include/resolvers.conf
  ❯ /etc/nginx/conf.d/default.conf
  ❯ /etc/nginx/conf.d/production.conf
❯ Enabling IPV6 in hosts: /data/nginx
[4/5/2021] [3:34:35 PM] [Global   ] › ℹ  info      Generating Sqlite db configuration from environment variables
[4/5/2021] [3:34:35 PM] [Global   ] › ℹ  info      Wrote db configuration to config file: ./config/production.json
sqlite does not support inserting default values. Set the `useNullAsDefault` flag to hide this warning. (see docs http://knexjs.org/#Builder-insert).
[4/5/2021] [3:34:38 PM] [Migrate  ] › ℹ  info      Current database version: none
[4/5/2021] [3:34:39 PM] [Setup    ] › ℹ  info      Creating a new JWT key pair...
[4/5/2021] [3:34:48 PM] [Setup    ] › ℹ  info      Wrote JWT key pair to config file: /app/config/production.json
[4/5/2021] [3:34:48 PM] [IP Ranges] › ℹ  info      Fetching IP Ranges from online services...
[4/5/2021] [3:34:48 PM] [IP Ranges] › ℹ  info      Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[4/5/2021] [3:34:53 PM] [IP Ranges] › ✖  error     getaddrinfo EAI_AGAIN ip-ranges.amazonaws.com
[4/5/2021] [3:34:53 PM] [SSL      ] › ℹ  info      Let's Encrypt Renewal Timer initialized
[4/5/2021] [3:34:53 PM] [SSL      ] › ℹ  info      Renewing SSL certs close to expiry...
[4/5/2021] [3:34:53 PM] [IP Ranges] › ℹ  info      IP Ranges Renewal Timer initialized
[4/5/2021] [3:34:53 PM] [Global   ] › ℹ  info      Backend PID 221 listening on port 3000 ...
[4/5/2021] [3:34:55 PM] [Nginx    ] › ℹ  info      Reloading Nginx
[4/5/2021] [3:34:55 PM] [SSL      ] › ℹ  info      Renew Complete

@renedis
Contributor

renedis commented Apr 5, 2021

It's working now with these settings:

podman create \
 --systemd=false \
 --network proxymanager \
 --name proxymanager \
 -p 40080:80 \
 -p 40443:443 \
 -p 81:81 \
 -e TZ=Europe/Amsterdam \
 -e DB_SQLITE_FILE="/data/database.sqlite" \
 -v "/mnt/data/proxymanager/data:/data" \
 -v "/mnt/data/proxymanager/letsencrypt:/etc/letsencrypt" \
 jc21/nginx-proxy-manager:latest

Adjust it to your own needs :)

@renedis
Contributor

renedis commented Apr 5, 2021

I'm not able to get it running properly with certs. I can't get an answer, it's actively refusing my request while I'm 100% sure the portforwards and A/AAAA records are correct.

I think this has something to do with the UDM/IPTABLES itself.

2021-04-05 16:20:49,470:DEBUG:acme.client:Storing nonce: 0004i6-2jrw5pxzY9FixvKzDorqk8TgeGqO59T_daudBZdc
2021-04-05 16:20:49,471:WARNING:certbot._internal.auth_handler:Challenge failed for domain -deleted-.nl
2021-04-05 16:20:49,472:INFO:certbot._internal.auth_handler:http-01 challenge for -deleted-.nl
2021-04-05 16:20:49,478:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:

Domain: -deleted-.nl
Type:   connection
Detail: Fetching http://-deleted-.nl/.well-known/acme-challenge/Nusv2AEq1QfZvUr5xC9g3vezxD6K_eydtzWkTAM8ntg: Connection refused

To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2021-04-05 16:20:49,479:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2021-04-05 16:20:49,479:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-04-05 16:20:49,480:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-04-05 16:20:49,481:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/Nusv2AEq1QfZvUr5xC9g3vezxD6K_eydtzWkTAM8ntg
2021-04-05 16:20:49,482:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2021-04-05 16:20:49,482:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1233, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 409, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 343, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 390, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

@JohnGalt1717

@renedis Use ports below 32000, UDMP won't work above that. I used 16080 and 16443 and it works fine.

@boostchicken Do you want a pull request to add this, or will you add it?

(I also have unbound working as well)

@renedis
Contributor

renedis commented Apr 5, 2021

@JohnGalt1717 still not working for me. Rebooted the UDM, still no luck.

My UDM keeps refusing

@JohnGalt1717

Make sure you force run the .sh script and that the ip in the network config file matches the .sh file's ip at the top.

@renedis
Contributor

renedis commented Apr 6, 2021

Got it sorted now. The container/UDM does not accept 16080 and 16443. The container now just runs on 80/81/443.

@JohnGalt1717

How did you get it to run on 80/81/443? Every time I do that I get port conflicts on 80 or 443 depending.

@renedis
Contributor

renedis commented Apr 6, 2021

Simply don't specify the ports.

docker run -d \
 --systemd=false \
 --network proxymanager \
 --name proxymanager \
 -e TZ=Europe/Amsterdam \
 -e DB_SQLITE_FILE="/data/database.sqlite" \
 -v "/mnt/data/proxymanager/data:/data" \
 -v "/mnt/data/proxymanager/letsencrypt:/etc/letsencrypt" \
 jc21/nginx-proxy-manager:latest

#!/bin/sh

## configuration variables:
VLAN=5

# This is the IP address of the container. You may want to set it to match
# your own network structure such as 192.168.5.3 or similar.
IPV4_IP_PROXYMANAGER="10.0.5.6"

# This should match the gateway of the VLAN for the container network,
# which is usually the .1/24 of the IPV4_IP above.
IPV4_GW="10.0.5.1/24"

# container name; must match the --name given to podman create/run
CONTAINER_PROXYMANAGER=proxymanager

## network configuration and startup:
CNI_PATH=/mnt/data/podman/cni
if [ ! -f "$CNI_PATH"/macvlan ]; then
    mkdir -p $CNI_PATH
    curl -L https://github.com/containernetworking/plugins/releases/download/v0.9.0/cni-plugins-linux-arm64-v0.9.0.tgz | tar -xz -C $CNI_PATH
fi

mkdir -p /opt/cni
rm -f /opt/cni/bin
ln -s $CNI_PATH /opt/cni/bin

# expose every .conflist in CNI_PATH to podman via /etc/cni/net.d
for file in "$CNI_PATH"/*.conflist
do
    if [ -f "$file" ]; then
        ln -fs "$file" "/etc/cni/net.d/$(basename "$file")"
    fi
done

# set VLAN bridge promiscuous
ip link set br${VLAN} promisc on

# create macvlan bridge and add IPv4 IP
ip link add br${VLAN}.mac link br${VLAN} type macvlan mode bridge
ip addr add ${IPV4_GW} dev br${VLAN}.mac noprefixroute

# set macvlan bridge promiscuous and bring it up
ip link set br${VLAN}.mac promisc on
ip link set br${VLAN}.mac up

#######################################################################################
# add IPv4 route to the proxymanager container
ip route add ${IPV4_IP_PROXYMANAGER}/32 dev br${VLAN}.mac
#######################################################################################


#######################################################################################
if podman container exists ${CONTAINER_PROXYMANAGER}; then
  podman start ${CONTAINER_PROXYMANAGER}
else
  logger -s -t podman-proxymanager -p ERROR Container $CONTAINER_PROXYMANAGER not found, make sure you set the proper name, you can ignore this error if it is your first time setting it up
fi
#######################################################################################

{
  "cniVersion": "0.4.0",
  "name": "proxymanager",
  "plugins": [
    {
      "type": "macvlan",
      "mode": "bridge",
      "master": "br5",
      "ipam": {
        "type": "static",
        "addresses": [
          {
            "address": "10.0.5.6/24",
            "gateway": "10.0.5.1"
          }
        ],
        "routes": [
          {"dst": "0.0.0.0/0"}
        ]
      }
    }
  ]
}

@kashalls
Contributor

I would like to see this available as well. I would probably have to remove the pihole from my UDMP to make this work, but it would be a great addition!

@JohnGalt1717

@kashalls You shouldn't have to remove pi hole. Just put it on a different port on a different VLAN and you're set.

@kashalls
Contributor

@kashalls You shouldn't have to remove pi hole. Just put it on a different port on a different VLAN and you're set.

It's not that I should change the port, with all that I have on there and how much I abuse my poor UDM Pro, it's already at 90% memory usage and adding more would probably break it.

@cowboy

cowboy commented Sep 18, 2021

In case it helps anyone who got to @renedis's excellent comment in this thread without any real context:

  1. you need to create the /mnt/data/proxymanager/data and /mnt/data/proxymanager/letsencrypt directories
  2. the docker run -d command might need to be podman run -d depending on how you have things configured. Run it to create a container
  3. you need to create a VLAN in the UDM UI, and if the VLAN ID is not 5, edit the shell script accordingly
  4. the shell script (with VLAN=5 etc) is a variation of the 10-dns.sh and should be edited as necessary and saved as something like /mnt/data/on_boot.d/10-proxymanager.sh and set executable
  5. the json code should be edited to match the shell script, if necessary, and saved as something like /mnt/data/podman/cni/10-proxymanager.conflist

Also, it's entirely possible that I got parts of this wrong, but it does work for me here. If I made any mistakes, someone please correct me!
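Added example, not from anyone in this thread: a small POSIX sh check for the mistake JohnGalt1717 and cowboy both point at, the boot script and the conflist disagreeing on VLAN id, container IP or gateway, plus the script not being executable. The two files it inspects are constructed samples written to a temp dir; the function works the same on the real /mnt/data/on_boot.d and /mnt/data/podman/cni files.

```shell
#!/bin/sh
# Added example (not code from the thread): verify that the on_boot script and
# the CNI conflist agree (VLAN id vs macvlan master, container IP, gateway) and
# that the script is executable, so the container gets the address you expect.

WORK=$(mktemp -d)   # constructed sample files live here; left in place for inspection

cat > "$WORK/10-proxymanager.sh" <<'EOF'
#!/bin/sh
VLAN=5
IPV4_IP_PROXYMANAGER="10.0.5.6"
IPV4_GW="10.0.5.1/24"
EOF
chmod +x "$WORK/10-proxymanager.sh"

cat > "$WORK/10-proxymanager.conflist" <<'EOF'
{
  "cniVersion": "0.4.0",
  "name": "proxymanager",
  "plugins": [ { "type": "macvlan", "mode": "bridge",
    "master": "br5",
    "ipam": { "type": "static", "addresses": [ {
      "address": "10.0.5.6/24",
      "gateway": "10.0.5.1" } ] } } ]
}
EOF

# check_config SCRIPT CONFLIST: prints each mismatch, returns 0 only when all agree
check_config() {
  script=$1; conflist=$2; rc=0
  vlan=$(sed -n 's/^VLAN=\([0-9]*\).*/\1/p' "$script")
  ip=$(sed -n 's/^IPV4_IP_PROXYMANAGER="\([^"]*\)".*/\1/p' "$script")
  gw=$(sed -n 's/^IPV4_GW="\([^"/]*\).*/\1/p' "$script")          # strip /24
  master=$(sed -n 's/.*"master": *"\([^"]*\)".*/\1/p' "$conflist")
  addr=$(sed -n 's/.*"address": *"\([^"/]*\).*/\1/p' "$conflist")  # strip /24
  cgw=$(sed -n 's/.*"gateway": *"\([^"]*\)".*/\1/p' "$conflist")
  [ -x "$script" ] || { echo "$script is not executable"; rc=1; }
  [ -n "$vlan" ] && [ "br$vlan" = "$master" ] \
    || { echo "VLAN=$vlan does not match master \"$master\""; rc=1; }
  [ -n "$ip" ] && [ "$ip" = "$addr" ] \
    || { echo "IPV4_IP_PROXYMANAGER=$ip does not match address $addr"; rc=1; }
  [ -n "$gw" ] && [ "$gw" = "$cgw" ] \
    || { echo "IPV4_GW=$gw does not match gateway $cgw"; rc=1; }
  return $rc
}

check_config "$WORK/10-proxymanager.sh" "$WORK/10-proxymanager.conflist" \
  && echo "script and conflist are consistent"
```

Run it on the UDM before rebooting; a non-zero exit means the macvlan route the script adds will not match the address CNI assigns, which is the "connection refused" symptom seen earlier in the thread.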
