[HOW TO] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

vmsman
Starting out
Posts: 38
Joined: Thu Jan 19, 2017 7:08 am

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by vmsman »

Ok, so different things happened in this install. Screens attached.
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by oyvindo »

You have indeed chosen some odd port numbers - but if done correctly, it should work.
1. Can you successfully launch the ProxyManager GUI from http://172.16.1.58:32775 ?
2. What CIDR subnet Mask are you using on your LAN ?
3. Any particular reason why you chose port 32775 and 32777 ?
4. Your Host volume is not located in any of the default shared folders but apparently directly on the QTS root. Why? Did you create /Nginx-Data as a share with the right privileges, or is it just a folder with admin only access?
5. Is your WAN port 80 routed to port 32777 ? Where is your WAN port 433 routed? (only TCP should be routed, for both ports)
6. As long as your router web daemon answers external port 80 calls, how do you plan to have those calls routed to Nginx?

My advice is to try to set things up exactly as described in my guide, just to see if it works. If it does, then you can change only what you must change (for whatever reasons), one step at a time until it fails. Remember to do a fresh "install" from DockerHUB each time, and do not use CS "create" as it will carry over all previous settings from the previous image setup into the new container each time and you'll be stuck in a loop. It's best to delete the image each time you decide to reinstall. Alternatively you can create a YAML installation script and modify it for each new install (trial'n'error).
Even if you are using a Linux client machine, I'm sure you can get hold of a Windows PC (or install a Windows VM) just to verify the certificate file once created. Or, I'm sure there must be a Linux utility somewhere which can do the same (I don't use Linux myself - unless I have to).
vmsman
Starting out
Posts: 38
Joined: Thu Jan 19, 2017 7:08 am

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by vmsman »

1. Can you successfully launch the ProxyManager GUI from http://172.16.1.58:32775 ? YES. It launches great.
2. What CIDR subnet Mask are you using on your LAN ? 172.16.0.0/16 -- 255.255.0.0
3. Any particular reason why you chose port 32775 and 32777 ? I did not choose those ports. Unlike your guide, my new installations are BLANKING all the port fields and not letting me enter anything. I used to be able to. Not anymore.
4. Your Host volume is not located in any of the default shared folders but apparently directly on the QTS root. Why? Did you create /Nginx-Data as a share with the right privileges, or is it just a folder with admin only access? The /Nginx-data is not on the QTS root. When I create a share for the folder, the share is exposed as /Nginx-data. The actual folder is in /share/Web/Nginx-data. The interface forces me to navigate to the folder and will not let me type it manually. Yes, it is a folder with admin only access.
5. Is your WAN port 80 routed to port 32777 ? Where is your WAN port 433 routed? (only TCP should be routed, for both ports) WAN port 80 routed to 32777. YES. This time it did not tell me the SSL port. Not sure why. I did not choose these ports. Unlike the guide, that area was completely blank. When I installed the same way earlier, I had values in there that I could change.
6. As long as your router web daemon answers external port 80 calls, how do you plan to have those calls routed to Nginx? My router (unifi UDM Pro) should NEVER be responding on port 80. When I am not running NginX-Proxy Manager, my router does not respond on port 80.
vmsman
Starting out
Posts: 38
Joined: Thu Jan 19, 2017 7:08 am

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by vmsman »

So, I have installed the app EXACTLY with everything in your GUIDE identically. See the attachment, that is the first error I am getting.
I have also included a screen snap of my virtual switch. This container is the last app in the virtual adapter list and it talks to container network lxcbr0. Is that correct?
This time the web page does not respond at my NAS address port 8181. It has in the past. Ideas?
vmsman
Starting out
Posts: 38
Joined: Thu Jan 19, 2017 7:08 am

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by vmsman »

Here are screenshots of the Advanced section.
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by oyvindo »

I too am getting confused now (by your screenshots).
The error message clearly says that it cannot locate the pem file (or the folder).
Your explanation on how the path is entered after you browse to the folder - differs distinctively from how it should work. There's definitely something wrong there, which could well be the reason why it fails.
You say you cannot manually change the port numbers during installation (!?). But your next-to-last screendump (Network setting) looks very editable to me (?)
1. What version of QTS are you running?
2. What version of Container Station are you running?
3. You're not trying to install ProxyManager as an LXC container - are you?
vmsman
Starting out
Posts: 38
Joined: Thu Jan 19, 2017 7:08 am

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by vmsman »

1. QTS 4.4.3.1354
2. Container Station 2.1.3.1360
3. Installed as a Docker Container.

I managed to get the product installed EXACTLY as in your tutorial. I have my firewall routing port 80 and port 443 to ports 35080 and 35443 to the address of my NAS which is where the Docker is running. Now when I try to log in to the web interface at http://172.16.1.58:35081/ I get an error. Attached are two screenshots.
vmsman
Starting out
Posts: 38
Joined: Thu Jan 19, 2017 7:08 am

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by vmsman »

@oyvindo I have found what I think is the issue. I now believe that the majority of the errors and inconsistencies I have seen were due to one fact only. Prior to installing NginX Proxy Manager, I had my web server at https://www.scottibyte.com/ and a Jitsi server at https://vmsman.scottibyte.com/ . Both these servers have SSL certificates and I have IPv6 firewall rules making them reachable and they always worked. When I added NginX Proxy Manager, the role was to get IPv4 working to the same servers from the outside. Literally ALL of my errors I was getting seem to be related to "SSL" conflicts. I accidentally discovered that when I shut both servers down, I was able to 1) Log in to the NginX Proxy Manager web page, 2) I was able to create the proxy for both servers and 3) I was able to request certificates for both servers. Now both servers show "online" via Nginx Proxy Manager. See the screenshot.

After I created and associated the proxies with the SSL certs, I restarted the servers. I also restarted the Docker container as a test and both proxies still show online. This is great news and I hope this helps someone else.

So basically, I have SSL Certs on NginX Proxy Server and SSL certs on the respective servers too. I am not sure if this is correct or not. My IPv6 access continues to work to both servers because nothing has changed there.

I can't say if the IPv4 access (which was the goal of this) is working. My network is IPv4/IPv6 and tends to look at IPv6 first. So, if anyone running IPv4 only can get to my two servers, I would appreciate a nod. Thanks to @oyvindo for his very patient assistance. From a QNAP point of view, having the NginX Proxy Manager hosted inside the Docker container NAT seems to be a superior methodology for both security and potential network conflicts.
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by oyvindo »

Super! I'm glad you made it.
I myself don't use Nginx as my Reverse Proxy, I decided to use the Apache server which is already included free with QTS (see my Apache Reverse Proxy Guide here: viewtopic.php?f=32&t=139548)
The reason I ended up testing the Nginx ProxyManager was because the internal QTS function to generate LetsEncrypt certificates was very buggy, and even after QNAP finally fixed some major bugs and got things working, the resulting certificates failed to support webhooks. Certificates generated with ProxyManager do work with webhooks, so I use ProxyManager to generate certain certificates for Apache :-)

P.S. I tried to visit vmsman, but I only got a 502.
Anyway, good luck with your projects :)
vmsman
Starting out
Posts: 38
Joined: Thu Jan 19, 2017 7:08 am

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by vmsman »

@oyvindo I will have to investigate your Apache Reverse Proxy Guide too. Similarly, I have to say that my favorite function of NginX Proxy Manager is the management of Certificates. I did not realize that it was critically important to shutdown the target nodes while requesting the certificates. All I can imagine is that the original certificates that are on the target nodes might have been conflicting. As I mentioned earlier, I am offering my services both IPv4 and IPv6. The documentation for NginX Proxy manager defaults to having IPv6 enabled.

I am not even sure what that means since the only real reason for a proxy manager is to get around the shortcomings of one IPv4 address for your router and multiple devices behind your network that need port 80 and port 443 services. For that reason, I still have the certs on the local servers as well to presumably service IPv6. That being said, IPv6 is being handled by Nginx Proxy Manager in some way because in an active IPv6 session to a target system, if I shutdown the NginX Proxy Manager, the IPv6 user is also disconnected. Very interesting!

P.S. - about the time you tried to visit vmsman, I was back in debugging it. It turns out that a Jitsi server is very precarious in terms of hosting behind NginX since it uses NginX as its web server. I think I have it behaving today.
vmsman
Starting out
Posts: 38
Joined: Thu Jan 19, 2017 7:08 am

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by vmsman »

So, in summary for others, I would have to say that NginX Proxy Manager is a great tool and oyvindo's guide is quite good. After running in my final configuration for almost 24 hours I ultimately decided to remove NginX Proxy Manager. The reason is that on my mixed IPv4 & IPv6 network, it produced very inconsistent results. Most of these were due to trying to run an NginX web server behind the NginX Proxy Manager Instance of NginX. Another issue was that I discovered that applications that use Websockets experienced massive performance hits with NginX Proxy Manager running in a Docker container in the QNAP Virtual Docker NATed switch. The other issue I was encountering off and on was for some reason, the proxy manager would sometimes use my different A record domain names thinking they aligned to a different system. That should not happen, but it was producing a regular stream of 502 bad gateway errors.

If anyone is interested in self hosting IPv6, contact me if you need help and I will be glad to provide pointers.
Chompers
First post
Posts: 1
Joined: Fri May 24, 2019 8:52 am

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by Chompers »

Where are the access and error logs?
deiniolj
New here
Posts: 9
Joined: Tue Sep 22, 2015 4:05 am

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by deiniolj »

Help I can't get it to certify.

I can connect to my pages from my domain but always get this

If I use DNS challenge with Cloudflare or without..

Error: Command failed: /usr/bin/certbot certonly --non-interactive --cert-name "npm-3" --agree-tos --email "me@atmyemail.com" --domains "service.mydomain.co.uk" --authenticator dns-cloudflare --dns-cloudflare-credentials "/etc/letsencrypt/credentials/credentials-3"
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator dns-cloudflare, Installer None
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for service.mydomain.co.uk
Cleaning up challenges
Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the python package cloudflare>=2.3.1. This certbot is running cloudflare 2.8.15)

at ChildProcess.exithandler (child_process.js:303:12)
at ChildProcess.emit (events.js:315:20)
at maybeClose (internal/child_process.js:1021:16)
at Process.ChildProcess._handle.onexit (internal/child_process.js:286:5)

Using latest 2.7.2
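
An added example, not part of the original thread and not code from certbot or Nginx Proxy Manager: a small linter for the credentials file that the `--dns-cloudflare-credentials` option in the command above points at, checking file permissions, that exactly one authentication method is configured, and that the secret has no stray whitespace or non-ASCII characters from copy and paste. The key names are the ones the certbot dns-cloudflare plugin reads; `lint_credentials` and `demo` are hypothetical names, and the sample secret is a constructed placeholder.

```python
import os
import stat
import tempfile

TOKEN = "dns_cloudflare_api_token"
LEGACY = ("dns_cloudflare_email", "dns_cloudflare_api_key")

def lint_credentials(path):
    """Return a list of problems in a certbot dns-cloudflare credentials file."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # the secret is accessible to group or other users
        problems.append(f"mode {mode:o} is too open, use 600")
    values = {}
    with open(path, encoding="utf-8") as fh:
        for number, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, sep, value = line.partition("=")
            if not sep:
                problems.append(f"line {number}: not 'key = value'")
                continue
            values[key.strip()] = value.strip()
    legacy = [k for k in LEGACY if k in values]
    if TOKEN in values and legacy:
        problems.append("token and email/global key both set, keep one method")
    elif TOKEN not in values and len(legacy) != 2:
        problems.append("need api_token, or both email and api_key")
    for key, value in values.items():
        if key != TOKEN and key not in LEGACY:
            problems.append(f"unknown key {key}")
        elif not value:
            problems.append(f"{key} is empty")
        elif any(c.isspace() or not c.isascii() or not c.isprintable() for c in value):
            problems.append(f"{key} has whitespace or non-ASCII characters")
    return problems

def demo():
    """Lint a constructed file: world-readable, with a fake token damaged by a space."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "credentials-3")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("dns_cloudflare_api_token = EXAMPLE TOKEN-NOT-REAL\n")
        os.chmod(path, 0o644)
        return lint_credentials(path)

if __name__ == "__main__":
    print("\n".join(demo()))
```

An empty result only means the file is well-formed; whether Cloudflare accepts the token and whether it has permission on the zone still has to be confirmed against the Cloudflare account.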
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by oyvindo »

Sorry, I don't know anything about Cloudflare.
The best test strategy is to eliminate as many links in the chain as possible before you start to add them back again, one at a time until the chain breaks (things begin to fail). That's how you find the offending part.
faitas
New here
Posts: 5
Joined: Fri Jul 19, 2013 6:48 am

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by faitas »

Hi,
I am having trouble setting up the following:

the internal website is - 192.168.0.123:8080/folder/subfolder
the external should be - subfolder.website.com
I cannot set up the custom location tab to forward the external address to the internal subfolder. It reaches only up to 192.168.0.123:8080
Can you help me?