[HOW TO] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

tiagondelgado
Starting out
Posts: 19
Joined: Wed Oct 12, 2016 8:03 pm

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by tiagondelgado »

One more question: when I configure a shared folder, I have 3 options. Which of the 3 should be created? https://i.ibb.co/tBdh5JX/image.png
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by oyvindo »

The one in the middle, of the three options.
tiagondelgado
Starting out
Posts: 19
Joined: Wed Oct 12, 2016 8:03 pm

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by tiagondelgado »

With jc21/nginx-proxy-manager:latest-data-1

I get these errors in the terminal:

[5/4/2021] [2:46:57 PM] [Global ] › ✖ error getaddrinfo ENOTFOUND db

And I can't log in, because it says "bad gateway"
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by oyvindo »

I'm not familiar with jc21
I use jlesage-nginx-proxy-manager v1.9.2
micattack
Starting out
Posts: 14
Joined: Sat Mar 06, 2021 12:25 am

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by micattack »

deiniolj wrote: Tue Jan 19, 2021 8:38 am Help I can't get it to certify.

Error determining zone_id: 6003 Invalid request headers. Please confirm that you have supplied valid Cloudflare API credentials. (Did you copy your entire API token/key? To use Cloudflare tokens, you'll need the
Hi!


Look in https://dash.cloudflare.com/profile/api-tokens

Make sure the token has "Edit DNS" and includes your specific domain

https://imgur.com/ZOmYkCg

Then add it in the credential file content

# Cloudflare API token
dns_cloudflare_api_token = 0123456789abcdef0123456789abcdef01234567

Note: I think (but I cannot edit my current settings) that your API token must be in double quotes, e.g. "01212....9023967", other than in the example shown
--
QLocker survivor; backup enthusiast
TS-351 with 5. + something FW (always up2date)
Celeron J1800/8GB RAM
RAID-5 (2x 256GB Transcent TS256GMTE110S + 3x 6TB Seagate ST6000VN001)
ceekee
Starting out
Posts: 30
Joined: Thu Nov 05, 2009 10:30 pm

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by ceekee »

Hi,

I am totally lost. I have installed this according to the directions.

Port forwarding:

NGinx

Image

Router:

Image


Proxy host:

Image

Image

The QTS login screen and filestation are working.

xxx.duckdns.org -> QTS admin -> OK
xxx.duckdns.org/filestation -> QTS filestation -> OK

But:

xxx.duckdns.org/sickchill -> 192.168.1.xx:2973/sickchill -> standard QNAP error page
xxx.duckdns.org/spotweb -> 192.168.1xx/spotweb -> standard QNAP error page

Both addresses, when used locally, are functioning.

Please advise.
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by oyvindo »

Hi,

Did you successfully manage to get to this point:
Image

I also see that you activated Blocking of common exploits. Why did you do that?
When you implement a new subsystem like a Proxy manager, it's a good idea to keep it very simple during your first attempt.
Don't add anything not advised in the docs.
Then - if you can get a minimum configuration running, you can begin by adding additional settings, one at a time, carefully testing everything between each regression.

Your description leads me to ask if you have actually exposed QTS Admin Web through port 80?
You should NEVER do that. A proxy like this should NOT be used to access QTS itself remotely. To do that, use instead a VPN.
ceekee
Starting out
Posts: 30
Joined: Thu Nov 05, 2009 10:30 pm

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by ceekee »

Yes, the proxy manager is working on http://192.168.1.20:35081/. No problems there.

I am already two days trying with all possibilities given :-) Started simple but then started trying all switches in the hope it works.

But the admin ports are not on port 80 but on port 39xx, and filestation too.
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by oyvindo »

ceekee wrote: Thu May 27, 2021 8:00 pm Yes, the proxy manager is working on http://192.168.1.20:35081/. No problems there.
No, no - you should get that "Welcome" screen if you visit PM from the internet side. That's what I'm asking. Read the Docs.
ceekee
Starting out
Posts: 30
Joined: Thu Nov 05, 2009 10:30 pm

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by ceekee »

Sorry, did not see that.

I tried it from the internet side, service.duckdns.org:35081, and got no response. I followed the how-to and don't know what I missed.

Now I have an extra port forwarding in my router, port 35081 to the NAS. Now I get the login screen of the proxy manager.

Please advise
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by oyvindo »

I advise you to start over from scratch again.
Obviously you did not follow the docs to the letter, but jumped a few steps ahead here and there.
That's not a good strategy. As I said, first get the minimum version to run as explained. Then add your own configurations on top, one at a time, with thorough testing between each step.

You are not supposed to get to the logon screen of the Proxy from the internet. You should get to the splash screen. It would be a disaster if you could reach the logon screen directly from the internet.
ceekee
Starting out
Posts: 30
Joined: Thu Nov 05, 2009 10:30 pm

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by ceekee »

I tried some things again and removed all my hosts from the setup. Now I am getting the splash screen at http://service.duckdns.org

But how to proceed to get sickchill or spotweb working?
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by oyvindo »

Adding a path to the URI is different from adding a subdomain.
You cannot use the same rewrite rules and redirects for www.yourdomain.com/sickchill as you would for sickchill.yourdomain.com
My guide uses a subdomain approach. If you want a subdirectory approach you have to change the Type to Path-based Reverse Proxy.
That's a whole different story.
If you are unfamiliar with this, you have to read up on the subject.
As I have described it, the path is cleaned out from the http header and does not proxy through.

Sorry.
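The subdomain versus path distinction from the post above, written out as plain nginx configuration. This is an added example, not part of the thread and not the configuration Nginx Proxy Manager generates; the host names, the upstream address 192.168.1.20:2973 and the assumption that the app is itself configured with /sickchill as its web root are illustrative.

```nginx
# Constructed example: server names and upstream address are placeholders.

# 1) Subdomain approach: the whole host name maps to one app.
server {
    listen 80;
    server_name sickchill.example.duckdns.org;

    location / {
        # No URI part on proxy_pass: the path the client requested
        # reaches the app unchanged.
        proxy_pass http://192.168.1.20:2973;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# 2) Path-based approach: apps are separated by URL prefix on one host name.
server {
    listen 80;
    server_name example.duckdns.org;

    # Redirect the bare prefix so relative links resolve under /sickchill/.
    location = /sickchill {
        return 301 /sickchill/;
    }

    location /sickchill/ {
        # URI part present on proxy_pass: nginx replaces the matched
        # "/sickchill/" prefix with this URI. Keeping the same prefix on
        # both sides means the app still sees /sickchill/..., which only
        # works when the app is configured with that web root.
        proxy_pass http://192.168.1.20:2973/sickchill/;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    # Every path that is not explicitly mapped is refused instead of
    # being passed to a default backend, so no admin interface on the
    # NAS becomes reachable through the proxy by accident.
    location / {
        return 404;
    }
}
```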
Wezyr
Starting out
Posts: 12
Joined: Wed Mar 08, 2017 4:52 am

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by Wezyr »

Just a quick question before I start configuring this solution: is it possible to set up the Proxy Manager in such a way that the share links created from FileStation work, but there is no access to the admin panel? The usual situation is that when I create a share link from FileStation it can be mydomain.com:Port/share, but when I type mydomain.com:Port it shows the Qnap admin panel which is not healthy...
oyvindo
Experience counts
Posts: 1399
Joined: Tue May 19, 2009 2:08 am
Location: Norway, Oslo

Re: [How To] install Nginx Reverse Proxy in CS with Let's Encrypt Certificate

Post by oyvindo »

If you can get to your QTS admin page from the internet, you have a serious problem!!
Whatever you do - disable your port forwarding rules immediately so that your NAS is NOT exposed to the internet!

You should not use a Reverse Proxy to access any part of QTS or the core QTS OS apps (such as File Station).
Only use a Reverse Proxy to access isolated Web Apps - preferably running in containers.

If you need to access your QTS remotely (all, or parts of it), then use instead a VPN tunnel connection.
Exposing your NAS to the internet is way too risky.
Last edited by oyvindo on Tue Jun 15, 2021 4:18 am, edited 1 time in total.