NGINX Proxy Manager - Docker Setup on FWG
NGINX Proxy Manager is a fantastic and easy to use tool that enables you to expose web services (such as Home Assistant, Sonarr, SABnzbd etc.) on your network to the Internet using free auto-updating SSL certificates from Let's Encrypt, all via a shiny Web UI.
Running it on Firewalla is a perfect solution.
----
I have nothing to do with the project, but I’ve been able to get this working on my Firewalla Gold using the docker-compose.yaml I put together here.
Updated with learnings on how to control WAN viewable ports. LAN port (81 for management) is available without a route table command.
1. SSH into your Firewalla Gold and change directory to:
cd /home/pi/.firewalla/run/docker/
2. Create a folder nginxproxymanager:
mkdir nginxproxymanager
then:
cd nginxproxymanager
3. Create a docker-compose.yaml file containing the below.
I use:
sudo nano docker-compose.yaml
to create and edit this file.
version: '3'
# docker-compose.yaml file for NGINX Proxy Manager on Firewalla Gold
# More info at https://nginxproxymanager.com/
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    ports:
      # Change 443:443 below to WAN ports you want to use for SSL connectivity
      - '443:443'
    environment:
      DB_MYSQL_HOST: "db"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "npm"
      DB_MYSQL_PASSWORD: "npm"
      DB_MYSQL_NAME: "npm"
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    networks:
      default:
        # static IP address for nginxproxymanager
        ipv4_address: 172.16.0.2
  db:
    image: 'jc21/mariadb-aria:latest'
    environment:
      MYSQL_ROOT_PASSWORD: 'npm'
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'npm'
      MYSQL_PASSWORD: 'npm'
    volumes:
      - ./data/mysql:/var/lib/mysql
    networks:
      default:
        # static IP address for database
        ipv4_address: 172.16.0.3
networks:
  default:
    driver: bridge
    ipam:
      config:
        # your chosen docker network here
        - subnet: 172.16.0.0/24
4. Further steps taken here to setup Firewalla docker and network connection:
cd /home/pi/.firewalla/run/docker/nginxproxymanager
sudo systemctl start docker
sudo docker-compose pull
sudo docker-compose up --no-start
sudo ip route add 172.16.0.0/24 dev br-$(sudo docker network inspect nginxproxymanager_default |jq -r '.[0].Id[0:12]') table wan_routable
sudo docker-compose up --detach
#
# Default NGINX Proxy Manager user/password (change on first use)
#
Email: admin@example.com
Password: changeme
5. Persistence! Make sure Docker and your container(s) load after Firewalla restarts. Note: Not sure if this works... a few times it hasn't loaded automatically.
Create file /home/pi/.firewalla/config/post_main.d/start_npm.sh
#!/bin/bash
sudo systemctl start docker
sudo systemctl start docker-compose@nginxproxymanager
sudo ipset create -! docker_lan_routable_net_set hash:net
sudo ipset create -! docker_wan_routable_net_set hash:net
sudo ipset add -! docker_lan_routable_net_set 172.16.0.0/24
sudo ipset add -! docker_wan_routable_net_set 172.16.0.0/24
6. Make the new file executable: sudo chmod +x start_npm.sh
7. Test it runs by issuing: sudo bash start_npm.sh
Note: I use a Cloudflare DNS-01 challenge for Let's Encrypt to avoid having to have port 80 open. This requires you to use a docker or similar DDNS updater that can keep your Cloudflare DNS up to date. Setup instructions for this are here: https://help.firewalla.com/hc/en-us/community/posts/1500001199002-Cloudflare-DDNS-Docker
Thanks,
Shane.
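A hardened variant of the step 5 start script, added here as an example and not part of the original post. It derives the bridge name with the same "br-" plus first 12 hex characters rule the post's jq expression uses, but refuses an empty or non-hex id (the "br-null" case reported further down), waits for the docker daemon to actually answer before touching the network, creates the compose network before the route that refers to it, and adds the wan_routable route only once so repeated boots do not error out. It assumes the directory, network name and 172.16.0.0/24 subnet used in the post.

```shell
#!/bin/bash
# start_npm.sh, hardened variant (added example; not the original post's script).
# Assumes the compose project directory, network name and subnet from the post.
set -eu

COMPOSE_DIR=/home/pi/.firewalla/run/docker/nginxproxymanager
NET_NAME=nginxproxymanager_default     # compose names the network <dir>_default
NET_SUBNET=172.16.0.0/24

# Docker names the Linux bridge "br-" + first 12 hex chars of the network id
# (the same rule as the jq expression in the post). Refuses empty or non-hex
# input, such as the "null" jq prints when the network does not exist.
npm_bridge_dev() {
    case "$1" in ""|*[!0-9a-f]*) return 1 ;; esac
    [ "${#1}" -ge 12 ] || return 1
    printf 'br-%s\n' "$(printf '%s' "$1" | cut -c1-12)"
}

# systemctl returns before the daemon is usable; poll it for up to $1 seconds.
wait_for_docker() {
    n=0
    until docker info >/dev/null 2>&1; do
        n=$((n + 1))
        [ "$n" -lt "$1" ] || { echo "docker not ready after $1s" >&2; return 1; }
        sleep 1
    done
}

main() {
    cd "$COMPOSE_DIR"
    systemctl start docker
    wait_for_docker 60
    docker-compose up --no-start            # creates the network before we route to it
    dev=$(npm_bridge_dev "$(docker network inspect -f '{{.Id}}' "$NET_NAME")")
    # Add the wan_routable route only if it is not already present.
    ip route show table wan_routable | grep -qF "$NET_SUBNET dev $dev" \
        || ip route add "$NET_SUBNET" dev "$dev" table wan_routable
    ipset create -! docker_lan_routable_net_set hash:net
    ipset create -! docker_wan_routable_net_set hash:net
    ipset add -! docker_lan_routable_net_set "$NET_SUBNET"
    ipset add -! docker_wan_routable_net_set "$NET_SUBNET"
    docker-compose up --detach
}

# Run the privileged steps only where they can work (root on a host that has
# the tools), so the helper functions can also be sourced and checked elsewhere.
if [ "$(id -u)" = 0 ] && command -v docker-compose >/dev/null 2>&1 \
   && command -v ipset >/dev/null 2>&1; then
    main
fi
```

Drop it in /home/pi/.firewalla/config/post_main.d/ in place of the script above; because the route step is idempotent, it is also safe to run by hand with sudo bash to repair the route after a reboot.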
-
OK - while waiting, I've done just that. Edited the docker-compose.yaml and changed this section:
ports:
  - '80:80'
  - '81:81'
  - '443:443'
to say
ports:
  - '443:443'
and I can still access the NGINX Proxy Manager internal URL on port 81, and now only 443 is showing open on the WAN when I do a port scan.
Seems I don't need to list the ports for LAN access.
If someone else could set this up and test to ensure I'm correct that would be appreciated - then the instructions can be updated and used by all.
Thanks,
Shane.
-
I'm having an issue that I don't understand.
pi@firewalla:~ (416 Home) $ sudo ip route add 172.16.0.0/24 dev br-$(sudo docker network inspect nginxproxymanager_default |jq -r '.[0].Id[0:12]') table wan_routable
Error: No such network: nginxproxymanager_default
Cannot find device "br-null"
-
Hi Shane,
Thanks very much for the guide.
Any chance you have some advice on how I can bind this to the Firewalla IP on the network between the Firewalla and my modem? i.e. 192.168.200.0/24
My modem won't let me create a route to a network it's not on, so I can't port forward to the network in your example.
-
No worries. What mode is your Firewalla in for the modem to work in bridged mode?
I tried that when setting mine up, but because the Firewalla 1) didn't have an IP address and 2) my ISP doesn't require a user/password, I couldn't for the life of me work out how to get my modem to work with it in bridged mode.
Note: it's currently in DHCP mode
-
Anyone installed this recently? I'm currently running Nginx on a Pi that I'd like to repurpose. I've installed this twice and everything works great except I can't get SSL certs. When I go to request one, I just get "Internal Error."
I thought originally maybe it was not working right because I had port forwards in place for my Pi so I uninstalled, reinstalled, removed the port forwards and the issue persists.
My only other thought is I might have some old Docker weirdness hanging around causing issues but I did the Docker reset from the tips and tricks page.
-
When Let's Encrypt verifies the domain, it will need to HTTP back to your docker instance. Is that path open?
Here are more ways they can challenge https://letsencrypt.org/docs/challenge-types/
-
I mean, it should be. It's working now on my Pi. I just set the Docker instance up according to the tutorial above. I then removed my port forwards to send 80 and 443 to my Pi.
When I go to my subdomains now, it connects and gives me a cert error, so I know it's connecting to the Docker instance.
So if it's not working, it's because something isn't set up right in the way the Docker instance is passing traffic. I'm only assuming that because it works on my Pi with just two port forward statements in my FWG.
EDIT - Looking above in the setup, I see 80 isn't open. Maybe that's the issue and I need to modify the YAML file and build it all again. My compose file has:
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
-
That could be it. I really only set this up for DNS-01 challenge as I didn’t want to open ports if I could help it.
You shouldn’t need to rebuild - just change the docker-compose.yaml with the extra ports, then run:
sudo docker-compose pull
sudo docker-compose up --detach
If successful, let me know your changes and I can add them as an option for the HTTP-01 challenge type.
-
Hello Shane,
Thanks for the detailed instructions. I was able to get it up and running, but it took me a couple of tries. You have to follow the instructions to the letter (except the IP range, which I changed from /24 to /29 and even /30; that worked).
I am also using Cloudflare for my two domains (different registrars, DNS server changes have been done). But I am getting ERROR 522 - connection timed out and ERROR 502 - bad gateway. This is really frustrating.
Any ideas are appreciated.
-
Tried this again and couldn't access the web interface locally. I did add port 80 back into the config and I could reach port 80, but I couldn't get anything to come up on 81.
I may have some leftover docker network stuff in play. I did the reset from here:
Guide: How to reset your docker service (Beta) – Firewalla
Not sure if I need to do something to remove any of the old network statements.
-
I'm trying to get this running... but one thing I notice right away is that stuff is in
/home/pi/.firewalla/run/docker/nginxproxymanager/data
It would be better if that were in /data from Firewalla's perspective.
I'm also not sure I follow what this is:
#
# Default NGINX Proxy Manager user/password (change on first use)
#
Email: admin@example.com
Password: changeme
I've got the docker containers running but can't get to the UI.
-
Open for suggestions here. I get this error when trying to update nginx proxy manager:
pi@firewalla:~/.firewalla/run/docker/nginxproxymanager (Firewalla) $ sudo docker-compose pull
Pulling app ... download complete
Pulling db ... done
ERROR: for app write /var/lib/docker/tmp/GetImageBlob102449248: no space left on device
ERROR: write /var/lib/docker/tmp/GetImageBlob102449248: no space left on device
What am I doing wrong?
Update:
After some digging, I found I needed to clean up old images. A little confused how the drive filled up so quickly.
Here are the commands I used to update/clean up:
# cd to directory
cd /home/pi/.firewalla/run/docker/nginxproxymanager
# download latest images
sudo docker-compose pull
# start docker with new images
sudo docker-compose up -d
# clean up old images
sudo docker system prune --all
-
@Joshua
Not sure if you are on Gold or Purple... I've noticed Purple works better if you put larger docker images on an SD card. I have not had that issue on Gold myself.
On Gold or Purple, make sure you use docker image prune appropriately to get rid of old containers or, if you get rid of containers (not running that docker anymore) get rid of that.
For example, this script updates the homebridge docker image on my Firewalla.
https://gist.github.com/mbierman/6cf22430ca0c2ddb699ac8780ef281ef