NGINX Proxy Manager - Docker Setup on FWG

Comments

50 comments

  • Firewalla

    Your port mapping in the yaml file is good. Do you mean that 443 on the WAN is blocked?

    0
  • Firewalla

    Your yaml is mapping these ports, so they will be forwarded and mapped to your docker instance. Likely this is forwarding?

        ports:
          - '80:80'
          - '81:81'
          - '443:443'
    0
  • Shane Lord

    OK - while waiting, I've done just that. Edited the docker-compose.yaml and changed this section:

        ports:
          - '80:80'
          - '81:81'
          - '443:443'

    to say

        ports:
          - '443:443'

    and I can still access the NGINX Proxy Manager internal URL on port 81, and now only 443 shows as open on the WAN when I do a port scan.

    Seems I don't need to list the ports for LAN access.

    If someone else could set this up and test to ensure I'm correct that would be appreciated - then the instructions can be updated and used by all.

    Thanks,
    Shane.

    0
  • Firewalla

    Have you tried to map the port this way, where x.x.x.x is the host IP?

    From a security perspective, you probably want to use non-standard ports, say 8080 instead of 80.

    So in your case, your 80 will map to the LAN IP and 443 to the WAN IP.

        ports:
          - "x.x.x.x:8080:80/tcp"
    0
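    The binding rule behind Firewalla's suggestion above is simple: a compose port string with no host address publishes on 0.0.0.0, i.e. on every interface of the Firewalla including the WAN, while one prefixed with an address listens only there. The block below is an added example, not code from the post or from NGINX Proxy Manager. It parses the short-syntax port strings quoted in this thread, flags any that publish on all interfaces for a port you did not intend to expose, and rewrites them to bind to a LAN address. The LAN address 192.168.1.1 and the "only 443 on the WAN" policy are assumptions. One caveat: Docker installs its own iptables rules when it publishes a port, so confirm the result with an external port scan as Shane did rather than trusting host firewall rules alone.

```python
"""Audit docker-compose short-syntax port mappings for unintended WAN exposure.

Added example, not code from the Firewalla post or from NGINX Proxy Manager.
The THREAD_PORTS strings are the ones quoted in the thread; the LAN address
192.168.1.1 and the "only 443 on the WAN" policy are assumptions.
Rule: a mapping with no host address publishes on 0.0.0.0 (every interface).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class PortMapping:
    host_ip: Optional[str]    # None means 0.0.0.0, i.e. all interfaces
    host_port: Optional[str]  # None means an ephemeral host port; may be a range "8000-8010"
    container_port: str
    proto: str


def _check_port(field: str) -> None:
    """Accept a single port or an inclusive range, both within 1-65535."""
    lo, _, hi = field.partition("-")
    hi = hi or lo
    if not (lo.isdigit() and hi.isdigit()):
        raise ValueError(f"bad port {field!r}")
    if not 1 <= int(lo) <= int(hi) <= 65535:
        raise ValueError(f"bad port {field!r}")


def parse_port_spec(spec: str) -> PortMapping:
    """Parse Docker's short syntax: [host_ip:][host_port:]container_port[/proto]."""
    body, _, proto = spec.strip().partition("/")
    proto = proto or "tcp"
    if proto not in ("tcp", "udp", "sctp"):
        raise ValueError(f"unknown protocol in {spec!r}")
    host_ip = host_port = None
    rest, _, container_port = body.rpartition(":")
    if rest:
        maybe_ip, _, host_port = rest.rpartition(":")
        if maybe_ip:
            # IPv6 host addresses are written in brackets: "[::1]:8080:80"
            host_ip = str(ipaddress.ip_address(maybe_ip.strip("[]")))
        _check_port(host_port)
    _check_port(container_port)
    return PortMapping(host_ip, host_port, container_port, proto)


def exposure(m: PortMapping) -> str:
    """Where the published port listens, from the host's point of view."""
    if m.host_ip in (None, "0.0.0.0", "::"):
        return "all-interfaces"
    if m.host_ip in ("127.0.0.1", "::1"):
        return "loopback"
    return "single-address"


def audit(specs: List[str], wan_ok: Set[int]) -> List[Tuple[str, str]]:
    """Return (spec, reason) for every mapping that listens on all interfaces
    with a host port outside the set you are willing to expose on the WAN."""
    findings = []
    for spec in specs:
        m = parse_port_spec(spec)
        if exposure(m) != "all-interfaces":
            continue
        if m.host_port is None:
            findings.append((spec, "ephemeral host port on 0.0.0.0"))
            continue
        lo, _, hi = m.host_port.partition("-")
        published = set(range(int(lo), int(hi or lo) + 1))
        if not published <= wan_ok:
            findings.append((spec, f"host port(s) {m.host_port} listen on 0.0.0.0"))
    return findings


def bind_to_lan(spec: str, lan_ip: str) -> str:
    """Rewrite an all-interfaces mapping so the host side listens only on lan_ip."""
    m = parse_port_spec(spec)
    if exposure(m) != "all-interfaces" or m.host_port is None:
        return spec
    return f"{lan_ip}:{m.host_port}:{m.container_port}/{m.proto}"


# Constructed input: the compose ports quoted in the thread.
THREAD_PORTS = ["80:80", "81:81", "443:443"]

if __name__ == "__main__":
    for spec, why in audit(THREAD_PORTS, wan_ok={443}):
        print(f"{spec}: {why}; consider {bind_to_lan(spec, '192.168.1.1')}")
```

    Running it on the thread's three mappings reports 80 and 81 (the admin UI) as all-interfaces listeners and suggests `192.168.1.1:81:81/tcp`, which is the form Firewalla describes; `443:443` passes because it is the one port the assumed policy allows on the WAN.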
  • Firewalla

    Okay great.  My docker knowledge is limited, so please excuse my bad suggestions :)

    0
  • Shane Lord

    OK - updated instructions. Usable by others now.

    1
  • Dustin Carpio

    I'm having an issue that I don't understand.

    pi@firewalla:~ (416 Home) $ sudo ip route add 172.16.0.0/24 dev br-$(sudo docker network inspect nginxproxymanager_default |jq -r '.[0].Id[0:12]') table wan_routable

    Error: No such network: nginxproxymanager_default

    Cannot find device "br-null"

    0
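    The `br-null` in Dustin's output above is what the pipeline produces when `docker network inspect` finds no network: it prints `[]` on stdout (the "No such network" text goes to stderr), `jq` turns `.[0].Id` into `null`, and `ip route` is handed a device that does not exist. Compose names its default network `<project>_default`, where the project name defaults to the directory holding docker-compose.yaml, so a differently named directory is the usual cause. The block below is an added example, not code from the post: it resolves the bridge device from the inspect JSON with explicit failures, and checks that the subnet being routed actually belongs to that network before building the `ip route add` command. The two JSON documents and the network ID are constructed stand-ins.

```python
"""Resolve the br-* device for a Docker network from `docker network inspect`
output, failing clearly instead of producing "br-null".

Added example, not code from the Firewalla post. EXISTING and MISSING are
constructed stand-ins for what `docker network inspect <name>` prints on
stdout: a one-element list for a real network and "[]" when the name does
not exist (the "No such network" text goes to stderr). The ID is made up.
"""
import json
import re
from typing import List

_HEX_ID = re.compile(r"^[0-9a-f]{12,64}$")
BRIDGE_NAME_OPTION = "com.docker.network.bridge.name"   # overrides the br-<id> default


def bridge_name(inspect_output: str, network_name: str) -> str:
    """Return the Linux bridge backing network_name.

    Docker names the bridge of a user-defined network "br-" followed by the
    first 12 hex characters of the network ID unless the bridge.name option
    was set when the network was created.
    """
    networks = json.loads(inspect_output)
    if not isinstance(networks, list) or not networks:
        raise LookupError(f"no such network: {network_name!r}; "
                          "check the compose project name (<dir>_default)")
    if len(networks) != 1:
        raise LookupError(f"{len(networks)} networks matched {network_name!r}")
    net = networks[0]
    if net.get("Name") != network_name:
        raise LookupError(f"inspect returned {net.get('Name')!r}, not {network_name!r}")
    if net.get("Driver") != "bridge":
        raise ValueError(f"{network_name!r} uses driver {net.get('Driver')!r}; no br-* device")
    custom = (net.get("Options") or {}).get(BRIDGE_NAME_OPTION)
    if custom:
        return custom
    ident = net.get("Id", "")
    if not _HEX_ID.match(ident):
        raise ValueError(f"unexpected network Id {ident!r}")
    return "br-" + ident[:12]


def network_subnets(inspect_output: str) -> List[str]:
    """Subnets Docker's IPAM assigned to the network (what the route must cover)."""
    networks = json.loads(inspect_output)
    if not networks:
        return []
    return [cfg["Subnet"] for cfg in networks[0].get("IPAM", {}).get("Config", [])]


def route_command(inspect_output: str, network_name: str, subnet: str,
                  table: str = "wan_routable") -> List[str]:
    """Build the argv for the `ip route add` from the post, but only after the
    device resolves and the subnet really belongs to that network."""
    dev = bridge_name(inspect_output, network_name)
    subnets = network_subnets(inspect_output)
    if subnet not in subnets:
        raise ValueError(f"{subnet} is not a subnet of {network_name!r}: {subnets}")
    return ["ip", "route", "add", subnet, "dev", dev, "table", table]


# Constructed stand-ins for `docker network inspect` stdout.
NETWORK = "nginxproxymanager_default"
EXISTING = json.dumps([{
    "Name": NETWORK,
    "Id": "3f9a1c2e4b6d7a8e9f0c1b2a3d4e5f6071829384a5b6c7d8e9f0a1b2c3d4e5f6",
    "Driver": "bridge",
    "Options": {},
    "IPAM": {"Config": [{"Subnet": "172.16.0.0/24", "Gateway": "172.16.0.1"}]},
}])
MISSING = "[]"

if __name__ == "__main__":
    print(" ".join(route_command(EXISTING, NETWORK, "172.16.0.0/24")))
    try:
        route_command(MISSING, NETWORK, "172.16.0.0/24")
    except LookupError as exc:
        print("refusing to run ip route:", exc)
```

    In practice you would feed `bridge_name()` the real stdout of `sudo docker network inspect <name>` and run the returned argv with sudo only when no exception was raised; the subnet check catches the other silent failure, routing a prefix the network does not actually use.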
  • Dustin Carpio

    I finally got it installed properly but I can't reach the GUI at 172.16.0.2:81. Any ideas?

    0
  • Shane Lord

    @Dustin - try running the commands in the file you created in step 5

    /home/pi/.firewalla/config/post_main.d/start_npm.sh

    They may be required before the network connections go live. If this works I'll update the instructions.

     

    0
  • Dustin Carpio

    That worked! Thanks.

    0
  • Shane Lord

    Awesome! I've added an extra step to ensure this is now covered. Thanks.

    0
  • Joshua Wood

    Hi Shane,

    Thanks very much for the guide.
    Any chance you have some advice on how I can bind this to the Firewalla IP on the network between the Firewalla and my modem, i.e. 192.168.200.0/24?

    My modem won't let me create a route to a network it's not on, so I can't port forward to the network in your example.

    0
  • Shane Lord

    Hi Josh.

    I’m sorry but I’m not sure what you could do in your situation. I set my modem in bridge mode and use my FWG as the core router so port forwarding isn’t required.

    Sorry!

    0
  • Joshua Wood

    No worries. What mode is your Firewalla in for the modem to work in bridged mode?

    I tried that when setting mine up, but because the Firewalla 1) didn't have an IP address and 2) my ISP doesn't require a user/password, I couldn't for the life of me work out how to get my modem to work with it in bridged mode.

    Note: it's currently in DHCP mode

    0
  • Shane Lord

    My FWG is in router mode. My modem is in bridge mode. My ISP provides connection via DHCP (IPoE) and doesn’t require username/password or VLAN ID.

    Set modem to bridge mode. FWG WAN to DHCP.

    That worked for me.

    0
  • Joshua Wood

    Thanks for the help. Managed to get it working. Might I also suggest adding a section on how to update the docker? I've had some experience doing this myself, but I imagine others might find some benefit as well.

    0
  • Jay Carter

    Anyone installed this recently? I'm currently running Nginx on a Pi that I'd like to repurpose. I've installed this twice and everything works great except I can't get SSL certs. When I go to request one, I just get "Internal Error."

    I thought originally maybe it was not working right because I had port forwards in place for my Pi, so I uninstalled, reinstalled, removed the port forwards, and the issue persists.

    My only other thought is I might have some old Docker weirdness hanging around causing issues but I did the Docker reset from the tips and tricks page.

    0
  • Shane Lord

    @Jay

    How are you doing your certs? I only set this up and tested it using DNS-01 (DNS Challenge) method via Cloudflare and my certs are installing and updating correctly. Not sure about other methods though.

    0
  • Jay Carter

    I have a domain registered at GoDaddy, use a PowerShell script to keep the IP up to date, and I just request the certs right out of Nginx. On my standalone Pi Nginx setup, that works perfectly. On the Docker instance, I get "Internal Error" when I try to request a cert.

    0
  • Firewalla

    When you are requesting a cert, are you using Let's Encrypt? Does that action require an external verification of your domain?

    0
  • Jay Carter

    I'm using the built-in mechanism of Nginx to request certs from Let's Encrypt. See screenshot from my working installation.

    0
  • Firewalla

    When Let's Encrypt verifies the domain, it will need to HTTP back to your docker instance. Is that path open?

    Here are more ways they can challenge https://letsencrypt.org/docs/challenge-types/

     

    0
  • Jay Carter

    I mean, it should be. It's working now on my Pi. I just set the Docker instance up according to the tutorial above. I then removed the port forwards that sent 80 and 443 to my Pi.

    When I go to my subdomains now, it connects and gives me a cert error, so I know it's connecting to the Docker instance.

    So if it's not working, it's because something isn't set up right in the way the Docker instance is passing traffic. I'm only assuming that because it works on my Pi with just two port forward statements in my FWG.

    EDIT - Looking above in the setup, I see 80 isn't open. Maybe that's the issue and I need to modify the YAML file and build it all again. My compose file has:

        services:
          app:
            image: 'jc21/nginx-proxy-manager:latest'
            restart: unless-stopped
            ports:
              - '80:80'
              - '81:81'
              - '443:443'

    0
  • Shane Lord

    That could be it. I really only set this up for DNS-01 challenge as I didn’t want to open ports if I could help it.

    You shouldn’t need to rebuild - just change the docker-compose.yaml with the extra ports, then run:

        sudo docker-compose pull
        sudo docker-compose up --detach

    If successful, let me know your changes and I can add them as an option for the HTTP-01 challenge type.

    0
  • Pcpartsg

    Hello Shane,

    Thanks for the detailed instructions. I was able to get it up and running, but it took me a couple of tries. You have to follow the instructions to the letter (except the IP range, which I changed from /24 to /29 and even /30); that worked.

    I am also using Cloudflare for my two domains (different registrars; the DNS server changes have been done). But I am getting ERROR 522 - connection timed out and ERROR 502 - bad gateway. This is really frustrating.

    Any ideas are appreciated.

     

    0
  • Shane Lord

    @Pcpartsg Make sure on Cloudflare you have the DNS entry set to DNS Only. If you use Cloudflare's proxy protection it will break.

    0
  • Jay Carter

    Tried this again and couldn't access the web interface locally. I did add port 80 back into the config and I could reach port 80, but I couldn't get anything to come up on 81.

    I may have some leftover docker network stuff in play. I did the reset from here:

    Guide: How to reset your docker service (Beta) – Firewalla

    Not sure if I need to do something to remove any of the old network statements.

    0
  • Michael Bierman

    I'm trying to get this running... but one thing I notice right away is that stuff is in 

    /home/pi/.firewalla/run/docker/nginxproxymanager/data

    It would be better if that were in /data from Firewalla's perspective.

     

    I'm also not sure I follow what this is:

    #
    # Default NGINX Proxy Manager user/password (change on first use)
    #

    Email: admin@example.com
    Password: changeme

    I've got the docker containers running but can't get to the UI. 

    0
  • Joshua Wood

    Open for suggestions here. I get this error when trying to update nginx proxy manager:

    pi@firewalla:~/.firewalla/run/docker/nginxproxymanager (Firewalla) $ sudo docker-compose pull
    Pulling app ... download complete
    Pulling db  ... done

    ERROR: for app  write /var/lib/docker/tmp/GetImageBlob102449248: no space left on device
    ERROR: write /var/lib/docker/tmp/GetImageBlob102449248: no space left on device

    What am I doing wrong?

    Update:

    After some digging, found I needed to clean up old images. Little confused how the drive filled up so quickly.

    Here are the commands I used to update/clean up:

    # cd to directory
    cd /home/pi/.firewalla/run/docker/nginxproxymanager

    # download latest images
    sudo docker-compose pull

    # start docker with new images
    sudo docker-compose up -d

    # clean up old images
    sudo docker system prune --all
    0
  • Michael Bierman

    @Joshua

    Not sure if you are on Gold or Purple... I've noticed Purple works better if you put larger docker images on an SD card.  I have not had that issue on Gold myself. 

    On Gold or Purple, make sure you use docker image prune appropriately to get rid of old containers or, if you get rid of containers (not running that docker anymore) get rid of that. 

    For example, this script updates the homebridge docker image on my Firewalla. 
    https://gist.github.com/mbierman/6cf22430ca0c2ddb699ac8780ef281ef

    0