Nginx Proxy Manager
claytondukes opened this issue · comments
Anyone wanna take a stab at making Nginx Proxy Manager work? It would be a brilliant addition to this!
The app installs, but the db portion fails with a cni error.

```sh
podman run --detach \
  --name sslproxy_app \
  --network host \
  --privileged \
  --volume /etc/localtime:/etc/localtime:ro \
  --volume /mnt/data_ext/sslproxy/data:/data \
  --volume /mnt/data_ext/sslproxy/letsencrypt:/etc/letsencrypt \
  jc21/nginx-proxy-manager:latest
```

```
podman ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
edcb51c925c5 docker.io/jc21/nginx-proxy-manager:latest 14 minutes ago Up 14 minutes ago sslproxy_app
```

```sh
podman run --detach \
  --name sslproxy_db \
  --env "MYSQL_ROOT_PASSWORD=npm" \
  --env "MYSQL_DATABASE=npm" \
  --env "MYSQL_USER=npm" \
  --env "MYSQL_PASSWORD=npm" \
  --volume /mnt/data_ext/sslproxy/mysql:/var/lib/mysql \
  jc21/mariadb-aria:latest
```

```
ERRO[0013] Error adding network: failed to find plugin "loopback" in path [/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin]
ERRO[0013] Error while adding to cni lo network: failed to find plugin "loopback" in path [/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin]
Error: error configuring network namespace for container 7108e35f4924b5570aa1727e44c1c960902f9124da386759d42357ba4abfaf9f: failed to find plugin "loopback" in path [/usr/libexec/cni /usr/lib/cni /usr/local/lib/cni /opt/cni/bin]
```
You haven't got a cni network file for your mariadb docker hence it ain't working.
I would look into that - that should be it. Portainer.io might be actually a thing you might want to check out :)
I wouldn't do this "--network host". If you run the proxy manager and/or DB in that mode it will also run on your WAN address.
Please run this in another VLAN.
You can try using this instead of using mssql, which will make it more lightweight: `-e DB_SQLITE_FILE="/data/database.sqlite"`

But then you'll get:

```
s6-supervise (child): fatal: unable to exec run: Permission denied
s6-supervise nginx: warning: unable to spawn ./run - waiting 10 seconds
```
Which I can't figure out.
Here's the ticket on nginx proxy manager: NginxProxyManager/nginx-proxy-manager#993
Here's what I have so far otherwise. I think it's close; if I can get the s6 stuff running in the container, we're there.
PS: you don't want host because ports 80 and 443 are consumed by the UDM Pro, so it will conflict and you won't be able to do redirects. It needs to be its own VLAN, or at least a network with an IP.
So this would be easy, you just need to steal the 10-dns.sh networking magic and make a macvlan interface. Remove all the DNS-specific stuff and then do --network instead of host.
@boostchicken That's basically what I did, however it fails to load per the error that I linked to.
This is an issue with systemd and podman.
Solve it by adding:

```
--systemd=false
```

So:

```sh
podman run -d \
  --network proxy \
  --name npm \
  --systemd=false \
  -p 40080:80 \
  -p 40443:443 \
  -p 81:81 \
  -e TZ="America/New_York" \
  -v "/mnt/data/proxy/data:/data" \
  -v "/mnt/data/proxy/letsencrypt:/etc/letsencrypt" \
  -e DB_SQLITE_FILE="/data/database.sqlite" \
  jc21/nginx-proxy-manager:latest
```
The "--privileged" is not needed. And it can't run on port 80 or 443! You need to specify the ports.
I tried it... but the WebGUI won't load on port 81. Logging shows me that the docker itself runs:

```
[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 01_s6-secret-init.sh: executing...
[cont-init.d] 01_s6-secret-init.sh: exited 0.
[cont-init.d] done.
[services.d] starting services
[services.d] done.
❯ Enabling IPV6 in hosts: /etc/nginx/conf.d
❯ /etc/nginx/conf.d/include/force-ssl.conf
❯ /etc/nginx/conf.d/include/proxy.conf
❯ /etc/nginx/conf.d/include/ip_ranges.conf
❯ /etc/nginx/conf.d/include/ssl-ciphers.conf
❯ /etc/nginx/conf.d/include/assets.conf
❯ /etc/nginx/conf.d/include/block-exploits.conf
❯ /etc/nginx/conf.d/include/letsencrypt-acme-challenge.conf
❯ /etc/nginx/conf.d/include/resolvers.conf
❯ /etc/nginx/conf.d/default.conf
❯ /etc/nginx/conf.d/production.conf
❯ Enabling IPV6 in hosts: /data/nginx
[4/5/2021] [3:34:35 PM] [Global ] › ℹ info Generating Sqlite db configuration from environment variables
[4/5/2021] [3:34:35 PM] [Global ] › ℹ info Wrote db configuration to config file: ./config/production.json
sqlite does not support inserting default values. Set the `useNullAsDefault` flag to hide this warning. (see docs http://knexjs.org/#Builder-insert).
[4/5/2021] [3:34:38 PM] [Migrate ] › ℹ info Current database version: none
[4/5/2021] [3:34:39 PM] [Setup ] › ℹ info Creating a new JWT key pair...
[4/5/2021] [3:34:48 PM] [Setup ] › ℹ info Wrote JWT key pair to config file: /app/config/production.json
[4/5/2021] [3:34:48 PM] [IP Ranges] › ℹ info Fetching IP Ranges from online services...
[4/5/2021] [3:34:48 PM] [IP Ranges] › ℹ info Fetching https://ip-ranges.amazonaws.com/ip-ranges.json
[4/5/2021] [3:34:53 PM] [IP Ranges] › ✖ error getaddrinfo EAI_AGAIN ip-ranges.amazonaws.com
[4/5/2021] [3:34:53 PM] [SSL ] › ℹ info Let's Encrypt Renewal Timer initialized
[4/5/2021] [3:34:53 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[4/5/2021] [3:34:53 PM] [IP Ranges] › ℹ info IP Ranges Renewal Timer initialized
[4/5/2021] [3:34:53 PM] [Global ] › ℹ info Backend PID 221 listening on port 3000 ...
[4/5/2021] [3:34:55 PM] [Nginx ] › ℹ info Reloading Nginx
[4/5/2021] [3:34:55 PM] [SSL ] › ℹ info Renew Complete
```
It's working now with these settings:

```sh
podman create \
  --systemd=false \
  --network proxymanager \
  --name proxymanager \
  -p 40080:80 \
  -p 40443:443 \
  -p 81:81 \
  -e TZ=Europe/Amsterdam \
  -e DB_SQLITE_FILE="/data/database.sqlite" \
  -v "/mnt/data/proxymanager/data:/data" \
  -v "/mnt/data/proxymanager/letsencrypt:/etc/letsencrypt" \
  jc21/nginx-proxy-manager:latest
```
Adjust it to your own needs :)
I'm not able to get it running properly with certs. I can't get an answer; it's actively refusing my request while I'm 100% sure the port forwards and A/AAAA records are correct.
I think this has something to do with the UDM/IPTABLES itself.

```
2021-04-05 16:20:49,470:DEBUG:acme.client:Storing nonce: 0004i6-2jrw5pxzY9FixvKzDorqk8TgeGqO59T_daudBZdc
2021-04-05 16:20:49,471:WARNING:certbot._internal.auth_handler:Challenge failed for domain -deleted-.nl
2021-04-05 16:20:49,472:INFO:certbot._internal.auth_handler:http-01 challenge for -deleted-.nl
2021-04-05 16:20:49,478:DEBUG:certbot._internal.reporter:Reporting to user: The following errors were reported by the server:
Domain: -deleted-.nl
Type: connection
Detail: Fetching http://-deleted-.nl/.well-known/acme-challenge/Nusv2AEq1QfZvUr5xC9g3vezxD6K_eydtzWkTAM8ntg: Connection refused
To fix these errors, please make sure that your domain name was entered correctly and the DNS A/AAAA record(s) for that domain contain(s) the right IP address. Additionally, please check that your computer has a publicly routable IP address and that no firewalls are preventing the server from communicating with the client. If you're using the webroot plugin, you should also verify that you are serving files from the webroot path you provided.
2021-04-05 16:20:49,479:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
2021-04-05 16:20:49,479:DEBUG:certbot._internal.error_handler:Calling registered functions
2021-04-05 16:20:49,480:INFO:certbot._internal.auth_handler:Cleaning up challenges
2021-04-05 16:20:49,481:DEBUG:certbot._internal.plugins.webroot:Removing /data/letsencrypt-acme-challenge/.well-known/acme-challenge/Nusv2AEq1QfZvUr5xC9g3vezxD6K_eydtzWkTAM8ntg
2021-04-05 16:20:49,482:DEBUG:certbot._internal.plugins.webroot:All challenges cleaned up
2021-04-05 16:20:49,482:DEBUG:certbot._internal.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in <module>
    load_entry_point('certbot==1.4.0', 'console_scripts', 'certbot')()
  File "/usr/lib/python3.8/site-packages/certbot/main.py", line 15, in main
    return internal_main.main(cli_args)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1347, in main
    return config.func(config, plugins)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 1233, in certonly
    lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/main.py", line 121, in _get_and_save_cert
    lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 409, in obtain_and_enroll_certificate
    cert, chain, key, _ = self.obtain_certificate(domains)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 343, in obtain_certificate
    orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/client.py", line 390, in _get_order_and_authorizations
    authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 91, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, best_effort)
  File "/usr/lib/python3.8/site-packages/certbot/_internal/auth_handler.py", line 180, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.
```
@renedis Use ports below 32000, UDMP won't work above that. I used 16080 and 16443 and it works fine.
@boostchicken Do you want a pull request to add this, or will you add it?
(I also have unbound working as well)
@JohnGalt1717 still not working for me. Rebooted the UDM, still no luck.
My UDM keeps refusing
Make sure you force run the .sh script and that the ip in the network config file matches the .sh file's ip at the top.
Got it sorted now. The container/UDM does not accept 16080 and 16443. The container now just runs on 80/81/443.
How did you get it to run on 80/81/443? Every time I do that I get port conflicts on 80 or 443 depending.
Simply don't specify the ports.
```sh
docker run -d \
  --systemd=false \
  --network proxymanager \
  --name proxymanager \
  -e TZ=Europe/Amsterdam \
  -e DB_SQLITE_FILE="/data/database.sqlite" \
  -v "/mnt/data/proxymanager/data:/data" \
  -v "/mnt/data/proxymanager/letsencrypt:/etc/letsencrypt" \
  jc21/nginx-proxy-manager:latest
```
```sh
#!/bin/sh
## configuration variables:
VLAN=5
IPV4_IP_PROXYMANAGER="10.0.5.6"
# This is the IP address of the container. You may want to set it to match
# your own network structure such as 192.168.5.3 or similar.
IPV4_GW="10.0.5.1/24"
# As above, this should match the gateway of the VLAN for the container
# network as above which is usually the .1/24 range of the IPV4_IP
# container name; e.g. nextdns, pihole, adguardhome, etc.
CONTAINER_PROXYMANAGER=proxymanager

## network configuration and startup:
CNI_PATH=/mnt/data/podman/cni
# fetch the CNI plugins (macvlan, static IPAM, ...) once and keep them on persistent storage
if [ ! -f "$CNI_PATH"/macvlan ]; then
    mkdir -p "$CNI_PATH"
    curl -L https://github.com/containernetworking/plugins/releases/download/v0.9.0/cni-plugins-linux-arm64-v0.9.0.tgz | tar -xz -C "$CNI_PATH"
fi
# point the default plugin path at the persistent copy
mkdir -p /opt/cni
rm -f /opt/cni/bin
ln -s "$CNI_PATH" /opt/cni/bin
# register every network definition from the persistent directory
for file in "$CNI_PATH"/*.conflist
do
    if [ -f "$file" ]; then
        ln -fs "$file" "/etc/cni/net.d/$(basename "$file")"
    fi
done

# set VLAN bridge promiscuous
ip link set br${VLAN} promisc on
# create macvlan bridge and add IPv4 IP
ip link add br${VLAN}.mac link br${VLAN} type macvlan mode bridge
ip addr add ${IPV4_GW} dev br${VLAN}.mac noprefixroute
# set macvlan bridge promiscuous and bring it up
ip link set br${VLAN}.mac promisc on
ip link set br${VLAN}.mac up
#######################################################################################
# add IPv4 route to the proxymanager container (so the UDM itself can reach it via the macvlan bridge)
ip route add ${IPV4_IP_PROXYMANAGER}/32 dev br${VLAN}.mac
#######################################################################################
#######################################################################################
if podman container exists ${CONTAINER_PROXYMANAGER}; then
    podman start ${CONTAINER_PROXYMANAGER}
else
    logger -s -t podman-dns -p ERROR Container $CONTAINER_PROXYMANAGER not found, make sure you set the proper name, you can ignore this error if it is your first time setting it up
fi
#######################################################################################
```
#######################################################################################
{
"cniVersion": "0.4.0",
"name": "proxymanager",
"plugins": [
{
"type": "macvlan",
"mode": "bridge",
"master": "br5",
"ipam": {
"type": "static",
"addresses": [
{
"address": "10.0.5.6/24",
"gateway": "10.0.5.1"
}
],
"routes": [
{"dst": "0.0.0.0/0"}
]
}
}
]
}
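A small consistency check for the pair of files above, as an added example that is not from the thread: it compares the VLAN, container IP, prefix length and gateway at the top of the on_boot script against the macvlan conflist, which is the mismatch an earlier comment warns about. `SH_SAMPLE` and `CONFLIST_SAMPLE` are constructed stand-ins for the two files; on the UDM you would pass `"$(cat /mnt/data/on_boot.d/10-proxymanager.sh)"` and `"$(cat /mnt/data/podman/cni/10-proxymanager.conflist)"` instead (those paths are assumptions).

```shell
#!/bin/sh
# Added example (not from the thread): verify that the on_boot script and the
# CNI conflist agree on VLAN bridge, IP, prefix and gateway before rebooting.

# Constructed stand-in for the top of 10-proxymanager.sh (assumption).
SH_SAMPLE='VLAN=5
IPV4_IP_PROXYMANAGER="10.0.5.6"
IPV4_GW="10.0.5.1/24"'

# Constructed stand-in for 10-proxymanager.conflist (assumption).
CONFLIST_SAMPLE='{ "cniVersion": "0.4.0", "name": "proxymanager",
  "plugins": [ { "type": "macvlan", "mode": "bridge", "master": "br5",
    "ipam": { "type": "static",
      "addresses": [ { "address": "10.0.5.6/24", "gateway": "10.0.5.1" } ],
      "routes": [ { "dst": "0.0.0.0/0" } ] } } ] }'

# extract_sh_value TEXT NAME: value of the NAME=... line (quotes optional).
extract_sh_value() {
    printf '%s\n' "$1" | sed -n "s/^$2=\"\{0,1\}\([^\"]*\)\"\{0,1\}\$/\1/p" | head -n 1
}

# extract_json_value TEXT KEY: the string value stored under "KEY".
extract_json_value() {
    printf '%s' "$1" | tr -d '\n' |
        sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# check_consistency SH_TEXT CONFLIST_TEXT: return 0 when both agree,
# otherwise print one line per mismatch and return 1.
check_consistency() {
    sh_vlan=$(extract_sh_value "$1" VLAN)
    sh_ip=$(extract_sh_value "$1" IPV4_IP_PROXYMANAGER)
    sh_gw=$(extract_sh_value "$1" IPV4_GW | cut -d/ -f1)
    sh_prefix=$(extract_sh_value "$1" IPV4_GW | cut -d/ -f2)
    cni_master=$(extract_json_value "$2" master)
    cni_addr=$(extract_json_value "$2" address)
    cni_gw=$(extract_json_value "$2" gateway)
    rc=0
    [ "br$sh_vlan" = "$cni_master" ] ||
        { echo "VLAN mismatch: script br$sh_vlan, conflist master $cni_master"; rc=1; }
    [ "$sh_ip" = "${cni_addr%/*}" ] ||
        { echo "IP mismatch: script $sh_ip, conflist address ${cni_addr%/*}"; rc=1; }
    [ "$sh_prefix" = "${cni_addr#*/}" ] ||
        { echo "prefix mismatch: script /$sh_prefix, conflist /${cni_addr#*/}"; rc=1; }
    [ "$sh_gw" = "$cni_gw" ] ||
        { echo "gateway mismatch: script $sh_gw, conflist gateway $cni_gw"; rc=1; }
    return $rc
}
```

The `"name"` in the conflist is what `--network` on the `docker run`/`podman run` line must reference; the container name in the script is independent of it.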
I would like to see this available as well. I would probably have to remove the pihole from my UDMP to make this work, but it would be a great addition!
@kashalls You shouldn't have to remove pi hole. Just put it on a different port on a different VLAN and you're set.
It's not that I should change the port; with all that I have on there and how much I abuse my poor UDM Pro, it's already at 90% memory usage and adding more would probably break it.
In case it helps anyone who got to @renedis's excellent comment in this thread without any real context:

- you need to create the `/mnt/data/proxymanager/data` and `/mnt/data/proxymanager/letsencrypt` directories
- the `docker run -d` command might need to be `podman run -d` depending on how you have things configured; run it to create a container
- you need to create a VLAN in the UDM UI, and if the VLAN ID is not 5, edit the shell script accordingly
- the shell script (with `VLAN=5` etc) is a variation of the 10-dns.sh and should be edited as necessary and saved as something like `/mnt/data/on_boot.d/10-proxymanager.sh` and set executable
- the json code should be edited to match the shell script, if necessary, and saved as something like `/mnt/data/podman/cni/10-proxymanager.conflist`
Also, it's entirely possible that I got parts of this wrong, but it does work for me here. If I made any mistakes, someone please correct me!