
docker-nginx-proxy-manager's Introduction

Docker container for Nginx Proxy Manager


This project implements a Docker container for Nginx Proxy Manager.


Nginx Proxy Manager

Nginx Proxy Manager enables you to easily forward to your websites running at home or otherwise, including free SSL, without having to know too much about Nginx or Letsencrypt.



Quick Start

NOTE: The Docker command provided in this quick start is given as an example; its parameters should be adjusted to your needs.

Launch the Nginx Proxy Manager docker container with the following command:

docker run -d \
    --name=nginx-proxy-manager \
    -p 8181:8181 \
    -p 8080:8080 \
    -p 4443:4443 \
    -v /docker/appdata/nginx-proxy-manager:/config:rw \
    jlesage/nginx-proxy-manager

Where:

  • /docker/appdata/nginx-proxy-manager: This is where the application stores its configuration, states, log and any files needing persistency.

Browse to http://your-host-ip:8181 to access the Nginx Proxy Manager web interface.

Usage

docker run [-d] \
    --name=nginx-proxy-manager \
    [-e <VARIABLE_NAME>=<VALUE>]... \
    [-v <HOST_DIR>:<CONTAINER_DIR>[:PERMISSIONS]]... \
    [-p <HOST_PORT>:<CONTAINER_PORT>]... \
    jlesage/nginx-proxy-manager
Parameter  Description
-d         Run the container in the background. If not set, the container runs in the foreground.
-e         Pass an environment variable to the container. See the Environment Variables section for more details.
-v         Set a volume mapping (allows sharing a folder/file between the host and the container). See the Data Volumes section for more details.
-p         Set a network port mapping (exposes an internal container port to the host). See the Ports section for more details.

Environment Variables

To customize some properties of the container, the following environment variables can be passed via the -e parameter (one for each variable). The value of this parameter has the format <VARIABLE_NAME>=<VALUE>.

Variable          Default      Description
USER_ID           1000         ID of the user the application runs as. See User/Group IDs to better understand when this should be set.
GROUP_ID          1000         ID of the group the application runs as. See User/Group IDs to better understand when this should be set.
SUP_GROUP_IDS     (no value)   Comma-separated list of supplementary group IDs of the application.
UMASK             0022         Mask that controls how permissions are set for newly created files and folders. The value is in octal notation. The default of 0022 means that newly created files and folders are readable by everyone, but writable only by the owner. See the online umask calculator at http://wintelguy.com/umask-calc.pl.
LANG              en_US.UTF-8  Locale, which defines the application's language, if supported. The format is language[_territory][.codeset], where language is an ISO 639 language code, territory is an ISO 3166 country code and codeset is a character set, like UTF-8. For example, Australian English using the UTF-8 encoding is en_AU.UTF-8.
TZ                Etc/UTC      Time zone used by the container. The time zone can also be set by mapping /etc/localtime between the host and the container.
KEEP_APP_RUNNING  0            When set to 1, the application is automatically restarted when it crashes or terminates.
APP_NICENESS      0            Priority at which the application runs. A niceness value of -20 is the highest priority and 19 is the lowest. NOTE: A negative niceness (priority increase) requires additional permissions; in this case, the container must be run with the Docker option --cap-add=SYS_NICE.
INSTALL_PACKAGES  (no value)   Space-separated list of packages to install during the startup of the container. The list of available packages can be found at https://mirrors.alpinelinux.org. ATTENTION: Container functionality can be affected when installing a package that overrides existing container files (e.g. binaries).
PACKAGES_MIRROR   (no value)   Mirror of the repository to use when installing packages. The list of mirrors is available at https://mirrors.alpinelinux.org.
CONTAINER_DEBUG   0            Set to 1 to enable debug logging.
DISABLE_IPV6      0            When set to 1, IPv6 support is disabled. This is needed when IPv6 is not enabled/supported on the host.

Deployment Considerations

Many tools used to manage Docker containers extract environment variables defined by the Docker image and use them to create/deploy the container. For example, this is done by:

  • The Docker application on Synology NAS
  • The Container Station on QNAP NAS
  • Portainer
  • etc.

While this can be useful for users to adjust the values of environment variables to fit their needs, keeping all of them can also be confusing and dangerous.

A good practice is to set/keep only the variables that are needed for the container to behave as desired in a specific setup. If the value of a variable is kept at its default, it can be removed. Keep in mind that all variables are optional: none of them is required for the container to start.

Removing environment variables that are not needed provides some advantages:

  • Prevents keeping variables that are no longer used by the container. Over time, with image updates, some variables might be removed.
  • Allows the Docker image to change/fix a default value. Again, with image updates, the default value of a variable might be changed to fix an issue, or to better support a new feature.
  • Prevents changes to a variable that might affect the correct function of the container. Some undocumented variables, like PATH or ENV, are required to be exposed, but are not meant to be changed by users. However, container management tools still show these variables to users.
  • There is a bug with the Container Station on QNAP and the Docker application on Synology, where an environment variable without a value might not be allowed. This behavior is wrong: it's absolutely fine to have a variable without a value. In fact, this container does have variables without a value by default. Thus, removing unneeded variables is a good way to prevent deployment issues on these devices.

Data Volumes

The following table describes data volumes used by the container. The mappings are set via the -v parameter. Each mapping is specified with the following format: <HOST_DIR>:<CONTAINER_DIR>[:PERMISSIONS].

Container path  Permissions  Description
/config         rw           This is where the application stores its configuration, states, log and any files needing persistency.

Ports

Here is the list of ports used by the container.

When using the default bridge network, ports can be mapped to the host via the -p parameter (one per port mapping). Each mapping is defined with the following format: <HOST_PORT>:<CONTAINER_PORT>. The port number used inside the container might not be changeable, but you are free to use any port on the host side.

See the Docker Container Networking documentation for more details.

Port  Protocol  Mapping to host  Description
8181  TCP       Mandatory        Port used to access the web interface of the application.
8080  TCP       Mandatory        Port used to serve HTTP requests.
4443  TCP       Mandatory        Port used to serve HTTPS requests.

Changing Parameters of a Running Container

As can be seen, environment variables, volume and port mappings are all specified while creating the container.

The following steps describe the method used to add, remove or update parameter(s) of an existing container. The general idea is to destroy and re-create the container:

  1. Stop the container (if it is running):

     docker stop nginx-proxy-manager

  2. Remove the container:

     docker rm nginx-proxy-manager

  3. Create/start the container using the docker run command, adjusting parameters as needed.

NOTE: Since all of the application's data is saved under the /config container folder, destroying and re-creating a container is not a problem: nothing is lost and the application comes back with the same state (as long as the mapping of the /config folder remains the same).

Docker Compose File

Here is an example of a docker-compose.yml file that can be used with Docker Compose.

Make sure to adjust according to your needs. Note that only mandatory network ports are part of the example.

version: '3'
services:
  nginx-proxy-manager:
    image: jlesage/nginx-proxy-manager
    ports:
      - "8181:8181"
      - "8080:8080"
      - "4443:4443"
    volumes:
      - "/docker/appdata/nginx-proxy-manager:/config:rw"

Docker Image Versioning

Each release of a Docker image is versioned. Prior to October 2022, semantic versioning was used as the versioning scheme.

Since then, the versioning scheme has changed to calendar versioning. The format used is YY.MM.SEQUENCE, where:

  • YY is the zero-padded year (relative to year 2000).
  • MM is the zero-padded month.
  • SEQUENCE is the incremental release number within the month (first release is 1, second is 2, etc).

Docker Image Update

Because features are added, issues are fixed, or simply because a new version of the containerized application is integrated, the Docker image is regularly updated. Different methods can be used to update the Docker image.

The system used to run the container may have a built-in way to update containers. If so, this could be your primary way to update Docker images.

Another way is to have the image automatically updated with Watchtower. Watchtower is a container-based solution for automating Docker image updates. This is a "set and forget" type of solution: once a new image is available, Watchtower will seamlessly perform the necessary steps to update the container.

Finally, the Docker image can be manually updated with these steps:

  1. Fetch the latest image:

     docker pull jlesage/nginx-proxy-manager

  2. Stop the container:

     docker stop nginx-proxy-manager

  3. Remove the container:

     docker rm nginx-proxy-manager

  4. Create and start the container using the docker run command, with the same parameters that were used when it was deployed initially.

Synology

For owners of a Synology NAS, the following steps can be used to update a container image.

  1. Open the Docker application.
  2. Click on Registry in the left pane.
  3. In the search bar, type the name of the container (jlesage/nginx-proxy-manager).
  4. Select the image, click Download and then choose the latest tag.
  5. Wait for the download to complete. A notification will appear once done.
  6. Click on Container in the left pane.
  7. Select your Nginx Proxy Manager container.
  8. Stop it by clicking Action->Stop.
  9. Clear the container by clicking Action->Reset (or Action->Clear if you don't have the latest Docker application). This removes the container while keeping its configuration.
  10. Start the container again by clicking Action->Start. NOTE: The container may temporarily disappear from the list while it is re-created.

unRAID

For unRAID, a container image can be updated by following these steps:

  1. Select the Docker tab.
  2. Click the Check for Updates button at the bottom of the page.
  3. Click the update ready link of the container to be updated.

User/Group IDs

When using data volumes (-v flags), permissions issues can occur between the host and the container. For example, the user within the container may not exist on the host. This could prevent the host from properly accessing files and folders on the shared volume.

To avoid any problem, you can specify the user the application should run as.

This is done by passing the user ID and group ID to the container via the USER_ID and GROUP_ID environment variables.

To find the right IDs to use, issue the following command on the host, with the user owning the data volume on the host:

id <username>

Which gives an output like this one:

uid=1000(myuser) gid=1000(myuser) groups=1000(myuser),4(adm),24(cdrom),27(sudo),46(plugdev),113(lpadmin)

The values of uid (user ID) and gid (group ID) are the ones that should be given to the container.
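As an added example (not part of this README or of the project's code), the following Python helper parses the `id` output shown above into the USER_ID, GROUP_ID and SUP_GROUP_IDS values the container accepts, and passes on only the supplementary groups you name explicitly, so the container is not handed every group the host user belongs to. The sample `id` line and the function names are constructed here.

```python
import re

# Constructed sample, in the format `id <username>` prints on the host (see above).
SAMPLE_ID_OUTPUT = (
    "uid=1000(myuser) gid=1000(myuser) "
    "groups=1000(myuser),4(adm),24(cdrom),27(sudo),46(plugdev),113(lpadmin)"
)

# `id` prints "uid=N(name) gid=N(name) groups=N(name),N(name),..."; the "(name)"
# parts are absent when the ID has no passwd/group entry, and some systems append
# an SELinux "context=..." field, so names are optional and groups stop at whitespace.
ID_LINE = re.compile(
    r"^uid=(?P<uid>\d+)(?:\([^)]*\))?\s+"
    r"gid=(?P<gid>\d+)(?:\([^)]*\))?\s+"
    r"groups=(?P<groups>\S+)"
)


def parse_id_output(text):
    """Return {'USER_ID', 'GROUP_ID', 'SUP_GROUP_IDS'} from one line of `id` output.

    SUP_GROUP_IDS lists every group other than the primary group, in the order
    `id` reported them; the caller decides which of them the container needs.
    """
    m = ID_LINE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised id output: {text!r}")
    gid = int(m.group("gid"))
    groups = [int(g.split("(", 1)[0]) for g in m.group("groups").split(",")]
    return {
        "USER_ID": int(m.group("uid")),
        "GROUP_ID": gid,
        "SUP_GROUP_IDS": [g for g in groups if g != gid],
    }


def docker_env_args(ids, sup_groups=()):
    """Build the `-e` arguments for `docker run` from parse_id_output()'s result.

    Only the supplementary groups listed in `sup_groups` are passed on, and each
    must be one the host user actually belongs to; everything else is left out so
    the container runs with the minimum set of groups needed for the volume.
    """
    wanted = [int(g) for g in sup_groups]
    unknown = [g for g in wanted if g not in ids["SUP_GROUP_IDS"]]
    if unknown:
        raise ValueError(f"host user is not a member of group(s) {unknown}")
    args = ["-e", f"USER_ID={ids['USER_ID']}", "-e", f"GROUP_ID={ids['GROUP_ID']}"]
    if wanted:
        args += ["-e", "SUP_GROUP_IDS=" + ",".join(str(g) for g in wanted)]
    return args


if __name__ == "__main__":
    ids = parse_id_output(SAMPLE_ID_OUTPUT)
    # Pass on only the "adm" group (4), e.g. because it owns the data volume.
    print("docker run -d --name=nginx-proxy-manager",
          " ".join(docker_env_args(ids, sup_groups=[4])),
          "-v /docker/appdata/nginx-proxy-manager:/config:rw jlesage/nginx-proxy-manager")
```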

Accessing the GUI

Assuming that the container's ports are mapped to the same ports on the host, the interface of the application can be accessed with a web browser at:

http://<HOST IP ADDR>:8181

Shell Access

To get shell access to the running container, execute the following command:

docker exec -ti CONTAINER sh

Where CONTAINER is the ID or the name of the container used during its creation.

Default Administrator Account

After a fresh install, use the following credentials to log in:

After you log in with this default user, you will be asked to modify your details and change your password.

Accessibility From The Internet

NOTE: This section assumes that the container is using the default bridge network type.

For this container to be accessible from the Internet, port forwarding must be configured on your router. This allows HTTP (port 80) and HTTPs (port 443) traffic from the Internet to reach this container on your private network.

Configuration of port forwarding differs from one router to another, but in general the same information must be configured:

  • External port: The Internet-side port to be forwarded.
  • Internal port: The port to forward to. Also called private port.
  • Destination IP address: The IP address of the device on the local network to forward to. Also called private IP address.

The IP address to forward to should be the IP address of the host running the container. The port to forward to should be the port mapped to the container during its creation (via the -p parameter of the docker run command).

Since the container needs to handle both HTTP and HTTPs traffic, two ports need to be forwarded:

Traffic type  Container port  Host port mapped to container  External port  Internal port  Internal IP address
HTTP          8080            XXXX                           80             XXXX           IP address of the host running the container
HTTPS         4443            YYYY                           443            YYYY           IP address of the host running the container

XXXX and YYYY are configurable port values. Unless they conflict with other used ports on the host, they can simply be set to the same value as the container port.

NOTE: Some routers don't offer the ability to configure the internal port to forward to. This means that the internal port is the same as the external one. In such a scenario, XXXX must be set to 80 and YYYY to 443.

For more details about port forwarding, see the following links:

Troubleshooting

Password Reset

The password of a user can be reset to changeme with the following command:

docker exec CONTAINER_NAME /opt/nginx-proxy-manager/bin/reset-password USER_EMAIL

Where:

  • CONTAINER_NAME is the name of the running container.
  • USER_EMAIL is the email address of the user whose password is to be reset.

Support or Contact

Having troubles with the container or have questions? Please create a new issue.

For other great Dockerized applications, see https://jlesage.github.io/docker-apps.


docker-nginx-proxy-manager's Issues

NetBIOS name lookup?

Just wondering if you could add NetBIOS name support to this great project! ... would be great to forward to Windows hostnames.

Thanks

Unable to request certs

Whenever I try to request a new LetsEncrypt cert, it seems to fail with an error message of "Internal Error", but then lists the cert. Cert is then unusable.

Looking at the log directory, the letsencrypt log shows this:

2019-07-16 16:35:59,452:DEBUG:certbot.main:certbot version: 0.25.1
2019-07-16 16:35:59,453:DEBUG:certbot.main:Arguments: ['-n', '--force-renewal', '--disable-hook-validation', '--cert-name', 'npm-5']
2019-07-16 16:35:59,453:DEBUG:certbot.main:Discovered plugins: PluginsRegistry(PluginEntryPoint#manual,PluginEntryPoint#null,PluginEntryPoint#standalone,PluginEntryPoint#webroot)
2019-07-16 16:35:59,476:DEBUG:certbot.log:Root logging level set at 20
2019-07-16 16:35:59,477:INFO:certbot.log:Saving debug log to /config/log/letsencrypt/letsencrypt.log
2019-07-16 16:35:59,478:DEBUG:certbot.log:Exiting abnormally:
Traceback (most recent call last):
  File "/usr/bin/certbot", line 11, in
    load_entry_point('certbot==0.25.1', 'console_scripts', 'certbot')()
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1323, in main
    return config.func(config, plugins)
  File "/usr/lib/python2.7/site-packages/certbot/main.py", line 1235, in renew
    renewal.handle_renewal_request(config)
  File "/usr/lib/python2.7/site-packages/certbot/renewal.py", line 388, in handle_renewal_request
    conf_files = [storage.renewal_file_for_certname(config, config.certname)]
  File "/usr/lib/python2.7/site-packages/certbot/storage.py", line 49, in renewal_file_for_certname
    "{1}).".format(certname, path))
CertStorageError: No certificate found with name npm-5 (expected /etc/letsencrypt/renewal/npm-5.conf).

Adding custom SSL cert size limit

I get an error trying to import my custom cert.

Error:
Certificate file is too large (>5kb)

The cert I am trying to import is 8kb

Unable to use it on port 80 and 81

Hello,

I am able to run it on 8181 but not on ports 80, 81, 443. I do not have any Apache or Nginx configuration installed, and if I run the containers I can see that the ports are open, but I can't access it through my browser somehow.

Mask Site Forwarder

How do I mask a site that has been forwarded?

Ex. domainname.com forwards to organizr.domainname.com. How do I mask organizr.domainname.com

Netdata multiple backends

With this particular image, any ideas on how best to transfer my current setup for netdata?

Example from https://docs.netdata.cloud/docs/running-behind-nginx/

upstream backend-server1 {
    server 10.1.1.103:19999;
    keepalive 64;
}
upstream backend-server2 {
    server 10.1.1.104:19999;
    keepalive 64;
}

server {
    listen 80;

    # the virtual host name of this subfolder should be exposed
    #server_name netdata.example.com;

    location ~ /netdata/(?<behost>.*)/(?<ndpath>.*) {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_pass_request_headers on;
        proxy_set_header Connection "keep-alive";
        proxy_store off;
        proxy_pass http://backend-$behost/$ndpath$is_args$args;

        gzip on;
        gzip_proxied any;
        gzip_types *;
    }

    # make sure there is a trailing slash at the browser
    # or the URLs will be wrong
    location ~ /netdata/(?<behost>.*) {
        return 301 /netdata/$behost/;
    }
}

manifest not found

Hello,

I'm getting this error when I try to pull the image from Docker Hub:

docker pull jlesage/nginx-proxy-manager
Using default tag: latest
Error response from daemon: manifest for jlesage/nginx-proxy-manager:latest not found

Any idea ?

Thanks

Security Issue: directory traversal vulnerabilities

Stood up container and ran OpenVAS against it. Showed a directory traversal issue.

Vulnerability Detection Result

The following traversal URL(s) where found:

Vulnerable url: http://test.com:8181/../../../../../../etc/passwd

Request:
GET /../../../../../../etc/passwd HTTP/1.1
Connection: Close
Host: test.com:8181
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 [en] (X11, U; GBN-VT 9.0.3)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, /
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8

Response:
HTTP/1.1 200 OK
Strict-Transport-Security: includeSubDomains; max-age=631138519; preload
X-XSS-Protection: 0
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Pragma: no-cache
Expires: 0
Content-Type: text/html; charset=utf-8
Vary: Accept-Encoding
Date: Sun, 31 Mar 2019 18:58:05 GMT
Connection: close
Transfer-Encoding: chunked

root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin
app:x:99:100::/dev/null:/sbin/nologin

Vulnerable url: http://test.com:8181/%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd

Request:
GET /%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1
Connection: Close
Host: test.com:8181
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 [en] (X11, U; GBN-VT 9.0.3)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, /
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8


Vulnerable url: http://test.com:8181/..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd

Request:
GET /..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1
Connection: Close
Host: test.com:8181
Pragma: no-cache
Cache-Control: no-cache
User-Agent: Mozilla/5.0 [en] (X11, U; GBN-VT 9.0.3)
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, /
Accept-Language: en
Accept-Charset: iso-8859-1,*,utf-8


Solution

Solution type: Mitigation

Contact the vendor for a solution.

Vulnerability Detection Method

Sends crafted HTTP requests and checks the response.

Details: Generic HTTP Directory Traversal (OID: 1.3.6.1.4.1.25623.1.0.106756)

Version used: $Revision: 12019 $
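The three probes in the scanner report above differ only in how "../" is percent-encoded, so anyone reviewing access logs or writing a rule for this finding has to decode and normalise the request target before deciding whether it climbs above the web root. The following Python checker is an added example, not part of this project or of the scanner; its request lines are constructed from the report's three probes plus two ordinary requests, and the function names are assumptions.

```python
import re
from urllib.parse import unquote

# Constructed request lines: the three probes from the scanner report above and
# two ordinary requests to the Nginx Proxy Manager web interface.
SAMPLE_REQUESTS = [
    "GET /../../../../../../etc/passwd HTTP/1.1",
    "GET /%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc/passwd HTTP/1.1",
    "GET /..%2f..%2f..%2f..%2f..%2f..%2fetc/passwd HTTP/1.1",
    "GET /login HTTP/1.1",
    "GET /api/nginx/proxy-hosts?expand=owner HTTP/1.1",
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>\S+)\s+HTTP/\d\.\d$")


def decode_target(target, max_rounds=3):
    """Percent-decode until the string stops changing, so a target that was
    encoded more than once is still normalised before it is inspected."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def resolve_target(target):
    """Resolve the request path the way a filesystem would and report whether
    it ever climbs above the root.

    Returns (escaped, resolved_path). `escaped` becomes True as soon as a '..'
    segment is applied to an empty stack, which is exactly the condition a
    static-file handler must reject; resolved_path shows which file the request
    was actually aiming at (/etc/passwd for every probe in the report).
    """
    path = decode_target(target).split("?", 1)[0].split("#", 1)[0]
    path = path.replace("\\", "/")  # treat backslashes as separators too
    stack, escaped = [], False
    for segment in path.split("/"):
        if segment in ("", "."):
            continue
        if segment == "..":
            if stack:
                stack.pop()
            else:
                escaped = True
        else:
            stack.append(segment)
    return escaped, "/" + "/".join(stack)


def scan(lines):
    """Return [(request_line, resolved_path)] for every request that escapes the root."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.match(line.strip())
        if not m:
            continue  # not an HTTP request line; ignore it
        escaped, resolved = resolve_target(m.group("target"))
        if escaped:
            hits.append((line, resolved))
    return hits


if __name__ == "__main__":
    for line, resolved in scan(SAMPLE_REQUESTS):
        print(f"traversal: {line!r} -> {resolved}")
```

The same stack walk is the check a file-serving route should apply to the decoded path before opening anything; rejecting on `escaped` is what turns the 200 OK in the report into a 400 or 404.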

Feature Request

I would like to see website host in this docker
It should be like the proxy host, but instead of asking you for the Scheme,Forward Hostname / IP and Forward Port, it should ask for a path for the website contents.
It should also support php7 for hosting php files.

Unable to upload files

I am connecting to my Nextcloud through the proxy and when uploading big files it disconnects.
When I try it with another proxy it works fine.

Container Fails to Start on Raspberry Pi

Upon startup, the container fails and exits with the following message:

standard_init_linux.go:207: exec user process caused "exec format error",

That would seem to indicate that one of the binaries in use isn't correct for the Raspberry Pi's armhf CPU, but looking through the Docker file I don't see anything out of the ordinary or referencing a specific architecture that I would need to change before deploying the container.

Any ideas?

Use custom DB instance

Hi, thanks a lot for sharing this, it is really great.
I'm wondering whether we can use our own custom DB instance (like MySQL or MariaDB) instead of the MySQL in the container. Thanks.

Container uses wrong resolv.conf

Is there a way to have this container use docker's built in bridge network's resolv.conf rather than the host's? I am having an issue resolving the names of other containers because /etc/resolv.conf points to the host's nameservers instead of using Docker's.

PiHole

I'm trying to get PiHole to work via the Nginx Proxy Manager, unfortunately no matter what I try, it doesn't seem to work.

I've tried the following:

But when I try, I get the redirect coming up as http://pihole.mydomain.com:8080/admin

If I try putting the server as 192.168.0.2/admin, it fails instantly.

I've also tried the following setup:

server {
    set $forward_scheme http;
    set $server "192.168.0.2";
    set $port 80;

    listen 8080;
    server_name pihole.example.com;

    # Block Exploits
    include conf.d/include/block-exploits.conf;

    access_log /data/logs/proxy_host-18.log proxy;

    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Host $remote_addr;
    real_ip_header X-Real-IP;
    real_ip_recursive on;

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://192.168.0.2:80;
        proxy_redirect off;
    }

    # Custom
    include /data/nginx/custom/server_proxy.conf;
}

If I go to pihole.example.com it doesn't work (comes up with the javascript disabled message which is to be expected).

If I go to pihole.example.com/admin it works! So I obviously need to get the rewrite rules sorted.

If I try return $scheme://$host/admin/index.php?login; it doesn't work unfortunately.

Any help would be fantastic, thank you

weak ciphers

Would it be possible to remove some of the weak ciphers?

I ran a test using https://www.ssllabs.com/ssltest/index.html which rated some of the available ciphers as weak

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 128
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (0xc013)   ECDH x25519 (eq. 3072 bits RSA)   FS   WEAK 128
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK 256
TLS_RSA_WITH_AES_256_CCM_8 (0xc0a1)   WEAK 256
TLS_RSA_WITH_AES_256_CCM (0xc09d)   WEAK 256
TLS_RSA_WITH_AES_128_CCM_8 (0xc0a0)   WEAK 128
TLS_RSA_WITH_AES_128_CCM (0xc09c)   WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK 128

custom network in unraid wont let me change ports

I'm using unRAID and trying to set Nginx Proxy Manager to the custom network "br0", and when I do, it defaults the ports to 4443:4433, 8080:8080, and 8181:8181.
I need it on br0 to give it its own IP, since I need to forward to ports 80 and 443.
In the Community Applications template I'll have 80 and 443 listed, but when it installs or updates it will always set it to those ports I mentioned earlier.

Usability Improvement: Provide spinner in Add Proxy Host Dialog

When you use the Add Proxy Host form and you are waiting for a new SSL or the save to complete, the color shift from green to lighter green is too subtle. Feedback would be most welcome, It would be nice to activate a spinner in the dialog to indicate it is working away until it finishes.

Connecting to existing proxy host

I already got an Nginx proxy setup running with letsencrypt and everything.
I thought this would be a neat way to administrate those domains and such.
But there is no way I can reach the current setup through this.

Maybe I am doing it wrong and I should kill the current setup and do everything through this instead?

Access list password

Hi,

This Docker app is really easy to use and I would like to thank you for the amazing work.

But when I use an access list and put a password like this $.............$ the password is never accepted.
If I erase the last $ sign everything is ok.

Can you please check if it's my container or the app that is having this behaviour??

Thank you

Cannot read property 'avatar' of null

I stopped seeing the Proxy Hosts settings and instead I got the:

Cannot read property 'avatar' of null

error message. I do not know how that happened, but my first guess is the automatic Docker image update of jlesage/nginx-proxy-manager.

I am using v2.0.13

ERROR: Cannot locate specified Dockerfile: Dockerfile

I had this running with the example files and then I started trying to advance my config, but I kept getting errors trying to connect to the database (even though it looked like some previous help nailed my issues exactly), so I ran a docker prune, deleted the files and copied the examples back in just to get back to a known good state. Now, even with what should be a scratch install that worked before on the same box, it's throwing the error from the title of this report. Any suggestions?

PASSWORD RESET

Hello, something happened with my password manager and it did not correctly save the password for the email/password login that I created for my nginx setup (for the browser configuration site). Is there any way I can recover my password without having to rebuild the docker from scratch?

Any help is much appreciated.

No Relevant User Found

Currently, with a new iteration of NPM installed via the docker-compose command that generates npm_app_1 and npm_db_1, I get this error whenever I try to log in with the default credentials or any other credentials.

issue starting container with NFS docker volume

Hello,

I've been using your project for some time now, and I'm very happy with it!

I've recently migrated all my Docker infrastructure to NFS volumes only, and I have since struggled to start this container.
I tried to apply the permissions as mentioned in the readme but no luck :/

NB: other containers work well with that setup, with no issue.

Here's my setup, start command, NFS config and logs:

Setup:

Docker host: Alpine-Linux VM (alpine-virt-3.10.2-x86_64) on a Hyper-V host.
NFS storage: Synology NFS target.

Start command:

docker run -d \
    --name=nginx-proxy-manager \
    --restart always \
    -p 81:8181 \
    -p 80:8080 \
    -p 443:4443 \
    -e USER_ID=1026 \
    -e GROUP_ID=100 \
    -e TZ=Europe/Paris \
    -e KEEP_APP_RUNNING=1 \
    -e CLEAN_TMP_DIR=1 \
    -v nas_docker_ngxpxymgr:/config:rw \
    jlesage/nginx-proxy-manager

(1026 is my Synology user ID and 100 my GID; I got the same issue with 1000:1000)

NFS config (done via Portainer):

Volume details
ID : "nas_docker_ngxpxymgr"
Mount path :  "/var/lib/docker/volumes/nas_docker_ngxpxymgr/_data"
Driver : "local"
device : ":/volume1/docker/ngxpxymgr"
o : "addr=192.168.1.149,rw,noatime,rsize=8192,wsize=8192,tcp,timeo=14"
type : "nfs4"

Containers using volume
Container Name : "nginx-proxy-manager" // Mounted At : "/config" // Read-Only : "false"

And this is the log I get (it repeats every couple of seconds):

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.
[s6-init] ensuring user provided files have correct perms...exited 0.
[fix-attrs.d] applying ownership & permissions fixes...
[fix-attrs.d] done.
[cont-init.d] executing container initialization scripts...
[cont-init.d] 00-app-niceness.sh: executing...
[cont-init.d] 00-app-niceness.sh: exited 0.
[cont-init.d] 00-app-script.sh: executing...
[cont-init.d] 00-app-script.sh: exited 0.
[cont-init.d] 00-app-user-map.sh: executing...
[cont-init.d] 00-app-user-map.sh: exited 0.
[cont-init.d] 00-clean-logmonitor-states.sh: executing...
[cont-init.d] 00-clean-logmonitor-states.sh: exited 0.
[cont-init.d] 00-clean-tmp-dir.sh: executing...
[cont-init.d] 00-clean-tmp-dir.sh: exited 0.
[cont-init.d] 00-set-app-deps.sh: executing...
[cont-init.d] 00-set-app-deps.sh: exited 0.
[cont-init.d] 00-set-home.sh: executing...
[cont-init.d] 00-set-home.sh: exited 0.
[cont-init.d] 00-take-config-ownership.sh: executing...
[cont-init.d] 00-take-config-ownership.sh: exited 0.
[cont-init.d] 00-xdg-runtime-dir.sh: executing...
[cont-init.d] 00-xdg-runtime-dir.sh: exited 0.
[cont-init.d] nginx-proxy-manager.sh: executing...
[cont-init.d] nginx-proxy-manager.sh: Initializing database data directory...
[cont-init.d] nginx-proxy-manager.sh: exited 1.
[services.d] stopping services
[services.d] stopping s6-fdholderd...
[cont-finish.d] executing container finish scripts...
[cont-finish.d] done.
[s6-finish] syncing disks.
[s6-finish] sending all processes the TERM signal.
[s6-finish] sending all processes the KILL signal and exiting.

If I look into the directory, files and folders are created and set to my user ID.

Thanks a lot for your time !

unraid error Migration table is already locked

I have an error when I try to start the proxy manager in Unraid. It gives me: error Migration table is already locked. info Current database version: 20181019052346. Can't take lock to run migrations: Migration table is already locked
If you are sure migrations are not running you can release the lock manually by deleting all the rows from migrations lock table: migrations_lock.
It worked fine until I restarted the server. How do I go about fixing this? I don't have MariaDB installed in Docker.

Custom Locations Not Working

Hi,

I set up a proxy host, and it is fine with the main host xxx.com. However, when I tried to add a few "custom locations", such as xxx.com/proxy or xxx.com/music, none of them work.

How can I check where I went wrong?
Some get 502 Bad Gateway, some get 404 Not Found.

Container fails to start

Looking at the logs I see the following:

Installing MariaDB/MySQL system tables in '/config/mysql' ...
2019-06-11 18:56:49 140589216836488 [ERROR] InnoDB: preallocating 12582912 bytes for file ./ibdata1 failed with error 95
2019-06-11 18:56:49 140589216836488 [ERROR] InnoDB: Could not set the file size of './ibdata1'. Probably out of disk space
2019-06-11 18:56:49 140589216836488 [ERROR] InnoDB: Database creation was aborted with error Generic error. You may need to delete the ibdata1 file before trying to start up again.
2019-06-11 18:56:50 140589216836488 [ERROR] Plugin 'InnoDB' init function returned error.
2019-06-11 18:56:50 140589216836488 [ERROR] Plugin 'InnoDB' registration as a STORAGE ENGINE failed.
2019-06-11 18:56:50 140589216836488 [ERROR] Unknown/unsupported storage engine: InnoDB
2019-06-11 18:56:50 140589216836488 [ERROR] Aborting

I've set the user id and group id with same result.

How to setup in Google cloud VM?

I have the manager running with port 80 and 443 open in my firewall.
I have added a proxy host for a duckdns.org subdomain and I'm trying to get a certificate for my self-hosted bitwardenrs site.
I can't seem to figure out the proper configuration for the proxy host. The error I get is:
Failed authorization procedure. bwcloud.duckdns.org (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://*******.duckdns.org/.well-known/acme-challenge/c8Ero5fXAJ-D2vV-NzfxpSptjG7MWITxVg9oq0gVIe0: Connection refused

I'm using the manager from my home assistant server and it works great. Thought I would try it in a cloud VM but I'm just a newb...

Authorization header is not removed with proxy_set_header instruction

I have a host_proxy set with access list but I need for the Authorization header to not be passed to the proxied server. In the advanced section, I added:
proxy_set_header Authorization "";
However, I still see this header in the request to the proxied server.

Here's the config:

server {
  set $forward_scheme http;
  set $server         "192.168.1.69";
  set $port           80;

  listen 8080;
  listen 4443 ssl http2;

  server_name xxxx.duckdns.org;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-3/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-3/privkey.pem;

  # HSTS (ngx_http_headers_module is required) (31536000 seconds = 1 year)
  add_header Strict-Transport-Security "max-age=31536000; preload" always;

  access_log /data/logs/proxy_host-6.log proxy;

  proxy_set_header Authorization  "";

  location / {
    # Access List
    auth_basic            "Authorization required";
    auth_basic_user_file  /data/access/2;

    # Force SSL
    include conf.d/include/force-ssl.conf;

    # HSTS (ngx_http_headers_module is required) (31536000 seconds = 1 year)
    add_header Strict-Transport-Security "max-age=31536000; preload" always;

    # Proxy!
    include conf.d/include/proxy.conf;
  }
}

In the proxied server, when I run a pcap, I see the HTTP request with that header.
pcap

In my server, this is causing a failed login attempt because it's receiving the Authorization header filled with the credentials of the nginx user.

Am I missing something or, for some reason, the advanced config is not being set?
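Why a server-level `proxy_set_header Authorization "";` has no effect in the config above, as an added example that is neither the poster's config nor one of NPM's own templates: nginx inherits `proxy_set_header` from the enclosing level only when the current level defines none of its own, so the moment the included `conf.d/include/proxy.conf` adds its reverse-proxy headers inside `location /`, every server-level `proxy_set_header` is discarded for that location. The block below is a stand-alone nginx server block with the same layout as the post and the header stripped at the level where it is actually honoured. The upstream 192.168.1.69:80, the include file names, the access-list file and the certificate paths are taken from the post; the hostname is a placeholder; and it is assumed (the normal case for a reverse-proxy include) that proxy.conf contains `proxy_set_header` directives of its own.

```nginx
# Added example (not the poster's config and not an NPM template). Assumes:
#  - the upstream 192.168.1.69:80 and the NPM include files named in the
#    post exist
#  - conf.d/include/proxy.conf sets proxy_set_header directives of its own
#  - example.duckdns.org is a placeholder hostname
server {
  set $forward_scheme http;
  set $server         "192.168.1.69";
  set $port           80;

  listen 8080;
  listen 4443 ssl http2;

  server_name example.duckdns.org;

  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate     /etc/letsencrypt/live/npm-3/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-3/privkey.pem;

  add_header Strict-Transport-Security "max-age=31536000; preload" always;
  access_log /data/logs/proxy_host-6.log proxy;

  # A proxy_set_header placed here (server level) reaches `location /`
  # ONLY if that location defines no proxy_set_header of its own. Because
  # proxy.conf below adds several, a server-level
  #   proxy_set_header Authorization "";
  # is silently dropped and the browser's basic-auth credentials travel on
  # to the upstream, which is what the pcap in the post showed.

  location / {
    auth_basic            "Authorization required";
    auth_basic_user_file  /data/access/2;

    include conf.d/include/force-ssl.conf;
    include conf.d/include/proxy.conf;

    # Same level as proxy.conf's directives, so it is kept. An empty value
    # makes nginx omit the header entirely rather than forward it blank.
    proxy_set_header Authorization "";
  }
}
```

Where the directive lands depends on where NPM injects the advanced text: the config quoted in the post shows it being emitted at server level, between `access_log` and `location /`, which is why it did nothing. The check is `nginx -T` inside the container: the effective configuration must list `proxy_set_header Authorization ""` in the same block as the other `proxy_set_header` lines. Until it does, the upstream keeps receiving the access-list user's credentials on every request, so any failed-login noise it logs is the proxy's basic-auth header, not an attack.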

docker container request

I'm so sorry to contact you through here, but I found no other way!
Is it possible for you to make a new awesome Docker container for the Sia project?
https://sia.tech/get-started

Like, for example, the jDownloader container, so I can use the GUI through the web browser?
That would be so awesome!
You can delete this message after reading it :)

Feature: Arm architecture

Hi,

I love the docker, thanks for providing it!

I see that the dev of this (jc21) has an ARM version of the Docker image. Would you be able to provide that as well?

I like the all-in-one-approach from your docker better than his :)

Thanks!

PS: Someone requested the inclusion of nginxproxymanager in this:

https://github.com/GhostWriters/DockSTARTer

so I added yours instead of jc21s. That's why I'm asking about arm :)

Loss of the configuration after deleting user

I lost all the settings after deleting the user which created them, while logged in with a new user.

Steps to reproduce

  • create user as the admin (rename the default user) admin1
  • set some settings (few Proxy Hosts)
  • create new user admin2 and give it admin rights
  • log in admin2
  • delete admin1
  • change admin2 email to one originally used by admin1
  • log out admin2
  • log in admin2
  • see that the previous settings created by admin1 are gone

Some of the steps might not be related/needed, but I'd rather state them for the purpose of debugging.

This behaviour is not expected/desired. From my understanding all the settings previously done by deleted user should stay.

internal ports

Any chance variables can be passed to set the internal ports in the future? I'm trying to run in custom networking with an IP assigned to the container. As such, I'd like to use port 80 and port 443 directly instead of port mapping.

502 bad gateway

Can't open /etc/letsencrypt/live/npm-2/fullchain.pem for reading, No such file or directory
22948956621672:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/letsencrypt/live/npm-2/fullchain.pem','r')

22948956621672:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

unable to load certificate
)
[2/4/2020] [1:27:34 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[2/4/2020] [1:27:35 PM] [SSL ] › ℹ info
[2/4/2020] [1:27:35 PM] [Nginx ] › ℹ info Reloading Nginx
[2/4/2020] [1:27:35 PM] [SSL ] › ℹ info Renew Complete
[2/4/2020] [1:27:35 PM] [SSL ] › ✖ error Certificate is not valid (Command failed: openssl x509 -in /etc/letsencrypt/live/npm-2/fullchain.pem -subject -noout

Can't open /etc/letsencrypt/live/npm-2/fullchain.pem for reading, No such file or directory
23171615255400:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/letsencrypt/live/npm-2/fullchain.pem','r')

23171615255400:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

unable to load certificate
)
[2/4/2020] [2:27:34 PM] [SSL ] › ℹ info Renewing SSL certs close to expiry...
[2/4/2020] [2:27:35 PM] [SSL ] › ℹ info
[2/4/2020] [2:27:35 PM] [Nginx ] › ℹ info Reloading Nginx
[2/4/2020] [2:27:35 PM] [SSL ] › ℹ info Renew Complete
[2/4/2020] [2:27:36 PM] [SSL ] › ✖ error Certificate is not valid (Command failed: openssl x509 -in /etc/letsencrypt/live/npm-2/fullchain.pem -subject -noout

Can't open /etc/letsencrypt/live/npm-2/fullchain.pem for reading, No such file or directory
22644860439400:error:02001002:system library:fopen:No such file or directory:crypto/bio/bss_file.c:72:fopen('/etc/letsencrypt/live/npm-2/fullchain.pem','r')

22644860439400:error:2006D080:BIO routines:BIO_new_file:no such file:crypto/bio/bss_file.c:79:

unable to load certificate
)

UI Broken after 1.4.0

I was running this image at version 1.4.0.

  • Saw there was an update to 1.4.2.
  • Recreated my container.
  • UI was totally broken (CSS was all wonky, and the only page that actually worked was login and SSL Certificates).
  • Tried version 1.4.1 instead.
  • UI was still broken.
  • Back to 1.4.0.

How to configure SSL settings for authenticated Cloudflare origin pulls

This docker is working perfectly on Unraid but I have a question on how to secure it using Cloudflare. Right now I'm using Cloudflare in front of my sites but I'd like to secure it as much as possible. I was looking through their security settings and noticed you can enable authenticated origin pulls. I'm trying to follow these instructions they have posted for nginx:

"For authenticated origin pulls to work, use Full SSL in the Cloudflare Crypto app, and update the origin web server SSL configuration. Download origin-pull-ca.pem and place the certificate in a file on your origin web server, for example in /etc/nginx/certs/cloudflare.crt
Then add these lines to the SSL configuration for your origin web server:

ssl_client_certificate /etc/nginx/certs/cloudflare.crt;
ssl_verify_client on;"

However I'm not sure where to place the file that contains the origin-pull-ca.pem or where to edit the SSL configuration to add those last two lines. I really have no idea what I'm doing so is this even possible with this docker? Thanks for the amazing docker!
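How the two directives quoted from the Cloudflare instructions look inside an NPM proxy host, as an added example that is not from the post, from the Cloudflare docs it quotes, or from the project. It assumes the downloaded origin-pull CA file is stored on the container's persistent /config volume at /config/certs/cloudflare-origin-pull-ca.pem (a placeholder path, chosen over the /etc/nginx/certs path in the Cloudflare text so the file survives re-creating the container), and that the text is pasted into the proxy host's advanced section, which the config quoted in the Authorization-header issue above shows NPM emitting at server level inside the `server { }` block, the only context besides `http` where `ssl_verify_client` is allowed.

```nginx
# Added example, not from the post, the Cloudflare docs or NPM itself.
# Assumes the Cloudflare origin-pull CA was saved on the persistent /config
# volume (placeholder path) and that this text goes into the proxy host's
# advanced section, which NPM emits at server level.

# CA that signs Cloudflare's client certificate. The file must be readable
# by the user nginx runs as inside the container (the USER_ID/GROUP_ID
# mapping), or nginx will refuse to load the configuration.
ssl_client_certificate /config/certs/cloudflare-origin-pull-ca.pem;

# Require every TLS client to present a certificate chaining to that CA.
# This covers the whole server block: a client that connects to the origin
# over HTTPS without going through Cloudflare gets HTTP 400 "No required
# SSL certificate was sent" instead of the proxied site, which is the point
# of authenticated origin pulls. Requests on the plain-HTTP listener,
# including the Let's Encrypt http-01 challenge, are unaffected because
# client verification is a TLS-only setting.
ssl_verify_client on;
```

Two checks worth doing after saving: `nginx -t` inside the container, which fails immediately if the CA file is unreadable or the directive landed in a `location` block, and a direct `curl` to the origin's HTTPS port from outside Cloudflare, which should now return 400 while the site still loads through Cloudflare with the zone's SSL mode set to Full as the quoted instructions require.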

Password Reset

Hi,

Is there any way to change/reset the password without losing all the configuration?

Thanks.

504 Gateway Time-out

If I create an HTTPS proxy host I get a 504 Gateway Time-out when I request the site. HTTP sites have no issue.

Port redirection

Hello,

I just wanted to ask if it is possible to use the default ports from the original Docker container (80, 81, 443).
I am running into some issues now with the use of Unraid's new br0 network and this container. My NginxProxyManager is getting its own IP, so I am no longer able to redirect the ports. So ports 8080, 8181 and 4443 are published by the container.

Best Regards :)

No resolver in config

The nginx config has no resolvers. This is important, as the proxy will not resolve anything, and I am now required to find a way to add that to my service build file every time the service restarts. In the event something happens to the proxy container and it rebuilds (i.e. Docker service restarts), I have to go back in and edit the /etc/nginx/nginx.conf file and add the 127.0.0.11 resolver again.

nginx + Synology

Apologies in advance, as this probably isn't an issue... more so my attempt to get my head around things.

For a few years now I have added my own config to Synology's built-in nginx, and this has been (and still is) working fine. I like to tinker though and so have set up NPM in Docker on the NAS, which loads up fine.

Questions:

  • Is NPM just a manager which "manages" an nginx setup, or does it handle the lot?
  • I have 80 and 443 already going to the NAS so moving my config into NPM seems easy enough... would this be a manual thing or can I import it somehow?
  • Other than a lovely UI, are there actually any benefits in using NPM?
