Reverse Proxy - Nginx, Traefik, LetsEncrypt, DuckDNS, ... I am lost!


    •

      Hi,

      I am lost... I have been trying to understand reverse proxies for two weeks and to use one on my OMV server, but I am literally lost.

      On my server, I have NextCloud and Home Assistant, which can be accessed from the outside with two different DuckDNS addresses. I have three more docker containers that I would like to access from the outside, and I would like to make a better configuration.
      For my OMV setup, I have followed the TechnoDadLife tutorials on his YouTube channel, and the videos are really fabulous. But I haven't found any detailed video which explains how to configure a reverse proxy correctly (even in both NextCloud videos on that topic, with no example, I haven't understood anything...). I think a dedicated video on this subject could be a nice thing.

      Back to my setup. I have DuckDNS and LetsEncrypt running in docker containers. Both have been configured following the NextCloud tutorial. So, I have two DuckDNS addresses to access NextCloud and HomeAssistant:
      • NextCloud : nextcloud.duckdns.org
      • HomeAssistant : home.duckdns.org
      If I understand the purpose of a reverse proxy, I could use only one DuckDNS address? Is that correct?

      I would like to access, for example, two more services:
      • AirSonic
      • CloudCommander
      Could you explain how I should set up OMV, which container or plugin I should install, and how to choose the addresses to access these services? Should I use the Nginx plugin on OMV, a specific container, Traefik?

      Or do you know a specific detailed tutorial about this subject? I haven't found any tutorial which explains that with DuckDNS addresses...

      Thanks for your help!
    • If you have the letsencrypt docker running with valid certificates you are already close to the solution!
      There is a reverse proxy (nginx) already built into the letsencrypt container.

      But you had better set up your letsencrypt container following the newer video by @TechnoDadLife: youtube.com/watch?v=pRt7UlQSB2g

      Then you can have multiple sub-subdomains (e.g. nextcloud.mysubdomain.duckdns.org, home.mysubdomain.duckdns.org, airsonic.mysubdomain.duckdns.org and so on...) which point to your different services. And you only need to have the ports 80 and 443 open on your router.


      To change the configuration of the reverse proxy you have to edit the *.conf files in the appdata/letsencrypt/nginx/proxy-confs/ folder. Also the _readme file in the aforementioned folder and the info-page of the letsencrypt container are helpful here.


      Also these threads deal with this topic: forum.openmediavault.org/index…-encrypt-DynDNS/?pageNo=6 forum.openmediavault.org/index…oxy-Letsencrypt-Heimdall/ forum.openmediavault.org/index…nfigure-Remote-Nextcloud/
    • Thanks for your answer.

      So I have followed the TechnoDadLife tutorial for Lets encrypt.

      For NextCloud, I have renamed the nextcloud.subdomain.conf.sample file (dropping the .sample) and edited the server name to nextcloud.mysubdomain.*;


      Source Code

      # make sure that your dns has a cname set for nextcloud
      # assuming this container is called "letsencrypt", edit your nextcloud container's config
      # located at /config/www/nextcloud/config/config.php and add the following lines before the ");":
      #   'trusted_proxies' => ['letsencrypt'],
      #   'overwrite.cli.url' => 'https://nextcloud.your-domain.com/',
      #   'overwritehost' => 'nextcloud.your-domain.com',
      #   'overwriteprotocol' => 'https',
      #
      # Also don't forget to add your domain name to the trusted domains array. It should look somewhat like this:
      #   array (
      #     0 => '192.168.0.1:444', # This line may look different on your setup, don't modify it.
      #     1 => 'nextcloud.your-domain.com',
      #   ),
      server {
          listen 443 ssl;
          listen [::]:443 ssl;
          server_name nextcloud.mysubdomain.*;
          include /config/nginx/ssl.conf;
          client_max_body_size 0;
          location / {
              include /config/nginx/proxy.conf;
              resolver 127.0.0.11 valid=30s;
              set $upstream_nextcloud nextcloud;
              proxy_max_temp_file_size 2048m;
              proxy_pass https://$upstream_nextcloud:443;
          }
      }
      After that, I have edited the nextcloud conf file with nextcloud.mysubdomain.duckdns.org.

      Is that the correct way to do that? It worked for a few minutes, but after rebooting my OMV server, mysubdomain.duckdns.org/ gives me an ERR_CONNECTION_REFUSED error, and I don't understand why...

      Thanks for your help!
    • Here is my LetsEncrypt log :

      Source Code

      -------------------------------------
      Brought to you by linuxserver.io
      We gratefully accept donations at:
      https://www.linuxserver.io/donate/
      -------------------------------------
      GID/UID
      -------------------------------------
      User uid: 1000
      User gid: 100
      -------------------------------------
      [cont-init.d] 10-adduser: exited 0.
      [cont-init.d] 20-config: executing...
      [cont-init.d] 20-config: exited 0.
      [cont-init.d] 30-keygen: executing...
      using keys found in /config/keys
      [cont-init.d] 30-keygen: exited 0.
      [cont-init.d] 50-config: executing...
      Variables set:
      PUID=1000
      PGID=100
      TZ=Europe/Paris
      URL=mysubdomain.duckdns.org
      SUBDOMAINS=nextcloud,cloudcmd,airsonic,hassio
      EXTRA_DOMAINS=
      ONLY_SUBDOMAINS=false
      DHLEVEL=2048
      VALIDATION=http
      DNSPLUGIN=
      EMAIL=bla@gmail.com
      STAGING=
      2048 bit DH parameters present
      SUBDOMAINS entered, processing
      SUBDOMAINS entered, processing
      Sub-domains processed are: -d nextcloud.mysubdomain.duckdns.org -d cloudcmd.mysubdomain.duckdns.org -d airsonic.mysubdomain.duckdns.org -d hassio.mysubdomain.duckdns.org
      E-mail address entered: bla@gmail.com
      http validation is selected
      Generating new certificate
      Saving debug log to /var/log/letsencrypt/letsencrypt.log
      Plugins selected: Authenticator standalone, Installer None
      Obtaining a new certificate
      Performing the following challenges:
      http-01 challenge for airsonic.mysubdomain.duckdns.org
      http-01 challenge for cloudcmd.mysubdomain.duckdns.org
      http-01 challenge for hassio.mysubdomain.duckdns.org
      http-01 challenge for nextcloud.mysubdomain.duckdns.org
      http-01 challenge for mysubdomain.duckdns.org
      Waiting for verification...
      Challenge failed for domain airsonic.mysubdomain.duckdns.org
      Challenge failed for domain cloudcmd.mysubdomain.duckdns.org
      Challenge failed for domain hassio.mysubdomain.duckdns.org
      Challenge failed for domain nextcloud.mysubdomain.duckdns.org
      Challenge failed for domain mysubdomain.duckdns.org
      http-01 challenge for airsonic.mysubdomain.duckdns.org
      http-01 challenge for cloudcmd.mysubdomain.duckdns.org
      http-01 challenge for hassio.mysubdomain.duckdns.org
      http-01 challenge for nextcloud.mysubdomain.duckdns.org
      http-01 challenge for mysubdomain.duckdns.org
      Cleaning up challenges
      Some challenges have failed.
      IMPORTANT NOTES:
       - The following errors were reported by the server:
         Domain: airsonic.mysubdomain.duckdns.org
         Type:   connection
         Detail: Fetching
         http://airsonic.mysubdomain.duckdns.org/.well-known/acme-challenge/hMmdt7cDbO8q1AG7gLm3napVBQ6xw7Tt-A0D0T2gxYc:
         Connection refused
         Domain: cloudcmd.mysubdomain.duckdns.org
         Type:   connection
         Detail: Fetching
         http://cloudcmd.mysubdomain.duckdns.org/.well-known/acme-challenge/AKGLZj5wl2nb0A95q_gIhPypnL71LR42CchdH4WIeKc:
         Connection refused
         Domain: hassio.mysubdomain.duckdns.org
         Type:   connection
         Detail: Fetching
         http://hassio.mysubdomain.duckdns.org/.well-known/acme-challenge/lcYowdXAfiO6AZ3Xus6RasUBZUAwVRV-4q7RK7kCPeo:
         Connection refused
         Domain: nextcloud.mysubdomain.duckdns.org
         Type:   connection
         Detail: Fetching
         http://nextcloud.mysubdomain.duckdns.org/.well-known/acme-challenge/GlN9wd0SYFn5k7AAIaMQmimC1fKEDVwxq4Jhff9HIQU:
         Connection refused
         Domain: mysubdomain.duckdns.org
         Type:   connection
         Detail: Fetching
         http://mysubdomain.duckdns.org/.well-known/acme-challenge/sTQlBvWlFSb0-XaS3HugKiJVC2pQTaYckW8Oo_b9yYM:
         Connection refused
         To fix these errors, please make sure that your domain name was
         entered correctly and the DNS A/AAAA record(s) for that domain
         contain(s) the right IP address. Additionally, please check that
         your computer has a publicly routable IP address and that no
         firewalls are preventing the server from communicating with the
         client. If you're using the webroot plugin, you should also verify
         that you are serving files from the webroot path you provided.
      ERROR: Cert does not exist! Please see the validation error above. The issue may be due to incorrect dns or port forwarding settings. Please fix your settings and recreate the container
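      The log above fails every name with "Connection refused" before any challenge file is ever served, which is a different failure from a wrong DNS record. The following script is an added example, not part of the thread and not the linuxserver.io container's own tooling. It rebuilds the list of names the container requests from URL and SUBDOMAINS (the same expansion the "Sub-domains processed are" line shows) and classifies the certbot notes: all names refusing on port 80 points at the router forward or the container's published port, only some names failing points at DNS for those names. SAMPLE_LOG is a constructed excerpt of the notes posted above; acme_probe needs the network and is there for use on the OMV box, not for the offline run.

```shell
#!/bin/sh
# Added example; not from the thread or from the linuxserver.io image.
# Reproduces the name list the container requests and triages a certbot
# log for http-01 failures. SAMPLE_LOG is a constructed excerpt of the
# "IMPORTANT NOTES" block posted above.

# Names certbot asks for: URL itself (unless ONLY_SUBDOMAINS=true) plus
# every entry of SUBDOMAINS prefixed to URL, one per line.
acme_names() {
  url="$1"; subs="$2"; only="${3:-false}"
  if [ "$only" != "true" ]; then echo "$url"; fi
  echo "$subs" | tr ',' '\n' | while read -r s; do
    if [ -n "$s" ]; then echo "$s.$url"; fi
  done
}

# One line per failed name, "<domain> <type> <reason>", from certbot's
# notes on stdin (or from the files given as arguments).
acme_failures() {
  awk '
    /^[ \t]*Domain:/ { dom = $2; next }
    /^[ \t]*Type:/   { typ = $2; next }
    dom != "" && /Connection refused|Timeout|NXDOMAIN|Invalid response|No valid IP/ {
      reason = $0; sub(/^[ \t]+/, "", reason)
      print dom, typ, reason; dom = ""
    }' "$@"
}

# Classify the pattern. Every requested name refusing the connection means
# the validator reached the public IP but nothing answered on port 80: the
# router forward, the container's published port 80, or the container not
# running. Only some names failing points at the DNS record for those
# names, not at the proxy.
acme_diagnose() {   # $1 = URL, $2 = SUBDOMAINS, certbot notes on stdin
  expected=$(acme_names "$1" "$2" | wc -l | tr -d ' ')
  failed=$(acme_failures)
  n=$(printf '%s\n' "$failed" | grep -c . || true)
  refused=$(printf '%s\n' "$failed" | grep -c 'Connection refused' || true)
  if [ "$n" -eq 0 ]; then
    echo ok
  elif [ "$n" -eq "$expected" ] && [ "$refused" -eq "$n" ]; then
    echo port80-unreachable
  elif [ "$n" -lt "$expected" ]; then
    echo partial-dns
  else
    echo mixed
  fi
}

# Live check (needs network; not run by the test): fetch a bogus token
# through each public name. The container's nginx answers on port 80, so
# "refused" here means the forward is wrong before certbot is involved.
acme_probe() {   # $1 = URL, $2 = SUBDOMAINS
  for n in $(acme_names "$1" "$2"); do
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 \
      "http://$n/.well-known/acme-challenge/probe" || echo refused)
    echo "$n $code"
  done
}

# Constructed excerpt of the notes posted above (tokens shortened).
SAMPLE_LOG=$(cat <<'EOF'
IMPORTANT NOTES:
 - The following errors were reported by the server:
   Domain: airsonic.mysubdomain.duckdns.org
   Type:   connection
   Detail: Fetching
   http://airsonic.mysubdomain.duckdns.org/.well-known/acme-challenge/hMmd:
   Connection refused
   Domain: cloudcmd.mysubdomain.duckdns.org
   Type:   connection
   Detail: Fetching
   http://cloudcmd.mysubdomain.duckdns.org/.well-known/acme-challenge/AKGL:
   Connection refused
   Domain: hassio.mysubdomain.duckdns.org
   Type:   connection
   Detail: Fetching
   http://hassio.mysubdomain.duckdns.org/.well-known/acme-challenge/lcYo:
   Connection refused
   Domain: nextcloud.mysubdomain.duckdns.org
   Type:   connection
   Detail: Fetching
   http://nextcloud.mysubdomain.duckdns.org/.well-known/acme-challenge/GlN9:
   Connection refused
   Domain: mysubdomain.duckdns.org
   Type:   connection
   Detail: Fetching
   http://mysubdomain.duckdns.org/.well-known/acme-challenge/sTQl:
   Connection refused
EOF
)

# usage: printf '%s\n' "$SAMPLE_LOG" | acme_diagnose mysubdomain.duckdns.org nextcloud,cloudcmd,airsonic,hassio
```

      On the posted log the verdict is port80-unreachable: with ONLY_SUBDOMAINS=false the bare mysubdomain.duckdns.org is requested as well, so five names are expected and all five refuse. Run acme_probe from a machine outside the LAN (or with the router's NAT loopback working) once the forward is fixed; a 404 from nginx for the bogus token is the healthy answer, since it proves the request reached the container on port 80.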
    • RomainD2 wrote:

      Yes, as specified in the TechnoDadLife video, I have set up port 80 to 90 and 443 to 450.
      Please post your router setup to verify this, and say what your NAS IP is.
      OMV 4.1.11 x64 on a HP T510, 16GB CF as Boot Disk & 32GB SSD 2,5" disk for Data, 4 GB RAM, CPU VIA EDEN X2 U4200 is x64 at 1GHz

      Post: HPT510 SlimNAS ; HOWTO Install Pi-Hole ; HOWTO install MLDonkey ; HOWTO Install ZFS-Plugin ; OMV_OldGUI ; ShellinaBOX ; ctop
      Dockers: MLDonkey ; PiHole ; weTTY
      Videos: @TechnoDadLife
      I have reinstalled the LetsEncrypt docker container, and it is working again for NextCloud. Maybe I did something wrong, but I don't remember what.

      Then, I tried to do the same thing for HomeAssistant (Hass.io). So I have edited the homeassistant.subdomain.conf file as follows:

      Source Code

      # make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url
      server {
          listen 443 ssl;
          listen [::]:443 ssl;
          server_name hassio.mysubdomain.*;
          include /config/nginx/ssl.conf;
          client_max_body_size 0;
          # enable for ldap auth, fill in ldap details in ldap.conf
          #include /config/nginx/ldap.conf;
          location / {
              # enable the next two lines for http auth
              #auth_basic "Restricted";
              #auth_basic_user_file /config/nginx/.htpasswd;
              # enable the next two lines for ldap auth
              #auth_request /auth;
              #error_page 401 =200 /login;
              include /config/nginx/proxy.conf;
              resolver 127.0.0.11 valid=30s;
              set $upstream_homeassistant homeassistant;
              proxy_pass http://$upstream_homeassistant:8123;
          }
          location /api/websocket {
              resolver 127.0.0.11 valid=30s;
              set $upstream_homeassistant homeassistant;
              proxy_pass http://$upstream_homeassistant:8123;
              proxy_set_header Host $host;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
          }
      }
      But I get a 502 Bad Gateway error when I try to access hassio.mysubdomain.duckdns.org.

      Another question: as we have configured the letsencrypt docker container, is the duckdns container still useful?

      Thanks
    • RomainD2 wrote:

      I have reinstalled the LetsEncrypt docker container, and it is working again for NextCloud. Maybe I did something wrong, but I don't remember what.

      Then, I tried to do the same thing for HomeAssistant (Hass.io). So I have edited the homeassistant.subdomain.conf file (config as in the post above). But I get a 502 Bad Gateway error when I try to access hassio.mysubdomain.duckdns.org.

      Another question: as we have configured the letsencrypt docker container, is the duckdns container still useful?

      Thanks
      Yes, because it updates your IP for the DynDNS if it should change due to a reconnect.
      In your config files try changing the server_name to hassio.*; instead of hassio.mysubdomain.*;. Also, is your homeassistant docker in the same docker network as letsencrypt and named homeassistant (as in the line set $upstream_homeassistant homeassistant;)?
    • Morlan wrote:

      Yes, because it updates your IP for the DynDNS if it should change due to a reconnect. In your config files try changing the server_name to hassio.*; instead of hassio.mysubdomain.*;. Also, is your homeassistant docker in the same docker network as letsencrypt and named homeassistant (as in the line set $upstream_homeassistant homeassistant;)?
      I don't understand your last sentence, here is my LetsEncrypt docker container setup :
      [screenshot of the LetsEncrypt container settings, not available]

      And my homeassistant docker container setup
      [screenshot of the homeassistant container settings, not available]
      Never mind. I did not know that homeassistant is running in host mode. Therefore (someone correct me if I'm wrong) you should enter the IP address of your OMV machine after the http:// instead of $upstream_homeassistant:

      Source Code

      # make sure that your dns has a cname set for homeassistant and that your homeassistant container is not using a base url
      server {
          listen 443 ssl;
          listen [::]:443 ssl;
          server_name hassio.*;
          include /config/nginx/ssl.conf;
          client_max_body_size 0;
          # enable for ldap auth, fill in ldap details in ldap.conf
          #include /config/nginx/ldap.conf;
          location / {
              # enable the next two lines for http auth
              #auth_basic "Restricted";
              #auth_basic_user_file /config/nginx/.htpasswd;
              # enable the next two lines for ldap auth
              #auth_request /auth;
              #error_page 401 =200 /login;
              include /config/nginx/proxy.conf;
              resolver 127.0.0.11 valid=30s;
              #set $upstream_homeassistant homeassistant;
              proxy_pass http://192.168.1.xxx:8123;
          }
          location /api/websocket {
              resolver 127.0.0.11 valid=30s;
              #set $upstream_homeassistant homeassistant;
              proxy_pass http://192.168.1.xxx:8123;
              proxy_set_header Host $host;
              proxy_http_version 1.1;
              proxy_set_header Upgrade $http_upgrade;
              proxy_set_header Connection "upgrade";
          }
      }
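      The two ways of reaching a backend in this thread (the first reply's "edit the *.conf files in proxy-confs/" with a container name resolved through docker's DNS, and the host-mode fix just above with the OMV host's LAN IP) are the same server block with one line changed. The script below is an added example written for this thread; it is not the linuxserver.io container's own tooling and not code from any poster. It writes a conf in the shape of the samples: given a container name it emits the set $upstream_... line and lets the resolver at 127.0.0.11 look the name up per request, given an IP it proxies to that address directly. The proxy-confs directory path, the 192.168.1.66 address and the container name letsencrypt in check_upstream are assumptions; the ports are the ones used in the thread.

```shell
#!/bin/sh
# Added example; not from the thread or from the linuxserver.io image.
# Writes a proxy-conf in the shape of the sample files in proxy-confs/.
# UPSTREAM is either a container name on the same docker network as
# letsencrypt (resolved by docker's embedded DNS at 127.0.0.11) or the
# OMV host's LAN IP for a host-network container such as Home Assistant.
# The directory below is an assumption; override it with PROXY_CONFS=...
PROXY_CONFS="${PROXY_CONFS:-/srv/appdata/letsencrypt/nginx/proxy-confs}"

# usage: proxy_conf NAME UPSTREAM PORT [SCHEME] [ws]
# Emits the server block on stdout. "ws" adds the /api/websocket location
# Home Assistant needs (Upgrade/Connection headers, HTTP/1.1).
proxy_conf() {
  name="$1"; upstream="$2"; port="$3"; scheme="${4:-http}"; ws="${5:-}"
  case "$upstream" in
    *[!0-9.]*)  # a name: go through a variable so nginx resolves it per request
      target="\$upstream_$name"
      setline="        set \$upstream_$name $upstream;" ;;
    *)          # a literal IP: host-network container, nothing to resolve
      target="$upstream"
      setline="        # host-network service reached by LAN IP" ;;
  esac
  cat <<EOF
# $name.<yoursubdomain>.duckdns.org -> $scheme://$upstream:$port
# No auth of its own: once this is live, the service's login page is on
# the public Internet. Enable the auth_basic lines for anything without a
# strong login (they are present, commented out, in the sample files).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name $name.*;
    include /config/nginx/ssl.conf;
    client_max_body_size 0;
    location / {
        include /config/nginx/proxy.conf;
        resolver 127.0.0.11 valid=30s;
$setline
        proxy_pass $scheme://$target:$port;
    }
EOF
  if [ "$ws" = "ws" ]; then
    cat <<EOF
    location /api/websocket {
        resolver 127.0.0.11 valid=30s;
$setline
        proxy_pass $scheme://$target:$port;
        proxy_set_header Host \$host;
        proxy_http_version 1.1;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
    }
EOF
  fi
  echo "}"
}

# Write NAME.subdomain.conf (the filename pattern the container loads; the
# .sample files are left alone) and print the path.
write_conf() {
  mkdir -p "$PROXY_CONFS"
  f="$PROXY_CONFS/$1.subdomain.conf"
  proxy_conf "$@" > "$f"
  echo "$f"
}

# Live checks (need docker; not run by the test). A 502 with a name as
# upstream usually means nginx cannot resolve it from inside the container:
# other docker network, different container name, or host mode. The
# container name "letsencrypt" and busybox nslookup are assumptions.
check_upstream() {   # $1 = upstream container name
  docker exec letsencrypt nslookup "$1" 127.0.0.11 \
    || echo "$1: not resolvable from the letsencrypt container"
  docker exec letsencrypt nginx -t
}

# usage: write_conf airsonic airsonic 4040
#        write_conf homeassistant 192.168.1.66 8123 http ws
```

      Two things to keep straight when using the IP form. The scheme in proxy_pass has to be what the service actually speaks on that port; plain HTTP sent to a TLS listener, or TLS sent to a plain listener, fails inside nginx and surfaces as a 502 just like a name that does not resolve. And the included proxy.conf forwards the client address in X-Forwarded-For, so an application behind the proxy only logs and rate-limits real client addresses if it is told to trust the proxy, which is what the trusted_proxies entry in the Nextcloud sample's comments is for; without it every request appears to come from the proxy.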
      For Airsonic, I put my local IP address in the airsonic conf file (last line):

      Source Code

      # make sure that your dns has a cname set for airsonic and that your airsonic container is not using a base url
      server {
          listen 443 ssl;
          listen [::]:443 ssl;
          server_name airsonic.rd-home-server.*;
          include /config/nginx/ssl.conf;
          client_max_body_size 0;
          # enable for ldap auth, fill in ldap details in ldap.conf
          #include /config/nginx/ldap.conf;
          location / {
              # enable the next two lines for http auth
              #auth_basic "Restricted";
              #auth_basic_user_file /config/nginx/.htpasswd;
              # enable the next two lines for ldap auth
              #auth_request /auth;
              #error_page 401 =200 /login;
              include /config/nginx/proxy.conf;
              resolver 127.0.0.11 valid=30s;
              set $upstream_airsonic airsonic;
              proxy_pass http://192.168.1.66:4040;
          }
      }

      And it is working great; however, I don't know if it is the correct way to do that!

      For Heimdall, I have done the same thing:


      Source Code

      # make sure that your dns has a cname set for heimdall
      server {
          listen 443 ssl;
          listen [::]:443 ssl;
          server_name heimdall.rd-home-server.*;
          include /config/nginx/ssl.conf;
          client_max_body_size 0;
          # enable for ldap auth, fill in ldap details in ldap.conf
          #include /config/nginx/ldap.conf;
          location / {
              # enable the next two lines for http auth
              #auth_basic "Restricted";
              #auth_basic_user_file /config/nginx/.htpasswd;
              # enable the next two lines for ldap auth
              #auth_request /auth;
              #error_page 401 =200 /login;
              include /config/nginx/proxy.conf;
              resolver 127.0.0.11 valid=30s;
              set $upstream_heimdall heimdall;
              proxy_pass https://192.168.1.66:8081;
          }
      }
      But it doesn't work... Maybe because of port 443, which I have replaced with 8081?