Using Nginx Proxy Manager with pfSense, Proxmox, and Docker 

Thanks for letting me know it’s still helping.

Hello back. London is one of my favorite places to visit. 👍

Hey I appreciate the topics but a lost of them just aren't in my areas. 1. The internal firewall for Proxmox is ok I guess but seems pretty basic. And I've never had a need/use case to use it differently than default. 2. I run pfsense but I run it on dedicated hardware and probably always will. I don't want my network down just because my server is down. However have you seen this video ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-hdoBQNI_Ab8.html 3. OVS is a pretty heavy hitter for a virtual switch and again I've just never had the need to use it. I have no idea for a use case either. 4. I do backup my VMs and LXCs but I do it manually using what is already in Proxmox. So I don't have a need for the Proxmox Backup Server. But again, TechnoTim has you covered ru-vid.com/video/%D0%B2%D0%B8%D0%B4%D0%B5%D0%BE-jLBNm0fNIog.html 5. I guess I don't understand this one. You want the Proxmox host to be a DHCP server? I mean if you virtualize pfsense, that should be your DHCP server... 6. I have limited experience with Thin Clients, and no experience with PXE boot. But Thinstation seems like an interesting project. I'll be checking that one out...

@@AllenSampsell Thanks for your reply. 1. Internal firewall was suggested in order to provide security to VM/Containers running inside Proxmox. 2. Pfsense suggested in order to save the space / power. The video suggested by you is not a good one. I have already watched 3 weeks back. Techno Tim's video on the subject factually a chit. I have even commented on it but so far never got the convincing answer. 3. OVS can be used to isolating traffic between various vm/containers running inside Proxmox. In home /business environment at times you have to do that. Hence it was suggested. 4. Again the video suggested, lacks quality and is made for beta version of Proxmox-Backup server. Since day before yesterday, ProxmoxBackup Server has come out from Beta , its right time to re look. 5. Unfortunately, you can not decide the IP address in Proxmox while you create a new VM. You have to do it manually inside VM or note down mac address and set it on external dhcp server, which, according to me can be avoided. To the best of my little knowledge, if we have authoritative dhcp server on Proxmox host , the task can be fulfilled. 6. My idea is to make a small vm of Thinstation. With this one can use thinclient to connect Windows VM. Hence suggested. Sorry for long answer. Regards Love from India.

@@mithubopensourcelab482 no worries at all. I appreciate the response. I can see the appeal for many of these things. I just usually make videos on things I use or am wanting to learn. I watched a few videos on Thinstation this afternoon already. Interesting stuff.

Thanks!

If you preplanned your OMV install to use non standard ports for both 80 and 443 then you have a shot at making it work. Tweaking OMV after you already have a stable “normal” configuration seemed like a bad idea. But if you’re going to install OMV fresh and you do your homework on if/how to change the ports, that would be the ideal time.

That is a Docker container called Heimdall. Very useful to have as a homepage.

Ahh yes that is a Docker container called Heimdall. I use an image from Linuxserver.io for that. It’s a great homepage system. Other folks like Organizer I think it’s called....

@@AllenSampsell thanks a lot that was exactly what i was looking for!

@@BlueScream0 no problem at all. I show Heimdall in most of my videos these days and get questions about it all the time.

Well I could definitely do that. But I do t like the idea personally. I try not to change the Proxmox host machine so that updates and upgrades work smoothly. Not saying it wouldn’t, just don’t want to take the chance. Also, by running Docker in a VM or LXC I can easily back it up before I make major upgrades or updates to containers or the VM/LXC host files.

Yes actually. For Proxmox virtual consoles to work correctly you have to enable Web Sockets support. I do this for Portainer as well so that the console to go into a container will work correctly.

That’s a great question. I doubt it because I made all mine FQDN compliant , at least for local DNS use, so they would proxy correctly. There may be a way to do it though.

I wonder if that’s a RU-vid thing. I know the audio isn’t great quality in past videos, but this is the first I’ve heard they play too low.

Unfortunately I am not familiar with using either of those. However in my pfsense firewall I’m using split DNS to resolve the domain internally. But my domain controller is also local. There’s so many ways to do things it’s hard for me to advise on this one.

@@AllenSampsell thx for the quick reply, they are both open source saas to deploy docker templates but they are configured to use a docker swarm and to get them to work without a public IP is far beyond my knowledge at this point sadly

Yes. I believe the custom branding is not part of the Community Edition.

Host Overrides in pfSense is only so the name you use (plex.localname) will go to the right IP address. That IP address, if you're running multiple services should be the Nginx Proxy Manager. NPM is what routes the name to right IP address.

Nothing special at the command line in Proxmox. However, in NPM you'll need to edit config and make sure you enable Websockets.

That is a homepage software call Heimdall. I run it from a docker container. Very useful tool.

You probably need to import the certificate into the browser.

OPNSense is a great alternative. Just as powerful as pfSense, however my attempts to switch to it have not gone well. I have everything dialed in so well on pfSense that it’s proven difficult to duplicate on OPNSense. Just my take on it. But if you’re just starting out try OPNSense first. If it does everything you need then stick with it.

I’m actually using split DNS. PfSense has a DNS Resolver that allows local redirection. But my real DNS server for my websites is built into my Univention Corporate Server VM. So not an easy answer for anyone.

Ohh this is definitely run just internally for this purpose. I have a different reverse proxy for my internet facing apps. That error you’re seeing might be related to that browser. I would try Firefox.

i found my fault...importing the root and intermediate cert in windows solves the problem! Thanks for that video

@@AS-em5jm glad you found it. Was just going to point you to that. 👍

For proxmox did you turn on WebSocket Support? And for NPM I have the Force SSL and HTTP/2 Support enabled. Hope that helps

@@AllenSampsell Thanks, I figured out what the problem was in the meantime. I had a conflicting dns alias entry in unbound. I got it all set up now :D

Sorry, I'm confused, are you setting up Bookstack? Or are you trying to get Heimdall to work? For Heimdall I using https as the scheme in NPM, but I don't have any other options turned on. I am using port 8443 which is a lot lower than yours. What I will say is try to get it all to work without the certs first. Then add that layer.

@@AllenSampsell trying to copy what you did but with Heimdall. I can bring it up with ip address but not a domain. Was able to make it work before purchasing new pfsense 2100. So seems to be something in firewall.

@@Whiskey7BackRoads ahh so in pfSense in the DNS resolver you need to make sure you have that Host Override that points heimdall.local to your NPM IP address. Other than that it should just work.

@@AllenSampsell yea I have tried it there but you can not put in port address. So if I point to internal address without port it doesn't come up. That's the problem, no way to map to that port

@@Whiskey7BackRoads the port goes in NGINX Proxy Manager (NPM) it routes the hostname to the ip address:port

Ahh now that’s an easy one. It’s mainly simplicity and ease of use. I did look at the inbuilt haproxy however I was already familiar with Nginx and the learning curve for me to figure out haproxy seemed unnecessary. If you’re familiar with haproxy, by all means use it. That would be one less docker container you’d need to worry about.

I have not automated them. I just made them last so long that I won’t need to update them very often.

@@AllenSampsell Thanks, going to look into automating it with a cronjob, granted my set up is on opnsense without certificates from opnsense itself. Thanks for the video.

Yes, I believe the same concept works with other Reverse Proxies and pfSense. And HA Proxy is built into pfSense, so give it a shot. I just don't know how HA Proxy works and it was difficult enough that I didn't bother to try to learn. NPM was just so easy. But again, please give it a shot.

That’s a good question. I guess it depends on your setup. I’m sure there must be NPM installers that aren’t Docker containers so I can only tell you Maybe.

@@AllenSampsell thank you sir, unfortunately this also hot issue on reddit which some people demand non-docker but it's too hacky to do. Seems like I have to write my own home server frontpage + proxy or maybe just normal nginx 😅

Yes great catch. I ran into that as well. For that Proxy Host in NPM you must turn on the "Websockets Support". Try that and let me know.

@@AllenSampsell Allen your the best you! Thank you so much for this tutorial it worked

@@TadasTirony glad it worked for you. I use it every day. 👍

I guess that depends on what is producing the Certificate. Are you using pfsense or something else? You could use a text editor and inspect the cert key is in the right format...

@@AllenSampsell I'm useing pfsense

@@nyvek970 Not quite sure then. Never run into that issue. I would check to ensure you're pfsense settings are correct for producing the keys. Try reinstalling NPM. Not sure what to tell you. It does work. But there's too many variables possible for me to tell you if something is wrong with your setup.

Behind? My domain controller is a VM on my Proxmox machine. I have split DNS so that I can redirect to my internal sites. It’s not perfect but it works.

@@AllenSampsell Hey, nah I mean how to get proxmox web gui to work properly behind a local dns entry, whenever i do it i get errors, i think theres extract configuration that has to be done for it to resolve properly. Do you recall what you had to do to get it to work behind your local dns? Great video btw!

@@28469 All I did was put a host override in the DNS Resolver. I didn't make any other configuration changes. In NPM I did enable websockets support...

@@AllenSampsell yup it was the web sockets. Thanks so much!

@@28469 glad to help…

I did look into HAProxy previously and it was overly complex compared to this method. So I'm well aware it's there just did not bother to try. I didn't know about the 2 Year cert life but should be easy to just recreate them if I need to I suppose. I can't actually use Let's Encrypt as I am already running a server for my main website on Port 80 and 443. Also, to create a cert it needs to be a real TLD or you get an error. I'm using a fake TLD that will never leave my local network. And I guess I didn't think about creating a *.allen cert in pfsense and using it for all of them. That seems like a great idea. Will test that tomorrow!

Yeah that didn't work. I could create a *.allen cert in pfsense and could install it in NPM but the browsers were expecting the name i.e. tautulli.allen and I was back to having to override for a local cert.

@@AllenSampsell Hmm, yeah that would essentially be a wild card TLD, which I could see being an issue. A wildcard FQDN should work though

@@AllenSampsell haproxy is definitely more complex. The integration in pfsense, is the primary benefit for my use case. Regarding you already hosting a site on 80/443; you can overcome this by using a virtual IP on pfsense. You essentially use the virtual IP in place of the router ip in an haproxy setup. That way you can run multiple services on the same box on the same port. Regarding the let's encrypt, yes that would have to be a real domain. So if you're set on the .allen domain, your self signed cert is the only option. In my case, installing CAs wasn't an option, so I had and wanted to use an FQDN

@@hockey6611 hmm virtual IP. I’ve seen that option in the menus but never looked into it. Now I will. And the thing about the current setup is that the host override won’t accept an FQDN. Just host.tld.

Thanks. And have you tried putting one device on DHCP to see if it then works? Maybe your devices with the static info doesn't include the DNS resolver? Just guesses here. Good luck with it though.

@@AllenSampsell I have ticked of for "Register DHCP static mappings in the DNS Resolver" so they should be included. Are there any firewall rules that needs to be added? How are the internal queries routed to the NPM?

@@janmagnusrkke8815 I have that same setting turned on. There aren't any specific firewall rules for this. Did you setup the Host Overrides section? That's what points it internally to NPM's IP address.

@@AllenSampsell I feel like an idiot xD I put the IP of the service's host instead of the NPM VM IP in the Host Overrides IP field! Thanks a bunch! :)

@@janmagnusrkke8815 Ohh yeah lol that would not be good. Glad you worked it out though.

That’s an excellent issue to raise…. For anyone trying to use what I show in the video to serve both internal and external services. And your idea to use an access list which is built into NPM would be useful. In reality I have two separate reverse proxies in place so I don’t think it’s possible. But I’ll admit I’m no expert on DNS or reverse proxies and my firewall may be vulnerable in a way I’m not aware of. So please do tell me if you can reach my internal pages. My IP isn’t that hard to find lol

Local DNS configs only translates within your local PC or local networks connected to that PC. It doesn't propagate all the way across Google DNS servers or cloudflares DNS servers for example. So unless your already on a server attached to his network, it won't be possible.

Although I can see the resemblance. Don't be disrespectful..

LOL not the first time I’ve been accused of a resemblance.

And how does DNS resolution get me to a specific port? It’s not like I didn’t look at DNS first but I couldn’t find a way to make that work without a reverse proxy. And the local certs are just so that the browser is happy and doesn’t warn you your passwords might be intercepted. You can run it without the certs but it’s annoying.

How are you able set this up with pfSense so you don't have to type the port number for different services?

You're going to have to elaborate, why can't Proxmox backup container disk images?

​@@illegaldyo Because this containers (I talks 'bout containers like in this video, with unprivileged mode and docker inside) have docker volumes inside.

I’m sorry but you are incorrect. I’ve been running this way for a long time. Maybe your limitation has to do with hardware or how you have things setup. But it does work.

@@AllenSampsell Are u sure? Are u saying that your lxc-container has unprivileged mode and docker containers are running inside this lxc-container? And can u restore from an backup without any problems this lxc-container? Are u tryed do this?

@@AntonStolov very sure. But again I’m not using LVM or ZFS for my storage. Your setup of Proxmox can have side effects of what you can and can’t do.