My environment is set up in the following way:

Linode VPS - Ubuntu 20.04, Docker and NPM:latest installed, Wireguard peer (10.5.2.1) to local pfSense on LAN, domain name pointed at static Linode public IP address, Linode firewall set to 'allow all'
pfSense on local LAN - Wireguard peer to Linode VPS (10.5.2.2), internal firewalls set to allow tunnel traffic to proxy hosts
Proxy hosts - Nextcloud (10.0.21.20:443), Overseerr (10.0.21.13:5055), Home Assistant (10.0.22.6:8123)
Connection from Linode to proxy hosts is successful - a ping from the NPM console to any proxy host at its local IP address is successful, and visiting a proxy host from a Firefox container on Linode loads without issue.
However when trying to request a cert in NPM using a HTTP challenge there is an 'internal error' and this in the logs:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
Domain: [nextcloud.mydomain.tld]
Type: connection
Detail: Fetching http://nextcloud.mydomain.tld/.well-known/acme-challenge/[token]: Connection refused
Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.
The same error occurs when trying to request a cert for a proxy host on the Linode VPS rather than through the Wireguard tunnel.
I can request a cert for my domain name using DNS challenge, but setting that cert for any proxy host and trying to load the page results in connection refused within the browser.
I have ensured that all firewalls on Linode are disabled or set to 'allow all', so it shouldn't be blocked there. In iptables I can see Docker has set up the necessary rules to direct incoming traffic to the NPM container. As a test I ran a FreshRSS container on Linode on port 80 and I can visit the page at my domain name without any block.
I am at a dead end of troubleshooting and logs to check. NPM had been running happily for months on a local device on my LAN pointing to the same local proxy hosts when I had my domain name pointed to my home WAN IP address; I just can't understand why it might break in this way when migrated to a Linode host.
Any ideas?
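A preflight for the webroot HTTP-01 check that is failing above, added here as an example and not code from the poster, NPM or certbot: it drops a throwaway token under `<webroot>/.well-known/acme-challenge/`, fetches it the way the CA does, and tells a "connection refused" (nothing bound to the port the name resolves to) apart from a 404 (a listener, but not serving this webroot) and a timeout (packets dropped). The webroot path and hostname are arguments you supply; the self-test stands up its own loopback listener so it runs offline.

```python
import functools, http.server, os, secrets, socket, tempfile, threading, urllib.error, urllib.request

def write_probe_token(webroot):
    """Drop a throwaway token where certbot --webroot would write its own."""
    token = secrets.token_urlsafe(24)
    d = os.path.join(webroot, ".well-known", "acme-challenge")
    os.makedirs(d, exist_ok=True)
    with open(os.path.join(d, token), "w") as f:
        f.write(token)  # echo the token so a reply from the wrong vhost is detectable
    return token

def probe_challenge(base_url, token, timeout=5.0):
    """Fetch the token the way the CA does and classify: ok / wrong (200 from
    another vhost) / notfound (listener, but not this webroot) / refused
    (nothing bound, port not published) / timeout (dropped by a firewall)."""
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{token}"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            body = r.read().decode(errors="replace").strip()
            return "ok" if body == token else "wrong"
    except urllib.error.HTTPError as e:
        return "notfound" if e.code == 404 else f"http_{e.code}"
    except urllib.error.URLError as e:
        if isinstance(e.reason, ConnectionRefusedError):
            return "refused"
        return "timeout" if isinstance(e.reason, socket.timeout) else f"error:{e.reason}"
    except socket.timeout:
        return "timeout"

def serve_webroot(webroot):
    """Stand-in listener on an ephemeral loopback port, serving the webroot."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=webroot)
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, f"http://127.0.0.1:{srv.server_address[1]}"

def self_test():
    """Reproduce three outcomes offline: served, unknown token, port closed."""
    with tempfile.TemporaryDirectory() as webroot:  # constructed throwaway webroot
        token = write_probe_token(webroot)
        srv, url = serve_webroot(webroot)
        results = {"served": probe_challenge(url, token),
                   "missing": probe_challenge(url, "not-a-real-token")}
        srv.shutdown(); srv.server_close()  # socket gone: same probe now gets ECONNREFUSED
        results["closed"] = probe_challenge(url, token)
    return results

if __name__ == "__main__":
    print(self_test())  # expected: served=ok, missing=notfound, closed=refused
```

Against a real setup, call `probe_challenge("http://nextcloud.mydomain.tld", write_probe_token("<NPM webroot path>"))` from the Linode host; "refused" there means the public address has nothing accepting on port 80 (check `docker port` for the NPM container and `ss -ltnp`), while "notfound" means a listener answered but from a different webroot.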