Closed Haecky closed 1 year ago
As I do not actively use nginx proxy manager, and given the lack of supporting detail, I don't have an answer for you.
Information about security can be found in SECURITY.MD
I need settings for "Nginx Proxy Manager" web UI
how do you secure the login?
Please help
I have a working install
Also need settings for "Nginx Proxy Manager" web UI, please. Thanks a lot.
Sorry for the late reply
Do the usual stuff for a host entry, leave custom locations empty, and then replace
and add the below to the advanced section of Nginx Proxy Manager for the host

```nginx
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_ssl_server_name on;

# headscale-ui (web front end)
location /web/ {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_redirect http:// https://;
    proxy_pass http://<server_ip>:8090/web/;
}

# headscale itself
location / {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    proxy_redirect http:// https://;
    proxy_buffering off;
    proxy_intercept_errors on;
    proxy_http_version 1.1;
    proxy_pass http://<server_ip>:8088/;
}
```
Excuse me, I have tried several times to put this into Custom Nginx Configuration but it warns: Please note, that any add_header or set_header directives added here will not be used by nginx. You will have to add a custom location '/' and add the header in the custom config there.
Both proxy_pass settings had been changed to my container IP and port.
The container is running, web is up, but the API test failed. I don't know what I should do now, so plagued. I used Nginx Proxy Manager. Looking forward to your help.
Do you have a properly working NPM with an SSL CRT you are using with other applications ?
@ithakaa I tried your config and I'm getting the error "Client sent an HTTP request to an HTTPS server." but I think it's because in the

```nginx
location /web/ {
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_redirect http:// https://;
    proxy_pass http://<server_ip>:8090/web/;
```

the last line should be https. But even when I change it I get a white screen, no errors, just when accessing the UI; the other part works fine. Any idea what I'm doing wrong?
> the last line should be https.

It works for me. Are you using a valid SSL CRT with NPM?
Yes, I already have external clients running, I just want to try the web-ui. Just to be clear about the ports you use there: the location /web/ port is the one I have configured in Headscale-ui and the location / is the port I have configured for Headscale?
I've provided screenshots, might be easier this way, let me know how you go
https://github.com/ithakaa/headscale-ui-npm/blob/main/README.md
Thank you very much. Your installation is with docker?
> Your installation is with docker?
yes
This is my compose
```yaml
version: '3.5'
services:
  headscale:
    container_name: headscale
    image: headscale/headscale:latest
    restart: unless-stopped
    #ports:
    #  - 8011:8080
    volumes:
      - /srv/dev-disk-by-uuid-36ffb5ee-7f60-4aea-bc0c-45c47cfbd3f7/containersdata/headscale/config:/etc/headscale
      - /srv/dev-disk-by-uuid-36ffb5ee-7f60-4aea-bc0c-45c47cfbd3f7/containersdata/headscale/data:/var/lib/headscale
    command: headscale serve
    networks:
      nginxproxymanager_default:
  headscale-ui:
    image: ghcr.io/gurucomputing/headscale-ui:latest
    restart: unless-stopped
    container_name: headscale-ui
    #ports:
    #  - 8443:443 # Use the port of your choice, but map it to 443 on the container
    networks:
      nginxproxymanager_default:
networks:
  nginxproxymanager_default:
    external: true
```

Can you share your compose? That way I will have everything the same. Thanks
```yaml
version: '3.6'
services:
  headscale:
    container_name: headscale
    image: headscale/headscale:latest
    command: headscale serve
    restart: unless-stopped
    ports:
      - '8089:9090'
      - '8088:8080'
    volumes:
      - ./data:/etc/headscale
      - ./config:/var/lib/headscale
  headscale-ui:
    image: ghcr.io/gurucomputing/headscale-ui:latest
    restart: unless-stopped
    container_name: headscale-ui
    ports:
      - 8090:80
```
@ithakaa Thanks for all your help. It was right since the beginning; the whole problem was the browser cache.
@ithakaa Hi, so I am using your NPM config and while it generally works fine, the server isn't available through https://
This is mostly an annoyance since I can technically always remove the port from the register urls, but is annoying, and might be breaking taildrop, but I am not sure yet. (the send to list is entirely empty).
You wouldn't have any ideas on why this is happening? Some headscale config setting that I shouldn't have changed or something.
the server isn't available through https://:8080/ and just errors with SSL_ERROR_RX_RECORD_TOO_LONG, just removing the 8080 port makes it all work fine.
Are you getting the ssl error when registering nodes or when accessing the headscale ui?
I am getting that error when registering, but accessing the headscale UI I am pretty sure isn't something you should be doing with https://
Using any port not in use of course gives an unable to connect error.
you need to register via http://server_ip:8080
Which is what doesn't work, to register I need to manually remove the port from the URL, otherwise I just get that SSL error.
@mackandelius if the address starts with https you cannot use the port 8080. Just use your domain, for example https://mydomain.com/web
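Added example, not part of any post in this thread and not code from headscale or Nginx Proxy Manager: both errors reported above ("Client sent an HTTP request to an HTTPS server." and SSL_ERROR_RX_RECORD_TOO_LONG) are scheme mismatches, and this Python snippet classifies what a listener speaks from its reply to a cleartext GET, which tells you whether `proxy_pass` needs `http://` or `https://`. Function names and the sample replies are constructed for illustration.

```python
# Added example, not from the thread. Sample replies below are constructed.
import socket

# Plaintext 400 bodies that TLS listeners send when they receive cleartext HTTP.
TLS_HINTS = (
    b"Client sent an HTTP request to an HTTPS server",  # Go net/http (headscale is Go)
    b"plain HTTP request was sent to HTTPS port",       # nginx
)
TLS_MAX_RECORD = 2**14 + 2048  # largest record length TLS 1.2 allows

def classify_reply(data: bytes) -> str:
    """Classify the reply to a cleartext GET as 'tls', 'http' or 'unknown'."""
    if len(data) >= 3 and data[0] in (0x15, 0x16) and data[1] == 0x03:
        return "tls"  # TLS alert/handshake record header
    if data.startswith(b"HTTP/"):
        return "tls" if any(h in data for h in TLS_HINTS) else "http"
    return "unknown"

def proxy_pass_scheme(data: bytes):
    """Scheme to use in proxy_pass for this upstream, or None if unclear."""
    return {"tls": "https", "http": "http"}.get(classify_reply(data))

def misread_record_length(data: bytes) -> int:
    """Length a TLS client would read from bytes 3-4 of a cleartext reply."""
    return int.from_bytes(data[3:5], "big")

def probe(host: str, port: int, timeout: float = 3.0) -> bytes:
    """Send one cleartext GET and return the first bytes of the reply."""
    req = b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n"
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(req)
        try:
            return s.recv(512)
        except (socket.timeout, ConnectionResetError):
            return b""

SAMPLE_PLAIN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"
SAMPLE_GO_TLS = (b"HTTP/1.0 400 Bad Request\r\n\r\n"
                 b"Client sent an HTTP request to an HTTPS server.\n")
SAMPLE_TLS_ALERT = bytes([0x15, 0x03, 0x03, 0x00, 0x02, 0x02, 0x46])

if __name__ == "__main__":
    for name, reply in [("plain", SAMPLE_PLAIN), ("go-tls", SAMPLE_GO_TLS),
                        ("alert", SAMPLE_TLS_ALERT)]:
        print(name, classify_reply(reply), proxy_pass_scheme(reply))
    print(misread_record_length(SAMPLE_PLAIN), ">", TLS_MAX_RECORD)
```

Run `probe("<server_ip>", 8080)` against your own listener and pass the result to `proxy_pass_scheme`; a cleartext `HTTP/` reply read as a TLS record header yields a length above the TLS maximum, which matches the "record too long" error when `https://` is pointed at a plain HTTP port.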
> otherwise I just get that SSL error.
Are you using the headscale-ui docker image that includes headscale and headscale-ui?
@appleimperio that is what I am doing, but the app and program both direct you towards a url using the :8080 port, if this is expected behavior then that is clunky and not worth it.
@ithakaa sorry, forgot to mention that I am not, forgot the exact reasons now, but was actually just easier installing headscale to the server directly, headscale-ui is running in docker. Which means it might be that docker network I am missing.
> headscale-ui is running in docker.
To be absolutely honest, I actually wouldn't even bother with headscale-ui
The headscale cli is super simple
Regardless, doesn't headscale require HTTPS at least partially? Since lines in the config about setting up letsencrypt?
> Regardless, doesn't headscale require HTTPS at least partially? Since lines in the config about setting up letsencrypt?
Sorry I can't be of any further assistance, it seems you need to look into headscale a little more deeply before you start posting requests for help
For someone who also runs into the same issue as I did, I had to turn OFF the "Cache Assets" for the proxy host and things would work without any tricks.
It's actually because assets go to different location which doesn't recognize the /web path: