[Bug] Current version is NOT drop-in replacement for official npm - ports and mount point are wrong
Current Behavior
Original npm uses ports 80, 443 and 81, and uses /data as the location of configurations, as seen on their example compose file:
ports:
  - '80:80'
  - '81:81'
  - '443:443'
volumes:
  - ./data:/data
This project exposes its services on 8181, 4443 and 8080. It also expects config files to be mounted on /config.
This can be very confusing for users looking to migrate, since the project describes itself as "a drop in replacement for jlesage/nginx-proxy-manager".
Expected Behavior
This project should be changed so that it exposes its services on ports 443, 80 and 81. Config location should be set to /data, in order to be a drop-in replacement for original npm.
No response
Steps To Reproduce
No response
Environment
- OS:
- OS version:
- CPU:
- Docker version:
- Device model:
- Browser/OS:
Container creation
docker run -d \
  --name=nginx-proxy-manager \
  -p 8181:8181 \
  -p 8080:8080 \
  -p 4443:4443 \
  -v /docker/appdata/nginx-proxy-manager:/config:rw \
  lepresidente/nginx-proxy-manager
Container log
-
Container inspect
No response
Anything else?
No response
agreed, the file structure is pretty bad but i managed to get it working. to fix it, just backup your original config and replace over the top. good luck finding where they go though lmfao
Yes, I am struggling with this as well. These ports make it difficult to just replace the default NPM Docker image. I also tried a clean install, but now I can't access the Docker apps I am running behind this proxy. And requesting an SSL cert gets me an internal error. I am sure it has something to do with the ports or port forwarding, but I am afraid this is beyond the limited knowledge I possess of networking :)
Just to follow up on my previous comment (and a bit off topic maybe, sorry). I decided to start all over and do it from scratch again, now it's fully functional. It checks logs from all hosts in NPM. But OP is right, still not a drop-in. For someone looking for a complete setup though, this is mine:
version: "3.8"
services:
  nginx-proxy-manager:
    image: 'lepresidente/nginx-proxy-manager:latest'
    restart: always
    ports:
      - "81:8181"
      - "80:8080"
      - "443:4443"
    environment:
      TZ: "Europe/Amsterdam"
      DISABLE_IPV6: "1"
    volumes:
      - "/srv/npmsec/data/nginx-proxy-manager:/config:rw"
      - "/srv/npmsec/data/nginx-proxy-manager/crowdsec/templates:/templates:ro"
    networks:
      homelab:
        ipv4_address: 172.20.0.14
  crowdsec:
    image: "crowdsecurity/crowdsec:latest"
    container_name: crowdsec
    expose:
      - 8080
    environment:
      PGID: "1000"
    volumes:
      - "/srv/npmsec/crowdsec/data:/var/lib/crowdsec/data"
      - "/srv/npmsec/crowdsec/config:/etc/crowdsec"
      - "/var/log/auth.log:/var/log/auth.log:ro"
      - "/srv/npmsec/data/nginx-proxy-manager/log:/var/log/nginx:ro"
    restart: unless-stopped
    networks:
      homelab:
        ipv4_address: 172.20.0.16
networks:
  homelab:
    external: true
Get your api
sudo docker exec -it crowdsec cscli bouncers add nginx-proxy
Open config:
cd /srv/npmsec/data/nginx-proxy-manager/crowdsec
sudo nano crowdsec-openresty-bouncer.conf
Edit some parts, paste API:
ENABLED=true
API_URL=http://172.20.0.16:8080 # Edited
API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # Edited
CACHE_EXPIRATION=1
# bounce for all type of remediation that the bouncer can receive from the local API
BOUNCING_ON_TYPE=all
FALLBACK_REMEDIATION=ban
REQUEST_TIMEOUT=3000
UPDATE_FREQUENCY=10
# live or stream
MODE=live
# exclude the bouncing on those location
EXCLUDE_LOCATION=
#those apply for "ban" action
# /!\ REDIRECT_LOCATION and RET_CODE can't be used together. REDIRECT_LOCATION take priority over RET_CODE
BAN_TEMPLATE_PATH=/templates/ban.html # Edited
REDIRECT_LOCATION=
RET_CODE=
#those apply for "captcha" action
#valid providers are recaptcha, hcaptcha, turnstile
CAPTCHA_PROVIDER=
# Captcha Secret Key
SECRET_KEY=
# Captcha Site key
SITE_KEY=
CAPTCHA_TEMPLATE_PATH=/tmp/crowdsec-openresty-bouncer-install/data/crowdsec//templates/captcha.html
CAPTCHA_EXPIRATION=3600
NPM log parsers
cd /srv/npmsec/crowdsec/config
sudo nano acquis.yaml
filenames:
  - /var/log/nginx/*.log
labels:
  type: nginx-proxy-manager
---
With a bit of help from @geek2gether youtube vids :)
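A pre-flight check for the bouncer settings in the comment above, as an added example that is not part of the thread or of either project. The helper names conf_get, check_bouncer_conf and sample_conf are hypothetical, the sample file is constructed from the posted values, and dropping a trailing " # Edited" comment is this script's own assumption about how the file should be read.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. conf_get, check_bouncer_conf and
# sample_conf are hypothetical helper names.

# Print KEY's value from a KEY=VALUE file, dropping a trailing " # comment".
conf_get() {
  sed -n "s/^$1=//p" "$2" | tail -n 1 |
    sed -e 's/[[:space:]]#.*$//' -e 's/[[:space:]]*$//'
}

# Print one line per problem found; return 0 only when there are none.
# $1 = bouncer conf path, $2 = address the CrowdSec container listens on.
check_bouncer_conf() {
  local f=$1 lapi=$2 bad=0 v
  [ "$(conf_get ENABLED "$f")" = true ] || { echo "ENABLED is not true"; bad=1; }
  v=$(conf_get API_URL "$f")
  case $v in
    http://"$lapi":*|https://"$lapi":*) ;;
    *) echo "API_URL '$v' does not point at $lapi"; bad=1 ;;
  esac
  case $(conf_get API_KEY "$f") in
    *[!x]*) ;;  # contains something other than 'x', so a key was pasted
    *) echo "API_KEY is empty or still the placeholder"; bad=1 ;;
  esac
  case $(conf_get MODE "$f") in
    live|stream) ;;
    *) echo "MODE must be live or stream"; bad=1 ;;
  esac
  if [ -n "$(conf_get REDIRECT_LOCATION "$f")" ] && [ -n "$(conf_get RET_CODE "$f")" ]; then
    echo "REDIRECT_LOCATION and RET_CODE are both set"; bad=1
  fi
  case $(conf_get BAN_TEMPLATE_PATH "$f") in
    /templates/*) ;;  # /templates is the read-only mount in the compose file
    *) echo "BAN_TEMPLATE_PATH is outside /templates"; bad=1 ;;
  esac
  return "$bad"
}

# Constructed sample: a subset of the posted file, written to a temp path.
sample_conf() {
  local f; f=$(mktemp)
  printf '%s\n' 'ENABLED=true' 'API_URL=http://172.20.0.16:8080 # Edited' \
    'API_KEY=xxxxxxxxxxxx # Edited' 'MODE=live' 'REDIRECT_LOCATION=' \
    'RET_CODE=' 'BAN_TEMPLATE_PATH=/templates/ban.html # Edited' > "$f"
  echo "$f"
}

conf=$(sample_conf)
check_bouncer_conf "$conf" 172.20.0.16 || echo "fix the lines above, then restart the proxy"
```

Run against the sample it reports only the placeholder API_KEY; pointing it at the real file means passing that path and the CrowdSec container's address as the two arguments.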
Hey can I ask you how do you know if it is correctly working?
@NazgulCoder Well you can try the various commands
sudo docker exec -it crowdsec cscli metrics
sudo docker exec -it crowdsec cscli decisions list
Try manually banning your ip and check a service running behind your proxy.
sudo docker exec -it crowdsec cscli decisions add -i ipadres
Unban it
sudo docker exec -it crowdsec cscli decisions delete -i ipadres
Sometimes it works a bit too well, I am at the office right now and trying to use a homelab service :)
@Japhys thank you very much, however I recently managed to install NPMplus and I'm not turning back. Just the fact that it automatically integrates modsecurity, some other new protocols and backend admin with https. You should try that too ;)
Will give it a try!
npm-plus is nice, but I've had some issues with it, especially because of modsec. The developer has said they are working on adding openappsec. If they can do that, then I'll move to npmplus
I tried openappsec and it's bad imho, for these reasons:
- their machine learning requires so much time to learn and be "efficient"
- after researching online, I'd rather rely on common security practices
- their ML is very heavy on resources, it requires a lot of vCPU and RAM
- due to point n3, if your website gets mass scanned or DDoS attacked it will blow up your host resources, making your entire host unresponsive (this does not happen with NPM vanilla or NPMplus)