Nginx Proxy Manager - Configuration Tips (especially if you are stuck at Deploying)

Here are the configuration details for the configuration of the Nginx Proxy Manager for setting up the Reverse Proxy…

User and Group Configuration - The default will be the app user id (in my case 568). Please note the following:

  • Electric Eel: Leave at default - no change is required.
  • Dragonfish: You must change this to the root user id (usually 0), otherwise it will hang at “Deploying” forever.

Network Configuration - You will see the following ports:

  • Web Port (usually 30020) - Used to access the app
  • HTTP Port (usually 30021) - Do not change this to 80. Instead, you will set up port forwarding in your router to point the external port number of 80 to internal port 30021.
  • HTTPS Port (usually 30022) - Do not change this to 443. Instead, you will set up port forwarding in your router to point the external port number of 443 to internal port 30022.

Default login credentials:

  • username: admin@example.com
  • password: changeme

Hanging at deploying (Electric Eel):

Edit the container and add the following to Nginx Proxy Manager Configuration → Additional Environment Variables:

  • Name: S6_STAGE2_HOOK
  • Value: sed -i $d /etc/s6-overlay/s6-rc.d/prepare/30-ownership.sh

Why can’t I set the HTTP port to 80 and 443? I want to use it in my local network and not expose it outside the network

Port 80 and 443 are being used by the TrueNAS Scale UI.

Is there a way to use NPM on the local network without exposing the service publicly?

If you want to use the standard ports of 80 and 443 with nginx, then you need to go into TrueNAS Scale → System → General Settings and change the GUI ports to another port other than 80 and 443 (some have used 880 and 8443 for some reason). Then, change the NGINX ports to 80 and 443 respectively.

This actually makes it impossible to establish a connection between 2 different TrueNAS systems (e.g. for a replication task).
After some research, I’ve found that assigning a dedicated IP to NPM should probably resolve it, so I’m trying to set up a macvlan… any tips?

Edit: macvlan is not the solution; it isolates NPM and its host (TN).

So, if I assign NPM ports other than 80 and 443, I can’t properly reverse proxy (every host shows the TrueNAS GUI), but if I change the TN default ports and try to connect 2 systems via SSH, it doesn’t work because of NPM… I’m having a headache honestly :thinking:

Hey oxyde, this has been my exact issue that I have been fumbling with for the last week. I’m pretty new to TrueNAS Scale (and all things networking/sysadmin/devops), so I’ve been looking for a workaround as well.

I should mention something else though, what @MarkHoltz mentioned isn’t possible, as TrueNAS Scale is rather restrictive with port assignment; I haven’t even been able to assign port values less than 9000 to any apps I deploy (even if it’s custom).

I’m going to see if running NPM on a separate server (or even a VM) suits my needs, and see if that offers a little bit more flexibility. Otherwise, I might just switch to a different OS until a better solution is rolled out (or until I’ve polished my skills just a tad more).

I’m not an Nginx expert. My purpose in running a reverse proxy is to allow me and a few close friends to access apps on my server remotely. Audiobookshelf and Kavita do not support an SSL connection natively as well, which is a bad idea nowadays. I’m using a FQDN in my configuration, and ddns-updater to update the DNS records of my domain on a CloudFlare free account. That’s a whole other discussion.

So, part 1 is setting up Nginx on your TrueNAS scale server. Part 2 is configuring the port forwarding on your access point so that ports 80 and 443 from the outside world are forwarded to the http and https ports on Nginx. For my router, it’s as follows:

Part 2 is configuring the proxy host in Nginx. I use subdomain.example.com for the services (e.g. abs.example.com for Audiobookshelf, kavita.example.com for Kavita). So, here are the relevant screens:


I changed my actual domain to abs.example.com for purposes of the screenshot for my AudioBookShelf instance. Since it connects to my http port on my server, I set Nginx to forward the traffic to 192.168.1.2 (my TrueNAS Scale server) and use the port of 10223.

I toggle all four of the switches to force a secure connection. As for the SSL certificate…


I use the DNS verify to check the domain and an API token from CloudFlare to request a Let’s Encrypt certificate. As you probably guessed, the API token is not the real token. :smiley: If you are getting DNS failures, make sure that the proper A record for the subdomain is defined in the DNS record. If you are using ddns-updater, then you have to edit the configuration and add the domain.

Like I said, I’m no expert. I only got this going at the beginning of October after having reliability issues with the asuscomm dynamic DNS service offered on my router.
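A way to sanity-check router forwarding rules against the port layout described in this thread (80 to 30021 and 443 to 30022 on 192.168.1.2, with 30020 as the NPM admin port that ships with default credentials). This is an added example, not part of the original posts; the rule tuple format and the sample rules are assumptions constructed for illustration.

```python
# Added example. Ports and host address come from the thread; the rule format
# (external_port, internal_ip, internal_port) is an assumption.
TRUENAS_HOST = "192.168.1.2"
NPM_ADMIN, NPM_HTTP, NPM_HTTPS = 30020, 30021, 30022
TRUENAS_UI_PORTS = {80, 443}          # held by the TrueNAS UI by default
EXPECTED = {80: NPM_HTTP, 443: NPM_HTTPS}


def audit_forwards(rules):
    """Return (severity, message) findings for router forwarding rules,
    most severe first."""
    findings = []
    satisfied = set()
    for ext, ip, internal in rules:
        target = f"{ip}:{internal}"
        if ip != TRUENAS_HOST:
            findings.append(("info", f"{ext} -> {target}: not the TrueNAS host, review separately"))
        elif internal == NPM_ADMIN:
            findings.append(("high", f"{ext} -> {target}: NPM admin UI reachable from the internet"))
        elif internal in TRUENAS_UI_PORTS:
            findings.append(("high", f"{ext} -> {target}: TrueNAS UI reachable from the internet"))
        elif EXPECTED.get(ext) == internal:
            satisfied.add(ext)            # the forwarding the thread describes
        else:
            findings.append(("medium", f"{ext} -> {target}: bypasses the proxy or is mismatched"))
    for ext in sorted(set(EXPECTED) - satisfied):
        findings.append(("info", f"external {ext} is not forwarded to NPM port {EXPECTED[ext]}"))
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: order[f[0]])


# Constructed sample rule sets.
GOOD = [(80, TRUENAS_HOST, 30021), (443, TRUENAS_HOST, 30022)]
BAD = [
    (80, TRUENAS_HOST, 80),        # lands on the TrueNAS UI, not NPM
    (443, TRUENAS_HOST, 30022),
    (8181, TRUENAS_HOST, 30020),   # publishes the NPM admin login
    (10223, TRUENAS_HOST, 10223),  # Audiobookshelf's plain-HTTP port, proxy bypassed
]

if __name__ == "__main__":
    for severity, message in audit_forwards(BAD):
        print(f"[{severity}] {message}")
```
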

That’s a pretty solid setup. I wanted to be able to access my self-hosted services locally with a domain as opposed to ip:port, while also having an SSL encryption so my browser stops panicking. In order to access it from outside my home network, I wanted to use wireguard VPN. Since I don’t have the ports open to the outside world, I thought that maybe doing DNS-01 as opposed to HTTP-01 might help me to circumvent the issue. I eventually found a nice tutorial that covered my issue perfectly, and that had this solution I was looking for.

I think I might know what the issue was with my setup, but I have to do some log reading and some config checking. I guess I’ll keep posted if I find a solution in the near future.

Thank you for sharing your setup; it’ll serve as inspiration with some tweaking here and there.

You are welcome! I’m glad to assist.

One could set the TrueNAS-UI Login Ports to something else like 2080 and 20443 and use the default ports with NPM.

The “cleaner” way IMO is installing some minimal Debian VM with docker compose (and watchtower).

Assign a separate IP.

Done.

That is the first thing I did, and it works well until you try to establish an SSH connection from/to another TN system, not even when using the internal IP instead of the hostname. So it is impossible for me to pull snapshots from the main system.
Hope someone can point me in the right direction; forwarding 80/443 to the world is not the way I want to do that, for security reasons (and I moved to Scale mainly to stop using virtualization…)

Oxyde, I’m not quite sure what you’re looking for, but I think it might be best to just run NPM on a separate device. I had the same issue where every proxy host would just show the TrueNAS GUI, and it was a total pain. I have NPM on a separate Debian server currently and it does the job. I even have a domain with a DNS record pointing to the local IP for NPM, which enables me to use HTTPS for my services that I am accessing through a DNS-01 challenge. This also separates the TrueNAS server from the process, but still lets you point proxy hosts to services on it with the IP and port. I was dealing with this problem for weeks and it was driving me insane; so glad that it’s finally over and done with.


I was probably just wrongly “blaming” my NPM setup for an issue (SSH connection not possible) that has had me struggling for 2 days, after some bad research overall…
Thanks for the tips and the guide to all.
