Why do you think you need host networking enabled for NPM?
It lets you run the container as if it’s directly connected to your LAN, which gives it the capability of having its own IP and hostname.
Then you can target it at port 443 and not conflict with TrueNAS.
My goal is to provide separate URLs for the apps running on different ports. Using Nginx-Proxy-Manager on TrueNAS itself, it also increases security because HTTP commands become HTTPS without any unencrypted traffic flowing on my network which would happen if I used another machine to host the proxy.
…which is not necessary.
…which you can accomplish by setting TrueNAS to use a different port.
Of course. But there’s no need for host networking to do that. You’ve already seen this link in the other thread, but it documents how to do this without host networking:
Hi, thank you very much for the guide. I followed your method to get here but don’t quite understand what updating the DNS records means, the
I should have added to the local /etc/hosts
127.0.0.1 subdomain.example.com
Or do I need to add subdomain.example.com -> NAS ip
to the DNS in cloudflare?
Understood. Let me explain my use case to help answer your question.
My goal was to allow certain applications (AudioBookShelf, Kavita, SFTP, Linkding) to be accessible from the Internet using a fully qualified domain name (e.g. example.com) using subdomains (e.g. kavita.example.com) in a secure manner rather than by IP address and port number. I’m on a residential internet provider, so the public IP address can change, thus Dynamic DNS (DDNS) is needed for the DNS records.
The first part is automatically updating the DDNS record. After registering my domain name and setting up a Cloudflare (or equivalent) account, I’m using the TrueNAS App “DDNS Updater”, which gets my current IP address and then updates the DNS record at Cloudflare every five minutes so that it knows what IP address “subdomain.example.com” goes to. No modification of the hosts files is needed.
The second part is setting up the Nginx reverse proxy so that when a request comes in for subdomain.example.com, it knows where to go with that request. So, as far as the outside world knows, my audiobook server is at abs.example.com with an SSL certificate from Let’s Encrypt and a forced redirect from HTTP to HTTPS, but internal to my network, it’s going to http://192.168.1.2:10223.
Let me see if I can find a guide on this.
OK, here we go. These instructions were written up to set up audiobookshelf as an initial configuration.
Part One: Set up Cloudflare account:
In order to make sure
- Sign up for a free Cloudflare account.
- Transfer DNS control of your domain records to Cloudflare.
- Note the following values:
- Zone ID
- Account ID
- User API Token - You will have to generate one using the “Edit Zone DNS” with the Permissions being Zone → DNS → Edit and Zone Resources being Include → Specific Zone → The domain (e.g. example.com). Once it is generated, put it in a safe place.
Part Two: Setting up DDNS Updater
Since I’m allowing access to my ABS instance through a home internet connection, I cannot guarantee that my IP address won’t change. So, I use DDNS Updater to automatically update the DNS record on Cloudflare.
- Install DDNS Updater with the following settings in the DDNS Updater Configuration → Config section:
- Provider: Cloudflare
- Domain: abs.example.com (additional domains can be comma separated)
- Host (Deprecated): Leave blank
- IP Version: IPv4
- Zone ID: Use Cloudflare Zone ID above
- TTL: Leave at 1
- Token: Use Cloudflare User API Token
- User Service Key: Leave blank
- Email: Your Cloudflare email account
- API Key: Use the Cloudflare Account ID
- Once DDNS updater is running, verify that the DNS record has been updated on Cloudflare.
Part Three: Setting up a reverse proxy
ABS only offers an HTTP connection, and the ABS developer strongly recommends using a reverse proxy to provide an HTTPS connection and additional security. Only Nginx Proxy Manager is offered through TrueNAS Scale’s app store, and fortunately, it is easy to set up.
- Install the Nginx Proxy Manager and note the following values:
- HTTP Port: (e.g. 30021)
- HTTPS Port: (e.g. 30022)
- Go to your router and set up the following port forwarding rules:
- Port 80 → HTTP Port (e.g. 30021)
- Port 443 → HTTPS Port (e.g. 30022)
- Log into Nginx Proxy Manager.
- Go to Hosts → Proxy Hosts
- Click on Add Proxy Host
- In the Details Tab, put in the following:
- Domain name: The name of your ABS server (e.g. abs.example.com)
- Scheme: http
- Forward Hostname / IP: The IP address of your ABS instance (e.g. 192.168.1.2)
- Forward Port: The port of the ABS instance (e.g. 10223)
- Cache Assets: Off
- Block Common Exploits: On
- Websockets Support: On
- Click on the SSL tab and set the following settings:
- Force SSL: On
- HTTP/2 Support: On
- HSTS Enabled: On
- HSTS Subdomains: On
- I use a Lets Encrypt certificate for each of my domains. To generate the certificate, go to SSL certificate and select Request a New SSL certificate.
- Enable Use a DNS challenge which brings up the following values:
- DNS Provider: Cloudflare
- Credentials File Content: The default value will be # Cloudflare API token followed by dns_cloudflare_api_token=0123456789abcdef0123456789abcdef01234567. Replace the token value with the Cloudflare User API Token.
- Propagation Seconds: Leave blank
- Email Address for Let’s Encrypt: Put in a email address. (e.g. domreg@example.com)
- I agree to Let’s Encrypt Terms of Service: Enable
- Click on Save and allow a minute or so for the certificate process to complete.
Addendum: If you want to add an additional domain after this initial configuration, then you simply add the additional sub-domains (comma separated) in the DDNS Updater, then add each domain and certificate following Nginx steps 3-10.
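For anyone still unsure what “updating the DNS records” means in practice (the question earlier in the thread, and Part Two of the guide above): the following is an added example of the logic a DDNS updater performs against Cloudflare. It is not the DDNS Updater app, not Nginx Proxy Manager, and not the poster’s code. It assumes the Cloudflare API v4 endpoints as currently documented, a public-IP lookup service at https://api.ipify.org, and three hypothetical environment variables (CF_ZONE_ID, CF_API_TOKEN, DDNS_DOMAINS) for the Zone ID, the scoped User API Token and the comma-separated hostnames. The sample records at the bottom are constructed. One caveat the app’s settings do not make obvious is shown explicitly: if the “public” address you detect is a private or CGNAT address (100.64.0.0/10), your ISP is not giving you a routable IPv4, and writing it into DNS would never let outside clients reach the proxy, so the script refuses to touch the record in that case.

```python
"""Minimal Cloudflare DDNS updater (added example, not the DDNS Updater app).

Assumed configuration (hypothetical, not from the original post):
  CF_ZONE_ID     Cloudflare Zone ID of example.com
  CF_API_TOKEN   User API Token scoped to Zone -> DNS -> Edit for that zone only
  DDNS_DOMAINS   comma-separated A-record names, e.g. abs.example.com,kavita.example.com
"""
import ipaddress
import json
import os
import urllib.request

CF_API = "https://api.cloudflare.com/client/v4"
IP_LOOKUP = "https://api.ipify.org"  # any plain-text "what is my IP" service works


def valid_public_ipv4(text):
    """Return the address as a string if it is a routable public IPv4, else None.

    Private (192.168/16 etc.), loopback, CGNAT (100.64/10) and IPv6 answers
    are rejected: publishing any of them in a public A record is useless.
    """
    try:
        ip = ipaddress.ip_address(text.strip())
    except ValueError:
        return None
    if ip.version != 4 or not ip.is_global:
        return None
    return str(ip)


def plan_update(public_ip, records, wanted_names):
    """Decide per hostname whether its A record must be created, updated or left alone.

    records: the 'result' list from GET /zones/{zone}/dns_records?type=A
    Returns a list of (action, name, record_id) tuples.
    """
    by_name = {r["name"]: r for r in records if r.get("type") == "A"}
    actions = []
    for name in wanted_names:
        rec = by_name.get(name)
        if rec is None:
            actions.append(("create", name, None))
        elif rec["content"] != public_ip:
            actions.append(("update", name, rec["id"]))
        else:
            actions.append(("skip", name, rec["id"]))
    return actions


def cf_request(method, path, token, body=None):
    """Authenticated JSON call to the Cloudflare v4 API; returns the 'result' field."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        CF_API + path, data=data, method=method,
        headers={"Authorization": "Bearer " + token,
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        payload = json.load(resp)
    if not payload.get("success"):
        raise RuntimeError("Cloudflare API error: %s" % payload.get("errors"))
    return payload["result"]


def apply_actions(actions, public_ip, zone_id, token, request=cf_request):
    """Execute the plan. 'request' is injectable so the logic can be exercised offline."""
    for action, name, rec_id in actions:
        if action == "update":
            request("PATCH", "/zones/%s/dns_records/%s" % (zone_id, rec_id), token,
                    {"content": public_ip})
        elif action == "create":
            # TTL 1 means "automatic" on Cloudflare; proxied=False keeps it a plain
            # A record so clients connect straight to your router's forwarded ports.
            request("POST", "/zones/%s/dns_records" % zone_id, token,
                    {"type": "A", "name": name, "content": public_ip,
                     "ttl": 1, "proxied": False})


def main():
    zone_id = os.environ["CF_ZONE_ID"]
    token = os.environ["CF_API_TOKEN"]
    names = [n.strip() for n in os.environ["DDNS_DOMAINS"].split(",") if n.strip()]

    with urllib.request.urlopen(IP_LOOKUP, timeout=15) as resp:
        public_ip = valid_public_ipv4(resp.read().decode())
    if public_ip is None:
        raise SystemExit("no routable public IPv4 detected (CGNAT?); leaving DNS untouched")

    records = cf_request("GET", "/zones/%s/dns_records?type=A" % zone_id, token)
    actions = plan_update(public_ip, records, names)
    apply_actions(actions, public_ip, zone_id, token)
    for action, name, _ in actions:
        print("%s: %s" % (name, action))


if __name__ == "__main__":
    main()
```

Running this from cron every five minutes is the same behaviour the DDNS Updater app provides; nothing in /etc/hosts is involved, because the record that has to change lives at Cloudflare, where outside clients look it up.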
This worked today getting it to deploy. Thank you!
Yes, this step is the one I’m missing. Very detailed steps, thanks for sharing and helping!