Let me know what containers or services you'd like to see in upcoming videos!!
When I check my SSL on my server against the SSL certificate shown in my browser, they are different. Is cloudflare decrypting and then re-encrypting the traffic when proxying?
Authelia with NGINX and Cloudflare can be great.
I would LOVE a video on setting up the Reactive Resume container. I can't seem to find a good tutorial on it. Thanks DB Tech!
@Luis Rodriguez I've run across that before. Maybe a video for next week :)
@Robin The SSL on your server encrypts the data from your location to CloudFlare. Then CloudFlare's SSL takes over from the internet side of things.
Don't apologize for the long video. It is very detailed compared to before. Keep up the good work dude!
I was looking for something like Uptime Kuma for days. Thank you!
YAY!!
That was a good explanation. However, we need to choose the DNS challenge in NPM when requesting an SSL. This would avoid disabling the proxy on Cloudflare. In the DNS challenge, select Cloudflare, create an API token and paste it into NPM. Let's Encrypt would validate you by creating and deleting a TXT record in Cloudflare using the API token. This would avoid disabling the proxy on Cloudflare every 3 months for SSL renewals.
Interesting, could @DB Tech do a vid on this?
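What the DNS challenge above actually does, as an added example that is not part of the original thread or of NGINX Proxy Manager's own code: for a DNS-01 challenge the ACME server (Let's Encrypt) hands the client a token, the client derives a TXT value from that token and the SHA-256 thumbprint of its ACME account key (RFC 8555 section 8.4, RFC 7638), publishes it at `_acme-challenge.<name>`, and the CA looks it up on the zone's authoritative nameservers. Because the proof lives in DNS rather than on port 80, it works with the Cloudflare proxy left on and also covers wildcard names. The account key coordinates and the token below are sample values taken from the RFC examples, not a real key, and the domain is a placeholder.

```python
import base64
import hashlib
import json

# Sample ACME account key, public part only (RFC 7517 example coordinates).
# NOT a real key. For an EC key the RFC 7638 thumbprint covers exactly crv, kty, x, y.
SAMPLE_ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
    "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0",
}
# Sample challenge token as the CA would return it (RFC 8555 example value).
SAMPLE_TOKEN = "evaGxfADs6pSRb2LAv9IZf17Dt3juxGJ-PCt92wr-oA"


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME requires everywhere."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: SHA-256 over the compact JSON of the required members
    only, keys in lexicographic order, no whitespace. Extra members are ignored."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, jwk: dict) -> str:
    """token '.' thumbprint(accountKey): ties the challenge to this ACME account."""
    return f"{token}.{jwk_thumbprint(jwk)}"


def dns01_record(domain: str, token: str, jwk: dict) -> tuple:
    """Return (record name, TXT value) to publish for a DNS-01 challenge."""
    # A wildcard has no '*.' in the challenge label: *.example.com and example.com
    # are both validated at _acme-challenge.example.com (the values differ per token).
    base = domain[2:] if domain.startswith("*.") else domain
    name = f"_acme-challenge.{base}"
    digest = hashlib.sha256(key_authorization(token, jwk).encode("ascii")).digest()
    return name, b64url(digest)


if __name__ == "__main__":
    name, value = dns01_record("*.example.com", SAMPLE_TOKEN, SAMPLE_ACCOUNT_JWK)
    # This is the record the Cloudflare API plugin creates, then deletes after validation.
    print(f'{name}. 120 IN TXT "{value}"')
```

The API token pasted into NPM is what writes that record, so scope it to DNS:Edit on the one zone you need and nothing else: a token with broader rights, if the NPM host is compromised, lets an attacker rewrite every record in your account and obtain certificates for any of your names.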
Just moved from route53 to cloudflare - this video was a huge help!
Awesome! Glad to hear it!
15:37 The delay you mentioned is very simply explained. There is a value in your DNS entries (especially if you install and configure a DNS server locally, like BIND) which defines the TTL (Time to Life) of the entries. This sets the "rhythm" in which the records will be refreshed. That strongly depends on your preferences and on how often things change. I know some instances which have 3600 seconds on internal networks, but I know some have 43200 seconds or 86400 seconds, which are the values for 1 hr, 1 day and 2 days.
If the provider manages that for you, you are out of luck. If you can manage it yourself, you should take into consideration that it would increase the load on the servers, depending on the scale. Maybe you need to split up between multiple DNS servers with various TTLs, like a more "static" TTL for the "base systems" which don't change very often and a more "dynamic" TTL for the test lab where things can change quickly ;)
But from the best practices I have read and experienced myself, you should not go under 3600 for that.
But the NGINX Proxy Manager looks interesting, I will try that for myself :)
A note for those receiving the error "too many redirects". Go to the Cloudflare SSL/TLS tab, then set your encryption mode to Full (strict)
You star - thanks for this - was driving me mad!
This doesn't fix it for me and results in a 504 error.
Thank you for this! Love Uptime Kuma, busy with an Oracle Cloud free account + Cloudflare + Ubuntu + Docker + Portainer + NGINX reverse proxy + Kuma + Wazuh and a few other tools. 4x cores + 24GB RAM + 200GB disk. For free.
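Why "Full (strict)" clears the redirect loop, as an added model that is not part of the original thread or of any Cloudflare or NPM code: in Flexible mode the edge talks plain HTTP to the origin, so an NPM proxy host with "Force SSL" answers every such request with a 301 to https://, the browser (already on HTTPS) asks the edge again, the edge goes to the origin over HTTP again, and the loop never ends. In Full mode the edge uses TLS to the origin but accepts any certificate, including NPM's default self-signed one; Full (strict) additionally requires a certificate that is publicly trusted or issued by Cloudflare's Origin CA, and otherwise returns Cloudflare error 526. The origin and the status codes below are constructed to model that behaviour; nothing in it explains a 504, which is a different condition (the edge timed out waiting on the origin).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Origin:
    """The NGINX Proxy Manager host as Cloudflare's edge sees it (constructed model)."""
    force_https: bool   # NPM proxy host has "Force SSL" enabled
    cert: str           # "none", "self-signed", "origin-ca" or "lets-encrypt"


# Certificates the edge accepts from the origin, per SSL/TLS encryption mode.
ACCEPTED_CERTS = {
    "flexible": set(),                                      # edge->origin is plain HTTP
    "full": {"self-signed", "origin-ca", "lets-encrypt"},   # encrypted but not validated
    "strict": {"origin-ca", "lets-encrypt"},                # publicly trusted or Cloudflare Origin CA
}


def origin_reply(origin: Origin, scheme: str) -> int:
    """What the origin answers to one request that arrived over `scheme`."""
    if scheme == "http" and origin.force_https:
        return 301   # Location: https://<host>/...
    return 200


def edge_fetch(mode: str, origin: Origin) -> int:
    """One edge->origin hop; the status the edge passes back to the visitor."""
    if mode == "flexible":
        return origin_reply(origin, "http")
    if origin.cert == "none":
        return 525   # Cloudflare: SSL handshake failed (origin has no TLS on 443)
    if origin.cert not in ACCEPTED_CERTS[mode]:
        return 526   # Cloudflare: invalid SSL certificate (Full (strict) rejects it)
    return origin_reply(origin, "https")


def visit(mode: str, origin: Origin, max_redirects: int = 5) -> str:
    """A browser opening https://<host>/ through the proxy, following redirects."""
    redirects = 0
    while True:
        status = edge_fetch(mode, origin)
        if status == 301:
            redirects += 1
            if redirects > max_redirects:
                return "ERR_TOO_MANY_REDIRECTS"
            continue   # browser re-requests https://<host>/; the edge repeats the same hop
        if status == 200:
            return f"200 OK ({redirects} redirects)"
        return f"Cloudflare error {status}"


if __name__ == "__main__":
    npm_default = Origin(force_https=True, cert="self-signed")
    for mode in ("flexible", "full", "strict"):
        print(f"{mode:9} force_https + self-signed -> {visit(mode, npm_default)}")
    print(f"strict    origin-ca                 -> {visit('strict', Origin(True, 'origin-ca'))}")
```

A practical consequence of the strict rule: a Cloudflare Origin CA certificate is trusted only by Cloudflare's edge, so if you install one on NPM and then open the site with the proxy turned off (grey cloud) or by IP, the browser reports NET::ERR_CERT_AUTHORITY_INVALID even though everything is configured correctly for proxied traffic.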
Nice video. Is it possible to have nginx and lets encrypt working only locally? I don't want my services exposed publicly. I wish you had a video on that. 😅
Awesome information! I appreciate your hard work!
I appreciate that!
This video that goes deep makes things so much clearer!
Glad to hear it!
I love Cloudflare. I wish NPM was even a small fraction as easy to use.
Me too on all of that. I've quit using NPM entirely and have switched to Cloudflare Tunnels.
@@DBTechYT I want to use Cloudflare which routes traffic into my firewall for IPS & IDS, then into NPM, and then onto the service with rules that only allow that route. I’m not comfortable with Cloudflare going direct to my published service.
I get that. Lots of people have the same thought process as you. To each their own :)
Don't forget to use your Cloudflare updater if you don't have a permanent/static IP at home. Another great tutorial - thank you.
Great tip!
@@DBTechYT I got this from your Pi4 series, and now use it regularly for any external access to the home network. Thankyou for many great videos, I have learnt a lot.
Another great video, very helpful thanks
did you put Kuma in the same network of nginx? I triple checked the IPs and I get "This is the default server vhost" error when opening the pages
I liked it, subbed.
Thanks!!
I’m in a similar situation to you. I have a Virgin Media modem forwarding ports to my Unifi system. Probing ports 80 and 443 shows they are open, so they are being successfully forwarded. However, when I try to create a certificate I get this error: “There is a server found at this domain but it returned an unexpected status code 502”.
I was not able to ping my domain after creating the A record using my public IP. Should I add any firewall rules to be able to ping?
I was wondering if you had to go to the Cloudflare SSL/TLS tab, and then toggle your encryption mode between Full/Off the same way you toggled the DNS proxy status. If not, what setting do you have it set to? Did you set it to that status prior to saving the proxy status? I actually watched your first video last year, and got close but no cigar, and am now trying it again.
I have created SSLs on Cloudflare and have installed them in NGINX Proxy Manager (ua-cam.com/video/pwK1LnbTitI/v-deo.html) and use them for whatever domain I've created the SSL for. Once that is done, I leave Proxy Mode on "Proxied" all the time. I don't have to toggle that any more since we already have the SSL set up.
Also, because I'm using a custom SSL installed on my local machine, my SSL/TLS encryption mode is Full (strict). Going this route has REALLY simplified my deployment process.
How many got the itch to write: “it doesn’t work”?
Lol, I know I did
Good vid though, thanks again.
My tunnels won't start no matter what I try... It keeps giving me an error about the QUIC protocol not being allowed outgoing. I can't find any information online.
I'm wondering if this is because I have Comcast's router blocking stuff.
So the question is: are your tunnels on your main subnet, or, like mine, behind a secondary router?
You'll need to forward ports 80 and 443 from your modem to your router and then to the server running nginx proxy manager
@@DBTechYT I have the modem to replace Xfi, but it's just a modem, so I have to wait for the DD-WRT to act as gateway so I can have the control I can't figure out with Comcast... I'll let ya know when my hardware comes in. Make my Internet a dumb-net pipe. Comcast is driving me crazy blocking things that it won't give ANY details about, and the link that is supposed to explain it doesn't. Ugh... I was thinking about going with Tailscale to give me static IPs for my future swarm/Kubernetes clusters, and it's good for sharing specific servers+services with TS. Whereas I had planned for 4-6 internal tunnels to various nodes for publicly shared services, to get CF reverse proxy DDoS protection.
Thanks for the amazing tutorial. What is the type of Cloudflare connection? I set it to Flexible and it worked for me, but the others didn’t. Please help, thanks.
Once you get the SSL setup on your NGINX Proxy Manager, you should be able to set it to "Strict" and be good to go.
Longer AiO videos are good!
Do you have a video that goes over setting up docker and portainer? I tried looking through your past videos and couldn't find one. I've been struggling to get just a good starting point on docker to even begin getting nginx, or other services to work.
There's a whole playlist from start to wherever it is now: ua-cam.com/video/A5ckT7pxrNY/v-deo.html
@Db Tech thank you for this video, would you suggest or do a video about NGINX proxy manager versus HA proxy?
I'll look into it
Very nice video. I've got some problem using Nginx Proxy Manager and Cloudflare with Home Assistant. If I enable the Cloudflare proxy I can't login using the domain name to my Home Assistant even if I have configured it with the list of proxies and I've enabled the websocket option in NGINX. Any idea?
Hi, thank you very much. I'm having a strange problem though. I've set it up just like you did, and pointed it to Jellyfin on 8096, but it seems to always load the router web interface page? Very odd indeed, as I didn't think port forwarding on the router was necessary. Any ideas?
Then you didn't successfully forward ports 80 and 443 from your modem/router to your NGINX Proxy Manager server.
If I'm doing this on a VPS, how can I secure access to port 81 of NGINX Proxy Manager's web interface? It’s exposed and accessible from the public IP of the VPS!
(I can hide the Uptime Kuma container port by giving it to the ngnixproxy network container.)
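A check for the port 81 problem above, as an added example that is not part of the original thread or of NPM's own tooling. On a VPS the fix is to publish the admin port on loopback only in the compose file (`127.0.0.1:81:81` instead of `81:81`) and reach it through an SSH tunnel (`ssh -L 8181:127.0.0.1:81 user@vps`, then open http://localhost:8181). The script below audits what is actually listening: it parses `ss -Hltn` output and flags any port bound to a wildcard address that you did not intend to be public. The sample output, the intended-port list and the hostnames are constructed; when run on a real Linux host it calls `ss` itself and falls back to the sample if `ss` is missing.

```python
import subprocess

# Constructed sample of `ss -Hltn` output on a VPS running NPM (80/443/81 published by
# Docker on all interfaces) and Uptime Kuma (3001 published on loopback only).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 4096  0.0.0.0:80     0.0.0.0:*
LISTEN 0 4096  0.0.0.0:443    0.0.0.0:*
LISTEN 0 4096  0.0.0.0:81     0.0.0.0:*
LISTEN 0 128   127.0.0.1:3001 0.0.0.0:*
LISTEN 0 4096  [::]:80        [::]:*
LISTEN 0 4096  [::]:443       [::]:*
LISTEN 0 4096  [::]:81        [::]:*
LISTEN 0 128   0.0.0.0:22     0.0.0.0:*
"""

# Ports you deliberately expose: the reverse proxy itself and SSH (assumed here).
INTENDED_PUBLIC_PORTS = {22, 80, 443}
# Local addresses that mean "every interface, v4 or v6".
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "::", "*"}


def parse_listeners(ss_output: str) -> list:
    """Return (local address, port) pairs from `ss -Hltn` style lines."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        # rpartition keeps bracketed IPv6 addresses like [::] intact.
        addr, _, port = fields[3].rpartition(":")
        listeners.append((addr, int(port)))
    return listeners


def unexpected_exposed_ports(ss_output: str, intended: set) -> list:
    """Ports bound on every interface that are not on the intended-public list."""
    found = {
        port for addr, port in parse_listeners(ss_output)
        if addr in WILDCARD_ADDRS and port not in intended
    }
    return sorted(found)


def live_ss_output() -> str:
    """Run ss on this host; fall back to the constructed sample where it is unavailable."""
    try:
        return subprocess.run(["ss", "-Hltn"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_SS_OUTPUT


if __name__ == "__main__":
    for port in unexpected_exposed_ports(live_ss_output(), INTENDED_PUBLIC_PORTS):
        print(f"port {port} listens on all interfaces: bind it to 127.0.0.1 or firewall it")
```

Do not rely on ufw alone to close port 81: Docker inserts its own iptables rules for published ports ahead of the host's INPUT rules, so a port published as `81:81` stays reachable from the internet even when ufw says it is denied. Binding to 127.0.0.1 in the compose file is the reliable fix.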
you have good information, however you restrict the meat of the presentation to very small fonts because you are not zooming in a bit. Also, your pip with you in it is taking up a lot of space too. Thanks for all you do for us tubers...
Well.. this video is 3 years old now, so... my more current videos are less irritating in that regard :)
1 frame, IP leak at 22:27 :P but you have probably changed your IP by now. :D
I am trying to set up an Uptime Kuma HTTP(s) monitor, but the server keeps returning 302 Found even though the service is down. I tried adding a firewall rule to disable Browser Integrity Check but that didn't work either :(
Do I have to disable proxying on Cloudflare each time the LE cert needs to be renewed?
Or you can generate and install SSLs from CloudFlare and avoid this issue: ua-cam.com/video/pwK1LnbTitI/v-deo.html
When you say to port forward 80 and 443 to the server, are you forwarding to the NPM server or the actual server that you want accessible to the internet?
That's a good question I should have clarified on. Point 80 and 443 to your NPM server. You'll route your traffic from there :)
@@DBTechYT so it's the server that's hosting npm? Which could be the same server we want to access correct?
Point 80 and 443 to whatever the IP of the server hosting NPM is. When you setup a domain on NPM, you'll route the traffic from there to any other server on your network that has an application you want to be accessible from the internet.
Hey, thank you for your videos, they have really helped me many times! I have a question regarding Cloudflare's proxy system. How do you monitor domains that are being proxied? I faced the situation where the domain responds with a 200 code even if it's down, because of Cloudflare's default answer, like at 27:19.
You might need to go into CloudFlare and turn off the "Always On" option.
Followed to a T and I get a big Red Deceptive site ahead warning and it just sits there then the cloudflare page Connection timed out and error where it shows my domain on their error screen.. I have literally been working on this for 3 days. So frustrating. I'm about to just give up. Every video is a little different so I don't know who to follow. I followed this one exactly just because it seemed the most straight forward. ugh haha. Thanks if anyone has any help! Jason
A deceptive site warning has nothing to do with this. That has to do with Google thinking that your domain name is being used to scam people. You need to find out how to clear your domain's reputation.
This does not seem to work with cloudflare, any workaround?
Please watch this video: ua-cam.com/video/2mdoHQlZu8M/v-deo.html
@@DBTechYT thanks great
porkbun asks me for my ID verification. I am from Oman . Is it safe to provide my ID card to the website?
I've been using them for years and have had no issues.
I'm having trouble reaching DSM 7 from NPM. DSM 6 was working, and any other apps are working too. Has anyone encountered this problem?
Do I need a static public IP for creating a record in Cloudflare?
it helps. you could use a Cloudflare DDNS container to update your Cloudflare records. OR you could use this solution instead: ua-cam.com/video/OAeQwdFXsQQ/v-deo.html
@@DBTechYT Thank you, good sir. I shall give this video a watch.
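What a "Cloudflare updater" does, as an added example that is not part of the original thread, of the video's DDNS container, or of any Cloudflare-provided code. The script below learns the current public IP from Cloudflare's own `/cdn-cgi/trace` endpoint, compares it with the existing A record through the Cloudflare v4 API, and only writes when something changed. Keeping the record proxied (orange cloud) matters here: an unproxied A record publishes your home IP to the world, which defeats the point of putting Cloudflare in front of NPM. The token and zone ID come from environment variables named `CF_API_TOKEN` and `CF_ZONE_ID` (names chosen for this example), the record name is a placeholder, and the trace sample is constructed.

```python
import json
import os
import urllib.parse
import urllib.request
from typing import Optional

CF_API = "https://api.cloudflare.com/client/v4"

# Constructed, abridged sample of what https://1.1.1.1/cdn-cgi/trace returns.
SAMPLE_TRACE = "fl=123abc\nh=1.1.1.1\nip=203.0.113.7\nts=1700000000.123\ncolo=AMS\n"


def ip_from_trace(body: str) -> str:
    """Pull the ip= line out of Cloudflare's /cdn-cgi/trace response."""
    for line in body.splitlines():
        key, sep, value = line.partition("=")
        if sep and key == "ip":
            return value.strip()
    raise ValueError("trace output contained no ip= line")


def desired_record(name: str, ip: str, proxied: bool = True) -> dict:
    """The A record we want. ttl=1 is Cloudflare's 'auto'; proxied records are always auto."""
    return {"type": "A", "name": name, "content": ip, "ttl": 1, "proxied": proxied}


def needs_update(existing: dict, desired: dict) -> bool:
    """Write only when something differs: no needless API calls, no noise in the audit log."""
    return any(existing.get(key) != desired[key] for key in ("type", "content", "proxied"))


def cf_call(token: str, method: str, path: str, payload: Optional[dict] = None):
    """Minimal Cloudflare v4 API call; raises on HTTP or API-level failure."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        CF_API + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(f"Cloudflare API error: {body.get('errors')}")
    return body["result"]


def sync_a_record(token: str, zone_id: str, name: str) -> dict:
    """Create or update `name` so it points at this network's current public IP."""
    with urllib.request.urlopen("https://1.1.1.1/cdn-cgi/trace", timeout=10) as resp:
        ip = ip_from_trace(resp.read().decode())
    desired = desired_record(name, ip)
    query = urllib.parse.urlencode({"type": "A", "name": name})
    existing = cf_call(token, "GET", f"/zones/{zone_id}/dns_records?{query}")
    if not existing:
        return cf_call(token, "POST", f"/zones/{zone_id}/dns_records", desired)
    record = existing[0]
    if needs_update(record, desired):
        return cf_call(token, "PATCH", f"/zones/{zone_id}/dns_records/{record['id']}", desired)
    return record


if __name__ == "__main__":
    # Secrets come from the environment, never from the script or a git-tracked file.
    token = os.environ["CF_API_TOKEN"]   # scope it to Zone:DNS:Edit on this one zone only
    zone_id = os.environ["CF_ZONE_ID"]
    print(sync_a_record(token, zone_id, os.environ.get("CF_RECORD_NAME", "home.example.com")))
```

Run it from cron or a systemd timer every few minutes; the `needs_update` check keeps the steady state free of API writes, so a burst of updates in the zone's audit log is itself a useful signal that something (or someone) else is changing the record.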
So I created a new domain with Porkbun and switched it to Cloudflare. However, it has 200 CNAME records that I don't really want to delete one by one! Has anybody got any tips on how to remove these quickly?
I have run into that. Delete the domain from cloudflare, then wait a few minutes and add it back to cloudflare. I've had that work in the past.
@@DBTechYT That did the trick - thanks!
Can this be a performance issue for local servers? Does the constant pinging cause that?
No. It's a simple ping that happens at whatever interval you decide. It could be every minute or every hour or whatever, but it's just a simple ping to see if the device responds and that's it.
@@DBTechYT Thanks for the information
@@DBTechYT By the way, a small question about Cloudflare: we can use proxied mode for the connection to the host, but is that possible only with Cloudflare? I mean, if we don't use Cloudflare, is there another option like Cloudflare to use proxied mode?
Can I have more than 1 domain point to the same IP?
As many as you want
Hi David, I have a question about setting up the NGINX Proxy Manager Docker container on my NAS. I have set up everything, but when I try to add a proxy host to redirect a URL to some container, it only shows the Web Station page instead of the actual container page. Do you know why this is happening?
DNS doesn't propagate!
DNS propagation is the time period in which it takes updates to DNS records to be in full effect across all servers on the web. The reason changes aren't instantaneous is because nameservers store domain record information in their cache for a certain amount of time before they refresh
I am fairly certain that I followed directions completely however I cannot get the server up.. I am running docker with omv6 if that matters... here is the error in the logs
2022-03-20 12:32:31,965 fail2ban.configreader [1]: INFO Loading configs for filter.d/npm-docker under /etc/fail2ban
2022-03-20 12:32:31,966 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/npm-docker.conf']
2022-03-20 12:32:31,966 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/filter.d/npm-docker.conf']
2022-03-20 12:32:31,969 fail2ban.configreader [1]: INFO Loading configs for action.d/cloudflare-apiv4 under /etc/fail2ban
2022-03-20 12:32:31,970 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/cloudflare-apiv4.conf']
2022-03-20 12:32:31,971 fail2ban.configparserinc[1]: INFO Loading files: ['/etc/fail2ban/action.d/cloudflare-apiv4.conf']
2022-03-20 12:32:31,973 fail2ban.jailreader [1]: NOTICE No file(s) found for glob /log/npm/default-host_access.log
2022-03-20 12:32:31,974 fail2ban.jailreader [1]: NOTICE No file(s) found for glob /log/npm/proxy-host-*_access.log
2022-03-20 12:32:31,974 fail2ban.jailreader [1]: NOTICE No file(s) found for glob /log/npm/proxy-host-*_error.log
2022-03-20 12:32:31,975 fail2ban [1]: ERROR Failed during configuration: Have not found any log file for npm-docker jail
2022-03-20 12:32:31,977 fail2ban [1]: ERROR Async configuration of server failed
Traceback (most recent call last):
File "/usr/lib/python3.9/site-packages/fail2ban/client/fail2banserver.py", line 189, in start
raise ServerExecutionException('Async configuration of server failed')
fail2ban.client.fail2bancmdline.ServerExecutionException: Async configuration of server failed
any thoughts?
sorry wrong video my bad...
Hi, I did what you did, but I got this message when I tried to access my subdomain: NET::ERR_CERT_AUTHORITY_INVALID
Then use this method for your certs: ua-cam.com/video/pwK1LnbTitI/v-deo.html
@@DBTechYT Hi, I watched the video step by step and I'm still getting the same error. Every time I go to my domain it says NET::ERR_CERT_AUTHORITY_INVALID.