After my previous post here looking for input on an easily maintained docker and reverse proxy setup, I opted to go for NPM. I also moved my domain registration and DNS from Google Domains to Cloudflare.
It was a breeze to set up for the most part, I did have some pain getting my certs in order - NPM easily pulled down certs from LetsEncrypt, but Cloudflare didn’t like it unless I used their 15-year origin server cert, which worked perfectly. I set up Portainer first, then wordpress and NPM. (I’m generally comfortable with command-line stuff, but I have much less experience with Docker so Portainer is great for someone like me.)
I specified a network I created (“proxy”) in the docker compose files, and that allowed me to use the container name in NPM to set up the proxy hosts. I quickly and easily set up proxy hosts for the main domain (points toward the WP container), a portainer subdomain pointing to the portainer container, and an NPM subdomain pointing to NPM. At this point things have been easy, everything is working beautifully, and I’m thinking about all the other things I want to eventually spin up and host.
Then I started with FreshRSS. I was able to set it up - I could access it via the IP:port but no matter what I did, the subdomain gave me Cloudflare’s 502 Bad Gateway error. I adjusted the BASE_URL in the container, I’ve tried all sorts of settings in NPM - http, https, using different subdomains, different ports, etc (changing them in the docker compose as well of course) but no dice. I did some searching around and found a few examples like this and this where I’ve seen others having similar issues and not being able to fix them.
So I thought maybe it was some kind of weird issue with FreshRSS specifically, so I removed it and spun up Miniflux instead. Same as the previous time - I could access Miniflux perfectly well via the IP:port but the reverse proxy gives me a 502 every single time. The containers are on the same network. What am I missing with these?
For reference, here’s the docker compose for the miniflux stack:
services:
miniflux:
image: miniflux/miniflux:latest
container_name: miniflux
ports:
- "8099:8080"
depends_on:
db:
condition: service_healthy
environment:
- DATABASE_URL=postgres://miniflux:secret@db/miniflux?sslmode=disable
- BASE_URL=[redacted]
db:
image: postgres:15
container_name: miniflux_db
environment:
- POSTGRES_USER=miniflux
- POSTGRES_PASSWORD=secret
volumes:
- /media/config/miniflux:/var/lib/postgresql/data
healthcheck:
test: ["CMD", "pg_isready", "-U", "miniflux"]
interval: 10s
start_period: 30s
networks:
default:
name: proxy
Here is an example of the NPM setup. Cloudflare is the access list I created that limits it to Cloudflare’s IP ranges, and the site-wide origin cert is selected on the SSL tab, just like my other proxy entries which are currently working.
So not sure what you are using for proxy. I am using Caddy which will make a certificate for you.
I have Cloudflare for DNS and point it to my in-home router and is set to Proxy status to
DNS only
. The in-home router points to my box for 443.Spin up and go to privatebin.mydomain.tld
./data/caddy/Caddyfile
{ email myemail@gmail.com } privatebin.mydomain.tld{ reverse_proxy privatebin:8080 }
docker_compose.yml
version: "3.9" networks: web: external: true caddy_internal: external: false driver: bridge services: caddy: image: caddy:latest restart: unless-stopped container_name: caddy ports: - "80:80" - "443:443" volumes: - ./data/caddy/Caddyfile:/etc/caddy/Caddyfile - ./data/caddy/data:/data # Optional - ./data/caddy/config:/config # Optional networks: - web - caddy_internal privatebin: image: privatebin/nginx-fpm-alpine:latest restart: unless-stopped container_name: privatebin volumes: - ./data/privatebin:/srv/data networks: - caddy_internal
I switched to Cloudflare recently just to play around with various federation instances and had this error until I set SSL/TLS mode to “Full (strict)” and DNS to “proxy only.” I think some of the comments I saw said you can switch that last one back once things are working, but not 100% sure.
Repost from kbin directly since federation is being weird.
I use a similar setup with dockerized NPM. I see 2 things in this example that I do differently.
- Make sure to explicitly call out
external: true
in the network definition. I’m not sure what compose will do if you don’t. But I wouldn’t want it making any new proxy networks accidentally. - proxy should be in the
networks
list for each container you want accessible from NPM. I don’t believe just defining it in the compose adds all containers to that automatically.
Awesome, thanks…I’ll try that. So to be sure I’m understanding - I want to add “external: true” beneath "name: proxy: and then add the following to each container in the compose? Edit: I now realize the below is the freshrss stack and not the miniflux stack, but I have the same issue with both compose files and the proxy host
networks: - proxy
I believe I might be doing that wrong because I get an error about undefined network when I try the below, and simply defining “external” doesn’t fix it:
--- version: "2.1" services: freshrss: image: lscr.io/linuxserver/freshrss:latest container_name: freshrss environment: - PUID=1000 - PGID=1000 - TZ=America/New_York - BASE_URL=[redacted] volumes: - /media/config/freshrss:/config ports: - 8040:80 restart: unless-stopped networks: - proxy networks: default: name: proxy external: true
- Make sure to explicitly call out