After my previous post here looking for input on an easily maintained docker and reverse proxy setup, I opted to go for NPM. I also moved my domain registration and DNS from Google Domains to Cloudflare.

It was a breeze to set up for the most part, I did have some pain getting my certs in order - NPM easily pulled down certs from LetsEncrypt, but Cloudflare didn’t like it unless I used their 15-year origin server cert, which worked perfectly. I set up Portainer first, then wordpress and NPM. (I’m generally comfortable with command-line stuff, but I have much less experience with Docker so Portainer is great for someone like me.)

I specified a network I created (“proxy”) in the docker compose files, and that allowed me to use the container name in NPM to set up the proxy hosts. I quickly and easily set up proxy hosts for the main domain (points toward the WP container), a portainer subdomain pointing to the portainer container, and an NPM subdomain pointing to NPM. At this point things have been easy, everything is working beautifully, and I’m thinking about all the other things I want to eventually spin up and host.

Then I started with FreshRSS. I was able to set it up - I could access it via the IP:port but no matter what I did, the subdomain gave me Cloudflare’s 502 Bad Gateway error. I adjusted the BASE_URL in the container, I’ve tried all sorts of settings in NPM - http, https, using different subdomains, different ports, etc (changing them in the docker compose as well of course) but no dice. I did some searching around and found a few examples like this and this where I’ve seen others having similar issues and not being able to fix them.

So I thought maybe it was some kind of weird issue with FreshRSS specifically, so I removed it and spun up Miniflux instead. Same as the previous time - I could access Miniflux perfectly well via the IP:port but the reverse proxy gives me a 502 every single time. The containers are on the same network. What am I missing with these?

For reference, here’s the docker compose for the miniflux stack:

services:
  miniflux:
    image: miniflux/miniflux:latest
    container_name: miniflux
    ports:
      - "8099:8080"
    depends_on:
      db:
        condition: service_healthy
    environment:
      - DATABASE_URL=postgres://miniflux:secret@db/miniflux?sslmode=disable
      - BASE_URL=[redacted]

  db:
    image: postgres:15
    container_name: miniflux_db
    environment:
      - POSTGRES_USER=miniflux
      - POSTGRES_PASSWORD=secret
    volumes:
      - /media/config/miniflux:/var/lib/postgresql/data
    healthcheck:
      test: ["CMD", "pg_isready", "-U", "miniflux"]
      interval: 10s
      start_period: 30s

networks:
  default:
    name: proxy

Here is an example of the NPM setup. Cloudflare is the access list I created that limits it to Cloudflare’s IP ranges, and the site-wide origin cert is selected on the SSL tab, just like my other proxy entries which are currently working.

  • AceFour@lemmy.thesmokinglounge.club
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    So not sure what you are using for proxy. I am using Caddy which will make a certificate for you.

    I have Cloudflare for DNS and point it to my in-home router and is set to Proxy status to DNS only. The in-home router points to my box for 443.

    Spin up and go to privatebin.mydomain.tld

    ./data/caddy/Caddyfile

    {
    	email myemail@gmail.com
    }
    privatebin.mydomain.tld{
    	reverse_proxy privatebin:8080
    }
    

    docker_compose.yml

    version: "3.9"
    
    networks:
      web:
        external: true
      caddy_internal:
        external: false
        driver: bridge
    
    services:
      caddy:
        image: caddy:latest
        restart: unless-stopped
        container_name: caddy
        ports:
          - "80:80"
          - "443:443"
        volumes:
          - ./data/caddy/Caddyfile:/etc/caddy/Caddyfile
          - ./data/caddy/data:/data # Optional
          - ./data/caddy/config:/config # Optional
        networks:
          - web
          - caddy_internal
      privatebin:
        image: privatebin/nginx-fpm-alpine:latest
        restart: unless-stopped
        container_name: privatebin
        volumes:
          - ./data/privatebin:/srv/data
        networks:
          - caddy_internal
    
  • CapgrasDelusion@kbin.social
    link
    fedilink
    arrow-up
    1
    ·
    1 year ago

    I switched to Cloudflare recently just to play around with various federation instances and had this error until I set SSL/TLS mode to “Full (strict)” and DNS to “proxy only.” I think some of the comments I saw said you can switch that last one back once things are working, but not 100% sure.

  • TheOneCurly@kbin.social
    link
    fedilink
    arrow-up
    0
    ·
    1 year ago

    Repost from kbin directly since federation is being weird.

    I use a similar setup with dockerized NPM. I see 2 things in this example that I do differently.

    1. Make sure to explicitly call out external: true in the network definition. I’m not sure what compose will do if you don’t. But I wouldn’t want it making any new proxy networks accidentally.
    2. proxy should be in the networks list for each container you want accessible from NPM. I don’t believe just defining it in the compose adds all containers to that automatically.
    • hispeedzintarwebz@kbin.socialOP
      link
      fedilink
      arrow-up
      1
      ·
      edit-2
      1 year ago

      Awesome, thanks…I’ll try that. So to be sure I’m understanding - I want to add “external: true” beneath "name: proxy: and then add the following to each container in the compose? Edit: I now realize the below is the freshrss stack and not the miniflux stack, but I have the same issue with both compose files and the proxy host

      networks:
            - proxy
      
      

      I believe I might be doing that wrong because I get an error about undefined network when I try the below, and simply defining “external” doesn’t fix it:

      ---
      version: "2.1"
      services:
        freshrss:
          image: lscr.io/linuxserver/freshrss:latest
          container_name: freshrss
          environment:
            - PUID=1000
            - PGID=1000
            - TZ=America/New_York
            - BASE_URL=[redacted]
          volumes:
            - /media/config/freshrss:/config
          ports:
            - 8040:80
          restart: unless-stopped
          networks:
            - proxy
      
      networks:
        default:
          name: proxy
          external: true