[Bug] Current version is NOT drop-in replacement for official npm - ports and mount point are wrong #15

Open
yurividal opened this issue Nov 19, 2024 · 9 comments
Labels
bug Something isn't working

Comments

yurividal commented Nov 19, 2024

Current Behavior

Original npm uses ports 80, 443 and 81, and uses /data as the location of configurations, as seen on their example compose file:

    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - ./data:/data

This project exposes its services on 8181, 4443 and 8080. It also expects config files to be mounted on /config.

This can be very confusing for users looking to migrate, since the project describes itself as "a drop in replacement for jlesage/nginx-proxy-manager".

Expected Behavior

This project should be changed so that it exposes its services on ports 443, 80 and 81. Config location should be set to /data, in order to be a drop-in replacement for original npm.

No response

Steps To Reproduce

No response

Environment

  • OS:
  • OS version:
  • CPU:
  • Docker version:
  • Device model:
  • Browser/OS:

Container creation

    docker run -d \
      --name=nginx-proxy-manager \
      -p 8181:8181 \
      -p 8080:8080 \
      -p 4443:4443 \
      -v /docker/appdata/nginx-proxy-manager:/config:rw \
      lepresidente/nginx-proxy-manager

Container log

-

Container inspect

No response

Anything else?

No response

@yurividal yurividal added the bug Something isn't working label Nov 19, 2024
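
The mismatch reported above, as an added example that is not part of the original issue or the project's code: a line-based rewrite of the short-syntax `ports:` and `volumes:` entries of an official-NPM compose file to the container-side values this image expects. The function names and the sample are constructed here; long-syntax port mappings and Windows host paths are not handled, and the files inside the mounted directory are not touched.

```python
import re

# Container-side values reported in this issue: official NPM -> this image.
PORT_MAP = {"80": "8080", "81": "8181", "443": "4443"}
PATH_MAP = {"/data": "/config"}
ITEM = re.compile(r"^(\s*-\s*)(['\"]?)([^'\"#]+?)\2\s*$")  # "- '80:80'" or "- ./data:/data"
KEY = re.compile(r"^\s*([\w.-]+):\s*(\S.*)?$")             # "ports:" or "image: foo"

def translate_port(entry):
    """Rewrite only the container port of '[ip:][host:]container[/proto]'."""
    spec, _, proto = entry.partition("/")
    parts = spec.split(":")
    parts[-1] = PORT_MAP.get(parts[-1], parts[-1])
    return ":".join(parts) + ("/" + proto if proto else "")

def translate_volume(entry):
    """Rewrite only the container path of 'host:container[:mode]'."""
    parts = entry.split(":")
    if len(parts) >= 2:
        parts[1] = PATH_MAP.get(parts[1].rstrip("/"), parts[1])
    return ":".join(parts)

def migrate_compose(text):
    """Rewrite list items under ports:/volumes:; every other line passes through."""
    section, out = None, []
    for line in text.splitlines():
        item, key = ITEM.match(line), KEY.match(line)
        if item and section:
            fix = translate_port if section == "ports" else translate_volume
            indent, quote, value = item.groups()
            line = f"{indent}{quote}{fix(value)}{quote}"
        elif key:
            name, rest = key.groups()
            section = name if name in ("ports", "volumes") and not rest else None
        out.append(line)
    return "\n".join(out)

# Constructed sample: the fragment quoted in the issue, wrapped in a service.
OFFICIAL = """services:
  app:
    ports:
      - '80:80'
      - '81:81'
      - '443:443'
    volumes:
      - ./data:/data
"""
print(migrate_compose(OFFICIAL))
```

Host-side ports and paths are left alone, so the published ports stay 80, 81 and 443 while the container side becomes 8080, 8181 and 4443.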
@Anthony-Lloyd

Agreed, the file structure is pretty bad, but I managed to get it working. To fix it, just back up your original config and replace over the top. Good luck finding where they go though lmfao

Japhys commented Dec 20, 2024

Yes, I am struggling with this as well. These ports make it difficult to just replace the default NPM Docker image. I also tried a clean install, but now I can't access the Docker apps I am running behind this proxy. And requesting an SSL cert gets me an internal error. I am sure it has something to do with the ports or port forwarding, but I am afraid this is beyond the limited knowledge I possess of networking :)

Japhys commented Dec 31, 2024

Just to follow up on my previous comment (and a bit off topic maybe, sorry). I decided to start all over and do it from scratch again, now it's fully functional. It checks logs from all hosts in NPM. But OP is right, still not a drop-in. For someone looking for a complete setup though, this is mine:

version: "3.8"
services:
  nginx-proxy-manager:
    image: 'lepresidente/nginx-proxy-manager:latest'
    restart: always
    ports:
      - "81:8181"
      - "80:8080"
      - "443:4443"
    environment:
      TZ: "Europe/Amsterdam"
      DISABLE_IPV6: "1"
    volumes:
      - "/srv/npmsec/data/nginx-proxy-manager:/config:rw"
      - "/srv/npmsec/data/nginx-proxy-manager/crowdsec/templates:/templates:ro"

    networks:
      homelab:
        ipv4_address: 172.20.0.14

  crowdsec:
    image: "crowdsecurity/crowdsec:latest"
    container_name: crowdsec
    expose:
      - 8080
    environment:
      PGID: "1000"
    volumes:
      - "/srv/npmsec/crowdsec/data:/var/lib/crowdsec/data"
      - "/srv/npmsec/crowdsec/config:/etc/crowdsec"
      - "/var/log/auth.log:/var/log/auth.log:ro"
      - "/srv/npmsec/data/nginx-proxy-manager/log:/var/log/nginx:ro"
    restart: unless-stopped
    networks:
      homelab:
        ipv4_address: 172.20.0.16

networks:
  homelab:
    external: true

Get your api

sudo docker exec -it crowdsec cscli bouncers add nginx-proxy

Open config:

cd /srv/npmsec/data/nginx-proxy-manager/crowdsec

sudo nano crowdsec-openresty-bouncer.conf

Edit some parts, paste api:

ENABLED=true
API_URL=http://172.20.0.16:8080 # Edited
API_KEY=xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx # Edited
CACHE_EXPIRATION=1
# bounce for all type of remediation that the bouncer can receive from the local API
BOUNCING_ON_TYPE=all
FALLBACK_REMEDIATION=ban
REQUEST_TIMEOUT=3000
UPDATE_FREQUENCY=10
# live or stream
MODE=live
# exclude the bouncing on those location
EXCLUDE_LOCATION=
#those apply for "ban" action
# /!\ REDIRECT_LOCATION and RET_CODE can't be used together. REDIRECT_LOCATION take priority over RET_CODE
BAN_TEMPLATE_PATH=/templates/ban.html # Edited
REDIRECT_LOCATION=
RET_CODE=
#those apply for "captcha" action
#valid providers are recaptcha, hcaptcha, turnstile
CAPTCHA_PROVIDER=
# Captcha Secret Key
SECRET_KEY=
# Captcha Site key
SITE_KEY=
CAPTCHA_TEMPLATE_PATH=/tmp/crowdsec-openresty-bouncer-install/data/crowdsec//templates/captcha.html
CAPTCHA_EXPIRATION=3600

NPM log parsers

cd /srv/npmsec/crowdsec/config

sudo nano acquis.yaml

filenames:
  - /var/log/nginx/*.log
labels:
  type: nginx-proxy-manager
---

With a bit of help from @geek2gether youtube vids :)
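
A pre-flight check for the `crowdsec-openresty-bouncer.conf` shown in the comment above, as an added example that is not part of the original comment or of CrowdSec's code. The rules come from the comments inside that file (valid `MODE` values, the `REDIRECT_LOCATION`/`RET_CODE` conflict, the listed captcha providers); two are assumptions made here: that a captcha provider needs both keys, and, conservatively, that the bouncer's parser may not strip a trailing `# Edited` style annotation.

```python
import re

CAPTCHA_PROVIDERS = {"recaptcha", "hcaptcha", "turnstile"}  # listed in the conf's own comment
MODES = {"live", "stream"}

def parse_conf(text):
    """Return ({KEY: value}, [keys whose value carries a trailing ' # ...' annotation])."""
    values, annotated = {}, []
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value, marker, _ = value.partition(" #")
        if marker:
            annotated.append(key.strip())
        values[key.strip()] = value.strip()
    return values, annotated

def lint(text):
    """Return a list of human-readable findings; an empty list means no rule fired."""
    conf, annotated = parse_conf(text)
    findings = []
    if conf.get("ENABLED", "").lower() != "true":
        findings.append("ENABLED is not true")
    if not re.match(r"https?://[^/\s]+", conf.get("API_URL", "")):
        findings.append("API_URL is not an http(s) URL")
    if set(conf.get("API_KEY", "").lower()) <= {"x"}:
        findings.append("API_KEY is empty or still a placeholder")
    if conf.get("MODE") not in MODES:
        findings.append("MODE must be live or stream")
    if conf.get("REDIRECT_LOCATION") and conf.get("RET_CODE"):
        findings.append("REDIRECT_LOCATION and RET_CODE both set; REDIRECT_LOCATION takes priority")
    provider = conf.get("CAPTCHA_PROVIDER", "")
    if provider and provider not in CAPTCHA_PROVIDERS:
        findings.append(f"CAPTCHA_PROVIDER {provider!r} is not a listed provider")
    if provider and not (conf.get("SECRET_KEY") and conf.get("SITE_KEY")):
        findings.append("CAPTCHA_PROVIDER set without SECRET_KEY and SITE_KEY (assumed required)")
    findings += [f"{k} has a trailing '# ...' annotation; keep comments on their own line"
                 for k in annotated]
    return findings

# Constructed sample, shortened from the conf in the comment above.
POSTED = """ENABLED=true
API_URL=http://172.20.0.16:8080 # Edited
API_KEY=xxxxxxxx # Edited
MODE=live
BAN_TEMPLATE_PATH=/templates/ban.html # Edited
"""
print("\n".join(lint(POSTED)))
```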

@NazgulCoder

Hey can I ask you how do you know if it is correctly working?

Japhys commented Jan 8, 2025

@NazgulCoder Well you can try the various commands

sudo docker exec -it crowdsec cscli metrics

sudo docker exec -it crowdsec cscli decisions list

Try manually banning your ip and check a service running behind your proxy.

sudo docker exec -it crowdsec cscli decisions add -i ipadres

Unban it

sudo docker exec -it crowdsec cscli decisions delete -i ipadres

Sometimes it works a bit too well, I am at the office right now and trying to use a homelab service :)

@NazgulCoder

@Japhys thank you very much, however I recently managed to install NPMplus and I'm not turning back. Just the fact that it automatically integrates modsecurity, some other new protocols and backend admin with https. You should try that too ;)

Japhys commented Jan 11, 2025

Will give it a try!

@yurividal

npm-plus is nice, but I've had some issues with it, especially because of modsec.
The developer has said they are working on adding openappsec. If they can do that, then I'll move to npmplus.

@NazgulCoder

I tried openappsec and it's bad imho, for these reasons:

  • their machine learning requires so much time to learn and be "efficient"
  • after researching online, I'd rather rely on common security practices
  • their ML is very heavy on resources, it requires a lot of vCPU and RAM
  • due to point 3, if your website gets mass scanned or DDoS attacked it will blow up your host resources, making your entire host unresponsive (this does not happen with NPM vanilla or NPMplus)
