Docker and Running your self-hosted applications in a more secure way behind a reverse proxy.

  • Published: 25 Jan 2025

Comments •

  • @MauiTech
    @MauiTech 2 years ago +3

    I'm new to all of this and have struggled with this for over 30 hours and your video was so detailed it got me through!!! Bless you good sir!

  • @DimitriPappas
    @DimitriPappas 3 years ago +2

    As amazing as this tutorial is, 18:38 has got to be my favourite part even if it has nothing to do with the topic. I wish everyone shared information this way!

    • @AwesomeOpenSource
      @AwesomeOpenSource 3 years ago +1

      I appreciate it. I want to give as much information as I can, and reinforce the concepts, even if they are tangential.

  • @szymonpogodzinach2495
    @szymonpogodzinach2495 2 years ago

    That is what I call quality content!!

  • @Deamonication
    @Deamonication 3 years ago +3

    Thank you Brian…it took me even longer than you to get it…

  • @tubejim101
    @tubejim101 2 years ago +1

    Do you have to set up the databases for nginx proxy manager? If you don't, will it just use an internal default one?

    • @AwesomeOpenSource
      @AwesomeOpenSource 2 years ago +1

      It used to use a separate mysql db, but it's all built into one docker file now, so you don't even need that part anymore. Recommend you go to the Nginx Proxy Manager page, and just use the quick start docker-compose.yml he shows there.

  • @effectentertainment7882
    @effectentertainment7882 1 year ago +1

    Portainer is giving 3 free business licenses right now.

  • @curtish3481
    @curtish3481 3 years ago +2

    Brian, you are just amazing. Wondering if this is why I have issues with 523 errors w/t Cloudflare and Fios. Can you cover troubleshooting such issues in the future?

    • @AwesomeOpenSource
      @AwesomeOpenSource 3 years ago

      Let me see what I can do. Those Cloudflare 523 errors are kind of odd, and sometimes hard to pin down. I think 523 is their generic code for something isn't set up right.

  • @VicenteMMOSilva
    @VicenteMMOSilva 11 months ago +1

    By using this setup I can only have a single open port in my modem, is that it?

    • @AwesomeOpenSource
      @AwesomeOpenSource 11 months ago

      You would set up 2 ports, 80 and 443. 80 for non-SSL traffic (essentially LetsEncrypt uses 80 to verify it can reach the site), and 443 for the encrypted / secure SSL traffic.

  • @cryptot3ch
    @cryptot3ch 2 years ago +1

    Awesome tutorial Brian! Thank you! I just had one question.. I followed your 5 minute docker/portainer/nginxpm/navidrome tutorial, which was awesome! However, why do I not see a nginx-proxy-manager_db_1 container like you have? I only have the nginx-proxy-manager_app_1. Thanks a ton!

    • @AwesomeOpenSource
      @AwesomeOpenSource 2 years ago

      NGinX Proxy Manager was updated, and the need for a separate db was removed at some point. So, given the age of the video, it's just a little outdated on what you'll see afterward.

  • @totagopinathdas5141
    @totagopinathdas5141 2 years ago +1

    Thanks, great video. Can you please make a video on how to set up portainer under NPM proxy network, so I can close port 9443? Thanks

  • @jothreat3172
    @jothreat3172 2 years ago +1

    How'd you know the IP address of the nginxpm?

    • @AwesomeOpenSource
      @AwesomeOpenSource 2 years ago

      Do you mean the Docker0 IP, or the private IP of the server host it's running on?

  • @smokeyjoee4835
    @smokeyjoee4835 3 years ago +1

    Cheers mate. Whenever I try to do a Jellyfin docker it says running but I can't get to the setup page. I just found your channel, gonna binge it lol.

  • @fbifido2
    @fbifido2 3 years ago +2

    Thanks for this video. I did ask once about the network part of docker, but my question was removed from your video.

    • @AwesomeOpenSource
      @AwesomeOpenSource 3 years ago +1

      I haven't figured out yet why YouTube flags some questions to be removed, but not others. I do know if you try to put some links in, it will autoremove comments.

  • @mamadou4707
    @mamadou4707 2 years ago +1

    Your work is fantastic. Most of the things I know about docker great open source projects are from your channel. I have a workload running on DigitalOcean and I tried to use portainer and letsencrypt but I am having an issue setting the host for portainer. Everything works except the host for portainer. After setting the host name from NPM with all the certificate, I am unable to connect to the portainer UI using URL. The request is just timing out. All other containers work like a charm. I don't know how to debug this issue. I tried joining your discourse channel but it is apparently out of service. I would be grateful if you could direct me to resources that can help me fix it. I don't really want to be accessing portainer UI through the IP address. Thank you again and thank you in advance.

    • @AwesomeOpenSource
      @AwesomeOpenSource 2 years ago +1

      I responded to you on my discussion (Rocketchat). I'll help you over there.

  • @krdesigns
    @krdesigns 3 years ago +2

    Great information, however, let's say I need to hide port 81 Nginx-Proxy-Manager and 9000 Portainer from the public but allow ports 80 and 443 to be exposed to the outside. It's going to be tricky to do this. I ended up making NPM and Portainer together into a single docker-compose in order to make it run correctly. Else it won't work at all. And you don't actually need to create a new network for NPM since it already creates one for you.

    • @metal-beard
      @metal-beard 3 years ago +1

      How'd you hide port 81 from public?

    • @krdesigns
      @krdesigns 3 years ago +2

      @metal-beard In my case the way I do it is to run NPM first and set up the link and port 81 first. Then edit docker-compose.yml and remove port 81:81 so it won't get exposed. Adding portainer to the list makes it work easily.

    • @AwesomeOpenSource
      @AwesomeOpenSource 3 years ago +1

      If you're running on a Public facing VPS, then you can use something like the firewall in DigitalOcean or Linode that sits like a virtual appliance in front of your server, and simply block access to 81, then just use NPM to proxy the traffic to 81.
      You can also use something like Cloudflare for similar purposes. If it's on your home network, again, just make sure the only ports you forward for incoming requests are 80 and 443, and block 81. Now you can only access 81 from inside your LAN.

    • @metal-beard
      @metal-beard 3 years ago +1

      @krdesigns Can you do a short video on it please? I removed 81:81 from compose after creating a link but then I get 400-Bad Gateway.

    • @metal-beard
      @metal-beard 3 years ago +4

      @AwesomeOpenSource yea, unfortunately, I'm using a cheap VPS with no bells and whistles. Setting up UFW just blocks it on proxied link as well.

  • @TritonB7
    @TritonB7 3 years ago +1

    Great video. I had asked a question earlier, but for some reason my longer comments aren't making it through.

    • @AwesomeOpenSource
      @AwesomeOpenSource 3 years ago

      I appreciate it. Try to ask again, or jump over to my RocketChat server and ask there. I'm happy to try and help if I can.

  • @mrwrenchysus
    @mrwrenchysus 2 years ago +1

    Sir, do you have a Discord channel?
    I would like to join there cause I need some help on some stuff

    • @AwesomeOpenSource
      @AwesomeOpenSource 2 years ago

      I don't, but you can find me and assistance at discuss.opensourceisawesome.com.

  • @Avalance987
    @Avalance987 2 years ago +1

    Hi, First I would like to say thank you for your videos, I was able to discover some very nice software tools that I didn't know existed :)
    Related to your current video, I have been trying for some days to make it the same but whenever I'm trying to access Heimdall I'm receiving an "Error 520" from the net, showing that Cloudflare is working but on the Host can't access it. If I try the IP of the docker host I'm reaching the Nginx page but if I add the port for the Heimdall I can't... and I can't think where it's getting stuck.
    Also a nice video idea if you want to do, check the open source Password Manager called "Passbolt" it can run also on docker though having issues deploying too... It's a nice local kinda like Keypass for teams with browser addons for auto-fill password.

    • @AwesomeOpenSource
      @AwesomeOpenSource 2 years ago

      I've been looking at Passbolt, want to do a video on it in the future for sure. As for Heimdall, can you reach it only by host IP and port?

    • @Avalance987
      @Avalance987 2 years ago

      @AwesomeOpenSource no I can't... If I would install Heimdall without the nginx with the default ports, I can. But if I do it the same way as yours, removing the ports, having the docker network connected with nginx and Heimdall I can't.

  • @zer0r00t
    @zer0r00t 3 years ago +1

    The same can be done by prefixing hostport:containerport with 127.0.0.1 in docker run or compose. So instead of 6767:80, you do 127.0.0.1:6767:80 and then reverse proxy port 6767.
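
Added example, not part of any comment here and not the video author's material: a small Python auditor for the port-publishing points raised in this thread (keeping 80 and 443 public, unpublishing 81 and 9000, binding to 127.0.0.1). The service names and the sample mapping are constructed, and the parser covers only Compose short-syntax port strings.

```python
# Added example: flag docker-compose "ports:" entries published on all interfaces.
# Short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL]
PUBLIC_OK = {80, 443}   # the only ports the thread wants reachable from outside

def parse_mapping(entry):
    """Return (host_ip, host_port, container_port, proto) for one short-syntax entry."""
    spec, _, proto = str(entry).partition("/")
    host_ip = ""
    if spec.startswith("["):                      # bracketed IPv6 host address
        host_ip, _, spec = spec[1:].partition("]:")
    parts = spec.split(":")
    if len(parts) == 3 and not host_ip:
        host_ip, host_port, container_port = parts
    elif len(parts) == 2:
        host_port, container_port = parts
    elif len(parts) == 1:
        host_port, container_port = "", parts[0]  # Docker picks an ephemeral host port
    else:
        raise ValueError(f"unrecognised port mapping: {entry!r}")
    return host_ip, host_port, container_port, proto or "tcp"

def classify(entry):
    """Say who can reach the published port, judged by the host-side bind address."""
    host_ip, host_port, _, _ = parse_mapping(entry)
    if host_ip.startswith("127.") or host_ip == "::1":
        return "loopback"                 # only processes on the Docker host itself
    if host_ip not in ("", "0.0.0.0", "::"):
        return "specific-interface"       # bound to one address; review by hand
    if host_port.isdigit() and int(host_port) in PUBLIC_OK:
        return "public-expected"
    return "public-unexpected"            # no host IP: every interface by default

def audit(services):
    """Map service name -> entries published everywhere but not in PUBLIC_OK."""
    report = {}
    for name, ports in services.items():
        flagged = [p for p in ports if classify(p) == "public-unexpected"]
        if flagged:
            report[name] = flagged
    return report

# Constructed sample: service names are hypothetical, port numbers are from the thread.
SAMPLE = {"npm": ["80:80", "443:443", "81:81"], "portainer": ["9000:9000"],
          "app": ["127.0.0.1:6767:80"]}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A "loopback" verdict means the port answers only on the Docker host itself, so a reverse proxy running in a bridge-network container cannot reach it; the proxy then has to run on the host or with host networking.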

  • @P1aenkl3r
    @P1aenkl3r 2 years ago +1

    Awesome!

  • @RayHorn5128088056
    @RayHorn5128088056 3 years ago

    Good boy. Now tell us how to do this same thing when you cannot attach Docker Network because that is maybe the more interesting use case. So far you managed to do this the super-easy way.

    • @AwesomeOpenSource
      @AwesomeOpenSource 3 years ago

      I suppose I'm not understanding what you're asking for. Why wouldn't we do things the easy way?

    • @RayHorn5128088056
      @RayHorn5128088056 3 years ago

      @AwesomeOpenSource Because none of the easy stuff is all that useful in real terms. Just saying.

  • @Daaell
    @Daaell 3 years ago +1

    Am I an idiot and missed WHY this is more secure? The only benefit I see is that the container cannot access the host's network. The downside is that this way you have to expose EVERYTHING to the internet because you can only reach them through their subdomain, since there are no exposed ports to the container (talking about LAN access). Am I seeing this wrong?

    • @AwesomeOpenSource
      @AwesomeOpenSource 3 years ago +2

      Not exactly. Think of this from the perspective of a VPS, or a shared LAN where you may not want others to be able to access these services via the host IP and port, but instead want them to go through the SSL encrypted domain name. You can still set up a proxy for internal use on your LAN as well. Does that help? The security part being that now you force SSL vs. allowing someone to access your site via http only, or you having to login over http with no SSL encryption, and on an open LAN you could have someone sniffing your unencrypted traffic. For general home use, with no one else on the LAN, no need to do this, it's just an option.

    • @Daaell
      @Daaell 3 years ago +2

      @AwesomeOpenSource ok I see your point on the local access. Obv. I'm self hosting locally but being able to access my services is a benefit. But if others are on the network who shouldn't access them or access it through https, this is the way. Also for services I'm exposing to the net, I might do this. Thanks for clarification!

    • @AwesomeOpenSource
      @AwesomeOpenSource 3 years ago +1

      @Daaell you bet!

    • @markstanchin1692
      @markstanchin1692 3 years ago

      I’m trying to understand this as well. I’m self hosting. If I don’t publish the port how can I access it on my local network without going through a proxy. Wonder if there’s a way to accomplish the best of both worlds. For instance Nextcloud. I’m not publishing the port is accessible through the proxy but how can I access directly from my home network and include in Heimdall dashboard?