HOW-TO: Set up NGINX to reverse proxy your jails w/ Certbot

555NASE

Patron
Joined
Mar 3, 2017
Messages
202
Hello,
when I type:
./letsencrypt-auto --debug certonly --standalone -d www.mydomain.de

I get the following Error:



Domain: www.mydomain.de
Type: connection
Detail: Fetching https://mydomain.goip.de: Connection refused (this is like a dynDNS)

To fix these errors, please make sure that your domain name was
entered correctly and the DNS A/AAAA record(s) for that domain
contain(s) the right IP address. Additionally, please check that
your computer has a publicly routable IP address and that no
firewalls are preventing the server from communicating with the
client. If you're using the webroot plugin, you should also verify
that you are serving files from the webroot path you provided.
root@nginx_reverse_cert:/certbot #
 

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226

Can you check that your ports (80 and 443) are open properly? Did you bind your IP to your domain correctly? The error you posted seems related to something like that.
 

555NASE

Patron
Joined
Mar 3, 2017
Messages
202
@ZodiacUHD
Thanks for this nice tip - that was the mistake.


And now I have another question about this part

Renew your certificate

Code:
  1. -OPTIONAL- I don't like using vi as an editor, therefore I'm going to switch to nano for crontab as well:
     setenv VISUAL /usr/local/bin/nano
  2. crontab -e
  3. 30 1 * * 1 ./certbot/letsencrypt-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"

In which folder must I run crontab -e to add this part?

Code:
30 1 * * 1 ./certbot/letsencrypt-auto renew --pre-hook "service nginx stop" --post-hook "service nginx start"
 

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226
Glad I could help. For the crontab it’s not necessary to be in a specific folder, just run it inside the jail and you’ll be good.
 

555NASE

Patron
Joined
Mar 3, 2017
Messages
202
Ok, thanks - I mean the path where I save the file - does that not matter?
 

silverback

Contributor
Joined
Jun 26, 2016
Messages
134
I did not think it would work.
For as long as I have known nginx it has only caused problems, but today it worked out.
I say this just because I tried what I did in the past and it only gave me errors, and now it works.

I managed to make it distinguish domains from subdomains.
Simply duplicate the
Code:
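server {
    listen 80;
    listen [::]:80;
    server_name my domain;
    # Redirect every plain-HTTP request for this name to HTTPS
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name my domain;
    include ssl_common.conf;    # certificate settings for this service
    include proxy_setup.conf;   # proxy settings for this service
}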



And I opened a file (proxy_setup) for every service I use and just modified it in nginx.conf when I duplicated, and it worked.
In the past when I did this it said error, it cannot be because there is duplication, and it made life difficult.

And for the certificate I created a separate file (ssl_common) for each service that needs it, and it worked.
Otherwise only one works in one file.

Thank you for this. It was the only way I was able to access Nextcloud from the nginx reverse proxy.
 

jbrown705

Explorer
Joined
Sep 10, 2018
Messages
62
Hi, I am wondering if someone is able to give me a little help. I am trying to follow the instructions, but I keep getting an error when I try to run the letsencrypt command. Here is the error it is giving me. I checked the logs but I am not really sure what I should be looking for.

Code:
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
	sys.exit(main())
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
	return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1254, in certonly
	lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 120, in _get_and_save_cert
	lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
	cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 334, in obtain_certificate
	orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
	authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
	self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 155, in _respond
	self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
	raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. www.jasonb.tv (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://www.jasonb.tv/.well-known/acme-challenge/DjhIxqyaIjAUb7raFKPjaw4-BsyXUfboXSPg2G466GU: Timeout during connect (likely firewall problem)
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: www.jasonb.tv
   Type:   connection
   Detail: Fetching
   http://www.jasonb.tv/.well-known/acme-challenge/DjhIxqyaIjAUb7raFKPjaw4-BsyXUfboXSPg2G466GU:
   Timeout during connect (likely firewall problem)

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address. Additionally, please check that
   your computer has a publicly routable IP address and that no
   firewalls are preventing the server from communicating with the
   client. If you're using the webroot plugin, you should also verify
   that you are serving files from the webroot path you provided.



I have verified port 443 is open and there is no firewall.

Make sense to anyone?

Thank you!
-Jason
 

ZodiacUHD

Patron
Joined
Aug 28, 2015
Messages
226

Is port 80 also open?
 

Itay1778

Patron
Joined
Jan 29, 2018
Messages
269
Also check that port 80 is open, because this is the way letsencrypt creates the certificate.
 

jbrown705

Explorer
Joined
Sep 10, 2018
Messages
62
Is port 80 also open?

I just checked and port 80 does not appear to be open. I tried to forward it in my router with the IP of the NGINX jail, but it still shows as closed. The strange thing is that unless I have UPnP on, 443 will show as closed as well, even if I forward it manually for the jail IP. Am I doing something wrong? I'm using the Netgear Orbi mesh routers.
Is port 80 also open?

No, port 80 is not open. I have been trying all day to open it. Here is what is happening. If I turn on UPnP, one of my Foscam cameras uses that port and it shows in the list under UPnP and it will test as open. If I turn it off and manually port forward 443 it will test open. If I change the IP to the nginx jail IP and forward, it shows closed. If I go into the settings for the camera and change the https port to something else, 443 will not test open no matter what IP I forward it with. Same thing holds true for port 80. I have double checked with my ISP to make sure neither is blocked as incoming. I am not great with networking, so I may not understand what I need to do to make this work. Can multiple devices on the same network use port forwarding on port 80 and 443 at the same time? I feel like I am just misunderstanding something with how networking works with ports???

Thanks!
 

jbrown705

Explorer
Joined
Sep 10, 2018
Messages
62
Also check that port 80 is open, because this is the way letsencrypt creates the certificate.

I left the IP cameras using the ports so they both test open on a port tester, but I still get a response like this when I run the command:

Code:
root@nginx:~/certbot # ./letsencrypt-auto --debug certonly --standalone -d jasonb.tv -d www.jasonb.tv
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator standalone, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for jasonb.tv
http-01 challenge for www.jasonb.tv
Waiting for verification...
Cleaning up challenges
Exiting abnormally:
Traceback (most recent call last):
  File "/opt/eff.org/certbot/venv/bin/letsencrypt", line 11, in <module>
	sys.exit(main())
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1364, in main
	return config.func(config, plugins)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 1254, in certonly
	lineage = _get_and_save_cert(le_client, config, domains, certname, lineage)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/main.py", line 120, in _get_and_save_cert
	lineage = le_client.obtain_and_enroll_certificate(domains, certname)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 391, in obtain_and_enroll_certificate
	cert, chain, key, _ = self.obtain_certificate(domains)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 334, in obtain_certificate
	orderr = self._get_order_and_authorizations(csr.data, self.config.allow_subset_of_names)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/client.py", line 370, in _get_order_and_authorizations
	authzr = self.auth_handler.handle_authorizations(orderr, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 82, in handle_authorizations
	self._respond(aauthzrs, resp, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 155, in _respond
	self._poll_challenges(aauthzrs, chall_update, best_effort)
  File "/opt/eff.org/certbot/venv/lib/python2.7/site-packages/certbot/auth_handler.py", line 226, in _poll_challenges
	raise errors.FailedChallenges(all_failed_achalls)
FailedChallenges: Failed authorization procedure. jasonb.tv (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://jasonb.tv/.well-known/acme-challenge/0ESI4l0PUttE2YvPQMUu_R-htBDUS8yQQL00MIY3yGo: "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n		 \"http://www.", www.jasonb.tv (http-01): urn:ietf:params:acme:error:unauthorized :: The client lacks sufficient authorization :: Invalid response from http://www.jasonb.tv/.well-known/acme-challenge/boihLnQzX39xHrXfcU8Hb0rBPNGOlWdARKzF-9Bsm3g: "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n		 \"http://www."
Please see the logfiles in /var/log/letsencrypt for more details.

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: jasonb.tv
   Type:   unauthorized
   Detail: Invalid response from
   http://jasonb.tv/.well-known/acme-challenge/0ESI4l0PUttE2YvPQMUu_R-htBDUS8yQQL00MIY3yGo:
   "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html
   PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n
   \"http://www."

   Domain: www.jasonb.tv
   Type:   unauthorized
   Detail: Invalid response from
   http://www.jasonb.tv/.well-known/acme-challenge/boihLnQzX39xHrXfcU8Hb0rBPNGOlWdARKzF-9Bsm3g:
   "<?xml version=\"1.0\" encoding=\"iso-8859-1\"?>\n<!DOCTYPE html
   PUBLIC \"-//W3C//DTD XHTML 1.0 Transitional//EN\"\n
   \"http://www."

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.


My DNS records have 2 A records right now. One is

A Record
@
[my public ip]

A Record
www
[my public ip]

Those look ok?

Thanks!
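The two failures posted in this thread differ in one respect: whether anything answered on the forwarded port, and if so, what it answered with. The following is an added example, not code from the thread or from certbot; it reproduces the http-01 check on localhost with a constructed token and constructed responders, and it returns the same error types seen in the output above (`connection` when nothing is reachable, `unauthorized` when some other web server answers).

```python
import http.server
import socket
import threading
import urllib.error
import urllib.request

TOKEN = "constructed-token"                       # constructed, not a real ACME token
KEY_AUTH = TOKEN + ".constructed-key-thumbprint"  # token "." account-key thumbprint
CHALLENGE_PATH = "/.well-known/acme-challenge/" + TOKEN
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies


def standalone_authenticator(path):
    """Body served by a standalone ACME client while the challenge is pending."""
    return KEY_AUTH if path == CHALLENGE_PATH else "not found"


def other_device(path):
    """A device web UI that answers every URL with its own page (constructed)."""
    return '<?xml version="1.0" encoding="iso-8859-1"?>\n<!DOCTYPE html PUBLIC "...">'


def listen(responder):
    """Serve responder(path) on a free localhost port; return the server."""
    class Handler(http.server.BaseHTTPRequestHandler):
        def do_GET(self):
            body = responder(self.path).encode()
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # silence per-request logging
            pass

    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def unused_port():
    """Return a localhost port that nothing is listening on."""
    with socket.socket() as sock:
        sock.bind(("127.0.0.1", 0))
        return sock.getsockname()[1]


def validate(port):
    """Fetch the challenge URL as the CA would; return 'valid' or the error type."""
    url = "http://127.0.0.1:%d%s" % (port, CHALLENGE_PATH)
    try:
        with DIRECT.open(url, timeout=3) as resp:
            body = resp.read().decode(errors="replace").strip()
    except urllib.error.HTTPError:
        return "unauthorized"      # something answered, but not with the key authorization
    except OSError:
        return "connection"        # refused or timed out: nothing reachable on the port
    return "valid" if body == KEY_AUTH else "unauthorized"


def run_demo():
    acme_client, device = listen(standalone_authenticator), listen(other_device)
    try:
        return {
            "port forwarded to ACME client": validate(acme_client.server_address[1]),
            "port forwarded to other device": validate(device.server_address[1]),
            "port closed": validate(unused_port()),
        }
    finally:
        for server in (acme_client, device):
            server.shutdown()
            server.server_close()


if __name__ == "__main__":
    for scenario, outcome in run_demo().items():
        print("%-32s -> %s" % (scenario, outcome))
```

An `unauthorized` result whose quoted body is an HTML or XML page means the forward on port 80 lands on a different web server than the one answering the challenge.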
 

Itay1778

Patron
Joined
Jan 29, 2018
Messages
269
For every IP the ISP gives you there can be one of each port; there cannot be 80 twice or 443 twice, only once.
The router should list something like "TCP or UDP"; you choose it when you take ports out of the network, and also take 443 and 80 out to the IP of the jail.
 

jbrown705

Explorer
Joined
Sep 10, 2018
Messages
62

So let me see if I’m understanding correctly: you are saying my public IP gets 1 port 443 and 80, not that each local IP (192.168.xx) can have 1 of each assigned to it?

I.e.

192.168.1.10 port 80 and port 443, but I can't have 192.168.1.11 also use 443 and 80, correct?
 

Itay1778

Patron
Joined
Jan 29, 2018
Messages
269
On the internal network you can give the same port to as many IPs as you want, but when you choose an external port you must select one that you have not used.

Example
192.168.1.20 (internal) should have both 80 and 443
192.168.1.22 (internal) should also have 80 and 443
But when you take them out of the network you can choose only one of them for these ports:
either 192.168.1.20 or 22.
To output the same ports to several internal IPs there is the reverse proxy, which does this.
You take out the internal IP of the reverse proxy, and within the reverse proxy you set the IPs you want with their domains.
I hope the explanation is clear :) ;)
 

jbrown705

Explorer
Joined
Sep 10, 2018
Messages
62
Thanks for the reply, but I am still not sure I am following? Sorry. So you are saying that multiple internal IPs can use the same port (like 80 & 443)? I don't know what you mean when you say "but you take then out of the net and you can only choose one..." I tried to port forward 80 and 443 with another IP, and it says there is a conflict. Are you referring to the internal and external ports that can be forwarded separately? Sorry, I am just not understanding? :(
 

Itay1778

Patron
Joined
Jan 29, 2018
Messages
269
Ok, you're using external ports - which basically belong to your external IP, where you can use each port only once.

For example, say that IP A, which is an internal IP, should get external port 80, and IP B should also get external port 80; you cannot take out two external ports which are the same, because you only have one external IP from the ISP.

But inside the internal network you can set them all the same and nothing will happen, because on the internal network everything has its own private IP, and outside the network you have only the one the ISP gives you.

Hope I explained clearly and the English is clear (google translate)

And just so you know, I was like that at first. I did not understand much, but I learned and tried things, I made mistakes and learned what the mistakes were.
If you want to know the subject and you love these things, just try things and also look for things on YouTube; with time you will know everything you want to know :)
 

jbrown705

Explorer
Joined
Sep 10, 2018
Messages
62
Ok I think I am getting this now. Let me know if this sounds correct.

When a device requires a port forward, I should only be setting the external ports and leave the internal ports empty because it’s not necessary unless I’m trying to access it from outside my own network?

I ran a command in terminal to list all ports and I see that my Mac mini is using both 443 and 80 with a LISTEN after it.

It sounds like I have my router settings messed up but I’m not sure how to go about fixing?
 

Itay1778

Patron
Joined
Jan 29, 2018
Messages
269
You must fill in the internal ports where necessary, so that when you enter through the domain or external IP it knows where to refer you.
And the external ports the way you want (ones you have not used).

And you should use port forwarding only for things you need to access from outside the internal network.
 

adrianwi

Guru
Joined
Oct 15, 2013
Messages
1,231
The whole point of the NGINX reverse proxy is that external traffic coming into your router (from a WAN IP address or domains that are directed to that through A records) can be redirected to various internal services.

Typically, you'd open ports 80 (http) and 443 (https) on your router so any external requests on these ports are forwarded to your NGINX reverse proxy jail IP address. You then configure the reverse proxy (through the nginx.conf file, or various .conf files) to direct to other internal services' IP addresses based on the server_name in the request.
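The mechanism described in this post, and in the port-forwarding discussion above it, is that one listener on the single forwarded port picks the internal service from the requested name. The following is an added illustration in Python, not NGINX configuration and not code from the thread; the hostnames under `example.test` and the service labels are constructed, and everything runs on localhost.

```python
import http.server
import threading
import urllib.error
import urllib.request

DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))  # ignore env proxies


def serve(handler_cls):
    """Start handler_cls on a free localhost port; return the server."""
    srv = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


class Quiet(http.server.BaseHTTPRequestHandler):
    def reply(self, body):
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # silence per-request logging
        pass


def backend(label):
    """An internal service that names itself and echoes the Host it received."""
    class Backend(Quiet):
        def do_GET(self):
            self.reply(("%s saw Host=%s" % (label, self.headers.get("Host"))).encode())
    return Backend


def reverse_proxy(routes):
    """routes maps a requested name to an upstream port on 127.0.0.1."""
    class Proxy(Quiet):
        def do_GET(self):
            name = (self.headers.get("Host") or "").split(":")[0].lower()
            port = routes.get(name)
            if port is None:               # unknown name: refuse instead of guessing
                self.send_error(404, "no such server_name")
                return
            upstream = urllib.request.Request(
                "http://127.0.0.1:%d%s" % (port, self.path),
                headers={"Host": name, "X-Forwarded-For": self.client_address[0]})
            with DIRECT.open(upstream, timeout=3) as resp:
                self.reply(resp.read())
    return Proxy


def fetch(port, host):
    """GET / on the proxy port with the given Host header; return (status, body)."""
    req = urllib.request.Request("http://127.0.0.1:%d/" % port, headers={"Host": host})
    try:
        with DIRECT.open(req, timeout=3) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, ""


def run_demo():
    cloud, other = serve(backend("nextcloud")), serve(backend("other-service"))
    proxy = serve(reverse_proxy({
        "cloud.example.test": cloud.server_address[1],   # constructed names
        "other.example.test": other.server_address[1],
    }))
    try:
        port = proxy.server_address[1]   # the only port that would be forwarded
        names = ("cloud.example.test", "other.example.test", "unknown.example.test")
        return {name: fetch(port, name) for name in names}
    finally:
        for srv in (cloud, other, proxy):
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for name, (status, body) in run_demo().items():
        print(name, status, body)
```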
 