SOLVED Reverse proxy for TrueNas Scale

dgrigo

Dabbler
Joined
Sep 22, 2022
Messages
29
Thanks for the reply @dgrigo .

If I understand your solution, I have to use the custom port (9001 or whichever) in order to access Nextcloud UI.
That means that if I need to access from outside my network I need to forward the specific port on my router, for every application I want to install (in this case Nextcloud). Is that correct?

Is there a way to configure Nginx to use just the FQDN subdomain to forward to each application?

Cheers
I didn't find a way for it.
 

DaSnipe

Explorer
Joined
Jun 26, 2021
Messages
86
Most people use Traefik as their reverse proxy since it's built into TrueCharts and tested with all the charts they release. You'd have to install Nginx or HAProxy outside of Nextcloud if you want a reverse proxy otherwise.
Thanks for the reply @dgrigo .

If I understand your solution, I have to use the custom port (9001 or whichever) in order to access Nextcloud UI.
That means that if I need to access from outside my network I need to forward the specific port on my router, for every application I want to install (in this case Nextcloud). Is that correct?

Is there a way to configure Nginx to use just the FQDN subdomain to forward to each application?

Cheers
 

Daisuke

Contributor
Joined
Jun 23, 2011
Messages
1,041
Is there a way to configure Nginx to use just the FQDN subdomain to forward to each application?
Yes, that's what I have now, except I don't use subdomains (e.g. pihole.home.lan) because Pihole does not like it. I use 3 Raspberry Pis, 2 for redundant Pihole DNS and 1 to redirect all traffic to each Scale application through my home network, but you can use Traefik on Scale for that also. I personally don't like that approach because if Scale is down, my entire home network will be down, no DNS, etc. One important detail: you should never open your home network to the outside world. Even if you register a domain and use Cloudflare, you expose your network to the world and risk being hacked. I use a VPN to access my local network from the outside world.

I run @truecharts Homer app for media.lan front-page with easy access to all my Scale apps, Homer has support for each application API, showing you the errors, warnings, downloads etc. (uranus.lan is my Scale server):

Screen Shot 2022-10-21 at 12.00.07 AM.png


Example of media.lan above screenshot and https://media.domain.com Cloudflare/LetsEncrypt example configuration, running on Pi with Nginx:
Code:
$ cat media.conf
upstream homer {
    server               uranus.lan:10178;
}

server {
    listen               80;
    listen               [::]:80;
    server_name          media.lan;
    index                index.html;
    root                 /usr/share/nginx/html;
    include              /etc/nginx/conf.d/proxy.inc;
    location / {
        proxy_pass       http://homer;
    }
}

server {
    listen               443 ssl http2;
    listen               [::]:443 ssl http2;
    server_name          media.domain.com;
    index                index.html;
    root                 /usr/share/nginx/html;
    auth_basic           $auth_bypass;
    auth_basic_user_file /etc/nginx/htpasswd;
    include              /etc/nginx/conf.d/*.inc;
    location / {
        proxy_pass       http://homer;
    }
}

The first server configuration is what I use now; the second one is a "just in case I need it" configuration open to the world, but I don't have that enabled. $auth_bypass is a mapped variable bypassing the local authentication if the local network is detected. In other words, I will be prompted with a Basic Authentication window if I try to access media.domain.com from outside my local network. Still, that is not 100% safe, so I always use a VPN to access my local network from the outside world.

Example of photoprism.lan configuration:
Code:
$ cat photoprism.lan
upstream photoprism {
    server               uranus.lan:2342;
}

server {
    listen               80;
    listen               [::]:80;
    server_name          photoprism.lan;
    index                index.html;
    root                 /usr/share/nginx/html;
    include              /etc/nginx/conf.d/proxy.inc;
    location / {
        proxy_pass       http://photoprism;
    }
}

You can look at my TrueNAS Scale Build for update.tool, to automate the update of @truecharts applications.

Pihole is a key application which needs to be running outside your Scale server: if your server is down, the whole network is down. Hence running it on 2 Pis for redundancy.
 
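One way the "mapped variable" $auth_bypass described in the post above could be defined, using nginx's standard ngx_http_geo_module. This is an added example, not Daisuke's actual configuration: the LAN range 192.168.1.0/24, the VPN client range 10.8.0.0/24, the certificate paths and the contents of proxy.inc are all assumptions; the hostnames and ports are the ones shown in the post.

```nginx
# Added example: defines $auth_bypass for "auth_basic $auth_bypass;".
# auth_basic treats the value "off" as "no authentication" and any other
# string as the realm shown in the browser's Basic Auth prompt.
geo $auth_bypass {
    default          "Restricted";   # everyone else: prompt for Basic Auth
    192.168.1.0/24   off;            # assumed LAN range: skip the prompt
    10.8.0.0/24      off;            # assumed VPN client range: skip the prompt
}

upstream homer {
    server uranus.lan:10178;
}

server {
    listen               443 ssl http2;
    listen               [::]:443 ssl http2;
    server_name          media.domain.com;

    # assumed certificate paths (e.g. issued by Let's Encrypt)
    ssl_certificate      /etc/letsencrypt/live/media.domain.com/fullchain.pem;
    ssl_certificate_key  /etc/letsencrypt/live/media.domain.com/privkey.pem;

    # geo resolves $auth_bypass from $remote_addr on every request
    auth_basic           $auth_bypass;
    auth_basic_user_file /etc/nginx/htpasswd;

    location / {
        proxy_pass         http://homer;
        # assumed contents of the proxy.inc included in the post
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

Check the syntax with `nginx -t` before reloading. Two caveats for anyone copying this pattern: geo matches on $remote_addr, so it only identifies the LAN correctly when nginx sees the real client address; if Cloudflare (or any other proxy) sits in front, every request arrives from that proxy's address and the bypass would never or always match, depending on its range. In that case the client address must be recovered with ngx_http_realip_module, with set_real_ip_from restricted to the upstream proxy's published ranges only, otherwise an external client could spoof the forwarded header and skip the prompt. And, as the post says, Basic Auth over TLS is a fallback, not a substitute for keeping the service off the public internet.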

dgrigo

Dabbler
Joined
Sep 22, 2022
Messages
29
Yes! You have to use the port; also, on the Nextcloud installation, use your domain instead of the IP.

cheers
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
Most people use Traefik as their reverse proxy since it's built into TrueCharts and tested with all the charts they release. You'd have to install Nginx or HAProxy outside of Nextcloud if you want a reverse proxy otherwise.

Addition: we do also have a "We very clearly advise you not to use it" Nginx Proxy Manager app in the incubator train.
 

DaSnipe

Explorer
Joined
Jun 26, 2021
Messages
86
Addition: we do also have a "We very clearly advise you not to use it" Nginx Proxy Manager app in the incubator train.
Yeah I don't advertise incubator train apps on the forum since there's no guarantees when they'll be moved to Stable, but TC def provides options, one supported, one not.
 

gorrunyo

Dabbler
Joined
Sep 12, 2022
Messages
17
Thanks for all the replies. Now I think I have a clear idea on what is the situation.

I did have TrueCharts Nextcloud, OnlyOffice, Plex, and Gitea working through Traefik (with Pihole on an RP for DNS) from the very beginning, but I was a little bit astonished at not finding any solution published by iXsystems in the same way TrueCharts has it.

I thought I was missing something perhaps too obvious and I decided to ask the community. I see now that it is not the case.

Looking forward to Nextcloud v25

Cheers
 

Sasquatch

Explorer
Joined
Nov 11, 2017
Messages
87
Addition: we do also have a "We very clearly advise you not to use it" Nginx Proxy Manager app in the incubator train.
Nginx Proxy Manager is now in the stable train, but it takes 10 minutes to load the Nextcloud GUI, or any website behind it.
It is deffo the Nginx Proxy Manager, as if I switch back to my old homebrew Nginx proxy jail in TrueNAS Core (I'm migrating from Core to Scale) it's lightning fast.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
Nginx Proxy Manager is now in the stable train, but it takes 10 minutes to load the Nextcloud GUI, or any website behind it.
It is deffo the Nginx Proxy Manager, as if I switch back to my old homebrew Nginx proxy jail in TrueNAS Core (I'm migrating from Core to Scale) it's lightning fast.

We don't take bug reports or offer support here.
You're advised to file a support ticket on Discord instead...
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
Caddy. Once you figure it out, it’s an excellent easy way to configure reverse proxy. Including wildcard certificates.

Hoping Truecharts might implement it.

We aim to primarily use kubernetes native resources for things like reverse proxy (we use ingress for that).
We already support great solutions for reverse proxy that way and there is a reason nginx proxy is also not officially covered by our support as well.

For normal webservers like caddy and nginx, we might offer them but their proxy functions will also be out of support coverage.
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
Caddy. Once you figure it out, it’s an excellent easy way to configure reverse proxy.
Love Caddy; that's what I use on my OPNsense box as a reverse proxy--even though it (edit: OPNsense) has a GUI to configure HAProxy, and I have to write the Caddyfile by hand, Caddy's still much easier.

But in the case of SCALE, Traefik seems brain-dead simple to configure for this purpose--I'm not sure why a different proxy would be called for.
 
Joined
Mar 25, 2021
Messages
204
You're advised to file a support ticket on Discord instead...
When referring users to another community let's leave a link so they can easily find it. Many users may not notice it at first in the signature of the message :).

For anyone looking to find their way to the TrueCharts Discord, here is the link: https://discord.gg/tVsPTHWTtr
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
When referring users to another community let's leave a link so they can easily find it. Many users may not notice it at first in the signature of the message :).

For anyone looking to find their way to the TrueCharts Discord, here is the link: https://discord.gg/tVsPTHWTtr

We're not direct-linking it on purpose and have rules requiring people to do some basic research first, such as reading the docs on our website, which includes the support scope we offer.

To be fair, users shouldn't be forwarded to the discord directly in the signature either, but to the support documentation on the website.
 
Joined
Jan 27, 2020
Messages
577
The TrueCharts Traefik and External Services apps have done well for me. I use it to proxy traffic to TC-Apps, VMs and the docker-compose app. The latter is also a very useful creation of TrueCharts.
 