Having trouble setting up Nginx

Having trouble setting up Nginx
from pirateMonkey@lemmy.world to selfhosted@lemmy.world on 01 Sep 19:46
https://lemmy.world/post/35310613

I’m trying to set up a domain to more easily access my services on my home network, using a vanity URL instead of IP:port. With my current setup, my browser is not able to see the server (‘we can’t connect to the server’ at e.g. plex.mydomain.xyz).

I registered the domain through Cloudflare. In Cloudflare, I set up my DNS records (A - mydomain.xyz - content = 192.168.x.x; A - www; CNAME - *), and got my API token. Nginx is running in Docker (as are the services I am trying to access), using the jc21 container and their docker compose template. I used the API token to generate an SSL certificate in NPM with *.mydomain.xyz as the domain, then added a proxy host using the URL mentioned above as the Domain Name, the IP of the server that’s running all my containers for the forward hostname/IP, and the appropriate port for forward port. Then in the SSL tab told it to force SSL and HTTP/2.

I’m not sure what I’m doing incorrectly, the only thing I have running that might interfere with the network service is a PiHole, and it appears to be sending the request on. Also tried using localhost (127.0.0.1) to no avail. I’ve seen some others say they had to restart NPM a few times, so I’ve tried that as well. Thanks for any help!

#selfhosted

threaded - newest

marsara9@lemmy.world on 01 Sep 19:56 next collapse

Are you wanting to access your sites remotely or only via the local LAN?

If you’re aiming for remote access then you can’t use the 192.168.* range as that’s the up address behind your NAT/router. You have use your public IP and do port forwarding from your router.

pirateMonkey@lemmy.world on 01 Sep 20:04 collapse

Yeah, just looking for internal access right now so I don’t have to remember the correct port for every service. Will use a VPN (leaning toward Tailscale) for remote access once I get this set up.

marsara9@lemmy.world on 01 Sep 20:24 collapse

Are you able to query to see what IP address that domain returns? Does it return the 192.168.x address that you set?

Edit: But the idea is to first see where the connection is failing… first see what error your browser is returning? 5xx? 4xx? This can be an indication as to where the error is happening. But high-level check DNS first, see if nslookup or dig return the IP address that you set. (Remember changes to DNS entries can take time to propagate). Assuming all of that is correct, then check to see what nginx is showing in its logs. Do you see it logging anything every time you try and access it via the domain name? Next up is checking the logs from plex itself, does it show any logs coming though? etc… But the idea is to find where the connection is breaking down.

pirateMonkey@lemmy.world on 01 Sep 21:01 collapse

Thanks for that flow on how to troubleshoot.

When I try nslookup on the server, it doesn’t seem to be working at all (nslookup google.com returns ** server can’t find nslookup: NXDOMAIN). On Windows, it doesn’t return any IP (*** No internal type for both IPv4 and IPv6 Addresses records available). Looking at my Pi-hole query log, I do see that address was queried and allowed. *ETA - I do notice that the Windows nslookup returns a URL for Server and my router’s IP address for Address, while Linux returns the router’s IP address for Server and that address with #53 appended for Address.

How can I check what Cloudflare is seeing (because as I understand that’s the next link in the chain)? I’m not seeing any logs there, but only created my account Saturday… *edit to add it’s obviously in the link in the sidebar that says analytics and logs, but not seeing any activity on any of those, so it seems to not be getting past the Pi-hole?

siph@feddit.org on 01 Sep 22:30 collapse

You could try just using the ping or host commands, they will also try to resolve the domain.

Also can you access the services by using IP:Port?

frongt@lemmy.zip on 01 Sep 20:07 next collapse

What’s in the logs?

pirateMonkey@lemmy.world on 01 Sep 20:22 collapse

I’m still very much in a learning mode here, so forgive my ignorance - which logs? Nginx? I’m seeing a fallback_error and fallback_access (which has nothing interesting). There are also some empty files for the host I have set up (proxy-host-1_access/error)

2025/09/01 12:34:54 [error] 193#193: *1 connect() failed (111: Connection refused) while connecting to upstream, client: 192.168.1.181, server: nginxproxymanager, request: “GET /api/ HTTP/1.1”, upstream: “127.0.0.1:3000”, host: “192.168.1.196:81”, referrer: “192.168.1.196:81/nginx/certificates”

Where, presumably obviously, 196 is the server and 181 is a laptop. FWIW I don’t see the directory it’s mentioning, /nginx/certificates, but I’m looking at the host’s directory rather than in the container.

frongt@lemmy.zip on 01 Sep 20:32 collapse

The upstream refused the connection. You have it there as 127.0.0.1, but for inter-container communication usually you’d use the name. 127.0.0.1 would refer to the same container.

Docker (and other container platform) networking is a bit tricky and I’ll admit I don’t fully understand how it works, because it doesn’t work like regular networking. But a simple scenario like yours shouldn’t be difficult.

pirateMonkey@lemmy.world on 01 Sep 20:51 next collapse

Even without full understanding, I think you’re a few steps ahead of me! I was also under the impression that it would be fairly straightforward, but getting lessons in how to troubleshoot (and I appreciate them!)

I was testing with 127.0.0.1 earlier, so that’s makes sense on one level, but not port 3000.

Is my understanding correct that the upstream connection was refused means that it went to Cloudflare who then sent it back to my server, and it was rejected there?

frongt@lemmy.zip on 01 Sep 21:09 collapse

If your request is showing up in nginx’s log, it means you can reach nginx. The upstream is where nginx is going to get the content you want. In your case, that should be the other containers.

pirateMonkey@lemmy.world on 01 Sep 21:16 collapse

Yep, that makes sense. Thank you!

Lyra_Lycan@lemmy.blahaj.zone on 01 Sep 21:50 collapse

Docker also has its own LAN IP address, in my experience it’s 172.17.0.1 instead of 127.0.0.1. And yes, between containers the container name is used, e.g. plexserver:2736, and it’s good practice to manually give them names.

frongt@lemmy.zip on 01 Sep 22:22 collapse

Yes, there is the internal subnet, but it’s not something you’re supposed to use directly.

e0qdk@reddthat.com on 01 Sep 21:12 next collapse

Nginx is running in Docker

Are you launching the container with the correct ports exposed? You generally cannot make connections into a container from the outside unless you explicitly tell Docker that you want it to allow that to happen… i.e. assuming you want a simple one-to-one mapping for HTTP and HTTPS standard ports are you passing something like -p 80:80 -p 443:443 to docker run on the command line, adding the appropriate ports in your compose file, or doing something similar with another tool for bringing the container up?

pirateMonkey@lemmy.world on 01 Sep 21:37 collapse

Yes, I’m using this container: github.com/NginxProxyManager/nginx-proxy-manager using the compose file as written (except I’m naming it nginx instead of app). It maps ports 80 and 443 for traffic and 81 for the manager, which is running.

Lyra_Lycan@lemmy.blahaj.zone on 01 Sep 21:45 next collapse

Hi, Cloudflare DNS needs to point to the external IP address, aka 201.172.48.922 (check using any ‘what’s my IP’ site on any device connected to the same router). 192.168.x is internal and only used by the router. Changing this, and port forwarding 80 and 443 to the NPM host, will allow everything to work remotely.

That said, in a comment you said you’re only aiming for local access. The only requirement for this is setting your Plex client to the internal IP of the server, 192.168.x. Only when setting up external access do you need a cert, domain and DNS records.

Finally, if you can set your router’s DNS servers, set one to the NPM server. That may allow local devices to find the internal IP by querying the FQDN (domain). Or use your Pi-Hole to add DNS rewrites.

pirateMonkey@lemmy.world on 01 Sep 22:13 collapse

Part of the idea here is to get comfortable with what’s happening here in a safe/unexposed environment before trying something that I would expose to the internet, and I’m of the understanding that you can do it this way (pass it to the internet, which will then return that internal IP that Nginx should route appropriately.

damnthefilibuster@lemmy.world on 02 Sep 00:03 next collapse

TL;DR - don’t do this. Plex on Cloudflare is a bad idea. Read my last notes. Get the Plex Remote Watch Pass instead.

So, regular Cloudflare DNS is not the answer here. Your homelab is almost always natted. As in, there’s a public IP assigned to your home, but your internal network (192.168…) is… internal. Cloudflare doesn’t know of it.

One solution is to expose a port on your router. That would mean that if you go to plex.mydomain.xyz, Cloudflare DNS will send it to your home’s public IP and your router will send it to your internal computer based on that port request. This is NOT recommended. For one, your home’s public IP can change at any time. It’s your ISP’s choice what IP they want to assign to you. They can and will change it when they want to. Second, this opens up your internal network to a barrage of attacks.

Seriously, don’t do this.

A separate alternative is to use something like DynDNS (only if your router supports it). Then folks will go to yourplex.dyndns.io (or something) and that will send them to your router’s public IP, no matter how many times it changes. But if you want to use plex.mydomain.xyz then DynDNS charges you money and, afaik, it’s expensive. So no real point.

The better alternative is Cloudflared and Cloudflare Tunnels. This sits under one.dash.cloudflare.com → Networks → Tunnels.

Hit “Create a Tunnel” and select Cloudflared. Give it a name. Let’s call it “homeserver” (it doesn’t matter).

Once it’s created, click on the name and click Edit. (or maybe the instructions vary if you’re running it the first time). Select Docker, and it’ll give you instructions to run cloudflared as a docker container. The command will look like -

docker run cloudflare/cloudflared:latest tunnel --no-autoupdate run --token CLOUDFLARE_ASSIGNED_TOKEN

Then, you’ll have a tunnel. Once you have it up and running, go to Public Hostnames under the same “homeserver” tunnel edit option.

Add a Public hostname. Subdomain would be plex and domain would be mydomain.xyz (from the dropdown). No path.

For the “service” - type is HTTP mostly (unless you’re running SSL inside your home). And the URL is the internal IP address and port for you. So for Plex it’ll be

192.168.x.y:32400 (internal IP of the computer running Plex)

Once it’s saved and Cloudflare has propagated the change (usually a few seconds), you can go to plex.mydomain.xyz and it’ll show your application 🙂

What’s going on here? Cloudflare’s Tunnel solution sidesteps the Cloudflare DNS feature. You still need your domain attached to your Cloudflare account. Cloudflare gets the request, realizes it’s a Tunnel request, finds the cloudflared container which you’re running inside your network, establishes a secure connection all the way to it. From there, the connection is inside your home, from your cloudflared docker container to your Plex installation and back.

NOTE: Once you do this, everyone who can go to plex.mydomain.xyz (basically the entire internet) will be able to see your Plex setup. Make sure to include strong login credentials. If you do not have any login credentials, you can easily end up with complete strangers streaming your Plex library.

ALSO: This is against Cloudflare TOS. If you’re just using it once in a while, you might get away with it. But if not, Cloudflare will find out and boot your domain and might even close your account.

So… If you are building this for friends and family, get the Plex Remote Watch Pass. It’s $20/year and one possible way for you to give Plex access to people. In this method, you do not need to use cloudflare tunnels or expose a port. Everyone creates a free account on Plex (or you create one account for everyone, and they create their own profiles, whatever) and you grant them access to your libraries. Then they go to app.plex.tv instead of plex.mydomain.xyz, login, and get to your content.

Last Note: I use cloudflare tunnels a LOT. I use it for everything from RSS feeds to Calibre Web. All of my usecases are low traffic scenarios. Cloudflare is chill with those. Video streaming through their network is a whole different ballgame. Do NOT risk it.

This took me way too long to write. Cheers!

damnthefilibuster@lemmy.world on 02 Sep 00:08 next collapse

Huh. I made a big comment reply to this and missed a crucial detail. Are you trying to just make it so that sitting in your own home, you can go to plex.mydomain.xyz instead of the IP?

What are you running plex on? Windows or Linux? On Linux, you can run this thing called Avahi. With it, you can set it up so that your computer starts advertising locally as whatever domain you specify. So I have server.local and newserver.local internally. I just go to server.local on my browser inside my home and it takes me to the landing page of the server where I’ve got Heimdall running, which has links to plex and a bunch of other internal services I’m running.

I don’t know what the equivalent is in Windows, but we can jigger something up. Let me know what OS you’re running on what boxes.

mhzawadi@lemmy.horwood.cloud on 02 Sep 05:54 collapse

What you need is split view DNS, setup cloudflare with your external IP. Get the wildcard cert, then in pihole add your local DNS names to it.

This is almost what it do, just I don’t use cloudflare. OVH for the win.