Securing NGinX Proxy Manager - follow up - securing your admin console for this Open Source Software

Captions
[Music] It's your open source advocate, and I'm back with another video. I've been promising this one for a little while, and I wanted to go through it: Nginx Proxy Manager. This is an amazing little piece of software. It's open source, of course, it's free, it's self-hosted, but what it gives you is the ability to run a lot of, like, Docker servers, or just regular servers and virtual machines, or servers on different machines on your home network, and then basically only open up your network for port 80 and port 443 and point that to the machine that's running Nginx Proxy Manager. Then, through Nginx Proxy Manager, you proxy the traffic from there out to the machine that's actually running the server you want to access.

Before we get into this, I want to say thank you so much to all my patrons at Patreon and all my subscribers on YouTube. You guys really make it so that I want to keep doing these things, and you make it so worth it that I get good comments, that I get good feedback from you guys all the time. I really appreciate it, and if you have any questions, please let me know. I try to answer comments as much as I can, and I try to answer on Telegram whenever you ping me on there as well. I just really appreciate everything you guys have done, and all the subscribers and all the people who are watching these videos. It really means a lot to me.

So let me just give you some examples here. Here I've got Nginx Proxy Manager running on my home network, and you can see that I point my actual system to different servers that I'm trying to run inside of my network. The ones with the 172 address are actually Docker installs on the same machine as Nginx Proxy Manager. The ones with the 192 addresses are actual other machines on my internal network that I'm pointing to from this machine that's running Nginx Proxy Manager. So here I've got a bunch of different servers and services that I run that I can access by using Nginx Proxy Manager, and I haven't had to open up a bunch
of ports. I don't have port 3000 open, I don't have port 9046 open, I don't have port 8051 open; I don't have any of those ports open on my network. My network only has ports open to let 80 and 443 through so that I can get to these sites, because basically that says: go to Nginx Proxy Manager and then give me the site that I requested. If I send a request to Nginx Proxy Manager for a site that doesn't exist, so if I say anything.routemehome.org, if that gets to my Nginx Proxy Manager, it's going to come up and just give you this congratulations page. It's just going to tell you, hey, you made it to the proxy manager, but I don't know where else to take you. So this is what I'm going to show you, and that's really great, because that means that I'm keeping my network as secure as I can.

Now, if I actually want to go see something that's running, I can put in analytics.routemyhome.org, and what's going to happen when I hit Enter is that's going to go out here and it's going to go, oh hey, I see this request you just made for analytics.romyhome.org, and I know that that's running in Docker here on this same machine, so I'm going to point you to that Docker install at your port that you've set up for that particular piece of software, and I'm going to let that return back to the person requesting it. So when I hit Enter, it goes out there and it says, oh, I see that, and then it gives me my login information, and I can hit Login and I can see my actual information for what I'm getting for traffic on my website. So that's how Nginx Proxy Manager works.

Now, I can do the same thing if I do, I think it's my music dot, yeah. So again, if I do that, I get Apache, and Apache wants to load up so that I can actually go listen to my music that I'm running here on my site. So there's a lot of things you can do with Nginx Proxy Manager, but there's a lot of questions that come up when you use something like that as well. So I want to go through those things, because when it comes back to this, you might be saying, well, I
mean, couldn't anybody access this site? Well, yeah, but you saw there's a login for it, and the same thing here, right, there's a login for this. So yes, anybody could technically access this site, but there's a login that's protecting some of my stuff. Now, if I want to protect it even more, there's some options inside of Nginx Proxy Manager that let you do that through access control lists. So I want to go through some of these things, as well as tell you how do you actually secure Nginx Proxy Manager itself, because maybe you're not running this on your home network, maybe you're running it on a VPS like DigitalOcean or linux or SSD Nodes or, you know, hundreds of others that are out there that you have.

First thing I want to cover is it's very easy to get this set up. You just click here on Setup; it's going to take you down the page to his instructions for setup. Now, these are kind of minimal instructions in my opinion, so as you go down it gets more complex. I just like to go out to his GitHub page right here, so that's also linked here on the main page, right here at the top right. I just go to the GitHub page, scroll down, and right here is Quick Setup, and right here we've got some information that we need. Now, I've gone through this in several other videos. I cover this on shownotes.opensourceisawesome.com in several blog posts as well, so if you're ever wondering where this is at, it's out there, but I'm going to go through it again for you right now.

So the first thing you actually want to do is have a terminal open on the machine you want to run this on. Today we're going to run it on this machine that I'm actually recording on, because I don't have it set up yet, and I can show you that right here: when I do docker ps, there's actually no Docker stuff running at all right now. So I'm going to clear that out. Now, the first thing you want to set up is Docker and Docker Compose in order to run this, and I have videos out there that show you how to do that. I will link them in
the show notes and in the description for the video, and it's really important that you get that installed first. But it's not a hard thing to install those things; in fact, I've got a script that you can run to install if you're running Ubuntu 18.04 or Ubuntu 20.04. But after you do that, then you need to get Nginx Proxy Manager installed, and it installs into Docker. Now, if you run Portainer, you can absolutely use Portainer to get this set up and installed. I have Portainer on my other server; I don't have it on this one, so I'm just going to do this straight up from the command line. This is really not difficult.

So, first thing I'm going to do: I'm in my home directory here, so I'm going to make this just a little bit larger font for you guys. How's that? So first I'm going to do is make a directory, and I'm going to call it npm. You can call it nginx-pm, whatever makes you happy; it's just something that's got to have a different name from all the other ones. So we could do nginx-pm, that's fine. We're going to cd into that, so just cd nginx hyphen pm, and now we're inside that directory, and you can do an ls to see that it's empty.

Now we need to create two files. So we're going to do nano, and the first file is config.json. Make sure you spell it just like that. When you hit Enter, it's going to take you into nano. We're going to go back here to this web page and we're just going to highlight and copy, so Ctrl+C to copy off the web page, and then we're going to come back to nano. You can do Ctrl+Shift+V, like Victor, to paste, and then you've got a few things you've got to change right here. So mysql, we don't want to change that; host, we don't want to change that. Name, so we can change this, and we can change this to be whatever we want, but it's npm, it's node, it's Nginx Proxy Manager. See, I almost said node package manager, so it's a little confusing sometimes. So you can change this to something if you want to. But the user, I recommend changing this. Use your own name; I'm going to use
my name in this case. And then the password: absolutely you should change this to something that's a strong password. Don't use the one that I'm about to use here, but you should use upper, lowercase, symbols, more than eight to ten characters, if you can do like 12 that's great, and then numbers. So don't spell a word, just use something random. Just remember what it is. You know, if you need to, just copy it like this: just highlight it and then do Ctrl+Shift+C to copy. Now we're going to save this file before we do anything else. We're going to say Ctrl+O, check that the name is still config.json, and then hit Enter to save it, and we're going to do Ctrl+X to exit out of it. So now if we do ls, we see there's our config.json file.

Now we're going to make one more file: nano, and we're going to do docker hyphen compose dot yml. Again, we open it up and it's blank, so we're going to go back to the web page here and we're just going to highlight all of this text that's in this second block. We're going to copy it, and I can scroll this up for you guys so you can see it better if you want to, but we're about to paste it into the other thing. We're going to highlight that, copy it, we're going to go back to the terminal, we're going to paste with Ctrl+Shift+V, and there's a few things that we need to adjust.

Now, as you go through this particular file, you're going to see a few things, and I want to talk about it. This is the image it's going to pull down for Nginx Proxy Manager; don't change this. The ports: you do not want to change these ports. You want to make sure that your host machine has port 80, port 81 and port 443 available, because the left side is the host and the right side is the container, and in this case we want to leave this exactly like it is. We do not want to change this. You've got a few volumes that it's going to create; that's fine, you don't need to do anything here, just let it create these volumes. And then down here it's going to pull the MariaDB database system, so this is
the next image. Don't mess with the image name. Now, your root password: you want to change this to whatever you can think of. Don't make it the same as the other password you made; just make it something strong and long, okay, something that somebody couldn't guess easily. Then here for the database, you're going to leave it npm unless you renamed it on the other screen; leave it the same. For user, put in whatever username you used. I used brian, so that's what I'm going to put. And for the password, now you can do Ctrl+Shift+V, so right here, once you erase this, you just do Ctrl+Shift+V and it'll paste in the password that you copied from your other screen, your config.json.

If you don't have it still in your clipboard, just do Ctrl+O, save, Ctrl+X, and once you're out of that you can just do cat config.json, and you can just copy this right here, Ctrl+Shift+C, nano docker-compose.yml, and then you can come back down here and you can get rid of whatever's in the space, and Ctrl+Shift+V, and you've got the same password that you have in your config file. You want to make sure that your database, your user and your password are all exactly the same. They have to match. Once you're done with those changes, hit Ctrl+O, make sure it still says docker-compose.yml, hit Enter to save, and then Ctrl+X to get out of it.

We've done everything we need to do now, assuming that you've already got Docker and Docker Compose installed. So now we're going to bring up Nginx Proxy Manager. To do that, we're going to type in docker hyphen compose up hyphen d, which means run it as a daemon. So this is going to tell Docker... now, you need to spell docker correctly, don't spell it like I did. docker-compose up hyphen d, and then we're going to hit Enter. It's going to pull those images down. Now, it'll just take a few minutes for it to pull these down and get everything up and running, so just be patient. All right, when you get finished, you should have something
that says, you know, app underscore 1 and db underscore 1, and it should say done and done, and you can verify with docker ps. And now you see that we've got a couple of things running. Now, this is a big mess, so I'm going to take this back down a little bit, cleaner looking here, so you can see you've got nginx-proxy-manager at latest running and you've got mariadb-aria at 10.4 running, which is what we need. So I'm just going to bring this back up for you guys, and we'll clear that out.

Now, back here in our browser, we can actually go to our home, so localhost and then colon 81 if you're logged onto that actual machine; if not, use the IP address of that machine at port 81. If you do this correctly, you should come up to the login screen. Now, sometimes Nginx Proxy Manager just doesn't get installed or started up right in Docker, and you may get a 505 error, 502 Bad Gateway error. If you do, that's okay, it happens. But your default credentials are admin@example.com, and the default password is changeme, c-h-a-n-g-e-m-e. Hit Sign In. You don't want to save that, because you're about to change it. Change this to the correct information, so whatever you want for your email, and then it's going to ask you to change the password. So this is the same one you just typed in, so c-h-a-n-g-e-m-e, and then you're going to come down here and type a strong password and hit Save. Once you do that, you'll see that you've got your administrator here, and now you can tell it, sure, save my credentials, if you want to. And we've got Nginx Proxy Manager actually up and running on this machine, so this kind of step is done.

Now, I'm logged in through localhost, so I can actually log out, and I'm going to go back to this thing through the IP address, which is 192.168.
make sure I get the right one typed in here, 168.7.221, and again, port 81 is how you get to the admin console. So here we are, came back to it. Now I'm going to type in my proper credentials, and I can tell it to save that; it really wants to save, but it doesn't need to. So I'm logged into Nginx Proxy Manager, but I don't have any hosts set up yet, so I don't have anything to, quote, host. That's okay. There's a few things about Nginx Proxy Manager itself that we may want to set up to host.

So as you can see, I can access this through port 81. Now, anybody on my network could access this through port 81, technically. Now, they need login credentials to get to it and actually do anything in it, but it's not through SSL, it's just through HTTP. So if I want to make this accessible with HTTPS, I need to create an entry in Nginx Proxy Manager and then secure it with itself. Now, because I don't actually have a domain pointing to this, I'm not going to use this one, but one of the things you'll need is a domain name that you're going to point to your actual record.

So I'm going to go out here and I'm going to show you how I did that. I'm going to go to godaddy.com. Now, regardless of who your registrar is for your domain, you want to make sure you go to your DNS management section. So in GoDaddy, that's where I'm at right now, and what I've got set up is basically two records. I've got the @ record, which is like my primary domain, which is routemyhome.org, which points to my home IP address. The second thing I did, in order to make it so that I don't have to come out and create an A record for every domain that I create, which you can see sometimes I do it anyways, but I don't have to, because I created an asterisk record and I pointed it to my home IP address. So anything that I type in, whether it's here or not, as long as it has routmyhome.org on the end of it, it tries to go to my home IP address, and then Nginx Proxy Manager tries to handle that and see if it can route it to an actual site, and
if it can't, then it just gives you the congratulations page. So that's how I do this, that's how I set up my name server in this case for the one that points to my home, just because it makes it easy, and because I do these videos every week, and sometimes I do a couple of videos in a week, and I don't want to come out here and set up an A record every single time I do it. I just would rather type something in and make it easy to get to.

Now, if you want to, you can come set an A record for @, and then you can actually set the rest of these as CNAME records instead of A records. So let's just say that I'm going to do, I'm just going to call this manage, okay? So let's go, and we'll create an actual A record. So I'm going to say add an A record, I'm going to tell it it's a CNAME, so in this case I'm going to tell it it's a CNAME. I'm going to call this manage. I'm going to say point to the @, so that's just telling it, hey, wherever this is pointed, that's where I want this to point. So I'm just telling it it's going to point to the same IP address. Now, on GoDaddy, I do this: I go and take out the three, that turns into 600 seconds, that's 10 minutes, and then I hit Save, and now I should have manage, it's a CNAME, and it's @, so it's going to point to my home.

Now, whether that takes or not, it's going to point to my home, because I have this asterisk record here. But if I wanted to point that to some other IP, like this one, I have vpn set up, it points to a different IP address. Right here you can see that I've got remote set up, and it points to a different IP address. So there's different things that I do have set up that point to different IP addresses, and if I want that, I need to come set a specific record for that. But in this case I set up a CNAME, and it's going to point back to the @, and then whether I set it up or not, my star would have caught that. But for your own benefit, if you do want to do this, then you can set it up this way with a CNAME record, and each site you want to set up to point to
the same place, if you don't want to have this star record, you can just set it up as a CNAME and point it to @, and then give it 10 minutes or so and it'll be pointing to the right place.

All right, so now I want to secure Nginx Proxy Manager to itself. So while I showed you how to install and get Nginx Proxy Manager running, I'm going to go back to my other server where I run it here, and I'm going to show you how to set it up to be secured to itself. All right, so what we're going to do is we're going to add a host entry, and I'm going to call that exactly what I just said I want it to be, which is manage dot routemehome.org. I'm going to hit Tab so that it creates kind of this little chip. If you don't do that, it's going to just disappear from the field whenever you leave the field. Here I'm going to point it to itself. Now, Nginx Proxy Manager is running inside of Docker, so I can use that same Docker IP address that I use here in the background for the rest of these sites, so it's 172.17.0. Now, I know my admin console runs on port 81, so I'm going to type that into there. I don't know that I need WebSocket support, but I'm going to block common exploits. I'm going to leave it publicly accessible for now, and before I do anything else, I'm just going to save, and then I'm going to go click on manage.rotmyhome.org right here. I'm going to click on the URL and see if it opens up and gives me my site. It does, so I got to my Nginx Proxy Manager login page. That's awesome, but it's still not secured. It's telling me that there, which is okay. Step one is done. I always test before I keep going, because it makes it easier to troubleshoot as you go along.

So I'm going to go back down here to manage, and I'm going to go over to the right. I'm going to click on the little drop-down here with the three dots, I'm going to click on Edit. Now I'm going to click on SSL, because this is the next step; we want secured sockets, right? So I'm going to click this, I'm going to click Request a new SSL
certificate. I'm going to say Force SSL, because I don't want anybody getting there without going through SSL, especially myself. Make sure your email address is filled in so that the Let's Encrypt site can email you if there's a problem with any of your certificates. This is very important. They don't spam you; they just let you know when there's something going on with your certificates. And then click on the I agree to the terms of service. If you want to read their terms of service first, you can click on this link and it'll let you read that as well. Again, click Save. This time, be patient while it works. It's going to try to go get you a Let's Encrypt certificate for the site that you just set up. If that modal goes away like that with no error message, you probably are successful, and the way to test that is just, again, click here. Now we've got it, and you can see that it is secured, and I can log in, so I can put in my username and my password. If I get the right password, it will log me in. All right, once I'm logged in, so it wants to know if I want to save it; I don't need to save it, it's fine. But now I'm back at my site, and I'm doing it through a secure SSL layer, so I've secured this.

Now, I know what you're thinking: well, okay, I mean, you secured it to itself, great, good job. I know, now it's accessible from the internet, but we're going to fix that too. So that's where access lists come in, and here you can see I've got a couple of access lists that I've created in the past. So I don't need this local only one, because it actually does the same thing as home IP; I just did that for a video recently. So, oops, I didn't want to change, I want to delete it. There we go, yes. So here I've got home IP set up. Now I'll show you exactly what I did to set this up.

So when you want to set up an access list, you're going to hit Add a new access list. You're going to give it a name, so in your case you may want to call it home IP, or you could just call it home only. Whatever you want to call it, doesn't
matter. I'll come back to this little checkbox in a minute. Authorization: so right here you want to list anybody that would be authorized to access this URL, and it's going to basically present them with some authentication information before it even tries to take them to the page. So if they try to get to that page, it's going to say, hey, you need to log in. If they don't, it's going to cancel that request, okay? So we're going to put in my username and my password that I want to use, and then we're going to go over here to the next tab, and this is Allow. So this is for an IP address. Now, this is public IP addresses, so basically it checks your public IP address to see, like, where are you trying to log in from, and if it doesn't match one of the ones in the allow, then it's going to deny. So if you want to use IP as your method for getting logged in, then you would need to know your public IP address. To get that, you can use something like ipchicken.com, and when it comes up, you can just grab that public IP address, you can come back over to your Nginx Proxy Manager, and you can tell it, there's my public IP, and you can hit Save.

But before you hit Save, remember, we set up two different things. So right now, not only do I have to be logging in from my public IP, but it's also going to prompt me, before I even get to the normal login page, with credentials that I need to have to get to the site. Now, if you're like, you know what, either I need to have this or I need to be coming in from this IP address, you can go here and you can check the accept any, so either this one or this one. If you uncheck this, it becomes and: I have to have this one and I have to be on this IP address. So you kind of make up your decision on how you're going to set this up. So here I'm going to say accept any, I'm going to say Save. Okay, so now I've got this home only option, and what I can do is I can go back to my hosts, I can come down to manage, I'm again going to click on Edit, and right here I'm going to say I want home only as my
option for this one. I'm going to save that. Now, you want to do that after you get your certificate from Let's Encrypt, because when you try to get that certificate, if you already have an access list set up, Let's Encrypt's going to try to get in, and it's not coming from your IP address and it's not got your credentials, so it's going to fail, because it can't access this site on port 80, which is what it needs to be able to do. So again, make sure when you do this that you have got this set as publicly accessible when you're getting the certificate here on the SSL page. Once you're done with that, you can come back in and you can change this to whatever access list you want, and you can create multiple access lists. They can all have different rules and different people and different users, and then you can add that to the site right here. Once you're done, hit Save.

Now, I want to set one up that only allows credentials and not my IP, or else it's going to come through every single time. So let me cancel this real quick. I'm going to go back over here to my access lists, I'm going to edit this home only, and I'm actually going to change the name to be just me, and I'm going to change this to not just be my IP address but also my credentials. So it has to be me and I have to be on my home network. So I'm going to hit Save, I'm going to go back to my hosts, I'm going to go back to my manage here, and I'm going to click on Edit, pick just me, just to make sure that it took it, and hit Save, just to make sure that it takes.

So I'm going to open up another browser and I'm going to try to get into my console again, and you see here, now it presents me with this login screen. So you can see there, I had to log in and authenticate first of all just to get to the page, then it brings up the page, and now I have to log into the actual web application. So it gives you an extra layer of security. So that's how you secure Nginx Proxy Manager to itself. As you run through these things, you may hit a few hurdles and a few hiccups;
that's okay, it happens. Reach out to the maker, go to GitHub, ask questions, see if you can get some help making sure those things are running correctly. I do my best to help you guys, but a lot of times it's hard for me to help you, because I'm not sure what your setup's like, and I'm not super familiar with the back end of how this software works. So I can show you the front end, and I can show you the things that I do that work for me, but sometimes you may need to set up some things for yourself that are a little bit different.

Before we finish: in the past, I've shown you to set up things to the public IP address of the actual application, and if you're running Docker in particular, don't do that. So on the old video I did show that. On this video, I want to make sure that you understand you should use the docker0 address if you're running the software on the same system as you're running Nginx Proxy Manager. So if you're running the proxy manager and it's on the same system as another server that you're running, you should use that docker0 address and then the port number that you set up for that particular server, and that's going to make it much more secure, because it never leaves this machine. It goes from Nginx Proxy Manager straight to that Docker machine and back, and there's nothing really leaving the machine, so you've got encrypted traffic all the time when it's outside of that server host.

I hope this little brief overview of how to do some extra things in Nginx Proxy Manager is really useful to you, and that you guys get a lot out of it. I think this is a really, really great tool. I hope you guys enjoyed this. If you did, make sure to like, subscribe, tell your friends about this, and I'll talk to you next time.
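The access list behaviour described in the captions (an IP allow list plus a username and password, combined with the "accept any" checkbox) can be modelled as follows. This is an added example, not part of the video and not Nginx Proxy Manager's own code; the function names, addresses and credentials are constructed for illustration.

```python
"""Model of an access list combining an IP allow list with HTTP Basic
credentials under an "accept any" switch. Added illustration only; all
names and sample values are constructed."""
import base64
import hmac
import ipaddress


def parse_basic_auth(header):
    """Return (user, password) from an Authorization header value, or None."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers bad base64 and bad UTF-8
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def ip_allowed(client_ip, allow_list):
    """True if client_ip matches any allow entry (single address or CIDR)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(entry, strict=False)
               for entry in allow_list)


def credentials_ok(header, users):
    """True if the header carries a known user with the matching password."""
    parsed = parse_basic_auth(header)
    if parsed is None:
        return False
    user, password = parsed
    expected = users.get(user)
    if expected is None:
        return False
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(password.encode(), expected.encode())


def access_decision(client_ip, auth_header, allow_list, users, accept_any):
    """accept_any=True: IP match OR credentials. False: both are required."""
    ip_ok = ip_allowed(client_ip, allow_list)
    cred_ok = credentials_ok(auth_header, users)
    return (ip_ok or cred_ok) if accept_any else (ip_ok and cred_ok)


ALLOW = ["203.0.113.7"]                    # constructed "home" public IP
USERS = {"admin": "constructed-Passw0rd"}  # constructed credentials


def basic_header(user, password):
    """Build the header value a browser would send for Basic auth."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def demo():
    """Return {request: (allowed with accept any, allowed with both required)}."""
    good = basic_header("admin", USERS["admin"])
    requests = {
        "home, no credentials": ("203.0.113.7", None),
        "remote, valid credentials": ("198.51.100.20", good),
        "home, valid credentials": ("203.0.113.7", good),
        "certificate validator": ("192.0.2.50", None),
    }
    return {name: (access_decision(ip, hdr, ALLOW, USERS, True),
                   access_decision(ip, hdr, ALLOW, USERS, False))
            for name, (ip, hdr) in requests.items()}


if __name__ == "__main__":
    for name, (any_mode, all_mode) in demo().items():
        print(f"{name:28} accept-any={any_mode!s:5} both-required={all_mode}")
```

The validator row is denied in both modes, which matches the advice in the captions to request the certificate while the host is still publicly accessible and attach the access list afterwards.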
Info
Channel: Awesome Open Source
Views: 20,534
Rating: 4.9478827 out of 5
Keywords: open, source, opensource, open-source, self, hosted, selfhosted, self-hosted, free, libre, software, server, web, internet, browser, linux, mac, macos, os x, windows, microsoft, unix, bsd, ios, android, pi, raspberry, desktop, digital, ocean, digitalocean, vps, tutorial, how to, setup, installation, instructions, cli, command line, terminal, interface, open source software, open source news, open source projects, NGinX, NGinX Proxy Manager, NPM, Proxy, Proxying, Traefik, Traffic, Website, Domain, URL, Apache, Webserver
Id: UfCkwlPIozw
Length: 28min 36sec (1716 seconds)
Published: Tue Oct 20 2020