After my previous post here looking for input on an easily maintained docker and reverse proxy setup, I opted to go for NPM. I also moved my domain registration and DNS from Google Domains to Cloudflare.
It was a breeze to set up for the most part, I did have some pain getting my certs in order - NPM easily pulled down certs from LetsEncrypt, but Cloudflare didn’t like it unless I used their 15-year origin server cert, which worked perfectly. I set up Portainer first, then wordpress and NPM. (I’m generally comfortable with command-line stuff, but I have much less experience with Docker so Portainer is great for someone like me.)
I specified a network I created (“proxy”) in the docker compose files, and that allowed me to use the container name in NPM to set up the proxy hosts. I quickly and easily set up proxy hosts for the main domain (points toward the WP container), a portainer subdomain pointing to the portainer container, and an NPM subdomain pointing to NPM. At this point things have been easy, everything is working beautifully, and I’m thinking about all the other things I want to eventually spin up and host.
Then I started with FreshRSS. I was able to set it up - I could access it via the IP:port but no matter what I did, the subdomain gave me Cloudflare’s 502 Bad Gateway error. I adjusted the BASE_URL in the container, I’ve tried all sorts of settings in NPM - http, https, using different subdomains, different ports, etc (changing them in the docker compose as well of course) but no dice. I did some searching around and found a few examples like this and this where I’ve seen others having similar issues and not being able to fix them.
So I thought maybe it was some kind of weird issue with FreshRSS specifically, so I removed it and spun up Miniflux instead. Same as the previous time - I could access Miniflux perfectly well via the IP:port but the reverse proxy gives me a 502 every single time. The containers are on the same network. What am I missing with these?
For reference, here’s the docker compose for the miniflux stack:
services:
miniflux:
image: miniflux/miniflux:latest
container_name: miniflux
ports:
- "8099:8080"
depends_on:
db:
condition: service_healthy
environment:
- DATABASE_URL=postgres://miniflux:secret@db/miniflux?sslmode=disable
- BASE_URL=[redacted]
db:
image: postgres:15
container_name: miniflux_db
environment:
- POSTGRES_USER=miniflux
- POSTGRES_PASSWORD=secret
volumes:
- /media/config/miniflux:/var/lib/postgresql/data
healthcheck:
test: ["CMD", "pg_isready", "-U", "miniflux"]
interval: 10s
start_period: 30s
networks:
default:
name: proxy
Here is an example of the NPM setup. Cloudflare is the access list I created that limits it to Cloudflare’s IP ranges, and the site-wide origin cert is selected on the SSL tab, just like my other proxy entries which are currently working.
I use a similar setup with dockerized NPM. I see 2 things in this example that I do differently.
- Make sure to explicitly call out
external: true
in the network definition. I’m not sure what compose will do if you don’t. But I wouldn’t want it making any new proxy networks accidentally. - proxy should be in the
networks
list for each container you want accessible from NPM. I don’t believe just defining it in the compose adds all containers to that automatically.
- Make sure to explicitly call out
Repost from kbin directly since federation is being weird.
I use a similar setup with dockerized NPM. I see 2 things in this example that I do differently.
- Make sure to explicitly call out
external: true
in the network definition. I’m not sure what compose will do if you don’t. But I wouldn’t want it making any new proxy networks accidentally. - proxy should be in the
networks
list for each container you want accessible from NPM. I don’t believe just defining it in the compose adds all containers to that automatically.
- Make sure to explicitly call out