App Submission: NPM (Nginx Proxy Manager)

[sahilph]

App Submission

App name

Nginx Proxy Manager

⚠️ Please take care while exposing apps to the internet.

⚠️ Note: This app listen on ports 40080 and 40443. In order to make the apps proxied by NPM accessible from internet, users need to port forward 80 to 40080 and 443 to 40443 on their router.⚠️

DETAILED GUIDE

256x256 SVG icon

https://nginxproxymanager.com/logo.svg

Gallery images

Image 1:

Image 2:

Image 3:

Image 4:

Note: These screenshots are taken from NPM website.

I have tested my app on:

• umbrelOS on a Raspberry Pi
• umbrelOS on an Umbrel Home
• umbrelOS on Linux VM

I do not have Umbrel Home or Raspberry Pi, hence couldn't test it on them. However I have tested it on my Linux Machine (Umbrel OS 1.2.2) and it works fine.

---

For those who want to try it now, Nginx Proxy Manager is also available on my personal app store

[nmfretz]

Really great addition @sahilph, thanks for working on this!

This is almost ready to go, there are just a few items to address below. We'll start working on gallery assets.

[sahilph]

@nmfretz
I have made the requested changes. Please check.

[nmfretz]

@nmfretz
I have made the requested changes. Please check.

Thanks for making those changes @sahilph! I have pushed some changes to finalize the app (app description, UI port, etc). We should have the gallery assets ready soon and can then go live.

In the meantime, would you be able to confirm if using umbrel.local as a forward hostname / ip when configuring a proxy host works for you?

I have just been doing some testing and I can't get this to work even though you have added "${APP_DOMAIN}:host-gateway" to the extra_hosts directive in the compose file. What this does is add 172.17.0.1 umbrel.local to the container's /etc/hosts file. But even so, it does not appear to work.

Using Jellyfin as an example:

1. Forward Hostname / IP = umbrel.local | port = 8096 --> I am hit with a 502 bad gateway
2. Forward Hostname / IP = 127.17.0.1 | port = 8096 --> This works
3. Forward Hostname / IP = 10.21.0.1 | port = 8096 --> This works. 10.21.0.1 is the Gateway IP of the main Docker umbrel network.
4. Forward Hostname / IP = jellyfin_server_1 | port = 8096 --> This works.

The only reason 2 and 3 work in this case is because our app_proxy container sitting in front of Jellyfin has the authentication disabled (Jellyfin has it's own auth):

umbrel-apps/jellyfin/docker-compose.yml

Line 8 in 92d5832

PROXY_AUTH_ADD: "false"

For any apps that sit behind the app_proxy with authentication enabled (by default), they would need to proxy using case 4 above, where they bypass the the app_proxy and instead proxy directly to the main app container. If you want to test that out try proxying to the Radarr app using 127.17.0.1 or 10.21.0.1 and it should not work.

[sahilph]

Forward Hostname / IP = umbrel.local | port = 8096 --> I am hit with a 502 bad gateway

Ahh, this is interesting. I get the same 502 bad gateway. I was surprised by this, considering /etc/hosts already had umbrel.local in it.

It turns out that nginx ignores /etc/hosts when using proxy pass.
Related issue: NginxProxyManager/nginx-proxy-manager#1225

So one option is to ask users to directly use the IP 172.17.0.1 instead of umbrel.local. But not sure if IP is always the same for everyone. Also it not really that convenient as well

Hence, as a workaround, I found a docker image qoomon/docker-host which basically accepts traffic on all ports and forwards it to the host. With this users will be able to use umbrel.local as Forward hostname.

I have added a new commit please check.

[sahilph]

For any apps that sit behind the app_proxy with authentication enabled (by default), they would need to proxy using case 4 above, where they bypass the the app_proxy and instead proxy directly to the main app container. If you want to test that out try proxying to the Radarr app using 127.17.0.1 or 10.21.0.1 and it should not work.

Yes thats correct, because I think the app_proxy redirects to domain.name:2000 to ask for authentication and it wont work as port 2000 will not be accessible from the internet. Maybe we can add a note about this.

Also, is there any way to configure app-proxy to redirect to domain.name:2000/some-custom-path that way we can configure a custom location with /some-custom-path in NPM for the same domain and then set it to Forward to umbrel.local:2000

[github-actions]

⚠️   Linting finished with 1 warning   ⚠️

Thank you for your submission! This is an automated linter that checks for common issues in pull requests to the Umbrel App Store.

Please review the linting results below and make any necessary changes to your submission.

Linting Results

Severity	File	Description
ℹ️	nginx-proxy-manager/docker-compose.yml	External port mapping "40080:80": Port mappings may be unnecessary for the app to function correctly. Docker's internal DNS resolves container names to IP addresses within the same network. External access to the web interface is handled by the app_proxy container. Port mappings are only needed if external access is required to a port not proxied by the app_proxy, or if an app needs to expose multiple ports for its functionality (e.g., DHCP, DNS, P2P, etc.).
ℹ️	nginx-proxy-manager/docker-compose.yml	External port mapping "40443:443": Port mappings may be unnecessary for the app to function correctly. Docker's internal DNS resolves container names to IP addresses within the same network. External access to the web interface is handled by the app_proxy container. Port mappings are only needed if external access is required to a port not proxied by the app_proxy, or if an app needs to expose multiple ports for its functionality (e.g., DHCP, DNS, P2P, etc.).
ℹ️	nginx-proxy-manager/docker-compose.yml	Potentially using unsafe user in service "docker-host": The default container user "root" can lead to security vulnerabilities. If you are using the root user, please try to specify a different user (e.g. "1000:1000") in the compose file or try to set the UID/PUID and GID/PGID environment variables to 1000.
⚠️	nginx-proxy-manager/umbrel-app.yml	"icon" and "gallery" needs to be empty for new app submissions: The "icon" and "gallery" fields must be empty for new app submissions as it is being created by the Umbrel team.

Legend

Symbol	Description
❌	Error: This must be resolved before this PR can be merged.
⚠️	Warning: This is highly encouraged to be resolved, but is not strictly mandatory.
ℹ️	Info: This is just for your information.

[nmfretz]

It turns out that nginx ignores /etc/hosts when using proxy pass.
Related issue: NginxProxyManager/nginx-proxy-manager#1225

Ah I see, good sleuthing.

So one option is to ask users to directly use the IP 172.17.0.1 instead of umbrel.local. But not sure if IP is always the same for everyone. Also it not really that convenient as well

Hence, as a workaround, I found a docker image qoomon/docker-host which basically accepts traffic on all ports and forwards it to the host. With this users will be able to use umbrel.local as Forward hostname.

Great find with docker-host! A bit unfortunate that we need to use it because the container needs elevated capabilities to run (NET_ADMIN and NET_RAW), but we currently have precedence for this in the app store with other apps like adguard/pihole/wireguard, so we should allow this here for the functionality it provides. In the future we can look into locking this down more.

I have added a dynamic environment variable for hostname (9151cf1) and have tested the app, including using umbrel.local as a forward hostname. Going live! Thanks again for all your hard work bringing this to the app store 🚀

[sahilph]

Awesome. Thanks 👍