In Nginx Proxy Manager (NPM) when you set up a proxy you have to choose “scheme”, either http or https. If you choose “https” for an “https” link, it doesn’t work! The website returns and error.

Today I spent a very long time setting up Vaultwarden. Even though I don’t plan to expose it to the public internet, I had to get an SSL certificate because the thing wouldn’t register/login without it. I setup everything right, it didn’t work until I changed that “scheme” option over from “https” to “http”?

So, if I want to setup a proxy that has: SSL certificate, force SSL, and will be visited through “https://”, why would it only work with that http option?

  • SKBoA
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    The informations you enter in the detail panel are the ones you need to access the service.

    Say, you have a default installation of Vaultwarden on the port 1234, you can access it directly, in http, with the URL http://hostname:1234, and therefore, you will need to configure NPM so that the new proxy host access the service with the http scheme, on the hostname host, with the port 1234.

    Now, you change your installation of Vaultwarden, and add all the necessary TSL public and private keys that it requires, then you will need to directly access your instance with the https scheme, on the https://hostname:1234 URL, so that the TLS handshake can be performed and a secure connection can be made. The NPM configuration then will need to use the https scheme as well to access the service, otherwise, NPM won’t be able to properly connect to the service and it will fail.

    That’s for the “internal” part of your configuration. You can still provide a service with TLS certifications, force TLS and everything, that will be for the external part of your service. If you trust your network, the communication inside it, or the device that holds all your services, it’s totally fine to use an http scheme to access your service internally. But if you have to access it through a network that you don’t trust, say, all the communications are unencrypted, and your NPM host is not the same as your Vaultwarden one, then you should definitely go through the hassle of setting up all the TLS encryption directly inside Vaultwarden first, and access it only with the https scheme.

  • AnonymusChief@alien.topB
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    Unfortunately, I currently do not have an NPM deployment. However, NPM has a section wheee you setup the DNS challenge. Can you confirm that is setup?