NGINX Proxy Manager cannot resolve locations

Question

Please read Update below

My setup:

My goal:

Access Heimdall at https://heimdall.myserver.lan instead of https://myserver.lan:8444/.

My configuration:

I've set up a freshly installed NPM at http://myserver.lan:8185/ which is a Docker container made with Portainer on a Debian VM inside a Promox VE server.

I've got Heimdall ready at https://myserver:8444/ which is a Docker container as well. SSL is managed by Heimdall itself.

This is my NPM Proxy Host config:

When I click on heimdall.myserver.lan the browser opens the location correctly but no server can be found: "We can’t connect to the server at heimdall.myserver.lan."

These are the locations which I can access directly in my browser:

Heimdall:
https://myserver:8444/
https://myserver.lan:8444/

NPM:
http://myserver:8185/
http://myserver.lan:8185/

Apache container:
http://myserver:8080
http://myserver.lan:8080

I can shell into the NPM container:

# docker container exec -it npm /bin/bash
# cat /etc/hostname
a521690d0bd0

# cat /etc/hosts
127.0.0.1       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.17.0.9      a521690d0bd0

# cat /etc/resolv.conf
domain lan
search lan
nameserver 192.168.1.1

Ping works for:

myserver / myserver.lan
myrouter / myrouter.lan
a521690d0bd0 (the localhost)

But not for:

a521690d0bd0.lan
d4fa6db15d5e
d4fa6db15d5e.lan (the heimdall container)

I could certainly add a521690d0bd0.lan to /etc/hosts but I guess that won't matter.

I thought maybe just the other docker containers aren't reachable but it's the same with Apache at http://myserver.lan:80 This is not a container, it's a regular Apache on myserver.lan.

No external access is required. It's all in my homelab. AdGuard Home is the DNS server in my OpenWrt router. There are two rules:

[/lan/]127.0.0.1:5353
[//]127.0.0.1:5353

I did this once to be able to resolve all my local hostnames because the DHCP server is kept inside OpenWrt itself.

What am I missing here? What's the next step to troubleshoot?

Update:

I managed to update my DNS with a CNAME record like this:

config cname
        option cname 'heimdall.myserver.lan'
        option target 'myserver.lan'

Now https://heimdall.myserver.lan resolves correctly to myserver.lan and NPM delivers the page. This is because I temporarily changed the NPM port in Portainer to 80:80 for HTTP. I still don't know how to overcome the port issue. Heimdall at https://myserver.lan:8444 is working and delivering a valid SSL certificate. The Scheme in NPM is set to HTTPS. But opening https://heimdall.myserver.lan shows:

403 Forbidden nginx/1.23.2

So my questions are: Why can I only use Port 80 for the subdomain and how can I solve the SSL problem?

Answer 1

When I click on heimdall.myserver.lan the browser opens the location correctly but no server can be found: "We can’t connect to the server at heimdall.myserver.lan."

NGINX Proxy Manager is not the problem here. It is not doing any resolving at this point – it's your browser that cannot resolve the domain name of the Proxy Manager itself.

In short the problem seems to be that you haven't created the domain in DNS at all. The configuration that you have in Proxy Manager does not do that automatically – all it does is define how requests for this domain would be handled if the domain existed and if it were successfully resolved to the proxy's address.

The domain needs to be added to your .lan DNS server (the 127.0.0.1:5353 on OpenWrt, whatever that is); although you currently have myserver.lan there, but that does not automatically make subdomains exist – they all need to be added separately.

If the .lan DNS server doesn't allow creating custom entries and is strictly DHCP-only, you might be able to create a static override in your AdGuard configuration (which looks a lot like dnsmasq configuration, really).