[Support]: Nginx Proxy Manager Configuration for ZTNET? Traefik? #556

Closed
1 of 2 tasks
TBT-TBT opened this issue Sep 18, 2024 · 2 comments
Labels
support support request for ZTNET

Comments

TBT-TBT commented Sep 18, 2024

📝 Inquiry

A lot of people don't use Caddy as a reverse proxy, but NPM or Traefik.

I have tried setting up ZTNET with NPM, but wasn't able to. I would be happy for some guide on how to set up ZTNET with NPM. And a lot of people certainly would be happy about some Traefik guidance.

Great work, amazing software, which I would love to use!

Yours
TBT

🔖 Version

not applicable -> docker-compose / NPM issue

🔧 Deployment Type

  • Docker
  • Standalone

💻 Operating System

Debian

🌐 Browser

Chrome

📚 Any Other Information That May Be Helpful

No response

@TBT-TBT TBT-TBT added the support support request for ZTNET label Sep 18, 2024
pbksol commented Sep 29, 2024

NGINX is super simple (this is for the .conf without the Manager – don't use it):

    server {
        server_name SERVER;

        access_log /var/log/nginx/ztnet_access.log;
        error_log  /var/log/nginx/ztnet_error.log;

        location / {
            proxy_pass http://localhost:3000;
        }
    }

Then just add a LE cert and you're done.

Make sure the firewall blocks access from WAN to port 3000 and that's it.

TBT-TBT commented Oct 5, 2024

I really need to use Nginx Proxy Manager, everything is set up to use it. I will not switch to Nginx alone or Caddy at this point.

Also I prefer a method to not expose port 3000 in the first place and then close it down via firewall (as I have done for many other proxied services).

I found a solution now (for others to find and follow):

  1. I put all ZTNET containers in the same network as Nginx Proxy Manager: "proxy_network", which is a preexisting network for me.

         networks:
           proxy_network:
             external: true

     That is all, no use of the network in the compose file here, so every service uses this network. I would have preferred only ztnet using it and a separate network for Postgres and ZT, but that didn't work.

  2. Configuration of ZT:

         environment:
           - ZT_OVERRIDE_LOCAL_CONF=true
           - ZT_ALLOW_MANAGEMENT_FROM=172.19.0.0/29

     ...which is the fixed IP range of my external network "proxy_network".

  3. I commented out all ports of the "ztnet" service.

         ztnet:
         ...
         #    ports:
         #     - 3000:3000

     So no external port (3000) for the "ztnet" container, only the 9993 port for the "zerotier" container, no access via http only and port 3000, even without configuring the firewall.

  4. Environment of ZTNET:

         environment:
           NEXTAUTH_URL: "https://myztnet.domain.tld" # !! Important !! Set the NEXTAUTH_URL environment variable to the canonical URL or IP of your site
           NEXTAUTH_SECRET: "MYTOTALLYPRIVATESECRET*CHANGEME*"
           NEXTAUTH_URL_INTERNAL: "http://ztnet:3000" # Internal NextAuth URL for 'ztnet' container on port 3000. Do not change unless modifying container name.

  5. Configuration of NPM:
     Just a simple proxy host with

         http ztnet 3000

for "myztnet.domain.tld", with a Let's Encrypt SSL cert and no additional . The ZTNET container can be addressed this way, because the container name is set this way in the compose file and because the ZTNET container is in the same network as the Nginx Proxy Manager container.

@TBT-TBT TBT-TBT closed this as completed Oct 5, 2024
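
A check for the points both comments raise (port 3000 kept off the WAN, the ZeroTier management range limited to the proxy network, the NextAuth settings), as an added example that is not part of the thread or of the ZTNET project. It assumes the stack is exported with `docker compose config --format json`; the sample document, the `MAY_PUBLISH` allow-list and the RFC 1918 test are constructed for illustration.

```python
import ipaddress
import json

# Constructed sample shaped like `docker compose config --format json` output,
# with three deliberate mistakes for the audit to find.
SAMPLE = json.loads("""
{"services": {
  "zerotier": {"ports": [{"target": 9993, "published": "9993"}],
               "environment": {"ZT_OVERRIDE_LOCAL_CONF": "true",
                               "ZT_ALLOW_MANAGEMENT_FROM": "0.0.0.0/0"}},
  "ztnet": {"ports": [{"target": 3000, "published": "3000"}],
            "environment": {"NEXTAUTH_URL": "https://myztnet.domain.tld",
                            "NEXTAUTH_SECRET": "MYTOTALLYPRIVATESECRET*CHANGEME*"}},
  "postgres": {"environment": {}}
}}
""")

MAY_PUBLISH = {"zerotier"}  # assumption: only the ZeroTier port may reach the host
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def audit(compose):
    """Return (service, finding) tuples for a normalised compose document."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        env = svc.get("environment") or {}
        for port in svc.get("ports") or []:
            # A published port bypasses the reverse proxy; a loopback-only
            # binding (nginx running on the host itself) is tolerated.
            if name not in MAY_PUBLISH and port.get("host_ip") != "127.0.0.1":
                findings.append((name, f"publishes port {port.get('published', port['target'])}"))
        cidr = env.get("ZT_ALLOW_MANAGEMENT_FROM")
        if cidr is not None:
            try:  # treated as a single IPv4 CIDR, as in the comment above
                net = ipaddress.ip_network(cidr.strip(), strict=False)
                ok = net.version == 4 and any(net.subnet_of(r) for r in RFC1918)
            except ValueError:
                ok = False
            if not ok:
                findings.append((name, f"management allowed from {cidr}, not a private IPv4 range"))
        url = env.get("NEXTAUTH_URL")
        if url and not url.startswith("https://"):
            findings.append((name, "NEXTAUTH_URL is not https"))
        if "CHANGEME" in (env.get("NEXTAUTH_SECRET") or ""):
            findings.append((name, "NEXTAUTH_SECRET still holds the placeholder"))
    return findings


if __name__ == "__main__":
    for service, finding in audit(SAMPLE):
        print(f"{service}: {finding}")
```

To audit a real stack, replace `SAMPLE` with the parsed JSON export and adjust `MAY_PUBLISH` to the services that are meant to be reachable from outside.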