How to reverse proxy with NGINX Proxy Manager? #239

Closed
phere-x opened this issue Jan 19, 2023 · 9 comments

phere-x commented Jan 19, 2023

Weirdly enough, it works when accessing on my local network through the domain. But when I gave it to a friend to join it came up with 'peer connecting failed'.

I had only port 80 & 443 forwarded to NGXPM to handle reverse proxying.

  neko:
    image: "m1k1o/neko:vlc"
    restart: "unless-stopped"
    shm_size: "4gb"
    ports:
      - "8080:8080"
      - "52000-52100:52000-52100/udp"
      - "52101:52101/udp"
    cap_add:
      - SYS_ADMIN
    environment:
      NEKO_EPR: 52000-52100
      NEKO_UDPMUX: 52101
      NEKO_ICELITE: "true"
      NEKO_ICESERVER: stun:stun.l.google.com:19302
      NEKO_NAT1TO1: 192.168.1.100
      #
      NEKO_PASSWORD: neko
      NEKO_PASSWORD_ADMIN: admin
      NEKO_CONTROL_PROTECTION: "true"
      NEKO_LOCKS: control login file_transfer
      NEKO_VIDEO_CODEC: h264 
      NEKO_SCREEN: 1600x900@60
      NEKO_MAX_FPS: 23

Logs at the time:

2023-01-19 00:50:15,322 DEBG 'neko' stdout output:
12:50AM INF signaling state changed to have-local-offer module=webrtc submodule=pion subsystem=pc
2023-01-19 00:50:15,323 DEBG 'neko' stdout output:
12:50AM INF sent all ICECandidates module=webrtc
2023-01-19 00:50:15,369 DEBG 'neko' stdout output:
12:50AM INF signal update - RemoteAnswer id=RvavWkVWUuSGUY7v9mcnACsZ2z88F__8 module=session
2023-01-19 00:50:15,369 DEBG 'neko' stdout output:
12:50AM INF signaling state changed to stable module=webrtc submodule=pion subsystem=pc
12:50AM INF Setting new connection state: Checking module=webrtc submodule=pion subsystem=ice
2023-01-19 00:50:15,369 DEBG 'neko' stdout output:
12:50AM INF ICE connection state changed: checking module=webrtc submodule=pion subsystem=pc
12:50AM INF connection state has changed connection_state=checking module=webrtc
2023-01-19 00:50:27,409 DEBG 'neko' stdout output:
12:50AM INF Setting new connection state: Failed module=webrtc submodule=pion subsystem=ice
2023-01-19 00:50:27,410 DEBG 'neko' stdout output:
12:50AM INF ICE connection state changed: failed module=webrtc submodule=pion subsystem=pc
12:50AM INF connection state has changed connection_state=failed module=webrtc
12:50AM INF peer connection state changed: failed module=webrtc submodule=pion subsystem=pc
12:50AM WRN peer failed id=RvavWkVWUuSGUY7v9mcnACsZ2z88F__8 module=webrtc
12:50AM INF Setting new connection state: Closed module=webrtc submodule=pion subsystem=ice
2023-01-19 00:50:27,410 DEBG 'neko' stdout output:
12:50AM INF peer connection state changed: closed module=webrtc submodule=pion subsystem=pc
12:50AM INF destroying session module=session session_id=RvavWkVWUuSGUY7v9mcnACsZ2z88F__8
12:50AM INF ICE connection state changed: closed module=webrtc submodule=pion subsystem=pc
2023-01-19 00:50:27,410 DEBG 'neko' stdout output:
12:50AM INF connection state has changed connection_state=closed module=webrtc
12:50AM WRN Failed to start manager: connecting canceled by caller module=webrtc submodule=pion subsystem=pc
12:50AM WRN Failed to start SCTP: DTLS not established module=webrtc submodule=pion subsystem=pc
12:50AM WRN undeclaredMediaProcessor failed to open SrtcpSession: the DTLS transport has not started yet module=webrtc submodule=pion subsystem=pc
12:50AM INF peer closed id=RvavWkVWUuSGUY7v9mcnACsZ2z88F__8 module=webrtc
2023-01-19 00:50:27,410 DEBG 'neko' stdout output:
12:50AM WRN undeclaredMediaProcessor failed to open SrtpSession: the DTLS transport has not started yet module=webrtc submodule=pion subsystem=pc
Owner

m1k1o commented Jan 19, 2023

You should change NEKO_NAT1TO1 to your public IP. See docs: https://neko.m1k1o.net/#/getting-started/?id=networking

Author

phere-x commented Jan 21, 2023

from #/getting-started/networking

If you want to use n.eko in external network, you can omit NEKO_NAT1TO1. It will automatically get your Public IP.

Tried exactly this. Did not work.
Also tried these (verified on local IP, public IP, domain name):

  1. setting NEKO_NAT1TO1: <my_public_ip> (this made neko unusable/forever loading)

  2. completely omitting it (as mentioned here) with the same outcome as #1

  3. omitting & adding NEKO_IPFETCH: http://checkip.amazonaws.com (from here)

  4. setting NEKO_NAT1TO1: <my_public_ip> & adding NEKO_IPFETCH: https://checkip.amazonaws.com

  5. Also tried pointing my nginx proxy manager to my public IP & opening port 8080


BulldogMW commented Jan 21, 2023

> from #/getting-started/networking
>
> If you want to use n.eko in external network, you can omit NEKO_NAT1TO1. It will automatically get your Public IP.
>
> Tried exactly this. Did not work. also tried these (verified on local ip, public ip, domain name):
>
> 1. setting `NEKO_NAT1TO1: <my_public_ip>` (this made neko unusable/forever loading)
>
> 2. completely omitting it (as mentioned [here](https://neko.m1k1o.net/#/getting-started/?id=networking)) with the same outcome as **# 1**
>
> 3. omitting & adding `NEKO_IPFETCH: http://checkip.amazonaws.com` (from [here](https://neko.m1k1o.net/#/getting-started/configuration?id=neko_ipfetch))
>
> 4. setting `NEKO_NAT1TO1: <my_public_ip>` & adding `NEKO_IPFETCH: https://checkip.amazonaws.com`
>
> 5. Also tried pointing my nginx proxy manager to my public IP & opening port `8080`

I had some issues getting it to work with NGINX Proxy because we have other stuff on the network forwarding to 8080. What I had to do was set a Port in the docker-compose file.

    ports: # Just an example. Can be any port not being used.
      - "1234:8080"

I set NEKO_ROOMS_NAT01=(My public ip)
I set NEKO_ROOMS_INSTANCE_URL=https://subdomain.domain.com/ (Any domain if you want to use one. You can also use your outside ip https://outsideip/)

I then set up my router firewall to open the port I just used and assigned it to the local IP of the neko-room host.

Then in Nginx Proxy I set it up like in the photos below:
https://i.imgur.com/Ylj16en.jpg
https://i.imgur.com/Cs8suCg.jpg
Note: I did set up SSL (Let's Encrypt) as well because I am using a domain.

Not sure if this will work for you but it's what got it working for me.

Owner

m1k1o commented Jan 21, 2023

Check if you have properly forwarded ports using the troubleshooting guide.

Also, specifying NEKO_UDPMUX means that NEKO_EPR will not be used anymore. If you want to have EPR, remove MUX, or vice versa. Or the only way could be TCPMUX + EPR.

Author

phere-x commented Jan 21, 2023

Going through troubleshooting guide

Validate UDP

Was successful

Running docker-compose logs neko | grep nat_ips:

INF webrtc starting ephemeral_port_range=52000-52100 ice_lite=true ice_servers="[{URLs:[stun:stun.l.google.com:19302] Username: Credential:<nil> CredentialType:password}]" module=webrtc nat_ips=192.168.1.217

That's when I set NEKO_NAT1TO1 to my local IP 192.168.1.217. And this makes the room function. I can locally access it & also through my domain while on the same network as the app.

But again, when I change NEKO_NAT1TO1 to my public IP or omit it & set NEKO_IPFETCH: https://ifconfig.co/ip, it falls into a forever loading screen.

I'll try doing exactly what you did with neko-rooms & get back. If all else fails, I'll rent a VPS & use the reverse proxy script & work backwards to see what I can figure out.


Apuru commented Jan 22, 2023

Hey I use Nginx reverse proxy manager too and here's what I've found.

I believe if you set neko_nat to your local IP then your friend won't be able to connect but you will be able to. If you set it to public IP, you won't be able to connect on the local network but your friend will be able to.

The solution here is to leave neko_nat alone so it's set to your public IP. Turn on NAT hairpinning on your router, then connect to your public IP with port in your web browser. That should work. So for you it would be public ip:8080.

Try it in a different browser too, it could be a cache issue (that isn't resolved in a private browsing window). I normally use Firefox but I tried it in Chrome and it worked fine in Chrome but didn't work in Firefox.

Author

phere-x commented Jan 22, 2023

OK, so I managed to make it work (currently tested with one UDP port). I didn't think to try it 'cause every app I've hosted has never needed all ports to be exposed to the world.

On my router, I had to expose the neko_bind AND UDP ports on my router (before I only ever had port 80 & 443 exposed for nginx manager, with 10+ apps running)

Basically all that I changed:

In my compose, I manually set my public IP & used the aws service. Both worked.

      NEKO_NAT1TO1: <MY_PUBLIC_IP> / https://checkip.amazonaws.com

In my router settings, I exposed both the default NEKO_BIND port & the UDP port (NEKO_UDPMUX) - both of these are of course opened in the compose file.

And in NGX-PM, I couldn't use the service name (neko in my case), I had to set the local IP of that machine.

But I don't know how safe it is to keep it like this as I've always heard it's best not to do that.

Owner

m1k1o commented Jan 23, 2023

You can forward NEKO_BIND using proxy, and therefore adding HTTPS layer to your connection - this is the preferred solution. Only NEKO_UDPMUX and/or NEKO_TCPMUX need to be exposed for WebRTC. They are only used to multiplex connections from clients, secured by password that is exchanged using signaling protocol over HTTP(S).

You could use TURN servers (either custom deployed in DMZ or bought as a service) to get rid of the ports.

Connection from proxy -> neko service can use local IP addresses. Only NEKO_NAT1TO1 needs public IP, and that is only needed for ports NEKO_UDPMUX and NEKO_TCPMUX or NEKO_EPR.
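
The exposure rules from this thread, written as a small lint over a neko service's compose settings. This is an added example, not code from the neko project: the function names and finding codes are made up for it, the HTTP port is assumed to be 8080 as in the compose file above, and the sample input is constructed from that same file.

```python
import ipaddress

# RFC 1918 ranges: addresses a peer outside the LAN cannot reach.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
EXAMPLE_PASSWORDS = {"neko", "admin"}  # the values shown in this issue's compose file

def parse_port(spec):
    """Split compose short syntax '[host_ip:]host:container[/proto]'."""
    spec, _, proto = spec.partition("/")
    parts = spec.split(":")
    host_ip = parts[0] if len(parts) == 3 else ""
    return host_ip, parts[-1], proto or "tcp"

def lint_neko(env, ports):
    """Return finding codes for one neko service (environment dict, ports list)."""
    findings = []
    nat = env.get("NEKO_NAT1TO1")
    if nat:
        try:
            addr = ipaddress.ip_address(nat)
            if any(addr in net for net in RFC1918):
                findings.append("NAT1TO1_PRIVATE")  # remote peers are offered a LAN address
        except ValueError:
            findings.append("NAT1TO1_NOT_AN_IP")
    mux = env.get("NEKO_UDPMUX")
    if mux and "NEKO_EPR" in env:
        findings.append("EPR_IGNORED_WITH_UDPMUX")
    # Assumption: HTTP listens on 8080 unless NEKO_BIND says otherwise.
    http_port = env.get("NEKO_BIND", ":8080").rsplit(":", 1)[-1]
    for spec in ports:
        host_ip, container, proto = parse_port(spec)
        if proto == "udp" and mux and container != str(mux):
            findings.append("UNUSED_UDP_PUBLISHED:" + spec)  # only the mux port is used
        if proto == "tcp" and container == http_port and not host_ip:
            findings.append("HTTP_ON_ALL_INTERFACES:" + spec)  # should sit behind the proxy
    for key in ("NEKO_PASSWORD", "NEKO_PASSWORD_ADMIN"):
        if env.get(key) in EXAMPLE_PASSWORDS:
            findings.append("EXAMPLE_PASSWORD:" + key)
    return findings

# Constructed input: the settings from the compose file at the top of this issue.
ISSUE_ENV = {"NEKO_EPR": "52000-52100", "NEKO_UDPMUX": "52101",
             "NEKO_NAT1TO1": "192.168.1.100",
             "NEKO_PASSWORD": "neko", "NEKO_PASSWORD_ADMIN": "admin"}
ISSUE_PORTS = ["8080:8080", "52000-52100:52000-52100/udp", "52101:52101/udp"]

if __name__ == "__main__":
    print("\n".join(lint_neko(ISSUE_ENV, ISSUE_PORTS)))
```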

Author

phere-x commented Jan 23, 2023

You can forward NEKO_BIND using proxy, and therefore adding HTTPS....

Done. I've made the changes you've mentioned & left it at that. Currently working & trust it's safe enough. If it ever becomes a worry I'll try to look into the turn servers. Thank you & Apuru for helping me stop drilling my nails into my head over this. No doubt I'll come back with another issue :D

phere-x closed this as completed Jan 27, 2023