[GUIDE] Installing the NGINX reverse proxy with an SSL certificate for Umbrel / BTCPay Server

Hi!

Today I published a guide on my website on how to expose one’s Umbrel node with BTCPay Server to the internet using a reverse SSL proxy. This will allow you to accept Bitcoin payments on your own domain.

The link is: https://jorijn.com/installing-nginx-reverse-proxy-with-ssl-certificate-umbrel-btcpayserver/

If you have any questions following this guide, leave a comment here and I’ll do my best to help out.

Jorijn

5 Likes

Hey Jorijn!

First of all, thanks for your tutorial.

I set up the same environment some days ago (with quite the same configuration).

But I still have a problem inside BTCPay Server regarding websocket / notifications - only if I connect via reverse proxy.

“WebSocket connection to ‘wss://btcpay.myurl.com/Notifications/SubscribeUpdates’ failed”
“Error while connecting to websocket for notifications (callback)”

Do you have the same errors in your DEV console?

Thanks and BR,
Tobi

Hi Tobi,

My guide contains configuration to circumvent that. You should instruct NGINX to return Connection: upgrade on some occasions to make the websocket work. See the manual for more information but it comes down to including this part somewhere in your NGINX config;

proxy_buffer_size          128k;
proxy_buffers              4 256k;
proxy_busy_buffers_size    256k;
client_header_buffer_size 500k;
large_client_header_buffers 4 500k;
http2_max_field_size       500k;
http2_max_header_size      500k;

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

Then, in the vhost, include these lines:

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

Source: https://docs.btcpayserver.org/FAQ/FAQ-Deployment/#can-i-use-an-existing-nginx-server-as-a-reverse-proxy-with-ssl-termination

Let me know if this worked :slight_smile:

Jorijn

2 Likes

Not everybody is really good with lines and code. It could be good if you dropped a video or YouTube version. Otherwise thank you, I appreciate that.

Hey @mccolister1017

I’m a firm believer in technical articles in plain text. This allows you to read and understand at your own pace.

Thanks for the suggestion though :slight_smile:

2 Likes

Hi Jorijn,

Thank you for putting up this guide! I’m halfway through, but I got stuck at requesting the SSL certificate. The following command from your guide (of course with my own domain/email) results in

-bash: /etc/nginx/sites-enabled: Is a directory

Is it possible that the command is missing something?

/etc/nginx/sites-enabled $ sudo certbot --nginx -d btcpay.jorijn.com -m jorijn@jorijn.com --agree-tos --tls-sni-01-port 15443 --http-01-port 15080

Hope you can help..

grtz,

Bart.

Hi @crapdeluxe

From the information you gave me, I can’t really determine what’s wrong. I suspect the symlink might be corrupt or wrongly created. It should look like this;

umbrel@umbrel:/etc/nginx/sites-enabled $ ls -la
total 8
drwxr-xr-x 2 root root 4096 Aug 12 14:51 .
drwxr-xr-x 8 root root 4096 Aug 12 14:43 ..
lrwxrwxrwx 1 root root   33 Aug 12 14:26 btcpay -> /etc/nginx/sites-available/btcpay

If the symlink is fine, please give me a bit more logging/information to go on :slight_smile:

Jorijn

Hi Jorijn,

Thanks for your answer!

umbrel@umbrel:/ $ /etc/nginx/sites-enabled $ ls -la
-bash: /etc/nginx/sites-enabled: Is a directory

I guess there was no symlink created (?). Being not too unix literate I started with a clean Umbrel install and followed your guide again, but same problem.

umbrel@umbrel:/etc/nginx/sites-enabled $ ls -al
total 8
drwxr-xr-x 2 root root 4096 Aug 23 15:46 .
drwxr-xr-x 8 root root 4096 Aug 23 15:43 ..
lrwxrwxrwx 1 root root 33 Aug 23 15:46 btcpay -> /etc/nginx/sites-available/btcpay
lrwxrwxrwx 1 root root 34 Aug 23 15:43 default -> /etc/nginx/sites-available/default

I don’t get it. The following command from your guide should have made it a symlink afaik. Strange…

Then, enable the configuration:
umbrel@umbrel:~ $ sudo ln -s /etc/nginx/sites-available/btcpay /etc/nginx/sites-enabled/

I’ve attached the full output of ‘sudo apt update’. Maybe that helps? apt update log

Hi @crapdeluxe

I found the culprit. The manual states:

umbrel@umbrel:/etc/nginx/sites-enabled $ sudo certbot --nginx -d btcpay.jorijn.com -m jorijn@jorijn.com --agree-tos --tls-sni-01-port 15443 --http-01-port 15080

But, the command only starts after the dollar ($) sign. I updated the article for clarification.

Jorijn

1 Like

Okay, I could have spotted that myself :roll_eyes:

Thanks again!

Hi @jorijn, thanks for this amazing guide. I’m wondering if by any chance you know how to make the BTCTransmuter plugin available using BTCPay on Umbrel. I tried to follow the instructions here, but obviously the Umbrel installation of BTCPay does not follow the same file structure.

Hi @juanchi_pty

I haven’t heard of this plugin yet. If there’s enough interest I could have a look :slight_smile:

Thanks for your response @jorijn. I think there will be a lot of interest in this plugin, but the fact is that not many are aware of its existence. It gives very useful new functionalities to BTCPay, like these ones:

  • Fiat Conversion - Convert incoming money to fiat on an exchange by market selling when BTCPay invoice statuses change.
  • Exchange - Provides you a way to connect to a variety of exchanges and place orders on them
  • Lightning - Provides you interoperability with lightning nodes to be able to do basic channel and invoice management

But I guess it all depends on the community and if they want to use this plugin, but again, I think people are not aware of this plugin and that is why there are not many looking for a way to make it work under Umbrel.

Awesome guide, @jorijn. Thank you!

I followed it but am getting this error at the last step about adding the manual HTTP redirect:

umbrel@umbrel:~ $ sudo nginx -t
nginx: [warn] conflicting server name "btcpay.jorijn.com" on 0.0.0.0:15080, ignored
nginx: [warn] conflicting server name "btcpay.jorijn.com" on [::]:15080, ignored
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

My config file at /etc/nginx/sites-available/btcpay looks like this:

proxy_buffer_size          128k;
proxy_buffers              4 256k;
proxy_busy_buffers_size    256k;
client_header_buffer_size 500k;
large_client_header_buffers 4 500k;
http2_max_field_size       500k;
http2_max_header_size      500k;

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

server {
    server_name btcpay.jorijn.com;

    location / {
        proxy_pass http://127.0.0.1:3003;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }

    listen 15080;
    listen [::]:15080;
}

server {
    if ($host = btcpay.jorijn.com) {
        return 301 https://$host$request_uri;
    }

    listen 15080;
    listen [::]:15080;

    server_name btcpay.jorijn.com;
    return 404;
}

Anything stand out to you?
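
Added example, not part of the thread or of the guide: nginx prints the "conflicting server name" warning shown above when two server blocks claim the same server_name on the same listen address, and it ignores the name in the later block. The Python sketch below finds such pairs; the sample config is constructed from the two server blocks in the post, and the parser assumes no braces inside quoted strings and no include files.

```python
import re
from collections import defaultdict

# Constructed sample: the two server blocks from the post, proxy headers trimmed.
SAMPLE_CONF = """
server {
    server_name btcpay.jorijn.com;
    location / {
        proxy_pass http://127.0.0.1:3003;
    }
    listen 15080;
    listen [::]:15080;
}
server {
    if ($host = btcpay.jorijn.com) {
        return 301 https://$host$request_uri;
    }
    listen 15080;
    listen [::]:15080;
    server_name btcpay.jorijn.com;
    return 404;
}
"""

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(body, name):
    """Return the argument string of every `name ...;` directive in body."""
    return re.findall(r"(?m)^\s*" + name + r"\s+([^;{]+);", body)

def find_conflicts(conf):
    """Map (listen address, server_name) to the indexes of the server blocks
    that claim it, keeping only pairs claimed by more than one block."""
    seen = defaultdict(list)
    for idx, body in enumerate(server_blocks(conf)):
        names = [n for arg in directives(body, "server_name") for n in arg.split()]
        for arg in directives(body, "listen"):
            addr = arg.split()[0]        # drop flags such as "ssl"
            if addr.isdigit():           # bare port means all IPv4 addresses
                addr = "0.0.0.0:" + addr
            for name in names:
                seen[(addr, name)].append(idx)
    return {k: v for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    for (addr, name), blocks in sorted(find_conflicts(SAMPLE_CONF).items()):
        print(f'conflicting server name "{name}" on {addr}: blocks {blocks}')
```

Run against the sample, it reports the same two address and name pairs that `nginx -t` warned about, each claimed by blocks 0 and 1.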

I think I figured it out. You need to listen on ports listen 15443 instead of 15080 in the second server block.

But a video will not help you more than this excellent piece of tutorial.
Nowadays people really don’t want to read, damn it. Only YT videos to do what? To watch the same text?

Not for me, but for the noobs. I’m good.

So you’re saying:
server {
    if ($host = btcpay.jorijn.com) {
        return 301 https://$host$request_uri;
    }

    listen 15443;
    listen [::]:15443;

    server_name btcpay.jorijn.com;
    return 404;
}

Correct ?

Thanks for this amazing guide ! Anywhere to donate some sats ?

I’m stuck at the SSL request, and when I submit
sudo certbot --nginx -d btcpay.jorijn.com -m jorijn@jorijn.com --agree-tos --tls-sni-01-port 15443 --http-01-port 15080

the error is like:

Failed authorization procedure. btcpay.jorijn.com (http-01): urn:ietf:params:acme:error:connection :: The server could not connect to the client to verify the domain :: Fetching http://btcpay.jorijn.com/.well-known/acme-challenge/GOGEEfQRjgEQfFN7FpT_rMRmNaUpp0zllYvzPwihETc: Connection refused

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain:btcpay.jorijn.com
   Type:   connection
   Detail: Fetching
   http://btcpay.jorijn.com/.well-known/acme-challenge/GOGEEfQRjgEQfFN7FpT_rMRmNaUpp0zllYvzPwihETc:
   Connection refused

I think I need to ask for another certificate? Any idea?
Certbot did not ask me about redirecting as you mentioned in your guide.

Thanks

Yes