How to configure Umbrel BTCPay Server with NGINX reverse proxy

Hey.

Did you replace btcpay.jorijn.com with the correct domain name? If so, were you able to properly forward the ports in your router?

If privacy is an issue, feel free to reach out to me on Telegram. My username is @jorijn over there.

Donations are always very welcome, you can send me sats over at https://jorijn.com/donate/ :slight_smile:


Hello great job! Is there a consideration here to integrate this directly into Umbrel so that a simple setup is possible?


This was fantastic, thanks. Would be great if this was built into GetUmbrel (you would need to be able to configure the dynamic DNS and request an SSL certificate, of course). It meant I could finish my son's Bitcoin 3D printing store (www.robotechy.com) this evening.


Thank you very much, Jorijn, works well so far. Really appreciate the effort putting this together :pray:
Two questions I have:

  1. Why is step 7 necessary, as in Step 6 certbot would be able to offer an option to do the redirect for you?

    Redirect - Make all requests redirect to secure HTTPS access. Choose this for
    new sites, or if you’re confident your site works on HTTPS. You can undo this
    change by editing your web server’s configuration.

  2. After adding the manual redirect, I’m getting the following Warn message from nginx testing:

    umbrel@umbrel:~ $ sudo nginx -t
    nginx: [warn] conflicting server name “subdomain.main-domain.com” on 0.0.0.0:15080, ignored
    nginx: [warn] conflicting server name “subdomain.main-domain.com” on [::]:15080, ignored
    nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
    nginx: configuration file /etc/nginx/nginx.conf test is successful

While it was fine at step 5 (so basically before the SSL certificate pull). Any idea where the warning is coming from?

Hey @Hakuna

In my case it didn’t recognise the automated redirect so I had to add it manually.

Your second warning might indicate that the manual redirect wasn’t needed anymore. The message basically means you have two server blocks for the same server name. This would be 1) the automated redirect and 2) the manual redirect.

Good luck!

Jorijn
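As an added illustration (constructed for this thread, not the guide's own files), here is what the "conflicting server name" warning looks like in nginx terms, with the duplicate pair beside the corrected single block. The redirect shape is roughly what `certbot --nginx` inserts when you pick "Redirect"; exact output differs between certbot versions.

```nginx
# ---- BEFORE: produces "conflicting server name ... on 0.0.0.0:15080, ignored" ----
# Both blocks claim subdomain.main-domain.com on port 15080. nginx keeps the
# first block it reads and IGNORES the second, so an edit made in the ignored
# block never takes effect, even though "nginx -t" still says "syntax is ok".

# Block 1: the original HTTP block after "certbot --nginx" applied "Redirect".
server {
    listen 15080;
    listen [::]:15080;
    server_name subdomain.main-domain.com;

    if ($host = subdomain.main-domain.com) {
        return 301 https://$host$request_uri;
    }
    return 404;
}

# Block 2: the manual redirect added afterwards (step 7) -> duplicate of block 1.
server {
    listen 15080;
    listen [::]:15080;
    server_name subdomain.main-domain.com;
    return 301 https://$host$request_uri;
}

# ---- AFTER: exactly one HTTP block per server_name/port, no warning ----
# Keep a single unconditional redirect; delete the other block entirely.
# The HTTPS block certbot created (listen 15443 ssl ...) is left untouched and
# keeps proxying to BTCPay Server. Re-run "sudo nginx -t" and then reload.
server {
    listen 15080;
    listen [::]:15080;
    server_name subdomain.main-domain.com;
    return 301 https://$host$request_uri;
}
```

The redirect target has no explicit port because the router forwards public 443 to 15443, so `https://subdomain.main-domain.com/` already lands on the TLS block.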

All good, works anyway, despite the warning log. BTCPay Server online.
I’ll try it a second time on another node (not Umbrel); it should be just as straightforward, I just need to adjust the ports and add UFW rules. The rest should be similar. Will report back here.

I am on step 3 and am having trouble setting up port forwarding…

When I try to forward port 80 to port 15080 and port 443 to port 15443 I get the following error message:
“The configured port range including the Connection Request port is not permitted”

My router does not seem to want to let me forward to any port higher than port 7547.

Any suggestions on how to fix this issue?

Hey Filou,

That’s strange, but use lower substitutes instead:
780 > 80
7443 > 443
Don’t forget to adjust this in your .conf files, and see how that goes.


@Hakuna Thanks for the reply!

I am now stuck on trying to create the SSL certificate, when I run the certbot command it returns an error:

IMPORTANT NOTES:
 - The following errors were reported by the server:

   Domain: btcpay.domain.com
   Type:   unauthorized
   Detail: Invalid response from
   http://btcpay.domain.com/.well-known/acme-challenge/8RVwXhBNY3JbHSVCwQPrI7g2w9BDra-pvUM55UMSNNw
   [100.100.100.100]: "<!DOCTYPE html><html
   lang=en><head><title>Umbrel</title><meta charset=utf-8><meta
   http-equiv=X-UA-Compatible content=\"IE=edge\"><"

   To fix these errors, please make sure that your domain name was
   entered correctly and the DNS A/AAAA record(s) for that domain
   contain(s) the right IP address.

*where btcpay.domain.com is the subdomain I’m using and 100.100.100.100 is the home IP

I’m hoping you get an answer. I’m stuck on port forwarding as well. My router won’t let me port forward 443 and 80 to the desired ports at the same time. I'm going to try doing different port numbers like you did, but the error is saying I can’t do both at the same time because one is in use? Doesn’t make sense because one is 80 and the other is 443.
Just a thought, but I do see it talk about DNS. Not sure if you checked that. Maybe something is off. Also, not sure what he meant by .conf files… maybe this happens if you don’t do that?

Hey, I was able to get this working in the end…

I used ports 780 and 7443 in place of the ports given in the guide.

You can use any ports, as long as they are not already claimed on your network. You just have to replace the corresponding ports you are actually forwarding to in the config settings.

So in my example, port 80 forwards to 780, and port 443 forwards to 7443. In this case, follow the guide as written, being sure to replace every mention of “1580” with “780”, and every mention of “15443” with “7443” (or whatever ports you actually choose).

Hope that helps!

Hi,
I am very much stuck with Step 4.
I ran this command and installed everything “sudo apt update”. No problem.
Then I ran this command, “sudo apt install python3-acme python3-certbot python3-mock python3-openssl python3-pkg-resources python3-pyparsing python3-zope.interface python3-certbot-nginx nginx”, and everything installed error free. When trying to access Umbrel, I get redirected to the nginx screen. It seems like nginx was installed on port 80.
Am I doing something wrong? And where am I going wrong?

Update:
I got it to work. I reflashed the SD card with umbrel. And attempted the installation of nginx again. This time I got the expected errors and was able to remap the port.

Hi Jorijn, first of all I want to thank you for the excellent contribution … I have successfully performed your procedure on a Raspberry Pi 4 … now I have installed Umbrel on Parallels on Mac successfully and BTCPay is installed … I have tried to run your procedure again but I receive an error in the installation of the certificates … maybe you’ve already been there and can help me … thanks

sudo certbot --nginx -d negozi.pagainbitcoin.com -m info@negozi.pagainbitcoin.com --agree-tos --tls-sni-01-port 15443 --http-01-port 15080

certbot: error: unrecognized arguments: --tls-sni-01-port 15443

Hey @valerio

That means you’re not running the right version of certbot. Certbot on Raspbian (on Umbrel) is held back a couple of versions. The newer versions don’t support SNI TLS validation. You can however look through --help as I’m sure there’s another option available. I don’t know which one off the top of my head.

Best of luck,
Jorijn


Thank you I will let you know !!

Rookie question: is “Home IP” my actual computer network IP address? Can’t anyone see that once I forward my domain to it?

  • Internet public domain names / IPs: google.com / 142.250.74.78. These are IPs/domain names that anybody connected to the internet can “see” and access, and they are maintained by public DNS servers. You need to buy or rent an IP from an ISP in order to be able to manage it for your own machines/systems.
  • Private IPs: 192.168.1.x / 10.0.0.x / 172.16.0.x. These are IPs visible ONLY inside your LAN (home area network) and are maintained by your home router, which assigns one to each of your devices connected to that router. In the Umbrel configuration you can also see them in the lnd.conf file, as one IP per service/app. So these IPs ARE NOT accessible from outside, unless you configure your router to forward specific ports to specific IPs inside your LAN.
  • Public VPN IPs: special services that offer you a secured tunnel to a specific server, which gives you a dedicated public IP to be used for accessing the internet. Like a strawman, a fake identity to hide your real IP / location. These IPs are visible and accessible by anybody on the internet.
  • Private VPN IPs: special private IPs, generated on a public server, with encryption and secured access, that offer users a dedicated tunnel through an internal private IP range, directly to your home devices. Each point / device will have its own IP, in the same range. This is what Tailscale uses.
  • Tor Network: a special network that uses the normal Internet network, but is not visible and accessible by regular browsers / devices; they need a dedicated proxy that converts and decrypts the onion addresses in order to make them accessible. All traffic on the Tor network is encrypted P2P and it is not necessary to open ports; each onion address can be redirected internally to a specific port.

To test / see which is the “public IP” of your location, go to https://ping.eu (not using any VPN, just a simple browser). That is the IP by which anybody on the internet “sees” you. If you do not have any port forwarding from outside into your internal devices/IPs, NOBODY can access any of your home devices.

Now, your internal LAN IP is managed by your router.
You can find your assigned IP by running arp -a in a terminal / command prompt window. Or just look into your router to see which IP is assigned to your node/devices.
Internal LAN IPs are NOT accessible from outside.

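As an added example (not from the thread), the following sorts an address into the categories the post above describes, so you can check whether a “Home IP” is a private LAN address or the public one the internet sees. It also flags the RFC 6598 shared address space 100.64.0.0/10, which the placeholder 100.100.100.100 used earlier in the thread happens to fall into: an ISP that gives your router an address from that range is doing carrier-grade NAT, and port forwarding on your home router cannot receive internet traffic from behind it. Sample addresses are constructed; only the standard library is used.

```python
# Added example (not from the thread): classify an IPv4/IPv6 address the way
# the post above describes, to answer "is my Home IP visible to the internet?".
# Sample addresses below are constructed; runs offline with the standard library.
import ipaddress

# Address ranges that are never reachable from the public internet.
# RFC 6598 (100.64.0.0/10) is the "shared address space" ISPs use for
# carrier-grade NAT: behind it the ISP, not you, owns the public address,
# so a port-forwarding rule on your home router never sees outside traffic.
# (Tailscale also assigns its overlay addresses from this range.)
SPECIAL_RANGES = (
    ("private LAN (RFC 1918)", "10.0.0.0/8"),
    ("private LAN (RFC 1918)", "172.16.0.0/12"),
    ("private LAN (RFC 1918)", "192.168.0.0/16"),
    ("carrier-grade NAT (RFC 6598)", "100.64.0.0/10"),
    ("loopback", "127.0.0.0/8"),
    ("link-local", "169.254.0.0/16"),
    ("IPv6 loopback", "::1/128"),
    ("IPv6 private (unique local)", "fc00::/7"),
    ("IPv6 link-local", "fe80::/10"),
)


def classify(addr: str) -> str:
    """Return a human-readable category for an IPv4 or IPv6 address string."""
    ip = ipaddress.ip_address(addr)
    for label, cidr in SPECIAL_RANGES:
        # 'in' is False when address and network versions differ, so mixing is safe.
        if ip in ipaddress.ip_network(cidr):
            return label
    # Anything else is public unless IANA reserves it (documentation, multicast, ...).
    return "public" if ip.is_global else "reserved (not globally routable)"


def can_port_forward_to_it(public_addr: str) -> bool:
    """True only when the address the internet sees for you is a real public IP.

    A private, loopback or CGNAT address reported by a "what is my IP" page means
    the forwarding rules on your router will never receive traffic from outside.
    """
    return classify(public_addr) == "public"


if __name__ == "__main__":
    for sample in ("192.168.1.20", "100.100.100.100", "142.250.74.78", "fe80::1"):
        print(f"{sample:>18}  ->  {classify(sample)}")
```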