I just used this amazing tutorial and had a few roadblocks I hit and am posting the solutions I found in case it helps someone else.
When I got down to 5. Configuring nginx reverse-proxy, I had to manually create the reverse-proxy.conf file as it was not already there. There was a file already there called default
sudo nano reverse-proxy.conf
I found that I had to disable the default config and activate my new config.
First I disabled the default config.
unlink /etc/nginx/sites-enabled/default
Then I enabled my new custom config by creating a symbolic link to it from the /etc/nginx/sites-available folder to the /etc/nginx/sites-enabled folder.
First of all, million thanks for writing this up. I’ve followed your instructions and everything is working out fine. I can now use Bluewallet to connect to a wallet via the reverse proxy to LNbits. Just a few questions…
What is the best way to handle Letsencrypt cert renew ( I think it needs to be renewed every 90 days)
I noticed that if I use a browser and point to the reverse proxy host directly (ie:https://lightning.domain.com in your example), I will have direct access to the Lnbits page on my Umbrel and anyone will be able to create a new wallet. Will this be a security issue where anyone will be able to create wallets? Not sure how this can be avoided.
Again - many thanks and looking forward to comments from all…
You can block the creation of new wallets, in the env file.
set ALLOWED_USERS in .env, now you and and whoever you say can have access, but others wont be able to create wallets. All the public pages, such as paywalls, lnurls, tpos, etc will all still work and can be shared.
Copy paste the url or bookmark. then add usr to .env. go back to basic url and try to create an new wallet. it won’t let you
I will give it a try for sure. Just want to re-confirm… Should I edit the .env file in the ~/umbrel dir and add the line
APP_LNBITS_ALLOWED_USERS-“xxx” as I am using umbrel. And I guess I will need to somehow restart lnbits app (hopefully will be able to do this from ssh without restarting my node)
@Microstorm
I was able to figure it out.
I have added the following line LNBITS_ALLOWED_USERS: “YOUR_USER_ID_FROM_WALLET_URL”
in the file ~/umbrel/apps/lnbits/docker-compose.yml under # App Section.
After node reset i was able to access lnbits with only one user ID which i specified.
Im not sure but i think it is propable that if the lnbits app gets updated this config will be lost and it will need to be updated again.
Hey there! Be very carefull with LNbits publicly accessible from the internet until this fix finds its way to Umbrel. Nasty attack with malicious hop node was made few days ago.
Thanks for pulling this together. Really helpful. Did a first DNS auth with certbot, which worked fine, so this is a great insight already.
But I’m struggling with what @DarthCoin outlined: I have a BTC-Pay Server AND lnbits on the same umbrel, here’s the config and problem outlined
ports forwarded from 15443 > Umbrel
certificates retrieved for both subdomains lnbits and btcpay
/etc/nginx/sites-available/xxx > one configuration file only
server 1 and server 2 in this config file and the only differences are:
server_name
proxy_pass port http://127.0.0.1:(3003 for btcpay and 3007 for lnbits)
specific links for ssl_certificate and ssl_certificate_key are adjusted
Apart from this, for simplicity I’m listening only at listen 15443 ssl for now. http is working fine.
Accessing lnbits.xxx.com via https keeps throwing a “Your connection is not private” error, because it’s using certificate from 1.
I’ve doublechecked that the SSL blurp in Server 2 section of /etc/nginx/sites-available/xxx links to the right ssl certicate files, both public and private key files are there. But somehow the lnbits subdomain doesn’t use those, but the one from btcpay subdomain.
Is that what you’re referring to as "one port shouldn’t be shared by the same server? I am not using the gateway front yet, since I felt this should be doable based on your post here above. But I’m struggling to see
where my config is possibly wrong
whether it’s better to split to server config into two files, eg /etc/nginx/sites-available/btcpay and /etc/nginx/sites-available/lnbits. But when I do this, nginx -t reports a nginx: [warn] conflicting server name "lnbits.xxx.com" on 0.0.0.0:15443, ignored
if /var/log/nginx/reverse-access.log would possibly give any insight
Hope this makes sense. Any pointers how to handle 2 subdomains on one umbrel would be appreciated
I got it. As stupid as a typo in the server_name. Apparently nginx falls back to domain 1 if server_name of domain 2 cannot be found.
So, LNbits running on port 3007, BTCpay on port 3003, with two separate subdomains incl SSL certificate. All running this way
Internet => Modem => Router => Node
Btw I concluded it’s cleaner to have two separate nginx conf files, makes maintenance easier.
Need to build out the certificate renew process, and then I’m ready to roll.
Post here in case you like to build something similar and struggle with the setup.
Just a simple clarification for others: put just the string, without “ ”.
Anyways, soon Lnbits will have a nice admin user management extension and will not be necessary this trick.
@Uxellodunum I may need your help. LNbits works fine, I can use it in clearnet, make invoices, pay them.
The only thing is not working is scan the QR code LN invoice or LNURL.
It return:
"error from vendor"
java.net.ConnectException:
Failed to connect to lnbits.my-domain.com/<my public IP>:443
Why is adding that IP after the domain?
I don’t know if is something wrong with LNbits or my nginx config (I followed exactly your guide).
If were the nginx then should not be able to use it with copying the invoice code and LNURL.
All wallets works just fine, imported some in Zeus, in Bluewallet, make/pay sats, I even connect it to Alby browser extension, also works fine.
Only scanning QR is not working.
Hi @DarthCoin, Big thank you for pretty much taking over and helping users further.
I’ve moved onto other projects so I haven’t been able to keep up with this thread unfortunately, but glad it’s still helping people.
Oddly I can’t seem to edit my own posts so I haven’t been too inclined to update the OP either (aside from the lack of time to look into it).
Regarding the issue you had, I think there may be some relation between it and the second point I made in the Overview & Why Section. Essentially, the NAT setup. Either way, glad you got it sorted. For it to work over LAN, you’ll have to use a LAN IP to access LNBits - If I recall correctly, it depends on the address used to access LNBits in the first palce, it takes that address and creates the QR Code based on it.
I may have missed something in this thread’s history, but for convenience’s sake it’s possible to have both of your subdomains only use one certificate, essentially a wildcard certificate, which Let’sEncrypt also supports. The process is essentially the same.
So it would look like *.domain.com when requesting the cert.
For automating the certbot renewals, there are a few ways. One is to tinker a bit with things and see if you can get it to do a standard HTTP check which is much easier to automate, assuming you do not require port 80 for any other services. Personally, I prefer the DNS check but that means a couple conditions:
Scripting something.
That your DNS Service Provider offers an API you can communicate with.
Thanks man! Your guide inspired a lot of Umbrel users, myself included.
For convenience I would prefer to have a separate subdomain / certificate for each app / port.
So if I setup lnbits I would have lnbits.my-domain.com
If I setup also a BTCpay, I would have btcpay.my-domain.com.
Same public IP (of the node) but different subdomain and certificate, even can use same port 443, for example, the nginx could handle it.
Yes we will try to keep here this post open and help other users that are interested in this aspect.
Thanks again!
For anyone interested, I’ve came to a roadblock trying to implement the procedure above, simply cause I had “one more hurdle” to overtake.
My setup runs on Unraid, and I have Umbrel inside VM (as I wanted to keep all-things-umbrel separate).
The thing is, I don’t have public IP, and therefore I had to use my public VPS, which could have SSH tunnel opened.
However, I was trying for couple days to make LNBits work without success, only to eventually install it in the public server directly (which took like 30 minutes, could have saved me hours of work), and it worked right away!
So the steps above are kinda matching, I had to do few more things:
Install LNBits on public VPS, which will act as proxy as well
Use Caddy instead of nginx (I find Caddy much easier to use, the config is super simple):
{
handle /api/v1/payments/sse* {
reverse_proxy 0.0.0.0:5000 {
header_up X-Forwarded-Host
transport http {
keepalive off
compression off
}
}
}
reverse_proxy 0.0.0.0:5000 {
header_up X-Forwarded-Host
header_up X-Forwarded-Proto https
}
}
Open SSH tunnel from my private server to the public VPS, using “Scripts” in Unraid, to keep the SSH tunnel running:
if [ -z “$PID” ]; then #the process is not running, start it
$SSH_CMD &
else #the process is running, kill it
kill $PID #start the process again
$SSH_CMD &
fi
Make sure to set LNBits properly, I used “gRPC” settings from the LN Node. More info can be found here: LNBits - installation
Now you should be able to visit your domain, which will get you to your LNBits instance, running in public VPS, but connecting to your backend LN node over SSH tunnel on given port.
If this guide helped you a bit, you can tip me some sats to: donach@bitcoli.com
I had some problems but got here after using Synology’s DSM reverse proxy to point to my umbrel node on lndbits port 3007.
So now I have lndbits under a subdomain working.
Although lnurlp is not working.
First, the lnurl generated is with http instead of https:
If I decode the generated lnurl here lnurl codec , it clearly shows http.
I then generate a new one with https but lnbits says:
Error: 2 validation errors for LnurlPayResponse callback URL host invalid, top level domain required (type=value_error.url.host) callback URL scheme not permitted (type=value_error.url.scheme; allowed_schemes={‘https’})
Any clues? It seems lnbits although proxied from https, is running on http and is assuming local schema http and hostname.
On the reverse proxy I have the same headers set as you.