impulsivefps
/
LemonSec
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
LemonSec/MIGRATE-FROM-NPM.md

255 lines
6.2 KiB
Markdown
Raw Permalink Blame History

# Migrating from Nginx Proxy Manager (NPM)
## Concept Mapping
| NPM Feature | Traefik Equivalent |
|-------------|-------------------|
| Proxy Hosts | Routers + Services |
| SSL Certificates | certresolver (automatic) |
| Custom Locations | Middlewares |
| Access Lists | Authelia / Basic Auth |
| 404 Page | Custom error middleware |
| Redirection Hosts | Redirect middleware |
| Streams | TCP Routers |
## Migration Steps
### 1. Document Current NPM Setup
In NPM UI, go through each Proxy Host and note:
- Domain names
- Forward hostname/IP and port
- Scheme (http/https)
- Custom locations
- Access lists
- SSL settings
- Advanced configuration
### 2. Export NPM Config (Optional Backup)
NPM → **Settings****Backup****Download**
This creates a JSON backup of all hosts.
### 3. Create docker-compose.override.yml
This is where your migrated hosts go:
```yaml
version: "3.8"
networks:
services:
external: true
services:
# ========================================
# MIGRATED FROM NPM
# ========================================
# Example: Migrating "nextcloud.lemonlink.eu"
# NPM Settings:
# - Domain: nextcloud.lemonlink.eu
# - Forward: 192.168.1.100:9001
# - Scheme: http
# - Block Common Exploits: yes
# - SSL: yes (LE)
nextcloud-migration:
image: alpine:latest
container_name: npm-migration-nextcloud
restart: "no"
command: "echo 'Migrated from NPM'"
networks:
- services
labels:
# Enable Traefik
- "traefik.enable=true"
# Router (like Proxy Host)
- "traefik.http.routers.nextcloud.rule=Host(`nextcloud.lemonlink.eu`)"
- "traefik.http.routers.nextcloud.entrypoints=websecure"
- "traefik.http.routers.nextcloud.tls.certresolver=letsencrypt"
# Service (Forward to)
- "traefik.http.services.nextcloud.loadbalancer.server.url=http://192.168.1.100:9001"
# Middlewares (Access Lists, Security)
- "traefik.http.routers.nextcloud.middlewares=security-headers@file,rate-limit@file"
# Add more migrations here...
# service2-migration:
# ...
```
### 4. Common NPM → Traefik Patterns
#### Pattern 1: Basic Proxy Host
```
NPM:
Domain: app.lemonlink.eu
Forward: 192.168.1.10:8080
SSL: yes
Traefik:
labels:
- "traefik.enable=true"
- "traefik.http.routers.app.rule=Host(`app.lemonlink.eu`)"
- "traefik.http.routers.app.entrypoints=websecure"
- "traefik.http.routers.app.tls.certresolver=letsencrypt"
- "traefik.http.services.app.loadbalancer.server.url=http://192.168.1.10:8080"
- "traefik.http.routers.app.middlewares=security-headers@file,rate-limit@file"
```
#### Pattern 2: Access List (Basic Auth)
```
NPM:
Access List: Family
Users: user1 / pass1, user2 / pass2
Traefik:
# In docker-compose.override.yml middlewares section
# Or use Authelia (recommended)
# Option A: Basic Auth (simple)
labels:
- "traefik.http.routers.app.middlewares=app-basicauth"
- "traefik.http.middlewares.app-basicauth.basicauth.users=user1:$$apr1$$..."
# Option B: Authelia (SSO, recommended)
labels:
- "traefik.http.routers.app.middlewares=authelia@docker"
```
#### Pattern 3: Custom Location
```
NPM:
Location: /api
Forward: 192.168.1.10:8080/api
Traefik:
# Use PathPrefix rule
labels:
- "traefik.http.routers.app-api.rule=Host(`app.lemonlink.eu`) && PathPrefix(`/api`)"
- "traefik.http.routers.app-api.service=api-service"
- "traefik.http.services.api-service.loadbalancer.server.url=http://192.168.1.10:8080"
```
#### Pattern 4: Custom Nginx Config
```
NPM Advanced:
proxy_set_header X-Custom-Header value;
client_max_body_size 10G;
Traefik:
# Add to dynamic/middlewares.yml or inline
labels:
- "traefik.http.middlewares.custom-headers.headers.customRequestHeaders.X-Custom-Header=value"
- "traefik.http.routers.app.middlewares=custom-headers"
# For body size, use buffering:
- "traefik.http.services.app.loadbalancer.responseforwarding.flushinterval=100ms"
```
### 5. Gradual Migration Strategy
Don't migrate everything at once:
**Week 1: Setup LemonSec**
- Deploy Traefik + Authelia + CrowdSec
- Test with one non-critical service
- Keep NPM running
**Week 2: Migrate Low-Risk Services**
- Move internal services first
- Test thoroughly
- Keep Nextcloud on NPM for now
**Week 3: Migrate Nextcloud**
- Schedule downtime
- Update TrueNAS Nextcloud config
- Test with family
- Keep NPM as backup
**Week 4: Decommission NPM**
- After 1 week stable
- Stop NPM container
- Remove port forwards to NPM
- Keep config backup
### 6. Parallel Running
You can run both during migration:
```
Internet
Router (port 443)
├─► NPM (port 444) ──► Some services
└─► Traefik (port 443) ──► New services
```
Change router port forward to test:
- Port 443 → Traefik
- Port 444 → NPM (backup access)
### 7. Testing Checklist
For each migrated service:
- [ ] HTTP redirects to HTTPS
- [ ] SSL certificate valid
- [ ] Can login
- [ ] All pages load
- [ ] File uploads work
- [ ] Mobile apps connect
- [ ] No console errors
### 8. Rollback Plan
If something breaks:
```bash
# Stop Traefik
docker-compose -f docker-compose.yml -f docker-compose.override.yml down
# Restart NPM
docker start npm
# Revert router port forward to NPM
# Access via: https://old-domain:444 (if configured)
```
Keep NPM container stopped but available:
```bash
docker stop npm
docker rename npm npm-backup
# Don't delete until migration complete
```
## NPM Features Not in Traefik
| NPM Feature | Traefik Alternative |
|-------------|---------------------|
| Nice Web UI | Traefik Dashboard + Portainer |
| One-click SSL | Automatic via certresolver |
| Built-in auth | Authelia (more powerful) |
| Redirection UI | YAML config |
| Access Logs | JSON logs in traefik/logs/ |
## Benefits of Migrating
1. **Declarative**: All config in Git-trackable files
2. **Automatic**: SSL certificates without clicks
3. **Integrated**: Built-in CrowdSec, Authelia
4. **Fast**: Better performance than NPM
5. **Flexible**: More routing options
6. **Modern**: Active development, Traefik 3.x
## Need Help?
- Check `examples/` for common patterns
- See `docs/TRUENAS-NEXTCLOUD.md` for Nextcloud specifically
- Review `QUICKSTART.md` for fresh setup
- Traefik docs: https://doc.traefik.io/
Reference in New Issue View Git Blame Copy Permalink