Cannot get external access to npm working using Access Lists

Thanks in advance for any help!

My issue:

I’ve been banging my head on the wall for a week because I can’t seem to get external access into the NPM dockers; home access, however, is not an issue.

On my laptop and cell phone when remote if I try to hit any of the sub-domains for the various dockers (Nextcloud, Joplin, Vaultwarden) I’m getting a 403 error (OpenResty) which is apparently Nginx catching it?

My network setup:

I have nginx installed on my Raspberry Pi which is hosting a few dockers. I also have tailscale installed on the Pi, as well as tailscale being installed on my laptop, phone, and a Synology.

I have 3 dockers behind NPM, each with a sub-domain from Cloudflare and HTTPS certs for them installed on NPM. Those 3 proxy hosts share an Access List which says that my home LAN subnet 192.168.0.0/24 and my Tailscale range 100.64.0.0/10 are allowed. UFW on the server is currently disabled, so that’s not affecting anything right now.

In Cloudflare the 3 subdomains have A records that each point to the Tailscale IP address of the Raspberry Pi Docker server with nginx.

My router is running OpenWRT with split DNS configured so that any requests to my HTTPS subdomains hit the local LAN IP address of the Raspberry Pi.
</grr_replace>
<gr_replace lines="21" cat="clarify" orig="In Tailscale Admin">
In the Tailscale admin panel I have advertised and approved the subnet 192.168.0.0/24 for the Raspberry Pi machine. On my cell phone, where I primarily need the external access to get Nextcloud and Joplin working, I have the phone’s Tailscale set to “Use Tailscale DNS”.

In Tailscale Admin panel I have advertised and approved the Subnet 192.168.0.0/24 for the Raspberry Pi Machine. On my cell phone where I primarily need the external access to get nextcloud, and joplin working, I have the phone Tailscale set to Use Tailscales DNS.

Finally, in NPM under the 3 proxy hosts (sub-domains) I have turned ON Force SSL, HSTS, HSTS Subdomains and HTTP/2 Support. I’ve also tried not having HSTS turned on.

IF I set the NPM Access List to Publicly Available, I can access ALL the subdomains externally okay, and NPM works externally and internally. I’ve been googling, watching videos, reading Reddit posts and banging my head on the wall.

LOGS

I’ve checked the log files for nginx, and, for instance, in one of the error logs for a sub-domain I see:

2025/10/10 03:41:25 [error] 193#193: *34 access forbidden by rule, client: 172.21.0.1, server: my-sub-domain, request: "GET / HTTP/2.0", host: "my-sub-domain"
2025/10/10 03:41:27 [error] 193#193: *34 access forbidden by rule, client: 172.21.0.1, server: my-sub-domain, request: "GET /favicon.ico HTTP/2.0", host: "my-sub-domain", referrer: "https://my-sub-domain"

2025/10/10 01:56:27 [warn] 541#541: *26633 an upstream response is buffered to a temporary file /var/cache/nginx/proxy_temp/5/24/0000005245 while reading upstream, client: 172.21.0.1, server: my-sub-domain, request: "GET /dist/core-main.js?v=2a2ef177-0 HTTP/2.0", upstream: "http://172.21.0.4:80/dist/core-main.js?v=2a2ef177-0", host: "my-sub-domain"
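The log lines above give the security-relevant detail: nginx is applying the access list to `client: 172.21.0.1`, which is a Docker bridge-network address (172.16.0.0/12), not the phone's Tailscale address (100.64.0.0/10) or a LAN address (192.168.0.0/24). Neither allow rule can match that address, so the `deny all` that NPM appends fires and the client gets a 403. The following script is an added example, not code from the post or from Nginx Proxy Manager: it models NPM's access list as the ordered, first-match `allow`/`deny` rules nginx evaluates, pulls the client address out of constructed copies of the error-log lines, and flags any client that is a Docker bridge address, because an allow list checked against a NAT'd address cannot distinguish a Tailscale client from anyone else arriving through the same bridge. Widening the allow list to include 172.16.0.0/12 would therefore be equivalent to "Publicly Available", not a fix. The rule list and the bridge range are assumptions taken from the description in the post.

```python
"""Evaluate an NPM-style access list against the client addresses nginx logs.

Added example (not from the original post or from Nginx Proxy Manager).
Assumptions: the access list is the one described in the post, NPM emits it
as nginx `allow` directives followed by `deny all`, and nginx evaluates those
directives in order with the first match winning.
"""
import ipaddress
import re

# Access list as described in the post: home LAN plus the Tailscale CGNAT range.
# `None` as the network stands for nginx's `deny all`.
ACCESS_LIST = [
    ("allow", ipaddress.ip_network("192.168.0.0/24")),
    ("allow", ipaddress.ip_network("100.64.0.0/10")),
    ("deny", None),
]

# Docker's default bridge address pool (assumption: stock Docker configuration).
DOCKER_BRIDGE = ipaddress.ip_network("172.16.0.0/12")

CLIENT_RE = re.compile(r"client: (?P<client>[0-9a-fA-F.:]+)")


def evaluate(client, rules=ACCESS_LIST):
    """Return (verdict, matched_rule) for the first rule matching `client`.

    Mirrors nginx: allow/deny are checked in order, first match wins, and an
    address matching no rule is allowed.
    """
    addr = ipaddress.ip_address(client)
    for verdict, net in rules:
        if net is None:
            return verdict, "all"
        if addr in net:
            return verdict, str(net)
    return "allow", None


def client_from_log(line):
    """Extract the `client:` address from an nginx error-log line, or None."""
    match = CLIENT_RE.search(line)
    return match.group("client") if match else None


def analyse(lines, rules=ACCESS_LIST):
    """Decide what the access list does to each logged client and whether the
    address is a Docker bridge address, i.e. the proxy never saw the real client."""
    results = []
    for line in lines:
        client = client_from_log(line)
        if client is None:
            continue
        verdict, rule = evaluate(client, rules)
        results.append({
            "client": client,
            "verdict": verdict,
            "rule": rule,
            "natted": ipaddress.ip_address(client) in DOCKER_BRIDGE,
        })
    return results


# Constructed copies of the error-log lines quoted in the post (sample input,
# not the real log file).
SAMPLE_LOG = [
    '2025/10/10 03:41:25 [error] 193#193: *34 access forbidden by rule, '
    'client: 172.21.0.1, server: my-sub-domain, request: "GET / HTTP/2.0", '
    'host: "my-sub-domain"',
    '2025/10/10 03:41:27 [error] 193#193: *34 access forbidden by rule, '
    'client: 172.21.0.1, server: my-sub-domain, request: "GET /favicon.ico HTTP/2.0", '
    'host: "my-sub-domain", referrer: "https://my-sub-domain"',
]


if __name__ == "__main__":
    for entry in analyse(SAMPLE_LOG):
        flag = "  <- Docker bridge address, not the original client" if entry["natted"] else ""
        print(f'{entry["client"]:>16}  {entry["verdict"]:5}  by {entry["rule"]}{flag}')
    # What the same list does to addresses the post expects to be allowed:
    for probe in ("192.168.0.23", "100.101.102.103"):
        print(f"{probe:>16}  {evaluate(probe)[0]:5}  by {evaluate(probe)[1]}")
```

The useful check here is not the verdict itself (a 403 for 172.21.0.1 is exactly what the list is configured to do) but the `natted` flag: when every denied request comes from the bridge gateway, the question to answer is why the original source address is not reaching nginx for those connections, and the access list is working as designed until it is.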

Hey @darkmatter!

I assume from this that you are using OpenResty instead of NGINX, right? OpenResty is a very heavily modified version of NGINX, so I would suggest you also ask this question in their forum. This could be an issue related to one of their NGINX extensions.

Where are you turning on these settings? NGINX supports these things, but are you configuring them within your NGINX config or somewhere else?

Can you share your NGINX config?
