How to configure Umbrel LNbits app without Tor

I just used this amazing tutorial and had a few roadblocks I hit and am posting the solutions I found in case it helps someone else.

When I got down to 5. Configuring nginx reverse-proxy, I had to manually create the reverse-proxy.conf file as it was not already there. There was a file already there called default

sudo nano reverse-proxy.conf

I found that I had to disable the default config and activate my new config.
First I disabled the default config.

unlink /etc/nginx/sites-enabled/default

Then I enabled my new custom config by creating a symbolic link to it from the /etc/nginx/sites-available folder to the /etc/nginx/sites-enabled folder.

ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/reverse-proxy.conf

When I tried to restart the nginx service it failed though, so I tested my config by running

sudo nginx -t

It spit out errors and I found that I needed a semi-colon at the end of every line and a second closing bracket.

server {
listen 443 ssl;
access_log /var/log/nginx/reverse-access.log;
error_log /var/log/nginx/reverse-error.log;

location / {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection ‘upgrade’;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $host;
proxy_http_version 1.1;

ssl on;
ssl_certificate /etc/letsencrypt/live/;
ssl_certificate_key /etc/letsencrypt/live/;

After modifying and saving the file, the nginx test ran successfully and the service could be restarted.

I am now up and rolling!


First of all, million thanks for writing this up. I’ve followed your instructions and everything is working out fine. I can now use Bluewallet to connect to a wallet via the reverse proxy to LNbits. Just a few questions…

  1. What is the best way to handle Letsencrypt cert renew ( I think it needs to be renewed every 90 days)

  2. I noticed that if I use a browser and point to the reverse proxy host directly (ie: in your example), I will have direct access to the Lnbits page on my Umbrel and anyone will be able to create a new wallet. Will this be a security issue where anyone will be able to create wallets? Not sure how this can be avoided.

Again - many thanks and looking forward to comments from all…

You can block the creation of new wallets, in the env file.

set ALLOWED_USERS in .env, now you and and whoever you say can have access, but others wont be able to create wallets. All the public pages, such as paywalls, lnurls, tpos, etc will all still work and can be shared.
Copy paste the url or bookmark. then add usr to .env. go back to basic url and try to create an new wallet. it won’t let you

Join to Telegram group for more help

Thanks for the info @DarthCoin.

I will give it a try for sure. Just want to re-confirm… Should I edit the .env file in the ~/umbrel dir and add the line

APP_LNBITS_ALLOWED_USERS-“xxx” as I am using umbrel. And I guess I will need to somehow restart lnbits app (hopefully will be able to do this from ssh without restarting my node)

I will try to search for more info.

Thanks again…

I was able to figure it out.
I have added the following line
in the file ~/umbrel/apps/lnbits/docker-compose.yml under # App Section.
After node reset i was able to access lnbits with only one user ID which i specified.
Im not sure but i think it is propable that if the lnbits app gets updated this config will be lost and it will need to be updated again.

1 Like

Hey there! Be very carefull with LNbits publicly accessible from the internet until this fix finds its way to Umbrel. Nasty attack with malicious hop node was made few days ago.

1 Like

Amazing guide, thank you. I have a Pi 3 running a Tor node. Can this be run on the same machine? They won’t interfere? Thanks!

Understanding what a proxy server is and does, this youtube clip helped me:

Thanks for pulling this together. Really helpful. Did a first DNS auth with certbot, which worked fine, so this is a great insight already.

But I’m struggling with what @DarthCoin outlined: I have a BTC-Pay Server AND lnbits on the same umbrel, here’s the config and problem outlined

  • ports forwarded from 15443 > Umbrel
  • certificates retrieved for both subdomains lnbits and btcpay
  • /etc/nginx/sites-available/xxx > one configuration file only
  • server 1 and server 2 in this config file and the only differences are:

proxy_pass port for btcpay and 3007 for lnbits)
specific links for ssl_certificate and ssl_certificate_key are adjusted

Apart from this, for simplicity I’m listening only at listen 15443 ssl for now. http is working fine.


  1. Accessing via https is working fine.
  2. Accessing via https keeps throwing a “Your connection is not private” error, because it’s using certificate from 1.

I’ve doublechecked that the SSL blurp in Server 2 section of /etc/nginx/sites-available/xxx links to the right ssl certicate files, both public and private key files are there. But somehow the lnbits subdomain doesn’t use those, but the one from btcpay subdomain.

Is that what you’re referring to as "one port shouldn’t be shared by the same server? I am not using the gateway front yet, since I felt this should be doable based on your post here above. But I’m struggling to see

  • where my config is possibly wrong
  • whether it’s better to split to server config into two files, eg /etc/nginx/sites-available/btcpay and /etc/nginx/sites-available/lnbits. But when I do this, nginx -t reports a nginx: [warn] conflicting server name "" on, ignored
  • if /var/log/nginx/reverse-access.log would possibly give any insight

Hope this makes sense. Any pointers how to handle 2 subdomains on one umbrel would be appreciated

1 Like

I got it. As stupid as a typo in the server_name. Apparently nginx falls back to domain 1 if server_name of domain 2 cannot be found.

So, LNbits running on port 3007, BTCpay on port 3003, with two separate subdomains incl SSL certificate. All running this way
Internet => Modem => Router => Node
Btw I concluded it’s cleaner to have two separate nginx conf files, makes maintenance easier.

Need to build out the certificate renew process, and then I’m ready to roll.
Post here in case you like to build something similar and struggle with the setup.


Just a simple clarification for others: put just the string, without “ ”.
Anyways, soon Lnbits will have a nice admin user management extension and will not be necessary this trick.

@Uxellodunum I may need your help. LNbits works fine, I can use it in clearnet, make invoices, pay them.
The only thing is not working is scan the QR code LN invoice or LNURL.
It return:

"error from vendor" 
Failed to connect to<my public IP>:443

Why is adding that IP after the domain?
I don’t know if is something wrong with LNbits or my nginx config (I followed exactly your guide).
If were the nginx then should not be able to use it with copying the invoice code and LNURL.
All wallets works just fine, imported some in Zeus, in Bluewallet, make/pay sats, I even connect it to Alby browser extension, also works fine.
Only scanning QR is not working.

EDIT - is fixed, user error.
For those that fall into this user error like me (I was dumb) I posted here the mistake I did.

Hi @DarthCoin, Big thank you for pretty much taking over and helping users further.
I’ve moved onto other projects so I haven’t been able to keep up with this thread unfortunately, but glad it’s still helping people.
Oddly I can’t seem to edit my own posts so I haven’t been too inclined to update the OP either (aside from the lack of time to look into it).

Regarding the issue you had, I think there may be some relation between it and the second point I made in the Overview & Why Section. Essentially, the NAT setup. Either way, glad you got it sorted. For it to work over LAN, you’ll have to use a LAN IP to access LNBits - If I recall correctly, it depends on the address used to access LNBits in the first palce, it takes that address and creates the QR Code based on it.

1 Like

I may have missed something in this thread’s history, but for convenience’s sake it’s possible to have both of your subdomains only use one certificate, essentially a wildcard certificate, which Let’sEncrypt also supports. The process is essentially the same.
So it would look like * when requesting the cert.

For automating the certbot renewals, there are a few ways. One is to tinker a bit with things and see if you can get it to do a standard HTTP check which is much easier to automate, assuming you do not require port 80 for any other services. Personally, I prefer the DNS check but that means a couple conditions:

  • Scripting something.
  • That your DNS Service Provider offers an API you can communicate with.

Best of luck!

1 Like

Thanks man! Your guide inspired a lot of Umbrel users, myself included.
For convenience I would prefer to have a separate subdomain / certificate for each app / port.
So if I setup lnbits I would have
If I setup also a BTCpay, I would have
Same public IP (of the node) but different subdomain and certificate, even can use same port 443, for example, the nginx could handle it.

Yes we will try to keep here this post open and help other users that are interested in this aspect.
Thanks again!

1 Like

Hi everyone. I follow all of the tutoriel for doing great things with lnbits and lnurl.

Lnbits work on clearnet but lnurl not.

I use lnurl décoder for ans lnurl pay and i see it’s http no https used. So wallet cant accept it.

I have the ngninx certificate…

Can you Help me?

I have used your configuration file with success. The bracket and semicolons made the difference!

For anyone interested, I’ve came to a roadblock trying to implement the procedure above, simply cause I had “one more hurdle” to overtake.

My setup runs on Unraid, and I have Umbrel inside VM (as I wanted to keep all-things-umbrel separate).
The thing is, I don’t have public IP, and therefore I had to use my public VPS, which could have SSH tunnel opened.
However, I was trying for couple days to make LNBits work without success, only to eventually install it in the public server directly (which took like 30 minutes, could have saved me hours of work), and it worked right away!

So the steps above are kinda matching, I had to do few more things:

  1. Install LNBits on public VPS, which will act as proxy as well
  2. Use Caddy instead of nginx (I find Caddy much easier to use, the config is super simple):

handle /api/v1/payments/sse* {
reverse_proxy {
header_up X-Forwarded-Host
transport http {
keepalive off
compression off
reverse_proxy {
header_up X-Forwarded-Host
header_up X-Forwarded-Proto https

  1. Open SSH tunnel from my private server to the public VPS, using “Scripts” in Unraid, to keep the SSH tunnel running:

SSH_CMD=‘ssh -N @<public_server_ip> -p 22 -R <LNgRPC_Port>:<ip_of_umbrel>:<LNgRPC_Port> -i /path/to/private/keyfile’
PID=$(ps -ef | grep “$SSH_CMD” | grep -v grep | awk ‘{print $2}’)

if [ -z “$PID” ]; then
#the process is not running, start it
#the process is running, kill it
kill $PID
#start the process again

  1. Make sure to set LNBits properly, I used “gRPC” settings from the LN Node. More info can be found here:
    LNBits - installation

  2. Now you should be able to visit your domain, which will get you to your LNBits instance, running in public VPS, but connecting to your backend LN node over SSH tunnel on given port.

If this guide helped you a bit, you can tip me some sats to:

I’m in the same boat. Works perfectly for LNBits and BTCPay over SSL, but LNURL can’t resolve.

1 Like

I had some problems but got here after using Synology’s DSM reverse proxy to point to my umbrel node on lndbits port 3007.

So now I have lndbits under a subdomain working.

Although lnurlp is not working.
First, the lnurl generated is with http instead of https:
If I decode the generated lnurl here lnurl codec , it clearly shows http.
I then generate a new one with https but lnbits says:

Error: 2 validation errors for LnurlPayResponse callback URL host invalid, top level domain required ( callback URL scheme not permitted (type=value_error.url.scheme; allowed_schemes={‘https’})

Any clues? It seems lnbits although proxied from https, is running on http and is assuming local schema http and hostname.

On the reverse proxy I have the same headers set as you.

1 Like