Lab - Install Nginx Proxy Manager

Context

Compared to using Nginx directly to set up a reverse proxy, Nginx Proxy Manager (NPM) offers a friendlier UI and convenient management utilities. However, this route assumes Docker.

Preparation

  • Docker compose installed on the machine. See this lab for more.
  • Basic knowledge of the OS, networking, and domain name registration.

Installation

Create a parent folder that will hold future container configurations:

mkdir ws
cd ws

Inside it, create the folder that will hold the NPM assets:

mkdir mynpm
cd mynpm

Create a docker-compose.yaml file inside the folder:

networks:
  mynet:
    name: mynet

services:
  mynpm:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    ports:
      - '80:80'
      - '443:443'
      - '81:81'
    networks:
      - mynet

You can change the port mapping to something else if 80, 81 or 443 is already in use.

Launch NPM

docker compose up -d

For Home User (Inside NAT)

In contrast to hosting NPM facing the public, the steps below use plain HTTP, on the assumption that sensitive data like passwords will not be leaked to the public.

  1. Assume the IP of your Docker engine is 192.168.0.10. First visit the site http://192.168.0.10:81
  2. Use the username admin@example.com and password changeme to log in
  3. Change the admin name and password as requested
  4. As an exercise, you can add a proxy host for NPM itself. Add a local domain name such as mynpm to /etc/hosts, then create a proxy host with the domain mynpm and scheme/host/port set to http://192.168.0.10:81.

For VPS in the Cloud

When NPM runs in the cloud for your own use but is publicly visible, extra care is needed. The main concern here is how to avoid transmitting the admin password in the open, since HTTP is used in the beginning.

Here we choose a simple approach that does not involve extra secure tunneling. It is not airtight, so in general you should be wary of the process and figure out a better way that suits you.

  1. Assume you have set up NPM on a VPS that has public IP 10.100.0.1
  2. You have also prepared a (sub)domain, say npm.example.com , bound to the IP.
  3. If you want and know how to, you can configure the firewall for the VPS to restrict traffic only between your home IP and the public IP at port 81.
  4. Visit your site at http://10.100.0.1:81, then log in with the initial username and password. When changing the admin password, use a one-time password that will be discarded later.
  5. Use the interface to create a proxy host using the domain npm.example.com, with scheme/host/port set to http://mynpm:81, where mynpm is the name of the NPM container. Also obtain a new SSL certificate for it. Once that succeeds, finish creating the proxy host.
  6. Make sure you can access your NPM via https://npm.example.com
  7. Now you can change the admin password for real.

Advanced Configurations

NPM allows custom configuration at the global level (Custom Nginx Configurations) as well as per proxy host (in the Advanced tab for the proxy host). When I need more time to experiment or want to restrict access to myself only, I add custom Nginx configuration to a particular proxy host, like:

allow x.x.x.x;
allow 192.168.x.x/24;
deny all;

to allow access only from particular IPs. But you need to know more about Nginx configuration and proceed carefully. For example, I also restrict access to NPM itself. If I make a mistake somewhere, I may not be able to access the NPM interface, which prevents me from managing other proxy hosts.

I had this error before. I had to access the SQLite database (i.e. data/database.sqlite) and clear the advanced_config data of the proxy_host table (e.g. update proxy_host set advanced_config = '' where id = x;), and also manually edit the file inside data/nginx (e.g. data/nginx/proxy_host/x.conf) to clear the configuration.
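A pre-save check for the allow/deny snippet above, added here as an example (it is not part of the original lab or of NPM). It evaluates the rules the way nginx does, in order with the first match deciding, and reports which of your management addresses would be denied. The sample snippet and all addresses are constructed.

```python
import ipaddress

# Constructed sample snippet; the addresses are documentation/private ranges.
SAMPLE = """
allow 203.0.113.7;
allow 192.168.0.0/24;
deny all;
"""

def parse_access_rules(snippet):
    """Return ordered [(action, network or None for 'all')] from allow/deny lines."""
    rules = []
    for raw in snippet.splitlines():
        for stmt in raw.split("#", 1)[0].split(";"):
            parts = stmt.split()
            if len(parts) != 2 or parts[0] not in ("allow", "deny"):
                continue  # ignore any other directive
            action, target = parts
            if target.startswith("unix:"):
                continue  # socket rules never match a TCP client
            # strict=False: nginx also masks off host bits in a CIDR
            net = None if target == "all" else ipaddress.ip_network(target, strict=False)
            rules.append((action, net))
    return rules

def is_allowed(rules, client_ip):
    """nginx checks rules in order; the first match decides."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return action == "allow"
    return True  # no rule matched: access is allowed by default

def locked_out(snippet, admin_ips):
    """Return the admin addresses this snippet would deny."""
    rules = parse_access_rules(snippet)
    return [ip for ip in admin_ips if not is_allowed(rules, ip)]

if __name__ == "__main__":
    # Hypothetical addresses you expect to manage NPM from.
    for ip in ["203.0.113.7", "192.168.0.55", "198.51.100.9"]:
        state = "DENIED" if locked_out(SAMPLE, [ip]) else "ok"
        print(f"{ip:15} {state}")
```

Check against the address nginx actually sees for you (the one in its access log), which may differ from your workstation's own address.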

To be continued...