Lab - Install Nginx Proxy Manager
Context
Compared to using Nginx directly to set up a reverse proxy, NPM offers a friendlier UI and convenient management utilities. However, this route assumes Docker.
Preparation
- Docker compose installed on the machine. See this lab for more.
- Basic knowledge of operating systems, networking, and domain name registration.
Installation
Create a parent folder that will hold future container configurations:
mkdir ws
cd ws
Create a folder inside it to hold the NPM assets:
mkdir mynpm
cd mynpm
Create a docker-compose.yaml file inside the folder:
networks:
  mynet:
    name: mynet
services:
  mynpm:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    ports:
      - '80:80'
      - '443:443'
      - '81:81'
    networks:
      - mynet
You can change the port mapping to something else if 80/81/443 are already in use.
Launch NPM
docker compose up -d
For Home User (Inside NAT)
In contrast to hosting NPM facing the public, the steps below assume that plain HTTP is used and that sensitive data such as passwords will not be exposed to the public.
- Assuming the IP of your docker engine is 192.168.0.10, first visit the site http://192.168.0.10:81
- Use the username admin@example.com and password changeme to log in
- Change the admin name and password as requested
- As an exercise, you can add a proxy host to the NPM itself. Add a local domain name such as mynpm to /etc/hosts, then create a proxy host with the domain mynpm and scheme/host/port set to http://192.168.0.10:91.
For VPS in the Cloud
When putting NPM in the cloud for your own use but publicly visible, extra care is needed. The main concern here is how to avoid transmitting the admin password in the open, since HTTP is used at the beginning.
Here we choose a simple approach that does not involve extra secure tunneling. It is not airtight, so in general you should be wary about the process and figure out a better way that suits you.
- Assume you have set up NPM on a VPS that has public IP 10.100.0.1
- You have also prepared a (sub)domain, say npm.example.com, bound to the IP.
- If you want and know how to, you can configure the firewall for the VPS to restrict traffic only between your home IP and the public IP at port 81.
- Visit your site at http://10.100.0.1:81, then log in with the initial username and password. When changing the admin password, use a one-time password that will be discarded later.
- Use the interface to create a proxy host using the domain npm.example.com, with scheme/host/port set to http://mynpm:81 where mynpm is the name of the NPM container. Also, obtain a new SSL certificate for it. Once successful, create the proxy host at last.
- Make sure you can access your NPM via https://npm.example.com
- Now you can change the admin password for real.
Advanced Configurations
NPM allows custom configuration at the global level (Custom Nginx Configurations) as well as per proxy host (in the Advanced tab of the proxy host). When I need more time to experiment or want to restrict access to myself only, I add a custom Nginx configuration to a particular proxy host, like:
allow x.x.x.x;
allow 192.168.x.x/24;
deny all;
to allow access only from particular IPs. But you need to have more knowledge about Nginx configuration and proceed carefully. For example, I also restrict access to NPM itself. If I make a mistake somewhere, I may not be able to access the NPM interface, which prevents me from managing other proxy hosts.
I had this error before. I had to access the SQLite database (i.e. data/database.sqlite) and clear the advanced_config data of the proxy_host table (e.g. update proxy_host set advanced_config = '' where id = x;) and also manually edit the file inside data/nginx (e.g. data/nginx/proxy_host/x.conf) to clear the configuration.
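To avoid the lockout described above, an allow/deny snippet can be checked against your own client addresses before it is saved in the Advanced tab. The following is an added example, not part of the original lab or of NPM; the function names and sample addresses are constructed, and it relies on nginx applying the first matching allow/deny rule in order.

```python
import ipaddress

def parse_access_rules(config_text):
    """Return (action, network) pairs for allow/deny directives, in file order."""
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        parts = line.rstrip(";").split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            continue                                  # other directives are out of scope
        if not line.endswith(";"):
            raise ValueError(f"missing ';' in directive: {raw!r}")
        action, target = parts
        # "all" matches every client; anything else is an address or CIDR block
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules

def is_allowed(rules, client_ip):
    """Apply the first matching rule, as nginx does; no match means no restriction."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or (ip.version == net.version and ip in net):
            return action == "allow"
    return True

def lockout_check(config_text, admin_ips):
    """Return the admin addresses that the snippet would deny."""
    rules = parse_access_rules(config_text)
    return [ip for ip in admin_ips if not is_allowed(rules, ip)]

# Constructed sample values: 203.0.113.7 stands in for the admin's home IP.
SAMPLE = "allow 203.0.113.7;\nallow 192.168.0.0/24;\ndeny all;\n"
# "deny all" placed first matches every client, so the allow is never reached.
MISORDERED = "deny all;\nallow 203.0.113.7;\n"

if __name__ == "__main__":
    admins = ["203.0.113.7", "192.168.0.25"]
    for name, cfg in (("sample", SAMPLE), ("misordered", MISORDERED)):
        print(name, "-> locked out:", lockout_check(cfg, admins) or "none")
```

Pass it the client address as nginx sees it, which may differ from your own address when NAT or another proxy sits in between.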
References
To be continued...