Installing Nginx Proxy Manager
31 August 2024 Published by Aristotelis Pitaridis
Tools used for this tutorial
Ubuntu Server 24.04
Docker 27.1.1

Introduction

Nginx Proxy Manager is a powerful tool that simplifies the process of managing proxy hosts with SSL termination. This guide will walk you through the steps to install and configure Nginx Proxy Manager using Docker Compose.

Prerequisites

Before we begin, ensure you have the following installed on your system:

  • Ubuntu Server
  • Docker
  • Docker Compose

You will also need a domain name that points to your dedicated server's public IP address. To do this, create an address record (an A record) for the domain. For this article we will assume that the domain is npm.domain.com.

Step 1: Configure Firewall

We have to open port 81 which is used by the Admin Site.

ufw allow 81

Reload firewall to apply the changes.

sudo ufw reload

Step 2: Create a network

Create the Nginx Proxy Manager network

docker network create NginxProxyManagerNet

This network will help us later to allow other Docker Containers to communicate with Nginx Proxy Manager. In this way we will be able to make our Docker Containers available to the Nginx Proxy Manager for viewing their content through a domain.

Step 3: Create a Docker Compose file

First, create a docker-compose.yml file in your desired directory. This file will define the services required for Nginx Proxy Manager.

Create a folder called Docker where we will store all our applications.

mkdir Docker
cd Docker

Create a folder for the Nginx Proxy Manager application.

mkdir NginxProxyManager
cd NginxProxyManager

Create a file called docker-compose.yml to store the configuration settings for the Nginx Proxy Manager application.

nano docker-compose.yml

The simplest configuration defines only the Nginx Proxy Manager service:

services:

  NginxProxyManager:
    container_name: NginxProxyManager
    image: jc21/nginx-proxy-manager:latest
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    ports:
      # Public HTTP Port
      - "80:80"
      # Public HTTPS Port
      - "443:443"
      # Admin Web Port
      - "81:81"
    networks: ["NginxProxyManagerNet"]
    restart: unless-stopped

networks:
    NginxProxyManagerNet:
        external: true
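
Alternatively, use the following configuration, which adds a MariaDB database container for Nginx Proxy Manager:

services: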

  NginxProxyManager:
    container_name: NginxProxyManager
    image: jc21/nginx-proxy-manager:latest
    environment:
      - DB_MYSQL_HOST=NginxProxyManagerDB
      - DB_MYSQL_PORT=3306
      - DB_MYSQL_USER=NginxProxyManager
      # Replace this example password with your own randomly generated value
      - DB_MYSQL_PASSWORD=83be6956-e8d9-4ab1-8b95-e2efe0210ff4
      - DB_MYSQL_NAME=NginxProxyManager
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    ports:
      # Public HTTP Port
      - "80:80"
      # Public HTTPS Port
      - "443:443"
      # Admin Web Port
      - "81:81"
    depends_on:
      - NginxProxyManagerDB
    networks: ["NginxProxyManagerNet"]
    restart: unless-stopped

  NginxProxyManagerDB:
    container_name: NginxProxyManagerDB
    image: jc21/mariadb-aria:latest
    environment:
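      # Replace the example passwords with your own randomly generated values.
      # MYSQL_PASSWORD must match DB_MYSQL_PASSWORD in the NginxProxyManager service.
      - MYSQL_ROOT_PASSWORD=83be6956-e8d9-4ab1-8b95-e2efe0210ff4
      - MYSQL_DATABASE=NginxProxyManager
      - MYSQL_USER=NginxProxyManager
      - MYSQL_PASSWORD=83be6956-e8d9-4ab1-8b95-e2efe0210ff4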
    volumes:
      - ./mysql:/var/lib/mysql
    networks: ["NginxProxyManagerNet"]
    restart: unless-stopped

networks:
    NginxProxyManagerNet:
        external: true

Save and close the docker-compose.yml file.

Step 4: Run Docker Compose

Run the following command to start the services:

docker compose up -d

We can view the service logs using the following command:

docker compose logs -f

We can combine the above commands in the following way:

docker compose up -d && docker compose logs -f

We can create a new bash session in the container using the following commands:

docker exec -ti NginxProxyManager bash
exit
docker exec -ti NginxProxyManagerDB bash
exit

Step 5: Access the Admin Interface

Once the containers are up and running, you can access the Nginx Proxy Manager admin interface by navigating to http://<your-server-ip>:81. 

The default login credentials are:

After your first login to the admin interface, you will be immediately asked to change these settings.

Step 6: Setting up Domain Name and SSL for Nginx Proxy Manager

In this step we will create a host in which we will define our domain and SSL for the Admin Panel. 

  1. Navigate to the Proxy Hosts Section:
    • Click on the “Hosts” tab.
    • Select “Proxy Hosts”.
  2. Add a New Proxy Host:
    • Click on the “Add Proxy Host” button.
    • Enter the domain name you want to associate with this service.
    • Select the http scheme.
    • Enter the value “NginxProxyManager” for the “Forward Hostname / IP”.
    • Enter the value “81” for the port number.
    • We enable the “Block Common Exploits” switch.
  3. Configure the SSL Certificate
    • Click the “SSL” link at the top of the modal.
    • Select the value “Request a new SSL Certificate” from the “SSL Certificate” drop down.
    • Enable the “Force SSL”, “HTTP/2 Support” and “HSTS Enabled” switches. After creating the host we will have to enable these switches again because, due to a bug, these settings are not applied.
    • Enter your email in the “Email Address for Let’s Encrypt” field.
    • Enable the “I Agree to the Let’s Encrypt Terms of Service” switch.
    • Click Save to create the host and request the SSL Certificate for your domain.

Your domain should be live and working. Try opening https://npm.domain.com in your browser, and you should get Nginx Proxy Manager's login screen.

Step 7: Block port 81 with firewall

Now that we've configured our domain to handle port 81 traffic, we'll block that port from being accessible from the internet. To do this, follow these steps:

First we need to display a list of all firewall rules by typing the following command:

ufw status numbered

This will have the following output:

Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80                         ALLOW IN    Anywhere
[ 2] 443                        ALLOW IN    Anywhere
[ 3] OpenSSH                    ALLOW IN    Anywhere
[ 4] 81                         ALLOW IN    Anywhere
[ 5] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)
[ 7] OpenSSH (v6)               ALLOW IN    Anywhere (v6)
[ 8] 81 (v6)                    ALLOW IN    Anywhere (v6)

The number in front of each rule is used to select which rule to delete. We want to delete the rule for port 81, which in our example has the number 4, so we type the following command:

ufw delete 4

A message asking us to confirm will appear on the screen. 

Deleting:
 allow 81
Proceed with operation (y|n)?

We type y and press enter. 

Rule numbers shift after each deletion, so we run ufw status numbered again to find the new number of the 81 (v6) rule and delete it in the same way.

Reload firewall to apply the changes.

sudo ufw reload

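Finally we have to edit the docker-compose.yml file so that port 81 is no longer published. This step is essential: published container ports are opened by Docker's own iptables rules and are not filtered by ufw's allow rules, so removing the ufw rule alone does not close port 81.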

nano docker-compose.yml

We change the ports line to comment out the line for port 81.

      #- "81:81"

Apply the changes to the docker-compose.yml file by typing the following command:

docker compose up -d
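
The check below is an added example, not part of the original tutorial: it lists the ufw rule numbers for a port highest-first, so that deleting one rule does not renumber the next, and tests whether a compose ports list still publishes the port. The function names and the sample inputs are constructed for illustration.

```shell
# Added example (not from the original tutorial); function names are hypothetical.
# Constructed sample: the `ufw status numbered` listing shown in Step 7.
SAMPLE_UFW='Status: active

     To                         Action      From
     --                         ------      ----
[ 1] 80                         ALLOW IN    Anywhere
[ 2] 443                        ALLOW IN    Anywhere
[ 3] OpenSSH                    ALLOW IN    Anywhere
[ 4] 81                         ALLOW IN    Anywhere
[ 5] 80 (v6)                    ALLOW IN    Anywhere (v6)
[ 6] 443 (v6)                   ALLOW IN    Anywhere (v6)
[ 7] OpenSSH (v6)               ALLOW IN    Anywhere (v6)
[ 8] 81 (v6)                    ALLOW IN    Anywhere (v6)'

# Constructed sample: the ports list after commenting out port 81.
SAMPLE_PORTS='    ports:
      - "80:80"
      - "443:443"
      #- "81:81"'

# Print the numbers of all rules whose "To" column is the given port (IPv4 and
# "(v6)" rows), highest first, so each `ufw delete N` leaves the numbers of the
# rules still to be deleted unchanged. Reads `ufw status numbered` on stdin.
ufw_rule_numbers() {  # $1 = port
  sed -n 's/^\[ *\([0-9][0-9]*\)] *\([^ ]*\).*/\1 \2/p' |
    awk -v port="$1" '$2 == port || $2 == (port "/tcp") { print $1 }' |
    sort -rn | tr '\n' ' ' | sed 's/ $//'
}

# Exit 0 if the compose text on stdin still publishes the given host port.
# Commented-out entries such as `#- "81:81"` do not count.
compose_publishes_port() {  # $1 = host port
  grep -Eq "^[[:space:]]*-[[:space:]]*[\"']?([0-9.]+:)?$1:[0-9]+"
}

# Demo on the constructed samples: only prints, changes nothing.
for n in $(printf '%s\n' "$SAMPLE_UFW" | ufw_rule_numbers 81); do
  echo "sudo ufw delete $n"
done
if printf '%s\n' "$SAMPLE_PORTS" | compose_publishes_port 81; then
  echo "port 81 is still published by Docker"
else
  echo "port 81 is no longer published"
fi
```

On a real host, feed the functions live data: `sudo ufw status numbered | ufw_rule_numbers 81` and `compose_publishes_port 81 < docker-compose.yml`.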

Step 8: Access Lists

Access Lists provide a blacklist or whitelist of specific client IP addresses along with authentication for the Proxy Hosts via Basic HTTP Authentication. 

You can configure multiple client rules, usernames and passwords for a single Access List and then apply that to a Proxy Host.

This is most useful for forwarded web services that do not have authentication mechanisms built in or that you want to protect from access by unknown clients.

Authorization (username and password)

It allows us to set one or more usernames and passwords to protect a website. To define it, follow these steps:

  1. Navigate to the Access Lists Section by clicking the “Access Lists” link.
  2. We click the “Add Access List” button.
  3. We type the name for our Access List.
  4. We click the Authorization tab.
  5. We type username and password which will be used in order to access the site.
  6. We can add more fields by clicking the Add button.
  7. When we finish, we click the Save button.

Access (IP)

It allows us to define one or more IP addresses or IP ranges which will have access to a site.

  1. Navigate to the Access Lists Section by clicking the “Access Lists” tab.
  2. We click the “Add Access List” button.
  3. We type the name for our Access List.
  4. We click the Access tab.
  5. We type an IP or an IP range in the allow input.
    • 161.97.85.219 – define one IP.
    • 161.97.85.0/24 – define one IP set which contains all the 161.97.85.* IPs.
  6. We can add more fields by clicking the Add button.
  7. When we finish, we click the Save button.

Authorization and Access combination

When an Access List uses both Authorization and Access, we can choose whether both conditions must be satisfied to access the site. This is controlled by the “Satisfy Any” switch on the Details tab.

If the switch is off, both the password and the IP address must be valid to allow access to the site. If it is on, it is enough for one of them to be valid.

Apply Access list to a host

To be able to apply an Access List to a Host, we should go to the Host's edit screen and select the Access List from the drop-down list box at the bottom of the modal.

Conclusion

By following these steps, you can easily set up Nginx Proxy Manager using Docker Compose. This setup allows you to manage your proxy hosts efficiently, with the added benefit of SSL termination.