
Imagine you've set up a fantastic home lab. There's a Home Assistant running for your smart home, a Nextcloud for your data, maybe a Plex server for media and a Pi-hole to block ads. All of these services are running beautifully - but they have one huge problem: they're all reachable under different IP addresses or, even worse, under the same IP address but with wild port numbers like :8123, :8080 or :32400.

And then the moment comes when you want to access your Nextcloud on the move. What do you do? Open ports in the router? Please don't! Exposing every single port for every service to the Internet is a security nightmare. Plus, you can't possibly remember all those port numbers. You want nextcloud.yourdomain.com and you're done. And of course the whole thing should be encrypted, with a green lock in the browser bar (HTTPS).

This is exactly where the NGINX Proxy Manager (NPM) comes into play.

It is the „gatekeeper“ for your network. It accepts requests from the Internet (on the standard ports 80 and 443), looks at which domain has been called (e.g. home.yourdomain.com), and forwards the visitor internally to the correct container and port. The best thing about it? You don't have to edit cryptic configuration files in the console. The NGINX Proxy Manager provides you with a beautiful graphical interface to control everything.

In the world of web hosting and network management, a reverse proxy is a key component in improving the performance, security and scalability of web applications. The NGINX Proxy Manager is a powerful tool that simplifies the setup and management of NGINX as a reverse proxy and makes it almost child's play. In this post, I'll show you how to set up the NGINX Proxy Manager as a reverse proxy.

What is a reverse proxy?

First, let's clarify what a reverse proxy actually is. Think of a reverse proxy as a middleman that stands between the users' requests and the servers of your application. It forwards requests to the servers and sends the responses back to the users. This gives you a lot of advantages such as load balancing, improved security and efficient caching mechanisms.

As shown here, the reverse proxy communicates with the Internet and with your server, including the services. You can think of it as an interpreter. A person tries to access the domain sascha-brockel.de via the Internet. The request is forwarded to the hosting provider of the domain, which in turn refers to an IP address where a server is located.

However, the server itself is not addressed directly, as in most cases the network traffic only runs via ports 80 and 443. Nowadays almost only port 443 is used, as practically every page uses https as its protocol and is therefore secure. However, as only one service can listen on a given port, that port would be occupied by the first service, so we use a reverse proxy. It accepts all requests on that port and contains a mapping table for the internal network that determines where each request should be forwarded.

So we can send the request to sascha-brockel.com to the WordPress docker container. The same applies to the WordPress service, which now knows where to send the response back to. The response therefore runs via the reverse proxy again and back to the Internet to the requestor.

Why NGINX?

NGINX (pronounced „Engine X“) is one of the fastest and most popular web servers in the world. It is extremely resource-efficient and can handle thousands of simultaneous connections. However, the configuration of „raw“ NGINX is often tedious. A wrong bracket in the nginx.conf and nothing works anymore.

Why NGINX Proxy Manager?

The developers behind the project (see GitHub) have realized that NGINX is ingenious but complicated. The NPM puts a user-friendly web interface (GUI) on the NGINX server. When you click in the GUI, the tool writes the complex NGINX configuration for you in the background.

The key features at a glance:

  • Beautiful UI: based on Tabler, very clear.
  • SSL management: Integrated „Let's Encrypt“ support. Certificates are created and renewed automatically.
  • Docker support: Runs perfectly as a container.
  • Access Lists: Protect services that do not have their own login with an additional password or restrict access to certain IP addresses.
  • Several users: You can create admin and restricted users.

Figure: NGINX Proxy Manager WebUI

Advantages of NGINX Proxy Manager compared to normal NGINX

1. User-friendly graphical user interface (GUI)

  • Simplicity: The biggest advantage of the NGINX Proxy Manager is its user-friendly graphical interface. While NGINX is normally managed via configuration files in the command line, the NGINX Proxy Manager offers an intuitive web interface.
  • Time saving: The GUI allows you to configure proxy settings quickly and efficiently without having to dig into configuration files. This saves time, especially for users who are less experienced with configuring NGINX via the command line.
  • Less complexity: I speak from experience when I say how frustrating it is to get started with NGINX if you have never written a configuration before.

2. Simple SSL/TLS certificate management

  • Automation: The NGINX Proxy Manager simplifies the handling of SSL/TLS certificates enormously. You can request Let's Encrypt certificates directly via the GUI and have them renewed automatically.
  • Security: This facilitates the implementation of HTTPS on your websites and promotes a more secure web environment, which is almost mandatory nowadays.

3. Access control and authentication

  • User-friendly setup: In the NGINX Proxy Manager you can easily set up access control rules and authentication options for your web applications.
  • Flexibility: It offers greater flexibility in configuring access restrictions without having to delve into the depths of complex NGINX configuration files.

4. Simple troubleshooting and monitoring

  • Access logs: NGINX Proxy Manager provides a simple interface to view access and error logs. This makes troubleshooting much easier than manually searching through log files on the server.
  • Clarity: The clear display of configurations and logs in the GUI helps to quickly identify and resolve problems.

5. Support for Docker

  • Docker integration: NGINX Proxy Manager is available as a Docker container, which facilitates installation and scaling on different systems.
  • Portability and consistency: By using Docker, you can ensure a consistent environment across different development, test and production environments.

6. Extended configuration options

  • User-defined headers: You can configure custom HTTP headers directly via the GUI, which requires more technical knowledge and manual configuration work with the standard NGINX version.
  • Adaptability: The NGINX Proxy Manager offers greater flexibility in customizing proxy settings for specific requirements.

Preparation and requirements

To get started, you need a solid foundation.

1. The hardware

The NGINX Proxy Manager is very frugal. It runs on:

  • A Raspberry Pi (3B+ or 4/5 recommended).
  • An old laptop/PC with Linux.
  • A VPS (Virtual Private Server) from providers such as Hetzner, Netcup or DigitalOcean.
  • A NAS (Synology, QNAP), if Docker is supported.

2. The software

We assume that you are using a Linux system (e.g. Ubuntu, Debian or Raspberry Pi OS). Docker and Docker Compose must be installed.

If you have not already done so, install Docker with these commands:

curl -sSL https://get.docker.com | sh
sudo usermod -aG docker $USER

(Log out once and then log in again.)

3. Domains and DNS

This is the most important point that many people forget: You need a domain (e.g. mydomain.com) or at least a DynDNS address (like myserver.duckdns.org).

For the Proxy Manager to work, ports 80 (HTTP) and 443 (HTTPS) must be forwarded on your router to the IP address of the device on which the Proxy Manager will run.

  • Port Forwarding: Router -> port 80 to server IP port 80.
  • Port Forwarding: Router -> port 443 to server IP port 443.

Installation of the NGINX Proxy Manager

  1. Creating a Docker Compose file: Start with a Docker Compose file for the NGINX Proxy Manager. Here you define how Docker builds the necessary containers. Here is an example for your docker-compose.yml file:
services:
  nginx-proxy-manager:
    image: jc21/nginx-proxy-manager:latest
    container_name: nginx-proxy-manager
    networks:
      - sascha
    restart: unless-stopped
    ports:
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '81:81' # Admin Web Port
    environment:
      TZ: Europe/Berlin
      X_FRAME_OPTIONS: SAMEORIGIN
    volumes:
      - /mnt/cache/appdata/network/nginx-proxy-manager/data:/data
      - /mnt/cache/appdata/network/nginx-proxy-manager/letsencrypt:/etc/letsencrypt
    healthcheck:
        test: /bin/check-health
        interval: 1m
        timeout: 3s
        retries: "2"

networks:
  sascha:
    external: true
  2. Start container: Now start the container with docker-compose up -d. Docker now downloads the image and starts the service. This may take a few minutes the first time. The NGINX Proxy Manager should now be running on your server.

Important notes on configuration:

  • Database: In this example, we use the integrated SQLite database. This is completely sufficient for 99% of home users. If you are running a huge environment, you can also connect a separate MariaDB/MySQL database (see GitHub documentation), but this is overkill for the start.
  • Ports: Port 81 is the administration port. You should not forward this port in the router! It is only intended for you in the local network (LAN).
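
The compose file above publishes '81:81' without a host IP, so Docker binds the admin interface on every interface of the host. The following check is an added example, not part of the original post or of the NPM project: it parses Compose short-syntax port strings and flags any that publish the admin port on all interfaces. The hardened list, which binds the admin port to 192.168.178.50 (the LAN address used in this post's examples), is an assumption about your host.

```python
import re
from typing import NamedTuple

ADMIN_PORT = 81                          # NPM admin UI port from the compose file above
WILDCARD_HOSTS = {"", "0.0.0.0", "::"}   # "" = no host IP given, Docker binds all interfaces


class Mapping(NamedTuple):
    host_ip: str         # "" when the spec names no host IP
    host_port: str       # "" when Docker picks an ephemeral host port
    container_port: str
    proto: str


# Compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTO], IPv6 host IPs in brackets
_PORT_RE = re.compile(
    r"^(?:(?P<ip>\[[0-9a-fA-F:]+\]|\d{1,3}(?:\.\d{1,3}){3}):)?"
    r"(?:(?P<hport>\d+(?:-\d+)?)?:)?"
    r"(?P<cport>\d+(?:-\d+)?)"
    r"(?:/(?P<proto>tcp|udp))?$"
)


def parse_port(spec: str) -> Mapping:
    m = _PORT_RE.match(spec.strip())
    if not m:
        raise ValueError(f"unrecognised port mapping: {spec!r}")
    return Mapping((m["ip"] or "").strip("[]"), m["hport"] or "", m["cport"], m["proto"] or "tcp")


def covers(port_or_range: str, port: int) -> bool:
    """True if a single port ("81") or a range ("80-90") includes `port`."""
    lo, _, hi = port_or_range.partition("-")
    return int(lo) <= port <= int(hi or lo)


def exposed_admin_mappings(ports, admin_port=ADMIN_PORT):
    """Return the specs that publish the admin port on every host interface."""
    return [
        spec for spec in ports
        if covers(parse_port(spec).container_port, admin_port)
        and parse_port(spec).host_ip in WILDCARD_HOSTS
    ]


# Port list exactly as in the compose file on this page
PAGE_PORTS = ["80:80", "443:443", "81:81"]
# Constructed hardened variant: admin UI bound to the LAN address used in this post's examples
HARDENED_PORTS = ["80:80", "443:443", "192.168.178.50:81:81"]

if __name__ == "__main__":
    print("exposed:", exposed_admin_mappings(PAGE_PORTS))
    print("exposed after hardening:", exposed_admin_mappings(HARDENED_PORTS))
```

Binding to a specific host address only limits where Docker listens; the router rule for port 81 must still stay absent.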

Network and accessibility

  • Ports: The container opens three important access points: Port 80 for normal web traffic (HTTP), port 443 for encrypted traffic (HTTPS) and port 81 for the graphical administration interface in the browser.
  • Network: It is integrated into the existing network sascha in order to be able to forward requests directly to other containers in this network.

Configuration and security

  • Environment: The time zone is set to Berlin. In addition, a security header is activated that prevents the web interface from being embedded in external frames (protection against clickjacking).
  • Health check: The system automatically checks every minute whether the service is still running properly. If this test fails twice in succession, the container is marked as „unhealthy“.

Data storage

To ensure that your configurations and the SSL certificates you have created (e.g. from Let's Encrypt) are permanently retained, two directories are mirrored from your host system directly into the container. This means that all settings are retained even after updates to the container.

The first start & basic setup

As soon as the container is running (check this with docker ps), you can access the interface.

  1. Open your browser.
  2. Navigate to http://<server-ip>:81.
    • Example: http://192.168.178.50:81

You should now see the login screen. The default access data are:

Attention: You will be asked to change this data immediately after your first login. Please do so! Choose a strong password and enter a real e-mail address. This e-mail will be used later for Let's Encrypt notifications (e.g. expiring certificates).

Publish your first (public) service

Now comes the fun part. We assume that you have a service (e.g. Portainer or Nextcloud) running on your server that is reachable at http://192.168.178.50:9000. You would like to reach it at portainer.mydomain.com.

Step 1: Set DNS entry

Go to your domain provider (Strato, Cloudflare, Namecheap, etc.) and create an A-Record (for IPv4) or AAAA-Record (for IPv6).

  • Host/Subdomain: portainer
  • Target/Value: Your public WAN IP address (at home).

Tip: If you have a dynamic IP at home, set up a CNAME record that points to your DynDNS address.

Step 2: Create proxy host

In the NGINX Proxy Manager Dashboard, go to Hosts -> Proxy hosts and click on Add Proxy Host at the top right.

A window opens with several tabs. Here is the magic:

Tab: Details

  • Domain Names: Enter portainer.mydomain.com here. Press Enter so that the chip is created.
  • Scheme: Mostly http (as the internal communication between proxy and service is often unencrypted).
  • Forward Hostname / IP: The IP address of the target service must be entered here.
    • Pro Tip: If the target container is in the same Docker network as the NPM, you can use the container name.
    • Standard: Enter the local IP of your server (e.g. 192.168.178.50). Do not enter 127.0.0.1 or localhost, as this would refer to the container itself!
  • Forward Port: The port of the service, e.g. 9000.
  • Cache Assets / Block Common Exploits: You can usually activate this (improves performance and security somewhat).
  • Websockets Support: Be sure to activate this for services such as Home Assistant or Portainer that require live updates.

Tab: SSL (The encryption)

Do not click on „Save“ yet. Switch to the „SSL“ tab.

  • SSL Certificate: Select „Request a new SSL Certificate“.
  • Force SSL: Activate this. It forces visitors to use HTTPS. If someone enters http://..., they are automatically redirected to https://...
  • HTTP/2 support: Activate (makes the page faster).
  • Email Address for Let's Encrypt: Should already be pre-filled.
  • I Agree to the Terms: Check the box.

Now click on Save.

What happens now?

  1. The NPM contacts Let's Encrypt.
  2. Let's Encrypt checks whether your domain is really pointing to your server (that's why we had to open port 80!).
  3. If everything fits, the certificate is downloaded, installed and the proxy is activated.

After a few seconds you should see „Online“ in the list. Call up your domain - you should see the lock symbol!

Setting up a local reverse proxy host

In principle, you do the same as with a public host, but it has to point somewhere else. Assuming you are using DuckDNS, as shown in the video linked below, you will need to store the IP address of your server there in order to resolve the domains locally. You can then use an SSL certificate for your DuckDNS address and a wildcard address, for example saschatest.duckdns.org and *.saschatest.duckdns.org, and then use local proxy hosts with this domain.

  1. Add proxy host: In the NGINX Proxy Manager interface, go to „Hosts“ and then to „Proxy Hosts“. Here you click on „Add Proxy Host“.
  2. Enter details: Enter the domain you want to redirect and the IP address and port of the internal service you want to route through the proxy.
  3. Configure SSL certificate: You can choose a free SSL certificate from Let's Encrypt or use an existing certificate.
  4. Save changes: Save your settings and the NGINX Proxy Manager will immediately redirect traffic to your application. There is a hot reload that does not require a restart.

Advanced functions

The NGINX Proxy Manager can do more than just simple forwarding.

1. Access lists (additional password protection)

Some services have no login at all or only a weak one. Or you don't even want to show your admin dashboard to the public without a second hurdle. You can and should also use access lists for internal services to double protect yourself and only allow access to devices from the local network, as shown in the video.

  • Go to Access Lists -> Add Access List.
  • Give the list a name (e.g. „Admin-Only“).
  • You can create usernames and passwords in the „Authorization“ tab.
  • Go back to your proxy host, edit it and select your new list in the „Details“ tab under „Access List“.
  • Result: Before the page loads, the browser now asks for the user name and password.

2. Redirection hosts

Sometimes you just want to redirect one domain to another. Example: www.meinedomain.de should lead to mydomain.com. Or store.mydomain.com to your Etsy store. You can do this under Hosts -> Redirection Hosts. Simply enter the source and destination, select the status code (usually 301 for permanent) and you're done.

3. 404 Hosts (Default Site)

What happens if someone calls your IP address directly or a subdomain that you have not configured? By default, NGINX shows a „Congratulations“ page. However, this reveals that a server is running. Under Settings -> Default Site you can set what should happen. Best: „404 Page“ or simply „Redirect“ to https://www.google.com/search?q=Google.com. This way you give attackers less information.

4. Custom NGINX configuration

For the absolute pros: In every proxy host there is the tab Advanced. Here you can insert raw NGINX config snippets. You often need this for Nextcloud, for example, to set specific headers for CalDAV/CardDAV (location /.well-known/carddav { ... }). This makes the NPM extremely flexible, without you having to edit files via SSH.

Troubleshooting and common errors

Even the best tool can sometimes go wrong. Here are the classics:

„Internal error“ when creating the certificate

  • Cause: In most cases, port 80 on the router is not open or the DNS settings have not yet been updated worldwide (DNS propagation can take up to 24 hours, but usually works in minutes).
  • Solution: Check whether you can reach your IP on port 80 from outside.

502 Bad gateway error

  • Cause: The proxy is running, but it cannot reach the internal service.
  • Solution: Check the IP address and port of the „Forward Host“. Is the target container running? Are they in the same network? If you are using Docker network names, make sure that both containers are in the same Docker network.

504 Gateway time-out error

  • Cause: The destination server takes too long to respond.
  • Solution: Either the server is overloaded or has crashed.

Security tips

The NGINX Proxy Manager is the gateway to your network. Keep it secure!

  1. Strong password for the admin: The default password changeme is taboo!
  2. Never release port 81: The admin interface belongs in the LAN or should only be accessible via VPN.
  3. Updates: Update the Docker container regularly (docker compose pull && docker compose up -d).
  4. Fail2Ban (optional): Advanced users can install Fail2Ban on the host system and monitor the NGINX Proxy Manager logs to ban IPs that enter incorrect passwords too often.
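
The idea behind the Fail2Ban tip, shown as an added example (not Fail2Ban's code and not from the original post): count 401 responses per client IP inside a sliding window and report the addresses that cross a threshold. The log-line layout, the thresholds and the sample lines are assumptions constructed for illustration; compare them with your own NPM log files before writing a real Fail2Ban filter.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

MAX_RETRY = 5                      # assumed threshold (Fail2Ban's maxretry)
FIND_TIME = timedelta(minutes=10)  # assumed sliding window (Fail2Ban's findtime)

# Assumed layout: [time] cache upstream_status status - METHOD scheme host "uri" [Client ip] ...
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \S+ \S+ (?P<status>\d{3}) - [A-Z]+ \S+ \S+ "[^"]*" '
    r'\[Client (?P<ip>[0-9a-fA-F:.]+)\]'
)


def ips_to_ban(lines, max_retry=MAX_RETRY, find_time=FIND_TIME):
    """Return {client_ip: time the threshold was reached} for chronologically ordered lines."""
    recent = defaultdict(deque)   # per-IP timestamps of 401s still inside the window
    banned = {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["status"] != "401":
            continue              # unparsable lines and non-auth-failures are ignored
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[m["ip"]]
        hits.append(ts)
        while ts - hits[0] > find_time:
            hits.popleft()        # drop failures that aged out of the window
        if len(hits) >= max_retry:
            banned.setdefault(m["ip"], ts)
    return banned


def make_line(ts, status, ip):
    """Build one constructed log line (documentation IP ranges, hostname from this post)."""
    return (f'[{ts} +0000] - - {status} - GET https portainer.mydomain.com "/" '
            f'[Client {ip}] [Length 179] [Gzip -] [Sent-to 192.168.178.50] "curl/8.5.0" "-"')


SAMPLE_LOG = (
    # five 401s within 40 seconds: repeated wrong Access List passwords
    [make_line(f"12/Mar/2025:10:15:{s:02d}", 401, "203.0.113.7") for s in range(0, 50, 10)]
    + [make_line("12/Mar/2025:10:16:00", 200, "198.51.100.4")]
    # five 401s spread over hours: a browser's first, credential-less request also logs 401
    + [make_line(f"12/Mar/2025:{h:02d}:00:00", 401, "198.51.100.9") for h in range(11, 16)]
    + ["truncated or foreign line"]
)

if __name__ == "__main__":
    for ip, when in ips_to_ban(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached {when.isoformat()})")
```

Because the first request to a password-protected host carries no credentials and is also answered with 401, a threshold of 1 or 2 would ban ordinary visitors; the window is what separates them from repeated guessing.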

YouTube video implementation

Conclusion

The NGINX Proxy Manager is one of those tools that makes you ask yourself: „How did I do it before without it?“ It takes the horror out of complex server administration. Instead of struggling with certificate renewals (cronjobs for Certbot) and cryptic config files, you click together your infrastructure.

It is the perfect bridge between professional IT technology and home user friendliness. Whether you're hosting a small blog or running a massive home lab, the NPM scales with your requirements. The combination of Docker, Let's Encrypt automation and the simple GUI makes it an indispensable standard tool for every self-host enthusiast.

Get started today, clean up your port mess and give your services the professional HTTPS addresses they deserve!
