Configs · Apr 15, 2026 · 3 min read

Nginx Proxy Manager — Web UI for Nginx Reverse Proxy

Docker container that gives you a polished web interface on top of Nginx, with automatic Let's Encrypt SSL, access lists, and streams.

Introduction

Nginx Proxy Manager (NPM) lets anyone run a production-grade reverse proxy without editing nginx.conf by hand. You define proxy hosts, redirections, 404 hosts, and stream forwards in a dashboard; the container regenerates the nginx config and requests Let's Encrypt certificates for you.

What Nginx Proxy Manager Does

  • Proxies HTTP(S) hosts to internal upstreams with one form per site.
  • Automates certificate issuance and renewal via ACME HTTP-01 and DNS-01.
  • Supports access lists with HTTP basic auth and IP allow/deny rules.
  • Forwards raw TCP/UDP streams (MQTT, SSH, game servers).
  • Multi-user admin with per-user permissions and audit log.

Architecture Overview

A single Docker image bundles nginx, Node.js (the admin API and UI), and SQLite/MySQL for state. The admin UI writes configuration to /data/nginx/; a file watcher reloads nginx gracefully on change. Certbot runs in the same container and stores certs in /etc/letsencrypt, shared across proxy hosts.

Self-Hosting & Configuration

  • Expose ports 80 (ACME), 443 (TLS), and 81 (admin UI) behind a firewall; 81 is the admin plane and should not be reachable from the internet (see the FAQ).
  • Persist /data and /etc/letsencrypt — deleting either wipes your hosts.
  • Swap SQLite for MySQL via DB_MYSQL_* env vars for multi-replica setups.
  • Use DISABLE_IPV6=true on IPv4-only hosts to silence nginx warnings.
  • Put NPM behind Cloudflare with DNS challenge for certs on private services.

Key Features

  • Point-and-click HTTPS for any internal service.
  • Websocket and HTTP/2 support toggles per host.
  • Custom locations let you route /api/* and / to different upstreams.
  • Audit log shows who changed which proxy host, with rollback-friendly history.
  • Stream forwarding handles non-HTTP protocols on the same box.

Comparison with Similar Tools

  • Traefik — label-driven config, better for Docker Compose stacks, steeper UI story.
  • Caddy — automatic HTTPS with a tiny Caddyfile, no GUI.
  • HAProxy — higher performance L4/L7, no built-in ACME or UI.
  • SWAG (LinuxServer) — bundled nginx + Let's Encrypt, config by files only.
  • Cloudflare Tunnel — no open ports, but ties you to Cloudflare.

FAQ

Q: Can I keep my existing nginx config? A: Yes — put custom .conf files in /data/nginx/custom/; NPM includes them untouched.

Q: DNS-01 challenge providers? A: 30+ providers including Cloudflare, Route53, DigitalOcean, DuckDNS, via the built-in certbot plugins.

Q: Is it safe to expose port 81? A: No — bind it to localhost or put it behind a VPN; it is the admin plane.

Q: HA deployment? A: Point two replicas at a shared MySQL, keep /data/nginx on shared storage, and round-robin DNS the front.
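
The Self-Hosting notes and the port 81 answer above, combined into one single-host Compose file. This is an added example, not taken from the project's documentation; the service name and the host-side ./data and ./letsencrypt paths are assumptions, and the image name is the published jc21/nginx-proxy-manager image.

```yaml
# Added example: single-host Nginx Proxy Manager deployment (SQLite, no HA).
# Assumptions: service name "npm", bind-mount paths relative to this file.
services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    restart: unless-stopped
    ports:
      - "80:80"             # HTTP, required for ACME HTTP-01 validation
      - "443:443"           # TLS for the proxied hosts
      # Weak form:  - "81:81"
      #   publishes the admin UI on every host interface. Docker opens
      #   published ports through its own iptables rules, so a host
      #   firewall front end such as ufw may not block them.
      - "127.0.0.1:81:81"   # corrected: admin UI bound to loopback only
    environment:
      DISABLE_IPV6: "true"  # only on IPv4-only hosts
    volumes:
      - ./data:/data                    # generated nginx config and app state
      - ./letsencrypt:/etc/letsencrypt  # certificates issued by certbot
```

With the loopback bind, the admin UI is reached over a VPN or an SSH port forward to 127.0.0.1:81 on the host rather than through a public listener.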
