# Nginx Proxy Manager — Web UI for Nginx Reverse Proxy

> Docker container that gives you a polished web interface on top of Nginx, with automatic Let's Encrypt SSL, access lists, and streams.

## Install

Save in your project root:

## Quick Use

```yaml
# docker-compose.yml
services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    restart: unless-stopped
    # 80 = HTTP/ACME, 443 = TLS, 81 = admin UI.
    # Port 81 is the admin plane; the FAQ advises binding it to localhost or a VPN.
    ports: ["80:80", "443:443", "81:81"]
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
# First login: http://HOST:81 (admin@example.com / changeme)
# These are default credentials; replace them at first login.
```

## Introduction

Nginx Proxy Manager (NPM) lets anyone run a production-grade reverse proxy without editing nginx.conf by hand. You define proxy hosts, redirections, 404 hosts, and stream forwards in a dashboard; the container regenerates the nginx config and requests Let's Encrypt certificates for you.

## What Nginx Proxy Manager Does

- Proxies HTTP(S) hosts to internal upstreams with one form per site.
- Automates certificate issuance and renewal via ACME HTTP-01 and DNS-01.
- Supports access lists with HTTP basic auth and IP allow/deny rules.
- Forwards raw TCP/UDP streams (MQTT, SSH, game servers).
- Multi-user admin with per-user permissions and audit log.

## Architecture Overview

A single Docker image bundles nginx, Node.js (the admin API and UI), and SQLite/MySQL for state. The admin UI writes configuration to `/data/nginx/`; a file watcher reloads nginx gracefully on change. Certbot runs in the same container and stores certs in `/etc/letsencrypt`, shared across proxy hosts.

## Self-Hosting & Configuration

- Expose ports 80 (ACME), 443 (TLS), and 81 (admin UI) behind a firewall.
- Persist `/data` and `/etc/letsencrypt` — deleting either wipes your hosts.
- Swap SQLite for MySQL via `DB_MYSQL_*` env vars for multi-replica setups.
- Use `DISABLE_IPV6=true` on IPv4-only hosts to silence nginx warnings.
- Put NPM behind Cloudflare with DNS challenge for certs on private services.
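
Because port 81 is the admin plane, the quick-start mapping `81:81` can be tightened by publishing it on the loopback interface only. The compose file below is an added example, not taken from the project's own documentation; the SSH tunnel, the `user@HOST` login and the local port 8081 in its comments are assumptions for illustration.

```yaml
# docker-compose.yml (hardened variant of the quick-start file; added example)
services:
  npm:
    image: jc21/nginx-proxy-manager:latest
    restart: unless-stopped
    ports:
      # Public data plane: ACME HTTP-01 and proxied HTTP traffic.
      - "80:80"
      # Public data plane: TLS for proxied hosts.
      - "443:443"
      # Admin plane.
      # Weak (quick-start): "81:81" publishes the admin UI on every host interface.
      # Hardened: publish on loopback only, so it is not reachable from the network.
      - "127.0.0.1:81:81"
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt

# Reaching the admin UI from a workstation (assumed workflow, not from the page):
#   ssh -L 8081:127.0.0.1:81 user@HOST   # then browse http://localhost:8081
# After `docker compose up -d`, confirm where port 81 is published:
#   docker compose port npm 81           # the binding should be on 127.0.0.1
```

Docker inserts its own packet-filter rules for published ports, which on many hosts take effect before the host firewall's rules (ufw is a common case), so the loopback bind is more dependable than a firewall rule alone for keeping port 81 private.
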

## Key Features

- Point-and-click HTTPS for any internal service.
- Websocket and HTTP/2 support toggles per host.
- Custom locations let you route `/api/*` and `/` to different upstreams.
- Audit log shows who changed which proxy host, with rollback-friendly history.
- Stream forwarding handles non-HTTP protocols on the same box.

## Comparison with Similar Tools

- **Traefik** — label-driven config, better for Docker Compose stacks, steeper UI story.
- **Caddy** — automatic HTTPS with a tiny Caddyfile, no GUI.
- **HAProxy** — higher performance L4/L7, no built-in ACME or UI.
- **SWAG (LinuxServer)** — bundled nginx + Let's Encrypt, config by files only.
- **Cloudflare Tunnel** — no open ports, but ties you to Cloudflare.

## FAQ

**Q:** Can I keep my existing nginx config?

A: Yes — put custom `.conf` files in `/data/nginx/custom/`; NPM includes them untouched.

**Q:** DNS-01 challenge providers?

A: 30+ providers including Cloudflare, Route53, DigitalOcean, DuckDNS, via the built-in certbot plugins.

**Q:** Is it safe to expose port 81?

A: No — bind it to localhost or put it behind a VPN; it is the admin plane.

**Q:** HA deployment?

A: Point two replicas at a shared MySQL, keep `/data/nginx` on shared storage, and round-robin DNS the front.

## Sources

- https://github.com/NginxProxyManager/nginx-proxy-manager
- https://nginxproxymanager.com/guide/

---

Source: https://tokrepo.com/en/workflows/bdb6aa4e-3918-11f1-9bc6-00163e2b0d79

Author: AI Open Source