[GH-ISSUE #1658] How to secure Nginx Proxy Manager itself (SSL only)? #1237

Closed
opened 2026-02-26 06:36:21 +03:00 by kerem · 3 comments

Originally created by @rucksman on GitHub (Dec 18, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1658

How can I secure NPM itself with an SSL certificate? I tried some proxy host configurations for npm.mydomain.tld where Nginx Proxy Manager is accessible, but whatever I tried, I can still access npm.mydomain.tld over http on port 81. The goal would be to make npm.mydomain.tld accessible only via https (either on port 80 or 81).

I noticed that there are at least two issues here concerning more or less the same problem, but there was no clear example on how to achieve that. So could someone please show a working example for this? Thank you!

kerem closed this issue and added the bug label (2026-02-26 06:36:21 +03:00).

@chaptergy commented on GitHub (Dec 18, 2021):

You create a proxy host as you did for the admin interface pointing to `localhost:81` and then remove the port mapping for port `81` from your docker-compose, so only port 80 and 443 remain.
If you enable _Force SSL_ and _HSTS_ for that proxy host, you should now only be able to access the interface via your domain and https.


@bryankruman commented on GitHub (Dec 31, 2023):

Hello! @chaptergy I have the same question, however I have actually tried already to pass localhost (or 127.0.0.1) with a proxy host for the appropriate domain and I'm running into issues. I wasn't sure whether this behavior was supported, but seeing this and another commenter on GitHub it seems this is supported.

When I go to npm.example.com I should see the admin interface, however instead I just see a generic "Welcome to OpenResty" page. If I go to the IP address and port of the host directly it works just fine (10.0.10.21:81 in this case).

Even with just setting http and having no SSL set I see no difference there. After seeing your comment, I tried removing port 81 from the docker compose but that did not resolve the issue (I still see the Welcome to OpenResty page). I have also tried setting up a separate bare nginx instance to proxy_pass to 10.0.10.21:81 and get the exact same result.

Any ideas on how to resolve? Would greatly appreciate assistance!


@LeedsGeek commented on GitHub (Jul 19, 2024):

For those who are still looking at this thread:
Note: I am using the openappsec version of NPM.

First, create a DNS record that points to the NPM IP, e.g. npm.example.com A xxx.xxx.xxx.xxx
Next, create the SSL certificate for the site using Let's Encrypt.

Then add a proxy host:
Domain: npm.example.com
Scheme: http
Forward IP: 127.0.0.1
Port: 81

Test that this works first; the portal should appear.

Then modify the ports section of the docker compose file so port 81 is attached to the loopback address, meaning it's no longer exposed publicly.

```
services:
  npm-centrally-managed-attachment:
    container_name: npm-centrally-managed-attachment
    image: 'ghcr.io/openappsec/nginx-proxy-manager-centrally-managed-attachment:latest'
    ipc: host
    restart: unless-stopped
    ports:
      - '80:80' # Public HTTP Port
      - '443:443' # Public HTTPS Port
      - '127.0.0.1:81:81' # Admin Web Port
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
```

This worked for me, so now the Nginx Proxy Manager is no longer publicly exposed on 81 and you have an SSL certificate.

Further steps can be taken with an access list or authorization to protect it.
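
A way to audit a compose file for the change described in the comment above, as an added example that is not part of the original thread or the NPM project: it parses Compose short-syntax `ports` entries and reports whether the admin port (81) is published on loopback only. The function names and the sample string are assumptions made for this illustration; long-syntax port mappings are not handled.

```python
import ipaddress
import re

ADMIN_PORT = 81  # NPM admin UI port used in this thread
# Compose short syntax: [HOST_IP:][HOST_PORT:]CONTAINER_PORT[/PROTOCOL]
PORT_RE = re.compile(
    r"^(?:(?P<ip>\[[0-9a-fA-F:.]+\]|\d+\.\d+\.\d+\.\d+):)?"
    r"(?:(?P<host>\d*(?:-\d+)?):)?"
    r"(?P<container>\d+(?:-\d+)?)(?:/\w+)?$"
)

def admin_exposure(entry, admin_port=ADMIN_PORT):
    """Classify one ports entry as 'unrelated', 'loopback' or 'exposed'."""
    m = PORT_RE.match(entry.strip())
    if m is None:
        raise ValueError(f"unrecognised ports entry: {entry!r}")
    lo, _, hi = m["container"].partition("-")  # single port or a range
    if not int(lo) <= admin_port <= int(hi or lo):
        return "unrelated"
    if m["ip"] is None:
        return "exposed"  # no host IP: Docker binds all interfaces by default
    ip = ipaddress.ip_address(m["ip"].strip("[]"))
    return "loopback" if ip.is_loopback else "exposed"

def ports_from_compose(text):
    """Collect short-syntax list items under every `ports:` key."""
    entries, indent = [], None
    for line in text.splitlines():
        item = line.split(" #")[0].strip()  # drop trailing comments
        depth = len(line) - len(line.lstrip())
        if item == "ports:":
            indent = depth
        elif indent is not None and item.startswith("- "):
            entries.append(item[2:].strip().strip("'\""))
        elif item and indent is not None and depth <= indent:
            indent = None  # a sibling key ends the ports list
    return entries

def audit(text):
    return {e: admin_exposure(e) for e in ports_from_compose(text)}

# Constructed sample, shortened from the ports section in the comment above.
SAMPLE = """
    ports:
      - '80:80' # Public HTTP Port
      - '127.0.0.1:81:81' # Admin Web Port
    volumes:
      - ./data:/data
"""
```

Any entry reported as `exposed` means the admin UI is still reachable over plain HTTP without going through the proxy host, which is the situation the original question describes.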
