Nginx Proxy Manager

Manage Nginx reverse proxies and free Let's Encrypt SSL through a beautiful web interface — no Nginx expertise required.

32K stars
3.6K forks
MIT License
TypeScript

Nginx Proxy Manager is a Docker-based reverse proxy management tool that wraps OpenResty (Nginx + LuaJIT) in a polished web interface, letting you expose self-hosted services to the internet with automatic HTTPS — without ever editing an Nginx config file. Created to make reverse proxying as approachable as possible, it handles SSL certificate provisioning, renewal, and revocation automatically through Let’s Encrypt’s ACME protocol.

Behind the scenes, the application generates real Nginx configuration files using LiquidJS templates and applies them transactionally: each config change is tested with nginx -t before and after, and automatically rolled back if the test fails — so a misconfigured host can never bring down your entire proxy. The system supports HTTP, HTTPS, TCP, and UDP proxying in a unified interface.

The project supports 86 DNS provider certbot plugins for DNS-01 challenge-based certificate issuance, making it possible to obtain SSL certificates even for internal services that aren’t publicly reachable. Access control, user management, 2FA with TOTP, and a full audit log are built in, so multiple people can safely manage proxies with appropriate permissions.

Deployment requires only Docker Compose with three exposed ports — 80, 81 (admin UI), and 443. The backend stores configuration in SQLite, MySQL, or PostgreSQL via Knex, and the React frontend communicates through a validated REST API backed by Swagger schema linting in CI.

What You Get

  • Proxy Host Management - Create, edit, and toggle HTTP/HTTPS reverse proxy rules for any internal service — Home Assistant, Nextcloud, Jellyfin — through a form-based UI that generates and applies real Nginx configs without manual editing.
  • Automatic SSL via Let’s Encrypt - Provision and auto-renew free SSL certificates using HTTP-01 or DNS-01 ACME challenges, with 86 DNS provider plugins available for services that aren’t publicly accessible.
  • Custom SSL Certificate Upload - Upload your own certificate, private key, and intermediate certificate chain for domains that can’t use Let’s Encrypt, such as internal CA-signed or wildcard certificates.
  • TCP and UDP Stream Proxying - Forward raw TCP and UDP traffic (game servers, MQTT brokers, database ports) through the same interface used for HTTP proxying, with port-based logging.
  • Access Lists and HTTP Authentication - Restrict proxy hosts to specific IP ranges or require HTTP Basic authentication credentials before traffic reaches the upstream service.
  • Multi-User Management with RBAC - Create additional admin accounts with granular permissions, delegate proxy management to teammates or family members, and enforce TOTP-based two-factor authentication per user.
  • Audit Log - Every configuration change — proxy host creation, certificate updates, user actions — is recorded with timestamps and user attribution for security review and troubleshooting.
  • Redirection and 404 Hosts - Configure HTTP-to-HTTPS redirections and custom fallback responses for unmatched domains, preventing requests from leaking to unexpected services.

Common Use Cases

  • Home lab reverse proxy - A self-hoster running Nextcloud, Vaultwarden, and Home Assistant on a single server uses Nginx Proxy Manager to route each subdomain to the correct container over HTTPS, with Let’s Encrypt certs renewed automatically.
  • DNS-01 certificate issuance for internal services - A homelab operator needs SSL for an internal-only service (192.168.x.x) that can’t complete HTTP challenges; they configure a Cloudflare DNS plugin so certbot proves ownership via DNS record instead.
  • Shared proxy management for small teams - A small agency uses Nginx Proxy Manager as their deployment gateway, granting developers proxy-host creation rights while restricting certificate and user management to admins, with the audit log tracking who changed what.
  • Exposing a Minecraft server and web app on the same host - A game server host uses stream proxying to forward TCP port 25565 to the game container and HTTP proxying for the companion website, both managed through the same dashboard.
  • Replacing Apache VirtualHost configs - A developer migrating from manual Apache config files sets up Nginx Proxy Manager to manage multiple websites with HSTS, HTTP/2, and individual SSL certificates through a UI instead of maintaining config files by hand.

Under The Hood

Architecture

The application uses a clean layered design in which an Express 5 HTTP layer routes authenticated requests to route handlers, which delegate all business logic to a set of internal service modules — nginx, certificate, proxy-host, access-list, and others. The central nginx module manages config generation through LiquidJS templates, implementing a transactional pattern: configs are generated, tested with nginx -t, applied, and tested again — with automatic rollback to an .err configuration on failure. This ensures that no single host misconfiguration can destabilize the entire proxy. Objection.js models sitting atop a Knex query builder provide the data persistence layer, abstracting over SQLite, MySQL, and PostgreSQL. The React 19 frontend communicates with this backend entirely through a versioned REST API validated against a Swagger schema.

Tech Stack

The backend runs on Node.js with Express 5 and Objection.js for ORM-style database access, with Knex providing query building and migration management across SQLite, MySQL, and PostgreSQL. Nginx configuration templates are rendered using LiquidJS. The actual proxy engine is OpenResty (Nginx + LuaJIT), which processes all proxied traffic while the Node.js process handles only management operations. The frontend is built with React 19, TypeScript, Vite, TanStack Query v5 for data fetching, TanStack Table v8 for data grids, Formik for form management, and Tabler for UI components. Certbot handles ACME certificate provisioning with support for 86 DNS provider plugins. The container uses s6-overlay for process supervision, managing both the Node.js backend and the OpenResty server within a single Docker image.

Code Quality

The project’s testing strategy centers on Cypress-based end-to-end API tests that exercise endpoints against a running backend and validate responses against the Swagger schema definition — including a dedicated test for the full certificate provisioning flow. The frontend includes Vitest unit tests for locale utilities using React Testing Library. Biome serves as a unified linter and formatter for both the backend (JavaScript) and frontend (TypeScript), replacing the ESLint/Prettier combination. The backend is written in plain JavaScript with ES modules, limiting compile-time type safety there, while the frontend has comprehensive TypeScript coverage. Error handling follows HTTP status code conventions via a shared error library rather than typed exception classes.

What Makes It Unique

The standout technical contribution is the transactional Nginx config management pipeline: LiquidJS renders real Nginx config files, nginx -t validates them before and after each change, and failed configurations are automatically renamed and rolled back — making config mutations safe by default. The bundling of 86 DNS provider certbot plugins directly into the Docker image means DNS-01 certificate issuance works for a wide range of registrars without any manual setup. The combination of per-user TOTP enforcement, granular permissions, and timestamped audit logging gives the project an operational maturity that most comparable self-hosted proxy managers lack.
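
The test, apply, test, roll back sequence described in the overview and the Architecture paragraph can be sketched as follows. This is an added example, not Nginx Proxy Manager's own code: applyConfig, nginxTest and demo are hypothetical names, the host name is constructed, and a brace-balance check stands in for nginx -t so the demo runs without nginx installed.

```javascript
// Added sketch of the test/apply/test/rollback pattern; not the project's code.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const { execFileSync } = require('node:child_process');

// Default validator: `nginx -t` exits non-zero when the config tree is invalid.
function nginxTest() {
  try { execFileSync('nginx', ['-t'], { stdio: 'pipe' }); return true; }
  catch { return false; }
}

// Write `rendered` to `confPath` only if the proxy still validates afterwards.
function applyConfig(confPath, rendered, test = nginxTest) {
  // 1. Refuse to touch anything if the current config is already broken.
  if (!test()) return { applied: false, reason: 'pre-test failed' };
  const previous = fs.existsSync(confPath) ? fs.readFileSync(confPath) : null;
  fs.writeFileSync(confPath, rendered, { mode: 0o640 });
  // 2. Validate again with the new file in place.
  if (test()) return { applied: true };
  // 3. Roll back: keep the bad file as .err for review, restore the old one.
  fs.renameSync(confPath, `${confPath}.err`);
  if (previous !== null) fs.writeFileSync(confPath, previous, { mode: 0o640 });
  return { applied: false, reason: 'post-test failed', kept: `${confPath}.err` };
}

// Constructed demo: a temp dir stands in for the nginx config directory and a
// brace-balance check stands in for `nginx -t` (assumption for offline use).
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'npm-sketch-'));
  const conf = path.join(dir, '1.conf');
  const balanced = () => fs.readdirSync(dir)
    .filter((f) => f.endsWith('.conf'))
    .every((f) => {
      const text = fs.readFileSync(path.join(dir, f), 'utf8');
      return text.split('{').length === text.split('}').length;
    });
  const good = 'server { listen 80; server_name app.example.test; }\n';
  const bad = 'server { listen 80; server_name app.example.test;\n'; // missing }
  const first = applyConfig(conf, good, balanced);
  const second = applyConfig(conf, bad, balanced);
  return {
    first, second,
    live: fs.readFileSync(conf, 'utf8'),
    err: fs.readFileSync(`${conf}.err`, 'utf8'),
    good, bad,
  };
}
```

After the second call the live file still holds the last good config and the rejected one sits beside it with an .err suffix, which is the property that keeps one bad host from taking down the rest.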

Self-Hosting

Nginx Proxy Manager is released under the MIT License, which is one of the most permissive open-source licenses available. You can use it for any purpose — including commercial deployments — modify the source code, redistribute it, and incorporate it into proprietary systems without any obligation to share your changes. The only requirement is preserving the copyright notice. There are no copyleft implications, no network-use clauses, and no contributor license agreements to sign. This makes it suitable for any organization that wants to deploy it internally or embed it in a commercial product.

Running Nginx Proxy Manager yourself means accepting full operational responsibility for the proxy layer in your infrastructure. You’ll need to keep the Docker image updated as new releases ship (roughly monthly), ensure your host machine has stable internet access for Let’s Encrypt certificate renewals, and manage your own backups of the /data volume containing your proxy configuration and certificates. The application is intentionally lightweight — a single Docker Compose file with three port mappings is all that’s needed to start — but high-availability setups (multiple nodes, failover, load balancing across the manager itself) require additional infrastructure that you must design and maintain.

There is no official paid cloud tier or managed version of Nginx Proxy Manager. The project is community-maintained and supported through GitHub Issues, GitHub Discussions, and a Reddit community. This means there are no SLAs, no guaranteed response times for bug reports, and no vendor to call if something goes wrong in production. Users who need enterprise features like built-in HA clustering, centralized secrets management, advanced WAF rules, or commercial support should evaluate alternatives such as NGINX Plus, Traefik Enterprise, or managed reverse proxy services. What Nginx Proxy Manager gives up in managed convenience it gains in zero ongoing cost and complete control over your proxy configuration.
