Configuring Nginx Proxy Manager with Wildcard SSL Certs

Deploy Nginx Proxy Manager with Docker Compose to manage containers via FQDN and wildcard sub-domains.

This guide covers deploying Nginx Proxy Manager (NPM), a popular reverse proxy, so that containers can be reached through an FQDN and wildcard sub-domains. It uses Docker Compose to deploy the stack, requests a wildcard SSL certificate through Cloudflare, and points the local DNS resolver at the NPM host so every sub-domain resolves to it.

Why use a reverse proxy?

  • Load Balancing: Distributes incoming traffic across multiple servers to improve performance and reliability.
  • SSL Termination: Simplifies SSL management by handling SSL/TLS encryption and decryption.
  • Security: Protects backend servers from direct exposure to the internet and filters malicious traffic.
  • Caching: Reduces load on backend servers and speeds up response times by serving cached content.
  • Centralized Management: Allows for easy management of multiple servers, updates, and monitoring.

Plus, you get to reach your services through an actual domain rather than IP:Port.

Requirements

This configuration requires the following components:

  • A server with Docker and Docker Compose installed.
  • A domain name whose DNS is hosted at Cloudflare
  • A Cloudflare account for managing the domain and the DNS challenge used to issue SSL certificates
  • A local DNS resolver (Pi-hole) that can point the wildcard domain at the NPM server
  • Basic understanding of Docker, Docker Compose, and DNS configurations.

Docker Compose

  • Deploy the stack with the following compose YAML:
# The `version` key is ignored (and warned about) by current Docker Compose releases.
version: "3"
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      - '80:80'    # HTTP (redirected to HTTPS once "Force SSL" is enabled per host)
      - '443:443'  # HTTPS, where the wildcard certificate is served
      - '81:81'    # NPM admin UI; only needs to be reachable from your management network
    environment:
      DB_MYSQL_HOST: "db"
      DB_MYSQL_PORT: 3306
      # Placeholder credentials: change them, and keep them identical to the db service below.
      DB_MYSQL_USER: "username"
      DB_MYSQL_PASSWORD: "password"
      DB_MYSQL_NAME: "npm"

    volumes:
      - data:/data                     # NPM config, proxy hosts, access lists
      - letsencrypt:/etc/letsencrypt   # issued certificates and Cloudflare credentials
    depends_on:
      - db

  db:
    image: 'jc21/mariadb-aria:latest'
    restart: unless-stopped
    environment:
      MYSQL_ROOT_PASSWORD: 'npm'      # placeholder: change before deploying
      MYSQL_DATABASE: 'npm'
      MYSQL_USER: 'username'          # must match DB_MYSQL_USER above
      MYSQL_PASSWORD: 'password'      # must match DB_MYSQL_PASSWORD above
    volumes:
      - mysql:/var/lib/mysql

volumes:
  data:
  letsencrypt:
  mysql:

docker-compose.yml

Accessing Nginx Proxy Manager

Once deployed, the Nginx Proxy Manager admin UI can be accessed at http://{Host-IP}:81. Sign in and change the default credentials before doing anything else.

Setting Up Wildcard SSL Certificates with NPM and Cloudflare

Navigate to SSL Certificates in NPM:

  • Click Add SSL Certificate and enter your wildcard FQDN (e.g., *.example.com).

Configure LetsEncrypt:

  • Select LetsEncrypt, enter the wildcard domain, enable Use a DNS challenge, and agree to the T&Cs.
  • Set Up DNS Provider:
    • Under DNS provider, select Cloudflare.
    • In the Cloudflare dashboard, create a new API token:
      • Use the Edit Zone DNS template.
      • Include All Zones.
      • Rename the token for future reference.
      • Copy the API token.
    • Enter the API token in NPM, replacing the placeholder value 0123456789abcdef0123456789abcdef01234567 in the credentials box.
    • Click Save.

Update the DNS Resolver

To use domain names, add a wildcard A record for your FQDN to the DNS resolver so that every sub-domain resolves to the NPM host's IP address. This example uses Pi-hole as the DNS resolver. Access your Pi-hole server and perform the following actions:

  • Create a custom DNS config:
    • sudo nano /etc/dnsmasq.d/99-wildcard-dns.conf
  • Add the following line (dnsmasq's host-record does not expand wildcards; address= matches mydomain.com and all of its sub-domains):
    • address=/mydomain.com/192.168.1.2
  • Save and exit.
  • Reboot the Pi-hole server to apply the changes.

You must repeat this on every Pi-hole instance manually, as Gravity will not automatically sync it.

Add the First NPM Host

Finally, add NPM's own admin UI as the first proxy host on your Docker Swarm NPM server as follows:

  • Navigate to Hosts > Add Proxy Host:
    • Domain name: npm.mydomain.com
    • Scheme: http
    • Forward Hostname/IP: {Manager-1-IP}
    • Forward Port: 81
  • Enable Additional Settings:
    • Enable Block Common Exploits and Websockets Support.
  • Assign SSL Certificate:
    • Click the SSL tab and assign the wildcard certificate, then enforce HTTPS.

By following these steps, you’ll have a fully functional Nginx Proxy Manager setup with wildcard SSL certificates and configured DNS.
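To confirm the result, the following added check (not part of the original guide) connects to the NPM host's IP with the proxied FQDN as SNI, verifies the chain to a trusted CA, and reports whether the served certificate's SANs actually cover that name and how long it remains valid. It also shows the wildcard rule that trips people up: *.mydomain.com covers npm.mydomain.com but neither mydomain.com nor a.b.mydomain.com. The host name and IP are the guide's examples; the script name is assumed.

```python
import socket
import ssl
import sys
import time


def wildcard_covers(pattern: str, hostname: str) -> bool:
    """RFC 6125-style match: '*.mydomain.com' covers exactly one extra label,
    so it does NOT cover the apex (mydomain.com) or deeper names (a.b.mydomain.com)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    suffix = pattern[1:]  # ".mydomain.com"
    if not hostname.endswith(suffix):
        return False
    first_label = hostname[: -len(suffix)]
    return bool(first_label) and "." not in first_label


def cert_covers(san_names, hostname: str) -> bool:
    """True if any DNS SAN in the certificate covers the host being proxied."""
    return any(wildcard_covers(name, hostname) for name in san_names)


def days_until_expiry(not_after: str, now_epoch=None) -> int:
    """`not_after` is getpeercert()['notAfter'], e.g. 'Jun  1 12:00:00 2030 GMT'."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    return int((ssl.cert_time_to_seconds(not_after) - now_epoch) // 86400)


def check_proxy_host(fqdn: str, npm_ip: str, port: int = 443, min_days: int = 14) -> dict:
    """Connect straight to the NPM host's IP (independent of the Pi-hole record)
    while sending `fqdn` as SNI, then report what the served certificate covers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # name matching is done below so the SANs can be reported
    ctx.verify_mode = ssl.CERT_REQUIRED  # still require a chain to a trusted CA
    with socket.create_connection((npm_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
            cert = tls.getpeercert()
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    days_left = days_until_expiry(cert["notAfter"])
    covered = cert_covers(sans, fqdn)
    return {"sans": sans, "covered": covered, "days_left": days_left,
            "ok": covered and days_left >= min_days}


if __name__ == "__main__":
    # Usage (assumed script name): python check_npm_cert.py npm.mydomain.com 192.168.1.2
    print(check_proxy_host(sys.argv[1], sys.argv[2]))
```

A certificate verification error from this check typically means NPM answered that SNI name with its default self-signed certificate, i.e. the proxy host or its SSL tab is not configured for that domain yet.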