This project comes as a pre-built docker image that enables you to easily forward to your websites running at home or otherwise, including free SSL, without having to know too much about Nginx or Letsencrypt.
I created this project to fill a personal need to provide users with a easy way to accomplish reverse proxying hosts with SSL termination and it had to be so easy that a monkey could do it. This goal hasn't changed. While there might be advanced options they are optional and the project should be as simple as possible so that the barrier for entry here is low.
- Beautiful and Secure Admin Interface based on Tabler
- Easily create forwarding domains, redirections, streams and 404 hosts without knowing anything about Nginx
- Free SSL using Let's Encrypt or provide your own custom SSL certificates
- Access Lists and basic HTTP Authentication for your hosts
- Advanced Nginx configuration available for super users
- User management, permissions and audit log
I won't go in to too much detail here but here are the basics for someone new to this self-hosted world.
- Your home router will have a Port Forwarding section somewhere. Log in and find it
- Add port forwarding for port 80 and 443 to the server hosting this project
- Configure your ___domain name details to point to your home, either with a static ip or a service like DuckDNS or Amazon Route53
- Use the Nginx Proxy Manager as your gateway to forward to your other web based services
- Install Docker and Docker-Compose
- Create a docker-compose.yml file similar to this:
version: '3'
services:
app:
image: 'baudneo/nginx-proxy-manager:latest'
restart: unless-stopped
ports:
- '80:80'
- '81:81'
- '443:443'
volumes:
- ./data:/data
- ./letsencrypt:/etc/letsencrypt- Bring up your stack by running
docker-compose up -d- Log in to the Admin UI
When your docker container is running, connect to it on port 81 for the admin interface.
Sometimes this can take a little bit because of the entropy of keys.
Default Admin User:
Email: [email protected]
Password: changeme
Immediately after logging in with this default user you will be asked to modify your details and change your password.
TZ- Set to your timezone. Example:TZ=America/Chicago
- Instead of setting
TZyou can mount/etc/localtimeinto the docker container
- If you don't see the bouncer hitting your local API, send a request to one of the proxied hosts in NPM. I have noticed the bouncer does not start until NPM gets a request once it is all loaded up.
- To check if the bouncer is running, use
docker logs --follow [name of your NPM container]. There will be a log line like ->nginx: [alert] [lua] init_by_lua:8: [Crowdsec] Initialisation done
CROWDSEC_BOUNCER=1- Enable CrowdSec OpenResty bouncer, still needs to be configured.CROWDSEC_LAPI=[URL]- configure CrowdSec local API URLCROWDSEC_KEY=[API KEY]- configure CrowdSec API key$CROWDSEC_RECAP_SECRET=[SECRET KEY]- configure reCAPTCHA$CROWDSEC_RECAP_SITE=[SITE KEY]- configure reCAPTCHASSL_CERTS_PATH- CA certificate used to communicate with Google for reCAPTCHA validation
- Config file located at
data/crowdsec/crowdsec-openresty-bouncer.conf - HTML templates are located at
/crowdsec/templates/inside the container - The first time the container is run, a crowdsec config file is created with ENV vars substituted out. User is responsible for config after first creation of the file.
- Set the URL and API key at a minimum. reCAPTCHA's vars if wanted.
ADMIN_DASHBOARD_LOG=1- Enable admin (Port 81) dashboard loggingOPENRESTY_DEBUG=1- Enable DEBUG level logging for the default OpenRestyERRORlog
- Admin panel logs are located at
data/logs/admin-panel_access.loganddata/logs/admin-panel_error.log - OpenResty default logs
fallback_access.logandfallback_error.log.DEBUGlevel will be set on the error log, it is set toWARNby default.
ModSecurity WAF is installed and loaded by default, OWASP-CoreRuleSet is installed and used as the default rule set. The user is responsible for configuring modsecurity via config/CLI.
MODSEC_CREATE=1- Force recreating the default modsecurity config, This should never be neededMODSEC_ADMIN_PANEL=1- Enable ModSec for the admin panelMODSEC_ENABLE=1- Enable ModSec for the default.conf server block
- See all directives -> https://github.com/SpiderLabs/ModSecurity-nginx#usage
modsecurity on;
modsecurity_rules_file /etc/nginx/modsec/main.conf;
- To enable modsec for ALL HTTP hosts, add the directives to
data/nginx/custom/http_top.conf - To enable for only certain HTTP hosts, add the directives to the
Advancedtab configuration at the root level (not inside a___locationblock) - To enable only for certain locations on certain HTTP hosts, place the directives into a
___locationblock inside theAdvancedtab - Stream hosts are untested and, as far as I know, unsupported. ModSec directives go in server and HTTP blocks.
- By default, the audit log is enabled and is located at
data/logs/modsec_audit.log - The config and rule set are located at
data/modsecanddata/modsec/ruleset data/modsec/modsecurity.confis the main modsec config file.data/modsec/main.confis the main rules file, it hasIncludedirectives that load the actual rulesdata/modsecis symbolically linked to/etc/nginx/modsec
version: "3"
services:
npm:
#image: 'jc21/nginx-proxy-manager:latest'
image: 'baudneo/nginx-proxy-manager:latest'
restart: always
container_name: npm-crowdsec
ports:
# Public HTTP Port:
- '80:80'
# Public HTTPS Port:
- '443:443'
# Admin Web Port:
- '81:81'
environment:
# This is the default cert used to validate reCAPTCHA
SSL_CERTS_PATH: "/etc/ssl/certs/GTS_Root_R1.pem"
TZ: "America/Chicago"
ADMIN_PANEL_LOG: "1"
CROWDSEC_BOUNCER: "1"
OPENRESTY_DEBUG: "0"
CROWDSEC_LAPI: "http://IP TO CROWDSEC LOCAL API:8080"
CROWDSEC_KEY: "xxxxxxxxxxxxxxxxxxxxxxxx"
CROWDSEC_RECAP_SECRET: "XXXX"
CROWDSEC_RECAP_SITE: "XXXX"
# These are the settings to access your db
DB_MYSQL_HOST: "db"
DB_MYSQL_PORT: 3306
DB_MYSQL_USER: "npm-user"
DB_MYSQL_PASSWORD: "db user password"
DB_MYSQL_NAME: "npm"
# If you would rather use Sqlite uncomment this
# and remove all DB_MYSQL_* lines above
# DB_SQLITE_FILE: "/data/database.sqlite"
# Uncomment this if IPv6 is not enabled on your host
# DISABLE_IPV6: 'true'
volumes:
- ./data:/data
- ./letsencrypt:/etc/letsencrypt
depends_on:
- db
db:
image: 'jc21/mariadb-aria:latest'
restart: always
container_name: npm_db
environment:
MYSQL_ROOT_PASSWORD: 'xxXXxxXXXxxxXXX'
MYSQL_DATABASE: 'npm'
MYSQL_USER: 'npm-user'
MYSQL_PASSWORD: "db user password"
volumes:
- ./data/mysql:/var/lib/mysql
Special thanks to the following contributors:
