Nginx Proxy Manager on Proxmox VE
Step-by-step guide to deploying Nginx Proxy Manager on Proxmox VE for reverse proxying your homelab services, with SSL via Let's Encrypt, access lists, and Docker or LXC deployment options.
What Is Nginx Proxy Manager?
Nginx Proxy Manager (NPM) is a web-based interface for managing Nginx reverse proxy configurations. It eliminates the need to write Nginx config files by hand, provides automatic SSL certificate management through Let's Encrypt, and includes access control lists for restricting access to services. For homelabs running multiple services on Proxmox VE, NPM acts as a single entry point that routes traffic to the correct VM or container based on domain name.
Why Use a Reverse Proxy?
Without a reverse proxy, each service needs its own port (Nextcloud on 8080, GitLab on 8443, Plex on 32400, and so on). A reverse proxy lets you access everything through standard ports 80 and 443 using subdomains like cloud.example.com, git.example.com, and plex.example.com — each with its own SSL certificate.
Deployment Options
NPM runs best in Docker, which you can host inside either an LXC container or a VM. An LXC container with Docker is the most resource-efficient approach:
# Create an LXC container for NPM
pct create 170 local:vztmpl/debian-12-standard_12.2-1_amd64.tar.zst \
--hostname npm \
--memory 512 \
--cores 1 \
--rootfs local-lvm:8 \
--net0 name=eth0,bridge=vmbr0,ip=192.168.1.70/24,gw=192.168.1.1 \
--unprivileged 1 \
--features nesting=1,keyctl=1 \
--start 1
The nesting=1 and keyctl=1 features are required for Docker to function inside an unprivileged LXC container.
Installing Docker
# Inside the container
apt update && apt install -y curl ca-certificates gnupg
# Add Docker repository
install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/debian/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/debian $(. /etc/os-release && echo $VERSION_CODENAME) stable" > /etc/apt/sources.list.d/docker.list
apt update && apt install -y docker-ce docker-ce-cli containerd.io docker-compose-plugin
Deploying Nginx Proxy Manager
Create a Docker Compose file for NPM:
# Create the project directory
mkdir -p /opt/npm && cd /opt/npm
# Create docker-compose.yml
cat <<'EOF' > docker-compose.yml
version: '3.8'
services:
  app:
    image: jc21/nginx-proxy-manager:latest
    restart: unless-stopped
    ports:
      - "80:80"
      - "443:443"
      - "81:81" # Admin panel
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    environment:
      DISABLE_IPV6: 'true'
EOF
# Start NPM
docker compose up -d
Access the admin panel at http://192.168.1.70:81 with the default credentials:
- Email: admin@example.com
- Password: changeme
You will be prompted to change these on first login.
Configuring Proxy Hosts
Each service you want to expose gets a "Proxy Host" entry. Here is how to set one up for Nextcloud running at 192.168.1.30:
- Go to Hosts > Proxy Hosts > Add Proxy Host
- Set Domain Names to cloud.example.com
- Set Scheme to http
- Set Forward Hostname/IP to 192.168.1.30
- Set Forward Port to 80
- Enable Websockets Support if the service uses them
- Under the SSL tab, select "Request a new SSL Certificate" and enable "Force SSL"
For services that need custom Nginx directives, use the Advanced tab:
# Example: Custom Nginx config for Nextcloud
# Add to the Advanced tab of the proxy host
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
client_max_body_size 16G;
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
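The directives above hand the client address to the backend in X-Forwarded-For, where $proxy_add_x_forwarded_for appends the connecting address to whatever header the client already sent. The following is an added example (not from the original guide or from NPM) of how a backend should read that header, assuming the NPM container at 192.168.1.70 is the only trusted proxy; the function names and the sample header are constructed.

```python
import ipaddress

# Assumption: the only proxy in front of the backend is the NPM container
# from this guide (192.168.1.70); extend the list if another proxy is added.
TRUSTED_PROXIES = [ipaddress.ip_network("192.168.1.70/32")]

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def naive_client_ip(xff_header):
    """Common mistake: take the leftmost entry, which the client controls."""
    return xff_header.split(",")[0].strip()

def real_client_ip(peer_ip, xff_header):
    """Return the address of the nearest hop that is not a trusted proxy."""
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted(peer) or not xff_header:
        return str(peer)      # not sent by NPM: ignore the header entirely
    candidate = peer
    for hop in reversed(xff_header.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            break             # malformed entry: keep the last verified address
        candidate = addr
        if not is_trusted(addr):
            break             # first untrusted hop is the real client
    return str(candidate)

# Constructed request: a client at 203.0.113.9 sent its own
# "X-Forwarded-For: 192.168.1.5"; NPM appended the address it actually saw.
HEADER_SEEN_BY_BACKEND = "192.168.1.5, 203.0.113.9"

if __name__ == "__main__":
    print(naive_client_ip(HEADER_SEEN_BY_BACKEND))
    print(real_client_ip("192.168.1.70", HEADER_SEEN_BY_BACKEND))
    print(real_client_ip("192.168.1.99", "192.168.1.5"))
```

A backend that keys rate limits, audit logs or IP allow-lists on the leftmost entry would record the forged LAN address here; walking from the right and stopping at the first untrusted hop yields the address NPM observed.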
SSL with Let's Encrypt
NPM handles certificate issuance and renewal automatically. For this to work, your domain must point to your public IP address, and ports 80 and 443 must be forwarded to the NPM container on your router.
For wildcard certificates (covering all subdomains), use DNS challenge instead of HTTP challenge:
# In NPM, go to SSL Certificates > Add SSL Certificate
# Choose "Let's Encrypt"
# Enter *.example.com as the domain
# Enable "Use a DNS Challenge"
# Select your DNS provider (Cloudflare, Route53, etc.)
# Enter your API credentials
DNS challenge is particularly useful because it does not require ports 80/443 to be open during certificate issuance, and a single wildcard certificate covers all your subdomains.
Access Lists
Access lists restrict who can reach specific services. This is essential for admin panels or internal-only services that you expose through the proxy:
# Create an Access List in NPM:
# Go to Access Lists > Add Access List
# Name: "LAN Only"
# Satisfy Any: No
# Under the "Access" tab, add:
# Allow: 192.168.1.0/24
# Allow: 10.0.0.0/24 (if you have a VPN subnet)
# Deny: all
# Then attach this access list to any proxy host
# that should only be reachable from your local network
You can also add HTTP Basic Authentication to an access list by defining usernames and passwords under the "Authorization" tab. This adds a login prompt in front of services that lack their own authentication.
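How the address rules, their order, the Authorization users and the "Satisfy Any" toggle combine is easiest to see in a small model. This is an added example, not NPM's own code: it follows nginx's documented allow/deny (first match wins) and satisfy semantics, and the class, function names, user and password are constructed for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AccessList:
    """Simplified model of one NPM access list (not NPM's own code)."""
    rules: list                                # ordered (action, target) pairs
    users: dict = field(default_factory=dict)  # "Authorization" tab entries
    satisfy_any: bool = False                  # the "Satisfy Any" toggle

def ip_allowed(rules, client_ip):
    """nginx allow/deny semantics: rules are checked in order, first match wins."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target):
            return action == "allow"
    return True  # nothing matched: no address restriction applies

def auth_ok(users, creds):
    """True when creds is a (user, password) pair listed on the access list."""
    if creds is None or creds[0] not in users:
        return False
    return hmac.compare_digest(users[creds[0]].encode(), creds[1].encode())

def is_allowed(acl, client_ip, creds=None):
    """Combine the address check and Basic Auth the way nginx 'satisfy' does."""
    ip_ok = ip_allowed(acl.rules, client_ip)
    if not acl.users:              # no Authorization entries: address check only
        return ip_ok
    pw_ok = auth_ok(acl.users, creds)
    return (ip_ok or pw_ok) if acl.satisfy_any else (ip_ok and pw_ok)

# The "LAN Only" list from this guide; the user and password are constructed.
LAN_ONLY = [("allow", "192.168.1.0/24"), ("allow", "10.0.0.0/24"), ("deny", "all")]
USERS = {"alice": "constructed-password"}
CREDS = ("alice", "constructed-password")

if __name__ == "__main__":
    strict = AccessList(LAN_ONLY, USERS, satisfy_any=False)
    loose = AccessList(LAN_ONLY, USERS, satisfy_any=True)
    for ip in ("192.168.1.55", "203.0.113.9"):
        print(ip, "strict:", is_allowed(strict, ip, CREDS),
              "any:", is_allowed(loose, ip, CREDS))
    # Misordered list: "deny all" placed first shadows every later allow.
    print(is_allowed(AccessList([("deny", "all")] + LAN_ONLY[:2]), "192.168.1.55"))
```

With "Satisfy Any" enabled, a valid password alone admits a client from outside the LAN, so the "LAN Only" name no longer describes what the list enforces.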
Common Proxy Host Examples
Here is a quick reference for typical homelab services:
# Service          Domain                 Forward To
# -------          ------                 ----------
# Proxmox Web UI   pve.example.com        192.168.1.1:8006 (scheme: https)
# Nextcloud        cloud.example.com      192.168.1.30:80
# GitLab           git.example.com        192.168.1.60:80
# Plex             plex.example.com       192.168.1.10:32400
# Home Assistant   ha.example.com         192.168.1.20:8123 (websockets: on)
# Grafana          grafana.example.com    192.168.1.50:3000
Startup Order and Reliability
Since NPM is the gateway for all your services, it should start before any other container or VM that depends on web traffic. Configure the container to start early in the Proxmox boot order:
# Set NPM container to start first
pct set 170 --onboot 1 --startup order=2,up=15
Monitoring
NPM is lightweight and rarely needs attention once configured. However, if it goes down, all proxied services become unreachable — making it the most critical container in your homelab. When you need to verify that NPM is running after a host reboot or network change, ProxmoxR provides a quick way to check the container's status from your phone without needing to access the Proxmox web interface through a browser.
Conclusion
Nginx Proxy Manager transforms your homelab's networking by giving every service a clean URL with automatic SSL — all managed through a simple web interface. Running it in a Docker container inside a Proxmox LXC keeps resource usage minimal while providing full reverse proxy capabilities. Combined with access lists and Let's Encrypt, NPM is the simplest way to make your self-hosted services both accessible and secure.