# Advanced Configuration
## Running processes as a user/group
By default, the services (nginx, etc.) will run as the `root` user inside the Docker container.
You can change this behaviour by setting the following environment variables.
Not only will the services run as this user/group, the ownership of the `data` and
`letsencrypt` folders will also be changed to match at startup.
```yml
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    environment:
      PUID: 1000
      PGID: 1000
    # ...
```
On some systems this may have the side effect of a failed container start, with a
permission denied error when trying to open port 80. The only fix is to remove the
variables and run as the default root user.
## Best Practice: Use a Docker network
For those who have a few of their upstream services running in Docker on the same Docker
host as NPM, here's a trick to secure things a bit better. By creating a custom Docker network,
you don't need to publish ports for your upstream services to all of the Docker host's interfaces.
Create a network, e.g. "scoobydoo":
```bash
docker network create scoobydoo
```
Then add the following to the `docker-compose.yml` file for both NPM and any other
services running on this Docker host:
```yml
networks:
  default:
    external: true
    name: scoobydoo
```
Let's look at a Portainer example:
```yml
version: '3.8'
services:

  portainer:
    image: portainer/portainer
    privileged: true
    volumes:
      - './data:/data'
      - '/var/run/docker.sock:/var/run/docker.sock'
    restart: unless-stopped

networks:
  default:
    external: true
    name: scoobydoo
```
Now in the NPM UI you can create a proxy host with `portainer` as the hostname,
and port `9000` as the port. Even though this port isn't listed in the docker-compose
file, it's "exposed" by the Portainer Docker image for you and not available on
the Docker host outside of this Docker network. The service name is used as the
hostname, so make sure your service names are unique when using the same network.
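One way to check that upstream services on the shared network no longer publish ports on every host interface, as an added example that is not NPM project code: the hypothetical `all_interface_ports` function scans the short-syntax `ports:` entries of a compose file and prints those that are not bound to a single address. The sample compose file is constructed.

```shell
# Added example, not NPM project code; function names are hypothetical.
# Print short-syntax "ports:" entries that publish on every host interface.
# Entries bound to one address (e.g. 127.0.0.1:9000:9000) are not printed.
all_interface_ports() {
  awk -v q="'" '
    /^[ \t]*#/ { next }                        # comment lines inside the list
    /^[ \t]*ports:[ \t]*$/ { inlist = 1; next }
    inlist && /^[ \t]*-[ \t]/ {
      m = $0
      sub(/^[ \t]*-[ \t]*/, "", m)             # drop the list dash
      sub(/[ \t]+#.*$/, "", m)                 # drop a trailing comment
      gsub("[\"" q "]", "", m)                 # drop quotes
      sub(/[ \t]+$/, "", m)
      if (m !~ /^([0-9]|\[)/) next             # long syntax is not handled
      n = split(m, part, ":")
      wildcard = (m ~ /^0\.0\.0\.0:/ || m ~ /^\[::\]:/)
      # Without a host address, or with a wildcard one, the port is
      # reachable on all interfaces of the Docker host.
      if (n <= 2 || wildcard) print m
      next
    }
    /[^ \t]/ { inlist = 0 }                    # any other content ends the list
  ' "$1"
}

# Constructed sample compose file for an upstream service.
demo_ports() {
  f=$(mktemp) || return 1
  cat > "$f" <<'EOF'
services:
  upstream:
    image: example/upstream
    ports:
      # constructed entries
      - '9000:9000'
      - "127.0.0.1:9443:9443"
      - 0.0.0.0:8080:8080   # explicit wildcard
    restart: unless-stopped
EOF
  all_interface_ports "$f"
  rm -f "$f"
}
demo_ports
```

An empty result for an upstream service's compose file means it is only reachable through the shared Docker network.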
## Docker Healthcheck
The `Dockerfile` that builds this project does not include a `HEALTHCHECK` but you can opt in to this
feature by adding the following to the service in your `docker-compose.yml` file:
```yml
healthcheck:
  test: ["CMD", "/bin/check-health"]
  interval: 10s
  timeout: 3s
```
## Docker File Secrets
This image supports the use of Docker secrets to import from files and keep sensitive usernames or passwords from being passed or preserved in plaintext.
You can set any environment variable from a file by appending `__FILE` (double-underscore FILE) to the environment variable name.
```yml
version: '3.8'

secrets:
  # Secrets are single-line text files where the sole content is the secret
  # Paths in this example assume that secrets are kept in a local folder called ".secrets"
  DB_ROOT_PWD:
    file: .secrets/db_root_pwd.txt
  MYSQL_PWD:
    file: .secrets/mysql_pwd.txt

services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # Public HTTP Port:
      - '80:80'
      # Public HTTPS Port:
      - '443:443'
      # Admin Web Port:
      - '81:81'
    environment:
      # These are the settings to access your db
      DB_MYSQL_HOST: "db"
      DB_MYSQL_PORT: 3306
      DB_MYSQL_USER: "npm"
      # DB_MYSQL_PASSWORD: "npm"  # use secret instead
      DB_MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
      DB_MYSQL_NAME: "npm"
      # If you would rather use Sqlite, remove all DB_MYSQL_* lines above
      # Uncomment this if IPv6 is not enabled on your host
      # DISABLE_IPV6: 'true'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
    secrets:
      - MYSQL_PWD
    depends_on:
      - db

  db:
    image: jc21/mariadb-aria
    restart: unless-stopped
    environment:
      # MYSQL_ROOT_PASSWORD: "npm"  # use secret instead
      MYSQL_ROOT_PASSWORD__FILE: /run/secrets/DB_ROOT_PWD
      MYSQL_DATABASE: "npm"
      MYSQL_USER: "npm"
      # MYSQL_PASSWORD: "npm"  # use secret instead
      MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
      MARIADB_AUTO_UPGRADE: '1'
    volumes:
      - ./mysql:/var/lib/mysql
    secrets:
      - DB_ROOT_PWD
      - MYSQL_PWD
```
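A preflight check for the setup above, as an added example that is not part of the NPM project: `check_secret_file` verifies that a secret file is a single non-empty line without a carriage return, and `inline_password_keys` lists compose keys that still carry a password inline instead of using the `__FILE` suffix. The function names and sample values are constructed, and the check that the file is not accessible to other users is an assumption about host hygiene, not an NPM requirement.

```shell
# Added example, not NPM project code; function names are hypothetical.

# Print why a secret file is unsuitable; succeed only when it is usable.
check_secret_file() {
  f=$1
  [ -f "$f" ] || { echo "missing"; return 1; }
  [ -s "$f" ] || { echo "empty"; return 1; }
  # NR counts an unterminated last line too; n counts non-empty lines.
  shape=$(awk 'length($0) > 0 { n++ } END { print NR ":" (n + 0) }' "$f")
  [ "$shape" = "1:1" ] || { echo "not a single non-empty line"; return 1; }
  # A carriage return (CRLF line ending) is extra content beside the secret.
  if ! tr -d '\r' < "$f" | cmp -s - "$f"; then echo "contains CR"; return 1; fi
  # Characters 8-10 of the ls mode string are the permission bits for "other".
  other=$(ls -ld "$f" | cut -c8-10)
  [ "$other" = "---" ] || { echo "accessible to other users"; return 1; }
  echo "ok"
}

# Print uncommented *PASSWORD* keys in a compose file that carry an inline
# value instead of pointing at a secret file through the __FILE suffix.
inline_password_keys() {
  awk '
    /^[ \t]*#/ { next }
    match($0, /[A-Za-z_]*PASSWORD[A-Za-z_]*:/) {
      key = substr($0, RSTART, RLENGTH - 1)
      if (key !~ /__FILE$/) print key
    }' "$1"
}

# Constructed sample: one good secret, one saved with CRLF, one compose file.
demo() {
  d=$(mktemp -d) || return 1
  printf 'example-not-a-real-password\n' > "$d/mysql_pwd.txt"
  printf 'example-not-a-real-password\r\n' > "$d/db_root_pwd.txt"
  chmod 600 "$d/mysql_pwd.txt" "$d/db_root_pwd.txt"
  cat > "$d/docker-compose.yml" <<'EOF'
    environment:
      # DB_MYSQL_PASSWORD: "npm" # use secret instead
      DB_MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
      MYSQL_ROOT_PASSWORD: "npm"
EOF
  echo "mysql_pwd.txt: $(check_secret_file "$d/mysql_pwd.txt")"
  echo "db_root_pwd.txt: $(check_secret_file "$d/db_root_pwd.txt")"
  echo "inline: $(inline_password_keys "$d/docker-compose.yml")"
  rm -rf "$d"
}
demo
```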
## Disabling IPv6
On some Docker hosts IPv6 may not be enabled. In these cases, the following message may be seen in the log:
> Address family not supported by protocol
The easy fix is to add a Docker environment variable to the Nginx Proxy Manager stack:
```yml
    environment:
      DISABLE_IPV6: 'true'
```
## Custom Nginx Configurations
If you are a more advanced user, you might be itching for extra Nginx customizability.
NPM has the ability to include different custom configuration snippets in different places.
You can add your custom configuration snippet files at `/data/nginx/custom` as follows:
- `/data/nginx/custom/root.conf`: Included at the very end of nginx.conf
- `/data/nginx/custom/http_top.conf`: Included at the top of the main http block
- `/data/nginx/custom/http.conf`: Included at the end of the main http block
- `/data/nginx/custom/events.conf`: Included at the end of the events block
- `/data/nginx/custom/stream.conf`: Included at the end of the main stream block
- `/data/nginx/custom/server_proxy.conf`: Included at the end of every proxy server block
- `/data/nginx/custom/server_redirect.conf`: Included at the end of every redirection server block
- `/data/nginx/custom/server_stream.conf`: Included at the end of every stream server block
- `/data/nginx/custom/server_stream_tcp.conf`: Included at the end of every TCP stream server block
- `/data/nginx/custom/server_stream_udp.conf`: Included at the end of every UDP stream server block
Every file is optional.
## X-FRAME-OPTIONS Header
You can configure the [`X-FRAME-OPTIONS`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options) header
value by specifying it as a Docker environment variable. The default if not specified is `deny`.
```yml
  ...
  environment:
    X_FRAME_OPTIONS: "sameorigin"
  ...
```
## Customising logrotate settings
By default, NPM rotates the access and error logs weekly and keeps 4 and 10 log files respectively.
Depending on the usage, this can lead to large log files, especially access logs.
You can customise the logrotate configuration through a mount (if your custom config is `logrotate.custom`):
```yml
  volumes:
    ...
    - ./logrotate.custom:/etc/logrotate.d/nginx-proxy-manager
```
For reference, the default configuration can be found [here](https://github.com/NginxProxyManager/nginx-proxy-manager/blob/develop/docker/rootfs/etc/logrotate.d/nginx-proxy-manager).