Note: This Docker container is entirely unofficial and not made by the creators of Nginx Proxy Manager.
Nginx Proxy Manager is a self-hosted reverse proxy with a web UI that just works. Route your domains to your services, get automatic SSL, and never write an nginx config file again.
If you're running multiple services on your own server — whether that's a homelab, a VPS, or an on-premise machine — this is the missing piece that ties everything together.
- Developers hosting multiple Docker containers on a single server
- Homelab enthusiasts who want real domains and real SSL on their self-hosted apps
- Small teams managing internal tools without a dedicated ops person
- Anyone tired of remembering which service runs on which port
No config files. Add a proxy host, point it at a service or container, and you're done. What used to take hours of nginx editing takes under a minute.
Docker-friendly out of the box. Running ten containers on ten different ports? Map each one to a clean subdomain — app.yourdomain.com instead of yourdomain.com:8080. No port juggling, no awkward URLs.
SSL that manages itself. Let's Encrypt certificates are issued and renewed automatically. Set it up once, forget about it.
More than just HTTP. Proxy TCP and UDP streams alongside your web services — all from the same interface.
Runs anywhere, depends on nothing. Fully self-hosted, air-gap capable, no cloud account required. Your infrastructure stays yours.
Grows with you. When you need it — access lists, basic auth, rate limiting, custom nginx directives — it's all there.
Nginx Proxy Manager handles routing and SSL at your server. Cloudflare's free tier covers everything in front of it — DDoS protection, CDN, edge caching, and a basic WAF — with no extra cost or complexity.
Together, they give you a production-grade stack that punches well above its weight:
- Cloudflare — protects and accelerates traffic before it reaches your server
- Nginx Proxy Manager — routes that traffic to the right service once it arrives
Neither replaces the other. They do different jobs, and they do them well together.
| Good fit | Probably overkill |
|---|---|
| Multiple Docker containers on one server | Single app, single domain |
| Teams without dedicated DevOps | Full infrastructure-as-code setup |
| Mixed HTTP + TCP/UDP workloads | Everything already on a managed platform |
| Self-hosted, on-prem, or air-gapped | Cloudflare Tunnel covers all your needs |
The official image (jc21/nginx-proxy-manager) bundles OpenResty and depends on upstream for CVE patches — which can lag weeks or months behind disclosure. This fork owns the entire chain from nginx.org apt → base image → app image, so CVEs can be patched the same day they are disclosed.
| Feature | Official (jc21) | This fork (jrandombytes) |
|---|---|---|
| nginx version | OpenResty 1.27.1.2 (nginx 1.27.1) | nginx mainline 1.31.0+ |
| CVE-2026-42945 (CVSS 9.2) | ❌ Unpatched | ✅ Patched |
| CVE-2025-6965 (SQLite) | ❌ Unpatched | ✅ Patched |
| Base image control | Upstream-controlled | Own pipeline |
| Build frequency | Manual upstream release | Weekly auto-rebuild |
| Timing oracle (user enumeration) | Vulnerable | ✅ Fixed |
| Shell escape RCE (DNS credentials) | Vulnerable (PR#5498 incomplete) | ✅ Fixed (correct POSIX idiom) |
| SSRF guard | Not available | ✅ Opt-in (BLOCK_PRIVATE_UPSTREAM=true) |
| Per-host rate limiting | Not available | ✅ limit_req_zone / limit_req with UI controls |
| Cloudflare Turnstile on login | Not available | ✅ Opt-in bot protection (Settings UI) |
| Login + 2FA rate limiting | Not available | ✅ express-rate-limit (10 req / 15 min) |
| Cloudflare IP restriction | Not available | ✅ Drop non-CF origin requests (return 444, Settings UI) |
```yaml
services:
  npm:
    image: jrandombytes/nginx-proxy-manager:latest
    restart: unless-stopped
    ports:
      - "80:80"
      - "81:81"
      - "443:443"
    volumes:
      - npm_data:/data
      - npm_letsencrypt:/etc/letsencrypt
    environment:
      PUID: 1000
      PGID: 1000
volumes:
  npm_data:
  npm_letsencrypt:
```

Access the admin UI at http://<your-server>:81
Default credentials: `admin@example.com` / `changeme`

Change these immediately after first login.
| Variable | Default | Purpose |
|---|---|---|
| `PUID` | `1000` | UID to run the npm process |
| `PGID` | `1000` | GID to run the npm process |
| `BLOCK_PRIVATE_UPSTREAM` | `false` | Block proxy hosts targeting LAN/private IPs (SSRF hardening) |
| `DISABLE_IPV6` | `false` | Disable IPv6 in generated nginx configs |
| `DB_SQLITE_FILE` | `/data/database.sqlite` | SQLite database path |
| `DB_MYSQL_HOST` | — | MySQL host (if using MySQL instead of SQLite) |
| `DB_POSTGRES_HOST` | — | PostgreSQL host (if using PostgreSQL instead of SQLite) |
| `LE_STAGING` | `false` | Use Let's Encrypt staging environment |
SQLite is the default. MySQL/MariaDB and PostgreSQL are also supported via environment variables.
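The kind of check `BLOCK_PRIVATE_UPSTREAM=true` implies, as an added example (not this fork's code): it uses Node's built-in `net.BlockList`, and the deny list, `isPrivateAddress`, `checkUpstream` and its `resolved` parameter are assumptions of the example.

```javascript
const net = require("node:net");

// Assumed deny list: the page only says "LAN/private IPs", so these ranges
// (RFC 1918, loopback, link-local, CGNAT, IPv6 ULA) are this example's choice.
const PRIVATE = new net.BlockList();
for (const [addr, bits] of [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
]) PRIVATE.addSubnet(addr, bits, "ipv4");
PRIVATE.addAddress("::1", "ipv6");        // loopback
PRIVATE.addSubnet("fc00::", 7, "ipv6");   // unique local
PRIVATE.addSubnet("fe80::", 10, "ipv6");  // link-local

// True when an IP literal falls in a denied range. IPv4-mapped IPv6
// (::ffff:a.b.c.d) is matched against the IPv4 rules by BlockList.
function isPrivateAddress(ip) {
  const family = net.isIP(ip);
  if (family === 0) throw new TypeError(`not an IP literal: ${ip}`);
  return PRIVATE.check(ip, family === 6 ? "ipv6" : "ipv4");
}

// Decide whether a forward target may be saved. `resolved` is the list of
// addresses the caller got from DNS for a hostname target (hypothetical
// parameter); literal IP targets ignore it.
function checkUpstream(host, resolved = [], env = process.env) {
  if (env.BLOCK_PRIVATE_UPSTREAM !== "true") {
    return { allowed: true, reason: "guard disabled" };
  }
  const bare = host.replace(/^\[|\]$/g, ""); // accept [::1] style literals
  const addrs = net.isIP(bare) ? [bare] : resolved;
  if (addrs.length === 0) return { allowed: false, reason: "unresolved" };
  // Every address must be public: one private A/AAAA record is enough to reject.
  const hit = addrs.find(isPrivateAddress);
  return hit
    ? { allowed: false, reason: `private address ${hit}` }
    : { allowed: true, reason: "public" };
}
```

A check made when the proxy host is saved does not cover a hostname whose DNS records change afterwards, so the same test is worth repeating whenever the upstream is re-resolved.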
| Port | Purpose |
|---|---|
| `80` | HTTP proxy traffic |
| `81` | Admin UI |
| `443` | HTTPS proxy traffic |
- CVE-2026-42945 (NGINX Rift, CVSS 9.2) — nginx ≤ 1.30.0 heap overflow RCE in rewrite module. Own base image uses nginx 1.31.0 mainline.
- CVE-2025-6965 (SQLite < 3.50.2) — Memory corruption. `better-sqlite3` upgraded to bundle SQLite 3.52.0.
- Timing oracle — Login always runs bcrypt even for unknown users, preventing email enumeration.
- Shell escape RCE — DNS provider credentials correctly escaped with POSIX `'\''` idiom.
- Schema injection — Pattern constraints on user-supplied fields prevent nginx config injection.
- Per-host rate limiting — `limit_req_zone` / `limit_req` with UI controls (rate req/s, burst, nodelay).
- Cloudflare Turnstile — Opt-in bot protection on the login page (Settings UI). Includes secret key redaction, nonce replay protection, and CSP headers for the widget.
- Login + 2FA rate limiting — `express-rate-limit` on `/api/tokens` (10 failed/15 min) and `/api/tokens/2fa` (10/5 min).
- Cloudflare IP restriction — Global toggle (Settings UI) that silently drops (`return 444`) any proxy host request not from a Cloudflare edge IP. Protects origins from bypass attacks when all traffic flows through Cloudflare.
- TLS — `ssl_prefer_server_ciphers on`; TLS 1.2+ only.
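The POSIX `'\''` idiom from the shell escape item above, as an added example (not this fork's or upstream's code): `posixQuote`, the weaker `weakQuote` kept for comparison, and `roundTrip` are hypothetical helpers, and the credential string is constructed.

```javascript
const { execFileSync } = require("node:child_process");

// Wrap a value in single quotes; each embedded ' becomes '\'' (close the
// quote, emit an escaped literal quote, reopen). Inside single quotes the
// shell expands nothing, so $(...), backticks and $VAR stay literal.
function posixQuote(value) {
  if (typeof value !== "string") throw new TypeError("value must be a string");
  if (value.includes("\0")) throw new RangeError("NUL byte cannot be passed to a shell");
  return "'" + value.replace(/'/g, "'\\''") + "'";
}

// Weak variant for comparison (constructed for this example): double quotes
// with only " escaped still allow command substitution.
function weakQuote(value) {
  return '"' + value.replace(/"/g, '\\"') + '"';
}

// Pass the quoted value to `printf %s` via sh and return what the shell saw.
function roundTrip(quoteFn, value) {
  return execFileSync("/bin/sh", ["-c", "printf %s " + quoteFn(value)], {
    encoding: "utf8",
  });
}

// Constructed sample: contents of a DNS provider credentials field.
const SAMPLE = "dns_token = it's-$(echo INJECTED)-`echo X`\nkey=\"a b\"";
```

`roundTrip(posixQuote, SAMPLE)` returns the credential byte for byte, while `roundTrip(weakQuote, SAMPLE)` comes back with both substitutions already evaluated by the shell.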
This fork tracks the upstream 2.14.x release line. Patch versions (2.14.x) are this fork's own releases. The minor version will advance to 2.15.x when the official NginxProxyManager project releases v2.15.0.
- This fork (GitHub): https://github.com/jrandombytes/nginx-proxy-manager
- Docker Hub: https://hub.docker.com/r/jrandombytes/nginx-proxy-manager
- Upstream: https://github.com/NginxProxyManager/nginx-proxy-manager