
NGINX Proxy Manager (public facing http->https)

Nginx Proxy Manager (NPM) from https://nginxproxymanager.com/

  • essential core service which should be configured first
  • requires docker to be installed already
  • exposes open ports on the main server's public IP
    • Port 80 listens and, if the request matches a valid hostname or wildcard, routes the traffic; all http should simply redirect to https
    • Port 443 listens and routes traffic depending on the hostname
      • *.pknw1.co.uk domains are used for publicly accessible services
      • *.admin.pknw1.co.uk domains are used for restricted access services
      • requests are routed to the appropriate proxy host configuration based on the DNS name
      • the FQDN's SSL connection is verified against the system-wide wildcard cert for either .pknw1.co.uk or .admin.pknw1.co.uk

Named proxy hosts in NGINX catch any *.pknw1.co.uk request and any *.admin.pknw1.co.uk request.

The preferred method of routing is matching the request against the appropriate wildcard domain configuration.

all wildcard matches are validated against any access rules and then passed through to the nginx proxy, which directs the request to the configured container

This setup allows the domain config to be done through the service container's environment variables in an automated way, rather than manually setting up a proxy host and reverse proxy config for each new service.

requests are passed to the backend and routed via the internal proxy;

a manual config can also be added and further restricted 

all public containers should be on the proxy docker network 

172.22.20.1

matched as a wildcard for the admin domain

before passing to the internal_proxy for hostname based routing, the source of the session is determined

as this is admin only (reachable only over Tailscale), the advanced config allows any source with a local docker address in 172.22.0.0/16 or an address in the Tailscale network 100.100.69.0/24

any non-matching source is denied;
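Added illustration (not the page's screenshots and not a file NPM generates): the *.admin.pknw1.co.uk wildcard proxy host written as plain nginx, combining the http->https redirect, the wildcard certificate and the allow/deny source check described above. The certificate paths and the internal_proxy upstream name are assumptions.

```nginx
# Port 80: never serve content for the admin domain, only redirect to https.
server {
    listen 80;
    server_name *.admin.pknw1.co.uk;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name *.admin.pknw1.co.uk;

    # System-wide wildcard certificate for the admin domain (assumed paths).
    ssl_certificate     /etc/letsencrypt/live/admin.pknw1.co.uk/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/admin.pknw1.co.uk/privkey.pem;

    # Source restriction: the proxy docker network and the Tailscale range are
    # allowed, everything else gets a 403. In NPM these three lines are what
    # goes in the proxy host's "Advanced" tab. They test $remote_addr, the TCP
    # peer, so they are only meaningful while NPM is the first hop (no NAT or
    # CDN in front of it rewriting the source address).
    allow 172.22.0.0/16;
    allow 100.100.69.0/24;
    deny  all;

    location / {
        # Hostname-based routing happens in the internal proxy; forward the
        # original Host header so it can select the right container.
        proxy_pass http://internal_proxy;   # assumed container name on the proxy docker network
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

To check the rule set, run nginx -t inside the NPM container after saving, then request an admin hostname over https from an address outside the two allowed ranges and confirm a 403 comes back.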

Example wildcard proxy configuration for *.pknw1.co.uk

[screenshots: NPM proxy host configuration tabs for *.pknw1.co.uk]

Example wildcard proxy configuration for *.admin.pknw1.co.uk

[screenshots: NPM proxy host configuration tabs for *.admin.pknw1.co.uk]

nginx proxy manager proxy host config files on disk (each file's second line holds the domain names for that proxy host):

cd /etc/pknw1/config/core-system/nginx_proxy_manager/data/nginx/proxy_host

for f in *.conf; do DOM=$(sed -n '2p' "$f"); FN=${f%%.*}; echo "$FN $DOM" | sed 's/#//'; done

1  *.pknw1.co.uk
10  dev.pknw1.co.uk, yt-dev.pknw1.co.uk
12  search.pknw1.co.uk
15  mobile.engineering.pknw1.co.uk
16  webmin.pknw1.co.uk
18  engineering.pknw1.co.uk
2  *.admin.pknw1.co.uk
23  admin.pknw1.co.uk
25  jackett.pknw1.co.uk
26  *.streaming-from.cloud, streaming-from.cloud
28  accounts.pknw1.co.uk, my.pknw1.co.uk
3  webmin.admin.pknw1.co.uk
31  check.pknw1.co.uk
32  notflix.pknw1.co.uk, test.pknw1.co.uk
33  requests.pknw1.co.uk
35  tv.pknw1.co.uk
36  jf.pknw1.co.uk
37  hub.pknw1.co.uk
38  ut.admin.pknw1.co.uk, utorrent.admin.pknw1.co.uk
41  404.pknw1.co.uk
42  reddit_webhook.pknw1.co.uk, webhook.pknw1.co.uk
43  vue.pknw1.co.uk
6  login.pknw1.co.uk

The following manual configurations are required for mapping non-docker services via the proxy:

Service Name: Webmin
External URL: https://webmin.admin.pknw1.co.uk
Mapped Service:
  • http port 80 -> 443
  • 443 -> webmin proxy host config
  • SSL cert validated against *.admin.pknw1.co.uk
  • source checked via advanced config
  • if allowed, direct the connection: NPM -> proxy docker network -> 10000