version: '3.8'
services:
app:
image: 'jc21/nginx-proxy-manager:latest'
restart: unless-stopped
ports:
- '80:80'
- '81:81'
- '443:443'
volumes:
- ./data:/data
- ./letsencrypt:/etc/letsencrypt如果使用的是家庭公网IP,需要修改下端口,因为家宽公网IP封了80和443端口,那么以上代码端口号部分需要修改
ports:
- '80:80'
- '81:81'
- '443:443'
修改为:
ports:
- '8080:80'
- '81:81'
- '6443:443'
#这里面的80:80,指的是-本地端口:容器端口,那么我们只需要修改本地端口即可,容器端口不修改。Full Setup Instructions
Running the App
Create a docker-compose.yml file:
yml
version: '3.8'
services:
app:
image: 'jc21/nginx-proxy-manager:latest'
restart: unless-stopped
ports:
# These ports are in format <host-port>:<container-port>
- '80:80' # Public HTTP Port
- '443:443' # Public HTTPS Port
- '81:81' # Admin Web Port
# Add any other Stream port you want to expose
# - '21:21' # FTP
# Uncomment the next line if you uncomment anything in the section
# environment:
# Uncomment this if you want to change the location of
# the SQLite DB file within the container
# DB_SQLITE_FILE: "/data/database.sqlite"
# Uncomment this if IPv6 is not enabled on your host
# DISABLE_IPV6: 'true'
volumes:
- ./data:/data
- ./letsencrypt:/etc/letsencrypt
Then:
bash
docker compose up -d
Using MySQL / MariaDB Database
If you opt for the MySQL configuration you will have to provide the database server yourself. You can also use MariaDB. Here are the minimum supported versions:
MySQL v5.7.8+
MariaDB v10.2.7+
It's easy to use another docker container for your database also and link it as part of the docker stack, so that's what the following examples are going to use.
Here is an example of what your docker-compose.yml will look like when using a MariaDB container:
yml
version: '3.8'
services:
app:
image: 'jc21/nginx-proxy-manager:latest'
restart: unless-stopped
ports:
# These ports are in format <host-port>:<container-port>
- '80:80' # Public HTTP Port
- '443:443' # Public HTTPS Port
- '81:81' # Admin Web Port
# Add any other Stream port you want to expose
# - '21:21' # FTP
environment:
# Mysql/Maria connection parameters:
DB_MYSQL_HOST: "db"
DB_MYSQL_PORT: 3306
DB_MYSQL_USER: "npm"
DB_MYSQL_PASSWORD: "npm"
DB_MYSQL_NAME: "npm"
# Uncomment this if IPv6 is not enabled on your host
# DISABLE_IPV6: 'true'
volumes:
- ./data:/data
- ./letsencrypt:/etc/letsencrypt
depends_on:
- db
db:
image: 'jc21/mariadb-aria:latest'
restart: unless-stopped
environment:
MYSQL_ROOT_PASSWORD: 'npm'
MYSQL_DATABASE: 'npm'
MYSQL_USER: 'npm'
MYSQL_PASSWORD: 'npm'
MARIADB_AUTO_UPGRADE: '1'
volumes:
- ./mysql:/var/lib/mysql
WARNING
Please note, that DB_MYSQL_* environment variables will take precedent over DB_SQLITE_* variables. So if you keep the MySQL variables, you will not be able to use SQLite.
Running on Raspberry PI / ARM devices
The docker images support the following architectures:
amd64
arm64
armv7
The docker images are a manifest of all the architecture docker builds supported, so this means you don't have to worry about doing anything special and you can follow the common instructions above.
Check out the dockerhub tags for a list of supported architectures and if you want one that doesn't exist, create a feature request.
Also, if you don't know how to already, follow this guide to install docker and docker-compose on Raspbian.
Please note that the jc21/mariadb-aria:latest image might have some problems on some ARM devices, if you want a separate database container, use the yobasystems/alpine-mariadb:latest image.
Initial Run
After the app is running for the first time, the following will happen:
JWT keys will be generated and saved in the data folder
The database will initialize with table structures
A default admin user will be created
This process can take a couple of minutes depending on your machine.
Default Administrator User
Email: admin@example.com
Password: changeme
Immediately after logging in with this default user you will be asked to modify your details and change your password.
Pager
Previous page
Screenshots
Advanced Configuration
Running processes as a user/group
By default, the services (nginx etc) will run as root user inside the docker container. You can change this behaviour by setting the following environment variables. Not only will they run the services as this user/group, they will change the ownership on the data and letsencrypt folders at startup.
yml
services:
app:
image: 'jc21/nginx-proxy-manager:latest'
environment:
PUID: 1000
PGID: 1000
# ...
This may have the side effect of a failed container start due to permission denied trying to open port 80 on some systems. The only course to fix that is to remove the variables and run as the default root user.
Best Practice: Use a Docker network
For those who have a few of their upstream services running in Docker on the same Docker host as NPM, here's a trick to secure things a bit better. By creating a custom Docker network, you don't need to publish ports for your upstream services to all of the Docker host's interfaces.
Create a network, ie "scoobydoo":
bash
docker network create scoobydoo
Then add the following to the docker-compose.yml file for both NPM and any other services running on this Docker host:
yml
networks:
default:
external: true
name: scoobydoo
Let's look at a Portainer example:
yml
version: '3.8'
services:
portainer:
image: portainer/portainer
privileged: true
volumes:
- './data:/data'
- '/var/run/docker.sock:/var/run/docker.sock'
restart: unless-stopped
networks:
default:
external: true
name: scoobydoo
Now in the NPM UI you can create a proxy host with portainer as the hostname, and port 9000 as the port. Even though this port isn't listed in the docker-compose file, it's "exposed" by the Portainer Docker image for you and not available on the Docker host outside of this Docker network. The service name is used as the hostname, so make sure your service names are unique when using the same network.
Docker Healthcheck
The Dockerfile that builds this project does not include a HEALTHCHECK but you can opt in to this feature by adding the following to the service in your docker-compose.yml file:
yml
healthcheck:
test: ["CMD", "/usr/bin/check-health"]
interval: 10s
timeout: 3s
Docker File Secrets
This image supports the use of Docker secrets to import from files and keep sensitive usernames or passwords from being passed or preserved in plaintext.
You can set any environment variable from a file by appending __FILE (double-underscore FILE) to the environmental variable name.
yml
version: '3.8'
secrets:
# Secrets are single-line text files where the sole content is the secret
# Paths in this example assume that secrets are kept in local folder called ".secrets"
DB_ROOT_PWD:
file: .secrets/db_root_pwd.txt
MYSQL_PWD:
file: .secrets/mysql_pwd.txt
services:
app:
image: 'jc21/nginx-proxy-manager:latest'
restart: unless-stopped
ports:
# Public HTTP Port:
- '80:80'
# Public HTTPS Port:
- '443:443'
# Admin Web Port:
- '81:81'
environment:
# These are the settings to access your db
DB_MYSQL_HOST: "db"
DB_MYSQL_PORT: 3306
DB_MYSQL_USER: "npm"
# DB_MYSQL_PASSWORD: "npm" # use secret instead
DB_MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
DB_MYSQL_NAME: "npm"
# If you would rather use Sqlite, remove all DB_MYSQL_* lines above
# Uncomment this if IPv6 is not enabled on your host
# DISABLE_IPV6: 'true'
volumes:
- ./data:/data
- ./letsencrypt:/etc/letsencrypt
secrets:
- MYSQL_PWD
depends_on:
- db
db:
image: jc21/mariadb-aria
restart: unless-stopped
environment:
# MYSQL_ROOT_PASSWORD: "npm" # use secret instead
MYSQL_ROOT_PASSWORD__FILE: /run/secrets/DB_ROOT_PWD
MYSQL_DATABASE: "npm"
MYSQL_USER: "npm"
# MYSQL_PASSWORD: "npm" # use secret instead
MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
MARIADB_AUTO_UPGRADE: '1'
volumes:
- ./mysql:/var/lib/mysql
secrets:
- DB_ROOT_PWD
- MYSQL_PWD
Disabling IPv6
On some Docker hosts IPv6 may not be enabled. In these cases, the following message may be seen in the log:
Address family not supported by protocol
The easy fix is to add a Docker environment variable to the Nginx Proxy Manager stack:
yml
environment:
DISABLE_IPV6: 'true'
Custom Nginx Configurations
If you are a more advanced user, you might be itching for extra Nginx customizability.
NPM has the ability to include different custom configuration snippets in different places.
You can add your custom configuration snippet files at /data/nginx/custom as follow:
/data/nginx/custom/root_top.conf: Included at the top of nginx.conf
/data/nginx/custom/root.conf: Included at the very end of nginx.conf
/data/nginx/custom/http_top.conf: Included at the top of the main http block
/data/nginx/custom/http.conf: Included at the end of the main http block
/data/nginx/custom/events.conf: Included at the end of the events block
/data/nginx/custom/stream.conf: Included at the end of the main stream block
/data/nginx/custom/server_proxy.conf: Included at the end of every proxy server block
/data/nginx/custom/server_redirect.conf: Included at the end of every redirection server block
/data/nginx/custom/server_stream.conf: Included at the end of every stream server block
/data/nginx/custom/server_stream_tcp.conf: Included at the end of every TCP stream server block
/data/nginx/custom/server_stream_udp.conf: Included at the end of every UDP stream server block
Every file is optional.
X-FRAME-OPTIONS Header
You can configure the X-FRAME-OPTIONS header value by specifying it as a Docker environment variable. The default if not specified is deny.
yml
...
environment:
X_FRAME_OPTIONS: "sameorigin"
...
Customising logrotate settings
By default, NPM rotates the access- and error logs weekly and keeps 4 and 10 log files respectively. Depending on the usage, this can lead to large log files, especially access logs. You can customise the logrotate configuration through a mount (if your custom config is logrotate.custom):
yml
volumes:
...
- ./logrotate.custom:/etc/logrotate.d/nginx-proxy-manager
For reference, the default configuration can be found here.
Enabling the geoip2 module
To enable the geoip2 module, you can create the custom configuration file /data/nginx/custom/root_top.conf and include the following snippet:
load_module /usr/lib/nginx/modules/ngx_http_geoip2_module.so;
load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
四、进入Nginx Proxy Manager 后台
IStoreOS的后台地址+端口81进入。
五、端口转发
内网地址就是IStoreOS的后台地址
评论区