The “Last Mile” of Self-Hosting
So, you did it. You followed our guide on WHAT IS DOCKER, and you’ve successfully launched your first application, maybe the IMMICH PHOTO MANAGER.
But there’s a problem. You can only access it by typing something like http://192.168.1.100:2283 into your browser. This has two huge limitations:
- It only works when you are at home on your local Wi-Fi.
- It’s insecure (running on http, not https).
This means your Immich mobile app won’t upload photos when you’re at a friend’s house, and you can’t show off your photo library from work. Your app is trapped in your home network.
To truly “replace” Google Photos, you need to solve this “last mile” problem. You need a way to access your apps securely from anywhere in the world. Welcome to the world of reverse proxies. This guide will show you the easiest way to set this up using Nginx Proxy Manager.
What is a Reverse Proxy? (The Simple Analogy)
Think of your home network like an apartment building.
- Your router is the front door to the building (your public IP address).
- Each Docker app (Immich, Nextcloud, etc.) is a different apartment (192.168.1.100:2283, 192.168.1.100:8080, etc.).
If you tell a friend to visit “apartment 2283,” it’s confusing and insecure.
A Reverse Proxy is like a friendly, professional receptionist that sits at the front desk (at the standard ports 80 and 443).
- It Handles All Visitors: Everyone from the internet talks only to the receptionist.
- It Checks IDs (SSL/HTTPS): It provides a secure, encrypted https connection for everyone, so the conversation is private.
- It Guides Traffic: You just tell your friend, “Visit immich.my-domain.com.” They tell the receptionist, who knows that request should be securely routed to apartment 192.168.1.100:2283.
Why Nginx Proxy Manager (NPM)?
A “reverse proxy” is a concept. Tools like Nginx, Traefik, and Caddy are the software that implements it. Most of them are configured with complex text files, which is a hurdle for beginners.
Nginx Proxy Manager (NPM) is different. It’s a powerful Nginx reverse proxy that runs in Docker and gives you a beautiful, simple web interface for everything.
With NPM, adding a new app and securing it with a free Let’s Encrypt SSL certificate is literally a 30-second-long, point-and-click process. It’s the perfect tool for linuxallday.com users.
The 4-Step Plan to Get You Online
This is our roadmap. We’ll tackle each step one by one.
- Get a Domain Name: We need a public address. We’ll get a free one from DuckDNS.
- Open Your Router: We’ll tell your router to send all web traffic to your Linux server (this is Port Forwarding).
- Open Your Server’s Firewall: We’ll tell Linux to accept that traffic (on Fedora, Debian, and Arch).
- Install & Configure NPM: We’ll set up the “receptionist” using a simple Docker command.
Part 1: Get a Free Domain with DuckDNS
Before we can get an SSL certificate, we need a registered domain name.
- Go to the OFFICIAL DUCKDNS WEBSITE.
- Log in using your preferred method (e.g., Google, Reddit). It’s free.
- In the “domains” section, type a name for your “subdomain.” For example, mylinuxhomelab.
- Click “add domain.” You are now the owner of mylinuxhomelab.duckdns.org.
- On that same page, it will show your “current ip.” This is your public IP address. Click the “update ip” button to point your new domain to your home’s public IP.
That’s it! You now have a domain name. (Note: If your IP address changes often, DuckDNS has scripts to update it, but for now, this manual step is all we need).
Part 2: Your Router (Port Forwarding)
This step is critical and different for every router (Netgear, TP-Link, Asus, etc.).
We need to tell your router: “Any traffic that comes from the internet on port 80 or port 443 should be sent directly to the internal IP address of your Linux server.”
- Find Your Server’s Internal IP: On your Linux server, type ip a. Look for your IP address, it will be something like 192.168.1.100 or 10.0.0.50.
- Log in to Your Router: Open your browser and go to your router’s admin page (usually 192.168.1.1 or 192.168.0.1).
- Find “Port Forwarding”: Look for a section called “Port Forwarding,” “NAT Forwarding,” or “Virtual Servers.”
- Create Two Rules:
  - Rule 1 (HTTP):
    - External Port: 80
    - Internal Port: 80
    - Internal IP: 192.168.1.100 (Your server’s IP)
    - Protocol: TCP
  - Rule 2 (HTTPS):
    - External Port: 443
    - Internal Port: 443
    - Internal IP: 192.168.1.100 (Your server’s IP)
    - Protocol: TCP
Save the rules and (if needed) reboot your router. You have now “opened the door” for web traffic.
Part 3: Your Linux Firewall (Fedora, Debian, Arch)
You’ve opened the router, but now your Linux server’s own firewall is blocking the door. We need to tell it to allow the traffic we just forwarded.
This is the one part that is different for each distribution.
Option 1: Fedora (firewalld)
Fedora uses firewalld by default. It’s very easy.
Bash
# Allow HTTP traffic (port 80)
sudo firewall-cmd --add-service=http --permanent
# Allow HTTPS traffic (port 443)
sudo firewall-cmd --add-service=https --permanent
# Reload the firewall to apply changes
sudo firewall-cmd --reload
Option 2: Debian / Ubuntu (ufw)
Debian and Ubuntu derivatives (like Mint, Zorin, etc.) often use ufw (Uncomplicated Firewall).
Bash
# Allow HTTP traffic (port 80)
sudo ufw allow http
# Allow HTTPS traffic (port 443)
sudo ufw allow https
# Reload the firewall to apply changes
sudo ufw reload
(If ufw isn’t enabled, you may need to run sudo ufw enable first.)
Option 3: Arch Linux / Manjaro
Arch and Manjaro don’t have a default firewall.
- If you installed and enabled firewalld, use the Fedora commands.
- If you installed and enabled ufw, use the Debian/Ubuntu commands.
- If you have no firewall enabled, you can skip this step (but you should consider enabling one!).
Part 4: Install Nginx Proxy Manager (The Docker Way)
Now for the fun part. Thanks to our Docker guide, this is identical on all systems.
- Create a new folder for your NPM configuration:
Bash
mkdir ~/npm-data
cd ~/npm-data
- Create a docker-compose.yml file:
Bash
nano docker-compose.yml
- Paste the following code into the file. This is the official file from the NPM website.
YAML
version: '3.8'
services:
  app:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped
    ports:
      # Format is 'host:container'; this image listens on 80, 443 and 81 inside the container
      # These are the ports you opened on your router
      - '80:80'
      - '443:443'
      # This is the port for the Admin Panel
      - '81:81'
    volumes:
      - ./data:/data
      - ./letsencrypt:/etc/letsencrypt
- Save and exit (Ctrl+O, Enter, Ctrl+X).
- Launch Nginx Proxy Manager!
Bash
docker compose up -d
That’s it! Your “receptionist” is now running.
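A quick exposure check for this point in the setup, added here as an example and not part of the original guide: it reads `ss -Htln` output and lists every TCP port that other machines can reach and that is not one of the two ports forwarded in Part 2. The function names, the allowed-port list and the sample socket lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): flag TCP listeners that other
# machines can reach but that the guide never meant to expose publicly.

# Assumption: only the two ports forwarded in Part 2 should be public.
ALLOWED_PORTS="80 443"

# Reads `ss -Htln` output on stdin; prints each port that listens on a
# non-loopback address and is not in ALLOWED_PORTS, one per line, sorted.
unexpected_listeners() {
  awk -v allowed="$ALLOWED_PORTS" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 4 {
      port = $4; sub(/.*:/, "", port)          # 0.0.0.0:81 -> 81, [::]:443 -> 443
      addr = substr($4, 1, length($4) - length(port) - 1)
      if (addr ~ /^127\./ || addr == "[::1]") next   # loopback: local only
      if (!(port in ok)) print port
    }' | sort -n -u
}

# Constructed sample: what `ss -Htln` could look like on the server from this
# guide after Part 4, with Immich (2283) and SSH (22) also running.
sample_ss_output() {
  cat <<'EOF'
LISTEN 0 4096 0.0.0.0:80        0.0.0.0:*
LISTEN 0 4096 0.0.0.0:81        0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443       0.0.0.0:*
LISTEN 0 4096 0.0.0.0:2283      0.0.0.0:*
LISTEN 0 128  0.0.0.0:22        0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53  0.0.0.0:*
LISTEN 0 4096 [::]:81           [::]:*
EOF
}

# On the real server run:  ss -Htln | unexpected_listeners
# Here the function is run on the constructed sample instead.
sample_ss_output | unexpected_listeners
```

Ports such as 81 (the NPM admin panel) and 2283 (Immich over plain http) in the output are reachable by every device on your network, and stay off the internet only as long as the router forwards nothing but 80 and 443. Docker publishes ports through its own iptables rules, so a port listed in docker-compose.yml can be reachable even without a matching ufw rule.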
Part 5: Configuring Your First App (The “Magic”)
This is the final step where it all comes together.
- Log in to NPM: Open your browser and go to your server’s IP on port 81: http://192.168.1.100:81
- Default Login:
  - Email: admin@example.com
  - Password: changeme
- The system will immediately force you to change your email and password. Do this.
- Set Up Your First Proxy Host (for Immich):
- Click on “Hosts” in the top menu, then “Proxy Hosts”.
- Click the big blue “Add Proxy Host” button.
A new window will pop up. Fill it out in two tabs.
In the “Details” Tab:
- Domain Names: immich.mylinuxhomelab.duckdns.org (your domain from Part 1)
- Scheme: http
- Forward Hostname / IP: 192.168.1.100 (your server’s IP)
- Forward Port: 2283 (the port Immich is running on)
- Make sure “Block Common Exploits” is checked.
In the “SSL” Tab:
- SSL Certificate: Click the dropdown and select “Request a new SSL Certificate”.
- Check the “Force SSL” box.
- Check the “HTTP/2 Support” box.
- Email Address: Enter your real email address (for Let’s Encrypt renewal notices).
- Agree to the Terms of Service.
- Click Save.
You will see a “Working” spinner for a few seconds. NPM is contacting Let’s Encrypt, proving you own that domain (by using the open port 80), and grabbing a secure SSL certificate.
You are done.
You can now open your phone (even on mobile data), go to https://immich.mylinuxhomelab.duckdns.org, and you will see your Immich instance, fully secured with a green padlock. You can now enter this address into the mobile app, and it will work from anywhere in the world.
Conclusion: You Are Now a Self-Hosting Pro
This might seem like a lot of steps, but you only have to do this once. You now have a permanent, powerful, and easy-to-use “receptionist” for your home server.
From now on, every time you install a new Docker app (Nextcloud, Home Assistant, etc.), the process is simple:
- docker compose up -d
- Go to NPM, add a new Proxy Host (e.g., nextcloud.mylinuxhomelab.duckdns.org), and click the SSL tab.
- Click Save.
You have unlocked the most critical piece of the self-hosting puzzle.
Did you run into any trouble with your router’s port forwarding? What’s the first app you’re going to set up with Nginx Proxy Manager? Let us know in the comments!

