[Support] Nginx Proxy Manager (NPM) Official


I have installed NPM with the following attributes:

image.png

I use pihole with unbound as DNS and Fritzbox as DHCP, this works well.

With NPM I have received LE cert for my domain.

I have registered some subdomains like dc.mydomain.xxx for Double Commander.

dc.mydomain.xxx is also registered in pihole as local DNS record with IP forwarding to NPM.

Host for dc.mydomain.xxx in NPM is forwarded to https://192.168.23.155:3001.

Double Commander is accessible with this IP/Port but not dc.mydomain.xxx.

Any hints what's going wrong?


No ideas what's going wrong?

On 7/31/2025 at 10:01 PM, PinkCarlos said:

is also registered in pihole as local DNS record with IP forwarding to NPM

what do you mean with "forwarding" ???

And which computers are asking pihole for an address?

  • 2 weeks later...

this might sound silly, but i have installed, logged in, and configured nginx container a few times so far. however, every time, if i return after 2-3 days, it does not allow me to login (wrong username/password error).

i m 100% i am using the correct credentials, as i copy paste them from another document.

driving myself crazy here. any help welcome

thanks

  • Author

Sounds like your database gets corrupted. Is your app data share located on the cache only? (Best option is enabling exclusive shares and bring the cache completely on an SSD, but backups are mandatory)

Is there a env variable for setting log levels?

proxy-host-1_access.log, proxy-host-1_error.log, and fallback_error.log have no entries.

Logfiles and loglevel can be set via CLI, but also with env?

3 hours ago, PinkCarlos said:

Is there a env variable for setting log levels?

proxy-host-1_access.log, proxy-host-1_error.log, and fallback_error.log have no entries.

Logfiles and loglevel can be set via CLI, but also with env?

no longer relevant

For some reason when I try to run tailscale on this container recently it binds on port 443 which stops nginx from starting up, I've used this successfully up until recently and am a bit unsure about what changed to break this. I did activate HTTPS on tailscale a couple of weeks back but it's been working up until just a day or two ago so don't know if it's related but also tried turning that off again.
From what I've understood Tailscale Serve Protocol uses port 443 and while that has been activated before without an issue I've tried to set Tailscale Serve to no but no luck.

Anyone has any idea on what to do from here, currently can't get NGINX up and running while using tailscale on the container which breaks my usecase for accessing some stuff when away from home.

Edit:

I found how to fix the issue

bild.png

As long as this field was populated with a port value it seems like serve is started no matter what you set Tailscale Serve to.

When I set it to blank the issue disappeared

Edited by Gronsak
Found solution to the issue

  • 2 weeks later...

Hey all. I successfully setup NPM two or three days ago. I linked an A-record from my custom domain to my ISP public ip address (which never changes), using my DNS provider where I manage the custom domain name. Hope all that makes sense. I spun up linkwarden and NPM on a custom network, got linkwarden setup properly, then setup NPM with SSL. Ports 80 and 443 are forwarded in my router to 180 and 1443 respectively, and my NPM container reflects this.

This setup WORKED FINE for the last two days. I could hit linkwarden.mycustomdomain.org from anywhere on any device. Then today, it stopped. DNS checker shows the hostname is resolving to my IP address, but when I test "server reachability" in NPM, I get this:

linkwarden.mycustomdomain.org: There is a server found at this domain but it returned an unexpected status code Connection timed out.. Is it the NPM server? Please make sure your domain points to the IP where your NPM instance is running.

I've checked NPM docker logs, and I don't see any errors. Again, nothing about my server has changed and this setup was working fine. I am not behind CGNAT or anything weird like that. My Plex server is still running fine using UPNP port forwarding. Any ideas?

It appears that my ISP has blocked ports 80 and 443 after a few days of using NPM. I used Tailscale via TSDProxy instead. Go figure

Hello, I'm using the NPM container in Unraid for quite a while and I'm quite happy with how it works.
However I do encounter a strange problem that I can't find a solution for:
Whenever I want to renew an existing certificate, I get this Error:
Error.png

This Error occurs when I try to manually renew a certificate via certbot. My container log just gave me an error while trying to auto-renew (referring to the letsencrypt log, that I don't understand. I can share it if you want).
Creating a new certificate for that same host however is no problem.

I checked the things you recommended.
My Port is reachable

Port.png

I get a result by entering my IPv4:

IPv4.png

And the target container is reachable via NPM:

Container Reachable.png

  • Author
20 hours ago, Qesaru said:

I checked the things you recommended.
My Port is reachable

Port.png

I get a result by entering my IPv4:

IPv4.png

Both are relevant for creating and updating certificates.

20 hours ago, Qesaru said:

And the target container is reachable via NPM:

That's irrelevant for certs.

20 hours ago, Qesaru said:

(referring to the letsencrypt log, that I don't understand. I can share it if you want).

We need the errors which are logged in this file. I still don't understand why they aren't forwarded to the container output, so we would be able to see them through the unraid gui. So please open the file in your npm appdata folder. A simple search for "error" or "fail" should show the relevant lines. Else remove your private information and post it here.

Thank you for your help!

2 hours ago, mgutt said:

A simple search for "error" or "fail" should show the relevant lines. Else remove your private information and post it here.

For readability I put the code at the end. I've also attached the anonymized file, but this seems to be the relevant part.
According to the hint letsencrypt needs some sort of file that's created by my certbot, however I don't know what I need to do in order to make it available.

{
  "identifier": {
    "type": "dns",
    "value": "sub.mydomain.com"
  },
  "status": "invalid",
  "expires": "2025-09-19T22:29:59Z",
  "challenges": [
    {
      "type": "http-01",
      "url": "https://acme-v02.api.letsencrypt.org/acme/chall/1951384786/582604934051/680gKQ",
      "status": "invalid",
      "validated": "2025-09-12T22:29:59Z",
      "error": {
        "type": "urn:ietf:params:acme:error:connection",
        "detail": "2001:###:####:####:####:####:####:3736: Fetching https://sub.mydomain.com/.well-known/acme-challenge/#########################: Error getting validation data",
        "status": 400
      },
      "token": "#########################",
      "validationRecord": [
        {
          "url": "http://sub.mydomain.com/.well-known/acme-challenge/#########################",
          "hostname": "sub.mydomain.com",
          "port": "80",
          "addressesResolved": [
            "46.###.###.###",
            "2001:###:####:####:####:####:####:3736"
          ],
          "addressUsed": "2001:###:####:####:####:####:####:3736"
        },
        {
          "url": "http://sub.mydomain.com/.well-known/acme-challenge/#########################",
          "hostname": "sub.mydomain.com",
          "port": "80",
          "addressesResolved": [
            "46.###.###.###",
            "2001:###:####:####:####:####:####:3736"
          ],
          "addressUsed": "46.###.###.###"
        },
        {
          "url": "https://sub.mydomain.com/.well-known/acme-challenge/#########################",
          "hostname": "sub.mydomain.com",
          "port": "443",
          "addressesResolved": [
            "46.###.###.###",
            "2001:###:####:####:####:####:####:3736"
          ],
          "addressUsed": "2001:###:####:####:####:####:####:3736"
        }
      ]
    }
  ]
}
2025-09-13 00:30:01,203:DEBUG:acme.client:Storing nonce: z38KXhlRljrs_ghQTq4a7sG4IqZVTPmWQ-0xnHhhaT3LR9gy4dw
2025-09-13 00:30:01,204:INFO:certbot._internal.auth_handler:Challenge failed for domain sub.mydomain.com
2025-09-13 00:30:01,204:INFO:certbot._internal.auth_handler:http-01 challenge for sub.mydomain.com
2025-09-13 00:30:01,204:DEBUG:certbot._internal.display.obj:Notifying user: 
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: sub.mydomain.com
  Type:   connection
  Detail: 2001:###:####:####:####:####:####:3736: Fetching https://sub.mydomain.com/.well-known/acme-challenge/#########################: Error getting validation data

Hint: The Certificate Authority failed to download the temporary challenge files created by Certbot. Ensure that the listed domains serve their content from the provided --webroot-path/-w and that files created there can be downloaded from the internet.

2025-09-13 00:30:01,205:DEBUG:certbot._internal.error_handler:Encountered exception:
Traceback (most recent call last):
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 108, in handle_authorizations
    self._poll_authorizations(authzrs, max_retries, max_time_mins, best_effort)
  File "/opt/certbot/lib/python3.11/site-packages/certbot/_internal/auth_handler.py", line 212, in _poll_authorizations
    raise errors.AuthorizationError('Some challenges have failed.')
certbot.errors.AuthorizationError: Some challenges have failed.

2 hours ago, mgutt said:

Both are relevant for creating and updating certificates.

That's irrelevant for certs.

We need the errors which are logged in this file. I still don't understand why they aren't forwarded to the container output, so we would be able to see them through the unraid gui. So please open the file in your npm appdata folder. A simple search for "error" or "fail" should show the relevant lines. Else remove your private information and post it here.

letsencrypt.log

  • Author

I think it's because the authority server tries to reach your domain through your IPv6, which is wrong:

5 minutes ago, Qesaru said:
Certbot failed to authenticate some domains (authenticator: webroot). The Certificate Authority reported these problems:
  Domain: sub.mydomain.com
  Type:   connection
  Detail: 2001:###:####:####:####:####:####:3736: Fetching https://sub.mydomain.com/.well-known/acme-challenge/#########################: Error getting validation data

How do you update the IPv6 of your domain and does it target your NPM container? Note: IPv6 must not be the one of your router as it is for IPv4.

You can test your IPv6 similar to IPv4 in your browser by adding brackets. Example:

http://[2001:4860:4860::8888]:80/

You must see the npm welcome page equal to your IPv4 tests.

IPv6 can be more challenging to set up. On the first page I showed one example by running npm in the host network, so it shares the same IPv6 as unraid. But you need to update your domain's IPv6 every time Unraid's IPv6 changes.

Most people gave up and disable IPv6 😅
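
To read a log like the one posted above, this added example (not part of the thread, and not NPM or certbot code) lists each hop in an ACME `validationRecord` and reports the address family of the fetch that failed; `probe` then tests a port per address family. The sample record, `sub.example.com`, the helper names and the documentation-range addresses are constructed for illustration.

```python
import ipaddress
import json
import socket

# Constructed authorization object in the shape certbot writes to
# letsencrypt.log; the addresses are documentation ranges, not the poster's.
V6, V4 = "2001:db8::3736", "203.0.113.10"
URL = "sub.example.com/.well-known/acme-challenge/TOKEN"
SAMPLE_AUTHZ = json.dumps({
    "identifier": {"type": "dns", "value": "sub.example.com"},
    "status": "invalid",
    "challenges": [{
        "type": "http-01", "status": "invalid",
        "error": {"type": "urn:ietf:params:acme:error:connection",
                  "detail": f"{V6}: Fetching https://{URL}: Error getting validation data"},
        "validationRecord": [
            {"url": f"http://{URL}", "port": "80", "addressUsed": V6},
            {"url": f"http://{URL}", "port": "80", "addressUsed": V4},
            {"url": f"https://{URL}", "port": "443", "addressUsed": V6},
        ],
    }],
})


def family_of(addr):
    """Address family of a literal; tolerates '#'-masked addresses from a redacted log."""
    try:
        return f"IPv{ipaddress.ip_address(addr).version}"
    except ValueError:
        if "#" in addr:
            return "IPv6" if ":" in addr else "IPv4"
        return None  # empty or not an address


def summarize_http01(authz_json):
    """List every hop the CA made and name the address family that failed."""
    results = []
    for chall in json.loads(authz_json).get("challenges", []):
        if chall.get("type") != "http-01" or chall.get("status") != "invalid":
            continue
        hops = [(family_of(r["addressUsed"]), int(r["port"]), r["url"])
                for r in chall.get("validationRecord", [])]
        # The error detail starts with the address the failing fetch used.
        failed = chall.get("error", {}).get("detail", "").split(": Fetching")[0]
        results.append({"hops": hops, "failed_family": family_of(failed)})
    return results


def probe(host, port, family, timeout=5.0):
    """TCP-connect to each address of one family; run it from outside the LAN."""
    outcome = {}
    for *_, sockaddr in socket.getaddrinfo(host, port, family, socket.SOCK_STREAM):
        with socket.socket(family, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            outcome[sockaddr[0]] = s.connect_ex(sockaddr) == 0
    return outcome


if __name__ == "__main__":
    for item in summarize_http01(SAMPLE_AUTHZ):
        print("failed over:", item["failed_family"])
        for family, port, url in item["hops"]:
            print(f"  {family} port {port} -> {url}")
    # Live check (needs network): probe("sub.example.com", 80, socket.AF_INET6)
```
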

On 9/13/2025 at 1:17 AM, mgutt said:

How do you update the IPv6 of your domain and does it target your NPM container?

First of all, thanks for your replies.
I used to use DynDNS on my router, but because that led to difficulties, it's now running on my Unraid box via the qmcgaw/ddns-updater Docker container. My registrar is Strato, if that matters. I don't know what you mean by targeting the NPM container.

Note: IPv6 must not be the one of your router as it is for IPv4.

I don't quite understand what you mean with that. Could you reframe the question?

On 9/13/2025 at 1:17 AM, mgutt said:

You can test your IPv6 similar to IPv4 in your browser by adding brackets. [...]

You must see the npm welcome page equal to your IPv4 tests.

I can't figure out what my IPv6 is supposed to be. My router once ran IPv4 via DS-Lite, but I made my ISP set me to native IPv4 (as far as I know at least) because I couldn't get things working with DS-Lite. Interestingly my router doesn't show any IPv6 Interface-ID for my server and therefore doesn't let me do any IPv6 settings. I can also not forward any ports to IPv6, only to IPv4.
Other devices on my network however do have an IPv6 Interface-ID and have changeable settings under the IPv6 section in the port forwarding menu.

On 9/13/2025 at 1:17 AM, mgutt said:

Most people gave up and disable IPv6 😅

That seems to be the best solution to me. How do I do this?

Thank you for your patience, I know my reply is probably not as helpful, but I hope you can help me fix this problem and get a better understanding of it.

I feel like I'm SO CLOSE to getting my setup right. Here's what I've done:

  • Running a docker app on port 300X that I want to expose.

  • Also running a PiHole

  • Installed and set up DDNS

  • Set up A name pointing to my IP

  • Created CNAME for app.example.com

  • Forwarded ports 80, 443, and 300X for my app

  • Created host in NPM for app.example.com on port 300X with a LetsEncrypt cert

When I visit app.example.com, I do not see my docker app. Instead, I see the Unraid login screen. That only happens when I forward port 80. When I do not forward port 80, I get a timeout 522 error.

Why am I being taken to the Unraid login screen? I definitely do NOT want to expose that, if possible. D

2 minutes ago, acdn01 said:

Why am I being taken to the Unraid login screen? I definitely do NOT want to expose that, if possible.

Because you forgot to add Step 1 :-)

1) MOVE UNRAID away from Port 80!

This can be done HERE

{EAE6D3CA-0471-483E-9176-52943A4BC685}.png

Change HTTP and HTTPS Port to a value that you like (and remember!).

Now NPM can run in Host mode and take over these ports.

Btw, you still cannot access Port 300x from the internet, NPM only tunnels 80 and 443.

Edited by MAM59

A basic thing that I completely forgot, thank you!!

I can now reach app.example.com. A few minutes after implementing the change, my app was available but some content (like images and some forms) were not rendering. I think this is a caching issue and will update this response if I figure out why the content did not render.

Edited by acdn01

  • 2 weeks later...

Could someone please help me directly via discord / voice chat to get my domain (atomicrhino.net on cloudflare) working and pointing to my unraid server nginx so I can do things like have a self hosted image upload thing etc? I really am struggling and could use the help. discord is sunwind.actual.

  • 1 month later...

Hi @mgutt,

I've been searching through the forum for help with this, but no replies yet. I came across your post (https://forums.unraid.net/topic/110245-support-nginx-proxy-manager-npm-official/#findComment-1011152) which I think is helpful in my situation but I am not so sure what changes I should make.

The issue that I'm having is posted here: https://forums.unraid.net/topic/76460-support-djoss-nginx-proxy-manager/page/78/#findComment-1588569.

My NPM is on a user created network and I need it to communicate with some containers on br1. Your chart below shows that I won't be able to communicate with anything on br0, does that apply to br1 as well? If so, what changes can I make to my docker network setup so that NPM can communicate to containers on br1 network? I'm not sure if I need to switch from ipvlan to macvlan or if its required to to allow host access to custom networks.

Thanks!

network-table.png

  • 4 weeks later...
  • Author

Maybe useful for others. This sets a bandwidth limit for nextcloud downloads (added through the advanced tab of the host settings):

# main rules adopted from nginx proxy manager
location / {
  add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload;";
  client_body_buffer_size 512k;
  client_max_body_size 32G;
  proxy_request_buffering off;
  proxy_read_timeout 600s;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;
  # Proxy!
  include conf.d/include/proxy.conf;
}

# bandwidth limit for downloads
location ~ ^/(public\.php/dav/files|remote\.php/dav/files)/ {

  # ignore X-Accel-Buffering header (https://github.com/nextcloud/server/pull/25747)
  proxy_ignore_headers X-Accel-Buffering;

  # limit to 10 Mbit/s
  limit_rate 1280k;

  # make sure proxy buffering is enabled
  proxy_buffering on;

  # disable buffering to temporary files
  proxy_max_temp_file_size 0;

  # general proxy settings
  add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload;";
  client_body_buffer_size 512k;
  client_max_body_size 32G;
  proxy_request_buffering off;
  proxy_read_timeout 600s;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;
  include conf.d/include/proxy.conf;
}

location /.well-known/carddav {
  return 301 /remote.php/dav/; 
}

location /.well-known/caldav  {
  return 301 /remote.php/dav/; 
}

  • 4 weeks later...

On 8/25/2025 at 6:36 AM, Gronsak said:

For some reason when I try to run tailscale on this container recently it binds on port 443 which stops nginx from starting up, I've used this successfully up until recently and am a bit unsure about what changed to break this. I did activate HTTPS on tailscale a couple of weeks back but it's been working up until just a day or two ago so don't know if it's related but also tried turning that off again.
From what I've understood Tailscale Serve Protocol uses port 443 and while that has been activated before without an issue I've tried to set Tailscale Serve to no but no luck.

Anyone has any idea on what to do from here, currently can't get NGINX up and running while using tailscale on the container which breaks my usecase for accessing some stuff when away from home.

Edit:

I found how to fix the issue

bild.png

As long as this field was populated with a port value it seems like serve is started no matter what you set Tailscale Serve to.

When I set it to blank the issue disappeared

Running into this same issue and this is the closest I've found to a solution. However, it appears that between Aug and now, the TS implementation may have changed (?). See my screenshot below. If I leave the Serve port blank, it defaults to 443, which is the cause of the issue. Changing to any other port doesn't solve it. I even tried typing just a space in the field but it reverted back to default when the container was created.

Any guidance?

Untitled.png

hi
hope someone can give me some help i have moved to unraid and installed Nginx Proxy Manager to see how it works the only challenges i have for now is my plex server and docker-uisp both is coming up as This page isn’t working but all the other containers is passing through am i missing something and yes i did do Let's Encrypt.
thanks in advance.

  • Author
1 minute ago, unraid.admin said:

This page isn’t working but all the other containers is passing through

Did you make some of the checks of the first posts?

12 minutes ago, mgutt said:

Did you make some of the checks of the first posts?

yes i have read few of them seems to fail to understand what i am doing wrong
