Setting up a Web Proxy

NGINX Proxy Manager (NPM) acts as a middle-man between the wider Internet and your application servers which allows for those servers to be "hidden" from the public. NPM also lets you configure subdomains and SSL certificates for those services (terminating at the proxy).

For traffic to reach the application servers without a virtual private cloud (VPC), we forward that traffic through a WireGuard tunnel managed by Netbird.

This automated deployment is based on the guide at https://nginxproxymanager.com/setup/.

Deploying NGINX Proxy Manager (NPM) with Netbird agent

Prerequisites

You will need to create a couple of DNS records for your domain. These steps will be unique to your domain registrar, but it should be simple to:

  1. Create an A record with the name "@" pointed to your server's IP address.
  2. Create an A record with the name "*" pointed to your server's IP address.

1. Edit Inventory file

The host group for web proxies is [proxy]. Place the following information under that group.

  • The server's IP address.
  • server_tag= - This could be "npm"
  • ansible_user= - The non-root user
  • ansible_become_pass="{{ proxy_become_pass }}" - or change variable to the appropriate value in the Vault.
  • ansible_ssh_private_key_file="~/.ssh/id_ed25519_<server_tag>_<nonroot_user>" - The SSH key used to authenticate onto the server.

Example:

[proxy]
203.0.113.74 server_tag=npm ansible_user=serveradmin ansible_become_pass="{{ proxy_become_pass }}" ansible_ssh_private_key_file="~/.ssh/id_ed25519_npm_serveradmin"

2. Edit Ansible Vault variables

Edit the Ansible Vault file.

ansible-vault edit group_vars/all/vaulted_vars.yml

Include the password for the non-root user, along with your Netbird management server URL and setup key.

# NGINX Proxy Server
proxy_become_pass: <sudo password for non-root user>

# Netbird Agent Setup
nb_management_url: https://netbird.example.org
nb_setup_key: <setup_key>

3. Run Ansible playbook command

ansible-playbook lt_server_deploy.yml --ask-vault-pass --tags npm

Post-deployment setup

4. Connect to the NPM management interface

It's best practice not to expose management portals to the internet. Normally, the NGINX Proxy Manager web interface is accessible over HTTP on port 81, but our Docker config is set to make that port accessible only to the machine itself.

So to access the management interface, we can map port 8181 on your local machine to port 81 on the server by creating an SSH tunnel.

ssh -L 127.0.0.1:8181:127.0.0.1:81 -i ~/.ssh/id_ed25519_<server_tag>_<nonroot_user> -p 22 <nonroot_user>@<server_ip>

After you run the command, put 127.0.0.1:8181 into your web browser and you're in!
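
To confirm on the server that port 81 really is bound to loopback only, the following added example (not part of the original deployment or the NPM project) parses `ss -Htln` output and reports any listener on that port bound to a non-loopback address. The function name `exposed_listeners` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: report listeners on a port that are not loopback-only.
# Reads `ss -Htln` output on stdin and prints each exposed local address.
# Exit status: 0 = loopback-only or not listening, 1 = exposed.
exposed_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            la = $4                          # local address:port column
            n = match(la, /:[0-9]+$/)        # position of the final ":port"
            if (n == 0) next
            p = substr(la, n + 1)
            addr = substr(la, 1, n - 1)
            sub(/%.*$/, "", addr)            # drop an "%iface" scope suffix
            if (p != port) next
            if (addr ~ /^127\./ || addr == "[::1]") next
            print la
            bad = 1
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample: admin port bound to loopback, as this page describes.
SAMPLE_OK='LISTEN 0 4096 127.0.0.1:81 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:80 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*'

# Constructed sample: admin port published on every interface.
SAMPLE_BAD='LISTEN 0 4096 0.0.0.0:81 0.0.0.0:*
LISTEN 0 4096 [::]:81 [::]:*
LISTEN 0 4096 0.0.0.0:443 0.0.0.0:*'

printf '%s\n' "$SAMPLE_OK" | exposed_listeners 81 && echo "OK: port 81 is loopback-only"
printf '%s\n' "$SAMPLE_BAD" | exposed_listeners 81 || echo "EXPOSED: port 81 reachable off-host"

# On the proxy server itself (requires iproute2): ss -Htln | exposed_listeners 81
```

A non-zero exit status makes the check usable as a post-deployment gate after the playbook run.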

Change default credentials

Use the default credentials below to log in for the first time.

Email:    admin@example.com
Password: changeme

Change both the Email and Password and save them in your password manager.

Updating the containers

ansible-playbook lt_server_deploy.yml --ask-vault-pass --tags npm-update -vv

Adding services