Nginx Proxy Manager Setup for Atlas CMMS

This guide explains how to configure Nginx Proxy Manager to handle SSL certificates and reverse proxy for the Atlas CMMS application.

Overview

Nginx Proxy Manager provides:

  • SSL Certificate Management: Automatic Let's Encrypt certificates
  • Reverse Proxy: Route traffic to backend services
  • Web Interface: Easy configuration through GUI
  • Access Control: IP filtering and basic authentication
  • Custom SSL: Upload your own certificates

Initial Setup

1. Access Nginx Proxy Manager Admin Interface

After running docker-compose up, access the admin interface at:

Important: Change these credentials immediately after first login!

2. Create Proxy Hosts

Configure the following proxy hosts in Nginx Proxy Manager:

Frontend (Atlas CMMS Web Interface)

  • Domain Names: your-domain.com, www.your-domain.com
  • Scheme: http
  • Forward Hostname/IP: atlas_frontend
  • Forward Port: 80
  • Cache Assets: Enabled
  • Block Common Exploits: Enabled
  • Websockets Support: Enabled

Backend API

  • Domain Names: api.your-domain.com or your-domain.com/api
  • Scheme: http
  • Forward Hostname/IP: atlas_api
  • Forward Port: 8080
  • Block Common Exploits: Enabled

MinIO Console (Optional)

  • Domain Names: minio.your-domain.com
  • Scheme: http
  • Forward Hostname/IP: atlas_minio
  • Forward Port: 9001
  • Block Common Exploits: Enabled

MinIO API (Optional)

  • Domain Names: storage.your-domain.com
  • Scheme: http
  • Forward Hostname/IP: atlas_minio
  • Forward Port: 9000
  • Block Common Exploits: Enabled

3. SSL Certificates

For each proxy host, configure SSL:

  1. Go to the SSL tab in the proxy host settings
  2. Select "Request a new SSL Certificate"
  3. Enable "Force SSL"
  4. Enable "HTTP/2 Support"
  5. Enable "HSTS Enabled"
  6. Click "Save"

Custom SSL Certificate

  1. Upload your certificate files
  2. Configure SSL settings
  3. Enable "Force SSL"

Advanced Configuration

Custom Nginx Configuration

For advanced needs, add custom Nginx configuration:

Frontend Custom Config

# Add to Advanced > Custom Nginx Configuration
location /api/ {
    proxy_pass http://atlas_api:8080/api/;
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_connect_timeout 60s;
    proxy_send_timeout 60s;
    proxy_read_timeout 60s;
}

# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header Referrer-Policy "strict-origin-when-cross-origin" always;

API Custom Config

# Add to Advanced > Custom Nginx Configuration
client_max_body_size 100M;

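# CORS headers for API
# Note: "$http_origin" echoes back whatever Origin the client sent, which allows every origin (same effect as "*").
add_header Access-Control-Allow-Origin "$http_origin" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
add_header Access-Control-Allow-Headers "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization" always;
add_header Access-Control-Expose-Headers "Content-Length,Content-Range" always;
add_header Access-Control-Max-Age 1728000 always;

# Answer preflight requests directly. add_header is not valid inside a server-level "if",
# and headers set inside an "if" would replace the ones above, so this block only returns;
# the server-level headers (marked "always") are sent with the 204.
if ($request_method = 'OPTIONS') {
    return 204;
}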

Access Control

Configure access control for sensitive endpoints:

  1. Admin Interface Protection:

    • Create access list with your IP ranges
    • Apply to MinIO console proxy host
  2. API Rate Limiting:

    • Use custom Nginx config for rate limiting
    • Example: limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;
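
A tightened version of the API proxy host settings described above (the CORS block under "API Custom Config" and the rate-limiting item in this list), as an added example rather than configuration from the Atlas CMMS project. It assumes the allowed origins are the frontend hostnames used in this guide and that http-level directives go in NPM's /data/nginx/custom/http.conf include; the burst value and the 429 status are illustrative choices.

```nginx
# ---- http context: /data/nginx/custom/http.conf (NPM http-level include) ----
# map and limit_req_zone are only valid at http level, so they cannot go in a
# proxy host's Advanced tab.

# Echo the Origin back only if it is on the allowlist; otherwise use "".
# (Hostnames are this guide's placeholders; list your real frontend origins.)
map $http_origin $cors_origin {
    default                        "";
    "https://your-domain.com"      $http_origin;
    "https://www.your-domain.com"  $http_origin;
}

# 10 MB of shared state keyed by client address, 10 requests/second each.
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

# ---- server context: API proxy host > Advanced > Custom Nginx Configuration ----
client_max_body_size 100M;

# nginx omits an add_header whose value is empty, so origins that are not on
# the allowlist receive no Access-Control-Allow-Origin header at all.
add_header Access-Control-Allow-Origin   $cors_origin always;
# Caches must not reuse a response across different Origin values.
add_header Vary                          "Origin" always;
add_header Access-Control-Allow-Methods  "GET, POST, PUT, DELETE, OPTIONS" always;
add_header Access-Control-Allow-Headers  "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization" always;
add_header Access-Control-Expose-Headers "Content-Length,Content-Range" always;
add_header Access-Control-Max-Age        1728000 always;

# Enforce the zone: allow short bursts of 20 (illustrative) and reject the
# excess with 429 instead of the default 503.
limit_req        zone=api burst=20 nodelay;
limit_req_status 429;

# Answer preflight without touching the backend; the server-level headers
# above are attached to the 204.
if ($request_method = 'OPTIONS') {
    return 204;
}
```

If another proxy or CDN sits in front of Nginx Proxy Manager, $binary_remote_addr is that proxy's address and all clients share one rate-limit bucket. add_header directives are inherited from the server level only by locations that define no add_header of their own.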

Environment Variables Update

Update your .env file for proxy setup:

# Update these URLs to match your domain configuration
PUBLIC_API_URL=https://api.your-domain.com
PUBLIC_FRONT_URL=https://your-domain.com
VITE_API_BASE_URL=https://api.your-domain.com/api

# Or if using path-based routing
PUBLIC_API_URL=https://your-domain.com
PUBLIC_FRONT_URL=https://your-domain.com
VITE_API_BASE_URL=https://your-domain.com/api

Security Best Practices

1. Change Default Credentials

  • Update Nginx Proxy Manager admin credentials
  • Use strong passwords for all services

2. Configure Firewall

  • Only expose ports 80, 443, and 81 (admin)
  • Block direct access to service ports (5432, 8080, 9000, 9001)

3. Regular Updates

  • Keep Nginx Proxy Manager updated
  • Update SSL certificates before expiration

4. Monitoring

  • Enable access logs
  • Monitor failed login attempts
  • Set up alerts for certificate expiration

Backup and Restore

Backup Nginx Proxy Manager Configuration

# Create backup of /data (Let's Encrypt certificates and keys under /etc/letsencrypt are not part of this archive)
docker exec nginx-proxy-manager tar -czf /tmp/npm-backup.tar.gz /data

# Copy backup from container
docker cp nginx-proxy-manager:/tmp/npm-backup.tar.gz ./backups/

Restore Configuration

# Copy backup to container
docker cp ./backups/npm-backup.tar.gz nginx-proxy-manager:/tmp/

# Restore data
docker exec nginx-proxy-manager tar -xzf /tmp/npm-backup.tar.gz -C /

Troubleshooting

Common Issues

  1. 502 Bad Gateway:

    • Check if backend service is running
    • Verify service names in proxy configuration
    • Check Docker network connectivity
  2. SSL Certificate Issues:

    • Verify domain DNS points to your server
    • Check port 80/443 accessibility
    • Review Let's Encrypt rate limits
  3. CORS Errors:

    • Configure proper CORS headers in custom config
    • Ensure API URLs match frontend configuration

Logs

View Nginx Proxy Manager logs:

docker logs nginx-proxy-manager

View service logs:

docker logs atlas_api
docker logs atlas_frontend

Additional Resources