I’m currently using NPM and upgrading to a new VPS for my business. I have a public website and am going to host a few more for friends, plus a few other services. Everything is on docker for ease. I use Cloudflare for DNS so would prefer using a DNS challenge. I will change this at some point but not yet ready to!
Should I:
- stick with Nginx Proxy Manager which I know well (is it really that insecure or outdated?)
- switch to NPM Plus (assuming this is the easiest)
- switch to Caddy (seems to be there most recommended but will be a learning curve for me)
- Try out Nginx (seems like a massive learning curve so I’m very reluctant)
Minor nitpick: NPM stands for nodejs package manager not Nginx proxy manager
Anyway I personally would recommend that you move to Caddy.
Another option would be Nginx/Apache with ACME.sh
NPM+ didn’t work worth a damn for me. No proxies would forward, I have no clue why and couldn’t figure it out. It was like I was turning knobs that weren’t connected to anything. But YMMV.
Actually this happened to me about 6 months ago too - I wanted to switch to add crowdsec support but just could not get it to work so gave up and switched back to npm. I just assumed I wasn’t doing it right and never got around to trying again
I thought it was pretty weird, so I tried again a while later; same result. I checked through issues and couldn’t see anything, I figured it was just me. I tried because NPM was just full of error logs and was having some sort of shitfit, so I blew it out and rebuilt from scratch, now all is fine. But the NPM+ defeated me. I might have to try again just because.
Please don’t confuse the nginx proxy manager (npm) with the node.js packet manager (npm). The latter is frequently in the news regarding security vulnerabilities.
For a moment I was really confuser as to how Caddy could replace nodejs’s package manager
I might have done exactly this, thanks for pointing it out. Is Nginx proxy manager considered secure enough to use on extremal sites?
Nginx is considered battle tested.
Very few products have this level of puic scrutiny and and a good record of being safe.
Once this is said, the majority of problems come from misconfigurations, so triple check the things
Personally, I would try to avoid publishing nginx proxy manager’s management web ui to the general public.
That is not published externally - I only forward ports 80 and 443, and only access the admin interface locally or through a vpn to my router. Would this be ok? Thanks for your input
Yes, that is exactly what I meant.
I can recommend Caddy myself, it is dead simple to configure
IMO the learning curve for caddy is almost non existent, and just about anything you might want to selfhost almost certainly has a quick simple caddy configuration you can copy paste with just updating the relevant domain. Personally learning curve for caddy was probably way lower than figuring out the edge cases of apache that I was using before
I use Cloudflare for DNS so would prefer using a DNS challenge. I will change this at some point but not yet ready to!
Since you are already using Cloudflare, and you are moving to an upgraded VPS, why not incorporate Cloudflare’s Tunnel/ZeroTrust? The nice thing about their ZeroTrust Tunnel is that you don’t have to punch holes in your UFW firewall, no port forwarding or NAT on your external firewall/router. It’s just one tunnel that handles your traffic, and Cloudflare takes care of the certs.There is a section that allows you to implement the DNS challenge/verification. You seem experienced so it’s fairly easy to deploy. The caveat is that you have to have a proper domain name, and use the issued Cloudflare nameservers. I picked up a domain name at NamesCheap for $1.75 USD.
Thanks for this. To be honest it just did not cross my mind! Horserace, I am not sure I want to rely on Cloudflare too much though in case they so something in the future like put those things behind paywalls. My domains are through someone else so can easily switch nameservers to them for DNS. It does sound much easier and safer though so will have to consider it
I am not sure I want to rely on Cloudflare too much
Totally understandable. It’s good to be aware of future pitfalls, etc. I realize there are those who frown on Cloudflare, and I can see their point. For me, I’ll use them for the time being, and monitor any policy changes, or future gotchas. Of course, it goes without saying, that we should be doing that anyways even for opensource software. Things change, motivations change, project direction changes.
There are similar alternatives to Cloudflare Tunnels/ZeroTrust. I have not tried every one of them so I cannot vouch for their usability. There is ngrok, which seems to be the most popular of the alternatives, and there is Pagekite, Zrok, Pinggy, Localtunnel. As far as selfhosted options, Nebula, SirTunnel, BoringProxy, Pangolin, and frp come to mind.
If it were me, and these were public facing businesses, I would go with something rock solid like Cloudflare, familiarize myself with the options, then monitor for policy changes.
Thank you, I really appreciate the responses and other options.
I used to use npm. If you know it and you’re happy, use it.
It took me 3 times until I understood and got caddy installed. First, I tried using it via podman and failed. In the end I just installef it via dnf and it worked without any problems. Learning a caddy file is easy. I’ll never look back. It’s so nice and easy. Easier than npm but no gui but that’s not needed
I’m a Nginx(SWAG) user. It looks like more and more tutorials are leaning towards Traefik or Caddy with some using NPM. If you rely on those to deploy new services I would consider that.
If you are using docker have you looked at Traefik to act as your reverse proxy to replace nginx proxy manager?
To be honest I forgot about it. I tried it two years ago when setting up my lab but struggled compared to NPM. Nowadays it seems like all the talk I used to hear about it is now about caddy.
Even back then caddy was being talked about. I don’t use caddy because, at least back then, it was only free for non commercial use (unless you compile it yourself).
I’ve been using Traefik for even longer though and haven’t ran into any major issues. Definitely recommend it.
Just use Nginx… It isn’t that difficult, after all.
Or try any one of the “simplified” other proxies out there. I never seen the need for NPM anyway, as it just obfuscate nginx configuration stuff from your eyes.
You can check my wiki at https://wiki.gardiol.org/doku.php?id=selfhost%3Anginx
I wrote for my own benefit, and for others who might be interested.
