SkillHub

nginx-proxy-manager

v1.0.0

Manage Nginx Proxy Manager (NPM) for reverse proxy and SSL termination to internal services like staging/prod apps. Use when creating/updating proxy hosts, requesting or renewing Let's Encrypt certificates, enforcing HTTPS redirects, setting websocket support, or routing domains/subdomains to target...

Sourced from ClawHub, Authored by mw-slc

Installation

Please help me install the skill `nginx-proxy-manager` from SkillHub official store.

npx skills add mw-slc/nginx-proxy-manager

Nginx Proxy Manager Workflow

Use this skill to terminate SSL at NPM and route traffic to backend services (staging/prod).

Required inputs

  • Domain/subdomain (e.g. staging.example.com)
  • Public DNS already pointing to NPM public IP
  • Upstream target host/IP + port (e.g. 10.10.10.227:3000)
  • Whether Cloudflare proxy is enabled (if used)

Authentication (do not hardcode secrets)

Store credentials outside this skill (local secret file or environment variables).

Recommended env vars:

  • NPM_BASE_URL (e.g. http://<npm-host>:81)
  • NPM_IDENTITY
  • NPM_SECRET

Example token request:

curl -sS -X POST "$NPM_BASE_URL/api/tokens" \
  -H 'Content-Type: application/json; charset=UTF-8' \
  --data "{\"identity\":\"$NPM_IDENTITY\",\"secret\":\"$NPM_SECRET\"}"

Standard setup flow

  1. Confirm DNS resolves to NPM public IP.
  2. Create or update Proxy Host in NPM:
    • Domain Names: requested host(s)
    • Scheme: http (or https if upstream is TLS)
    • Forward Hostname/IP: upstream IP/hostname
    • Forward Port: app port
    • Enable:
      • Block Common Exploits
      • Websockets Support
  3. SSL tab:
    • Request new SSL certificate (Let's Encrypt)
    • Enable Force SSL
    • Enable HTTP/2 Support
    • Enable HSTS only after validation
  4. Save and verify:
    • curl -I https://<domain> returns 200/301
    • Browser check for valid certificate and app reachability

  • Keep upstream as private IP where possible.
  • Use separate hostnames per environment:
    • app.example.com → production
    • staging.example.com → staging
  • Avoid wildcard certificates unless explicitly needed.
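
A header check for the "Save and verify" step, as an added example that is not part of the original skill. It goes beyond the `curl -I https://<domain>` check by also covering the plain-HTTP request that Force SSL should redirect and by reporting whether HSTS is already being sent; the function name `check_headers` and the verdict strings are made up for this example.

```shell
#!/bin/sh
# Added example (not part of the skill). Reads response headers, as printed by
# `curl -sSI`, on stdin and prints one verdict line; exit status 0 = pass.
#   $1 = scheme that was requested (http or https)
#   $2 = domain that was requested
check_headers() {
  tr -d '\r' | awk -v scheme="$1" -v domain="$2" '
    # True when url is exactly origin, or origin followed by "/" or ":port",
    # so staging.example.com.other.test does not pass as staging.example.com.
    function same_host(url, origin,    rest) {
      if (index(url, origin) != 1) return 0
      rest = substr(url, length(origin) + 1)
      return rest == "" || rest ~ "^[/:]"
    }
    NR == 1                                     { status = $2 }
    tolower($1) == "location:"                  { loc = $2 }
    tolower($1) == "strict-transport-security:" { hsts = "on" }
    END {
      if (hsts == "") hsts = "off"
      if (scheme == "http") {
        # Force SSL: plain HTTP must redirect to the same host over HTTPS.
        if (status == 301 && same_host(loc, "https://" domain)) v = "PASS force-ssl"
        else v = "FAIL no-https-redirect"
      } else if (status == 200) {
        v = "PASS ok"
      } else if (status == 301) {
        # A 301 over HTTPS is fine unless it points back to HTTP or to itself.
        if (index(loc, "http://") == 1) v = "FAIL downgrade-redirect"
        else if (loc == "https://" domain "/") v = "FAIL self-redirect"
        else v = "PASS redirect"
      } else {
        v = "FAIL status-" status
      }
      print v, "status=" status, "hsts=" hsts
      exit (v ~ /^FAIL/)
    }'
}

# Usage against a live host (DOMAIN is a placeholder variable):
#   curl -sSI "https://$DOMAIN" | check_headers https "$DOMAIN"
#   curl -sSI "http://$DOMAIN"  | check_headers http  "$DOMAIN"
```

A `hsts=on` result during the first validation pass means HSTS was enabled before the certificate and redirects were confirmed.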

Troubleshooting

  • Certificate issuance fails:
    • Check DNS A/AAAA records
    • Ensure ports 80/443 reach NPM
    • Disable conflicting CDN TLS mode or set to Full/Strict appropriately
  • 502 Bad Gateway:
    • Verify upstream container/service is running
    • Verify correct target port and local firewall rules
  • Redirect loops:
    • Don’t double-force HTTPS (app + proxy misconfiguration)

Publication hygiene checklist

Before sharing/publishing this skill:

  • Remove all real IPs, domains, emails, and tokens.
  • Keep only placeholders like example.com and <npm-host>.
  • Ensure no local credential file paths or secret values are included.

Safety rules

  • Never remove existing production proxy hosts unless explicitly requested.
  • For changes on production domains, snapshot/export config or document previous values first.
  • Apply changes to staging first when possible.