Nginx Proxy Manager VS acme-dns

Nginx Proxy Manager — self-hosted reverse proxy with SSL built-in

Nginx Proxy Manager: if you want that dashboard life with SSL and subdomain routing.

NGINX Proxy Manager - GUI for NGINX proxy management

I've been running a tor relay relay on my static IP at my home for over a year now and haven't seen any trouble from it.

On the other hand, Nginx Proxy Manager got me blocked by brightcloud for the dumbest reason imaginable - the word "proxy" on the default "it works" page - https://github.com/NginxProxyManager/nginx-proxy-manager/dis...

I began to self-host a Minecraft server using Crafty Controller, an Excalidraw instance, Docmost to replace Notion, Plane to replace Jira, and Penpot to replace Figma. To be able to access them from the internet, I used Nginx Proxy Manager to set up reverse proxies with SSL. You can use Traefik or Caddy instead, but I enjoyed the ease-of-use of NPM. For a dashboard solution, I started with Homarr, but later switched to Homepage because I'm apparently incapable of making a decision and sticking with it.

In our case, since we use proxymanager to manage the different domains, the entry of this configuration is done in the advanced section

If anyone is looking for one, https://nginxproxymanager.com/

Been using it for years and it’s been solid.

Most people will use nginx-proxy [0] or Traefik [1] for front ending home labs with LetsEncrypt certs... Beyond that people will protect them with things like Tailscale [2], Cloudflare Tunnels [3] or even just mTLS [4] for protected access.

Home labbing today has a lot of amazing software and it's hard to keep up!

And as for dashboarding [5] on top of all this there are a lot of options.

[0] https://nginxproxymanager.com/

https://github.com/NginxProxyManager/nginx-proxy-manager/iss...

Great question. My first pass at the project was looking to conform to the ACME DNS API [1]. There are some tools for cert management that use that API, so it gave me broad tool support with very little effort. The getlocalcert subdomains don't permit user modification of A, MX, or CNAME records on the public DNS; you've got to do that with a private DNS server you provide.

I may consider extending the service to allow A/AAAA records to private IP ranges, and then I'd need a more full featured API, but this far there hasn't been demand for the feature.

Hit me up on email if you want to chat more (in profile), we're solving some similar problems.

[1] https://github.com/joohoi/acme-dns

there is also https://github.com/joohoi/acme-dns and LE clients like lego supporting it.

Getting a wildcard certificate from LE might be a better option, depending on how easy the extra bit of if plumbing is with your lab setup.

You need to use DNS based domain identification, and once you have a cert distribute it to all your services. The former can be automated using various common tools (look at https://github.com/joohoi/acme-dns, self-hosted unless you are only securing toys you don't really care about, if you self host DNS or your registrar doesn't have useful API access) or you can leave that as an every ~ten weeks manual job, the latter involves scripts to update you various services when a new certificate is available (either pushing from where you receive the certificate or picking up from elsewhere). I have a little VM that holds the couple of wildcard certificates (renewing them via DNS01 and acmedns on a separate machine so this one is impossible to see from the outside world), it pushes the new key and certificate out to other hosts (simple SSH to copy over then restart nginx/Apache/other).

Of course you may decide that the shin if your own CA is easier than setting all this up, as you can sign long lived certificates for yourself. I prefer this because I don't need to switch to something else if I decide to give friends/others access to something.

As someone else said, it’s a huge pain to run your own dns services. However, if you want some separation, I recently saw https://github.com/joohoi/acme-dns

v0.9.1 is out and natively supports both https://github.com/joohoi/acme-dns and any dns provider available in https://github.com/acmesh-official/acme.sh

I have set up an acme-dns server to answer ACME DNS Challenges: https://github.com/joohoi/acme-dns

The DNS challenge can be easily automated using https://github.com/joohoi/acme-dns - you do need an IP you can run a DNS server on though.

If your server is not accessible over the internet, you can still use Let's Encrypt or ZeroSSL to get a certificate. You'll just need to set up a DNS Challenge for things to work. This is a little more complicated, but can work even if your DNS provider doesn't have an API. For example, I use Google Domains and Google DNS (not cloud DNS) for my DNS server, but I've got an instance of acme-dns running on VPS box that handles the DNS auth for me. It's how every machine on my local network has valid certificates - but I annoyingly need to renew them every 90 days.