{"skill":{"slug":"nginx-proxy-manager","displayName":"Nginx Proxy Manager","summary":"Manage Nginx Proxy Manager (NPM) for reverse proxy and SSL termination to internal services like staging/prod apps. Use when creating/updating proxy hosts, r...","description":"---\nname: nginx-proxy-manager\ndescription: Manage Nginx Proxy Manager (NPM) for reverse proxy and SSL termination to internal services like staging/prod apps. Use when creating/updating proxy hosts, requesting or renewing Let's Encrypt certificates, enforcing HTTPS redirects, setting websocket support, or routing domains/subdomains to target servers.\n---\n\n# Nginx Proxy Manager Workflow\n\nUse this skill to terminate SSL at NPM and route traffic to backend services (staging/prod).\n\n## Required inputs\n\n- Domain/subdomain (e.g. `staging.example.com`)\n- Public DNS already pointing to NPM public IP\n- Upstream target host/IP + port (e.g. `10.10.10.227:3000`)\n- Whether Cloudflare proxy is enabled (if used)\n\n## Authentication (do not hardcode secrets)\n\nStore credentials outside this skill (local secret file or environment variables).\n\nRecommended env vars:\n- `NPM_BASE_URL` (e.g. `http://<npm-host>:81`)\n- `NPM_IDENTITY`\n- `NPM_SECRET`\n\nExample token request:\n\n```bash\ncurl -sS -X POST \"$NPM_BASE_URL/api/tokens\" \\\n  -H 'Content-Type: application/json; charset=UTF-8' \\\n  --data \"{\\\"identity\\\":\\\"$NPM_IDENTITY\\\",\\\"secret\\\":\\\"$NPM_SECRET\\\"}\"\n```\n\n## Standard setup flow\n\n1. Confirm DNS resolves to NPM public IP.\n2. Create or update Proxy Host in NPM:\n   - Domain Names: requested host(s)\n   - Scheme: `http` (or `https` if upstream is TLS)\n   - Forward Hostname/IP: upstream IP/hostname\n   - Forward Port: app port\n   - Enable:\n     - Block Common Exploits\n     - Websockets Support\n3. SSL tab:\n   - Request new SSL certificate (Let's Encrypt)\n   - Enable `Force SSL`\n   - Enable `HTTP/2 Support`\n   - Enable `HSTS` only after validation\n4. Save and verify:\n   - `curl -I https://<domain>` returns `200/301`\n   - Browser check for valid certificate and app reachability\n\n## Recommended defaults\n\n- Keep upstream as private IP where possible.\n- Use separate hostnames per environment:\n  - `app.example.com` → production\n  - `staging.example.com` → staging\n- Avoid wildcard certificates unless explicitly needed.\n\n## Troubleshooting\n\n- Certificate issuance fails:\n  - Check DNS A/AAAA records\n  - Ensure ports 80/443 reach NPM\n  - Disable conflicting CDN TLS mode or set to Full/Strict appropriately\n- 502 Bad Gateway:\n  - Verify upstream container/service is running\n  - Verify correct target port and local firewall rules\n- Redirect loops:\n  - Don’t double-force HTTPS (app + proxy misconfiguration)\n\n## Publication hygiene checklist\n\nBefore sharing/publishing this skill:\n- Remove all real IPs, domains, emails, and tokens.\n- Keep only placeholders like `example.com` and `<npm-host>`.\n- Ensure no local credential file paths or secret values are included.\n\n## Safety rules\n\n- Never remove existing production proxy hosts unless explicitly requested.\n- For changes on production domains, snapshot/export config or document previous values first.\n- Apply changes to staging first when possible.\n","tags":{"latest":"1.0.0"},"stats":{"comments":0,"downloads":756,"installsAllTime":4,"installsCurrent":4,"stars":0,"versions":1},"createdAt":1772377990309,"updatedAt":1778491681414},"latestVersion":{"version":"1.0.0","createdAt":1772377990309,"changelog":"Initial release: NPM reverse proxy + SSL workflow, auth guidance, and publication hygiene checklist.","license":null},"metadata":null,"owner":{"handle":"mw-slc","userId":"s174xs35pn613rhz4t2szahgad884aa1","displayName":"mw-slc","image":"https://avatars.githubusercontent.com/u/242990393?v=4"},"moderation":null}