NGINX PROXY MANAGER ยท SSL ยท HOME ASSISTANT ADD-ON

Nginx Proxy Manager in Cyan Glass.

Operations wiki for the Nginx Proxy Manager Home Assistant Add-on: installation, SSL setup, DNS-01 challenges, MariaDB integration and troubleshooting.

๐Ÿš€ Start Installation ๐Ÿ” SSL Setup ๐Ÿ›  Troubleshooting
Add-on Slugnginx_proxy_manager
Admin UIhttp://homeassistant.local:81
HTTP/HTTPS:80 / :443
Upstream Imagejc21/nginx-proxy-manager

โšก Default Credentials

Change immediately after first login.

Email:    admin@example.com
Password: changeme
URL:      http://homeassistant.local:81

๐Ÿงญ Port Requirements

Ports 80 and 443 must be free on the host.

Admin UI:  :81 (LAN only)
HTTP:      :80 (optional, HTTP-01 ACME)
HTTPS:     :443 (public proxy)
๐Ÿ 

Home

Overview

#home

Nginx Proxy Manager is a reverse proxy management UI with SSL automation. This add-on wraps the official jc21/nginx-proxy-manager image with HA Supervisor integration, secrets support and optional MariaDB backend.

#Wiki Pages

PagePurpose
InstallationAdd repository, install, start.
ConfigurationSQLite vs MariaDB, secrets, JWT.
First StartDefault login, change credentials.
SSL & Let's EncryptDNS-01, DuckDNS, wildcard certs.
TroubleshootingPort conflicts, cert failures, DB issues.

#Minimum Operating Model

Browser โ†’ NPM Admin UI :81
NPM     โ†’ manages nginx configs, SSL certs
nginx   โ†’ proxies :80/:443 to internal services
๐Ÿš€

Installation

Install the Add-on

#installation

#Step 1 โ€” Add Repository

  1. Open Home Assistant.
  2. Go to Settings โ†’ Add-ons โ†’ Add-on Store.
  3. Open โ‹ฎ โ†’ Repositories.
  4. Add:
https://github.com/pol4rfuchs/ha-apps

#Step 2 โ€” Install

  1. Search for Nginx Proxy Manager.
  2. Click Install.

#Step 3 โ€” Start

  1. Enable Start on boot.
  2. Click Start.
  3. Open the Admin UI at port 81.
Ports 80 and 443 must be free on the host. Disable any other service using these before starting.
โš™๏ธ

Configuration

Options & Secrets

#configuration

#SQLite (Default)

No configuration required. NPM creates its own SQLite database on first start.

#MariaDB Backend

use_mariadb: true
mariadb_host: "core-mariadb"
mariadb_port: 3306
mariadb_database: "npm"
mariadb_username: !secret npm_db_user
mariadb_password: !secret npm_db_password
npm_jwt_secret: !secret npm_jwt_secret
Create the MariaDB database and user before enabling this option. Use !secret references to keep credentials out of the add-on config.

#All Options

OptionDefaultDescription
use_mariadbfalseUse MariaDB instead of SQLite.
mariadb_hostcore-mariadbMariaDB add-on hostname.
mariadb_port3306MariaDB port.
mariadb_databasenpmDatabase name.
mariadb_usernameโ€”MariaDB user.
mariadb_passwordโ€”MariaDB password.
npm_jwt_secretโ€”JWT secret for session tokens.
โœ…

First Start

Default Credentials

#first-start

#Default Login

URL:      http://homeassistant.local:81
Email:    admin@example.com
Password: changeme
Change the email and password immediately after first login.

#Create Your First Proxy Host

  1. Click Proxy Hosts โ†’ Add Proxy Host.
  2. Set the domain name (e.g. ha.yourdomain.com).
  3. Set the forward hostname to homeassistant.local or HA IP.
  4. Set the forward port to 8123.
  5. Enable SSL under the SSL tab.
๐Ÿ”

SSL & Let's Encrypt

Certificate Management

#ssl

#HTTP-01 Challenge

Requires port 80 to be forwarded to your HA host. Works for standard domain certificates.

#DNS-01 Challenge (Recommended)

Works without port forwarding. Supports wildcard certificates. Available providers in NPM include Cloudflare, DuckDNS, Route53 and more.

  1. SSL Certificates โ†’ Add SSL Certificate โ†’ Let's Encrypt.
  2. Enable Use DNS Challenge.
  3. Select your DNS provider.
  4. Enter your API credentials.

#DuckDNS Setup

Provider:     DuckDNS
Token:        your-duckdns-token
Domain:       your-subdomain.duckdns.org
DuckDNS wildcard certs cover *.your-subdomain.duckdns.org โ€” useful for multiple subdomains on one certificate.

#Auto-Renewal

NPM renews certificates automatically before expiry. No manual action required after initial setup.

๐ŸŒ

Ports & Networking

Port Reference

#ports
PortProtocolPurposeExpose publicly?
80/tcpHTTPProxy + ACME HTTP-01 challengeYes (for HTTP)
443/tcpHTTPSProxy (SSL)Yes (for HTTPS)
81/tcpHTTPNPM Admin UINo โ€” LAN only
Never expose the Admin UI (port 81) to the internet. Keep it behind your LAN or VPN.
๐Ÿ’พ

Persistence

Data & Backup

#persistence 
/data/
โ”œโ”€โ”€ database.sqlite    # NPM database (if not using MariaDB)
โ”œโ”€โ”€ nginx/             # Generated nginx configurations
โ””โ”€โ”€ letsencrypt/       # Let's Encrypt certificates and ACME data
Important: The letsencrypt/ folder contains your private keys and certificates. HA backups include it automatically.

#Backup Workflow

  1. Settings โ†’ System โ†’ Backups โ†’ Create Backup.
  2. This captures NPM config, certificates and (if SQLite) the database.
  3. For MariaDB: also back up the MariaDB add-on data.
๐Ÿ› ๏ธ

Troubleshooting

Known Symptoms & Fixes

#troubleshooting
SymptomCauseFix
Port 81 not accessiblePort not mapped in Network tab.Add port mapping in add-on Network settings.
Port 80/443 conflictAnother service uses these ports.Stop conflicting service or change its port.
Let's Encrypt failsPort 80 not forwarded (HTTP-01).Use DNS-01 challenge or forward port 80 on router.
MariaDB connection refusedWrong credentials or MariaDB not running.Verify MariaDB add-on is running and credentials match.
White screen on UIBrowser cache issue.Clear cache and try direct URL: http://HA-IP:81
Proxy host returns 502Upstream service not running or wrong port.Verify the forwarded service is running and the port is correct.