Nginx Proxy Manager

Nginx Proxy Manager is a popular tool in the homelab community for managing reverse proxies. While it differs from Traefik and Caddy due to Nginx’s lack of native 302 redirect support in the auth_request module, Tinyauth provides API paths specifically designed to work with it.

Note

This guide assumes familiarity with Nginx Proxy Manager.

Example Docker Compose File

The following Docker Compose file demonstrates how to set up Nginx Proxy Manager, Whoami, and Tinyauth:

docker-compose.yml

services:
  npm:
    image: jc21/nginx-proxy-manager:2
    restart: unless-stopped
    ports:
      - 80:80
      - 443:443
      - 81:81
    volumes:
      - npm-data:/data
      - npm-letsencrypt:/etc/letsencrypt

  # Whoami is not required, but serves as a simple example app to demonstrate Tinyauth integration. You can replace it with any app of your choice.
  whoami:
    image: traefik/whoami:latest
    restart: unless-stopped

  tinyauth:
    image: ghcr.io/steveiliop56/tinyauth:v5
    restart: unless-stopped
    environment:
      - TINYAUTH_APPURL=http://tinyauth.example.com
      - TINYAUTH_AUTH_USERS=user:$$2a$$10$$UdLYoJ5lgPsC0RKqYH/jMua7zIn0g9kPqWmhYayJYLaZQ/FTmH2/u # user:password

volumes:
  npm-data:
  npm-letsencrypt:

OAuth and access controls can be configured using Docker labels and environment variables. All other configuration is managed through the Nginx Proxy Manager UI.

Configuring Nginx Proxy Manager

Creating the Tinyauth Host

Create a host for Tinyauth in Nginx Proxy Manager. Configure it as any other host:

SSL can be set up if certificates are available.

Caution

Ensure the “Block Common Exploits” option is disabled. If enabled, Nginx will block URLs in query parameters, which are required for Tinyauth to function.

Configuring Protected Hosts

For protected hosts, such as Whoami, configure the Details tab similarly to the Tinyauth host:

SSL can be configured as needed.

Note

The “Block Common Exploits” option can remain enabled for protected hosts.

Advanced Configuration

Add the following configuration in the Advanced tab to enable Tinyauth authentication:

# Root location
location / {
  # Pass the request to the app
  proxy_pass          http://whoami:80; # Replace with your app URL, e.g. http://10.10.10.25:80

  # Add other app-specific config here

  # Tinyauth auth request
  auth_request /tinyauth;
  auth_request_set $redirection_url $upstream_http_x_tinyauth_location;
  error_page 401 403 =302 $redirection_url;
}

# Tinyauth auth request
location /tinyauth {
  # Mark the location as internal to prevent direct access
  internal;

  # Pass request to Tinyauth, do not use the Tinyauth domain here, use the internal Docker network name and port or the IP and port of the Tinyauth instance
  proxy_pass http://tinyauth:3000/api/auth/nginx;

  # Pass the request headers
  proxy_set_header x-forwarded-proto $scheme;
  proxy_set_header x-forwarded-host $http_host;
  proxy_set_header x-forwarded-uri $request_uri;
}

Note

The /tinyauth path can be renamed for convenience.

Note

Additional configuration may be required under the / location for technologies like WebSockets.

Save the host configuration. Accessing the protected host will redirect to the Tinyauth login page if not already logged in. Repeat this process for each host to be protected by Tinyauth.