I spent way too long exposing my homelab services directly on weird ports. Port 8096 for Jellyfin, 8123 for Home Assistant, 8080 for something I’ve already forgotten. Every URL felt like a ransom note. Then I found Nginx Proxy Manager, and suddenly everything was clean subdomains with real HTTPS certificates — and it took about 20 minutes to set up. That’s the Nginx Proxy Manager homelab experience in a nutshell: enterprise-grade reverse proxying with a GUI so simple it almost feels like cheating.
If you’re running Docker on any server at home — Raspberry Pi, mini PC, Proxmox VM, doesn’t matter — you can have every service behind a proper domain with free Let’s Encrypt SSL by the time you finish reading this. No more remembering ports. No more browser security warnings. No more explaining to your family why the “Plex isn’t working” when they type the wrong IP.
What Is Nginx Proxy Manager and Why Does Your Homelab Need It?
Nginx Proxy Manager (NPM) is a Docker container that runs a web-based UI for managing Nginx reverse proxy configurations. Instead of editing config files and fighting with Let’s Encrypt’s ACME client in the terminal, you get a clean dashboard where you point a domain (like jellyfin.yourdomain.com) to an internal IP and port, click “Request SSL,” and watch it handle everything automatically. NPM is the Nginx Proxy Manager homelab solution that makes all your services feel like real websites.
The two big wins it gives you: clean URLs (no more ports) and free HTTPS (no more browser security warnings). It also centralizes all your proxy configs in one place, so when you spin up a new Docker container, adding it to NPM takes about 30 seconds. One home lab running 18 services behind a single NPM instance is entirely normal. The container itself barely uses any RAM — under 100MB typical — so it doesn’t compete with your actual services.
What You Need Before You Start
A few prerequisites before diving into the setup:
1. A domain name. You need a real domain for Let’s Encrypt SSL to work. Namecheap and Cloudflare both have cheap options — a .com runs about $10–$15/year. You can also use DuckDNS for a free subdomain if you don’t want to spend anything. If you’re going the Cloudflare route (recommended — it adds free DDoS protection and makes DNS challenges easy), sign up here.
2. A server running Docker. This can be a Raspberry Pi, a mini PC, a Proxmox VM, or any Linux machine with Docker installed. If you’re building your first homelab server and not sure what to buy, I’d point you to a Raspberry Pi 5 Starter Kit for a low-power, capable option, or a Beelink EQ14 Mini PC if you want more headroom for running multiple Docker services simultaneously.
3. Port forwarding on your router. You’ll need to forward TCP ports 80 and 443 from your router to the internal IP of your Docker host. This is what lets Let’s Encrypt validate your domain and what allows external HTTPS access to your services.
Setting Up Nginx Proxy Manager With Docker Compose
Drop this into a docker-compose.yml file on your server and run docker compose up -d:
services:
app:
image: 'jc21/nginx-proxy-manager:latest'
restart: unless-stopped
ports:
- '80:80'
- '81:81'
- '443:443'
volumes:
- ./data:/data
- ./letsencrypt:/etc/letsencryptThat’s the entire config. NPM uses SQLite internally (more than enough for a homelab with under 50 proxy hosts), so there’s no database container to manage. Once it’s running, access the admin panel at http://YOUR-SERVER-IP:81. Default credentials are admin@example.com / changeme — it’ll force you to change both immediately. Good.
Adding Your First Proxy Host and Getting SSL
This is where the magic is. In the NPM dashboard, go to Proxy Hosts → Add Proxy Host. Fill in:
— Domain Names: the subdomain you want (e.g., jellyfin.yourdomain.com)
— Forward Hostname/IP: the internal IP of the machine running Jellyfin (e.g., 192.168.1.50)
— Forward Port: the port Jellyfin listens on (e.g., 8096)
Then click the SSL tab, select “Request a new SSL Certificate,” check “Force SSL” and “HTTP/2 Support,” and hit Save. NPM fires a Let’s Encrypt challenge, validates your domain, pulls the certificate, and configures Nginx — all in about 30 seconds. You’ll see the padlock. Your service is now on clean HTTPS with a real certificate that auto-renews every 90 days.
Repeat for every service. Jellyfin, Home Assistant, Vaultwarden, Portainer, Grafana — each gets its own subdomain, its own cert, and you never think about port numbers again.
The Cloudflare DNS Challenge (For Local-Only Services)
Want HTTPS on services that you don’t want exposed to the internet? That’s where Cloudflare DNS challenge comes in. Instead of Let’s Encrypt validating through HTTP (which requires your ports open externally), it validates through a DNS TXT record that NPM creates automatically using your Cloudflare API token. Your service never has to be internet-accessible to get a valid SSL cert.
Setup: In NPM’s SSL tab, select “Use a DNS Challenge,” pick Cloudflare, and paste in your Cloudflare API token (Zones → DNS → Edit permission is all it needs). NPM handles the rest. This is how you get HTTPS on your internal Proxmox dashboard, your router admin panel, or anything else you’d rather not punch through to the internet.
It also pairs perfectly with Tailscale for remote access — Tailscale keeps your services reachable over VPN, and NPM makes them accessible over clean HTTPS locally. Best of both worlds.
- 💡【Compact Size & Blazing Smooth Performance】The Beelink EQ14 mini pc packs an Intel Twin Lake N150 (4C/4T, max 3.6GHz) and pre-installed W 11 Home, delivering snappy performance for daily tasks, this Beelink mini desktop computer saves desk space, ideal for light office work. Effortlessly handle Zoom/Skype meetings, run Office/PS, surf the web and stream videos simultaneously. Perfect for office, online education, home entertainment and industrial use
- 💡【Storage Expansion】The Beelink EQ14 mini pc comes with 16GB DDR4 3200MHz RAM (single-channel, max 16GB) and a 1TB PCIe 3.0 SSD. It features dual M.2 slots: one M.2 SATA3 2280 and one M.2 PCIe 3.0 x1 (NVMe), supporting up to 8TB total internal storage (retail unit includes NVMe SSD). High-speed storage ensures smooth multitasking and fast data access
- 💡【 Intel Graphics & Dual HDMI Output】 The Beelink EQ14 mini pc features Intel Graphics (24EUs, 1000MHz) that supports crisp 4K video playback and smooth web surfing. Its dual HDMI ports let you connect two monitors simultaneously, boosting multitasking efficiency for office work, streaming, and more.
- 💡【Versatile I/O & Wireless Connectivity】The Beelink EQ14 mini pc boasts rich I/O ports: 2*HDMI ports, 2*2.5G LAN ports, 3*USB 3.2 ports, 1*USB 2.0 ports, 1*type-c port(data). It supports dual 4K displays via HDMI. Built-in WiFi6 (802.11ax, AX101, dual-band 2.4/5GHz) and BT5.2 ensure stable signals with strong anti-interference.
- 💡【Reliable Lifetime Service】We have been devoting to the production and R&D of Mini PC. Please feel free to contact us if you have any questions. We offer lifetime technical support, 3-year worry-free warranty, and 24 hours customer service.
The Takeaway
The Nginx Proxy Manager homelab setup is one of those things that feels almost embarrassingly easy for what it gives you. Twenty minutes of setup — Docker Compose, a domain, port forwarding — and suddenly your entire homelab speaks HTTPS. Every service gets a clean subdomain. Every certificate auto-renews. And you never open a Nginx config file by hand.
If you’re new to homelabbing and haven’t set this up yet, it’s genuinely one of the first things I’d do on any new server. Build out your Docker stack, put NPM in front of it, and your homelab immediately feels like a professional operation.
What’s Your Proxy Setup?
Are you running NPM, or did you go with Traefik, Caddy, or something else? Drop your setup in the comments — especially if you’ve found a clever config or addon that changed the game for you. And if this helped you finally kill off those ugly port numbers, share it with a fellow homelabber who’s still living the :8096 life.