Nginx Proxy GuardNginx Proxy Guard

Configuration Guide

This guide covers the environment variables and initial setup for Nginx Proxy Guard.

Environment Variables

The only variables you set yourself in the .env file are the ones defined in env.example (below). Other runtime options (GeoIP, ACME, etc.) are managed in the Admin UI.

Required Settings

VariableDescriptionDefaultRequired
DB_PASSWORDDatabase password-O
JWT_SECRETJWT signing secret (32-char hex)-O

Optional Settings

VariableDescriptionDefault
TZTimezoneUTC
DB_USERDB userpostgres
DB_NAMEDB namenginx_proxy_guard
DOCKER_API_VERSIONDocker API version (only when auto-detection fails, e.g. Synology DSM)auto-detect

env.example also includes commented-out port/network variables such as UI_PORT, NGINX_HTTP_PORT, NGINX_HTTPS_PORT, API_HOST_PORT, and DNS_RESOLVER. Uncomment these only when the default ports (80/443/81) conflict with other services.

GeoIP / MaxMind

GeoIP is not configured through environment variables. Enter your MaxMind Account ID and license key under Settings > GeoIP in the Admin UI. They are stored in the system_settings DB table (maxmind_account_id, maxmind_license_key, geoip_enabled, geoip_auto_update, geoip_update_interval), and the app downloads and auto-updates the GeoIP database on a schedule.

ACME (Let's Encrypt)

ACME email, staging mode, and related options are managed in the Admin UI (Settings > SSL/ACME).

Database Structure

Core Tables

TableDescription
usersUser authentication (including TOTP 2FA)
api_tokensAPI authentication tokens
audit_logsAdministrator activity audit logs

Proxy Configuration Tables

TableDescription
proxy_hostsProxy host configuration (includes DDNS columns ddns_enabled, ddns_provider_id and Docker container columns forward_container_name, forward_container_network)
certificatesSSL/TLS certificates
dns_providersDNS Provider configuration (ACME DNS-01 / DDNS credentials)
ddns_recordsDDNS managed records (host-linked or manual)
upstreamsLoad-balancing upstream pools (per proxy host)
upstream_serversUpstream backend servers
access_listsIP access control lists
redirect_hostsURL redirect rules

Security Configuration Tables

TableDescription
rate_limitsRate limiting configuration
fail2ban_configsFail2ban configuration
bot_filtersBot filtering configuration
geo_restrictionsGeoIP regional restrictions
waf_rule_exclusionsWAF rule exclusions (per host)
global_waf_rule_exclusionsWAF rule exclusions (global)
banned_ipsBanned IPs
ip_ban_historyIP ban history
security_headersSecurity header configuration
uri_blocksURI block rules
global_uri_blocksGlobal URI blocks
challenge_configsCAPTCHA challenge configuration
challenge_tokensChallenge authentication tokens
cloud_provider_blocksCloud provider blocks
filter_subscriptionsExternal IP/CIDR blocklist subscriptions
filter_subscription_entriesIP/CIDR entries synced from subscriptions
filter_subscription_host_exclusionsHosts excluded from a subscription
filter_subscription_entry_exclusionsIndividual entries excluded from a subscription

Logging Tables

TableDescription
logsUnified logs (monthly partitions)
system_logsSystem logs (monthly partitions)
geoip_historyGeoIP update history

Configuration Tables

TableDescription
global_settingsGlobal Nginx settings
system_settingsSystem settings (includes DDNS refresh interval ddns_check_interval_minutes)
backupsBackup metadata
waf_rule_snapshotsWAF configuration snapshots

Troubleshooting

Certificate Issuance Failure

  1. Check DNS settings (whether the domain points to the server IP)
  2. Verify DNS Provider API token permissions
  3. Check Let's Encrypt rate limits
  4. Test in the staging environment (ACME_STAGING=true) first
# Check certificate logs
docker logs npg-api | grep -i cert

WAF False Positives

  1. Use the WAF test feature to identify which rule is triggered
  2. Add that rule ID to the per-host exclusion list
  3. Switch to detection mode, monitor, then apply blocking mode

GeoIP Not Working

  1. Verify the MaxMind Account ID + license key under Settings > GeoIP
  2. Verify the GeoIP database exists (/etc/nginx/geoip/)
  3. Check the status card under Settings > GeoIP (Country DB / ASN DB)
  4. Run a manual update with the "Update Now" button

Slow Log Queries

  1. Reduce the log retention period (system settings)
  2. Narrow the filter scope
  3. Check partition status
# Check partitions
docker exec -it npg-db psql -U postgres -d nginx_proxy_guard -c "SELECT tablename FROM pg_tables WHERE tablename LIKE 'logs_%';"

Backend Connection Failure

  1. Check backend server status
  2. Check network connectivity
  3. Check firewall settings
  4. Check the Docker network
# Test network connectivity
docker exec -it npg-proxy curl -v http://backend:port

High Memory Usage

  1. Reduce the log retention period
  2. Clean up old partitions
  3. Adjust the number of Nginx worker processes

Security Recommendations

Required Changes

  1. Change the default password: Change it immediately after first login

  2. Generate strong secrets:

    # DB password
    openssl rand -base64 24
    
    # JWT secret
    openssl rand -hex 32
    
  3. Enable 2FA: Set up TOTP-based two-factor authentication

Network Security

  1. Restrict access to the management port (81)
  2. Allow DB/Redis access only from the internal network
  3. Enforce HTTPS

API Security

  1. Configure IP restrictions for API tokens
  2. Apply the principle of least privilege
  3. Set token expiration dates