Key Features
NginxProxyGuard is an enterprise-grade reverse proxy management system that provides powerful security features and an intuitive web UI.
Feature Summary
| Category | Key Features |
|---|---|
| Proxy Management | Multi-domain, WebSocket, Host Clone, Docker Container Browser, Custom Config |
| Stream (L4) | TCP/UDP stream proxy, SSL preread (passthrough) / termination |
| Load Balancing | Upstream Servers, Health Check, Round Robin / Least Conn / IP Hash / Random |
| Security | WAF (OWASP CRS), ForwardAuth SSO (Authelia/Authentik), Bot Filter, GeoIP Blocking, Rate Limiting, Security Header Presets |
| Certificates | Let's Encrypt Auto-issue/Renewal, DNS-01, DDNS (Cloudflare/DuckDNS/Dynu), HTTP/2, HTTP/3 (QUIC) |
| Monitoring | Real-time Dashboard, World Map Visualization, Detailed Logs |
| Management | Backup/Restore, 2FA, API Tokens, Audit Logs, Filter Subscriptions, Config Rollback |
Main Menu Structure
NginxProxyGuard consists of 8 main sections:
1. Dashboard
Monitor real-time system status and traffic.
- 24-hour request statistics and bandwidth monitoring
- Security event summary (WAF blocks, Bot filter, IP blocks)
- Docker container status
- Hourly statistics charts
- World map GeoIP traffic visualization
2. Proxy Hosts
Manage reverse proxy configurations.
- Multi-domain support (multiple domains per host)
- HTTP/HTTPS forwarding and WebSocket support
- Host Cloning: Duplicate existing hosts with all security settings
- Docker Container Browser: Auto-discover Docker containers as proxy targets
- Upstream Load Balancing: Configure multiple backend servers with health checks
- TCP/UDP Stream (L4): TCP/UDP stream proxy in addition to HTTP mode (SSL preread / termination)
- Favorite/Pin: Pin frequently used hosts to the top of the list
- 7 configuration tabs:
- Basic: Proxy type (HTTP/Stream), domain, backend server, forwarding settings
- Upstream: Multiple backend servers, distribution method, health checks
- SSL: Certificate selection, Let's Encrypt integration
- Security: WAF, GeoIP restrictions, Bot filter
- Protection: Fail2ban, Rate Limiting
- Performance: Caching, compression (gzip, brotli, zstd)
- Advanced: Custom nginx configuration
3. Redirects
Configure URL redirections.
- HTTP → HTTPS automatic redirect
- Path-based redirects
- Multiple status code support (301, 302, 307, 308)
4. WAF / Blocking
Manage Web Application Firewall and blocking rules. 6 sub-tabs:
- WAF Policy: OWASP CRS rules, Detection/Blocking mode, Paranoia level (1-4)
- IP Ban Management: Manual/automatic IP blocking, ban history
- URI Blocking: Path pattern blocking (wp-login.php, etc.)
- Exploit Blocking: SQL Injection, XSS, RFI blocking rules
- Fail2ban: Automatic IP blocking configuration
- WAF Tester: Test attack patterns and verify rules
5. Access Control
Manage IP-based access control lists.
- Create IP whitelists / blacklists
- CIDR notation support
- Per-host access list assignment
6. Certificates
Manage SSL/TLS certificates and DDNS. 4 sub-tabs:
- Certificate List: Let's Encrypt auto-issue, custom certificate upload
- Issue/Renewal History: Certificate event tracking
- DNS Providers: DNS-01 challenge setup for Cloudflare, Route53, etc.
- DDNS: Dynamic DNS auto-update (Cloudflare, DuckDNS, Dynu)
7. Logs
View and analyze detailed logs. 7 sub-tabs:
- Access Logs: Real-time request logs, GeoIP info, advanced filtering
- WAF Events: ModSecurity block events
- Bot Filter: Blocked bot requests
- Exploit Blocks: SQL/XSS/RFI attack attempts
- System Logs: Docker container and API logs
- Admin Audit: All admin activity tracking
- Raw Files: Direct nginx log file access
8. Settings
Manage system-wide settings. 10 sub-tabs:
- Global Settings: Direct IP access handling, default error pages, security header presets
- CAPTCHA: reCAPTCHA, hCaptcha, Cloudflare Turnstile
- GeoIP: MaxMind integration, database updates
- Bot Filter: 80+ malicious bots, 50+ AI bot blocking rules
- Security: Auto IP blocking on WAF violations
- SSL / ACME: Let's Encrypt settings, DNS providers
- Maintenance: Maintenance mode settings
- Backups: System backup/restore, scheduled backups
- System Logs: Docker log collection settings
- Filter Subscriptions: Subscribe to external bot/IP block lists with auto-update
Detailed Documentation
For detailed information on each feature, see:
- Proxy Host Management - Reverse proxy configuration
- System & UI/UX - Interface and user experience
- SSL/TLS Certificate Management - Certificate automation
- Redirect Hosts - URL redirection
- Web Application Firewall (WAF) - Security rules
- Auth Providers (ForwardAuth) - Authelia/Authentik/Custom SSO protection
- Security Hardening - Advanced security settings
- Bot Protection & Access Control - Bot filter and access control
- Monitoring & Analytics - Logs and analytics
- Settings & Management - System settings