Application Infrastructure Azure

Nginx Proxy Manager on Ubuntu 24.04 on Azure User Guide

| Product: Nginx Proxy Manager on Ubuntu 24.04 LTS on Azure

Overview

Nginx Proxy Manager is a friendly, open source web UI that lets you run nginx as a reverse proxy in front of all your web apps without ever editing an nginx config file by hand. Point a domain at your Azure VM, add a proxy host that forwards to your backend, and request a free Let's Encrypt certificate in a couple of clicks - Nginx Proxy Manager manages the nginx configuration, the TLS certificates and their renewals for you. It also handles access lists, custom locations, redirections, TCP/UDP streams and a default landing site. The cloudimg image installs Docker CE from the official Docker repository and runs the official Nginx Proxy Manager 2.15.1 container (managed by Docker with a restart policy). Nginx Proxy Manager IS nginx: it binds ports 80 and 443 for proxied traffic and Let's Encrypt HTTP challenges, and port 81 for the admin web UI. Its database and issued certificates live on a dedicated Azure data disk, and a unique admin password is generated on the first boot of every VM. Backed by 24/7 cloudimg support.

What is included:

  • Nginx Proxy Manager 2.15.1 running as a container managed by Docker
  • Docker CE preinstalled from the official Docker apt repository
  • The admin web UI on port 81; proxied HTTP/HTTPS traffic on ports 80 and 443
  • A unique admin account created on first boot (no default changeme password ever ships)
  • Free Let's Encrypt certificate issuance and automatic renewal
  • A dedicated Azure data disk at /var/lib/npm holding the SQLite database, nginx configs and issued certificates
  • docker.service + nginx-proxy-manager-firstboot.service as systemd units, enabled and active
  • An unauthenticated health endpoint (GET :81/api/) for Azure Load Balancer health probes
  • 24/7 cloudimg support

Prerequisites

An active Azure subscription, an SSH key pair, and a VNet + subnet in the target region. Standard_B2s (2 vCPU / 4 GiB RAM) is a reasonable starting point. NSG inbound: allow 22/tcp from your management network, 80/tcp and 443/tcp for proxied traffic and Let's Encrypt challenges, and 81/tcp for the admin UI. For production, restrict 81/tcp to trusted source IPs so the admin console is not exposed to the whole internet.

Step 1 - Deploy from the Azure Marketplace

Sign in to the Azure Portal, choose Create a resource, search the Marketplace for Nginx Proxy Manager by cloudimg, and select Create. On Basics pick your subscription, resource group, region and size; under Administrator account choose SSH public key and paste your key; under Inbound port rules allow SSH (22), HTTP (80), HTTPS (443) and 81 (admin UI). Review the dedicated data disk on the Disks tab, then Review + create -> Create.

Step 2 - Deploy from the Azure CLI

az vm create \
  --resource-group <your-rg> \
  --name nginx-proxy-manager \
  --image <marketplace-image-urn> \
  --size Standard_B2s \
  --admin-username azureuser \
  --ssh-key-values ~/.ssh/id_ed25519.pub \
  --vnet-name <your-vnet> --subnet <your-subnet> \
  --public-ip-sku Standard

az vm open-port --resource-group <your-rg> --name nginx-proxy-manager --port 80 --priority 1010
az vm open-port --resource-group <your-rg> --name nginx-proxy-manager --port 443 --priority 1020
az vm open-port --resource-group <your-rg> --name nginx-proxy-manager --port 81 --priority 1030

Step 3 - Connect to your VM

ssh azureuser@<vm-public-ip>

Step 4 - Confirm the services are running

systemctl is-active docker.service nginx-proxy-manager-firstboot.service

Both report active. Docker manages the Nginx Proxy Manager container, which publishes ports 80 and 443 for proxied traffic and port 81 for the admin UI. The database, nginx configuration and issued certificates live on the dedicated Azure data disk mounted at /var/lib/npm.

docker.service and the firstboot service active, the Nginx Proxy Manager container running with ports 80, 443 and 81 published, and the dedicated data disk mounted at /var/lib/npm

Step 5 - Retrieve your admin credentials

Nginx Proxy Manager 2.15 ships no default password. A unique admin account is created on the first boot of your VM and written to a root-only file:

sudo cat /root/nginx-proxy-manager-credentials.txt

This file contains NPM_ADMIN_EMAIL (admin@example.com), the generated NPM_ADMIN_PASSWORD, and the admin URL. Store the password somewhere safe - you can change it in the UI at any time.

The Docker and Nginx Proxy Manager versions and the per-VM credentials file with the generated admin email, password and URL

Step 6 - Confirm the health endpoint

Nginx Proxy Manager exposes an unauthenticated health endpoint that also reports whether an admin has been set up:

curl -s http://localhost:81/api/

It returns {"status":"OK","setup":true,...}. The setup:true flag confirms your per-VM admin account already exists, so the admin console is protected the moment the VM is reachable. This endpoint never requires authentication, so it is safe for an Azure Load Balancer health probe.

Step 7 - Confirm the default password is rejected

No instance ships with the well-known default changeme password. You can prove the default is rejected before you ever open the UI:

curl -s -H 'Content-Type: application/json' -X POST \
  --data '{"identity":"admin@example.com","secret":"changeme"}' \
  http://localhost:81/api/tokens

It returns an Invalid email or password error - no token is issued. Only the per-VM password from Step 5 authenticates.

The health endpoint reporting setup true, the default changeme password rejected, the per-VM password accepted with a JWT, and the authenticated admin identity

Step 8 - Sign in to the admin console

Browse to http://<vm-public-ip>:81/. Nginx Proxy Manager shows a login page; enter the email and password from Step 5.

The Nginx Proxy Manager login page in the browser

Once signed in, the Dashboard is your home page. It shows how many Proxy Hosts, Redirection Hosts, Streams and 404 Hosts you have, with the Hosts, Access Lists, Certificates, Users, Audit Logs and Settings menus across the top.

The Nginx Proxy Manager dashboard showing the Proxy Hosts, Redirection Hosts, Streams and 404 Hosts tiles and the top navigation

Step 9 - Add a proxy host

Open Hosts -> Proxy Hosts and click Add Proxy Host. Enter the Domain Names that point at this VM, choose the forward Scheme (http/https), the Forward Hostname / IP and Forward Port of your backend, and optionally enable Block Common Exploits and Websockets Support. Click Save and Nginx Proxy Manager writes the nginx configuration for you.

The Add Proxy Host dialog with Domain Names, forward scheme, hostname, port, access list and options, and the Details, Custom Locations and SSL tabs

Step 10 - Request a free Let's Encrypt certificate

Open the Certificates tab and click Add Certificate -> Let's Encrypt, or turn on SSL directly in the SSL tab of a proxy host. Enter your domain, agree to the Let's Encrypt terms and Nginx Proxy Manager completes the HTTP-01 challenge over port 80 and installs the certificate, renewing it automatically before it expires.

The Certificates page where Let's Encrypt certificates are requested and managed

Step 11 - Confirm data lives on the dedicated disk

Nginx Proxy Manager's SQLite database, nginx configuration and issued certificates are stored under /var/lib/npm on the dedicated Azure data disk (bind-mounted into the container as /data and /etc/letsencrypt), so they survive OS changes and can be resized independently:

findmnt /var/lib/npm

The mount is backed by a separate Azure data disk captured into the image and re-provisioned on every VM.

Maintenance

  • Admin password: the admin account is created on first boot. To change it, sign in and use the user menu -> Edit (or manage users under Users).
  • Certificates: Let's Encrypt certificates are requested and renewed automatically from the Certificates tab; renewal needs port 80 reachable from the internet for the HTTP-01 challenge.
  • Admin UI security: restrict 81/tcp in your Azure NSG to trusted source IPs. The proxied traffic on ports 80/443 stays publicly reachable while the admin console is locked down.
  • Upgrades: Nginx Proxy Manager runs as the nginx-proxy-manager container from the pinned jc21/nginx-proxy-manager:2.15.1 image; to upgrade, pull a newer tag, remove the container and re-run it with the same -v /var/lib/npm/data:/data -v /var/lib/npm/letsencrypt:/etc/letsencrypt mounts so your data is preserved.
  • Storage: all state lives under /var/lib/npm on the data disk; back up that volume to protect your hosts and certificates.
  • Security patches: unattended-upgrades remains enabled so the OS continues to receive security updates automatically.

Support

cloudimg provides 24/7 expert support for this image. Contact support@cloudimg.co.uk.