Please don't confuse the nginx proxy manager (npm) with the node.js packet manager (npm). The latter is frequently in the news regarding security vulnerabilities.
this post was submitted on 01 Nov 2025
40 points (95.5% liked)
Selfhosted
52766 readers
462 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
For a moment I was really confuser as to how Caddy could replace nodejs's package manager
I might have done exactly this, thanks for pointing it out. Is Nginx proxy manager considered secure enough to use on extremal sites?
Nginx is considered battle tested.
Very few products have this level of puic scrutiny and and a good record of being safe.
Once this is said, the majority of problems come from misconfigurations, so triple check the things
Personally, I would try to avoid publishing nginx proxy manager's management web ui to the general public.
That is not published externally - I only forward ports 80 and 443, and only access the admin interface locally or through a vpn to my router. Would this be ok? Thanks for your input
Yes, that is exactly what I meant.
IMO the learning curve for caddy is almost non existent, and just about anything you might want to selfhost almost certainly has a quick simple caddy configuration you can copy paste with just updating the relevant domain. Personally learning curve for caddy was probably way lower than figuring out the edge cases of apache that I was using before
I used to use npm. If you know it and you're happy, use it.
It took me 3 times until I understood and got caddy installed. First, I tried using it via podman and failed. In the end I just installef it via dnf and it worked without any problems. Learning a caddy file is easy. I'll never look back. It's so nice and easy. Easier than npm but no gui but that's not needed
I'm a Nginx(SWAG) user. It looks like more and more tutorials are leaning towards Traefik or Caddy with some using NPM. If you rely on those to deploy new services I would consider that.
Minor nitpick: NPM stands for nodejs package manager not Nginx proxy manager
Anyway I personally would recommend that you move to Caddy.
Another option would be Nginx/Apache with ACME.sh
I use Cloudflare for DNS so would prefer using a DNS challenge. I will change this at some point but not yet ready to!
Since you are already using Cloudflare, and you are moving to an upgraded VPS, why not incorporate Cloudflare's Tunnel/ZeroTrust? The nice thing about their ZeroTrust Tunnel is that you don't have to punch holes in your UFW firewall, no port forwarding or NAT on your external firewall/router. It's just one tunnel that handles your traffic, and Cloudflare takes care of the certs.There is a section that allows you to implement the DNS challenge/verification. You seem experienced so it's fairly easy to deploy. The caveat is that you have to have a proper domain name, and use the issued Cloudflare nameservers. I picked up a domain name at NamesCheap for $1.75 USD.
Thanks for this. To be honest it just did not cross my mind! Horserace, I am not sure I want to rely on Cloudflare too much though in case they so something in the future like put those things behind paywalls. My domains are through someone else so can easily switch nameservers to them for DNS. It does sound much easier and safer though so will have to consider it
I am not sure I want to rely on Cloudflare too much
Totally understandable. It's good to be aware of future pitfalls, etc. I realize there are those who frown on Cloudflare, and I can see their point. For me, I'll use them for the time being, and monitor any policy changes, or future gotchas. Of course, it goes without saying, that we should be doing that anyways even for opensource software. Things change, motivations change, project direction changes.
There are similar alternatives to Cloudflare Tunnels/ZeroTrust. I have not tried every one of them so I cannot vouch for their usability. There is ngrok, which seems to be the most popular of the alternatives, and there is Pagekite, Zrok, Pinggy, Localtunnel. As far as selfhosted options, Nebula, SirTunnel, BoringProxy, Pangolin, and frp come to mind.
If it were me, and these were public facing businesses, I would go with something rock solid like Cloudflare, familiarize myself with the options, then monitor for policy changes.
Thank you, I really appreciate the responses and other options.
If you are using docker have you looked at Traefik to act as your reverse proxy to replace nginx proxy manager?
To be honest I forgot about it. I tried it two years ago when setting up my lab but struggled compared to NPM. Nowadays it seems like all the talk I used to hear about it is now about caddy.
Even back then caddy was being talked about. I don't use caddy because, at least back then, it was only free for non commercial use (unless you compile it yourself).
I've been using Traefik for even longer though and haven't ran into any major issues. Definitely recommend it.
I can recommend Caddy myself, it is dead simple to configure
NPM+ didn't work worth a damn for me. No proxies would forward, I have no clue why and couldn't figure it out. It was like I was turning knobs that weren't connected to anything. But YMMV.
Actually this happened to me about 6 months ago too - I wanted to switch to add crowdsec support but just could not get it to work so gave up and switched back to npm. I just assumed I wasn't doing it right and never got around to trying again
I thought it was pretty weird, so I tried again a while later; same result. I checked through issues and couldn't see anything, I figured it was just me. I tried because NPM was just full of error logs and was having some sort of shitfit, so I blew it out and rebuilt from scratch, now all is fine. But the NPM+ defeated me. I might have to try again just because.
Just use Nginx... It isn't that difficult, after all.
Or try any one of the "simplified" other proxies out there. I never seen the need for NPM anyway, as it just obfuscate nginx configuration stuff from your eyes.
You can check my wiki at https://wiki.gardiol.org/doku.php?id=selfhost%3Anginx
I wrote for my own benefit, and for others who might be interested.