Nginx Proxy Manager (NPM)
Overview
Nginx Proxy Manager (NPM) is the public-facing HTTPS reverse proxy for the entire TorresVault ecosystem. It provides:
Centralized SSL termination (Let's Encrypt)
Clean domain names under torresvault.com
Secure exposure of selected services to the internet
Internal forwarding to LAN IPs
Access control & auditing
Simple UI for rapid updates
NPM is hosted on its own dedicated VM to maintain failure domain isolation, matching your preferred architecture (one app → one VM).
Deployment Details
Server: npm.torresvault.com
Internal IP: 192.168.1.99
Network: Default VLAN (1)
Runs under Docker Compose on Ubuntu
Automatic SSL renewals enabled
All upstream services use private LAN IPs (never exposed directly)
DNS + Reverse Proxy Flow
client → torresvault.com → Cloudflare → NPM (192.168.1.99) → internal service
Internal DNS uses Pi-hole for:
*.torresvault.com → LAN
in.torresvault.com → internal dashboard server
Services like ha.torresvault.com, jellyfin.torresvault.com, etc.
Configured Proxy Hosts
Below is the complete list of active reverse proxy entries extracted from your NPM UI:
Public Sites (HTTPS with Let's Encrypt)
NPM is responsible for:
Public-facing web entry point for all apps
Consolidated HTTPS security
Hiding all backend VM IPs
Enforcing access policy
Giving you a single source of truth for every external URL
This setup allows the entire ecosystem (Home Assistant, Nextcloud, Jellyfin, FPP, dashboards, and internal services) to remain cleanly organized and easily maintainable.
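Added example (not part of the original page or TorresVault's own tooling): a Python audit that checks proxy host entries against the rules this page states, namely upstreams on private LAN IPs only, a certificate on every host, and HTTPS enforced. The entries are constructed samples, and their field names are assumed to match an NPM proxy host export.

```python
import ipaddress

DOMAIN = "torresvault.com"  # zone named on this page
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample entries, not the real TorresVault proxy host list.
# Field names are assumed to match an NPM proxy host export; upstream IPs are made up.
SAMPLE_HOSTS = [
    {"domain_names": ["ha.torresvault.com"], "forward_host": "192.168.1.50",
     "certificate_id": 3, "ssl_forced": True},
    {"domain_names": ["jellyfin.torresvault.com"], "forward_host": "203.0.113.10",
     "certificate_id": 4, "ssl_forced": True},
    {"domain_names": ["in.torresvault.com"], "forward_host": "192.168.1.60",
     "certificate_id": 0, "ssl_forced": False},
]

def audit_host(entry):
    """Return a list of policy findings for one proxy host entry."""
    findings = []
    for name in entry["domain_names"]:
        if name != DOMAIN and not name.endswith("." + DOMAIN):
            findings.append(f"{name} is outside {DOMAIN}")
    upstream = entry["forward_host"]
    try:
        ip = ipaddress.ip_address(upstream)
    except ValueError:
        # A hostname upstream depends on DNS at request time, so it cannot be
        # confirmed as a LAN address from the entry alone.
        findings.append(f"upstream {upstream} is a hostname, not a LAN IP")
    else:
        if not any(ip in net for net in RFC1918):
            findings.append(f"upstream {upstream} is not an RFC 1918 address")
    if not entry.get("certificate_id"):
        findings.append("no certificate assigned")
    if not entry.get("ssl_forced"):
        findings.append("HTTP is not redirected to HTTPS")
    return findings

def audit(hosts):
    """Map each non-compliant entry (by its first domain) to its findings."""
    report = {}
    for entry in hosts:
        findings = audit_host(entry)
        if findings:
            report[entry["domain_names"][0]] = findings
    return report

if __name__ == "__main__":
    for host, findings in audit(SAMPLE_HOSTS).items():
        print(host, "->", "; ".join(findings))
```

The check uses the RFC 1918 ranges explicitly rather than `ipaddress`'s `is_private`, which also accepts loopback, link-local and documentation ranges.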
Future TorresVault 2.0 Enhancements
(These can be added to the Roadmap page)
Migrate NPM into Kubernetes (eventually) while still keeping a dedicated VM as fallback
Add Cloudflare Zero Trust for external access
Add automatic failover of NPM using VRRP/Keepalived between two mini-PC nodes
Move logging to centralized Loki/Grafana
Add staged/blue-green reverse proxy routing for HA upgrades

