forked from NginxProxyManager/nginx-proxy-manager
-
Notifications
You must be signed in to change notification settings - Fork 29
/
Copy pathcompose.yaml
183 lines (178 loc) · 14.8 KB
/
compose.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
services:
npmplus:
container_name: npmplus
image: docker.io/zoeyvid/npmplus:latest # or ghcr.io/zoeyvid/npmplus:latest
restart: always
network_mode: host
# ipc: service:openappsec-agent # required when you want to use the openappsec attachment module
# privileged: true # required if you set NGINX_QUIC_BPF to true
volumes:
- "/opt/npmplus:/data"
# - "/var/www:/var/www" # optional, if you want to use NPMplus directly as webserver for html/php
# - "/path/to/old/npm/letsencrypt/folder:/etc/letsencrypt" # Only needed for first time migration from original nginx-proxy-manager to this fork
environment:
- "TZ=your-timezone" # set timezone, required, set it to one of the values from the "TZ identifier" https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
- "ACME_EMAIL=your-email" # email address which should be used for acme, currently optional, may be required in the future, so I recommend you to enter your email here, optional for letsencrypt, but required for zerossl and google public ca
# - "ACME_SERVER=https://dv.acme-v02.api.pki.goog/directory (google public ca) / https://acme.zerossl.com/v2/DV90 (zerossl)" # acme server used when requesting/renewing certs using certbot, default is set to: https://acme-v02.api.letsencrypt.org/directory (letsencrypt)
# - "ACME_EAB_KID=123456789abcdef" # Key Identifier for External Account Binding for the acme server, not supported by letsencrypt, optional for zerossl (Login on theier site => Developer), but required for google public ca: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial?hl=de#request-key-hmac
# - "ACME_EAB_HMAC_KEY=123456789abcdef" # HMAC key for External Account Binding for the acme server, not supported by letsencrypt, optional for zerossl (Login on theier site => Developer), but required for google public ca: https://cloud.google.com/certificate-manager/docs/public-ca-tutorial?hl=de#request-key-hmac
# - "ACME_MUST_STAPLE=true" # enables must-staple, default false, I recommend you to enable this if your CA supports it, supported by zerossl, google public ca ignores this, unsupported by letsencrypt (will fail)
# - "ACME_OCSP_STAPLING=false" # enables ocsp stapling, default true, I recommend you to enable this if your CA supports it, supported by zerossl and google public ca, unsupported by letsencrypt certs created after May 7, 2025 (will create warning in your log, default value will change then)
# - "ACME_KEY_TYPE=rsa" # which key type to use ecdsa or rsa, default and recommended: ecdsa
# - "ACME_SERVER_TLS_VERIFY=false" # enables checking if ACME_SERVER has a valid TLS cert, default true
# - "CUSTOM_OCSP_STAPLING=true" # enables ocsp stapling for custom certs, default false, I recommend you to enable this if your custom certs support it
# - "NGINX_LOAD_OPENAPPSEC_ATTACHMENT_MODULE=true" # loads the openappsec attachment module, you also need to set ipc for NPMplus in this composse file
# - "PUID=1000" # set group id, needs to be a number greater or equal to 99, or equal to 0, default 0 (root)
# - "PGID=1000" # set user id, needs to be a number greater or equal to 99, or equal to 0, default 0 (root), requires PUID to be not 0
# - "NIBEP=48682" # internal port of the NPMplus API, always bound to 127.0.0.1, default 48681, you need to change it, if you want to run multiple npm instances in network mode host
# - "GOAIWSP=48692" # internal port of goaccess, always bound to 127.0.0.1, default 48691, you need to change it, if you want to run multiple npm with goaccess instances in network mode host
# - "NPM_PORT=82" # Port the NPM UI should be bound to, default 81, you need to change it, if you want to run multiple npm instances in network mode host
# - "GOA_PORT=92" # Port the goaccess should be bound to, default 91, you need to change it, if you want to run multiple npm with goaccess instances in network mode host
# - "IPV4_BINDING=127.0.0.1" # IPv4 address to bind, defaults to all
# - "NPM_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the NPM UI, defaults to all
# - "GOA_IPV4_BINDING=127.0.0.1" # IPv4 address to bind for the goaccess, defaults to all
# - "IPV6_BINDING=[::1]" # IPv6 address to bind, defaults to all
# - "NPM_IPV6_BINDING=[::1]" # IPv6 address to bind for the NPM UI, defaults to all
# - "GOA_IPV6_BINDING=[::1]" # IPv6 address to bind for goaccess, defaults to all
# - "DISABLE_IPV6=true" # fully disables listing on IPv6 and the IPv6 resolver of nginx, overrides IPV6_BINDING/NPM_IPV6_BINDING/GOA_IPV6_BINDING, default false
# - "NPM_LISTEN_LOCALHOST=true" # Binds the NPM UI only to localhost, overrides NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
# - "GOA_LISTEN_LOCALHOST=true" # Binds goaccess only to localhost, overrides NPM_IPV4_BINDING/NPM_IPV6_BINDING, default false
# - "DEFAULT_CERT_ID=1" # ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts
# - "HTTP_PORT=8080" # tcp port to use for http traffic, changing this may breaks certbot http challenge, default 80
# - "HTTPS_PORT=8443" # udp and tcp port to use for https traffic, this also needs to be changed if you don't use network_mode host to keep http3/quic working, changing this may breaks certbot http challenge, default 443
# - "DISABLE_HTTP=true" # disables nginx to listen on port 80, default false
# - "DISABLE_H3_QUIC=true" # disables nginx to listen on port 443 udp for default host and all your hosts, this will fully disable HTTP/3 and QUIC, even if you enable it inside the UI, not recommended, default false
# - "NGINX_QUIC_BPF=true" # enables nginxs quic_bpf (https://nginx.org/en/docs/http/ngx_http_v3_module.html#quic_bpf), you also need to to give the NPMplus container privileged permissions to use this, default false
# - "NGINX_LOG_NOT_FOUND=true" # Allow logging of 404 errors, default false
# - "NGINX_404_REDIRECT=true" # Redirect to / instead of showing a 404 error page, default false
# - "NGINX_HSTS_SUBDMAINS=false" # when enabling security headers, also enable hsts for subdomains, default true
# - "X_FRAME_OPTIONS=sameorigin" # value to use for the X-Frame-Options header when enabling security headers, valid is deny, sameorigin and none (means unset), default deny, since this applies to all hosts I recommend you to instead keep the default and only change it for hosts which need it using the advanced config and more_set_headers
# - "NGINX_DISABLE_PROXY_BUFFERING=true" # Disables the proxy_buffering/proxy_request_buffering options of nginx, default false, may not work if you use crowdsec/appsec
# - "NGINX_WORKER_PROCESSES=8" value of worker_processes, default and recommended: auto
# - "DISABLE_NGINX_BEAUTIFIER=true" # disables nginxbeautifier, useful when it fails parsing non-standard configs, default false
# - "FULLCLEAN=true" # Clean unused config folders, default false
# - "SKIP_IP_RANGES=true" # Skip feteching/whitelisting ip ranges from aws and cloudflare, default false
# - "LOGROTATE=true" # Enables writing http access logs to /opt/npmplus/nginx/access.log, stream access logs to /opt/npmplus/nginx/stream.log and enables daily logrotation, default false
# - "LOGROTATIONS=7" # Set how often the access.log should be rotated until it is deleted, default 3
# - "CRT=36" # Set how many hours should be between certbot trying to renew your certs, default 24
# - "IPRT=3" # Set how many hours should be between updating ip ranges from aws and cloudflare, default 1, ignored when SKIP_IP_RANGES is true
# - "GOA=true" # Enables goaccess, requires LOGROTATE, default false --- if you download the GeoLite2-Country.mmdb, GeoLite2-City.mmdb AND GeoLite2-ASN.mmdb file from MaxMind and place them in /opt/npmplus/goaccess/geoip it will automatically enable GeoIP in goaccess after restarting NPMplus (no need to change GOACLA below), you may also enable the geoipupdate container below (please change the timezone)
# - "GOACLA=--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=2 --keep-last=7 --with-output-resolver --no-query-string" # Arguments that should be passed to goaccess, default: --agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string
# - "PHP82=true" # Activate PHP82, default false
# - "PHP82_APKS=php82-curl php82-openssl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php82-*, default none, requires PHP82
# - "PHP83=true" # Activate PHP83, default false
# - "PHP83_APKS=php83-curl php83-openssl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php83-*, default none, requires PHP83
# - "PHP84=true" # Activate PHP84, default false
# - "PHP84_APKS=php84-curl php84-openssl" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php84-*, default none, requires PHP84
# - "PHP_APKS=php-pecl-apcu php-pecl-redis" # Add php extensions, see available packages here: https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php-*, default none, requires PHP82, PHP83 and/or PHP84, not recommended, please use PHP82_APKS, PHP83_APKS or PHP84_APKS
# - "INITIAL_ADMIN_EMAIL=initial-email" # email to use instead of [email protected] on first start of NPMplus for the initial user
# - "INITIAL_ADMIN_PASSWORD=initial-password" # password to use instead of iArhP1j7p1P6TA92FA2FMbbUGYqwcYzxC4AVEe12Wbi94FY9gNN62aKyF1shrvG4NycjjX9KfmDQiwkLZH1ZDR9xMjiG2QmoHXi on first start of NPMplus for the initial user
# - "INITIAL_DEFAULT_PAGE=444" # default page to set on first start of NPMplus for the initial user, default congratulations, can be one of: 404, 444, redirect, congratulations or html
# This can be used with DISABLE_HTTP=true, to force HTTPS redirects for every host
# npmplus-caddy:
# container_name: npmplus-caddy
# image: docker.io/zoeyvid/npmplus:caddy
# restart: always
# network_mode: bridge
# ports:
# - "80:80"
# environment:
# - "TZ=your-timezone"
# This can be used with GOA=true, to keep the geopip database updated, you need to change the envs to make it work
# geoipupdate:
# container_name: npmplus-geoipupdate
# image: docker.io/maxmindinc/geoipupdate:latest
# restart: always
# network_mode: bridge
# environment:
# - "TZ=your-timezone" # needs to be changed
# - "GEOIPUPDATE_EDITION_IDS=GeoLite2-Country GeoLite2-City GeoLite2-ASN"
# - "GEOIPUPDATE_ACCOUNT_ID=<your-account-id>" # needs to be changed
# - "GEOIPUPDATE_LICENSE_KEY=<your-license-key>" # needs to be changed
# - "GEOIPUPDATE_FREQUENCY=24"
# volumes:
# - "/opt/npmplus/goaccess/geoip:/usr/share/GeoIP"
# This can be used to enable crowdsec, see README for a guide
# crowdsec:
# container_name: crowdsec
# image: docker.io/crowdsecurity/crowdsec:latest
# restart: always
# network_mode: bridge
# ports:
# - "127.0.0.1:7422:7422"
# - "127.0.0.1:8080:8080"
# environment:
# - "TZ=your-timezone" # needs to be changed
# - "COLLECTIONS=ZoeyVid/npmplus"
# volumes:
# - "/opt/crowdsec/conf:/etc/crowdsec"
# - "/opt/crowdsec/data:/var/lib/crowdsec/data"
# - "/opt/npmplus/nginx:/opt/npmplus/nginx:ro"
# - "/var/run/docker.sock:/var/run/docker.sock:ro"
# This can be used to run openappsec, you also need to set NGINX_LOAD_OPENAPPSEC_ATTACHMENT_MODULE to true and set ipc for NPMplus
# openappsec-agent:
# container_name: openappsec-agent
# image: ghcr.io/openappsec/agent:latest
# restart: always
# ipc: shareable
# volumes:
# - "/opt/openappsec/conf:/etc/cp/conf"
# - "/opt/openappsec/data:/etc/cp/data"
# - "/opt/openappsec/logs:/var/log/nano_agent"
# - "/opt/openappsec/localconf:/ext/appsec" # if you don't set AGENT_TOKEN, then please put a local_policy.yaml in the /opt/openappsec/localconf folder before deploying
# - "/opt/openappsec/open-appsec-advanced-model.tgz:/advanced-model/open-appsec-advanced-model.tgz" # optional, if you want to use a different model
# environment:
# - "TZ=your-timezone" # needs to be changed
# - "autoPolicyLoad=true"
# - "registered_server=NPMplus"
# - "user_email=your-email" # optional, not sure what they do exactly with it, but it should work fine without it
# - "AGENT_TOKEN=abc" # optional, can be set if you use theier webinterface, if you leave this commented, please uncomment all other openappsec containers below, see: https://docs.openappsec.io/getting-started/using-the-web-ui-saas/create-a-profile
# - "SHARED_STORAGE_HOST=openappsec-shared-storage" # uncomment if you don't set AGENT_TOKEN
# - "LEARNING_HOST=openappsec-smartsync" # uncomment if you don't set AGENT_TOKEN
# - "TUNING_HOST=openappsec-tuning-svc" # uncomment if you don't set AGENT_TOKEN
# command: /cp-nano-agent
# uncomment if you don't set AGENT_TOKEN
# openappsec-smartsync:
# container_name: openappsec-smartsync
# image: ghcr.io/openappsec/smartsync:latest
# restart: always
# environment:
# - "TZ=your-timezone" # needs to be changed
# - "SHARED_STORAGE_HOST=openappsec-shared-storage"
# depends_on:
# - openappsec-shared-storage
# openappsec-shared-storage:
# container_name: openappsec-shared-storage
# image: ghcr.io/openappsec/smartsync-shared-files:latest
# restart: always
# ipc: service:openappsec-agent
# user: root # if you do not want to run this container as "root" user you can comment it out and instead run the following command after the deployment: docker exec -u root openappsec-shared-storage chown -R appuser:appuser /db
# environment:
# - "TZ=your-timezone" # needs to be changed
# volumes:
# - "/opt/openappsec/storage:/db"
# openappsec-tuning-svc:
# container_name: openappsec-tuning-svc
# image: ghcr.io/openappsec/smartsync-tuning:latest
# restart: always
# environment:
# - "TZ=your-timezone" # needs to be changed
# - "SHARED_STORAGE_HOST=openappsec-shared-storage"
# - "QUERY_DB_HOST=openappsec-db"
# - "QUERY_DB_PASSWORD=password" # replace with something secure, should match POSTGRES_PASSWORD from openappsec-db container
# - "QUERY_DB_USER=appsec"
# volumes:
# - "/opt/openappsec/conf:/etc/cp/conf"
# depends_on:
# - openappsec-shared-storage
# - openappsec-db
# openappsec-db:
# image: postgres
# container_name: openappsec-db
# restart: always
# environment:
# - "TZ=your-timezone" # needs to be changed
# - "POSTGRES_PASSWORD=password" # replace with something secure, should match QUERY_DB_PASSWORD from openappsec-tuning-svc container
# - "POSTGRES_USER=appsec"
# volumes:
# - "/opt/openappsec/pgdb:/var/lib/postgresql/data"