
Is the docker network the best practice? Why would one want double NAT? How to change default ports

Open atais opened this issue 2 months ago • 1 comments

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug

Why is https://nginxproxymanager.com/advanced-config/#best-practice-use-a-docker-network considered "best practice"?

I am now using the docker network to connect all my internal services on a NAS, but actually this setup makes my life much harder because of the docker network's NAT.

  1. My internal network is 192.168.100.0/24
  2. Docker internal network is 172.29.16.0/24
  3. I can't use access list rules, because all the IPs are being translated to the docker IP
  4. I don't see correct IPs on audit log in my apps
  5. but the benefit is that it's easier to connect the services :D

I am no network master but I have a technical background. I have consulted ChatGPT and the docker network is essentially a double NAT and it's "expected behaviour", but I would consider this a major downside of this "best practice".

On the other hand, I can't run network_mode: host because the ports 80, 81, 443 are occupied on my system. So it would be extremely useful to me if I could change the default ports by using ENV values.

Nginx Proxy Manager Version

2.13.5

Expected behavior

  • I'd like to see the original IP in my logs
  • Access List rules IPs should work
  • change default ports with ENV values

Operating System

QNAP NAS

NAT References:

  • https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3671

Port References:

  • https://github.com/NginxProxyManager/nginx-proxy-manager/issues/4748
  • https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3671

atais avatar Dec 03 '25 08:12 atais
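
A way to confirm the symptom described in points 3 and 4 of the post above, as an added example that is not part of the original issue or the project's code: it counts which subnet the logged client addresses fall in and evaluates a LAN-only allow rule against them. The two subnets come from the post; the log lines are constructed, and the log layout (client address as the first field, as in nginx's combined format) and all function names are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Subnets quoted in the issue text.
LAN = ipaddress.ip_network("192.168.100.0/24")
DOCKER = ipaddress.ip_network("172.29.16.0/24")

# Constructed sample lines (not real logs); assumed layout: client address first.
SAMPLE_LOG = """\
172.29.16.1 - - [03/Dec/2025:08:01:10 +0000] "GET / HTTP/1.1" 200 512 "-" "curl/8.5.0"
172.29.16.1 - - [03/Dec/2025:08:01:12 +0000] "GET /admin HTTP/1.1" 403 153 "-" "Mozilla/5.0"
172.29.16.1 - - [03/Dec/2025:08:02:40 +0000] "GET /api HTTP/1.1" 200 87 "-" "Mozilla/5.0"
"""
FIRST_FIELD = re.compile(r"^(\S+)\s")

def classify(addr):
    """Return 'docker', 'lan' or 'other' for one logged address."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on garbage
    if ip in DOCKER:
        return "docker"
    if ip in LAN:
        return "lan"
    return "other"

def summarize(log_text):
    """Count logged client addresses per subnet class."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FIRST_FIELD.match(line)
        if not m:
            continue
        try:
            counts[classify(m.group(1))] += 1
        except ValueError:
            counts["unparsed"] += 1
    return counts

def source_ip_masked(counts, threshold=0.9):
    """True when nearly every request appears to come from the Docker subnet."""
    total = sum(counts.values())
    return total > 0 and counts["docker"] / total >= threshold

def allowed(addr, allow_nets):
    """Evaluate an IP allow rule the way an access list would: by source address."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in allow_nets)

if __name__ == "__main__":
    c = summarize(SAMPLE_LOG)
    print(dict(c), "masked:", source_ip_masked(c), "LAN rule matches:", allowed("172.29.16.1", [LAN]))
```

With every request logged as 172.29.16.1, a rule that allows only 192.168.100.0/24 never matches, which is the access-list failure the post reports.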

If you change the default 80/443, the result is that you always need to add the port, like "https://your.adress:4443". That's why I put my NPM in macvlan. Have you already considered or tried this option?

I also do it on my Syno because 80/443 are also occupied - works fine.

Lyxon1337 avatar Dec 06 '25 07:12 Lyxon1337

Well, simply reroute it properly on your router:

incoming 80 -> your.npm.ip.here:480
incoming 443 -> your.npm.ip.here:4443

That is the way to do it, so you don't need the ports.

> That's why I put my NPM in macvlan.

If you put it into macvlan, NPM loses the original calling IP and all the access logs show the NAT IP (from the VLAN) instead of the original caller's IP, which is bad for security.

Also, IP-based security does not work.

atais avatar Dec 11 '25 18:12 atais