GUIDE: Setting Up NGinX Proxy Manager and Authentik for 2 Factor

Hi All,

Thought I would share this, if you are wanting to implement better security than just normal username / password.

You will require 2 projects for this to work. I recommend these 2 only because I help out with bug fixes, CVE fixes and features on both of these projects.

  1. Authentik - https://goauthentik.io/
  2. NginX Proxy Manager - https://nginxproxymanager.com/

Follow the documentation for Authentik and Nginx Proxy Manager. Once you have these installed, you can do the following to make them work for Manager.IO.

Nginx Proxy Manager Setup:

  1. Create a new Proxy Host.
     • Domain Names = external FQDN for manager.io
     • Forward Hostname / IP = internal host / port of your Manager.io instance inside your network
     • No need for Websockets as Manager.IO doesn’t use these
     • No need to Cache Assets, this could cause issues with caching and stale data
  2. Set up your SSL as required. This also means no SSL is required on the Manager.IO server, as you have just offloaded encryption to the Proxy Host.
     • If enabling SSL, ensure Force SSL is checked and HSTS is also enabled
  3. The Advanced tab is where you copy and paste the Nginx Proxy Manager configuration that Authentik generates.

Authentik Application Setup:

  1. Create a new Proxy Provider for Manager.IO. Ensure you set the External Host to the public FQDN of your Manager instance.
  2. Turn off Basic Authentication.
  3. It will then show you the configuration for Nginx Proxy Manager in a tab.
  4. Copy and paste this into the Nginx Proxy Manager config for your manager.io instance.

Let me know if you need any assistance, I can help out.

Coming soon, I’ll turn Manager.IO Server Edition with Nginx Proxy Manager into a full Docker Compose solution for rolling out on a Kubernetes cluster.

This looks interesting - many thanks for the pointer.
I’ll install Authentik and take a look (never used it before).
On the other hand I am familiar with the Nginx-Proxy-Manager.

Some people here have previously been minded to ‘dockerize’ Manager.io. I don’t know how successful those efforts were or not.

A couple of thoughts if I may please:
I find Kubernetes something of an expansive undertaking (for my use case anyway; a bit of a sledgehammer to crack a nut, if you follow me).

On the other hand, simply using Docker Compose most certainly gets my vote.

If I was to put Manager.io behind the Nginx-Proxy-Manager, then my preference would be to use a suitable Docker Network so that the Manager.io container resided within the same Docker Network as the Nginx-Proxy-Manager, as that way I would have no need to expose Manager.io’s open port to the outside world.

Finishing with a tangential question:
In your illustrations above, are you using a private network of some kind (Wireguard or Tailscale/Headscale or something along those lines)?

Same, docker-compose makes it easy to roll out for people who just want a single Docker host and to get up and running in minutes. Those who want something more advanced can just edit the compose file.

Correct, I would make a docker compose with this solution, using linked containers.

I just have them running as separate VMs within a virtual cluster at the moment using Proxmox. We run Manager.IO Server Edition on a Debian 12 virtual machine; “Authentik and Nginx Proxy Manager” are just containers with their Docker hosts running as VMs, all networking is bridged using Linux bridges at the moment using QinQ (VLAN within VLAN). Same datacenter, same network, for now!
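
A post-setup check for the proxy host built in the guide at the top of this thread, as an added example that is not part of the original posts or of either project: it takes captured responses and flags a missing HTTPS redirect, absent or short HSTS, an anonymous request that is not sent to Authentik, and a Manager port reachable around the proxy (the exposure raised in the Docker Network reply). The `/outpost.goauthentik.io/` prefix, the 180-day HSTS threshold, `manager.example.com` and the sample captures are assumptions made for the example.

```python
import re
from urllib.parse import urlsplit

# Assumption: the nginx snippet Authentik generates sends anonymous users to a
# path under this prefix. Change it if your generated config differs.
OUTPOST_PREFIX = "/outpost.goauthentik.io/"
MIN_HSTS_AGE = 15552000  # 180 days; threshold picked for this example

def header(headers, name):
    """Case-insensitive header lookup; returns "" when absent."""
    return next((v for k, v in headers.items() if k.lower() == name), "")

def hsts_max_age(headers):
    """max-age from Strict-Transport-Security, or None if absent or malformed."""
    m = re.search(r'max-age\s*=\s*"?(\d+)', header(headers, "strict-transport-security"), re.I)
    return int(m.group(1)) if m else None

def audit(fqdn, http_resp, https_resp, backend_reachable):
    """*_resp are (status, headers) captured with no cookies, redirects not followed.
    backend_reachable: Manager's own port answered from outside the proxy."""
    findings = []
    status, hdrs = http_resp
    loc = urlsplit(header(hdrs, "location"))
    if status not in (301, 302, 307, 308) or loc.scheme != "https" or loc.hostname != fqdn:
        findings.append("force-ssl: plain HTTP is not redirected to https://" + fqdn)
    status, hdrs = https_resp
    age = hsts_max_age(hdrs)
    if age is None or age < MIN_HSTS_AGE:
        findings.append("hsts: header missing or max-age below threshold")
    loc = urlsplit(header(hdrs, "location"))
    # The sign-in redirect may be relative or absolute, but must stay on this host.
    to_outpost = loc.path.startswith(OUTPOST_PREFIX) and loc.hostname in (None, fqdn)
    if status not in (302, 303, 307) or not to_outpost:
        findings.append("auth: anonymous request was not sent to Authentik sign-in")
    if backend_reachable:
        findings.append("bypass: Manager port reachable without going through the proxy")
    return findings

# Constructed sample captures, not taken from a real deployment.
FQDN = "manager.example.com"
GOOD = dict(http_resp=(301, {"Location": "https://manager.example.com/"}),
            https_resp=(302, {"Location": "/outpost.goauthentik.io/start?rd=%2F",
                              "Strict-Transport-Security": "max-age=63072000; preload"}),
            backend_reachable=False)
BAD = dict(http_resp=(200, {}), https_resp=(200, {}), backend_reachable=True)

if __name__ == "__main__":
    for name, sample in (("good", GOOD), ("bad", BAD)):
        print(name, audit(FQDN, **sample) or "OK")
```

Capture the two responses from outside your network with a client that sends no session cookie and does not follow redirects, then pass them to `audit()`.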