Has anyone been able to get penpot to work with nginx proxy manager?.

Using:

• docker desktop on a mac
• default docker via the default docker-compose.yaml: tried updating the URI to my external URI
• Using Nginx Proxy Manager (GitHub - NginxProxyManager/nginx-proxy-manager: Docker container for managing Nginx proxy hosts with a simple, powerful interface) with a letsencrypt SSL cert for the URL.

I can access via http://localhost:9001, but not my external URL. It tries for a long time, but then gives me a 502: bad gateway. I have nginx proxy manager working successfully on 8 other docker containers. If anyone has this working, could you share the configuration you have that makes it work? TIA.

Could you share how the proxy host is set up (especially the internal IP and port), and whether the container is reachable from the proxy?

I removed the two recommended “disable” flags, Then, when preparing to gather the information you requested, I noticed the wrong IP address was in the configuration. I corrected it and now it works!

I’m running into a similiar issue trying to get this set-up in nginx proxy manager.

My docker compose file below:

docker-compose.yml

services:

  penpot-frontend:
    container_name: penpot-app
    image: "penpotapp/frontend:${PENPOT_VERSION:-latest}"
    volumes:
      - design_assets:/opt/data/assets
    depends_on:
      - penpot-backend
      - penpot-exporter
    networks:
      - penpot-net
      - nginx-proxy-manager
    environment:
      PENPOT_FLAGS: enable-prepl-server disable-email-verification disable-secure-session-cookies disable-csrf
      PENPOT_HTTP_SERVER_MAX_BODY_SIZE: 31457280
      PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE: 367001600
      PENPOT_PUBLIC_URI: https://domain.com
      PENPOT_BACKEND_URI: http://penpot-backend:6060
      PENPOT_EXPORTER_URI: http://penpot-exporter:6061
      PENPOT_HTTP_INSECURE: true
    restart: always

  penpot-backend:
    image: "penpotapp/backend:${PENPOT_VERSION:-latest}"
    container_name: penpot-backend
    volumes:
      - design_assets:/opt/data/assets
    depends_on:
      penpot-postgres:
        condition: service_healthy
      penpot-valkey:
        condition: service_healthy
    networks:
      - penpot-net
    environment:
      PENPOT_FLAGS: enable-prepl-server disable-email-verification disable-secure-session-cookies disable-csrf
      PENPOT_PUBLIC_URI: https://domain.com
      PENPOT_HTTP_SERVER_MAX_BODY_SIZE: 31457280
      PENPOT_HTTP_SERVER_MAX_MULTIPART_BODY_SIZE: 367001600
      PENPOT_SECRET_KEY: <redacted>
      PENPOT_DATABASE_URI: postgresql://penpot-postgres/penpot
      PENPOT_DATABASE_USERNAME: penpot
      PENPOT_DATABASE_PASSWORD: <redacted>
      PENPOT_REDIS_URI: redis://penpot-valkey/0
      PENPOT_ASSETS_STORAGE_BACKEND: assets-fs
      PENPOT_STORAGE_ASSETS_FS_DIRECTORY: /opt/data/assets
      PENPOT_TELEMETRY_ENABLED: true
      PENPOT_TELEMETRY_REFERER: compose
      PENPOT_HTTP_INSECURE: true
    restart: always

  penpot-exporter:
    image: "penpotapp/exporter:${PENPOT_VERSION:-latest}"
    container_name: penpot-exporter
    depends_on:
      penpot-valkey:
        condition: service_healthy
    networks:
      - penpot-net
    environment:
      PENPOT_PUBLIC_URI: https://domain.com
      PENPOT_REDIS_URI: redis://penpot-valkey/0
    restart: always

  penpot-postgres:
    image: postgres:15
    restart: always
    stop_signal: SIGINT
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U penpot"]
      interval: 2s
      timeout: 10s
      retries: 5
      start_period: 2s
    volumes:
      - design_db:/var/lib/postgresql/data
    networks:
      - penpot-net
    environment:
      - POSTGRES_INITDB_ARGS=--data-checksums
      - POSTGRES_DB=penpot
      - POSTGRES_USER=penpot
      - POSTGRES_PASSWORD=<redacted

  penpot-valkey:
    image: valkey/valkey:8.1
    container_name: penpot-valkey
    restart: always
    healthcheck:
      test: ["CMD-SHELL", "valkey-cli ping | grep PONG"]
      interval: 1s
      timeout: 3s
      retries: 5
      start_period: 3s
    networks:
      - penpot-net

volumes:
  design_assets:
  design_db:

networks:
  penpot-net:
    driver: bridge
    name: penpot-net
  nginx-proxy-manager:
    external: true

Proxy Host config in Nginx Proxy Manager:

In NPM Proxy Host → Details:

In Custom locations:

No Changes

In SSL:

• Valid cert (via Let’s Encrypt)
• Force SSL
• HTTP/2

In Advanced → Custom Nginx Cinfiguration:

client_max_body_size 31457280;

With this set-up I can reach pentpot at https://domain.com
but anything that tries to reach the api fails, i.e creating new user, trying to login. Main page does not redirect to login page instead I get:

I have to manually go to https://domain.com/#/auth/login login with manually created user from cli fails

Contents from report.txt:

Hint:    repository request error
Prof ID: --
Team ID: --

Data:
{:type :internal,
 :hint "repository request error",
 :headers
 {"content-length" "54958",
  "content-type" "text/html",
  "date" "Mon, 14 Jul 2025 09:17:50 GMT",
  "etag" "\"66c44d65-d6ae\"",
  "server" "openresty"},
 :status 401,
 :code :repository-access-error,
 :uri "https://domain/api/rpc/command/get-teams",
 :data "(...)"}

Trace:
Error: repository request error
  at new PENPOT.eh (https://domain/js/shared.accd5226d-1752136353.js:306:97)
  at PENPOT.fh (https://domain/js/shared.accd5226d-1752136353.js:306:419)
  at PENPOT.gh (https://domain/js/shared.accd5226d-1752136353.js:306:372)
  at PENPOT.z_a (https://domain/js/shared.accd5226d-1752136353.js:1496:461)
  at https://domain/js/shared.accd5226d-1752136353.js:1254:242
  at _ (https://domain/js/libs.js?ts=1752136907700:757:16436)
  at e.f [as _nextOverride] (https://domain/js/libs.js?ts=1752136907700:757:16386)
  at e.htr [as _next] (https://domain/js/libs.js?ts=1752136907700:757:1873)
  at e.next (https://domain/js/libs.js?ts=1752136907700:757:1370)
  at e.next [as _nextOverride] (https://domain/js/libs.js?ts=1752136907700:757:13985)
  at e.htr [as _next] (https://domain/js/libs.js?ts=1752136907700:757:1873)
  at e.next (https://domain.com/js/libs.js?ts=1752136907700:757:1370)
  at e.next [as _nextOverride] (https://domain.com/js/libs.js?ts=1752136907700:757:13985)
  at e.htr [as _next] (https://domain.com/js/libs.js?ts=1752136907700:757:1873)
  at e.next (https://domain.com/js/libs.js?ts=1752136907700:757:1370)
  at https://domain.com/js/libs.js?ts=1752136907700:757:4469

Last events:
[":app.plugins/initialize"
 ":app.main.data.profile/fetch-profile"
 ":app.main.data.profile/refresh-profile"
 ":app.main/initialize"
 ":app.main.data.profile/profile-fetched"
 ":app.main.router/initialize-router"
 ":app.main.router/initialize-history"
 ":app.main.ui.routes/init-routes"
 ":app.main.data.event/event"
 ":app.main.router/navigated"]

Trying to reach https://domain.com/api/rpc/command/get-teams gives 401: Unauthorized

Adding external port to my docker-compose.yml file allows me to:

ports:
  - 9999:8080

• Reach penpot at http://ip-address:9999 (Also forwarding to login page works).
• Reach api at http://ip-address:9999/api/rpc/command/get-teams
• Login at http://ip-address:9999/#/auth/login

I’ve tried copying some common template nginx configs into Nginx Proxy Manager without luck. Hopefully someone has an example out there I can use as a reference?

So after much hand-wringing, I solved the problem by turning the “websockets support” switch on. All issues solved.