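# Environment settings for NPMplus.
# Lines of the form "#NAME=value" are disabled examples; remove the leading "#" to enable one.
# Keep comments on their own lines: text placed after a value may be read as part of the value.
# ACME_EAB_HMAC_KEY, INITIAL_ADMIN_PASSWORD and OIDC_CLIENT_SECRET hold credentials: once they are
# filled in, keep this file out of version control and readable only by the user deploying it.

# set timezone, required, set it to one of the values from the "TZ identifier" column:
# https://en.wikipedia.org/wiki/List_of_tz_database_time_zones#List
TZ=Europe/Zagreb

# email address which should be used for acme, currently optional, may be required in the future,
# so I recommend you to enter your email here
# optional for letsencrypt, but required for zerossl and google public ca
ACME_EMAIL=ssl@netst.org

# acme server used when requesting/renewing certs using certbot
# default is set to: https://acme-v02.api.letsencrypt.org/directory (letsencrypt)
# enable at most one of the following lines
# google public ca:
#ACME_SERVER=https://dv.acme-v02.api.pki.goog/directory
# zerossl:
#ACME_SERVER=https://acme.zerossl.com/v2/DV90

# Key Identifier for External Account Binding for the acme server
# not supported by letsencrypt, optional for zerossl (Login on their site => Developer),
# but required for google public ca:
# https://cloud.google.com/certificate-manager/docs/public-ca-tutorial?hl=de#request-key-hmac
#ACME_EAB_KID=123456789abcdef

# HMAC key for External Account Binding for the acme server
# not supported by letsencrypt, optional for zerossl (Login on their site => Developer),
# but required for google public ca:
# https://cloud.google.com/certificate-manager/docs/public-ca-tutorial?hl=de#request-key-hmac
# this is a secret bound to your CA account; the value below is only a placeholder
#ACME_EAB_HMAC_KEY=123456789abcdef

# enables must-staple, default false, I recommend you to enable this if your CA supports it
# supported by zerossl, google public ca ignores this, unsupported by letsencrypt (will fail)
# overrides ACME_OCSP_STAPLING to true
#ACME_MUST_STAPLE=true

# enables ocsp stapling, default false, I recommend you to enable this if your CA supports it
# supported by zerossl and google public ca
#ACME_OCSP_STAPLING=true

# sets the profile to be used from the acme server, default is "none" (so the default profile)
# supported by letsencrypt (https://letsencrypt.org/docs/profiles)
# if you use letsencrypt I would recommend the "shortlived" profile, until it is public you should
# use the "tlsserver" profile
# note: both are limited to 25 domains per cert instead of 100 like the "classic" (default) profile
#ACME_PROFILE=shortlived

# which key type to use ecdsa or rsa, default and recommended: ecdsa
#ACME_KEY_TYPE=rsa

# enables checking if ACME_SERVER has a valid TLS cert, default and recommended true
# with verification off, the identity of the acme server is not checked, so anything able to
# intercept the connection can answer in its place; only turn it off for a test/internal CA
#ACME_SERVER_TLS_VERIFY=false

# enables ocsp stapling for custom certs, default false, I recommend you to enable this if your
# custom certs support it
#CUSTOM_OCSP_STAPLING=true

# set user id, needs to be a number greater or equal to 99, or equal to 0, default 0 (root)
# a non-root id limits what a compromised process inside the container can do
#PUID=1000

# set group id, needs to be a number greater or equal to 99, or equal to 0, default 0 (root),
# requires PUID to be not 0
#PGID=1000

# Port the NPM UI should be bound to, default 81
# you need to change it, if you want to run multiple npm instances in network mode host
#NPM_PORT=82

# Port the goaccess should be bound to, default 91
# you need to change it, if you want to run multiple npm with goaccess instances in network mode host
#GOA_PORT=92

# IPv4 address to bind, defaults to all
#IPV4_BINDING=127.0.0.1

# IPv4 address to bind for the NPM UI, defaults to all
# the NPM UI is the admin interface; unless it has to be reachable from other machines, restrict it
# here (and in NPM_IPV6_BINDING) or with NPM_LISTEN_LOCALHOST
#NPM_IPV4_BINDING=127.0.0.1

# IPv4 address to bind for the goaccess, defaults to all
# the reports are built from your access logs, so the same consideration applies as for the NPM UI
#GOA_IPV4_BINDING=127.0.0.1

# IPv6 address to bind, defaults to all
#IPV6_BINDING=[::1]

# IPv6 address to bind for the NPM UI, defaults to all
#NPM_IPV6_BINDING=[::1]

# IPv6 address to bind for goaccess, defaults to all
#GOA_IPV6_BINDING=[::1]

# fully disables listening on IPv6 and the IPv6 resolver of nginx
# overrides IPV6_BINDING/NPM_IPV6_BINDING/GOA_IPV6_BINDING, default false
#DISABLE_IPV6=true

# Binds the NPM UI only to localhost (IPv4+IPv6), overrides NPM_IPV4_BINDING/NPM_IPV6_BINDING,
# default false
#NPM_LISTEN_LOCALHOST=true

# Binds goaccess only to localhost (IPv4+IPv6), overrides GOA_IPV4_BINDING/GOA_IPV6_BINDING,
# default false
#GOA_LISTEN_LOCALHOST=true

# ID of cert, which should be used instead of dummycerts, default 0/unset/dummycerts
#DEFAULT_CERT_ID=1

# tcp port to use for http traffic, changing this may break certbot http challenge, default 80
#HTTP_PORT=8080

# udp and tcp port to use for https traffic, changing this may break certbot http challenge,
# default 443
#HTTPS_PORT=8443

# stops nginx from listening on port 80, default false
#DISABLE_HTTP=true

# should listeners of http(s) hosts (proxy/redirect/dead and default) use proxy protocol instead
# of http(s)? default false, overrides DISABLE_H3_QUIC to true
# the proxy protocol header is where the client address comes from, so only enable this (or the two
# variants below) when these listeners are reachable exclusively from your own proxy/load balancer
#LISTEN_PROXY_PROTOCOL=true

# use proxy protocol for http listeners only, default false
#LISTEN_PROXY_PROTOCOL_HTTP=true

# use proxy protocol for https listeners only, default false, overrides DISABLE_H3_QUIC to true
#LISTEN_PROXY_PROTOCOL_HTTPS=true

# stops nginx from listening on port 443 udp for default host and all your hosts, this will fully
# disable HTTP/3 and QUIC, even if you enable it inside the UI, not recommended, default false
#DISABLE_H3_QUIC=true

# enables nginx's quic_bpf (https://nginx.org/en/docs/http/ngx_http_v3_module.html#quic_bpf)
# you also need to add caps to the NPMplus container (BPF, PERFMON, NET_ADMIN) to use this,
# recommended, default false
# note: these capabilities widen what the container is allowed to do on the host kernel
#NGINX_QUIC_BPF=true

# Log 404 errors to the docker logs, unrelated to access logs, default false
#NGINX_LOG_NOT_FOUND=true

# value of worker_processes, default and recommended: auto
#NGINX_WORKER_PROCESSES=8

# value of worker_connections, default: 512
#NGINX_WORKER_CONNECTIONS=1024

# forces X25519MLKEM768 as only key exchange, overrides NGINX_DISABLE_TLS12 to true and
# NGINX_TRUST_SECPR1 to false, default false
#NGINX_FORCE_X25519MLKEM768=true

# disables TLS 1.2, only TLS 1.3 will be available, default false
#NGINX_DISABLE_TLS12=true

# trust secp256r1 (prime256v1) curve, default true
#NGINX_TRUST_SECPR1=false

# disables nginxbeautifier, useful when it fails parsing non-standard custom/advanced configs,
# default false
#DISABLE_NGINX_BEAUTIFIER=true

# trust and whitelist cloudflare ip ranges, default false
# only enable this if your hosts are actually proxied through cloudflare
#TRUST_CLOUDFLARE=true

# Enables writing http access logs to /opt/npmplus/nginx/access.log, stream access logs to
# /opt/npmplus/nginx/stream.log and enables daily logrotation, default false
#LOGROTATE=true

# Set how often the access.log should be rotated until it is deleted, default 3
#LOGROTATIONS=7

# Set how many hours should be between certbot trying to renew your certs, default 3
#CRT=72

# Enables goaccess (and overrides LOGROTATE to true), default false
# if you download the GeoLite2-Country.mmdb, GeoLite2-City.mmdb AND GeoLite2-ASN.mmdb file from
# MaxMind and place them in /opt/npmplus/goaccess/geoip it will automatically enable GeoIP in
# goaccess after restarting NPMplus (no need to change GOACLA below), you may also enable the
# geoipupdate container below (please change the timezone)
#GOA=true

# Arguments that should be passed to goaccess, default:
# --agent-list --real-os --double-decode --anonymize-ip --anonymize-level=1 --keep-last=30 --with-output-resolver --no-query-string
# if you replace the defaults, keep --anonymize-ip and --no-query-string unless you really need
# full client addresses and query strings in the reports
#GOACLA=--agent-list --real-os --double-decode --anonymize-ip --anonymize-level=2 --keep-last=7 --with-output-resolver --no-query-string

# Activate PHP83, default false, supported, but not recommended, you should prefer to use a
# dedicated php-fpm container
#PHP83=true

# Add php extensions, also enables PHP83, see available packages here:
# https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php83-*
# default none, requires PHP83
#PHP83_APKS=php83-curl php83-openssl

# Activate PHP84, default false, supported, but not recommended, you should prefer to use a
# dedicated php-fpm container
#PHP84=true

# Add php extensions, also enables PHP84, see available packages here:
# https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php84-*
# default none, requires PHP84
#PHP84_APKS=php84-curl php84-openssl

# Activate PHP85, default false, supported, but not recommended, you should prefer to use a
# dedicated php-fpm container
#PHP85=true

# Add php extensions, also enables PHP85, see available packages here:
# https://pkgs.alpinelinux.org/packages?branch=v3.21&repo=community&arch=x86_64&name=php85-*
# default none, requires PHP85
#PHP85_APKS=php85-curl php85-openssl

# Add php extensions, default none, requires PHP83, PHP84 and/or PHP85, not recommended,
# please use PHP83_APKS, PHP84_APKS or PHP85_APKS
#PHP_APKS=php-pecl-apcu php-pecl-redis

# email to use instead of admin@example.org on first start of NPMplus for the initial user
#INITIAL_ADMIN_EMAIL=

# password to use instead of a random password which is logged on first start of NPMplus for the
# initial user
# either way the first password ends up somewhere readable (this file or the container logs),
# so change it in the UI after the first login and remove the value from here afterwards
#INITIAL_ADMIN_PASSWORD=

# default page to set on first start of NPMplus for the initial user, default congratulations,
# can be one of: 404, 444, redirect, congratulations or html
#INITIAL_DEFAULT_PAGE=444

# disable gravatar, default false
#DISABLE_GRAVATAR=true

# see readme, default off
#ENABLE_PRERUN=true

# loads the openappsec attachment module, you also need to set ipc and enable the shm-volume for
# NPMplus, this will fully disable brotli, default false
#NGINX_LOAD_OPENAPPSEC_ATTACHMENT_MODULE=true

# loads the geoip2 module, you need to configure this yourself, default false
#NGINX_LOAD_GEOIP2_MODULE=true

# loads the njs module (nginx JavaScript module), you need to configure this yourself, default false
#NGINX_LOAD_NJS_MODULE=true

# loads the ldap module, you need to configure this yourself, default false
#NGINX_LOAD_LDAP_MODULE=true

# loads the ntlm module, you need to configure this yourself, default false
#NGINX_LOAD_NTLM_MODULE=true

# loads the virtual host traffic status module, you need to configure this yourself, default false
#NGINX_LOAD_VHOST_TRAFFIC_STATUS_MODULE=true

# OIDC login for NPMplus admin UI, all four are required together or none
# OIDC_CLIENT_SECRET below is a placeholder: use the secret issued by your identity provider
#OIDC_REDIRECT_DOMAIN=npm.example.com
#OIDC_ISSUER_URL=https://auth.example.com
#OIDC_CLIENT_ID=npmplus
#OIDC_CLIENT_SECRET=secret

# require verified email for OIDC login, default true
#OIDC_REQUIRE_VERIFIED_EMAIL=true

# disable password login when OIDC is configured, default false
# confirm that the OIDC login works before enabling this, so you do not lock yourself out
#OIDC_DISABLE_PASSWORD=true

# Anubis bot challenge integration, upstream URL must not contain a path
#AUTH_REQUEST_ANUBIS_UPSTREAM=http://127.0.0.1:8923

# use custom anubis challenge images from /data/anubis/, default false
#AUTH_REQUEST_ANUBIS_USE_CUSTOM_IMAGES=true

# Tinyauth integration, both upstream and domain are required together
#AUTH_REQUEST_TINYAUTH_UPSTREAM=http://127.0.0.1:3000
#AUTH_REQUEST_TINYAUTH_DOMAIN=example.com

# Authelia integration, upstream URL must not contain a path
#AUTH_REQUEST_AUTHELIA_UPSTREAM=http://127.0.0.1:9091

# Authentik integration, upstream is required, domain is optional
#AUTH_REQUEST_AUTHENTIK_UPSTREAM=http://127.0.0.1:9000
#AUTH_REQUEST_AUTHENTIK_DOMAIN=example.com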