Docker Nginx Proxy Manager network configuration issues on Proxmox LXC

I’m having trouble getting the network setup right for Nginx Proxy Manager running in Docker inside a Proxmox LXC container.

My current setup works but I’m seeing wrong IP addresses in my logs. When I check Nextcloud or Pi-hole access logs, they show the Docker gateway IP (172.29.0.1) instead of the real client IPs.

I tried configuring trusted proxies in Nextcloud config.php file. Setting it to 172.29.0.1 made logs show my LXC IP (10.0.0.253). But when I use 10.0.0.253 as trusted proxy, it goes back to showing 172.29.0.1.

I also tested using macvlan network for the proxy container. This fixed the IP logging issue and shows correct client addresses. However, now my other Docker services become unreachable because of macvlan isolation.

What’s the proper network configuration for running Nginx Proxy Manager in this setup? Since it only comes as a Docker image, I need to make it work within the container environment.

This happens because Docker’s default bridge network doesn’t play nice with LXC environments. Here’s what works: create a custom Docker network that matches your LXC subnet. Run docker network create --driver bridge --subnet=10.0.1.0/24 proxy-net and connect NPM to it. Then tell your backend services to trust the entire 10.0.0.0/24 range in their proxy settings. This fixes the 172.29.0.1 gateway IP issue without breaking container communication like macvlan does. For Nextcloud, add both your Docker subnet and LXC IP to trusted_proxies, then set up forwarded_for_headers with the standard proxy headers. The trick is working with your LXC network instead of against it. I’ve been running this setup for two years - real client IPs show up properly and everything stays connected.

Check your NPM proxy host settings under custom locations - add proxy_set_header Host $host;. Make sure you’re not double-proxying through the LXC. I run NPM with --net=host flag and it works fine, just change the webui port so it doesn’t conflict with host services.

Running NPM in LXC containers is tricky because Docker’s networking doesn’t preserve real client IPs through proxy layers. Instead of messing with trusted proxy chains, just install Nginx Proxy Manager directly on your LXC host. Skip Docker entirely - compile nginx with the modules you need or grab a static binary. Problem solved. If you’re stuck with Docker, create a custom bridge network with a predictable subnet. Then configure your apps to trust the entire Docker network CIDR instead of individual gateway addresses. Set trusted_proxies to cover both your LXC and Docker subnets. Or try host networking mode with --network host on the NPM container. You’ll lose Docker’s network isolation, but you’ll get real client IPs without dealing with macvlan headaches. Your other containers can stay on the default bridge and talk through localhost.

Been through this exact pain. Docker networking + proxies in LXC containers = IP logging hell every time.

Skip the manual nginx configs and proxy chains - automate everything instead. I built a workflow that watches for container starts, pulls their network info, and sets proxy headers automatically.

The key is monitoring Docker events and updating proxy configs on the fly. New service starts? It adds the right X-Forwarded-For headers and trusted proxy settings without you touching anything.

I automated the macvlan isolation fix too. Creates custom iptables rules so your macvlan proxy can talk to other Docker services while keeping real client IPs. Watches container health and tweaks networking when needed.

Set it once, forget it. New services get proper IP logging without breaking container communication.

Try Docker Compose with a dedicated external network. Create a custom bridge network: docker network create --driver bridge --subnet=172.30.0.0/16 npm-network and connect both NPM and your backend services to it. You’ll get predictable IP ranges to work with. This happens because Docker creates multiple network layers between clients and apps. Don’t mess with trusted proxy configs - instead, add extra_hosts entries in your compose file to map your LXC container IP directly. What worked for me: use the NET_ADMIN capability and configure NPM to use the LXC container’s network interface directly with Docker’s --network container: option. This skips Docker’s network stack completely while keeping everything containerized. Skip host networking mode in LXC environments - it causes port conflicts and won’t fix your IP forwarding problem anyway.

Had this same problem last year. Don’t just mess with trusted proxy settings - you need to fix the proxy headers. Make sure Nginx Proxy Manager sends the right X-Forwarded-For and X-Real-IP headers to your backend. Go to your proxy host config, hit the Advanced tab, and add: proxy_set_header X-Real-IP $remote_addr; and proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;. Then tell your apps to read these headers instead of the connection IP. For Nextcloud, you’ll need both the trusted proxy setup AND the forwarded_for_headers setting in config.php. Skip the macvlan route - it just adds unnecessary complexity. Stick with the default bridge network and proper headers. You’ll get real client IPs without breaking container communication.
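Added example (not part of the thread, and not Nextcloud's or NPM's own code): a generic right-to-left X-Forwarded-For resolver showing why the logged address flips between 172.29.0.1 and 10.0.0.253 depending on which hop is trusted, and what trusting a whole range implies. The addresses 192.168.1.50, 10.0.0.77 and 198.51.100.9 and all header values are constructed; the resolution algorithm is an assumption about how a backend treats its trusted proxy list.

```python
import ipaddress

DOCKER_GW = "172.29.0.1"   # peer address the backends see (from the question)
LXC_IP = "10.0.0.253"      # LXC container address (from the question)
CLIENT = "192.168.1.50"    # constructed client address, for illustration only

def is_trusted(ip, trusted):
    """True if ip falls inside any trusted proxy address or CIDR."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(t, strict=False) for t in trusted)

def resolve_client_ip(peer_ip, xff, trusted):
    """Address a backend should log, given its trusted proxy list.

    peer_ip: source address of the TCP connection (a header cannot forge it)
    xff:     raw X-Forwarded-For value, or None
    trusted: proxy IPs/CIDRs, i.e. what a trusted_proxies setting holds
    """
    # The header is honoured only when the direct peer is a trusted proxy.
    if not xff or not is_trusted(peer_ip, trusted):
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    try:
        # Walk right to left: each proxy appended the address it saw, so the
        # first untrusted hop is the last address a trusted proxy vouched for.
        for hop in reversed(hops):
            if not is_trusted(hop, trusted):
                return hop
    except ValueError:
        return peer_ip  # malformed entry: ignore the header entirely
    return hops[0] if hops else peer_ip  # every hop was a trusted proxy

if __name__ == "__main__":
    cases = [
        ("trust gateway only", DOCKER_GW, LXC_IP, [DOCKER_GW]),
        ("trust LXC IP only", DOCKER_GW, LXC_IP, [LXC_IP]),
        ("trust both hops", DOCKER_GW, f"{CLIENT}, {LXC_IP}", [DOCKER_GW, LXC_IP]),
        ("forged leading entry", DOCKER_GW,
         f"198.51.100.9, {CLIENT}, {LXC_IP}", [DOCKER_GW, LXC_IP]),
        ("whole range trusted, direct peer", "10.0.0.77", "198.51.100.9",
         ["10.0.0.0/24"]),
    ]
    for name, peer, xff, trusted in cases:
        print(f"{name:34} -> {resolve_client_ip(peer, xff, trusted)}")
```

The last case is the caveat for range-wide trust: any host inside a trusted range that can reach the backend directly decides what address gets logged, so list only the proxy addresses that actually connect to the backend.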