Mesh Central in Docker behind NGINX Proxy Manager Reverse Proxy


  1. Docker environment on Linux
  2. Portainer, docker-compose installed
  3. Ports 80/443 port forwarded to your Docker host
  4. Reverse proxy being Nginx Proxy Manager, not Traefik as I don't use it
  5. Nginx Proxy Manager listening for ports 80/443
  • We will be using an unofficial, but as of writing this article still maintained and community approved, Docker version of Mesh Central
  • I will be using Portainer in this guide, but you can use manual Docker Compose if you wish
  • Here is an example of my docker-compose.yml file
version: '3'

    external: true
        container_name: meshcentral_db
        restart: always
        image: mongo:latest
            - 27017
            - '/docker/containers/meshcentral/database:/data/db'
          - reverse_proxy
        restart: always
        container_name: meshcentral
            - 'mongodb'
        image: typhonragewind/meshcentral:mongodb-latest
            - 8786:443 #MeshCentral will moan and try everything not to use port 80, but you can also use it if you so desire, just change the config.json according to your needs
            -     #your hostname
            - REVERSE_PROXY=nginx-proxy-manager     #set to your reverse proxy IP if you want to put meshcentral behind a reverse proxy
            - REVERSE_PROXY_TLS_PORT=443 #internal https port, only change if you don't use 443 for your incoming HTTPS for some reason
            - IFRAME=false #set to true if you wish to enable iframe support
            - ALLOW_NEW_ACCOUNTS=false    #set to false if you want disable self-service creation of new accounts besides the first (admin)
            - WEBRTC=false  #set to true to enable WebRTC - per documentation it is not offically released with meshcentral, but is solid enough to work with. Use with caution
            - NODE_ENV=production
            - TZ=Europe/Prague
            - data:/opt/meshcentral/meshcentral-data
            - files:/opt/meshcentral/meshcentral-files
          - reverse_proxy
  • In this, Mesh Central will use a MongoDB instance to store everything, instead of SQLite
  • You must change:
    1. Network name to match what your NPM is using, in my case that name is “reverse_proxy”
    2. HOSTNAME - set your public FQDN
    3. REVERSE_PROXY - here put
      • IP address of your NGINX Proxy Manager if it is on a different server than where Mesh Central will live
      • internal docker Hostname if on the same Docker network ← My setup, “nginx-proxy-manager” is the Docker hostname. DO NOT USE DOCKER NETWORK IP ADDRESSES, they aren't static
  • You can change
    • TZ - timezone, so your logs have proper timestamps, follows standardized naming
      • For example, TZ=Europe/Prague, TZ=America/New_York, TZ=Australia/Sydney
    • Storage mounts (I had issues with MeshCentral Volume paths, so that is why I'm using volumes)
    • ALLOW_NEW_ACCOUNTS=false, setting true would allow users to register
      With FALSE on first start you can create an account, that will be your admin, after that registrations get disabled
      This can also be set in config.json
  • You will find the config file in the container's /opt/meshcentral/meshcentral-data folder
    • Since I used a Docker Volume, I can use Portainer to see where that is mounted on my server's filesystem
      For example: /var/lib/docker/volumes/meshcentral_data/_data
  • Open the config.json file with
     sudo nano /var/lib/docker/volumes/meshcentral_data/_data/config.json 
  • If this is your initial installation, the config file will be pretty barebones
  • Modify it according to this example, changing stuff like your FQDN
  "$schema": "",
  "settings": {
    "cert": "",
    "_WANonly": true,
    "_LANonly": true,
    "_sessionKey": "generate_password_here", 
    "port": 443,
    "_aliasPort": 443,
    "redirPort": 80,
    "_redirAliasPort": 80,
    "AgentPong": 300,
    "TLSOffload": "nginx-proxy-manager",
    "_ignoreAgentHashCheck": false,
    "SelfUpdate": false,
    "AllowFraming": "false",
    "mongodb": "mongodb://mongodb:27017/mesh",
    "mongodbcol": "mesh",
    "WebRTC": "false"
  "domains": {
        "": {
          "_title": "Mesh Central",
          "_title2": "Mesh Central",
          "_minify": true,
          "NewAccounts": "false",
          "_userNameIsEmail": true,
          "certUrl": ""
  "_letsencrypt": {
    "__comment__": "Requires NodeJS 8.x or better, Go to first before>",
    "_email": "[email protected]",
    "_names": "",
        "production": false
  • Note: I did not touch the letsencrypt section here at all, since we are handling our SSL certificate elsewhere
  • TLDR:
    • Mesh Central uses a self signed certificate to talk to clients.
    • Since ours is behind NPM it can't communicate directly and hashes won't match.
    • We need to tell it to instead use NPM's certificate
  1. “cert”: “” - to tell Mesh Central what certificate to use - works even if you use a wildcard certificate (*
  2. “_sessionKey”: “generate_password_here”, - please use a password manager to generate a random password here
  3. “TLSOffload”: “nginx-proxy-manager” - set Docker hostname or IP address of your NPM installation, don't put port here
  4. “port”: 443, - change if you don't use 443. If your NPM isn't on the same docker host this should be the exposed port (for example 8786) but I haven't tested it so I don't really know.
  5. “certUrl”: “” - Public FQDN of your Mesh Central server, including the port
  • Save the file (Press Ctrl+O and Enter to save changes and Ctrl+X to exit Nano)
  • Restart the container
  1. Add a new Proxy host as you would with any other Docker container
  2. Don't forget to check Websockets Support
  3. In SSL select your certificate, force SSL and enable HTTP/2
  4. In the Advanced tab paste the following
proxy_set_header CF-Connecting-IP $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
  1. This setup works fine through Cloudflare Proxy, assuming
  2. Cloudflare Dashboard → yourdomain.tld → SSL/TLS → Overview → FULL
  3. This is necessary so that the Cloudflare Proxy and your local certificate match and Cloudflare doesn't try to redirect
  1. If you get this error after logging into the Mesh Central WebUI do:
  2. Go to NPM
  3. In Proxy Host → your Mesh Central Host → Check Websockets Support

dustojnikhummer 30/07/2023 00:11

  • laptopwiki/guides/docker/meshcentral.txt
  • Last modified: 12/01/2024 21:14
  • by dustojnikhummer