A single curl command installs NyxGuard Manager 4.0.13 — a free self-hosted WAF, application firewall, and reverse proxy. Docker setup, image pull, environment generation, and stack launch are handled automatically.
Ubuntu 22.x / 24.x / 25.x
Debian 12 / 13
Docker Engine
Docker Compose v2
(installer can install both)
2 vCPU / 2 GB minimum
4 vCPU / 8 GB recommended
40 GB minimum
60 GB+ recommended
SSD strongly preferred
Port 80 — HTTP (redirect + ACME)
Port 443 — HTTPS proxy traffic
Port 8443 — Admin panel
Installer must run as root
or with sudo
On a fresh Ubuntu or Debian VM, run a quick OS update and ensure curl is present before running the installer. This takes under a minute and avoids any dependency issues.
Fetch the latest package index and upgrade installed packages to their newest versions.
sudo apt update && sudo apt -y upgrade
The installer is fetched via curl. Most systems have it already — this ensures it is present.
sudo apt install -y curl
The install script auto-detects the latest published image from Docker Hub, pulls it, creates the stack in /opt/nyxguardmanager, and enables reboot persistence via systemd.
curl -fsSL https://raw.githubusercontent.com/NyxCloudRO/NyxGuardManager/main/install.sh | sudo bash
sudo and end the command with | bash./opt/nyxguardmanager/ by default. Admin panel accessible at https://<your-ip>:8443/ after install.Here's exactly what happens when you run the install script, step by step.
If Docker Engine and Docker Compose v2 are not installed, the script adds the official Docker apt repository and installs them automatically. Then it enables the Docker daemon.
apt-get — Ubuntu and Debian are fully supported. Other distros: install Docker manually first.The installer queries Docker Hub (nyxmael/nyxguardmanager) for all published semantic version tags and selects the highest one automatically. No manual version tracking needed.
curl -fsSL https://raw.githubusercontent.com/NyxCloudRO/NyxGuardManager/main/install.sh | sudo env APP_TAG=4.0.13 bash
.env with random secretsIf no .env exists in the install directory, the script generates one with strong random passwords for the database. The file is set to chmod 600. If a .env already exists (upgrade), it is never overwritten.
.env file secure. Never commit it to version control — it contains your database credentials.docker-compose.yml and pull the imageThe script writes a ready-to-run Compose file referencing the detected image tag, then pulls the image from Docker Hub.
docker pull nyxmael/nyxguardmanager:<latest-tag>
The stack starts with Docker Compose. A systemd unit is installed and enabled so the stack auto-starts on every reboot.
# Installed automatically: /etc/systemd/system/nyxguardmanager.service # Enabled with: systemctl enable --now nyxguardmanager.service
Navigate to the admin panel URL. First boot runs the setup wizard — create your admin account and configure your first proxy host.
https://<your-server-ip>:8443/
Prefer to set it up yourself without running a script? Use the compose file below. No source code is needed — everything runs from the prebuilt Docker image.
sudo mkdir -p /opt/nyxguardmanager cd /opt/nyxguardmanager
docker-compose.ymlservices:
nyxguard-manager:
container_name: nyxguard-manager
image: nyxmael/nyxguardmanager:4.0.13
restart: unless-stopped
ports:
- "80:80"
- "443:443"
- "8443:8443"
environment:
TZ: "${TZ:-UTC}"
PUID: "${PUID:-1000}"
PGID: "${PGID:-1000}"
DB_MYSQL_HOST: "db"
DB_MYSQL_PORT: "3306"
DB_MYSQL_USER: "${DB_MYSQL_USER:-nyxguard}"
DB_MYSQL_PASSWORD: "${DB_MYSQL_PASSWORD}"
DB_MYSQL_NAME: "${DB_MYSQL_NAME:-nyxguard}"
SKIP_CERTBOT_OWNERSHIP: "true"
NPM_BUILD_VERSION: "4.0.13"
NPM_BUILD_COMMIT: "release-4.0.13"
NPM_BUILD_DATE: "2026-07-13"
NYXGUARD_ACCESS_SESSION_TTL_SEC: "34560000"
healthcheck:
test: ["CMD", "curl", "-fs", "http://localhost:3000/"]
interval: 10s
timeout: 5s
retries: 5
start_period: 60s
group_add:
- "${DOCKER_SOCK_GID:-988}"
volumes:
- nyxguard_data:/data
- nyxguard_letsencrypt:/etc/letsencrypt
- /var/run/docker.sock:/var/run/docker.sock:ro
- /etc/localtime:/etc/localtime:ro
- /proc/1/net/arp:/host/proc/net/arp:ro
depends_on:
- db
db:
container_name: nyxguard-db
image: jc21/mariadb-aria:latest
restart: unless-stopped
environment:
TZ: "${TZ:-UTC}"
MYSQL_ROOT_PASSWORD: "${MYSQL_ROOT_PASSWORD}"
MYSQL_DATABASE: "${DB_MYSQL_NAME:-nyxguard}"
MYSQL_USER: "${DB_MYSQL_USER:-nyxguard}"
MYSQL_PASSWORD: "${DB_MYSQL_PASSWORD}"
volumes:
- nyxguard_db:/var/lib/mysql
- /etc/localtime:/etc/localtime:ro
volumes:
nyxguard_data:
name: nyxguard_data
nyxguard_letsencrypt:
name: nyxguard_letsencrypt
nyxguard_db:
name: nyxguard_db
.env with strong passwordsTZ=UTC PUID=1000 PGID=1000 DOCKER_SOCK_GID=988 DB_MYSQL_USER=nyxguard DB_MYSQL_NAME=nyxguard DB_MYSQL_PASSWORD=CHANGE_ME_STRONG_PASSWORD MYSQL_ROOT_PASSWORD=CHANGE_ME_STRONG_ROOT_PASSWORD
DOCKER_SOCK_GID to the result of stat -c '%g' /var/run/docker.sock when your Docker socket group is not 988. Never commit .env to version control.docker compose --env-file .env up -d docker compose logs -f # watch startup
The update script checks Docker Hub for the latest published tag, compares it to your running version, and if a newer release exists, prompts you and applies the update in-place. Your data and configuration live in Docker volumes and are never touched.
curl -fsSL https://raw.githubusercontent.com/NyxCloudRO/NyxGuardManager/main/update.sh | sudo bash
# 1. Read current image tag from docker-compose.yml # 2. Query Docker Hub for latest published semver tag # 3. If no newer release → print "No newer release found." and exit # 4. If newer → display current vs target, prompt y/N # 5. docker pull nyxmael/nyxguardmanager:<new-tag> # 6. Update image reference in docker-compose.yml # 7. docker compose up -d --remove-orphans (rolling restart) # 8. Print "Update complete."
curl -fsSL https://raw.githubusercontent.com/NyxCloudRO/NyxGuardManager/main/update.sh | sudo env FORCE_TAG=4.0.13 bash
curl -fsSL https://raw.githubusercontent.com/NyxCloudRO/NyxGuardManager/main/update.sh | sudo env NYXGUARD_AUTO_YES=1 bash
If you installed manually (without install.sh), update by pulling the new image and restarting:
cd /opt/nyxguardmanager docker pull nyxmael/nyxguardmanager:4.0.13 # Update the image: tag in docker-compose.yml, then: docker compose --env-file .env up -d
Verify your installation is running correctly.
docker ps # confirm containers are Up curl -kI https://127.0.0.1:8443/ # HTTP 308 or 200 curl -ksS https://127.0.0.1:8443/api/ | jq # API response docker logs --tail=100 nyxguard-manager # recent logs
All installer and runtime behaviour can be controlled via environment variables.
| Variable | Default | Description |
|---|---|---|
| INSTALL_DIR | /opt/nyxguardmanager | Where to create the stack and store compose/env files |
| IMAGE_REPO | nyxmael/nyxguardmanager | Docker image repository to pull from |
| APP_TAG | (auto-detect latest) | Pin a specific image version tag, e.g. 4.0.13 |
| Variable | Default | Description |
|---|---|---|
| INSTALL_DIR | /opt/nyxguardmanager | Location of the existing compose stack |
| IMAGE_REPO | nyxmael/nyxguardmanager | Docker image repository to check and pull from |
| FORCE_TAG | (auto-detect latest) | Force update to a specific version tag |
| NYXGUARD_AUTO_YES | 0 | Set to 1 to skip the confirmation prompt (non-interactive / CI use) |
| Variable | Default | Description |
|---|---|---|
| TZ | UTC | Timezone for the container |
| PUID / PGID | 1000 | User and group ID for file ownership |
| DB_MYSQL_PASSWORD | (generated) | Database password — set by installer, keep it secret |
| MYSQL_ROOT_PASSWORD | (generated) | MariaDB root password — set by installer, keep it secret |
| DOCKER_SOCK_GID | Docker socket GID | Grants the Manager process access to the read-only Docker socket |
| NYXGUARD_ACCESS_SESSION_TTL_SEC | 34560000 | Protected-application session lifetime: 400 days, the current Chromium persistent-cookie maximum |
| NYXGUARD_POLL_INTERVAL_MS | 15000 | Attack monitor poll interval in milliseconds (1000–60000) |
| SKIP_CERTBOT_OWNERSHIP | false | Set to true to skip slow certbot chown on startup. Recommended for production. |
| DISABLE_IPV6 | false | Set to true to disable IPv6 in nginx. |
.env file to version control.After your first successful login, go through these steps to harden your installation.
Go to your profile → Enable Two-Factor Authentication. Scan the QR code with your authenticator app and save the recovery codes.
Proxy Hosts → Add Host. Point it to your backend, request a Let's Encrypt certificate, and enable Force HTTPS.
NyxGuard → GlobalGate. Add your trusted IP ranges, configure country rules, and enable WAF on your proxy hosts.
Settings → LAN Access. Add your LAN CIDR and trusted MAC addresses to restrict admin panel access to local devices only.
NyxGuard → IPs & Locations → GeoIP DB. Upload a MaxMind GeoLite2 or IP2Location .mmdb file, or enter your MaxMind credentials for auto-updates.
Settings → Integrations → Create token. Configure Prometheus scrape job. Import the Grafana dashboard from Settings → Grafana.