Operations teams often need quick visibility into CPU pressure, memory saturation, disk contention, and network throughput without standing up a full observability platform on day one. Glances offers a lightweight monitoring interface that is fast to deploy and practical for small-to-mid infrastructure footprints. In this guide, you will build a production-oriented deployment of Glances using Docker Compose, expose it safely through Nginx Proxy Manager, terminate TLS, and add operational controls that keep the stack maintainable over time.
This pattern is especially useful for MSP teams, internal IT departments, SaaS startups, and DevOps engineers who want an opinionated monitoring entry point while preserving a clean migration path to larger systems later. We will cover architecture decisions, hardening measures, secrets handling, verification checks, and troubleshooting scenarios seen in real environments.
Architecture and flow overview
The deployment has three layers: (1) the Glances container that collects and presents host metrics, (2) a private Docker network boundary for service isolation, and (3) Nginx Proxy Manager as the public edge that handles HTTPS, host routing, and certificate lifecycle. Clients connect only to Nginx Proxy Manager on 443. NPM forwards allowed traffic to the Glances container over the internal network. This approach keeps Glances off direct internet exposure and centralizes access policy where teams already manage TLS and domains.
For reliability, we will use Compose restart policies, explicit health checks, pinned image tags, and deterministic volume mounts. For security, we apply strong credentials, optional IP allowlisting, and explicit header handling through NPM. For operations, we add verification commands that can be run after upgrades or incidents to quickly confirm service health and routing correctness.
Prerequisites
- A Linux host with Docker Engine and Docker Compose plugin installed.
- A running Nginx Proxy Manager instance reachable from your browser.
- A DNS record pointed to your NPM host.
- Ports 80/443 open on the proxy edge.
- Shell access with sudo privileges.
Step-by-step deployment
1) Prepare project directories
Create an isolated project directory so backups, upgrades, and audits remain straightforward.
mkdir -p /opt/glances-stack/glances/conf
cd /opt/glances-stack
2) Write Docker Compose
Use a loopback port mapping so Glances is not publicly exposed.
services:
  glances:
    # latest-full is a floating tag; pin a specific release tag in production (see FAQ).
    image: nicolargo/glances:latest-full
    container_name: glances
    restart: unless-stopped
    pid: host
    network_mode: bridge
    environment:
      - GLANCES_OPT=-w
      - TZ=UTC
    volumes:
      # :ro protects the socket file only; the Docker API behind it remains fully reachable.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /:/rootfs:ro
      - ./glances/conf:/glances/conf:ro
    ports:
      # Bind to loopback only so the port is not reachable from other hosts.
      - "127.0.0.1:61208:61208"
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:61208"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 20s
cat > /opt/glances-stack/docker-compose.yml <<'YAML'
services:
  glances:
    image: nicolargo/glances:latest-full
    container_name: glances
    restart: unless-stopped
    pid: host
    network_mode: bridge
    environment:
      - GLANCES_OPT=-w
      - TZ=UTC
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /:/rootfs:ro
      - ./glances/conf:/glances/conf:ro
    ports:
      - "127.0.0.1:61208:61208"
    healthcheck:
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:61208"]
      interval: 30s
      timeout: 5s
      retries: 5
      start_period: 20s
YAML
3) Optional Glances configuration
cat > /opt/glances-stack/glances/conf/glances.conf <<'CONF'
[global]
check_update=False
refresh=2
[outputs]
csv=False
[network]
hide_no_address=True
CONF
4) Launch stack
cd /opt/glances-stack
docker compose up -d
docker compose ps
5) Configure NPM
Create a Proxy Host for your monitoring domain and forward to 127.0.0.1:61208. Enable websocket support, request a Let's Encrypt certificate, and enforce HTTPS redirect.
6) Add access controls
Protect the route with authentication and optionally IP allowlists for VPN and office ranges. Keep exposure intentionally narrow.
Configuration and secrets handling
Even lightweight stacks require disciplined credential handling around proxy administration, DNS APIs, and backup workflows. Store sensitive values in a secrets manager. Do not commit them into source control or paste them into ticket comments.
Use long unique admin credentials, rotate routinely, and enforce MFA where possible. Keep compose files versioned but secret-free, and mount only what the container requires. Monitor who can edit proxy routes because route-level changes can effectively bypass policy. Finally, create a small runbook for certificate renewals and emergency rollback so responders can act quickly during outages.
When integrating alerts, avoid hardcoding webhooks. Prefer environment injection from a vault-backed source and document ownership for each credential. Add quarterly access reviews to reduce stale privileges and reduce blast radius.
Verification
docker compose -f /opt/glances-stack/docker-compose.yml ps
docker inspect --format='{{json .State.Health}}' glances
curl -I http://127.0.0.1:61208
curl -I https://monitor.example.com
docker logs --tail=100 glances
sudo ss -ltnp | grep 61208
Expected outcomes: local endpoint returns 200, external endpoint presents valid TLS, and reverse proxy does not emit 502/504.
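The loopback binding from step 2 and the ss check above can be turned into repeatable pass/fail checks. The script below is an added example, not part of the original guide; the function names exposed_listeners and unpinned_ports and the sample inputs are constructed for illustration, and the Compose check handles only short-syntax port entries.

```shell
# Added example: exposure checks for the Glances port used in this guide.

# Reads `ss -ltn` output on stdin and prints each non-loopback local address
# listening on port $1. Exit status 1 means at least one was found.
exposed_listeners() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, parts, ":")
      if (parts[n] != port) next
      host = substr($4, 1, length($4) - length(parts[n]) - 1)
      if (host ~ /^127\./ || host == "[::1]") next
      print host; found = 1
    }
    END { exit (found ? 1 : 0) }'
}

# Reads a Compose file on stdin and prints short-syntax "ports:" entries that
# do not pin a loopback host IP. Exit status 1 means at least one was found.
unpinned_ports() {
  awk '
    /^[ \t]*ports:[ \t]*$/ { in_ports = 1; next }
    in_ports && /^[ \t]*-/ {
      m = $0
      sub(/^[ \t]*-[ \t]*/, "", m); gsub(/["\047]/, "", m); sub(/[ \t]+$/, "", m)
      if (m !~ /^(127\.[0-9.]+|\[::1\]):/) { print m; found = 1 }
      next
    }
    { in_ports = 0 }
    END { exit (found ? 1 : 0) }'
}

# Constructed sample inputs (not captured from a real host).
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      4096   127.0.0.1:61208    0.0.0.0:*
LISTEN 0      4096   0.0.0.0:61208      0.0.0.0:*
LISTEN 0      4096   [::]:61208         [::]:*'
SAMPLE_COMPOSE='services:
  glances:
    ports:
      - "127.0.0.1:61208:61208"
      - "61209:61209"
    healthcheck:'

if ! bad=$(printf '%s\n' "$SAMPLE_SS" | exposed_listeners 61208); then
  printf 'non-loopback listeners on 61208:\n%s\n' "$bad"
fi
if ! bad=$(printf '%s\n' "$SAMPLE_COMPOSE" | unpinned_ports); then
  printf 'port mappings without a loopback host IP:\n%s\n' "$bad"
fi
```

On a live host, feed the functions real input: `sudo ss -ltn | exposed_listeners 61208` and `unpinned_ports < /opt/glances-stack/docker-compose.yml`.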
Common issues and fixes
502 Bad Gateway in NPM
Validate forward target and confirm the container is healthy and listening on the mapped loopback port.
Slow page rendering
Check host CPU and I/O contention, then tune Glances refresh and verify DNS/TLS latency.
Missing Docker metrics
Ensure docker.sock is mounted read-only and that the permission model allows access.
Certificate issuance fails
Confirm DNS and inbound ports 80/443; review ACME logs in NPM.
Metrics gaps after host reboot
Verify restart policy and run post-boot health checks automatically.
Unexpected public exposure
Correct port binding to loopback and enforce host firewall rules.
Operations depth notes
This deployment pattern reduces mean-time-to-detect by giving operators immediate, actionable host-level telemetry, while preserving a controlled edge access model and repeatable change process.
FAQ
Can I run this without Docker Compose?
Yes, but Compose improves repeatability and rollback control.
Is this enough for enterprise monitoring?
It is a practical first layer; larger fleets should add centralized logs and long-term metrics.
Should I pin image tags?
Yes. Pin in production and upgrade during controlled windows.
How do I secure access for remote teams?
Combine VPN/SSO with proxy authentication and source-IP restrictions.
Can I monitor many servers?
Deploy per-host instances and use separate subdomains, or migrate to centralized tooling as scale grows.
What should I back up?
Back up Compose files, NPM proxy definitions, certificates, and DNS records.