starred/nginx-proxy-manager-NginxProxyManager

Fork 0

mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2026-04-25 09:25:55 +03:00

[GH-ISSUE #1560] HSTS always applied on port 81 #1182

New issue

Closed

opened 2026-02-26 06:36:07 +03:00 by kerem · 3 comments

kerem commented

2026-02-26 06:36:07 +03:00

Owner

Originally created by @lug-gh on GitHub (Nov 4, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1560

Checklist

Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
- Yes (I use tag 2)
Are you sure you're not using someone else's docker image?
- Yes
Have you searched for similar issues (both open and closed)?
- Yes

Describe the bug

To access my NPM Webinterface I created this proxy, should be self explaining so far.

So whenever something is wrong with NPM (which happens from time to time) I access the site from http://npm.example.org:81, but because I enabled "Force SSL" for this host, it redirect's to https://npm.example.org:81, which obviously results in an SSL error.

I think "Force SSL" should not be applied to Port 81, or Port 80 only. I'm not really sure if this should be handled like a bug or like a feature request.

Nginx Proxy Manager Version
2.9.11

To Reproduce
Steps to reproduce the behavior:

see description above

Expected behavior
see description above

Screenshots
see description above

Operating System
alpine linux x64

Additional context

Originally created by @lug-gh on GitHub (Nov 4, 2021). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1560 **Checklist** - Have you pulled and found the error with `jc21/nginx-proxy-manager:latest` docker image? - Yes (I use tag 2) - Are you sure you're not using someone else's docker image? - Yes - Have you searched for similar issues (both open and closed)? - Yes **Describe the bug** ![image](https://user-images.githubusercontent.com/24546639/140294655-e7623744-da00-4891-a62c-aa0faf6301a7.png) To access my NPM Webinterface I created this proxy, should be self explaining so far. So whenever something is wrong with NPM (which happens from time to time) I access the site from http://npm.example.org:81, but because I enabled "Force SSL" for this host, it redirect's to http**s**://npm.example.org:81, which obviously results in an SSL error. I think "Force SSL" should not be applied to Port 81, or Port 80 only. I'm not really sure if this should be handled like a bug or like a feature request. **Nginx Proxy Manager Version** 2.9.11 **To Reproduce** Steps to reproduce the behavior: 1. see description above **Expected behavior** see description above **Screenshots** see description above **Operating System** alpine linux x64 **Additional context** -

kerem

2026-02-26 06:36:07 +03:00

closed this issue
added the
bug
label

kerem commented

2026-02-26 06:36:07 +03:00

Author

Owner

@chaptergy commented on GitHub (Nov 4, 2021):

So you are sure this has to do with the Force SSL config? Because I think this has to do with the HSTS config, not the Force SSL, since I am pretty sure it is not proxied at all when you request it on port 81. However since you have enabled HSTS, you browser remembers this HSTS instruction for this domain. So even when you request a different port, your browser still recognizes the the domain npm.example.org has sent a HSTS header a while ago and it should only be accessed via HTTPS (and that is what it's then doing). You could look up how to remove the HSTS entry for this domain in your browser and see if that works.

@chaptergy commented on GitHub (Nov 4, 2021): So you are sure this has to do with the _Force SSL_ config? Because I think this has to do with the _HSTS_ config, not the _Force SSL_, since I am pretty sure it is not proxied at all when you request it on port 81. However since you have enabled HSTS, you browser remembers this HSTS instruction for this domain. So even when you request a different port, your browser still recognizes the the domain `npm.example.org` has sent a HSTS header a while ago and it should only be accessed via HTTPS (and that is what it's then doing). You could look up how to remove the HSTS entry for this domain in your browser and see if that works.

kerem commented

2026-02-26 06:36:07 +03:00

Author

Owner

@lug-gh commented on GitHub (Nov 4, 2021):

So you are sure this has to do with the Force SSL config? Because I think this has to do with the HSTS config, not the Force SSL, since I am pretty sure it is not proxied at all when you request it on port 81. However since you have enabled HSTS, you browser remembers this HSTS instruction for this domain. So even when you request a different port, your browser still recognizes the the domain npm.example.org has sent a HSTS header a while ago and it should only be accessed via HTTPS (and that is what it's then doing). You could look up how to remove the HSTS entry for this domain in your browser and see if that works.

Forgot to mention, I do not have HSTS or HTTP2 enabled. Only "Force SSL"

This is set for every host. But it looks like hsts is still the issue, even if disabled?!

Go to chrome://net-internals/#hsts (only for chrome obviously)
Delete domain security policies for Domain "npm.example.org"
open http://npm.example.org:81 -> works
open httpS://npm.example.org -> works
open http://npm.example.org:81 again -> redirects to https with ERR_SSL_PROTOCOL_ERROR

PS: the root Domain has no hsts enabled either (so no includesubdomains hsts heaeder can be set)

@lug-gh commented on GitHub (Nov 4, 2021): > So you are sure this has to do with the _Force SSL_ config? Because I think this has to do with the _HSTS_ config, not the _Force SSL_, since I am pretty sure it is not proxied at all when you request it on port 81. However since you have enabled HSTS, you browser remembers this HSTS instruction for this domain. So even when you request a different port, your browser still recognizes the the domain `npm.example.org` has sent a HSTS header a while ago and it should only be accessed via HTTPS (and that is what it's then doing). You could look up how to remove the HSTS entry for this domain in your browser and see if that works. Forgot to mention, I do not have HSTS or HTTP2 enabled. Only "Force SSL" ![image](https://user-images.githubusercontent.com/24546639/140312170-6c2d665e-919c-4ff2-857a-943c6bfcc74f.png) This is set for every host. But it looks like hsts is still the issue, even if disabled?! 1. Go to chrome://net-internals/#hsts (only for chrome obviously) 2. Delete domain security policies for Domain "npm.example.org" 3. open http://npm.example.org:81 -> works 4. open http**S**://npm.example.org -> works 5. open http://npm.example.org:81 again -> redirects to https with ERR_SSL_PROTOCOL_ERROR PS: the root Domain has no hsts enabled either (so no includesubdomains hsts heaeder can be set)

kerem commented

2026-02-26 06:36:07 +03:00

Author

Owner

@chaptergy commented on GitHub (Nov 4, 2021):

Ah, the admin ui seems to always set the header. Not sure why it does though, I'll try to find out. but for now you could manually go into your container and edit the app.js file and remove that line.

@chaptergy commented on GitHub (Nov 4, 2021): Ah, the admin ui seems to [always set the header](https://github.com/jc21/nginx-proxy-manager/blob/b96c996a45b0a47b4ee98e7731d2c78b9d3ab514/backend/app.js#L43). Not sure why it does though, I'll try to find out. but for now you could manually go into your container and edit the `app.js` file and remove that line.

kerem referenced this issue

2026-02-26 08:30:28 +03:00

[PR #1182] [MERGED] Update ssl-ciphers.conf #3392

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#1182

No description provided.

Rows
Columns