mirror of
https://github.com/NginxProxyManager/nginx-proxy-manager.git
synced 2026-04-26 09:55:51 +03:00
[GH-ISSUE #2271] Manage CA, verify and issue upstream server certificates #1618
Originally created by @simonlerpard on GitHub (Sep 18, 2022).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2271
Is your feature request related to a problem? Please describe.
When hosting web servers internally I would like to access an upstream server over https (which currently is possible), but nginx doesn't verify the server certificate by default, which leaves it open to MITM attacks if my internal network is compromised. My current solution is to add custom nginx config to support this and mount a CA into the NPM docker container. But then I need to manage a CA and issue all upstream certificates manually via the terminal, separately from NPM.
Describe the solution you'd like
I would love if it was possible (via NPM) to generate a CA, issue and download long lived certificates (with their private keys) so they can be used between NPM and each individual upstream server securely.
Describe alternatives you've considered
A first step could of course be to just make it possible to upload the CA and add an option when https is selected (of upstream server) to verify the certificate.
Additional context
Example nginx config to verify one or multiple CAs for the upstream servers:
proxy_ssl_trusted_certificate /config/trusted_ca_cert.crt;
proxy_ssl_verify on;
proxy_ssl_verify_depth 2;
I think it's kind of reasonable to have this functionality in NPM since it's already specifying upstream endpoints and managing other downstream certificates for the clients. It might be sort of inefficient to terminate SSL just to use it again for the upstream server, but then I can use a trusted certificate (Let's Encrypt) for all clients but still use https all the way.
And just to be clear, this is how I'm using NPM for internal web servers. And if I don't specify custom nginx config, the self-signed cert isn't verified at all:
Client -> HTTPS (Let's encrypt cert) -> Nginx Proxy Manager -> HTTPS (Self signed cert) -> Upstream server
@FlorianFritz commented on GitHub (Apr 13, 2023):
This would be a nice addition I'd like to see as well.
To automate deployment, this would require an API to "download" the certificates and private keys onto the downstream servers.
This would also be beneficial to access the letsencrypt certificates which might be used for something other than http/https on downstream hosts (like smtp/imap):
mail.example.com:443 --> Router --> NPM --> https-service on Mailhost (Webmail)
mail.example.com:587 --> Router --> smtp-service on Mailhost (Send-Mailserver)
mail.example.com:993 --> Router --> imap-service on Mailhost (Receive-Mailserver)
Currently you have to copy the certs/keys from the container to the other server.
@github-actions[bot] commented on GitHub (Feb 9, 2024):
Issue is now considered stale. If you want to keep it open, please comment 👍
@FlorianFritz commented on GitHub (Feb 9, 2024):
Please implement this feature 🙋♂️
@github-actions[bot] commented on GitHub (Nov 21, 2024):
Issue is now considered stale. If you want to keep it open, please comment 👍
@github-actions[bot] commented on GitHub (Dec 3, 2025):
Issue was closed due to inactivity.