starred/nginx-proxy-manager-NginxProxyManager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2026-04-25 09:25:55 +03:00
Code Issues 937 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #34] [NOOB] Redirecting to proxy host with SSL #33

New issue
Closed
opened 2026-02-26 05:33:16 +03:00 by kerem · 10 comments
kerem commented 2026-02-26 05:33:16 +03:00
Owner
Copy link

Originally created by @Daxx13 on GitHub (Dec 12, 2018).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/34

Hi,

First of all, sorry because is very possible that I misunderstood something or I'm doing something wrong.

The problem is I have some apps that runs only over SSL-enabled connections, so I need to reverse proxy to a SSL server but I can't find a way in the WebUI for this, this is the scenario:

User <----> (Signed SSL) Proxy <----> (Self-signed SSL) Server

The problem comes when in the UI I can type a server and port, but no the protocol (HTTP/HTTPS). Inside the app container, I can see in /etc/nginx/conf.d/include/proxy.conf the following variable filling:

proxy_pass http://$server:$port;

So I think this is ready to enter only the IP and HTTP port in the WebUI, witch fills this variables in the proxy config, but in anyway this will be http://[whatever]

The workarround for us is delete the http:// in this file, and fill the server input with the protocol (http://[whatever] or https://[whatever]) in the Web UI. This workarround worked like a charm.

SO

Is possible to add a dropdown just at the left of server imput field in "New Proxy Host" modal, to pick the protocol, and fill the variables in this way?

proxy_pass $protocol://$server:$port;

Many thanks,

Aitor.

Originally created by @Daxx13 on GitHub (Dec 12, 2018). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/34 Hi, First of all, sorry because is very possible that I misunderstood something or I'm doing something wrong. The problem is I have some apps that runs only over SSL-enabled connections, so I need to reverse proxy to a SSL server but I can't find a way in the WebUI for this, this is the scenario: `User <----> (Signed SSL) Proxy <----> (Self-signed SSL) Server` The problem comes when in the UI I can type a server and port, but no the protocol (HTTP/HTTPS). Inside the app container, I can see in `/etc/nginx/conf.d/include/proxy.conf` the following variable filling: `proxy_pass http://$server:$port;` So I think this is ready to enter only the IP and HTTP port in the WebUI, witch fills this variables in the proxy config, but in anyway this will be `http://[whatever]` The workarround for us is delete the `http://` in this file, and fill the `server` input with the protocol (`http://[whatever]` or `https://[whatever]`) in the Web UI. This workarround worked like a charm. **SO** Is possible to add a dropdown just at the left of server imput field in "New Proxy Host" modal, to pick the protocol, and fill the variables in this way? `proxy_pass $protocol://$server:$port;` Many thanks, Aitor.
kerem 2026-02-26 05:33:16 +03:00
kerem commented 2026-02-26 05:33:18 +03:00
Author
Owner
Copy link

@jc21 commented on GitHub (Dec 12, 2018):

Yep it's certainly a possible improvement. I've found myself wanting this in one scenario before as well. Just need to be careful when the upstream server is another http proxy that expects the destination hostname to be supplied and that might be different from the source hostname. Some testing scenarios would need to be considered.

In the meantime, if you want to hack things right now to get moving, find the specific nginx conf file in your data directory for the host you've set up, edit it and look at the location / { block. There will be a line that is:

  include conf.d/include/proxy.conf;

Replace that line with the following:

  add_header       X-Served-By $host;
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-Scheme $scheme;
  proxy_set_header X-Forwarded-Proto  $scheme;
  proxy_set_header X-Forwarded-For    $remote_addr;
  proxy_pass https://$server:$port;

Save the file, then restart the docker container and it will pick up those changes. However, if you make changes to that proxy host inside Nginx Proxy Manager interface, it will overwrite your custom changes, so be careful there.

<!-- gh-comment-id:446771445 --> @jc21 commented on GitHub (Dec 12, 2018): Yep it's certainly a possible improvement. I've found myself wanting this in one scenario before as well. Just need to be careful when the upstream server is another http proxy that expects the destination hostname to be supplied and that might be different from the source hostname. Some testing scenarios would need to be considered. In the meantime, if you want to hack things right now to get moving, find the specific nginx conf file in your data directory for the host you've set up, edit it and look at the `location / {` block. There will be a line that is: ``` include conf.d/include/proxy.conf; ``` Replace that line with the following: ``` add_header X-Served-By $host; proxy_set_header Host $host; proxy_set_header X-Forwarded-Scheme $scheme; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $remote_addr; proxy_pass https://$server:$port; ``` Save the file, then restart the docker container and it will pick up those changes. However, if you make changes to that proxy host inside Nginx Proxy Manager interface, it will overwrite your custom changes, so be careful there.
kerem commented 2026-02-26 05:33:18 +03:00
Author
Owner
Copy link

@Daxx13 commented on GitHub (Dec 13, 2018):

  include conf.d/include/proxy.conf;

Replace that line with the following:

  add_header       X-Served-By $host;
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-Scheme $scheme;
  proxy_set_header X-Forwarded-Proto  $scheme;
  proxy_set_header X-Forwarded-For    $remote_addr;
  proxy_pass https://$server:$port;

Thanks for this workarround.

What needs to be tested? Maybe I can help here! About https:// I can say It works for IP address proxyed servers on SSL enabled ports with the workarround. I'll try to proxy to a named server but It should work while the proxy can resolve the DNS. I think this should not be related to the protocol anyway.

Thanks,

Aitor.

<!-- gh-comment-id:446792763 --> @Daxx13 commented on GitHub (Dec 13, 2018): > ``` > include conf.d/include/proxy.conf; > ``` > Replace that line with the following: > > ``` > add_header X-Served-By $host; > proxy_set_header Host $host; > proxy_set_header X-Forwarded-Scheme $scheme; > proxy_set_header X-Forwarded-Proto $scheme; > proxy_set_header X-Forwarded-For $remote_addr; > proxy_pass https://$server:$port; > ``` Thanks for this workarround. What needs to be tested? Maybe I can help here! About `https://` I can say It works for IP address proxyed servers on SSL enabled ports with the workarround. I'll try to proxy to a named server but It should work while the proxy can resolve the DNS. I think this should not be related to the protocol anyway. Thanks, Aitor.
kerem commented 2026-02-26 05:33:18 +03:00
Author
Owner
Copy link

@jc21 commented on GitHub (Dec 13, 2018):

Yeah so I was more thinking the following scenario:

Edge proxy running NPM             Internal https server
https://myserver.com       =>      https://otherserver.com

NPM will resolve and find otherserver.com via dns, but when it hits that upstream web server in this scenario, the server is running multiple SSL sites on the same web server and differentiating them by the hostname (SNI).

With the workaround code above, when you hit https://myserver.com in your browser, it will send through the Host header as myserver.com to the upstream server when in fact it is expecting otherserver.com to be the host header value. While that is easy to code for in this application by changing the Host header to the upstream server name, it introduces a new problem where the upstream web application might be using fixed URLs in it's content instead of relative ones. So, you request https://myserver.com, the HTML returned has a link to https://otherserver.com because it doesn't know it's behind a reverse proxy.

  1. Nginx can rewrite the html response before returning it to the user to replace these paths using LUA scripts, but I don't feel that brave yet..
  2. Not sure how common this is going to be, so I'm not going to code for it yet. Just going to get the minimal viable product working for your particular problem
<!-- gh-comment-id:446795785 --> @jc21 commented on GitHub (Dec 13, 2018): Yeah so I was more thinking the following scenario: ``` Edge proxy running NPM Internal https server https://myserver.com => https://otherserver.com ``` NPM will resolve and find `otherserver.com` via dns, but when it hits that upstream web server in this scenario, the server is running multiple SSL sites on the same web server and differentiating them by the hostname (SNI). With the workaround code above, when you hit `https://myserver.com` in your browser, it will send through the `Host` header as `myserver.com` to the upstream server when in fact it is expecting `otherserver.com` to be the host header value. While that is easy to code for in this application by changing the `Host` header to the upstream server name, it introduces a new problem where the upstream web application _might_ be using fixed URLs in it's content instead of relative ones. So, you request `https://myserver.com`, the HTML returned has a link to `https://otherserver.com` because it doesn't know it's behind a reverse proxy. 1. Nginx _can_ rewrite the html response before returning it to the user to replace these paths using LUA scripts, but I don't feel that brave yet.. 2. Not sure how common this is going to be, so I'm not going to code for it yet. Just going to get the minimal viable product working for your particular problem
kerem commented 2026-02-26 05:33:18 +03:00
Author
Owner
Copy link

@jc21 commented on GitHub (Dec 13, 2018):

I've pushed this https upstream proxy support to the jc21/nginx-proxy-manager:develop docker tag. Give it a try and see if it does what you need.

<!-- gh-comment-id:446843799 --> @jc21 commented on GitHub (Dec 13, 2018): I've pushed this https upstream proxy support to the `jc21/nginx-proxy-manager:develop` docker tag. Give it a try and see if it does what you need.
kerem commented 2026-02-26 05:33:18 +03:00
Author
Owner
Copy link

@Daxx13 commented on GitHub (Dec 20, 2018):

Hi!

First of all, thanks for the great explaination, you're totally right.

I've tested the dev branch and worked as expected with no vhosts on real servers, or when you're asking for a domain the real server can handle with root or vhost. I can see some issues when you're asking for a domain the real server don't know and you're forwarding to an IP address, but i should test this a bit more.

After all the HTTPS proxy hosts are working. Thanks!

Aitor.

<!-- gh-comment-id:449061450 --> @Daxx13 commented on GitHub (Dec 20, 2018): Hi! First of all, thanks for the great explaination, you're totally right. I've tested the dev branch and worked as expected with no vhosts on real servers, or when you're asking for a domain the real server can handle with root or vhost. I can see some issues when you're asking for a domain the real server don't know and you're forwarding to an IP address, but i should test this a bit more. After all the HTTPS proxy hosts are working. Thanks! Aitor.
kerem commented 2026-02-26 05:33:18 +03:00
Author
Owner
Copy link

@SaulGoodman1337 commented on GitHub (Dec 21, 2018):

Perfect. just wanted to open a feature request and then I came across this one. works perfectly, thanks a lot !

<!-- gh-comment-id:449309398 --> @SaulGoodman1337 commented on GitHub (Dec 21, 2018): Perfect. just wanted to open a feature request and then I came across this one. works perfectly, thanks a lot !
kerem commented 2026-02-26 05:33:19 +03:00
Author
Owner
Copy link

@jlesage commented on GitHub (Dec 21, 2018):

HTTPs upstream proxy support is a really good feature that covers a common scenario. Thanks! I hope this will be merged in an official release.

<!-- gh-comment-id:449466546 --> @jlesage commented on GitHub (Dec 21, 2018): HTTPs upstream proxy support is a really good feature that covers a common scenario. Thanks! I hope this will be merged in an official release.
kerem commented 2026-02-26 05:33:19 +03:00
Author
Owner
Copy link

@mackcoding commented on GitHub (Jan 1, 2019):

Looking forward to this feature as well!

<!-- gh-comment-id:450710333 --> @mackcoding commented on GitHub (Jan 1, 2019): Looking forward to this feature as well!
kerem commented 2026-02-26 05:33:19 +03:00
Author
Owner
Copy link

@jc21 commented on GitHub (Jan 3, 2019):

Added in v2.0.7

<!-- gh-comment-id:451057655 --> @jc21 commented on GitHub (Jan 3, 2019): Added in v2.0.7
kerem commented 2026-02-26 05:33:19 +03:00
Author
Owner
Copy link

@jlesage commented on GitHub (Jan 3, 2019):

Thank you very much!

<!-- gh-comment-id:451133644 --> @jlesage commented on GitHub (Jan 3, 2019): Thank you very much!
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
dependabot/npm_and_yarn/backend/liquidjs-10.25.7
dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987
dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41
dependabot/npm_and_yarn/backend/basic-ftp-5.3.0
dependabot/npm_and_yarn/test/follow-redirects-1.16.0
dependabot/npm_and_yarn/test/axios-1.15.0
dependabot/npm_and_yarn/frontend/lodash-4.18.1
dependabot/npm_and_yarn/backend/lodash-4.18.1
dependabot/npm_and_yarn/test/lodash-4.18.1
dependabot/npm_and_yarn/frontend/vite-7.3.2
dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21
dependabot/npm_and_yarn/frontend/lodash-es-4.18.1
dependabot/npm_and_yarn/frontend/happy-dom-20.8.9
dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0
dependabot/npm_and_yarn/frontend/picomatch-4.0.4
dependabot/npm_and_yarn/backend/picomatch-2.3.2
dependabot/npm_and_yarn/frontend/yaml-1.10.3
dependabot/npm_and_yarn/test/flatted-3.4.2
dependabot/npm_and_yarn/test/tar-7.5.11
dependabot/npm_and_yarn/frontend/immutable-5.1.5
master
dependabot/npm_and_yarn/test/glob-10.5.0
dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1
dependabot/npm_and_yarn/test/form-data-4.0.4
v3-abandoned
bump-freedns
openidc
ssl-passthrough-hosts
static-content
v2.14.0
v2.13.7
v2.13.6
v2.13.5
v2.13.4
v2.13.3
v2.13.2
v2.13.1
v2.13.0
v2.12.6
v2.12.5
v2.12.4
v2.12.3
v2.12.2
v2.12.1
v2.12.0
v2.11.3
v2.11.2
v2.11.1
v2.11.0
v2.10.4
v2.10.3
v2.10.2
v2.10.1
v2.10.0
v2.9.22
v2.9.21
v2.9.20
v2.9.19
v2.9.18
v2.9.17
v2.9.16
v2.9.15
v2.9.14
v2.9.13
v2.9.12
v2.9.11
v2.9.10
v2.9.9
v2.9.8
v2.9.7
v2.9.6
v2.9.5
v2.9.4
v2.9.3
v2.9.2
v2.9.1
v2.9.0
v2.8.1
v2.8.0
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.0
v2.3.1
v2.3.0
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
2.0.14
2.0.13
2.0.12
2.0.11
2.0.10
2.0.9
2.0.8
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.0
v2.0.0
1.1.2
1.1.1
1.0.1
Labels
Clear labels   
awaiting feedback

   
bug

   
cannot reproduce

   
dns provider request

   
duplicate

   
enhancement

   
enhancement

   
enhancement

   
good first issue

   
help wanted

   
invalid

   
need more info

   
no certbot plugin available

   
product-support

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
stale

   
troll

   
upstream issue

   
v2

   
v2

   
v2

   
v3

   
wontfix
No labels
awaiting feedback
bug
cannot reproduce
dns provider request
duplicate
enhancement
enhancement
enhancement
good first issue
help wanted
invalid
need more info
no certbot plugin available
product-support
pull-request
question
stale
troll
upstream issue
v2
v2
v2
v3
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/nginx-proxy-manager-NginxProxyManager#33
No description provided.