[GH-ISSUE #422] SSL on default site #356

Open
opened 2026-02-26 06:32:31 +03:00 by kerem · 16 comments

Originally created by @dam57950 on GitHub (May 25, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/422

Hello, I would like to use an SSL certificate when trying to access an unknown host.

I'm using Safari, so after getting HTTPS one time, it always wants to redirect HTTP to HTTPS, and when trying to access the unknown host error page, it can't connect because of the lack of a certificate.

Thanks for all your work!


@ItsEcholot commented on GitHub (Aug 26, 2021):

This would be especially useful, since nginx-proxy-manager supports (yay) letsencrypt wildcard certificates.


@mriksman commented on GitHub (Oct 21, 2021):

+1. Very strange that we can't set the default page up like we set up a Proxy Host (Force SSL, set certificates etc).


@benjaminchodroff commented on GitHub (May 23, 2022):

Hitting this too, +1. Would love a feature to support a default site for https that allows a wildcard SSL certificate to be used to show a generic error page/redirect.


@user01010111 commented on GitHub (Sep 6, 2022):

+1 here -- I think this should be an option.


@inthebrilliantblue commented on GitHub (Oct 3, 2022):

+1 here. SSL on default anything in the default site settings is horribly broken.


@jepcd commented on GitHub (Nov 17, 2022):

+1 again, would be really useful


@manfred-warta commented on GitHub (Nov 1, 2023):

Hello, in fact the default site is not able to answer with different certificates; anyway, you can use a nice workaround:

Just configure a Redirection Host with a wildcard domain name, e.g. *.mydomain.xy, and do a 307 temporary redirect to your forward domain. On the SSL tab you can specify your preferred certificate.

If you host multiple domains with your NPM just do this for each domain and you are done.

Hope that helped a bit.


@github-actions[bot] commented on GitHub (May 23, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@gausie commented on GitHub (May 23, 2024):

Please keep it open!


@BrammyS commented on GitHub (Jun 6, 2024):

+1


@mrbaloghakos commented on GitHub (Jun 24, 2024):

Set up a 404 Host for *.yourdomain.com, then set the SSL certs as you like (I'm using my cert wildcard, and force SSL).
Now if I hit a non-existent subdomain, then it will show the usual 404 page with SSL.
All the existing subdomains (e.g. nas.mydomain.com) will still work as before; this only affects non-existing subdomains.

You can't set a nice custom 404 page this way, but at least you can have SSL on your 404 page.
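
An added example, not part of the thread and not NPM's own code: a check of which unknown hostnames the wildcard-host workaround (Redirection Host or 404 Host on `*.mydomain.xy` with a wildcard certificate) actually serves with a valid certificate. It assumes NPM passes the wildcard domain to nginx as a `server_name`, where a leading `*.` matches any depth of subdomain, while certificate wildcards cover exactly one label; the function names and hostnames are constructed for illustration.

```python
# Added example (not from the thread). Hostnames below are constructed samples.

def cert_covers(san: str, host: str) -> bool:
    """RFC 6125-style match: '*' is the whole left-most label, exactly one label."""
    s = san.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(s) != len(h) or "" in h:
        return False
    if s[0] == "*":
        # Require at least "*.name.tld"; public-suffix rules are out of scope here.
        return len(s) >= 3 and s[1:] == h[1:]
    return s == h


def nginx_routes(server_name: str, host: str) -> bool:
    """nginx leading-wildcard server_name: '*.d' matches any depth below d, not d."""
    server_name, host = server_name.lower(), host.lower().rstrip(".")
    if server_name.startswith("*."):
        suffix = server_name[1:]  # e.g. ".mydomain.xy"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == server_name


def audit(wildcard_host: str, cert_sans: list[str], hosts: list[str]) -> dict[str, str]:
    """Classify each hostname: handled by the wildcard host or not, cert valid or not."""
    result = {}
    for host in hosts:
        if not nginx_routes(wildcard_host, host):
            result[host] = "default site"
        elif any(cert_covers(san, host) for san in cert_sans):
            result[host] = "wildcard host, certificate valid"
        else:
            result[host] = "wildcard host, certificate name mismatch"
    return result


if __name__ == "__main__":
    report = audit("*.mydomain.xy", ["*.mydomain.xy"],
                   ["typo.mydomain.xy", "a.b.mydomain.xy", "mydomain.xy", "other.example"])
    for host, status in report.items():
        print(f"{host:20} {status}")
```

Multi-level names such as `a.b.mydomain.xy` reach the wildcard host but still produce a browser certificate error, and the apex and unrelated names still land on the default site.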


@cptn-cosmo commented on GitHub (Dec 27, 2024):

+1


@github-actions[bot] commented on GitHub (Jul 22, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍


@eastoncrafter commented on GitHub (Nov 16, 2025):

Can this issue be brought back to life? I'd like to be able to customize my default site, and I use Cloudflare, which will throw an error if it's not over SSL.


@hagih commented on GitHub (Nov 18, 2025):

This feature request (adding an SSL certificate to the default site) is absolutely necessary for the default site to work at all in certain circumstances. It's a shame it's not simply an option to pick an SSL certificate for the Default page like you can for all other services.

Why:

  • HSTS domain - the "Default site" feature is completely unusable if the domain you purchased is HSTS enabled. For this domain, the default site will NEVER be served since unencrypted HTTP pages cannot be served on an HSTS domain.
  • Cloudflare - as per @eastoncrafter, Cloudflare, presumably over a tunnel, also enforces SSL on the backend. I believe this can be disabled but that weakens security and shouldn't be a decision needed to simply serve a default site.
  • Automatic forwards - default site will be hidden if the browser automatically replaces "http" with "https" as per the original request from @dam57950

Workarounds considered:

  • 404 Host (mentioned by @mrbaloghakos). Depending on your requirements, this is ugly but it does work. You can serve a 404 page when trying to access an unknown host by creating a wildcard *.yourdomain.com 404 host. Unfortunately, an ugly 404 page is not nice when you already have a nice custom HTML setup ready for this circumstance and is still far less than the customisable functionality of the default site
  • Wildcard proxy host. You can create a wildcard proxy host (*.yourdomain.com) but this needs to point to an external website. You could set up an external web server which hosts your custom default site code, which NPM forwards to and is served when a service isn't set up, but this is getting a bit extreme. NPM has built-in functionality for serving a default site when a service isn't connected; we just want to use it.

In short: please consider adding this feature - the ability to select an SSL certificate for the default site.

Thanks


@hagih commented on GitHub (Nov 18, 2025):

After waaaay too long of messing around with this, I was able to set up a new webserver and file editor in docker containers and then use a wildcard proxy host in NPM to point any unknown clients to the new webserver. This bypasses the woefully limited "default site" settings and allows an SSL certificate to be applied.

Of course due to more limitations of Nginx Proxy Manager (Support for subfolders in proxy hosts #40: Closed as not planned, https://github.com/NginxProxyManager/nginx-proxy-manager/issues/40), apparently it's not possible to point a proxy host to a specific folder on that webserver, so I ended up just dunking the HTML in the root of the web server. So an entire web server dedicated to just serving the default page so that NPM can add SSL to it before serving. Urgh
