[PR #2956] Client certificate support #3640

Open
opened 2026-02-26 08:31:24 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2956
Author: @wrouesnel
Created: 5/28/2023
Status: 🔄 Open

Base: develop ← Head: client_certificate_support


📝 Commits (10+)

  • b19a272 Fix OpenSSL data parsing
  • c664e86 Add storing for Client CA certificates in the database
  • d5b3e53 Add frontend support for the new clientca type
  • e5bb50c Add support for adding Client Certificates to access-lists
  • fb766d1 Add support for writing client CAs when access-lists are updated
  • 366efc8 Add template support for all host types to do client CA authorization
  • 34305e0 Add authority count to access-list drop down in proxy host
  • f601105 Add a development docker-compose file for use with User Namespaces
  • 6cf91a2 Add drop_unauthorized parameter to proxy hosts
  • f3c7409 Adapt CI command scripts to also support podman

📊 Changes

45 files changed (+895 additions, -115 deletions)

View changed files

📝 backend/doc/api.swagger.json (+7 -0)
📝 backend/internal/access-list.js (+197 -20)
📝 backend/internal/certificate.js (+43 -16)
📝 backend/internal/nginx.js (+7 -1)
📝 backend/internal/proxy-host.js (+4 -4)
➕ backend/migrations/20230526062132_add_clientcas_to_accesslists.js (+50 -0)
➕ backend/migrations/20230529030411_add_drop_unauthorized_to_proxyhosts.js (+39 -0)
📝 backend/models/access_list.js (+15 -6)
➕ backend/models/access_list_clientcas.js (+62 -0)
📝 backend/schema/definitions.json (+6 -1)
📝 backend/schema/endpoints/access-lists.json (+14 -0)
📝 backend/schema/endpoints/proxy-hosts.json (+12 -0)
📝 backend/templates/_access.conf (+36 -17)
📝 backend/templates/_certificates.conf (+7 -1)
➕ backend/templates/access.conf (+12 -0)
➕ docker/docker-compose.dev-user.yml (+70 -0)
📝 docker/rootfs/etc/nginx/nginx.conf (+1 -0)
📝 docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh (+2 -0)
📝 frontend/js/app/api.js (+31 -0)
📝 frontend/js/app/nginx/access/form.ejs (+30 -1)

...and 25 more files

📄 Description

This PR adds client-certificate support to nginx-proxy-manager. Closes #768. Relates to #622.

A new SSL certificate is defined - "client certificate authority" - which allows uploading client CA certificates. These can then be assigned to Access Lists via the UI or API, and finally the Access List assigned to a host, which will thus enable Client Certificate Authorization for mutual TLS connections to the host.

This includes a slight revamp of the access-list system to implement client IP checks as `geo` directives. This allows the "Drop Unauthorized" function to simply not respond to clients from the wrong IP address, as well as allowing "Satisfy All" and "Satisfy Any" to include Client CA functionality - namely, using `Satisfy Any` it is possible to selectively require client certificates from some networks but not others (in my household the primary use-case of this is for Home Assistant to require certificates from the internet but not the local network).


Known Issues

  • Upgrading with the new access-list code will lead to broken proxies because the new ACL files aren't initially generated. Should this be handled in the migration script?

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
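For reference, this is what the mechanism described in the PR looks like at the nginx level. It is an added example written for this page, not the PR's templates or anything from nginx-proxy-manager: the network ranges, file paths, server name, upstream address and `$acl_*` variable names are assumptions, and `return 444` is one way to realise "simply not respond", not necessarily what the PR's `drop_unauthorized` emits. The reason a `geo`/`map` combination is needed at all is that nginx's `satisfy` directive only covers the access, auth_basic, auth_request and auth_jwt modules; client-certificate verification happens in the ssl module and is not part of `satisfy`, so "certificate OR trusted network" has to be expressed as a variable.

```nginx
# Added example, not from the PR or the project. Ranges, paths and names are
# assumptions for illustration only.

# Per-network flag from the access list: 1 for trusted source ranges, 0 otherwise.
# geo matches on $remote_addr. If nginx sits behind another proxy or a load
# balancer, configure set_real_ip_from / real_ip_header first, otherwise every
# client arrives from the proxy's address and looks "trusted".
geo $acl_trusted_network {
    default        0;
    192.168.1.0/24 1;
    10.0.0.0/8     1;
}

# $ssl_client_verify is "SUCCESS" only when the presented certificate chained to
# the CA in ssl_client_certificate; "NONE" means no certificate was offered and
# "FAILED:<reason>" means one was offered but did not verify.

# "Satisfy Any": a valid client certificate OR a trusted source network.
map "$ssl_client_verify:$acl_trusted_network" $acl_allow_any {
    default      0;
    "~^SUCCESS:" 1;
    "~:1$"       1;
}

# "Satisfy All": both a valid client certificate AND a trusted source network.
map "$ssl_client_verify:$acl_trusted_network" $acl_allow_all {
    default     0;
    "SUCCESS:1" 1;
}

server {
    listen 443 ssl;
    server_name homeassistant.example.invalid;   # assumed host

    ssl_certificate     /etc/letsencrypt/live/example/fullchain.pem;   # assumed
    ssl_certificate_key /etc/letsencrypt/live/example/privkey.pem;     # assumed

    # The uploaded "client certificate authority" bundle (assumed path).
    # "optional" lets the handshake complete without a certificate so the map
    # above can decide per request; do NOT use optional_no_ca here, it skips
    # chain validation and would accept any certificate.
    ssl_client_certificate /data/custom_ssl/clientca-1/ca.pem;
    ssl_verify_client      optional;
    ssl_verify_depth       2;

    # Drop Unauthorized: 444 closes the connection without sending a response.
    # Swap in $acl_allow_all to require both conditions, or "return 403" if an
    # explicit error page is preferred over silence.
    if ($acl_allow_any = 0) {
        return 444;
    }

    location / {
        proxy_pass http://10.0.0.5:8123;   # assumed upstream
        # Pass the verification result and subject DN so the backend can log
        # or authorise on them; it must never trust these unless they come
        # from this proxy.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
    }
}
```

To check the behaviour end to end: from outside the trusted ranges, `curl https://homeassistant.example.invalid/` should fail with an empty reply (the 444), while `curl --cert client.pem --key client.key https://homeassistant.example.invalid/` should succeed; from inside 192.168.1.0/24 a plain `curl` should succeed without a certificate. A certificate signed by a different CA should also get the empty reply, which confirms `ssl_verify_client optional` (and not `optional_no_ca`) is in effect.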

Reference
starred/nginx-proxy-manager-NginxProxyManager#3640