[PR #4794] [MERGED] Add basic MySQL TLS support #3960

Closed
opened 2026-02-26 08:32:36 +03:00 by kerem · 0 comments

📋 Pull Request Information

Original PR: https://github.com/NginxProxyManager/nginx-proxy-manager/pull/4794
Author: @Johno-ACSLive
Created: 10/8/2025
Status: Merged
Merged: 11/3/2025
Merged by: @jc21

Base: develop ← Head: develop


📝 Commits (3)

  • e34206b Include SSL Options for MySQL
  • 5acf287 Aligned Assignments and arrow-parens
  • 71a2277 Replace spaces with tabs

📊 Changes

3 files changed (+26 additions, -5 deletions)


📝 backend/db.js (+2 -1)
📝 backend/lib/config.js (+10 -4)
📝 docs/src/setup/index.md (+14 -0)

📄 Description

Summary

This PR adds minimal, opt‑in TLS support for MySQL connections in Nginx Proxy Manager. It introduces three environment variables:

| Variable | Default | Purpose |
|----------|---------|---------|
| DB_MYSQL_SSL | false | Enable SSL when set to true. |
| DB_MYSQL_SSL_REJECT_UNAUTHORIZED | true | Controls certificate chain validation. |
| DB_MYSQL_SSL_VERIFY_IDENTITY | true | Enables hostname verification. |

No behavior changes for existing users unless DB_MYSQL_SSL is explicitly enabled. Does not impact other DB engine configuration.

Motivation

Environments such as:

  • Azure Database for MySQL (secure transport enforced)
  • Self-hosted MySQL with require_secure_transport=ON
  • Security baselines requiring encrypted DB connections

…currently cause startup failure (ER_SECURE_TRANSPORT_REQUIRED) because connection attempts are plaintext. This update allows secure connections while remaining completely backward compatible.

Backward Compatibility

| Scenario | Before | After |
|----------|--------|-------|
| No TLS vars set | Plain MySQL | Same |
| Server requires TLS; no vars set | Startup error | Same (user must enable SSL) |
| TLS enabled (DB_MYSQL_SSL=true) | N/A | Encrypted session |
| Self-signed cert (user sets DB_MYSQL_SSL_REJECT_UNAUTHORIZED=false) | N/A | Connects (user-accepted risk) |
| Hostname mismatch & DB_MYSQL_SSL_VERIFY_IDENTITY=true | N/A | Fails (correct security posture) |

Out of Scope / Future Work

  • Optional CA / client certificate path variables
  • Min/Max Cipher and associated checks
  • Postgres TLS parity (could mirror same pattern)

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
