[GH-ISSUE #564] Cannot specify ciphers? #472

Open
opened 2026-02-26 06:32:59 +03:00 by kerem · 15 comments
Owner

Originally created by @sbazzell on GitHub (Aug 17, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/564

Whenever I try to specify ciphers the way I would normally do using nginx vanilla, the proxy host goes to offline status.

So does

> ssl_ciphers 'insert cipher list here';

and

> ssl_prefer_server_ciphers on;

not work?


@dash74 commented on GitHub (Aug 27, 2020):

It looks like the only way to edit the ciphers would be to edit `/etc/nginx/conf.d/include/ssl-ciphers.conf` inside the docker container. You can do this by running `docker exec -it "docker-name" bash`. After editing the file you type `exit`. You'll have to commit the changes to a new file by running `sudo docker commit [CONTAINER_ID] [new_image_name]`.


@Mattie112 commented on GitHub (Sep 7, 2020):

Yes I also want to change the ciphers. Any chance we can have this also exported in a volume just like the (optional) config files.


@Mattie112 commented on GitHub (Sep 7, 2020):

I did find a solution / workaround.

Simply create your own cipher file (outside of the container), for example generate it here https://ssl-config.mozilla.org/ but only use the protocols/ciphers part.

Now simply mount this file into the container
`/etc/nginx/conf.d/include/ssl-ciphers.conf:/path/to/local/file/myown-custom-ssl-ciphers.conf`

And now you have your own ciphers. Downside is that this no longer benefits from updates from the NPM itself. So you might want to check https://github.com/jc21/nginx-proxy-manager/blob/master/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf from time to time to check your file is up to date.
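The periodic "is my file still up to date" check mentioned above can be automated by comparing the TLS directives of the mounted file with a freshly downloaded upstream copy. The following is an added example, not code from the thread or from NPM; the function names are hypothetical and both sample files are constructed so the script runs offline.

```python
import re

# Directives that decide what TLS the proxy negotiates.
TLS_DIRECTIVES = ("ssl_protocols", "ssl_ciphers", "ssl_prefer_server_ciphers")

# Constructed samples (not the real NPM file): an older local copy and a newer upstream.
CUSTOM = """
ssl_session_timeout 5m;
# local override, written some time ago
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA';
ssl_prefer_server_ciphers on;
"""
UPSTREAM = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
"""


def parse_tls_directives(conf_text):
    """Return {directive: [values]} for the TLS directives in an nginx snippet."""
    found = {}
    body = re.sub(r"#[^\n]*", "", conf_text)      # drop comments
    for statement in body.split(";"):             # nginx ends each directive with ';'
        tokens = statement.split()
        if not tokens or tokens[0] not in TLS_DIRECTIVES:
            continue
        # Cipher lists are often quoted, so strip surrounding quotes.
        name, args = tokens[0], " ".join(tokens[1:]).strip("'\"")
        # ssl_ciphers is one colon-separated OpenSSL string; the rest are space-separated.
        found[name] = [v for v in args.split(":" if name == "ssl_ciphers" else None) if v]
    return found


def drift(custom_text, upstream_text):
    """List, per directive, the values present on only one side."""
    mine, theirs = parse_tls_directives(custom_text), parse_tls_directives(upstream_text)
    report = {}
    for name in TLS_DIRECTIVES:
        a, b = mine.get(name, []), theirs.get(name, [])
        only_custom = [v for v in a if v not in b]
        only_upstream = [v for v in b if v not in a]
        if only_custom or only_upstream:
            report[name] = {"only_custom": only_custom, "only_upstream": only_upstream}
    return report


if __name__ == "__main__":
    print(drift(CUSTOM, UPSTREAM))
```

An empty report means the mounted file negotiates the same protocols and ciphers as upstream; entries under `only_custom` are the ones to review first, since they are what the local override still offers after upstream dropped them.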


@Kopernikus1979 commented on GitHub (Apr 5, 2022):

> I did find a solution / workaround.
>
> Simply create your own cipher file (outside of the container), for example generate it here https://ssl-config.mozilla.org/ but only use the protocols/ciphers part.
>
> Now simply mount this file into the container `/etc/nginx/conf.d/include/ssl-ciphers.conf:/path/to/local/file/myown-custom-ssl-ciphers.conf`
>
> And now you have your own ciphers. Downside is that this no longer benefits from updates from the NPM itself. So you might want to check https://github.com/jc21/nginx-proxy-manager/blob/master/docker/rootfs/etc/nginx/conf.d/include/ssl-ciphers.conf from time to time to check your file is up to date.

@Mattie112

Could you help me mount /etc/nginx/conf.d/include/ssl-ciphers.conf:/path/to/local/file/myown-custom-ssl-ciphers.conf?
I'm using Unraid and tried it, but I only seem to be able to mount a directory, not a file.

Thx


@Mattie112 commented on GitHub (Apr 5, 2022):

image

You should be able to just type it in :)


@Kopernikus1979 commented on GitHub (Apr 5, 2022):

> image
>
> You should be able to just type it in :)

Hi,

Tried it, but I get this error in my docker log:

Schermafbeelding 2022-04-05 153922

If I go to /etc/nginx/conf.d/include/ssl-ciphers.conf I see it's my new modded file, however settings are not loaded when doing cryptcheck.fr for my domain


@Mattie112 commented on GitHub (Apr 5, 2022):

Can you run `docker inspect NginxProxyManager`

And check the following part:

```
"HostConfig": {
    "Binds": [
        "/mnt/user/appdata/NginxProxyManager/matthijs-custom-ssl-ciphers.conf:/etc/nginx/conf.d/include/ssl-ciphers.conf:rw",
        "/mnt/user/appdata/NginxProxyManager:/config:rw"
    ],
```

You can see how I have it and that does work. Does it look different for you?
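The manual check requested above can be scripted. The following is an added example, not code from the thread or the project: it reads `docker inspect` JSON, reports which host file is bind-mounted over the include file, and flags the case where host and container paths were entered in the wrong order (Docker's bind syntax is host path first, container path second). The function names and the `/srv/npm/...` host paths are assumptions, and both inputs are constructed.

```python
import json

# Container path of the include file, as given in the thread.
TARGET = "/etc/nginx/conf.d/include/ssl-ciphers.conf"

# Constructed `docker inspect` excerpts; the /srv/npm host paths are placeholders.
GOOD = json.dumps([{"HostConfig": {"Binds": [
    "/srv/npm/custom-ssl-ciphers.conf:" + TARGET + ":rw", "/srv/npm/data:/data:rw"]}}])
SWAPPED = json.dumps([{"Mounts": [
    {"Type": "bind", "Source": TARGET, "Destination": "/srv/npm/custom-ssl-ciphers.conf"}]}])


def bind_mounts(inspect_json):
    """Collect (host_path, container_path) pairs from `docker inspect` output."""
    data = json.loads(inspect_json)
    container = data[0] if isinstance(data, list) else data  # the CLI prints a JSON list
    pairs = set()
    # HostConfig.Binds keeps the raw "host:container[:options]" strings.
    for bind in (container.get("HostConfig") or {}).get("Binds") or []:
        parts = bind.split(":")
        if len(parts) >= 2:
            pairs.add((parts[0], parts[1]))
    # Mounts is the resolved view; only bind mounts map a host path.
    for m in container.get("Mounts") or []:
        if m.get("Type") == "bind":
            pairs.add((m.get("Source", ""), m.get("Destination", "")))
    return sorted(pairs)


def check_cipher_mount(inspect_json, target=TARGET):
    """Return (host_source or None, list of problems) for the cipher include mount."""
    pairs = bind_mounts(inspect_json)
    sources = [host for host, dest in pairs if dest == target]
    problems = []
    if any(host == target for host, _ in pairs):
        problems.append("host and container paths are swapped: " + target + " is the host side")
    if not sources:
        problems.append("nothing is bind-mounted over " + target)
    elif len(sources) > 1:
        problems.append("several host paths are mounted over " + target)
    return (sources[0] if sources else None), problems


if __name__ == "__main__":
    print(check_cipher_mount(GOOD))
    print(check_cipher_mount(SWAPPED))
```

A clean result only shows the file is mounted; whether nginx actually loaded it still has to be confirmed against the running server, for example with the external TLS scanners used later in the thread.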


@Kopernikus1979 commented on GitHub (Apr 5, 2022):

I got this:

```
"Mounts": [
    {
        "Type": "bind",
        "Source": "/tmp/Nginx-Proxy-Manager-Official/var/log",
        "Destination": "/var/log",
        "Mode": "rw",
        "RW": true,
        "Propagation": "rprivate"
    },
    {
        "Type": "bind",
        "Source": "/mnt/user/appdata/Nginx-Proxy-Manager-Official/custom-ssl-ciphers.conf",
        "Destination": "/etc/nginx/conf.d/include/ssl-ciphers.conf",
        "Mode": "rw",
        "RW": true,
        "Propagation": "rprivate"
    },
    {
        "Type": "bind",
        "Source": "/mnt/user/appdata/Nginx-Proxy-Manager-Official/data",
        "Destination": "/data",
        "Mode": "rw",
        "RW": true,
        "Propagation": "rprivate"
    },
    {
        "Type": "bind",
        "Source": "/mnt/user/appdata/Nginx-Proxy-Manager-Official/letsencrypt",
        "Destination": "/etc/letsencrypt",
        "Mode": "rw",
        "RW": true,
        "Propagation": "rprivate"
```

@Kopernikus1979 commented on GitHub (Apr 5, 2022):

Just found something strange: it seems that in the latest version of NPM the ciphers are already compliant with the latest Mozilla recommendations; however, when doing a check it still uses old ciphers. Can you do a cryptcheck to see your result?


@Mattie112 commented on GitHub (Apr 5, 2022):

Ah yeah might be fair to say I use this repo:

https://github.com/Mattie112/docker-nginx-proxy-manager (and that is a fork of https://github.com/jlesage/docker-nginx-proxy-manager)

I think it uses / used to use this project but yeah that was a while ago..... So it could be that here the paths are changed, sorry can't keep track on what repo I use exactly :p

Anyway, my file:

```
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:50m;

# intermediate configuration. tweak to your needs.
# intermediate configuration
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
```

I always use https://www.ssllabs.com/ssltest/ for checking (A+ for me) but here is the output from your site:

image


@Kopernikus1979 commented on GitHub (Apr 7, 2022):

@Mattie112

Hi,

I found the problem.
See my bug report:

https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1982


@Mattie112 commented on GitHub (Apr 7, 2022):

Yeah I'm doing that manually from time to time XD Have to look into github pipelines (or whatever it is called) at some point.

I just pushed `mattie112/docker-nginx-proxy-manager:latest` (and `:master` and `:v1.26.0`) to be up-to-date with jlesage again :)

(And the reason I made my own fork is because I kinda liked the all-in-one solution but I needed 80/443, so yeah I just chose this solution.)

edit:
You can always drop me a message if you need some changes to be merged just open an issue on my fork :)


@github-actions[bot] commented on GitHub (Mar 26, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@Xyz00777 commented on GitHub (Dec 13, 2024):

This is, as far as I know, still not working :(
When can this be fixed?


@github-actions[bot] commented on GitHub (Jun 22, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍
