starred/nginx-proxy-manager-NginxProxyManager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2026-04-25 01:15:51 +03:00
Code Issues 937 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #646] Running non-ssl protocols over ssl port (i.e. using SSH over Nginx using $ssl_preread_protocol ) #549

New issue
Open
opened 2026-02-26 06:33:21 +03:00 by kerem · 9 comments
kerem commented 2026-02-26 06:33:21 +03:00
Owner
Copy link

Originally created by @maltokyo on GitHub (Oct 10, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/646

This article describes exactly what I want to do:

https://www.nginx.com/blog/running-non-ssl-protocols-over-ssl-port-nginx-1-15-2/

Basically, for one of my domain names (vhost), I would like port 443 to be accepted and redirect connections to my SSH server, rather than a http/https service.

The code to do it is in the article and pasted below (checks if the 443 packets are destined for https or SSH and redirects accordingly, but I am unsure where to insert this or how to use it with NPM). Could someone please give me a hint, what I would need to do to get this working for just one domain name?

stream {
    upstream ssh {
        server 192.0.2.1:22;
    }

    upstream web {
        server 192.0.2.2:443;
    }

    map $ssl_preread_protocol $upstream {
        default ssh;
        "TLSv1.2" web;
    }

    # SSH and SSL on the same port
    server {
        listen 443;

        proxy_pass $upstream;
        ssl_preread on;
    }
}

Any advice or help would be really appreciated.

Originally created by @maltokyo on GitHub (Oct 10, 2020). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/646 This article describes exactly what I want to do: https://www.nginx.com/blog/running-non-ssl-protocols-over-ssl-port-nginx-1-15-2/ Basically, for one of my domain names (vhost), I would like port 443 to be accepted and redirect connections to my SSH server, rather than a http/https service. The code to do it is in the article and pasted below (checks if the 443 packets are destined for https or SSH and redirects accordingly, but I am unsure where to insert this or how to use it with NPM). Could someone please give me a hint, what I would need to do to get this working for just one domain name? ``` stream { upstream ssh { server 192.0.2.1:22; } upstream web { server 192.0.2.2:443; } map $ssl_preread_protocol $upstream { default ssh; "TLSv1.2" web; } # SSH and SSL on the same port server { listen 443; proxy_pass $upstream; ssl_preread on; } } ``` Any advice or help would be really appreciated.
kerem commented 2026-02-26 06:33:21 +03:00
Author
Owner
Copy link

@maltokyo commented on GitHub (Oct 10, 2020):

At first it seems that NPM can do this with "Add Stream" (in this section):
image

However, the implementation here seems to NOT use $ssl_preread_protocol - so if there is another service already listening on 443, the above does not work. So it leaves a couple more questions:

  • Can I add for just requests coming to one vhost rather than all?
  • NPM is running on docker, so what to add in the "IP address" field if I want it to forward the connection above outside of the docker network (to another bare metal IP on the LAN, for example)?
<!-- gh-comment-id:706519428 --> @maltokyo commented on GitHub (Oct 10, 2020): At first it seems that NPM can do this with "Add Stream" (in this section): ![image](https://user-images.githubusercontent.com/1388507/95651563-8fbc3280-0aeb-11eb-8b99-55e6accd77e3.png) However, the implementation here seems to NOT use $ssl_preread_protocol - so if there is another service already listening on 443, the above does not work. So it leaves a couple more questions: - Can I add for just requests coming to one vhost rather than all? - NPM is running on docker, so what to add in the "IP address" field if I want it to forward the connection above outside of the docker network (to another bare metal IP on the LAN, for example)?
kerem commented 2026-02-26 06:33:21 +03:00
Author
Owner
Copy link

@litio2001 commented on GitHub (Jun 8, 2021):

At first it seems that NPM can do this with "Add Stream" (in this section):
image

However, the implementation here seems to NOT use $ssl_preread_protocol - so if there is another service already listening on 443, the above does not work. So it leaves a couple more questions:

* Can I add for just requests coming to one vhost rather than all?

* NPM is running on docker, so what to add in the "IP address" field if I want it to forward the connection above outside of the docker network (to another bare metal IP on the LAN, for example)?

I think your query is related precisely to this issue that I just read. #344

<!-- gh-comment-id:856475176 --> @litio2001 commented on GitHub (Jun 8, 2021): > > > At first it seems that NPM can do this with "Add Stream" (in this section): > ![image](https://user-images.githubusercontent.com/1388507/95651563-8fbc3280-0aeb-11eb-8b99-55e6accd77e3.png) > > However, the implementation here seems to NOT use $ssl_preread_protocol - so if there is another service already listening on 443, the above does not work. So it leaves a couple more questions: > > * Can I add for just requests coming to one vhost rather than all? > > * NPM is running on docker, so what to add in the "IP address" field if I want it to forward the connection above outside of the docker network (to another bare metal IP on the LAN, for example)? I think your query is related precisely to this issue that I just read. #344
kerem commented 2026-02-26 06:33:21 +03:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Mar 24, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:2016661967 --> @github-actions[bot] commented on GitHub (Mar 24, 2024): Issue is now considered stale. If you want to keep it open, please comment :+1:
kerem commented 2026-02-26 06:33:21 +03:00
Author
Owner
Copy link

@maltokyo commented on GitHub (Mar 24, 2024):

Any help from anyone?

<!-- gh-comment-id:2016718873 --> @maltokyo commented on GitHub (Mar 24, 2024): Any help from anyone?
kerem commented 2026-02-26 06:33:21 +03:00
Author
Owner
Copy link

@litio2001 commented on GitHub (Mar 28, 2024):

Any help from anyone?

Have you tried the alternative mentioned here?: #344
Due to lack of time I have not been able to try it.

<!-- gh-comment-id:2025117031 --> @litio2001 commented on GitHub (Mar 28, 2024): > Any help from anyone? Have you tried the alternative mentioned here?: #344 Due to lack of time I have not been able to try it.
kerem commented 2026-02-26 06:33:21 +03:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Dec 18, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:2550131621 --> @github-actions[bot] commented on GitHub (Dec 18, 2024): Issue is now considered stale. If you want to keep it open, please comment :+1:
kerem commented 2026-02-26 06:33:21 +03:00
Author
Owner
Copy link

@maltokyo commented on GitHub (Dec 18, 2024):

Bump

On Wed, Dec 18, 2024, 3:06 AM github-actions[bot] @.***>
wrote:

Issue is now considered stale. If you want to keep it open, please comment
👍


Reply to this email directly, view it on GitHub
https://github.com/NginxProxyManager/nginx-proxy-manager/issues/646#issuecomment-2550131621,
or unsubscribe
https://github.com/notifications/unsubscribe-auth/AAKS7W6N6FLZVDCIFWOZGBL2GDKCZAVCNFSM6AAAAABTZVQDT6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNJQGEZTCNRSGE
.
You are receiving this because you authored the thread.Message ID:
@.***>

<!-- gh-comment-id:2550176159 --> @maltokyo commented on GitHub (Dec 18, 2024): Bump On Wed, Dec 18, 2024, 3:06 AM github-actions[bot] ***@***.***> wrote: > Issue is now considered stale. If you want to keep it open, please comment > 👍 > > — > Reply to this email directly, view it on GitHub > <https://github.com/NginxProxyManager/nginx-proxy-manager/issues/646#issuecomment-2550131621>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AAKS7W6N6FLZVDCIFWOZGBL2GDKCZAVCNFSM6AAAAABTZVQDT6VHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDKNJQGEZTCNRSGE> > . > You are receiving this because you authored the thread.Message ID: > ***@***.***> >
kerem commented 2026-02-26 06:33:21 +03:00
Author
Owner
Copy link

@albeec13 commented on GitHub (Jan 24, 2025):

@maltokyo I'm pretty sure you can make this work by using this method: https://nginxproxymanager.com/advanced-config/#custom-nginx-configurations

Essentially, create a /data/nginx/custom/ directory in your NPM docker data directory if it doesn't already exist, then create a file called /data/nginx/custom/stream.conf and paste the contents of your stream directive in there, without the outer stream block, something like:

    upstream ssh {
        server 192.0.2.1:22;
    }

    upstream web {
        server 192.0.2.2:443;
    }

    map $ssl_preread_protocol $upstream {
        default ssh;
        "TLSv1.2" web;
    }

    # SSH and SSL on the same port
    server {
        listen 443;

        proxy_pass $upstream;
        ssl_preread on;
    }

There is a caveat, however, which is this will only work if you have nothing else listening on port 443, meaning if you have any standard proxy hosts assigned to HTTPS, this will conflict and cause NPM to complain about 0.0.0.0:443 already being bound at startup.

Unfortunately, NPM doesn't allow you to set the incoming port for proxy hosts, as the only options are HTTP/HTTPS from the "scheme" dropdown box. Therefore, you can't forward to a different internal port from the stream directive which is already listening on 443.

There is a way to do this using a standard nginx install, if you choose to go that route, but you'll lose the pretty GUI of NPM and the built-in SSL cert renewal functionality. For example, I have a setup similar to this running on a standard non-NPM nginx install on a linux server, and what I did there was something like this:

stream {
    upstream ssh {
        server 127.0.0.1:12345;
    }

    upstream web {
        server 127.0.0.1:444;
    }

    map $ssl_preread_protocol $upstream {
        default ssh;
        "TLSv1.2" web;
        "TLSv1.3" web;
    }

    # SSH and SSL on the same port
    server {
        listen 443;
        proxy_pass $upstream;
        ssl_preread on;
    }
}

In this case, the stream listens to port 443, and uses ssl_preread_protocol to determine whether it's TLS (I only check for 1.2 or 1.3, as the others are deprecated and I don't allow them to be used, but change this to your preference), and if it does not return a TLS version, it assumes it's an SSH connection.

Notice, the upstreams are both using localhost (127.0.0.1). The ssh server, is the same machine as the nginx service, but running on port 12345, while all other HTTPS requests are forwarded back to the same machine via localhost, but using port 444, which is not exposed beyond the firewall. However, all subsequent HTTPS directives in my nginx.conf look to port 444 instead of 443, like so:

server {
        listen 444 ssl;
        ssl_certificate /etc/nginx/certs/wildcard/fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/wildcard/privkey.pem;

        server_name subdomain.some.tld some.tld;
        root    /usr/share/nginx/html/some.tld;

        location / {
            try_files $uri $uri/ $uri.html =404;
        }
    }

In other words, a request from a public IP would go like this:

  • Hits my firewall, which has only exposed 443
  • Firewall forwards to internal IP running nginx, also at 443
  • stream directive determines if TLS or not (i.e. ssh, or something else)
    • if ssh forward to ssh_server_ip:port
    • if TLS proxy_pass to localhost at 127.0.0.1:444, which will hit the same nginx service, but does not need to be exposed publicly on the firewall
  • http directive containing servers with listen directives for port 444 can be used to host internal services and forward via proxy_pass

More details here: https://blog.thewalr.us/2019/04/05/using-nginx-stream-directive-to-host-ssh-and-multiple-https-servers-on-the-same-port/

<!-- gh-comment-id:2613387551 --> @albeec13 commented on GitHub (Jan 24, 2025): @maltokyo I'm pretty sure you can make this work by using this method: https://nginxproxymanager.com/advanced-config/#custom-nginx-configurations Essentially, create a `/data/nginx/custom/` directory in your NPM docker data directory if it doesn't already exist, then create a file called `/data/nginx/custom/stream.conf` and paste the contents of your `stream` directive in there, without the outer `stream` block, something like: ``` upstream ssh { server 192.0.2.1:22; } upstream web { server 192.0.2.2:443; } map $ssl_preread_protocol $upstream { default ssh; "TLSv1.2" web; } # SSH and SSL on the same port server { listen 443; proxy_pass $upstream; ssl_preread on; } ``` There is a caveat, however, which is this will only work if you have nothing else listening on port 443, meaning if you have any standard proxy hosts assigned to HTTPS, this will conflict and cause NPM to complain about 0.0.0.0:443 already being bound at startup. Unfortunately, NPM doesn't allow you to set the incoming port for proxy hosts, as the only options are HTTP/HTTPS from the "scheme" dropdown box. Therefore, you can't forward to a different internal port from the stream directive which is already listening on 443. There is a way to do this using a standard nginx install, if you choose to go that route, but you'll lose the pretty GUI of NPM and the built-in SSL cert renewal functionality. For example, I have a setup similar to this running on a standard non-NPM nginx install on a linux server, and what I did there was something like this: ``` stream { upstream ssh { server 127.0.0.1:12345; } upstream web { server 127.0.0.1:444; } map $ssl_preread_protocol $upstream { default ssh; "TLSv1.2" web; "TLSv1.3" web; } # SSH and SSL on the same port server { listen 443; proxy_pass $upstream; ssl_preread on; } } ``` In this case, the stream listens to port 443, and uses `ssl_preread_protocol` to determine whether it's TLS (I only check for 1.2 or 1.3, as the others are deprecated and I don't allow them to be used, but change this to your preference), and if it does not return a TLS version, it assumes it's an SSH connection. Notice, the upstreams are both using localhost (127.0.0.1). The ssh server, is the same machine as the nginx service, but running on port 12345, while all other HTTPS requests are forwarded back to the same machine via localhost, but using port 444, which is not exposed beyond the firewall. However, all subsequent HTTPS directives in my nginx.conf look to port 444 instead of 443, like so: ``` server { listen 444 ssl; ssl_certificate /etc/nginx/certs/wildcard/fullchain.pem; ssl_certificate_key /etc/nginx/certs/wildcard/privkey.pem; server_name subdomain.some.tld some.tld; root /usr/share/nginx/html/some.tld; location / { try_files $uri $uri/ $uri.html =404; } } ``` In other words, a request from a public IP would go like this: * Hits my firewall, which has only exposed 443 * Firewall forwards to internal IP running nginx, also at 443 * stream directive determines if TLS or not (i.e. ssh, or something else) * if ssh forward to ssh_server_ip:port * if TLS proxy_pass to localhost at 127.0.0.1:444, which will hit the same nginx service, but does not need to be exposed publicly on the firewall * http directive containing servers with listen directives for port 444 can be used to host internal services and forward via proxy_pass More details here: https://blog.thewalr.us/2019/04/05/using-nginx-stream-directive-to-host-ssh-and-multiple-https-servers-on-the-same-port/
kerem commented 2026-02-26 06:33:21 +03:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Nov 11, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:3514689749 --> @github-actions[bot] commented on GitHub (Nov 11, 2025): Issue is now considered stale. If you want to keep it open, please comment :+1:
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
dependabot/npm_and_yarn/backend/liquidjs-10.25.7
dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987
dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41
dependabot/npm_and_yarn/backend/basic-ftp-5.3.0
dependabot/npm_and_yarn/test/follow-redirects-1.16.0
dependabot/npm_and_yarn/test/axios-1.15.0
dependabot/npm_and_yarn/frontend/lodash-4.18.1
dependabot/npm_and_yarn/backend/lodash-4.18.1
dependabot/npm_and_yarn/test/lodash-4.18.1
dependabot/npm_and_yarn/frontend/vite-7.3.2
dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21
dependabot/npm_and_yarn/frontend/lodash-es-4.18.1
dependabot/npm_and_yarn/frontend/happy-dom-20.8.9
dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0
dependabot/npm_and_yarn/frontend/picomatch-4.0.4
dependabot/npm_and_yarn/backend/picomatch-2.3.2
dependabot/npm_and_yarn/frontend/yaml-1.10.3
dependabot/npm_and_yarn/test/flatted-3.4.2
dependabot/npm_and_yarn/test/tar-7.5.11
dependabot/npm_and_yarn/frontend/immutable-5.1.5
master
dependabot/npm_and_yarn/test/glob-10.5.0
dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1
dependabot/npm_and_yarn/test/form-data-4.0.4
v3-abandoned
bump-freedns
openidc
ssl-passthrough-hosts
static-content
v2.14.0
v2.13.7
v2.13.6
v2.13.5
v2.13.4
v2.13.3
v2.13.2
v2.13.1
v2.13.0
v2.12.6
v2.12.5
v2.12.4
v2.12.3
v2.12.2
v2.12.1
v2.12.0
v2.11.3
v2.11.2
v2.11.1
v2.11.0
v2.10.4
v2.10.3
v2.10.2
v2.10.1
v2.10.0
v2.9.22
v2.9.21
v2.9.20
v2.9.19
v2.9.18
v2.9.17
v2.9.16
v2.9.15
v2.9.14
v2.9.13
v2.9.12
v2.9.11
v2.9.10
v2.9.9
v2.9.8
v2.9.7
v2.9.6
v2.9.5
v2.9.4
v2.9.3
v2.9.2
v2.9.1
v2.9.0
v2.8.1
v2.8.0
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.0
v2.3.1
v2.3.0
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
2.0.14
2.0.13
2.0.12
2.0.11
2.0.10
2.0.9
2.0.8
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.0
v2.0.0
1.1.2
1.1.1
1.0.1
Labels
Clear labels   
awaiting feedback

   
bug

   
cannot reproduce

   
dns provider request

   
duplicate

   
enhancement

   
enhancement

   
enhancement

   
good first issue

   
help wanted

   
invalid

   
need more info

   
no certbot plugin available

   
product-support

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
stale

   
troll

   
upstream issue

   
v2

   
v2

   
v2

   
v3

   
wontfix
No labels
awaiting feedback
bug
cannot reproduce
dns provider request
duplicate
enhancement
enhancement
enhancement
good first issue
help wanted
invalid
need more info
no certbot plugin available
product-support
pull-request
question
stale
troll
upstream issue
v2
v2
v2
v3
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/nginx-proxy-manager-NginxProxyManager#549
No description provided.