starred/nginx-proxy-manager-NginxProxyManager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2026-04-25 09:25:55 +03:00
Code Issues 937 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #657] Settings -> Default Site -> Redirect not working with HTTPS #556

New issue
Closed
opened 2026-02-26 06:33:22 +03:00 by kerem · 6 comments
kerem commented 2026-02-26 06:33:22 +03:00
Owner
Copy link

Originally created by @rezzorix on GitHub (Oct 15, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/657

Hi, this is about an obstacle (error?) I came across when setting the default site in NPM:

Settings -> Default Site -> Redirect not working with HTTPS

Example:
Lets say my WAN IP address which has port 80 open to NPM is 123.123.123.123

The "Default Site" is set to "Redirect to" https://www.google.com (or any other external URL).

When you then open the IP address in a browser the following happens:

  1. http://123.123.123.123 -> successful redirect
  2. https://123.123.123.123 -> certificate error/warning, not redirect

If I understand correctly then the certificate error will come anyway because the IP cannot be secured with a certificate.
However, if the certificate error is ignored in browser... shouldnt then still be a redirect possible?

Originally created by @rezzorix on GitHub (Oct 15, 2020). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/657 Hi, this is about an obstacle (error?) I came across when setting the default site in NPM: _Settings -> Default Site -> Redirect not working with HTTPS_ Example: Lets say my WAN IP address which has port 80 open to NPM is 123.123.123.123 The "Default Site" is set to "Redirect to" https://www.google.com (or any other external URL). When you then open the IP address in a browser the following happens: 1. **http**://123.123.123.123 -> successful redirect 2. **https**://123.123.123.123 -> certificate error/warning, not redirect If I understand correctly then the certificate error will come anyway because the IP cannot be secured with a certificate. However, if the certificate error is ignored in browser... shouldnt then still be a redirect possible?
kerem 2026-02-26 06:33:22 +03:00
  • closed this issue
  • added the
    bug
         label
kerem commented 2026-02-26 06:33:23 +03:00
Author
Owner
Copy link

@jc21 commented on GitHub (Oct 15, 2020):

The decision was made not to support this and to instead return a 444. I don't want to support clients that skip SSL security. I can't think of any valid use case to do this for the default site.

<!-- gh-comment-id:709632107 --> @jc21 commented on GitHub (Oct 15, 2020): The decision was made not to support this and to instead return a 444. I don't want to support clients that skip SSL security. I can't think of any valid use case to do this for the default site.
kerem commented 2026-02-26 06:33:23 +03:00
Author
Owner
Copy link

@rezzorix commented on GitHub (Oct 16, 2020):

Thanks for the quick answer.

Understood. Just as a background why I would use this feature.

I am having subdomains pointed to my WAN IP at home via DDNS...

So if someone is trying to directly enter the WAN IP with http://wan.ip - the NPM is hit with an unknown host and redirected to e.g. Google.

Since most browsers automatically use https:// there would not be a redirect at all, exposing that there might be something other than a redirect...

Anyway, maybe I am thinking about this the wrong way?

<!-- gh-comment-id:709883841 --> @rezzorix commented on GitHub (Oct 16, 2020): Thanks for the quick answer. Understood. Just as a background why I would use this feature. I am having subdomains pointed to my WAN IP at home via DDNS... So if someone is trying to directly enter the WAN IP with http://wan.ip - the NPM is hit with an unknown host and redirected to e.g. Google. Since most browsers automatically use https:// there would not be a redirect at all, exposing that there might be something other than a redirect... Anyway, maybe I am thinking about this the wrong way?
kerem commented 2026-02-26 06:33:23 +03:00
Author
Owner
Copy link

@jc21 commented on GitHub (Oct 16, 2020):

It's good to think defensively. From an attack point of view though, if port 443 is open then it's a given that there's a https server running on it. An attacker doesn't need to get a SSL cert working or otherwise in order to know that.

So in this case the security of your hosts starts with obscurity, the attacker would need to know the exact DNS names to use.

Let's assume that your DNS names are somehow known to the public either through forums or google search results. I would suggest that everyone assumes this and puts measures in place to protect their hosts further. At the end of the day the last security measures have to come from the hosts that NPM is forwarding to.

<!-- gh-comment-id:710697586 --> @jc21 commented on GitHub (Oct 16, 2020): It's good to think defensively. From an attack point of view though, if port 443 is open then it's a given that there's a https server running on it. An attacker doesn't need to get a SSL cert working or otherwise in order to know that. So in this case the security of your hosts starts with obscurity, the attacker would need to know the exact DNS names to use. Let's assume that your DNS names are somehow known to the public either through forums or google search results. I would suggest that everyone assumes this and puts measures in place to protect their hosts further. At the end of the day the last security measures have to come from the hosts that NPM is forwarding to.
kerem commented 2026-02-26 06:33:23 +03:00
Author
Owner
Copy link

@ghostersk commented on GitHub (Sep 2, 2021):

I think I have solution for HTTPS Redirect, I created 404 host where i used domain name with wildcard: *.MyDomainName.com
I enabled SSL, unfortunately I use Namecheap provider for DNS and It does not allow me create wildcard certificate, so everytime they must confirm certificate. But now I have custom error page on HTTP and HTTPS, the example bellow points to the Custom Html file what can be created from the Nginx Proxy manager > Settings > Default site: Custom

Just add this bellow to the 404 Hosts for any Domain you want, you can use the Wildcard mentioned (*.domain.com)

 location / {
    root   /data/nginx/default_www;
    index index.html;
    rewrite ^/$ /index.html break;
  }
<!-- gh-comment-id:911749015 --> @ghostersk commented on GitHub (Sep 2, 2021): I think I have solution for HTTPS Redirect, I created 404 host where i used domain name with wildcard: *.MyDomainName.com I enabled SSL, unfortunately I use Namecheap provider for DNS and It does not allow me create wildcard certificate, so everytime they must confirm certificate. But now I have custom error page on HTTP and HTTPS, the example bellow points to the Custom Html file what can be created from the Nginx Proxy manager > Settings > Default site: Custom Just add this bellow to the 404 Hosts for any Domain you want, you can use the Wildcard mentioned (*.domain.com) ``` location / { root /data/nginx/default_www; index index.html; rewrite ^/$ /index.html break; } ```
kerem commented 2026-02-26 06:33:23 +03:00
Author
Owner
Copy link

@ljlongwing commented on GitHub (Mar 21, 2023):

Do you have suggestions for this scenario, which brought me here today?

I am using Technitium DNS server and am using it primarily for DNS level add blocking. By default when a user on my home network tries to go to a 'blocked' site, it gives them a DNS error...that's not very friendly.

They have an addon app for custom block page, which allows you to display a simple message to the user (very basic html page) letting them know that it's blocked, instead of throwing a DNS error....BUT, their built in little page doesn't have an SSL certificate, so any HTTPS traffic that goes there needs to accept an unsigned certificate before they see the blocked page...which is just as bad as the dns error...my home users are not techy types....so, I thought to myself, self...how do I easily have a properly signed certificate....well, through NPM of course....so, I setup a proxy redirect with ssl, and then pointed my default page to that redirect, so any time someone hits my NPM without a proper name (like ANY blocked URL from my DNS server, NPM will redirect to the site I have defined and get the 'blocked' message I have setup.....except....http works, but https doesn't.....

So, do you have any suggestions on how to do the redirect that I'm trying to do?
...but within the settings there is an option to give it an alternate IP.

<!-- gh-comment-id:1478515005 --> @ljlongwing commented on GitHub (Mar 21, 2023): Do you have suggestions for this scenario, which brought me here today? I am using Technitium DNS server and am using it primarily for DNS level add blocking. By default when a user on my home network tries to go to a 'blocked' site, it gives them a DNS error...that's not very friendly. They have an addon app for custom block page, which allows you to display a simple message to the user (very basic html page) letting them know that it's blocked, instead of throwing a DNS error....BUT, their built in little page doesn't have an SSL certificate, so any HTTPS traffic that goes there needs to accept an unsigned certificate before they see the blocked page...which is just as bad as the dns error...my home users are not techy types....so, I thought to myself, self...how do I easily have a properly signed certificate....well, through NPM of course....so, I setup a proxy redirect with ssl, and then pointed my default page to that redirect, so any time someone hits my NPM without a proper name (like ANY blocked URL from my DNS server, NPM will redirect to the site I have defined and get the 'blocked' message I have setup.....except....http works, but https doesn't..... So, do you have any suggestions on how to do the redirect that I'm trying to do? ...but within the settings there is an option to give it an alternate IP.
kerem commented 2026-02-26 06:33:23 +03:00
Author
Owner
Copy link

@dnviti commented on GitHub (Oct 27, 2023):

This problem is still happening, our client in the Aerospace Industry is lowering our security class cause of that...
Would not be better to simply disable the default https host? Https on ip:443 is totally useless anyway.

<!-- gh-comment-id:1782436844 --> @dnviti commented on GitHub (Oct 27, 2023): This problem is still happening, our client in the Aerospace Industry is lowering our security class cause of that... Would not be better to simply disable the default https host? Https on ip:443 is totally useless anyway.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
dependabot/npm_and_yarn/backend/liquidjs-10.25.7
dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987
dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41
dependabot/npm_and_yarn/backend/basic-ftp-5.3.0
dependabot/npm_and_yarn/test/follow-redirects-1.16.0
dependabot/npm_and_yarn/test/axios-1.15.0
dependabot/npm_and_yarn/frontend/lodash-4.18.1
dependabot/npm_and_yarn/backend/lodash-4.18.1
dependabot/npm_and_yarn/test/lodash-4.18.1
dependabot/npm_and_yarn/frontend/vite-7.3.2
dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21
dependabot/npm_and_yarn/frontend/lodash-es-4.18.1
dependabot/npm_and_yarn/frontend/happy-dom-20.8.9
dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0
dependabot/npm_and_yarn/frontend/picomatch-4.0.4
dependabot/npm_and_yarn/backend/picomatch-2.3.2
dependabot/npm_and_yarn/frontend/yaml-1.10.3
dependabot/npm_and_yarn/test/flatted-3.4.2
dependabot/npm_and_yarn/test/tar-7.5.11
dependabot/npm_and_yarn/frontend/immutable-5.1.5
master
dependabot/npm_and_yarn/test/glob-10.5.0
dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1
dependabot/npm_and_yarn/test/form-data-4.0.4
v3-abandoned
bump-freedns
openidc
ssl-passthrough-hosts
static-content
v2.14.0
v2.13.7
v2.13.6
v2.13.5
v2.13.4
v2.13.3
v2.13.2
v2.13.1
v2.13.0
v2.12.6
v2.12.5
v2.12.4
v2.12.3
v2.12.2
v2.12.1
v2.12.0
v2.11.3
v2.11.2
v2.11.1
v2.11.0
v2.10.4
v2.10.3
v2.10.2
v2.10.1
v2.10.0
v2.9.22
v2.9.21
v2.9.20
v2.9.19
v2.9.18
v2.9.17
v2.9.16
v2.9.15
v2.9.14
v2.9.13
v2.9.12
v2.9.11
v2.9.10
v2.9.9
v2.9.8
v2.9.7
v2.9.6
v2.9.5
v2.9.4
v2.9.3
v2.9.2
v2.9.1
v2.9.0
v2.8.1
v2.8.0
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.0
v2.3.1
v2.3.0
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
2.0.14
2.0.13
2.0.12
2.0.11
2.0.10
2.0.9
2.0.8
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.0
v2.0.0
1.1.2
1.1.1
1.0.1
Labels
Clear labels   
awaiting feedback

   
bug

   
cannot reproduce

   
dns provider request

   
duplicate

   
enhancement

   
enhancement

   
enhancement

   
good first issue

   
help wanted

   
invalid

   
need more info

   
no certbot plugin available

   
product-support

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
stale

   
troll

   
upstream issue

   
v2

   
v2

   
v2

   
v3

   
wontfix
No labels
awaiting feedback
bug
cannot reproduce
dns provider request
duplicate
enhancement
enhancement
enhancement
good first issue
help wanted
invalid
need more info
no certbot plugin available
product-support
pull-request
question
stale
troll
upstream issue
v2
v2
v2
v3
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/nginx-proxy-manager-NginxProxyManager#556
No description provided.