[GH-ISSUE #69] oauth or client certificate authentication #64

Open
opened 2026-02-26 05:34:02 +03:00 by kerem · 26 comments

Originally created by @strongy on GitHub (Feb 13, 2019).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/69

I was wondering if it's possible to use OAuth or Client Certificate for authentication like the OAuth Proxy docker is doing, except with your nice GUI.


@walthowd commented on GitHub (Mar 1, 2019):

I would like to see this too!


@hallveticapro commented on GitHub (Mar 3, 2019):

OAuth would be nice to see, I don't really trust the login forms of applications like Sonarr or Radarr that much but OAuth would be okay in my book.


@jc21 commented on GitHub (Mar 3, 2019):

What services do you want to oauth with though?

On the topic of login security, passwords are stored in an encrypted state against the database and login tokens are not stored in cookies, they are stored in localstorage. The login token is in JWT format and can be revoked for all users by removing the generated encryption keys in your config file.


@hallveticapro commented on GitHub (Mar 3, 2019):

One of the biggest reasons I would like OAuth is 2FA. My Google account is secured not only with a complex password but a YubiKey as well. It would be nice to be able to place access to any host behind that to ensure that I am the only one able to access them. I'm not saying the included Access Lists are bad, but if someone were to get access to a password, they'd have access until I realize and am able to revoke it.


@maciekish commented on GitHub (Apr 10, 2019):

+1 for client cert auth please


@misse commented on GitHub (May 2, 2019):

I would also like to see 2FA and client certificate auth.


@jeroenpardon commented on GitHub (May 31, 2019):

It's definitely needed for me too +1


@Elmardus commented on GitHub (Apr 29, 2020):

Is there a way to use the auth_request Nginx module, so a service like [Vouch](https://github.com/vouch/vouch-proxy) could be used?

If I understood correctly, this would require `auth_request /validate;` to be set in the 'server' block, the other required config could be entered in the _Custom Nginx Configuration_ in the _Advanced_ tab using the NPM GUI.


@Simon-CR commented on GitHub (May 25, 2020):

I too would love an easy way to add Google 2FA auth in front.


@cammurray commented on GitHub (Jul 22, 2020):

Certificate authentication would be amazing, but with the project's mentality of keeping the barrier for entry low, you could automate the generation of the CA certificate (so this is hidden from the user), and just tie the user certificates to the ACLs somehow, resulting in simple SSO provided by certs, no third-party auth providers, all integrated.


@hlidar85 commented on GitHub (Jun 28, 2021):

+1 for client cert auth please


@cammurray commented on GitHub (Jun 29, 2021):

I needed this functionality (it makes it easy and more secure to expose internal services when they're behind a cert auth mechanism), so I created a proxy manager like nginx proxy manager however with caddy instead. Sharing how I went about this for info sharing purposes because I think it would be useful to do a similar approach in nginx proxy manager. I'd personally prefer to use Nginx Proxy Manager if there was cert auth in it.

Certificate Auth Providers (essentially a certificate authority) can be set up from within the proxy manager. You can download the root CA public cert from the proxy manager, and you can generate client certificates (that go on the devices) from the same page.

You can generate as many Root CAs as you want so that you can have different proxy hosts require different certificates.

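![image](https://user-images.githubusercontent.com/26195772/123722573-f4aef700-d8cb-11eb-8bac-11d1eea3641a.png)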

When creating the proxy host itself, under the auth page you select the Root CA you want to authenticate users against

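![image](https://user-images.githubusercontent.com/26195772/123722846-7d2d9780-d8cc-11eb-8b21-58a840b6697e.png)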


@dmwilson1990 commented on GitHub (Sep 5, 2021):

I tinkered around for a bit and figured out how to add certificate authentication. For whatever reason you're very limited in what you can add to the Edit Proxy Host >> Advanced >> Custom Nginx Configuration section. However, you can put **include**. I wanted to authenticate with my smart card, so I added two read-only binds to the docker-compose stack:

```
      - /docker/proxy/DoD_CAs.pem:/etc/ssl/certs/DoD_CAs.pem:ro
      - /docker/proxy/cac_auth.conf:/etc/nginx/conf.d/include/cac_auth.conf:ro
```

Inside the custom nginx configuration section I added `include conf.d/include/cac_auth.conf;`

You should be able to add any custom nginx config using this method that would otherwise be unsupported in NPM. Here's what is inside my cac_auth.conf.

```
# CA bundle used to verify client certificates
ssl_client_certificate /etc/ssl/certs/DoD_CAs.pem;
# Require a client certificate that chains to that bundle
ssl_verify_client on;
# Return 403 unless the subject DN matches this regex
if ($ssl_client_s_dn !~ "CN=YOURCERTCOMMONNAMEHERE") {
  return 403;
}
```

Hope this helps someone!
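
Added example (not part of dmwilson1990's comment and not Nginx Proxy Manager code): nginx's `!~` is an unanchored regex test, so the `if` in the cac_auth.conf above lets through any verified certificate whose subject DN merely contains the pattern. The Python sketch below uses `re.search` to stand in for that match over constructed subject DNs and builds an anchored, escaped alternative; it assumes the RFC 2253 form of `$ssl_client_s_dn` with the CN as the first component, and the function names and sample values are hypothetical.

```python
import re

# Constructed subject DNs in the RFC 2253 form nginx exposes as $ssl_client_s_dn.
# Only the first belongs to the intended user; all are assumed to chain to a CA
# in the trusted bundle, so the DN check is the only per-user restriction.
SAMPLE_DNS = [
    "CN=EXAMPLE.JANE.1000000001,OU=USERS,O=Example Org,C=US",
    "CN=EXAMPLE.JANE.10000000019,OU=USERS,O=Example Org,C=US",
    "CN=EXAMPLE-JANE-1000000001,OU=USERS,O=Example Org,C=US",
    "CN=EXAMPLE.JOHN.2000000002,OU=USERS,O=Example Org,C=US",
]


def passes(pattern, subject_dn):
    """Mirror `if ($ssl_client_s_dn !~ "<pattern>") { return 403; }`.

    The request is allowed (no 403) when the regex is found anywhere in the DN.
    """
    return re.search(pattern, subject_dn) is not None


def anchored_cn_pattern(common_name):
    """Pattern matching only a DN whose first component is exactly this CN.

    '^' pins the match to the start of the DN, re.escape() makes '.' literal,
    and the trailing ',' stops a longer CN sharing the same prefix.
    Assumption: the CN is the leading RDN of the RFC 2253 string.
    """
    return "^CN=" + re.escape(common_name) + ","


def accepted(pattern, dns=SAMPLE_DNS):
    """Return the subject DNs that a given pattern would let through."""
    return [dn for dn in dns if passes(pattern, dn)]


if __name__ == "__main__":
    cn = "EXAMPLE.JANE.1000000001"
    for label, pattern in (("as posted", "CN=" + cn),
                           ("anchored", anchored_cn_pattern(cn))):
        print(f"{label}: {pattern}")
        for dn in accepted(pattern):
            print("  accepts", dn)
```

Running a candidate pattern through `accepted()` against the DNs your CA actually issues shows who the check admits before the config is deployed.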


@felix-exon commented on GitHub (Sep 15, 2022):

How about integrating with keycloak? That would be super-awesome!


@marekful commented on GitHub (Feb 24, 2023):

FYI https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2630 @deibertf


@cammurray commented on GitHub (Aug 15, 2023):

On top of #2630
@wrouesnel has done the work for client certificate auth in #2956

So there are active PRs in for this feature ask - would be great to see if we can get some commitment to pull both of those :)


@github-actions[bot] commented on GitHub (Apr 3, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@strongy commented on GitHub (Apr 3, 2024):

So what’s happening


@GregTheHun commented on GitHub (Sep 13, 2024):

I would also like this feature


@metahertz commented on GitHub (Sep 24, 2024):

Please add your support to @wrouesnel's PR here. Have a current build working for testing: https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2956


@sametflo commented on GitHub (Nov 17, 2024):

Yes, please add your support to @wrouesnel's PR. He did most of the work and we've been waiting since May 28th. We all know it requires some verification, but it would be a great feature.


@github-actions[bot] commented on GitHub (Jun 22, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍


@sametflo commented on GitHub (Jun 22, 2025):

This feature should not be considered obsolete!
This would still be a great feature for npm.
Please consider adding it.


@felix-exon commented on GitHub (Jun 22, 2025):

👍


@RonarPS commented on GitHub (Oct 23, 2025):

What's with this feature? @cammurray is this a feature which is already implemented in Caddy Proxy Manager? Does Caddy Proxy Manager also exist docker-compose ready?


@cammurray commented on GitHub (Oct 23, 2025):

Hi @RonarPS, some time ago I recreated nginx proxy manager but with caddy as the backend, that's what those screenshots are.

The screenshots were just provided to help with direction, if needed, for this feature - which to my understanding, is not implemented in nginx proxy manager today and seems as if there is no plan to implement it.
