[GH-ISSUE #768] Add client certificate support #653

Open
opened 2026-02-26 06:33:51 +03:00 by kerem · 22 comments

Originally created by @Likqez on GitHub (Dec 11, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/768

Implement client certificates

Is your feature request related to a problem? Please describe.
I am securing my web applications with Cloudflare Access. I did all the proxying through manual configuration of an nginx server.
But because I am running more and more applications, I wanted to have a nice GUI like this from npm.
As long as npm does not support client certificates, I cannot protect my website from unwanted access.

Describe the solution you'd like
I would like a feature to upload an SSL cert without a key, which is currently not possible, and then use it inside a proxy host to verify the client's certificate.


@dmwilson1990 commented on GitHub (Sep 5, 2021):

With a bit of a workaround it is possible to do this. For whatever reason you're very limited in what you can add to the Edit Proxy Host >> Advanced >> Custom Nginx Configuration section. However, you can put `include`. I wanted to authenticate with my smart card so I added two read-only binds to the docker-compose stack:

```
      - /docker/proxy/DoD_CAs.pem:/etc/ssl/certs/DoD_CAs.pem:ro
      - /docker/proxy/cac_auth.conf:/etc/nginx/conf.d/include/cac_auth.conf:ro
```

Inside the custom nginx configuration section I added `include conf.d/include/cac_auth.conf;`

You should be able to add any custom nginx config using this method that would otherwise be unsupported in NPM. Here's what is inside my cac_auth.conf.

```
# CA bundle used to verify certificates presented by clients
ssl_client_certificate /etc/ssl/certs/DoD_CAs.pem;
# Require a client certificate that verifies against that bundle
ssl_verify_client on;
# Reject the request unless the certificate's subject DN matches the pattern
if ($ssl_client_s_dn !~ "CN=YOURCERTCOMMONNAMEHERE") {
  return 403;
}
```

@Likqez commented on GitHub (Sep 5, 2021):

Thanks for the tip!
Native support would be awesome tho :)


@ybizeul commented on GitHub (Nov 4, 2023):

Tried @dmwilson1990 recommendation:

```
Command failed: /usr/sbin/nginx -t -g "error_log off;" nginx: [emerg] invalid condition "!~" in /etc/nginx/conf.d/include/client_cert.conf:3 nginx: configuration file /etc/nginx/nginx.conf test failed
```

That's the file content:

```
ssl_client_certificate /data/custom_ssl/tynsoe_ca.pem;
ssl_verify_client on;
if ($ssl_client_s_dn !~ "CN=yann") {
  return 403;
}
```

EDIT: It might have been that I didn't have Safari sending the certificate, because I didn't have it in my keychain yet. I removed the block totally though, as I'm assuming it'll trust any CA generated certificate in that case
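
The `if` block in the two snippets above is an unanchored regex over `$ssl_client_s_dn`, and without it every certificate issued by the configured CA is accepted. The following is an added example, not code from the thread or from Nginx Proxy Manager: it assumes the RFC 2253 comma-separated DN form, uses constructed sample DNs, and compares the thread's pattern with an assumed anchored pattern and an exact CN comparison; all helper names are hypothetical.

```python
import re

# Unanchored pattern as in the thread's if-block (CN taken from the second snippet).
UNANCHORED = re.compile(r"CN=yann")
# Assumed tightening (not from the thread): CN=yann must be a whole RDN,
# delimited by start/end of string or an unescaped comma.
ANCHORED = re.compile(r"(?:^|(?<!\\),)CN=yann(?:,|$)")

def attributes(dn):
    """Split an RFC 2253 DN into (type, value) pairs on unescaped ',' or '+'.
    Backslash escapes are resolved; hex-pair escapes are not decoded."""
    parts, cur, esc = [], [], False
    for ch in dn:
        if esc:
            cur.append(ch)
            esc = False
        elif ch == "\\":
            esc = True
        elif ch in ",+":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    pairs = [p.split("=", 1) for p in parts if "=" in p]
    return [(t.strip().upper(), v) for t, v in pairs]

def exact_cn_allowed(dn, allowed):
    """Accept only when the DN carries exactly one CN and it is allow-listed."""
    cns = [v for t, v in attributes(dn) if t == "CN"]
    return len(cns) == 1 and cns[0] in allowed

# Constructed subject DNs in the comma-separated form of $ssl_client_s_dn.
SAMPLES = [
    "CN=yann,OU=Users,O=Example",
    "CN=yannick,OU=Users,O=Example",
    "CN=bob,OU=Team CN=yann,O=Example",
    r"CN=bob,O=Example\,CN=yann,C=FR",
    "CN=alice,O=Example",
]

def compare(samples=SAMPLES, allowed=frozenset({"yann"})):
    """Return (dn, unanchored, anchored, exact) verdicts for each sample."""
    return [(dn, bool(UNANCHORED.search(dn)), bool(ANCHORED.search(dn)),
             exact_cn_allowed(dn, allowed)) for dn in samples]

if __name__ == "__main__":
    for dn, loose, anchored, exact in compare():
        print(f"{dn!r:45} unanchored={loose} anchored={anchored} exact={exact}")
```

The patterns here are in Python `re` syntax; anything carried over into the nginx `if` needs its own `nginx -t` run, because escaping inside quoted strings in the nginx configuration differs from Python's.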


@github-actions[bot] commented on GitHub (May 19, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@CsBigDataHub commented on GitHub (Aug 15, 2024):

Yes this is a desired feature.


@kintoxo commented on GitHub (Sep 9, 2024):

Please add built-in support for using user certificates in nginx-proxy-manager.


@GregTheHun commented on GitHub (Sep 13, 2024):

I would also like this as well


@metahertz commented on GitHub (Sep 24, 2024):

Please add your support for a working PR for this feature w/full UI support by @wrouesnel here: https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2956


@xpire commented on GitHub (Dec 7, 2024):

How can we support this PR further? Do you mean take over the PR and fix the broken tests?


@lerra commented on GitHub (Dec 8, 2024):

I would also like to see support for client certificates. I would then be able to use resources directly out on the public internet instead of having them behind my VPN. I would implement the workaround meanwhile :)

Btw thanks for a great open source project


@kylmp commented on GitHub (Jan 7, 2025):

Will also +1 support for this feature. This application seems like it is well made, but that's a feature I need, so for me I will switch to regular old nginx for now. I don't really see the point in figuring out workarounds thru this app when the regular old config files way exists.


@cgfrost commented on GitHub (Mar 16, 2025):

I'd love to see support for this. Sorry to see a great PR exists but has been ignored. https://github.com/NginxProxyManager/nginx-proxy-manager/pull/2956


@github-actions[bot] commented on GitHub (Sep 21, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍


@lerra commented on GitHub (Sep 21, 2025):

I still see big value in getting this feature


@StoyanBorisovBG commented on GitHub (Oct 13, 2025):

If that becomes a feature, it'd be awesome!


@Psantos commented on GitHub (Oct 14, 2025):

+1


@RonarPS commented on GitHub (Oct 23, 2025):

+1 - would love such a feature via Webgui


@Drakulos commented on GitHub (Nov 21, 2025):

Please implement that feature. Would love it.


@Rukkrym commented on GitHub (Jan 6, 2026):

+1


@andreasalbertmail-arch commented on GitHub (Jan 8, 2026):

+1


@kar-vi-nen commented on GitHub (Jan 27, 2026):

+1


@RonarPS commented on GitHub (Jan 27, 2026):

+1
Go for it! Such a feature would be really nice!
