[GH-ISSUE #817] Status of "Strict" HTTPS Support (e.g., at Cloudflare) #692

Closed
opened 2026-02-26 06:34:00 +03:00 by kerem · 6 comments

Originally created by @johntdavis84 on GitHub (Jan 10, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/817

**What is troubling you?**

Hello, I wanted to clarify whether it was still a bad idea or not to use the "strict" TLS option available e.g., from Cloudflare. Cloudflare wants me to use it:

> "Thanks for enabling SSL/TLS Recommender in the dashboard. You’re receiving this email because our security service observed the SSL/TLS mode for sinisterpisces.com is Full but would benefit from the additional security provided by Strict."

The installation and setup tutorial videos for NPM I watched recommended leaving this off, as Strict mode could cause some issues with NPM that might cause it not to work correctly. I got the impression it might work fine sometimes and might not work fine other times, so leaving it on could sort of create a ¯\_(ツ)_/¯ situation.

**These tutorial videos were at least 6 months old, and there've been at least a couple bug fix releases since then, so I wanted to clarify whether sticking with Full vs. Strict is still the best practice.**

(Yes, I could just experiment and figure this out myself, but I couldn't find anything on this when I searched so I thought it might be useful to post.)

kerem 2026-02-26 06:34:00 +03:00

@henkisdabro commented on GitHub (Jan 11, 2021):

I'm using Cloudflare's strict settings after creating letsencrypt SSL certificates used on all my Proxy Hosts in npm, works fine for me.


@johntdavis84 commented on GitHub (Jan 11, 2021):

> I'm using Cloudflare's strict settings after creating letsencrypt SSL certificates used on all my Proxy Hosts in npm, works fine for me.

Thanks! Did you switch to strict after creation of the certs because it would have been a problem to use strict during creation?

I'm not done rolling out proxy hosts yet, so I'm curious if I should wait.


@henkisdabro commented on GitHub (Jan 11, 2021):

Well, you can leave the Cloudflare SSL setting at strict all the time, but on the individual A or CNAME record for your subdomain or domain you need them set to "DNS only" - the grey cloud - temporarily during initial SSL issuing on npm. Once issued, switch the A or CNAME record over to the orange cloud to become proxied, which effectively takes on the SSL setting of strict that you have set on your zone.

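A preflight check for the procedure above, added here as an example (it is not from the thread, NPM or Cloudflare): it connects straight to the origin IP while validating the certificate for the public hostname, which is what Cloudflare's Full (strict) mode does, so you can tell before flipping the zone setting whether the origin would only pass under Full. The hostname and IP in the demo are constructed placeholders.

```python
"""Preflight for Cloudflare "Full (strict)": does the origin's certificate pass the
same validation Cloudflare applies (trusted CA, not expired, hostname matches)?
Added example; the hostname and IP in the demo are constructed placeholders."""
import socket
import ssl
from datetime import datetime, timezone


def classify_error(exc: BaseException) -> str:
    """Map a failed handshake to the Cloudflare SSL/TLS mode that would still work."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        # Untrusted CA, self-signed, expired or hostname mismatch: "Full" tolerates
        # this, "Full (strict)" would serve visitors an error page instead.
        return "full-only"
    if isinstance(exc, ssl.SSLError):
        # No usable TLS on the origin at all: even "Full" cannot connect.
        return "broken"
    if isinstance(exc, OSError):  # refused, timeout, no route (socket.timeout is an OSError)
        return "unreachable"
    return "unknown"


def check_origin(hostname: str, origin_ip: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect to the origin IP directly (bypassing the proxy) while validating
    the certificate for the public hostname, exactly as strict mode does."""
    ctx = ssl.create_default_context()  # system CA bundle, hostname check enabled
    try:
        with socket.create_connection((origin_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
    except Exception as exc:  # every failure is classified, none is hidden
        return {"verdict": classify_error(exc), "detail": str(exc)}
    not_after = datetime.strptime(cert["notAfter"], "%b %d %H:%M:%S %Y %Z")
    days_left = (not_after.replace(tzinfo=timezone.utc) - datetime.now(timezone.utc)).days
    issuer = {k: v for rdn in cert["issuer"] for k, v in rdn}
    return {"verdict": "strict-ok", "issuer": issuer.get("organizationName"), "days_left": days_left}


if __name__ == "__main__":
    # Constructed placeholders: use your proxy host's name and NPM's reachable address.
    print(check_origin("app.example.invalid", "192.0.2.10"))
```

Run it against each proxy host after the Let's Encrypt certificate is issued; a "strict-ok" verdict with a sensible "days_left" means the record can be switched back to proxied without the zone's strict setting breaking it.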

@johntdavis84 commented on GitHub (Jan 11, 2021):

Excellent! This is perfect.

Thanks!


John T Davis

On Jan 10, 2021, at 6:56 PM, Henrik Söderlund notifications@github.com wrote:

> Well, you can leave the Cloudflare SSL setting at stric all the time, but on the individual A or CNAME record for your subdomain or domain you need them set the "DNS only" - the grey color cloud - temporarily during initial SSL issuing on npm. Once issued, then switch the A or CNAME record over to orange cloud to become proxied which effectively take on the SSL settings of strict that you have set on your zone.


@henkisdabro commented on GitHub (Jan 12, 2021):

That said, I can't confirm whether there are any other issues with Cloudflare's "Strict" SSL settings like you mentioned in all use cases within NPM. I'm just using simple proxy hosts to internal (docker container) services that I'm running, including an nginx webserver, wordpress, media server related things, pi-hole and other things, and in these cases I have not experienced problems. Hope other people can chime in as well with their results.


@johntdavis84 commented on GitHub (Jan 14, 2021):

> That said, I can't confirm whether there are any other issues with Cloudflare's "Strict" SSL settings like you mentioned in all use cases within NPM, I'm just using simple proxy hosts to internal (docker container) services that I'm running, including; nginx webserver, wordpress, media server related, pi-hole and other things – and in these cases I have not experienced problems – hope other people can chime in as well with their results.

I appreciate the warning. I'm doing the exact same thing (NPM --> internal containerized services). It seems to be working fine with strict TLS.

I still don't completely understand the other options (e.g., stream), so I haven't experimented with them yet.
