starred/nginx-proxy-manager-NginxProxyManager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2026-04-25 09:25:55 +03:00
Code Issues 937 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #1114] Support for PROXY Protocol #918

New issue
Open
opened 2026-02-26 06:34:57 +03:00 by kerem · 16 comments
kerem commented 2026-02-26 06:34:57 +03:00
Owner
Copy link

Originally created by @furgoose on GitHub (May 21, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1114

Is it possible to accept PROXY Protocol traffic from within the UI?
If I go in and manually edit the files it works, but requesting certs resets the files so it's not really a viable alternative.

https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/

Originally created by @furgoose on GitHub (May 21, 2021). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1114 Is it possible to accept PROXY Protocol traffic from within the UI? If I go in and manually edit the files it works, but requesting certs resets the files so it's not really a viable alternative. https://docs.nginx.com/nginx/admin-guide/load-balancer/using-proxy-protocol/
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@gtmadev commented on GitHub (Aug 24, 2021):

Lack of proxy protocol is a non-starter.

You can't be running this stuff in a cluster behind a cloud load balancer and then not be able to listen with proxy protocol. Without it, the applications lose the IP information from the origin client. Geo-based content becomes impossible.

I'm going to look at the source code to see if this is an easy fix. Seems like a checkbox or toggle is all that would be needed as proxy_protocol is just a single directive that goes with the listener line in NGINX.

<!-- gh-comment-id:904700119 --> @gtmadev commented on GitHub (Aug 24, 2021): Lack of proxy protocol is a non-starter. You can't be running this stuff in a cluster behind a cloud load balancer and then not be able to listen with proxy protocol. Without it, the applications lose the IP information from the origin client. Geo-based content becomes impossible. I'm going to look at the source code to see if this is an easy fix. Seems like a checkbox or toggle is all that would be needed as proxy_protocol is just a single directive that goes with the listener line in NGINX.
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@jc21 commented on GitHub (Aug 24, 2021):

Correct yes a simple toggle in the UI would be enough to get this moving, saved to the db table and the backend template just needs to know about that value.

This kind of thing wasn't part of the project's goal. It's generally not expected that people using this for their home gateway would be using a load balancer or HA.

<!-- gh-comment-id:905029253 --> @jc21 commented on GitHub (Aug 24, 2021): Correct yes a simple toggle in the UI would be enough to get this moving, saved to the db table and the backend template just needs to know about that value. This kind of thing wasn't part of the project's goal. It's generally not expected that people using this for their home gateway would be using a load balancer or HA.
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@gtmadev commented on GitHub (Aug 25, 2021):

I did some digging through the source code and I can see how to add support for this. There are models to update, etc. But.. you are correct. I also reviewed a few other things and concluded that this is a good system for a home lab, but it can't do things like setup backend streams or sets of target servers for load balancing. And without that, it would be pretty senseless to add proxy protocol because anyone utilizing proxy protocol is most certainly doing so to load balance their services.

I wouldn't mind using this in a homelab environment myself, but the problem is that I usually need to mimic the production environment as closely as possible so that I can see how things will (hopefully) work in the real world.

I think I will still spin this up though and play with it.

<!-- gh-comment-id:905547618 --> @gtmadev commented on GitHub (Aug 25, 2021): I did some digging through the source code and I can see how to add support for this. There are models to update, etc. But.. you are correct. I also reviewed a few other things and concluded that this is a good system for a home lab, but it can't do things like setup backend streams or sets of target servers for load balancing. And without that, it would be pretty senseless to add proxy protocol because anyone utilizing proxy protocol is most certainly doing so to load balance their services. I wouldn't mind using this in a homelab environment myself, but the problem is that I usually need to mimic the production environment as closely as possible so that I can see how things will (hopefully) work in the real world. I think I will still spin this up though and play with it.
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@ylx2016 commented on GitHub (Mar 7, 2022):

I would like to support adding listen ssl proxy_protocol,
Thanks.
like this:
listen 443 ssl http2 proxy_protocol;

<!-- gh-comment-id:1060439664 --> @ylx2016 commented on GitHub (Mar 7, 2022): I would like to support adding listen ssl proxy_protocol, Thanks. like this: listen 443 ssl http2 proxy_protocol;
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@openncomp commented on GitHub (Jun 24, 2022):

I'm looking forward to adding this option!

<!-- gh-comment-id:1165550515 --> @openncomp commented on GitHub (Jun 24, 2022): I'm looking forward to adding this option!
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@capthndsme commented on GitHub (Sep 30, 2022):

Hopefully I'd see this feature get supported soon.
I can think of one instance where support of proxy protocol is great for home settings: Users with two or more WANs.
Personally my old test setup with dual-wan + proxy is like this:
image

<!-- gh-comment-id:1263101411 --> @capthndsme commented on GitHub (Sep 30, 2022): Hopefully I'd see this feature get supported soon. I can think of one instance where support of proxy protocol is great for home settings: Users with two or more WANs. Personally my old test setup with dual-wan + proxy is like this: ![image](https://user-images.githubusercontent.com/4083123/193192896-4573097b-a3d3-46dd-94be-697e9d5aba7d.png)
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@foxy82 commented on GitHub (Sep 30, 2022):

This also works well if you have multiple domains that you want to serve from different machines.

You can use a load balancer that splits the traffic using SNI (so it doesn't need to know about the certificate) and then proxies it on so originating IP data isn't lost.

<!-- gh-comment-id:1263127758 --> @foxy82 commented on GitHub (Sep 30, 2022): This also works well if you have multiple domains that you want to serve from different machines. You can use a load balancer that splits the traffic using SNI (so it doesn't need to know about the certificate) and then proxies it on so originating IP data isn't lost.
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@msalman-91 commented on GitHub (Apr 13, 2023):

Hello @jc21

Is there any update is it going to be added?

<!-- gh-comment-id:1507594114 --> @msalman-91 commented on GitHub (Apr 13, 2023): Hello @jc21 Is there any update is it going to be added?
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@Ador-able commented on GitHub (Mar 29, 2024):

Strongly needed, can this feature be included in the development plan

<!-- gh-comment-id:2026650773 --> @Ador-able commented on GitHub (Mar 29, 2024): Strongly needed, can this feature be included in the development plan
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@julianq commented on GitHub (Jun 9, 2024):

Is this still going to be added? I need proxy protocol support for my setup, really don't want to move off of NPM.

<!-- gh-comment-id:2156241175 --> @julianq commented on GitHub (Jun 9, 2024): Is this still going to be added? I need proxy protocol support for my setup, really don't want to move off of NPM.
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@xenadmin commented on GitHub (Oct 12, 2024):

I want to setup https://github.com/stalwartlabs/mail-server in my home environment, and I only have 1 public IP. Therefore, NPM handles all my traffic. But for stalwart mail server, I need the proxy to be able to speak PROXY protocol: https://stalw.art/docs/server/reverse-proxy/proxy-protocol

<!-- gh-comment-id:2408699991 --> @xenadmin commented on GitHub (Oct 12, 2024): I want to setup https://github.com/stalwartlabs/mail-server in my home environment, and I only have 1 public IP. Therefore, NPM handles all my traffic. But for stalwart mail server, I need the proxy to be able to speak PROXY protocol: https://stalw.art/docs/server/reverse-proxy/proxy-protocol
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@julianq commented on GitHub (Oct 12, 2024):

I want to setup https://github.com/stalwartlabs/mail-server in my home environment, and I only have 1 public IP. Therefore, NPM handles all my traffic. But for stalwart mail server, I need the proxy to be able to speak PROXY protocol: https://stalw.art/docs/server/reverse-proxy/proxy-protocol

Have you checked out SWAG? Since there seems to be no movement on this I migrated to SWAG since you get more flexibility; it's essentially nginx with some pre-configurations (you lose the GUI). I still prefer NPM but needed proxy protocol support, may be worth checking out if you need it also.

<!-- gh-comment-id:2408700853 --> @julianq commented on GitHub (Oct 12, 2024): > I want to setup https://github.com/stalwartlabs/mail-server in my home environment, and I only have 1 public IP. Therefore, NPM handles all my traffic. But for stalwart mail server, I need the proxy to be able to speak PROXY protocol: https://stalw.art/docs/server/reverse-proxy/proxy-protocol Have you checked out SWAG? Since there seems to be no movement on this I migrated to SWAG since you get more flexibility; it's essentially nginx with some pre-configurations (you lose the GUI). I still prefer NPM but needed proxy protocol support, may be worth checking out if you need it also.
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@sclu1034 commented on GitHub (Oct 16, 2024):

I want to setup stalwartlabs/mail-server in my home environment, and I only have 1 public IP. Therefore, NPM handles all my traffic. But for stalwart mail server, I need the proxy to be able to speak PROXY protocol: stalw.art/docs/server/reverse-proxy/proxy-protocol

Do you need NPM to proxy all ports explicitly?
I'm running docker-mailserver next to NPM just fine, with the latter listening on 80+443 and the former on all the mail stuff like 25 or 143.

Unless you have things like custom load balancing set up in your NPM config that you want to leverage by setting up a stream module, you shouldn't need NPM as a middle-man on mail ports.

<!-- gh-comment-id:2418051363 --> @sclu1034 commented on GitHub (Oct 16, 2024): > I want to setup [stalwartlabs/mail-server](https://github.com/stalwartlabs/mail-server) in my home environment, and I only have 1 public IP. Therefore, NPM handles all my traffic. But for stalwart mail server, I need the proxy to be able to speak PROXY protocol: [stalw.art/docs/server/reverse-proxy/proxy-protocol](https://stalw.art/docs/server/reverse-proxy/proxy-protocol) Do you need NPM to proxy all ports explicitly? I'm running docker-mailserver next to NPM just fine, with the latter listening on 80+443 and the former on all the mail stuff like 25 or 143. Unless you have things like custom load balancing set up in your NPM config that you want to leverage by setting up a `stream` module, you shouldn't need NPM as a middle-man on mail ports.
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@lastsamurai26 commented on GitHub (Oct 18, 2024):

You can theoretically send the smtp imap ports directly to stalwart and only send the port 8080 for the gui via NPM, but then you have to include the certificates I think

<!-- gh-comment-id:2423056031 --> @lastsamurai26 commented on GitHub (Oct 18, 2024): You can theoretically send the smtp imap ports directly to stalwart and only send the port 8080 for the gui via NPM, but then you have to include the certificates I think
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Apr 23, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:2822884983 --> @github-actions[bot] commented on GitHub (Apr 23, 2025): Issue is now considered stale. If you want to keep it open, please comment :+1:
kerem commented 2026-02-26 06:34:57 +03:00
Author
Owner
Copy link

@ysenner commented on GitHub (Oct 23, 2025):

I found a usable workaround for this issue.
You can add

#use proxy protocol
listen 4443 ssl proxy_protocol;
set_real_ip_from YOUR_PROXY_IP_OR_CIDR;
real_ip_header proxy_protocol;

to /data/nginx/custom/server_proxy.conf and then have all your ssl traffic come in on port 4443 (e.g. via Docker port mapping).
A different port is needed since there already is a listen 443 in the vanilla .conf we can't remove, so it is easiest to just leave it there and move to a different port.

<!-- gh-comment-id:3439450675 --> @ysenner commented on GitHub (Oct 23, 2025): I found a usable workaround for this issue. You can add ``` #use proxy protocol listen 4443 ssl proxy_protocol; set_real_ip_from YOUR_PROXY_IP_OR_CIDR; real_ip_header proxy_protocol; ``` to `/data/nginx/custom/server_proxy.conf` and then have all your ssl traffic come in on port 4443 (e.g. via Docker port mapping). A different port is needed since there already is a `listen 443` in the vanilla .conf we can't remove, so it is easiest to just leave it there and move to a different port.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
dependabot/npm_and_yarn/backend/liquidjs-10.25.7
dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987
dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41
dependabot/npm_and_yarn/backend/basic-ftp-5.3.0
dependabot/npm_and_yarn/test/follow-redirects-1.16.0
dependabot/npm_and_yarn/test/axios-1.15.0
dependabot/npm_and_yarn/frontend/lodash-4.18.1
dependabot/npm_and_yarn/backend/lodash-4.18.1
dependabot/npm_and_yarn/test/lodash-4.18.1
dependabot/npm_and_yarn/frontend/vite-7.3.2
dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21
dependabot/npm_and_yarn/frontend/lodash-es-4.18.1
dependabot/npm_and_yarn/frontend/happy-dom-20.8.9
dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0
dependabot/npm_and_yarn/frontend/picomatch-4.0.4
dependabot/npm_and_yarn/backend/picomatch-2.3.2
dependabot/npm_and_yarn/frontend/yaml-1.10.3
dependabot/npm_and_yarn/test/flatted-3.4.2
dependabot/npm_and_yarn/test/tar-7.5.11
dependabot/npm_and_yarn/frontend/immutable-5.1.5
master
dependabot/npm_and_yarn/test/glob-10.5.0
dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1
dependabot/npm_and_yarn/test/form-data-4.0.4
v3-abandoned
bump-freedns
openidc
ssl-passthrough-hosts
static-content
v2.14.0
v2.13.7
v2.13.6
v2.13.5
v2.13.4
v2.13.3
v2.13.2
v2.13.1
v2.13.0
v2.12.6
v2.12.5
v2.12.4
v2.12.3
v2.12.2
v2.12.1
v2.12.0
v2.11.3
v2.11.2
v2.11.1
v2.11.0
v2.10.4
v2.10.3
v2.10.2
v2.10.1
v2.10.0
v2.9.22
v2.9.21
v2.9.20
v2.9.19
v2.9.18
v2.9.17
v2.9.16
v2.9.15
v2.9.14
v2.9.13
v2.9.12
v2.9.11
v2.9.10
v2.9.9
v2.9.8
v2.9.7
v2.9.6
v2.9.5
v2.9.4
v2.9.3
v2.9.2
v2.9.1
v2.9.0
v2.8.1
v2.8.0
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.0
v2.3.1
v2.3.0
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
2.0.14
2.0.13
2.0.12
2.0.11
2.0.10
2.0.9
2.0.8
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.0
v2.0.0
1.1.2
1.1.1
1.0.1
Labels
Clear labels   
awaiting feedback

   
bug

   
cannot reproduce

   
dns provider request

   
duplicate

   
enhancement

   
enhancement

   
enhancement

   
good first issue

   
help wanted

   
invalid

   
need more info

   
no certbot plugin available

   
product-support

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
stale

   
troll

   
upstream issue

   
v2

   
v2

   
v2

   
v3

   
wontfix
No labels
awaiting feedback
bug
cannot reproduce
dns provider request
duplicate
enhancement
enhancement
enhancement
good first issue
help wanted
invalid
need more info
no certbot plugin available
product-support
pull-request
question
stale
troll
upstream issue
v2
v2
v2
v3
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/nginx-proxy-manager-NginxProxyManager#918
No description provided.