Auto-select a matching SSL certificate from typed domains (opt-in secure defaults via NPM_SECURE_DEFAULTS)#5716
Open
Grasfer wants to merge 1 commit into
Open
Conversation
…URE_DEFAULTS Closes NginxProxyManager#2. When adding a proxy host, typing a domain auto-selects a certificate covering ALL entered domains (exact > one-label wildcard), tracked as auto-picked so it re-matches or clears as domains change and never overrides a manual choice (including an explicit "None"). New env var NPM_SECURE_DEFAULTS (default off = stock behavior), exposed via the health endpoint: new proxy hosts default Block Common Exploits and Websockets Support on, and Force SSL + HTTP/2 flip on when a cert is first selected. Applies to new hosts only — editing existing hosts never changes stored values. SSLCertificateField's select is now controlled so programmatic certificateId changes render correctly. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
10 tasks
Author
|
As the AI mentioned i just wanted these features myself, i do not know coding at all, but it works as i wanted on my own system. |
|
Docker Image for build 1 is available on DockerHub: Note Ensure you backup your NPM instance before testing this image! Especially if there are database changes. Warning Changes and additions to DNS Providers require verification by at least 2 members of the community! |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Why
When adding a new proxy host you type the domain names, then have to hunt through the certificate dropdown for the cert that covers them — error-prone on installs with many certificates, and picking the wrong one silently breaks SSL on the host.
Certificate auto-pick. With this change, typing domains on a NEW proxy host auto-selects a certificate covering all entered domains, preferring an exact match over a one-label wildcard match. The selection is tracked as auto-picked, so it re-matches or clears as the domains change — but it never overrides a manual choice, including an explicit manual "None" (detected via the field's touched state). Editing existing hosts is untouched. As part of this,
SSLCertificateField's select becomes a controlled component so programmaticcertificateIdchanges render correctly.Opt-in secure defaults. New env var
NPM_SECURE_DEFAULTS(default off = exactly stock behavior), exposed to the frontend via a newsecure_defaultsfield in the health endpoint payload. When enabled, new proxy hosts default Block Common Exploits and Websockets Support on, and Force SSL + HTTP/2 Support flip on when a certificate is first selected. New hosts only — editing an existing host never changes stored values. Unset, nothing changes for anyone. This part is separable — happy to split it into its own PR if you'd rather take the auto-pick alone.API surface: one additive, optional field (
secure_defaults) in the health response, schema updated accordingly. No breaking changes. Unit tests included for the certificate matching logic (CertificateMatch.test.ts).Full disclosure: this was AI-written (boxes checked below) — I made it because I wanted the feature myself. It's been running on my own NPM instance and works for my day-to-day use, but that's the extent of the real-world testing, so review accordingly.
Type of Change
AI Usage