Skip to content

Auto-select a matching SSL certificate from typed domains (opt-in secure defaults via NPM_SECURE_DEFAULTS)#5716

Open
Grasfer wants to merge 1 commit into
NginxProxyManager:developfrom
Grasfer:upstream-pr/cert-auto-pick
Open

Auto-select a matching SSL certificate from typed domains (opt-in secure defaults via NPM_SECURE_DEFAULTS)#5716
Grasfer wants to merge 1 commit into
NginxProxyManager:developfrom
Grasfer:upstream-pr/cert-auto-pick

Conversation

@Grasfer

@Grasfer Grasfer commented Jul 18, 2026

Copy link
Copy Markdown

Why

When adding a new proxy host you type the domain names, then have to hunt through the certificate dropdown for the cert that covers them — error-prone on installs with many certificates, and picking the wrong one silently breaks SSL on the host.

Certificate auto-pick. With this change, typing domains on a NEW proxy host auto-selects a certificate covering all entered domains, preferring an exact match over a one-label wildcard match. The selection is tracked as auto-picked, so it re-matches or clears as the domains change — but it never overrides a manual choice, including an explicit manual "None" (detected via the field's touched state). Editing existing hosts is untouched. As part of this, SSLCertificateField's select becomes a controlled component so programmatic certificateId changes render correctly.

Opt-in secure defaults. New env var NPM_SECURE_DEFAULTS (default off = exactly stock behavior), exposed to the frontend via a new secure_defaults field in the health endpoint payload. When enabled, new proxy hosts default Block Common Exploits and Websockets Support on, and Force SSL + HTTP/2 Support flip on when a certificate is first selected. New hosts only — editing an existing host never changes stored values. Unset, nothing changes for anyone. This part is separable — happy to split it into its own PR if you'd rather take the auto-pick alone.

API surface: one additive, optional field (secure_defaults) in the health response, schema updated accordingly. No breaking changes. Unit tests included for the certificate matching logic (CertificateMatch.test.ts).

Full disclosure: this was AI-written (boxes checked below) — I made it because I wanted the feature myself. It's been running on my own NPM instance and works for my day-to-day use, but that's the extent of the real-world testing, so review accordingly.

Type of Change

  • Bug fix (non-breaking change that fixes an issue)
  • New feature (non-breaking change that adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Documentation update
  • Code refactoring
  • API changes
  • Performance improvement
  • Test addition or update

AI Usage

  • AI was used to write this
  • AI was used to review this

…URE_DEFAULTS

Closes NginxProxyManager#2. When adding a proxy host, typing a domain auto-selects a
certificate covering ALL entered domains (exact > one-label wildcard),
tracked as auto-picked so it re-matches or clears as domains change and
never overrides a manual choice (including an explicit "None").

New env var NPM_SECURE_DEFAULTS (default off = stock behavior), exposed
via the health endpoint: new proxy hosts default Block Common Exploits
and Websockets Support on, and Force SSL + HTTP/2 flip on when a cert is
first selected. Applies to new hosts only — editing existing hosts never
changes stored values.

SSLCertificateField's select is now controlled so programmatic
certificateId changes render correctly.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@Grasfer

Grasfer commented Jul 18, 2026

Copy link
Copy Markdown
Author

As the AI mentioned i just wanted these features myself, i do not know coding at all, but it works as i wanted on my own system.
Feels bad(i dont know why) doing ai pr's but maybe someone else find this useful.

@nginxproxymanagerci

Copy link
Copy Markdown

Docker Image for build 1 is available on DockerHub:

nginxproxymanager/nginx-proxy-manager-dev:pr-5716

Note

Ensure you backup your NPM instance before testing this image! Especially if there are database changes.
This is a different docker image namespace than the official image.

Warning

Changes and additions to DNS Providers require verification by at least 2 members of the community!

@rajubepari980-oss rajubepari980-oss left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Off

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants