Merge pull request #5276 from NginxProxyManager/develop

v2.13.7

backend/internal/certificate.js

@@ -660,8 +660,8 @@ const internalCertificate = {
 	 * @param {Boolean} [throwExpired]  Throw when the certificate is out of date
 	 */
 	getCertificateInfo: async (certificate, throwExpired) => {
-		const filepath = await tempWrite(certificate, "/tmp");
 		try {
+			const filepath = await tempWrite(certificate, "/tmp");
 			const certData = await internalCertificate.getCertificateInfoFromFile(filepath, throwExpired);
 			fs.unlinkSync(filepath);
 			return certData;

backend/migrations/20260131163528_trust_forwarded_proto.js

@@ -1,43 +0,0 @@
-import { migrate as logger } from "../logger.js";
-
-const migrateName = "trust_forwarded_proto";
-
-/**
- * Migrate
- *
- * @see http://knexjs.org/#Schema
- *
- * @param   {Object} knex
- * @returns {Promise}
- */
-const up = function (knex) {
-    logger.info(`[${migrateName}] Migrating Up...`);
-
-    return knex.schema
-        .alterTable('proxy_host', (table) => {
-            table.tinyint('trust_forwarded_proto').notNullable().defaultTo(0);
-        })
-        .then(() => {
-            logger.info(`[${migrateName}] proxy_host Table altered`);
-        });
-};
-
-/**
- * Undo Migrate
- *
- * @param   {Object} knex
- * @returns {Promise}
- */
-const down = function (knex) {
-    logger.info(`[${migrateName}] Migrating Down...`);
-
-    return knex.schema
-        .alterTable('proxy_host', (table) => {
-            table.dropColumn('trust_forwarded_proto');
-        })
-        .then(() => {
-            logger.info(`[${migrateName}] proxy_host Table altered`);
-        });
-};
-
-export { up, down };

backend/models/proxy_host.js

@@ -21,7 +21,6 @@ const boolFields = [
 	"enabled",
 	"hsts_enabled",
 	"hsts_subdomains",
-	"trust_forwarded_proto",
 ];
 
 class ProxyHost extends Model {

backend/schema/components/proxy-host-object.json

@@ -22,8 +22,7 @@
 		"enabled",
 		"locations",
 		"hsts_enabled",
-		"hsts_subdomains",
+		"hsts_subdomains"
-		"trust_forwarded_proto"
 	],
 	"properties": {
 		"id": {
@@ -142,11 +141,6 @@
 		"hsts_subdomains": {
 			"$ref": "../common.json#/properties/hsts_subdomains"
 		},
-		"trust_forwarded_proto":{
-			"type": "boolean",
-			"description": "Trust the forwarded headers",
-			"example": false
-		},
 		"certificate": {
 			"oneOf": [
 				{

backend/schema/paths/nginx/proxy-hosts/get.json

@@ -58,8 +58,7 @@
 									"enabled": true,
 									"locations": [],
 									"hsts_enabled": false,
-									"hsts_subdomains": false,
+									"hsts_subdomains": false
-									"trust_forwarded_proto": false
 								}
 							]
 						}

backend/schema/paths/nginx/proxy-hosts/hostID/get.json

@@ -56,7 +56,6 @@
 								"locations": [],
 								"hsts_enabled": false,
 								"hsts_subdomains": false,
-								"trust_forwarded_proto": false,
 								"owner": {
 									"id": 1,
 									"created_on": "2025-10-28T00:50:24.000Z",

backend/schema/paths/nginx/proxy-hosts/hostID/put.json

@@ -56,9 +56,6 @@
 						"hsts_subdomains": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/hsts_subdomains"
 						},
-						"trust_forwarded_proto": {
-    						"$ref": "../../../../components/proxy-host-object.json#/properties/trust_forwarded_proto"
-						},
 						"http2_support": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/http2_support"
 						},
@@ -125,7 +122,6 @@
 								"locations": [],
 								"hsts_enabled": false,
 								"hsts_subdomains": false,
-								"trust_forwarded_proto": false,
 								"owner": {
 									"id": 1,
 									"created_on": "2025-10-28T00:50:24.000Z",

backend/schema/paths/nginx/proxy-hosts/post.json

@@ -48,9 +48,6 @@
 						"hsts_subdomains": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/hsts_subdomains"
 						},
-						"trust_forwarded_proto": {
-    						"$ref": "../../../components/proxy-host-object.json#/properties/trust_forwarded_proto"
-						},
 						"http2_support": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/http2_support"
 						},
@@ -122,7 +119,6 @@
 								"locations": [],
 								"hsts_enabled": false,
 								"hsts_subdomains": false,
-								"trust_forwarded_proto": false,
 								"certificate": null,
 								"owner": {
 									"id": 1,

backend/templates/_forced_ssl.conf

@@ -1,11 +1,6 @@
 {% if certificate and certificate_id > 0 -%}
 {% if ssl_forced == 1 or ssl_forced == true %}
     # Force SSL
-    {% if trust_forwarded_proto == true %}
-    set $trust_forwarded_proto "T";
-    {% else %}
-    set $trust_forwarded_proto "F";
-    {% endif %}
     include conf.d/include/force-ssl.conf;
 {% endif %}
 {% endif %}

docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf

@@ -5,28 +5,9 @@ if ($scheme = "http") {
 if ($request_uri = /.well-known/acme-challenge/test-challenge) {
 	set $test "${test}T";
 }
-
-# Check if the ssl staff has been handled
-set $test_ssl_handled "";
-if ($trust_forwarded_proto = "") {
-	set $trust_forwarded_proto "F";
-}
-if ($trust_forwarded_proto = "T") {
-	set $test_ssl_handled "${test_ssl_handled}T";
-}
 if ($http_x_forwarded_proto = "https") {
-	set $test_ssl_handled "${test_ssl_handled}S";
-}
-if ($http_x_forwarded_scheme = "https") {
-	set $test_ssl_handled "${test_ssl_handled}S";
-}
-if ($test_ssl_handled = "TSS") {
-	set $test_ssl_handled "TS";
-}
-if ($test_ssl_handled = "TS") {
 	set $test "${test}S";
 }
-
 if ($test = H) {
 	return 301 https://$host$request_uri;
 }

docker/rootfs/etc/nginx/conf.d/include/proxy.conf

@@ -1,7 +1,7 @@
 add_header       X-Served-By $host;
 proxy_set_header Host $host;
-proxy_set_header X-Forwarded-Scheme $x_forwarded_scheme;
+proxy_set_header X-Forwarded-Scheme $scheme;
-proxy_set_header X-Forwarded-Proto  $x_forwarded_proto;
+proxy_set_header X-Forwarded-Proto  $scheme;
 proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
 proxy_set_header X-Real-IP          $remote_addr;
 proxy_pass       $forward_scheme://$server:$port$request_uri;

docker/rootfs/etc/nginx/nginx.conf

@@ -57,18 +57,6 @@ http {
 		default http;
 	}
 
-	# Handle upstream X-Forwarded-Proto and X-Forwarded-Scheme header
-	map $http_x_forwarded_proto $x_forwarded_proto {
-		"http" "http";
-		"https" "https";
-		default $scheme;
-	}
-	map $http_x_forwarded_scheme $x_forwarded_scheme {
-		"http" "http";
-		"https" "https";
-		default $scheme;
-	} 
-
 	# Real IP Determination
 
 	# Local subnets:

frontend/src/api/backend/models.ts

@@ -127,7 +127,6 @@ export interface ProxyHost {
 	locations?: ProxyLocation[];
 	hstsEnabled: boolean;
 	hstsSubdomains: boolean;
-	trustForwardedProto: boolean;
 	// Expansions:
 	owner?: User;
 	accessList?: AccessList;

frontend/src/components/Form/SSLOptionsFields.tsx

@@ -5,18 +5,17 @@ import { T } from "src/locale";
 
 interface Props {
 	forHttp?: boolean; // the sslForced, http2Support, hstsEnabled, hstsSubdomains fields
-	forProxyHost?: boolean; // the advanced fields
 	forceDNSForNew?: boolean;
 	requireDomainNames?: boolean; // used for streams
 	color?: string;
 }
-export function SSLOptionsFields({ forHttp = true, forProxyHost = false, forceDNSForNew, requireDomainNames, color = "bg-cyan" }: Props) {
+export function SSLOptionsFields({ forHttp = true, forceDNSForNew, requireDomainNames, color = "bg-cyan" }: Props) {
 	const { values, setFieldValue } = useFormikContext();
 	const v: any = values || {};
 
 	const newCertificate = v?.certificateId === "new";
 	const hasCertificate = newCertificate || (v?.certificateId && v?.certificateId > 0);
-	const { sslForced, http2Support, hstsEnabled, hstsSubdomains, trustForwardedProto, meta } = v;
+	const { sslForced, http2Support, hstsEnabled, hstsSubdomains, meta } = v;
 	const { dnsChallenge } = meta || {};
 
 	if (forceDNSForNew && newCertificate && !dnsChallenge) {
@@ -116,34 +115,6 @@ export function SSLOptionsFields({ forHttp = true, forProxyHost = false, forceDN
 		</div>
 	);
 
-	const getHttpAdvancedOptions = () =>(
-		<div>
-			<details>
-				<summary className="mb-1"><T id="domains.advanced" /></summary>
-				<div className="row">
-					<div className="col-12">
-						<Field name="trustForwardedProto">
-							{({ field }: any) => (
-								<label className="form-check form-switch mt-1">
-									<input
-										className={trustForwardedProto ? toggleEnabled : toggleClasses}
-										type="checkbox"
-										checked={!!trustForwardedProto}
-										onChange={(e) => handleToggleChange(e, field.name)}
-										disabled={!hasCertificate || !sslForced}
-									/>
-									<span className="form-check-label">
-										<T id="domains.trust-forwarded-proto" />
-									</span>
-								</label>
-							)}
-						</Field>
-					</div>
-				</div>
-			</details>
-		</div>
-	);
-
 	return (
 		<div>
 			{forHttp ? getHttpOptions() : null}
@@ -169,7 +140,6 @@ export function SSLOptionsFields({ forHttp = true, forProxyHost = false, forceDN
 					{dnsChallenge ? <DNSProviderFields showBoundaryBox /> : null}
 				</>
 			) : null}
-			{forProxyHost && forHttp ? getHttpAdvancedOptions() : null}
 		</div>
 	);
 }

frontend/src/hooks/useProxyHost.ts

@@ -24,7 +24,6 @@ const fetchProxyHost = (id: number | "new") => {
 			enabled: true,
 			hstsEnabled: false,
 			hstsSubdomains: false,
-			trustForwardedProto: false,
 		} as ProxyHost);
 	}
 	return getProxyHost(id, ["owner"]);

frontend/src/locale/src/en.json

@@ -347,9 +347,6 @@
 	"domain-names.wildcards-not-supported": {
 		"defaultMessage": "Wildcards not supported for this CA"
 	},
-	"domains.advanced": {
-		"defaultMessage": "Advanced"
-	},
 	"domains.force-ssl": {
 		"defaultMessage": "Force SSL"
 	},
@@ -362,9 +359,6 @@
 	"domains.http2-support": {
 		"defaultMessage": "HTTP/2 Support"
 	},
-	"domains.trust-forwarded-proto": {
-		"defaultMessage": "Trust Upstream Forwarded Proto Headers"
-	},
 	"domains.use-dns": {
 		"defaultMessage": "Use DNS Challenge"
 	},

frontend/src/locale/src/zh.json

@@ -275,9 +275,6 @@
 	"domain-names.wildcards-not-supported": {
 		"defaultMessage": "此 CA 不支持通配符"
 	},
-	"domains.advanced": {
-		"defaultMessage": "高级选项"
-	},
 	"domains.force-ssl": {
 		"defaultMessage": "强制 SSL"
 	},
@@ -290,9 +287,6 @@
 	"domains.http2-support": {
 		"defaultMessage": "HTTP/2 支持"
 	},
-	"domains.trust-forwarded-proto": {
-		"defaultMessage": "信任上游代理传递的协议类型头"
-	},
 	"domains.use-dns": {
 		"defaultMessage": "使用DNS验证"
 	},

frontend/src/modals/ProxyHostModal.tsx

@@ -88,7 +88,6 @@ const ProxyHostModal = EasyModal.create(({ id, visible, remove }: Props) => {
 							http2Support: data?.http2Support || false,
 							hstsEnabled: data?.hstsEnabled || false,
 							hstsSubdomains: data?.hstsSubdomains || false,
-							trustForwardedProto: data?.trustForwardedProto || false,
 							// Advanced tab
 							advancedConfig: data?.advancedConfig || "",
 							meta: data?.meta || {},
@@ -340,7 +339,7 @@ const ProxyHostModal = EasyModal.create(({ id, visible, remove }: Props) => {
 													label="ssl-certificate"
 													allowNew
 												/>
-												<SSLOptionsFields color="bg-lime" forProxyHost={true} />
+												<SSLOptionsFields color="bg-lime" />
 											</div>
 											<div className="tab-pane" id="tab-advanced" role="tabpanel">
 												<NginxConfigField />

test/yarn.lock

@@ -424,12 +424,12 @@ aws4@^1.8.0:
   integrity sha512-Uvq6hVe90D0B2WEnUqtdgY1bATGz3mw33nH9Y+dmA+w5DHvUmBgkr5rM/KCHpCsiFNRUfokW/szpPPgMK2hm4A==
 
 axios@^1.13.1, axios@^1.7.7:
-  version "1.13.5"
+  version "1.13.4"
-  resolved "https://registry.yarnpkg.com/axios/-/axios-1.13.5.tgz#5e464688fa127e11a660a2c49441c009f6567a43"
+  resolved "https://registry.yarnpkg.com/axios/-/axios-1.13.4.tgz#15d109a4817fb82f73aea910d41a2c85606076bc"
-  integrity sha512-cz4ur7Vb0xS4/KUN0tPWe44eqxrIu31me+fbang3ijiNscE129POzipJJA6zniq2C/Z6sJCjMimjS8Lc/GAs8Q==
+  integrity sha512-1wVkUaAO6WyaYtCkcYCOx12ZgpGf9Zif+qXa4n+oYzK558YryKqiL6UWwd5DqiH3VRW0GYhTZQ/vlgJrCoNQlg==
   dependencies:
-    follow-redirects "^1.15.11"
+    follow-redirects "^1.15.6"
-    form-data "^4.0.5"
+    form-data "^4.0.4"
     proxy-from-env "^1.1.0"
 
 balanced-match@^1.0.0:
@@ -1150,10 +1150,10 @@ flatted@^3.2.9:
   resolved "https://registry.yarnpkg.com/flatted/-/flatted-3.3.1.tgz#21db470729a6734d4997002f439cb308987f567a"
   integrity sha512-X8cqMLLie7KsNUDSdzeN8FYK9rEt4Dt67OsG/DNGnYTSDBG4uFAJFBnUeiV+zCVAvwFy56IjM9sH51jVaEhNxw==
 
-follow-redirects@^1.15.11:
+follow-redirects@^1.15.6:
-  version "1.15.11"
+  version "1.15.9"
-  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.11.tgz#777d73d72a92f8ec4d2e410eb47352a56b8e8340"
+  resolved "https://registry.yarnpkg.com/follow-redirects/-/follow-redirects-1.15.9.tgz#a604fa10e443bf98ca94228d9eebcc2e8a2c8ee1"
-  integrity sha512-deG2P0JfjrTxl50XGCDyfI97ZGVCxIpfKYmfyrQ54n5FO/0gfIES8C/Psl6kWVDolizcaaxZJnTS0QSMxvnsBQ==
+  integrity sha512-gew4GsXizNgdoRyqmyfMHyAmXsZDk6mHkSxZFCzW9gwlbtOW44CDtYavM+y+72qD/Vq2l550kMF52DT8fOLJqQ==
 
 foreground-child@^3.1.0:
   version "3.3.1"
@@ -1168,7 +1168,7 @@ forever-agent@~0.6.1:
   resolved "https://registry.yarnpkg.com/forever-agent/-/forever-agent-0.6.1.tgz#fbc71f0c41adeb37f96c577ad1ed42d8fdacca91"
   integrity sha1-+8cfDEGt6zf5bFd60e1C2P2sypE=
 
-form-data@^4.0.4, form-data@^4.0.5, form-data@~4.0.4:
+form-data@^4.0.4, form-data@~4.0.4:
   version "4.0.5"
   resolved "https://registry.yarnpkg.com/form-data/-/form-data-4.0.5.tgz#b49e48858045ff4cbf6b03e1805cebcad3679053"
   integrity sha512-8RipRLol37bNs2bhoV67fiTEvdTrbMUYcFTiy3+wuuOnUog2QBHCZWXDRijWQfAkhBj2Uf5UnVaiWwA5vdd82w==