Bump basic-ftp from 5.1.0 to 5.2.0 in /backend

Bumps [basic-ftp](https://github.com/patrickjuchli/basic-ftp) from 5.1.0 to 5.2.0.
- [Release notes](https://github.com/patrickjuchli/basic-ftp/releases)
- [Changelog](https://github.com/patrickjuchli/basic-ftp/blob/master/CHANGELOG.md)
- [Commits](https://github.com/patrickjuchli/basic-ftp/compare/v5.1.0...v5.2.0)

---
updated-dependencies:
- dependency-name: basic-ftp
  dependency-version: 5.2.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

.github/dependabot.yml

@@ -0,0 +1,104 @@
+version: 2
+updates:
+  - package-ecosystem: "npm"
+    directory: "/backend"
+    schedule:
+      interval: "weekly"
+    groups:
+      dev-patch-updates:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+      dev-minor-updates:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+      prod-patch-updates:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+      prod-minor-updates:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+
+  - package-ecosystem: "npm"
+    directory: "/frontend"
+    schedule:
+      interval: "weekly"
+    groups:
+      dev-patch-updates:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+      dev-minor-updates:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+      prod-patch-updates:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+      prod-minor-updates:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+
+  - package-ecosystem: "npm"
+    directory: "/docs"
+    schedule:
+      interval: "weekly"
+    groups:
+      dev-patch-updates:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+      dev-minor-updates:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+      prod-patch-updates:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+      prod-minor-updates:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+
+  - package-ecosystem: "npm"
+    directory: "/test"
+    schedule:
+      interval: "weekly"
+    groups:
+      dev-patch-updates:
+        dependency-type: "development"
+        update-types:
+          - "patch"
+      dev-minor-updates:
+        dependency-type: "development"
+        update-types:
+          - "minor"
+      prod-patch-updates:
+        dependency-type: "production"
+        update-types:
+          - "patch"
+      prod-minor-updates:
+        dependency-type: "production"
+        update-types:
+          - "minor"
+
+  - package-ecosystem: "docker"
+    directory: "/docker"
+    schedule:
+      interval: "weekly"
+    groups:
+      updates:
+        update-types:
+          - "patch"
+          - "minor"
+
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "weekly"

.github/workflows/stale.yml

@@ -8,7 +8,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v9
+      - uses: actions/stale@v10
         with:
           stale-issue-label: 'stale'
           stale-pr-label: 'stale'

.version

@@ -1 +1 @@
-2.13.5
+2.14.0

README.md

@@ -1,7 +1,7 @@
 <p align="center">
 	<img src="https://nginxproxymanager.com/github.png">
 	<br><br>
-	<img src="https://img.shields.io/badge/version-2.13.5-green.svg?style=for-the-badge">
+	<img src="https://img.shields.io/badge/version-2.14.0-green.svg?style=for-the-badge">
 	<a href="https://hub.docker.com/repository/docker/jc21/nginx-proxy-manager">
 		<img src="https://img.shields.io/docker/stars/jc21/nginx-proxy-manager.svg?style=for-the-badge">
 	</a>
@@ -36,6 +36,10 @@ so that the barrier for entry here is low.
 - Advanced Nginx configuration available for super users
 - User management, permissions and audit log
 
+::: warning
+`armv7` is no longer supported in version 2.14+. This is due to Nodejs dropping support for armhf. Please
+use the `2.13.7` image tag if this applies to you.
+:::
 
 ## Hosting your home network
 
@@ -43,16 +47,15 @@ I won't go in to too much detail here but here are the basics for someone new to
 
 1. Your home router will have a Port Forwarding section somewhere. Log in and find it
 2. Add port forwarding for port 80 and 443 to the server hosting this project
-3. Configure your domain name details to point to your home, either with a static ip or a service like DuckDNS or [Amazon Route53](https://github.com/jc21/route53-ddns)
+3. Configure your domain name details to point to your home, either with a static ip or a service like
+   - DuckDNS
+   - [Amazon Route53](https://github.com/jc21/route53-ddns)
+   - [Cloudflare](https://github.com/jc21/cloudflare-ddns)
 4. Use the Nginx Proxy Manager as your gateway to forward to your other web based services
 
 ## Quick Setup
 
-1. Install Docker and Docker-Compose
-
-- [Docker Install documentation](https://docs.docker.com/install/)
-- [Docker-Compose Install documentation](https://docs.docker.com/compose/install/)
-
+1. [Install Docker](https://docs.docker.com/install/)
 2. Create a docker-compose.yml file similar to this:
 
 ```yml

backend/biome.json

@@ -1,5 +1,5 @@
 {
-    "$schema": "https://biomejs.dev/schemas/2.3.2/schema.json",
+    "$schema": "https://biomejs.dev/schemas/2.4.3/schema.json",
     "vcs": {
         "enabled": true,
         "clientKind": "git",

backend/certbot/dns-plugins.json

@@ -23,6 +23,14 @@
 		"credentials": "dns_aliyun_access_key = 12345678\ndns_aliyun_access_key_secret = 1234567890abcdef1234567890abcdef",
 		"full_plugin_name": "dns-aliyun"
 	},
+	"arvan": {
+        "name": "ArvanCloud",
+        "package_name": "certbot-dns-arvan",
+        "version": ">=0.1.0",
+        "dependencies": "",
+        "credentials": "dns_arvan_key = Apikey xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
+        "full_plugin_name": "dns-arvan"
+    },
 	"azure": {
 		"name": "Azure",
 		"package_name": "certbot-dns-azure",
@@ -74,7 +82,7 @@
 	"cloudns": {
 		"name": "ClouDNS",
 		"package_name": "certbot-dns-cloudns",
-		"version": "~=0.6.0",
+		"version": "~=0.7.0",
 		"dependencies": "",
 		"credentials": "# Target user ID (see https://www.cloudns.net/api-settings/)\n\tdns_cloudns_auth_id=1234\n\t# Alternatively, one of the following two options can be set:\n\t# dns_cloudns_sub_auth_id=1234\n\t# dns_cloudns_sub_auth_user=foobar\n\n\t# API password\n\tdns_cloudns_auth_password=password1",
 		"full_plugin_name": "dns-cloudns"
@@ -255,6 +263,14 @@
 		"credentials": "dns_gcore_apitoken = 0123456789abcdef0123456789abcdef01234567",
 		"full_plugin_name": "dns-gcore"
 	},
+	"glesys": {
+		"name": "Glesys",
+		"package_name": "certbot-dns-glesys",
+		"version": "~=2.1.0",
+		"dependencies": "",
+		"credentials": "dns_glesys_user = CL00000\ndns_glesys_password = apikeyvalue",
+		"full_plugin_name": "dns-glesys"
+	},
 	"godaddy": {
 		"name": "GoDaddy",
 		"package_name": "certbot-dns-godaddy",
@@ -287,6 +303,14 @@
 		"credentials": "dns_he_user = Me\ndns_he_pass = my HE password",
 		"full_plugin_name": "dns-he"
 	},
+	"he-ddns": {
+		"name": "Hurricane Electric - DDNS",
+		"package_name": "certbot-dns-he-ddns",
+		"version": "~=0.1.0",
+		"dependencies": "",
+		"credentials": "dns_he_ddns_password = verysecurepassword",
+		"full_plugin_name": "dns-he-ddns"
+	},
 	"hetzner": {
 		"name": "Hetzner",
 		"package_name": "certbot-dns-hetzner",
@@ -367,6 +391,14 @@
 		"credentials": "dns_joker_username = <Dynamic DNS Authentication Username>\ndns_joker_password = <Dynamic DNS Authentication Password>\ndns_joker_domain = <Dynamic DNS Domain>",
 		"full_plugin_name": "dns-joker"
 	},
+	"kas": {
+        "name": "All-Inkl",
+        "package_name": "certbot-dns-kas",
+        "version": "~=0.1.1",
+        "dependencies": "kasserver",
+        "credentials": "dns_kas_user = your_kas_user\ndns_kas_password = your_kas_password",
+        "full_plugin_name": "dns-kas"
+    },
 	"leaseweb": {
 		"name": "LeaseWeb",
 		"package_name": "certbot-dns-leaseweb",
@@ -527,6 +559,14 @@
 		"credentials": "[default]\naws_access_key_id=AKIAIOSFODNN7EXAMPLE\naws_secret_access_key=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
 		"full_plugin_name": "dns-route53"
 	},
+	"simply": {
+		"name": "Simply",
+		"package_name": "certbot-dns-simply",
+		"version": "~=0.1.2",
+		"dependencies": "",
+		"credentials": "dns_simply_account_name = UExxxxxx\ndns_simply_api_key = DsHJdsjh2812872sahj",
+		"full_plugin_name": "dns-simply"
+	},
 	"spaceship": {
 		"name": "Spaceship",
 		"package_name": "certbot-dns-spaceship",

backend/config/sqlite-test-db.json

@@ -2,7 +2,7 @@
   "database": {
       "engine": "knex-native",
       "knex": {
-        "client": "sqlite3",
+        "client": "better-sqlite3",
         "connection": {
           "filename": "/app/config/mydb.sqlite"
         },

backend/internal/2fa.js

@@ -0,0 +1,305 @@
+import crypto from "node:crypto";
+import bcrypt from "bcrypt";
+import { createGuardrails, generateSecret, generateURI, verify } from "otplib";
+import errs from "../lib/error.js";
+import authModel from "../models/auth.js";
+import internalUser from "./user.js";
+
+const APP_NAME = "Nginx Proxy Manager";
+const BACKUP_CODE_COUNT = 8;
+
+/**
+ * Generate backup codes
+ * @returns {Promise<{plain: string[], hashed: string[]}>}
+ */
+const generateBackupCodes = async () => {
+	const plain = [];
+	const hashed = [];
+
+	for (let i = 0; i < BACKUP_CODE_COUNT; i++) {
+		const code = crypto.randomBytes(4).toString("hex").toUpperCase();
+		plain.push(code);
+		const hash = await bcrypt.hash(code, 10);
+		hashed.push(hash);
+	}
+
+	return { plain, hashed };
+};
+
+const internal2fa = {
+	/**
+	 * Check if user has 2FA enabled
+	 * @param {number} userId
+	 * @returns {Promise<boolean>}
+	 */
+	isEnabled: async (userId) => {
+		const auth = await internal2fa.getUserPasswordAuth(userId);
+		return auth?.meta?.totp_enabled === true;
+	},
+
+	/**
+	 * Get 2FA status for user
+	 * @param   {Access}  access
+	 * @param   {number}  userId
+	 * @returns {Promise<{enabled: boolean, backup_codes_remaining: number}>}
+	 */
+	getStatus: async (access, userId) => {
+		await access.can("users:password", userId);
+		await internalUser.get(access, { id: userId });
+		const auth = await internal2fa.getUserPasswordAuth(userId);
+		const enabled = auth?.meta?.totp_enabled === true;
+		let backup_codes_remaining = 0;
+
+		if (enabled) {
+			const backupCodes = auth.meta.backup_codes || [];
+			backup_codes_remaining = backupCodes.length;
+		}
+
+		return {
+			enabled,
+			backup_codes_remaining,
+		};
+	},
+
+	/**
+	 * Start 2FA setup - store pending secret
+	 *
+	 * @param   {Access}  access
+	 * @param   {number} userId
+	 * @returns {Promise<{secret: string, otpauth_url: string}>}
+	 */
+	startSetup: async (access, userId) => {
+		await access.can("users:password", userId);
+		const user = await internalUser.get(access, { id: userId });
+		const secret = generateSecret();
+		const otpauth_url = generateURI({
+			issuer: APP_NAME,
+			label: user.email,
+			secret: secret,
+		});
+		const auth = await internal2fa.getUserPasswordAuth(userId);
+
+		// ensure user isn't already setup for 2fa
+		const enabled = auth?.meta?.totp_enabled === true;
+		if (enabled) {
+			throw new errs.ValidationError("2FA is already enabled");
+		}
+
+		const meta = auth.meta || {};
+		meta.totp_pending_secret = secret;
+
+		await authModel
+			.query()
+			.where("id", auth.id)
+			.andWhere("user_id", userId)
+			.andWhere("type", "password")
+			.patch({ meta });
+
+		return { secret, otpauth_url };
+	},
+
+	/**
+	 * Enable 2FA after verifying code
+	 *
+	 * @param   {Access}  access
+	 * @param   {number}  userId
+	 * @param   {string}  code
+	 * @returns {Promise<{backup_codes: string[]}>}
+	 */
+	enable: async (access, userId, code) => {
+		await access.can("users:password", userId);
+		await internalUser.get(access, { id: userId });
+		const auth = await internal2fa.getUserPasswordAuth(userId);
+		const secret = auth?.meta?.totp_pending_secret || false;
+
+		if (!secret) {
+			throw new errs.ValidationError("No pending 2FA setup found");
+		}
+
+		const result = await verify({ token: code, secret });
+		if (!result.valid) {
+			throw new errs.ValidationError("Invalid verification code");
+		}
+
+		const { plain, hashed } = await generateBackupCodes();
+
+		const meta = {
+			...auth.meta,
+			totp_secret: secret,
+			totp_enabled: true,
+			totp_enabled_at: new Date().toISOString(),
+			backup_codes: hashed,
+		};
+		delete meta.totp_pending_secret;
+
+		await authModel
+			.query()
+			.where("id", auth.id)
+			.andWhere("user_id", userId)
+			.andWhere("type", "password")
+			.patch({ meta });
+
+		return { backup_codes: plain };
+	},
+
+	/**
+	 * Disable 2FA
+	 *
+	 * @param   {Access}  access
+	 * @param   {number} userId
+	 * @param   {string} code
+	 * @returns {Promise<void>}
+	 */
+	disable: async (access, userId, code) => {
+		await access.can("users:password", userId);
+		await internalUser.get(access, { id: userId });
+		const auth = await internal2fa.getUserPasswordAuth(userId);
+
+		const enabled = auth?.meta?.totp_enabled === true;
+		if (!enabled) {
+			throw new errs.ValidationError("2FA is not enabled");
+		}
+
+		const result = await verify({
+            token: code,
+            secret: auth.meta.totp_secret,
+            guardrails: createGuardrails({
+                MIN_SECRET_BYTES: 10,
+            }),
+        });
+
+		if (!result.valid) {
+			throw new errs.AuthError("Invalid verification code");
+		}
+
+		const meta = { ...auth.meta };
+		delete meta.totp_secret;
+		delete meta.totp_enabled;
+		delete meta.totp_enabled_at;
+		delete meta.backup_codes;
+
+		await authModel
+			.query()
+			.where("id", auth.id)
+			.andWhere("user_id", userId)
+			.andWhere("type", "password")
+			.patch({ meta });
+	},
+
+	/**
+	 * Verify 2FA code for login
+	 *
+	 * @param   {number} userId
+	 * @param   {string} token
+	 * @returns {Promise<boolean>}
+	 */
+	verifyForLogin: async (userId, token) => {
+		const auth = await internal2fa.getUserPasswordAuth(userId);
+		const secret = auth?.meta?.totp_secret || false;
+
+		if (!secret) {
+			return false;
+		}
+
+		// Try TOTP code first, if it's 6 chars. it will throw errors if it's not 6 chars
+		// and the backup codes are 8 chars.
+		if (token.length === 6) {
+			const result = await verify({
+				token,
+				secret,
+				// These guardrails lower the minimum length requirement for secrets.
+				// In v12 of otplib the default minimum length is 10 and in v13 it is 16.
+				// Since there are 2fa secrets in the wild generated with v12 we need to allow shorter secrets
+				// so people won't be locked out when upgrading.
+				guardrails: createGuardrails({
+					MIN_SECRET_BYTES: 10,
+				}),
+			});
+
+			if (result.valid) {
+				return true;
+			}
+		}
+
+		// Try backup codes
+		const backupCodes = auth?.meta?.backup_codes || [];
+		for (let i = 0; i < backupCodes.length; i++) {
+			const match = await bcrypt.compare(token.toUpperCase(), backupCodes[i]);
+			if (match) {
+				// Remove used backup code
+				const updatedCodes = [...backupCodes];
+				updatedCodes.splice(i, 1);
+				const meta = { ...auth.meta, backup_codes: updatedCodes };
+				await authModel
+					.query()
+					.where("id", auth.id)
+					.andWhere("user_id", userId)
+					.andWhere("type", "password")
+					.patch({ meta });
+				return true;
+			}
+		}
+
+		return false;
+	},
+
+	/**
+	 * Regenerate backup codes
+	 *
+	 * @param   {Access}  access
+	 * @param   {number}  userId
+	 * @param   {string}  token
+	 * @returns {Promise<{backup_codes: string[]}>}
+	 */
+	regenerateBackupCodes: async (access, userId, token) => {
+		await access.can("users:password", userId);
+		await internalUser.get(access, { id: userId });
+		const auth = await internal2fa.getUserPasswordAuth(userId);
+		const enabled = auth?.meta?.totp_enabled === true;
+		const secret = auth?.meta?.totp_secret || false;
+
+		if (!enabled) {
+			throw new errs.ValidationError("2FA is not enabled");
+		}
+		if (!secret) {
+			throw new errs.ValidationError("No 2FA secret found");
+		}
+
+		const result = await verify({
+			token,
+			secret,
+		});
+
+		if (!result.valid) {
+			throw new errs.ValidationError("Invalid verification code");
+		}
+
+		const { plain, hashed } = await generateBackupCodes();
+
+		const meta = { ...auth.meta, backup_codes: hashed };
+		await authModel
+			.query()
+			.where("id", auth.id)
+			.andWhere("user_id", userId)
+			.andWhere("type", "password")
+			.patch({ meta });
+
+		return { backup_codes: plain };
+	},
+
+	getUserPasswordAuth: async (userId) => {
+		const auth = await authModel
+			.query()
+			.where("user_id", userId)
+			.andWhere("type", "password")
+			.first();
+
+		if (!auth) {
+			throw new errs.ItemNotFoundError("Auth not found");
+		}
+
+		return auth;
+	},
+};
+
+export default internal2fa;

backend/internal/certificate.js

@@ -630,7 +630,7 @@ const internalCertificate = {
 	 * @param {String}  privateKey    This is the entire key contents as a string
 	 */
 	checkPrivateKey: async (privateKey) => {
-		const filepath = await tempWrite(privateKey, "/tmp");
+		const filepath = await tempWrite(privateKey);
 		const failTimeout = setTimeout(() => {
 			throw new error.ValidationError(
 				"Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.",
@@ -660,8 +660,8 @@ const internalCertificate = {
 	 * @param {Boolean} [throwExpired]  Throw when the certificate is out of date
 	 */
 	getCertificateInfo: async (certificate, throwExpired) => {
+		const filepath = await tempWrite(certificate);
 		try {
-			const filepath = await tempWrite(certificate, "/tmp");
 			const certData = await internalCertificate.getCertificateInfoFromFile(filepath, throwExpired);
 			fs.unlinkSync(filepath);
 			return certData;
@@ -798,6 +798,11 @@ const internalCertificate = {
 			certificate.domain_names.join(","),
 		];
 
+		// Add key-type parameter if specified
+		if (certificate.meta?.key_type) {
+			args.push("--key-type", certificate.meta.key_type);
+		}
+
 		const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id);
 		args.push(...adds.args);
 
@@ -858,6 +863,11 @@ const internalCertificate = {
 			);
 		}
 
+		// Add key-type parameter if specified
+		if (certificate.meta?.key_type) {
+			args.push("--key-type", certificate.meta.key_type);
+		}
+
 		const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id, certificate.meta.dns_provider);
 		args.push(...adds.args);
 
@@ -938,6 +948,11 @@ const internalCertificate = {
 			"--disable-hook-validation",
 		];
 
+		// Add key-type parameter if specified
+		if (certificate.meta?.key_type) {
+			args.push("--key-type", certificate.meta.key_type);
+		}
+
 		const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id, certificate.meta.dns_provider);
 		args.push(...adds.args);
 
@@ -979,6 +994,11 @@ const internalCertificate = {
 			"--no-random-sleep-on-renew",
 		];
 
+		// Add key-type parameter if specified
+		if (certificate.meta?.key_type) {
+			args.push("--key-type", certificate.meta.key_type);
+		}
+
 		const adds = internalCertificate.getAdditionalCertbotArgs(certificate.id, certificate.meta.dns_provider);
 		args.push(...adds.args);
 

backend/internal/report.js

@@ -15,10 +15,10 @@ const internalReport = {
 				const userId = access.token.getUserId(1);
 
 				const promises = [
-					internalProxyHost.getCount(userId, access_data.visibility),
-					internalRedirectionHost.getCount(userId, access_data.visibility),
-					internalStream.getCount(userId, access_data.visibility),
-					internalDeadHost.getCount(userId, access_data.visibility),
+					internalProxyHost.getCount(userId, access_data.permission_visibility),
+					internalRedirectionHost.getCount(userId, access_data.permission_visibility),
+					internalStream.getCount(userId, access_data.permission_visibility),
+					internalDeadHost.getCount(userId, access_data.permission_visibility),
 				];
 
 				return Promise.all(promises);

backend/internal/token.js

@@ -4,9 +4,12 @@ import { parseDatePeriod } from "../lib/helpers.js";
 import authModel from "../models/auth.js";
 import TokenModel from "../models/token.js";
 import userModel from "../models/user.js";
+import twoFactor from "./2fa.js";
 
 const ERROR_MESSAGE_INVALID_AUTH = "Invalid email or password";
 const ERROR_MESSAGE_INVALID_AUTH_I18N = "error.invalid-auth";
+const ERROR_MESSAGE_INVALID_2FA = "Invalid verification code";
+const ERROR_MESSAGE_INVALID_2FA_I18N = "error.invalid-2fa";
 
 export default {
 	/**
@@ -59,6 +62,25 @@ export default {
 			throw new errs.AuthError(`Invalid scope: ${data.scope}`);
 		}
 
+		// Check if 2FA is enabled
+		const has2FA = await twoFactor.isEnabled(user.id);
+		if (has2FA) {
+			// Return challenge token instead of full token
+			const challengeToken = await Token.create({
+				iss: issuer || "api",
+				attrs: {
+					id: user.id,
+				},
+				scope: ["2fa-challenge"],
+				expiresIn: "5m",
+			});
+
+			return {
+				requires_2fa: true,
+				challenge_token: challengeToken.token,
+			};
+		}
+
 		// Create a moment of the expiry expression
 		const expiry = parseDatePeriod(data.expiry);
 		if (expiry === null) {
@@ -129,6 +151,65 @@ export default {
 		throw new error.AssertionFailedError("Existing token contained invalid user data");
 	},
 
+	/**
+	 * Verify 2FA code and return full token
+	 * @param {string} challengeToken
+	 * @param {string} code
+	 * @param {string} [expiry]
+	 * @returns {Promise}
+	 */
+	verify2FA: async (challengeToken, code, expiry) => {
+		const Token = TokenModel();
+		const tokenExpiry = expiry || "1d";
+
+		// Verify challenge token
+		let tokenData;
+		try {
+			tokenData = await Token.load(challengeToken);
+		} catch {
+			throw new errs.AuthError("Invalid or expired challenge token");
+		}
+
+		// Check scope
+		if (!tokenData.scope || tokenData.scope[0] !== "2fa-challenge") {
+			throw new errs.AuthError("Invalid challenge token");
+		}
+
+		const userId = tokenData.attrs?.id;
+		if (!userId) {
+			throw new errs.AuthError("Invalid challenge token");
+		}
+
+		// Verify 2FA code
+		const valid = await twoFactor.verifyForLogin(userId, code);
+		if (!valid) {
+			throw new errs.AuthError(
+				ERROR_MESSAGE_INVALID_2FA,
+				ERROR_MESSAGE_INVALID_2FA_I18N,
+			);
+		}
+
+		// Create full token
+		const expiryDate = parseDatePeriod(tokenExpiry);
+		if (expiryDate === null) {
+			throw new errs.AuthError(`Invalid expiry time: ${tokenExpiry}`);
+		}
+
+		const signed = await Token.create({
+			iss: "api",
+			attrs: {
+				id: userId,
+			},
+			scope: ["user"],
+			expiresIn: tokenExpiry,
+		});
+
+		return {
+			token: signed.token,
+			expires: expiryDate.toISOString(),
+		};
+	},
+
 	/**
 	 * @param   {Object} user
 	 * @returns {Promise}

backend/lib/config.js

@@ -2,10 +2,13 @@ import fs from "node:fs";
 import NodeRSA from "node-rsa";
 import { global as logger } from "../logger.js";
 
-const keysFile         = '/data/keys.json';
-const mysqlEngine      = 'mysql2';
-const postgresEngine   = 'pg';
-const sqliteClientName = 'sqlite3';
+const keysFile               = '/data/keys.json';
+const mysqlEngine            = 'mysql2';
+const postgresEngine         = 'pg';
+const sqliteClientName       = 'better-sqlite3';
+
+// Not used for new setups anymore but may exist in legacy setups
+const legacySqliteClientName = 'sqlite3';
 
 let instance = null;
 
@@ -84,6 +87,7 @@ const configure = () => {
 	}
 
 	const envSqliteFile = process.env.DB_SQLITE_FILE || "/data/database.sqlite";
+
 	logger.info(`Using Sqlite: ${envSqliteFile}`);
 	instance = {
 		database: {
@@ -183,7 +187,7 @@ const configGet = (key) => {
  */
 const isSqlite = () => {
 	instance === null && configure();
-	return instance.database.knex && instance.database.knex.client === sqliteClientName;
+	return instance.database.knex && [sqliteClientName, legacySqliteClientName].includes(instance.database.knex.client);
 };
 
 /**

backend/migrations/20260131163528_trust_forwarded_proto.js

@@ -0,0 +1,43 @@
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "trust_forwarded_proto";
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object} knex
+ * @returns {Promise}
+ */
+const up = function (knex) {
+    logger.info(`[${migrateName}] Migrating Up...`);
+
+    return knex.schema
+        .alterTable('proxy_host', (table) => {
+            table.tinyint('trust_forwarded_proto').notNullable().defaultTo(0);
+        })
+        .then(() => {
+            logger.info(`[${migrateName}] proxy_host Table altered`);
+        });
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param   {Object} knex
+ * @returns {Promise}
+ */
+const down = function (knex) {
+    logger.info(`[${migrateName}] Migrating Down...`);
+
+    return knex.schema
+        .alterTable('proxy_host', (table) => {
+            table.dropColumn('trust_forwarded_proto');
+        })
+        .then(() => {
+            logger.info(`[${migrateName}] proxy_host Table altered`);
+        });
+};
+
+export { up, down };

backend/models/proxy_host.js

@@ -21,6 +21,7 @@ const boolFields = [
 	"enabled",
 	"hsts_enabled",
 	"hsts_subdomains",
+	"trust_forwarded_proto",
 ];
 
 class ProxyHost extends Model {

backend/package.json

@@ -9,39 +9,42 @@
 	"scripts": {
 		"lint": "biome lint",
 		"prettier": "biome format --write .",
-		"validate-schema": "node validate-schema.js"
+		"validate-schema": "node validate-schema.js",
+		"regenerate-config": "node scripts/regenerate-config"
 	},
 	"dependencies": {
-		"@apidevtools/json-schema-ref-parser": "^11.7.0",
-		"ajv": "^8.17.1",
-		"archiver": "^5.3.0",
+		"@apidevtools/json-schema-ref-parser": "^15.2.2",
+		"ajv": "^8.18.0",
+		"archiver": "^7.0.1",
 		"batchflow": "^0.4.0",
-		"bcrypt": "^5.0.0",
-		"body-parser": "^1.20.3",
-		"compression": "^1.7.4",
-		"express": "^4.20.0",
+		"bcrypt": "^6.0.0",
+		"better-sqlite3": "^12.6.2",
+		"body-parser": "^2.2.2",
+		"compression": "^1.8.1",
+		"express": "^5.2.1",
 		"express-fileupload": "^1.5.2",
 		"gravatar": "^1.8.2",
-		"jsonwebtoken": "^9.0.2",
-		"knex": "2.4.2",
-		"liquidjs": "10.6.1",
-		"lodash": "^4.17.21",
+		"jsonwebtoken": "^9.0.3",
+		"knex": "3.1.0",
+		"liquidjs": "10.24.0",
+		"lodash": "^4.17.23",
 		"moment": "^2.30.1",
-		"mysql2": "^3.15.3",
+		"mysql2": "^3.17.5",
 		"node-rsa": "^1.1.1",
-		"objection": "3.0.1",
+		"objection": "3.1.5",
+		"otplib": "^13.3.0",
 		"path": "^0.12.7",
-		"pg": "^8.16.3",
+		"pg": "^8.18.0",
 		"proxy-agent": "^6.5.0",
 		"signale": "1.4.0",
 		"sqlite3": "^5.1.7",
-		"temp-write": "^4.0.0"
+		"temp-write": "^6.0.1"
 	},
 	"devDependencies": {
-		"@apidevtools/swagger-parser": "^10.1.0",
-		"@biomejs/biome": "^2.3.2",
-		"chalk": "4.1.2",
-		"nodemon": "^2.0.2"
+		"@apidevtools/swagger-parser": "^12.1.0",
+		"@biomejs/biome": "^2.4.3",
+		"chalk": "5.6.2",
+		"nodemon": "^3.1.14"
 	},
 	"signale": {
 		"displayDate": true,

backend/routes/tokens.js

@@ -53,4 +53,26 @@ router
 		}
 	});
 
+router
+	.route("/2fa")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+
+	/**
+	 * POST /tokens/2fa
+	 *
+	 * Verify 2FA code and get full token
+	 */
+	.post(async (req, res, next) => {
+		try {
+			const { challenge_token, code } = await apiValidator(getValidationSchema("/tokens/2fa", "post"), req.body);
+			const result = await internalToken.verify2FA(challenge_token, code);
+			res.status(200).send(result);
+		} catch (err) {
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
 export default router;

backend/routes/users.js

@@ -1,4 +1,5 @@
 import express from "express";
+import internal2FA from "../internal/2fa.js";
 import internalUser from "../internal/user.js";
 import Access from "../lib/access.js";
 import { isCI } from "../lib/config.js";
@@ -325,4 +326,130 @@ router
 		}
 	});
 
+/**
+ * User 2FA status
+ *
+ * /api/users/123/2fa
+ */
+router
+	.route("/:user_id/2fa")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+	.all(userIdFromMe)
+
+	/**
+	 * POST /api/users/123/2fa
+	 *
+	 * Start 2FA setup, returns QR code URL
+	 */
+	.post(async (req, res, next) => {
+		try {
+			const result = await internal2FA.startSetup(res.locals.access, req.params.user_id);
+			res.status(200).send(result);
+		} catch (err) {
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	})
+
+	/**
+	 * GET /api/users/123/2fa
+	 *
+	 * Get 2FA status for a user
+	 */
+	.get(async (req, res, next) => {
+		try {
+			const status = await internal2FA.getStatus(res.locals.access, req.params.user_id);
+			res.status(200).send(status);
+		} catch (err) {
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	})
+
+	/**
+	 * DELETE /api/users/123/2fa?code=XXXXXX
+	 *
+	 * Disable 2FA for a user
+	 */
+	.delete(async (req, res, next) => {
+		try {
+			const code = typeof req.query.code === "string" ? req.query.code : null;
+			if (!code) {
+				throw new errs.ValidationError("Missing required parameter: code");
+			}
+			await internal2FA.disable(res.locals.access, req.params.user_id, code);
+			res.status(200).send(true);
+		} catch (err) {
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+/**
+ * User 2FA enable
+ *
+ * /api/users/123/2fa/enable
+ */
+router
+	.route("/:user_id/2fa/enable")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+	.all(userIdFromMe)
+
+	/**
+	 * POST /api/users/123/2fa/enable
+	 *
+	 * Verify code and enable 2FA
+	 */
+	.post(async (req, res, next) => {
+		try {
+			const { code } = await apiValidator(
+				getValidationSchema("/users/{userID}/2fa/enable", "post"),
+				req.body,
+			);
+			const result = await internal2FA.enable(res.locals.access, req.params.user_id, code);
+			res.status(200).send(result);
+		} catch (err) {
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
+/**
+ * User 2FA backup codes
+ *
+ * /api/users/123/2fa/backup-codes
+ */
+router
+	.route("/:user_id/2fa/backup-codes")
+	.options((_, res) => {
+		res.sendStatus(204);
+	})
+	.all(jwtdecode())
+	.all(userIdFromMe)
+
+	/**
+	 * POST /api/users/123/2fa/backup-codes
+	 *
+	 * Regenerate backup codes
+	 */
+	.post(async (req, res, next) => {
+		try {
+			const { code } = await apiValidator(
+				getValidationSchema("/users/{userID}/2fa/backup-codes", "post"),
+				req.body,
+			);
+			const result = await internal2FA.regenerateBackupCodes(res.locals.access, req.params.user_id, code);
+			res.status(200).send(result);
+		} catch (err) {
+			debug(logger, `${req.method.toUpperCase()} ${req.path}: ${err}`);
+			next(err);
+		}
+	});
+
 export default router;

backend/schema/components/certificate-object.json

@@ -71,6 +71,11 @@
 				"propagation_seconds": {
 					"type": "integer",
 					"minimum": 0
+				},
+				"key_type": {
+					"type": "string",
+					"enum": ["rsa", "ecdsa"],
+					"default": "rsa"
 				}
 			},
 			"example": {

backend/schema/components/proxy-host-object.json

@@ -22,7 +22,8 @@
 		"enabled",
 		"locations",
 		"hsts_enabled",
-		"hsts_subdomains"
+		"hsts_subdomains",
+		"trust_forwarded_proto"
 	],
 	"properties": {
 		"id": {
@@ -141,6 +142,11 @@
 		"hsts_subdomains": {
 			"$ref": "../common.json#/properties/hsts_subdomains"
 		},
+		"trust_forwarded_proto":{
+			"type": "boolean",
+			"description": "Trust the forwarded headers",
+			"example": false
+		},
 		"certificate": {
 			"oneOf": [
 				{

backend/schema/components/token-challenge.json

@@ -0,0 +1,18 @@
+{
+	"type": "object",
+	"description": "Token object",
+	"required": ["requires_2fa", "challenge_token"],
+	"additionalProperties": false,
+	"properties": {
+		"requires_2fa": {
+			"description": "Whether this token request requires two-factor authentication",
+			"example": true,
+			"type": "boolean"
+		},
+		"challenge_token": {
+			"description": "Challenge Token used in subsequent 2FA verification",
+			"example": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.ey...xaHKYr3Kk6MvkUjcC4",
+			"type": "string"
+		}
+	}
+}

backend/schema/paths/nginx/proxy-hosts/get.json

@@ -58,7 +58,8 @@
 									"enabled": true,
 									"locations": [],
 									"hsts_enabled": false,
-									"hsts_subdomains": false
+									"hsts_subdomains": false,
+									"trust_forwarded_proto": false
 								}
 							]
 						}

backend/schema/paths/nginx/proxy-hosts/hostID/get.json

@@ -56,6 +56,7 @@
 								"locations": [],
 								"hsts_enabled": false,
 								"hsts_subdomains": false,
+								"trust_forwarded_proto": false,
 								"owner": {
 									"id": 1,
 									"created_on": "2025-10-28T00:50:24.000Z",

backend/schema/paths/nginx/proxy-hosts/hostID/put.json

@@ -56,6 +56,9 @@
 						"hsts_subdomains": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/hsts_subdomains"
 						},
+						"trust_forwarded_proto": {
+    						"$ref": "../../../../components/proxy-host-object.json#/properties/trust_forwarded_proto"
+						},
 						"http2_support": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/http2_support"
 						},
@@ -122,6 +125,7 @@
 								"locations": [],
 								"hsts_enabled": false,
 								"hsts_subdomains": false,
+								"trust_forwarded_proto": false,
 								"owner": {
 									"id": 1,
 									"created_on": "2025-10-28T00:50:24.000Z",

backend/schema/paths/nginx/proxy-hosts/post.json

@@ -48,6 +48,9 @@
 						"hsts_subdomains": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/hsts_subdomains"
 						},
+						"trust_forwarded_proto": {
+    						"$ref": "../../../components/proxy-host-object.json#/properties/trust_forwarded_proto"
+						},
 						"http2_support": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/http2_support"
 						},
@@ -119,6 +122,7 @@
 								"locations": [],
 								"hsts_enabled": false,
 								"hsts_subdomains": false,
+								"trust_forwarded_proto": false,
 								"certificate": null,
 								"owner": {
 									"id": 1,

backend/schema/paths/tokens/2fa/post.json

@@ -0,0 +1,55 @@
+{
+	"operationId": "loginWith2FA",
+	"summary": "Verify 2FA code and get full token",
+	"tags": ["tokens"],
+	"requestBody": {
+		"description": "2fa Challenge Payload",
+		"required": true,
+		"content": {
+			"application/json": {
+				"schema": {
+					"additionalProperties": false,
+					"properties": {
+						"challenge_token": {
+							"minLength": 1,
+							"type": "string",
+							"example": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.ey...xaHKYr3Kk6MvkUjcC4"
+						},
+						"code": {
+							"minLength": 6,
+							"maxLength": 8,
+							"type": "string",
+							"example": "012345"
+						}
+					},
+					"required": ["challenge_token", "code"],
+					"type": "object"
+				},
+				"example": {
+					"challenge_token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.ey...xaHKYr3Kk6MvkUjcC4",
+					"code": "012345"
+				}
+			}
+		}
+	},
+	"responses": {
+		"200": {
+			"content": {
+				"application/json": {
+					"examples": {
+						"default": {
+							"value": {
+								"expires": "2025-02-04T20:40:46.340Z",
+								"token": "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCJ9.ey...xaHKYr3Kk6MvkUjcC4"
+							}
+						}
+					},
+					"schema": {
+						"$ref": "../../../components/token-object.json"
+					}
+				}
+			},
+			"description": "200 response"
+		}
+	}
+}

backend/schema/paths/tokens/post.json

@@ -50,7 +50,14 @@
 						}
 					},
 					"schema": {
-						"$ref": "../../components/token-object.json"
+						"oneOf": [
+							{
+								"$ref": "../../components/token-object.json"
+							},
+							{
+								"$ref": "../../components/token-challenge.json"
+							}
+						]
 					}
 				}
 			},

backend/schema/paths/users/userID/2fa/backup-codes/post.json

@@ -0,0 +1,92 @@
+{
+	"operationId": "regenUser2faCodes",
+	"summary": "Regenerate 2FA backup codes",
+	"tags": ["users"],
+	"parameters": [
+		{
+			"in": "path",
+			"name": "userID",
+			"schema": {
+				"type": "integer",
+				"minimum": 1
+			},
+			"required": true,
+			"description": "User ID",
+			"example": 2
+		}
+	],
+	"requestBody": {
+		"description": "Verification Payload",
+		"required": true,
+		"content": {
+			"application/json": {
+				"schema": {
+					"additionalProperties": false,
+					"properties": {
+						"code": {
+							"minLength": 6,
+							"maxLength": 8,
+							"type": "string",
+							"example": "123456"
+						}
+					},
+					"required": ["code"],
+					"type": "object"
+				},
+				"example": {
+					"code": "123456"
+				}
+			}
+		}
+	},
+	"responses": {
+		"200": {
+			"content": {
+				"application/json": {
+					"examples": {
+						"default": {
+							"value": {
+								"backup_codes": [
+									"6CD7CB06",
+									"495302F3",
+									"D8037852",
+									"A6FFC956",
+									"BC1A1851",
+									"A05E644F",
+									"A406D2E8",
+									"0AE3C522"
+								]
+							}
+						}
+					},
+					"schema": {
+						"type": "object",
+						"required": ["backup_codes"],
+						"additionalProperties": false,
+						"properties": {
+							"backup_codes": {
+								"description": "Backup codes",
+								"example": [
+									"6CD7CB06",
+									"495302F3",
+									"D8037852",
+									"A6FFC956",
+									"BC1A1851",
+									"A05E644F",
+									"A406D2E8",
+									"0AE3C522"
+								],
+								"type": "array",
+								"items": {
+									"type": "string",
+									"example": "6CD7CB06"
+								}
+							}
+						}
+					}
+				}
+			},
+			"description": "200 response"
+		}
+	}
+}

backend/schema/paths/users/userID/2fa/delete.json

@@ -0,0 +1,48 @@
+{
+	"operationId": "disableUser2fa",
+	"summary": "Disable 2fa for user",
+	"tags": ["users"],
+	"parameters": [
+		{
+			"in": "path",
+			"name": "userID",
+			"schema": {
+				"type": "integer",
+				"minimum": 1
+			},
+			"required": true,
+			"description": "User ID",
+			"example": 2
+		},
+		{
+			"in": "query",
+			"name": "code",
+			"schema": {
+				"type": "string",
+				"minLength": 6,
+				"maxLength": 6,
+				"example": "012345"
+			},
+			"required": true,
+			"description": "2fa Code",
+			"example": "012345"
+		}
+	],
+	"responses": {
+		"200": {
+			"content": {
+				"application/json": {
+					"examples": {
+						"default": {
+							"value": true
+						}
+					},
+					"schema": {
+						"type": "boolean"
+					}
+				}
+			},
+			"description": "200 response"
+		}
+	}
+}

backend/schema/paths/users/userID/2fa/enable/post.json

@@ -0,0 +1,92 @@
+{
+	"operationId": "enableUser2fa",
+	"summary": "Verify code and enable 2FA",
+	"tags": ["users"],
+	"parameters": [
+		{
+			"in": "path",
+			"name": "userID",
+			"schema": {
+				"type": "integer",
+				"minimum": 1
+			},
+			"required": true,
+			"description": "User ID",
+			"example": 2
+		}
+	],
+	"requestBody": {
+		"description": "Verification Payload",
+		"required": true,
+		"content": {
+			"application/json": {
+				"schema": {
+					"additionalProperties": false,
+					"properties": {
+						"code": {
+							"minLength": 6,
+							"maxLength": 8,
+							"type": "string",
+							"example": "123456"
+						}
+					},
+					"required": ["code"],
+					"type": "object"
+				},
+				"example": {
+					"code": "123456"
+				}
+			}
+		}
+	},
+	"responses": {
+		"200": {
+			"content": {
+				"application/json": {
+					"examples": {
+						"default": {
+							"value": {
+								"backup_codes": [
+									"6CD7CB06",
+									"495302F3",
+									"D8037852",
+									"A6FFC956",
+									"BC1A1851",
+									"A05E644F",
+									"A406D2E8",
+									"0AE3C522"
+								]
+							}
+						}
+					},
+					"schema": {
+						"type": "object",
+						"required": ["backup_codes"],
+						"additionalProperties": false,
+						"properties": {
+							"backup_codes": {
+								"description": "Backup codes",
+								"example": [
+									"6CD7CB06",
+									"495302F3",
+									"D8037852",
+									"A6FFC956",
+									"BC1A1851",
+									"A05E644F",
+									"A406D2E8",
+									"0AE3C522"
+								],
+								"type": "array",
+								"items": {
+									"type": "string",
+									"example": "6CD7CB06"
+								}
+							}
+						}
+					}
+				}
+			},
+			"description": "200 response"
+		}
+	}
+}

backend/schema/paths/users/userID/2fa/get.json

@@ -0,0 +1,57 @@
+{
+	"operationId": "getUser2faStatus",
+	"summary": "Get user 2fa Status",
+	"tags": ["users"],
+	"security": [
+		{
+			"bearerAuth": []
+		}
+	],
+	"parameters": [
+		{
+			"in": "path",
+			"name": "userID",
+			"schema": {
+				"type": "integer",
+				"minimum": 1
+			},
+			"required": true,
+			"description": "User ID",
+			"example": 2
+		}
+	],
+	"responses": {
+		"200": {
+			"description": "200 response",
+			"content": {
+				"application/json": {
+					"examples": {
+						"default": {
+							"value": {
+								"enabled": false,
+								"backup_codes_remaining": 0
+							}
+						}
+					},
+					"schema": {
+						"type": "object",
+						"additionalProperties": false,
+						"required": ["enabled", "backup_codes_remaining"],
+						"properties": {
+							"enabled": {
+								"type": "boolean",
+								"description": "Is 2FA enabled for this user",
+								"example": true
+							},
+							"backup_codes_remaining": {
+								"type": "integer",
+								"description": "Number of remaining backup codes for this user",
+								"example": 5
+							}
+						}
+					}
+				}
+			}
+		}
+	}
+}

backend/schema/paths/users/userID/2fa/post.json

@@ -0,0 +1,52 @@
+{
+	"operationId": "setupUser2fa",
+	"summary": "Start 2FA setup, returns QR code URL",
+	"tags": ["users"],
+	"parameters": [
+		{
+			"in": "path",
+			"name": "userID",
+			"schema": {
+				"type": "integer",
+				"minimum": 1
+			},
+			"required": true,
+			"description": "User ID",
+			"example": 2
+		}
+	],
+	"responses": {
+		"200": {
+			"content": {
+				"application/json": {
+					"examples": {
+						"default": {
+							"value": {
+								"secret": "JZYCEBIEEJYUGPQM",
+								"otpauth_url": "otpauth://totp/Nginx%20Proxy%20Manager:jc%40jc21.com?secret=JZYCEBIEEJYUGPQM&period=30&digits=6&algorithm=SHA1&issuer=Nginx%20Proxy%20Manager"
+							}
+						}
+					},
+					"schema": {
+						"type": "object",
+						"required": ["secret", "otpauth_url"],
+						"additionalProperties": false,
+						"properties": {
+							"secret": {
+								"description": "TOTP Secret",
+								"example": "JZYCEBIEEJYUGPQM",
+								"type": "string"
+							},
+							"otpauth_url": {
+								"description": "OTP Auth URL for QR Code generation",
+								"example": "otpauth://totp/Nginx%20Proxy%20Manager:jc%40jc21.com?secret=JZYCEBIEEJYUGPQM&period=30&digits=6&algorithm=SHA1&issuer=Nginx%20Proxy%20Manager",
+								"type": "string"
+							}
+						}
+					}
+				}
+			},
+			"description": "200 response"
+		}
+	}
+}

backend/schema/swagger.json

@@ -293,6 +293,11 @@
 				"$ref": "./paths/tokens/post.json"
 			}
 		},
+		"/tokens/2fa": {
+			"post": {
+				"$ref": "./paths/tokens/2fa/post.json"
+			}
+		},
 		"/version/check": {
 			"get": {
 				"$ref": "./paths/version/check/get.json"
@@ -317,6 +322,27 @@
 				"$ref": "./paths/users/userID/delete.json"
 			}
 		},
+		"/users/{userID}/2fa": {
+			"post": {
+				"$ref": "./paths/users/userID/2fa/post.json"
+			},
+			"get": {
+				"$ref": "./paths/users/userID/2fa/get.json"
+			},
+			"delete": {
+				"$ref": "./paths/users/userID/2fa/delete.json"
+			}
+		},
+		"/users/{userID}/2fa/enable": {
+			"post": {
+				"$ref": "./paths/users/userID/2fa/enable/post.json"
+			}
+		},
+		"/users/{userID}/2fa/backup-codes": {
+			"post": {
+				"$ref": "./paths/users/userID/2fa/backup-codes/post.json"
+			}
+		},
 		"/users/{userID}/auth": {
 			"put": {
 				"$ref": "./paths/users/userID/auth/put.json"

backend/scripts/regenerate-config

@@ -0,0 +1,104 @@
+#!/usr/bin/env node
+
+import * as process from "node:process"; // Use the node: protocol for built-ins
+import internalNginx from "../internal/nginx.js";
+import { castJsonIfNeed } from "../lib/helpers.js";
+import { global as logger } from "../logger.js";
+import deadHostModel from "../models/dead_host.js";
+import proxyHostModel from "../models/proxy_host.js";
+import redirectionHostModel from "../models/redirection_host.js";
+import streamModel from "../models/stream.js";
+
+const args = process.argv.slice(2);
+const UNATTENDED = args.includes("-y") || args.includes("--yes");
+if (args.includes("--help")) {
+	console.log("Usage: ./regenerate-config [--help] [-y|--yes]");
+}
+
+// ask for the user to confirm the action if not in unattended mode
+if (!UNATTENDED) {
+	const readline = await import("node:readline");
+	const rl = readline.createInterface({
+		input: process.stdin,
+		output: process.stdout,
+	});
+
+	const question = (query) =>
+		new Promise((resolve) => rl.question(query, resolve));
+
+	const answer = await question(
+		"This will iterate over all Hosts and regnerate their Nginx configs.\n\nAre you sure you want to proceed? (y/N) ",
+	);
+	rl.close();
+
+	if (answer.toLowerCase() !== "y") {
+		console.log("Aborting.");
+		process.exit(0);
+	}
+}
+
+// Let's do it.
+
+// Proxy hosts
+const proxyRows = await proxyHostModel
+	.query()
+	.where("is_deleted", 0)
+	.andWhere("enabled", 1)
+	.groupBy("id")
+	.allowGraph("[owner,access_list,certificate]")
+	.orderBy(castJsonIfNeed("domain_names"), "ASC");
+
+for (const row of proxyRows) {
+	logger.info(
+		`Regenerating config for Proxy Host #${row.id}: ${row.domain_names.join(", ")}`,
+	);
+	await internalNginx.configure(proxyHostModel, "proxy_host", row);
+}
+
+// Redirection hosts
+const redirectionRows = await redirectionHostModel
+	.query()
+	.where("is_deleted", 0)
+	.andWhere("enabled", 1)
+	.groupBy("id")
+	.allowGraph("[owner,access_list,certificate]")
+	.orderBy(castJsonIfNeed("domain_names"), "ASC");
+
+for (const row of redirectionRows) {
+	logger.info(
+		`Regenerating config for Redirection Host #${row.id}: ${row.domain_names.join(", ")}`,
+	);
+	await internalNginx.configure(redirectionHostModel, "redirection_host", row);
+}
+
+// 404 hosts
+const deadRows = await deadHostModel
+	.query()
+	.where("is_deleted", 0)
+	.andWhere("enabled", 1)
+	.groupBy("id")
+	.allowGraph("[owner,access_list,certificate]")
+	.orderBy(castJsonIfNeed("domain_names"), "ASC");
+
+for (const row of deadRows) {
+	logger.info(
+		`Regenerating config for 404 Host #${row.id}: ${row.domain_names.join(", ")}`,
+	);
+	await internalNginx.configure(deadHostModel, "dead_host", row);
+}
+
+// Streams
+const streamRows = await streamModel
+	.query()
+	.where("is_deleted", 0)
+	.andWhere("enabled", 1)
+	.groupBy("id")
+	.allowGraph("[owner,access_list,certificate]");
+
+for (const row of streamRows) {
+	logger.info(`Regenerating config for Stream #${row.id}: ${row.incoming_port} -> ${row.forwarding_host}:${row.forwarding_port}`);
+	await internalNginx.configure(deadHostModel, "stream", row);
+}
+
+logger.success("Completed");
+process.exit(0);

backend/templates/_forced_ssl.conf

@@ -1,6 +1,11 @@
 {% if certificate and certificate_id > 0 -%}
 {% if ssl_forced == 1 or ssl_forced == true %}
     # Force SSL
+    {% if trust_forwarded_proto == true %}
+    set $trust_forwarded_proto "T";
+    {% else %}
+    set $trust_forwarded_proto "F";
+    {% endif %}
     include conf.d/include/force-ssl.conf;
 {% endif %}
 {% endif %}

backend/templates/stream.conf

@@ -12,6 +12,9 @@ server {
 
   proxy_pass {{ forwarding_host }}:{{ forwarding_port }};
 
+  access_log /data/logs/stream-{{ id }}_access.log stream;
+  error_log /data/logs/stream-{{ id }}_error.log warn;
+
   # Custom
   include /data/nginx/custom/server_stream[.]conf;
   include /data/nginx/custom/server_stream_tcp[.]conf;
@@ -25,9 +28,12 @@ server {
 
   proxy_pass {{ forwarding_host }}:{{ forwarding_port }};
 
+  access_log /data/logs/stream-{{ id }}_access.log stream;
+  error_log /data/logs/stream-{{ id }}_error.log warn;
+
   # Custom
   include /data/nginx/custom/server_stream[.]conf;
   include /data/nginx/custom/server_stream_udp[.]conf;
 }
 {% endif %}
-{% endif %}
+{% endif %}

docker/docker-compose.ci.yml

@@ -109,7 +109,7 @@ services:
       - "cypress_logs:/test/results"
       - "./dev/resolv.conf:/etc/resolv.conf:ro"
       - "/etc/localtime:/etc/localtime:ro"
-    command: cypress run --browser chrome --config-file=cypress/config/ci.js
+    command: cypress run --browser chrome --config-file=cypress/config/ci.mjs
     networks:
       - fulltest
 

docker/docker-compose.dev.yml

@@ -192,7 +192,7 @@ services:
       - "../test/results:/results"
       - "./dev/resolv.conf:/etc/resolv.conf:ro"
       - "/etc/localtime:/etc/localtime:ro"
-    command: cypress run --browser chrome --config-file=cypress/config/ci.js
+    command: cypress run --browser chrome --config-file=cypress/config/ci.mjs
     networks:
       - nginx_proxy_manager
 

docker/rootfs/etc/nginx/conf.d/default.conf

@@ -8,8 +8,8 @@ server {
 	set $port "80";
 
 	server_name localhost-nginx-proxy-manager;
-	access_log /data/logs/fallback_access.log standard;
-	error_log /data/logs/fallback_error.log warn;
+	access_log /data/logs/fallback_http_access.log standard;
+	error_log /data/logs/fallback_http_error.log warn;
 	include conf.d/include/assets.conf;
 	include conf.d/include/block-exploits.conf;
 	include conf.d/include/letsencrypt-acme-challenge.conf;
@@ -30,7 +30,7 @@ server {
 	set $port "443";
 
 	server_name localhost;
-	access_log /data/logs/fallback_access.log standard;
+	access_log /data/logs/fallback_http_access.log standard;
 	error_log /dev/null crit;
 	include conf.d/include/ssl-ciphers.conf;
 	ssl_reject_handshake on;

docker/rootfs/etc/nginx/conf.d/include/force-ssl.conf

@@ -5,6 +5,28 @@ if ($scheme = "http") {
 if ($request_uri = /.well-known/acme-challenge/test-challenge) {
 	set $test "${test}T";
 }
+
+# Check if the ssl staff has been handled
+set $test_ssl_handled "";
+if ($trust_forwarded_proto = "") {
+	set $trust_forwarded_proto "F";
+}
+if ($trust_forwarded_proto = "T") {
+	set $test_ssl_handled "${test_ssl_handled}T";
+}
+if ($http_x_forwarded_proto = "https") {
+	set $test_ssl_handled "${test_ssl_handled}S";
+}
+if ($http_x_forwarded_scheme = "https") {
+	set $test_ssl_handled "${test_ssl_handled}S";
+}
+if ($test_ssl_handled = "TSS") {
+	set $test_ssl_handled "TS";
+}
+if ($test_ssl_handled = "TS") {
+	set $test "${test}S";
+}
+
 if ($test = H) {
 	return 301 https://$host$request_uri;
 }

docker/rootfs/etc/nginx/conf.d/include/log-proxy.conf

@@ -1,4 +1,4 @@
 log_format proxy '[$time_local] $upstream_cache_status $upstream_status $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] [Sent-to $server] "$http_user_agent" "$http_referer"';
 log_format standard '[$time_local] $status - $request_method $scheme $host "$request_uri" [Client $remote_addr] [Length $body_bytes_sent] [Gzip $gzip_ratio] "$http_user_agent" "$http_referer"';
 
-access_log /data/logs/fallback_access.log proxy;
+access_log /data/logs/fallback_http_access.log proxy;

docker/rootfs/etc/nginx/conf.d/include/log-stream.conf

@@ -0,0 +1,3 @@
+log_format stream '[$time_local] [Client $remote_addr:$remote_port] $protocol $status $bytes_sent $bytes_received $session_time [Sent-to $upstream_addr] [Sent $upstream_bytes_sent] [Received $upstream_bytes_received] [Time $upstream_connect_time] $ssl_protocol $ssl_cipher';
+
+access_log /data/logs/fallback_stream_access.log stream;

docker/rootfs/etc/nginx/conf.d/include/proxy.conf

@@ -1,7 +1,7 @@
 add_header       X-Served-By $host;
 proxy_set_header Host $host;
-proxy_set_header X-Forwarded-Scheme $scheme;
-proxy_set_header X-Forwarded-Proto  $scheme;
+proxy_set_header X-Forwarded-Scheme $x_forwarded_scheme;
+proxy_set_header X-Forwarded-Proto  $x_forwarded_proto;
 proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
 proxy_set_header X-Real-IP          $remote_addr;
 proxy_pass       $forward_scheme://$server:$port$request_uri;

docker/rootfs/etc/nginx/nginx.conf

@@ -47,16 +47,28 @@ http {
 	proxy_cache_path              /var/lib/nginx/cache/private levels=1:2 keys_zone=private-cache:5m max_size=1024m;
 
 	# Log format and fallback log file
-	include /etc/nginx/conf.d/include/log.conf;
+	include /etc/nginx/conf.d/include/log-proxy[.]conf;
 
 	# Dynamically generated resolvers file
-	include /etc/nginx/conf.d/include/resolvers.conf;
+	include /etc/nginx/conf.d/include/resolvers[.]conf;
 
 	# Default upstream scheme
 	map $host $forward_scheme {
 		default http;
 	}
 
+	# Handle upstream X-Forwarded-Proto and X-Forwarded-Scheme header
+	map $http_x_forwarded_proto $x_forwarded_proto {
+		"http" "http";
+		"https" "https";
+		default $scheme;
+	}
+	map $http_x_forwarded_scheme $x_forwarded_scheme {
+		"http" "http";
+		"https" "https";
+		default $scheme;
+	}
+
 	# Real IP Determination
 
 	# Local subnets:
@@ -64,7 +76,7 @@ http {
 	set_real_ip_from 172.16.0.0/12; # Includes Docker subnet
 	set_real_ip_from 192.168.0.0/16;
 	# NPM generated CDN ip ranges:
-	include conf.d/include/ip_ranges.conf;
+	include conf.d/include/ip_ranges[.]conf;
 	# always put the following 2 lines after ip subnets:
 	real_ip_header X-Real-IP;
 	real_ip_recursive on;
@@ -85,6 +97,9 @@ http {
 }
 
 stream {
+	# Log format and fallback log file
+	include /etc/nginx/conf.d/include/log-stream[.]conf;
+
 	# Files generated by NPM
 	include /data/nginx/stream/*.conf;
 

docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/40-dynamic.sh

@@ -7,8 +7,10 @@ log_info 'Dynamic resolvers ...'
 
 # Dynamically generate resolvers file, if resolver is IPv6, enclose in `[]`
 # thanks @tfmm
-if [ "$(is_true "$DISABLE_IPV6")" = '1' ]; then
-	echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) ipv6=off valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf
-else
-	echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf
+if [ "$(is_true "${DISABLE_RESOLVER:-}")" = '0' ]; then
+	if [ "$(is_true "${DISABLE_IPV6:-}")" = '1' ]; then
+		echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) ipv6=off valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf
+	else
+		echo resolver "$(awk 'BEGIN{ORS=" "} $1=="nameserver" { sub(/%.*$/,"",$2); print ($2 ~ ":")? "["$2"]": $2}' /etc/resolv.conf) valid=10s;" > /etc/nginx/conf.d/include/resolvers.conf
+	fi
 fi

docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/50-ipv6.sh

@@ -12,7 +12,7 @@ process_folder () {
 	FILES=$(find "$1" -type f -name "*.conf")
 	SED_REGEX=
 
-	if [ "$(is_true "$DISABLE_IPV6")" = '1' ]; then
+	if [ "$(is_true "${DISABLE_IPV6:-}")" = '1' ]; then
 		# IPV6 is disabled
 		echo "Disabling IPV6 in hosts in: $1"
 		SED_REGEX='s/^([^#]*)listen \[::\]/\1#listen [::]/g'
@@ -25,7 +25,13 @@ process_folder () {
 	for FILE in $FILES
 	do
 		echo "- ${FILE}"
-		echo "$(sed -E "$SED_REGEX" "$FILE")" > $FILE
+		TMPFILE="${FILE}.tmp"
+		if sed -E "$SED_REGEX" "$FILE" > "$TMPFILE" && [ -s "$TMPFILE" ]; then
+			mv "$TMPFILE" "$FILE"
+		else
+			echo "WARNING: skipping ${FILE} — sed produced empty output" >&2
+			rm -f "$TMPFILE"
+		fi
 	done
 
 	# ensure the files are still owned by the npm user

docker/scripts/install-s6

@@ -17,10 +17,6 @@ case $TARGETPLATFORM in
 		S6_ARCH=aarch64
 		;;
 
-	linux/arm/v7)
-		S6_ARCH=armhf
-		;;
-
 	*)
 		S6_ARCH=x86_64
 		;;

docs/package.json

@@ -2,7 +2,8 @@
   "scripts": {
     "dev": "vitepress dev --host",
     "build": "vitepress build",
-    "preview": "vitepress preview"
+    "preview": "vitepress preview",
+    "set-version": "./scripts/set-version.sh"
   },
   "devDependencies": {
     "vitepress": "^1.6.4"

docs/scripts/set-version.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -euf
+
+# this script accepts a version number as an argument
+# and replaces {{VERSION}} in src/*.md with the provided version number.
+
+if [ "$#" -ne 1 ]; then
+	echo "Usage: $0 <version>"
+	exit 1
+fi
+
+DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+cd "$DIR/.." || exit 1
+
+VERSION="$1"
+# find all .md files in src/ and replace {{VERSION}} with the provided version number
+find src/ -type f -name "*.md" -exec sed -i "s/{{VERSION}}/$VERSION/g" {} \;

docs/src/advanced-config/index.md

@@ -14,7 +14,7 @@ on the `data` and `letsencrypt` folders at startup.
 ```yml
 services:
   app:
-    image: 'jc21/nginx-proxy-manager:latest'
+    image: 'jc21/nginx-proxy-manager:{{VERSION}}'
     environment:
       PUID: 1000
       PGID: 1000
@@ -101,7 +101,7 @@ secrets:
 
 services:
   app:
-    image: 'jc21/nginx-proxy-manager:latest'
+    image: 'jc21/nginx-proxy-manager:{{VERSION}}'
     restart: unless-stopped
     ports:
       # Public HTTP Port:
@@ -130,18 +130,16 @@ services:
       - db
 
   db:
-    image: jc21/mariadb-aria
+    image: 'linuxserver/mariadb'
     restart: unless-stopped
     environment:
-      # MYSQL_ROOT_PASSWORD: "npm"  # use secret instead
       MYSQL_ROOT_PASSWORD__FILE: /run/secrets/DB_ROOT_PWD
-      MYSQL_DATABASE: "npm"
-      MYSQL_USER: "npm"
-      # MYSQL_PASSWORD: "npm"  # use secret instead
+      MYSQL_DATABASE: 'npm'
+      MYSQL_USER: 'npm'
       MYSQL_PASSWORD__FILE: /run/secrets/MYSQL_PWD
-      MARIADB_AUTO_UPGRADE: '1'
+      TZ: 'Australia/Brisbane'
     volumes:
-      - ./mysql:/var/lib/mysql
+      - ./mariadb:/config
     secrets:
       - DB_ROOT_PWD
       - MYSQL_PWD
@@ -233,8 +231,20 @@ load_module /usr/lib/nginx/modules/ngx_stream_geoip2_module.so;
 
 Setting these environment variables will create the default user on startup, skipping the UI first user setup screen:
 
-```
+```yml
     environment:
       INITIAL_ADMIN_EMAIL: my@example.com
       INITIAL_ADMIN_PASSWORD: mypassword1
 ```
+
+## Disable Nginx Resolver
+
+On startup, we generate a resolvers directive for Nginx unless this is defined:
+
+```yml
+    environment:
+      DISABLE_RESOLVER: true
+```
+
+In this configuration, all DNS queries performed by Nginx will fall to the `/etc/hosts` file
+and then the `/etc/resolv.conf`.

docs/src/guide/index.md

@@ -64,7 +64,7 @@ I won't go in to too much detail here but here are the basics for someone new to
 ```yml
 services:
   app:
-    image: 'jc21/nginx-proxy-manager:latest'
+    image: 'jc21/nginx-proxy-manager:{{VERSION}}'
     restart: unless-stopped
     environment:
       TZ: "Australia/Brisbane"

docs/src/setup/index.md

@@ -11,7 +11,7 @@ Create a `docker-compose.yml` file:
 ```yml
 services:
   app:
-    image: 'jc21/nginx-proxy-manager:latest'
+    image: 'jc21/nginx-proxy-manager:{{VERSION}}'
     restart: unless-stopped
 
     ports:
@@ -45,10 +45,7 @@ docker compose up -d
 
 ## Using MySQL / MariaDB Database
 
-If you opt for the MySQL configuration you will have to provide the database server yourself. You can also use MariaDB. Here are the minimum supported versions:
-
-- MySQL v5.7.8+
-- MariaDB v10.2.7+
+If you opt for the MySQL configuration you will have to provide the database server yourself.
 
 It's easy to use another docker container for your database also and link it as part of the docker stack, so that's what the following examples
 are going to use.
@@ -58,7 +55,7 @@ Here is an example of what your `docker-compose.yml` will look like when using a
 ```yml
 services:
   app:
-    image: 'jc21/nginx-proxy-manager:latest'
+    image: 'jc21/nginx-proxy-manager:{{VERSION}}'
     restart: unless-stopped
     ports:
       # These ports are in format <host-port>:<container-port>
@@ -88,31 +85,29 @@ services:
       - db
 
   db:
-    image: 'jc21/mariadb-aria:latest'
+    image: 'linuxserver/mariadb'
     restart: unless-stopped
     environment:
       MYSQL_ROOT_PASSWORD: 'npm'
       MYSQL_DATABASE: 'npm'
       MYSQL_USER: 'npm'
       MYSQL_PASSWORD: 'npm'
-      MARIADB_AUTO_UPGRADE: '1'
+      TZ: 'Australia/Brisbane'
     volumes:
-      - ./mysql:/var/lib/mysql
+      - ./mariadb:/config
 ```
 
 ::: warning
-
 Please note, that `DB_MYSQL_*` environment variables will take precedent over `DB_SQLITE_*` variables. So if you keep the MySQL variables, you will not be able to use SQLite.
-
 :::
 
 ### Optional: MySQL / MariaDB SSL
 
 You can enable TLS for the MySQL/MariaDB connection with these environment variables:
 
-- DB_MYSQL_SSL: Enable SSL when set to true. If unset or false, SSL disabled (previous default behaviour).
-- DB_MYSQL_SSL_REJECT_UNAUTHORIZED: (default: true) Validate the server certificate chain. Set to false to allow self‑signed/unknown CA.
-- DB_MYSQL_SSL_VERIFY_IDENTITY: (default: true) Performs host name / identity verification.
+- `DB_MYSQL_SSL`: Enable SSL when set to true. If unset or false, SSL disabled (previous default behaviour).
+- `DB_MYSQL_SSL_REJECT_UNAUTHORIZED`: (default: true) Validate the server certificate chain. Set to false to allow self‑signed/unknown CA.
+- `DB_MYSQL_SSL_VERIFY_IDENTITY`: (default: true) Performs host name / identity verification.
 
 Enabling SSL using a self-signed cert (not recommended for production).
 
@@ -123,7 +118,7 @@ Similar to the MySQL server setup:
 ```yml
 services:
   app:
-    image: 'jc21/nginx-proxy-manager:latest'
+    image: 'jc21/nginx-proxy-manager:{{VERSION}}'
     restart: unless-stopped
     ports:
       # These ports are in format <host-port>:<container-port>
@@ -169,7 +164,11 @@ Custom Postgres schema is not supported, as such `public` will be used.
 The docker images support the following architectures:
 - amd64
 - arm64
-- armv7
+
+::: warning
+`armv7` is no longer supported in version 2.14+. This is due to Nodejs dropping support for armhf. Please
+use the `2.13.7` image tag if this applies to you.
+:::
 
 The docker images are a manifest of all the architecture docker builds supported, so this means
 you don't have to worry about doing anything special and you can follow the common instructions above.
@@ -181,8 +180,6 @@ for a list of supported architectures and if you want one that doesn't exist,
 Also, if you don't know how to already, follow [this guide to install docker and docker-compose](https://manre-universe.net/how-to-run-docker-and-docker-compose-on-raspbian/)
 on Raspbian.
 
-Please note that the `jc21/mariadb-aria:latest` image might have some problems on some ARM devices, if you want a separate database container, use the `yobasystems/alpine-mariadb:latest` image.
-
 ## Initial Run
 
 After the app is running for the first time, the following will happen:

frontend/biome.json

@@ -1,5 +1,5 @@
 {
-    "$schema": "https://biomejs.dev/schemas/2.3.2/schema.json",
+    "$schema": "https://biomejs.dev/schemas/2.4.3/schema.json",
     "vcs": {
         "enabled": true,
         "clientKind": "git",

frontend/check-locales.cjs

@@ -7,22 +7,30 @@
 // - Also checks the error messages returned by the backend
 
 const allLocales = [
-	["en", "en-US"],
-	["de", "de-DE"],
-	["es", "es-ES"],
-	["it", "it-IT"],
-	["ja", "ja-JP"],
-	["nl", "nl-NL"],
-	["pl", "pl-PL"],
-	["ru", "ru-RU"],
-	["sk", "sk-SK"],
-	["vi", "vi-VN"],
-	["zh", "zh-CN"],
+  ["en", "en-US"],
+  ["de", "de-DE"],
+  ["pt", "pt-PT"],
+  ["es", "es-ES"],
+  ["et", "et-EE"],
+  ["fr", "fr-FR"],
+  ["it", "it-IT"],
+  ["ja", "ja-JP"],
+  ["nl", "nl-NL"],
+  ["pl", "pl-PL"],
+  ["ru", "ru-RU"],
+  ["sk", "sk-SK"],
+  ["cs", "cs-CZ"],
+  ["vi", "vi-VN"],
+  ["zh", "zh-CN"],
+  ["ko", "ko-KR"],
+  ["bg", "bg-BG"],
+  ["id", "id-ID"],
+  ["tr", "tr-TR"],
+  ["hu", "hu-HU"],
+  ["no", "no-NO"],
 ];
 
-const ignoreUnused = [
-	/^.*$/,
-];
+const ignoreUnused = [/^.*$/];
 
 const { spawnSync } = require("child_process");
 const fs = require("fs");
@@ -63,105 +71,95 @@ const allWarnings = [];
 const allKeys = [];
 
 const checkLangList = (fullCode) => {
-	const key = "locale-" + fullCode;
-	if (typeof langList[key] === "undefined") {
-		allErrors.push(
-			"ERROR: `" + key + "` language does not exist in lang-list.json",
-		);
-	}
+  const key = "locale-" + fullCode;
+  if (typeof langList[key] === "undefined") {
+    allErrors.push("ERROR: `" + key + "` language does not exist in lang-list.json");
+  }
 };
 
 const compareLocale = (locale) => {
-	const projectLocaleKeys = Object.keys(allLocalesInProject);
-	// Check that locale contains the items used in the codebase
-	projectLocaleKeys.map((key) => {
-		if (typeof locale.data[key] === "undefined") {
-			allErrors.push(
-				"ERROR: `" + locale[0] + "` does not contain item: `" + key + "`",
-			);
-		}
-		return null;
-	});
-	// Check that locale contains all error.* items
-	BACKEND_ERRORS.forEach((key) => {
-		if (typeof locale.data[key] === "undefined") {
-			allErrors.push(
-				"ERROR: `" + locale[0] + "` does not contain item: `" + key + "`",
-			);
-		}
-		return null;
-	});
+  const projectLocaleKeys = Object.keys(allLocalesInProject);
+  // Check that locale contains the items used in the codebase
+  projectLocaleKeys.map((key) => {
+    if (typeof locale.data[key] === "undefined") {
+      allErrors.push("ERROR: `" + locale[0] + "` does not contain item: `" + key + "`");
+    }
+    return null;
+  });
+  // Check that locale contains all error.* items
+  BACKEND_ERRORS.forEach((key) => {
+    if (typeof locale.data[key] === "undefined") {
+      allErrors.push("ERROR: `" + locale[0] + "` does not contain item: `" + key + "`");
+    }
+    return null;
+  });
 
-	// Check that locale does not contain items not used in the codebase
-	const localeKeys = Object.keys(locale.data);
-	localeKeys.map((key) => {
-		let ignored = false;
-		ignoreUnused.map((regex) => {
-			if (key.match(regex)) {
-				ignored = true;
-			}
-			return null;
-		});
+  // Check that locale does not contain items not used in the codebase
+  const localeKeys = Object.keys(locale.data);
+  localeKeys.map((key) => {
+    let ignored = false;
+    ignoreUnused.map((regex) => {
+      if (key.match(regex)) {
+        ignored = true;
+      }
+      return null;
+    });
 
-		if (!ignored && typeof allLocalesInProject[key] === "undefined") {
-			// ensure this key doesn't exist in the backend errors either
-			if (!BACKEND_ERRORS.includes(key)) {
-				allErrors.push(
-					"ERROR: `" + locale[0] + "` contains unused item: `" + key + "`",
-				);
-			}
-		}
+    if (!ignored && typeof allLocalesInProject[key] === "undefined") {
+      // ensure this key doesn't exist in the backend errors either
+      if (!BACKEND_ERRORS.includes(key)) {
+        allErrors.push("ERROR: `" + locale[0] + "` contains unused item: `" + key + "`");
+      }
+    }
 
-		// Add this key to allKeys
-		if (allKeys.indexOf(key) === -1) {
-			allKeys.push(key);
-		}
-		return null;
-	});
+    // Add this key to allKeys
+    if (allKeys.indexOf(key) === -1) {
+      allKeys.push(key);
+    }
+    return null;
+  });
 };
 
 // Checks for any keys missing from this locale, that
 // have been defined in any other locales
 const checkForMissing = (locale) => {
-	allKeys.forEach((key) => {
-		if (typeof locale.data[key] === "undefined") {
-			allWarnings.push(
-				"WARN: `" + locale[0] + "` does not contain item: `" + key + "`",
-			);
-		}
-		return null;
-	});
+  allKeys.forEach((key) => {
+    if (typeof locale.data[key] === "undefined") {
+      allWarnings.push("WARN: `" + locale[0] + "` does not contain item: `" + key + "`");
+    }
+    return null;
+  });
 };
 
 // Local all locale data
 allLocales.map((locale, idx) => {
-	checkLangList(locale[1]);
-	allLocales[idx].data = require("./src/locale/src/" + locale[0] + ".json");
-	return null;
+  checkLangList(locale[1]);
+  allLocales[idx].data = require("./src/locale/src/" + locale[0] + ".json");
+  return null;
 });
 
 // Verify all locale data
 allLocales.map((locale) => {
-	compareLocale(locale);
-	checkForMissing(locale);
-	return null;
+  compareLocale(locale);
+  checkForMissing(locale);
+  return null;
 });
 
 if (allErrors.length) {
-	allErrors.map((err) => {
-		console.log("\x1b[31m%s\x1b[0m", err);
-		return null;
-	});
+  allErrors.map((err) => {
+    console.log("\x1b[31m%s\x1b[0m", err);
+    return null;
+  });
 }
 if (allWarnings.length) {
-	allWarnings.map((err) => {
-		console.log("\x1b[33m%s\x1b[0m", err);
-		return null;
-	});
+  allWarnings.map((err) => {
+    console.log("\x1b[33m%s\x1b[0m", err);
+    return null;
+  });
 }
 
 if (allErrors.length) {
-	process.exit(1);
+  process.exit(1);
 }
 
 console.log("\x1b[32m%s\x1b[0m", "Locale check passed");

frontend/package.json

@@ -17,50 +17,50 @@
 	},
 	"dependencies": {
 		"@tabler/core": "^1.4.0",
-		"@tabler/icons-react": "^3.35.0",
-		"@tanstack/react-query": "^5.90.6",
+		"@tabler/icons-react": "^3.37.1",
+		"@tanstack/react-query": "^5.90.21",
 		"@tanstack/react-table": "^8.21.3",
 		"@uiw/react-textarea-code-editor": "^3.1.1",
 		"classnames": "^2.5.1",
-		"country-flag-icons": "^1.5.21",
+		"country-flag-icons": "^1.6.14",
 		"date-fns": "^4.1.0",
 		"ez-modal-react": "^1.0.5",
-		"formik": "^2.4.6",
+		"formik": "^2.4.9",
 		"generate-password-browser": "^1.1.0",
 		"humps": "^2.0.1",
 		"query-string": "^9.3.1",
-		"react": "^19.2.0",
+		"react": "^19.2.4",
 		"react-bootstrap": "^2.10.10",
-		"react-dom": "^19.2.0",
-		"react-intl": "^7.1.14",
+		"react-dom": "^19.2.4",
+		"react-intl": "^8.1.3",
 		"react-markdown": "^10.1.0",
-		"react-router-dom": "^7.9.5",
+		"react-router-dom": "^7.13.0",
 		"react-select": "^5.10.2",
 		"react-toastify": "^11.0.5",
-		"rooks": "^9.3.0"
+		"rooks": "^9.5.0"
 	},
 	"devDependencies": {
-		"@biomejs/biome": "^2.3.2",
-		"@formatjs/cli": "^6.7.4",
-		"@tanstack/react-query-devtools": "^5.90.2",
+		"@biomejs/biome": "^2.4.3",
+		"@formatjs/cli": "^6.13.0",
+		"@tanstack/react-query-devtools": "^5.91.3",
 		"@testing-library/dom": "^10.4.1",
 		"@testing-library/jest-dom": "^6.9.1",
-		"@testing-library/react": "^16.3.0",
+		"@testing-library/react": "^16.3.2",
 		"@types/country-flag-icons": "^1.2.2",
 		"@types/humps": "^2.0.6",
-		"@types/react": "^19.2.2",
-		"@types/react-dom": "^19.2.2",
+		"@types/react": "^19.2.14",
+		"@types/react-dom": "^19.2.3",
 		"@types/react-table": "^7.7.20",
-		"@vitejs/plugin-react": "^5.1.0",
-		"happy-dom": "^20.0.10",
+		"@vitejs/plugin-react": "^5.1.4",
+		"happy-dom": "^20.7.0",
 		"postcss": "^8.5.6",
 		"postcss-simple-vars": "^7.0.1",
-		"sass": "^1.93.3",
+		"sass": "^1.97.3",
 		"tmp": "^0.2.5",
 		"typescript": "5.9.3",
-		"vite": "^7.1.12",
-		"vite-plugin-checker": "^0.11.0",
-		"vite-tsconfig-paths": "^5.1.4",
-		"vitest": "^4.0.6"
+		"vite": "^7.3.1",
+		"vite-plugin-checker": "^0.12.0",
+		"vite-tsconfig-paths": "^6.1.1",
+		"vitest": "^4.0.18"
 	}
 }

frontend/src/api/backend/base.ts

@@ -156,7 +156,6 @@ export async function del({ url, params }: DeleteArgs, abortController?: AbortCo
 	const method = "DELETE";
 	const headers = {
 		...buildAuthHeader(),
-		[contentTypeHeader]: "application/json",
 	};
 	const signal = abortController?.signal;
 	const response = await fetch(apiUrl, { method, headers, signal });

frontend/src/api/backend/getToken.ts

@@ -1,9 +1,22 @@
 import * as api from "./base";
-import type { TokenResponse } from "./responseTypes";
+import type { TokenResponse, TwoFactorChallengeResponse } from "./responseTypes";
 
-export async function getToken(identity: string, secret: string): Promise<TokenResponse> {
+export type LoginResponse = TokenResponse | TwoFactorChallengeResponse;
+
+export function isTwoFactorChallenge(response: LoginResponse): response is TwoFactorChallengeResponse {
+	return "requires2fa" in response && response.requires2fa === true;
+}
+
+export async function getToken(identity: string, secret: string): Promise<LoginResponse> {
 	return await api.post({
 		url: "/tokens",
 		data: { identity, secret },
 	});
 }
+
+export async function verify2FA(challengeToken: string, code: string): Promise<TokenResponse> {
+	return await api.post({
+		url: "/tokens/2fa",
+		data: { challengeToken, code },
+	});
+}

frontend/src/api/backend/index.ts

@@ -60,3 +60,4 @@ export * from "./updateStream";
 export * from "./updateUser";
 export * from "./uploadCertificate";
 export * from "./validateCertificate";
+export * from "./twoFactor";

frontend/src/api/backend/models.ts

@@ -127,6 +127,7 @@ export interface ProxyHost {
 	locations?: ProxyLocation[];
 	hstsEnabled: boolean;
 	hstsSubdomains: boolean;
+	trustForwardedProto: boolean;
 	// Expansions:
 	owner?: User;
 	accessList?: AccessList;

frontend/src/api/backend/responseTypes.ts

@@ -25,3 +25,22 @@ export interface VersionCheckResponse {
 	latest: string | null;
 	updateAvailable: boolean;
 }
+
+export interface TwoFactorChallengeResponse {
+	requires2fa: boolean;
+	challengeToken: string;
+}
+
+export interface TwoFactorStatusResponse {
+	enabled: boolean;
+	backupCodesRemaining: number;
+}
+
+export interface TwoFactorSetupResponse {
+	secret: string;
+	otpauthUrl: string;
+}
+
+export interface TwoFactorEnableResponse {
+	backupCodes: string[];
+}

frontend/src/api/backend/twoFactor.ts

@@ -0,0 +1,37 @@
+import * as api from "./base";
+import type { TwoFactorEnableResponse, TwoFactorSetupResponse, TwoFactorStatusResponse } from "./responseTypes";
+
+export async function get2FAStatus(userId: number | "me"): Promise<TwoFactorStatusResponse> {
+	return await api.get({
+		url: `/users/${userId}/2fa`,
+	});
+}
+
+export async function start2FASetup(userId: number | "me"): Promise<TwoFactorSetupResponse> {
+	return await api.post({
+		url: `/users/${userId}/2fa`,
+	});
+}
+
+export async function enable2FA(userId: number | "me", code: string): Promise<TwoFactorEnableResponse> {
+	return await api.post({
+		url: `/users/${userId}/2fa/enable`,
+		data: { code },
+	});
+}
+
+export async function disable2FA(userId: number | "me", code: string): Promise<boolean> {
+	return await api.del({
+		url: `/users/${userId}/2fa`,
+		params: {
+			code,
+		},
+	});
+}
+
+export async function regenerateBackupCodes(userId: number | "me", code: string): Promise<TwoFactorEnableResponse> {
+	return await api.post({
+		url: `/users/${userId}/2fa/backup-codes`,
+		data: { code },
+	});
+}

frontend/src/components/Form/AccessField.tsx

@@ -3,6 +3,7 @@ import { Field, useFormikContext } from "formik";
 import type { ReactNode } from "react";
 import Select, { type ActionMeta, components, type OptionProps } from "react-select";
 import type { AccessList } from "src/api/backend";
+import { useLocaleState } from "src/context";
 import { useAccessLists } from "src/hooks";
 import { formatDateTime, intl, T } from "src/locale";
 
@@ -32,6 +33,7 @@ interface Props {
 	label?: string;
 }
 export function AccessField({ name = "accessListId", label = "access-list", id = "accessListId" }: Props) {
+	const { locale } = useLocaleState();
 	const { isLoading, isError, error, data } = useAccessLists(["owner", "items", "clients"]);
 	const { setFieldValue } = useFormikContext();
 
@@ -48,7 +50,7 @@ export function AccessField({ name = "accessListId", label = "access-list", id =
 				{
 					users: item?.items?.length,
 					rules: item?.clients?.length,
-					date: item?.createdOn ? formatDateTime(item?.createdOn) : "N/A",
+					date: item?.createdOn ? formatDateTime(item?.createdOn, locale) : "N/A",
 				},
 			),
 			icon: <IconLock size={14} className="text-lime" />,

frontend/src/components/Form/DNSProviderFields.tsx

@@ -116,7 +116,7 @@ export function DNSProviderFields({ showBoundaryBox = false }: Props) {
 									type="number"
 									className="form-control"
 									min={0}
-									max={600}
+									max={7200}
 									{...field}
 								/>
 								<small className="text-muted">

frontend/src/components/Form/SSLCertificateField.tsx

@@ -2,6 +2,7 @@ import { IconShield } from "@tabler/icons-react";
 import { Field, useFormikContext } from "formik";
 import Select, { type ActionMeta, components, type OptionProps } from "react-select";
 import type { Certificate } from "src/api/backend";
+import { useLocaleState } from "src/context";
 import { useCertificates } from "src/hooks";
 import { formatDateTime, intl, T } from "src/locale";
 
@@ -41,6 +42,7 @@ export function SSLCertificateField({
 	allowNew,
 	forHttp = true,
 }: Props) {
+	const { locale } = useLocaleState();
 	const { isLoading, isError, error, data } = useCertificates();
 	const { values, setFieldValue } = useFormikContext();
 	const v: any = values || {};
@@ -75,7 +77,7 @@ export function SSLCertificateField({
 		data?.map((cert: Certificate) => ({
 			value: cert.id,
 			label: cert.niceName,
-			subLabel: `${cert.provider === "letsencrypt" ? intl.formatMessage({ id: "lets-encrypt" }) : cert.provider} — ${intl.formatMessage({ id: "expires.on" }, { date: cert.expiresOn ? formatDateTime(cert.expiresOn) : "N/A" })}`,
+			subLabel: `${cert.provider === "letsencrypt" ? intl.formatMessage({ id: "lets-encrypt" }) : cert.provider} — ${intl.formatMessage({ id: "expires.on" }, { date: cert.expiresOn ? formatDateTime(cert.expiresOn, locale) : "N/A" })}`,
 			icon: <IconShield size={14} className="text-pink" />,
 		})) || [];
 

frontend/src/components/Form/SSLOptionsFields.tsx

@@ -5,17 +5,18 @@ import { T } from "src/locale";
 
 interface Props {
 	forHttp?: boolean; // the sslForced, http2Support, hstsEnabled, hstsSubdomains fields
+	forProxyHost?: boolean; // the advanced fields
 	forceDNSForNew?: boolean;
 	requireDomainNames?: boolean; // used for streams
 	color?: string;
 }
-export function SSLOptionsFields({ forHttp = true, forceDNSForNew, requireDomainNames, color = "bg-cyan" }: Props) {
+export function SSLOptionsFields({ forHttp = true, forProxyHost = false, forceDNSForNew, requireDomainNames, color = "bg-cyan" }: Props) {
 	const { values, setFieldValue } = useFormikContext();
 	const v: any = values || {};
 
 	const newCertificate = v?.certificateId === "new";
 	const hasCertificate = newCertificate || (v?.certificateId && v?.certificateId > 0);
-	const { sslForced, http2Support, hstsEnabled, hstsSubdomains, meta } = v;
+	const { sslForced, http2Support, hstsEnabled, hstsSubdomains, trustForwardedProto, meta } = v;
 	const { dnsChallenge } = meta || {};
 
 	if (forceDNSForNew && newCertificate && !dnsChallenge) {
@@ -115,6 +116,34 @@ export function SSLOptionsFields({ forHttp = true, forceDNSForNew, requireDomain
 		</div>
 	);
 
+	const getHttpAdvancedOptions = () =>(
+		<div>
+			<details>
+				<summary className="mb-1"><T id="domains.advanced" /></summary>
+				<div className="row">
+					<div className="col-12">
+						<Field name="trustForwardedProto">
+							{({ field }: any) => (
+								<label className="form-check form-switch mt-1">
+									<input
+										className={trustForwardedProto ? toggleEnabled : toggleClasses}
+										type="checkbox"
+										checked={!!trustForwardedProto}
+										onChange={(e) => handleToggleChange(e, field.name)}
+										disabled={!hasCertificate || !sslForced}
+									/>
+									<span className="form-check-label">
+										<T id="domains.trust-forwarded-proto" />
+									</span>
+								</label>
+							)}
+						</Field>
+					</div>
+				</div>
+			</details>
+		</div>
+	);
+
 	return (
 		<div>
 			{forHttp ? getHttpOptions() : null}
@@ -140,6 +169,7 @@ export function SSLOptionsFields({ forHttp = true, forceDNSForNew, requireDomain
 					{dnsChallenge ? <DNSProviderFields showBoundaryBox /> : null}
 				</>
 			) : null}
+			{forProxyHost && forHttp ? getHttpAdvancedOptions() : null}
 		</div>
 	);
 }

frontend/src/components/SiteHeader.tsx

@@ -1,9 +1,9 @@
-import { IconLock, IconLogout, IconUser } from "@tabler/icons-react";
+import { IconLock, IconLogout, IconShieldLock, IconUser } from "@tabler/icons-react";
 import { LocalePicker, NavLink, ThemeSwitcher } from "src/components";
 import { useAuthState } from "src/context";
 import { useUser } from "src/hooks";
 import { T } from "src/locale";
-import { showChangePasswordModal, showUserModal } from "src/modals";
+import { showChangePasswordModal, showTwoFactorModal, showUserModal } from "src/modals";
 import styles from "./SiteHeader.module.css";
 
 export function SiteHeader() {
@@ -108,6 +108,17 @@ export function SiteHeader() {
 									<IconLock width={18} />
 									<T id="user.change-password" />
 								</a>
+								<a
+									href="?"
+									className="dropdown-item"
+									onClick={(e) => {
+										e.preventDefault();
+										showTwoFactorModal("me");
+									}}
+								>
+									<IconShieldLock width={18} />
+									<T id="user.two-factor" />
+								</a>
 								<div className="dropdown-divider" />
 								<a
 									href="?"

frontend/src/components/Table/Formatter/DateFormatter.tsx

@@ -1,5 +1,6 @@
 import cn from "classnames";
 import { differenceInDays, isPast } from "date-fns";
+import { useLocaleState } from "src/context";
 import { formatDateTime, parseDate } from "src/locale";
 
 interface Props {
@@ -8,6 +9,7 @@ interface Props {
 	highlistNearlyExpired?: boolean;
 }
 export function DateFormatter({ value, highlightPast, highlistNearlyExpired }: Props) {
+	const { locale } = useLocaleState();
 	const d = parseDate(value);
 	const dateIsPast = d ? isPast(d) : false;
 	const days = d ? differenceInDays(d, new Date()) : 0;
@@ -15,5 +17,5 @@ export function DateFormatter({ value, highlightPast, highlistNearlyExpired }: P
 		"text-danger": highlightPast && dateIsPast,
 		"text-warning": highlistNearlyExpired && !dateIsPast && days <= 30 && days >= 0,
 	});
-	return <span className={cl}>{formatDateTime(value)}</span>;
+	return <span className={cl}>{formatDateTime(value, locale)}</span>;
 }

frontend/src/components/Table/Formatter/DomainsFormatter.tsx

@@ -1,5 +1,6 @@
 import cn from "classnames";
 import type { ReactNode } from "react";
+import { useLocaleState } from "src/context";
 import { formatDateTime, T } from "src/locale";
 
 interface Props {
@@ -37,7 +38,9 @@ const DomainLink = ({ domain, color }: { domain?: string; color?: string }) => {
 };
 
 export function DomainsFormatter({ domains, createdOn, niceName, provider, color }: Props) {
+	const { locale } = useLocaleState();
 	const elms: ReactNode[] = [];
+
 	if ((!domains || domains.length === 0) && !niceName) {
 		elms.push(
 			<span key="nice-name" className="badge bg-danger-lt me-2">
@@ -62,7 +65,7 @@ export function DomainsFormatter({ domains, createdOn, niceName, provider, color
 			<div className="font-weight-medium">{...elms}</div>
 			{createdOn ? (
 				<div className="text-secondary mt-1">
-					<T id="created-on" data={{ date: formatDateTime(createdOn) }} />
+					<T id="created-on" data={{ date: formatDateTime(createdOn, locale) }} />
 				</div>
 			) : null}
 		</div>

frontend/src/components/Table/Formatter/EventFormatter.tsx

@@ -1,6 +1,7 @@
 import { IconArrowsCross, IconBolt, IconBoltOff, IconDisc, IconLock, IconShield, IconUser } from "@tabler/icons-react";
 import cn from "classnames";
 import type { AuditLog } from "src/api/backend";
+import { useLocaleState } from "src/context";
 import { formatDateTime, T } from "src/locale";
 
 const getEventValue = (event: AuditLog) => {
@@ -66,6 +67,7 @@ interface Props {
 	row: AuditLog;
 }
 export function EventFormatter({ row }: Props) {
+	const { locale } = useLocaleState();
 	return (
 		<div className="flex-fill">
 			<div className="font-weight-medium">
@@ -73,7 +75,7 @@ export function EventFormatter({ row }: Props) {
 				<T id={`object.event.${row.action}`} tData={{ object: row.objectType }} />
 				&nbsp; &mdash; <span className="badge">{getEventValue(row)}</span>
 			</div>
-			<div className="text-secondary mt-1">{formatDateTime(row.createdOn)}</div>
+			<div className="text-secondary mt-1">{formatDateTime(row.createdOn, locale)}</div>
 		</div>
 	);
 }

frontend/src/components/Table/Formatter/ValueWithDateFormatter.tsx

@@ -1,3 +1,4 @@
+import { useLocaleState } from "src/context";
 import { formatDateTime, T } from "src/locale";
 
 interface Props {
@@ -6,6 +7,7 @@ interface Props {
 	disabled?: boolean;
 }
 export function ValueWithDateFormatter({ value, createdOn, disabled }: Props) {
+	const { locale } = useLocaleState();
 	return (
 		<div className="flex-fill">
 			<div className="font-weight-medium">
@@ -13,7 +15,7 @@ export function ValueWithDateFormatter({ value, createdOn, disabled }: Props) {
 			</div>
 			{createdOn ? (
 				<div className={`text-secondary mt-1 ${disabled ? "text-red" : ""}`}>
-					<T id={disabled ? "disabled" : "created-on"} data={{ date: formatDateTime(createdOn) }} />
+					<T id={disabled ? "disabled" : "created-on"} data={{ date: formatDateTime(createdOn, locale) }} />
 				</div>
 			) : null}
 		</div>

frontend/src/context/AuthContext.tsx

@@ -1,13 +1,28 @@
 import { useQueryClient } from "@tanstack/react-query";
 import { createContext, type ReactNode, useContext, useState } from "react";
 import { useIntervalWhen } from "rooks";
-import { getToken, loginAsUser, refreshToken, type TokenResponse } from "src/api/backend";
+import {
+	getToken,
+	isTwoFactorChallenge,
+	loginAsUser,
+	refreshToken,
+	verify2FA,
+	type TokenResponse,
+} from "src/api/backend";
 import AuthStore from "src/modules/AuthStore";
 
+// 2FA challenge state
+export interface TwoFactorChallenge {
+	challengeToken: string;
+}
+
 // Context
 export interface AuthContextType {
 	authenticated: boolean;
+	twoFactorChallenge: TwoFactorChallenge | null;
 	login: (username: string, password: string) => Promise<void>;
+	verifyTwoFactor: (code: string) => Promise<void>;
+	cancelTwoFactor: () => void;
 	loginAs: (id: number) => Promise<void>;
 	logout: () => void;
 	token?: string;
@@ -24,17 +39,35 @@ interface Props {
 function AuthProvider({ children, tokenRefreshInterval = 5 * 60 * 1000 }: Props) {
 	const queryClient = useQueryClient();
 	const [authenticated, setAuthenticated] = useState(AuthStore.hasActiveToken());
+	const [twoFactorChallenge, setTwoFactorChallenge] = useState<TwoFactorChallenge | null>(null);
 
 	const handleTokenUpdate = (response: TokenResponse) => {
 		AuthStore.set(response);
 		setAuthenticated(true);
+		setTwoFactorChallenge(null);
 	};
 
 	const login = async (identity: string, secret: string) => {
 		const response = await getToken(identity, secret);
+		if (isTwoFactorChallenge(response)) {
+			setTwoFactorChallenge({ challengeToken: response.challengeToken });
+			return;
+		}
 		handleTokenUpdate(response);
 	};
 
+	const verifyTwoFactor = async (code: string) => {
+		if (!twoFactorChallenge) {
+			throw new Error("No 2FA challenge pending");
+		}
+		const response = await verify2FA(twoFactorChallenge.challengeToken, code);
+		handleTokenUpdate(response);
+	};
+
+	const cancelTwoFactor = () => {
+		setTwoFactorChallenge(null);
+	};
+
 	const loginAs = async (id: number) => {
 		const response = await loginAsUser(id);
 		AuthStore.add(response);
@@ -69,7 +102,15 @@ function AuthProvider({ children, tokenRefreshInterval = 5 * 60 * 1000 }: Props)
 		true,
 	);
 
-	const value = { authenticated, login, logout, loginAs };
+	const value = {
+		authenticated,
+		twoFactorChallenge,
+		login,
+		verifyTwoFactor,
+		cancelTwoFactor,
+		loginAs,
+		logout,
+	};
 
 	return <AuthContext.Provider value={value}>{children}</AuthContext.Provider>;
 }

frontend/src/hooks/useProxyHost.ts

@@ -24,6 +24,7 @@ const fetchProxyHost = (id: number | "new") => {
 			enabled: true,
 			hstsEnabled: false,
 			hstsSubdomains: false,
+			trustForwardedProto: false,
 		} as ProxyHost);
 	}
 	return getProxyHost(id, ["owner"]);

frontend/src/locale/IntlProvider.tsx

@@ -1,73 +1,98 @@
 import { createIntl, createIntlCache } from "react-intl";
+import langBg from "./lang/bg.json";
 import langDe from "./lang/de.json";
+import langPt from "./lang/pt.json";
 import langEn from "./lang/en.json";
 import langEs from "./lang/es.json";
+import langEt from "./lang/et.json";
+import langFr from "./lang/fr.json";
+import langGa from "./lang/ga.json";
+import langId from "./lang/id.json";
 import langIt from "./lang/it.json";
 import langJa from "./lang/ja.json";
-import langList from "./lang/lang-list.json";
+import langKo from "./lang/ko.json";
 import langNl from "./lang/nl.json";
 import langPl from "./lang/pl.json";
 import langRu from "./lang/ru.json";
 import langSk from "./lang/sk.json";
+import langCs from "./lang/cs.json";
 import langVi from "./lang/vi.json";
 import langZh from "./lang/zh.json";
+import langTr from "./lang/tr.json";
+import langHu from "./lang/hu.json";
+import langNo from "./lang/no.json";
+import langList from "./lang/lang-list.json";
 
 // first item of each array should be the language code,
 // not the country code
 // Remember when adding to this list, also update check-locales.js script
 const localeOptions = [
-	["en", "en-US", langEn],
-	["de", "de-DE", langDe],
-	["es", "es-ES", langEs],
-	["ja", "ja-JP", langJa],
-	["it", "it-IT", langIt],
-	["nl", "nl-NL", langNl],
-	["pl", "pl-PL", langPl],
-	["ru", "ru-RU", langRu],
-	["sk", "sk-SK", langSk],
-	["vi", "vi-VN", langVi],
-	["zh", "zh-CN", langZh],
+  ["en", "en-US", langEn],
+  ["de", "de-DE", langDe],
+  ["es", "es-ES", langEs],
+  ["et", "et-EE", langEt],
+  ["pt", "pt-PT", langPt],
+  ["fr", "fr-FR", langFr],
+  ["ga", "ga-IE", langGa],
+  ["ja", "ja-JP", langJa],
+  ["it", "it-IT", langIt],
+  ["nl", "nl-NL", langNl],
+  ["pl", "pl-PL", langPl],
+  ["ru", "ru-RU", langRu],
+  ["sk", "sk-SK", langSk],
+  ["cs", "cs-CZ", langCs],
+  ["vi", "vi-VN", langVi],
+  ["zh", "zh-CN", langZh],
+  ["ko", "ko-KR", langKo],
+  ["bg", "bg-BG", langBg],
+  ["id", "id-ID", langId],
+  ["tr", "tr-TR", langTr],
+  ["hu", "hu-HU", langHu],
+  ["no", "no-NO", langNo],
 ];
 
 const loadMessages = (locale?: string): typeof langList & typeof langEn => {
-	const thisLocale = (locale || "en").slice(0, 2);
+  const thisLocale = (locale || "en").slice(0, 2);
 
-	// ensure this lang exists in localeOptions above, otherwise fallback to en
-	if (thisLocale === "en" || !localeOptions.some(([code]) => code === thisLocale)) {
-		return Object.assign({}, langList, langEn);
-	}
+  // ensure this lang exists in localeOptions above, otherwise fallback to en
+  if (thisLocale === "en" || !localeOptions.some(([code]) => code === thisLocale)) {
+    return Object.assign({}, langList, langEn);
+  }
 
-	return Object.assign({}, langList, langEn, localeOptions.find(([code]) => code === thisLocale)?.[2]);
+  return Object.assign({}, langList, langEn, localeOptions.find(([code]) => code === thisLocale)?.[2]);
 };
 
 const getFlagCodeForLocale = (locale?: string) => {
-	const thisLocale = (locale || "en").slice(0, 2);
+  const thisLocale = (locale || "en").slice(0, 2);
 
-	// only add to this if your flag is different from the locale code
-	const specialCases: Record<string, string> = {
-		ja: "jp", // Japan
-		zh: "cn", // China
-	};
+  // only add to this if your flag is different from the locale code
+  const specialCases: Record<string, string> = {
+    ja: "jp", // Japan
+    zh: "cn", // China
+    vi: "vn", // Vietnam
+    ko: "kr", // Korea
+    cs: "cz", // Czechia
+  };
 
-	if (specialCases[thisLocale]) {
-		return specialCases[thisLocale].toUpperCase();
-	}
-	return thisLocale.toUpperCase();
+  if (specialCases[thisLocale]) {
+    return specialCases[thisLocale].toUpperCase();
+  }
+  return thisLocale.toUpperCase();
 };
 
 const getLocale = (short = false) => {
-	let loc = window.localStorage.getItem("locale");
-	if (!loc) {
-		loc = document.documentElement.lang;
-	}
-	if (short) {
-		return loc.slice(0, 2);
-	}
-	// finally, fallback
-	if (!loc) {
-		loc = "en";
-	}
-	return loc;
+  let loc = window.localStorage.getItem("locale");
+  if (!loc) {
+    loc = document.documentElement.lang;
+  }
+  if (short) {
+    return loc.slice(0, 2);
+  }
+  // finally, fallback
+  if (!loc) {
+    loc = "en";
+  }
+  return loc;
 };
 
 const cache = createIntlCache();
@@ -76,43 +101,43 @@ const initialMessages = loadMessages(getLocale());
 let intl = createIntl({ locale: getLocale(), messages: initialMessages }, cache);
 
 const changeLocale = (locale: string): void => {
-	const messages = loadMessages(locale);
-	intl = createIntl({ locale, messages }, cache);
-	window.localStorage.setItem("locale", locale);
-	document.documentElement.lang = locale;
+  const messages = loadMessages(locale);
+  intl = createIntl({ locale, messages }, cache);
+  window.localStorage.setItem("locale", locale);
+  document.documentElement.lang = locale;
 };
 
 // This is a translation component that wraps the translation in a span with a data
 // attribute so devs can inspect the element to see the translation ID
 const T = ({
-	id,
-	data,
-	tData,
+  id,
+  data,
+  tData,
 }: {
-	id: string;
-	data?: Record<string, string | number | undefined>;
-	tData?: Record<string, string>;
+  id: string;
+  data?: Record<string, string | number | undefined>;
+  tData?: Record<string, string>;
 }) => {
-	const translatedData: Record<string, string> = {};
-	if (tData) {
-		// iterate over tData and translate each value
-		Object.entries(tData).forEach(([key, value]) => {
-			translatedData[key] = intl.formatMessage({ id: value });
-		});
-	}
-	return (
-		<span data-translation-id={id}>
-			{intl.formatMessage(
-				{ id },
-				{
-					...data,
-					...translatedData,
-				},
-			)}
-		</span>
-	);
+  const translatedData: Record<string, string> = {};
+  if (tData) {
+    // iterate over tData and translate each value
+    Object.entries(tData).forEach(([key, value]) => {
+      translatedData[key] = intl.formatMessage({ id: value });
+    });
+  }
+  return (
+    <span data-translation-id={id}>
+      {intl.formatMessage(
+        { id },
+        {
+          ...data,
+          ...translatedData,
+        },
+      )}
+    </span>
+  );
 };
 
-console.log("L:", localeOptions);
+//console.log("L:", localeOptions);
 
 export { localeOptions, getFlagCodeForLocale, getLocale, createIntl, changeLocale, intl, T };

frontend/src/locale/README.md

@@ -40,6 +40,7 @@ not be complete by the time you're reading this:
 - frontend/src/locale/src/[yourlang].json
 - frontend/src/locale/src/lang-list.json
 - frontend/src/locale/src/HelpDoc/[yourlang]/*
+- frontend/src/locale/src/HelpDoc/index.tsx
 - frontend/src/locale/IntlProvider.tsx
 - frontend/check-locales.cjs
 

frontend/src/locale/Utils.test.tsx

@@ -39,19 +39,19 @@ describe("DateFormatter", () => {
 	it("format date from iso date", () => {
 		const value = "2024-01-01T00:00:00.000Z";
 		const text = formatDateTime(value);
-		expect(text).toBe("Monday, 01/01/2024, 12:00:00 am");
+		expect(text).toBe("1 Jan 2024, 12:00:00 am");
 	});
 
 	it("format date from unix timestamp number", () => {
 		const value = 1762476112;
 		const text = formatDateTime(value);
-		expect(text).toBe("Friday, 07/11/2025, 12:41:52 am");
+		expect(text).toBe("7 Nov 2025, 12:41:52 am");
 	});
 
 	it("format date from unix timestamp string", () => {
 		const value = "1762476112";
 		const text = formatDateTime(value);
-		expect(text).toBe("Friday, 07/11/2025, 12:41:52 am");
+		expect(text).toBe("7 Nov 2025, 12:41:52 am");
 	});
 
 	it("catch bad format from string", () => {

frontend/src/locale/Utils.ts

@@ -1,4 +1,9 @@
-import { fromUnixTime, intlFormat, parseISO } from "date-fns";
+import {
+	fromUnixTime,
+	type IntlFormatFormatOptions,
+	intlFormat,
+	parseISO,
+} from "date-fns";
 
 const isUnixTimestamp = (value: unknown): boolean => {
 	if (typeof value !== "number" && typeof value !== "string") return false;
@@ -20,20 +25,19 @@ const parseDate = (value: string | number): Date | null => {
 	}
 };
 
-const formatDateTime = (value: string | number): string => {
+const formatDateTime = (value: string | number, locale = "en-US"): string => {
 	const d = parseDate(value);
 	if (!d) return `${value}`;
 	try {
-		return intlFormat(d, {
-			weekday: "long",
-			year: "numeric",
-			month: "numeric",
-			day: "numeric",
-			hour: "numeric",
-			minute: "numeric",
-			second: "numeric",
-			hour12: true,
-		});
+		return intlFormat(
+			d,
+			{
+				dateStyle: "medium",
+				timeStyle: "medium",
+				hourCycle: "h12",
+			} as IntlFormatFormatOptions,
+			{ locale },
+		);
 	} catch {
 		return `${value}`;
 	}

frontend/src/locale/scripts/locale-sort.cjs

@@ -0,0 +1,69 @@
+#!/usr/bin/env node
+
+const fs = require("fs");
+const path = require("path");
+
+const DIR = path.resolve(__dirname, "../src");
+
+// Function to sort object keys recursively
+function sortKeys(obj) {
+	if (obj === null || typeof obj !== "object" || obj instanceof Array) {
+		return obj;
+	}
+
+	const sorted = {};
+	const keys = Object.keys(obj).sort();
+	for (const key of keys) {
+		const value = obj[key];
+		if (typeof value === "object" && value !== null && !(value instanceof Array)) {
+			sorted[key] = sortKeys(value);
+		} else {
+			sorted[key] = value;
+		}
+	}
+	return sorted;
+}
+
+// Get all JSON files in the directory
+const files = fs.readdirSync(DIR).filter((file) => {
+	return file.endsWith(".json") && file !== "lang-list.json";
+});
+
+files.forEach((file) => {
+	const filePath = path.join(DIR, file);
+	const stats = fs.statSync(filePath);
+
+	if (!stats.isFile()) {
+		return;
+	}
+
+	if (stats.size === 0) {
+		console.log(`Skipping empty file ${file}`);
+		return;
+	}
+
+	try {
+		// Read original content
+		const originalContent = fs.readFileSync(filePath, "utf8");
+		const originalJson = JSON.parse(originalContent);
+
+		// Sort keys
+		const sortedJson = sortKeys(originalJson);
+
+		// Convert back to string with tabs
+		const sortedContent = JSON.stringify(sortedJson, null, "\t") + "\n";
+
+		// Compare (normalize whitespace)
+		if (originalContent.trim() === sortedContent.trim()) {
+			console.log(`${file} is already sorted`);
+			return;
+		}
+
+		// Write sorted content
+		fs.writeFileSync(filePath, sortedContent, "utf8");
+		console.log(`Sorted ${file}`);
+	} catch (error) {
+		console.error(`Error processing ${file}:`, error.message);
+	}
+});
+

frontend/src/locale/scripts/locale-sort.sh

@@ -31,6 +31,6 @@ for file in *.json; do
 		fi
 
 		echo "Sorting $file"
-		jq --tab --sort-keys . "$file" | sponge "$file"
+		tmp=$(mktemp) && jq --tab --sort-keys . "$file" > "$tmp" && mv "$tmp" "$file"
 	fi
 done

frontend/src/locale/src/HelpDoc/bg/AccessLists.md

@@ -0,0 +1,7 @@
+## Какво представлява Списъкът за достъп?
+
+Списъците за достъп предоставят черен или бял списък от конкретни клиентски IP адреси, както и удостоверяване за Прокси хостове чрез базова HTTP автентикация.
+
+Можете да конфигурирате множество клиентски правила, потребителски имена и пароли в един Списък за достъп и след това да го приложите към един или повече _Прокси хостове_.
+
+Това е най-полезно при препращани уеб услуги, които нямат вградени механизми за удостоверяване, или когато искате да защитите достъпа от неизвестни клиенти.

frontend/src/locale/src/HelpDoc/bg/Certificates.md

@@ -0,0 +1,21 @@
+## Помощ за сертификати
+
+### HTTP сертификат
+
+HTTP валидираният сертификат означава, че сървърите на Let’s Encrypt ще се опитат да достигнат вашите домейни по HTTP (не по HTTPS!) и ако успеят, ще издадат сертификата.
+
+За този метод трябва да имате създаден _Прокси хост_ за вашия/вашите домейни, който да е достъпен по HTTP и да сочи към тази Nginx инсталация. След като бъде издаден сертификат, можете да промените _Прокси хоста_ така, че да използва сертификата и за HTTPS връзки. Въпреки това, _Прокси хостът_ трябва да остане конфигуриран за достъп по HTTP, за да може сертификатът да се подновява.
+
+Този процес _не_ поддържа wildcard домейни.
+
+### DNS сертификат
+
+DNS валидираният сертификат изисква използването на DNS Provider плъгин. Този DNS Provider ще бъде използван за временно създаване на записи във вашия домейн, след което Let’s Encrypt ще ги провери, за да се увери, че сте собственикът, и при успех ще издаде сертификата.
+
+Не е необходимо да имате _Прокси хост_, създаден предварително, за да заявите този тип сертификат. Нито е нужно вашият _Прокси хост_ да бъде конфигуриран за достъп по HTTP.
+
+Този процес _поддържа_ wildcard домейни.
+
+### Персонализиран сертификат
+
+Използвайте тази опция, за да качите собствен SSL сертификат, предоставен от ваша сертификатна агенция.

frontend/src/locale/src/HelpDoc/bg/DeadHosts.md

@@ -0,0 +1,10 @@
+## Какво представлява 404 хост?
+
+404 хост е просто конфигурация на хост, който показва страница с грешка 404.
+
+Това може да е полезно, когато вашият домейн е индексиран в търсачките и искате
+да предоставите по-приятна страница за грешка или да уведомите индексиращите системи,
+че страниците на домейна вече не съществуват.
+
+Допълнително предимство на този хост е възможността да проследявате логовете на заявките
+към него и да виждате реферерите.

frontend/src/locale/src/HelpDoc/bg/ProxyHosts.md

@@ -0,0 +1,7 @@
+## Какво представлява Прокси хост?
+
+Прокси хост е входна точка за уеб услуга, която искате да препращате.
+
+Той предоставя възможност за SSL терминaция на услуга, която може да няма вградена поддръжка на SSL.
+
+Прокси хостовете са най-често използваната функция в Nginx Proxy Manager.

frontend/src/locale/src/HelpDoc/bg/RedirectionHosts.md

@@ -0,0 +1,7 @@
+## Какво представлява Хост за пренасочване?
+
+Хостът за пренасочване пренасочва заявките от входящия домейн и прехвърля
+потребителя към друг домейн.
+
+Най-честата причина за използване на този тип хост е, когато вашият уебсайт
+промени домейна си, но все още има линкове от търсачки или реферери, които сочат към стария домейн.

frontend/src/locale/src/HelpDoc/bg/Streams.md

@@ -0,0 +1,6 @@
+## Какво представлява Потокът (Stream)?
+
+Относително нова функция за Nginx, Потокът позволява препращане на TCP/UDP
+трафик директно към друг компютър в мрежата.
+
+Това е полезно, ако хоствате игрови сървъри, FTP или SSH сървъри.

frontend/src/locale/src/HelpDoc/bg/index.ts

@@ -0,0 +1,6 @@
+export * as AccessLists from "./AccessLists.md";
+export * as Certificates from "./Certificates.md";
+export * as DeadHosts from "./DeadHosts.md";
+export * as ProxyHosts from "./ProxyHosts.md";
+export * as RedirectionHosts from "./RedirectionHosts.md";
+export * as Streams from "./Streams.md";

frontend/src/locale/src/HelpDoc/cs/AccessLists.md

@@ -0,0 +1,7 @@
+## Co je seznam přístupů?
+
+Seznamy přístupů poskytují blacklist nebo whitelist konkrétních IP adres klientů spolu s ověřením pro proxy hostitele prostřednictvím základního ověřování HTTP.
+
+Můžete nakonfigurovat více pravidel pro klienty, uživatelská jména a hesla pro jeden seznam přístupu a poté ho použít na jednoho nebo více proxy hostitelů.
+
+Toto je nejužitečnější pro přesměrované webové služby, které nemají vestavěné ověřovací mechanismy, nebo pokud se chcete chránit před neznámými klienty.

frontend/src/locale/src/HelpDoc/cs/Certificates.md

@@ -0,0 +1,32 @@
+## Pomoc s certifikáty
+
+### Certifikát HTTP
+
+Certifikát ověřený prostřednictvím protokolu HTTP znamená, že servery Let's Encrypt se
+pokusí připojit k vašim doménám přes protokol HTTP (nikoli HTTPS!) a v případě úspěchu
+vydají váš certifikát.
+
+Pro tuto metodu budete muset mít pro své domény vytvořeného _Proxy Host_, který
+je přístupný přes HTTP a směruje na tuto instalaci Nginx. Po vydání certifikátu
+můžete změnit _Proxy Host_ tak, aby tento certifikát používal i pro HTTPS
+připojení. _Proxy Host_ však bude stále potřeba nakonfigurovat pro přístup přes HTTP,
+aby se certifikát mohl obnovit.
+
+Tento proces _nepodporuje_ domény se zástupnými znaky.
+
+### Certifikát DNS
+
+Certifikát ověřený DNS vyžaduje použití pluginu DNS Provider. Tento DNS
+Provider se použije na vytvoření dočasných záznamů ve vaší doméně a poté Let's
+Encrypt ověří tyto záznamy, aby se ujistil, že jste vlastníkem, a pokud bude úspěšný,
+vydá váš certifikát.
+
+Před požádáním o tento typ certifikátu není potřeba vytvořit _Proxy Host_.
+Není také potřeba mít _Proxy Host_ nakonfigurovaný pro přístup HTTP.
+
+Tento proces _podporuje_ domény se zástupnými znaky.
+
+### Vlastní certifikát
+
+Tuto možnost použijte na nahrání vlastního SSL certifikátu, který vám poskytla vaše
+certifikační autorita.

frontend/src/locale/src/HelpDoc/cs/DeadHosts.md

@@ -0,0 +1,10 @@
+## Co je to 404 Host?
+
+404 Host je jednoduše nastavení hostitele, které zobrazuje stránku 404.
+
+To může být užitečné, pokud je vaše doména uvedena ve vyhledávačích a chcete
+poskytnout hezčí chybovou stránku nebo konkrétně oznámit vyhledávačům, že
+stránky domény již neexistují.
+
+Další výhodou tohoto hostitele je sledování protokolů o návštěvách a
+zobrazení odkazů.

frontend/src/locale/src/HelpDoc/cs/ProxyHosts.md

@@ -0,0 +1,7 @@
+## Co je proxy hostitel?
+
+Proxy hostitel je příchozí koncový bod pro webovou službu, kterou chcete přesměrovat.
+
+Poskytuje volitelné ukončení SSL pro vaši službu, která nemusí mít zabudovanou podporu SSL.
+
+Proxy hostitelé jsou nejběžnějším použitím pro Nginx Proxy Manager.

frontend/src/locale/src/HelpDoc/cs/RedirectionHosts.md

@@ -0,0 +1,7 @@
+## Co je přesměrovací hostitel?
+
+Přesměrovací hostitel přesměruje požadavky z příchozí domény a přesměruje
+návštěvníka na jinou doménu.
+
+Nejčastějším důvodem pro použití tohoto typu hostitele je situace, kdy vaše webová stránka změní
+doménu, ale stále máte odkazy ve vyhledávačích nebo referenční odkazy směřující na starou doménu.

frontend/src/locale/src/HelpDoc/cs/Streams.md

@@ -0,0 +1,6 @@
+## Co je stream?
+
+Stream je relativně nová funkce pro Nginx, která slouží na přesměrování TCP/UDP
+datového toku přímo do jiného počítače v síti.
+
+Pokud provozujete herní servery, FTP nebo SSH servery, tato funkce se vám může hodit.

frontend/src/locale/src/HelpDoc/cs/index.ts

@@ -0,0 +1,6 @@
+export * as AccessLists from "./AccessLists.md";
+export * as Certificates from "./Certificates.md";
+export * as DeadHosts from "./DeadHosts.md";
+export * as ProxyHosts from "./ProxyHosts.md";
+export * as RedirectionHosts from "./RedirectionHosts.md";
+export * as Streams from "./Streams.md";

frontend/src/locale/src/HelpDoc/et/AccessLists.md

@@ -0,0 +1,7 @@
+## Mis on juurdepääsuloend?
+
+Ligipääsuloendid pakuvad konkreetsete klientide IP-aadresside musta või valget nimekirja koos puhverserverite autentimisega põhilise HTTP-autentimise kaudu.
+
+Saate ühe juurdepääsuloendi jaoks konfigureerida mitu kliendireeglit, kasutajanime ja parooli ning seejärel rakendada neid ühele või mitmele _puhverserverile_.
+
+See on kõige kasulikum edastatud veebiteenuste puhul, millel pole sisseehitatud autentimismehhanisme või kui soovite kaitsta tundmatute klientide eest.

frontend/src/locale/src/HelpDoc/et/Certificates.md

@@ -0,0 +1,26 @@
+## Sertifikaatide abi
+
+### HTTP-sertifikaat
+
+HTTP-valideeritud sertifikaat tähendab, et Let's Encrypti serverid
+
+proovivad teie domeenidega ühendust luua HTTP (mitte HTTPS!) kaudu ja kui see õnnestub,
+väljastavad nad teile sertifikaadi.
+
+Selle meetodi jaoks peate oma domeeni(de) jaoks looma _Proxy Host_, millele pääseb ligi HTTP kaudu ja mis osutab sellele Nginxi installile. Pärast sertifikaadi väljastamist saate muuta _Proxy Host_'i, et seda sertifikaati ka HTTPS
+ühenduste jaoks kasutada. Sertifikaadi uuendamiseks tuleb aga _Proxy Host_ ikkagi HTTP-juurdepääsu jaoks konfigureerida.
+
+See protsess _ei_ toeta metamärke kasutavaid domeene.
+
+### DNS-sertifikaat
+
+DNS-i poolt valideeritud sertifikaadi saamiseks peate kasutama DNS-pakkuja pistikprogrammi. Seda DNS-teenuse pakkujat kasutatakse teie domeenis ajutiste kirjete loomiseks ja seejärel pärib Let's
+Encrypt nende kirjete kohta päringu, et veenduda, et olete omanik, ja kui see õnnestub, väljastavad nad teile sertifikaadi.
+
+Selle tüüpi sertifikaadi taotlemiseks ei ole vaja luua _Proxy Host_'i. Samuti ei pea teie _Proxy Host_ olema HTTP-juurdepääsu jaoks konfigureeritud.
+
+See protsess _toetab_ metamärke kasutavaid domeene.
+
+### Kohandatud sertifikaat
+
+Kasutage seda valikut oma SSL-sertifikaadi üleslaadimiseks, mille on esitanud teie enda sertifitseerimisasutus.

frontend/src/locale/src/HelpDoc/et/DeadHosts.md

@@ -0,0 +1,9 @@
+## Mis on 404 host?
+
+404 host on lihtsalt hosti seadistus, mis kuvab 404 lehte.
+
+See võib olla kasulik, kui teie domeen on otsingumootorites loetletud ja soovite
+esitada kenama vealehe või konkreetselt otsingu indekseerijatele öelda, et
+domeenilehed enam ei eksisteeri.
+
+Selle hosti teine eelis on selle külastatavuste logide jälgimine ja suunajate vaatamine.

frontend/src/locale/src/HelpDoc/et/ProxyHosts.md

@@ -0,0 +1,7 @@
+## Mis on puhverserver?
+
+Puhverserver on veebiteenuse sissetuleva andmevoo lõpp-punkt, mida soovite edastada.
+
+See pakub valikulist SSL-i lõpetamist teie teenusele, millel ei pruugi olla sisseehitatud SSL-tuge.
+
+Puhverserverid on Nginxi puhverserveri halduri kõige levinum kasutusala.

frontend/src/locale/src/HelpDoc/et/RedirectionHosts.md

@@ -0,0 +1,5 @@
+## Mis on ümbersuunamishost?
+
+Ümbersuunamishost suunab sissetuleva domeeni päringud ümber ja suunab vaataja teisele domeenile.
+
+Kõige levinum põhjus seda tüüpi hosti kasutamiseks on see, kui teie veebisaidi domeenid muutuvad, kuid otsingumootori või suunaja lingid osutavad endiselt vanale domeenile.

frontend/src/locale/src/HelpDoc/et/Streams.md

@@ -0,0 +1,5 @@
+## Mis on voog?
+
+Nginxi suhteliselt uus funktsioon, voog, edastab TCP/UDP liiklust otse võrgus olevale teisele arvutile.
+
+Kui sul on mänguserverid, FTP- või SSH-serverid, võib see kasuks tulla.

frontend/src/locale/src/HelpDoc/et/index.ts

@@ -0,0 +1,6 @@
+export * as AccessLists from "./AccessLists.md";
+export * as Certificates from "./Certificates.md";
+export * as DeadHosts from "./DeadHosts.md";
+export * as ProxyHosts from "./ProxyHosts.md";
+export * as RedirectionHosts from "./RedirectionHosts.md";
+export * as Streams from "./Streams.md";