NginxProxyManager · kylhuk · Feb 5, 2026 · Feb 8, 2026 · Feb 9, 2026 · Feb 17, 2026
diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js
@@ -630,7 +630,7 @@ const internalCertificate = {
 	 * @param {String}  privateKey    This is the entire key contents as a string
 	 */
 	checkPrivateKey: async (privateKey) => {
-		const filepath = await tempWrite(privateKey, "/tmp");
+		const filepath = await tempWrite(privateKey);
 		const failTimeout = setTimeout(() => {
 			throw new error.ValidationError(
 				"Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.",
@@ -660,7 +660,7 @@ const internalCertificate = {
 	 * @param {Boolean} [throwExpired]  Throw when the certificate is out of date
 	 */
 	getCertificateInfo: async (certificate, throwExpired) => {
-		const filepath = await tempWrite(certificate, "/tmp");
+		const filepath = await tempWrite(certificate);
 		try {
 			const certData = await internalCertificate.getCertificateInfoFromFile(filepath, throwExpired);
 			fs.unlinkSync(filepath);

diff --git a/backend/internal/host.js b/backend/internal/host.js
@@ -20,6 +20,7 @@ const internalHost = {
 		if (!combinedData.certificate_id) {
 			combinedData.ssl_forced = false;
 			combinedData.http2_support = false;
+			combinedData.http3_support = false;
 		}
 
 		if (!combinedData.ssl_forced) {

diff --git a/backend/internal/nginx.js b/backend/internal/nginx.js
@@ -2,13 +2,16 @@ import fs from "node:fs";
 import { dirname } from "node:path";
 import { fileURLToPath } from "node:url";
 import _ from "lodash";
+import db from "../db.js";
 import errs from "../lib/error.js";
 import utils from "../lib/utils.js";
 import { debug, nginx as logger } from "../logger.js";
 
 const __filename = fileURLToPath(import.meta.url);
 const __dirname = dirname(__filename);
 
+const HTTP_HOST_TABLES = ["proxy_host", "redirection_host", "dead_host"];
+
 const internalNginx = {
 	/**
 	 * This will:
@@ -158,6 +161,7 @@ const internalNginx = {
 						{ block_exploits: host.block_exploits },
 						{ allow_websocket_upgrade: host.allow_websocket_upgrade },
 						{ http2_support: host.http2_support },
+						{ http3_support: host.http3_support },
 						{ hsts_enabled: host.hsts_enabled },
 						{ hsts_subdomains: host.hsts_subdomains },
 						{ access_list: host.access_list },
@@ -241,7 +245,16 @@ const internalNginx = {
 			// Set the IPv6 setting for the host
 			host.ipv6 = internalNginx.ipv6Enabled();
 
-			locationsPromise.then(() => {
+			locationsPromise
+				.then(async () => {
+					const friendlyHostType = internalNginx.getFileFriendlyHostType(host_type);
+					if (HTTP_HOST_TABLES.includes(friendlyHostType) && (host.http3_support === 1 || host.http3_support === true)) {
+						host.http3_first = await internalNginx.isFirstHttp3Host(friendlyHostType, host.id);
+					} else {
+						host.http3_first = false;
+					}
+				})
+				.then(() => {
 				renderEngine
 					.parseAndRender(template, host)
 					.then((config_text) => {
@@ -257,10 +270,38 @@ const internalNginx = {
 						debug(logger, `Could not write ${filename}:`, err.message);
 						reject(new errs.ConfigurationError(err.message));
 					});
-			});
+				})
+				.catch((err) => {
+					reject(new errs.ConfigurationError(err.message));
+				});
 		});
 	},
 
+	/**
+	 * @param   {String} hostType
+	 * @param   {Number} hostId
+	 * @returns {Promise<boolean>}
+	 */
+	isFirstHttp3Host: async (hostType, hostId) => {
+		const knex = db();
+		const rows = await Promise.all(
+			HTTP_HOST_TABLES.map((table) =>
+				knex(table)
+					.select("id")
+					.where("is_deleted", 0)
+					.andWhere("enabled", 1)
+					.andWhere("http3_support", 1)
+					.andWhere("certificate_id", ">", 0),
+			),
+		);
+
+		const all = rows
+			.flatMap((tableRows, index) => tableRows.map((row) => ({ host_type: HTTP_HOST_TABLES[index], id: row.id })))
+			.sort((a, b) => (a.id === b.id ? a.host_type.localeCompare(b.host_type) : a.id - b.id));
+
+		return all.length > 0 && all[0].host_type === hostType && all[0].id === hostId;
+	},
+
 	/**
 	 * This generates a temporary nginx config listening on port 80 for the domain names listed
 	 * in the certificate setup. It allows the letsencrypt acme challenge to be requested by letsencrypt

diff --git a/backend/migrations/20251112090000_http3_support.js b/backend/migrations/20251112090000_http3_support.js
@@ -0,0 +1,50 @@
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "http3_support";
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object}  knex
+ * @returns {Promise}
+ */
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);
+
+	return knex.schema
+		.table("proxy_host", (proxy_host) => {
+			proxy_host.integer("http3_support").notNull().unsigned().defaultTo(0);
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] proxy_host Table altered`);
+
+			return knex.schema.table("redirection_host", (redirection_host) => {
+				redirection_host.integer("http3_support").notNull().unsigned().defaultTo(0);
+			});
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] redirection_host Table altered`);
+
+			return knex.schema.table("dead_host", (dead_host) => {
+				dead_host.integer("http3_support").notNull().unsigned().defaultTo(0);
+			});
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] dead_host Table altered`);
+		});
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param   {Object}  knex
+ * @returns {Promise}
+ */
+const down = (_knex) => {
+	logger.warn(`[${migrateName}] You can't migrate down this one.`);
+	return Promise.resolve(true);
+};
+
+export { up, down };
diff --git a/backend/models/dead_host.js b/backend/models/dead_host.js
@@ -10,7 +10,7 @@ import User from "./user.js";
 
 Model.knex(db());
 
-const boolFields = ["is_deleted", "ssl_forced", "http2_support", "enabled", "hsts_enabled", "hsts_subdomains"];
+const boolFields = ["is_deleted", "ssl_forced", "http2_support", "http3_support", "enabled", "hsts_enabled", "hsts_subdomains"];
 
 class DeadHost extends Model {
 	$beforeInsert() {

diff --git a/backend/models/proxy_host.js b/backend/models/proxy_host.js
@@ -18,6 +18,7 @@ const boolFields = [
 	"block_exploits",
 	"allow_websocket_upgrade",
 	"http2_support",
+	"http3_support",
 	"enabled",
 	"hsts_enabled",
 	"hsts_subdomains",

diff --git a/backend/models/redirection_host.js b/backend/models/redirection_host.js
@@ -19,6 +19,7 @@ const boolFields = [
 	"hsts_enabled",
 	"hsts_subdomains",
 	"http2_support",
+	"http3_support",
 ];
 
 class RedirectionHost extends Model {

diff --git a/backend/schema/common.json b/backend/schema/common.json
@@ -118,6 +118,11 @@
 			"type": "boolean",
 			"example": true
 		},
+		"http3_support": {
+			"description": "HTTP3 Protocol Support",
+			"type": "boolean",
+			"example": true
+		},
 		"block_exploits": {
 			"description": "Should we block common exploits",
 			"type": "boolean",

diff --git a/backend/schema/components/dead-host-object.json b/backend/schema/components/dead-host-object.json
@@ -1,7 +1,22 @@
 {
 	"type": "object",
 	"description": "404 Host object",
-	"required": ["id", "created_on", "modified_on", "owner_user_id", "domain_names", "certificate_id", "ssl_forced", "hsts_enabled", "hsts_subdomains", "http2_support", "advanced_config", "enabled", "meta"],
+	"required": [
+		"id",
+		"created_on",
+		"modified_on",
+		"owner_user_id",
+		"domain_names",
+		"certificate_id",
+		"ssl_forced",
+		"hsts_enabled",
+		"hsts_subdomains",
+		"http2_support",
+		"http3_support",
+		"advanced_config",
+		"enabled",
+		"meta"
+	],
 	"additionalProperties": false,
 	"properties": {
 		"id": {
@@ -34,6 +49,9 @@
 		"http2_support": {
 			"$ref": "../common.json#/properties/http2_support"
 		},
+		"http3_support": {
+			"$ref": "../common.json#/properties/http3_support"
+		},
 		"advanced_config": {
 			"type": "string",
 			"example": ""

diff --git a/backend/schema/components/proxy-host-object.json b/backend/schema/components/proxy-host-object.json
@@ -18,6 +18,7 @@
 		"meta",
 		"allow_websocket_upgrade",
 		"http2_support",
+		"http3_support",
 		"forward_scheme",
 		"enabled",
 		"locations",
@@ -87,6 +88,9 @@
 		"http2_support": {
 			"$ref": "../common.json#/properties/http2_support"
 		},
+		"http3_support": {
+			"$ref": "../common.json#/properties/http3_support"
+		},
 		"forward_scheme": {
 			"type": "string",
 			"enum": ["http", "https"],

diff --git a/backend/schema/components/redirection-host-object.json b/backend/schema/components/redirection-host-object.json
@@ -16,6 +16,7 @@
 		"hsts_enabled",
 		"hsts_subdomains",
 		"http2_support",
+		"http3_support",
 		"block_exploits",
 		"advanced_config",
 		"enabled",
@@ -80,6 +81,9 @@
 		"http2_support": {
 			"$ref": "../common.json#/properties/http2_support"
 		},
+		"http3_support": {
+			"$ref": "../common.json#/properties/http3_support"
+		},
 		"block_exploits": {
 			"$ref": "../common.json#/properties/block_exploits"
 		},

diff --git a/backend/schema/paths/nginx/dead-hosts/get.json b/backend/schema/paths/nginx/dead-hosts/get.json
@@ -40,6 +40,7 @@
 										"nginx_err": null
 									},
 									"http2_support": false,
+									"http3_support": false,
 									"enabled": true,
 									"hsts_enabled": false,
 									"hsts_subdomains": false

diff --git a/backend/schema/paths/nginx/dead-hosts/hostID/get.json b/backend/schema/paths/nginx/dead-hosts/hostID/get.json
@@ -41,6 +41,7 @@
 									"nginx_err": null
 								},
 								"http2_support": false,
+								"http3_support": false,
 								"enabled": true,
 								"hsts_enabled": false,
 								"hsts_subdomains": false

diff --git a/backend/schema/paths/nginx/dead-hosts/hostID/put.json b/backend/schema/paths/nginx/dead-hosts/hostID/put.json
@@ -48,6 +48,9 @@
 						"http2_support": {
 							"$ref": "../../../../components/dead-host-object.json#/properties/http2_support"
 						},
+						"http3_support": {
+							"$ref": "../../../../components/dead-host-object.json#/properties/http3_support"
+						},
 						"advanced_config": {
 							"$ref": "../../../../components/dead-host-object.json#/properties/advanced_config"
 						},
@@ -80,6 +83,7 @@
 									"nginx_err": null
 								},
 								"http2_support": false,
+								"http3_support": false,
 								"enabled": true,
 								"hsts_enabled": false,
 								"hsts_subdomains": false,

diff --git a/backend/schema/paths/nginx/dead-hosts/post.json b/backend/schema/paths/nginx/dead-hosts/post.json
@@ -39,6 +39,9 @@
 						"http2_support": {
 							"$ref": "../../../components/dead-host-object.json#/properties/http2_support"
 						},
+						"http3_support": {
+							"$ref": "../../../components/dead-host-object.json#/properties/http3_support"
+						},
 						"advanced_config": {
 							"$ref": "../../../components/dead-host-object.json#/properties/advanced_config"
 						},
@@ -55,6 +58,7 @@
 					"ssl_forced": false,
 					"advanced_config": "",
 					"http2_support": false,
+					"http3_support": false,
 					"hsts_enabled": false,
 					"hsts_subdomains": false,
 					"meta": {}
@@ -82,6 +86,7 @@
 								"advanced_config": "",
 								"meta": {},
 								"http2_support": false,
+								"http3_support": false,
 								"enabled": true,
 								"hsts_enabled": false,
 								"hsts_subdomains": false,

diff --git a/backend/schema/paths/nginx/proxy-hosts/get.json b/backend/schema/paths/nginx/proxy-hosts/get.json
@@ -54,6 +54,7 @@
 									},
 									"allow_websocket_upgrade": false,
 									"http2_support": false,
+									"http3_support": false,
 									"forward_scheme": "http",
 									"enabled": true,
 									"locations": [],

diff --git a/backend/schema/paths/nginx/proxy-hosts/hostID/get.json b/backend/schema/paths/nginx/proxy-hosts/hostID/get.json
@@ -51,6 +51,7 @@
 								},
 								"allow_websocket_upgrade": false,
 								"http2_support": false,
+								"http3_support": false,
 								"forward_scheme": "http",
 								"enabled": true,
 								"locations": [],

diff --git a/backend/schema/paths/nginx/proxy-hosts/hostID/put.json b/backend/schema/paths/nginx/proxy-hosts/hostID/put.json
@@ -62,6 +62,9 @@
 						"http2_support": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/http2_support"
 						},
+						"http3_support": {
+							"$ref": "../../../../components/proxy-host-object.json#/properties/http3_support"
+						},
 						"block_exploits": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/block_exploits"
 						},
@@ -120,6 +123,7 @@
 								},
 								"allow_websocket_upgrade": false,
 								"http2_support": false,
+								"http3_support": false,
 								"forward_scheme": "http",
 								"enabled": true,
 								"locations": [],

diff --git a/backend/schema/paths/nginx/proxy-hosts/post.json b/backend/schema/paths/nginx/proxy-hosts/post.json
@@ -54,6 +54,9 @@
 						"http2_support": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/http2_support"
 						},
+						"http3_support": {
+							"$ref": "../../../components/proxy-host-object.json#/properties/http3_support"
+						},
 						"block_exploits": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/block_exploits"
 						},
@@ -117,6 +120,7 @@
 								"meta": {},
 								"allow_websocket_upgrade": false,
 								"http2_support": false,
+								"http3_support": false,
 								"forward_scheme": "http",
 								"enabled": true,
 								"locations": [],

diff --git a/backend/schema/paths/nginx/redirection-hosts/get.json b/backend/schema/paths/nginx/redirection-hosts/get.json
@@ -43,6 +43,7 @@
 										"nginx_err": null
 									},
 									"http2_support": false,
+									"http3_support": false,
 									"enabled": true,
 									"hsts_enabled": false,
 									"hsts_subdomains": false,

diff --git a/backend/schema/paths/nginx/redirection-hosts/hostID/get.json b/backend/schema/paths/nginx/redirection-hosts/hostID/get.json
@@ -44,6 +44,7 @@
 									"nginx_err": null
 								},
 								"http2_support": false,
+								"http3_support": false,
 								"enabled": true,
 								"hsts_enabled": false,
 								"hsts_subdomains": false,