NginxProxyManager · kylhuk · Feb 5, 2026 · Feb 8, 2026 · Feb 9, 2026 · Feb 17, 2026
diff --git a/backend/internal/certificate.js b/backend/internal/certificate.js
@@ -630,7 +630,7 @@ const internalCertificate = {
 	 * @param {String}  privateKey    This is the entire key contents as a string
 	 */
 	checkPrivateKey: async (privateKey) => {
-		const filepath = await tempWrite(privateKey, "/tmp");
+		const filepath = await tempWrite(privateKey);
 		const failTimeout = setTimeout(() => {
 			throw new error.ValidationError(
 				"Result Validation Error: Validation timed out. This could be due to the key being passphrase-protected.",
@@ -660,7 +660,7 @@ const internalCertificate = {
 	 * @param {Boolean} [throwExpired]  Throw when the certificate is out of date
 	 */
 	getCertificateInfo: async (certificate, throwExpired) => {
-		const filepath = await tempWrite(certificate, "/tmp");
+		const filepath = await tempWrite(certificate);
 		try {
 			const certData = await internalCertificate.getCertificateInfoFromFile(filepath, throwExpired);
 			fs.unlinkSync(filepath);

diff --git a/backend/internal/host.js b/backend/internal/host.js
@@ -20,6 +20,7 @@ const internalHost = {
 		if (!combinedData.certificate_id) {
 			combinedData.ssl_forced = false;
 			combinedData.http2_support = false;
+			combinedData.http3_support = false;
 		}
 
 		if (!combinedData.ssl_forced) {

diff --git a/backend/internal/nginx.js b/backend/internal/nginx.js
@@ -158,6 +158,7 @@ const internalNginx = {
 						{ block_exploits: host.block_exploits },
 						{ allow_websocket_upgrade: host.allow_websocket_upgrade },
 						{ http2_support: host.http2_support },
+						{ http3_support: host.http3_support },
 						{ hsts_enabled: host.hsts_enabled },
 						{ hsts_subdomains: host.hsts_subdomains },
 						{ access_list: host.access_list },

diff --git a/backend/migrations/20251112090000_http3_support.js b/backend/migrations/20251112090000_http3_support.js
@@ -0,0 +1,50 @@
+import { migrate as logger } from "../logger.js";
+
+const migrateName = "http3_support";
+
+/**
+ * Migrate
+ *
+ * @see http://knexjs.org/#Schema
+ *
+ * @param   {Object}  knex
+ * @returns {Promise}
+ */
+const up = (knex) => {
+	logger.info(`[${migrateName}] Migrating Up...`);
+
+	return knex.schema
+		.table("proxy_host", (proxy_host) => {
+			proxy_host.integer("http3_support").notNull().unsigned().defaultTo(0);
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] proxy_host Table altered`);
+
+			return knex.schema.table("redirection_host", (redirection_host) => {
+				redirection_host.integer("http3_support").notNull().unsigned().defaultTo(0);
+			});
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] redirection_host Table altered`);
+
+			return knex.schema.table("dead_host", (dead_host) => {
+				dead_host.integer("http3_support").notNull().unsigned().defaultTo(0);
+			});
+		})
+		.then(() => {
+			logger.info(`[${migrateName}] dead_host Table altered`);
+		});
+};
+
+/**
+ * Undo Migrate
+ *
+ * @param   {Object}  knex
+ * @returns {Promise}
+ */
+const down = (_knex) => {
+	logger.warn(`[${migrateName}] You can't migrate down this one.`);
+	return Promise.resolve(true);
+};
+
+export { up, down };
diff --git a/backend/models/dead_host.js b/backend/models/dead_host.js
@@ -10,7 +10,7 @@ import User from "./user.js";
 
 Model.knex(db());
 
-const boolFields = ["is_deleted", "ssl_forced", "http2_support", "enabled", "hsts_enabled", "hsts_subdomains"];
+const boolFields = ["is_deleted", "ssl_forced", "http2_support", "http3_support", "enabled", "hsts_enabled", "hsts_subdomains"];
 
 class DeadHost extends Model {
 	$beforeInsert() {

diff --git a/backend/models/proxy_host.js b/backend/models/proxy_host.js
@@ -18,6 +18,7 @@ const boolFields = [
 	"block_exploits",
 	"allow_websocket_upgrade",
 	"http2_support",
+	"http3_support",
 	"enabled",
 	"hsts_enabled",
 	"hsts_subdomains",

diff --git a/backend/models/redirection_host.js b/backend/models/redirection_host.js
@@ -19,6 +19,7 @@ const boolFields = [
 	"hsts_enabled",
 	"hsts_subdomains",
 	"http2_support",
+	"http3_support",
 ];
 
 class RedirectionHost extends Model {

diff --git a/backend/schema/common.json b/backend/schema/common.json
@@ -118,6 +118,11 @@
 			"type": "boolean",
 			"example": true
 		},
+		"http3_support": {
+			"description": "HTTP3 Protocol Support",
+			"type": "boolean",
+			"example": true
+		},
 		"block_exploits": {
 			"description": "Should we block common exploits",
 			"type": "boolean",

diff --git a/backend/schema/components/dead-host-object.json b/backend/schema/components/dead-host-object.json
@@ -1,7 +1,22 @@
 {
 	"type": "object",
 	"description": "404 Host object",
-	"required": ["id", "created_on", "modified_on", "owner_user_id", "domain_names", "certificate_id", "ssl_forced", "hsts_enabled", "hsts_subdomains", "http2_support", "advanced_config", "enabled", "meta"],
+	"required": [
+		"id",
+		"created_on",
+		"modified_on",
+		"owner_user_id",
+		"domain_names",
+		"certificate_id",
+		"ssl_forced",
+		"hsts_enabled",
+		"hsts_subdomains",
+		"http2_support",
+		"http3_support",
+		"advanced_config",
+		"enabled",
+		"meta"
+	],
 	"additionalProperties": false,
 	"properties": {
 		"id": {
@@ -34,6 +49,9 @@
 		"http2_support": {
 			"$ref": "../common.json#/properties/http2_support"
 		},
+		"http3_support": {
+			"$ref": "../common.json#/properties/http3_support"
+		},
 		"advanced_config": {
 			"type": "string",
 			"example": ""

diff --git a/backend/schema/components/proxy-host-object.json b/backend/schema/components/proxy-host-object.json
@@ -18,6 +18,7 @@
 		"meta",
 		"allow_websocket_upgrade",
 		"http2_support",
+		"http3_support",
 		"forward_scheme",
 		"enabled",
 		"locations",
@@ -87,6 +88,9 @@
 		"http2_support": {
 			"$ref": "../common.json#/properties/http2_support"
 		},
+		"http3_support": {
+			"$ref": "../common.json#/properties/http3_support"
+		},
 		"forward_scheme": {
 			"type": "string",
 			"enum": ["http", "https"],

diff --git a/backend/schema/components/redirection-host-object.json b/backend/schema/components/redirection-host-object.json
@@ -16,6 +16,7 @@
 		"hsts_enabled",
 		"hsts_subdomains",
 		"http2_support",
+		"http3_support",
 		"block_exploits",
 		"advanced_config",
 		"enabled",
@@ -80,6 +81,9 @@
 		"http2_support": {
 			"$ref": "../common.json#/properties/http2_support"
 		},
+		"http3_support": {
+			"$ref": "../common.json#/properties/http3_support"
+		},
 		"block_exploits": {
 			"$ref": "../common.json#/properties/block_exploits"
 		},

diff --git a/backend/schema/paths/nginx/dead-hosts/get.json b/backend/schema/paths/nginx/dead-hosts/get.json
@@ -40,6 +40,7 @@
 										"nginx_err": null
 									},
 									"http2_support": false,
+									"http3_support": false,
 									"enabled": true,
 									"hsts_enabled": false,
 									"hsts_subdomains": false

diff --git a/backend/schema/paths/nginx/dead-hosts/hostID/get.json b/backend/schema/paths/nginx/dead-hosts/hostID/get.json
@@ -41,6 +41,7 @@
 									"nginx_err": null
 								},
 								"http2_support": false,
+								"http3_support": false,
 								"enabled": true,
 								"hsts_enabled": false,
 								"hsts_subdomains": false

diff --git a/backend/schema/paths/nginx/dead-hosts/hostID/put.json b/backend/schema/paths/nginx/dead-hosts/hostID/put.json
@@ -48,6 +48,9 @@
 						"http2_support": {
 							"$ref": "../../../../components/dead-host-object.json#/properties/http2_support"
 						},
+						"http3_support": {
+							"$ref": "../../../../components/dead-host-object.json#/properties/http3_support"
+						},
 						"advanced_config": {
 							"$ref": "../../../../components/dead-host-object.json#/properties/advanced_config"
 						},
@@ -80,6 +83,7 @@
 									"nginx_err": null
 								},
 								"http2_support": false,
+								"http3_support": false,
 								"enabled": true,
 								"hsts_enabled": false,
 								"hsts_subdomains": false,

diff --git a/backend/schema/paths/nginx/dead-hosts/post.json b/backend/schema/paths/nginx/dead-hosts/post.json
@@ -39,6 +39,9 @@
 						"http2_support": {
 							"$ref": "../../../components/dead-host-object.json#/properties/http2_support"
 						},
+						"http3_support": {
+							"$ref": "../../../components/dead-host-object.json#/properties/http3_support"
+						},
 						"advanced_config": {
 							"$ref": "../../../components/dead-host-object.json#/properties/advanced_config"
 						},
@@ -55,6 +58,7 @@
 					"ssl_forced": false,
 					"advanced_config": "",
 					"http2_support": false,
+					"http3_support": false,
 					"hsts_enabled": false,
 					"hsts_subdomains": false,
 					"meta": {}
@@ -82,6 +86,7 @@
 								"advanced_config": "",
 								"meta": {},
 								"http2_support": false,
+								"http3_support": false,
 								"enabled": true,
 								"hsts_enabled": false,
 								"hsts_subdomains": false,

diff --git a/backend/schema/paths/nginx/proxy-hosts/get.json b/backend/schema/paths/nginx/proxy-hosts/get.json
@@ -54,6 +54,7 @@
 									},
 									"allow_websocket_upgrade": false,
 									"http2_support": false,
+									"http3_support": false,
 									"forward_scheme": "http",
 									"enabled": true,
 									"locations": [],

diff --git a/backend/schema/paths/nginx/proxy-hosts/hostID/get.json b/backend/schema/paths/nginx/proxy-hosts/hostID/get.json
@@ -51,6 +51,7 @@
 								},
 								"allow_websocket_upgrade": false,
 								"http2_support": false,
+								"http3_support": false,
 								"forward_scheme": "http",
 								"enabled": true,
 								"locations": [],

diff --git a/backend/schema/paths/nginx/proxy-hosts/hostID/put.json b/backend/schema/paths/nginx/proxy-hosts/hostID/put.json
@@ -62,6 +62,9 @@
 						"http2_support": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/http2_support"
 						},
+						"http3_support": {
+							"$ref": "../../../../components/proxy-host-object.json#/properties/http3_support"
+						},
 						"block_exploits": {
 							"$ref": "../../../../components/proxy-host-object.json#/properties/block_exploits"
 						},
@@ -120,6 +123,7 @@
 								},
 								"allow_websocket_upgrade": false,
 								"http2_support": false,
+								"http3_support": false,
 								"forward_scheme": "http",
 								"enabled": true,
 								"locations": [],

diff --git a/backend/schema/paths/nginx/proxy-hosts/post.json b/backend/schema/paths/nginx/proxy-hosts/post.json
@@ -54,6 +54,9 @@
 						"http2_support": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/http2_support"
 						},
+						"http3_support": {
+							"$ref": "../../../components/proxy-host-object.json#/properties/http3_support"
+						},
 						"block_exploits": {
 							"$ref": "../../../components/proxy-host-object.json#/properties/block_exploits"
 						},
@@ -117,6 +120,7 @@
 								"meta": {},
 								"allow_websocket_upgrade": false,
 								"http2_support": false,
+								"http3_support": false,
 								"forward_scheme": "http",
 								"enabled": true,
 								"locations": [],

diff --git a/backend/schema/paths/nginx/redirection-hosts/get.json b/backend/schema/paths/nginx/redirection-hosts/get.json
@@ -43,6 +43,7 @@
 										"nginx_err": null
 									},
 									"http2_support": false,
+									"http3_support": false,
 									"enabled": true,
 									"hsts_enabled": false,
 									"hsts_subdomains": false,

diff --git a/backend/schema/paths/nginx/redirection-hosts/hostID/get.json b/backend/schema/paths/nginx/redirection-hosts/hostID/get.json
@@ -44,6 +44,7 @@
 									"nginx_err": null
 								},
 								"http2_support": false,
+								"http3_support": false,
 								"enabled": true,
 								"hsts_enabled": false,
 								"hsts_subdomains": false,

diff --git a/backend/schema/paths/nginx/redirection-hosts/hostID/put.json b/backend/schema/paths/nginx/redirection-hosts/hostID/put.json
@@ -60,6 +60,9 @@
 						"http2_support": {
 							"$ref": "../../../../components/redirection-host-object.json#/properties/http2_support"
 						},
+						"http3_support": {
+							"$ref": "../../../../components/redirection-host-object.json#/properties/http3_support"
+						},
 						"block_exploits": {
 							"$ref": "../../../../components/redirection-host-object.json#/properties/block_exploits"
 						},
@@ -98,6 +101,7 @@
 									"nginx_err": null
 								},
 								"http2_support": false,
+								"http3_support": false,
 								"enabled": true,
 								"hsts_enabled": false,
 								"hsts_subdomains": false,

diff --git a/backend/schema/paths/nginx/redirection-hosts/post.json b/backend/schema/paths/nginx/redirection-hosts/post.json
@@ -54,6 +54,9 @@
 						"http2_support": {
 							"$ref": "../../../components/redirection-host-object.json#/properties/http2_support"
 						},
+						"http3_support": {
+							"$ref": "../../../components/redirection-host-object.json#/properties/http3_support"
+						},
 						"block_exploits": {
 							"$ref": "../../../components/redirection-host-object.json#/properties/block_exploits"
 						},
@@ -77,6 +80,7 @@
 					"certificate_id": 0,
 					"ssl_forced": false,
 					"http2_support": false,
+					"http3_support": false,
 					"hsts_enabled": false,
 					"hsts_subdomains": false,
 					"advanced_config": "",
@@ -108,6 +112,7 @@
 								"advanced_config": "",
 								"meta": {},
 								"http2_support": false,
+								"http3_support": false,
 								"enabled": true,
 								"hsts_enabled": false,
 								"hsts_subdomains": false,

diff --git a/backend/templates/_listen.conf b/backend/templates/_listen.conf
@@ -11,10 +11,23 @@
 {% else -%}
   #listen [::]:443;
 {% endif %}
+{% if http3_support == 1 or http3_support == true %}
+  listen 443 quic;
+{% if ipv6 -%}
+  listen [::]:443 quic;
+{% else -%}
+  #listen [::]:443 quic;
+{% endif %}
+{% endif %}
 {% endif %}
   server_name {{ domain_names | join: " " }};
 {% if http2_support == 1 or http2_support == true %}
   http2 on;
 {% else -%}
   http2 off;
-{% endif %}
+{% endif %}
+{% if http3_support == 1 or http3_support == true %}
+  http3 on;
+{% else -%}
+  http3 off;
+{% endif %}