feat: fix upstream host resolution edge case and support PEM paste in custom certificates #5348

Open
Eric-Terminal wants to merge 3 commits into NginxProxyManager:develop from Eric-Terminal:develop

@Eric-Terminal

This PR addresses two issues:

1) Optional upstream pre-resolution for forward_host (issue #5344)

Problem:
Nginx variable-based upstream resolution may fail for hostnames that are only resolvable through container/system resolver paths (for example extra_hosts mappings like host.docker.internal).

What changed:

  • Added optional env flag: NPM_PRE_RESOLVE_UPSTREAM_HOSTS (default: disabled)
  • During Nginx config generation, NPM can pre-resolve eligible upstream hostnames via system resolver (dns.lookup)
  • Applied to both proxy host forward_host and custom location forward_host
  • If resolution fails, it safely falls back to the original hostname

Behavior:

  • No behavior change unless the new flag is explicitly enabled

2) Allow direct PEM paste in Custom Certificate modal (issue #5347)

Problem:
Custom certificate flow previously required local file selection, which is inconvenient in remote/mobile/thin-client workflows.

What changed:

  • Added textarea inputs for:
    • Certificate PEM
    • Certificate Key PEM
    • Intermediate Certificate PEM (optional)
  • Kept existing file upload inputs unchanged
  • Submit logic now accepts either:
    • uploaded files, or
    • pasted PEM text (converted to File objects client-side)
  • Existing backend validate and upload multipart APIs are reused without contract changes

Behavior:

  • Backward compatible with existing file upload workflow

Docs

  • Added advanced config documentation for NPM_PRE_RESOLVE_UPSTREAM_HOSTS

…mpatibility

Files changed: backend/internal/nginx.js.

Purpose: provide an optional, NPM-side compatibility path for variable-based proxy_pass upstream resolution without changing existing Nginx templates or default behavior.

Implementation: add environment flag NPM_PRE_RESOLVE_UPSTREAM_HOSTS (disabled by default); pre-resolve eligible upstream hostnames via dns.lookup() while generating proxy host and custom location configs; fall back to original hostname when resolution fails.

Result: when enabled, setups using docker-compose extra_hosts (for example host.docker.internal) can avoid resolver host-not-found failures; when disabled, behavior remains backward compatible.

Add an Advanced Configuration section describing when to enable NPM_PRE_RESOLVE_UPSTREAM_HOSTS, example compose env usage, fallback behavior on resolution failure, and operational notes about generation-time resolution.

Add optional textarea inputs for certificate, certificate key, and intermediate certificate in CustomCertificateModal.

At submit time, pasted PEM values are converted to File objects and uploaded via existing multipart API, so backend routes remain unchanged.

Keep file upload path intact and require certificate + certificate key from either file input or pasted text before validation/upload.
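
A pre-submit check for the pasted-PEM path described in the PR description and in the commit message above, as an added example that is not code from this PR or from Nginx Proxy Manager. It verifies block labels and base64 structure only (no ASN.1 parsing); every function name and both sample PEM strings are constructed for illustration, and rejecting passphrase-protected keys is an assumption.

```javascript
// Added example, not NPM code: structural pre-submit check for pasted PEM text.
// All names are hypothetical; it checks labels and base64 only, not ASN.1.
const PEM_BLOCK = /-----BEGIN ([A-Z0-9 ]+)-----([\s\S]*?)-----END \1-----/g;
const KEY_LABELS = new Set(["PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"]);

// Label of every PEM block in the text; "MALFORMED" if its body is not base64.
function pemLabels(text) {
  const normalized = String(text || "").replace(/\r\n?/g, "\n"); // pasted CRLF
  return [...normalized.matchAll(PEM_BLOCK)].map((m) => {
    const body = m[2].replace(/\s+/g, "");
    const ok = body.length > 0 && body.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(body);
    return ok ? m[1] : "MALFORMED";
  });
}

// Errors for one field; kind is "certificate" or "key".
function checkField(name, text, kind, required) {
  const labels = pemLabels(text);
  if (labels.length === 0) {
    return required || String(text || "").trim() ? [`${name}: no PEM block found`] : [];
  }
  if (labels.includes("MALFORMED")) return [`${name}: PEM body is not valid base64`];
  const hasKey = labels.some((l) => KEY_LABELS.has(l));
  if (kind === "certificate") {
    if (hasKey) return [`${name}: contains a private key, expected certificates only`];
    return labels.every((l) => l === "CERTIFICATE") ? [] : [`${name}: unexpected block type`];
  }
  // Assumption: passphrase-protected keys ("ENCRYPTED PRIVATE KEY") are rejected here.
  return labels.length === 1 && hasKey ? [] : [`${name}: expected exactly one unencrypted private key`];
}

function checkPastedPem({ certificate, certificateKey, intermediate }) {
  return [
    ...checkField("certificate", certificate, "certificate", true),
    ...checkField("certificate key", certificateKey, "key", true),
    ...checkField("intermediate certificate", intermediate, "certificate", false),
  ];
}

// Constructed sample input: the bodies are placeholder base64, not real key material.
const SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\r\nQUJDREVGR0g=\r\n-----END CERTIFICATE-----\r\n";
const SAMPLE_KEY = "-----BEGIN PRIVATE KEY-----\nQUJDREVGR0g=\n-----END PRIVATE KEY-----\n";

console.log(checkPastedPem({ certificate: SAMPLE_CERT, certificateKey: SAMPLE_KEY }));
// Key pasted into the certificate field and vice versa: both fields are flagged.
console.log(checkPastedPem({ certificate: SAMPLE_KEY, certificateKey: SAMPLE_CERT }));
```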

@nginxproxymanagerci

Docker Image for build 1 is available on DockerHub:

nginxproxymanager/nginx-proxy-manager-dev:pr-5348

Note

Ensure you back up your NPM instance before testing this image! Especially if there are database changes.
This is a different docker image namespace than the official image.

Warning

Changes and additions to DNS Providers require verification by at least 2 members of the community!

@jc21 added the requires-verification label (Waiting for one or more people to confirm the fix) on Feb 24, 2026