NPMplus

Reverse Proxies & Load Balancers

a fork of nginx-proxy-manager

TypeScript · Latest release: 2026-04-21-r2 · 1mo ago

Features

  • Supports HTTP/3 (QUIC) with UDP
  • Adds CrowdSec and open-appsec security integrations
  • Includes GoAccess analytics, TLS certificate compression, and optional ECH

Recent releases

2026-04-21-r2 Breaking risk
⚠ Upgrade required
  • CERTBOT_RUN_INTERVAL now limited to 500 hours maximum
  • If experiencing issues with Apple clients, try disabling http2 in upstreams
Breaking changes
  • AUTH_REQUEST_TINYAUTH_DOMAIN env var removed
  • tinyauth v5.0.7+ now required (minimum version bump)
  • Cookie names changed due to stricter cookie handling
Security fixes
  • CSP fix for notifications
Notable features
  • Support for voidauth
  • Backend can now send all Upgrade headers
  • Origin-Agent-Cluster: ?1 header always sent
Full changelog

What's Changed since last release

  • fix CSP (fix notifications)
  • dep updates

What Changed in the last releases

  • support voidauth
  • remove AUTH_REQUEST_TINYAUTH_DOMAIN env, tinyauth v5.0.7+ is now required
  • allow the backend to send all Upgrade headers again; if you have issues with Apple clients, try disabling http2 in your upstreams instead
  • cookies are more strict now, the cookie name has changed because of this
  • always send "Origin-Agent-Cluster: ?1" header
  • hsts buttons are now better labeled
  • CERTBOT_RUN_INTERVAL is now limited to 500 hours
  • inbuilt php has been fixed
  • the error log written to disk now uses error level info
  • rename the advanced tab from a cogwheel symbol to advanced
  • show a star if a custom config is set for locations
  • dep and doc updates

Image tags:

  • docker.io/zoeyvid/npmplus:2026-04-21-r2 (fixed to this release)
  • ghcr.io/zoeyvid/npmplus:2026-04-21-r2 (fixed to this release)
  • docker.io/zoeyvid/npmplus:latest (latest stable)
  • ghcr.io/zoeyvid/npmplus:latest (latest stable)
  • docker.io/zoeyvid/npmplus:beta (latest beta/stable)
  • ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-04-21-r1...2026-04-21-r2

2026-04-21-r1 Breaking risk
⚠ Upgrade required
  • If experiencing issues with Apple clients after upgrade, disable http2 in upstream configuration
Breaking changes
  • Removed AUTH_REQUEST_TINYAUTH_DOMAIN environment variable; tinyauth v5.0.7+ is now required
  • Cookie name has changed due to stricter cookie handling
Security fixes
  • Always send Origin-Agent-Cluster: ?1 header for security hardening
  • Cookies are now stricter, improving security posture
Notable features
  • Added support for voidauth
  • Fixed cookie deletion and logout button
  • Backend now sends all Upgrade headers
Full changelog

What's Changed since last release

  • fix cookie deletion and with this the logout button
  • dep updates

What Changed in the last releases

  • support voidauth
  • remove AUTH_REQUEST_TINYAUTH_DOMAIN env, tinyauth v5.0.7+ is now required
  • allow the backend to send all Upgrade headers again; if you have issues with Apple clients, try disabling http2 in your upstreams instead
  • cookies are more strict now, the cookie name has changed because of this
  • always send "Origin-Agent-Cluster: ?1" header
  • hsts buttons are now better labeled
  • CERTBOT_RUN_INTERVAL is now limited to 500 hours
  • inbuilt php has been fixed
  • the error log written to disk now uses error level info
  • rename the advanced tab from a cogwheel symbol to advanced
  • show a star if a custom config is set for locations
  • dep and doc updates

Image tags:

  • docker.io/zoeyvid/npmplus:2026-04-21-r1 (fixed to this release)
  • ghcr.io/zoeyvid/npmplus:2026-04-21-r1 (fixed to this release)
  • docker.io/zoeyvid/npmplus:latest (latest stable)
  • ghcr.io/zoeyvid/npmplus:latest (latest stable)
  • docker.io/zoeyvid/npmplus:beta (latest beta/stable)
  • ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-04-20-r1...2026-04-21-r1

2026-04-20-r1 Breaking risk
⚠ Upgrade required
  • If experiencing issues with Apple clients, disable http2 in upstreams to work around Upgrade header behavior changes
  • Error logs written to disk now use info level
Breaking changes
  • AUTH_REQUEST_TINYAUTH_DOMAIN environment variable removed
  • tinyauth v5.0.7+ is now required
  • Cookie name changed due to stricter cookie handling
Security fixes
  • Stricter cookie handling with changed cookie names
  • Always send Origin-Agent-Cluster: ?1 header
Notable features
  • Support for voidauth authentication method
  • Backend can now send all Upgrade headers again
  • UI improvements: advanced tab redesigned (cogwheel → 'advanced'), HSTS buttons relabeled, custom location configs indicated with star
Full changelog

What's Changed since last release

  • support voidauth
  • remove AUTH_REQUEST_TINYAUTH_DOMAIN env, tinyauth v5.0.7+ is now required
  • allow the backend to send all Upgrade headers again; if you have issues with Apple clients, try disabling http2 in your upstreams instead
  • cookies are more strict now, the cookie name has changed because of this
  • always send "Origin-Agent-Cluster: ?1" header
  • hsts buttons are now better labeled
  • CERTBOT_RUN_INTERVAL is now limited to 500 hours
  • inbuilt php has been fixed
  • the error log written to disk now uses error level info
  • rename the advanced tab from a cogwheel symbol to advanced
  • show a star if a custom config is set for locations
  • dep and doc updates

Image tags:

  • docker.io/zoeyvid/npmplus:2026-04-20-r1 (fixed to this release)
  • ghcr.io/zoeyvid/npmplus:2026-04-20-r1 (fixed to this release)
  • docker.io/zoeyvid/npmplus:latest (latest stable)
  • ghcr.io/zoeyvid/npmplus:latest (latest stable)
  • docker.io/zoeyvid/npmplus:beta (latest beta/stable)
  • ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-04-12-r1...2026-04-20-r1

2026-04-12-r1 Breaking risk
Breaking changes
  • tls, access, npmplus and nginx/logs folders now restricted to owner (PUID)
  • creating location / as custom location or in advanced tab will crash nginx
Security fixes
  • Fix for issue allowing non-admin users to become admin (upstream still vulnerable)
Notable features
  • nginx built with aws-lc instead of openssl
  • Certificate compression using zlib-ng and brotli support
  • mTLS support (on, off, optional)
2026-04-10-r2 Mixed
Breaking changes
  • tls, access, npmplus and nginx/logs folders now restricted to owner (PUID)
  • Creating location / as custom location or in advanced tab will crash nginx, use details tab instead
Security fixes
  • Non-admin user privilege escalation (nginx-proxy-manager #5441)
Notable features
  • Nginx built with aws-lc instead of OpenSSL with certificate compression support
  • mTLS support with on/off/optional modes
  • OAuth2proxy as auth_request provider

About

Stars
2,114
Forks
111
Languages
TypeScript JavaScript Shell

Install & Platforms

Install via
docker binary
Platforms
linux arm64

Alternative to

nginx-proxy-manager
