github ZoeyVid/NPMplus 2026-04-05-b1
on GitHub

pre-release6 hours ago

This is a beta

  • Make sure to create a backup first
  • Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)

What's Changed since last beta

  • fix $request_port / $is_request_port being empty if auth_request is used (fixed #3034)

What else Changed since last release

  • breaking: the tls, access, npmplus and nginx/logs folder are now restricted to the owner (PUID)
  • breaking: creating a location / as custom location or in the advanced tab will now crash nginx
  • you can now insert configs in the location / directly in the details tab
  • nginx is now built with aws-lc instead of openssl
  • certificate compression using zlib-ng and brotli is now supported (disabled when OCSP is enabled) by patching nginx (patch created by myself)
  • build aws-lc from source
  • fix bpf by merging nginx/nginx#1219
  • add nginx patch based on nginx/nginx#973 to support encrypted client hello with aws-lc (see readme)
  • support ip certificates
  • use a upstream block in nginx to support keepalive
  • add nginx patch to use the listing IP as SNI if the client doesn't send one, this is required to improve ip certificate support since the RFC forbids clients (browsers) to send the SNI for IP targets, this required network_mode host
  • support easier changing the images used by anubis (see readme)
  • drop authentik domain level mode (drop AUTH_REQUEST_AUTHENTIK_DOMAIN env), single application mode is still supported
  • add oauth2proxy ass auth_request provider (untested by be)
  • allow upstreams to only trigger websocket upgrades, this should prevent issues with apple clients when the backend (apache2) tries to upgrade the connection to http2 between itself and nginx (which then causes a chain of issues if nginx already talks http2 to the client but nginx blindly forwards the upstreams upgrade request to the client which rejects it since it is already using http2 to nginx)
  • encrypt cookies, the secret will be generated on container restart, so sessions are invalidated after restart (set the COOKIE_SECRET to keep them valid)
  • improve CSRF protection in the backend a bit
  • make the CSP more restrictive
  • block enabling appsec and disabling request buffering at the same time
  • add ENABLE_MPTCP env to enable multipathtcp in nginx, defaults to false, only works when using network_mode host
  • merge NginxProxyManager#5421
  • make more async in the backend
  • add advanced config tab to streams, since ssl_preread is now off by default
  • merge #2783
  • use node:crypto instead of the openssl command to read certificate meta data
  • rename the CRT env to CERTBOT_RUN_INTERVAL
  • switch from moment to dayjs
  • add mTLS support
  • add swagger docs ui under /api/docs
  • LISTEN_PROXY_PROTOCOL can now also be set independently using LISTEN_PROXY_PROTOCOL_HTTP and LISTEN_PROXY_PROTOCOL_HTTPS
  • add ACME_KEY_SIZE env
  • invert default of NGINX_TRUST_SECPR1 env
  • fix anubis under some conditions
  • spoof host header for auth_request targets
  • not required caps are now dropped in the compose.yaml
  • Update docs by @gingemonster in #2790
  • doc and dep updates
  • merge upstream (no real changes)

Image tags:

  • docker.io/zoeyvid/npmplus:2026-04-05-b1 (fixed to this release)
  • ghcr.io/zoeyvid/npmplus:2026-04-05-b1 (fixed to this release)
  • docker.io/zoeyvid/npmplus:beta (latest beta/stable)
  • ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-04-04-b3...2026-04-05-b1

Check out latest releases or
releases around ZoeyVid/NPMplus 2026-04-05-b1

Don't miss a new NPMplus release

NewReleases is sending notifications on new releases.

Get notifications