Next Release Overview/TODO

[Zoey2936]

This is a list of changes which are planned to be done before the next release, if things are not on this list which currently have an open Issue, then they are currently too low priority for me (sorry), or I forgot them (sorry). I want to improve transparency a bit with this:

• Merge of upstreams new frontend:
  • fix: for some reason a disabled streams shows "Disable" instead of "Enable" as text on the enable button
  • new frontend doesn't show certbot error
  • check Add Certificate via http fails if "-" is into the FQDN NginxProxyManager/nginx-proxy-manager#4929
  • depending on if it is working or not and depending on time: make a cert show as "in-use" if it is used for a stream
  • readd: show broken hosts/streams as offline instead of online and show the nginx error when hovering over it
  • make it possible again to sort tables by clicking on the header
  • move security.txt
  • readd proxy_protocol button for streams
  • don't show the cert deletion button if a cert is used
  • add config buttons from the details tab to custom locations
  • add custom location modifier (exact match/regex, etc) [ = | ~ | ~* | ^~ | @]
  • allow empty custo locations
  • make Disable Login #2118 possible
  • hide password-login/oidc-logincif disabled
  • depending on time: option to disable gravatar
  • cache gravatar locally
  • depending on time: auto detect light/dark mode already possible
  • depending on time: auto detect lang no
  • depending on time: How to pass the JWT Token for web authentication after v2.13.1? NginxProxyManager/nginx-proxy-manager#4852
  • depending on time readd and test custom cert edition in the frontend (backend supports it): https://github.com/ZoeyVid/NPMplus/pull/1947/files
  • depending on time readd and test oidc in the frontend (backend supports it): openid-v6 #1668
  • merge upstream PR of [feature] Add support for copying an existing Proxy Host #2292 if not done by upstream
• Dockerfile/GitHub Actions:
  • nginx-quic: use native arm64 runner to build the -python image
  • NPMplus: use native arm runner to build the image
  • maybe unify nginx-quic and npmplus
  • maybe move to node image with apk add python3 py3-pip alpine with nodejs/python from apk
  • remove crowdsec build step and include in main buildstep
  • image size is somehow smaller now
• UI Buttons rework:
  • TLS-Tab:
    • force https
    • enable hsts
    • enable hsts subdomains
    • hide alt-svc header button
  • details:
    • fancyindex/upstream compression
  • once breaks all hosts to force users to review theier setting (by writting an invalid file to conf.d which mentions to review all confs) no
  • maybe cert creation: reuse-key (based on accept tos)
• ENVs:
  • add env to fully block oidc in the backend, blocked by default if not configured
  • remove HTTP3_ALT_SVC_PORT
  • use shortlived acme profile for letsencrypt by default, this also allows certs for IPs
  • switch to create logs per host additionally/instead of globally no users can filter the hostname them selves or use advanced config
  • maybe add env to set key length no
  • don't use huge nginx hash sizes/buckets by default instead add env to set "factors" for them no
  • warn if any INITIAL_* or ACME_EMAIL is set when they are not required anymore no
  • automatically set best CA settings for letsencrypt, zerossl and google
  • sleep inf if NGINX_HSTS_SUBDOMAINS is set
• Backend:
  • move to secure cookies
  • migrate http to fetch + useragent + proxy
  • feat: API schema NginxProxyManager/nginx-proxy-manager#4998 if upstream merges it
  • encrypt OIDC-Cookie makes no sense
  • fix [bug/confirmed] OIDC with Google oauth is not working - /api maybe the reason #2106
  • check if certID/upload/post.json validation can also be used for certID/upload/certID/put.json not needed at all
  • reduce loging for invalid token
  • add acme server config to certbot.ini and add a second certbot config without it for revoks no
  • revoke with private key instead of acme key no
• rootfs:
  • move nginx/conf.d/include folder to a different location
  • block mount of /etc/letsencrypt
  • User Agent for healthcheck
  • Rework start script chain (maybe like: entrypoint => envs => start => launch)
• nginx:
  • review CFLAGS
  • fastcgi(_request)_buffering
  • move log files (adjusts logs, paths (symlink))
  • fastcgi headers: https://github.com/nginx/nginx/blob/master/conf/fastcgi.conf (host header, etc.)
  • https://github.com/OWASP/www-project-secure-headers/blob/master/ci/headers_add.json
  • include acme-challenge folder in /data
  • review if current compression levels make sense
  • review headers sent to upstream
  • https://github.com/netbirdio/netbird/blob/main/infrastructure_files/nginx.tmpl.conf
  • maybe move to angie or freenginx? currently not
  • modules:
    • crowdsec: remove config file and use env options instead (https://github.com/crowdsecurity/lua-cs-bouncer/blob/main/config_example.conf) not possible
    • remove all modsec files and add env option to load it, close [bug] Abnormally high memory usage when using coreruleset #1635 by removing support for it (sorry)
    • env to load ldap module
    • env to load geop module
    • env to load geoip2 module
• docs:
  • rework https://github.com/ZoeyVid/NPMplus?tab=readme-ov-file#examples-of-implementing-some-services-using-auth_request
  • maybe explain how to edit anubis images (https://github.com/TecharoHQ/anubis/tree/main/web/static/img)
  • update the nextcloud-aio script inside NPMplus (cookie)
  • test if [bug] GoAccess --exclude-ip is ignored and database fails to persist #1936 can be closed no seems to be a bug in goaccess
  • check if other issue can be closed
  • check if I like the version number syntax
  • adjust readme (exaplain proxy_buffering/proxy_request_buffering with/without crowdsec/general)
  • update docs for php (internal/external), for external recommand custom location instead of advanced tab + explain how path works
  • test (QUIC stops working after a while #2293 (reply in thread))
  • test appsec timeout (nextcloud file upload) https://github.com/crowdsecurity/lua-cs-bouncer/blob/v1.0.13/lib/plugins/crowdsec/config.lua
  • remove worker_connections env
  • add NGINX_TRUST_SECPR1 env
  • check ulimits
  • test $ssl_preread_server_name$ssl_server_name
  • update images in frontend/public/images for NPMplus (text needs to be changed in anycase)
  • NEW BETA (Breaking: Buttons and shortlived 25 domains limit, crowdswec log path)
  • fix update check: betas and link to releases
  • fix css: scheme in custom locations
  • Dual License: MIT AND AGPLv3 (both)
  • NEW RELEASE (beta changelog + details buttons survey + watchtower auto updates are now blocked + shotlived/tlsserver certs breaks emby)
  • Update the Screenshots in the Nextcloud AIO docs of NPM and NPMplus and nginx/freenginx/angie/openresty

already done (at point off creation):

• merge of Upstreams new frontend (needs still some adjustments)
• dep updates (will still be merged on new updates...)
• merge other things from upstream (will also still be done on new updates...)
• update alpine to 3.23 (from 3.21) (with openssl 3.5.1 with native quic for nginx and native mlkem)
• use unix sockets for goaccess and NPMplus backend api which then are transformmed to tcp sockets by nginx
• oidc in the backend by merging and changing an upstream PR
• stream forwarding_port can now now be empty to use load balancing and choosing upstreams based on other options via map
• support acme profiles
• general improvements to the nginx config (for example reuseport, deferred, so_keepalive (tcp))
• add proxy_protocol as possible stream upstream (currently only in the backend)
• replace Hurricane Electric certbot dns plugin
• fix Letsencrypt renew not working after migration from upstream NPM. #1971 (fix renewal of migrated HTTP-01 certs)
• compose.yaml now documents cap_add instead of privilleged for enabling ebpf for quic
• Static/PHP hosts can now be created without using the advanced config tab
• use bcrypt for access-lists
• drop (ghcr.io/)zoeyvid/nginx-proxy-manager:caddy (not (ghcr.io/)zoeyvid/npmplus:caddy)
• require x86-64-v2 required (or aarch64)
• added zstd and unbrotli
• improve default buffer sizes
• enable early hints by default (now supported because of nginx update to v1.29)
• added anubis example to the readme
• version scheme has changed a bit
• support editing custom certs in the backend (merge upstream PR 4425)
• Cloudflare IPs are not trusted by default anymore

[Zoey2936]

I will keep comments open at the moment, depending on how much is happening here, let's see. Please do not report bugs here

[Rapter001]

The drop down menu icon is just a blank box i have no idea if its just me did you get any reports?

[Zoey2936]

Can confirm, but this issue should be gone with upstreams new frontend

[ZandercraftGames]

Just updated and saw OIDC disappear. I love the new UI, but I must admit I'm quite sad that it was removed. It was very useful.

[Zoey2936]

the backend code is still there, but the frontend code does not work with the new frontend, like all other changes I did to the frontend

[lucien-bf]

What's the blocker on mfa? (willing to help)

[Zoey2936]

Mainly time and focus on the other things

[Zoey2936]

Just updated and saw OIDC disappear. I love the new UI, but I must admit I'm quite sad that it was removed. It was very useful.

OIDC is now readded

[Zoey2936]

(but OIDC was moved to env options)

[Zoey2936]

Maybe I can release a beta in the next few days

[ZandercraftGames]

(but OIDC was moved to env options)

Heya Zoey. Just updated to the latest develop branch image and configured OIDC using the environment variables. It properly redirects to the OIDC IdP page, I log in and get redirected back to the NPMPlus login screen with the frontend reporting an Internal Error and Docker logs showing:

npmplus  | [OIDC          ] › ✖  error     Callback error: invalid response encountered
npmplus  | [Express       ] › ⚠  warning   GET /api/tokens: Error: Existing token contained invalid user data

It also seems that when logging in wit the normal login, the logout button isn't working to properly invalidate the session. It redirects to a loading screen for half a second then puts me back on the main dashboard screen.