Released 2026-02-20 16:47:45 +00:00 | 49 commits to develop since this release
📅 Originally published on GitHub: Fri, 20 Feb 2026 17:05:45 GMT
🏷️ Git tag created: Fri, 20 Feb 2026 16:47:45 GMT
What's Changed since last release
- nginx is now built with aws-lc instead of openssl
- certificate compression using zlib-ng and brotli is now supported (disabled when OCSP is enabled) by patching nginx (patch created by myself)
- Update docs by @gingemonster in https://github.com/ZoeyVid/NPMplus/pull/2790
- dep updates
- merge upstream (no changes)
New Contributors
- @gingemonster made their first contribution in https://github.com/ZoeyVid/NPMplus/pull/2790
Image tags:
- docker.io/zoeyvid/npmplus:2026-02-20-b1 (fixed to this release)
- ghcr.io/zoeyvid/npmplus:2026-02-20-b1 (fixed to this release)
- docker.io/zoeyvid/npmplus:beta (latest beta/stable)
- ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)
Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-02-19-r3...2026-02-20-b1

Released 2026-02-19 21:27:02 +00:00 | 50 commits to develop since this release
📅 Originally published on GitHub: Thu, 19 Feb 2026 21:37:50 GMT
🏷️ Git tag created: Thu, 19 Feb 2026 21:27:02 GMT
What's Changed since last release
- fix missing default / location if custom location / is disabled
- fix oidc: sec-fetch rules
- improve error logging of ratelimited requests
- dep updates
What's Changed in last release
- This fixes a security issue related to TOTP (upstream is not affected): In release 2026-02-19-r1 (and all betas after this release) a logged-in user with a valid session can disable TOTP or regenerate backup codes for themselves without reentering a valid TOTP code or a backup code, if the entered token was not 6 or 8 chars long. This is only possible by directly talking to the API; the frontend blocks this
- Make sure to create a backup first
- Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  - Disable Request/Response Buffering: This was split in two buttons
  - Send noindex header and block some user agents
  - Enable fancyindex/compression by upstream: This was split in two buttons
  - HTTP/3 Support
  - (this also affects the undocumented API)
- This release will regenerate all your hosts
- The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
- remove support for setting the database config using a config file
- Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
- The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
- Custom locations can now be turned on and off in the UI without deleting them
- the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
- the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
- A Content Security Policy was added to goaccess and the NPMplus WebUI. Please note that this will break uncached gravatar images; to fix this you need to edit a user's profile (where you can edit the name) and save it without changes
- Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
- basic auth passwords are not saved in plain text anymore in the database, this does not apply to existing access lists
- setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
- streams and proxy hosts which do not proxy to sub paths will now work (again) with dynamic dns
- the referrer-policy sent by an upstream will not be overridden anymore
- use zlib-ng instead of zlib
- use quickjs-ng-dev instead of the njs inbuilt engine
- fix #2704
- fix #2652, this does not apply to existing custom certs
- fix upload of custom certificates
- contrast of selected text in the WebUI in dark mode has been improved
- merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
- dep updates and pin more deps (github actions)
- the NGINX_WORKER_CONNECTIONS env was re-added
- https is now forced for the npmplus and goaccess ui in the full chain
- fix: #2698, plex is now working on samsung tizen TVs (change ssl_ciphers)
- set client_max_body_size to 1mb for npmplus itself and goaccess, same for file uploads in express
- the download button is now hidden for custom certs since it was never supported
- use strict cookies if possible
- add rate-limiting to token and oidc endpoints
- improve "upload-object" validation of custom certs
Image tags:
- docker.io/zoeyvid/npmplus:2026-02-19-r3 (fixed to this release)
- ghcr.io/zoeyvid/npmplus:2026-02-19-r3 (fixed to this release)
- docker.io/zoeyvid/npmplus:latest (latest stable)
- ghcr.io/zoeyvid/npmplus:latest (latest stable)
- docker.io/zoeyvid/npmplus:beta (latest beta/stable)
- ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)
Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-02-19-r2...2026-02-19-r3

Released 2026-02-19 20:04:10 +00:00 | 54 commits to develop since this release
📅 Originally published on GitHub: Thu, 19 Feb 2026 20:07:45 GMT
🏷️ Git tag created: Thu, 19 Feb 2026 20:04:10 GMT
What's Changed since last release
- fix #2795 by patching openappsec attachment to use zlib-ng
What's Changed in last release
- This fixes a security issue related to TOTP (upstream is not affected): In release 2026-02-19-r1 (and all betas after this release) a logged-in user with a valid session can disable TOTP or regenerate backup codes for themselves without reentering a valid TOTP code or a backup code, if the entered token was not 6 or 8 chars long. This is only possible by directly talking to the API; the frontend blocks this
- Make sure to create a backup first
- Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  - Disable Request/Response Buffering: This was split in two buttons
  - Send noindex header and block some user agents
  - Enable fancyindex/compression by upstream: This was split in two buttons
  - HTTP/3 Support
  - (this also affects the undocumented API)
- This release will regenerate all your hosts
- The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
- remove support for setting the database config using a config file
- Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
- The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
- Custom locations can now be turned on and off in the UI without deleting them
- the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
- the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
- A Content Security Policy was added to goaccess and the NPMplus WebUI. Please note that this will break uncached gravatar images; to fix this you need to edit a user's profile (where you can edit the name) and save it without changes
- Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
- basic auth passwords are not saved in plain text anymore in the database, this does not apply to existing access lists
- setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
- streams and proxy hosts which do not proxy to sub paths will now work (again) with dynamic dns
- the referrer-policy sent by an upstream will not be overridden anymore
- use zlib-ng instead of zlib
- use quickjs-ng-dev instead of the njs inbuilt engine
- fix #2704
- fix #2652, this does not apply to existing custom certs
- fix upload of custom certificates
- contrast of selected text in the WebUI in dark mode has been improved
- merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
- dep updates and pin more deps (github actions)
- the NGINX_WORKER_CONNECTIONS env was re-added
- https is now forced for the npmplus and goaccess ui in the full chain
- fix: #2698, plex is now working on samsung tizen TVs (change ssl_ciphers)
- set client_max_body_size to 1mb for npmplus itself and goaccess, same for file uploads in express
- the download button is now hidden for custom certs since it was never supported
- use strict cookies if possible
- add rate-limiting to token and oidc endpoints
- improve "upload-object" validation of custom certs
Image tags:
- docker.io/zoeyvid/npmplus:2026-02-19-r2 (fixed to this release)
- ghcr.io/zoeyvid/npmplus:2026-02-19-r2 (fixed to this release)
- docker.io/zoeyvid/npmplus:latest (latest stable)
- ghcr.io/zoeyvid/npmplus:latest (latest stable)
- docker.io/zoeyvid/npmplus:beta (latest beta/stable)
- ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)
Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-02-19-r1...2026-02-19-r2

Released 2026-02-19 18:11:52 +00:00 | 55 commits to develop since this release
📅 Originally published on GitHub: Thu, 19 Feb 2026 18:31:14 GMT
🏷️ Git tag created: Thu, 19 Feb 2026 18:11:52 GMT
What's Changed since last release
- This fixes a security issue related to TOTP (upstream is not affected): In release 2026-02-19-r1 (and all betas after this release) a logged-in user with a valid session can disable TOTP or regenerate backup codes for themselves without reentering a valid TOTP code or a backup code, if the entered token was not 6 or 8 chars long. This is only possible by directly talking to the API; the frontend blocks this
- Make sure to create a backup first
- Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  - Disable Request/Response Buffering: This was split in two buttons
  - Send noindex header and block some user agents
  - Enable fancyindex/compression by upstream: This was split in two buttons
  - HTTP/3 Support
  - (this also affects the undocumented API)
- This release will regenerate all your hosts
- The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
- remove support for setting the database config using a config file
- Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
- The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
- Custom locations can now be turned on and off in the UI without deleting them
- the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
- the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
- A Content Security Policy was added to goaccess and the NPMplus WebUI. Please note that this will break uncached gravatar images; to fix this you need to edit a user's profile (where you can edit the name) and save it without changes
- Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
- basic auth passwords are not saved in plain text anymore in the database, this does not apply to existing access lists
- setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
- streams and proxy hosts which do not proxy to sub paths will now work (again) with dynamic dns
- the referrer-policy sent by an upstream will not be overridden anymore
- use zlib-ng instead of zlib
- use quickjs-ng-dev instead of the njs inbuilt engine
- fix #2704
- fix #2652, this does not apply to existing custom certs
- fix upload of custom certificates
- contrast of selected text in the WebUI in dark mode has been improved
- merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
- dep updates and pin more deps (github actions)
- the NGINX_WORKER_CONNECTIONS env was re-added
- https is now forced for the npmplus and goaccess ui in the full chain
- fix: #2698, plex is now working on samsung tizen TVs (change ssl_ciphers)
- set client_max_body_size to 1mb for npmplus itself and goaccess, same for file uploads in express
- the download button is now hidden for custom certs since it was never supported
- use strict cookies if possible
- add rate-limiting to token and oidc endpoints
- improve "upload-object" validation of custom certs
What's Changed since last beta
- This fixes a security issue related to TOTP (upstream is not affected): In release 2026-02-19-r1 (and all betas after this release) a logged-in user with a valid session can disable TOTP or regenerate backup codes for themselves without reentering a valid TOTP code or a backup code, if the entered token was not 6 or 8 chars long. This is only possible by directly talking to the API; the frontend blocks this
- fixed cors again
- set client_max_body_size to 1mb for npmplus itself and goaccess, same for file uploads in express
- fix langname "Gaeilge" not being shown
- use strict cookies if possible
- dep updates and pin more deps (github actions)
- add rate-limiting to token and oidc endpoints
- improve "upload-object" validation of custom certs
- reject api requests if the Sec-Fetch-Site header is set but does not equal none or same-origin
Image tags:
- docker.io/zoeyvid/npmplus:2026-02-19-r1 (fixed to this release)
- ghcr.io/zoeyvid/npmplus:2026-02-19-r1 (fixed to this release)
- docker.io/zoeyvid/npmplus:latest (latest stable)
- ghcr.io/zoeyvid/npmplus:latest (latest stable)
- docker.io/zoeyvid/npmplus:beta (latest beta/stable)
- ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)
Full Changelog: bb4286614d...2026-02-19-r1

Released 2026-02-18 22:39:34 +00:00 | 57 commits to develop since this release
📅 Originally published on GitHub: Wed, 18 Feb 2026 22:46:24 GMT
🏷️ Git tag created: Wed, 18 Feb 2026 22:39:34 GMT
What's Changed since last beta
- use zlib-ng instead of zlib
- use quickjs-ng-dev instead of the njs inbuilt engine
- fix: #2781
- remove support for setting the database config using a config file
- adjust stream ssl_ciphers to match http ssl_ciphers which were changed in the last beta
- merge upstream: lang changes
What else Changed since last release
- Make sure to create a backup first
- Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
- Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  - Disable Request/Response Buffering: This was split in two buttons
  - Send noindex header and block some user agents
  - Enable fancyindex/compression by upstream: This was split in two buttons
  - HTTP/3 Support
  - (this also affects the undocumented API)
- This release will regenerate all your hosts
- The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
- Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
- The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
- Custom locations can now be turned on and off in the UI without deleting them
- the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
- the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
- A Content Security Policy was added to goaccess and the NPMplus WebUI. Please note that this will break uncached gravatar images; to fix this you need to edit a user's profile (where you can edit the name) and save it without changes
- Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
- basic auth passwords are not saved in plain text anymore in the database, this does not apply to existing access lists
- setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
- streams and proxy hosts which do not proxy to sub paths will now work (again) with dynamic dns
- the referrer-policy sent by an upstream will not be overridden anymore
- fix #2704
- fix #2652, this does not apply to existing custom certs
- fix upload of custom certificates
- contrast of selected text in the WebUI in dark mode has been improved
- merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
- dep updates
- the NGINX_WORKER_CONNECTIONS env was re-added
- https is now forced for the npmplus and goaccess ui in the full chain
- fix: #2698, plex is now working on samsung tizen TVs (change ssl_ciphers)
Image tags:
- docker.io/zoeyvid/npmplus:2026-02-18-b1 (fixed to this release)
- ghcr.io/zoeyvid/npmplus:2026-02-18-b1 (fixed to this release)
- docker.io/zoeyvid/npmplus:beta (latest beta/stable)
- ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)
Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-02-17-b1...2026-02-18-b1

Released 2026-02-17 06:57:18 +00:00 | 69 commits to develop since this release
📅 Originally published on GitHub: Tue, 17 Feb 2026 07:04:08 GMT
🏷️ Git tag created: Tue, 17 Feb 2026 06:57:18 GMT
What's Changed since last beta
- https is now forced for the npmplus and goaccess ui in the full chain
- fix: #2698, plex is now working on samsung tizen TVs
- merge upstream: lang changes; ArvanCloud dns provider
- small doc updates
- dep updates
What else Changed since last release
- Make sure to create a backup first
- Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
- Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  - Disable Request/Response Buffering: This was split in two buttons
  - Send noindex header and block some user agents
  - Enable fancyindex/compression by upstream: This was split in two buttons
  - HTTP/3 Support
  - (this also affects the undocumented API)
- This release will regenerate all your hosts
- The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
- Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
- The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
- Custom locations can now be turned on and off in the UI without deleting them
- the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
- the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
- A Content Security Policy was added to goaccess and the NPMplus WebUI. Please note that this will break uncached gravatar images; to fix this you need to edit a user's profile (where you can edit the name) and save it without changes
- Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
- basic auth passwords are not saved in plain text anymore in the database, this does not apply to existing access lists
- setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
- streams and proxy hosts which do not proxy to sub paths will now work (again) with dynamic dns
- the referrer-policy sent by an upstream will not be overridden anymore
- fix #2704
- fix #2652, this does not apply to existing custom certs
- fix upload of custom certificates
- contrast of selected text in the WebUI in dark mode has been improved
- merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
- dep updates
- the NGINX_WORKER_CONNECTIONS env was re-added
Image tags:
- docker.io/zoeyvid/npmplus:2026-02-17-b1 (fixed to this release)
- ghcr.io/zoeyvid/npmplus:2026-02-17-b1 (fixed to this release)
- docker.io/zoeyvid/npmplus:beta (latest beta/stable)
- ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)
Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-02-15-b4...2026-02-17-b1

Released 2026-02-15 09:09:23 +00:00 | 121 commits to develop since this release
📅 Originally published on GitHub: Sun, 15 Feb 2026 09:11:09 GMT
🏷️ Git tag created: Sun, 15 Feb 2026 09:09:23 GMT
What's Changed since last beta
- fix: default of npmplus_x_frame_options in custom locations again
- This release will regenerate all your hosts
What else Changed since last release
- Make sure to create a backup first
- Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
- Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  - Disable Request/Response Buffering: This was split in two buttons
  - Send noindex header and block some user agents
  - Enable fancyindex/compression by upstream: This was split in two buttons
  - HTTP/3 Support
  - (this also affects the undocumented API)
- This release will regenerate all your hosts
- The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
- Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
- The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
- Custom locations can now be turned on and off in the UI without deleting them
- the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
- the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
- A Content Security Policy was added to goaccess and the NPMplus WebUI. Please note that this will break uncached gravatar images; to fix this you need to edit a user's profile (where you can edit the name) and save it without changes
- Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
- basic auth passwords are not saved in plain text anymore in the database, this does not apply to existing access lists
- setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
- streams and proxy hosts which do not proxy to sub paths will now work (again) with dynamic dns
- the referrer-policy sent by an upstream will not be overridden anymore
- fix #2704
- fix #2652, this does not apply to existing custom certs
- fix upload of custom certificates
- contrast of selected text in the WebUI in dark mode has been improved
- merge upstream, no changes since the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
- dep updates
- the NGINX_WORKER_CONNECTIONS env was re-added
Image tags:
- docker.io/zoeyvid/npmplus:2026-02-15-b4 (fixed to this release)
- ghcr.io/zoeyvid/npmplus:2026-02-15-b4 (fixed to this release)
- docker.io/zoeyvid/npmplus:beta (latest beta/stable)
- ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)
Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-02-15-b3...2026-02-15-b4

Released 2026-02-15 08:57:40 +00:00 | 122 commits to develop since this release
📅 Originally published on GitHub: Sun, 15 Feb 2026 08:59:32 GMT
🏷️ Git tag created: Sun, 15 Feb 2026 08:57:40 GMT
What's Changed since last beta
- fix: default of npmplus_upstream_compression/npmplus_x_frame_options in custom locations
- small ui improvements
- This release will regenerate all your hosts
What else Changed since last release
- Make sure to create a backup first
- Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
- Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  - Disable Request/Response Buffering: This was split in two buttons
  - Send noindex header and block some user agents
  - Enable fancyindex/compression by upstream: This was split in two buttons
  - HTTP/3 Support
  - (this also affects the undocumented API)
- This release will regenerate all your hosts
- The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
- Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
- The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
- Custom locations can now be turned on and off in the UI without deleting them
- the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
- the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
- A Content Security Policy was added to goaccess and the NPMplus WebUI. Please note that this will break uncached gravatar images; to fix this you need to edit a user's profile (where you can edit the name) and save it without changes
- Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
- basic auth passwords are not saved in plain text anymore in the database, this does not apply to existing access lists
- setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
- streams and proxy hosts which do not proxy to sub paths will now work (again) with dynamic dns
- the referrer-policy sent by an upstream will not be overridden anymore
- fix #2704
- fix #2652, this does not apply to existing custom certs
- fix upload of custom certificates
- contrast of selected text in the WebUI in dark mode has been improved
- merge upstream, no changes since the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
- dep updates
- the NGINX_WORKER_CONNECTIONS env was re-added
Image tags:
- docker.io/zoeyvid/npmplus:2026-02-15-b3 (fixed to this release)
- ghcr.io/zoeyvid/npmplus:2026-02-15-b3 (fixed to this release)
- docker.io/zoeyvid/npmplus:beta (latest beta/stable)
- ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)
Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-02-15-b2...2026-02-15-b3

Released 2026-02-15 08:35:43 +00:00 | 124 commits to develop since this release
📅 Originally published on GitHub: Sun, 15 Feb 2026 08:37:41 GMT
🏷️ Git tag created: Sun, 15 Feb 2026 08:35:43 GMT
What's Changed since last beta
- fix: custom locations being always marked as off
What else Changed since last release
- Make sure to create a backup first
- Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
- Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  - Disable Request/Response Buffering: This was split in two buttons
  - Send noindex header and block some user agents
  - Enable fancyindex/compression by upstream: This was split in two buttons
  - HTTP/3 Support
  - (this also affects the undocumented API)
- This release will regenerate all your hosts
- The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
- Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
- The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
- Custom locations can now be turned on and off in the UI without deleting them
- the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
- the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
- A Content Security Policy was added to goaccess and the NPMplus WebUI. Please note that this will break uncached gravatar images; to fix this you need to edit a user's profile (where you can edit the name) and save it without changes
- Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
- basic auth passwords are not saved in plain text anymore in the database, this does not apply to existing access lists
- setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
- streams and proxy hosts which do not proxy to sub paths will now work (again) with dynamic dns
- the referrer-policy sent by an upstream will not be overridden anymore
- fix #2704
- fix #2652, this does not apply to existing custom certs
- fix upload of custom certificates
- contrast of selected text in the WebUI in dark mode has been improved
- merge upstream, no changes since the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
- dep updates
- the NGINX_WORKER_CONNECTIONS env was re-added
Image tags:
- docker.io/zoeyvid/npmplus:2026-02-15-b2 (fixed to this release)
- ghcr.io/zoeyvid/npmplus:2026-02-15-b2 (fixed to this release)
- docker.io/zoeyvid/npmplus:beta (latest beta/stable)
- ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)
Full Changelog: https://github.com/ZoeyVid/NPMplus/compare/2026-02-15-b1...2026-02-15-b2

Released 2026-02-14 21:46:43 +00:00 | 126 commits to develop since this release
📅 Originally published on GitHub: Sat, 14 Feb 2026 22:23:44 GMT
🏷️ Git tag created: Sat, 14 Feb 2026 21:46:43 GMT
What's Changed since last release
- Make sure to create a backup first
- Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
- Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  - Disable Request/Response Buffering: This was split in two buttons
  - Send noindex header and block some user agents
  - Enable fancyindex/compression by upstream: This was split in two buttons
  - HTTP/3 Support
  - (this also affects the undocumented API)
- This release will regenerate all your hosts
- The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
- Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
- The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
- Custom locations can now be turned on and off in the UI without deleting them
- the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
- the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
- A Content Security Policy was added to goaccess and the NPMplus WebUI. Please note that this will break uncached gravatar images; to fix this you need to edit a user's profile (where you can edit the name) and save it without changes
- Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
- basic auth passwords are not saved in plain text anymore in the database, this does not apply to existing access lists
- setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
- streams and proxy hosts which do not proxy to sub paths will now work (again) with dynamic dns
- the referrer-policy sent by an upstream will not be overridden anymore
- fix #2704
- fix #2652, this does not apply to existing custom certs
- fix upload of custom certificates
- contrast of selected text in the WebUI in dark mode has been improved
- merge upstream, no changes since the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
- dep updates
Image tags:
- docker.io/zoeyvid/npmplus:2026-02-14-b1 (fixed to this release)
- ghcr.io/zoeyvid/npmplus:2026-02-14-b1 (fixed to this release)
- docker.io/zoeyvid/npmplus:beta (latest beta/stable)
- ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)
Full Changelog: bb4286614d...2026-02-14-b1

Mirror of https://github.com/ZoeyVid/NPMplus.git, synced 2026-03-03 02:17:01 +00:00