2026-04-04-b2

This is a beta

• Make sure to create a backup first
• Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)

What's Changed since last beta

• add ENABLE_MPTCP env, defaults to false
• make auth_request upstreams also use an upstream block

What else Changed since last release

• breaking: the tls, access, npmplus and nginx/logs folder are now restricted to the owner (PUID)
• breaking: creating a location / as custom location or in the advanced tab will now crash nginx
• you can now insert configs in the location / directly in the details tab
• nginx is now built with aws-lc instead of openssl
• certificate compression using zlib-ng and brotli is now supported (disabled when OCSP is enabled) by patching nginx (patch created by myself)
• build aws-lc from source
• fix bpf by merging nginx/nginx#1219
• add nginx patch based on nginx/nginx#973 to support encrypted client hello with aws-lc (see readme)
• support ip certificates
• use a upstream block in nginx to support keepalive
• add nginx patch to use the listing IP as SNI if the client doesn't send one, this is required to improve ip certificate support since the RFC forbids clients (browsers) to send the SNI for IP targets, this required network_mode host
• support easier changing the images used by anubis (see readme)
• drop authentik domain level mode (drop AUTH_REQUEST_AUTHENTIK_DOMAIN env), single application mode is still supported
• add oauth2proxy ass auth_request provider (untested by be)
• encrypt cookies, the secret will be generated on container restart, so sessions are invalidated after restart (set the COOKIE_SECRET to keep them valid)
• improve CSRF protection in the backend a bit
• make the CSP more restrictive
• block enabling appsec and disabling request buffering at the same time
• enable mptcp in nginx, only works when using network_mode host
• merge NginxProxyManager#5421
• make more async in the backend
• add advanced config tab to streams, since ssl_preread is now off by default
• merge #2783
• use node:crypto instead of the openssl command to read certificate meta data
• rename the CRT env to CERTBOT_RUN_INTERVAL
• switch from moment to dayjs
• add mTLS support
• add swagger docs ui under /api/docs
• LISTEN_PROXY_PROTOCOL can now also be set independently using LISTEN_PROXY_PROTOCOL_HTTP and LISTEN_PROXY_PROTOCOL_HTTPS
• add ACME_KEY_SIZE env
• invert default of NGINX_TRUST_SECPR1 env
• fix anubis under some conditions
• spoof host header for auth_request targets
• not required caps are now dropped in the compose.yaml
• Update docs by @gingemonster in #2790
• doc and dep updates
• merge upstream (no real changes)

Image tags:

• docker.io/zoeyvid/npmplus:2026-04-04-b2 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-04-04-b2 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-04-04-b1...2026-04-04-b2

2026-04-04-b1

This is a beta

• Make sure to create a backup first
• Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)

What's Changed since last beta

• breaking: the tls, access, npmplus and nginx/logs folder are now restricted to the owner (PUID)
• breaking: creating a location / as custom location or in the advanced tab will now crash nginx
• you can now insert configs in the location / directly in the details tab
• build aws-lc from source
• fix bpf by merging nginx/nginx#1219
• add nginx patch based on nginx/nginx#973 to support encrypted client hello with aws-lc (see readme)
• support ip certificates
• use a upstream block in nginx to support keepalive
• add nginx patch to use the listing IP as SNI if the client doesn't send one, this is required to improve ip certificate support since the RFC forbids clients (browsers) to send the SNI for IP targets, this required network_mode host
• support easier changing the images used by anubis (see readme)
• drop authentik domain level mode (drop AUTH_REQUEST_AUTHENTIK_DOMAIN env), single application mode is still supported
• add oauth2proxy (untested by be)
• encrypt cookies, the secret will be generated on container restart, so sessions are invalidated after restart (set the COOKIE_SECRET to keep them valid)
• improve CSRF protection in the backend a bit
• make the CSP more restrictive
• block enabling appsec and disabling request buffering at the same time
• enable mptcp in nginx, only works when using network_mode host
• merge NginxProxyManager#5421
• make more async in the backend
• add advanced config tab to streams, since ssl_preread is now off by default
• merge #2783
• use node:crypto instead of the openssl command to read certificate meta data
• rename the CRT env to CERTBOT_RUN_INTERVAL
• switch from moment to dayjs
• add mTLS support
• add swagger docs ui under /api/docs
• LISTEN_PROXY_PROTOCOL can now also be set independently using LISTEN_PROXY_PROTOCOL_HTTP and LISTEN_PROXY_PROTOCOL_HTTPS
• add ACME_KEY_SIZE env
• invert default of NGINX_TRUST_SECPR1 env
• fix anubis under some conditions
• spoof host header for auth_request targets
• not required caps are now dropped in the compose.yaml
• doc and dep updates

What else Changed since last release

• nginx is now built with aws-lc instead of openssl
• certificate compression using zlib-ng and brotli is now supported (disabled when OCSP is enabled) by patching nginx (patch created by myself)
• Update docs by @gingemonster in #2790
• dep/doc updates
• merge upstream (no real changes)

Image tags:

• docker.io/zoeyvid/npmplus:2026-04-04-b1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-04-04-b1 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-20-b1...2026-04-04-b1

2026-02-20-b1

What's Changed since last release

• nginx is now built with aws-lc instead of openssl
• certificate compression using zlib-ng and brotli is now supported (disabled when OCSP is enabled) by patching nginx (patch created by myself)
• Update docs by @gingemonster in #2790
• dep updates
• merge upstream (no changes)

New Contributors

• @gingemonster made their first contribution in #2790

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-20-b1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-20-b1 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-19-r3...2026-02-20-b1

2026-02-19-r3

What's Changed since last release

• fix missing default / location if custom location / is disabled
• fix oidc: sec-fetch rules
• improve error logging of ratelimited requests
• dep updates

What's Changed in last release

• This fixes a security issue related to TOTP (upstream is no affected): In release 2026-02-19-r1 (and all betas after this release) a logged-in user with a valid session can disable TOTP or regenerate Backup codes for themselves without reentering a valid TOTP code or a backup code, if the entered token was not 6 or 8 chars long, this is only possible by directly talking to the API, the frontend blocks this
• Make sure to create a backup first
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• remove support for setting the database config using a config file
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• use zlib-ng instead of zlib
• use quickjs-ng-dev instead of the njs inbuilt engine
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates and pin more deps (github actions)
• the NGINX_WORKER_CONNECTIONS env was re-added
• https is now forced for the npmplus and goaccess ui in the full chain
• fix: #2698, plex is now working on samsung tizen TVs (change ssl_ciphers)
• set client_max_body_size to 1mb for npmplus itself and goaccess, same of fileuploads in express
• the download button is now hidden for custom certs since it was never supported
• use strict cookies if possible
• add rate-limiting to token and oidc endpoints
• improve "upload-object" validation of custom certs

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-19-r3 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-19-r3 (fixed to this release)
• docker.io/zoeyvid/npmplus:latest (latest stable)
• ghcr.io/zoeyvid/npmplus:latest (latest stable)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-19-r2...2026-02-19-r3

2026-02-19-r2

What's Changed since last release

• fix #2795 by patching openappsec attachment to use zlib-ng

What's Changed in last release

• This fixes a security issue related to TOTP (upstream is no affected): In release 2026-02-19-r1 (and all betas after this release) a logged-in user with a valid session can disable TOTP or regenerate Backup codes for themselves without reentering a valid TOTP code or a backup code, if the entered token was not 6 or 8 chars long, this is only possible by directly talking to the API, the frontend blocks this
• Make sure to create a backup first
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• remove support for setting the database config using a config file
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• use zlib-ng instead of zlib
• use quickjs-ng-dev instead of the njs inbuilt engine
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates and pin more deps (github actions)
• the NGINX_WORKER_CONNECTIONS env was re-added
• https is now forced for the npmplus and goaccess ui in the full chain
• fix: #2698, plex is now working on samsung tizen TVs (change ssl_ciphers)
• set client_max_body_size to 1mb for npmplus itself and goaccess, same of fileuploads in express
• the download button is now hidden for custom certs since it was never supported
• use strict cookies if possible
• add rate-limiting to token and oidc endpoints
• improve "upload-object" validation of custom certs

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-19-r2 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-19-r2 (fixed to this release)
• docker.io/zoeyvid/npmplus:latest (latest stable)
• ghcr.io/zoeyvid/npmplus:latest (latest stable)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-19-r1...2026-02-19-r2

2026-02-19-r1

What's Changed since last release

• This fixes a security issue related to TOTP (upstream is no affected): In release 2026-02-19-r1 (and all betas after this release) a logged-in user with a valid session can disable TOTP or regenerate Backup codes for themselves without reentering a valid TOTP code or a backup code, if the entered token was not 6 or 8 chars long, this is only possible by directly talking to the API, the frontend blocks this
• Make sure to create a backup first
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• remove support for setting the database config using a config file
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• use zlib-ng instead of zlib
• use quickjs-ng-dev instead of the njs inbuilt engine
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates and pin more deps (github actions)
• the NGINX_WORKER_CONNECTIONS env was re-added
• https is now forced for the npmplus and goaccess ui in the full chain
• fix: #2698, plex is now working on samsung tizen TVs (change ssl_ciphers)
• set client_max_body_size to 1mb for npmplus itself and goaccess, same of fileuploads in express
• the download button is now hidden for custom certs since it was never supported
• use strict cookies if possible
• add rate-limiting to token and oidc endpoints
• improve "upload-object" validation of custom certs

What's Changed since last beta

• This fixes a security issue related to TOTP (upstream is no affected): In release 2026-02-19-r1 (and all betas after this release) a logged-in user with a valid session can disable TOTP or regenerate Backup codes for themselves without reentering a valid TOTP code or a backup code, if the entered token was not 6 or 8 chars long, this is only possible by directly talking to the API, the frontend blocks this
• fixed cors again
• set client_max_body_size to 1mb for npmplus itself and goaccess, same of fileuploads in express
• fix langname "Gaeilge" not being shown
• use strict cookies if possible
• dep updates and pin more deps (github actions)
• add rate-limiting to token and oidc endpoints
• improve "upload-object" validation of custom certs
• reject api requests if the Sec-Fetch-Site header is set but does not equal none or same-origin

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-19-r1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-19-r1 (fixed to this release)
• docker.io/zoeyvid/npmplus:latest (latest stable)
• ghcr.io/zoeyvid/npmplus:latest (latest stable)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: bb42866...2026-02-19-r1

2026-02-18-b1

What's Changed since last beta

• use zlib-ng instead of zlib
• use quickjs-ng-dev instead of the njs inbuilt engine
• fix: #2781
• remove support for setting the database config using a config file
• adjust stream ssl_ciphers to match http ssl_ciphers which were changed in the last beta
• merge upstream: lang changes

What else Changed since last release

• Make sure to create a backup first
• Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates
• the NGINX_WORKER_CONNECTIONS env was re-added
• https is now forced for the npmplus and goaccess ui in the full chain
• fix: #2698, plex is now working on samsung tizen TVs (change ssl_ciphers)

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-18-b1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-18-b1 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-17-b1...2026-02-18-b1

2026-02-17-b1

What's Changed since last beta

• https is now forced for the npmplus and goaccess ui in the full chain
• fix: #2698, plex is now working on samsung tizen TVs
• merge upstream: lang changes; ArvanCloud dns provider
• small doc updates
• dep updates

What else Changed since last release

• Make sure to create a backup first
• Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates
• the NGINX_WORKER_CONNECTIONS env was re-added

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-17-b1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-17-b1 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-15-b4...2026-02-17-b1

2026-02-15-b4

What's Changed since last beta

• fix: default of npmplus_x_frame_options in custom locations again
• This release will regenerate all your hosts

What else Changed since last release

• Make sure to create a backup first
• Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream, no changes since the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates
• the NGINX_WORKER_CONNECTIONS env was re-added

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-15-b4 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-15-b4 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-15-b3...2026-02-15-b4

2026-02-15-b3

What's Changed since last beta

• fix: default of npmplus_upstream_compression/npmplus_x_frame_options in custom locations
• small ui improvements
• This release will regenerate all your hosts

What else Changed since last release

• Make sure to create a backup first
• Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream, no changes since the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates
• the NGINX_WORKER_CONNECTIONS env was re-added

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-15-b3 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-15-b3 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-15-b2...2026-02-15-b3