NginxProxyManager · genticflowlabs · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026 · Mar 17, 2026
diff --git a/backend/internal/ip_ranges.js b/backend/internal/ip_ranges.js
@@ -6,6 +6,7 @@ import { ProxyAgent } from "proxy-agent";
 import errs from "../lib/error.js";
 import utils from "../lib/utils.js";
 import { ipRanges as logger } from "../logger.js";
+import settingModel from "../models/setting.js";
 import internalNginx from "./nginx.js";
 
 const __filename = fileURLToPath(import.meta.url);
@@ -23,6 +24,7 @@ const internalIpRanges = {
 	interval: null,
 	interval_processing: false,
 	iteration_count: 0,
+	last_ip_ranges: [],
 
 	initTimer: () => {
 		logger.info("IP Ranges Renewal Timer initialized");
@@ -107,6 +109,8 @@ const internalIpRanges = {
 						return true;
 					});
 
+					internalIpRanges.last_ip_ranges = clean_ip_ranges;
+
 					return internalIpRanges.generateConfig(clean_ip_ranges).then(() => {
 						if (internalIpRanges.iteration_count) {
 							// Reload nginx
@@ -129,7 +133,17 @@ const internalIpRanges = {
 	 * @param   {Array}  ip_ranges
 	 * @returns {Promise}
 	 */
-	generateConfig: (ip_ranges) => {
+	generateConfig: async (ip_ranges) => {
+		let realIpHeader = "X-Real-IP";
+		try {
+			const setting = await settingModel.query().where("id", "real-ip-header").first();
+			if (setting?.value) {
+				realIpHeader = setting.value === "custom" && setting.meta?.custom
+					? setting.meta.custom
+					: setting.value;
+			}
+		} catch (_) {}
+
 		const renderEngine = utils.getRenderEngine();
 		return new Promise((resolve, reject) => {
 			let template = null;
@@ -142,7 +156,7 @@ const internalIpRanges = {
 			}
 
 			renderEngine
-				.parseAndRender(template, { ip_ranges: ip_ranges })
+				.parseAndRender(template, { ip_ranges: ip_ranges, real_ip_header: realIpHeader })
 				.then((config_text) => {
 					fs.writeFileSync(filename, config_text, { encoding: "utf8" });
 					resolve(true);
@@ -153,6 +167,16 @@ const internalIpRanges = {
 				});
 		});
 	},
+
+	/**
+	 * Regenerate ip_ranges.conf with cached ranges and reload nginx.
+	 * Called when the real-ip-header setting changes.
+	 * @returns {Promise}
+	 */
+	regenerate: async () => {
+		await internalIpRanges.generateConfig(internalIpRanges.last_ip_ranges);
+		await internalNginx.reload();
+	},
 };
 
 export default internalIpRanges;
diff --git a/backend/internal/nginx.js b/backend/internal/nginx.js
@@ -162,6 +162,8 @@ const internalNginx = {
 						{ hsts_subdomains: host.hsts_subdomains },
 						{ access_list: host.access_list },
 						{ certificate: host.certificate },
+						{ upstream_host_id: 0 },
+						{ upstream_host_forward_scheme: "http" },
 						host.locations[i],
 					);
 

diff --git a/backend/internal/proxy-host.js b/backend/internal/proxy-host.js
@@ -80,7 +80,7 @@ const internalProxyHost = {
 				// re-fetch with cert
 				return internalProxyHost.get(access, {
 					id: row.id,
-					expand: ["certificate", "owner", "access_list.[clients,items]"],
+					expand: ["certificate", "owner", "access_list.[clients,items]", "upstream_host.[servers]"],
 				});
 			})
 			.then((row) => {
@@ -206,7 +206,7 @@ const internalProxyHost = {
 				return internalProxyHost
 					.get(access, {
 						id: thisData.id,
-						expand: ["owner", "certificate", "access_list.[clients,items]"],
+						expand: ["owner", "certificate", "access_list.[clients,items]", "upstream_host.[servers]"],
 					})
 					.then((row) => {
 						if (!row.enabled) {
@@ -323,7 +323,7 @@ const internalProxyHost = {
 			.then(() => {
 				return internalProxyHost.get(access, {
 					id: data.id,
-					expand: ["certificate", "owner", "access_list"],
+					expand: ["certificate", "owner", "access_list", "upstream_host.[servers]"],
 				});
 			})
 			.then((row) => {

diff --git a/backend/internal/report.js b/backend/internal/report.js
@@ -2,6 +2,7 @@ import internalDeadHost from "./dead-host.js";
 import internalProxyHost from "./proxy-host.js";
 import internalRedirectionHost from "./redirection-host.js";
 import internalStream from "./stream.js";
+import internalUpstreamHost from "./upstream-host.js";
 
 const internalReport = {
 	/**
@@ -19,6 +20,7 @@ const internalReport = {
 					internalRedirectionHost.getCount(userId, access_data.permission_visibility),
 					internalStream.getCount(userId, access_data.permission_visibility),
 					internalDeadHost.getCount(userId, access_data.permission_visibility),
+					internalUpstreamHost.getCount(userId, access_data.permission_visibility),
 				];
 
 				return Promise.all(promises);
@@ -29,6 +31,7 @@ const internalReport = {
 					redirection: counts.shift(),
 					stream: counts.shift(),
 					dead: counts.shift(),
+					upstream: counts.shift(),
 				};
 			});
 	},

diff --git a/backend/internal/setting.js b/backend/internal/setting.js
@@ -1,6 +1,7 @@
 import fs from "node:fs";
 import errs from "../lib/error.js";
 import settingModel from "../models/setting.js";
+import internalIpRanges from "./ip_ranges.js";
 import internalNginx from "./nginx.js";
 
 const internalSetting = {
@@ -32,6 +33,10 @@ const internalSetting = {
 				});
 			})
 			.then((row) => {
+				if (row.id === "real-ip-header") {
+					return internalIpRanges.regenerate().then(() => row);
+				}
+
 				if (row.id === "default-site") {
 					// write the html if we need to
 					if (row.value === "html") {