2026-02-20-b1

What's Changed since last release

• nginx is now built with aws-lc instead of openssl
• certificate compression using zlib-ng and brotli is now supported (disabled when OCSP is enabled) by patching nginx (patch created by myself)
• Update docs by @gingemonster in #2790
• dep updates
• merge upstream (no changes)

New Contributors

• @gingemonster made their first contribution in #2790

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-20-b1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-20-b1 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-19-r3...2026-02-20-b1

2026-02-19-r3

What's Changed since last release

• fix missing default / location if custom location / is disabled
• fix oidc: sec-fetch rules
• improve error logging of ratelimited requests
• dep updates

What's Changed in last release

• This fixes a security issue related to TOTP (upstream is no affected): In release 2026-02-19-r1 (and all betas after this release) a logged-in user with a valid session can disable TOTP or regenerate Backup codes for themselves without reentering a valid TOTP code or a backup code, if the entered token was not 6 or 8 chars long, this is only possible by directly talking to the API, the frontend blocks this
• Make sure to create a backup first
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• remove support for setting the database config using a config file
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• use zlib-ng instead of zlib
• use quickjs-ng-dev instead of the njs inbuilt engine
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates and pin more deps (github actions)
• the NGINX_WORKER_CONNECTIONS env was re-added
• https is now forced for the npmplus and goaccess ui in the full chain
• fix: #2698, plex is now working on samsung tizen TVs (change ssl_ciphers)
• set client_max_body_size to 1mb for npmplus itself and goaccess, same of fileuploads in express
• the download button is now hidden for custom certs since it was never supported
• use strict cookies if possible
• add rate-limiting to token and oidc endpoints
• improve "upload-object" validation of custom certs

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-19-r3 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-19-r3 (fixed to this release)
• docker.io/zoeyvid/npmplus:latest (latest stable)
• ghcr.io/zoeyvid/npmplus:latest (latest stable)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-19-r2...2026-02-19-r3

2026-02-19-r2

What's Changed since last release

• fix #2795 by patching openappsec attachment to use zlib-ng

What's Changed in last release

• This fixes a security issue related to TOTP (upstream is no affected): In release 2026-02-19-r1 (and all betas after this release) a logged-in user with a valid session can disable TOTP or regenerate Backup codes for themselves without reentering a valid TOTP code or a backup code, if the entered token was not 6 or 8 chars long, this is only possible by directly talking to the API, the frontend blocks this
• Make sure to create a backup first
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• remove support for setting the database config using a config file
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• use zlib-ng instead of zlib
• use quickjs-ng-dev instead of the njs inbuilt engine
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates and pin more deps (github actions)
• the NGINX_WORKER_CONNECTIONS env was re-added
• https is now forced for the npmplus and goaccess ui in the full chain
• fix: #2698, plex is now working on samsung tizen TVs (change ssl_ciphers)
• set client_max_body_size to 1mb for npmplus itself and goaccess, same of fileuploads in express
• the download button is now hidden for custom certs since it was never supported
• use strict cookies if possible
• add rate-limiting to token and oidc endpoints
• improve "upload-object" validation of custom certs

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-19-r2 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-19-r2 (fixed to this release)
• docker.io/zoeyvid/npmplus:latest (latest stable)
• ghcr.io/zoeyvid/npmplus:latest (latest stable)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-19-r1...2026-02-19-r2

2026-02-19-r1

What's Changed since last release

• This fixes a security issue related to TOTP (upstream is no affected): In release 2026-02-19-r1 (and all betas after this release) a logged-in user with a valid session can disable TOTP or regenerate Backup codes for themselves without reentering a valid TOTP code or a backup code, if the entered token was not 6 or 8 chars long, this is only possible by directly talking to the API, the frontend blocks this
• Make sure to create a backup first
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• remove support for setting the database config using a config file
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• use zlib-ng instead of zlib
• use quickjs-ng-dev instead of the njs inbuilt engine
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates and pin more deps (github actions)
• the NGINX_WORKER_CONNECTIONS env was re-added
• https is now forced for the npmplus and goaccess ui in the full chain
• fix: #2698, plex is now working on samsung tizen TVs (change ssl_ciphers)
• set client_max_body_size to 1mb for npmplus itself and goaccess, same of fileuploads in express
• the download button is now hidden for custom certs since it was never supported
• use strict cookies if possible
• add rate-limiting to token and oidc endpoints
• improve "upload-object" validation of custom certs

What's Changed since last beta

• This fixes a security issue related to TOTP (upstream is no affected): In release 2026-02-19-r1 (and all betas after this release) a logged-in user with a valid session can disable TOTP or regenerate Backup codes for themselves without reentering a valid TOTP code or a backup code, if the entered token was not 6 or 8 chars long, this is only possible by directly talking to the API, the frontend blocks this
• fixed cors again
• set client_max_body_size to 1mb for npmplus itself and goaccess, same of fileuploads in express
• fix langname "Gaeilge" not being shown
• use strict cookies if possible
• dep updates and pin more deps (github actions)
• add rate-limiting to token and oidc endpoints
• improve "upload-object" validation of custom certs
• reject api requests if the Sec-Fetch-Site header is set but does not equal none or same-origin

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-19-r1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-19-r1 (fixed to this release)
• docker.io/zoeyvid/npmplus:latest (latest stable)
• ghcr.io/zoeyvid/npmplus:latest (latest stable)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: bb42866...2026-02-19-r1

2026-02-18-b1

What's Changed since last beta

• use zlib-ng instead of zlib
• use quickjs-ng-dev instead of the njs inbuilt engine
• fix: #2781
• remove support for setting the database config using a config file
• adjust stream ssl_ciphers to match http ssl_ciphers which were changed in the last beta
• merge upstream: lang changes

What else Changed since last release

• Make sure to create a backup first
• Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates
• the NGINX_WORKER_CONNECTIONS env was re-added
• https is now forced for the npmplus and goaccess ui in the full chain
• fix: #2698, plex is now working on samsung tizen TVs (change ssl_ciphers)

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-18-b1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-18-b1 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-17-b1...2026-02-18-b1

2026-02-17-b1

What's Changed since last beta

• https is now forced for the npmplus and goaccess ui in the full chain
• fix: #2698, plex is now working on samsung tizen TVs
• merge upstream: lang changes; ArvanCloud dns provider
• small doc updates
• dep updates

What else Changed since last release

• Make sure to create a backup first
• Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream: lang changes; ArvanCloud dns provider; the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates
• the NGINX_WORKER_CONNECTIONS env was re-added

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-17-b1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-17-b1 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-15-b4...2026-02-17-b1

2026-02-15-b4

What's Changed since last beta

• fix: default of npmplus_x_frame_options in custom locations again
• This release will regenerate all your hosts

What else Changed since last release

• Make sure to create a backup first
• Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream, no changes since the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates
• the NGINX_WORKER_CONNECTIONS env was re-added

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-15-b4 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-15-b4 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-15-b3...2026-02-15-b4

2026-02-15-b3

What's Changed since last beta

• fix: default of npmplus_upstream_compression/npmplus_x_frame_options in custom locations
• small ui improvements
• This release will regenerate all your hosts

What else Changed since last release

• Make sure to create a backup first
• Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream, no changes since the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates
• the NGINX_WORKER_CONNECTIONS env was re-added

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-15-b3 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-15-b3 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-15-b2...2026-02-15-b3

2026-02-15-b2

What's Changed since last beta

• fix: custom locations being always marked as off

What else Changed since last release

• Make sure to create a backup first
• Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream, no changes since the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates
• the NGINX_WORKER_CONNECTIONS env was re-added

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-15-b2 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-15-b2 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-15-b1...2026-02-15-b2

2026-02-15-b1

What's Changed since last beta

• fix creation of new proxy hosts: #2759 (comment)
• the NGINX_WORKER_CONNECTIONS env was re-added

What else Changed since last release

• Make sure to create a backup first
• Testing and feedback in discussions is welcome (only create issues if you can exactly describe how to reproduce issues)
• Breaking: this sadly comes again with many breaking changes that require manual intervention, the values of the following buttons were reset:
  • Disable Request/Response Buffering: This was split in two buttons
  • Send noindex header and block some user agents
  • Enable fancyindex/compression by upstream: This was split in two buttons
  • HTTP/3 Support
  • (this also effects the undocumented API)
• This release will regenerate all your hosts
• The X_FRAME_OPTIONS env was removed, you can now set this header directly in the WebUI per proxy host/location
• Add button to disable Crowdsec Appsec in the WebUI per proxy host/location
• The old Auth Request examples from the README are not supported anymore, you can now easily enable auth providers (anubis/tinyauth/authelia/authentik) by setting some envs and selecting them in the WebUI per proxy host/location, see the README
• Custom locations can now be turned on and off in the UI without deleting them
• the SKIP_IP_RANGES env was inverted by renaming it to TRUST_CLOUDFLARE
• the NGINX_LOAD_GEOIP_MODULE env and module was removed (the NGINX_LOAD_GEOIP2_MODULE env and module is still there)
• A Content Security Policy was added to goaccess and the NPMplus WebUI, please note that this will break uncached gravatar images, to fix this you need to edit a users profile (where you can edit the name) and save it without changes
• Proxy hosts protected with basic auth were very slow, this was fixed by reducing the bcrypt level
• basic auth password are not saved in plain text anymore in the database, this does not apply to existing access lists
• setting the ACME_PROFILE env to none will now unset the acme profile for all existing certs
• streams and proxy hosts which do not proxy to sub paths it will now work (again) with dynamic dns
• the referrer-policy sent by and upstream will not be overridden anymore
• fix #2704
• fix #2652, this does not apply to existing custom certs
• fix upload of custom certificates
• contrast of selected text in the WebUI in dark mode has been improved
• merge upstream, no changes since the "Trust Upstream Forwarded Proto Headers" button is excluded in NPMplus
• dep updates

Image tags:

• docker.io/zoeyvid/npmplus:2026-02-15-b1 (fixed to this release)
• ghcr.io/zoeyvid/npmplus:2026-02-15-b1 (fixed to this release)
• docker.io/zoeyvid/npmplus:beta (latest beta/stable)
• ghcr.io/zoeyvid/npmplus:beta (latest beta/stable)

Full Changelog: 2026-02-14-b1...2026-02-15-b1