
Conversation

@Johno-ACSLive

Summary

This PR adds minimal, opt-in TLS support for MySQL connections in Nginx Proxy Manager. It introduces three environment variables:

| Variable | Default | Purpose |
|---|---|---|
| DB_MYSQL_SSL | false | Enable SSL when set to true. |
| DB_MYSQL_SSL_REJECT_UNAUTHORIZED | true | Controls certificate chain validation. |
| DB_MYSQL_SSL_VERIFY_IDENTITY | true | Enables hostname verification. |

No behavior changes for existing users unless DB_MYSQL_SSL is explicitly enabled. Does not impact other DB engine configuration.

Motivation

Environments such as:

  • Azure Database for MySQL (secure transport enforced)
  • Self-hosted MySQL with require_secure_transport=ON
  • Security baselines requiring encrypted DB connections

…currently cause startup failure (ER_SECURE_TRANSPORT_REQUIRED) because connection attempts are plaintext. This update allows secure connections while remaining completely backward compatible.

Backward Compatibility

| Scenario | Before | After |
|---|---|---|
| No TLS vars set | Plain MySQL | Same |
| Server requires TLS; no vars set | Startup error | Same (user must enable SSL) |
| TLS enabled (DB_MYSQL_SSL=true) | N/A | Encrypted session |
| Self-signed cert (user sets DB_MYSQL_SSL_REJECT_UNAUTHORIZED=false) | N/A | Connects (user-accepted risk) |
| Hostname mismatch & DB_MYSQL_SSL_VERIFY_IDENTITY=true | N/A | Fails (correct security posture) |

Out of Scope / Future Work

  • Optional CA / client certificate path variables
  • Min/Max Cipher and associated checks
  • Postgres TLS parity (could mirror same pattern)
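Added example (not the PR's code; the diff itself is not shown on this page): one way the three variables in the table above can be mapped to a Node TLS-style `ssl` options object that reproduces the defaults and the outcomes in the compatibility table, including the pitfall that a string `"false"` is truthy. It assumes the driver forwards the object to Node's `tls.connect`, where `rejectUnauthorized` governs chain validation and an overriding `checkServerIdentity` callback disables hostname verification; the function names are hypothetical.

```javascript
// Added example, not Nginx Proxy Manager code. Function names are hypothetical.
// Assumption: the MySQL driver passes the returned object to tls.connect(),
// so `rejectUnauthorized` controls chain validation and a no-op
// `checkServerIdentity` turns off hostname verification.

// Parse a boolean env var strictly: only "true"/"false" (any case) count,
// anything else falls back to the documented default. Never write
// `env.X || true` here: the string "false" is truthy and the default would
// silently win, re-enabling a check the operator meant to disable (or the
// reverse for a default of false).
function parseBoolEnv(value, defaultValue) {
  if (value === undefined || value === null || value === '') return defaultValue;
  const v = String(value).trim().toLowerCase();
  if (v === 'true') return true;
  if (v === 'false') return false;
  return defaultValue;
}

// Returns `false` (plaintext, the pre-PR behaviour) unless DB_MYSQL_SSL=true;
// otherwise an options object with the secure defaults from the table.
function buildMysqlSslOptions(env) {
  if (!parseBoolEnv(env.DB_MYSQL_SSL, false)) return false;

  const ssl = {
    rejectUnauthorized: parseBoolEnv(env.DB_MYSQL_SSL_REJECT_UNAUTHORIZED, true),
  };
  if (!parseBoolEnv(env.DB_MYSQL_SSL_VERIFY_IDENTITY, true)) {
    // Explicit opt-out only: returning undefined tells Node the identity
    // check passed, so a hostname mismatch no longer fails the connection.
    ssl.checkServerIdentity = () => undefined;
  }
  return ssl;
}

// One-line posture summary, mirroring the rows of the compatibility table.
function describePosture(env) {
  const ssl = buildMysqlSslOptions(env);
  if (ssl === false) return 'plaintext';
  if (!ssl.rejectUnauthorized) return 'encrypted, chain not validated (user-accepted risk)';
  if (ssl.checkServerIdentity) return 'encrypted, chain validated, hostname not verified';
  return 'encrypted, chain and hostname verified';
}
```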

@Johno-ACSLive Johno-ACSLive marked this pull request as draft October 11, 2025 01:56
@Johno-ACSLive Johno-ACSLive marked this pull request as ready for review October 11, 2025 01:57
@jc21
Member

jc21 commented Nov 2, 2025

Hi, please rebase and hopefully things will pass now.

@nginxproxymanagerci

Docker Image for build 5 is available on DockerHub:

nginxproxymanager/nginx-proxy-manager-dev:pr-4794

Note

Ensure you backup your NPM instance before testing this image! Especially if there are database changes.
This is a different docker image namespace than the official image.

Warning

Changes and additions to DNS Providers require verification by at least 2 members of the community!

@Johno-ACSLive
Author

> Hi, please rebase and hopefully things will pass now.

Hi, done :)
