nginx-ui

Parses Nginx configuration files into an abstract syntax tree (AST) representation, enabling structured editing, validation, and generation of Nginx configs without regex-based string manipulation. The system maintains semantic understanding of directives, blocks, and inheritance hierarchies, allowing safe modifications that preserve syntax correctness and prevent configuration drift.

Integrates with ACME protocol (Let's Encrypt and compatible CAs) to automatically issue, renew, and manage SSL certificates with support for DNS-01 challenges via multiple DNS provider credentials. The system stores DNS provider credentials securely, schedules certificate renewal cron jobs, and automatically deploys renewed certificates to Nginx without downtime.

Integrates MaxMind GeoLite2 geolocation database to identify client locations from IP addresses, enabling geo-based access control rules and geographic analytics on Nginx traffic. The system updates the GeoLite2 database automatically, parses client IPs from Nginx logs, and provides dashboards showing traffic distribution by country/region with optional geo-blocking capabilities.

Implements a comprehensive i18n system supporting multiple languages (English, Chinese, Spanish, Japanese, Vietnamese, etc.) with dynamic language switching in the Vue 3 frontend. The system uses a translation management workflow with Weblate integration for community translations, automatic locale detection based on browser settings, and fallback to English for missing translations.

Provides a template engine for generating Nginx configurations from parameterized templates with support for variable substitution, conditional blocks (if/else), loops, and template inheritance. Templates are stored in the database and can be applied to multiple sites or upstreams, enabling configuration reuse and reducing duplication across similar Nginx setups.

Supports sending notifications to external systems (email, Slack, Discord, webhooks) for critical events (certificate expiration, configuration errors, Nginx restart failures). The system maintains a notification history, allows filtering by event type and severity, and supports custom webhook payloads for integration with external monitoring or incident management platforms.

Continuously ingests Nginx access and error logs, indexes them using Bleve (a Go full-text search library), and provides sub-millisecond search and analytics queries across millions of log entries. The system parses structured log formats (JSON, combined, custom), extracts fields (status code, response time, user agent), and enables faceted filtering and aggregation without requiring external log aggregation infrastructure.

Enables centralized management of multiple Nginx instances across different hosts through a node registration system where each node runs a lightweight agent that communicates back to the central UI via HTTP/gRPC. The system maintains node health status, synchronizes configurations across nodes, and supports batch operations (restart, reload, certificate deployment) across the cluster with rollback capabilities.

Provides a browser-based terminal interface that executes shell commands on the Nginx host system through a secure WebSocket connection, enabling operators to run diagnostic commands, view system logs, and manage Nginx processes without SSH access. Commands are executed with the privileges of the nginx-ui process (typically root or the Nginx user) and output is streamed back to the browser in real-time.

Exposes Nginx configuration, logs, and system state through the Model Context Protocol (MCP) server interface, allowing LLM-based chat assistants (ChatGPT, Claude, DeepSeek) to analyze configurations, suggest optimizations, and generate configuration snippets based on natural language requests. The MCP server provides tools for reading configs, querying logs, and executing safe read-only diagnostics, enabling the LLM to provide context-aware recommendations.

Implements user authentication with support for TOTP-based 2FA and WebAuthn passkeys, storing user credentials securely in the SQLite database with bcrypt password hashing. The system enforces 2FA for administrative accounts, provides recovery codes for account recovery, and supports passwordless authentication via FIDO2-compatible hardware keys or platform authenticators.

Creates encrypted snapshots of the Nginx UI database, configuration files, and SSL certificates, with support for multiple storage backends (local filesystem, S3, Aliyun OSS, etc.). Backups are encrypted using AES-256 before transmission or storage, and the system supports scheduled automatic backups with retention policies and point-in-time restore capabilities.

Implements in-place binary upgrades of the nginx-ui application without stopping the running service, using a graceful restart mechanism that drains existing connections before replacing the binary. The system downloads new versions from a configured release server, verifies checksums, and performs atomic binary replacement with automatic rollback on startup failure.

Provides a UI for defining Nginx upstream groups with multiple backend servers, configuring load balancing algorithms (round-robin, least connections, IP hash), and setting up active/passive health checks. The system validates upstream configurations, detects circular dependencies, and generates optimized Nginx upstream blocks with health check directives compatible with Nginx Plus or open-source modules.