
Adding an IP address to the access list removes SSL configuration

Open thueske opened this issue 2 years ago • 6 comments

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug

Adding IP addresses in access lists causes a dummy certificate from localhost to be delivered. The vHosts that use this access list have no SSL configuration - they listen only on port 80.

Nginx Proxy Manager Version

v2.9.13

To Reproduce

Steps to reproduce the behavior:

  1. Add a "Private" Access List with an Allow address, e.g. 192.168.0.0/16.
  2. Use this access list in different vHosts (Force SSL and HTTP/2 enabled).
  3. Visit your site via SSL - everything should work.
  4. Now add another IP address to the access list.
  5. Then visit a vHost that uses this access list. Now a localhost certificate should be served, because the SSL configuration in the vHost is missing.

Workaround: Take a vHost and save it again - the SSL configuration should be regenerated.

Expected behavior

The new IP address is added to the access list and my pages are still accessible via SSL.

Further information

app_1  | 2021-12-30T14:01:18.688684912Z [12/30/2021] [2:01:18 PM] [Nginx    ] › ℹ  info      Reloading Nginx
app_1  | 2021-12-30T14:01:19.564689136Z [12/30/2021] [2:01:19 PM] [Access   ] › ℹ  info      Building Access file #2 for: Private

Broken vHost: https://pastebin.com/HVj1sPKw

Functional vHost: https://pastebin.com/tPNYEA2i

Operating System

Banana Pi M1 with Armbian and latest Docker

thueske Dec 30 '21 14:12
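A check for the symptom in the report above, as an added example that is not part of the original issue or the project's code: it scans nginx `server` blocks and reports those that have `listen` directives but no TLS listener, noting whether allow/deny rules are present. The sample configs, hostname and certificate path are constructed placeholders, and the directive layout is an assumption rather than the content of the linked pastebins.

```python
import re

# Constructed sample configs (assumed layout, not the pastebin contents).
BROKEN = """
server {
  listen 80;
  listen [::]:80;
  server_name app.example.internal;
  location / {
    allow 192.168.0.0/16;
    allow 10.0.0.0/24;
    deny all;
    proxy_pass http://127.0.0.1:8080;
  }
}
"""
WORKING = BROKEN.replace(
    "listen [::]:80;",
    "listen [::]:80;\n  listen 443 ssl http2;\n"
    "  ssl_certificate /placeholder/fullchain.pem;",
)

def server_blocks(text):
    """Yield the body of each `server { ... }` block, found by brace matching."""
    text = re.sub(r"#[^\n]*", "", text)  # strip comments first
    for m in re.finditer(r"\bserver\s*\{", text):
        depth, i = 1, m.end()
        while i < len(text) and depth:
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield text[m.end():i - 1]

def audit(text):
    """Return one finding per server block that has no `listen ... ssl`."""
    findings = []
    for body in server_blocks(text):
        listens = re.findall(r"^\s*listen\s+([^;]+);", body, re.M)
        names = re.findall(r"^\s*server_name\s+([^;]+);", body, re.M)
        has_tls = any("ssl" in l.split() for l in listens)
        has_acl = bool(re.search(r"^\s*(allow|deny)\s+[^;]+;", body, re.M))
        if listens and not has_tls:
            findings.append({"server_name": " ".join(names).split(),
                             "listen": listens, "has_access_rules": has_acl})
    return findings

if __name__ == "__main__":
    for f in audit(BROKEN + WORKING):
        print("plaintext-only server block:", f)
```

Run it over the text of each generated proxy host config after editing an access list; a host that is supposed to force SSL should never appear in the findings.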

I've been seeing this a lot lately while I'm restructuring my internal network and editing my access lists; re-saving 29 hosts is not fun.

RafaelSchridi Feb 07 '22 16:02

Having the same issue; the current easiest workaround I found is to create another access list. The workflow looks like this:

  1. Main access list e.g. local_access_only ->> allow 192.168.1.0/24 | Deny all
  2. Assign to Proxy host - works as expected
  3. Modify local_access_only ->> add allow 10.0.0.0/24
  4. Attempt to visit proxy host - doesn't work, issue as per OP
  5. Create new access list e.g. temp_acl ->> allow 192.168.1.0/24 | Deny all
  6. Assign temp_acl to the proxy host, save.
  7. Change proxy host access list back to local_access_only
  8. Visit host now all works as expected

Restarting the container does not fix the issue

nickcj931 Feb 10 '22 10:02

You don't have to make a temp access list, simply pressing edit then save fixes it for me.

RafaelSchridi Feb 10 '22 13:02

Good note @RafaelSchridi - I didn't realise that worked! Just tried it and it works for me also, that makes life a little easier, cheers.

nickcj931 Feb 10 '22 14:02

Yep, still an issue. Annoying and time consuming to solve, but you have to edit each proxy host and then immediately hit save on the edit dialogue. This must re-apply the updated access list rule set to the proxy host.

Not sure of a permanent solve on this one, perhaps loop through each proxy host on save of the access list to re-apply the rules to it?

othyn Mar 10 '22 18:03

I think this is a no-go. At least we lost access to the admin interface, which is also behind a proxy_host with access_list...

kingfisher77 Jul 15 '22 19:07

Will this ever be fixed? This bug is really annoying ;)

nicx Jan 03 '23 07:01

There are a bunch of issues scattered around this topic (I think this is the oldest one?), but it looks like somebody has made a PR to fix this, #2530, so now we wait for approval.

RafaelSchridi Jan 20 '23 14:01

Issue is now considered stale. If you want to keep it open, please comment :+1:

github-actions[bot] Feb 28 '24 01:02