Open shanelord01 opened 2 years ago
For the moment I've added this to my Advanced "Custom NGINX Config":

```nginx
location = /webapi {
    allow 192.168.1.1/24;
    allow 127.0.0.1;
    deny all;
}
```

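An added example, not part of the original thread: in nginx, `location = /webapi` is an exact match that applies only to the URI `/webapi`, so a request for `/webapi/entry.cgi` is handled by another location. The prefix form below covers everything under `/webapi/`; the upstream address in `proxy_pass` is a constructed placeholder.

```nginx
# Added example (not from the thread). 192.0.2.10:5000 is a constructed
# placeholder for the NAS address; replace it with the real upstream.

# Exact match: applies to the URI "/webapi" only.
# A request for /webapi/entry.cgi?api=... does not match this block:
#
#   location = /webapi { allow 192.168.1.1/24; allow 127.0.0.1; deny all; }

# Prefix match: applies to /webapi/entry.cgi and every other URI that
# starts with /webapi/. The ^~ modifier stops nginx from checking regex
# locations (for example asset-caching rules) once this prefix is selected.
location ^~ /webapi/ {
    allow 192.168.1.0/24;   # LAN range from the thread, written as a network address
    allow 127.0.0.1;
    deny  all;              # every other client receives 403

    # A location block does not fall through to "location /", so allowed
    # clients have to be proxied from here.
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://192.0.2.10:5000;   # placeholder upstream
}
```

With this block in place, a request from outside the allowed ranges for the icon URL quoted in the report should return 403 rather than the image.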
Issue is now considered stale. If you want to keep it open, please comment :+1:
Checklist
jc21/nginx-proxy-manager:latest docker image?

Describe the bug
Synology NAS sitting behind NPM. Basic Auth is enabled and works for main root protection, but logs show external IPs issuing a successful static GET request and accessing images using this call:
`[server address]/webapi/entry.cgi?api=SYNO.Core.Synohdpack&version=1&method=getHDIcon&res=24&retina=false&path=webman/3rdparty/DownloadStation/images/downloadstation{0}.png`

Also:
- `webman/3rdparty/FileBrowser/images/icon/FileStation{0}.png`
- `webman/3rdparty/Virtualization/images/VirtualManagement{0}.png`
- `webman/3rdparty/SynologyPhotos/images/icon/photos_{0}.png`

This skips straight past the auth and shows the file, allowing the person sending this to know a Synology NAS is present.
Issuing just [server address]/webapi correctly asks for auth.

Nginx Proxy Manager Version
2.9.18

To Reproduce
Can provide the URL to my server for @jc21 or similar to assess how to resolve.

Expected behavior
Expect auth to be required for any access to the server including this. How to block "SYNO.Core.Synohdpack" request?

Screenshots
n/a

Operating System
n/a - But tested on Windows client, Mac client and iOS client and all show the same.

Additional context
n/a