Basic Authentication not working correctly on Proxy Hosts with custom locations

[PlasmaSoftUK]

Checklist

• Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • Yes
• Are you sure you're not using someone else's docker image?
  • Yes
• Have you searched for similar issues (both open and closed)?
  • Yes

Describe the bug I have built a Proxy Host which has a dns name, a valid SSL cert from LetsEncrypt using the latest Docker image.

I have added an Access list with Basic HTTP auth to this proxy, along with some custom locations:

/ ==> http://10.0.0.2:8181/ /radarr ==> http://10.0.0.2:7878/ /sonar ==> http://10.0.0.2:8989/ /nzbget ==> http://10.0.0.2:6789/

When accessing the default '/' location via https://my-dns-name.com/ I am presented with the basic auth login screen and it works as expected, if I authenticate and login I get to the page if I hit cancel, I get nothing.

When accessing any of the custom locations via https://my-dns-name.com/sonarr or https://my-dns-name.com/radarr the page loads in the background before the Auth is passed, and the login box is present over the top. if I hit cancel I can still browse the page just like I should be able to AFTER authentication.

Hitting Cancel on Basic Authentication dialog for custom locations (except '/') skips Auth and allows access to the page.

Nginx Proxy Manager Version v2.9.18

To Reproduce Steps to reproduce the behavior:

1. Create custom locations with basic auth
2. Browse to a custom location and choose cancel when the auth dialog is presented
3. Page will be displayed, and it should not be.

Expected behavior Page should NOT load in the background and when hitting Cancel on the Auth dialog the page should not be loaded. I would expect a blank page or a default auth failed page.

Screenshots

Operating System running under MacOS Monterey, and Docker version 20.10.12, build e91ed57

[PlasmaSoftUK]

So I've switched to another device, auth looks to be working as expected on a device that hasn't been used before. But on a device that is authenticated when it loads the custom locations, they load in the background but it still shows the Basic Auth Login box. At this point the page is loaded, I assume because the users is authenticated, so ....... either the page shouldn't load, or the login box shouldn't be displayed? There is definitely something not right here, unless I'm missing something in the custom locations config.

[Vanillabacke]

I can confirm that issue with v2.9.19. As soon as I add an location to the nginx config, it will stop working. It looks like this will not be added, if there will be a defined location in the backend. I checking the config in /data/nginx/proxy_host after each changes to confirm that.

For those who have the same issue, here is a workaround:

• click on the three dots to edit the access list and get the ID of it from the first line Access List #2
• go to your proxy host and edit your custom nginx configuration

• add following code to your config and save your host:

  # ...
  
  # Authorization
  auth_basic            "Authorization required";
  auth_basic_user_file  /data/access/2; # this is the ID of your Access List
  proxy_set_header Authorization "";
  
  # Access Rules
  deny all;
  deny all;
  
  # Access checks must...
  satisfy any;
  
  # ...

In my example I used Satisfy Any without Pass Auth to Host. If you have different settings you can find the generated config in your mounted /data-volume:

• get the ID of your proxy host like you got it for the access list in the backend
• remove all custom nginx configuration of the host and save it
• navigate inside your mounted volume to /data/nginx/proxy_host and find the file of {PROXY_HOST_ID_FROM_BACKEND}.conf for example 32.conf
• look for the # Authorization, # Access Rules and # Access checks must... parts in the .conf-file
• add your removed custom nginx configuration to your proxy host again and add the parts from the step before
• save the proxy host and it should work

[github-actions[bot]]

Issue is now considered stale. If you want to keep it open, please comment :+1: