NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
22.25k stars 2.57k forks

Access list restrictions not preventing access through ipv6 #3011

Open moutasem1989 opened 1 year ago

moutasem1989 commented 1 year ago

Describe the bug

On the server, services are accessed through Nginx but restricted to certain IPv4 subnets with Access Lists. When using Domain AAAA record with IPv4, Nginx behaves as expected and restricts access accordingly. When using Domain AAAA record with IPv6, all services can be accessed from outside the Subnet restriction list. An example service was restricted to local network Subnet. Using a device outside the network, I was able to access it. On the other hand, when activating VPN, the service is again restricted. The fact it was accessible at all is concerning.

Edit: I also tried restricting the Service by adding fe80::/10 to limit access to Link-Local Unicast (Same switch). No success. Service can still be accessed.

Nginx Proxy Manager Version

v2.10.3

To Reproduce

Steps to reproduce the behavior:

  1. Create a service with restricted access to local network; for example 192.168.0.0/24.
  2. Create an AAAA domain record with the IPv6 of the server.
  3. Test if the service is accessible through the assigned Domain outside the network.

Expected behavior

Since there are no IPv6/Subnet specified in the Access List and only Local Network IPv4/Subnet is provided, access should be denied if the device is not on the local network.

Operating System

Nginx on Docker Engine 24.0.2; Debian GNU/Linux 12 (bookworm)
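A reference model of the expected first-match allow/deny outcome for the two access lists described in the report above, added here as an example (it is not code from Nginx Proxy Manager or from any post in this thread). It assumes the access list renders to ordered allow rules followed by a deny-all; the client addresses and all names are constructed.

```python
import ipaddress

# Constructed access lists mirroring the two configurations in the report.
LAN_ONLY = [("allow", "192.168.0.0/24"), ("deny", "all")]
LAN_PLUS_LINK_LOCAL = [("allow", "192.168.0.0/24"),
                       ("allow", "fe80::/10"),
                       ("deny", "all")]

# Constructed client addresses (documentation ranges for the external ones).
CLIENTS = {
    "lan_v4": "192.168.0.42",
    "external_v4": "203.0.113.7",
    "external_v6": "2001:db8::1234",
    "link_local_v6": "fe80::1",
    "v4_mapped_lan": "::ffff:192.168.0.42",
}

def evaluate(client, rules):
    """Return 'allow' or 'deny' for one client, first matching rule wins.

    rules is an ordered list of (action, cidr) pairs; cidr may be 'all'.
    Assumption: a list with no matching rule does not block the request.
    """
    addr = ipaddress.ip_address(client)
    # An IPv4-mapped IPv6 address (::ffff:a.b.c.d) is compared as IPv4.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    for action, cidr in rules:
        if cidr == "all":
            return action  # matches both address families
        net = ipaddress.ip_network(cidr, strict=False)
        # An IPv4 rule can never match a native IPv6 client, and vice versa.
        if net.version == addr.version and addr in net:
            return action
    return "allow"

def expected_decisions(rules):
    """Map each constructed client name to the decision the list should give."""
    return {name: evaluate(ip, rules) for name, ip in CLIENTS.items()}

if __name__ == "__main__":
    for label, rules in (("LAN only", LAN_ONLY),
                         ("LAN + fe80::/10", LAN_PLUS_LINK_LOCAL)):
        print(label, expected_decisions(rules))
```

In this model a global IPv6 client is denied under both lists, so a successful response over IPv6 from outside the network is the deviation to look for when testing each address family separately.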

githubDiversity commented 1 year ago

I just saw a video on a Reddit post about this issue: https://www.reddit.com/r/selfhosted/comments/14qi7ci/risk_of_selfhosting_smaller_projects/

I am not really getting any hints as to what is the reason behind this open bug on the comments there.

And I am rather shocked to find this issue is still open here without some motivation why it is left unresolved.

Could well be that this is a non-issue but then it would be confidence inspiring to see a debate about that.

sbkg0002 commented 7 months ago

I think I also have this issue with the latest version; is there any solution?

In the feature issue, more users have this issue it seems - https://github.com/NginxProxyManager/nginx-proxy-manager/issues/356

github-actions[bot] commented 2 weeks ago

Issue is now considered stale. If you want to keep it open, please comment :+1: