NginxProxyManager / nginx-proxy-manager

Docker container for managing Nginx proxy hosts with a simple, powerful interface
https://nginxproxymanager.com
MIT License
22.07k stars 2.54k forks

Updating AccessList will not reload nginx #637

Open spoolr opened 3 years ago

spoolr commented 3 years ago

Describe the bug

To Reproduce

  1. I created a Proxy Host with SSL, I have Force SSL set. I can only visit with HTTPS. Great.
  2. Now I added an Access List with just one user and password and now my HTTPS is 403 Forbidden. I am never prompted to authenticate; it's always 403 Forbidden.
  3. If I change the Access List to "Satisfy Any" and add my IP with "192.168.0.0/24", it is still 403 Forbidden.
  4. Either Access Lists don't work, or I don't understand them.
  5. If I create a Custom Location for this Proxy so that accessing / goes to /folder
    • the Access List no longer generates 403 Forbidden and the site is open to all
    • Force SSL no longer works, I can browse with HTTP

As I've been typing this I've found the Access List not working with Custom Location bug report. I see it's going back to last year. For a security problem that's really a long time. Now combine that with Force SSL also being broken, another security problem. It had me convinced this project had become abandoned, yet there is life with multiple updates this year. It's true that most apps do their own security, but I have a few like COPS that could benefit from a working Access List. Please try and address these issues in the next release.

spoolr commented 3 years ago

After playing around some more I've come to the realization that even though this offers a fancy GUI interface, changes to the Access List will not cause nginx to reload. This is why the changes are not reflected. If you make changes to the Access List, you will need to save the Proxy as well to force nginx to reload. There are no indications of what action will force a reload aside from looking at the logs.

After many days of struggling with this program that I thought would save me time from learning to configure nginx directly, I have downloaded Caddy, and with two simple lines in plain English my reverse proxy just worked.

hasangnu commented 3 years ago

Force SSL doesn't work with custom location

I had a similar problem with proxy_pass. Maybe force SSL when you add include conf.d/include/force-ssl.conf;

My custom nginx configuration:

location / {
    include conf.d/include/force-ssl.conf;
    proxy_pass http://domain:port/url/;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
}

TPham92 commented 3 years ago

Any updates/workaround on this? When using an Access List it never prompts to authenticate; it's always 403 Forbidden. It's not consistent: sometimes it works, sometimes not.

graydonpleasants commented 3 years ago

I also have this issue when adding a new proxy with access pointing to an existing Access List. Publicly accessible works just fine.

hsindrup commented 3 years ago

Hi all, I am (almost) sure that IPs in access lists can only contain public addresses. I.e. your one public address will only allow your home network to access

https://www.youtube.com/watch?v=UfCkwlPIozw

Merry Christmas

niklasdahlheimer commented 2 years ago

Can someone confirm or refute @hsindrup's comment that only public IPs are allowed in the ACL?

We use private IP address ranges, but ran into issues (NGINX keeps "seeing" the public IP of the local requester and therefore denies access). I was convinced that this is more an issue of our local DNS server, but after I read @hsindrup's comment I'm not sure anymore about that. A clear statement about that would be great, so I will not continue to search for a solution in the wrong place.

This guy here also uses private IP address ranges: https://youtu.be/G9voYZejH48?t=318

psychogun commented 2 years ago

@niklasdahlheimer https://nginx.org/en/docs/http/ngx_http_access_module.html

I think it should work with local IP addresses.

I am struggling with Access List too. Using ss on the machine hosting the container, I can clearly see my IP address which I am connecting to the Nginx Proxy Manager service with (port :81). This will hence be the IP address which will connect to the reversed service.

If I add this specific IP address to the Access List, I get "403 forbidden" - "10.0.44.41". If I add the IP address with subnet range, 10.0.44.0/24, I get "403 forbidden".

If I add 10.0.44.0/16, it suddenly works.

I have to edit the Access List, and then go to the Proxy Host and click Save for any changes to take effect.

However, it works for the rest of the world too, with /16, which is not what I am trying to accomplish :) Although 10.0 is a private IP range...

I want to be able to dial home with a VPN before allowing access to my bitwarden instance.

psychogun commented 2 years ago

@niklasdahlheimer

The request was not coming from the address above. Go to /data/logs/ and use tail -f proxy-host-1_access.log to see where the culprit is. I have a setup with a plethora of IP addresses all over the place - and I see the requests are coming from an IP, namely 10.0.2.100.

However, where the hell is that IP coming from? Is this an internal podman network IP?

psychogun commented 2 years ago

@niklasdahlheimer I can confirm it works with local/private IP addresses. A good tip is to find out which IP address is hitting the proxy through the log file. As for the solution to my problems, it was found here: https://github.com/containers/podman/discussions/10472

I am running NPM in Rocky Linux as a rootless container:

podman run -d -v ~/podman/npm/data/:/data/:Z -v ~/podman/npm/letsencrypt/:/letsencrypt/:Z -p 80:80 -p 81:81 -p 443:443 --net=slirp4netns:port_handler=slirp4netns jc21/nginx-proxy-manager:latest

However, to the initial bug; yes - whenever I change the Access List, I have to go to the Proxy Host and click Save to make it refresh.
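
Added example (not part of the thread and not the project's code): the diagnosis described in the comments above, taking the client address nginx actually logged and checking it against an access list's rules in order. The log lines are constructed, and the "[Client <ip>]" log field, the host name and the trailing "deny all" rule are assumptions.

```python
import ipaddress
import re

# Constructed sample lines. The "[Client <ip>]" field is an assumed log layout;
# adjust CLIENT_RE to whatever your proxy-host access log actually contains.
SAMPLE_LOG = """\
[01/Jan/2022:10:00:01 +0000] - - 403 - GET https vault.example.test "/" [Client 10.0.2.100] [Length 153]
[01/Jan/2022:10:00:09 +0000] - - 403 - GET https vault.example.test "/login" [Client 10.0.2.100] [Length 153]
"""
CLIENT_RE = re.compile(r"\[Client ([0-9A-Fa-f:.]+)\]")


def logged_clients(log_text):
    """Distinct client addresses nginx recorded, in first-seen order."""
    seen = []
    for match in CLIENT_RE.finditer(log_text):
        if match.group(1) not in seen:
            seen.append(match.group(1))
    return seen


def evaluate(rules, client):
    """Walk allow/deny rules in order; the first match decides (access-module
    semantics). Returns (action, matched_rule); no match means allow."""
    addr = ipaddress.ip_address(client)
    for action, target in rules:
        if target == "all":
            return action, "all"
        # strict=False masks stray host bits: 10.0.44.0/16 becomes 10.0.0.0/16.
        net = ipaddress.ip_network(target, strict=False)
        if addr.version == net.version and addr in net:
            return action, str(net)
    return "allow", None


def explain(log_text, allowed_entry):
    """Verdict per logged client for one allow entry followed by an assumed
    trailing 'deny all'."""
    rules = [("allow", allowed_entry), ("deny", "all")]
    return {c: evaluate(rules, c) for c in logged_clients(log_text)}


if __name__ == "__main__":
    for entry in ("10.0.44.41", "10.0.44.0/24", "10.0.44.0/16"):
        print(entry, "->", explain(SAMPLE_LOG, entry))
```

With the constructed log, only the /16 entry admits the request, and it does so because the mask widens it to 10.0.0.0/16, which contains the logged 10.0.2.100. When every request is logged with the same translated source address, an entry that matches it admits every client.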

ralphocdol commented 1 year ago

changes to the Access List will not cause nginx to reload

2 years later it is still the case. I was confused at first and had to restart my server, which did not help. After poking around I managed to make it work by doing the exact same thing that @spoolr did:

If you make changes to the Access List, you will need to save the Proxy as well to force nginx to reload.

Good thing my server is small

ralphocdol commented 1 year ago

So I made some changes after configuring a VLAN and managed to find my comment almost a year after.

An update to this:

I was confused at first and had to restart my server which did not help

With v2.10.4, a server restart now works.

github-actions[bot] commented 5 months ago

Issue is now considered stale. If you want to keep it open, please comment :+1: