openappsec / open-appsec-npm

Docker container for managing Nginx proxy hosts with a simple, powerful interface including open-appsec support
MIT License

Open-appsec blocks management interface for NPM #8

Closed ckamerin closed 6 months ago

ckamerin commented 9 months ago

*Edit: Added screenshot from relevant portion of the config file

Describe the bug

Open-appsec blocks NPM authentication through the management interface (port 81). It appears that this issue is created by the file security module even in detect/learn mode. This is after enabling the web UI for open-appsec (at my.openappsec.io). Oddly, no logs of the blocking events come up, so I am unable to provide that. If other logs would be helpful please let me know. In an attempt to get around this bug I have even added a custom rule to "accept" or "skip" traffic coming from my laptop IP, however that did not work.

Nginx Proxy Manager Version

v1.0.0-beta.1

To Reproduce

Steps to reproduce the behavior:

  1. Go to 'https://my.openappsec.io/#/cloud/assets' and under 'threat prevention'
  2. Select mode "learn and detect" under file security (I tried Activate Protection with Severity Level: Critical to see if this resolved it)
  3. Enforce policy change.
  4. Return to appsec-agent container and run "open-appsec-ctl -s" to ensure policy change has taken effect
  5. Go to NPM management interface at IP "xxx.xxx.xxx.xxx:81"
  6. Attempt login
  7. Get "Forbidden" in red text

Expected behavior

I would expect that in learn/detect mode, no blocking would occur. What I am finding with the File Security and other modules is interference in the operation on the web proxy. I found a similar bug in the "Intrusion Detection" module where I had to set "Activate Protections with Severity Level" to "Critical" in order to access one of the subdirectories on my site. It may be a misunderstanding on my part about how this functions and there will be some level of blocking due to the field "Activate Protections with Severity Level" even in learn / detect mode. I see this as a flaw though as nothing should be blocked until switching to "Prevent" mode.

Screenshots

image image image

Operating System

Accessing the NPM management interface through Safari and Google Chrome from Apple M1 Max running Sonoma 14.0 (23A344). The docker containers for open-appsec and npm attachment are hosted on Debian 11.

Additional context

- Safari: Version 17.0 (19616.1.27.211.1)
- Chrome: Version 121.0.6167.85 (Official Build) (arm64)
- Mac OS: Sonoma 14.0 (23A344)
- Host: Debian GNU/Linux 11 (bullseye)
- Nano agent: Version: 1.1.3-open-source
- Orchestration Service: Version: 1.1.3-open-source
- Attachment Registrar: Version: 1.1.3-open-source
- HTTP Transaction Handler: 1.1.3-open-source
- AI model version: Advanced model V1.0
- Management mode: Cloud management (Fully managed)

ckamerin commented 9 months ago

I was able to regain access to the NPM management console by adding the IP address and port number to the web application access listing (on the right side of the screenshot). I'm unsure why this was not needed before but is now. It did resolve my access issue for the time being.

image

orianelou commented 9 months ago

Hi @ckamerin,

The current integration with NGINX Proxy Manager is meant for declarative management; we'll release the next phase, which will include central management, soon. Could you please share the Docker Compose file used for the deployment?

As to the error you've received, were you able to reach the NGINX Proxy Manager UI before enabling file security, and are the rest of the protections enabled? I also noted you didn't define any URL in the asset. Do you have other assets defined? You must define an asset to enable open-appsec in Docker; you can read more [here](https://docs.openappsec.io/getting-started/using-the-web-ui-saas/protect-additional-assets).

Best,

open-appsec team

ckamerin commented 9 months ago

@orianelou I thought that might be the case. I will keep my eye out for the update. Docker compose below.

I removed the asset URLs for privacy (updated screenshot below) but at the time I had 1 asset with my website and several subdomains listed (e.g. bar.com, foo.bar.com, foo1.bar.com) defined. At that point I did not include a URL for the application management interface (xxx.xxx.xxx:81). It was accessible up until I enabled file security. Now I have created an asset for the NPM management interface separate from the other so that I can have file protections on without interfering with the NPM management interface.

Screenshot 2024-02-04 at 11 56 43 AM

Docker Compose:

```yaml
version: '3.3'

# docker compose for npm open-appsec integration

services:
  appsec-npm:
    container_name: npm-attachment
    image: 'ghcr.io/openappsec/nginx-proxy-manager-attachment:latest'
    ipc: host
    restart: unless-stopped
    ports:
```

mgrimace commented 6 months ago

Are we able to connect open-appsec + npm to central management on https://my.openappsec.io and if so, are there lay instructions for getting started?

orianelou commented 6 months ago

Hi @mgrimace,

We plan to release the feature soon. If you are interested in joining our EA for this feature, please email us at info@openappsec.io.

orianelou commented 6 months ago

Hi,

I'm happy to share that our second phase of our integration is now out - you can find the full details here!