Nginx proxy manager, limit access to local network via access list

Are you in the right place?

  • If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit.
  • If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask.
  • If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the right place.

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • yes
  • Are you sure you’re not using someone else’s docker image?
  • I'm using the right image

Describe the bug

  • A clear and concise description of what the bug is. Recently I have been trying to limit the access of a self-hosted web service for “Streaming” to local network ONLY, with the aid of the nginx proxy manager.

My setup looks like the following:

  • Raspberry Pi 4 running Raspbian OS 64x running on a static IP (192.168.0.10).

  • docker & docker-compose & portainer are each properly installed.

  • raspberry running the following docker images with no ports conflicts: Nextcloud, ddclient, jc21/nginx-proxy-manager, pihole and finally this web service.

  • on the router (night hawk R7500), I set the IP address of the PiHole (in this case the Raspberry Pi) as DNS.

  • the Streaming website is a subdomain “movies.example.com”, where the domain “example.com” and the subdomain are enforced with self-signed SSL from the Nginx Proxy Manager.

All the mentioned services are dockerized and nothing is installed on “bare metal”

The Nginx Proxy manager is installed with this tutorial.

The following (Screenshot 2) shows the view of the Nginx proxy manager access list IP Address Whitelist/Blacklist.

Screenshot 3 shows both the view of the SSL settings (3.3) and the view of the details section of the chosen host assigned with Authorization for Streaming.

  • What version of Nginx Proxy Manager is reported on the login page? v2.9.2
  • What is shown upon calling the desired website from both the local and the external network: “403 Forbidden, openresty”.

Issue Analytics

  • State:closed
  • Created 2 years ago
  • Reactions:6
  • Comments:9

Top GitHub Comments

2 reactions
chaptergy commented, Nov 14, 2021

Unfortunately there is nothing we can do about that. If you look into the access logs of your proxy host, found at /data/logs/proxy-host-<id>_access.log, you will see something like [Client 172.19.0.1] in each of the lines, which shows you what IP nginx has received that request from.
If your NPM instance is on the public internet, and not in your local network, local IP addresses are NOT available, and nginx will only receive your router's public IP address from the requesting client.
If your NPM instance is within your local network, there is a quirk in how Docker passes the IP to the container, causing the IP to be something like 172.19.x.x. This is the IP address of the Docker bridge gateway. I think this should not happen if you send the request from a different machine than the one NPM is hosted on. Switching to host network mode in Docker can resolve this issue, since the Docker network won’t have a bridge then. You can do this by changing the port 80 and 443 section in your docker-compose to:

ports:
  - target: 443
    published: 443 # Outside port
    mode: host
    protocol: tcp
  - target: 80
    published: 80 # Outside port
    mode: host
    protocol: tcp
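The access-log check described in the comment above, as an added example that is not part of the original thread or of Nginx Proxy Manager: it pulls the [Client <ip>] field out of each log line and reports what an IP allow-list would decide for that source address. The sample lines, the 192.168.0.0/24 allow-list and the function names are constructed for illustration, and the 172.16.0.0/12 range stands in for Docker's default bridge address pool as an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines (not real traffic). Only the "[Client <ip>]" field,
# which the comment above quotes, is relied on; the rest is filler.
SAMPLE_LOG = """\
[18/May/2021:17:02:11 +0000] 403 - GET https movies.example.com "/" [Client 172.19.0.1]
[18/May/2021:17:02:15 +0000] 403 - GET https movies.example.com "/" [Client 172.19.0.1]
[18/May/2021:17:03:40 +0000] 200 - GET https movies.example.com "/" [Client 192.168.0.23]
[18/May/2021:17:05:02 +0000] 403 - GET https movies.example.com "/" [Client 203.0.113.7]
"""

# Assumption: Docker's default bridge networks are carved out of 172.17-172.31.
DOCKER_BRIDGE_POOL = ipaddress.ip_network("172.16.0.0/12")
CLIENT_RE = re.compile(r"\[Client (?P<ip>[0-9A-Fa-f:.]+)\]")


def classify(ip, allowed):
    """Verdict an allow-list made of `allowed` networks gives this source IP."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "unparsable"          # e.g. a truncated or corrupted log field
    if any(addr in net for net in allowed):
        return "allowed"
    if addr in DOCKER_BRIDGE_POOL:
        return "denied-bridge"       # nginx saw the bridge gateway, not the client
    return "denied-other"


def audit(log_text, allow_cidrs):
    """Map each client IP seen by nginx to (verdict, request count)."""
    allowed = [ipaddress.ip_network(c) for c in allow_cidrs]
    hits = Counter(m.group("ip") for m in CLIENT_RE.finditer(log_text))
    return {ip: (classify(ip, allowed), n) for ip, n in hits.items()}


if __name__ == "__main__":
    # Hypothetical allow-list covering the LAN of the Raspberry Pi at 192.168.0.10.
    for ip, (verdict, count) in audit(SAMPLE_LOG, ["192.168.0.0/24"]).items():
        print(f"{ip:15} {verdict:14} {count} request(s)")
```

A `denied-bridge` row for a request sent from a LAN machine means nginx never saw the LAN address, so no allow-list entry for the LAN can match it.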

1 reaction
Dauntless0ne commented, Oct 24, 2021

Same issue. Unable to resolve it using internal single IP, subnet range, or external IP.
