[GH-ISSUE #1279] Access list gives 403 even when IP is whitelisted #1034

Closed
opened 2026-02-26 06:35:30 +03:00 by kerem · 13 comments

Originally created by @hjorslev on GitHub (Aug 1, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1279

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • No
  • Are you sure you're not using someone else's docker image?
    • No
  • Have you searched for similar issues (both open and closed)?
    • Yes

I use this version for Proxmox: https://github.com/ej52/proxmox-scripts/tree/main/lxc/nginx-proxy-manager. I am not sure if it is specific to this environment or also affects the docker version.

Describe the bug
I am attempting to configure an access list for several proxies. I want to authenticate using IP addresses. However, all proxies give me a 403 even though I access the site using the whitelisted IP address.

Nginx Proxy Manager Version
v#2.9.6

To Reproduce
Steps to reproduce the behavior:

  1. Create access list whitelisting the IP addresses, currently I have added 3.
  2. Add access list to proxy:

Expected behavior
I would expect to be able to access the site as the IP address is whitelisted.

Screenshots

Operating System
I use Alpine configured by this script: https://github.com/ej52/proxmox-scripts/tree/main/lxc/nginx-proxy-manager

Additional context
When I review the error log file for the proxy host (proxy-host-9_error.log), I see this entry:
2021/08/01 08:34:47 [error] 1293#1293: *7651 access forbidden by rule, client: 172.16.20.102, server: adc.website.com, request: "GET / HTTP/2.0", host: "adc.website.com"
(I have altered host to adc.website.com)

I have attempted to also add this local IP, but I still get a 403 when attempting to access the site.

kerem 2026-02-26 06:35:30 +03:00
  • closed this issue
  • added the bug label

@kimdre commented on GitHub (Aug 1, 2021):

I have the exact same Problem with the docker version.
Also have Version v2.9.6


@oewean commented on GitHub (Aug 2, 2021):

It looks like you must edit/save the Proxy Hosts again after editing the Access Lists.


@hjorslev commented on GitHub (Aug 2, 2021):

@oewean Thanks. This fixed it for me.

I just edited the access list again and I could read the following in npm.log:

```
[8/2/2021] [4:58:33 PM] [Access   ] › ℹ  info      Building Access file #2 for: Private - family locations
```

When saving a site using an access list, the following was to be found in npm.log:

```
[8/2/2021] [5:01:57 PM] [Access   ] › ℹ  info      Building Access file #2 for: Private - family locations
[8/2/2021] [5:04:31 PM] [Nginx    ] › ℹ  info      Reloading Nginx
```

So I think that nginx needs to be reloaded after an access list has been saved. As far as I can see the access list is written to the corresponding .conf file.


@PlasmatikSteak commented on GitHub (Aug 19, 2021):

I have a similar problem

2021/08/19 12:20:00 [error] 312#312: *906 access forbidden by rule, client: 172.20.0.1, server: subdomain.domain.tld, request: "GET / HTTP/2.0", host: "subdomain.domain.tld", referrer: "https://subdomain.domain.tld/"

The Client IP is the gateway of the docker container. I think some X-Forward parameter is missing in NPM.


@Ugenx commented on GitHub (Aug 23, 2021):

> I have a similar problem
>
> 2021/08/19 12:20:00 [error] 312#312: *906 access forbidden by rule, client: 172.20.0.1, server: subdomain.domain.tld, request: "GET / HTTP/2.0", host: "subdomain.domain.tld", referrer: "https://subdomain.domain.tld/"
>
> The Client IP is the gateway of the docker container. I think some X-Forward parameter is missing in NPM.

This is the problem I noticed today when troubleshooting why my access whitelist didn't seem to have any effect. The client IP in the nginx access log under /data/logs/ is the docker gateway IP 172.23.0.1. If I whitelist that, the page loads fine but it loads fine for everyone the same way public does. Is this a docker network mode related issue?


@trin3heab2pam commented on GitHub (Aug 29, 2021):

> > I have a similar problem
> >
> > 2021/08/19 12:20:00 [error] 312#312: *906 access forbidden by rule, client: 172.20.0.1, server: subdomain.domain.tld, request: "GET / HTTP/2.0", host: "subdomain.domain.tld", referrer: "https://subdomain.domain.tld/"
> >
> > The Client IP is the gateway of the docker container. I think some X-Forward parameter is missing in NPM.
>
> This is the problem I noticed today when troubleshooting why my access whitelist didn't seem to have any effect. The client IP in the nginx access log under /data/logs/ is the docker gateway IP 172.23.0.1. If I whitelist that, the page loads fine but it loads fine for everyone the same way public does. Is this a docker network mode related issue?

I'm having the same issue. Were you able to get this resolved?


@hakunamatata97k commented on GitHub (Sep 7, 2021):

@PlasmatikSteak
Somehow you all are getting the error that your IP is actually from a local subnet, but in my case I'm getting the following error:

2021/09/07 17:03:09 [error] 3626#3626: *5038 access forbidden by rule, client: 95.x.x.x, server: subdomain.mydomain.com, request: "GET / HTTP/1.1", host: "subdomain.mydomain.com"

The client IP 95.x.x.x is in fact the public IP of my router, which gets changed by the ISP every 24H.
The host local IP is 192.168.0.84 and the client local IP is 192.168.0.10, so logically adding the following access list in the corresponding conf file should be sufficient. The access list looks like this:

```
# Access Rules
allow 192.168.0.0/24;  # according to Wikipedia, this should be normally sufficient.
allow 192.168.0.0/16;  # extra,
allow 127.0.0.0/8;
allow 172.16.0.0/12;   # according to Wikipedia, this should be normally sufficient.
allow 172.19.0.0/16;   # extra, the proxy subnet
deny all;
```

@hakunamatata97k commented on GitHub (Sep 10, 2021):

> I have a similar problem
>
> 2021/08/19 12:20:00 [error] 312#312: *906 access forbidden by rule, client: 172.20.0.1, server: subdomain.domain.tld, request: "GET / HTTP/2.0", host: "subdomain.domain.tld", referrer: "https://subdomain.domain.tld/"
>
> The Client IP is the gateway of the docker container. I think some X-Forward parameter is missing in NPM.

How did you manage to get your log to point to the local IP? In my case it only recognizes the public IP of my router!!!


@dragon2611 commented on GitHub (Nov 13, 2021):

It seems Nginx isn't getting reloaded/config updated when the access list changes. Is this possible to implement, please?


@chaptergy commented on GitHub (Nov 14, 2021):

Please see https://github.com/jc21/nginx-proxy-manager/issues/1105#issuecomment-950384265. If you use Cloudflare, this could also change the IP received by nginx.

Also, if your NPM instance is in the public internet, and not in your local network, you won't have access to the local IP addresses! Just the one public IP address your router has.


@dragon2611 commented on GitHub (Nov 14, 2021):

@chaptergy This is not the issue in my case, it's that if I add a new IP to the whitelist it doesn't take effect until I go into a host that uses the whitelist and re-save the configuration.


@chaptergy commented on GitHub (Nov 14, 2021):

@dragon2611 Then you are on the wrong issue. You'd probably want https://github.com/jc21/nginx-proxy-manager/issues/637


@almostserious commented on GitHub (Apr 13, 2022):

> Also, if your npm instance is in the public internet, and not in your local network, you won't have access to the local ip addresses! Just the one public ip address your router has.

What does that mean? How can my Nginx Proxy Manager be in the public internet, or in the local network?
Isn't it always hosted in the local network?
Can you please elaborate on this? I would like my NPM instance to be in my local network.

Could this issue be prevented if, instead of using a public DNS provider, I use a locally hosted one that resolves my local network without going through the internet?

edit

Indeed that works. For example, as I am using Adguard I was able to simply do a DNS Rewrite of the URL I am trying to reach and rewrite it directly to the IP where NPM is running. In that case, NPM receives the local IP instead of the public IP and the access list works fine for local IP only.
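
An added example, not part of the thread and not Nginx Proxy Manager's own code: a Python triage script that sorts `access forbidden by rule` log entries into the three causes reported above (allow list saved but nginx not reloaded, client address replaced by a Docker gateway or other NAT hop, and a public address that no private-range rule can match). The verdict names, the sample allow list and the `203.0.113.7` client are constructed for illustration, and the script assumes `conf_text` holds the access rules currently on disk.

```python
import ipaddress
import re

# nginx error-log entry written when an allow/deny rule rejects a request.
FORBIDDEN = re.compile(
    r"access forbidden by rule, client: (?P<client>[0-9A-Fa-f.:]+), server: (?P<server>[^,]+),")
ALLOW = re.compile(r"^\s*allow\s+([^;\s]+)\s*;", re.MULTILINE)
# RFC 1918 and loopback ranges: what nginx sees when NAT hides the real client.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def parse_allow(conf_text):
    """Return the networks named by `allow` directives ('all' and unix: are skipped)."""
    nets = []
    for value in ALLOW.findall(conf_text):
        try:
            nets.append(ipaddress.ip_network(value, strict=False))
        except ValueError:
            continue
    return nets


def diagnose(log_text, conf_text):
    """Classify every denied request as (client, server, verdict)."""
    allowed = parse_allow(conf_text)
    results = []
    for m in FORBIDDEN.finditer(log_text):
        try:
            client = ipaddress.ip_address(m.group("client"))
        except ValueError:
            continue  # redacted or malformed address
        if any(client in net for net in allowed):
            verdict = "stale-config"      # rule on disk allows it: nginx not reloaded
        elif any(client in net for net in INTERNAL):
            verdict = "nat-masked"        # gateway/NAT address, real client is hidden
        else:
            verdict = "public-unlisted"   # public address that no rule covers
        results.append((str(client), m.group("server"), verdict))
    return results


# Constructed sample: entries adapted from the thread, one constructed public
# client, and one redacted entry that must be skipped.
SAMPLE_LOG = """\
2021/08/01 08:34:47 [error] 1293#1293: *7651 access forbidden by rule, client: 172.16.20.102, server: adc.website.com, request: "GET / HTTP/2.0", host: "adc.website.com"
2021/08/19 12:20:00 [error] 312#312: *906 access forbidden by rule, client: 172.20.0.1, server: subdomain.domain.tld, request: "GET / HTTP/2.0", host: "subdomain.domain.tld"
2021/09/07 17:03:09 [error] 3626#3626: *5038 access forbidden by rule, client: 203.0.113.7, server: subdomain.mydomain.com, request: "GET / HTTP/1.1", host: "subdomain.mydomain.com"
2021/09/07 17:03:10 [error] 3626#3626: *5039 access forbidden by rule, client: 95.x.x.x, server: subdomain.mydomain.com, request: "GET / HTTP/1.1", host: "subdomain.mydomain.com"
"""
SAMPLE_CONF = "allow 172.16.20.102;\nallow 192.168.0.0/24;\ndeny all;\n"

if __name__ == "__main__":
    for row in diagnose(SAMPLE_LOG, SAMPLE_CONF):
        print(*row, sep="\t")
```

A `nat-masked` verdict is the case where adding the logged address to the allow list admits every client arriving through that gateway, as described earlier in the thread.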
