[GH-ISSUE #1380] FORBIDDEN: Despite Documentation! Creating "Local only" Access List, requires PUBLIC IPs ONLY #1085

New issue

Closed

opened 2026-02-26 06:35:42 +03:00 by kerem · 12 comments

kerem commented 2026-02-26 06:35:42 +03:00

Owner

Copy link

Originally created by @hakunamatata97k on GitHub (Sep 6, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1380

Checklist

• Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • Yes
• Are you sure you're not using someone else's docker image?
  • Yes
• Have you searched for similar issues (both open and closed)?
  • Yes

Describe the bug

Despite what the documentation say, adding local IPs, subnets, and local gateway is NOT working in my case!.

i used the following docker-compose.yaml file to do the installation:

`  npm-app:
    image: jc21/nginx-proxy-manager:latest
    container_name: nginx-app
    restart: always
    ports:
        - 80:80
        - 81:81
        - 443:443
    environment:
        - DB_MYSQL_HOST=npm-db
        - DB_MYSQL_PORT=3306
        - DB_MYSQL_USER=npm
        - DB_MYSQL_PASSWORD=PASSWORD
        - DB_MYSQL_NAME=npm
    volumes:
        - npm-data:/data
        - npm-ssl:/etc/letsencrypt
    networks:
        - nginx
  npm-db:
    image: jc21/mariadb-aria:latest
    container_name: nginx-db
    restart: always
    environment:
        - MYSQL_ROOT_PASSWORD=PASSWORD
        - MYSQL_DATABASE=npm
        - MYSQL_USER=npm
        - MYSQL_PASSWORD=PASSWORD
    volumes:
        - npm-db:/var/lib/mysql
    networks:
        - nginx`

The conf file:

`------------------------------------------------------------
example.domain.com
------------------------------------------------------------
server { 
set $forward_scheme http; 
set $server         "myApp"; 
set $port           80;
listen 80; listen [::]:80;
server_name example.domain.com;
Block Exploits
include conf.d/include/block-exploits.conf;
proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1;
access_log /data/logs/proxy-host-2_access.log proxy; error_log /data/logs/proxy-host-2_error.log warn;
location / {
# Access Rules
allow 0.0.0.0/8;
allow 192.168.0.0/24; # according to Wikipedia, this should be  normally sufficient. 
allow 192.168.0.0/16;# extra, 
allow 127.0.0.0/8;
allow 172.16.0.0/12;# according to Wikipedia, this should be  normally sufficient.  
allow 172.19.0.0/16;#extra, the proxy subnet
deny all;

# Access checks must...

satisfy all;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;


# Proxy!
include conf.d/include/proxy.conf;
}
Custom
include /data/nginx/custom/server_proxy[.]conf; }

Nginx Proxy Manager Version

I pulled the latest docker image: docker pull jc21/nginx-proxy-manager:latest

Expected behavior

its expected that the page would load without getting 403 ERROR forbidden!!!.

Screenshots

Operating System

Raspbian Os 64x, docker & Portainer.

Additional context

Originally created by @hakunamatata97k on GitHub (Sep 6, 2021). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1380 <!-- Are you in the right place? - If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit. - If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask. - If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the *right place.* --> **Checklist** - Have you pulled and found the error with `jc21/nginx-proxy-manager:latest` docker image? - Yes - Are you sure you're not using someone else's docker image? - Yes - Have you searched for similar issues (both open and closed)? - Yes **Describe the bug** <!-- A clear and concise description of what the bug is. --> Despite what the [documentation](http://nginx.org/en/docs/http/ngx_http_access_module.html) say, adding local IPs, subnets, and local gateway is NOT working in my case!. i used the following `docker-compose.yaml` file to do the installation: ``` ` npm-app: image: jc21/nginx-proxy-manager:latest container_name: nginx-app restart: always ports: - 80:80 - 81:81 - 443:443 environment: - DB_MYSQL_HOST=npm-db - DB_MYSQL_PORT=3306 - DB_MYSQL_USER=npm - DB_MYSQL_PASSWORD=PASSWORD - DB_MYSQL_NAME=npm volumes: - npm-data:/data - npm-ssl:/etc/letsencrypt networks: - nginx npm-db: image: jc21/mariadb-aria:latest container_name: nginx-db restart: always environment: - MYSQL_ROOT_PASSWORD=PASSWORD - MYSQL_DATABASE=npm - MYSQL_USER=npm - MYSQL_PASSWORD=PASSWORD volumes: - npm-db:/var/lib/mysql networks: - nginx` ``` **The conf file:** ``` `------------------------------------------------------------ example.domain.com ------------------------------------------------------------ server { set $forward_scheme http; set $server "myApp"; set $port 80; listen 80; listen [::]:80; server_name example.domain.com; Block Exploits include conf.d/include/block-exploits.conf; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; access_log /data/logs/proxy-host-2_access.log proxy; error_log /data/logs/proxy-host-2_error.log warn; location / { # Access Rules allow 0.0.0.0/8; allow 192.168.0.0/24; # according to Wikipedia, this should be normally sufficient. allow 192.168.0.0/16;# extra, allow 127.0.0.0/8; allow 172.16.0.0/12;# according to Wikipedia, this should be normally sufficient. allow 172.19.0.0/16;#extra, the proxy subnet deny all; # Access checks must... satisfy all; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; # Proxy! include conf.d/include/proxy.conf; } Custom include /data/nginx/custom/server_proxy[.]conf; } ``` **Nginx Proxy Manager Version** <!-- What version of Nginx Proxy Manager is reported on the login page? --> I pulled the latest docker image: `docker pull jc21/nginx-proxy-manager:latest` **Expected behavior** <!-- A clear and concise description of what you expected to happen. --> its expected that the page would load without getting 403 ERROR forbidden!!!. **Screenshots** <!-- If applicable, add screenshots to help explain your problem. --> **Operating System** <!-- Please specify if using a Rpi, Mac, orchestration tool or any other setups that might affect the reproduction of this error. --> Raspbian Os 64x, docker & Portainer. **Additional context** <!-- Add any other context about the problem here, docker version, browser version, logs if applicable to the problem. Too much info is better than too little. -->

kerem 2026-02-26 06:35:42 +03:00

• closed this issue
• added the
  stale
  bug
  labels

kerem commented 2026-02-26 06:35:42 +03:00

Author

Owner

Copy link

@PlasmatikSteak commented on GitHub (Sep 7, 2021):

Possible duplicate
https://github.com/jc21/nginx-proxy-manager/issues/1279

<!-- gh-comment-id:914053560 --> @PlasmatikSteak commented on GitHub (Sep 7, 2021): Possible duplicate https://github.com/jc21/nginx-proxy-manager/issues/1279

kerem commented 2026-02-26 06:35:42 +03:00

Author

Owner

Copy link

@hakunamatata97k commented on GitHub (Sep 7, 2021):

Possible duplicate
#1279
This is kinda the same but differs in one aspect: people in that bug are getting an error message from the npm which tells that the client is in fact connected locally "172.16.20.102" and yet they are not able to access the page!.

In my situation, the NPM gives the following error message and doesn't recognize that the client is connected locally:
2021/09/07 17:03:09 [error] 3626#3626: *5038 access forbidden by rule, client: 95.x.x.x, server: subdomain.mydomain.com, request: "GET / HTTP/1.1", host: "subdomain.mydomain.com"
the 95.x.x.x being the public IP of the router!. So NPM is not recognizing that I'm in the local network!!!!.
I can't add the public IP of my router because it will be dynamically changed by the ISP.
That's how these both issues differ.

<!-- gh-comment-id:914401243 --> @hakunamatata97k commented on GitHub (Sep 7, 2021): > Possible duplicate > #1279 This is kinda the same but differs in one aspect: people in that bug are getting an error message from the npm which tells that the client is in fact connected locally "172.16.20.102" and yet they are not able to access the page!. In my situation, the NPM gives the following error message and doesn't recognize that the client is connected locally: `2021/09/07 17:03:09 [error] 3626#3626: *5038 access forbidden by rule, client: 95.x.x.x, server: subdomain.mydomain.com, request: "GET / HTTP/1.1", host: "subdomain.mydomain.com" ` the 95.x.x.x being the public IP of the router!. So NPM is not recognizing that I'm in the local network!!!!. I can't add the public IP of my router because it will be dynamically changed by the ISP. That's how these both issues differ.

kerem commented 2026-02-26 06:35:42 +03:00

Author

Owner

Copy link

@BobWs commented on GitHub (Dec 17, 2021):

Did you find a solution for your "local access" problem? I have a similar problem, NPM is not able to access only the local nework without going through the "outside" internet. Their are some subdomains that would rather keep outside acces.
How to solve this?

<!-- gh-comment-id:996727972 --> @BobWs commented on GitHub (Dec 17, 2021): Did you find a solution for your "local access" problem? I have a similar problem, NPM is not able to access only the local nework without going through the "outside" internet. Their are some subdomains that would rather keep outside acces. How to solve this?

kerem commented 2026-02-26 06:35:42 +03:00

Author

Owner

Copy link

@msiemens commented on GitHub (Dec 18, 2021):

I struggled with this too, but after thinking about this for a while I'm fairly certain this issue has nothing to do with NPM itself but rather with the router/networking setup.

Basically, the typical setup (as far as I can tell) uses port forwarding configured in one's home router and a DNS entry some domain that uses the router's public IP (e.g. using some dynamic DNS service). As far as I understand in this setup NPM will never be able to receive the local IP address because every connection to NPM resolves to the router's IP which in turn creates a connection to NPM. So it absolutely makes sense to see the router's public IP address in the logs as it's where the connection is originating from NPM's point of view.

To be honest, I think there's nothing NPM can do to fix this. It does exactly what it's made for: configure a NGINX instance as a reverse proxy. But NPM can't configure your local network to route requests directly to itself without going through the router's public IP and port forwarding.

See also: https://github.com/jc21/nginx-proxy-manager/issues/1105#issuecomment-950384265

Unfortunately there is nothing we can do about that. If you look into the access logs of your proxy host found at /data/logs/proxy-host-_access.log. You will see something like [Client 172.19.0.1] in each of the lines, which shows you what IP nginx has received that request from.
If your NPM instance is in the public internet, and not in your local network, local ip adresses are NOT available, and nginx will only receive your routers public ip address from the requesting client.

<!-- gh-comment-id:997180738 --> @msiemens commented on GitHub (Dec 18, 2021): I struggled with this too, but after thinking about this for a while I'm fairly certain this issue has nothing to do with NPM itself but rather with the router/networking setup. Basically, the typical setup (as far as I can tell) uses port forwarding configured in one's home router and a DNS entry some domain that uses the router's public IP (e.g. using some dynamic DNS service). As far as I understand in this setup NPM will never be able to receive the local IP address because every connection to NPM resolves to the router's IP which in turn creates a connection to NPM. So it absolutely makes sense to see the router's public IP address in the logs as it's where the connection is originating from NPM's point of view. To be honest, I think there's nothing NPM can do to fix this. It does exactly what it's made for: configure a NGINX instance as a reverse proxy. But NPM can't configure your local network to route requests directly to itself without going through the router's public IP and port forwarding. See also: https://github.com/jc21/nginx-proxy-manager/issues/1105#issuecomment-950384265 > Unfortunately there is nothing we can do about that. If you look into the access logs of your proxy host found at /data/logs/proxy-host-<id>_access.log. You will see something like [Client 172.19.0.1] in each of the lines, which shows you what IP nginx has received that request from. > If your NPM instance is in the public internet, and not in your local network, local ip adresses are NOT available, and nginx will only receive your routers public ip address from the requesting client.

kerem commented 2026-02-26 06:35:42 +03:00

Author

Owner

Copy link

@almostserious commented on GitHub (Apr 14, 2022):

So, I was trying to figure out the same. I wanted local access to some URLs only.

And indeed, with normal settings this will not work because NPM will always receive the Public IP as the traffic is routed through a DNS thats located outside your network.

However, I just found a way to make it work for me.
I am using Adguard as my DNS.
Within there, I can specify DNS Rewrites.
So adding the URL I want to be only available locally and rewriting this to the IP of NPM makes NPM receive the local IPs asking for access.

This results in the Access List working as intended.

This should work with any locally hosted DNS service that allows you to do custom routes.

<!-- gh-comment-id:1098813905 --> @almostserious commented on GitHub (Apr 14, 2022): So, I was trying to figure out the same. I wanted local access to some URLs only. And indeed, with normal settings this will not work because NPM will always receive the Public IP as the traffic is routed through a DNS thats located outside your network. However, I just found a way to make it work for me. I am using Adguard as my DNS. Within there, I can specify DNS Rewrites. So adding the URL I want to be only available locally and rewriting this to the IP of NPM makes NPM receive the local IPs asking for access. This results in the Access List working as intended. This should work with any locally hosted DNS service that allows you to do custom routes.

kerem commented 2026-02-26 06:35:42 +03:00

Author

Owner

Copy link

@BobWs commented on GitHub (Apr 15, 2022):

So, I was trying to figure out the same. I wanted local access to some URLs only.

And indeed, with normal settings this will not work because NPM will always receive the Public IP as the traffic is routed through a DNS thats located outside your network.

However, I just found a way to make it work for me. I am using Adguard as my DNS. Within there, I can specify DNS Rewrites. So adding the URL I want to be only available locally and rewriting this to the IP of NPM makes NPM receive the local IPs asking for access.

This results in the Access List working as intended.

This should work with any locally hosted DNS service that allows you to do custom routes.

Interesting find! I’m also using Adguard, so could you please explain it a little more in detail how to do it. Could you please give an example how to configure adguard.

<!-- gh-comment-id:1100100982 --> @BobWs commented on GitHub (Apr 15, 2022): > So, I was trying to figure out the same. I wanted local access to some URLs only. > > And indeed, with normal settings this will not work because NPM will always receive the Public IP as the traffic is routed through a DNS thats located outside your network. > > However, I just found a way to make it work for me. I am using Adguard as my DNS. Within there, I can specify DNS Rewrites. So adding the URL I want to be only available locally and rewriting this to the IP of NPM makes NPM receive the local IPs asking for access. > > This results in the Access List working as intended. > > This should work with any locally hosted DNS service that allows you to do custom routes. Interesting find! I’m also using Adguard, so could you please explain it a little more in detail how to do it. Could you please give an example how to configure adguard.

kerem commented 2026-02-26 06:35:42 +03:00

Author

Owner

Copy link

@almostserious commented on GitHub (Apr 15, 2022):

Sure thing, its pretty simple.

Put your desired URL, or a wildcard and put it in a DNS rewrite in Adguard. i.e.: *.myddns.duckdns.org and simply rewrite it to the IP where NPM is running in your local network.
That should be the same IP that you also forwarded port 80 and 443 in your router.
You can find this in Adguard under Filter & DNS Rewrite

<!-- gh-comment-id:1100420654 --> @almostserious commented on GitHub (Apr 15, 2022): Sure thing, its pretty simple. Put your desired URL, or a wildcard and put it in a DNS rewrite in Adguard. i.e.: *.myddns.duckdns.org and simply rewrite it to the IP where NPM is running in your local network. That should be the same IP that you also forwarded port 80 and 443 in your router. You can find this in Adguard under Filter & DNS Rewrite 

kerem commented 2026-02-26 06:35:42 +03:00

Author

Owner

Copy link

@BobWs commented on GitHub (Apr 16, 2022):

@almostserious thanks for sharing I will give it a try!

<!-- gh-comment-id:1100652049 --> @BobWs commented on GitHub (Apr 16, 2022): @almostserious thanks for sharing I will give it a try!

kerem commented 2026-02-26 06:35:42 +03:00

Author

Owner

Copy link

@BobWs commented on GitHub (Apr 18, 2022):

Unfortunately it isn’t working for me. I have configured exactly as you described, but it isn’t working.
Could it be related to the fact that I have setup Adguard with macvlan? I have read that macvlan can’t communicate with the host due some security limitations of Docker.

<!-- gh-comment-id:1101113835 --> @BobWs commented on GitHub (Apr 18, 2022): Unfortunately it isn’t working for me. I have configured exactly as you described, but it isn’t working. Could it be related to the fact that I have setup Adguard with macvlan? I have read that macvlan can’t communicate with the host due some security limitations of Docker.

kerem commented 2026-02-26 06:35:43 +03:00

Author

Owner

Copy link

@Nickjones818 commented on GitHub (Sep 7, 2022):

To provide some feedback for anyone with ability to perform "Host Overrides"
You can assign an access list of just your local subnet as shown...

But you need to be able to adjust your router/firewall DNS settings (in my case using PFSense DNS Resolver, located at the bottom of that page) to override the IP of the DNS Request your trying to make

in this example i have Dynamic DNS setup and a Godaddy Domain name all being pointed back to my home webserver being hosted on Unraid. Some are exposed to the public, others just local subnet. In my example of local only, i just simply created a made up website name (myembyserver.network), and added that to the host override section of PFsense. The name resolves on my local network only, is routed through NPM perfectly.

<!-- gh-comment-id:1239613441 --> @Nickjones818 commented on GitHub (Sep 7, 2022): To provide some feedback for anyone with ability to perform "Host Overrides" You can assign an access list of just your local subnet as shown...   But you need to be able to adjust your router/firewall DNS settings (in my case using PFSense DNS Resolver, located at the bottom of that page) to override the IP of the DNS Request your trying to make  in this example i have Dynamic DNS setup and a Godaddy Domain name all being pointed back to my home webserver being hosted on Unraid. Some are exposed to the public, others just local subnet. In my example of local only, i just simply created a made up website name (myembyserver.network), and added that to the host override section of PFsense. The name resolves on my local network only, is routed through NPM perfectly.

kerem commented 2026-02-26 06:35:43 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Mar 5, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:1977795664 --> @github-actions[bot] commented on GitHub (Mar 5, 2024): Issue is now considered stale. If you want to keep it open, please comment :+1:

kerem commented 2026-02-26 06:35:43 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Apr 18, 2025):

Issue was closed due to inactivity.

<!-- gh-comment-id:2814353866 --> @github-actions[bot] commented on GitHub (Apr 18, 2025): Issue was closed due to inactivity.

kerem referenced this issue 2026-02-26 07:39:02 +03:00

[PR #1085] [MERGED] Improved new password error messages #3364

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#1085

No description provided.