[GH-ISSUE #135] [NOOB] Prevent Direct Public IP access? #120

Closed
opened 2026-02-26 06:30:22 +03:00 by kerem · 5 comments
Owner

Originally created by @Kevinf63 on GitHub (May 6, 2019).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/135

Hi there, I fully apologize for my lack of networking knowledge in advance.

I'm curious to know is there a method or implementation in NPM/nginx default configs that prevents direct access over my public IP address and instead only allows traffic routed through my Cloudflare DDNS?

Perhaps being able to globally alter the default config to deny all but whitelist these IPs?
https://www.cloudflare.com/ips/

I figured it might help my poor Virgin Media SuperHub 3.0 router falling over from port scanning/bots DDOSing, but I'm totally naive on this subject to be honest and could be a simple fix staring me in the face!

kerem closed this issue 2026-02-26 06:30:22 +03:00
Author
Owner

@jc21 commented on GitHub (May 8, 2019):

Well sure you could use the advanced tab in proxy hosts to specify your whitelist options, but if you're using LetsEncrypt certificates with a whitelist, then it's likely not to work and you'll have to obtain a whitelist of LE servers as well.

Author
Owner

@Kevinf63 commented on GitHub (May 8, 2019):

Cheers for the quick response! No LetsEncrypt certs being used directly on NPM currently (HTTP only). Just the certs on the Cloudflare side, although I'm not sure if that's unwise.

If I use a `deny all;` and allow those individual IP ranges it should work, right? I seem to hit a snag where it seems the deny all is taking precedence over the other rules, likely an order or nginx syntax stumbling block.

Author
Owner

@jc21 commented on GitHub (May 8, 2019):

When I use something like this:

```
allow 203.174.180.157;
deny all;
```

it works as expected for me

Author
Owner

@the1ts commented on GitHub (Jul 3, 2019):

I was using the same style as above in location /
```
allow 192.168.0.0/24;
deny all;
```
But this was also denying renewing of certs, I fixed by adding an allow all to the letsencrypt-acme-challenge.conf alongside the turning off auth:
```
location ^~ /.well-known/acme-challenge/ {
    auth_basic off;
    allow all;
}
```
Am I doing something wrong or could this be a new default entry without harm?
Can put a PR in if wanted.

Author
Owner

@jc21 commented on GitHub (Jul 3, 2019):

True I didn't consider the acme challenge, should allow all regardless of custom configuration. If you PR that it would be great. I've been too busy lately :/
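To make the two points in this thread concrete (allow rules must come before `deny all;` because nginx stops at the first matching rule, and the ACME challenge location needs its own `allow all;`), here is an added example that is not part of the original issue or of the NPM project. It generates the access block from a list of trusted ranges and includes a small evaluator that mimics the first-match semantics of the nginx access module; the Cloudflare ranges in it are constructed sample values, not the real list from https://www.cloudflare.com/ips/.

```python
import ipaddress

# Constructed sample ranges standing in for the published Cloudflare edge list.
CLOUDFLARE_RANGES = ["103.21.244.0/22", "173.245.48.0/20", "2400:cb00::/32"]


def render_access_rules(trusted_ranges):
    """Emit allow lines first, then 'deny all;'. nginx evaluates access rules
    top to bottom and stops at the first match, so a leading 'deny all;' would
    shadow every allow placed after it (the snag described in the thread)."""
    lines = [f"allow {net};" for net in trusted_ranges]
    lines.append("deny all;")
    return "\n".join(lines)


def render_acme_exception():
    """Location block for the HTTP-01 challenge path: overrides the site-wide
    whitelist so certificate issuance/renewal keeps working. Any other directives
    NPM ships in letsencrypt-acme-challenge.conf would stay as they are."""
    return (
        "location ^~ /.well-known/acme-challenge/ {\n"
        "    auth_basic off;\n"
        "    allow all;\n"
        "}"
    )


def parse_rules(config_text):
    """Parse 'allow X;' / 'deny X;' lines into (verdict, network-or-None)."""
    rules = []
    for raw in config_text.splitlines():
        parts = raw.strip().rstrip(";").split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            continue
        net = None if parts[1] == "all" else ipaddress.ip_network(parts[1], strict=False)
        rules.append((parts[0], net))
    return rules


def nginx_decision(client_ip, rules):
    """First matching rule wins; with no matching rule nginx allows access."""
    ip = ipaddress.ip_address(client_ip)
    for verdict, net in rules:
        if net is None or ip in net:  # 'all' matches everything; mixed IP versions never match
            return verdict
    return "allow"


if __name__ == "__main__":
    print(render_access_rules(CLOUDFLARE_RANGES))
    print(render_acme_exception())
```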
