[GH-ISSUE #2141] Access List not working! How can I setup NPM to protect certain subdomain for outside access? #1539

New issue

Closed

opened 2026-02-26 07:31:28 +03:00 by kerem · 17 comments

kerem commented 2026-02-26 07:31:28 +03:00

Owner

Copy link

Originally created by @BobWs on GitHub (Jul 7, 2022).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2141

Hi,

I've setup NPM-Docker on my Synology NAS and when I try to setup Access List to protect certain sub.domains form outside access it doesn't work. See screenshot for my Access List setup and the proxy setup for subdomains.

I have also tried to add a Custom Nginx Configuration to the Advanced Tab but that is also not working.

location /# {
  allow 192.168.178.0/24;
  deny all;
}

Any help please how to setup NPM with Access List protection to work properly.
TIA

Originally created by @BobWs on GitHub (Jul 7, 2022). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/2141 Hi, I've setup NPM-Docker on my Synology NAS and when I try to setup Access List to protect certain sub.domains form outside access it doesn't work. See screenshot for my Access List setup and the proxy setup for subdomains.    I have also tried to add a Custom Nginx Configuration to the Advanced Tab but that is also not working. ``` location /# { allow 192.168.178.0/24; deny all; } ```  Any help please how to setup NPM with Access List protection to work properly. TIA

kerem 2026-02-26 07:31:28 +03:00

• closed this issue
• added the
  stale
  bug
  labels

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@UrekD commented on GitHub (Jul 7, 2022):

I think you are missing a deny rule on your access list. This worked for me ex.

<!-- gh-comment-id:1178361849 --> @UrekD commented on GitHub (Jul 7, 2022): I think you are missing a deny rule on your access list. This worked for me ex. 

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@BobWs commented on GitHub (Jul 8, 2022):

I think you are missing a deny rule on your access list. This worked for me ex.

The deny rule is activated by default, but I could give it a try.

<!-- gh-comment-id:1178580652 --> @BobWs commented on GitHub (Jul 8, 2022): > I think you are missing a deny rule on your access list. This worked for me ex. The deny rule is activated by default, but I could give it a try.

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@UrekD commented on GitHub (Jul 8, 2022):

I think you are missing a deny rule on your access list. This worked for me ex.

The deny rule is activated by default, but I could give it a try.

I thought so myself, but it didn't work without it. Also check the console it could not like the networks you specified. You see in my screenshot I use large ranges because it wouldn't accept smaller /24 for some reason. It only shows error in the console.

Personally I'm planning to switch to standard nginx as this just breaks every so often, no fail2ban and other missing features.

<!-- gh-comment-id:1178955652 --> @UrekD commented on GitHub (Jul 8, 2022): > > I think you are missing a deny rule on your access list. This worked for me ex. > > The deny rule is activated by default, but I could give it a try. > > > I thought so myself, but it didn't work without it. Also check the console it could not like the networks you specified. You see in my screenshot I use large ranges because it wouldn't accept smaller /24 for some reason. It only shows error in the console. Personally I'm planning to switch to standard nginx as this just breaks every so often, no fail2ban and other missing features.

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@BobWs commented on GitHub (Jul 9, 2022):

thought so myself, but it didn't work without it.

Okay I will make the necessary changes and see if it works. Did you also enable Satisfy Any?

<!-- gh-comment-id:1179483158 --> @BobWs commented on GitHub (Jul 9, 2022): > thought so myself, but it didn't work without it. Okay I will make the necessary changes and see if it works. Did you also enable Satisfy Any?

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@UrekD commented on GitHub (Jul 9, 2022):

Okay I will make the necessary changes and see if it works. Did you also enable Satisfy Any?

No I did not. I checked and as you said the deny all doesn't matter not does Satisfy Any from what I can see, just the 2 rules do everything.

Eh it worked for 5 min... Satisfy on and 2 rules without the deny all works for now, removed and re added the rule.

<!-- gh-comment-id:1179622337 --> @UrekD commented on GitHub (Jul 9, 2022): > Okay I will make the necessary changes and see if it works. Did you also enable Satisfy Any? ~~No I did not. I checked and as you said the deny all doesn't matter not does Satisfy Any from what I can see, just the 2 rules do everything.~~ Eh it worked for 5 min... Satisfy on and 2 rules without the deny all works for now, removed and re added the rule.

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@BobWs commented on GitHub (Jul 11, 2022):

Okay I will make the necessary changes and see if it works. Did you also enable Satisfy Any?

No I did not. I checked and as you said the deny all doesn't matter not does Satisfy Any from what I can see, just the 2 rules do everything.

Eh it worked for 5 min... Satisfy on and 2 rules without the deny all works for now, removed and re added the rule.

So I have tried both ways, with and without the “extra deny rule” and they are both working.
For now I removed the extra rule and will see what happens overtime. Satisfy All is off.
I also checked the proxy hosts config files after removing the extra deny rule and I can confirm that the default rule is still present.

One thing I noticed is that you have to save all the proxy hosts again after editing the ACL.

<!-- gh-comment-id:1180024004 --> @BobWs commented on GitHub (Jul 11, 2022): > > Okay I will make the necessary changes and see if it works. Did you also enable Satisfy Any? > > ~No I did not. I checked and as you said the deny all doesn't matter not does Satisfy Any from what I can see, just the 2 rules do everything.~ > > Eh it worked for 5 min... Satisfy on and 2 rules without the deny all works for now, removed and re added the rule. So I have tried both ways, with and without the “extra deny rule” and they are both working. For now I removed the extra rule and will see what happens overtime. Satisfy All is off. I also checked the proxy hosts config files after removing the extra deny rule and I can confirm that the default rule is still present. One thing I noticed is that you have to save all the proxy hosts again after editing the ACL.

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@kingfisher77 commented on GitHub (Jul 15, 2022):

We experience also irritating problems with the access feature. We added some ip subnets with net masks and all of a sudden access ist not possible anymore. Browser reports "Your connection is not private”. Problem is, that also the nginx proxy admin interface is behind a secured subdomain and not accessible anymore.

It seems that nginx proxy manager is not matured... We just set it up like it is ment to.

<!-- gh-comment-id:1185859673 --> @kingfisher77 commented on GitHub (Jul 15, 2022): We experience also irritating problems with the access feature. We added some ip subnets with net masks and all of a sudden access ist not possible anymore. Browser reports "Your connection is not private”. Problem is, that also the nginx proxy admin interface is behind a secured subdomain and not accessible anymore. It seems that nginx proxy manager is not matured... We just set it up like it is ment to.

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@jmo161 commented on GitHub (Jul 20, 2022):

We experience also irritating problems with the access feature. We added some ip subnets with net masks and all of a sudden access ist not possible anymore. Browser reports "Your connection is not private”. Problem is, that also the nginx proxy admin interface is behind a secured subdomain and not accessible anymore.

It seems that nginx proxy manager is not matured... We just set it up like it is ment to.

After any changes to any access list, I've found that you need to edit the proxy configuration that uses that access list and re-save it (you don't need to make any changes) for it to un-break itself and take the modified access list.

I'm not sure if there's an issue for this specifically yet, if there isn't, we should create one as I do believe it to be a bug. It's pretty irritating when you have 30 proxy hosts sharing the same access list...

<!-- gh-comment-id:1190469556 --> @jmo161 commented on GitHub (Jul 20, 2022): > We experience also irritating problems with the access feature. We added some ip subnets with net masks and all of a sudden access ist not possible anymore. Browser reports "Your connection is not private”. Problem is, that also the nginx proxy admin interface is behind a secured subdomain and not accessible anymore. > > It seems that nginx proxy manager is not matured... We just set it up like it is ment to. After any changes to any access list, I've found that you need to edit the proxy configuration that uses that access list and re-save it (you don't need to make any changes) for it to un-break itself and take the modified access list. I'm not sure if there's an issue for this specifically yet, if there isn't, we should create one as I do believe it to be a bug. It's pretty irritating when you have 30 proxy hosts sharing the same access list...

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@kingfisher77 commented on GitHub (Jul 20, 2022):

True. Could you create a first version of the bug ticket as i am not so fluently with these kind of tasks. I would be delighted to finalize it together with you. Is this okay?

<!-- gh-comment-id:1190483101 --> @kingfisher77 commented on GitHub (Jul 20, 2022): True. Could you create a first version of the bug ticket as i am not so fluently with these kind of tasks. I would be delighted to finalize it together with you. Is this okay?

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@BobWs commented on GitHub (Jul 21, 2022):

After any changes to any access list, I've found that you need to edit the proxy configuration that uses that access list and re-save it (you don't need to make any changes) for it to un-break itself and take the modified access list.

That is the problem indeed I have noticed too. It’s very annoying if your proxy list is long!

<!-- gh-comment-id:1191069606 --> @BobWs commented on GitHub (Jul 21, 2022): > After any changes to any access list, I've found that you need to edit the proxy configuration that uses that access list and re-save it (you don't need to make any changes) for it to un-break itself and take the modified access list. That is the problem indeed I have noticed too. It’s very annoying if your proxy list is long!

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@talondnb commented on GitHub (Jul 23, 2022):

Yes, I have found this too. Any modification to access lists needs to be re-applied on the proxy hosts.

I have also found another issue; if you have custom advanced configuration that defines stuff within a 'location /', your access list on that proxy host is not actually applied to the proxy host .conf file!

e.g.

below conf with custom advanced config via gui, missing access list section (even after re-applying)

$ cat 14.conf 
# ------------------------------------------------------------
# blah.blah.blah
# ------------------------------------------------------------


server {
  set $forward_scheme http;
  set $server         "10.10.10.100";
  set $port           7878;

  listen 80;
#listen [::]:80;

listen 443 ssl http2;
#listen [::]:443;


  server_name blah.blah.blah;


  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-7/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-7/privkey.pem;






  # Block Exploits
  include conf.d/include/block-exploits.conf;







    # Force SSL
    include conf.d/include/force-ssl.conf;




proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_http_version 1.1;


  access_log /data/logs/proxy-host-14_access.log proxy;
  error_log /data/logs/proxy-host-14_error.log warn;

# Increase buffer size for large headers
# This is needed only if you get 'upstream sent too big header while reading response
# header from upstream' error when trying to access an application protected by goauthentik
proxy_buffers 8 16k;
proxy_buffer_size 32k;

location / {
    # Put your proxy_pass to your application here
    proxy_pass          $forward_scheme://$server:$port;

    # authentik-specific config
    auth_request        /outpost.goauthentik.io/auth/nginx;
    error_page          401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    # translate headers from the outposts back to the actual upstream
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;

    proxy_set_header X-authentik-username $authentik_username;
    proxy_set_header X-authentik-groups $authentik_groups;
    proxy_set_header X-authentik-email $authentik_email;
    proxy_set_header X-authentik-name $authentik_name;
    proxy_set_header X-authentik-uid $authentik_uid;
}

# all requests to /outpost.goauthentik.io must be accessible without authentication
location /outpost.goauthentik.io {
    proxy_pass          http://10.10.10.100:9000/outpost.goauthentik.io;
    # ensure the host of this vserver matches your external URL you've configured
    # in authentik
    proxy_set_header    Host $host;
    proxy_set_header    X-Original-URL $scheme://$http_host$request_uri;
    add_header          Set-Cookie $auth_cookie;
    auth_request_set    $auth_cookie $upstream_http_set_cookie;
}

# Special location for when the /auth endpoint returns a 401,
# redirect to the /start URL which initiates SSO
location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    # For domain level, use the below error_page to redirect to your authentik server with the full redirect path
    # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
}





  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

<!-- gh-comment-id:1193067094 --> @talondnb commented on GitHub (Jul 23, 2022): Yes, I have found this too. Any modification to access lists needs to be re-applied on the proxy hosts. I have also found another issue; if you have custom advanced configuration that defines stuff within a 'location /', your access list on that proxy host is not actually applied to the proxy host .conf file! e.g.   below conf with custom advanced config via gui, missing access list section (even after re-applying) ``` $ cat 14.conf # ------------------------------------------------------------ # blah.blah.blah # ------------------------------------------------------------ server { set $forward_scheme http; set $server "10.10.10.100"; set $port 7878; listen 80; #listen [::]:80; listen 443 ssl http2; #listen [::]:443; server_name blah.blah.blah; # Let's Encrypt SSL include conf.d/include/letsencrypt-acme-challenge.conf; include conf.d/include/ssl-ciphers.conf; ssl_certificate /etc/letsencrypt/live/npm-7/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/npm-7/privkey.pem; # Block Exploits include conf.d/include/block-exploits.conf; # Force SSL include conf.d/include/force-ssl.conf; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; access_log /data/logs/proxy-host-14_access.log proxy; error_log /data/logs/proxy-host-14_error.log warn; # Increase buffer size for large headers # This is needed only if you get 'upstream sent too big header while reading response # header from upstream' error when trying to access an application protected by goauthentik proxy_buffers 8 16k; proxy_buffer_size 32k; location / { # Put your proxy_pass to your application here proxy_pass $forward_scheme://$server:$port; # authentik-specific config auth_request /outpost.goauthentik.io/auth/nginx; error_page 401 = @goauthentik_proxy_signin; auth_request_set $auth_cookie $upstream_http_set_cookie; add_header Set-Cookie $auth_cookie; # translate headers from the outposts back to the actual upstream auth_request_set $authentik_username $upstream_http_x_authentik_username; auth_request_set $authentik_groups $upstream_http_x_authentik_groups; auth_request_set $authentik_email $upstream_http_x_authentik_email; auth_request_set $authentik_name $upstream_http_x_authentik_name; auth_request_set $authentik_uid $upstream_http_x_authentik_uid; proxy_set_header X-authentik-username $authentik_username; proxy_set_header X-authentik-groups $authentik_groups; proxy_set_header X-authentik-email $authentik_email; proxy_set_header X-authentik-name $authentik_name; proxy_set_header X-authentik-uid $authentik_uid; } # all requests to /outpost.goauthentik.io must be accessible without authentication location /outpost.goauthentik.io { proxy_pass http://10.10.10.100:9000/outpost.goauthentik.io; # ensure the host of this vserver matches your external URL you've configured # in authentik proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; add_header Set-Cookie $auth_cookie; auth_request_set $auth_cookie $upstream_http_set_cookie; } # Special location for when the /auth endpoint returns a 401, # redirect to the /start URL which initiates SSO location @goauthentik_proxy_signin { internal; add_header Set-Cookie $auth_cookie; return 302 /outpost.goauthentik.io/start?rd=$request_uri; # For domain level, use the below error_page to redirect to your authentik server with the full redirect path # return 302 https://authentik.company/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri; } # Custom include /data/nginx/custom/server_proxy[.]conf; } ```

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@MrSmits commented on GitHub (Aug 30, 2022):

Check my comment on here, this workaround seems to work for me at least
https://github.com/NginxProxyManager/nginx-proxy-manager/issues/383#issuecomment-1231453474

<!-- gh-comment-id:1232077600 --> @MrSmits commented on GitHub (Aug 30, 2022): Check my comment on here, this workaround seems to work for me at least https://github.com/NginxProxyManager/nginx-proxy-manager/issues/383#issuecomment-1231453474

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@mgutt commented on GitHub (Nov 26, 2022):

alondnb

I can verify this behavior. Screenshots:
https://forums.unraid.net/topic/131150-nextcloud-benutzer-anlegen-klappt-nicht/?do=findComment&comment=1195344

A workaround is to add the code manually to the own location / block, but it will break if an access list is deleted.

<!-- gh-comment-id:1328061089 --> @mgutt commented on GitHub (Nov 26, 2022): > alondnb I can verify this behavior. Screenshots: https://forums.unraid.net/topic/131150-nextcloud-benutzer-anlegen-klappt-nicht/?do=findComment&comment=1195344 A workaround is to add the code manually to the own location / block, but it will break if an access list is deleted.

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@Vanillabacke commented on GitHub (Feb 27, 2023):

the access list has no effect on my server, which has the latest version installed ( v2.9.19 ).
tried all possible configurations / workarounds, what i have found. the login dialog won't show up.

<!-- gh-comment-id:1446605060 --> @Vanillabacke commented on GitHub (Feb 27, 2023): the access list has no effect on my server, which has the latest version installed ( v2.9.19 ). tried all possible configurations / workarounds, what i have found. the login dialog won't show up.

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@bbrfkr commented on GitHub (Mar 24, 2023):

+1

<!-- gh-comment-id:1482311313 --> @bbrfkr commented on GitHub (Mar 24, 2023): +1

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Feb 14, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:1942964691 --> @github-actions[bot] commented on GitHub (Feb 14, 2024): Issue is now considered stale. If you want to keep it open, please comment :+1:

kerem commented 2026-02-26 07:31:29 +03:00

Author

Owner

Copy link

@github-actions[bot] commented on GitHub (Mar 30, 2025):

Issue was closed due to inactivity.

<!-- gh-comment-id:2764342968 --> @github-actions[bot] commented on GitHub (Mar 30, 2025): Issue was closed due to inactivity.

Sign in to join this conversation.

No Branch/Tag specified

Branches Tags

develop

dependabot/npm_and_yarn/backend/liquidjs-10.25.7

dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987

dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41

dependabot/npm_and_yarn/backend/basic-ftp-5.3.0

dependabot/npm_and_yarn/test/follow-redirects-1.16.0

dependabot/npm_and_yarn/test/axios-1.15.0

dependabot/npm_and_yarn/frontend/lodash-4.18.1

dependabot/npm_and_yarn/backend/lodash-4.18.1

dependabot/npm_and_yarn/test/lodash-4.18.1

dependabot/npm_and_yarn/frontend/vite-7.3.2

dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21

dependabot/npm_and_yarn/frontend/lodash-es-4.18.1

dependabot/npm_and_yarn/frontend/happy-dom-20.8.9

dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0

dependabot/npm_and_yarn/frontend/picomatch-4.0.4

dependabot/npm_and_yarn/backend/picomatch-2.3.2

dependabot/npm_and_yarn/frontend/yaml-1.10.3

dependabot/npm_and_yarn/test/flatted-3.4.2

dependabot/npm_and_yarn/test/tar-7.5.11

dependabot/npm_and_yarn/frontend/immutable-5.1.5

master

dependabot/npm_and_yarn/test/glob-10.5.0

dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1

dependabot/npm_and_yarn/test/form-data-4.0.4

v3-abandoned

bump-freedns

openidc

ssl-passthrough-hosts

static-content

v2.14.0

v2.13.7

v2.13.6

v2.13.5

v2.13.4

v2.13.3

v2.13.2

v2.13.1

v2.13.0

v2.12.6

v2.12.5

v2.12.4

v2.12.3

v2.12.2

v2.12.1

v2.12.0

v2.11.3

v2.11.2

v2.11.1

v2.11.0

v2.10.4

v2.10.3

v2.10.2

v2.10.1

v2.10.0

v2.9.22

v2.9.21

v2.9.20

v2.9.19

v2.9.18

v2.9.17

v2.9.16

v2.9.15

v2.9.14

v2.9.13

v2.9.12

v2.9.11

v2.9.10

v2.9.9

v2.9.8

v2.9.7

v2.9.6

v2.9.5

v2.9.4

v2.9.3

v2.9.2

v2.9.1

v2.9.0

v2.8.1

v2.8.0

v2.7.3

v2.7.2

v2.7.1

v2.7.0

v2.6.2

v2.6.1

v2.6.0

v2.5.0

v2.4.0

v2.3.1

v2.3.0

v2.2.4

v2.2.3

v2.2.2

v2.2.1

v2.2.0

v2.1.2

v2.1.1

v2.1.0

2.0.14

2.0.13

2.0.12

2.0.11

2.0.10

2.0.9

2.0.8

2.0.7

2.0.6

2.0.5

2.0.4

2.0.3

2.0.2

2.0.0

v2.0.0

1.1.2

1.1.1

1.0.1

Labels

Clear labels   

awaiting feedback

  

bug

  

cannot reproduce

  

dns provider request

  

duplicate

  

enhancement

  

enhancement

  

enhancement

  

good first issue

  

help wanted

  

invalid

  

need more info

  

no certbot plugin available

  

product-support

  

pull-request

Mirrored from GitHub Pull Request

  

question

  

stale

  

troll

  

upstream issue

  

v2

  

v2

  

v2

  

v3

  

wontfix

No labels

awaiting feedback

bug

cannot reproduce

dns provider request

duplicate

enhancement

enhancement

enhancement

good first issue

help wanted

invalid

need more info

no certbot plugin available

product-support

pull-request

question

stale

troll

upstream issue

v2

v2

v2

v3

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

starred/nginx-proxy-manager-NginxProxyManager#1539

No description provided.