[GH-ISSUE #3002] Unable to set access control lists based on IP/network #2049

Open
opened 2026-02-26 07:33:49 +03:00 by kerem · 13 comments

Originally created by @crosesvg on GitHub (Jun 16, 2023).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/3002

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
Access lists do not work, as all connections are seen to originate from the container's gateway address

Nginx Proxy Manager Version
v2.10.3

To Reproduce
Steps to reproduce the behavior:
  • Configure an Access list to:
    • allow traffic from local networks (e.g. 192.168.0.0/16)
    • deny traffic from all
  • Assign the access list to a proxy host
  • Attempt to access the proxy host

Expected behavior
Traffic originating from 192.168.0.0/16 networks is granted access
Traffic originating from other internal/external networks is denied

Actual behavior
Traffic from 192.168.0.0/16 networks is denied access
If the access list is updated to include 172.16.0.0/16 (e.g. the subnet/IP address of the Docker container/gateway), then connections are allowed from all networks (as all requests are seen to originate from the subnet that the container/gateway resides in)

Operating System
Docker desktop/WSL on Windows
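
As an added illustration (not part of the original issue or of Nginx Proxy Manager's code), the sketch below models the reported behaviour: first-match allow/deny evaluation against the address the proxy actually sees. The gateway address 172.16.0.1, the client addresses and all function names are constructed for the example.

```python
import ipaddress

# Constructed value: a gateway inside the 172.16.0.0/16 subnet from the report.
DOCKER_GATEWAY = "172.16.0.1"

def evaluate(rules, remote_addr):
    """First-match evaluation, the way nginx processes allow/deny directives.
    rules: list of (action, network); network is a CIDR string or "all"."""
    addr = ipaddress.ip_address(remote_addr)
    for action, net in rules:
        if net == "all" or addr in ipaddress.ip_network(net):
            return action
    return "allow"  # no rule matched, so nothing blocks the request

def seen_by_proxy(client_ip, source_nat):
    """Address the proxy sees: the gateway when the container runtime
    rewrites the source address, otherwise the real client."""
    return DOCKER_GATEWAY if source_nat else client_ip

def decisions(rules, clients, source_nat):
    """ACL outcome per real client address."""
    return {c: evaluate(rules, seen_by_proxy(c, source_nat)) for c in clients}

def source_ip_masked(observed, container_subnet="172.16.0.0/16"):
    """True when every address the proxy logged lies in the container subnet,
    i.e. the access list never sees a real client address."""
    net = ipaddress.ip_network(container_subnet)
    return bool(observed) and all(ipaddress.ip_address(a) in net for a in observed)

# Constructed clients: LAN, other internal network, external.
CLIENTS = ["192.168.1.50", "10.20.30.40", "203.0.113.7"]
INTENDED = [("allow", "192.168.0.0/16"), ("deny", "all")]
WIDENED = [("allow", "192.168.0.0/16"), ("allow", "172.16.0.0/16"), ("deny", "all")]

if __name__ == "__main__":
    for label, rules, nat in [
        ("intended list, real source IPs", INTENDED, False),
        ("intended list, source rewritten", INTENDED, True),
        ("widened list, source rewritten", WIDENED, True),
    ]:
        print(f"{label}: {decisions(rules, CLIENTS, nat)}")
    observed = [seen_by_proxy(c, True) for c in CLIENTS]
    print("source IPs masked:", source_ip_masked(observed))
```

Running `source_ip_masked` over the remote addresses in the proxy's access log is a quick way to confirm whether an IP-based access list can work at all in a given deployment.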


@jmaximusix commented on GitHub (Sep 2, 2023):

Can confirm.
This Reddit user has also come to the same conclusion:
https://www.reddit.com/r/nginxproxymanager/comments/110634p/comment/j8lc9cj/?utm_source=share&utm_medium=web2x&context=3


@grainsoflight commented on GitHub (Sep 29, 2023):

Having the same issue. Adding

location = / {
    allow 192.168.0.0/24;
    deny all;
}

manually to the advanced settings resolves the issue, so it seems like the access lists aren't properly inserting it


@dezza commented on GitHub (Oct 22, 2023):

Try to check(box) "Satisfy any" [x]

I had issues with HTTP Basic Auth as well, but this made sure it satisfied on IP-restrictions only.


@grainsoflight commented on GitHub (Oct 22, 2023):

I had tried this and it did not work

On Sat, Oct 21, 2023, 11:53 PM dezza wrote:

> Try to check(box) "Satisfy any" [x]
>
> I had issues with HTTP Basic Auth as well, but this made sure it satisfied
> on IP-restrictions only.



@dezza commented on GitHub (Oct 22, 2023):

> I had tried this and it did not work

Ok! Well maybe try with a new entry so you're sure a new file is being created.

I couldn't get the basic auth working, not sure why, it showed my user and an excerpt (3 letters or so) of the password for login, but this login never worked in basic auth, so not sure what was wrong..


@dezza commented on GitHub (Oct 23, 2023):

Btw the issue with not seeing the correct source IP is easily resolved by running the container with --network=slirp4netns:port_handler=slirp4netns


@github-actions[bot] commented on GitHub (Jun 4, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍


@luixal commented on GitHub (Dec 14, 2024):

Just got here as I'm still having this issue.

Any workaround other than @grainsoflight ? Works like a charm but it's hard to keep track of which domains have which access...


@smileatom commented on GitHub (Jan 3, 2025):

The reason the ACLs don't work is that NGINX in Docker has no idea what the source IP of the request is; it thinks it's the IP of the Docker container. Therefore it cannot work.


@luixal commented on GitHub (Jan 4, 2025):

Then, why does it work by adding it manually like in the example above? I tried it myself and it does work for me.


@smileatom commented on GitHub (Jan 5, 2025):

> Then, why does it work by adding it manually like in the example above? I tried it myself and it does work for me.

Because you likely added a CIDR block that includes the Docker container IP.


@luixal commented on GitHub (Jan 5, 2025):

I don't think I've added anything else, but can't be sure as I set it up a long time ago.

Will try deploying this in a Linux container instead of a Docker one. That should fix it if that's the issue.


@github-actions[bot] commented on GitHub (Jul 12, 2025):

Issue is now considered stale. If you want to keep it open, please comment 👍
