[GH-ISSUE #356] Restricting Access by IP Address #309

Closed
opened 2026-02-26 06:32:12 +03:00 by kerem · 7 comments

Originally created by @Indemnity83 on GitHub (Apr 9, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/356

The Problem
I'm using the reverse proxy to give simple domain names to a couple of dozen services all running on docker in my home so I don't have to remember what random port the container's web interface is on. I suspect this use case is quite common (see #137, #135 as similar examples). However, this potentially exposes my proxy hosts to the internet at large, and I don't want public access to these services.

The current Access list will let me put a basic auth "firewall" between the outside world and my private services, but it also complicates access for legitimate access (particularly since password managers can't always fill out basic auth requests, and strong passwords are highly encouraged for anything public).

The Solution
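Expand the Access Lists to allow restriction by IP address in addition to basic auth. The NGINX documentation actually [has an amazing example](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/#combining-basic-authentication-with-access-restriction-by-ip-address) that describes exactly what we're after.

I've made a mockup of the revised "New Access List" modal (the HTML can be found [in a gist here](https://gist.github.com/Indemnity83/12a6a0f34127b79b8200ff43982fe8ce)).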

The goal of the UI changes is to keep things simple and approachable even for users who may not understand what's going on under the hood. No other UI changes would be necessary. I'm not certain of the extent of back-end changes required at this point.

Alternatives
This configuration can be achieved by utilizing the advanced -> Custom Nginx Configuration feature already built into the application. However, there are a few issues/concerns with implementing IP restriction this way:

  1. It requires the user to have an understanding of NGINX configuration
  2. Changes/updates must be applied to every proxy host individually
  3. It's not obvious from the proxy hosts list that there is any access control enabled (or conversely if you've forgotten to apply access restrictions to a host)
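
The combination requested above (IP allow/deny rules alongside basic auth) depends on nginx's `satisfy` directive. The following is an added example, not part of the original issue or the project's code, that models the outcome in Python under simplified assumptions; the function names, sample rules and credentials are constructed for illustration.

```python
# Added example: simplified model of nginx access checks (allow/deny + auth_basic).
# RULES and USERS are constructed sample data, not values from the issue.
import ipaddress

RULES = [("allow", "192.168.1.0/24"), ("deny", "all")]
USERS = {"admin": "constructed-password"}

def ip_check(client_ip, rules):
    """First matching allow/deny rule wins; None means no rule matched."""
    addr = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or addr in ipaddress.ip_network(target, strict=False):
            return action == "allow"
    return None

def auth_check(credentials, users):
    """True for a valid user/password pair, False if not; None when auth is off."""
    if users is None:
        return None
    return credentials is not None and users.get(credentials[0]) == credentials[1]

def access_status(client_ip, credentials, rules, users, satisfy="all"):
    """Return the status the access checks produce (200 means the request passes)."""
    ip_ok = ip_check(client_ip, rules)
    auth_ok = auth_check(credentials, users)
    if satisfy == "any":
        # One passing check is enough, so valid credentials override a deny rule.
        if ip_ok or auth_ok:
            return 200
        if auth_ok is False:
            return 401  # a denied address still gets the login prompt
        return 403 if ip_ok is False else 200
    # satisfy all: every configured check must pass; the IP rules run first.
    if ip_ok is False:
        return 403
    if auth_ok is False:
        return 401
    return 200

if __name__ == "__main__":
    for mode in ("any", "all"):
        for ip in ("192.168.1.10", "203.0.113.7"):
            for creds in (None, ("admin", "constructed-password")):
                status = access_status(ip, creds, RULES, USERS, mode)
                print(mode, ip, "creds" if creds else "no-creds", status)
```

With `satisfy any`, an address outside the allowed range is not refused outright: it is asked for credentials and admitted if they are valid. Only `satisfy all` makes the IP list a hard boundary.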

@Indemnity83 commented on GitHub (Apr 9, 2020):

I'm willing to work on a PR on this as well, but I'm not intimately familiar with the js libraries being used so I may only be able to provide an 80% solution before needing some assistance.


@Thijmen commented on GitHub (Apr 11, 2020):

Awesome @Indemnity83, I was looking for this as well. Is there any way I can help you? I am not familiar either, but I am sure we can figure it out!


@Indemnity83 commented on GitHub (Apr 14, 2020):

This was merged in with #360 🎉


@Yabbo commented on GitHub (Jan 26, 2021):

This doesn't seem to actually stop anything for me... if I put allow a specific internal IP and leave the block all at the end, I can still hit the domain from outside my network.


@talesam commented on GitHub (Mar 25, 2021):

Can I restrict that a host can only be accessed by a specific IP? I want to restrict only one host, where is my served as bkp running with web interface.


@Subline-75 commented on GitHub (May 11, 2021):

> This doesn't seem to actually stop anything for me... if I put allow a specific internal IP and leave the block all at the end, I can still hit the domain from outside my network.

Did you find a way to block access via the server IP?
I can access the auth page of NPM via my domain but also with my server IP and I would like to prevent this.


@l-Legacy-l commented on GitHub (May 13, 2021):

It doesn't seem to work for me also
