[PR #3364] Added support for ddns lookups for addresses in access lists #3687

Open
opened 2026-02-26 08:31:34 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/NginxProxyManager/nginx-proxy-manager/pull/3364
Author: @vari
Created: 12/3/2023
Status: 🔄 Open

Base: develop ← Head: access-list-client-ddns-support


📝 Commits (8)

  • 5586709 Initial pass at DDNS support for client addresses
  • ec9eb0d Refactor and integrate ddns resolution with nginx module
  • 972d158 fix linter warnings
  • 33f41f7 Fix utils.js linter error
  • 743cdd8 Eliminate circular dependency
  • 7b09fef Update configs for active hosts only on ddns update
  • 3b0ff57 doc string update
  • e317900 Add support for '-' in ddns domain names

📊 Changes

7 files changed (+338 additions, -10 deletions)

📝 backend/index.js (+2 -0)
📝 backend/internal/nginx.js (+45 -9)
➕ backend/lib/ddns_resolver/ddns_resolver.js (+83 -0)
➕ backend/lib/ddns_resolver/ddns_updater.js (+167 -0)
📝 backend/lib/utils.js (+35 -0)
📝 backend/logger.js (+2 -1)
📝 backend/schema/endpoints/access-lists.json (+4 -0)

📄 Description

Added support for ddns:somedomain.whateverddns.com address format in the client access lists.

This allows users to specify domain names instead of IP addresses for allow/deny lists, thereby allowing dynamic allow/deny lists.

This is useful if users have a service exposed to the public internet via a ddns domain, and they want to limit it so that only users from the local network can access the service on the ddns domain.

In theory, this is probably already possible by using custom DNS server to prevent any local network request to the domain name from going outside to the internet (and then setting allow list to local subnet in proxy manager), but not everyone can (or will) use a custom DNS server for their setup.

The new ddns support makes it trivially easy for anyone to limit to local network if they are using ddns without having to mess with custom DNS servers or network configuration. Also, if users want to expose their service to a fixed number of external users, then the ddns lookup can be used with the allow list provided the external users are using a ddns service. E.g. if I want to share a service on my network to 2 friends, and each friend uses a ddns that points to their public IP (friend1.domain.com, friend2.domain.com), then I can just add ddns:friend1.domain.com and ddns:friend2.domain.com to my allow list in proxy manager and they will continue to have access even if their public IP changes. I won't have to manually go and update the access list every time the IP changes.

This should address #1708 and #2240.

Compared to some of the existing solutions mentioned in the above issues, this implementation should be the simplest with minimal overhead and no other dependencies (e.g. no cron, env vars, etc needed). Can directly specify the domains in the normal allow list UI.

Usage:

  • Prefix the dynamic domain/host you want to use for the access list with ddns:
    e.g. If you want to add the dynamic hosts yourdomain.ddns.com and yourdomain2.ddns.com to your allow list, do the following:
    [image]
  • Upon saving the access list, any associated hosts will automatically be updated to use the resolved IP of the dynamic domain/host in the access list (and this will trigger a nginx reload so that changes take effect).
  • The proxy manager will also periodically poll the dynamic domains, and update any proxy hosts that are using those domains if there is an IP address update. Default interval is 1 hour, can be configured by setting the DDNS_UPDATE_INTERVAL env var to the desired number of seconds (minimum 60).
    On start up, all used domains will be resolved and any associated hosts will be updated in nginx about 10s after the proxy manager starts (10s buffer ensures server has enough time to finish loading).

Disclaimers:

  • I haven't used js in almost 6 years, do not be surprised if the code is inefficient / not following best practices. Suggestions for cleaning up and refactoring the code to make it more efficient/readable are welcome!
  • I'm using getent hosts <hostname> to look up the IP of the user defined domains - if there is a better way, please let me know and I can update the PR. I've tried to make it safe by using spawn instead of exec to prevent issues with unsanitized user inputs, however I'm not doing any custom sanitization.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
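
An added example, not code from this PR or from nginx-proxy-manager: one way to validate a ddns: entry before it reaches a spawned lookup, and to check the resolver's answer before it is written into an nginx allow/deny rule. The names parseDdnsEntry, toRule and renderClientRules, the injected lookup function and the sample data are assumptions made for illustration; only ddns: entries are handled here.

```javascript
const net = require('net');

const DDNS_PREFIX = 'ddns:';
// RFC 1123 label: alphanumeric at both ends, '-' only in the middle, max 63 chars.
const LABEL = /^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$/i;

// Returns the hostname of a well-formed "ddns:<host>" entry, or null.
// Rejecting a leading '-' keeps the name from being read as an option by a
// spawned lookup command such as `getent hosts <hostname>`.
function parseDdnsEntry(entry) {
  if (typeof entry !== 'string' || !entry.startsWith(DDNS_PREFIX)) return null;
  const host = entry.slice(DDNS_PREFIX.length);
  if (host.length === 0 || host.length > 253) return null;
  const labels = host.split('.');
  return labels.length >= 2 && labels.every((l) => LABEL.test(l)) ? host : null;
}

// Builds one nginx access rule, or null unless the directive is allow/deny
// and the resolver output is a literal IPv4/IPv6 address.
function toRule(directive, resolved) {
  if (directive !== 'allow' && directive !== 'deny') return null;
  return net.isIP(resolved) !== 0 ? `${directive} ${resolved};` : null;
}

// `lookup` is an injected async (host) => string (hypothetical hook), e.g.
// (h) => require('dns').promises.lookup(h).then((r) => r.address)
async function renderClientRules(clients, lookup) {
  const rules = [];
  const rejected = [];
  for (const { address, directive } of clients) {
    const host = parseDdnsEntry(address);
    const resolved = host === null ? null : await lookup(host).catch(() => null);
    const rule = resolved === null ? null : toRule(directive, resolved);
    if (rule === null) rejected.push(address); else rules.push(rule);
  }
  return { rules, rejected };
}

// Constructed sample data; the IP addresses come from documentation ranges.
const SAMPLE_CLIENTS = [
  { address: 'ddns:friend1.domain.com', directive: 'allow' },
  { address: 'ddns:my-home.example.net', directive: 'allow' },
  { address: 'ddns:-s.example.net', directive: 'allow' },     // label starts with '-'
  { address: 'ddns:broken.example.net', directive: 'allow' }, // resolver returns junk
];
const SAMPLE_DNS = { 'friend1.domain.com': '203.0.113.7',
  'my-home.example.net': '2001:db8::10', 'broken.example.net': 'SERVFAIL' };
const sampleLookup = async (host) => SAMPLE_DNS[host];
```

Entries that fail validation or resolution land in rejected rather than in the generated rules, so a bad name or a failed lookup never produces a config line.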
