[PR #5208] fix: Check access list before force SSL redirect #4090

Open
opened 2026-02-26 08:33:06 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/NginxProxyManager/nginx-proxy-manager/pull/5208
Author: @Kiryuumaru
Created: 1/22/2026
Status: 🔄 Open

Base: develop ← Head: fix/force-ssl-access-list-bypass


📝 Commits (1)

  • 19086ce fix: check access list before force SSL redirect

📊 Changes

5 files changed (+89 additions, -0 deletions)

View changed files

📝 backend/internal/access-list.js (+57 -0)
📝 backend/templates/_forced_ssl.conf (+18 -0)
➕ backend/templates/access_list_geo.conf (+10 -0)
📝 docker/rootfs/etc/nginx/nginx.conf (+3 -0)
📝 docker/rootfs/etc/s6-overlay/s6-rc.d/prepare/20-paths.sh (+1 -0)

📄 Description

Fixes #5207 - Security issue where Force SSL leaks host existence

When both Force SSL and an Access List are active on a Proxy Host, HTTP requests from unauthorized IPs were receiving a 301 redirect instead of being blocked. This allowed attackers to enumerate valid hosts by brute-forcing the Host header.

Solution: Use nginx geo module to check IP access before the SSL redirect. Only allowed IPs get redirected to HTTPS; denied IPs fall through to the access phase and receive 403.

Changes:

  • Add geo block template for IP-based access control
  • Modify _forced_ssl.conf to check geo variable before redirecting
  • Generate geo config files when access lists are created/updated
  • Include geo configs at http level in nginx.conf
  • Create access_geo directory on startup

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

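To make the phase-ordering point concrete, here is an added nginx configuration sketch (illustrative, not the project's own templates or the contents of this PR). It assumes a hypothetical access list named `acl_1`, the allowed networks 203.0.113.0/24 and 198.51.100.7, and the host name app.example.internal; the geo variable name `$acl_1_allow` is likewise an assumption. The first server block shows the leaky pattern the PR describes; the second shows the geo-gated redirect that lets denied clients fall through to the access phase.

```nginx
# Added example, not project code. Assumed: access list "acl_1", networks
# 203.0.113.0/24 and 198.51.100.7, host app.example.internal.

# http-level: ngx_http_geo_module maps the client address to a flag.
# geo is evaluated on first use of the variable, before the rewrite phase,
# so it is available to the "return" directive below.
geo $acl_1_allow {
    default        0;
    203.0.113.0/24 1;
    198.51.100.7   1;
}

# BEFORE (leaky): "return" runs in the server-rewrite phase, which precedes
# the access phase, so allow/deny never execute on port 80. Any client that
# guesses a valid Host header gets a 301, while an unknown Host does not.
server {
    listen 80;
    server_name app.example.internal;

    allow 203.0.113.0/24;
    allow 198.51.100.7;
    deny  all;

    return 301 https://$host$request_uri;   # reached by every client
}

# AFTER (gated): only clients the geo block marks as allowed are redirected.
# Everyone else skips the "return", proceeds to location matching and the
# access phase, and is rejected there by "deny all" with a 403.
server {
    listen 80;
    server_name app.example.internal;

    allow 203.0.113.0/24;
    allow 198.51.100.7;
    deny  all;

    if ($acl_1_allow) {
        return 301 https://$host$request_uri;   # allowed clients only
    }

    location / {
        return 403;   # belt-and-braces: never serve plaintext content here
    }
}
```

Two things a practitioner should check when applying this pattern. First, the geo block and the allow/deny rules must see the same client address: geo keys on `$remote_addr` by default, so if the proxy sits behind a load balancer or CDN and uses `set_real_ip_from`/`real_ip_header`, both checks will use the corrected address, but if only one of them is adjusted the two lists can disagree. Second, the enumeration oracle is only closed if a denied client's response for a real host is indistinguishable from the default server's response for an unknown Host; compare `curl -sI -H "Host: app.example.internal" http://<proxy>/` against the same request with a nonexistent Host from an address outside the list, and confirm both status and response headers match.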