[PR #5211] feat: Add IP-based access control for Stream Hosts #4091

Open
opened 2026-02-26 08:33:06 +03:00 by kerem · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/NginxProxyManager/nginx-proxy-manager/pull/5211
Author: @Kiryuumaru
Created: 1/23/2026
Status: 🔄 Open

Base: develop ← Head: feature/stream-access-list


📝 Commits (2)

  • 933ee2b feat: Add IP-based access control for Stream Hosts
  • fb19619 Retry CI

📊 Changes

21 files changed (+168 additions, -25 deletions)

View changed files

📝 backend/internal/access-list.js (+27 -5)
📝 backend/internal/stream.js (+6 -6)
➕ backend/migrations/20260123000000_stream_access.js (+43 -0)
📝 backend/models/access_list.js (+12 -0)
📝 backend/models/stream.js (+12 -0)
📝 backend/schema/components/stream-object.json (+15 -0)
📝 backend/schema/paths/nginx/streams/get.json (+2 -1)
📝 backend/schema/paths/nginx/streams/post.json (+6 -1)
📝 backend/schema/paths/nginx/streams/streamID/get.json (+2 -1)
📝 backend/schema/paths/nginx/streams/streamID/put.json (+5 -1)
➕ backend/templates/_access_stream.conf (+10 -0)
📝 backend/templates/stream.conf (+4 -0)
📝 frontend/src/api/backend/expansions.ts (+1 -0)
📝 frontend/src/api/backend/getStream.ts (+2 -2)
📝 frontend/src/api/backend/getStreams.ts (+2 -2)
📝 frontend/src/api/backend/models.ts (+2 -0)
📝 frontend/src/hooks/useStream.ts (+2 -1)
📝 frontend/src/hooks/useStreams.ts (+3 -3)
📝 frontend/src/modals/StreamModal.tsx (+3 -1)
📝 frontend/src/pages/Nginx/Streams/Table.tsx (+8 -0)

...and 1 more files

📄 Description

Summary

This PR implements IP-based access control for Stream Hosts, addressing feature request #5125.

Changes

Backend

  • Database Migration: Added access_list_id column to the stream table
  • Models: Added access_list relation to Stream model and streams relation to AccessList model
  • Internal Logic:
    • Updated stream CRUD operations to handle access_list expansion
    • Updated access-list internal to regenerate stream configs when access lists are modified or deleted
  • API Schemas: Added access_list_id to stream POST/PUT endpoints
  • Nginx Templates:
    • Created _access_stream.conf template for IP-based allow/deny rules
    • Updated stream.conf to include the access template for both TCP and UDP blocks

Frontend

  • Added StreamExpansion type for API calls
  • Added accessListId and accessList to Stream interface
  • Added Access tab to Stream modal with AccessField component
  • Added Access List column to Streams table

Implementation Notes

  • Only IP-based rules are applied - The nginx stream module does not support HTTP basic authentication or the satisfy directive, so only allow/deny rules from the Access List clients are used
  • When an Access List is assigned to a stream, the generated nginx config includes:
    • allow directives for each client IP/CIDR in the access list
    • A final deny all; directive
  • When an Access List is deleted or modified, all associated stream configs are automatically regenerated

Example Generated Config

server {
  listen 55555;
  listen [::]:55555;

  # Stream Access Control (IP-based only)
  # Note: nginx stream module does not support basic auth or satisfy directives
  # Access Rules: 1 total
  allow 100.64.0.0/10;
  deny all;

  proxy_pass 192.168.1.100:5555;
  ...
}


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
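
An added example, not code from this PR: a sketch of rendering the allow/deny block described in the implementation notes, validating each client address before it reaches the nginx template and evaluating the rules the way nginx does (first match wins, then the final `deny all;`). The `directive` and `address` field names and every function name are assumptions.

```javascript
// Added example (not from the PR). `directive`/`address` are assumed field names.
const net = require("node:net");

// Accept only a bare IP or IP/prefix so nothing else can reach the template.
function parseClientAddress(value) {
  const [addr, prefix, ...rest] = String(value).split("/");
  const family = net.isIP(addr); // 0 = not an IP, otherwise 4 or 6
  if (family === 0 || addr.includes("%") || rest.length > 0) {
    throw new Error(`invalid client address: ${JSON.stringify(value)}`);
  }
  if (prefix === undefined) return { addr, family };
  if (!/^\d{1,3}$/.test(prefix) || Number(prefix) > (family === 4 ? 32 : 128)) {
    throw new Error(`invalid prefix length: ${JSON.stringify(value)}`);
  }
  return { addr, family, prefix: Number(prefix) };
}

// Build the access block: one directive per client, then "deny all;".
function renderStreamAccess(clients) {
  const rules = clients.map(({ directive, address }) => {
    if (directive !== "allow" && directive !== "deny") {
      throw new Error(`invalid directive: ${JSON.stringify(directive)}`);
    }
    const { addr, prefix } = parseClientAddress(address);
    return `${directive} ${prefix === undefined ? addr : `${addr}/${prefix}`};`;
  });
  return [`# Access Rules: ${rules.length} total`, ...rules, "deny all;"].join("\n");
}

// Rules are checked in order; the first matching rule decides.
function isClientAllowed(clients, clientIp) {
  const clientFamily = net.isIP(clientIp);
  if (clientFamily === 0) return false;
  const type = `ipv${clientFamily}`;
  for (const { directive, address } of clients) {
    const { addr, family, prefix } = parseClientAddress(address);
    if (family !== clientFamily) continue; // an IPv4 rule never matches IPv6
    const rule = new net.BlockList();
    if (prefix === undefined) rule.addAddress(addr, type);
    else rule.addSubnet(addr, prefix, type);
    if (rule.check(clientIp, type)) return directive === "allow";
  }
  return false; // no rule matched: the trailing "deny all;" applies
}

// Constructed sample mirroring the example config in the description.
const sampleClients = [{ directive: "allow", address: "100.64.0.0/10" }];
console.log(renderStreamAccess(sampleClients));
```
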
