starred/nginx-proxy-manager-NginxProxyManager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2026-04-25 09:25:55 +03:00
Code Issues 937 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #637] Udating AccessList will not reload nginx #539

New issue
Closed
opened 2026-02-26 06:33:19 +03:00 by kerem · 13 comments
kerem commented 2026-02-26 06:33:19 +03:00
Owner
Copy link

Originally created by @spoolr on GitHub (Oct 6, 2020).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/637

Describe the bug

  • Access List doesn't work at all. I have never managed to see an authentication box with or without custom location .
  • Force SSL doesn't work with custom location

To Reproduce

  1. I created a Proxy Host with SSL, I have Force SSL set. I can only visit with HTTPS. Great.
  2. Now I added an Access List with just one user and password and now my HTTPS is 403 Forbidden. I am never prompted to authenticate it's always 403 Forbidden
  3. If I change the Access List to "Satisfy Any" and add my IP with "192.168.0.0/24" it is still 403 Forbidden.
  4. Either Access Lists don't work, or I don't understand them.
  5. If I create a Custom Location for this Proxy so that accessing / goes to /folder
  • the Access List no longer generates 403 Forbidden and the site is open to all
  • Force SSL no longer works, I can browse with HTTP

As I've been typing this I've found the Access List not working with Custom Location bug report. I see it's going back to last year. For a security problem that's really a long time. Now combine that with Force SSL also being broken, another security problem. It had me convinced this project had become abandoned, yet there is life with multiple updates this year. It's true that most apps do there own security, but I have a few like COPS that could benefit from a working Access List. Please try and address these issues in the next release.

Originally created by @spoolr on GitHub (Oct 6, 2020). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/637 **Describe the bug** - Access List doesn't work at all. I have never managed to see an authentication box with or without custom location . - Force SSL doesn't work with custom location **To Reproduce** 1. I created a Proxy Host with SSL, I have Force SSL set. I can only visit with HTTPS. Great. 2. Now I added an Access List with just one user and password and now my HTTPS is 403 Forbidden. I am never prompted to authenticate it's always 403 Forbidden 3. If I change the Access List to "Satisfy Any" and add my IP with "192.168.0.0/24" it is still 403 Forbidden. 4. Either Access Lists don't work, or I don't understand them. 5. If I create a Custom Location for this Proxy so that accessing / goes to /folder - the Access List no longer generates 403 Forbidden and the site is open to all - Force SSL no longer works, I can browse with HTTP As I've been typing this I've found the Access List not working with Custom Location bug report. I see it's going back to last year. For a security problem that's really a long time. Now combine that with Force SSL also being broken, another security problem. It had me convinced this project had become abandoned, yet there is life with multiple updates this year. It's true that most apps do there own security, but I have a few like COPS that could benefit from a working Access List. Please try and address these issues in the next release.
kerem 2026-02-26 06:33:19 +03:00
  • closed this issue
  • added the
    stale
    bug
         labels
kerem commented 2026-02-26 06:33:19 +03:00
Author
Owner
Copy link

@spoolr commented on GitHub (Oct 14, 2020):

After playing around some more I've come to the realization that even though this offers a fancy GUI interface, changes to the Access List will not cause nginx to reload. This is why the changes are not reflected. If you make changes to the Access List, you will need to save the Proxy as well to force nginx to reload. There are no indications of what action will force a reload aside from looking at the logs.

After many days of struggling with this program that I thought would save me time from learning to configure nginx directly, I have downloaded Caddy, and with two simple lines in plain english my reverse proxy just worked.

<!-- gh-comment-id:708157008 --> @spoolr commented on GitHub (Oct 14, 2020): After playing around some more I've come to the realization that even though this offers a fancy GUI interface, changes to the Access List will not cause nginx to reload. This is why the changes are not reflected. If you make changes to the Access List, you will need to save the Proxy as well to force nginx to reload. There are no indications of what action will force a reload aside from looking at the logs. After many days of struggling with this program that I thought would save me time from learning to configure nginx directly, I have downloaded Caddy, and with two simple lines in plain english my reverse proxy just worked.
kerem commented 2026-02-26 06:33:19 +03:00
Author
Owner
Copy link

@hasangnu commented on GitHub (Oct 16, 2020):

Force SSL doesn't work with custom location

I had a similar problem with proxy_pass. maybe force ssl when you add include conf.d/include/force-ssl.conf;

my custon nginx configuration.

location / {
    include conf.d/include/force-ssl.conf;
    proxy_pass http://domain:port/url/;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;
}
<!-- gh-comment-id:710296116 --> @hasangnu commented on GitHub (Oct 16, 2020): > Force SSL doesn't work with custom location I had a similar problem with proxy_pass. maybe force ssl when you add **include conf.d/include/force-ssl.conf;** my custon nginx configuration. ``` location / { include conf.d/include/force-ssl.conf; proxy_pass http://domain:port/url/; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; proxy_http_version 1.1; } ```
kerem commented 2026-02-26 06:33:19 +03:00
Author
Owner
Copy link

@TPham92 commented on GitHub (Dec 7, 2020):

Any updates/work around on this? When using Access list it never prompted to authenticate it's always 403 Forbidden. It not consistent, some time it works some time not.

<!-- gh-comment-id:739670358 --> @TPham92 commented on GitHub (Dec 7, 2020): Any updates/work around on this? When using Access list it never prompted to authenticate it's always 403 Forbidden. It not consistent, some time it works some time not.
kerem commented 2026-02-26 06:33:19 +03:00
Author
Owner
Copy link

@graydonpleasants commented on GitHub (Dec 15, 2020):

I also have this issue when adding a new proxy with access pointing to an existing Access List, Publicly accessible works just fine.

<!-- gh-comment-id:745375094 --> @graydonpleasants commented on GitHub (Dec 15, 2020): I also have this issue when adding a new proxy with access pointing to an existing Access List, Publicly accessible works just fine.
kerem commented 2026-02-26 06:33:19 +03:00
Author
Owner
Copy link

@hsindrup commented on GitHub (Dec 24, 2020):

Hi all
I am (allmost) sure, that IP in acces lists only can contain public addresses.. I.e. your one public address will only allow your home network to acces

https://www.youtube.com/watch?v=UfCkwlPIozw

Mary Christmas

<!-- gh-comment-id:750764061 --> @hsindrup commented on GitHub (Dec 24, 2020): Hi all I am (allmost) sure, that IP in acces lists only can contain public addresses.. I.e. your one public address will only allow your home network to acces https://www.youtube.com/watch?v=UfCkwlPIozw Mary Christmas
kerem commented 2026-02-26 06:33:19 +03:00
Author
Owner
Copy link

@niklasdahlheimer commented on GitHub (Jan 18, 2022):

Can someone confirm or refute @hsindrup's comment that only public IPs are allowed in the ACL?

We use private IP address ranges, but ran into issues (NGINX keeps "seeing" the public IP of the local requester and therefore denies access). I was convinced that this is more an issue of our local DNS Server, but after I read @hsindrup 's comment I'm not sure anymore about that. A clear statement about that would be great, so I will not continue to search for a solution at the wrong place.

This guy here also uses private IP address ranges: https://youtu.be/G9voYZejH48?t=318

<!-- gh-comment-id:1015742758 --> @niklasdahlheimer commented on GitHub (Jan 18, 2022): **Can someone confirm or refute @hsindrup's comment that only public IPs are allowed in the ACL?** We use private IP address ranges, but ran into issues (NGINX keeps "seeing" the public IP of the local requester and therefore denies access). I was convinced that this is more an issue of our local DNS Server, but after I read @hsindrup 's comment I'm not sure anymore about that. A clear statement about that would be great, so I will not continue to search for a solution at the wrong place. This guy here also uses private IP address ranges: https://youtu.be/G9voYZejH48?t=318
kerem commented 2026-02-26 06:33:19 +03:00
Author
Owner
Copy link

@psychogun commented on GitHub (Feb 10, 2022):

@niklasdahlheimer
https://nginx.org/en/docs/http/ngx_http_access_module.html

I think it should work with local IP addresses.

I am struggling with Access List too. Using ss on the machine hosting the container, I can clearly see my IP adress which I am connecting to the Nginx Proxy Manager service with (port :81). This will hence be the IP address which will connect to the reversed service.

If I add this specific IP adresse to the Access list, I get "403 forbidden" - "10.0.44.41"
If I add the IP address with subnet range; 10.0.44.0/24, I get "403 forbidden".

If I add 10.0.44.0/16, it suddenly works.

I have to edit the Access List, and then go to the Proxy Host and click Save for any changes to take effect.

However, it works for the rest of the world too, with /16, which is not what I am trying to accomplish :) Although 10.0 is a private IP range. ..

I want to be able to dial home with a VPN before allowing access to my bitwarden instance.

<!-- gh-comment-id:1034943124 --> @psychogun commented on GitHub (Feb 10, 2022): @niklasdahlheimer https://nginx.org/en/docs/http/ngx_http_access_module.html I think it should work with local IP addresses. I am struggling with Access List too. Using `ss` on the machine hosting the container, I can clearly see my IP adress which I am connecting to the Nginx Proxy Manager service with (port :81). This will hence be the IP address which will connect to the reversed service. If I add this specific IP adresse to the Access list, I get "403 forbidden" - "10.0.44.41" If I add the IP address with subnet range; 10.0.44.0/24, I get "403 forbidden". If I add 10.0.44.0/16, it suddenly works. I have to edit the Access List, and then go to the Proxy Host and click Save for any changes to take effect. However, it works for the rest of the world too, with /16, which is not what I am trying to accomplish :) Although 10.0 is a private IP range. .. I want to be able to dial home with a VPN before allowing access to my bitwarden instance.
kerem commented 2026-02-26 06:33:19 +03:00
Author
Owner
Copy link

@psychogun commented on GitHub (Feb 10, 2022):

@niklasdahlheimer

The request was not coming from the address above. Go to /data/logs/ and use tail -f proxy-host-1_access.log to see where the culprit is. I have a setup with a plethora of IP addresses all of the place - and I see the requests are coming from an IP namely 10.0.2.100.

However, where the hell is that IP coming from? Is this an internal podman network IP?

<!-- gh-comment-id:1034958018 --> @psychogun commented on GitHub (Feb 10, 2022): @niklasdahlheimer The request was not coming from the address above. Go to `/data/logs/` and use `tail -f proxy-host-1_access.log` to see where the culprit is. I have a setup with a plethora of IP addresses all of the place - and I see the requests are coming from an IP namely `10.0.2.100`. However, where the hell is that IP coming from? Is this an internal podman network IP?
kerem commented 2026-02-26 06:33:19 +03:00
Author
Owner
Copy link

@psychogun commented on GitHub (Feb 10, 2022):

@niklasdahlheimer
I can confirm it works with local/private IP addresses. A good tip is to find out which IP address is hitting the proxy through the log file. As for the solution to my problems, it was found here: https://github.com/containers/podman/discussions/10472

I am running NPM in rockylinux as a rootless container:

podman run -d -v ~/podman/npm/data/:/data/:Z -v ~/podman/npm/letsencrypt/:/letsencrypt/:Z -p 80:80 -p 81:81 -p 443:443 --net=slirp4netns:port_handler=slirp4netns jc21/nginx-proxy-manager:latest

However, to the initial bug; yes - whenever I change the Access List, I have to go to the Proxy Host and click Save to make it refresh.

<!-- gh-comment-id:1035450770 --> @psychogun commented on GitHub (Feb 10, 2022): @niklasdahlheimer I can confirm it works with local/private IP addresses. A good tip is to find out which IP address is hitting the proxy through the log file. As for the solution to my problems, it was found here: https://github.com/containers/podman/discussions/10472 I am running NPM in rockylinux as a rootless container: ``` podman run -d -v ~/podman/npm/data/:/data/:Z -v ~/podman/npm/letsencrypt/:/letsencrypt/:Z -p 80:80 -p 81:81 -p 443:443 --net=slirp4netns:port_handler=slirp4netns jc21/nginx-proxy-manager:latest ``` However, to the initial bug; yes - whenever I change the Access List, I have to go to the Proxy Host and click Save to make it refresh.
kerem commented 2026-02-26 06:33:19 +03:00
Author
Owner
Copy link

@ralphocdol commented on GitHub (Nov 14, 2022):

changes to the Access List will not cause nginx to reload

2 years later it still is the case, I was confused at first and had to restart my server which did not help, after poking around I manage to make it work the exact same thing that @spoolr did:

If you make changes to the Access List, you will need to save the Proxy as well to force nginx to reload.

Good thing my server is small

<!-- gh-comment-id:1313980529 --> @ralphocdol commented on GitHub (Nov 14, 2022): > changes to the Access List will not cause nginx to reload 2 years later it still is the case, I was confused at first and had to restart my server which did not help, after poking around I manage to make it work the exact same thing that @spoolr did: > If you make changes to the Access List, you will need to save the Proxy as well to force nginx to reload. Good thing my server is small
kerem commented 2026-02-26 06:33:19 +03:00
Author
Owner
Copy link

@ralphocdol commented on GitHub (Sep 12, 2023):

So I did some changes after configuring a VLAN and manage to find my comment almost a year after.

An update to this:

I was confused at first and had to restart my server which did not help

with v2.10.4, a server restart now works

<!-- gh-comment-id:1714777630 --> @ralphocdol commented on GitHub (Sep 12, 2023): So I did some changes after configuring a VLAN and manage to find my comment almost a year after. An update to this: > I was confused at first and had to restart my server which did not help with v2.10.4, a server restart now works
kerem commented 2026-02-26 06:33:19 +03:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (Mar 24, 2024):

Issue is now considered stale. If you want to keep it open, please comment 👍

<!-- gh-comment-id:2016661977 --> @github-actions[bot] commented on GitHub (Mar 24, 2024): Issue is now considered stale. If you want to keep it open, please comment :+1:
kerem commented 2026-02-26 06:33:19 +03:00
Author
Owner
Copy link

@github-actions[bot] commented on GitHub (May 4, 2025):

Issue was closed due to inactivity.

<!-- gh-comment-id:2848914173 --> @github-actions[bot] commented on GitHub (May 4, 2025): Issue was closed due to inactivity.
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
dependabot/npm_and_yarn/backend/liquidjs-10.25.7
dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987
dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41
dependabot/npm_and_yarn/backend/basic-ftp-5.3.0
dependabot/npm_and_yarn/test/follow-redirects-1.16.0
dependabot/npm_and_yarn/test/axios-1.15.0
dependabot/npm_and_yarn/frontend/lodash-4.18.1
dependabot/npm_and_yarn/backend/lodash-4.18.1
dependabot/npm_and_yarn/test/lodash-4.18.1
dependabot/npm_and_yarn/frontend/vite-7.3.2
dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21
dependabot/npm_and_yarn/frontend/lodash-es-4.18.1
dependabot/npm_and_yarn/frontend/happy-dom-20.8.9
dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0
dependabot/npm_and_yarn/frontend/picomatch-4.0.4
dependabot/npm_and_yarn/backend/picomatch-2.3.2
dependabot/npm_and_yarn/frontend/yaml-1.10.3
dependabot/npm_and_yarn/test/flatted-3.4.2
dependabot/npm_and_yarn/test/tar-7.5.11
dependabot/npm_and_yarn/frontend/immutable-5.1.5
master
dependabot/npm_and_yarn/test/glob-10.5.0
dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1
dependabot/npm_and_yarn/test/form-data-4.0.4
v3-abandoned
bump-freedns
openidc
ssl-passthrough-hosts
static-content
v2.14.0
v2.13.7
v2.13.6
v2.13.5
v2.13.4
v2.13.3
v2.13.2
v2.13.1
v2.13.0
v2.12.6
v2.12.5
v2.12.4
v2.12.3
v2.12.2
v2.12.1
v2.12.0
v2.11.3
v2.11.2
v2.11.1
v2.11.0
v2.10.4
v2.10.3
v2.10.2
v2.10.1
v2.10.0
v2.9.22
v2.9.21
v2.9.20
v2.9.19
v2.9.18
v2.9.17
v2.9.16
v2.9.15
v2.9.14
v2.9.13
v2.9.12
v2.9.11
v2.9.10
v2.9.9
v2.9.8
v2.9.7
v2.9.6
v2.9.5
v2.9.4
v2.9.3
v2.9.2
v2.9.1
v2.9.0
v2.8.1
v2.8.0
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.0
v2.3.1
v2.3.0
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
2.0.14
2.0.13
2.0.12
2.0.11
2.0.10
2.0.9
2.0.8
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.0
v2.0.0
1.1.2
1.1.1
1.0.1
Labels
Clear labels   
awaiting feedback

   
bug

   
cannot reproduce

   
dns provider request

   
duplicate

   
enhancement

   
enhancement

   
enhancement

   
good first issue

   
help wanted

   
invalid

   
need more info

   
no certbot plugin available

   
product-support

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
stale

   
troll

   
upstream issue

   
v2

   
v2

   
v2

   
v3

   
wontfix
No labels
awaiting feedback
bug
cannot reproduce
dns provider request
duplicate
enhancement
enhancement
enhancement
good first issue
help wanted
invalid
need more info
no certbot plugin available
product-support
pull-request
question
stale
troll
upstream issue
v2
v2
v2
v3
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/nginx-proxy-manager-NginxProxyManager#539
No description provided.