starred/nginx-proxy-manager-NginxProxyManager
1
0
Fork 0
mirror of https://github.com/NginxProxyManager/nginx-proxy-manager.git synced 2026-04-25 01:15:51 +03:00
Code Issues 937 Projects Releases 10 Packages Wiki Activity

[GH-ISSUE #1105] Nginx proxy manager, limit access to local network via access list #912

New issue
Closed
opened 2026-02-26 06:34:54 +03:00 by kerem · 28 comments
kerem commented 2026-02-26 06:34:54 +03:00
Owner
Copy link

Originally created by @hakunamatata97k on GitHub (May 18, 2021).
Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1105

Are you in the right place?

  • If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit.
  • If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask.
  • If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the right place.

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • yes
  • Are you sure you're not using someone else's docker image?
  • im using the right image

Describe the bug

  • A clear and concise description of what the bug is.
    Recently I have been trying to limit the access of a self-hosted web service for "Streaming" to local network ONLY, with the aid of the nginx proxy manager.

My setup looks like the following:

  • Raspberry Pi 4 running Raspbian Os 64x running on a static IP (192.168.0.10).

  • docker & docker-compose & portainer are each properly installed.

  • raspberry running the following docker images with no ports conflicts: Nextcloud, ddclient, jc21/nginx-proxy-manager, pihole and finally this web service.

  • on the router (night hawk R7500), I set the IP address of the PiHole (in this case the Raspberry Pi) as DNS.

  • the Streaming website is a subdomain "movies.example.com". Where the domain "example.com" and the subdomain are enforced with self-signed SSL from the Nginx Proxy manger.

All the mentioned services are dockerized and nothing is installed on "bare metal"

The Nginx Proxy manager is installed with this tutorial.

The following (Screenshot 2) shows the view of the Nginx proxy manager access list IP Address Whitelist/Blacklist.

Screenshot(1)

Screenshot 3 shows both the view of the SSL settings (3.3) and the view of the details section of the chosen host assigned with Authorization for Streaming.

PhotoGrid_1621357132298__01

  • What version of Nginx Proxy Manager is reported on the login page?
    v2.9.2
  • What is shown upon calling the desired website from both the local and the external network: "403 Forbidden, openresty".
Originally created by @hakunamatata97k on GitHub (May 18, 2021). Original GitHub issue: https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1105 **Are you in the right place?** - If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit. - If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask. - If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the *right place.* **Checklist** - Have you pulled and found the error with `jc21/nginx-proxy-manager:latest` docker image? - yes - Are you sure you're not using someone else's docker image? - im using the right image - **Describe the bug** - A clear and concise description of what the bug is. Recently I have been trying to limit the access of a self-hosted web service for "Streaming" to local network ONLY, with the aid of the nginx proxy manager. My setup looks like the following: - Raspberry Pi 4 running Raspbian Os 64x running on a static IP (192.168.0.10). - docker & docker-compose & portainer are each properly installed. - raspberry running the following docker images with no ports conflicts: Nextcloud, ddclient, jc21/nginx-proxy-manager, pihole and finally this web service. - on the router (night hawk R7500), I set the IP address of the PiHole (in this case the Raspberry Pi) as DNS. - the Streaming website is a subdomain "movies.example.com". Where the domain "example.com" and the subdomain are enforced with self-signed SSL from the Nginx Proxy manger. All the mentioned services are dockerized and nothing is installed on "bare metal" The Nginx Proxy manager is installed with this [tutorial](https://www.the-digital-life.com/nextcloud-nginx-proxy-manager-in-10-minutes/). The following (Screenshot 2) shows the view of the Nginx proxy manager access list IP Address Whitelist/Blacklist. ![Screenshot(1)](https://user-images.githubusercontent.com/61120512/118694842-cf2ec800-b80c-11eb-85e3-27054d98261e.png) Screenshot 3 shows both the view of the SSL settings (3.3) and the view of the details section of the chosen host assigned with Authorization for Streaming. ![PhotoGrid_1621357132298__01](https://user-images.githubusercontent.com/61120512/118695098-161cbd80-b80d-11eb-8c0a-2d596d8fd2e7.png) - What version of Nginx Proxy Manager is reported on the login page? v2.9.2 - What is shown upon calling the desired website from both the local and the external network: "403 Forbidden, openresty".
kerem 2026-02-26 06:34:54 +03:00
kerem commented 2026-02-26 06:34:54 +03:00
Author
Owner
Copy link

@hakunamatata97k commented on GitHub (May 18, 2021):

I ended up whitelisting the public IP address of my router, and somehow it covered all the devices within my network.

<!-- gh-comment-id:843522308 --> @hakunamatata97k commented on GitHub (May 18, 2021): I ended up whitelisting the public IP address of my router, and somehow it covered all the devices within my network.
kerem commented 2026-02-26 06:34:54 +03:00
Author
Owner
Copy link

@benloeffel commented on GitHub (Aug 20, 2021):

Experiencing the same issue in the access list.
It seems, only external IP addresses are accepted in the access list - which isn't fun when your ISP assigns the IP dynamically.

<!-- gh-comment-id:902459139 --> @benloeffel commented on GitHub (Aug 20, 2021): Experiencing the same issue in the access list. It seems, only external IP addresses are accepted in the access list - which isn't fun when your ISP assigns the IP dynamically.
kerem commented 2026-02-26 06:34:54 +03:00
Author
Owner
Copy link

@mczeus commented on GitHub (Sep 28, 2021):

Hopefully this will be implemented soon, with a fixed IP that doesn't really help.

<!-- gh-comment-id:929055294 --> @mczeus commented on GitHub (Sep 28, 2021): Hopefully this will be implemented soon, with a fixed IP that doesn't really help.
kerem commented 2026-02-26 06:34:54 +03:00
Author
Owner
Copy link

@fgurdradee commented on GitHub (Oct 11, 2021):

I ended up whitelisting the public IP address of my router, and somehow it covered all the devices within my network.

I am ending up with the same issue. What subnet did you use for external IP ? /32 ?

<!-- gh-comment-id:939691347 --> @fgurdradee commented on GitHub (Oct 11, 2021): > I ended up whitelisting the public IP address of my router, and somehow it covered all the devices within my network. I am ending up with the same issue. What subnet did you use for external IP ? /32 ?
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@Dauntless0ne commented on GitHub (Oct 24, 2021):

Same issue. Unable to resolve it using internal single IP, subnet range, or external IP.

<!-- gh-comment-id:950259086 --> @Dauntless0ne commented on GitHub (Oct 24, 2021): Same issue. Unable to resolve it using internal single IP, subnet range, or external IP.
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@chaptergy commented on GitHub (Oct 24, 2021):

Unfortunately there is nothing we can do about that. If you look into the access logs of your proxy host found at /data/logs/proxy-host-<id>_access.log. You will see something like [Client 172.19.0.1] in each of the lines, which shows you what IP nginx has received that request from.
If your NPM instance is in the public internet, and not in your local network, local ip adresses are NOT available, and nginx will only receive your routers public ip address from the requesting client.
If your npm instance is within your local network, there is a quirk in how docker passes the ip to the container, causing the ip to be something like 172.19.x.x. This is the ip address of the docker bridge gateway. I think this should not happen if you send the request from a different machine than what npm is hosted on. Switching to host network mode in docker can resolve this issue, since the docker network won't have a bridge then. You can do this by changing port 80 and 443 section in your docker-compose to:

ports:
      - target: 443
        published: 443 # Outside port
        mode: host
        protocol: tcp
      - target: 80
        published: 80 # Outside port
        mode: host
        protocol: tcp
<!-- gh-comment-id:950384265 --> @chaptergy commented on GitHub (Oct 24, 2021): Unfortunately there is nothing we can do about that. If you look into the access logs of your proxy host found at `/data/logs/proxy-host-<id>_access.log`. You will see something like `[Client 172.19.0.1]` in each of the lines, which shows you what IP nginx has received that request from. If your NPM instance is in the public internet, and not in your local network, local ip adresses are NOT available, and nginx will only receive your routers public ip address from the requesting client. If your npm instance is within your local network, there is [a quirk in how docker passes the ip to the container](https://github.com/docker/roadmap/issues/157), causing the ip to be something like `172.19.x.x`. This is the ip address of the docker bridge gateway. I think this should not happen if you send the request from a different machine than what npm is hosted on. Switching to [host network mode](https://docs.docker.com/network/host/) in docker can resolve this issue, since the docker network won't have a bridge then. You can do this by changing port 80 and 443 section in your docker-compose to: ```yml ports: - target: 443 published: 443 # Outside port mode: host protocol: tcp - target: 80 published: 80 # Outside port mode: host protocol: tcp ```
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@jehanalvani commented on GitHub (Jun 2, 2022):

@chaptergy Thanks for the summary. As I understand, by switching to host networking on my proxy manager container, I should be able to allowlist both the public IP of my network, and the private subnet(s) of my network. I have done both steps, and continue to see the same behavior. From /data/logs/proxy-host-8-access.log

[02/Jun/2022:17:56:25 +0000] - - 403 - GET https ombi.alvani.me "/i/" [Client 50.35.120.49] [Length 111] [Gzip 1.35] [Sent-to 10.0.1.201] "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Safari/605.1.15" "-"

Allowlisting 50.35.120.49 still results in a 403.

Screen Shot 2022-06-02 at 11 05 36 AM
Screen Shot 2022-06-02 at 11 05 42 AM

<!-- gh-comment-id:1145161094 --> @jehanalvani commented on GitHub (Jun 2, 2022): @chaptergy Thanks for the summary. As I understand, by switching to host networking on my proxy manager container, I should be able to allowlist both the public IP of my network, and the private subnet(s) of my network. I have done both steps, and continue to see the same behavior. From `/data/logs/proxy-host-8-access.log` `[02/Jun/2022:17:56:25 +0000] - - 403 - GET https ombi.alvani.me "/i/" [Client 50.35.120.49] [Length 111] [Gzip 1.35] [Sent-to 10.0.1.201] "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.5 Safari/605.1.15" "-"` Allowlisting `50.35.120.49` still results in a 403. ![Screen Shot 2022-06-02 at 11 05 36 AM](https://user-images.githubusercontent.com/2472689/171697170-ef951c2a-cee0-4818-ba34-dba8c582a5d7.png) ![Screen Shot 2022-06-02 at 11 05 42 AM](https://user-images.githubusercontent.com/2472689/171697177-45eef244-fd57-44eb-b92b-29409a6558ed.png)
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@sadrian80 commented on GitHub (Jul 6, 2022):

Am I missing something?

I have NPM deployed in my local subnet. When I create an access list with

allow: 192.168.0.0/24
deny: all

and attach it to a proxy host, I get a 403 from everywhere, including any machine on the local subnet.
Screenshot 2022-07-06 at 13 49 36

image

<!-- gh-comment-id:1176126104 --> @sadrian80 commented on GitHub (Jul 6, 2022): Am I missing something? I have NPM deployed in my local subnet. When I create an access list with allow: 192.168.0.0/24 deny: all and attach it to a proxy host, I get a 403 from everywhere, including any machine on the local subnet. ![Screenshot 2022-07-06 at 13 49 36](https://user-images.githubusercontent.com/77888082/177543625-d11be6a6-84c8-41c7-982a-6daf86655603.png) ![image](https://user-images.githubusercontent.com/77888082/177543769-b91dcc8e-20f8-45aa-94a9-c8f2a5443df9.png)
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@PlexSheep commented on GitHub (Dec 11, 2022):

I can confirm this doesn't work. The compose snippet of chaptergy results in an error for me. If i try to whitelist my local ip subnet i get 403 on every page that uses the auth.

<!-- gh-comment-id:1345685976 --> @PlexSheep commented on GitHub (Dec 11, 2022): I can confirm this doesn't work. The compose snippet of [chaptergy](https://github.com/chaptergy) results in an error for me. If i try to whitelist my local ip subnet i get 403 on every page that uses the auth.
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@threehappypenguins commented on GitHub (Jan 19, 2023):

Adding to the Custom Nginx Configuration should work. I did this, but to whitelist DDNS addresses as well as LAN access. For example you could:

Hosts > Edit > Advanced and in Custom Nginx Configuration:

location = / {
	allow 192.168.1.1/24;
	allow 10.6.0.0/24;
	deny all;
}
<!-- gh-comment-id:1397719261 --> @threehappypenguins commented on GitHub (Jan 19, 2023): Adding to the _Custom Nginx Configuration_ should work. [I did this](https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1708#issuecomment-1397633769), but to whitelist DDNS addresses as well as LAN access. For example you could: Hosts > Edit > Advanced and in _Custom Nginx Configuration_: ``` location = / { allow 192.168.1.1/24; allow 10.6.0.0/24; deny all; } ```
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@trulow commented on GitHub (Feb 13, 2023):

I'm also having the same issue. I've tried even adding the Custom Nginx Config as stated by @threehappypenguins but it still doesn't work to limit local access.

I figured it out. It does work with local access only. What I needed change is to allow the local docker IP range.

By using "allow 172.18.0.0/16" in the access list, I could limit access to my containers only if connected through my docker wireguard VPN.

Adding "allow 192.168.1.0/24" enables local network access.
Adding "allow PUBLIC_IP" where PUBLIC_IP is your public IP address allows you to connect to a remote server without having to use the VPN.

<!-- gh-comment-id:1428784273 --> @trulow commented on GitHub (Feb 13, 2023): ~I'm also having the same issue. I've tried even adding the Custom Nginx Config as stated by @threehappypenguins but it still doesn't work to limit local access.~ I figured it out. It does work with local access only. What I needed change is to allow the local docker IP range. By using "allow 172.18.0.0/16" in the access list, I could limit access to my containers only if connected through my docker wireguard VPN. Adding "allow 192.168.1.0/24" enables local network access. Adding "allow PUBLIC_IP" where PUBLIC_IP is your public IP address allows you to connect to a remote server without having to use the VPN.
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@phtinix commented on GitHub (Feb 18, 2023):

I'm also having the same issue. I've tried even adding the Custom Nginx Config as stated by @threehappypenguins but it still doesn't work to limit local access.

I figured it out. It does work with local access only. What I needed change is to allow the local docker IP range.

By using "allow 172.18.0.0/16" in the access list, I could limit access to my containers only if connected through my docker wireguard VPN.

Adding "allow 192.168.1.0/24" enables local network access. Adding "allow PUBLIC_IP" where PUBLIC_IP is your public IP address allows you to connect to a remote server without having to use the VPN.

Seems to work for me !

<!-- gh-comment-id:1435721995 --> @phtinix commented on GitHub (Feb 18, 2023): > ~I'm also having the same issue. I've tried even adding the Custom Nginx Config as stated by @threehappypenguins but it still doesn't work to limit local access.~ > > I figured it out. It does work with local access only. What I needed change is to allow the local docker IP range. > > By using "allow 172.18.0.0/16" in the access list, I could limit access to my containers only if connected through my docker wireguard VPN. > > Adding "allow 192.168.1.0/24" enables local network access. Adding "allow PUBLIC_IP" where PUBLIC_IP is your public IP address allows you to connect to a remote server without having to use the VPN. Seems to work for me !
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@josopu commented on GitHub (Apr 24, 2023):

By using "allow 172.18.0.0/16" in the access list, I could limit access to my containers only if connected through my docker wireguard VPN.

You are connecting via docker WireGuard in the same docker network, right? Because I have WireGuard built-in, and it uses different network, so still needed the public IP address.

<!-- gh-comment-id:1520407677 --> @josopu commented on GitHub (Apr 24, 2023): > By using "allow 172.18.0.0/16" in the access list, I could limit access to my containers only if connected through my docker wireguard VPN. You are connecting via docker WireGuard in the same docker network, right? Because I have WireGuard built-in, and it uses different network, so still needed the public IP address.
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@trulow commented on GitHub (Apr 24, 2023):

By using "allow 172.18.0.0/16" in the access list, I could limit access to my containers only if connected through my docker wireguard VPN.

You are connecting via docker WireGuard in the same docker network, right? Because I have WireGuard built-in, and it uses different network, so still needed the public IP address.

Correct. I'm using wg-easy for my Wireguard setup to manage my users/credentials. wg-easy is using the same docker network as the rest of my containers including NginxProxyManager.

<!-- gh-comment-id:1520445621 --> @trulow commented on GitHub (Apr 24, 2023): > > By using "allow 172.18.0.0/16" in the access list, I could limit access to my containers only if connected through my docker wireguard VPN. > > You are connecting via docker WireGuard in the same docker network, right? Because I have WireGuard built-in, and it uses different network, so still needed the public IP address. Correct. I'm using [wg-easy](https://github.com/WeeJeWel/wg-easy) for my Wireguard setup to manage my users/credentials. wg-easy is using the same docker network as the rest of my containers including NginxProxyManager.
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@xKliment commented on GitHub (Apr 27, 2023):

Well i have NginxProxyManager on a other VirtualMachine than wireguard because i cant use Adguard + NginxProxyManager on one Machine. But the NginxProxyManger and Wireguard are both on the 192.168.178.0 network..

<!-- gh-comment-id:1525766168 --> @xKliment commented on GitHub (Apr 27, 2023): Well i have NginxProxyManager on a other VirtualMachine than wireguard because i cant use Adguard + NginxProxyManager on one Machine. But the NginxProxyManger and Wireguard are both on the 192.168.178.0 network..
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@homonto commented on GitHub (May 24, 2023):

I'm also having the same issue. I've tried even adding the Custom Nginx Config as stated by @threehappypenguins but it still doesn't work to limit local access.

I figured it out. It does work with local access only. What I needed change is to allow the local docker IP range.

By using "allow 172.18.0.0/16" in the access list, I could limit access to my containers only if connected through my docker wireguard VPN.

Adding "allow 192.168.1.0/24" enables local network access. Adding "allow PUBLIC_IP" where PUBLIC_IP is your public IP address allows you to connect to a remote server without having to use the VPN.

the only problem is: PUBLIC_IP can be changed and then, you need to change the configuration, right?

<!-- gh-comment-id:1560513246 --> @homonto commented on GitHub (May 24, 2023): > ~I'm also having the same issue. I've tried even adding the Custom Nginx Config as stated by @threehappypenguins but it still doesn't work to limit local access.~ > > I figured it out. It does work with local access only. What I needed change is to allow the local docker IP range. > > By using "allow 172.18.0.0/16" in the access list, I could limit access to my containers only if connected through my docker wireguard VPN. > > Adding "allow 192.168.1.0/24" enables local network access. Adding "allow PUBLIC_IP" where PUBLIC_IP is your public IP address allows you to connect to a remote server without having to use the VPN. the only problem is: PUBLIC_IP can be changed and then, you need to change the configuration, right?
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@peterge1998 commented on GitHub (Sep 26, 2023):

I have a similar problem like @xKliment. I run npm in a different lxc on the same machine as wireguard. I have this access list:
image

My devices get a 10.7.0.3/24 ip when connected through wireguard. But I am not able to access the site through npm, only from my non-vpn internal network...

Did you find a solution for this?

Nevermind, I just found that I set the wrong value in WG_ALLOWED_IPS for wireguard.

<!-- gh-comment-id:1735509884 --> @peterge1998 commented on GitHub (Sep 26, 2023): ~~I have a similar problem like @xKliment. I run npm in a different lxc on the same machine as wireguard. I have this access list:~~ ![image](https://github.com/NginxProxyManager/nginx-proxy-manager/assets/47355238/a27410dc-e0f5-4448-ad4d-799fc7208da7) ~~My devices get a 10.7.0.3/24 ip when connected through wireguard. But I am not able to access the site through npm, only from my non-vpn internal network...~~ ~~Did you find a solution for this?~~ Nevermind, I just found that I set the wrong value in WG_ALLOWED_IPS for wireguard.
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@lazee486 commented on GitHub (Sep 28, 2023):

ive found using 1 instance NPM in the cloud, and 1 instance NPM in my lan, works best, and set my own dns recordsin router, public dns or hosts... helps with speed as in lan traffic doesnt got out my net interface and back in...if you use cloudflare for dns and dns with the api letsincrypt works even with lan IP's...

<!-- gh-comment-id:1739357533 --> @lazee486 commented on GitHub (Sep 28, 2023): ive found using 1 instance NPM in the cloud, and 1 instance NPM in my lan, works best, and set my own dns recordsin router, public dns or hosts... helps with speed as in lan traffic doesnt got out my net interface and back in...if you use cloudflare for dns and dns with the api letsincrypt works even with lan IP's...
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@rubin110 commented on GitHub (Oct 16, 2023):

The machine I'm running NPM on sits on both my local network and the internet, basically acts as my home router. My workaround to this issue is to firewalld off everything coming through from my WAN interface except for things like port 80 and 443, and then run this docker container with network_mode: host.

The only issue I hit is it seems NPM internally uses port 3000 for its API, which another container of mine was using. Once I switched ports for that container, everything seems to be functioning correctly now.

<!-- gh-comment-id:1764958335 --> @rubin110 commented on GitHub (Oct 16, 2023): The machine I'm running NPM on sits on both my local network and the internet, basically acts as my home router. My workaround to this issue is to firewalld off everything coming through from my WAN interface except for things like port 80 and 443, and then run this docker container with `network_mode: host`. The only issue I hit is it seems NPM internally uses port 3000 for its API, which another container of mine was using. Once I switched ports for that container, everything seems to be functioning correctly now.
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@Riffer commented on GitHub (Nov 2, 2023):

Workaround OpenMediaVault docker:

 ---
 version: '3.8'
 services:
   app:
     image: 'jc21/nginx-proxy-manager:latest'
     restart: unless-stopped
     network_mode: bridge
     ports: 
     # These ports are in format <host-port>:<container-port>
       
       - '192.168.0.141:80:80' # Public HTTP Port
       - '192.168.0.141:443:443' # Public HTTPS Port
       - '81:81' # Admin Web Port

By binding the port to the host address, I get the correct address of my systems in the local network.

Conveniently, you can use the global environment (also for other docks):

Global Environment:

 BASE_HOST_IP=192.168.0.141

Placeholder in Yaml:

 - '${BASE_HOST_IP}:80:80' # Public HTTP Port
 - '${BASE_HOST_IP}:443:443' # Public HTTPS Port
<!-- gh-comment-id:1790790315 --> @Riffer commented on GitHub (Nov 2, 2023): Workaround OpenMediaVault docker: ``` --- version: '3.8' services: app: image: 'jc21/nginx-proxy-manager:latest' restart: unless-stopped network_mode: bridge ports: # These ports are in format <host-port>:<container-port> - '192.168.0.141:80:80' # Public HTTP Port - '192.168.0.141:443:443' # Public HTTPS Port - '81:81' # Admin Web Port ``` By binding the port to the host address, I get the correct address of my systems in the local network. Conveniently, you can use the global environment (also for other docks): Global Environment: ``` BASE_HOST_IP=192.168.0.141 ``` Placeholder in Yaml: ``` - '${BASE_HOST_IP}:80:80' # Public HTTP Port - '${BASE_HOST_IP}:443:443' # Public HTTPS Port ```
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@whompyjaw commented on GitHub (Nov 8, 2023):

Adding to the Custom Nginx Configuration should work. I did this, but to whitelist DDNS addresses as well as LAN access. For example you could:

Hosts > Edit > Advanced and in Custom Nginx Configuration:

location = / {
	allow 192.168.1.1/24;
	allow 10.6.0.0/24;
	deny all;
}

This worked for me (i have a hairpin NAT). I didn't have to do the extra finangling. I removed the second line, and it allowed local access and prevented public access. I wouldn't recommend using public IP cuz that can change.

<!-- gh-comment-id:1801091258 --> @whompyjaw commented on GitHub (Nov 8, 2023): > Adding to the _Custom Nginx Configuration_ should work. [I did this](https://github.com/NginxProxyManager/nginx-proxy-manager/issues/1708#issuecomment-1397633769), but to whitelist DDNS addresses as well as LAN access. For example you could: > > Hosts > Edit > Advanced and in _Custom Nginx Configuration_: > > ``` > location = / { > allow 192.168.1.1/24; > allow 10.6.0.0/24; > deny all; > } > ``` This worked for me (i have a hairpin NAT). I didn't have to do the extra finangling. I removed the second line, and it allowed local access and prevented public access. I wouldn't recommend using public IP cuz that can change.
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@homonto commented on GitHub (Nov 8, 2023):

so I am using cloudflare end the origin IP is changing all the time
if I block internet, then the IP cannot be resolved - domain name is kept by local nginx instance so the calling service has to go to internet, to cloudflare, come then to my nginx to resolve the IP - blocked internet access means: cannot resolve

what I am saying: even local call to my domain: my.domain.com (domain.com is on cloudflare, "my" is only in LAN) requires internet to resolve the my.domain.com

<!-- gh-comment-id:1801094857 --> @homonto commented on GitHub (Nov 8, 2023): so I am using cloudflare end the origin IP is changing all the time if I block internet, then the IP cannot be resolved - domain name is kept by local nginx instance so the calling service has to go to internet, to cloudflare, come then to my nginx to resolve the IP - blocked internet access means: cannot resolve what I am saying: even local call to my domain: my.domain.com (domain.com is on cloudflare, "my" is only in LAN) requires internet to resolve the my.domain.com
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@Riffer commented on GitHub (Nov 8, 2023):

@homonto set up a local DNS (i.e. pi.hole is convenient) with your local server IP. In my case my router is the DHCP but I propagate the additional DNS IP to all systems in my network.

<!-- gh-comment-id:1801163781 --> @Riffer commented on GitHub (Nov 8, 2023): @homonto set up a local DNS (i.e. pi.hole is convenient) with your local server IP. In my case my router is the DHCP but I propagate the additional DNS IP to all systems in my network.
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@homonto commented on GitHub (Nov 8, 2023):

I have Pihole, even 2: one on each VLAN: 192.168.1.23 and 192.168.100.31
so maybe you can help me:
1- nginx is on 192.168.1.6
2- domain speed.mydomain.com is on 192.168.1.23
3- in nginx I set:

  • destination: https://192.168.1.23:8443
  • access: speed
    then in access list, speed has:
  • allow: 192.168.100.0/24 (my laptop is on 192.168.100.x)
  • deny: all
    4- on Pihole I set:
  • speed.domain.com -> 192.168.1.23

But with these settings it is not working

  • ping resolves speed.domain.com as proper IP of the server: 192.168.1.23
    nginx log shows:
    2023/11/08 07:32:06 [error] 1328750#1328750: *189640 access forbidden by rule, client: 172.70.91.5, server: speed.domain.com, request: "GET /favicon.ico HTTP/2.0", host: "speed.domain.com", referrer: "https://speed.domain.com/"

Evidently the request comes from Cloudfare rather than from local DNS, but why?

<!-- gh-comment-id:1801245701 --> @homonto commented on GitHub (Nov 8, 2023): I have Pihole, even 2: one on each VLAN: 192.168.1.23 and 192.168.100.31 so maybe you can help me: 1- nginx is on 192.168.1.6 2- domain speed.mydomain.com is on 192.168.1.23 3- in nginx I set: - destination: https://192.168.1.23:8443 - access: speed then in access list, speed has: - allow: 192.168.100.0/24 (my laptop is on 192.168.100.x) - deny: all 4- on Pihole I set: - speed.domain.com -> 192.168.1.23 But with these settings it is not working - ping resolves speed.domain.com as proper IP of the server: 192.168.1.23 nginx log shows: `2023/11/08 07:32:06 [error] 1328750#1328750: *189640 access forbidden by rule, client: 172.70.91.5, server: speed.domain.com, request: "GET /favicon.ico HTTP/2.0", host: "speed.domain.com", referrer: "https://speed.domain.com/" ` Evidently the request comes from Cloudfare rather than from local DNS, but why?
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@Riffer commented on GitHub (Nov 9, 2023):

@homonto a ping ain't be logged by ngnix. You see a call to favicon.ico - that's probably your browser.

You must ensure in your testing that your browser uses the DNS of your network. Search for DNS in the settings. Some use primarily external DNS for security reasons. Only when the external DNS has no match, do they check the internal ones, but because Cloudflare knows an external address for your domain that's not happening.

Or call the site by curl or wget.

<!-- gh-comment-id:1804078150 --> @Riffer commented on GitHub (Nov 9, 2023): @homonto a ping ain't be logged by ngnix. You see a call to favicon.ico - that's probably your browser. You must ensure in your testing that your browser uses the DNS of your network. Search for DNS in the settings. Some use primarily external DNS for security reasons. Only when the external DNS has no match, do they check the internal ones, but because Cloudflare knows an external address for your domain that's not happening. Or call the site by curl or wget.
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@homonto commented on GitHub (Nov 9, 2023):

all my clients have provided my 2 Piholes as DNS IPs.
and the domain assignment to the internal IP is on the Piholes:
Screenshot 2023-11-09 at 15 49 56

Then both Piholes are referring to router (Opnsense):

Screenshot 2023-11-09 at 15 48 45

And then Unbound DNS is providing the real DNS service. Do you think this can be the issue?
Screenshot 2023-11-09 at 15 52 18

<!-- gh-comment-id:1804094172 --> @homonto commented on GitHub (Nov 9, 2023): all my clients have provided my 2 Piholes as DNS IPs. and the domain assignment to the internal IP is on the Piholes: <img width="805" alt="Screenshot 2023-11-09 at 15 49 56" src="https://github.com/NginxProxyManager/nginx-proxy-manager/assets/46562447/2c143a98-d5e7-405a-b68e-03577a05b874"> Then both Piholes are referring to router (Opnsense): <img width="981" alt="Screenshot 2023-11-09 at 15 48 45" src="https://github.com/NginxProxyManager/nginx-proxy-manager/assets/46562447/42733586-2cfc-41b3-8d9a-70c150bed950"> And then Unbound DNS is providing the real DNS service. Do you think this can be the issue? <img width="601" alt="Screenshot 2023-11-09 at 15 52 18" src="https://github.com/NginxProxyManager/nginx-proxy-manager/assets/46562447/c92fdc29-090f-43b3-8436-de5d426a11b1">
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@Riffer commented on GitHub (Nov 9, 2023):

@homonto maybe you missed my previous comment - did you check your browser settings?

<!-- gh-comment-id:1804244643 --> @Riffer commented on GitHub (Nov 9, 2023): @homonto maybe you missed my previous comment - did you check your browser settings?
kerem commented 2026-02-26 06:34:55 +03:00
Author
Owner
Copy link

@homonto commented on GitHub (Nov 9, 2023):

browser has no DNS settings and I checked on 3: Chrome, Firefox and Safari. And on mobile phone as well.
plus, my firewall redirects everything calling port 53 to unbound
I am 100% sure problem is on my side - just I am NOT sure how to approach it. ;-)

<!-- gh-comment-id:1804317860 --> @homonto commented on GitHub (Nov 9, 2023): browser has no DNS settings and I checked on 3: Chrome, Firefox and Safari. And on mobile phone as well. plus, my firewall redirects everything calling port 53 to unbound I am 100% sure problem is on my side - just I am NOT sure how to approach it. ;-)
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
develop
dependabot/npm_and_yarn/backend/liquidjs-10.25.7
dependabot/npm_and_yarn/frontend/prod-minor-updates-2a16bf3987
dependabot/npm_and_yarn/frontend/dev-patch-updates-754666cf41
dependabot/npm_and_yarn/backend/basic-ftp-5.3.0
dependabot/npm_and_yarn/test/follow-redirects-1.16.0
dependabot/npm_and_yarn/test/axios-1.15.0
dependabot/npm_and_yarn/frontend/lodash-4.18.1
dependabot/npm_and_yarn/backend/lodash-4.18.1
dependabot/npm_and_yarn/test/lodash-4.18.1
dependabot/npm_and_yarn/frontend/vite-7.3.2
dependabot/npm_and_yarn/backend/prod-minor-updates-5ec19a7f21
dependabot/npm_and_yarn/frontend/lodash-es-4.18.1
dependabot/npm_and_yarn/frontend/happy-dom-20.8.9
dependabot/npm_and_yarn/backend/path-to-regexp-8.4.0
dependabot/npm_and_yarn/frontend/picomatch-4.0.4
dependabot/npm_and_yarn/backend/picomatch-2.3.2
dependabot/npm_and_yarn/frontend/yaml-1.10.3
dependabot/npm_and_yarn/test/flatted-3.4.2
dependabot/npm_and_yarn/test/tar-7.5.11
dependabot/npm_and_yarn/frontend/immutable-5.1.5
master
dependabot/npm_and_yarn/test/glob-10.5.0
dependabot/npm_and_yarn/frontend/mdast-util-to-hast-13.2.1
dependabot/npm_and_yarn/test/form-data-4.0.4
v3-abandoned
bump-freedns
openidc
ssl-passthrough-hosts
static-content
v2.14.0
v2.13.7
v2.13.6
v2.13.5
v2.13.4
v2.13.3
v2.13.2
v2.13.1
v2.13.0
v2.12.6
v2.12.5
v2.12.4
v2.12.3
v2.12.2
v2.12.1
v2.12.0
v2.11.3
v2.11.2
v2.11.1
v2.11.0
v2.10.4
v2.10.3
v2.10.2
v2.10.1
v2.10.0
v2.9.22
v2.9.21
v2.9.20
v2.9.19
v2.9.18
v2.9.17
v2.9.16
v2.9.15
v2.9.14
v2.9.13
v2.9.12
v2.9.11
v2.9.10
v2.9.9
v2.9.8
v2.9.7
v2.9.6
v2.9.5
v2.9.4
v2.9.3
v2.9.2
v2.9.1
v2.9.0
v2.8.1
v2.8.0
v2.7.3
v2.7.2
v2.7.1
v2.7.0
v2.6.2
v2.6.1
v2.6.0
v2.5.0
v2.4.0
v2.3.1
v2.3.0
v2.2.4
v2.2.3
v2.2.2
v2.2.1
v2.2.0
v2.1.2
v2.1.1
v2.1.0
2.0.14
2.0.13
2.0.12
2.0.11
2.0.10
2.0.9
2.0.8
2.0.7
2.0.6
2.0.5
2.0.4
2.0.3
2.0.2
2.0.0
v2.0.0
1.1.2
1.1.1
1.0.1
Labels
Clear labels   
awaiting feedback

   
bug

   
cannot reproduce

   
dns provider request

   
duplicate

   
enhancement

   
enhancement

   
enhancement

   
good first issue

   
help wanted

   
invalid

   
need more info

   
no certbot plugin available

   
product-support

   
pull-request

Mirrored from GitHub Pull Request

  
question

   
stale

   
troll

   
upstream issue

   
v2

   
v2

   
v2

   
v3

   
wontfix
No labels
awaiting feedback
bug
cannot reproduce
dns provider request
duplicate
enhancement
enhancement
enhancement
good first issue
help wanted
invalid
need more info
no certbot plugin available
product-support
pull-request
question
stale
troll
upstream issue
v2
v2
v2
v3
wontfix
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference
starred/nginx-proxy-manager-NginxProxyManager#912
No description provided.