
Access list gives 403 even when IP is whitelisted #1279


Closed
hjorslev opened this issue Aug 1, 2021 · 13 comments


hjorslev commented Aug 1, 2021

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • No
  • Are you sure you're not using someone else's docker image?
    • No
  • Have you searched for similar issues (both open and closed)?
    • Yes

I use this version for Proxmox: https://github.com/ej52/proxmox-scripts/tree/main/lxc/nginx-proxy-manager. I am not sure if it is specific to this environment or also affects the docker version.

Describe the bug
I am attempting to configure an access list for several proxies. I want to authenticate using IP addresses. However, all proxies give me a 403 even though I access the site using the whitelisted IP address.

Nginx Proxy Manager Version
v2.9.6

To Reproduce
Steps to reproduce the behavior:

  1. Create an access list whitelisting the IP addresses, currently I have added 3.
     (screenshot)
  2. Add the access list to a proxy:
     (screenshot)

Expected behavior
I would expect to be able to access the site as the IP address is whitelisted.

Screenshots

Operating System
I use Alpine configured by this script: https://github.com/ej52/proxmox-scripts/tree/main/lxc/nginx-proxy-manager

Additional context
When I review the error log file for the proxy host (proxy-host-9_error.log), I see this entry:
2021/08/01 08:34:47 [error] 1293#1293: *7651 access forbidden by rule, client: 172.16.20.102, server: adc.website.com, request: "GET / HTTP/2.0", host: "adc.website.com"
(I have altered host to adc.website.com)

I have attempted to also add this local IP, but I still get a 403 when attempting to access the site.

@hjorslev hjorslev added the bug label Aug 1, 2021
@hjorslev hjorslev changed the title from "Access list gives" to "Access list gives 403 even when IP is whitelisted" Aug 1, 2021

kimdre commented Aug 1, 2021

I have the exact same problem with the docker version.
Also have version v2.9.6.


oewean commented Aug 2, 2021

It looks like you must edit/save the Proxy Hosts again after editing the Access Lists.


hjorslev commented Aug 2, 2021

@oewean Thanks. This fixed it for me.

I just edited the access list again and I could read the following in npm.log:

[8/2/2021] [4:58:33 PM] [Access   ] › ℹ  info      Building Access file #2 for: Private - family locations

When saving a site using an access list the following were to be found in npm.log:

[8/2/2021] [5:01:57 PM] [Access   ] › ℹ  info      Building Access file #2 for: Private - family locations
[8/2/2021] [5:04:31 PM] [Nginx    ] › ℹ  info      Reloading Nginx

So I think that nginx needs to be reloaded after an access list has been saved. As far as I can see the access list is written to the corresponding .conf file.

@PlasmatikSteak

I have a similar problem

2021/08/19 12:20:00 [error] 312#312: *906 access forbidden by rule, client: 172.20.0.1, server: subdomain.domain.tld, request: "GET / HTTP/2.0", host: "subdomain.domain.tld", referrer: "https://subdomain.domain.tld/"

The Client IP is the gateway of the docker container. I think some X-Forward parameter is missing in NPM.


Ugenx commented Aug 23, 2021

> I have a similar problem
>
> 2021/08/19 12:20:00 [error] 312#312: *906 access forbidden by rule, client: 172.20.0.1, server: subdomain.domain.tld, request: "GET / HTTP/2.0", host: "subdomain.domain.tld", referrer: "https://subdomain.domain.tld/"
>
> The Client IP is the gateway of the docker container. I think some X-Forward parameter is missing in NPM.

This is the problem I noticed today when troubleshooting why my access whitelist didn't seem to have any effect. The client IP in the nginx access log under /data/logs/ is the docker gateway IP 172.23.0.1. If I whitelist that, the page loads fine but it loads fine for everyone the same way public does. Is this a docker network mode related issue?

@trin3heab2pam

> > I have a similar problem
> >
> > 2021/08/19 12:20:00 [error] 312#312: *906 access forbidden by rule, client: 172.20.0.1, server: subdomain.domain.tld, request: "GET / HTTP/2.0", host: "subdomain.domain.tld", referrer: "https://subdomain.domain.tld/"
> >
> > The Client IP is the gateway of the docker container. I think some X-Forward parameter is missing in NPM.
>
> This is the problem I noticed today when troubleshooting why my access whitelist didn't seem to have any effect. The client IP in the nginx access log under /data/logs/ is the docker gateway IP 172.23.0.1. If I whitelist that, the page loads fine but it loads fine for everyone the same way public does. Is this a docker network mode related issue?

I'm having the same issue. Were you able to get this resolved?


hakunamatata97k commented Sep 7, 2021

@PlasmatikSteak
Somehow you all are getting the error that your IP is actually from a local subnet, but in my case I'm getting the following error:

2021/09/07 17:03:09 [error] 3626#3626: *5038 access forbidden by rule, client: 95.x.x.x, server: subdomain.mydomain.com, request: "GET / HTTP/1.1", host: "subdomain.mydomain.com"

The client IP 95.x.x.x is in fact the public IP of my router, which gets changed by the ISP every 24 h.
The host local IP is 192.168.0.84 and the client local IP is 192.168.0.10, so logically adding the following access list in the corresponding conf file should be sufficient. The access list looks like this:

# Access Rules
allow 192.168.0.0/24; # according to Wikipedia, this should normally be sufficient
allow 192.168.0.0/16; # extra
allow 127.0.0.0/8;
allow 172.16.0.0/12;  # according to Wikipedia, this should normally be sufficient
allow 172.19.0.0/16;  # extra, the proxy subnet
deny all;
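To see why the log lines in this thread come out the way they do, here is an added example (not Nginx Proxy Manager code, and not part of the original comment) that re-implements the decision nginx's ngx_http_access_module makes for an allow/deny list: rules are checked top to bottom, the first match wins, and a request that matches nothing is let through. It runs the list posted above against the addresses that appear in this thread; the 95.x.x.x router address is redacted in the post, so the constructed TEST-NET address 203.0.113.10 stands in for it, and the second rule set `ORDERED_RULES` is constructed to show that rule order matters.

```python
import ipaddress

# The access list posted above, in the order nginx reads it.
ACCESS_RULES = """
# Access Rules
allow 192.168.0.0/24;
allow 192.168.0.0/16;
allow 127.0.0.0/8;
allow 172.16.0.0/12;
allow 172.19.0.0/16;
deny all;
"""

# Constructed rule set (not from the thread) showing why order matters:
# a deny placed before a broader allow still wins for the one host it names.
ORDERED_RULES = """
deny 192.168.0.50;
allow 192.168.0.0/24;
deny all;
"""


def parse_rules(text):
    """Parse 'allow <addr|cidr|all>;' / 'deny ...;' lines into (action, network) tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, target = line.split(None, 1)
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {action}")
        # A bare address such as 192.168.0.50 becomes a /32 (or /128) network.
        net = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, net))
    return rules


def evaluate(rules, client_ip):
    """Decide access the way nginx does: rules are checked top to bottom and the
    first match wins. With no match at all nginx lets the request through, which
    is why a real-world list ends with 'deny all'."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net is None or ip in net:
            return action, f"{action} {'all' if net is None else net}"
    return "allow", "no rule matched (nginx default)"


def explain_thread_cases():
    """Run the addresses that appear in this thread through the posted list."""
    rules = parse_rules(ACCESS_RULES)
    cases = {
        # the LAN client, as nginx would see it if the request reached NPM directly
        "192.168.0.10": "LAN client",
        # constructed stand-in (TEST-NET-3) for the redacted 95.x.x.x router address
        "203.0.113.10": "router public IP after hairpin NAT",
        # the Docker bridge gateway other commenters saw as 'client'
        "172.20.0.1": "docker gateway",
    }
    return {ip: (label, evaluate(rules, ip)) for ip, label in cases.items()}


if __name__ == "__main__":
    for ip, (label, (action, rule)) in explain_thread_cases().items():
        print(f"{ip:15} {label:36} -> {action} (matched: {rule})")
```

Two things fall out of running it. The router's public address matches no `allow` line and falls through to `deny all`, which is exactly the "access forbidden by rule" entry quoted above. The Docker gateway 172.20.0.1, on the other hand, is inside `allow 172.16.0.0/12`, so if nginx sees every request as coming from the gateway, the list passes everyone, which is the behaviour Ugenx described after whitelisting the gateway address.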

@hakunamatata97k

> I have a similar problem
>
> 2021/08/19 12:20:00 [error] 312#312: *906 access forbidden by rule, client: 172.20.0.1, server: subdomain.domain.tld, request: "GET / HTTP/2.0", host: "subdomain.domain.tld", referrer: "https://subdomain.domain.tld/"
>
> The Client IP is the gateway of the docker container. I think some X-Forward parameter is missing in NPM.

How did you manage to get your log to point to the local IP? In my case it only recognizes the public IP of my router!

@dragon2611

It seems Nginx isn't getting reloaded (config updated) when the access list changes. Is this possible to implement, please?

@chaptergy
Collaborator

Please see #1105 (comment). If you use Cloudflare, this could also change the IP received by nginx.

Also, if your npm instance is in the public internet, and not in your local network, you won't have access to the local ip addresses! Just the one public ip address your router has.
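The two points raised above, that a hop such as Cloudflare changes the address nginx receives and that the Docker gateway shows up as the client, both come down to which address the allow/deny rules are evaluated against. The following is an added example (not NPM, nginx or Cloudflare code, and not part of this comment) that models what nginx's ngx_http_realip_module does when configured with `set_real_ip_from` ranges and `real_ip_header X-Forwarded-For`: the header is honoured only when the TCP peer is a trusted proxy, and with `real_ip_recursive on` the nearest untrusted hop is taken. The trusted ranges are constructed documentation prefixes (RFC 5737 and RFC 3849), not Cloudflare's published list, and the request scenarios are constructed to cover the situations described in this thread.

```python
import ipaddress

# Constructed stand-in for "set_real_ip_from" ranges: the proxy hops whose
# X-Forwarded-For we trust. Documentation prefixes only; substitute the real
# address ranges of whatever sits in front of your nginx.
TRUSTED_PROXIES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("2001:db8::/32"),
]


def is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def real_client_ip(peer_ip, x_forwarded_for, trusted=TRUSTED_PROXIES, recursive=True):
    """Return the address that allow/deny rules should be evaluated against.

    peer_ip          the TCP source address nginx actually accepted the connection from
    x_forwarded_for  the header value, comma separated, nearest hop last (may be None)
    recursive        mirrors real_ip_recursive on/off
    """
    peer = ipaddress.ip_address(peer_ip)
    # The header is attacker-controlled unless the peer is a proxy we trust.
    if not is_trusted(peer, trusted):
        return peer
    hops = [h.strip() for h in (x_forwarded_for or "").split(",") if h.strip()]
    if not hops:
        return peer
    try:
        if not recursive:
            # real_ip_recursive off: the last (nearest) address replaces the peer.
            return ipaddress.ip_address(hops[-1])
        # real_ip_recursive on: walk from the nearest hop outwards, skipping the
        # trusted proxies, and stop at the first address that is not one of ours.
        for hop in reversed(hops):
            addr = ipaddress.ip_address(hop)
            if not is_trusted(addr, trusted):
                return addr
        # Every hop was a trusted proxy; nginx ends on the leftmost one.
        return ipaddress.ip_address(hops[0])
    except ValueError:
        # Malformed header: nginx keeps the peer address rather than guessing.
        return peer


def scenarios():
    """Constructed requests covering the situations described in this thread."""
    return {
        # A direct client forges the header to look like a LAN host: ignored.
        "spoof from untrusted peer": real_client_ip("203.0.113.7", "192.168.0.10"),
        # The same LAN client arriving through two trusted proxies: header honoured.
        "via trusted proxy": real_client_ip("198.51.100.5", "192.168.0.10, 198.51.100.9"),
        # Attacker behind the trusted proxy prepends a LAN address; the proxy
        # appended the attacker's real address, and only that nearest untrusted
        # hop counts, so the forged entry is discarded.
        "forged entry behind proxy": real_client_ip("198.51.100.5", "192.168.0.10, 203.0.113.7"),
        # Docker bridge gateway as peer with no header at all: there is nothing
        # to recover, the gateway is the client as far as nginx can tell.
        "docker gateway, no header": real_client_ip("172.20.0.1", None),
    }


if __name__ == "__main__":
    for name, addr in scenarios().items():
        print(f"{name:28} -> {addr}")
```

The practical reading: with a proxy such as Cloudflare in front and no `set_real_ip_from` entries for its ranges, nginx evaluates the access list against the proxy's address, never the visitor's, which is what the comment above warns about. Adding the ranges without restricting them to the proxy would be worse, because the first scenario shows that an untrusted peer can then name any whitelisted address in the header. And when the peer is the Docker gateway with no header, as in the earlier comments, no realip configuration can recover the original client.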

@dragon2611

@chaptergy This is not the issue in my case, it's that if I add a new IP to the whitelist it doesn't take effect until I go into a host that uses the whitelist and re-save the configuration.

@chaptergy
Collaborator

@dragon2611 Then you are on the wrong issue. You'd probably want #637


almostserious commented Apr 13, 2022

> Also, if your npm instance is in the public internet, and not in your local network, you won't have access to the local ip addresses! Just the one public ip address your router has.

What does that mean? How can my Nginx Proxy Manager be in the public internet, or in the local network?
Isn't it always hosted in the local network?
Can you please elaborate on this? I would like my NPM instance to be in my local network.

Could this issue be prevented if, instead of using a public DNS provider, I use a locally hosted one that resolves my local network without going through the internet?

Edit:

Indeed that works. For example, as I am using AdGuard I was able to simply do a DNS rewrite of the URL I am trying to reach and point it directly to the IP where NPM is running. In that case, NPM receives the local IP instead of the public IP and the access list works fine for local IPs only.

10 participants