
External IPs getting successful static GET request with Auth Enabled

Open shanelord01 opened this issue 2 years ago • 1 comments

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug Synology NAS sitting behind NPM. Basic Auth is enabled and works for main root protection, but logs show external IPs issuing a successful static GET request and accessing images using this call:

[server address]/webapi/entry.cgi?api=SYNO.Core.Synohdpack&version=1&method=getHDIcon&res=24&retina=false&path=webman/3rdparty/DownloadStation/images/download_station_{0}.png

Also: webman/3rdparty/FileBrowser/images/icon/FileStation_{0}.png webman/3rdparty/Virtualization/images/VirtualManagement_{0}.png webman/3rdparty/SynologyPhotos/images/icon/photos_{0}.png

This skips straight past the auth and shows the file, allowing the person sending this to know a Synology NAS is present.

Issuing just [server address]/webapi correctly asks for auth.

Nginx Proxy Manager Version 2.9.18

To Reproduce Can provide the URL to my server for @jc21 or similar to assess how to resolve.

Expected behavior Expect auth to be required for any access to the server including this. How to block "SYNO.Core.Synohdpack" request?

Screenshots n/a

Operating System n/a - But tested on Windows client, Mac client and iOS client and all show the same.

Additional context n/a

shanelord01 avatar Jun 22 '22 01:06 shanelord01

For the moment I've added this to my Advanced "Custom NGINX Config":

location /webapi {   # prefix match, so /webapi/entry.cgi?... is covered as well as /webapi itself
    allow 192.168.1.0/24;   # network address; nginx ignores the host bits in 192.168.1.1/24
    allow 127.0.0.1;
    deny all;
}

shanelord01 avatar Jun 22 '22 01:06 shanelord01

Issue is now considered stale. If you want to keep it open, please comment :+1:

github-actions[bot] avatar Feb 14 '24 01:02 github-actions[bot]