ACLs do not work when using rootless
Checklist
- Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
- Yes
- Are you sure you're not using someone else's docker image?
- Yes
- Have you searched for similar issues (both open and closed)?
- Yes
Describe the bug
Access Lists do not work correctly when deploying as rootless.
When defining an access list with NPM using allow <IP_ADDRESS> and then enabling an ACL within a host proxy, the ACL does not work and any IP can still access the host. However, if it is redeployed as sudo, then the ACLs work as intended.
Nginx Proxy Manager Version
2.11.2
To Reproduce
- Steps to reproduce the behavior:
- Deploy NPM as rootless
- Set up NPM admin account
- Create an ACL
- Create a proxy host and add the host to the ACL
- Use an external machine to access host, verify that you can still access the host even though it should be blocked by ACL
- Purge installation and redeploy as sudo
- Use an external machine to access host and verify that the ACL now works and blocks access to host.
Expected behavior
ACLs should apply when deploying NPM as rootless user.
Operating System
Ubuntu server 24.04
Check to see if the allow directive is being added to the individual proxy host config files, those are stored at /data/nginx/proxy_host/
it would look like
allow [ip address here];
I had to change a few things to get the templating to work correctly. Likely an issue with default user of container
@bluekitedreamer I have a similar issue (but not rootless). I checked the /data/nginx/proxy_host files, and they do NOT have the Access Rules inserted in the conf files. Some of the conf files do, some don't, I'm not sure the pattern. Aha, I see something, for the conf files that do not have the access list in there, I see control characters ^M. Maybe that is helpful in finding the fix for this bug.
@yroyathon One thing I noticed: if I opened the same proxy host in the webui and clicked save (without changing anything) it would fix the acl issue.
If one of the proxy hosts has an ACL issue and all the settings are correct, open it in webui and click save. For me it fixed a lot of the issues.
@bluekitedreamer I tried that but it didn't work. For now I've got a script that runs once an hour which examines the NPM proxy host conf files, and if there is a conf file that should have the Access Rules in the location / block but they aren't there, it inserts them. It's not a great solution, but the alternative is to just stop using NPM, and switch to another reverse proxy that properly enforces ACLs.
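A read-only version of the check discussed in the comments above, as an added example that is not code from this thread or from the NPM project: it flags proxy host conf files that have no allow/deny directives inside `location /` or that contain carriage returns (the ^M mentioned earlier). The sample configs are constructed, and the conf layout and the function names are assumptions.

```python
from __future__ import annotations
import re
from pathlib import Path

# allow/deny directives in the form nginx's access module accepts
ACCESS_RE = re.compile(r"^\s*(allow|deny)\s+[^;]+;", re.MULTILINE)
LOCATION_ROOT_RE = re.compile(r"location\s+/\s*\{")

# Constructed samples (layout assumed, not copied from a real NPM install)
GOOD = ("server {\n  location / {\n    allow 192.0.2.10;\n    deny all;\n"
        "    proxy_pass http://app;\n  }\n}\n")
BAD = "server {\r\n  location / {\r\n    proxy_pass http://app;\r\n  }\r\n}\r\n"


def location_root_body(conf: str):
    """Return the text inside the first `location / { ... }` block, or None."""
    m = LOCATION_ROOT_RE.search(conf)
    if not m:
        return None
    depth, start = 1, m.end()
    for i in range(start, len(conf)):  # naive brace matching, no quoting rules
        if conf[i] == "{":
            depth += 1
        elif conf[i] == "}":
            depth -= 1
            if depth == 0:
                return conf[start:i]
    return None  # unbalanced braces


def audit_conf(conf: str) -> dict:
    body = location_root_body(conf)
    acl = [m.group(0).strip() for m in ACCESS_RE.finditer(body or "")]
    return {"has_cr": "\r" in conf, "acl_directives": acl}


def audit_dir(path: str, expect_acl: set[str]) -> list[str]:
    """Report conf files that should carry an ACL but show none, or hold CRs."""
    findings = []
    for f in sorted(Path(path).glob("*.conf")):
        # read bytes so "\r\n" is not silently normalised to "\n"
        r = audit_conf(f.read_bytes().decode("utf-8", "replace"))
        if r["has_cr"]:
            findings.append(f"{f.name}: carriage returns present")
        if f.name in expect_acl and not r["acl_directives"]:
            findings.append(f"{f.name}: no allow/deny in location /")
    return findings
```

`expect_acl` is the set of conf file names that are supposed to have an access list attached; the script only reports and never rewrites the files.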
Issue is now considered stale. If you want to keep it open, please comment :+1: