nginx-proxy-manager
Setting access restriction results in 403 forbidden error
I am using Nginx Proxy Manager v2.2.3. This problem started occurring after the update to v2.2.3.
I have set up a username with password in the access list. When applying this to a proxy domain, the site becomes inaccessible with a 403 forbidden error. No login window is displayed.
Error.log
2020/04/22 13:01:10 [error] 8411#8411: *210879 access forbidden by rule, client: IP_REDACTED, server: omv.REDACTED.eu, request: "GET / HTTP/2.0", host: "omv.REDACTED.eu"
proxy_host-4.log
[22/Apr/2020:13:01:10 +0000] - - 403 - GET https omv.REDACTED.eu "/" [Client IP_REDACTED] [Length 107] [Gzip 1.36] [Sent-to 192.168.178.100] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0" "-"
This is similar behavior to what I was seeing with my issue in some cases. There's a chance this could be tied to mine #382
Have you checked to see if your .conf files have "satisfy all" or "satisfy any" correctly on (usually) line 43 below "#Access checks must..."?
I have just checked, the following is added to the /nginx/proxy_host/4.conf (starting at line 50):
location / {
# Authorization
auth_basic "Authorization required";
auth_basic_user_file /data/access/4;
# Access Rules
deny all;
# Access checks must...
satisfy all;
I haven't yet figured out if this is an incorrect configuration, or in what way this could cause the 403 forbidden error. Any ideas?
I am getting the same issue on 2.2.3. It won't accept allow all as an entry via the web gui. If I edit the file /nginx/proxy_host/*.conf manually to allow all instead of deny all it works.
I want it to ask for basic auth when accessing via any IP address, not sure if this is the right way to do this or not. Please advise
https://github.com/jc21/nginx-proxy-manager/issues/393 is possibly also related
Similar issue, I wish to use access rules without authorisation however the host still asks for basic auth. Most likely because there needs to be a check in code "if the user / password list is empty, don't include 'auth_basic' in the config file". This check needs to be put in the proxy_host.conf template
I had the same issue.
It seems to be happening only when HTTP/2 Support is active on the proxy.
After I disabled it, it asked me for login and it worked.
By design, a client will need to meet BOTH the authorization, and access rules defined on the access list unless you select the satisfy any option.
It sounds like you're only setting a username/password and not modifying the authorization rules or setting satisfy any, and the default deny all rule in the authorization is resulting in a 403 response.
It sounds like your use case requires setting the satisfy any option on the access list to tell Nginx to let a user in if they satisfy either the Authentication or Access rules.
Similar issue, I wish to use access rules without authorisation however the host still asks for basic auth. Most likely because there needs to be a check in code "if the user / password list is empty, don't include 'auth_basic' in the config file". This check needs to be put in the proxy_host.conf template
This is a different issue to the OP's ... I've submitted PR #403 to prevent the server asking for auth if no users are defined.
It won't accept allow all as an entry via the web gui
This is also fixed in #402
I believe this issue has been fixed, on the current version access restrictions work without problems as far as I know.
I had the same issue. It seems to be happening only when HTTP/2 Support is active on the proxy. After I disabled it, it asked me for login and it worked.
This solved the 403 in my case. HTTP/2 was messing up with the auth.
Just in case, it happened today on a fresh install of the last version. So maybe it's not fully resolved.
Fresh install today, I get a 403 Forbidden when satisfy any is enabled if there is a username/pass on its own or if I also have a username/pass and allowed ip filled in. It also happens if the satisfy all is disabled with both usr/pass and IP set. This is using the docker image on unraid community apps.
UPDATE: It seems you need to restart the docker after each change of an option for it to take effect. I now get the pop up for usr/pass etc
@dioxidec it happens if you use HTTP/2 and ACL. Disabling HTTP/2 fixed it for me and others in this thread.
@dioxidec it happens if you use HTTP/2 and ACL. Disabling HTTP/2 fixed it for me and others in this thread.
+1
Thank you. Was trying to simply add 192.168.1.0/24 to allow list and it was giving 403 forbidden even with satisfy any setting. Turning off HTTP/2 fixed it for me as well.
This has been driving me crazy. Been working on this for the past hour. I was also receiving the 403 error. I did try disabling HTTP/2. What worked was disabling HTTP/2 and then restarting the container. Saving it in NPM was not enough. I had to disable SSL support, save, completely restart the container, re-enable SSL support, restart the container. Once I did that it worked.
I can confirm this issue is still there.
Hi guys! I played around a bit with NPM and the backing Nginx... And IMHO there are a number of issues that cause all the confusion.
- NPM does not reload affected proxy host configurations when you change the access lists.
  - I did killall -HUP nginx in the Docker container to do that, but:
  - You can do that by opening and saving the proxy host configurations (individually) in the UI.
- Confusion with the Satisfy Any switch and Authorization (which I suppose should be Authentication) and Access tabs:
  - When checking a client against the Authorization tab, they are allowed if the list is empty (because NPM skips the basic auth directives in Nginx whatsoever).
  - When checking a client against the Access tab, they are denied if the list is empty (because NPM forces you to have a deny all directive in Nginx).
  - If the Satisfy Any is disabled (i.e. satisfy all in Nginx), a client should be allowed by both the Authorization and Access tabs.
  - If the Satisfy Any is enabled (i.e. satisfy any in Nginx), a client should be allowed by any of the Authorization and Access tabs.
Bottomline, if you want basic authentication only without checking against the white list:
- Add users to the Authorization tab.
- Two options:
  - Enable the Satisfy All switch and keep the Access tab empty.
  - Disable the Satisfy All switch and add an allow all rule in the beginning of the Access tab.
- Re-save the affected proxy host(s).
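The interaction between the Access tab, the Authorization tab and the Satisfy Any switch described in the comments above can be modelled in a few lines. This is an added example, not code from NPM or Nginx: the function names, IP addresses and credentials are constructed, and the model assumes what the thread reports (NPM always appends deny all, omits auth_basic when no users exist, and the IP check answers before the login prompt).

```python
import ipaddress

def access_check(client_ip, rules):
    """allow/deny rules: the first matching rule decides (200 or 403)."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or ip in ipaddress.ip_network(target):
            return 200 if action == "allow" else 403
    return None  # no rule matched: the IP check expresses no opinion

def auth_check(users, creds):
    """Basic auth: skipped when no users are configured (per the thread)."""
    if not users:
        return None
    ok = creds is not None and users.get(creds[0]) == creds[1]
    return 200 if ok else 401  # 401 is what makes the browser show a login prompt

def decide(client_ip, gui_rules, users, satisfy, creds=None):
    """Return the HTTP status a client gets: 200, 401 or 403."""
    # Assumption from the thread: NPM ends every rule list with "deny all".
    rules = list(gui_rules) + [("deny", "all")]
    results = [access_check(client_ip, rules), auth_check(users, creds)]
    results = [r for r in results if r is not None]
    if satisfy == "all":
        # Every check must pass; the first failure ends the request, and the
        # IP check comes first, so a denied IP never sees the login prompt.
        return next((r for r in results if r != 200), 200)
    # satisfy any: one passing check is enough; otherwise 401 wins over 403.
    if not results or 200 in results:
        return 200
    return 401 if 401 in results else 403

USERS = {"admin": "example-password"}  # constructed sample credentials
WAN, LAN = "203.0.113.7", "192.168.1.20"  # constructed sample clients

if __name__ == "__main__":
    # The original report: users only, empty Access tab, Satisfy Any off.
    print(decide(WAN, [], USERS, "all"))  # 403, no login window
    print(decide(WAN, [], USERS, "any"))  # 401, login prompt
    print(decide(WAN, [("allow", "all")], USERS, "all"))  # 401, login prompt
```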
Hi guys, I got the same error today on latest 2.9.14... I try to setup a LAN only access so put an access list with local 192.168.0.0/24 network and user. I got 403 Forbidden ( openresty ) I can confirm that :
- HTTP/2 is disabled
- Satisfy Any is unticked
I got it working with satisfy any ticked but therefore it's not ip restricted...
In logs i got this : access forbidden by rule, client: <IP>, server: subdomain.mydomain.com request: "GET / HTTP/2.0", host: "subdomain.mydomain.com", referrer: "http://<ngnix_proxy_manager_IP>:81/"
The issue still persists.
The issue still persists.
Can confirm this is still a problem in v2.9.18. Has anyone else been able to get this working?
I thought I was doing something wrong, been messing with it for a while now. I'm on v2.9.18. When trying to limit access to a website by IP addresses it does seem to work properly when using my LAN address, but not for public IP addresses...
I.e when I set below I can access the site from a machine in the 192.168.100.0/24 subnet, but not from a machine coming from that public IP.
Think I found a workaround. I just manually placed the allow/deny rules in the custom configuration for the proxy host and it seems to work as it should there.
I now have my proxy host access control set to be publicly accessible but have the below custom config applied:
I wonder if there are any drawbacks to doing it this way. But if not, that’s a great find!
Edit: And the above totally works btw! Thank you @MrSmits
No problem.
I think the major difference is that doing it this way the access control list works for the entire proxy host. When you use the NPM GUI I think it sets the access list only on location /, which means if you add custom locations under a proxy host that those aren't secured by the access list. But this is just from what I observed by briefly looking at the proxy host config files that NPM generates when you select an access list. I'll take another look later at things and do some more testing, I'm not a developer so not sure how much help this is for the NPM project but I can mess around with Nginx itself just fine :)
Hey, I am experiencing a similar issue. When I use an Access List with no authorization, I am sent to a "403 Forbidden openresty". This is still happening with "HTTP/2 Support" on/off, "Satisfy Any" on/off & even with the "Custom Nginx Configuration" configured and Access List set to "Public".
But if I use an Access List with authorization credentials, I can access my page. The only problem is, it seems to not be following the rules I set for the Access List from my testing.
Is there any workaround for this that I haven't tried? Thanks.
I got it working with basic auth with:
inside ACL
- satisfy any: off
- allow: all
- deny: all
in the proxy settings:
- block common exploit: on
- I have a custom SSL cert but everything else off (force ssl: off, http/2: off)
Note that it was working with public access so I recommend you first check that it works in public mode before trying to set it up with basic auth.
Yeah, but I am looking to use my service without auth but just locally. Even though I set the settings for it only being accessible locally, it's still accessible publicly.
What is your LAN IP and how are you trying to access the website? (Via LAN IP or hostname or WAN IP)
What is your LAN IP and how are you trying to access the website? (Via LAN IP or hostname or WAN IP)
through wan with a port forward on router I access my local lan server where npm is installed