nginx-proxy-manager
Global IP/proxyProvider restrictions
I run almost all my services on Cloudflare, which is especially helpful if you want to conceal your origin IP, as I run NPM on my NAS and don't want to expose my IP to anyone.
For security reasons, I want to block every request to my NPM that is not proxied through Cloudflare. Since my NAS is getting requests (internally) from my router, I cannot simply whitelist my router's IP, as it would allow every request again. So I am searching for a way of checking and allowing just requests that are "forwarded for XX", where XX stands for an IP in Cloudflare's IP range.
To avoid blocking my local access to NPM, this information is required:
- router's IP
- proxy service name (Cloudflare)
  - Cloudflare's IPs are listed here:
    - IPv4
    - IPv6
Now NPM shall block ALL requests from the router, unless they are within the IP ranges of Cloudflare. Other local requests should be allowed for administration and in case something goes wrong, so local access is not locked out.
The IPs from Cloudflare shall be updated daily and "tracked", meaning the time they were last checked is saved, so in case something goes wrong we can see/debug it.
It shall be possible to set this globally, so every other access rule gets extended by this. But those who want to set it for some domains only shall also be able to do so.
It should be built in a way that in the future other services can easily be added by NPM itself and expert config shall be available, so people can add their very own config/proxyProvider.
Describe the solution you'd like

Just having to provide three pieces of information:
- router IP (maybe automatically detectable)
- proxyProvider which you want to allow
- globally or selected domains
The rest shall be done automatically and it should be hassle-free. This will guarantee that just external requests that have been proxied by Cloudflare can request anything.
I hope this is not asking for too much, but I think restricting (in a very easy way) who in general is allowed to send requests to you is important for security.
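One way to generate the allowlist this request describes, as an added example that is not part of the original issue or of NPM's code: it validates a provider's published ranges, emits nginx `allow`/`deny all` rules stamped with the time of the last check, and refuses to write an empty or allow-everything list. The function names and the sample ranges are constructed for illustration, and the rules assume nginx sees the real source address of each connection rather than the router's.

```python
import ipaddress
from datetime import datetime, timezone

# Constructed sample data (documentation prefixes), standing in for the
# provider's published IPv4/IPv6 lists and for the local network.
SAMPLE_PROVIDER_RANGES = ["198.51.100.0/25", "198.51.100.128/25",
                          "2001:db8:100::/48", "198.51.100.0/25  # duplicate"]
SAMPLE_LOCAL_RANGES = ["192.168.1.0/24"]

def parse_ranges(lines):
    """Validate CIDR strings; skip blanks and comments, reject malformed input."""
    nets = []
    for raw in lines:
        text = raw.split("#", 1)[0].strip()
        if text:
            # strict=True raises ValueError on host bits, e.g. 10.0.0.1/24
            nets.append(ipaddress.ip_network(text, strict=True))
    return nets

def collapse(nets):
    """Merge duplicates and adjacent ranges, one address family at a time."""
    v4 = ipaddress.collapse_addresses(n for n in nets if n.version == 4)
    v6 = ipaddress.collapse_addresses(n for n in nets if n.version == 6)
    return list(v4) + list(v6)

def build_acl(provider_lines, local_lines, provider="cloudflare", checked_at=None):
    """Return the text of an nginx include file: allow rules, then deny all."""
    provider_nets = collapse(parse_ranges(provider_lines))
    local_nets = collapse(parse_ranges(local_lines))
    if not provider_nets:
        # A failed daily fetch must not replace a working list with nothing.
        raise ValueError("empty provider list: keep the previous file")
    for net in provider_nets + local_nets:
        if net.prefixlen == 0:
            raise ValueError(f"{net} would allow every address")
    checked_at = checked_at or datetime.now(timezone.utc)
    out = [f"# provider={provider} last_checked={checked_at.isoformat()}"]
    out += [f"allow {n};  # local" for n in local_nets]
    out += [f"allow {n};  # {provider}" for n in provider_nets]
    out.append("deny all;")
    return "\n".join(out) + "\n"

def is_allowed(addr, acl_text):
    """Check an address against the generated rules (allow match, else deny)."""
    ip = ipaddress.ip_address(addr)
    for line in acl_text.splitlines():
        if line.startswith("allow "):
            net = ipaddress.ip_network(line.split()[1].rstrip(";"))
            if ip.version == net.version and ip in net:
                return True
    return False
```

The `last_checked` comment on the first line gives the "tracked" timestamp the request asks for, so a stale list is visible in the file itself.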
This might help in the meantime https://serverfault.com/questions/601339/how-do-i-deny-all-requests-not-from-cloudflare
Issue is now considered stale. If you want to keep it open, please comment :+1: