Nginx proxy manager, limit access to local network via access list

[hakunamatata97k]

Are you in the right place?

• If you are looking for support on how to get your upstream server forwarding, please consider asking the community on Reddit.
• If you are writing code changes to contribute and need to ask about the internals of the software, Gitter is the best place to ask.
• If you think you found a bug with NPM (not Nginx, or your upstream server or MySql) then you are in the right place.

Checklist

• Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
• yes
• Are you sure you're not using someone else's docker image?
• im using the right image

Describe the bug

• A clear and concise description of what the bug is.
  Recently I have been trying to limit the access of a self-hosted web service for "Streaming" to local network ONLY, with the aid of the nginx proxy manager.

My setup looks like the following:

• Raspberry Pi 4 running Raspbian Os 64x running on a static IP (192.168.0.10).

• docker & docker-compose & portainer are each properly installed.

• raspberry running the following docker images with no ports conflicts: Nextcloud, ddclient, jc21/nginx-proxy-manager, pihole and finally this web service.

• on the router (night hawk R7500), I set the IP address of the PiHole (in this case the Raspberry Pi) as DNS.

• the Streaming website is a subdomain "movies.example.com". Where the domain "example.com" and the subdomain are enforced with self-signed SSL from the Nginx Proxy manger.

All the mentioned services are dockerized and nothing is installed on "bare metal"

The Nginx Proxy manager is installed with this tutorial.

The following (Screenshot 2) shows the view of the Nginx proxy manager access list IP Address Whitelist/Blacklist.

Screenshot 3 shows both the view of the SSL settings (3.3) and the view of the details section of the chosen host assigned with Authorization for Streaming.

• What version of Nginx Proxy Manager is reported on the login page?
  v2.9.2
• What is shown upon calling the desired website from both the local and the external network: "403 Forbidden, openresty".

[hakunamatata97k]

I ended up whitelisting the public IP address of my router, and somehow it covered all the devices within my network.

[benloeffel]

Experiencing the same issue in the access list.
It seems, only external IP addresses are accepted in the access list - which isn't fun when your ISP assigns the IP dynamically.

[mczeus]

Hopefully this will be implemented soon, with a fixed IP that doesn't really help.

[fgurdradee]

I ended up whitelisting the public IP address of my router, and somehow it covered all the devices within my network.

I am ending up with the same issue. What subnet did you use for external IP ? /32 ?

[Dauntless0ne]

Same issue. Unable to resolve it using internal single IP, subnet range, or external IP.

[chaptergy]

Unfortunately there is nothing we can do about that. If you look into the access logs of your proxy host found at /data/logs/proxy-host-<id>_access.log. You will see something like [Client 172.19.0.1] in each of the lines, which shows you what IP nginx has received that request from.
If your NPM instance is in the public internet, and not in your local network, local ip adresses are NOT available, and nginx will only receive your routers public ip address from the requesting client.
If your npm instance is within your local network, there is a quirk in how docker passes the ip to the container, causing the ip to be something like 172.19.x.x. This is the ip address of the docker bridge gateway. I think this should not happen if you send the request from a different machine than what npm is hosted on. Switching to host network mode in docker can resolve this issue, since the docker network won't have a bridge then. You can do this by changing port 80 and 443 section in your docker-compose to:

ports:
      - target: 443
        published: 443 # Outside port
        mode: host
        protocol: tcp
      - target: 80
        published: 80 # Outside port
        mode: host
        protocol: tcp