NPM - allow only specific IP's
Posted by jeffshead
|
NPM - allow only specific IP's September 06, 2022 07:45AM |
Registered: 3 years ago Posts: 4 |
I'm trying to limit access to a location. I want to use both basic auth and allow only certain IP's.
I have Nginx Proxy Manager (NPM) facing the Internet (reverse proxy) and a Nginx instance behind it. I guess both are acting as reverse proxies. Everything is Docker. I got the basic auth working but when I try to restrict IP's, I get 502 gateway errors. I'm guessing it has something to do with me not using the correct code to use the real, remote IP's of visitors which is passed from NPM to the internal NGINX server.
For reference, below is the entire, original nginx.conf file of the internal NGINX server:
...
worker_processes 1;
events {
worker_connections 1024;
}
http {
sendfile on;
gzip on;
gzip_http_version 1.0;
gzip_proxied any;
gzip_min_length 500;
gzip_disable "MSIE [1-6]\.";
gzip_types text/plain text/xml text/css
text/comma-separated-values
text/javascript
application/x-javascript
application/atom+xml;
default_type application/octet-stream;
include /etc/nginx/mime.types;
server_tokens off;
server {
client_max_body_size 50M;
listen 80;
server_name _;
# Proxying connections to application servers
location = / {
proxy_pass http://frontend:8082/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {
proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location = /robots.txt {
proxy_pass http://frontend:8082/robots.txt;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location ~ [.]* {
proxy_pass http://switchboard:8083;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
}
...
Below is the location (taken from the code above) which I'm trying to restrict access to:
...
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {
proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
...
The code below does work:
...
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {
auth_basic "Basic Auth Restricted Canrytokens";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
...
The code below does NOT work (502 gateway error):
...
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {
real_ip_header X-Forwarded-For;
set_real_ip_from 172.16.0.0/12;
allow 1.2.3.4/28;
allow 2.3.4.5;
allow 3.4.5.6;
allow 4.5.6.7
deny all;
auth_basic "Basic Auth Restricted Canrytokens";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
...
The code below also does NOT work:
...
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {
real_ip_header X-Real-IP;
set_real_ip_from 172.16.0.0/12;
allow 1.2.3.4/28;
allow 2.3.4.5;
allow 3.4.5.6;
allow 4.5.6.7
deny all;
auth_basic "Basic Auth Restricted Canrytokens";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
...
What am I doing wrong? How do I troubleshoot? I kow the internal NGINX server is getting the real IP from NPM because it passes the real IP to what is behind the internal NGINX server.
Edited 1 time(s). Last edit at 09/06/2022 07:47AM by jeffshead.
I have Nginx Proxy Manager (NPM) facing the Internet (reverse proxy) and a Nginx instance behind it. I guess both are acting as reverse proxies. Everything is Docker. I got the basic auth working but when I try to restrict IP's, I get 502 gateway errors. I'm guessing it has something to do with me not using the correct code to use the real, remote IP's of visitors which is passed from NPM to the internal NGINX server.
For reference, below is the entire, original nginx.conf file of the internal NGINX server:
...
worker_processes 1;
events {
worker_connections 1024;
}
http {
sendfile on;
gzip on;
gzip_http_version 1.0;
gzip_proxied any;
gzip_min_length 500;
gzip_disable "MSIE [1-6]\.";
gzip_types text/plain text/xml text/css
text/comma-separated-values
text/javascript
application/x-javascript
application/atom+xml;
default_type application/octet-stream;
include /etc/nginx/mime.types;
server_tokens off;
server {
client_max_body_size 50M;
listen 80;
server_name _;
# Proxying connections to application servers
location = / {
proxy_pass http://frontend:8082/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {
proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location = /robots.txt {
proxy_pass http://frontend:8082/robots.txt;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location ~ [.]* {
proxy_pass http://switchboard:8083;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
}
}
...
Below is the location (taken from the code above) which I'm trying to restrict access to:
...
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {
proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
...
The code below does work:
...
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {
auth_basic "Basic Auth Restricted Canrytokens";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
...
The code below does NOT work (502 gateway error):
...
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {
real_ip_header X-Forwarded-For;
set_real_ip_from 172.16.0.0/12;
allow 1.2.3.4/28;
allow 2.3.4.5;
allow 3.4.5.6;
allow 4.5.6.7
deny all;
auth_basic "Basic Auth Restricted Canrytokens";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
...
The code below also does NOT work:
...
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {
real_ip_header X-Real-IP;
set_real_ip_from 172.16.0.0/12;
allow 1.2.3.4/28;
allow 2.3.4.5;
allow 3.4.5.6;
allow 4.5.6.7
deny all;
auth_basic "Basic Auth Restricted Canrytokens";
auth_basic_user_file /etc/nginx/.htpasswd;
proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
...
What am I doing wrong? How do I troubleshoot? I kow the internal NGINX server is getting the real IP from NPM because it passes the real IP to what is behind the internal NGINX server.
Edited 1 time(s). Last edit at 09/06/2022 07:47AM by jeffshead.
|
Re: NPM - allow only specific IP's September 06, 2022 08:41AM |
Registered: 3 years ago Posts: 4 |
Sorry, only registered users may post in this forum.
Online Users
Guests:
265
Record Number of Users:
8
on April 13, 2023
Record Number of Guests:
421
on December 02, 2018
This forum is powered by Phorum.
 |
 |
 |
 |
|