Welcome! Log In Create A New Profile

Advanced

NPM - allow only specific IP's

Posted by jeffshead 
NPM - allow only specific IP's
September 06, 2022 07:45AM
I'm trying to limit access to a location. I want to use both basic auth and allow only certain IP's.

I have Nginx Proxy Manager (NPM) facing the Internet (reverse proxy) and a Nginx instance behind it. I guess both are acting as reverse proxies. Everything is Docker. I got the basic auth working but when I try to restrict IP's, I get 502 gateway errors. I'm guessing it has something to do with me not using the correct code to use the real, remote IP's of visitors which is passed from NPM to the internal NGINX server.

For reference, below is the entire, original nginx.conf file of the internal NGINX server:
...
worker_processes 1;
events {

worker_connections 1024;

}

http {

sendfile on;

gzip on;
gzip_http_version 1.0;
gzip_proxied any;
gzip_min_length 500;
gzip_disable "MSIE [1-6]\.";
gzip_types text/plain text/xml text/css
text/comma-separated-values
text/javascript
application/x-javascript
application/atom+xml;

default_type application/octet-stream;
include /etc/nginx/mime.types;

server_tokens off;

server {
client_max_body_size 50M;
listen 80;
server_name _;
# Proxying connections to application servers
location = / {
proxy_pass http://frontend:8082/;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;

}
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {
proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location = /robots.txt {
proxy_pass http://frontend:8082/robots.txt;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
location ~ [.]* {
proxy_pass http://switchboard:8083;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}

}

}
...


Below is the location (taken from the code above) which I'm trying to restrict access to:
...
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {
proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
...


The code below does work:
...
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {

auth_basic "Basic Auth Restricted Canrytokens";
auth_basic_user_file /etc/nginx/.htpasswd;

proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
...


The code below does NOT work (502 gateway error):
...
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {

real_ip_header X-Forwarded-For;
set_real_ip_from 172.16.0.0/12;
allow 1.2.3.4/28;
allow 2.3.4.5;
allow 3.4.5.6;
allow 4.5.6.7
deny all;
auth_basic "Basic Auth Restricted Canrytokens";
auth_basic_user_file /etc/nginx/.htpasswd;

proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
...


The code below also does NOT work:
...
location ~* (/generate|/manage|/download|/history|/settings|/resources).* {

real_ip_header X-Real-IP;
set_real_ip_from 172.16.0.0/12;
allow 1.2.3.4/28;
allow 2.3.4.5;
allow 3.4.5.6;
allow 4.5.6.7
deny all;
auth_basic "Basic Auth Restricted Canrytokens";
auth_basic_user_file /etc/nginx/.htpasswd;

proxy_pass http://frontend:8082;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
}
...

What am I doing wrong? How do I troubleshoot? I kow the internal NGINX server is getting the real IP from NPM because it passes the real IP to what is behind the internal NGINX server.



Edited 1 time(s). Last edit at 09/06/2022 07:47AM by jeffshead.
Re: NPM - allow only specific IP's
September 06, 2022 08:41AM
Found the issue. It is a typo. I left off a ";".

This line is missing the semicolon:
...
allow 4.5.6.7
...


Should be:
...
allow 4.5.6.7;
...
Sorry, only registered users may post in this forum.

Click here to login

Online Users

Guests: 58
Record Number of Users: 6 on February 13, 2018
Record Number of Guests: 421 on December 02, 2018
Powered by nginx      Powered by FreeBSD      PHP Powered      Powered by MariaDB      ipv6 ready