External IPs getting successful static GET request with Auth Enabled #2123

@shanelord01

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
    • Yes
  • Are you sure you're not using someone else's docker image?
    • Yes
  • Have you searched for similar issues (both open and closed)?
    • Yes

Describe the bug
Synology NAS sitting behind NPM. Basic Auth is enabled and works for main root protection, but logs show external IPs issuing a successful static GET request and accessing images using this call:

[server address]/webapi/entry.cgi?api=SYNO.Core.Synohdpack&version=1&method=getHDIcon&res=24&retina=false&path=webman/3rdparty/DownloadStation/images/download_station_{0}.png

Also:
webman/3rdparty/FileBrowser/images/icon/FileStation_{0}.png
webman/3rdparty/Virtualization/images/VirtualManagement_{0}.png
webman/3rdparty/SynologyPhotos/images/icon/photos_{0}.png

This skips straight past the auth and shows the file, allowing the person sending this to know a Synology NAS is present.

Issuing just [server address]/webapi correctly asks for auth.

Nginx Proxy Manager Version
2.9.18

To Reproduce
Can provide the URL to my server for @jc21 or similar to assess how to resolve.

Expected behavior
Expect auth to be required for any access to the server including this. How to block "SYNO.Core.Synohdpack" request?

Screenshots
n/a

Operating System
n/a - But tested on Windows client, Mac client and iOS client and all show the same.

Additional context
n/a
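
The check described in this report can be run over a proxy access log. The following is an added example, not part of the original issue or of Nginx Proxy Manager's code: it flags 2xx responses served to external clients that presented no Basic Auth user. It assumes the nginx "combined" log format and an RFC 1918 plus loopback definition of "internal"; the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: nginx "combined" log format, where $remote_user is "-" when the
# client supplied no Basic Auth credentials.
LINE_RE = re.compile(
    r'^(?P<addr>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) ')
# Assumption: these ranges are "internal"; every other source counts as external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def unauthenticated_hits(lines):
    """Return (client, api, path) for 2xx responses sent to external clients
    that presented no Basic Auth user."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not combined format: skip rather than guess
        if m["user"] != "-" or not m["status"].startswith("2"):
            continue  # credentials were supplied, or the request was refused
        try:
            addr = ipaddress.ip_address(m["addr"])
        except ValueError:
            continue
        if any(addr in net for net in INTERNAL):
            continue
        q = parse_qs(urlsplit(m["uri"]).query)
        hits.append((str(addr), q.get("api", [""])[0], q.get("path", [""])[0]))
    return hits

# Constructed sample lines (documentation IP ranges), not taken from the issue.
ICON = ("/webapi/entry.cgi?api=SYNO.Core.Synohdpack&version=1&method=getHDIcon"
        "&res=24&retina=false&path=webman/3rdparty/DownloadStation/images/"
        "download_station_{0}.png")
SAMPLE = [
    f'203.0.113.7 - - [01/Jan/2022:10:00:00 +0000] "GET {ICON} HTTP/1.1" 200 1532 "-" "curl/7.81.0"',
    '203.0.113.7 - - [01/Jan/2022:10:00:01 +0000] "GET /webapi HTTP/1.1" 401 179 "-" "curl/7.81.0"',
    f'192.168.1.20 - - [01/Jan/2022:10:00:02 +0000] "GET {ICON} HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    f'198.51.100.4 - alice [01/Jan/2022:10:00:03 +0000] "GET {ICON} HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for client, api, path in unauthenticated_hits(SAMPLE):
        print(f"no-auth 2xx from {client}: api={api} path={path}")
```

Only the first sample line is reported: the `/webapi` request was refused with 401, the third client is internal, and the fourth carries an authenticated user.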
