Setting access restriction results in 403 forbidden error #383
Comments
This is similar behavior to what I was seeing with my issue in some cases. There's a chance this could be tied to mine, #382. Have you checked to see if your .conf files have "satisfy all" or "satisfy any" correctly on (usually) line 43 below "#Access checks must..."? |
I have just checked, the following is added to the
I haven't yet figured out if this is an incorrect configuration, or in what way this could cause the 403 forbidden error. Any ideas? |
I am getting the same issue on 2.2.3. It won't accept allow all as an entry via the web gui. If I edit the file /nginx/proxy_host/*.conf manually to allow all instead of deny all it works. I want it to ask for basic auth when accessing via any IP address, not sure if this is the right way to do this or not. Please advise |
#393 is possibly also related |
Similar issue, I wish to use access rules without authorisation however the host still asks for basic auth. Most likely because there needs to be a check in code "if the user / password list is empty, don't include 'auth_basic' in the config file". This check needs to be put in the proxy_host.conf template |
I had the same issue. |
By design, a client will need to meet BOTH the authorization, and access rules defined on the access list unless you select the It sounds like you're only setting a username/password and not modifying the authorization rules or setting It sounds like your use case requires setting the |
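The interaction between the access list's IP rules and its username/password, as an added example that is not part of the original thread: a simplified Python model of how nginx combines the `allow`/`deny` check with `auth_basic` under the `satisfy all` and `satisfy any` settings mentioned in this issue. The function names, the sample user and the IP addresses are constructed for illustration, and the password comparison stands in for nginx's htpasswd check.

```python
import ipaddress

def access_module(rules, client_ip):
    """allow/deny check: the first matching rule wins; no match means no opinion."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net == "all" or ip in ipaddress.ip_network(net):
            return 200 if action == "allow" else 403
    return None

def auth_basic_module(users, creds):
    """Basic auth check: inactive with no users, otherwise 401 unless creds match."""
    if not users:
        return None
    ok = creds is not None and users.get(creds[0]) == creds[1]
    return 200 if ok else 401

def decide(satisfy, rules, users, client_ip, creds=None):
    """Status produced by the access phase: 200, 401 (login prompt) or 403."""
    results = [access_module(rules, client_ip), auth_basic_module(users, creds)]
    results = [r for r in results if r is not None]
    if satisfy == "all":
        # Every check must pass. The IP check runs first, so a "deny all"
        # returns 403 before the browser is ever asked for credentials.
        return next((r for r in results if r != 200), 200)
    # satisfy any: one passing check is enough. If every check refuses,
    # 401 takes precedence over 403 so the client gets a login prompt.
    if not results or 200 in results:
        return 200
    return 401 if 401 in results else 403

# Constructed sample data (not taken from the issue).
USERS = {"alice": "example-password"}
GOOD = ("alice", "example-password")
DENY_ALL = [("deny", "all")]                               # user-only access list
LAN_ONLY = [("allow", "192.168.1.0/24"), ("deny", "all")]  # IP allow-list
WAN, LAN = "203.0.113.7", "192.168.1.20"

def scenarios():
    return {
        "all + deny all, valid password": decide("all", DENY_ALL, USERS, WAN, GOOD),
        "any + deny all, no password": decide("any", DENY_ALL, USERS, WAN),
        "any + deny all, valid password": decide("any", DENY_ALL, USERS, WAN, GOOD),
        "all + LAN only, LAN client, no password": decide("all", LAN_ONLY, USERS, LAN),
        "any + LAN only, LAN client, no password": decide("any", LAN_ONLY, USERS, LAN),
        "any + LAN only, no users, WAN client": decide("any", LAN_ONLY, {}, WAN),
    }

if __name__ == "__main__":
    for name, status in scenarios().items():
        print(f"{status}  {name}")
```

The first scenario reproduces the symptom in the original report: a 403 "access forbidden by rule" with no login window, even though the credentials would have been accepted.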
This is a different issue to the OP's ... I've submitted PR #403 to prevent the server asking for auth if no users are defined. |
This is also fixed in #402 |
I believe this issue has been fixed, on the current version access restrictions work without problems as far as I know. |
This solved the 403 in my case. HTTP/2 was messing up with the auth. |
Just in case, it happened today on a fresh install of the last version. So maybe it's not fully resolved. |
Fresh install today, I get a 403 Forbidden when satisfy any is enabled if there is a username/pass on its own or if I also have a username/pass and allowed ip filled in. It also happens if the satisfy all is disabled with both usr/pass and IP set. This is using the docker image on unraid community apps. UPDATE: It seems you need to restart the docker after each change of an option for it to take effect. I now get the pop up for usr/pass etc |
@dioxidec it happens if you use HTTP/2 and ACL. Disabling HTTP/2 fixed it for me and others in this thread. |
+1 Thank you. Was trying to simply add |
This has been driving me crazy. Been working on this for the past hour. I was also receiving the 403 error. I did try disabling HTTP/2. What worked was disabling HTTP/2 and then restarting the container. Saving it in NPM was not enough. I had to disable SSL support, save, completely restart the container, re-enable SSL support, restart the container. Once I did that it worked. |
I can confirm this issue is still there. |
Hi guys! I played around a bit with NPM and the backing Nginx... And IMHO there are number of issues that cause all the confusion.
Bottomline, if you want basic authentication only without checking against the white list:
|
Hi guys,
I got it working with satisfy any tick but therefore it's not IP restricted... In the logs I got this: |
The issue still persists. |
Can confirm this is still a problem in v2.9.18. Has anyone else been able to get this working? |
I wonder if there are any drawbacks to doing it this way. But if not, that’s a great find! Edit: And the above totally works btw! Thank you @MrSmits |
No problem. I think the major difference is that doing it this way the access control list works for the entire proxy host. |
Hey, I am experiencing a similar issue. But if I use an Access List with authorization credentials, I can access my page. The only problem is, it seems to not be following the rules I set for the Access List from my testing. Is there any workaround for this that I haven't tried? |
I got it working with
in the
note that it was working with public access so I recommend you first check that it works in public mode before trying to set it up with basic auth |
Yeah, but I am looking to use my service without auth but just locally. Even though I set the settings for it only being accessible locally, it's still accessible publicly. |
What is your LAN IP and how are you trying to access the website? (Via LAN IP or hostname or WAN IP) |
Through WAN with a port forward on the router, I access my local LAN server where NPM is installed |
Sorry, question was for @Wraaath |
I'm accessing my service through the domain I assigned. |
So you are accessing the host from your LAN on a public IP address, presumably through NAT loopback? Have you tried setting an allow for your WAN address? |
Hi there, the above does not work sadly. I am able to access the site through public mode first, adding your steps gives me 403 forbidden - issue still persists |
The workaround I've posted is working perfectly fine for me till date, latest npm. |
I played around with these exact settings and it seems the order is important:
To me it looks like the ACL I hope this helps to further diagnose the issue or at least as workaround. |
I tried every possible combination of configurations in the last two hours.
And yes. It is crucial to first create the ACL and then create a NEW Proxy Host. Adding the ACL to an existing proxy host will result in 403 error, or in logging in having no effect and login window showing over and over again. Note: When I misconfigured it I had to "clear the site data" in the browser for it to work again once it was configured right. And just in case someone doesn't know (as I did 2h ago). You can auto login if you use this url scheme: |
Basic functionality working like ass makes me question the security of this whole project... |
It did not gain 15k stars by 'working like ass'. Show some respect. |
I'm having similar problems with NPM and access list to restrict access to only one specific IP address. So basically when I add the specific IP I want to grant access I'm getting the forbidden page, when I remove the restriction it is working. Any suggestions how to fix this? I would like to grant a specific IP address to my webdav server this way. |
Make sure you add the allow entries for the correct IP and subnet addresses, should just work. |
Thanks but yes, I have set the correct IP (double checked it with what's-my-IP), but still no access. When I remove the entry it is working, but then it is open to everyone and that is not what I want. |
Had the same issue and seems to still persist. My ruleset for the ACL is:
Works like intended and even does not need the mentioned saving order trickery but I cannot say if this will work if you do not route outside of your network (pure local only). |
In my case it was the other way around, after activating HTTP2 for the host it started to ask for auth. Browser: Chrome |
Issue is now considered stale. If you want to keep it open, please comment 👍 |
Still a pain. |
I am using Nginx Proxy Manager v2.2.3. This problem started occurring after the update to v2.2.3.
I have setup a username with password in the access list. When applying this to a proxy domain, the site becomes inaccessible with a 403 forbidden error. No login window is displayed.
Error.log
2020/04/22 13:01:10 [error] 8411#8411: *210879 access forbidden by rule, client: IP_REDACTED, server: omv.REDACTED.eu, request: "GET / HTTP/2.0", host: "omv.REDACTED.eu"
proxy_host-4.log
[22/Apr/2020:13:01:10 +0000] - - 403 - GET https omv.REDACTED.eu "/" [Client IP_REDACTED] [Length 107] [Gzip 1.36] [Sent-to 192.168.178.100] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0" "-"