Setting access restriction results in 403 forbidden error

[Elmardus]

I am using Nginx Proxy Manager v2.2.3. This problem started occurring after the update to v2.2.3.

I have setup a username with password in the access list. When applying this to a proxy domain, the site becomes inaccessible with a 403 forbidden error. No login window is displayed.

Error.log
2020/04/22 13:01:10 [error] 8411#8411: *210879 access forbidden by rule, client: IP_REDACTED, server: omv.REDACTED.eu, request: "GET / HTTP/2.0", host: "omv.REDACTED.eu"

proxy_host-4.log
[22/Apr/2020:13:01:10 +0000] - - 403 - GET https omv.REDACTED.eu "/" [Client IP_REDACTED] [Length 107] [Gzip 1.36] [Sent-to 192.168.178.100] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0" "-"

[McCloudS]

This is similar behavior to what I was seeing with my issue in some cases. There's a chance this could be tied to mine #382

Have you checked to see if your .conf files have "satisfy all" or "satisfy any" correctly on (usually) line 43 below "#Access checks must..."?

[Elmardus]

I have just checked, the following is added to the /nginx/proxy_host/4.conf (starting at line 50):

  location / {

    # Authorization
    auth_basic            "Authorization required";
    auth_basic_user_file  /data/access/4;

    # Access Rules
    deny all;

    # Access checks must...
    satisfy all;

I haven't yet figured out if this is an incorrect configuration, or in what way this could cause the 403 forbidden error. Any ideas?

[jameski83]

I am getting the same issue on 2.2.3. It won't accept allow all as an entry via the web gui. If I edit the file /nginx/proxy_host/*.conf manually to allow all instead of deny all it works.

I want it to ask for basic auth when accessing via any IP address, not sure if this is the right way to do this or not. Please advise

[modem7]

#393 is possibly also related

[andyjhall]

Similar issue, I wish to use access rules without authorisation however the host still asks for basic auth. Most likely because there needs to be a check in code "if the user / password list is empty, dont include 'auth_basic' in the config file". This check needs to be put in the proxy_host.conf template

[radumpopescu]

I had the same issue.
It seems to be happening only when HTTP/2 Support is active on the proxy.
After I disabled it, it asked me for login and it worked.

[Indemnity83]

By design, a client will need to meet BOTH the authorization, and access rules defined on the access list unless you select the satisfy any option.

It sounds like you're only setting a username/password and not modifying the authorization rules or setting satisfy any and the default deny all rule in the authorization is resulting in a 403 response.

It sounds like your use case requires setting the satisfy any option on the access list to tell Nginx to let a user in if they satisfy either the Authentication or Access rules.

[Indemnity83]

Similar issue, I wish to use access rules without authorisation however the host still asks for basic auth. Most likely because there needs to be a check in code "if the user / password list is empty, dont include 'auth_basic' in the config file". This check needs to be put in the proxy_host.conf template

This is a different issue to the OP's ... I've submitted PR #403 to prevent the server asking for auth if no users are defined.

[Indemnity83]

It won't accept allow all as an entry via the web gui

This is also fixed in #402

[Elmardus]

I believe this issue has been fixed, on the current version access restrictions work without problems as far as I know.

[robertorubioguardia]

I had the same issue.
It seems to be happening only when HTTP/2 Support is active on the proxy.
After I disabled it, it asked me for login and it worked.

This solved the 403 in my case. HTTP/2 was messing up with the auth.

[robertorubioguardia]

just in case, it happened today on a fresh install of the last version. So maybe its not fully resolved.

[dioxidec]

Fresh install today, I get a 403 Forbidden when satisfy any is enabled if there is a username/pass on its own or if I also have a username/pass and allowed ip filled in. It also happens if the satisy all is disabled with both usr/pass and IP set. This is using the docker image on unraid community apps.

UPDATE: It seems you need to restart the docker after each change of an option for it to take effect. I now get the pop up for usr/pass etc

[robertorubioguardia]

@dioxidec it happens if you use HTTP/2 and ACL. Disabling HTTP/2 fixed it for me and other in this thread.

[Hukuma1]

@dioxidec it happens if you use HTTP/2 and ACL. Disabling HTTP/2 fixed it for me and other in this thread.

+1

Thank you. Was trying to simply add 192.168.1.0/24 to allow list and it was giving 403 forbidden even with satisfy any setting. Turning off HTTP/2 fixed it for me as well.

[wildernessfamily]

This has been driving me crazy. Been working on this for the past hour. I was also receiving the 403 error. I did try disabling HTTP/2. What worked was disabling HTTP/2 and then restarting the container. Saving it in NPM was not enough. I had to disable SSL support, save, completely restart the container, re-enable SSL support, restart the container. Once I did that it worked.

[kekonn]

I can confirm this issue is still there.

[vdachev]

Hi guys! I played around a bit with NPM and the backing Nginx... And IMHO there are number of issues that cause all the confusion.

• NPM does not reload affected proxy host configurations when you change the access lists.
  • I did killall -HUP nginx in the Docker container to do that, but:
  • You can do that by opening and saving the proxy host configurations (individually) in the UI.
• Confusion with the Satisfy Any switch and Authorization (which I suppose should be Authentication) and Access tabs:
  • When checking a client against the Authorization tab, they are allowed if the list is empty (because NPM skips the basic auth directives in Nginx whatsoever).
  • When checking a client against the Access tab, they are denied if the list is empty (because NPM forces you to have a deny all directive in Nginx).
  • If the Satisfy Any is disabled (i.e. satisfy all in Nginx), a client should be allowed by both the Authorization and Acccess tabs.
  • If the Satisfy Any is enabled (i.e. satisfy any in Nginx, a client should be allowed by any the Authorization and Acccess tabs.

Bottomline, if you want basic authentication only without checking against the white list:

1. Add users to the Authorization tab.
2. Two options:
   1. Enable the Satisfy All switch and keep the Access tab empty.
   2. Disable the Satisfy All switch and add an allow all rule in the beginning of the Access tab.
3. Re-save the affected proxy host(s).

[tromanshow]

Hi guys,
I got hte same error today on lastet 2.9.14...
I try to setup a LAN only acces so put an acces list with local 192.168.0.0/24 network and user. I got 403 Forbidden ( openresty )
I can confirm that :

• HTTP/2 is disable
• Satisfy Any is untick

I got it working with satisfy any tick but therefore it's not ip restricted...

In logs i got this :
access forbidden by rule, client: , server: subdomain.mydomain.com request: "GET / HTTP/2.0", host: "subdomain.mydomain.com", referrer: "http://<ngnix_proxy_manager_IP>:81/"

[csulit]

The issue still persists.

[mplacona]

The issue still persists.

Can confirm this is still a problem in v2.9.18. Has anyone else been able to get this working?

[MrSmits]

I thought I was doing something wrong, been messing with it for a while now. I'm on v2.9.18.
When trying to limit access to a website by IP addresses it does seem to work properly when using my LAN address, but not for public IP addresses...

I.e when I set below I can access the site from a machine in the 192.168.100.0/24 subnet, but not from a machine coming from that public IP.

[MrSmits]

Think I found a workaround. I just manually placed the allow/deny rules in the custom configuration for the proxy host and it seems to work as it should there.
I now have my proxy host access control set to be publicly accesible but have the below custom config applied:

[mplacona]

I wonder if there are any drawbacks to doing it this way. But if not, that’s a great find!

Edit: And the above totally works btw! Thank you @MrSmits

[MrSmits]

No problem.

I think the major difference is that doing it this way the access control list works for the entire proxy host.
When you use the NPM GUI I think it sets the access list only on location /, which means if you add custom locations under a proxy host that those aren't secured by the access list. But this is just from what I observed by briefly looking at the proxy host config files that NPM generates when you select an access list.
I'll take another look later at things and do some more testing, I'm not a developer so not sure how much help this is for the NPM project but I can mess around with Nginx itself just fine :)

[Wraaath]

Hey, I am experiencing a similar issue.
When I use an Access List with no authorization, I am send to a "403 Forbidden openresty".
This is still happening with "HTTP/2 Support" on/off, "Satisfy Any" on/off & even with the "Custom Nginx Configuration" configured and Access List set to "Public".

But if I use an Access List with authorization credentials, I can access my page. The only problem is, it seems to not be following the rules I set for the Access List from my testing.

Is there any workaround for this that I haven't tried?
Thanks./

[zgorizzo69]

I got it working with basic auth with:
inside ACL

• satisfy any : off
• allow : all
• deny : all

in the proxy settings:

• block common exploit: on
• I have a custom SSL cert but everything else off ( force ssl:off http/2:off)

note that it was working with public access so I recommend you first check that it works in public mode before trying to set it up with basic auth

[Wraaath]

Yeah, but I am looking to use my service without auth but just locally. Even thought I set the settings for it only being accessible locally, it's still accessible publicly.

[MrSmits]

What is your LAN IP and how are you trying to access the website? (Via LAN IP or hostname or WAN IP)

[zgorizzo69]

What is your LAN IP and how are you trying to access the website? (Via LAN IP or hostname or WAN IP)

through wan with a port forward on router I access my local lan server where npm is installed

[MrSmits]

What is your LAN IP and how are you trying to access the website? (Via LAN IP or hostname or WAN IP)

through wan with a port forward on router I access my local lan server where npm is installed

Sorry, question was for @Wraaath

[Wraaath]

What is your LAN IP and how are you trying to access the website? (Via LAN IP or hostname or WAN IP)

I'm accessing my service through the domain I assigned.

[MrSmits]

What is your LAN IP and how are you trying to access the website? (Via LAN IP or hostname or WAN IP)

I'm accessing my service through the domain I assigned.

So you are accessing the host from you LAN on a public IP adress, presumably through NAT loopback? Have you tried setting an allow for you WAN address?

[tomshomelab]

192.168.0.0/24

hi there, the above does not work sadly.

i am able to access the site through public mode first, adding your steps gives me 403 forbidden - issue still persists

[MrSmits]

The workaround I've posted is working perfectly fine for me till date, latest npm.
It can be something to you networking setup that is different from mine, so double check the IP adresses your connecting from and to. Also make sure you have no syntax errors in the advanced config page.

[elexx]

I got it working with basic auth with: inside ACL

• satisfy any : off
• allow : all
• deny : all

in the proxy settings:

• block common exploit: on
• I have a custom SSL cert but everything else off ( force ssl:off http/2:off)

note that it was working with public access so I recommend you first check that it works in public mode before trying to set it up with basic auth

I played around with this exact settings and it seems the order is important:

• Set allow: all in ACL
• Modify the proxy host in any way (toggle any button and save)

To me it looks like the ACL allow: all is the important part. But it seems it doesn't get picked up automatically but only after reloading the host config, for example by changing anything and clicking "save".

I hope this helps to further diagnose the issue or at least as workaround.

[mxbchr]

I tried every possible combination of configurations in the last two hours.
What reliably fixed it for me is this:

1. Creating a "Allow 0.0.0.0/0" rule in the Access List Tab
2. Deactivating "Satisfy Any" in ACL Tab
3. Create a NEW Proxy Host.
4. Deactivating HTST, HTST Subdomains and HTTP/2 in the Proxy Host Tab. Force SSL works for me when everything else is off.

And yes. It is crucial to first create the ACL and then create a NEW Proxy Host. Adding the ACL to an existing proxy host will result in 403 error, or in logging in having no effect and login window showing over and over again.

Note: When I misconfigured it i had to "clear the site data" in the browser for it to work again once it was configured right.

And just in case someone doesn't know (as I did 2h ago). You can auto login if you use this url scheme:
https.//username:password@example.com/
Hope this helps.

[l4kr]

Basic functionality working like ass makes me question the security of this whole project...

[viseshrp]

Basic functionality working like ass makes me question the security of this whole project...

It did not gain 15k stars by 'working like ass'. Show some respect.
And I'm sorry, how much did you pay for this again? That's right. Nothing. It's free software. If you do not like it, move on.

[BobWs]

I'm having similar problems with NPM and access list to restrict acces to only on specific IP address.
I have tried all the suggestions above but none is working for me. I'm on the latest NPM (2.10.4) install on docker on a Synology Host.

So basically when I add the specific IP I want to grant access I'm getting the forbidden page, when I remove the restriction it is working.

(this didn't work)

Any suggestions how to fix this? I would like to grant a specific IP address to my webdav server this way.
TIA

[MrSmits]

Make sure you add the allow entries for the correct IP and subnet adresses, should just work.
It's always worked fine for me :)

[BobWs]

Make sure you add the allow entries for the correct IP and subnet adresses, should just work.
It's always worked fine for me :)

Thanks but yes, I have set the correct IP (double checked it with what's-my-IP), but still no access. When I remove the entry it is working, but then it is open to everyone and that is not what I want.

[4lexKidd]

Had the same issue and seams to still persist.
I got the issue fixed but here is my setup so you can relate:
I have nginxpm set up using a fixed domain and a fixed public ip address.
I tried several configurations and orders of saving and nothing seamed to work with local ip ranges (192.xxx.yyy.zzz/16 or /24). Due to the nature of accessing my services through subdomains, all requests were routed externally (me>>domainprovider>>me) and therefor ariving whith my non-changing public ip.

My ruleset for the ACL is:

• Satisfy Any -> ON
• 2 User Accounts that have to be logged in if the request is not from my home-net
• Access Rules are (in this order):
  Allow -> Public ip
  Allow -> 192.168.0.0/16 (just to save myself from shananigans; might not be nessesary)
  Deny -> all

Works like intended and even does not need the mentioned saving order trickery but i cannot say if this will work if you do not route outside of your network(pure local only).

[enkelmedia]

I had the same issue. It seems to be happening only when HTTP/2 Support is active on the proxy. After I disabled it, it asked me for login and it worked.

In my case it was the other way around, after activating HTTP2 for the host it started to ask for auth.

Browser: Chrome
Nginx: v2.10.4

[github-actions]

Issue is now considered stale. If you want to keep it open, please comment 👍

[BananaAcid]

Still a pain.