Access list didn't work #873

Closed
dartymath opened this issue Feb 7, 2021 · 4 comments
@dartymath

Checklist

  • Have you pulled and found the error with jc21/nginx-proxy-manager:latest docker image?
  • Are you sure you're not using someone else's docker image?
  • If having problems with Lets Encrypt, have you made absolutely sure your site is accessible from outside of your network?

Yes, it is the latest Docker image, jc21/nginx-proxy-manager:latest 2.7.3.
The issue is with the Access List; more precisely, the client IP address is not correct: it is always 172.18.0.1 (the Docker gateway).

Describe the bug

  • A clear and concise description of what the bug is.
  • What version of Nginx Proxy Manager is reported on the login page?

Version 2.7.3, the latest! When using an access list, I always get 403 Forbidden!
In the log file of the proxy host concerned, I can see that the client IP address recorded is in fact the gateway of the container, 172.18.0.1, and not the real address of the client, so it is normal that it doesn't work.
This client address is obtained both for internal client requests and for external ones from a 4G mobile phone.
I tried different advanced options reported in other issues, "Nginx PM not recognizing my actual IP I am connecting with, but rather a Cloudflare IP. #811" and "IP address - Docker #112", without success.

Can you help me, please?

To Reproduce
Steps to reproduce the behavior:

  1. Go to '...'
  2. Click on '....'
  3. Scroll down to '....'
  4. See error

[07/Feb/2021:16:11:33 +0000] - - 403 - GET https morse.xx-xx.fr "/" [Client 172.18.0.1] [Length 182] [Gzip 3.23] [Sent-to 192.168.0.19] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36" "http://192.168.0.19:281/"
[07/Feb/2021:16:11:33 +0000] - - 403 - GET https morse.xx-xx.fr "/favicon.ico" [Client 172.18.0.1] [Length 182] [Gzip 3.23] [Sent-to 192.168.0.19] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36" "https://morse.xx-xx.fr/"
[07/Feb/2021:16:12:51 +0000] - - 403 - GET https morse.xx-xx.fr "/" [Client 172.18.0.1] [Length 182] [Gzip 3.23] [Sent-to 192.168.0.19] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36" "http://192.168.0.19:281/"
[07/Feb/2021:16:12:51 +0000] - - 403 - GET https morse.xx-xx.fr "/favicon.ico" [Client 172.18.0.1] [Length 182] [Gzip 3.23] [Sent-to 192.168.0.19] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36" "https://morse.xx-xx.fr/"
[07/Feb/2021:16:15:26 +0000] - - 403 - GET https morse.xx-xx.fr "/" [Client 172.18.0.1] [Length 182] [Gzip 3.23] [Sent-to 192.168.0.19] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36" "http://192.168.0.19:281/"
[07/Feb/2021:16:15:26 +0000] - - 403 - GET https morse.xx-xx.fr "/favicon.ico" [Client 172.18.0.1] [Length 182] [Gzip 3.23] [Sent-to 192.168.0.19] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.146 Safari/537.36" "https://morse.xx-xx.fr/"
[07/Feb/2021:16:17:30 +0000] - - 403 - GET https morse.xx-xx.fr "/" [Client 172.18.0.1] [Length 171] [Gzip 3.23] [Sent-to 192.168.0.19] "Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.152 Mobile Safari/537.36" "-"
[07/Feb/2021:16:17:30 +0000] - - 403 - GET https morse.xx-xx.fr "/favicon.ico" [Client 172.18.0.1] [Length 171] [Gzip 3.23] [Sent-to 192.168.0.19] "Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.152 Mobile Safari/537.36" "https://morse.xx-xx.fr/"
[07/Feb/2021:16:17:34 +0000] - - 403 - GET https morse.xx-xx.fr "/" [Client 172.18.0.1] [Length 171] [Gzip 3.23] [Sent-to 192.168.0.19] "Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.152 Mobile Safari/537.36" "-"
[07/Feb/2021:16:17:35 +0000] - - 403 - GET https morse.xx-xx.fr "/favicon.ico" [Client 172.18.0.1] [Length 171] [Gzip 3.23] [Sent-to 192.168.0.19] "Mozilla/5.0 (Linux; Android 10; SM-G973F) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/88.0.4324.152 Mobile Safari/537.36" "https://morse.xx-xx.fr/"

Expected behavior
A clear and concise description of what you expected to happen.

Screenshots
If applicable, add screenshots to help explain your problem.
access list
log
log2

Operating System

  • Please specify if using a Rpi, Mac, orchestration tool or any other setups that might affect the reproduction of this error.

Synology DSM

Additional context
Add any other context about the problem here, docker version, browser version if applicable to the problem. Too much info is better than too little.

@dartymath dartymath added the bug label Feb 7, 2021
@dartymath
Author

Just to be precise, I have the same issue when I install Nginx Proxy Manager as an add-on in Home Assistant or with another Docker image, jlesage/nginx-proxy-manager.
The issue seems to come from version 2.7.3.

@christofkac

christofkac commented Dec 30, 2021

Hi,
I have a similar problem:
I want to access a Grafana dashboard which loads data from an influxdb.
Strangely, some data is read correctly and for some data I get the error 403 like in the post above.

Here are some examples:

[29/Dec/2021:13:35:40 +0100] - - 403 - GET https gr.chrkac.com "/api/datasources/proxy/1/query?db=iobroker&q=SELECT%20mean(%22value%22)%20FROM%20%22javascript.0.HeizungHolland.Aussentemperatur%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(5m)%20fill(linear)%3BSELECT%20mean(%22value%22)%20FROM%20%22javascript.0.HeizungHolland.TemperaturIst%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(5m)%20fill(linear)%3BSELECT%20mean(%22value%22)%20FROM%20%22javascript.0.HeizungHolland.TemperaturSoll%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(5m)%20fill(linear)%3BSELECT%20mean(%22value%22)%20FROM%20%22javascript.0.HeizungHolland.BrennerAn%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(5m)%20fill(previous)&epoch=ms" [Client 192.168.188.20] [Length 171] [Gzip 3.23] [Sent-to 192.168.178.233] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" "https://gr.chrkac.com/d/ylJMgbXiz/iobroker?orgId=1"

[29/Dec/2021:13:35:40 +0100] - 200 200 - GET https gr.chrkac.com "/api/datasources/proxy/1/query?db=iobroker&q=SELECT%20mean(%22value%22)%20FROM%20%22viessmannapi.0.271207.0.features.heating.dhw.sensors.temperature.hotWaterStorage.properties.value.value%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(5m)%20fill(linear)%3BSELECT%20mean(%22value%22)%20FROM%20%22viessmannapi.0.271207.0.features.heating.dhw.temperature.main.properties.value.value%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(5m)%20fill(linear)%3BSELECT%20mean(%22value%22)%20FROM%20%22viessmannapi.0.271207.0.features.heating.dhw.charging.properties.active.value%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(5m)%20fill(previous)%3BSELECT%20mean(%22value%22)%20FROM%20%22viessmannapi.0.info.connection%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(5m)%20fill(previous)&epoch=ms" [Client 192.168.188.20] [Length 5929] [Gzip -] [Sent-to 192.168.178.233] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" "https://gr.chrkac.com/d/ylJMgbXiz/iobroker?orgId=1"

[29/Dec/2021:13:35:46 +0100] - - 403 - GET https gr.chrkac.com "/api/datasources/proxy/1/query?db=iobroker&q=SELECT%20mean(%22value%22)%20FROM%20%22javascript.0.Google_Maps.zur_Arbeit.Minuten_0%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(5m)%20fill(linear)%3BSELECT%20mean(%22value%22)%20FROM%20%22javascript.0.Google_Maps.zur_ArbeitAnja.Minuten_0%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(5m)%20fill(linear)&epoch=ms" [Client 192.168.188.20] [Length 171] [Gzip 3.23] [Sent-to 192.168.178.233] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" "https://gr.chrkac.com/d/ylJMgbXiz/iobroker?orgId=1"

[29/Dec/2021:13:35:46 +0100] - 200 200 - GET https gr.chrkac.com "/api/datasources/proxy/1/query?db=iobroker&q=SELECT%20mean(%22value%22)%20FROM%20%22mqtt.0.Terasse.Helligkeit%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(5m)%20fill(linear)%3BSELECT%20mean(%22value%22)%20FROM%20%22mqtt.0.Terasse.Batterie%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(5m)%20fill(linear)%3BSELECT%20mean(%22value%22)%20FROM%20%22mqtt.0.Terasse.WiFi%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(5m)%20fill(linear)&epoch=ms" [Client 192.168.188.20] [Length 4633] [Gzip -] [Sent-to 192.168.178.233] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" "https://gr.chrkac.com/d/ylJMgbXiz/iobroker?orgId=1"

[29/Dec/2021:13:35:47 +0100] - - 403 - GET https gr.chrkac.com "/api/datasources/proxy/1/query?db=iobroker&q=SELECT%20mean(%22value%22)%20%20%2F%201000%20FROM%20%22sonoff.0.Waschmaschine_D58B90.ENERGY_Power%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(2m)%20fill(linear)%3BSELECT%20mean(%22value%22)%20FROM%20%22javascript.0.Waschmaschine.An%22%20WHERE%20time%20%3E%3D%20now()%20-%202d%20and%20time%20%3C%3D%20now()%20GROUP%20BY%20time(2m)%20fill(previous)&epoch=ms" [Client 192.168.188.20] [Length 171] [Gzip 3.23] [Sent-to 192.168.178.233] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36" "https://gr.chrkac.com/d/ylJMgbXiz/iobroker?orgId=1"

After having had a deeper look I found one difference between the successful and the unsuccessful posts:
Successful posts contain "[Gzip -] "
Unsuccessful posts carry "[Gzip 3.23]", exactly as for the user creating this issue.

Is this a bug in nginx itself?

Bye
Christof

@christofkac

Hi,
I played around with the REST API and found out that the option "block common exploits" was the issue. I guess because the requests which were rejected contained the string "javascript".
Disabling this option made it work.
Hope that helps somebody else.
Bye
Christof
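
An added example, not part of the thread or of the project's code: a triage script for access-log lines in the format pasted above, covering both the Docker-gateway client address from the original report and the "javascript" substring suspected here. The column names (`cache`, `upstream_status`), the Docker address range and the `app.example.test` host are assumptions, and the sample lines are constructed, shortened versions of the ones in the thread.

```python
import ipaddress
import re
from urllib.parse import unquote

# Column names are assumptions read off the log lines in this thread.
LINE_RE = re.compile(
    r'\[(?P<time>[^\]]+)\] (?P<cache>\S+) (?P<upstream_status>\S+) '
    r'(?P<status>\d{3}) - (?P<method>\S+) (?P<scheme>\S+) (?P<host>\S+) '
    r'"(?P<uri>[^"]*)" \[Client (?P<client>[^\]]+)\] '
    r'\[Length (?P<length>\d+)\] \[Gzip (?P<gzip>[^\]]+)\]'
)
# Assumption: Docker's default bridge networks are allocated inside this range.
DOCKER_POOL = ipaddress.ip_network("172.16.0.0/12")

def triage(line, needle="javascript"):
    """Return (status, client, gzip, findings) for one log line, or None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    f = m.groupdict()
    findings = []
    # 403 with no upstream status: the proxy answered, the backend never did.
    if f["status"] == "403" and f["upstream_status"] == "-":
        findings.append("denied-by-proxy")
    # The access list compares against this address; a bridge gateway here
    # means the real client address was lost before nginx saw the request.
    if ipaddress.ip_address(f["client"]) in DOCKER_POOL:
        findings.append("client-is-docker-bridge")
    # Substring suspected in the thread of tripping "block common exploits".
    if needle in unquote(f["uri"]).lower():
        findings.append("uri-contains-" + needle)
    return f["status"], f["client"], f["gzip"], findings

# Constructed sample lines, shortened from the ones pasted in the thread.
SAMPLE = [
    '[07/Feb/2021:16:11:33 +0000] - - 403 - GET https app.example.test "/" '
    '[Client 172.18.0.1] [Length 182] [Gzip 3.23] [Sent-to 192.168.0.19] "UA" "-"',
    '[29/Dec/2021:13:35:40 +0100] - - 403 - GET https app.example.test '
    '"/api/query?q=SELECT%20mean(%22value%22)%20FROM%20%22javascript.0.X%22" '
    '[Client 192.168.188.20] [Length 171] [Gzip 3.23] [Sent-to 192.168.178.233] "UA" "-"',
    '[29/Dec/2021:13:35:46 +0100] - 200 200 - GET https app.example.test '
    '"/api/query?q=SELECT%20mean(%22value%22)%20FROM%20%22mqtt.0.X%22" '
    '[Client 192.168.188.20] [Length 4633] [Gzip -] [Sent-to 192.168.178.233] "UA" "-"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(triage(line))
```

Under the assumed column reading, a 403 with `-` in the upstream-status column was produced by the proxy itself, so the place to look is the access list or request filtering on the proxy host rather than the backend application.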

@chaptergy
Collaborator

The solution to the original issue is here: #1105 (comment)
