nginx-proxy-manager: Setting access restriction results in 403 forbidden error

I am using Nginx Proxy Manager v2.2.3. This problem started occurring after the update to v2.2.3.

I have set up a username with password in the access list. When applying this to a proxy domain, the site becomes inaccessible with a 403 forbidden error. No login window is displayed.

Error.log 2020/04/22 13:01:10 [error] 8411#8411: *210879 access forbidden by rule, client: IP_REDACTED, server: omv.REDACTED.eu, request: "GET / HTTP/2.0", host: "omv.REDACTED.eu"

proxy_host-4.log [22/Apr/2020:13:01:10 +0000] - - 403 - GET https omv.REDACTED.eu "/" [Client IP_REDACTED] [Length 107] [Gzip 1.36] [Sent-to 192.168.178.100] "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:75.0) Gecko/20100101 Firefox/75.0" "-"

About this issue

  • State: open
  • Created 4 years ago
  • Reactions: 2
  • Comments: 44 (3 by maintainers)

Most upvoted comments

I had the same issue. It seems to be happening only when HTTP/2 Support is active on the proxy. After I disabled it, it asked me for login and it worked.

Hi guys! I played around a bit with NPM and the backing Nginx… And IMHO there are a number of issues that cause all the confusion.

  • NPM does not reload affected proxy host configurations when you change the access lists.
    • I did killall -HUP nginx in the Docker container to do that, but:
    • You can do that by opening and saving the proxy host configurations (individually) in the UI.
  • Confusion with the Satisfy Any switch and Authorization (which I suppose should be Authentication) and Access tabs:
    • When checking a client against the Authorization tab, they are allowed if the list is empty (because NPM skips the basic auth directives in Nginx whatsoever).
    • When checking a client against the Access tab, they are denied if the list is empty (because NPM forces you to have a deny all directive in Nginx).
    • If the Satisfy Any is disabled (i.e. satisfy all in Nginx), a client should be allowed by both the Authorization and Access tabs.
    • If the Satisfy Any is enabled (i.e. satisfy any in Nginx), a client should be allowed by any of the Authorization and Access tabs.

Bottom line, if you want basic authentication only without checking against the white list:

  1. Add users to the Authorization tab.
  2. Two options:
    1. Enable the Satisfy All switch and keep the Access tab empty.
    2. Disable the Satisfy All switch and add an allow all rule in the beginning of the Access tab.
  3. Re-save the affected proxy host(s).

Basic functionality working like ass makes me question the security of this whole project…

It did not gain 15k stars by ‘working like ass’. Show some respect. And I’m sorry, how much did you pay for this again? That’s right. Nothing. It’s free software. If you do not like it, move on.

Basic functionality working like ass makes me question the security of this whole project…

Hi guys, I got the same error today on the latest 2.9.14… I tried to set up LAN-only access, so I put in an access list with the local 192.168.0.0/24 network and a user. I got 403 Forbidden (openresty). I can confirm that:

  • HTTP/2 is disabled
  • Satisfy Any is unticked

I got it working with Satisfy Any ticked, but then it’s not IP restricted…

In the logs I got this: access forbidden by rule, client: <IP>, server: subdomain.mydomain.com request: “GET / HTTP/2.0”, host: “subdomain.mydomain.com”, referrer: “http://<ngnix_proxy_manager_IP>:81/”

No problem.

I think the major difference is that doing it this way the access control list works for the entire proxy host. When you use the NPM GUI I think it sets the access list only on location /, which means if you add custom locations under a proxy host that those aren’t secured by the access list. But this is just from what I observed by briefly looking at the proxy host config files that NPM generates when you select an access list. I’ll take another look later at things and do some more testing, I’m not a developer so not sure how much help this is for the NPM project but I can mess around with Nginx itself just fine 😃

Think I found a workaround. I just manually placed the allow/deny rules in the custom configuration for the proxy host and it seems to work as it should there. I now have my proxy host access control set to be publicly accessible but have the below custom config applied: image

I had the same issue. It seems to be happening only when HTTP/2 Support is active on the proxy. After I disabled it, it asked me for login and it worked.

In my case it was the other way around, after activating HTTP2 for the host it started to ask for auth.

Browser: Chrome Nginx: v2.10.4

I tried every possible combination of configurations in the last two hours. What reliably fixed it for me is this:

  1. Creating an “Allow 0.0.0.0/0” rule in the Access List Tab
  2. Deactivating “Satisfy Any” in ACL Tab
  3. Create a NEW Proxy Host.
  4. Deactivating HSTS, HSTS Subdomains and HTTP/2 in the Proxy Host Tab. Force SSL works for me when everything else is off.

And yes. It is crucial to first create the ACL and then create a NEW Proxy Host. Adding the ACL to an existing proxy host will result in 403 error, or in logging in having no effect and login window showing over and over again.

Note: When I misconfigured it I had to “clear the site data” in the browser for it to work again once it was configured right.

And just in case someone doesn’t know (as I did 2h ago). You can auto login if you use this URL scheme: https://username:password@example.com/ Hope this helps.

By design, a client will need to meet BOTH the authorization, and access rules defined on the access list unless you select the satisfy any option.

It sounds like you’re only setting a username/password and not modifying the authorization rules or setting satisfy any and the default deny all rule in the authorization is resulting in a 403 response.

It sounds like your use case requires setting the satisfy any option on the access list to tell Nginx to let a user in if they satisfy either the Authentication or Access rules.

I have just checked, the following is added to the /nginx/proxy_host/4.conf (starting at line 50):

  location / {

    # Authorization
    auth_basic            "Authorization required";
    auth_basic_user_file  /data/access/4;

    # Access Rules
    deny all;

    # Access checks must...
    satisfy all;

I haven’t yet figured out if this is an incorrect configuration, or in what way this could cause the 403 forbidden error. Any ideas?
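
Added example, not part of the thread and not NPM's or nginx's own code: a small Python model of how nginx combines allow/deny rules with auth_basic under satisfy all and satisfy any, applied to the generated location / block above and to the rule sets mentioned in the comments. The function names, the user alice, its password and the client address 203.0.113.7 are constructed for illustration.

```python
import ipaddress

def access_module(client_ip, rules):
    """allow/deny list: the first matching rule wins; no match means no opinion."""
    ip = ipaddress.ip_address(client_ip)
    for action, target in rules:
        if target == "all" or ip in ipaddress.ip_network(target):
            return "ok" if action == "allow" else "forbidden"
    return "declined"

def auth_basic_module(users, credentials):
    """Basic auth: no opinion without a user file, else credentials must match."""
    if not users:
        return "declined"
    # Plain comparison keeps the model short; nginx checks hashed htpasswd entries.
    if credentials is not None and users.get(credentials[0]) == credentials[1]:
        return "ok"
    return "unauthorized"

STATUS = {"forbidden": 403, "unauthorized": 401}

def access_phase(client_ip, rules, users, credentials, satisfy):
    """Combine both checks the way the satisfy directive does; return HTTP status."""
    results = [access_module(client_ip, rules), auth_basic_module(users, credentials)]
    results = [r for r in results if r != "declined"]
    if satisfy == "all":
        # Checks run in order (access rules first); the first failure is the answer.
        failed = [r for r in results if r != "ok"]
        return STATUS[failed[0]] if failed else 200
    # satisfy any: one success is enough; otherwise 401 is preferred over 403
    # so that the browser still shows the login prompt.
    if "ok" in results or not results:
        return 200
    return 401 if "unauthorized" in results else 403

# Constructed sample data (not from the thread).
USERS = {"alice": "s3cret"}
GOOD = ("alice", "s3cret")
ISSUE_RULES = [("deny", "all")]                      # as in proxy_host/4.conf
OPEN_RULES = [("allow", "0.0.0.0/0"), ("deny", "all")]
LAN_RULES = [("allow", "192.168.0.0/24"), ("deny", "all")]

if __name__ == "__main__":
    for name, rules in [("issue", ISSUE_RULES), ("open", OPEN_RULES), ("lan", LAN_RULES)]:
        for satisfy in ("all", "any"):
            for creds in (None, GOOD):
                code = access_phase("203.0.113.7", rules, USERS, creds, satisfy)
                print(f"{name:5} satisfy {satisfy}: creds={bool(creds)} -> {code}")
```

With deny all plus satisfy all, every request ends at 403 before basic auth is consulted, which is why no login window appears.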