fix: Check access list before force SSL redirect #5208
Open
Kiryuumaru wants to merge 1 commit into NginxProxyManager:develop from
Fixes NginxProxyManager#5207 - Security issue where Force SSL leaks host existence

When both Force SSL and an Access List are active on a Proxy Host, HTTP requests from unauthorized IPs were receiving a 301 redirect instead of being blocked. This allowed attackers to enumerate valid hosts by brute-forcing the Host header.

Solution: Use nginx geo module to check IP access before the SSL redirect. Only allowed IPs get redirected to HTTPS; denied IPs fall through to the access phase and receive 403.

Changes:
- Add geo block template for IP-based access control
- Modify _forced_ssl.conf to check geo variable before redirecting
- Generate geo config files when access lists are created/updated
- Include geo configs at http level in nginx.conf
- Create access_geo directory on startup
Docker Image for build 2 is available on DockerHub:

Note: Ensure you backup your NPM instance before testing this image! Especially if there are database changes.

Warning: Changes and additions to DNS Providers require verification by at least 2 members of the community!
Kiryuumaru (author): PR is tested and ready for review 🚀
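The geo-gated redirect described above, as an added illustration rather than the PR's own template: the variable name `$npm_access_allowed`, the networks and the host name are assumed for the example.

```nginx
# Added example (not NPM's generated config). Names and networks are assumed.

# http-level geo map: matches $remote_addr against the access list's allowed
# networks. Clients not listed map to 0. If NPM sits behind another proxy,
# geo's "proxy" directive names the trusted addresses whose X-Forwarded-For
# should be evaluated instead.
geo $npm_access_allowed {
    default        0;
    10.0.0.0/8     1;
    192.168.1.0/24 1;
}

server {
    listen 80;
    server_name app.example.com;

    # Before the fix an unconditional "return 301" here ran in the rewrite
    # phase, ahead of nginx's access phase, so any client learned the host
    # exists. Now only clients the geo map allows are sent to HTTPS.
    if ($npm_access_allowed) {
        return 301 https://$host$request_uri;
    }

    # Denied clients fall through to the access phase and receive 403.
    allow 10.0.0.0/8;
    allow 192.168.1.0/24;
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:8080;
    }
}
```

After `nginx -t` passes, a plain HTTP request carrying the host name from an address outside the listed networks should now answer 403 rather than 301.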