How can you easily lock down proxy hosts in Nginx Proxy Manager with Access List protection? I recently deployed many services in Docker containers that I've exposed via Nginx Proxy Manager. But some of these services should not be accessible to everyone. Or you run applications that have no user authentication of their own, and you don't want everyone to be able to reach them. With a simple Access List in Nginx Proxy Manager, you can define a custom policy based on credentials or IP addresses. Let's have a look at how that works.
An Access List, also referred to as an "ACL" in IT, is a predefined list of access rules. This is very useful for any administrative application such as Portainer, Bitwarden, or the Nginx Proxy Manager web interface itself. It's also useful for locking down access to applications that have known weaknesses of their own. In Nginx Proxy Manager you create an Access List once and can then attach it to any number of proxy hosts.
Note: currently in Nginx Proxy Manager, if you change anything in an Access List that is already attached to a proxy host, you need to save the proxy host object again before the change takes effect! This took me quite a while to figure out and probably is something that should be improved in a future version of Nginx Proxy Manager.
Access based on User
In the "Authorization" tab you can enter usernames and passwords to authenticate users to your application or service. This is very easy and self-explanatory. Unfortunately, it's limited to 5 users max. One useful feature is that you can also forward this authentication to the real server with the "Pass Auth to Host" flag: the client's HTTP Basic Auth Authorization header is then passed through to the upstream, so an application that understands Basic Auth itself sees the same credentials. Keep in mind that Basic Auth only base64-encodes the username and password, so this protection is only meaningful on a proxy host that is served over HTTPS.
Access based on IP Address
You can also define up to 4 rules based on IP addresses. For each rule you select whether the address should be allowed or denied. The rules are applied in the order they are defined: the first rule that matches the client's address decides, and all rules below it are ignored, so a narrow allow placed after a broad deny of the same range never takes effect. It's important to mention that you can enter not just a single IP address but also networks in CIDR notation. In this example, I've allowed the network 192.168.0.0/24, which means every client with an address from 192.168.0.1 to 192.168.0.254 (the usable hosts of that /24) is allowed to connect via this Access List. Address ranges are matched by network mask, so a /24 technically covers 192.168.0.0 to 192.168.0.255.
Combination and ruleset
How does it work when you combine authorization via credentials with an Access List based on IP addresses? If you enable the "Satisfy Any" checkbox in the main tab (nginx's `satisfy any`), either valid credentials or a matching allowed IP address is enough to get access; the client does not need both. If you disable it (`satisfy all`), the client must both come from an allowed address and present valid credentials. "Satisfy Any" is useful when clients from trusted addresses, such as your LAN, should reach an application without typing a password, while everyone else must authenticate. "Satisfy All" is the stricter choice for administrative tools that should only ever be reachable from known addresses and only with a password.
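To make the three mechanisms concrete, here is a small evaluator that mirrors the nginx semantics behind the user rules, the ordered IP rules, and the "Satisfy Any" checkbox: first-match-wins allow/deny, HTTP Basic Auth checking, and `satisfy any` versus `satisfy all`. It is an added illustration and not code from Nginx Proxy Manager or nginx. The directive snippet is constructed in the shape of nginx access directives (the trailing `deny all` is an assumption about what a default-deny list should end with, not a claim about what NPM emits), the user-file path is hypothetical, and the user table and client requests are constructed for this example.

```python
"""Toy evaluator for the access control an Nginx Proxy Manager Access List
turns into nginx directives: ordered allow/deny rules (first match wins),
HTTP Basic Auth users, and `satisfy any` vs `satisfy all`.

Added illustration, not NPM or nginx code.  The directive snippet, the user
table and the requests below are constructed for this example.
"""
import base64
import hmac
import ipaddress
import re

# Constructed snippet in the shape of nginx access directives.  The user file
# path is hypothetical; a real access list points at a generated htpasswd file.
ACL_SNIPPET = """
satisfy any;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
allow 192.168.0.0/24;
deny 10.0.0.0/8;
allow 10.0.5.7;
deny all;
"""

# Constructed user table standing in for the htpasswd file.  Plain text only
# so the example runs stand-alone; real deployments store password hashes.
USERS = {"admin": "correct horse battery staple"}


def parse_acl(snippet):
    """Return (satisfy, [(action, network), ...]) from the directive snippet.

    `allow all` / `deny all` become 0.0.0.0/0 and ::/0 so the same
    first-match loop handles them.  Other directives are ignored here.
    """
    satisfy = "all"  # nginx's default when no satisfy directive is present
    rules = []
    for line in snippet.strip().splitlines():
        m = re.match(r"\s*(\w+)\s+(.*?)\s*;\s*$", line)
        if not m:
            continue
        directive, arg = m.group(1), m.group(2)
        if directive == "satisfy":
            satisfy = arg
        elif directive in ("allow", "deny"):
            if arg == "all":
                rules.append((directive, ipaddress.ip_network("0.0.0.0/0")))
                rules.append((directive, ipaddress.ip_network("::/0")))
            else:
                # strict=False lets "192.168.0.1/24" mean its /24 network
                rules.append((directive, ipaddress.ip_network(arg, strict=False)))
    return satisfy, rules


def ip_allowed(rules, client_ip):
    """nginx semantics: rules are checked in order and the first matching
    rule decides; if no rule matches at all, nginx allows the request."""
    addr = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if addr.version == net.version and addr in net:
            return action == "allow"
    return True


def basic_auth_ok(authorization_header, users):
    """Check an `Authorization: Basic <base64(user:pass)>` header against the
    user table, comparing the password in constant time."""
    if not authorization_header:
        return False
    scheme, _, token = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return False
    try:
        user, _, password = base64.b64decode(token).decode("utf-8").partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = users.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def check_request(acl_snippet, users, client_ip, authorization_header=None):
    """Combine the IP decision and the credential decision the way nginx's
    `satisfy` directive does: `any` needs one of them, `all` needs both."""
    satisfy, rules = parse_acl(acl_snippet)
    by_ip = ip_allowed(rules, client_ip)
    by_user = basic_auth_ok(authorization_header, users)
    if satisfy == "any":
        return by_ip or by_user
    return by_ip and by_user


def basic_header(user, password):
    """Build the header a browser sends after the Basic Auth prompt."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


if __name__ == "__main__":
    creds = basic_header("admin", USERS["admin"])
    # LAN client without credentials: satisfy any lets it in on IP alone
    print(check_request(ACL_SNIPPET, USERS, "192.168.0.42"))          # True
    # 10.0.5.7 is shadowed by the earlier `deny 10.0.0.0/8`: first match wins
    print(check_request(ACL_SNIPPET, USERS, "10.0.5.7"))              # False
    # ... but valid credentials rescue it under satisfy any
    print(check_request(ACL_SNIPPET, USERS, "10.0.5.7", creds))       # True
    # with satisfy all the same request needs both, so the denied IP loses
    strict = ACL_SNIPPET.replace("satisfy any", "satisfy all")
    print(check_request(strict, USERS, "10.0.5.7", creds))            # False
```

The shadowed `allow 10.0.5.7` is the ordering mistake the rule list above warns about: because the `deny 10.0.0.0/8` sits earlier, the allow line is dead. The final `deny all` is what turns a list of allows into a default-deny policy; without a final deny, `ip_allowed` (like nginx) lets every unmatched address through, which is why a list containing only allow rules should always be checked from an outside address.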