Conversation

@Kiryuumaru

Fixes #5207 - Security issue where Force SSL leaks host existence

When both Force SSL and an Access List are active on a Proxy Host, HTTP requests from unauthorized IPs were receiving a 301 redirect instead of being blocked. This allowed attackers to enumerate valid hosts by brute-forcing the Host header.

Solution: Use nginx geo module to check IP access before the SSL redirect. Only allowed IPs get redirected to HTTPS; denied IPs fall through to the access phase and receive 403.

Changes:

  • Add geo block template for IP-based access control
  • Modify _forced_ssl.conf to check geo variable before redirecting
  • Generate geo config files when access lists are created/updated
  • Include geo configs at http level in nginx.conf
  • Create access_geo directory on startup
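The gating described above, written out as an nginx fragment. This is an added illustration, not the PR's diff: the geo variable name, server name, client addresses and upstream are assumptions, while the structure (geo at http level, check before the redirect, allow/deny in the access phase) follows the change list.

```nginx
# http level: one geo block per access list, generated into the
# access_geo directory and included from nginx.conf.
# $access_list_42, app.example.com and the addresses are assumed values.
geo $access_list_42 {
    default        0;   # everyone not listed: not allowed
    10.0.0.0/8     1;   # allowed client range
    203.0.113.7    1;   # allowed single client
}

server {
    listen 80;
    server_name app.example.com;

    # BEFORE (the bug): an unconditional redirect runs in the rewrite
    # phase, ahead of allow/deny in the access phase, so any client
    # receives a 301 and learns that this server_name is configured:
    #     return 301 https://$host$request_uri;

    # AFTER (what the PR describes): redirect only clients the access
    # list allows ...
    if ($access_list_42) {
        return 301 https://$host$request_uri;
    }

    # ... everyone else falls through to the access phase and gets 403.
    location / {
        allow 10.0.0.0/8;
        allow 203.0.113.7;
        deny  all;
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```

Validate a generated config with `nginx -t`; geo blocks are only valid at http level, which is why the PR includes them from nginx.conf rather than inside the server block.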

@Kiryuumaru force-pushed the fix/force-ssl-access-list-bypass branch 2 times, most recently from 050ee89 to 58b4057 on January 22, 2026 04:28
@Kiryuumaru force-pushed the fix/force-ssl-access-list-bypass branch from 58b4057 to 19086ce on January 22, 2026 04:46
@Kiryuumaru marked this pull request as ready for review on January 22, 2026 04:59
@nginxproxymanagerci

Docker Image for build 2 is available on DockerHub:

nginxproxymanager/nginx-proxy-manager-dev:pr-5208

Note

Ensure you backup your NPM instance before testing this image! Especially if there are database changes.
This is a different docker image namespace than the official image.

Warning

Changes and additions to DNS Providers require verification by at least 2 members of the community!

@Kiryuumaru
Author

PR is tested and ready for review 🚀


Development

Successfully merging this pull request may close these issues.

Force SSL redirect is applied before Access List, leaking host existence via 301 and aiding host enumeration
