@Kiryuumaru Kiryuumaru commented Jan 23, 2026

Summary

This PR implements IP-based access control for Stream Hosts, addressing feature request #5125.

Changes

Backend

  • Database Migration: Added access_list_id column to the stream table
  • Models: Added access_list relation to Stream model and streams relation to AccessList model
  • Internal Logic:
    • Updated stream CRUD operations to handle access_list expansion
    • Updated access-list internal to regenerate stream configs when access lists are modified or deleted
  • API Schemas: Added access_list_id to stream POST/PUT endpoints
  • Nginx Templates:
    • Created _access_stream.conf template for IP-based allow/deny rules
    • Updated stream.conf to include the access template for both TCP and UDP blocks

Frontend

  • Added StreamExpansion type for API calls
  • Added accessListId and accessList to Stream interface
  • Added Access tab to Stream modal with AccessField component
  • Added Access List column to Streams table

Implementation Notes

  • Only IP-based rules are applied - The nginx stream module does not support HTTP basic authentication or the satisfy directive, so only allow/deny rules from the Access List clients are used
  • When an Access List is assigned to a stream, the generated nginx config includes:
    • allow directives for each client IP/CIDR in the access list
    • A final deny all; directive
  • When an Access List is deleted or modified, all associated stream configs are automatically regenerated

Example Generated Config

server {
  listen 55555;
  listen [::]:55555;

  # Stream Access Control (IP-based only)
  # Note: nginx stream module does not support basic auth or satisfy directives
  # Access Rules: 1 total
  allow 100.64.0.0/10;
  deny all;

  proxy_pass 192.168.1.100:5555;
  ...
}


@Kiryuumaru Kiryuumaru marked this pull request as ready for review January 23, 2026 15:21
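
The rule generation described in the PR's Implementation Notes, sketched as an added example that is not code from this PR or from Nginx Proxy Manager: it renders the allow/deny lines plus the final `deny all;` and then evaluates them in nginx's first-match order. The `{ address, directive }` client shape and all function names are assumptions, and only IPv4 is handled.

```javascript
// Added example, not Nginx Proxy Manager code. The { address, directive }
// client shape is an assumption; IPv4 only to keep the sketch short.

// Parse "a.b.c.d" or "a.b.c.d/n" into { base, mask }; null if malformed.
function parseV4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})(?:\/(\d{1,2}))?$/.exec(text);
  if (!m) return null;
  const octets = m.slice(1, 5).map(Number);
  const bits = m[5] === undefined ? 32 : Number(m[5]);
  if (octets.some((o) => o > 255) || bits > 32) return null;
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  const ip = octets.reduce((acc, o) => ((acc << 8) | o) >>> 0, 0);
  return { base: (ip & mask) >>> 0, mask };
}

// Build the directive lines for one stream. Rejecting anything that is not a
// plain address or CIDR keeps stray ";" or newlines out of the nginx config.
function renderStreamAccess(clients) {
  const lines = clients.map(({ address, directive }) => {
    if (directive !== 'allow' && directive !== 'deny') throw new Error(`bad directive: ${directive}`);
    if (address !== 'all' && !parseV4(address)) throw new Error(`bad address: ${address}`);
    return `${directive} ${address};`;
  });
  lines.push('deny all;'); // the final rule the PR describes
  return lines;
}

// Evaluate the rules the way nginx does: in order, first match decides.
function isAllowed(lines, clientIp) {
  const client = parseV4(clientIp);
  if (!client || clientIp.includes('/')) throw new Error(`bad client IP: ${clientIp}`);
  for (const line of lines) {
    const [directive, target] = line.replace(/;$/, '').split(' ');
    const rule = target === 'all' ? { base: 0, mask: 0 } : parseV4(target);
    if (rule && ((client.base & rule.mask) >>> 0) === rule.base) return directive === 'allow';
  }
  return true; // no rule matched: nginx does not block the connection
}

// Constructed sample input mirroring the config in the PR description.
const sample = renderStreamAccess([{ address: '100.64.0.0/10', directive: 'allow' }]);
console.log(sample.join('\n'));
console.log(isAllowed(sample, '100.100.1.2'), isAllowed(sample, '192.168.1.100')); // true false
```

In this sketch an access list with no clients renders only `deny all;`, which blocks every connection to the stream. Without the final `deny all;` the allow lines restrict nothing, because an address that matches no rule is let through.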
@Kiryuumaru Kiryuumaru force-pushed the feature/stream-access-list branch 2 times, most recently from 5743db3 to a91fab1 Compare January 23, 2026 16:26
Implements GitHub issue NginxProxyManager#5125 - Adds allow/deny IP-based access control
for Stream Hosts using existing Access Lists infrastructure.

Changes:
- Add access_list_id column to stream table (migration)
- Add access_list relation to Stream model
- Add streams relation to AccessList model
- Update stream internal logic to handle access_list expansion
- Update access-list internal to regenerate stream configs on changes
- Add access_list_id to stream API schemas
- Create _access_stream.conf template for IP-only rules
- Update stream.conf to include access template
- Add Access tab to StreamModal in frontend
- Add Access List column to Streams table
- Add StreamExpansion type and update API hooks

Note: Only IP-based allow/deny rules apply to streams.
Basic authentication is not supported by nginx stream module.
@Kiryuumaru Kiryuumaru force-pushed the feature/stream-access-list branch from a91fab1 to 933ee2b Compare January 23, 2026 17:33
@nginxproxymanagerci

Docker Image for build 5 is available on DockerHub:

nginxproxymanager/nginx-proxy-manager-dev:pr-5211

Note

Ensure you back up your NPM instance before testing this image! Especially if there are database changes.
This is a different docker image namespace than the official image.

Warning

Changes and additions to DNS Providers require verification by at least 2 members of the community!

@Kiryuumaru
Author

This PR is tested and ready for review 🚀
