Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

REST interface returning 403 with "Host not permitted" #3340

Open
nc-williambr opened this issue Dec 9, 2024 · 15 comments
Open

REST interface returning 403 with "Host not permitted" #3340

nc-williambr opened this issue Dec 9, 2024 · 15 comments
Assignees

Comments

@nc-williambr
Copy link

Building from scratch using Alpine Linux 3.21 as a base. When attempting to access the web UI, I get a 403 error and the text "Host not permitted". The web UI does not appear to log anything. Any help in debugging this?

@nc-williambr
Copy link
Author

nc-williambr commented Dec 9, 2024

FWIW, my Dockerfile follows

FROM alpine:3.21

ENV OXIDIZED_HOME=/etc/oxidized
ENV PATH="/usr/local/bin:${PATH}"
ENV GEMSPATH=/usr/lib/ruby/gems/3.3.0
ENV OXIDIZED_VERSION=0.31.0

RUN set -eux; \
  apk --update add --no-cache \
    ruby \
        ruby-rugged \
        ruby-dev \
        g++ \
        cmake \
        make \
        openssl-dev \
        libssh2 \
        icu-dev \
        icu-libs \
        zlib-dev \
        msmtp \
        bash \
        git \
      linux-headers \
  ; \
  apk upgrade; \
  gem install -V --no-document --no-wrappers --conservative --minimal-deps \
    oxidized \
    oxidized-web \
  ; \
  apk del \
    ruby-dev \
        g++ \
        cmake \
        make \
        openssl-dev \
        icu-dev \
        zlib-dev \
      linux-headers \
  ; \
  mkdir $OXIDIZED_HOME; \
  ln -s $GEMSPATH/gems/oxidized-$OXIDIZED_VERSION/extra/oxidized-report-git-commits /usr/bin/oxidized-report-git-commits; \
  find $GEMSPATH/cache -mindepth 1 -delete

# Default oxidized-web port
EXPOSE 8888

CMD ["oxidized"]

# https://github.com/opencontainers/image-spec/blob/master/annotations.md
LABEL org.opencontainers.image.authors="Will Brickles" \
      org.opencontainers.image.title="oxidized" \
      org.opencontainers.image.description="software to backup network switch configurations" \
      org.opencontainers.image.version="${OXIDIZED_VERSION}"

@pierre-guillot
Copy link

Hi,

I have the same problem with my debian install.
Just update my Oxidized setup who works with a lighttpd.

Interesting thing, I can connect to the interface directely from the server with this command : "lynx 127.0.0.1:8888".

Can change the listen port of puma by modify this file : /var/lib/gems/3.1.0/gems/oxidized-0.31.0/lib/oxidized/config.rb

@ydeKKgroup
Copy link

Hi,

Same comportement. I can access directly to the IP:Port of the server, but when i use reverse proxy front of service i get a 403 from puma web server .

It's seem to be related as the usage of reverse proxy , may missing some headers ?

any help would be great .

@justorsil
Copy link

Hi,
Same issue with a fresh install on debian 12.
I can access directly to the IP:Port but access don't work with the fqdn resolution, "Host not permitted".

  • oxidized (0.31.0, 0.26.3)
  • oxidized-script (0.6.0)
  • oxidized-web (0.14.0)
  • puma (6.4.3)

Thanks a lot

@robertcheramy
Copy link
Collaborator

Please post the rest_api part of your config file.
It should be rest: 0.0.0.0:8888.

@nc-williambr
Copy link
Author

nc-williambr commented Dec 18, 2024

Confirmed

rest: 0.0.0.0:8888

As others have mentioned, I am also using a reverse proxy (nginx) in front of my install to add TLS support and authentication.

Based on the other comments, it appears to be some issue when forwarding from any reverse proxy, as I see people mentioning lighttpd, puma, and nginx.

@robertcheramy
Copy link
Collaborator

I've just tested nginx (debian bookworm) + official oxidized container (running with podman) + basic authentication (Oxidized-web v.0.14.0, Oxidized v.0.31.0), and it works fine.

I suppose that you have a configuration problem on your proxy.

My nginx code:

    location /node/ {
        auth_basic "Restricted Area";
        auth_basic_user_file .htpasswd;
        proxy_pass http://127.0.0.1:8888;
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

@chris240189
Copy link

Building from scratch using Alpine Linux 3.21 as a base. When attempting to access the web UI, I get a 403 error and the text "Host not permitted". The web UI does not appear to log anything. Any help in debugging this?

I did an upgrade of ubuntu from a working 22.04 to 24.04 with the exact same issue. You are not alone in this.

@xpiety
Copy link

xpiety commented Dec 20, 2024

Same here, upgrade to ubuntu 24.04 and now "Host not permitted".

@scarygary
Copy link

For anyone else trying to get oxidized running on Ubuntu 24.04 through a reverse proxy. Here's my workaround.

Edit the file /var/lib/gems/3.2.0/gems/oxidized-web-0.14.0/lib/oxidized/web/webapp.rb and add the line
set :host_authorization, { permitted_hosts: [] }
right below the existing line that says
set :haml, { escape_html: false }

Save the file and restart oxidized and you should be good to go.

@pierre-guillot
Copy link

Confirm that works on Debian: I edited the file /var/lib/gems/3.1.0/gems/oxidized-web-0.14.0/lib/oxidized/web/webapp.rb like this :

Oxidized-3340

Thank for the solution 👍

@nc-williambr
Copy link
Author

Adding:

set :host_authorization, { permitted_hosts: [] }

worked for me as well. Thanks @scarygary! Any idea what triggered this?

@scarygary
Copy link

Adding:

set :host_authorization, { permitted_hosts: [] }

worked for me as well. Thanks @scarygary! Any idea what triggered this?

Not exactly sure, since I'm not a coder. The web application/api in Oxidized is built using Sinatra and that in turn is using Rack::Protection to protect against typical web attacks. Somewhere along the way I guess an update started requiring a list of allowed hosts. The line I added allows all hosts to connect and since I'm using a reverse proxy to add tls and authentication I really don't see this as a security issue. Besides, the interface is only available locally anyway.

You can find info on Sinatra as well as Rack::Protection at https://github.com/sinatra/

@nc-williambr
Copy link
Author

I added an issue in ytti/oxidized-web to hopefully get this added there.

@robertcheramy
Copy link
Collaborator

I am still not been able to reproduce :-(

Can someone test starting oxidized with APP_ENV=production oxidized (or set the env variable APP_ENV=production)? This should solve the problem.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

8 participants