UnifiedPush / common-proxies

Mirror of https://codeberg.org/UnifiedPush/common-proxies
MIT License

Is there any way to tell paranoidHttp to allow localhost? #20

Closed ilikenwf closed 2 years ago

ilikenwf commented 2 years ago

I'm not a go programmer, so pardon my ignorance - but I have everything running on my internal network - no outside IP addresses are used, and the rewriter here is the only thing that appears to work properly with my matrix install - pure proxying with nginx does not work right for me. All clients operate on the network directly or via VPN.

Looking at the docs for paranoidhttp, it does seem to exemplify on the main readme how to allow 127.0.0.1 - which is what I'd love to be able to do...

In my testing, other than having up-rewrite-linux-amd64 reject the IP, everything else is working.

Thank you!

karmanyaahm commented 2 years ago

This is a configuration option. See the docs for allowed gateway host

https://github.com/UnifiedPush/common-proxies/blob/main/docs/config.md

ilikenwf commented 2 years ago

This doesn't seem to work for me, as it appears that without using an explicit allow when creating the phttp client, it still is not allowed.

My Config:

listenAddr = "127.0.0.1:5000"
verbose = true

[gateway]
        AllowedHosts = ["127.0.0.1"]
        [gateway.matrix]
                enabled = true
[rewrite]
        [rewrite.fcm]
                enabled = false
                # key = ""
        [rewrite.gotify]
                enabled = true
                address = "push.internal.lan:8081"
                scheme = "http"

Example of allowing localhost in the paranoidhttp readme:

// import "github.com/hakobe/paranoidhttp"
// Add a permitted IP net with a functional option
ipNet, _ := net.ParseCIDR("127.0.0.1/32")
client, _, _ := paranoidhttp.New(
    paranoidhttp.PermittedIPNets(ipNet))

karmanyaahm commented 2 years ago

AllowedHosts = ["127.0.0.1"]

Is your Gotify (or other push provider?) reverse proxy listening on ports 80 and 443? Because, as https://github.com/UnifiedPush/common-proxies/blob/main/docs/config.md says:

The port only needs to be included if it's something other than 80 or 443, but if so, entries for both HTTP and HTTPS should be included.

Also,

Example of allowing localhost in the paranoidhttp readme:

common-proxies does the same thing, just differently, bypassing pHTTP altogether. https://github.com/UnifiedPush/common-proxies/blob/bc7e94a3604d74001f1070b8bf90f3e91af3d75b/handler.go#L68-L74

ilikenwf commented 2 years ago

Gotify is what I use, it listens internally on 8081 but is proxied on port 80 and 443 currently.

Your code is good for bypassing pHTTP, however I think that because you're already initializing pHTTP in init() that localhost is rejected, preventing it from executing anyway - I don't think that line 68 is ever reached as a result. It works for other ranges because they aren't included in the presets that pHTTP rejects.

karmanyaahm commented 2 years ago

What error log do you receive from common-proxies?

karmanyaahm commented 2 years ago

Also, are you using Gotify at http://localhost? Because that is distinct from http://127.0.0.1. I'm just thinking of possible issues, because it works on my machine.

ilikenwf commented 2 years ago

Gotify is listening on 127.0.0.1 as well as externally on 192.168.2.84 on the LAN it sits on - I was just using localhost here as an alias, apologies.

It may be matrix-synapse being troublesome; I forget how it is I reconfigured the push location a couple of days ago, however now it is coming from an internal 192.168.2.84 IP (which is local to the machine) and I've added it to allowed hosts, both with and without the port 81 part. I've tried previously with port 80 with similar results.

2021/11/17 17:25:44 Loading new config
2021/11/17 17:25:44 Server is ready to handle requests at 127.0.0.1:5000
2021/11/17 17:25:50 Post "http://push.internal.lan:81/UP?token=xxxxxxxxxxxx": bad ip is detected: 192.168.2.84
2021/11/17 17:25:50 POST /_matrix/push/v1/notify 127.0.0.1:59958 0 bytes read; 0 bytes written; Synapse/1.46.0 forward
ilikenwf commented 2 years ago

I recall - I have gotify listening through nginx on port 81, and haproxy on 80 - in both cases the above log results.

karmanyaahm commented 2 years ago

bad ip is detected: 192.168.2.84

You need to add push.internal.lan:81 (and the https version, if there is any) to the allowed hosts list, since that's the host that's being blocked.

ilikenwf commented 2 years ago

Ah - that got it!

I suppose hostname here matters more than an IP, then. Good to know and thank you!
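To make the exchange above concrete, here is an added Go example, written for this page and not taken from common-proxies or paranoidhttp, of the two paths a push URL can take: a host that appears verbatim in AllowedHosts (port included when it is not 80 or 443) bypasses the IP check entirely, while anything else is resolved and refused if it lands on loopback, RFC 1918, link-local or unspecified space, which is what the "bad ip is detected: 192.168.2.84" line in the log above means. The resolver is a stub returning constructed addresses so the program runs offline; the exact-string host comparison, the CIDR list, the error text and the function names are assumptions of this example, not the project's implementation.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
)

// Allowlist models a gateway AllowedHosts list: each entry is "host" or
// "host:port" and is compared verbatim against the host part of the push URL.
// Assumption of this example, not common-proxies code.
type Allowlist map[string]struct{}

func NewAllowlist(entries []string) Allowlist {
	a := make(Allowlist, len(entries))
	for _, e := range entries {
		a[e] = struct{}{}
	}
	return a
}

// Resolver lets the caller inject name resolution so the check runs offline.
type Resolver func(host string) ([]net.IP, error)

// forbiddenNets are the ranges an SSRF-conscious client refuses by default:
// loopback, RFC 1918 private space, link-local and the unspecified address.
var forbiddenNets = mustCIDRs(
	"127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
	"169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10", "::/128",
)

func mustCIDRs(cidrs ...string) []*net.IPNet {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			panic(err)
		}
		nets = append(nets, n)
	}
	return nets
}

// IsForbiddenIP reports whether ip falls inside one of forbiddenNets.
func IsForbiddenIP(ip net.IP) bool {
	for _, n := range forbiddenNets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// ErrBadIP mirrors the wording seen in the thread's log (constructed here).
var ErrBadIP = errors.New("bad ip is detected")

// CheckTarget decides how a push URL would be fetched:
//   - if the URL's host, exactly as written (port included), is in the
//     allowlist, it goes out unrestricted and the resolved IP is never checked;
//   - otherwise every resolved address must lie outside forbiddenNets.
// It returns true when the URL bypasses the IP check.
func CheckTarget(allowed Allowlist, rawURL string, resolve Resolver) (bool, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return false, err
	}
	if _, ok := allowed[u.Host]; ok {
		return true, nil
	}
	ips, err := resolve(u.Hostname())
	if err != nil {
		return false, err
	}
	for _, ip := range ips {
		if IsForbiddenIP(ip) {
			return false, fmt.Errorf("%w: %s", ErrBadIP, ip)
		}
	}
	return false, nil
}

// fakeResolve stands in for DNS with the addresses from the thread (constructed).
func fakeResolve(host string) ([]net.IP, error) {
	switch host {
	case "push.internal.lan":
		return []net.IP{net.ParseIP("192.168.2.84")}, nil
	case "127.0.0.1":
		return []net.IP{net.ParseIP("127.0.0.1")}, nil
	}
	return nil, fmt.Errorf("no such host: %s", host)
}

func main() {
	target := "http://push.internal.lan:81/UP?token=xxxxxxxxxxxx"
	// First config is the one from the thread that failed; second is the fix.
	for _, cfg := range [][]string{{"127.0.0.1"}, {"push.internal.lan:81", "push.internal.lan"}} {
		direct, err := CheckTarget(NewAllowlist(cfg), target, fakeResolve)
		fmt.Printf("AllowedHosts=%v bypassIPCheck=%v err=%v\n", cfg, direct, err)
	}
}
```

Run it with `go run .`: the first configuration reproduces the refusal of 192.168.2.84, the second sends the request straight through because the allowlist is keyed on the host string in the URL, not on what that name resolves to. That is also why an entry of "127.0.0.1" does nothing for a URL that reads http://127.0.0.1:8081/…: the ":8081" makes it a different host string.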