Voyz / ibeam

IBeam is an authentication and maintenance tool used for the Interactive Brokers Client Portal Web API Gateway.
Apache License 2.0

localhost access denied when custom conf.yaml is mounted in docker #15

Closed gmara13 closed 3 years ago

gmara13 commented 3 years ago

ibeam has been working fine with default set up. have been testing requests on the server that ibeam is running on by hitting localhost:5000 url just fine. mounted a volume with conf.yaml that allows ip access from my local machine and access is confirmed but now localhost:5000 access is denied when running requests from the server ibeam is on. nothing changed on conf.yaml from default except for adding one ip under allowed ips. tried changing url to 127.0.0.1, 0.0.0.0, etc nothing works, keep getting 404 response.

Voyz commented 3 years ago

Hey @gmara13 welcome to IBeam! 😊

Sorry to hear the conf.yaml is causing you some issues. Could I ask you to share the contents of your conf.yaml file here - make sure you hide the cacert password if you do - so we could understand what may be causing that issue?

Also, are you running IBeam as a standalone or as a Docker image?

gmara13 commented 3 years ago

    ip2loc: "US"
    proxyRemoteSsl: true
    proxyRemoteHost: "https://api.ibkr.com"
    listenPort: 5000
    listenSsl: true
    svcEnvironment: "v1"
    sslCert: "vertx.jks"
    sslPwd: "mywebapi"
    authDelay: 3000
    portalBaseURL: ""
    serverOptions:
        blockedThreadCheckInterval: 1000000
        eventLoopPoolSize: 20
        workerPoolSize: 20
        maxWorkerExecuteTime: 100
        internalBlockingPoolSize: 20
    cors:
        origin.allowed: "*"
        allowCredentials: false
    webApps:
        - name: "demo"
          index: "index.html"
    ips:
      allow:
        - 192.*
        - 131.216.*
        - 127.0.0.1
        - xxx.xxx.xxx
      deny:
        - 212.90.324.10

it's the same default file with the only addition of the ip allowed. conf works to allow that specified ip so settings are being passed. Edit: using the docker image

Voyz commented 3 years ago

Great, thanks for providing the conf file! I think I can see where the issue is. The original ips/allow looks like this:

    ips:
      allow:
        - 192.*
        - 131.216.*
        - 127.0.0.1

While yours contains that xxx.xxx.xxx addition, and a change from 192.* to 192.. I would guess this is why your localhost no longer is allowed. Try adding that asterisk * back behind 192. and see if this helps.

Alternatively, I'd also try to verify that this xxx.xxx.xxx is a valid field there. From what I can see the asterisks are used as wildcards, as opposed to x's - possibly this is corrupting the setup?

gmara13 commented 3 years ago

ah sorry mate. this was a typo from when i copied the text into github and tried to format it. the '*' is actually present in '192.*' and the 'xxx' are just placeholders to cover my ip. the below is what is present in the conf

    ips:
      allow:
        - 192.*
        - 131.216.*
        - 127.0.0.1
        - 216.032.123.34

Voyz commented 3 years ago

Right, thanks for clarifying that 👍

Could you then share the code or command you use to communicate with the gateway (make sure to remove any credentials)? A 404 error sounds more like an incorrect endpoint. Also please share the full output of the command.

gmara13 commented 3 years ago

so once the gateway is up I'm just using simple requests in python: here is working from my PC accessing server: https://gyazo.com/b5310581b6feaf91c5df4e1042a8595a

here is NOT working from server: https://gyazo.com/26c6edb59b6e2b6504437173fe8a7bb5

if i take off the mounted conf.yaml though the localhost url works

Voyz commented 3 years ago

Thanks for all that info 👍

Can I ask you to add this IP: 0.0.0.0 to config.yaml ips/allow and try again?

I think I might have been incorrect in that IBeam uses the default config.yaml.

gmara13 commented 3 years ago

0.0.0.0 was added to allowed but still getting 404 response

Voyz commented 3 years ago

Can you try this as the conf.yaml:

    ip2loc: "US"
    proxyRemoteSsl: true
    proxyRemoteHost: "https://api.ibkr.com"
    listenPort: 5000
    listenSsl: true
    svcEnvironment: "v1"
    sslCert: "vertx.jks"
    sslPwd: "mywebapi"
    authDelay: 3000
    portalBaseURL: ""
    serverOptions:
      blockedThreadCheckInterval: 1000000
      eventLoopPoolSize: 20
      workerPoolSize: 20
      maxWorkerExecuteTime: 100
      internalBlockingPoolSize: 20
    cors:
      origin.allowed: "*"
      allowCredentials: false
    webApps:
      - name: "demo"
        index: "index.html"
    ips:
      allow:
        - 192.*
        - 131.216.*
        - 127.0.0.1
        - 0.0.0.0
        - 172.17.0.0
        - 172.17.0.1
        - 172.17.0.2
        - 172.17.0.3
      deny:
        - 212.90.324.10

And try again?

gmara13 commented 3 years ago

Solved! the addition of 172.17.0.0 solved the connection issue

Voyz commented 3 years ago

I'm glad that it helped! 😄

Although at the same time I'm puzzled as to why this would have fixed it. This is a docker-internal IP. I'm going to look into this when I find some time.

Voyz commented 3 years ago

Right, I can't figure out why exactly but indeed that 172.17.0.0 is necessary to connect from outside of the docker network. I remember having dug into it back in October when I was developing IBeam pre-alpha and must have put it there on purpose. I'm going to update the docs to clarify this. Thanks for highlighting the issue @gmara13 👍👏

Voyz commented 3 years ago

Updated Wiki documentation to clarify what the default conf.yaml file contains and why 172.17.0.* is there by default.

https://github.com/Voyz/ibeam/wiki/Gateway-Configuration
https://github.com/Voyz/ibeam/wiki/Troubleshooting#access-denied

Marking this issue as closed 👍
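
A check for the `ips` section discussed in this thread, to run on a custom conf.yaml before mounting it. This is an added example, not part of the issue and not IBeam or gateway code. It flags malformed allow/deny entries and lists source addresses that no allow entry covers. The function names, the minimal reader and the matching rule (a trailing `*` is a prefix wildcard, anything else must match exactly) are assumptions; the gateway's real matching logic is not shown on this page.

```python
# Added example. CONF is constructed from the entries quoted in the thread.
CONF = """\
listenPort: 5000
ips:
  allow:
    - 192.*
    - 131.216.*
    - 127.0.0.1
    - xxx.xxx.xxx
  deny:
    - 212.90.324.10
"""

def read_ip_lists(text):
    """Pull ips/allow and ips/deny out of the file (minimal reader, not a YAML parser)."""
    lists, section, in_ips = {"allow": [], "deny": []}, None, False
    for line in text.splitlines():
        item = line.strip()
        if not item or item.startswith("#"):
            continue
        if not line[0].isspace():            # a top-level key opens or closes the ips block
            in_ips, section = item == "ips:", None
        elif in_ips and item in ("allow:", "deny:"):
            section = item[:-1]
        elif in_ips and section and item.startswith("- "):
            lists[section].append(item[2:].strip().strip("\"'"))
    return lists

def lint_entry(entry):
    """Return the problems found in one entry; an empty list means it is well formed."""
    octets = entry.split(".")
    wildcard = octets[-1] == "*"
    if wildcard:
        octets = octets[:-1]
    problems = []
    if (wildcard and not 1 <= len(octets) <= 3) or (not wildcard and len(octets) != 4):
        problems.append("wrong number of octets")
    for octet in octets:
        if not octet.isdigit():
            problems.append(f"non-numeric octet {octet!r}")
        elif int(octet) > 255:
            problems.append(f"octet {octet} out of range")
    return problems

def uncovered(allow, sources):
    """Sources matched by no allow entry. ASSUMPTION: a trailing * is a prefix wildcard."""
    def hit(pattern, ip):
        return ip.startswith(pattern[:-1]) if pattern.endswith("*") else ip == pattern
    return [ip for ip in sources if not any(hit(p, ip) for p in allow)]
```

Calling `uncovered(read_ip_lists(CONF)["allow"], ["127.0.0.1", "172.17.0.1"])` checks the loopback address and one of the Docker addresses from the config posted in the thread; only the latter is reported as uncovered for this sample.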