403 Forbidden pulling coreapp/web images from non EU/US IP ranges

[bearnard]

Unable to pull images from outside EU/US

root@bearn:~# docker pull docker.whatsapp.biz/coreapp:v2.27.9
v2.27.9: Pulling from coreapp
fe703b657a32: Pulling fs layer
f9df1fafd224: Pulling fs layer
a645a4b887f9: Pulling fs layer
57db7fe0b522: Waiting
6b2eb8ccc98d: Waiting
9cf68babd01f: Waiting
4dc1ba623584: Waiting
90a8d2ecb28d: Waiting
a7eb49866f8b: Waiting
783ab5575e2d: Waiting
976147b0c3f6: Waiting
e053676657f8: Waiting
01c8f62993f7: Waiting
error pulling image configuration: error parsing HTTP 403 response body: invalid character 'F' looking for beginning of value: "Forbidden!"

[alanhhwong]

Hi @bearnard , we've seen similar issues in the past when running on Windows machines - is that what you are on?

[bearnard]

@alanhhwong Linux/Mac only.

[bearnard]

@alanhhwong Just to elaborate, our own vms on bare metal running Debian, Ubuntu and even Azure hosted Kubernetes nodes in South Africa, so it's definitely some ACL at the registry (bintray?)

[bearnard]

From South Africa:

curl -qs -o /dev/null -w '%{http_code}' https://whatsapp.bintray.com/dkr-releases/
403

From EU:

curl -qs -o /dev/null -w '%{http_code}' https://whatsapp.bintray.com/dkr-releases/
200

[alanhhwong]

@bearnard thanks for the details. From the two curl calls, any chance South Africa is behind some proxy? Do they both have similar network config? We've listed hostnames that you need to whitelist in case it's needed here: https://developers.facebook.com/docs/whatsapp/network-debugging

[bearnard]

@alanhhwong no proxies, This very much seems like a bintray misconfiguration on the repo, they specifically have IP and GEO restriction settings as far as I can tell, looking at docs.

[bearnard]

perhaps someone who manages the repo can look into these settings? https://jfrog.com/article/ip-and-geo-restriction/

[alanhhwong]

I'm having the team double check :) We do have businesses using this in South Africa so I'm fairly certain we're clear here.

Also to note, we have seen similar issue (which you also commented on), and it had something to do with hypervisor. Have you tried pulling the images from a physical machine (non-VM)?

[bearnard]

@alanhhwong yes, bare-metal has the same issue. I get a 403 from my home Fibre, Azure South Africa and Hetzner South Africa

[romeomcc]

@bearnard @alanhhwong did you guys manage to sort this out, I am having the same issue, bare metal Linux, Windows even went to docker.whatsapp.biz and it takes me to Bintray.com... also searched for whatsapp and found https://bintray.com/whatsapp but cannot pull down any content... forbidden.. any help will be appraciated.

[bearnard]

@romeomcc No luck, waiting on @alanhhwong who was in the process of escalating to the repo admins.

[alanhhwong]

@romeomcc @bearnard still investigating on this. we did check on the geo restrictions and South Africa is definitely on the whitelist.

@romeomcc where are you trying this from if I may ask?

[romeomcc]

@alanhhwong I am trying from South Africa, Afrihost is my ISP. I am not sure what type of account you guys have setup but it also give the forbidden error when you have run out of credit (Just a thought) do you have a location I can try from and I will create a VM in that location on azure ?

[alanhhwong]

Interesting, thanks. We'll continue to investigate.

You can try Singapore to see if that works.

[romeomcc]

@alanhhwong I used a vpn and installed from the USA. working now thanks. on the off chance do you know who can assist in creating the line

[bearnard]

Just an update, I can pull from the new AWS af-south-1 region just fine, so perhaps the bintray whitelist for South Africa needs a bit of an update of the ranges?

[bearnard]

If push comes to shove I guess we could duplicate the images in a private repo or something, but it would be nicer to not have to do that sort of thing.

[mengyiyuan]

@bearnard the team also successfully pulled the image in AWS SA region, so we were still struggling to repro the issue. Will keep you posted.

[mengyiyuan]

Just an update, I can pull from the new AWS af-south-1 region just fine, so perhaps the bintray whitelist for South Africa needs a bit of an update of the ranges?

@bearnard The team has checked country blacklist and IP blacklist before, and confirmed that SA is not on the blacklist. Since you can get it working with AWS SA region, and we are really struggling to repro the error, I will close the issue for now. Feel free to reopen if you have a different opinion. Thanks!

[uguracikgoz]

Hello. Is TR on blacklist now ? We can not even pull any image from any repo of 3.

[uguracikgoz]

@mengyiyuan can you please share info about TR status. Its not possible to get images from container repo. I have tried 3 different with latest versions publish one wabizapi changelog. How it d be solved any clue ?

[slaiddominio]

Hello everyone, we are starting the project with Whatsapp de Negocios.

We are not able to download doker compose, it informs that it was migrated to jfrog.

Could someone help me with this?

[nathanaelsousa]

Guys I solved this problem by upgrading my docker version! From: Docker version 19.03.13, build 4484c46d9d To: Docker version 20.10.7, build f0df350