drawpile / listserver

Public listing server for Drawpile sessions
GNU Affero General Public License v3.0

host: Hostname does not match client IP #6

Open pansx opened 4 years ago

pansx commented 4 years ago

I use Kubernetes to run the Drawpile Docker image and exposed port 27750 on the domain dp.yong-gang.cn. People can connect, but when I publish the server to drawpile.net it says:

host: Hostname does not match client IP

I think it checks whether my pod IP matches my public IP. Can this check be cancelled?

Wade821 commented 4 years ago

I don't believe that can be bypassed, probably for security reasons. I'd suggest waiting for @callaa to respond on this.

But to confirm, you're hosting a server on one address but forwarding the traffic from another address?

pansx commented 4 years ago

Yes. In Kubernetes any Docker app has a pod IP and uses a load balancer to expose a port; the load balancer has a public IP and routes to the pod to access the app. So it should check whether the hostname connects to the same session as the publish request, not simply check whether the request IP is the publish hostname's A record...

notfood commented 4 years ago

Append --local-host dp.yong-gang.cn to the command you use to run drawpile-srv.

That will override the kubernetes hostname.

pansx commented 4 years ago

I did that the first time, but it had no effect. Overriding the Kubernetes hostname has no effect because my pod uses the default route to access drawpile.net, but the load balancer uses another route and another public IP to listen on 27750...

callaa commented 4 years ago

The listing server will resolve the hostname and check that it matches the originating IP address. This is an anti-SPAM measure.

I think most Kubernetes cloud providers will give pods random IP addresses from a pool, so it's not possible to reliably associate them with a specific domain. But I believe it's possible to create an egress service or cloud NAT or something like that to give them a consistent IP. Of course, if it's not the same as the load balancer's IP, there's still a problem.

If this is not feasible, the only solution I can think of is to add support for registered domains + API keys, since I'd rather not just remove the IP check. Without the check, anyone could spam phantom sessions for any domain.

A third, and possibly better, option would be to set up your own list server. The list server can now fetch session listings directly from the server(s) without having to explicitly announce them. (See https://pub.drawpile.net/) Once the new Drawpile communities section is published, this will be the preferred way for servers to list their sessions.
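
The check described in the comment above, as an added Go example that is not the listserver's own code. The function names, the injectable resolver, the hostname dp.example.org and the documentation-range addresses are assumptions constructed for illustration; it shows why an announcement leaving through a NAT egress address is rejected while one from the address the hostname resolves to is accepted.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"net"
)

// ErrHostMismatch reuses the error text quoted in this issue.
var ErrHostMismatch = errors.New("host: Hostname does not match client IP")

// lookupFunc matches (*net.Resolver).LookupIPAddr so constructed data can replace DNS offline.
type lookupFunc func(ctx context.Context, host string) ([]net.IPAddr, error)

// CheckAnnouncedHost accepts only if the hostname resolves to the request's source address.
func CheckAnnouncedHost(ctx context.Context, lookup lookupFunc, host, remoteAddr string) error {
	clientHost, _, err := net.SplitHostPort(remoteAddr)
	if err != nil {
		clientHost = remoteAddr // address given without a port
	}
	client := net.ParseIP(clientHost)
	if client == nil {
		return fmt.Errorf("unparseable client address %q", remoteAddr)
	}
	addrs, err := lookup(ctx, host)
	if err != nil {
		return fmt.Errorf("resolve %q: %w", host, err)
	}
	for _, a := range addrs {
		if a.IP.Equal(client) { // Equal treats IPv4 and IPv4-mapped IPv6 alike
			return nil
		}
	}
	return ErrHostMismatch
}

// sampleLookup is constructed data: dp.example.org points at a load balancer.
func sampleLookup(_ context.Context, host string) ([]net.IPAddr, error) {
	if host == "dp.example.org" {
		return []net.IPAddr{{IP: net.ParseIP("203.0.113.10")}}, nil
	}
	return nil, &net.DNSError{Err: "no such host", Name: host, IsNotFound: true}
}

func main() {
	bg := context.Background()
	fmt.Println(CheckAnnouncedHost(bg, sampleLookup, "dp.example.org", "198.51.100.7:41822")) // NAT egress
	fmt.Println(CheckAnnouncedHost(bg, sampleLookup, "dp.example.org", "203.0.113.10:41822")) // load balancer IP
}
```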

pansx commented 4 years ago

The default route can't expose a port because all Kubernetes cloud provider users use a shared route that I can't change, and ingress is the same as node port; it can't be exposed without a load balancer... With our own list server, users won't discover our server unless they configure the client, and our users are good at drawing, not good at computers...

Wade821 commented 4 years ago

@pansx no need to close this yet. Callaa said we have some options, including a new feature possibly....

rhwong commented 2 years ago

Same question

This problem occurs when I use FRP to expose my 27750 port to a VPS.

Is there a solution now?

Wade821 commented 12 months ago

The solution just requires time/effort, and there's a variety of other important issues to address. The simplest solution would be to set up your own list server.

https://github.com/drawpile/listserver