Closed mcancellara closed 8 months ago
Furthermore, some rules are added when starting globaleaks but never removed when stopping:
```
# iptables-save | grep 8080
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
```
Thank you for reporting this @mcancellara
Will check and update this ticket after some retesting.
@mcancellara: about the rules that are not removed, you are right, but in relation to ports 8443 and 8080 I guess the rule is not necessary.
Can you reach out to me on community.globaleaks.org?
I suppose you may be using a proxy and trying to reach out to the platform directly on port 8443. What if you connect to port 80/443?
Hi Giovanni,
thanks for the quick reply. I'm not using a proxy, but you did make me doubt the path I was taking, so I checked, and I'd say the server receives the connections on 443.
I stopped and restarted globaleaks, so my ACCEPT rule disappeared, and with tcpdump I see this, and I'd say I'm pointing at 443:
If I add my ACCEPT rule I see the handshake correctly.
I must say, though, that I'm starting from a dedicated server on the Aruba cloud with a Debian that was provided to me, so maybe there is some out-of-the-box firewall restriction in their image.
If you think your rules are correct, I can try to bring up a Debian 11 in the lab, install the latest globaleaks release directly and see what happens.
As for the community, it seems to me that an invitation from you is needed to access your Slack.
Thanks,
Massimo
On 10 Dec 2023, at 18:10, Giovanni Pellerano wrote:
@mcancellara: about the rules that are not removed, you are right, but in relation to ports 8443 and 8080 I guess the rule is not necessary.
Can you reach out to me on community.globaleaks.org?
I suppose you may be using a proxy and trying to reach out to the platform directly on port 8443. What if you connect to port 80/443?
Thank you @mcancellara
Actually I'm restoring those INPUT rules; I think the issue you were facing is the same one for which those lines were added: https://github.com/globaleaks/GlobaLeaks/issues/3622
Hello, same problem with Debian 12, fresh install. Until the end of the platform wizard everything is fine, but at the end (when you need to click on the proceed button) Globaleaks returns a red "error" popup.
After some tests I switched to Globaleaks 4.13.18 and everything works.
It seems it is no longer possible to check Globaleaks by calling the homepage with wget or curl from the same GL node.
I have an automated procedure which checks (from the same GL node) the availability of the site after upgrading the distribution, but after upgrading to 4.13.20 it is no longer possible to get the wget request working:
```
root@gl-node:~# wget --no-proxy https://mygl.example.com/#/admin
--2023-12-11 16:27:27-- https://mygl.example.com/
Resolving mygl.example.com (mygl.example.com)... 10.10.10.40
Connecting to mygl.example.com (mygl.example.com)|10.10.10.40|:443... failed: Connection refused.
```
In Globaleaks 4.13.18 it works. Would it be possible to restore the right iptables rules?
Thx
Closing as the issue should be solved by now.
What version of GlobaLeaks are you using?
4.13.19
What browser(s) are you seeing the problem on?
All
What operating system(s) are you seeing the problem on?
Linux
Describe the issue
After upgrading, site is unreachable via https. Comparing iptables rules before and after upgrade, it seems that this rule is missing: -A INPUT -p tcp -m comment --comment globaleaks -m tcp --dport 8443 -j ACCEPT
Adding the rule restores web access to globaleaks.
Proposed solution
Add back missing rules to the INPUT chain
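
The two checks discussed in this thread (rules duplicated after repeated starts, and a missing INPUT ACCEPT rule for port 8443), written as an added example that is not part of the original issue or of GlobaLeaks' own code. The ruleset is a constructed sample, the function names are hypothetical, and placing the MARK rules in the mangle table is an assumption:

```shell
#!/bin/sh
# Constructed sample of `iptables-save` output (not captured from a real host).
# Assumption: the MARK rules live in the mangle table.
sample_ruleset() {
cat <<'EOF'
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
COMMIT
EOF
}

# Read iptables-save output on stdin; print "<count> <table> <rule>" for each
# rule that appears more than once in the same table (hypothetical helper).
duplicate_rules() {
    awk '
        /^\*/  { table = substr($0, 2); next }
        /^-A / { key = table " " $0
                 if (!(key in seen)) order[++n] = key
                 seen[key]++ }
        END    { for (i = 1; i <= n; i++)
                     if (seen[order[i]] > 1) print seen[order[i]], order[i] }
    '
}

# Read iptables-save output on stdin; succeed only if the filter table has an
# INPUT rule accepting TCP traffic to port $1 (hypothetical helper).
has_input_accept() {
    awk -v port="$1" '
        /^\*/ { table = substr($0, 2); next }
        table == "filter" && /^-A INPUT / && /-p tcp / && / -j ACCEPT$/ {
            for (i = 1; i < NF; i++)
                if ($i == "--dport" && $(i + 1) == port) found = 1
        }
        END { exit !found }
    '
}

sample_ruleset | duplicate_rules
sample_ruleset | has_input_accept 8443 || echo "no INPUT ACCEPT rule for tcp/8443"
```

On a live host, pipe `iptables-save` into either function before and after a stop/start cycle or an upgrade to compare the results.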