globaleaks / whistleblowing-software

GlobaLeaks is free, open-source whistleblowing software enabling anyone to easily set up and maintain a secure reporting platform.
https://www.globaleaks.org

Web traffic not allowed after upgrade from 4.13.18 to 4.13.19 on Debian 11.8 #3856

Closed mcancellara closed 8 months ago

mcancellara commented 9 months ago

What version of GlobaLeaks are you using?

4.13.19

What browser(s) are you seeing the problem on?

All

What operating system(s) are you seeing the problem on?

Linux

Describe the issue

After upgrading, site is unreachable via https. Comparing iptables rules before and after upgrade, it seems that this rule is missing: -A INPUT -p tcp -m comment --comment globaleaks -m tcp --dport 8443 -j ACCEPT

Adding the rule restores web access to GlobaLeaks.

Proposed solution

Add back missing rules to the INPUT chain

mcancellara commented 9 months ago

Furthermore, some rules are added when starting GlobaLeaks but are never removed when stopping:

# iptables-save | grep 8080
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
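As an added example (not GlobaLeaks' own code), a small audit script that runs over iptables-save output and flags the two symptoms reported above: PREROUTING MARK rules accumulated by repeated starts, and an INPUT ACCEPT missing for tcp/8443. The sample dump is constructed to mirror the output quoted in this issue, and the list of ports expected to have an INPUT ACCEPT (80, 443, 8443) is an assumption.

```python
"""Audit iptables-save output for duplicated rules and missing INPUT ACCEPTs."""
from collections import Counter
import re

# Constructed sample modelled on the iptables-save output quoted in the issue:
# the same MARK rule appended three times, and no ACCEPT for tcp/8443.
SAMPLE_IPTABLES_SAVE = """\
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p tcp -m tcp --dport 8080 -j MARK --set-xmark 0x1/0xffffffff
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m comment --comment globaleaks -m tcp --dport 80 -j ACCEPT
-A INPUT -p tcp -m comment --comment globaleaks -m tcp --dport 443 -j ACCEPT
COMMIT
"""

# Assumed set of ports expected to carry an INPUT ACCEPT rule (8443 is the
# one the issue reports as missing after the upgrade).
EXPECTED_INPUT_PORTS = (80, 443, 8443)

def parse_rules(dump):
    """Return (table, rule) pairs for every '-A' line in an iptables-save dump."""
    rules, table = [], None
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("*"):          # '*mangle', '*filter', ... starts a table
            table = line[1:]
        elif line.startswith("-A "):
            rules.append((table, line))
    return rules

def duplicate_rules(dump):
    """Rules present more than once in the same table: the footprint of a start
    hook that appends with -A without first checking (-C) whether it exists."""
    counts = Counter(parse_rules(dump))
    return {key: n for key, n in counts.items() if n > 1}

def missing_input_accepts(dump, ports=EXPECTED_INPUT_PORTS):
    """Expected ports that have no 'INPUT ... --dport N -j ACCEPT' rule in filter."""
    accepted = set()
    for table, rule in parse_rules(dump):
        if table == "filter" and rule.startswith("-A INPUT "):
            m = re.search(r"--dport (\d+) -j ACCEPT$", rule)
            if m:
                accepted.add(int(m.group(1)))
    return [p for p in ports if p not in accepted]
```

On a live node, feed the output of `iptables-save` to these two functions after an upgrade or a stop/start cycle to confirm the firewall ended up in the expected state.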
evilaliv3 commented 9 months ago

Thank you for reporting this @mcancellara

Will check and update this ticket after some retesting.

evilaliv3 commented 9 months ago

@mcancellara: about the not removed rules you are right, but in relation to port 8443 and 8080 I guess the rule is not necessary.

Can you reach me on community,globaleaks.org?

I suppose you may be using a proxy and trying to reach out to the platform directly on port 8443. What if you connect to port 80/443?

mcancellara commented 9 months ago

Hi Giovanni,

thanks for the quick reply. I'm not using a proxy, but you made me doubt the path I was taking, so I checked, and I'd say the server receives the connections on 443.

I stopped and restarted GlobaLeaks, so my ACCEPT disappeared, and with tcpdump I see this, and I'd say I'm hitting 443:

If I add my ACCEPT I see the handshake correctly.

I should say, though, that I'm starting from a dedicated server on the Aruba cloud with a Debian image that was supplied to me, so maybe there is some out-of-the-box firewall restriction in their image.

If you think your rules are correct, I can try to bring up a Debian 11 in the lab, install the latest GlobaLeaks release directly and see what happens.

As for the community, I understand an invitation from you is needed to access your Slack.

Thanks,

Massimo

Sent from iPhone


evilaliv3 commented 9 months ago

Thank you @mcancellara

Actually I'm restoring those INPUT rules; I think the issue you were facing is the same one for which those lines were added: https://github.com/globaleaks/GlobaLeaks/issues/3622

FrancescoZanti commented 9 months ago

Hello, same problem with Debian 12, fresh install. Until the end of the platform wizard everything is fine, but at the end (when you need to click on the proceed button) GlobaLeaks returns a red "error" popup.

After some tests I switched to GlobaLeaks 4.13.18 and everything works.

reporter4u commented 9 months ago

It seems it is no longer possible to check GlobaLeaks by calling the homepage with wget or curl from the same GL node.

I have an automated procedure which checks (from the same GL node) the availability of the site after upgrading the distribution, but after upgrading to 4.13.20 it is no longer possible to get the wget request working:

root@gl-node:~# wget --no-proxy https://mygl.example.com/#/admin
--2023-12-11 16:27:27--  https://mygl.example.com/
Resolving mygl.example.com (mygl.example.com)... 10.10.10.40
Connecting to mygl.example.com (mygl.example.com)|10.10.10.40|:443... failed: Connection refused.

In GlobaLeaks 4.13.18 it works. Would it be possible to restore the right iptables rules?

Thx

evilaliv3 commented 8 months ago

Closing as the issue should be solved by now.