nickthecook / archyve

GNU Affero General Public License v3.0

How to permit all hosts using ALLOWED_HOSTS #78

Open virdb opened 1 month ago

virdb commented 1 month ago

I noticed the new variable, but I don't understand how to use it to enable all hosts. I commented it out, but still no login is possible from outside.

How can I enable all hosts or subnets?

Thanks a lot and best regards

nickthecook commented 1 month ago

Try ALLOWED_HOSTS=["*"] in your local.env file.

virdb commented 1 month ago

I did, but unsuccessfully.

This is what I found in the log of archyve-archyve-1:

I, [2024-09-18T07:23:12.216652 #62]  INFO -- : [f29be021-4264-4811-999d-a3e4a94c2e70] Started GET "/" for 192.168.3.222 at 2024-09-18 07:23:12 +0000
I, [2024-09-18T07:23:37.773307 #34]  INFO -- : [ce1d62c2-9adb-4b7c-8ea1-04155ba5220b] Started GET "/" for 192.168.3.222 at 2024-09-18 07:23:37 +0000
I, [2024-09-18T07:23:58.901556 #62]  INFO -- : [f29be021-4264-4811-999d-a3e4a94c2e70] Processing by CollectionsController#index as HTML
I, [2024-09-18T07:23:58.901571 #34]  INFO -- : [ce1d62c2-9adb-4b7c-8ea1-04155ba5220b] Processing by CollectionsController#index as HTML
I, [2024-09-18T07:24:04.180216 #34]  INFO -- : [ce1d62c2-9adb-4b7c-8ea1-04155ba5220b] Completed 401 Unauthorized in 5155ms (ActiveRecord: 0.0ms | Allocations: 2294)
I, [2024-09-18T07:24:04.180207 #62]  INFO -- : [f29be021-4264-4811-999d-a3e4a94c2e70] Completed 401 Unauthorized in 5155ms (ActiveRecord: 0.0ms | Allocations: 2294)
I, [2024-09-18T07:24:06.845087 #34]  INFO -- : [c01d3276-18d6-4722-ae2d-11ac66de2e80] Started GET "/" for 192.168.3.222 at 2024-09-18 07:24:06 +0000
I, [2024-09-18T07:24:07.008232 #34]  INFO -- : [c01d3276-18d6-4722-ae2d-11ac66de2e80] Processing by CollectionsController#index as HTML
I, [2024-09-18T07:24:07.124047 #34]  INFO -- : [c01d3276-18d6-4722-ae2d-11ac66de2e80] Completed 401 Unauthorized in 116ms (ActiveRecord: 0.0ms | Allocations: 731)
I, [2024-09-18T07:24:09.521661 #34]  INFO -- : [a1870165-c6c3-4ed9-8c45-50ba2c2d744d] Started GET "/users/sign_in" for 192.168.3.222 at 2024-09-18 07:24:09 +0000
I, [2024-09-18T07:24:10.181405 #34]  INFO -- : [a1870165-c6c3-4ed9-8c45-50ba2c2d744d] Processing by Devise::SessionsController#new as HTML
I, [2024-09-18T07:24:25.585651 #34]  INFO -- : [a1870165-c6c3-4ed9-8c45-50ba2c2d744d]   Rendered layout layouts/application.html.erb (Duration: 4368.3ms | Allocations: 4501)
I, [2024-09-18T07:24:25.783197 #34]  INFO -- : [a1870165-c6c3-4ed9-8c45-50ba2c2d744d] Completed 200 OK in 15553ms (Views: 7730.8ms | ActiveRecord: 193.6ms | Allocations: 25249)
I, [2024-09-18T07:24:35.812979 #34]  INFO -- : [e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] Started POST "/users/sign_in" for 192.168.3.222 at 2024-09-18 07:24:35 +0000
I, [2024-09-18T07:24:36.218976 #34]  INFO -- : [e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] Processing by Devise::SessionsController#create as TURBO_STREAM
I, [2024-09-18T07:24:36.219124 #34]  INFO -- : [e0b2cede-71bc-4f1d-9c7a-45133d9f37dc]   Parameters: {"authenticity_token"=>"[FILTERED]", "user"=>{"email"=>"admin@archyve.io", "password"=>"[FILTERED]", "remember_me"=>"true"}, "commit"=>"Sign in"}
W, [2024-09-18T07:24:36.624243 #34]  WARN -- : [e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] HTTP Origin header (http://192.168.1.4) didn't match request.base_url (http://192.168.1.4:3300)
I, [2024-09-18T07:24:37.033260 #34]  INFO -- : [e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] Completed 422 Unprocessable Entity in 794ms (ActiveRecord: 0.0ms | Allocations: 961)
E, [2024-09-18T07:24:37.270424 #34] ERROR -- : [e0b2cede-71bc-4f1d-9c7a-45133d9f37dc]   
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] ActionController::InvalidAuthenticityToken (HTTP Origin header (http://192.168.1.4) didn't match request.base_url (http://192.168.1.4:3300)):
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc]   
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_controller/metal/request_forgery_protection.rb:293:in `handle_unverified_request'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_controller/metal/request_forgery_protection.rb:388:in `handle_unverified_request'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] devise (4.9.3) lib/devise/controllers/helpers.rb:255:in `handle_unverified_request'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_controller/metal/request_forgery_protection.rb:377:in `verify_authenticity_token'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/callbacks.rb:403:in `block in make_lambda'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/callbacks.rb:202:in `block (2 levels) in halting'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/abstract_controller/callbacks.rb:34:in `block (2 levels) in <module:Callbacks>'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/callbacks.rb:203:in `block in halting'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/callbacks.rb:598:in `block in invoke_before'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/callbacks.rb:598:in `each'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/callbacks.rb:598:in `invoke_before'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/callbacks.rb:119:in `block in run_callbacks'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] turbo-rails (2.0.5) lib/turbo-rails.rb:24:in `with_request_id'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] turbo-rails (2.0.5) app/controllers/concerns/turbo/request_id_tracking.rb:10:in `turbo_tracking_request_id'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/callbacks.rb:130:in `block in run_callbacks'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] audited (5.6.0) lib/audited/sweeper.rb:16:in `around'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/callbacks.rb:130:in `block in run_callbacks'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] audited (5.6.0) lib/audited/sweeper.rb:16:in `around'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/callbacks.rb:130:in `block in run_callbacks'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actiontext (7.1.3.2) lib/action_text/rendering.rb:23:in `with_renderer'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actiontext (7.1.3.2) lib/action_text/engine.rb:69:in `block (4 levels) in <class:Engine>'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/callbacks.rb:130:in `instance_exec'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/callbacks.rb:130:in `block in run_callbacks'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/callbacks.rb:141:in `run_callbacks'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/abstract_controller/callbacks.rb:258:in `process_action'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_controller/metal/rescue.rb:25:in `process_action'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_controller/metal/instrumentation.rb:74:in `block in process_action'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/notifications.rb:206:in `block in instrument'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/notifications/instrumenter.rb:58:in `instrument'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/notifications.rb:206:in `instrument'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_controller/metal/instrumentation.rb:73:in `process_action'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_controller/metal/params_wrapper.rb:261:in `process_action'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activerecord (7.1.3.2) lib/active_record/railties/controller_runtime.rb:32:in `process_action'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/abstract_controller/base.rb:160:in `process'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionview (7.1.3.2) lib/action_view/rendering.rb:40:in `process'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_controller/metal.rb:227:in `dispatch'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_controller/metal.rb:309:in `dispatch'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/routing/route_set.rb:49:in `dispatch'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/routing/route_set.rb:32:in `serve'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/routing/mapper.rb:21:in `block in <class:Constraints>'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/routing/mapper.rb:51:in `serve'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/journey/router.rb:51:in `block in serve'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/journey/router.rb:131:in `block in find_routes'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/journey/router.rb:124:in `each'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/journey/router.rb:124:in `find_routes'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/journey/router.rb:32:in `serve'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/routing/route_set.rb:882:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] rack-pjax (1.1.0) lib/rack/pjax.rb:12:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] warden (1.2.9) lib/warden/manager.rb:36:in `block in call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] warden (1.2.9) lib/warden/manager.rb:34:in `catch'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] warden (1.2.9) lib/warden/manager.rb:34:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] rack (3.0.9.1) lib/rack/tempfile_reaper.rb:20:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] rack (3.0.9.1) lib/rack/etag.rb:29:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] rack (3.0.9.1) lib/rack/conditional_get.rb:43:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] rack (3.0.9.1) lib/rack/head.rb:15:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/http/permissions_policy.rb:36:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/http/content_security_policy.rb:33:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] rack-session (2.0.0) lib/rack/session/abstract/id.rb:272:in `context'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] rack-session (2.0.0) lib/rack/session/abstract/id.rb:266:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/middleware/cookies.rb:689:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activegraph (11.5.0.beta.2) lib/active_graph/migrations/check_pending.rb:16:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/middleware/callbacks.rb:29:in `block in call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/callbacks.rb:101:in `run_callbacks'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/middleware/callbacks.rb:28:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] sentry-rails (5.18.1) lib/sentry/rails/rescued_exception_interceptor.rb:9:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/middleware/debug_exceptions.rb:29:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] sentry-ruby (5.18.1) lib/sentry/rack/capture_exceptions.rb:15:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/middleware/show_exceptions.rb:31:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] railties (7.1.3.2) lib/rails/rack/logger.rb:37:in `call_app'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] railties (7.1.3.2) lib/rails/rack/logger.rb:24:in `block in call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/tagged_logging.rb:135:in `block in tagged'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/tagged_logging.rb:39:in `tagged'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/tagged_logging.rb:135:in `tagged'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] activesupport (7.1.3.2) lib/active_support/broadcast_logger.rb:240:in `method_missing'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] railties (7.1.3.2) lib/rails/rack/logger.rb:24:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/middleware/remote_ip.rb:92:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/middleware/request_id.rb:28:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] rack (3.0.9.1) lib/rack/method_override.rb:28:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] rack (3.0.9.1) lib/rack/runtime.rb:24:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/middleware/executor.rb:14:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] actionpack (7.1.3.2) lib/action_dispatch/middleware/static.rb:25:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] rack (3.0.9.1) lib/rack/sendfile.rb:114:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] railties (7.1.3.2) lib/rails/engine.rb:536:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] puma (6.4.2) lib/puma/configuration.rb:272:in `call'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] puma (6.4.2) lib/puma/request.rb:100:in `block in handle_request'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] puma (6.4.2) lib/puma/thread_pool.rb:378:in `with_force_shutdown'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] puma (6.4.2) lib/puma/request.rb:99:in `handle_request'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] puma (6.4.2) lib/puma/server.rb:464:in `process_client'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] puma (6.4.2) lib/puma/server.rb:245:in `block in run'
[e0b2cede-71bc-4f1d-9c7a-45133d9f37dc] puma (6.4.2) lib/puma/thread_pool.rb:155:in `block in spawn_thread'

192.168.1.4 is the address of the docker box where archyve is running on.

nickthecook commented 1 month ago

Interesting... I don't think this issue is caused by ALLOWED_HOSTS.

It looks like you were hitting /, getting redirected to /users/sign_in, then getting rejected. The API is under /v1, e.g. /v1/collections to list collections. You'll need to set the API auth headers if you haven't already.

Are you writing a client, trying to connect another, existing app, or something else?

virdb commented 1 month ago

> Interesting... I don't think this issue is caused by ALLOWED_HOSTS.
>
> It looks like you were hitting /, getting redirected to /users/sign_in, then getting rejected. The API is under /v1, e.g. /v1/collections to list collections. You'll need to set the API auth headers if you haven't already.
>
> Are you writing a client, trying to connect another, existing app, or something else?

I'm just trying to log in to the archyve web server from my laptop web browser, pointing it at http://xxx.xxx.xxx.xxx:3300/

nickthecook commented 1 month ago

Ah, I see.

I have found a few other people with the same error in other apps, and in all cases they seem to be accessing the app through a reverse proxy, like NGINX.

Are you accessing Archyve through NGINX or another reverse proxy?

virdb commented 1 month ago

> Ah, I see.
>
> I have found a few other people with the same error in other apps, and in all cases they seem to be accessing the app through a reverse proxy, like NGINX.
>
> Are you accessing Archyve through NGINX or another reverse proxy?

Actually not yet. I directly connect via LAN address

nickthecook commented 1 month ago

I'm trying to reproduce, so I ran Archyve in the container on another machine, but I was able to connect without issue. I added the ALLOWED_HOSTS entry I posted above and was still able to connect.

I've just cloned the repo and run docker compose up -d on the other machine, and connected to http://192.168.1.20:3300 and http://othermachinehostname:3300 and had no issues.

I also had docker listen on :80 instead of :3300 so I could just type the URL without port into the address bar in a browser to see if that generated an issue, but everything still worked.

Questions:

  1. In your browser, do you put http://192.168.1.4:3300 in the URL bar, or just http://192.168.1.4? If the latter, what is taking a request on port 80 and mapping it to 3300 in the rails container?

  2. Have you modified the compose file at all, or just run it as is on your docker box?

  3. Are you starting the containers with docker compose up -d, or using some orchestration software?

  4. What browser are you using? The error logs complain about an Origin header, but when I send a request in Firefox it's not sending that header at all.
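The warning in the log above is Rails' CSRF origin check, not ALLOWED_HOSTS: on a state-changing request Rails requires the browser's Origin header to equal request.base_url exactly, port included. The following is an added example in Ruby and is not code from Archyve or Rails; it reimplements that comparison from raw headers so the logged mismatch, the maintainer's working direct connection, and the reverse-proxy scenario from the two comments above can be reproduced offline. It assumes a proxy's X-Forwarded-Host and X-Forwarded-Proto headers are honoured when rebuilding base_url (Rails' behaviour), IPv4 or hostname hosts only, and the header sets below are constructed, not captured traffic.

```ruby
# Added example, not Archyve or Rails code: a minimal reimplementation of the
# Rails CSRF origin check that produced the error in the log, so the mismatch
# "Origin (http://192.168.1.4) didn't match base_url (http://192.168.1.4:3300)"
# can be reproduced from request headers alone. All header values are constructed.

STANDARD_PORTS = { "http" => 80, "https" => 443 }.freeze

# Rebuild what Rails reports as request.base_url: scheme from X-Forwarded-Proto
# when a proxy sets it, host:port from the last X-Forwarded-Host entry when
# present, otherwise from Host. The port is dropped when it is the scheme default.
# Assumes IPv4 or hostname hosts (no bracketed IPv6 literals).
def base_url(headers, socket_scheme: "http")
  scheme = headers.fetch("X-Forwarded-Proto", socket_scheme)
  forwarded = headers["X-Forwarded-Host"]
  host_with_port = forwarded ? forwarded.split(",").last.strip : headers.fetch("Host")
  host, port = host_with_port.split(":", 2)
  port = port ? Integer(port) : STANDARD_PORTS.fetch(scheme)
  port == STANDARD_PORTS.fetch(scheme) ? "#{scheme}://#{host}" : "#{scheme}://#{host}:#{port}"
end

# The rule Rails applies to every non-GET request while
# forgery_protection_origin_check is on (the default): a missing Origin is
# tolerated (some user agents never send it), the literal "null" is rejected,
# and anything else must equal base_url byte for byte, port included.
def valid_request_origin?(headers, socket_scheme: "http")
  origin = headers["Origin"]
  return false if origin == "null"
  origin.nil? || origin == base_url(headers, socket_scheme: socket_scheme)
end

# Same wording as the WARN line in the log, for a quick diagnosis from headers.
def origin_check_report(headers, socket_scheme: "http")
  return "ok" if valid_request_origin?(headers, socket_scheme: socket_scheme)

  "HTTP Origin header (#{headers['Origin']}) didn't match request.base_url " \
    "(#{base_url(headers, socket_scheme: socket_scheme)})"
end

# Constructed header sets (no real traffic):
# 1. Browser talks straight to Puma on :3300, as the maintainer reproduced.
DIRECT = { "Host" => "192.168.1.4:3300", "Origin" => "http://192.168.1.4:3300" }.freeze
# 2. What the logged request looked like: the page was loaded without a port
#    (Origin carries none) but the app still saw a Host header with :3300.
LOGGED = { "Host" => "192.168.1.4:3300", "Origin" => "http://192.168.1.4" }.freeze
# 3. Hypothetical fix for a proxy on :80 in front of :3300: forward the client's
#    original host and scheme so base_url is rebuilt without the upstream port.
PROXIED = LOGGED.merge("X-Forwarded-Host" => "192.168.1.4",
                       "X-Forwarded-Proto" => "http").freeze

if __FILE__ == $PROGRAM_NAME
  [DIRECT, LOGGED, PROXIED].each { |h| puts origin_check_report(h) }
end
```

Run stand-alone, the script prints "ok" for the direct connection, the exact warning from the log for the second header set, and "ok" again once a forwarded host without the upstream port is present. The check can also be switched off with the documented Rails setting config.action_controller.forgery_protection_origin_check = false, but that removes one of the two CSRF defenses for every request; when a proxy or port mapping sits in front of the container, forwarding the client's original Host (and scheme) is the fix that keeps the protection intact.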

oxaronick commented 1 month ago

@virdb Did you get it to work?